Bug #11605

Suricata can trigger PHP crash on SG-3100

Added by Justin P about 2 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 03/02/2021
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.x
Affected Architecture: SG-3100

Description

Suricata and SNORT won't start on 21.02p1 SG3100. Appears to be an issue related to PHP; see the following post for more information:

https://forum.netgate.com/topic/161050/snort-won-t-start-after-upgrade-to-21-02-on-sg-3100/13

Current workaround is to revert to 2.4.5_1

History

#1 Updated by Marcos Mendoza about 1 month ago

Tested on [21.02.2 built on Thu Mar 11 09:10:56 EST 2021] with Suricata 4.1.9_5 on a fresh install.
  1. Enable ETOpen rules and force update of rules
  2. On "Services / Suricata / Interfaces" click "Add"
  3. Default interface is WAN; click "Save"
    Result:
    Page times out with HTTP 502 error
    System log shows:
    Mar 11 19:35:36     nginx         2021/03/11 19:35:36 [error] 67394#100107: *177 upstream prematurely closed connection while reading response header from upstream, client: 10.0.5.50, server: , request: "POST /suricata/suricata_interfaces_edit.php?id=0 HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "10.0.20.103", referrer: "https://10.0.20.103/suricata/suricata_interfaces_edit.php?id=0" 
    Mar 11 19:35:36     kernel         pid 15438 (php-fpm), jid 0, uid 0: exited on signal 11 (core dumped) 
    

    Crash report on dashboard shows up and says:
    [11-Mar-2021 19:28:27 Etc/UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/local/pkg/suricata/suricata_check_for_rule_updates.php on line 684
    

It seems this only happens the first time, as deleting and re-adding the interface did not trigger the crash.

Additionally, changing to the categories tab without saving the interface first can also lead to a PHP crash:
  1. On "Services / Suricata / Interfaces" click "Add"
  2. Default interface is WAN; click "WAN Categories"
  3. Tab names are now "Iface" instead of "WAN"
  4. Check a rule and click save
    Result:
    Page times out with HTTP 502 error
    System log shows:
    Mar 11 19:48:20     nginx         2021/03/11 19:48:20 [error] 67394#100107: *609 upstream prematurely closed connection while reading response header from upstream, client: 10.0.5.50, server: , request: "POST /suricata/suricata_rulesets.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "10.0.20.103", referrer: "https://10.0.20.103/suricata/suricata_rulesets.php" 
    Mar 11 19:48:20     kernel         pid 506 (php-fpm), jid 0, uid 0: exited on signal 11 (core dumped) 
    

Likely related #11466
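
Added example, not part of the original report or of pfSense's own code: a Python script that pairs each kernel "php-fpm ... exited on signal 11" entry (a segmentation fault) with nginx "upstream prematurely closed connection" errors logged within a short window, showing which request coincided with each crash. The sample log is constructed from the lines quoted above plus one unrelated 502 entry; the function names, the 2-second window and the `year` argument (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the log lines quoted in the report (whitespace collapsed,
# referrer dropped) plus one constructed 502 that has no matching crash.
SAMPLE_LOG = """\
Mar 11 19:35:36 nginx 2021/03/11 19:35:36 [error] 67394#100107: *177 upstream prematurely closed connection while reading response header from upstream, client: 10.0.5.50, server: , request: "POST /suricata/suricata_interfaces_edit.php?id=0 HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "10.0.20.103"
Mar 11 19:35:36 kernel pid 15438 (php-fpm), jid 0, uid 0: exited on signal 11 (core dumped)
Mar 11 19:40:02 nginx 2021/03/11 19:40:02 [error] 67394#100107: *300 upstream prematurely closed connection while reading response header from upstream, client: 10.0.5.50, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "10.0.20.103"
Mar 11 19:48:20 nginx 2021/03/11 19:48:20 [error] 67394#100107: *609 upstream prematurely closed connection while reading response header from upstream, client: 10.0.5.50, server: , request: "POST /suricata/suricata_rulesets.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "10.0.20.103"
Mar 11 19:48:20 kernel pid 506 (php-fpm), jid 0, uid 0: exited on signal 11 (core dumped)
"""

TS = r'^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+'
NGINX = re.compile(TS + r'nginx\s.*upstream prematurely closed connection.*request: "(\w+) (\S+) ')
KERNEL = re.compile(TS + r'kernel\s+pid (\d+) \(php-fpm\).*exited on signal (\d+)')


def parse_ts(stamp, year):
    # Syslog timestamps omit the year, so the caller supplies it.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def correlate(log_text, window_s=2, year=2021):
    """Pair each php-fpm crash with nginx upstream-closed errors within window_s seconds."""
    closed, crashes = [], []
    for line in log_text.splitlines():
        if m := NGINX.match(line):
            closed.append((parse_ts(m[1], year), m[2], m[3]))
        elif m := KERNEL.match(line):
            crashes.append((parse_ts(m[1], year), int(m[2]), int(m[3])))
    findings = []
    for when, pid, sig in crashes:
        reqs = [f"{method} {uri}" for t, method, uri in closed
                if abs((t - when).total_seconds()) <= window_s]
        findings.append({"time": when, "pid": pid, "signal": sig, "requests": reqs})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding["time"], "pid", finding["pid"], "signal", finding["signal"], finding["requests"])
```

A crash entry with an empty `requests` list means php-fpm died without a web request logged in the window, which points away from the GUI pages described in this report.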

#2 Updated by Marcos Mendoza about 1 month ago

  • Subject changed from Suricata won't start on 21.02p1 SG3100 to Suricata can trigger PHP crash on SG-3100
