Arpwatch Notification : Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php

eveready1010

Ever since I installed suricata, I keep getting the following email daily:

X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

tar: rules: Not found in archive
tar: Error exit delayed from previous errors.
tar: etc: Not found in archive
tar: Error exit delayed from previous errors.

Is this a bug or a settings that I need to turn off?

bmeeks

It looks like you are experiencing the same bug as is reported here: https://redmine.pfsense.org/issues/11366#change-50861. Your error looks to be the same type of thing. I don't believe it is an issue with Suricata, but instead with the email reporting package.

slim2016

@bmeeks

Or it could be arpwatch, because i get similar problem with arpwatch and it's not related to suricata.

Cron root@firewall /etc/rc.filter_configure_sync

X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

0 addresses deleted.

'Disable Cron emails' is checked.

I created a bug report but it was rejected because i had to check 'Disable Cron emails', which I already had done.

eveready1010

I just uninstalled arpwatch and reinstalled. Will wait a couple of days and see if that resolves this issue. Will report back with findings.

eveready1010

So, I'm still receiving these alerts whenever Suricata tries to update, even after uninstalling and reinstalling Arpwatch.

Anyone have any suggestions as to how to report this bug? Is there an Arpwatch site for example, or would this be a pfSense issue?

This is just affected by the Suricata daily updates, BTW. I used to have the other false messages a while back, from vnstat for example, but those have been gone for some time now. Only since I installed Suricata, a couple of months ago have I been getting these messages.

Thank you.

bingo600

I'm not that familiar with FreeBSD , but on linux you will have to redirect stdout & stderr messages to /dev/null , or cron will forward any output to root via e-mail.

Ie.
0 3 * * * /home/xxx/scripts/getcams >/dev/null 2>/dev/null

/Bingo

eveready1010

I found the bug in arpwatch.

The bug is in the file: /usr/local/arpwatch/sendmail_proxy.php

In the statement:

if ((false !== $message) && ((false === strpos($message, ': Cron ')) ||
    ($config['installedpackages']['arpwatch']['config'][0]**['cron_disable']** != 'on'))) {

The key for 'cron_disable' is incorrect. The correct value should be, 'disable_cron'

I've tested it and I no longer get a useless email every time my Suricata script runs daily.

Now how to get in contact with the creator, or does pfsense do this? If I need to report it as a bug, do I do it on the pfSense site (If so, where?) or should it go to whoever created Arpwatch?

I never had to report a bug before.

bmeeks

@eveready1010 said in Arpwatch Notification : Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php:

I found the bug in arpwatch.

The bug is in the file: /usr/local/arpwatch/sendmail_proxy.php

In the statement:

if ((false !== $message) && ((false === strpos($message, ': Cron ')) ||
    ($config['installedpackages']['arpwatch']['config'][0]**['cron_disable']** != 'on'))) {

The key for 'cron_disable' is incorrect. The correct value should be, 'disable_cron'

I've tested it and I no longer get a useless email every time my Suricata script runs daily.

Now how to get in contact with the creator, or does pfsense do this? If I need to report it as a bug, do I do it on the pfSense site (If so, where?) or should it go to whoever created Arpwatch?

I never had to report a bug before.

It appears there may be an existing bug report that is closely related (if not really the same underlying issue). Here is the link: https://redmine.pfsense.org/issues/11366.

You can create an account on Redmine and either add additional supporting information to the bug report I linked, or you can create a new bug report.

slim2016

@bmeeks @eveready1010

The fix has been posted by Viktor Gurov but the link does not work.

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/72

bmeeks

@slim2016 said in Arpwatch Notification : Cron <root@pfsense> /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php:

@bmeeks @eveready1010

The fix has been posted by Viktor Gurov but the link does not work.

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/72

That is Netgate's private Git respository. It is not publically available. You will need to wait for the change to be merged into the public Github repo. They have a private internal repo where they do testing of changes before migrating them to the public site. Notice the URL is "gitlab.netgate.com". Anytime you see that "gitlab" portion, that is their private repo.