
[Bug] Suricata rule lookup crash #1516

Closed
L1ghtn1ng opened this Issue Apr 2, 2017 · 9 comments


L1ghtn1ng commented Apr 2, 2017

While trying to look at the rules on 17.1.4 64-bit I get the following crash, and this is even after a reboot:

configd.py: [765dd116-17aa-4f24-87ea-61c7dcb83e14] Script action failed with Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1 at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 477, in execute
    stdout=output_stream, stderr=error_stream)
  File "/usr/local/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"' returned non-zero exit status 1

AdSchellevis commented Apr 2, 2017

@L1ghtn1ng can you execute the following on a console and post the output?

/usr/local/opnsense/scripts/suricata/queryInstalledRules.py /limit "10" /offset "0" /filter "" /sort_by "sid"

L1ghtn1ng commented Apr 2, 2017

AdSchellevis added a commit that referenced this issue Apr 2, 2017

AdSchellevis commented Apr 2, 2017

@L1ghtn1ng can you try 5f17abb?

It looks like there's some unicode text in your rules, which results in parsing issues in sqlite; because I don't have the same files, I can't properly test it here.
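
The failure mode described in this comment, as an added Python 3 example that is not the project's code and not the 5f17abb fix: a constructed rule file with one byte that is not valid UTF-8 inside a msg makes a strict decode raise, while a lenient decode lets a sqlite-backed paged lookup (hypothetical parse_rules/build_db/query_rules helpers mirroring the limit/offset/filter/sort_by parameters of the failing command) still list every rule.

```python
import re
import sqlite3

# Constructed sample: one clean rule and one whose msg carries a Latin-1
# byte (0xE9) that is not valid UTF-8, mimicking "unicode text in your rules".
SAMPLE_RULES = (
    b'alert tcp any any -> any 80 (msg:"ET TEST plain rule"; sid:2000001; rev:1;)\n'
    b'# a comment line\n'
    b'alert tcp any any -> any 443 (msg:"ET TEST caf\xe9 rule"; sid:2000002; rev:2;)\n'
)

# Minimal extraction of the two fields the lookup needs (hypothetical helper).
RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+)')


def strict_decode_fails(raw: bytes) -> bool:
    """True when a strict UTF-8 decode of the bytes raises: the crash path."""
    try:
        raw.decode('utf-8')
        return False
    except UnicodeDecodeError:
        return True


def parse_rules(raw: bytes):
    """Yield (sid, msg) tuples; undecodable bytes become U+FFFD, not an exception."""
    text = raw.decode('utf-8', errors='replace')
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.search(line)
        if m:
            yield int(m.group('sid')), m.group('msg')


def build_db(raw: bytes) -> sqlite3.Connection:
    """Load parsed rules into an in-memory sqlite table of str values."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE rules (sid INTEGER PRIMARY KEY, msg TEXT)')
    db.executemany('INSERT INTO rules (sid, msg) VALUES (?, ?)', parse_rules(raw))
    db.commit()
    return db


def query_rules(db, limit=10, offset=0, filter_text='', sort_by='sid'):
    """Paged, filtered lookup; sort column is allow-listed, values are bound."""
    if sort_by not in ('sid', 'msg'):
        raise ValueError('unsupported sort column')
    return db.execute(
        f'SELECT sid, msg FROM rules WHERE msg LIKE ? ORDER BY {sort_by} LIMIT ? OFFSET ?',
        ('%' + filter_text + '%', limit, offset),
    ).fetchall()
```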

L1ghtn1ng commented Apr 2, 2017

@AdSchellevis That did the trick, they now load. I am just using the rules that come in OPNsense.

L1ghtn1ng commented Apr 2, 2017

Can we get this pulled in for 17.1.5?

AdSchellevis commented Apr 2, 2017

@L1ghtn1ng ok, thanks for confirming. Let's ask @fichtner if he can pull this one in.

fichtner commented Apr 3, 2017

I think I have another case, if this is confirmed there too it's going into 17.1.5 for sure.

As for the trigger of this issue, I don't see anything in particular, maybe a Framework change in the ports? Or did ET Open rules maybe start embedding UTF-8? The timing for 17.1.4 is off: it was released on Wednesday, but reports for this problem are not older than 24 hours...

@fichtner fichtner added the bug label Apr 3, 2017

@fichtner fichtner added this to the 17.7 milestone Apr 3, 2017

L1ghtn1ng commented Apr 3, 2017

@fichtner

fichtner commented Apr 3, 2017

Confirmed. Backport+Close.

@fichtner fichtner closed this Apr 3, 2017

fichtner added a commit that referenced this issue Apr 3, 2017

(ids) fix for #1516
(cherry picked from commit 5f17abb)