Suricata Update 4.0.13_9 PHP Warnings

Veldkornet

My problem on line 399 is back after updating to pfSense 4.3.3_p1.

Except this time, it’s changing back after I try start the service via the interface...

Any ideas?

bmeeks

@veldkornet said in Suricata Update 4.0.13_9 PHP Warnings:

My problem on line 399 is back after updating to pfSense 4.3.3_p1.

Except this time, it’s changing back after I try start the service via the interface...

Any ideas?

You have corruption within the Suricata section of your firewall's config.xml file. Specifically it looks like some funky data exists for the HTTP stream engine. Go to the FLOW/STREAM tab and scroll down to the HTTP engine section. Click to edit any entries there and see if you either get an error or see bogus data (like extra spaces or something).

Veldkornet

@bmeeks said in Suricata Update 4.0.13_9 PHP Warnings:

@veldkornet said in Suricata Update 4.0.13_9 PHP Warnings:

My problem on line 399 is back after updating to pfSense 4.3.3_p1.

Except this time, it’s changing back after I try start the service via the interface...

Any ideas?

You have corruption within the Suricata section of your firewall's config.xml file. Specifically it looks like some funky data exists for the HTTP stream engine. Go to the FLOW/STREAM tab and scroll down to the HTTP engine section. Click to edit any entries there and see if you either get an error or see bogus data (like extra spaces or something).

So I found that when I click on the “App Parsers” tab, I get the following error:

Fatal error: Uncaught Error: Cannot use string offset as an array in /usr/local/www/suricata/suricata_app_parsers.php:79 Stack trace: #0 {main} thrown in /usr/local/www/suricata/suricata_app_parsers.php on line 79 PHP ERROR: Type: 1, File: /usr/local/www/suricata/suricata_app_parsers.php, Line: 79, Message: Uncaught Error: Cannot use string offset as an array in /usr/local/www/suricata/suricata_app_parsers.php:79 Stack trace: #0 {main} thrown

Could this be causing the issue?

bmeeks

Yes, that is another symptom of something being amiss within your config.xml file for the firewall. Specifically within the <installedpackages><suricata></suricata></installedpackages> section. The last bug fix I posted for Suricata was supposed to fix that issue (an uninitialized array), but for some reason it's not working in your case. That's why I suspect something amiss within your configuration file.

Does the APP PARSERS tab display? If so, please post a screenshot of that tab.

Veldkornet

@bmeeks said in Suricata Update 4.0.13_9 PHP Warnings:

Yes, that is another symptom of something being amiss within your config.xml file for the firewall. Specifically within the <installedpackages><suricata></suricata></installedpackages> section. The last bug fix I posted for Suricata was supposed to fix that issue (an uninitialized array), but for some reason it's not working in your case. That's why I suspect something amiss within your configuration file.

Does the APP PARSERS tab display? If so, please post a screenshot of that tab.

Nope, it doesn’t display. As soon as you click the tab, it throws that error on the screen. White screen, nothing else visible except that error

bmeeks

@veldkornet said in Suricata Update 4.0.13_9 PHP Warnings:

@bmeeks said in Suricata Update 4.0.13_9 PHP Warnings:

Yes, that is another symptom of something being amiss within your config.xml file for the firewall. Specifically within the <installedpackages><suricata></suricata></installedpackages> section. The last bug fix I posted for Suricata was supposed to fix that issue (an uninitialized array), but for some reason it's not working in your case. That's why I suspect something amiss within your configuration file.

Does the APP PARSERS tab display? If so, please post a screenshot of that tab.

Nope, it doesn’t display. As soon as you click the tab, it throws that error on the screen. White screen, nothing else visible except that error

Sorry to be late replying. I have several other appointments today that are keeping me away from my PC.

You have two choices for fixing this. One is to send me your config.xml file privately and let me see what is really wrong within the Suricata package section. You can just send me everything between the <installedpackages><suricata></suricata> section of the file. The other choice is to completely delete the Suricata interface that is giving you this problem and create it again from scratch. This second option means you will have to rebuild your configuration in terms of enabled rules and such. If you have not done a ton of customization on the interface, this may be the fastest approach.

Your problem seems to be that somehow a key piece of the default Suricata configuration has gotten removed from your firewall. This "bad data" is now permanently in place in your configuration, so simply removing the package and reinstalling it is not going to fix it so long as you continue to let the reinstall process restore the old configuration (which has the bad data). Hence my suggestion to delete the Suricata interface entirely and start over. Deleting the interface should clean up that section of the configuration and restore the missing default pieces.

Veldkornet

Thanks, I recreated the interface and that fixed it indeed!

bmeeks

@veldkornet said in Suricata Update 4.0.13_9 PHP Warnings:

Thanks, I recreated the interface and that fixed it indeed!

Glad it is fixed for you. Thank you for the feedback.