Suricata crash log


  • LAYER 8

    @bmeeks if you want to take a look at this new problem i have.
    it was working fine for some days now this is happening every time i modify an action for a rule

    Crash report begins. Anonymous machine information:

    amd64
    12.0-RELEASE-p7
    FreeBSD 12.0-RELEASE-p7 11b34259783(RELENG_2_5) pfSense

    Crash report details:

    PHP Errors:
    [25-Jul-2019 14:56:55 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:56:55 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:57:45 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:57:45 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:57:54 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:57:54 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:58:04 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:58:04 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:58:18 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 14:58:18 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:01:18 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:01:18 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:01:27 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:01:27 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:02:06 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:02:06 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:02:15 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:02:15 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:02:42 Europe/Rome] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/www/suricata/suricata_alerts.php on line 363
    [25-Jul-2019 15:02:42 Europe/Rome] PHP Warning: Invalid argument supplied for foreach() in /usr/local/www/suricata/suricata_alerts.php on line 363

    No FreeBSD crash data found.



  • Are you running with Inline IPS Mode enabled or just Legacy Mode Blocking?

    If you are running Legacy Mode, then try this edit to a file to see if it fixes the issue.

    In file /usr/local/www/suricata/suricata_alerts.php:

    Find the code below that starts on line 176 --

    // REJECT forcing is only applicable to Inline IPS Mode
    if ($a_instance[$instanceid]['ips_mode'] == 'ips_mode_inline' ) {
    	$rejectsid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_force_reject']);
    }
    

    and modify it to look like this --

    // REJECT forcing is only applicable to Inline IPS Mode
    if ($a_instance[$instanceid]['ips_mode'] == 'ips_mode_inline' ) {
    	$rejectsid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_force_reject']);
    }
    else {
    	$rejectsid = array();
    }
    

    Save the change and let me know how that works for you.


  • LAYER 8

    yes, it's in legacy mode.

    i don't see any error / problem for the moment after editing the file, good work 👍



  • @kiokoman said in Suricata crash log:

    yes, it's in legacy mode.

    i don't see any error / problem for the moment after editing the file, good work 👍

    Great! I will put this fix into the update I'm currently working on. It's more fallout from a change the PHP folks made upstream a version or so back when they stopped automatically initializing an "uninitialized" array when it was accessed. In this case, the $rejectsid array variable is initialized by the call to the suricata_load_sid_mods() function, but that call is skipped when Suricata is not using Inline IPS Mode. Then later on the code attempts to iterate the uninitialized array. My bad for not making sure the array is initialized before accessing it, but that PHP change sure causes a lot of programmer "oops" mistakes.



  • This problem should be fixed in the latest Suricata 4.1.4_5 package released for pfSense-2.5 snapshots.


  • LAYER 8

    yes i have upgraded as soon as i saw it available, the problem is solved


  • LAYER 8

    @bmeeks

    new crash today

    Crash report begins.  Anonymous machine information:
    
    amd64
    12.0-RELEASE-p8
    FreeBSD 12.0-RELEASE-p8 2ffab8b5708(RELENG_2_5) pfSense
    
    Crash report details:
    
    PHP Errors:
    [14-Aug-2019 06:00:56 Europe/Rome] PHP Warning:  Use of undefined constant LOG_WARN - assumed 'LOG_WARN' (this will throw an Error in a future version of PHP) in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
    [14-Aug-2019 06:00:56 Europe/Rome] PHP Warning:  syslog() expects parameter 1 to be int, string given in /usr/local/pkg/suricata/suricata_geoipupdate.php on line 129
    
    
    
    No FreeBSD crash data found.
    


  • Crap! That's another one I missed with the last change. Should say LOG_WARNING for the constant instead of LOG_WARN. I'll fix it in the next release since it is a non-fatal error (just a warning for now).

    If you want to eliminate the warning message before I get a fix posted, go edit the file indicated and change the string LOG_WARN on line 129 to LOG_WARNING and save the change. The file is: /usr/local/pkg/suricata/suricata_geoipupdate.php.


  • LAYER 8

    done

    Aug 15 13:12:41 	php 	38699 	[Suricata] Checking for updated MaxMind GeoLite2 IP database file...
    Aug 15 13:12:41 	php 	38699 	[Suricata] GeoLite2-Country IP database is up-to-date.
    Aug 15 13:12:41 	php 	38699 	[Suricata] GeoLite2-Country database update check finished.
    

    no error
    👍



  • Thanks for the report. I entered the bug in my internal bug tracking system.

    It was my fault for using the wrong string, but it's also darn confusing/frustrating the way the PHP creators chose to define these constants for the PHP syslog() function. In half the instances they spell out the complete phrase, while in the other half they use an abbreviation. That leads me to kind of automatically default to assuming LOG_WARN in my head when typing, but the PHP folks actually defined it as LOG_WARNING. So the constants are defined like this:

    LOG_DEBUG
    LOG_INFO
    LOG_NOTICE
    LOG_WARNING
    LOG_ALERT
    LOG_CRIT
    LOG_ERR
    LOG_EMERG

    Notice how they intermix abbreviations with the complete word. Four use abbreviations while the other four are fully written out. Makes it so easy to get it wrong when just coding away, and I did type it wrong in a bunch of places ... ☹ . I guess I need to keep that list of defined constants in front of my face at all times.

    And to add insult to injury, I used grep to search the source code files for instances of LOG_WARN and still managed to miss one ... 😞 .
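
Added example (not part of the original posts and not the package's own code): a Python check that reports every `LOG_*` identifier in PHP source that is not one of PHP's predefined syslog constants, so a misspelling such as `LOG_WARN` is caught without knowing the typo in advance. The function name and the sample PHP text are constructed for illustration.

```python
import difflib
import re

# Constants PHP predefines for syslog()/openlog() on Unix-like systems.
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_ODELAY", "LOG_NOWAIT",
           "LOG_PERROR", "LOG_PID"}
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_CRON", "LOG_DAEMON",
              "LOG_KERN", "LOG_LPR", "LOG_MAIL", "LOG_NEWS",
              "LOG_SYSLOG", "LOG_USER", "LOG_UUCP"}
FACILITIES |= {f"LOG_LOCAL{n}" for n in range(8)}
KNOWN = PRIORITIES | OPTIONS | FACILITIES

# A bare LOG_* identifier. The lookbehind skips variables ($LOG_x),
# member/class access (->LOG_x, ::LOG_x) and longer names (MY_LOG_x).
TOKEN = re.compile(r"(?<![A-Za-z0-9_$>:])LOG_[A-Za-z0-9_]+")


def find_unknown_log_constants(source, extra_known=()):
    """Return (line_no, name, suggestion) for each LOG_* identifier
    that PHP does not predefine. Comments and strings are scanned
    too, which errs on the side of reporting.

    extra_known: constants the project itself defines (assumption:
    the caller supplies these, the script does not parse define()).
    """
    known = KNOWN | set(extra_known)
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            name = match.group(0)
            if name in known:
                continue
            close = difflib.get_close_matches(name, known, n=1)
            findings.append((line_no, name, close[0] if close else None))
    return findings


# Constructed sample, not the package source.
SAMPLE_PHP = '''<?php
// constructed sample for the check above
syslog(LOG_NOTICE, "[Suricata] Checking for updated database file...");
syslog(LOG_WARN, "[Suricata] download failed");
$LOG_LEVEL = LOG_ERR;
log_error(MY_LOG_WARN);
syslog(LOG_WARNING, "ok");
'''

if __name__ == "__main__":
    for line_no, name, hint in find_unknown_log_constants(SAMPLE_PHP):
        print(f"line {line_no}: {name} is not a PHP syslog constant (did you mean {hint}?)")
```

Run over a source tree, this flags any unknown `LOG_*` name rather than only the one spelling a manual grep was looking for.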


  • LAYER 8

    @bmeeks
    i had this today after upgrading pfsense 2.5 and reboot to the latest revision

    Crash report begins.  Anonymous machine information:
    
    amd64
    12.0-RELEASE-p9
    FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
    
    Crash report details:
    
    PHP Errors:
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
    
    
    
    No FreeBSD crash data found.
    


  • @kiokoman said in Suricata crash log:

    @bmeeks
    i had this today after upgrading pfsense 2.5 and reboot to the latest revision

    Crash report begins.  Anonymous machine information:
    
    amd64
    12.0-RELEASE-p9
    FreeBSD 12.0-RELEASE-p9 e23c75c4280(RELENG_2_5) pfSense
    
    Crash report details:
    
    PHP Errors:
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_3908_pppoe0/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_35924_igb2/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/suricata.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 999
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/flowbit-required.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1001
    [27-Aug-2019 20:56:56 Europe/Rome] PHP Warning:  filesize(): stat failed for /usr/local/etc/suricata/suricata_55009_igb1/rules/custom.rules in /usr/local/pkg/suricata/suricata_generate_yaml.php on line 1003
    
    
    
    No FreeBSD crash data found.
    

    I just upgraded a test virtual machine to the same version without issue. Something went awry with your system during the update. Those errors indicate none of the rules files got created properly. I suggest you delete the package and install it again from the Package Manager menu.

    If you have a RAM disk configured, be sure there is at least 256 MB of free space on /tmp.

