Regression #15713
closed
Suricata Files tab shows nothing due to unassigned variable in ``suricata_files.php``
100%
Description
Hi, there is a PHP coding bug in the interface of Suricata Files tab - this is where you would see uploaded/downloaded files show up after a proper alert rule is made and a detection fires.
On line 77 of ``/usr/local/www/suricata/suricata_files.php`` the 'id' variable used to retrieve Suricata's config is undefined, which results in no files being shown even though the appropriate eve.json log contains the records:
$a_instance = config_get_path("installedpackages/suricata/rule/{$id}", []);
Replacing the above with the below resolves the issue and is in line with what other Suricata PHP files do:
$a_instance = config_get_path("installedpackages/suricata/rule/{$instanceid}", []);
Steps to reproduce:
1. Enable EVE JSON Log with the FILE Output type and set the Tracked-Files Checksum to MD5/SHA1 etc.
2. Create a custom ALERT rule on the test interface - for example:
alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)
3. Perform a sample download/upload of a file over HTTP and verify that Suricata created an Alert.
4. Observe your file entry in the /var/log/suricata/suricata_(interface)(uuid)/eve.json log with the same command used in suricata_files.php on line 463:
/usr/bin/grep filename /var/log/suricata/suricata_eth01234/eve.json
5. Go to pfSense GUI Services->Suricata->Files and observe no files being listed.
Let me know how I can help further.
-Anton
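An added example, not part of the original report or of the pfSense Suricata package: a Python check that a copy of the interface's eve.json contains file records, independent of what the GUI shows. Unlike the grep in step 4, it parses each line and keeps only `fileinfo` events; the sample lines and the function name `file_records` are constructed for illustration.

```python
import json
import sys

# Constructed sample EVE lines (not from the report); the last one is truncated.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00+0000","event_type":"alert",'
    '"alert":{"signature_id":1,"signature":"FILE store all"}}',
    '{"timestamp":"2024-01-01T10:00:01+0000","event_type":"fileinfo",'
    '"src_ip":"198.51.100.5","dest_ip":"192.0.2.10","app_proto":"http",'
    '"fileinfo":{"filename":"/downloads/test.bin","state":"CLOSED",'
    '"stored":true,"size":2048,"md5":"CONSTRUCTED-MD5-PLACEHOLDER"}}',
    '{"timestamp":"2024-01-01T10:00:02+0000","event_type":"fileinfo","filei',
]


def file_records(lines):
    """Return (records, skipped): parsed fileinfo events and unparseable lines."""
    records, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # e.g. a line still being written, or cut by rotation
            continue
        if not isinstance(event, dict) or event.get("event_type") != "fileinfo":
            continue
        info = event.get("fileinfo")
        if not isinstance(info, dict):
            continue
        records.append({
            "timestamp": event.get("timestamp"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "filename": info.get("filename"),
            "size": info.get("size"),
            "state": info.get("state"),
            "stored": info.get("stored", False),
            # Checksums are present only if Suricata computed them for the file.
            "hashes": {k: info[k] for k in ("md5", "sha1", "sha256") if k in info},
        })
    return records, skipped


if __name__ == "__main__":
    # Pass the path to a copy of eve.json, or run without arguments for the sample.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_EVE
    found, bad = file_records(source)
    for rec in found:
        print(rec["timestamp"], rec["filename"], rec["size"], rec["stored"], rec["hashes"])
    print(f"{len(found)} file record(s), {bad} unparseable line(s)", file=sys.stderr)
```

If this lists records while the Files tab stays empty, the log side is working and the problem is in the GUI lookup described above.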
Updated by Bill Meeks 3 months ago
Yes, that is a copy-paste typo error in the PHP code. Should be $instanceid as you surmised. I will add this to my TODO list and post a pull request with the correction soon.
Updated by Bill Meeks 3 months ago
A Pull Request containing the fix for this issue has been posted against the RELENG_2_7_2 CE branch of pfSense here: https://github.com/pfsense/FreeBSD-ports/pull/1382.
Once this PR is merged, this issue can be marked as "Resolved".