Can't Run Suricata 6.0.10_3
-
@bitslammer said in Can't Run Suricata 6.0.10_3:
I've uninstalled and reinstalled Suricata 6.0.10_3 a few times. Every time I get the following error:
PHP ERROR: Type: 1, File: /usr/local/pkg/suricata/suricata_migrate_config.php, Line: 229, Message: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/pkg/suricata/suricata_migrate_config.php:229
Stack trace:
#0 /usr/local/pkg/suricata/suricata_post_install.php(153): include()
#1 /etc/inc/pkg-utils.inc(781) : eval()'d code(1): include_once('/usr/local/pkg/...')
#2 /etc/inc/pkg-utils.inc(781): eval()
#3 /etc/inc/pkg-utils.inc(899): eval_once('include_once("/...')
#4 /etc/rc.packages(76): install_package_xml('suricata')
#5 {main}
thrown @ 2023-02-26 08:04:27
Not sure how to get around this one. It shows up in packages, but isn't in the menu or list of services.
What version of Suricata were you running before trying the 6.0.10_3 update?
I'm trying to build a 6.0.10_3 package in my 2.7 CE snapshot builder to see if I can replicate the problem. I see what might be a problematic area of code that could get triggered by an existing old Pass List configuration. That's why I asked what version of Suricata you were on previously.
-
@bmeeks None. The last pfSense update borked my 3100 and I had to install clean. I did restore a backup, but I don't think I included any packages.
-
@bitslammer said in Can't Run Suricata 6.0.10_3:
@bmeeks None. The last pfSense update borked my 3100 and I had to install clean. I did restore a backup, but I don't think I included any packages.
Ah ... okay. That makes the problem a little clearer.
First off, I'm sort of surprised 6.0.10 showed up in the package repo for an SG-3100. Due to issues with Rust versions, I thought the 32-bit ARM appliances were frozen with a 5.x version of Suricata.
So, you are running an SG-3100 and Suricata version 6.0.10_3 is showing up as available to install?
-
@bitslammer:
Open up the config.xml file you restored in a text editor and scroll down towards the bottom of the file and find this section of XML:
<passlist>
<item>
<name>passlist_10750</name>
<uuid>24167</uuid>
<localnets>yes</localnets>
<wangateips>yes</wangateips>
<wandnsips>yes</wandnsips>
<vips>yes</vips>
<vpnips>yes</vpnips>
<address>
<item>10.6.210.0/31</item>
<item>10.6.250.0/31</item>
<item>10.6.210.1/32</item>
</address>
<descr><![CDATA[Test List]]></descr>
</item>
</passlist>
Your file is likely not to have the same content as I show above, but it will have the XML element tags <passlist> and </passlist>. I need a copy of everything between those two tags. There is nothing sensitive there, so if you can post that back here I can likely help you edit it so that Suricata will not choke when installing.
-
Trying to post that but the forum is marking it as SPAM. Will try a screenshot.
-
@bmeeks OK....let's try this the hard way since the antispam AI is being a jerk.
My config looks pretty much the same as yours with the differences being:
- I have a section called "wanips" that is yes
- I only have an alias in the address section called "myPCs"
- My descr section is blank
- I have a section called "detail" below descr but it's blank.
-
</rule>
<passlist>
<item>
<name>passlist_32494</name>
<uuid>32494</uuid>
<localnets>yes</localnets>
<wanips>yes</wanips>
<wangateips>yes</wangateips>
<wandnsips>yes</wandnsips>
<vips>yes</vips>
<vpnips>yes</vpnips>
<address>CNPCs</address>
<descr></descr>
<detail></detail>
</item>
</passlist>
-
@bmeeks said in Can't Run Suricata 6.0.10_3:
So, you are running an SG-3100 and Suricata version 6.0.10_3 is showing up as available to install?
Yes. I know I've run other 6.x versions in the past with no issues.
-
@bitslammer said in Can't Run Suricata 6.0.10_3:
@bmeeks said in Can't Run Suricata 6.0.10_3:
So, you are running an SG-3100 and Suricata version 6.0.10_3 is showing up as available to install?
Yes. I know I've run other 6.x versions in the past with no issues.
Okay, apparently Netgate fixed the Rust compilation issue on 32-bit ARM hardware.
I see what the problem is in both the code and in your config.xml. It's due to a legacy setting for aliases in a Pass List that allowed only one. The newer Suricata versions allow multiple aliases and custom IP addresses in a Pass List. The change in the way PHP 8.1 behaves as compared to 7.4 is the reason for the error.
I will post up an edit you can do to your config.xml that should help you get around the problem.
-
@bitslammer said in Can't Run Suricata 6.0.10_3:
<passlist>
<item>
<name>passlist_32494</name>
<uuid>32494</uuid>
<localnets>yes</localnets>
<wanips>yes</wanips>
<wangateips>yes</wangateips>
<wandnsips>yes</wandnsips>
<vips>yes</vips>
<vpnips>yes</vpnips>
<address>CNPCs</address>
<descr></descr>
<detail></detail>
</item>
</passlist>
Edit your <passlist> section in the "active" config.xml to look like this:
<passlist>
<item>
<name>passlist_32494</name>
<uuid>32494</uuid>
<localnets>yes</localnets>
<wanips>yes</wanips>
<wangateips>yes</wangateips>
<wandnsips>yes</wandnsips>
<vips>yes</vips>
<vpnips>yes</vpnips>
<address>
<item>CNPCs</item>
</address>
<descr></descr>
<detail></detail>
</item>
</passlist>
1. You can make this edit directly in config.xml on the firewall, or you can make the edit in the backup and then restore the backup.
2. Whichever method you choose in #1 above, do that BEFORE trying to install Suricata. If Suricata is currently showing under PACKAGE MANAGER > INSTALLED PACKAGES, then remove it and circle back to step 1.
The config.xml must look like what I show above in my edit BEFORE installing Suricata. Notice that I have added a pair of <item></item> tags and put your existing CNPCs alias in between those new tags. Making the edit should satisfy the migration code and prevent the PHP crash. The PHP crash is why the install does not complete and so Suricata does not show under the SERVICES menu as it should.
The problem is the PHP code in that section of the migration routine, and I will get that fixed. But that might take a few days to get posted because the Netgate folks are quite busy with a number of things right now.
-
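An offline pre-check for the Pass List edit described in the post above, as an added example that is not part of the thread or of the Suricata package code: it parses a restored config.xml backup, lists Pass Lists whose <address> still holds a bare alias, and wraps that alias in <item> tags. The sample XML, its <pfsense> wrapper and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for the Pass List part of config.xml.
# First item: legacy single-alias form from the thread. Second: current form.
SAMPLE_CONFIG = """<pfsense>
<passlist>
<item>
<name>passlist_32494</name>
<address>CNPCs</address>
<descr></descr>
</item>
<item>
<name>passlist_10750</name>
<address>
<item>10.6.210.0/31</item>
<item>10.6.210.1/32</item>
</address>
</item>
</passlist>
</pfsense>"""


def _legacy_addresses(root):
    """Yield (entry, address, alias) for Pass Lists whose <address> is bare text."""
    for passlist in root.iter("passlist"):
        for entry in passlist.findall("item"):
            address = entry.find("address")
            if address is None or address.find("item") is not None:
                continue  # no <address>, or already holds <item> children
            alias = (address.text or "").strip()
            if alias:
                yield entry, address, alias


def find_legacy_passlists(root):
    """Return [(pass list name, alias)] for entries that need the manual edit."""
    return [(entry.findtext("name", default="?"), alias)
            for entry, _, alias in _legacy_addresses(root)]


def wrap_legacy_addresses(root):
    """Rewrite <address>alias</address> as <address><item>alias</item></address>."""
    fixed = 0
    for _, address, alias in list(_legacy_addresses(root)):
        address.text = None
        ET.SubElement(address, "item").text = alias
        fixed += 1
    return fixed


if __name__ == "__main__":
    tree_root = ET.fromstring(SAMPLE_CONFIG)
    print("needs edit:", find_legacy_passlists(tree_root))
    print("converted:", wrap_legacy_addresses(tree_root))
    print(ET.tostring(tree_root.find("passlist"), encoding="unicode"))
```

ElementTree writes CDATA sections back as escaped text, so use the findings to guide a manual edit of config.xml rather than re-serialising the whole file.
-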
I created a Redmine Issue to track this here: https://redmine.pfsense.org/issues/14041.
I will get a fix submitted, but it's going to take a day or two. My 2.7 CE package builder and testing system is currently rebuilding a bunch of ports due to a merge done by the Netgate team from upstream. On my puny VM builder, that job is taking FOREVER ...
The llvm compiler and Rust are the big culprits taking hours and hours each to build. Maybe it will finish and be ready before Halley's Comet returns.
-
@bitslammer:
The fix for your issue has been posted for the Netgate team to review and merge. The pull request is here: https://github.com/pfsense/FreeBSD-ports/pull/1241.
Once this is merged and the packages rebuilt, a new 6.0.10_4 version of the Suricata package will show up in SYSTEM > PACKAGE MANAGER for installation.
-
@bmeeks Excellent. I'll keep an eye out for it, or just do a backup, edit that file, and then restore. Thanks for the fix!
-
@bmeeks Decided not to wait. Went the manual route and it worked fine with those edits. Thanks again.
-
@bitslammer said in Can't Run Suricata 6.0.10_3:
@bmeeks Decided not to wait. Went the manual route and it worked fine with those edits. Thanks again.
Okay. The manual edit is fine. The updated code makes those checks in a different manner so that PHP is happy and does not complain. That's necessary because of the changes in PHP 8.1 as compared to the 7.4 used in older pfSense editions. The change in PHP behavior is why there are so many GUI code changes in 23.01 (and coming in 2.7 CE) and reports of little annoying bugs related to PHP errors.