Netgate Discussion Forum

    Suricata crash log

    • kiokomanK
      kiokoman LAYER 8
      last edited by

      Yes, it's in legacy mode.

      I don't see any error / problem for the moment after editing the file, good work 👍

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • bmeeksB
        bmeeks @kiokoman
        last edited by bmeeks

        @kiokoman said in Suricata crash log:

        Yes, it's in legacy mode.

        I don't see any error / problem for the moment after editing the file, good work 👍

        Great! I will put this fix into the update I'm currently working on. It's more fallout from a change the PHP folks made upstream a version or so back when they stopped automatically initializing an "uninitialized" array when it was accessed. In this case, the $rejectsid array variable is initialized by the call to the suricata_load_sid_mods() function, but that call is skipped when Suricata is not using Inline IPS Mode. Then later on the code attempts to iterate the uninitialized array. My bad for not making sure the array is initialized before accessing it, but that PHP change sure causes a lot of programmer "oops" mistakes.

        • bmeeksB
          bmeeks
          last edited by

          This problem should be fixed in the latest Suricata 4.1.4_5 package released for pfSense-2.5 snapshots.

          • kiokomanK
            kiokoman LAYER 8
            last edited by

            Yes, I upgraded as soon as I saw it available; the problem is solved.

            • kiokomanK
              kiokoman LAYER 8
              last edited by

              @bmeeks

              New crash today:

              Crash report begins.  Anonymous machine information:
              
              amd64
              12.0-RELEASE-p8
              FreeBSD 12.0-RELEASE-p8 2ffab8b5708(RELENG_2_5) pfSense
              
              Crash report details:
              
              PHP Errors:
              [14-Aug-2019 06:00:56 Europe/Rome] PHP Warning:  Use of undefined constant LOG_WARN - assumed 'LOG_WARN' (this will throw an Error in a future version of PHP) in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
              [14-Aug-2019 06:00:56 Europe/Rome] PHP Warning:  syslog() expects parameter 1 to be int, string given in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
              
              
              
              No FreeBSD crash data found.
              

              • bmeeksB
                bmeeks
                last edited by bmeeks

                Crap! That's another one I missed with the last change. Should say LOG_WARNING for the constant instead of LOG_WARN. I'll fix it in the next release since it is a non-fatal error (just a warning for now).

                If you want to eliminate the warning message before I get a fix posted, go edit the file indicated and change the string LOG_WARN on line 129 to LOG_WARNING and save the change. The file is: /usr/local/pkg/suricata/suricata_geoipupdate.php.

                • kiokomanK
                  kiokoman LAYER 8
                  last edited by kiokoman

                  done

                  Aug 15 13:12:41 	php 	38699 	[Suricata] Checking for updated MaxMind GeoLite2 IP database file...
                  Aug 15 13:12:41 	php 	38699 	[Suricata] GeoLite2-Country IP database is up-to-date.
                  Aug 15 13:12:41 	php 	38699 	[Suricata] GeoLite2-Country database update check finished.
                  

                  no error
                  👍

                  • bmeeksB
                    bmeeks
                    last edited by bmeeks

                    Thanks for the report. I entered the bug in my internal bug tracking system.

                    It was my fault for using the wrong string, but it's also darn confusing/frustrating the way the PHP creators chose to define these constants for the PHP syslog() function. In half the instances they spell out the complete phrase, while in the other half they use an abbreviation. That leads me to kind of automatically default to assuming LOG_WARN in my head when typing, but the PHP folks actually defined it as LOG_WARNING. So the constants are defined like this:

                    LOG_DEBUG
                    LOG_INFO
                    LOG_NOTICE
                    LOG_WARNING
                    LOG_ALERT
                    LOG_CRIT
                    LOG_ERR
                    LOG_EMERG

                    Notice how they intermix abbreviations with the complete word. Four use abbreviations while the other four are fully written out. Makes it so easy to get it wrong when just coding away, and I did type it wrong in a bunch of places ... ☹ . I guess I need to keep that list of defined constants in front of my face at all times.

                    And to add insult to injury, I used grep to search the source code files for instances of LOG_WARN and still managed to miss one ... 😞 .

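The slip described above (LOG_WARN typed for LOG_WARNING, with one instance missed by grep) can be caught mechanically. The following is an added example, not code from the Suricata package or from either poster: it tokenizes PHP source and reports bare LOG_* identifiers that the running PHP does not define. The function name and the sample input are constructed for illustration; constants that a code base defines itself with a LOG_ prefix would also be reported unless they are loaded first.

```php
<?php
// Added example: report bare LOG_* identifiers that this PHP runtime does not define.

/**
 * Return [line, name] pairs for every bare LOG_* identifier in $source
 * that is not a defined constant (for example LOG_WARN instead of LOG_WARNING).
 */
function find_undefined_log_constants(string $source): array
{
    $hits = [];
    foreach (token_get_all($source) as $token) {
        // Single-character tokens are plain strings; only arrays carry an id and a line.
        if (!is_array($token)) {
            continue;
        }
        [$id, $text, $line] = $token;
        // T_STRING covers bare identifiers. Text inside quotes or comments
        // arrives as other token types and is therefore skipped.
        if ($id === T_STRING && preg_match('/^LOG_[A-Z0-9]+$/', $text) && !defined($text)) {
            $hits[] = [$line, $text];
        }
    }
    return $hits;
}

// Constructed sample input, not the package's source.
$sample = <<<'SRC'
<?php
syslog(LOG_NOTICE, "[Example] update check started");
syslog(LOG_WARN, "[Example] download failed");
syslog(LOG_WARNING, "[Example] mentions LOG_WARN only inside a string");
// LOG_WARN in a comment is ignored as well
SRC;

// With file arguments, scan those files; without any, scan the sample above.
$inputs  = array_slice($argv ?? [], 1);
$sources = $inputs
    ? array_combine($inputs, array_map('file_get_contents', $inputs))
    : ['(sample)' => $sample];

$status = 0;
foreach ($sources as $name => $code) {
    foreach (find_undefined_log_constants((string) $code) as [$line, $const]) {
        echo "$name:$line: undefined constant $const\n";
        $status = 1;
    }
}
exit($status);
```

Because the check asks the interpreter through defined() instead of matching a hand-kept list, it also accepts the facility and option constants used with openlog(), and its non-zero exit status makes it usable as a pre-release gate.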
                    • kiokomanK
                      kiokoman LAYER 8
                      last edited by

                      @bmeeks
                      I had this today after upgrading pfSense 2.5 to the latest revision and rebooting:

                      Crash report begins.  Anonymous machine information:
                      
                      amd64
                      12.0-RELEASE-p9
                      FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
                      
                      Crash report details:
                      
                      PHP Errors:
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                      [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                      
                      
                      
                      No FreeBSD crash data found.
                      

                      • bmeeksB
                        bmeeks @kiokoman
                        last edited by bmeeks

                        @kiokoman said in Suricata crash log:

                        @bmeeks
                        I had this today after upgrading pfSense 2.5 to the latest revision and rebooting:

                        Crash report begins.  Anonymous machine information:
                        
                        amd64
                        12.0-RELEASE-p9
                        FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
                        
                        Crash report details:
                        
                        PHP Errors:
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                        [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                        
                        
                        
                        No FreeBSD crash data found.
                        

                        I just upgraded a test virtual machine to the same version without issue. Something went awry with your system during the update. Those errors indicate none of the rules files got created properly. I suggest you delete the package and install it again from the Package Manager menu.

                        If you have a RAM disk configured, be sure there is at least 256 MB of free space on /tmp.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.