[ERRCODE: SC_ERR_INVALID_ARGUMENTS(52)] - prefix or user NULL
I can't start a Suricata instance on a router anymore.
A [ERRCODE: SC_ERR_INVALID_ARGUMENTS(52)] - prefix or user NULL entry is just the final log entry.
This happened after adding an alert to a suppress list (click button on the GUI to suppress that particular alert type).
Also, ban time was changed to the minimal 15 minutes period on the general settings.
After some minutes I realized the interface was down (the time to luckily navigate again to the interfaces tab…)
Starting fails, the log logs the error, and the thing seems to be screwed.
There is only a thread in which the same thing occurred... but no valuable info on how to proceed.
What does the log message mean? How could it be corrected?
Thank you all
Something got written to the Suppress List that Suricata does not like. Go to the SUPPRESS LIST tab, open the list for editing, and manually remove the last entry you made. Save the change and see if Suricata will start. If you still have issues, post back here.
It didn't work…
At first I thought it worked but it is not working...
I have ended up destroying the suppress list and creating a brand new one.
It is cleanly new and empty.
It does not work...
I'm revising all config... maybe something went wrong with the GUI open and the setup got corrupted...
I'm lost now...
FOUND THE ISSUE:
Suricata does effectively not like something.... but in the pass list!
OK... I'm realizing I have part of my routers without an Alias list appended to the pass list.
The reason: it does not work.
The list is the SAME on all nodes; on some it works, on some it does not.
There is probably some kind of character (likely a hidden one like a non-displaying space) lurking in the Suppress List somehow. That may have gotten here via a copy-paste operation. The ALERTS tab uses zero-length spaces to help with controlling formats.
To really and truly reset the suppress list, you will need to edit that section of the config.xml file. The other method is to remove Suricata, but first uncheck the "save settings" checkbox on the GLOBAL SETTINGS tab. Of course if you do that, you will have to rebuild the configuration from scratch.
If you know your way around XML, you can find the appropriate section to clean out in the /conf/config.xml file. Just make a backup of the file before you edit it in case you mess up!
I should check those XMLs... but I do not like that approach very much since those machines are in production.
Setup has always been done through the web GUI, and on it I trust!... so I should recheck whether some char typo is around but I didn't find a single one.
Also, the GUI gives you little if any chance of error when creating the alias list... since the form seems to be closed and validated... maybe the error comes when generating the XML or the final config... don't know.
Anyhow, at least I got it partially working.
Thank you and best regards!
The specific character code I'm talking about can only be seen if you view the data in a Hex Editor. The character is "invisible" when viewed in plain-text mode. It's a trick used to get IP addresses to wrap properly in the narrow confines of the table cells on the ALERTS tab. I have code that is supposed to strip that out prior to "pasting" content into a Suppress List. Perhaps for some reason that failed in your case, or there may be some other character in there.
The Suppress List is encoded in the XML configuration as a Base64 string. You can use an online Base64 decoder site to turn the encoding into regular text. You can then view that regular text in a Hex Editor.
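
Added example (not part of the original posts or of the package's own code): a local way to do the decode-and-inspect step described above, so the contents of a production config.xml do not have to be pasted into an online decoder. The sample rule and its embedded U+200B zero-width space are constructed; replace SAMPLE_B64 with the Base64 string copied from a backup of your own config.xml.

```python
import base64
import unicodedata

# Constructed sample: a suppress rule with a zero-width space hidden in the IP.
SAMPLE_TEXT = (
    "#constructed sample entry\n"
    "suppress gen_id 1, sig_id 2210021, track by_src, ip 192.0.2.\u200b10\n"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_TEXT.encode("utf-8")).decode("ascii")


def is_plain(ch):
    """Printable ASCII plus tab and carriage return are treated as harmless."""
    return ch in "\t\r" or " " <= ch <= "~"


def find_hidden_chars(b64_text):
    """Decode a Base64 list; return (text, [(line, column, codepoint, name)])."""
    raw = base64.b64decode(b64_text)
    # Undecodable bytes become U+FFFD so they are reported instead of raising.
    text = raw.decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if not is_plain(ch):
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return text, findings


def clean(text):
    """Return the text with every non-plain character removed."""
    return "".join(ch for ch in text if ch == "\n" or is_plain(ch))


def reencode(text):
    """Base64-encode cleaned text, the same encoding the decoded list came in."""
    return base64.b64encode(text.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    decoded, hits = find_hidden_chars(SAMPLE_B64)
    for lineno, col, codepoint, name in hits:
        print(f"line {lineno}, column {col}: {codepoint} {name}")
    print(clean(decoded), end="")
```
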