Bug #13333

open

PHP error when saving Suricata rulesets

Added by Marcos M about 1 month ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
% Done: 0%

Description

In some cases, $enabled_rulesets_array in suricata_rulesets.php may not be an array, which results in the following PHP errors:

[27-Apr-2022 17:57:15 America/Mexico_City] PHP Warning:  in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 751
[27-Apr-2022 18:00:01 America/Mexico_City] PHP Warning:  in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 492
[27-Apr-2022 18:00:01 America/Mexico_City] PHP Warning:  in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 559
[27-Apr-2022 18:00:01 America/Mexico_City] PHP Warning:  in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 626

This was triggered when existing rules were auto-enabled by SID Mgmt.

Actions #1

Updated by Bill Meeks about 1 month ago

Can you add a little more detail for this statement: "This was triggered when existing rules were auto-enabled by SID Mgmt"? When you say "existing rules", does that mean the same SID values were already enabled elsewhere in the GUI and the SID Mgmt settings are matching the same SIDs and attempting to enable them again? Just checking to make sure I am correctly understanding "existing rules" in the context of this bug report.

Thanks!
Bill

Actions #2

Updated by Marcos M about 1 month ago

It happened a while ago, as you can tell from the timestamp; unfortunately, I don't remember the exact details to reproduce it. By existing rules, I mean the rulesets/categories, e.g. emerging-bocc.rules. They had been already enabled by SID Mgmt, and using the Select All button and saving (iirc) would trigger it. I tried to reproduce it today and couldn't, but from what I can tell, the code hasn't been updated to deal with it. Hence I don't believe it's fixed and there should likely be some safeguard against it.

Actions #3

Updated by Bill Meeks about 1 month ago

Marcos Mendoza wrote in #note-2:

It happened a while ago, as you can tell from the timestamp; unfortunately, I don't remember the exact details to reproduce it. By existing rules, I mean the rulesets/categories, e.g. emerging-bocc.rules. They had been already enabled by SID Mgmt, and using the Select All button and saving (iirc) would trigger it. I tried to reproduce it today and couldn't, but from what I can tell, the code hasn't been updated to deal with it. Hence I don't believe it's fixed and there should likely be some safeguard against it.

Thanks. That helps me isolate the potential trigger area of the code. I've added this to my own internal bug tracking as well and will look into it some more.

Actions #4

Updated by Bill Meeks about 1 month ago

This issue has been addressed in the new pfSense-pkg-suricata-6.0.6 update. Pull request posted here: https://github.com/pfsense/FreeBSD-ports/pull/1179.

Actions #5

Updated by Bill Meeks about 1 month ago

The pull request has been merged to correct this issue and it can be marked "Resolved".
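
The kind of safeguard asked for in note #2, as an added example that is not taken from the pfSense package or from the merged pull request: the stored selection is coerced to a list before any in_array() call, so a string or empty value can no longer raise the warning (PHP 7, where the check then yields null) or a TypeError (PHP 8). The helper names and the "||" delimiter for a string-encoded selection are assumptions; the inputs are constructed, using the ruleset name from note #2 plus a made-up one.

```php
<?php
// Added example: hypothetical helpers, not code from pfSense-pkg-suricata.

// Assumption: a selection stored as a string separates names with "||".
const RULESET_DELIM = '||';

/**
 * Coerce a stored ruleset selection (array, string, null, ...) into a
 * clean list of ruleset file names that is always safe for in_array().
 */
function normalize_rulesets($value): array
{
    if (is_string($value)) {
        $value = explode(RULESET_DELIM, $value);
    } elseif (!is_array($value)) {
        return [];                      // null/bool/int: nothing enabled
    }
    $names = [];
    foreach ($value as $item) {
        if (!is_string($item)) {
            continue;                   // ignore nested or non-string entries
        }
        $item = trim($item);
        if ($item !== '') {
            $names[] = $item;           // drop the '' that explode('') yields
        }
    }
    return array_values(array_unique($names));
}

/** Strict membership test that never passes a non-array to in_array(). */
function ruleset_enabled(string $file, $stored): bool
{
    return in_array($file, normalize_rulesets($stored), true);
}

// Constructed sample inputs covering the shapes the value might take.
$samples = [
    'array'        => ['example-a.rules', 'emerging-bocc.rules'],
    'string'       => 'example-a.rules||emerging-bocc.rules',
    'empty string' => '',
    'null'         => null,
];
foreach ($samples as $label => $stored) {
    $hit = ruleset_enabled('emerging-bocc.rules', $stored);
    printf("%-12s => %s\n", $label, var_export($hit, true));
}
```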
