Netgate Discussion Forum

    Suricata crash log

    • kiokomanK
      kiokoman LAYER 8
      last edited by

      @bmeeks if you want to take a look at this new problem i have.
      it was working fine for some days, now this is happening every time i modify an action for a rule

      Crash report begins. Anonymous machine information:

      amd64
      12.0-RELEASE-p7
      FreeBSD 12.0-RELEASE-p7 11b34259783(RELENG_2_5) pfSense

      Crash report details:

      PHP Errors:
      [25-Jul-2019 14:56:55 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:56:55 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:57:45 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:57:45 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:57:54 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:57:54 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:58:04 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:58:04 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:58:18 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 14:58:18 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:01:18 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:01:18 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:01:27 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:01:27 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:02:06 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:02:06 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:02:15 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:02:15 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:02:42 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
      [25-Jul-2019 15:02:42 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363

      No FreeBSD crash data found.

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • bmeeksB
        bmeeks
        last edited by bmeeks

        Are you running with Inline IPS Mode enabled or just Legacy Mode Blocking?

        If you are running Legacy Mode, then try this edit to a file to see if it fixes the issue.

        In file /usr/local/www/suricata/suricata_alerts.php:

        Find the code below that starts on line 176 --

        // REJECT forcing is only applicable to Inline IPS Mode
        if ($a_instance[$instanceid]['ips_mode'] == 'ips_mode_inline' ) {
        	$rejectsid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_force_reject']);
        }
        

        and modify it to look like this --

        // REJECT forcing is only applicable to Inline IPS Mode
        if ($a_instance[$instanceid]['ips_mode'] == 'ips_mode_inline' ) {
        	$rejectsid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_force_reject']);
        }
        else {
        	$rejectsid = array();
        }
        

        Save the change and let me know how that works for you.

        • kiokomanK
          kiokoman LAYER 8
          last edited by

          yes, it's in legacy mode.

          i don't see any error / problem for the moment after editing the file, good work 👍

          • bmeeksB
            bmeeks @kiokoman
            last edited by bmeeks

            @kiokoman said in Suricata crash log:

            yes, it's in legacy mode.

            i don't see any error / problem for the moment after editing the file, good work 👍

            Great! I will put this fix into the update I'm currently working on. It's more fallout from a change the PHP folks made upstream a version or so back when they stopped automatically initializing an "uninitialized" array when it was accessed. In this case, the $rejectsid array variable is initialized by the call to the suricata_load_sid_mods() function, but that call is skipped when Suricata is not using Inline IPS Mode. Then later on the code attempts to iterate the uninitialized array. My bad for not making sure the array is initialized before accessing it, but that PHP change sure causes a lot of programmer "oops" mistakes.

            • bmeeksB
              bmeeks
              last edited by

              This problem should be fixed in the latest Suricata 4.1.4_5 package released for pfSense-2.5 snapshots.

              • kiokomanK
                kiokoman LAYER 8
                last edited by

                yes i have upgraded as soon as i saw it available, the problem is solved

                • kiokomanK
                  kiokoman LAYER 8
                  last edited by

                  @bmeeks

                  new crash today

                  Crash report begins.  Anonymous machine information:
                  
                  amd64
                  12.0-RELEASE-p8
                  FreeBSD 12.0-RELEASE-p8 2ffab8b5708(RELENG_2_5) pfSense
                  
                  Crash report details:
                  
                  PHP Errors:
                  [14-Aug-2019 06:00:56 Europe/Rome] PHP Warning:  Use of undefined constant LOG_WARN - assumed 'LOG_WARN' (this will throw an Error in a future version of PHP) in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
                  [14-Aug-2019 06:00:56 Europe/Rome] PHP Warning:  syslog() expects parameter 1 to be int, string given in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
                  
                  
                  
                  No FreeBSD crash data found.
                  

                  • bmeeksB
                    bmeeks
                    last edited by bmeeks

                    Crap! That's another one I missed with the last change. Should say LOG_WARNING for the constant instead of LOG_WARN. I'll fix it in the next release since it is a non-fatal error (just a warning for now).

                    If you want to eliminate the warning message before I get a fix posted, go edit the file indicated and change the string LOG_WARN on line 129 to LOG_WARNING and save the change. The file is: /usr/local/pkg/suricata/suricata_geoipupdate.php.

                    • kiokomanK
                      kiokoman LAYER 8
                      last edited by kiokoman

                      done

                      Aug 15 13:12:41 	php 	38699 	[Suricata] Checking for updated MaxMind GeoLite2 IP database file...
                      Aug 15 13:12:41 	php 	38699 	[Suricata] GeoLite2-Country IP database is up-to-date.
                      Aug 15 13:12:41 	php 	38699 	[Suricata] GeoLite2-Country database update check finished.
                      

                      no error
                      👍

                      • bmeeksB
                        bmeeks
                        last edited by bmeeks

                        Thanks for the report. I entered the bug in my internal bug tracking system.

                        It was my fault for using the wrong string, but it's also darn confusing/frustrating the way the PHP creators chose to define these constants for the PHP syslog() function. In half the instances they spell out the complete phrase, while in the other half they use an abbreviation. That leads me to kind of automatically default to assuming LOG_WARN in my head when typing, but the PHP folks actually defined it as LOG_WARNING. So the constants are defined like this:

                        LOG_DEBUG
                        LOG_INFO
                        LOG_NOTICE
                        LOG_WARNING
                        LOG_ALERT
                        LOG_CRIT
                        LOG_ERR
                        LOG_EMERG

                        Notice how they intermix abbreviations with the complete word. Four use abbreviations while the other four are fully written out. Makes it so easy to get it wrong when just coding away, and I did type it wrong in a bunch of places ... ☹ . I guess I need to keep that list of defined constants in front of my face at all times.

                        And to add insult to injury, I used grep to search the source code files for instances of LOG_WARN and still managed to miss one ... 😞 .

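Added example, not part of the original posts or of the Suricata package: a tokenizer-based check for the mistake discussed above, where an undefined `LOG_*` name such as `LOG_WARN` is passed to `syslog()`. It asks the PHP interpreter whether each bare `LOG_*` identifier is a defined constant, so comments and string literals are ignored; the function name and the sample source are constructed for illustration.

```php
<?php
// Added example: flag bare LOG_* identifiers that PHP does not define.
// find_undefined_log_constants() and $sample are hypothetical names.

/**
 * Tokenize PHP source and return one entry per LOG_* constant reference
 * that is not a defined constant in the running PHP interpreter.
 * Constants the scanned code define()s for itself would also be reported.
 */
function find_undefined_log_constants(string $source): array
{
    $hits = [];
    $prev = null; // last significant (non-whitespace) token id or character
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_WHITESPACE) {
            continue;
        }
        $isName = is_array($tok) && $tok[0] === T_STRING
            && strpos($tok[1], 'LOG_') === 0;
        // Foo::LOG_X and $obj->LOG_X are members, not global constants.
        $isMember = $prev === T_DOUBLE_COLON || $prev === T_OBJECT_OPERATOR;
        if ($isName && !$isMember && !defined($tok[1])) {
            $hits[] = ['line' => $tok[2], 'name' => $tok[1]];
        }
        $prev = is_array($tok) ? $tok[0] : $tok;
    }
    return $hits;
}

// Constructed sample input, not taken from the Suricata package.
$sample = <<<'SRC'
<?php
// LOG_WARN in a comment is not a constant reference
syslog(LOG_NOTICE, "[Suricata] database update check started");
syslog(LOG_WARN, "[Suricata] database update check failed");
$note = "LOG_WARN inside a string literal is ignored as well";
syslog(LOG_WARNING | LOG_USER, $note);
SRC;

// Scan files given on the command line, or the sample when none are given.
$inputs = [];
foreach (array_slice($argv ?? [], 1) as $path) {
    $inputs[$path] = file_get_contents($path);
}
if (!$inputs) {
    $inputs['(sample)'] = $sample;
}
$bad = 0;
foreach ($inputs as $name => $source) {
    foreach (find_undefined_log_constants((string) $source) as $hit) {
        printf("%s:%d: undefined constant %s\n", $name, $hit['line'], $hit['name']);
        $bad++;
    }
}
exit($bad > 0 ? 1 : 0);
```

Run with no arguments it scans the constructed sample; given file paths it scans those instead and exits non-zero when anything is reported, which makes it usable as a pre-release check.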
                        • kiokomanK
                          kiokoman LAYER 8
                          last edited by

                          @bmeeks
                          i had this today after upgrading pfsense 2.5 and reboot to the latest revision

                          Crash report begins.  Anonymous machine information:
                          
                          amd64
                          12.0-RELEASE-p9
                          FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
                          
                          Crash report details:
                          
                          PHP Errors:
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                          [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                          
                          
                          
                          No FreeBSD crash data found.
                          

                          • bmeeksB
                            bmeeks @kiokoman
                            last edited by bmeeks

                            @kiokoman said in Suricata crash log:

                            @bmeeks
                            i had this today after upgrading pfsense 2.5 and reboot to the latest revision

                            Crash report begins.  Anonymous machine information:
                            
                            amd64
                            12.0-RELEASE-p9
                            FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
                            
                            Crash report details:
                            
                            PHP Errors:
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
                            [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
                            
                            
                            
                            No FreeBSD crash data found.
                            

                            I just upgraded a test virtual machine to the same version without issue. Something went awry with your system during the update. Those errors indicate none of the rules files got created properly. I suggest you delete the package and install it again from the Package Manager menu.

                            If you have a RAM disk configured, be sure there is at least 256 MB of free space on /tmp.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.