Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reporter errors "field value missing (CVE_2021_44228::c$http$uri)" #4

Closed
dwdixon opened this issue Dec 15, 2021 · 4 comments
Closed

Reporter errors "field value missing (CVE_2021_44228::c$http$uri)" #4

dwdixon opened this issue Dec 15, 2021 · 4 comments
Assignees
@benjeems
Labels
bug Something isn't working

Comments

@dwdixon
Copy link

dwdixon commented Dec 15, 2021
edited
Loading

I installed this package and I'm seeing some of these crop up in reporter.log and wanted to let you all know. It may have been a transient burst of these errors (I haven't seen any in a while) but I nonetheless had them occur and our checks to the custom scripts API endpoint in our monitoring seemed to not like it at all, seems worth looking into. I saw about 51 of these events in reporter.log within a 1 hour timeframe after initially loading the bundle with this package included.

{"_path":"reporter","_system_name":"redacted","_write_ts":"2021-12-15T22:53:03.090118Z","ts":"2021-12-15T22:53:03.090118Z","level":"Reporter::ERROR","message":"field value missing (CVE_2021_44228::c$http$uri)","location":"/opt/bro/share/zeek/site/packages/customer-bundle/packages/./cve-2021-44228/./CVE_2021_44228.zeek, line 111"}
@dwdixon
Copy link
Author

dwdixon commented Dec 16, 2021
edited
Loading

Just leaving an update that I am in fact seeing more occurrences of these errors which is again tripping the Custom Packages service status to red and is stating "Stopped due to script errors".

@benjeems
Copy link
Collaborator

Thank you @dwdixon , confirmed and being fixed @ynadji FYI

@benjeems benjeems self-assigned this Dec 16, 2021
@benjeems benjeems linked a pull request Dec 16, 2021 that will close this issue
added check for c$http$uri existence when building notice #5
Closed
@benjeems benjeems added the bug Something isn't working label Dec 16, 2021
ynadji added a commit that referenced this issue Dec 16, 2021
@ynadji
Fixes #4. Also does the same fix for c$http$method, which is also opt…
7ca2bfd 
…ional in HTTP::Info and may cause the same failure
ynadji added a commit that referenced this issue Dec 16, 2021
@ynadji
Merge pull request #11 from corelight/field-value-missing
fca3cb1 
Fixes #4. Also does the same fix for c$http$method
@ynadji ynadji mentioned this issue Dec 16, 2021
Merged
@ynadji ynadji closed this as completed in e0d25f3 Dec 16, 2021
@dwdixon
Copy link
Author

dwdixon commented Dec 16, 2021

@benjeems @ynadji Thanks so much for the quick fix, I pulled the new version with the fix and it seems to have made the custom scripts monitoring happy once again etc.

@ynadji
Copy link
Member

ynadji commented Dec 16, 2021

Great! Thanks for reporting. Please open issues for any other problems you see.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@benjeems benjeems

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

added check for c$http$uri existence when building notice corelight/cve-2021-44228
3 participants
@ynadji @dwdixon @benjeems