Regression #15713

closed

Suricata Files tab shows nothing due to unassigned variable in ``suricata_files.php``

Added by Anton Pleshakov 2 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Suricata
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.03
Affected Version:
2.7.2
Affected Plus Version:
Affected Architecture:
All

Description

Hi, there is a PHP coding bug in the interface of the Suricata Files tab - this is where you would see uploaded/downloaded files show up after a proper alert rule is made and a detection fires.

On line 77 of ``/usr/local/www/suricata/suricata_files.php`` the 'id' variable used to retrieve Suricata's config is undefined, which results in no files being shown even though the appropriate eve.json log contains the records:

$a_instance = config_get_path("installedpackages/suricata/rule/{$id}", []);

Replacing the above with the below resolves the issue and is in line with what other Suricata PHP files do:

$a_instance = config_get_path("installedpackages/suricata/rule/{$instanceid}", []);

Steps to reproduce:
1. Enable EVE JSON Log with the FILE Output type and set the Tracked-Files Checksum to MD5/SHA1 etc.
2. Create a custom ALERT rule on the test interface - for example:

alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

3. Perform a sample download/upload of a file over HTTP and verify that Suricata created an Alert.
4. Observe your file entry in the /var/log/suricata/suricata_(interface)(uuid)/eve.json log with the same command used in suricata_files.php on line 463:
/usr/bin/grep filename /var/log/suricata/suricata_eth01234/eve.json

5. Go to pfSense GUI Services->Suricata->Files and observe no files being listed.

Let me know how I can help further.

-Anton
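To show why an unassigned variable makes the tab go blank rather than fail loudly, here is an added example (not pfSense's or the Suricata package's own code). demo_config_get_path() is an assumed stand-in for pfSense's config_get_path() that walks a nested array and returns the default when any path segment is missing; the config array and instance values are constructed for the demo.

```php
<?php
// Assumed stand-in for pfSense's config_get_path(): walks a '/'-separated
// path through a nested array and returns $default if any segment is absent.
function demo_config_get_path(array $config, string $path, $default = null) {
    $node = $config;
    foreach (explode('/', $path) as $segment) {
        if (!is_array($node) || !array_key_exists($segment, $node)) {
            return $default;
        }
        $node = $node[$segment];
    }
    return $node;
}

// Constructed sample config: one Suricata instance (index 0) on em0.
$config = [
    'installedpackages' => ['suricata' => ['rule' => [
        0 => ['interface' => 'em0', 'uuid' => 'demo-uuid'],
    ]]],
];
$instanceid = 0; // the value the page handler actually has

// Buggy lookup: $id was never assigned. PHP interpolates an undefined variable
// as an empty string (with only a warning), so the path ends in "rule/" and the
// lookup silently returns the [] default, which renders as an empty Files tab.
$buggy_path = "installedpackages/suricata/rule/" . (isset($id) ? $id : '');
$a_instance_buggy = demo_config_get_path($config, $buggy_path, []);

// Fixed lookup, as in the report: use the variable the script defines.
$a_instance_fixed = demo_config_get_path(
    $config, "installedpackages/suricata/rule/{$instanceid}", []);

// Defensive variant: refuse to render with an unresolved instance instead of
// quietly showing nothing, so a broken lookup is visible to the operator.
function demo_load_instance(array $config, $instanceid): array {
    if (!is_numeric($instanceid)) {
        throw new InvalidArgumentException('invalid Suricata instance id');
    }
    $path = "installedpackages/suricata/rule/{$instanceid}";
    $inst = demo_config_get_path($config, $path, null);
    if ($inst === null) {
        throw new RuntimeException("Suricata instance {$instanceid} not found");
    }
    return $inst;
}

var_dump($a_instance_buggy);
var_dump($a_instance_fixed['interface']);
var_dump(demo_load_instance($config, $instanceid)['uuid']);
```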

Actions #1

Updated by Bill Meeks 2 months ago

Yes, that is a copy-paste typo error in the PHP code. Should be $instanceid as you surmised. I will add this to my TODO list and post a pull request with the correction soon.

Actions #2

Updated by Bill Meeks 2 months ago

A Pull Request containing the fix for this issue has been posted against the RELENG_2_7_2 CE branch of pfSense here: https://github.com/pfsense/FreeBSD-ports/pull/1382.

Once this PR is merged, this issue can be marked as "Resolved".

Actions #3

Updated by Marcos M 2 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
  • Plus Target Version set to 24.03

Merged into 2.7.2/24.03 and devel/plus-devel.

Actions #4

Updated by Marcos M 2 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Web Interface to Suricata
  • Release Notes deleted (Default)