Project

General

Profile

Actions

Bug #3154

closed

int() argument must be a string or a number, not 'NoneType'

Added by Kenneth Kolano over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Low
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I started seeing this error while making .conf file modifications to drop a flowbit rule. Even after renaming disable.conf, drop.conf, and modify.conf so they will no longer be applied it still occurs. Unclear what's causing it /wo any of my modified config applied anymore.

6/9/2019 -- 12:12:53 - <Debug> -- This is suricata-update version 1.0.5 (rev: None); Python: 2.7.16 (default, Apr  6 2019, 01:42:57) - [GCC 8.3.0]
6/9/2019 -- 12:12:53 - <Info> -- Loading /etc/suricata/update.yaml
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value force -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value verbose -> True
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value enable -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value no-merge -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value version -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value dump-sample-configs -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value no-test -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value subcommand -> update
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value modify -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value no-reload -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value no-ignore -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value disable -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value etopen -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value now -> False
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value url -> []
6/9/2019 -- 12:12:53 - <Debug> -- Setting configuration value drop -> False
6/9/2019 -- 12:12:53 - <Debug> -- Found suricata at /usr/bin/suricata
6/9/2019 -- 12:12:53 - <Info> -- Using data-directory /var/lib/suricata.
6/9/2019 -- 12:12:53 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
6/9/2019 -- 12:12:53 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
6/9/2019 -- 12:12:53 - <Info> -- Found Suricata version 4.1.4 at /usr/bin/suricata.
6/9/2019 -- 12:12:53 - <Info> -- Loading /etc/suricata/enable.conf.
6/9/2019 -- 12:12:53 - <Debug> -- Parsing regex matcher: re:ET SCAN
6/9/2019 -- 12:12:53 - <Info> -- Loading /etc/suricata/suricata.yaml
6/9/2019 -- 12:12:53 - <Info> -- Disabling rules with proto modbus
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source oisf/trafficid to URL https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source sslbl/ja3-fingerprints to URL https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/portgroupedbotcc to URL https://rules.emergingthreats.net/blockrules/emerging-botcc.portgrouped.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source ptresearch/attackdetection to URL https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/compromised to URL https://rules.emergingthreats.net/blockrules/emerging-compromised.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/ciarmy to URL https://rules.emergingthreats.net/blockrules/emerging-ciarmy.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/spamhaus to URL https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/open to URL https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source snort/registered to URL https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=0620450108513d84067863fcc0212cc98d99ad2e.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source snort/community2 to URL https://snort.org/downloads/community/community-rules.tar.gz.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/tor to URL https://rules.emergingthreats.net/blockrules/emerging-tor.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source sslbl/ssl-fp-blacklist to URL https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source tgreen/hunting to URL https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/botcc to URL https://rules.emergingthreats.net/blockrules/emerging-botcc.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source et/blockrules/dshield to URL https://rules.emergingthreats.net/blockrules/emerging-dshield.suricata.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Resolved source etnetera/aggressive to URL https://security.etnetera.cz/feeds/etn_aggressive.rules.
6/9/2019 -- 12:12:54 - <Debug> -- Adding source https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz.
6/9/2019 -- 12:12:54 - <Debug> -- Adding source https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-ciarmy.suricata.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://snort.org/downloads/community/community-rules.tar.gz.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-botcc.suricata.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-tor.suricata.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-dshield.suricata.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-botcc.portgrouped.suricata.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-compromised.suricata.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.
6/9/2019 -- 12:12:54 - <Info> -- Last download less than 15 minutes ago. Not downloading https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=0620450108513d84067863fcc0212cc98d99ad2e.
^C6/9/2019 -- 12:12:55 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules.
6/9/2019 -- 12:12:55 - <Info> -- Last download less than 15 minutes ago. Not downloading https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
6/9/2019 -- 12:12:55 - <Info> -- Last download less than 15 minutes ago. Not downloading https://security.etnetera.cz/feeds/etn_aggressive.rules.
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass-http.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass-ftp.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass-nfs.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass-smb.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass-smtp.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/pass-whitelist.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/otx_file_rules.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/otx_iprep.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/phishtank.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/malwaredomainlist.url.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/malwaredomainlist.domain.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/sslblacklist_tls_cert.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/urlhaus.rules
6/9/2019 -- 12:12:55 - <Info> -- Loading local file /etc/suricata/rules/feodotracker.rules
6/9/2019 -- 12:12:55 - <Info> -- Ignoring file rules/emerging-deleted.rules
6/9/2019 -- 12:12:55 - <Debug> -- Parsing etn_aggressive.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing rules/emerging-shellcode.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing rules/emerging-trojan.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing /etc/suricata/rules/pass-nfs.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing rules/emerging-scada.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing /etc/suricata/rules/pass-smtp.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing /etc/suricata/rules/pass-whitelist.rules.
6/9/2019 -- 12:12:55 - <Debug> -- Parsing rules/emerging-web_server.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/botcc.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing /etc/suricata/rules/sslblacklist_tls_cert.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/drop.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing /etc/suricata/rules/pass-http.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/emerging-smtp.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing emerging-botcc.suricata.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/pt-rules.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/emerging-rpc.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/emerging-mobile_malware.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing rules/emerging-icmp.rules.
6/9/2019 -- 12:12:56 - <Debug> -- Parsing /etc/suricata/rules/phishtank.rules.
6/9/2019 -- 12:12:57 - <Debug> -- Parsing rules/emerging-activex.rules.
6/9/2019 -- 12:12:57 - <Debug> -- Parsing rules/emerging-policy.rules.
6/9/2019 -- 12:12:57 - <Debug> -- Parsing rules/emerging-user_agents.rules.
6/9/2019 -- 12:12:57 - <Debug> -- Parsing rules/emerging-dns.rules.
6/9/2019 -- 12:12:57 - <Debug> -- Parsing community-rules/community.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-misc.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-ftp.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-sql.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing emerging-compromised.suricata.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-inappropriate.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-tftp.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing /etc/suricata/rules/otx_iprep.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-netbios.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing /etc/suricata/rules/malwaredomainlist.domain.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing emerging-tor.suricata.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-chat.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing /etc/suricata/rules/otx_file_rules.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing sslblacklist.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-dos.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-worm.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/tor.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-icmp_info.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing emerging-botcc.portgrouped.suricata.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-attack_response.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing rules/emerging-telnet.rules.
6/9/2019 -- 12:12:58 - <Debug> -- Parsing /etc/suricata/rules/feodotracker.rules.
6/9/2019 -- 12:12:59 - <Debug> -- Parsing rules/emerging-web_specific_apps.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing rules/dshield.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing /etc/suricata/rules/pass-smb.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing rules/emerging-games.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing rules/emerging-voip.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing /etc/suricata/rules/pass.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing rules/ciarmy.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing trafficid.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing /etc/suricata/rules/pass-ftp.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing hunting.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing rules/emerging-snmp.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing emerging-ciarmy.suricata.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing rules/emerging-exploit.rules.
6/9/2019 -- 12:13:00 - <Debug> -- Parsing /etc/suricata/rules/urlhaus.rules.
6/9/2019 -- 12:13:01 - <Debug> -- Parsing rules/emerging-malware.rules.
6/9/2019 -- 12:13:01 - <Debug> -- Parsing rules/emerging-info.rules.
6/9/2019 -- 12:13:01 - <Debug> -- Parsing rules/compromised.rules.
6/9/2019 -- 12:13:01 - <Debug> -- Parsing emerging-drop.suricata.rules.
6/9/2019 -- 12:13:01 - <Debug> -- Parsing /etc/suricata/rules/malwaredomainlist.url.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/emerging-current_events.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/emerging-p2p.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/emerging-scan.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing emerging-dshield.suricata.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/emerging-imap.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/emerging-web_client.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/botcc.portgrouped.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing rules/emerging-pop3.rules.
6/9/2019 -- 12:13:02 - <Debug> -- Parsing ja3_fingerprints.rules.
6/9/2019 -- 12:13:03 - <Info> -- Loaded 68241 rules.
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000536] ET SCAN NMAP -sO
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009582] ET SCAN NMAP -sS window 1024
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000540] ET SCAN NMAP -sA (2)
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2003870] ET SCAN ProxyReconBot POST method to Mail
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2017142] ET SCAN Arachni Web Scan
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2016763] ET SCAN Non-Malicious SSH/SSL Scanner on the run
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000546] ET SCAN NMAP -f -sX
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2010343] ET SCAN pangolin SQL injection tool
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000543] ET SCAN NMAP -f -sF
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2001904] ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2011031] ET SCAN HTTP GET invalid method case
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009476] ET SCAN Possible jBroFuzz Fuzzer Detected
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2001553] ET SCAN Possible SSL Brute Force attack or Site Crawl
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000545] ET SCAN NMAP -f -sV
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2011368] ET SCAN Malformed Packet SYN RST
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2011034] ET SCAN HTTP OPTIONS invalid method case
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000538] ET SCAN NMAP -sA (1)
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2008230] ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009768] ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000544] ET SCAN NMAP -f -sN
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009885] ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009286] ET SCAN Modbus Scanning detected
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2011033] ET SCAN HTTP HEAD invalid method case
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2014893] ET SCAN critical.io Scan
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009584] ET SCAN NMAP -sS window 4096
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009767] ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2000537] ET SCAN NMAP -sS window 2048
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2011367] ET SCAN Malformed Packet SYN FIN
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2002973] ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009749] ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009583] ET SCAN NMAP -sS window 3072
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2009884] ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2012755] ET SCAN Possible SQLMAP Scan
6/9/2019 -- 12:13:03 - <Debug> -- Enabling: # [1:2011032] ET SCAN HTTP POST invalid method case
6/9/2019 -- 12:13:04 - <Info> -- Disabled 0 rules.
6/9/2019 -- 12:13:04 - <Info> -- Enabled 34 rules.
6/9/2019 -- 12:13:04 - <Info> -- Modified 0 rules.
6/9/2019 -- 12:13:04 - <Info> -- Dropped 0 rules.
6/9/2019 -- 12:13:05 - <Debug> -- Found 349 required flowbits.
6/9/2019 -- 12:13:05 - <Debug> -- Found 53 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- Found 350 required flowbits.
6/9/2019 -- 12:13:05 - <Debug> -- Found 0 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- All required rules enabled.
6/9/2019 -- 12:13:05 - <Info> -- Enabled 50 rules for flowbit dependencies.
6/9/2019 -- 12:13:05 - <Info> -- Backing up current rules.
6/9/2019 -- 12:13:06 - <Debug> -- Recording existing file /var/lib/suricata/rules/suricata.rules with hash 'bcab609a88b53954effb0a3691a91776'.
Traceback (most recent call last):
  File "/usr/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1458, in main
    sys.exit(_main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1401, in _main
    write_merged(os.path.join(output_filename), rulemap)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 583, in write_merged
    oldset[rule.id] = True
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/rule.py", line 121, in id
    return (int(self.gid), int(self.sid))
TypeError: int() argument must be a string or a number, not 'NoneType'
Actions #1

Updated by Kenneth Kolano over 5 years ago

At least one thing that's weird in the debug logs, are the multiple misaligned counts of flowbit rewquirements...

6/9/2019 -- 12:13:05 - <Debug> -- Found 53 rules to enable to for flowbit requirements
6/9/2019 -- 12:13:05 - <Debug> -- Found 0 rules to enable to for flowbit requirements

Actions #2

Updated by Kenneth Kolano over 5 years ago

I've been able to get this to re-occur, but I'm still unclear of the specifics. Seems to have something to do with adding / removing the following in order to disable a flowbit rule:

modify.conf:
1:2018959 "flowbits:.*;" ""

disable.conf
1:2018959

Actions #3

Updated by Kenneth Kolano over 5 years ago

Guessing this is due to the modify rule using a greedy match, which replaced many parts of the rule and not just the flowbits portion of the rule. Which likely resulted in a rule without a SID.

  • Warnings should be output for such rather than crashing.
  • Something else weird is occurring, as removing that modify.conf line would not resolve the issue after it occured; perhaps related to parsing of backup files
Actions #4

Updated by Shivani Bhardwaj over 5 years ago

Kenneth Kolano wrote:

Guessing this is due to the modify rule using a greedy match, which replaced many parts of the rule and not just the flowbits portion of the rule. Which likely resulted in a rule without a SID.

Correct. suricata-update uses python re library, see here: https://docs.python.org/3/library/re.html

It mentions about the '*' character that it does a greedy match and for your regex, it tends to remove everything after the flowbits, to avoid that, use

1:2018959 "flowbits:.*?;" ""
. This seems to be working fine on my end, let me know if this seems to be failing for your usecase.

  • Warnings should be output for such rather than crashing.

In the latest master if you'll check, we raise an exception with a clearer message for such cases however, it is not a regular output, it is a traceback since sid is crucial for any rule.

raise BadSidError("Sid cannot be of type null")
suricata.update.rule.BadSidError: Sid cannot be of type null
  • Something else weird is occurring, as removing that modify.conf line would not resolve the issue after it occured; perhaps related to parsing of backup files

Yes, the code to overwrite the old rule file was never executed because of the error. This has also been fixed in the latest master with the exception as mentioned above.

So, in case regex is incorrect, its fairly hard to figure out with code unless it is something that causes major damage. If you have any suggestions for dealing with such situations, they're very welcome.

Actions #5

Updated by Shivani Bhardwaj over 5 years ago

  • Status changed from New to Assigned
Actions #6

Updated by Victor Julien over 5 years ago

  • Target version set to TBD
Actions #7

Updated by Shivani Bhardwaj about 5 years ago

  • Priority changed from Normal to Low

Hi, Kenneth!
Does the above solution fix problem for you? Let me know if the issue still persists.

Actions #8

Updated by Shivani Bhardwaj about 5 years ago

  • Status changed from Assigned to Closed

Please feel free to open a new issue in case you still see any problem. Thank you.

Actions

Also available in: Atom PDF