pfSense Suricata Crashes on Malformed Blocklist Entry

Subject:
Suricata is crashing my pfSense box. It looks like it is trying to parse an intentionally malformed blocklist entry

System Details:
Operating System: pfSense 2.7.0
Suricata Version: 6.0.13

Crash Details:

PHP Errors:
[18-Oct-2023 23:50:07 UTC] PHP Fatal error:  Uncaught ValueError: date_create_from_format(): Argument #2 ($datetime) must not contain any null bytes in /usr/local/www/suricata/suricata_blocked.php:326
Stack trace:
#0 /usr/local/www/suricata/suricata_blocked.php(326): date_create_from_format('m/d/Y-H:i:s.u', '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...')
#1 {main}
  thrown in /usr/local/www/suricata/suricata_blocked.php on line 326

It looks like this is an intentionally malformed connection packet. I also think we should probably not be crashing, but handling this error in a safer manner. It seems very unsafe to 500 because someone sends a malformed packet. How can I safely patch this behavior?

I can attach the full PHP crash dump if needed, but I think there’s enough info here to get started.

Hi,

Please report this to the pfSense team, since we provide no PHP code at all. So this is more pfSense specific than it is Suricata specific.

Sounds good. I suspected it was in the blocklist code. But, it makes sense that it’s on their end. Thank you!

I am the volunteer package creator/maintainer of the Suricata package for pfSense.

This problem was reported on the pfSense IDS/IPS forum and addressed there. There is no exploit and the problem is not an intentionally malformed connection packet. It is simply the result of an unexpected NULL value encountered while parsing the log file that is created by the custom blocking plugin compiled into Suricata on pfSense. Crashing the current PHP process for a GUI tab has no impact on the underlying Suricata daemon.

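For readers who want to see what "handling this error in a safer manner" looks like in PHP code, the following is an added example, not code from the pfSense Suricata package or from anyone in this thread. It assumes a hypothetical block log whose first comma-separated field is a timestamp in the 'm/d/Y-H:i:s.u' format shown in the stack trace (the real log layout is not given here), and it shows how a wrapper around date_create_from_format() can reject NUL bytes and other unparsable values before PHP 8 throws the uncaught ValueError, so a bad record is skipped rather than taking down the GUI request.

```php
<?php
// Added example (not the pfSense package's own code): a defensive wrapper
// around the date parsing that crashed in the trace above. PHP 8 throws
// ValueError when the datetime string contains a NUL byte, so we reject such
// input (and any other unparsable value) and return null instead of letting
// an uncaught exception end the PHP process for the GUI tab.

declare(strict_types=1);

// Format copied from the stack trace.
const BLOCK_LOG_TS_FORMAT = 'm/d/Y-H:i:s.u';

function parse_block_timestamp(string $raw): ?DateTimeImmutable
{
    // NUL bytes mean a zero-filled or truncated record, not a real timestamp;
    // bail out before date parsing can throw ValueError on them.
    if (str_contains($raw, "\0")) {
        return null;
    }
    $raw = trim($raw);
    if ($raw === '') {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat(BLOCK_LOG_TS_FORMAT, $raw, new DateTimeZone('UTC'));
    if ($ts === false) {
        return null;
    }
    // createFromFormat() accepts some garbage (overflowing fields, trailing
    // data) and only records a warning; treat those records as bad too.
    // PHP 8.2+ returns false from getLastErrors() when there were none.
    $errors = DateTimeImmutable::getLastErrors();
    if ($errors !== false && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
        return null;
    }
    return $ts;
}

/**
 * Parse one record of the assumed block log (timestamp first, then other
 * comma-separated fields). Returns null when the line must be skipped.
 * The field layout is an assumption for this example, not the package's.
 */
function parse_block_log_line(string $line): ?array
{
    $fields = explode(',', rtrim($line, "\r\n"));
    $when = parse_block_timestamp($fields[0] ?? '');
    if ($when === null) {
        return null;
    }
    return ['timestamp' => $when, 'rest' => array_slice($fields, 1)];
}

// Constructed sample records: a good line, a zero-filled record like the one
// in the stack trace, and a truncated line. None of these are real log data.
$sample = [
    "10/18/2023-23:50:07.123456,192.0.2.10,blocked\n",
    str_repeat("\0", 32) . "\n",
    "10/18/2023-23:5\n",
];

$parsed = 0;
$skipped = 0;
foreach ($sample as $line) {
    $rec = parse_block_log_line($line);
    if ($rec === null) {
        // A bad record is logged and skipped; the page keeps rendering.
        $skipped++;
        continue;
    }
    $parsed++;
    printf("%s -> %s\n", $rec['timestamp']->format(DATE_ATOM), implode(' ', $rec['rest']));
}
printf("parsed=%d skipped=%d\n", $parsed, $skipped);
```

With the three constructed lines above, only the first is accepted and the zero-filled and truncated records are counted as skipped. The NUL check has to come before the call to date parsing, because in PHP 8 the ValueError is raised by the argument check inside date_create_from_format() itself and is not one of the parse failures reported through the false return value or getLastErrors().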