Bug #13333
closed
PHP error when saving Suricata rulesets
0%
Description
In some cases, $enabled_rulesets_array in suricata_rulesets.php may not be an array which results in the following PHP errors:
[27-Apr-2022 17:57:15 America/Mexico_City] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 751 [27-Apr-2022 18:00:01 America/Mexico_City] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 492 [27-Apr-2022 18:00:01 America/Mexico_City] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 559 [27-Apr-2022 18:00:01 America/Mexico_City] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 626
This was triggered when existing rules were auto-enabled by SID Mgmt.
Updated by Bill Meeks almost 3 years ago
Can you add a little more detail for this statement: " This was triggered when existing rules were auto-enabled by SID Mgmt "? When you say "existing rules", does that mean the same SID values were already enabled elsewhere in the GUI and the SID Mgmt settings are matching the same SIDs and attempting to enable them again? Just checking to make sure I am correctly understanding "existing rules" in the context of this bug report.
Thanks!
Bill
Updated by Marcos M almost 3 years ago
It happened a while ago as you can tell from the timestamp, unfortunately I don't remember the exact details to reproduce it. By existing rules, I mean the rulesets/categories e.g. emerging-bocc.rules. They had been already enabled by SID Mgmt, and using the Select All button and saving (iirc) would trigger it. I tried to reproduce it today and couldn't, but from what I can tell, the code hasn't been updated to deal with it. Hence I don't believe it's fixed and there should likely be some safeguard against it.
Updated by Bill Meeks almost 3 years ago
Marcos Mendoza wrote in #note-2:
It happened a while ago as you can tell from the timestamp, unfortunately I don't remember the exact details to reproduce it. By existing rules, I mean the rulesets/categories e.g.
emerging-bocc.rules. They had been already enabled by SID Mgmt, and using the Select All button and saving (iirc) would trigger it. I tried to reproduce it today and couldn't, but from what I can tell, the code hasn't been updated to deal with it. Hence I don't believe it's fixed and there should likely be some safeguard against it.
Thanks. That helps me isolate the potential trigger area of the code. I've added this to my own internal bug tracking as well and will look into it some more.
Updated by Bill Meeks almost 3 years ago
This issue has been addressed in the new pfSense-pkg-suricata-6.0.6 update. Pull request posted here: https://github.com/pfsense/FreeBSD-ports/pull/1179.
Updated by Bill Meeks almost 3 years ago
The pull request has been merged to correct this issue and it can be marked "Resolved".