Regression #15713

closed

Suricata Files tab shows nothing due to unassigned variable in ``suricata_files.php``

Added by Anton Pleshakov 2 months ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.03
Affected Version: 2.7.2
Affected Plus Version:
Affected Architecture: All

Description

Hi, there is a PHP coding bug in the interface of the Suricata Files tab - this is where you would see uploaded/downloaded files show up after a proper alert rule is made and a detection fires.

On line 77 of ``/usr/local/www/suricata/suricata_files.php`` the 'id' variable used to retrieve Suricata's config is undefined, which results in no files being shown even though the appropriate eve.json log contains the records:

$a_instance = config_get_path("installedpackages/suricata/rule/{$id}", []);

Replacing the above with the below resolves the issue and is in line with what other Suricata PHP files do:

$a_instance = config_get_path("installedpackages/suricata/rule/{$instanceid}", []);

Steps to reproduce:

1. Enable EVE JSON Log with the FILE Output type and set the Tracked-Files Checksum to MD5/SHA1 etc.
2. Create a custom ALERT rule on the test interface - for example:

alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

3. Perform a sample download/upload of a file over HTTP and verify that Suricata created an Alert.
4. Observe your file entry in the /var/log/suricata/suricata_(interface)(uuid)/eve.json log with the same command used in suricata_files.php on line 463:

/usr/bin/grep filename /var/log/suricata/suricata_eth01234/eve.json

5. Go to pfSense GUI Services->Suricata->Files and observe no files being listed.

Let me know how I can help further.

-Anton
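
An added example, not part of the original report or the pfSense package code: a structured alternative to the grep in step 4 that confirms file records exist in eve.json independently of the GUI. It assumes the standard Suricata EVE `fileinfo` field names; the function name `file_records` and the sample lines are constructed for illustration.

```python
import json

# Constructed sample EVE lines (not from the report): the alert raised by the
# filestore rule, one fileinfo record, and one line truncated mid-write.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5",'
    '"alert":{"signature_id":1,"signature":"FILE store all"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"fileinfo",'
    '"src_ip":"198.51.100.5","dest_ip":"192.0.2.10","app_proto":"http",'
    '"fileinfo":{"filename":"/test.bin","state":"CLOSED","stored":true,'
    '"size":1024,"md5":"00000000000000000000000000000000"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"filei',
]


def file_records(lines):
    """Return one summary dict per fileinfo event; skip lines that do not parse."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line, e.g. log still being appended
        info = event.get("fileinfo")
        if event.get("event_type") != "fileinfo" or not isinstance(info, dict):
            continue  # alerts and other event types are not file records
        # Only the checksums enabled under Tracked-Files Checksum are present.
        checksums = {k: info[k] for k in ("md5", "sha1", "sha256") if k in info}
        records.append({
            "timestamp": event.get("timestamp"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "filename": info.get("filename"),
            "size": info.get("size"),
            "stored": bool(info.get("stored", False)),
            "checksums": checksums,
        })
    return records


if __name__ == "__main__":
    for rec in file_records(SAMPLE_EVE):
        print(rec)
```

To run it against a live log, pass an open file handle for the interface's eve.json instead of `SAMPLE_EVE`; a non-empty result alongside an empty Files tab points at the GUI rather than at logging.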
