Failure in alerts query and download: ntop_push_redis expected string, got nil

[deepCrysis]

Environment:

• OS name: Ubuntu
• OS version: 20.04
• Architecture: amd64
• ntopng version/revision: ntopng Enterprise L v.5.6.230531

What happened:

point 1: periodically, the log service reports: ntop ntopng[167991] [LuaEngineNtop.ccp:45] ERROR: ntop_push_redis: expected string[@pop 2], got nil.

Then, the alert query works with performance degradation or unavailability

point 2: Trying download records of alerts, the web interfaces responds with: /usr/share/ntop/scripts/lua/modules/i18n/interpolate.lua:62: bad argument #2 to 'format' (no value)

How did you reproduce it?

just let the service run and at some indeterminable time, the service starts crashing with the two points mentioned.

It is believed that the problem is one of the enabled alerts, this is the list of alerts that we have enabled:

• Anonymous Subscriber
• Binary Application Transfer
• Blacklisted Flow
• Broadcast Domain Too Large
• Broadcast Non-UDP Traffic
• Clear-text credentials
• Countries Contacts Alert
• Dangerous Host
• Device Application Not Allowed
• DHCP Storm
• DNS Data Exfiltration
• DNS Fragmented
• DNS Invalid Characters
• DNS Large Packet
• Elephant Flows
• External Alert
• FIN Scan Alert
• Flow Flood Alert
• Fortinet
• Ghost Networks
• High Interface Discards/Errors
• Host Log
• HTTP Crawler/Bot
• HTTP Obsolete Server
• HTTP Suspicious Content
• HTTP Suspicious Header
• HTTP Suspicious URL
• HTTP Suspicious User-Agent
• ICMP Data Exfiltration
• ICMP Flood Alert
• Idle Hash Table Entries Alert
• Interface Alerts Drops
• Interface Errors Exceeded
• Interface Load Threshold Alerts
• Interface Packets Drops Alert
• Intrusion Detection and Prevention Log
• Invalid DNS Query
• IP/MAC Reassoc/Spoofing
• Kerberos/NXLog
• Lateral Movement Detection
• Long Lived
• MAC Detection (SNMP)
• MAC Port Changed (SNMP)
• Malformed packet
• Malicious JA3 Fingerprint
• Malicious JA3 SHA1 Cert.
• Malicious JA3 Signature
• Missing TLS SNI
• Network Discovery Detected
• No Traffic Activity
• Not Purged
• NTP Server Contacts Alert
• NTP Traffic Alert
• Obsolete SSH Client Version or Cipher
• Obsolete SSH Server Version or Cipher
• Old TLS Version
• OpenVPN
• Oper. Status Change
• OPNsense
• Periodic Activity Not Executed
• Periodic Activity Not Executed
• Possible Exploit
• Possible Remote Code Execution (RCE)
• Possible SQL Injection
• Possible XSS
• Punicody IDN
• Remote Access
• Remote Connection
• Remote to Local Insecure Protocol
• Risky ASN
• Risky Domain
• RST Scan Alert
• Scan Detection Alert
• Score Threshold Exceeded
• Slow Periodic Activity
• SMB Insecure Version
• SMTP Server Contacts Alert
• SNMP Device Restart
• SonicWALL
• Sophos
• Suricata
• Suspicious DGA domain name
• Suspicious DNS Traffic
• Suspicious Entropy
• Suspicious TLS ESNI Usage
• SYN Flood Alert
• SYN Flood Victim Alert
• SYN Scan Alert
• SYN Scan Victim Alert
• System Alerts Drops
• TCP No Data Exchanged
• TCP Zero Window
• Throughput Alert
• TLS Certificate About To Expire
• TLS Certificate Expired
• TLS Certificate Issues
• TLS Certificate Self-signed
• TLS Fatal Alert
• TLS Suspicious Extension
• TLS Uncommon ALPN
• TLS Unsafe Ciphers
• Too Many MACs on Non-Trunk
• Traffic Change Detected
• Unsafe Protocol
• Web Mining

Debug Information: point 1:

Point 2:

[MatteoBiscosi]

Hi @deepCrysis could you share your ntopng configuration file?

[deepCrysis]

Hi @deepCrysis could you share your ntopng configuration file?

Sure!

#         The  configuration  file is similar to the command line, with the exception that an equal
#        sign '=' must be used between key and value. Example:  -i=p1p2  or  --interface=p1p2  For
#        options with no value (e.g. -v) the equal is also necessary. Example: "-v=" must be used.
#
#
#       -G|--pid-path
#        Specifies the path where the PID (process ID) is saved. This option is ignored when
#        ntopng is controlled with systemd (e.g., service ntopng start).
#
-G=/var/run/ntopng.pid
#
#       -e|--daemon
#        This  parameter  causes ntop to become a daemon, i.e. a task which runs in the background
#        without connection to a specific terminal. To use ntop other than as a casual  monitoring
#        tool, you probably will want to use this option. This option is ignored when ntopng is
#        controlled with systemd (e.g., service ntopng start)
#
# -e=
#
#       -i|--interface
#        Specifies  the  network  interface or collector endpoint to be used by ntopng for network
#        monitoring. On Unix you can specify both the interface name  (e.g.  lo)  or  the  numeric
#        interface id as shown by ntopng -h. On Windows you must use the interface number instead.
#        Note that you can specify -i multiple times in order to instruct ntopng to create  multi-
#        ple interfaces.
#
# -i=eth1
-i=eno2
#
#       -w|--http-port
#        Sets the HTTP port of the embedded web server.
-w=3000
#
#       -m|--local-networks
#        ntopng determines the ip addresses and netmasks for each active interface. Any traffic on
#        those  networks  is considered local. This parameter allows the user to define additional
#        networks and subnetworks whose traffic is also considered local in  ntopng  reports.  All
#        other hosts are considered remote. If not specified the default is set to 192.168.1.0/24.
#
#        Commas  separate  multiple  network  values.  Both netmask and CIDR notation may be used,
#        even mixed together, for instance "131.114.21.0/24,10.0.0.0/255.0.0.0".
#
# -m=10.10.123.0/24,10.10.124.0/24
 -m="This value was changed to publish the configuration file"
#
#       -n|--dns-mode
#        Sets the DNS address resolution mode: 0 - Decode DNS responses  and  resolve  only  local
#        (-m)  numeric  IPs  1  -  Decode DNS responses and resolve all numeric IPs 2 - Decode DNS
#        responses and don't resolve numeric IPs 3 - Don't decode DNS responses and don't  resolve
#
# -n=1
#
#       -S|--sticky-hosts
#        ntopng  periodically purges idle hosts. With this option you can modify this behaviour by
#        telling ntopng not to purge the hosts specified by -S. This parameter requires  an  argu-
#        ment  that  can  be  "all"  (Keep  all hosts in memory), "local" (Keep only local hosts),
#        "remote" (Keep only remote hosts), "none" (Flush hosts when idle).
#
# -S=
#
#       -d|--data-dir
#        Specifies the data directory (it must be writable by the user that is executing ntopng).
#
# -d=/var/lib/ntopng
#
#       -q|--disable-autologout
#        Disable web interface logout for inactivity.
#
# -q=
#
# Set max number of active flows (default: 131072)
-X=5000000
#
#       -x|--max-num-hosts
#       Set max number of active hosts (default: 131072)
#
-x=200000

In addition, we detected that by disabling the "HTTP Suspicious URL" alert, the reported problems disappear for alerts classified as "Error"

[NicoMaio]

Hi @deepCrysis,

What alerts are you planning to download when ntopng prints that log?

[MatteoBiscosi]

Hi @deepCrysis sorry but i was totally unable to reproduce the issue in our lab. So please update and let me know if the problem persists. Otherwise if possible trying to switch to the dev version and updating (at least until now, no issue like yours is reported). Otherwise an other thing i could suggest on trying is checking if by filtering alerts with the alert you reported you have the same problem in the ntopng GUI. Lastly please send me the output of: journalctl -e -u ntopng If you prefer sending it by mail, drop an email at "biscosi at ntop.org"

[MatteoBiscosi]

closing for inactivity, please reopen if needed