StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

🐞🐋 Internal Server Error when trying to view/edit/change a suppress rule #474

Closed ulysse31 closed 1 month ago

ulysse31 commented 2 months ago

Is there an existing issue for this?

Current Behavior

On a matched rule, you click a "cross" button to create a suppress rule from a destination IP. You then create a suppress rule by clicking on the "Default Ruleset" and then submit. Then, once the suppress rule has been created, go to the ruleset, and click on the ID number of the suppress rule created in the suppress rule listing ... You'll get "Internal Server Error". In the django-error log file, you get:

Traceback (most recent call last):
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/root/.local/lib/python3.9/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/root/.local/lib/python3.9/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/opt/scirius/rules/views.py", line 2079, in threshold
    threshold.rule.highlight_content = SuriHTMLFormat(threshold.rule.content)
AttributeError: 'Rule' object has no attribute 'content'
2024-07-08 08:10:09,303 ERROR Internal Server Error: /rules/threshold/8/

Expected Behavior

Showing the suppress rule info page, and being able from there to modify/delete the suppress rule.

Steps To Reproduce

  1. freshly installed docker configuration following the documentation
  2. click on a matched alert traffic
  3. click on a "cross" button in front of a destination ip to create a suppress rule
  4. create the suppress rule by clicking "Default Ruleset" then "submit"
  5. try to view/edit the created suppress rule ...

Docker version

Docker version 27.0.3, build 7d4bcd8

Docker Compose version

Docker Compose version v2.28.1

OS Version

Debian GNU/Linux 12 (bookworm)

Content of the environnement File

COMPOSE_PROJECT_NAME=selks
INTERFACES= -i "SUPPRESSED"
ELASTIC_MEMORY=64G
SCIRIUS_SECRET_KEY="SUPPRESSED"
PWD=${PWD}

Version of SELKS

commit 4af455cd15f69f2ba471fa6cd0b96d6aae6e93b9 (HEAD -> master, origin/master, origin/HEAD)
Author: Peter Manev pmanev@stamus-networks.com
Date: Thu Jun 13 13:18:18 2024 +0200

    docker: Add Logstash/Kibana docker versions

Anything else?

No response

pevma commented 2 months ago

I cannot reproduce. Can you please share a screenshot or a URL link that I can maybe try to use/mimic on my own setup to try to reproduce?

ulysse31 commented 2 months ago

Hello,

I have right now two servers on which I installed the docker version of SELKS. Both have the issue: just create a suppress rule by clicking on the "cross" of a matched destination IP:

image

Then go to the ruleset menu, go to the list of suppression rules:

image

And click on any suppression ID in the list:

image

The install steps are quite simple:

a/ Install necessary tools for key repo addition:

sudo apt install ca-certificates curl gnupg

b/ Remove any existing docker package if present (does not match anything on a fresh install):

for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done

c/ Install docker repo keys:

sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update

d/ Install docker:

sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin

e/ Add docker rights to the user:

sudo usermod -aG docker $USER && su $USER

f/ Install SELKS:

git clone https://github.com/StamusNetworks/SELKS.git
cd SELKS/docker/
./easy-setup.sh --install-portainer --non-interactive -i bond1 --iA --restart-mode always --es-memory 64G
sudo -E docker compose up -d

From what I quickly googled, this error seems to be related to python code and unprotected/unchecked variable usage.
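The failure mode in the traceback, as an added illustration that is not scirius code: a hypothetical Threshold whose Rule carries no `content` attribute takes the view down with a 500, while a guarded view still renders the entry so it can be edited or deleted. Class names, `suri_html_format` and the sid/net values are constructed stand-ins, not the project's real models.

```python
import html
from dataclasses import dataclass


@dataclass
class Rule:
    """Hypothetical stand-in for a scirius Rule that carries no 'content' attribute."""
    sid: int


@dataclass
class SignatureRule(Rule):
    """Hypothetical rule variant that does carry the signature text."""
    content: str = ""


@dataclass
class Threshold:
    """Hypothetical stand-in for a scirius suppress/threshold entry."""
    pk: int
    rule: Rule
    threshold_type: str = "suppress"   # or "threshold"
    track_by: str = "by_dst"           # or "by_src"
    net: str = ""


def suri_html_format(content: str) -> str:
    """Stand-in for SuriHTMLFormat: escape the rule text so it is safe to embed in a page."""
    return "<pre>" + html.escape(content) + "</pre>"


def threshold_view_unchecked(threshold: Threshold) -> dict:
    """Mirrors the failing line in the traceback: rule.content is read without any check."""
    return {"status": 200, "highlight": suri_html_format(threshold.rule.content)}


def threshold_view_checked(threshold: Threshold) -> dict:
    """Guarded version: a rule without text still renders, so the entry stays editable/deletable."""
    content = getattr(threshold.rule, "content", None)
    highlight = suri_html_format(content) if content else "<em>(rule text unavailable)</em>"
    summary = f"{threshold.threshold_type} sid {threshold.rule.sid} {threshold.track_by} {threshold.net}"
    return {"status": 200, "highlight": highlight, "summary": summary.strip()}


def render_threshold_page(view, threshold: Threshold) -> dict:
    """Tiny stand-in for Django's handler: an uncaught exception becomes a 500 response."""
    try:
        return view(threshold)
    except AttributeError as exc:
        return {"status": 500, "error": f"{type(exc).__name__}: {exc}"}
```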

pevma commented 2 months ago

Ok, understood - now I can reproduce it. We will push an update.

ulysse31 commented 2 months ago

Hello,

Do you know when this bug will be corrected? Not being able to edit/modify/delete a created suppress rule is somewhat of a blocking issue ^^' (cannot remove a suppress rule at all ...). Thanks a lot,


pevma commented 2 months ago

We should push a fix in the next day.

pevma commented 2 months ago

@ulysse31 - should be all set. All you need to do is: https://github.com/StamusNetworks/SELKS/wiki/Docker#upgrade-all-containers

ulysse31 commented 1 month ago

Great! Seems to work as it should ^^ Thanks a lot