23.05 Suricata Update pfSense php crash

mrsunfire

After all the php crashes with 23.01 I now get another one with 23.05 every time suricata is updating.

Crash report begins.  Anonymous machine information:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05-n256102-7cd3d043045: Mon May 22 15:33:52 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/obj/amd64/LkEyii3W/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/sources/FreeBS

Crash report details:

PHP Errors:
[14-Jun-2023 01:00:58 Europe/Berlin] PHP Fatal error:  Uncaught ValueError: gettext(): Argument #1 ($message) is too long in /usr/local/pkg/suricata/suricata_check_for_rule_updates.php:820
Stack trace:
#0 /usr/local/pkg/suricata/suricata_check_for_rule_updates.php(820): gettext('- Snort rules: ...')
#1 {main}
  thrown in /usr/local/pkg/suricata/suricata_check_for_rule_updates.php on line 820



No FreeBSD crash data found.
			

stephenw10

Are you running the current Suricata package? Interesting, I don't see any other reports of that error....

stephenw10

Opened https://redmine.pfsense.org/issues/14475 to track it.

bmeeks

@stephenw10 said in 23.05 Suricata Update pfSense php crash:

Interesting, I don't see any other reports of that error....

This is GUI code that was contributed by Viktor Gurov when he worked for Netgate. It is part of the logic that allows the addition of multiple custom rules package files to the list for automatic downloading and updating.

@mrsunfire, please share your list of custom rule archives configured on the GLOBAL SETTINGS tab. Is your firewall locale (language) set for English or perhaps some other language?

The specific error is happening within a gettext() PHP function call which typically attempts to translate from one language to another.

mrsunfire

@bmeeks It's english of course :) Here are my custom rules:

I cloud fix the issue by changing the Snort Rules Filename to that what is shown in the screenshot. Before that I had it set to snortrules-snapshot-29200.tar.gz. With that it was crashing!

@stephenw10 I'm running Suricata 6.0.12, yes.

bmeeks

@mrsunfire said in 23.05 Suricata Update pfSense php crash:

I cloud fix the issue by changing the Snort Rules Filename to that what is shown in the screenshot. Before that I had it set to snortrules-snapshot-29200.tar.gz. With that it was crashing!

That is really puzzling as both filenames are the exact same length. Is it possible that the old filename had some extra whitespace tacked onto the end that made it longer? You would not have seen the extra spaces on the screen, so everything would look fine.

I asked about the language due to the time zone shown in the error message (Europe/Berlin). But that might just be pfSense defaults for debugging errors.

mrsunfire

@bmeeks I'm located in Germany so that's the reason for that timezone. But I do always use English for networking stuff.

bmeeks

@mrsunfire:
I've identified the source of this error. The original author of the section of code that performs remote notifications of newly added rules categories was apparently unaware that the PHP gettext() function has an input string limit of 4096 characters. In his defense, neither was I aware of that limit until some research clued me in

I have a fix that will be coming with the next Suricata package update. I hope to have that posted in the next couple of days or so for the Netgate team to review and approve.