vshn / tikapy

A python client for the MikroTik RouterOS API
BSD 3-Clause "New" or "Revised" License

unknown control byte received #6

Open lorenzo95 opened 7 years ago

lorenzo95 commented 7 years ago

Hi guys,

I am using tikapy to gather alerts from the evebox api (suricata alerts) and then update an address-list in one or several mikrotiks to block the offending IP. I have run into an issue that I thought maybe someone could help. Essentially I am getting a traceback from the tikapy when I print an address-list but not on all of them. It almost looks like an issue with the size of the list to me. However, here are the details.

Here I am showing two address-lists: tikapy-address-list

I made a test-script to narrow down the error:

from tikapy import TikapySslClient
from pprint import pprint

client = TikapySslClient('192.168.1.253', 8729)
client.login('api-test', 'api123')
pprint('###1')
pprint(client.talk(['/routing/ospf/neighbor/getall']))

pprint('###2')
pprint(client.talk(['/ip/firewall/address-list/print', '?list=Internal network']))

pprint('###3')
pprint(client.talk(['/ip/firewall/address-list/print', '?list=List-EveBoxBlockedGlobalIPs']))

When I run the script, I get this output:

python3 apytest
'###1'
{}
'###2'
{'1': {'.id': '*1',
       'address': '192.168.1.0/24',
       'disabled': 'false',
       'dynamic': 'false',
       'list': 'Internal network'}}
'###3'
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/tikapy/__init__.py", line 180, in talk
    return self.tik_to_json(self._api.talk(words))
  File "/usr/local/lib/python3.5/dist-packages/tikapy/api/__init__.py", line 105, in talk
    sentence = self.read_sentence()
  File "/usr/local/lib/python3.5/dist-packages/tikapy/api/__init__.py", line 170, in read_sentence
    word = self.read_word()
  File "/usr/local/lib/python3.5/dist-packages/tikapy/api/__init__.py", line 294, in read_word
    raise ApiUnrecoverableError("unknown control byte received")
tikapy.api.ApiUnrecoverableError: unknown control byte received

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "apytest", line 16, in <module>
    pprint(client.talk(['/ip/firewall/address-list/print', '?list=List-EveBoxBlockedGlobalIPs']))
  File "/usr/local/lib/python3.5/dist-packages/tikapy/__init__.py", line 182, in talk
    raise ClientError('could not talk to api') from exc
tikapy.ClientError: could not talk to api

You can see that I don't have ospf neighbors so ###1 returns correctly, ###2 only has one IP so that is correct and the ###3 starts working when I delete a bunch of address-list items. Until then, no go.

I have tried the same setup on a Mikrotik with most current firmware with the same result. I used pip3 install tikapy to install the api. Thank you for your help.

lorenzo95 commented 7 years ago

Did some more reading through the code and decided to print out the "length" to debug since that is where it fails. Here is the result: (tl;dr Length: 65533 or 0xfffd)

python3 apytest

Length:  5
Length:  37
Length:  0
Length:  5
Length:  0
'###1'
Length:  5
Length:  0
{}
'###2'
Length:  3
Length:  7
Length:  22
Length:  23
Length:  14
Length:  14
Length:  15
Length:  0
Length:  5
Length:  0
{'1': {'.id': '*1',
       'address': '192.168.1.0/24',
       'disabled': 'false',
       'dynamic': 'false',
       'list': 'Internal network'}}
'###3'
Length:  3
Length:  8
Length:  33
Length:  24
Length:  14
Length:  14
Length:  15
Length:  102
Length:  0
Length:  3
Length:  8
Length:  33
Length:  23
Length:  14
Length:  14
Length:  15
Length:  78
Length:  0
Length:  3
Length:  8
Length:  33
Length:  21
Length:  14
Length:  14
Length:  15
Length:  119
Length:  0
Length:  3
Length:  8
Length:  33
Length:  21
Length:  14
Length:  14
Length:  15
Length:  106
Length:  0
Length:  3
Length:  8
Length:  33
Length:  24
Length:  14
Length:  14
Length:  15
Length:  78
Length:  0
Length:  3
Length:  8
Length:  33
Length:  23
Length:  14
Length:  14
Length:  15
Length:  89
Length:  0
Length:  3
Length:  8
Length:  33
Length:  23
Length:  14
Length:  14
Length:  15
Length:  94
Length:  0
Length:  3
Length:  8
Length:  33
Length:  21
Length:  14
Length:  14
Length:  15
Length:  127
Length:  0
Length:  3
Length:  8
Length:  33
Length:  19
Length:  14
Length:  14
Length:  15
Length:  127
Length:  0
Length:  3
Length:  8
Length:  33
Length:  20
Length:  14
Length:  14
Length:  15
Length:  127
Length:  0
Length:  3
Length:  8
Length:  33
Length:  22
Length:  14
Length:  14
Length:  15
Length:  123
Length:  0
Length:  3
Length:  8
Length:  33
Length:  24
Length:  14
Length:  14
Length:  15
Length:  123
Length:  0
Length:  3
Length:  8
Length:  33
Length:  20
Length:  14
Length:  14
Length:  15
Length:  122
Length:  0
Length:  3
Length:  8
Length:  33
Length:  21
Length:  14
Length:  14
Length:  15
Length:  122
Length:  0
Length:  3
Length:  8
Length:  33
Length:  24
Length:  14
Length:  14
Length:  15
Length:  65533
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/tikapy/__init__.py", line 180, in talk
    return self.tik_to_json(self._api.talk(words))
  File "/usr/local/lib/python3.5/dist-packages/tikapy/api/__init__.py", line 105, in talk
    sentence = self.read_sentence()
  File "/usr/local/lib/python3.5/dist-packages/tikapy/api/__init__.py", line 170, in read_sentence
    word = self.read_word()
  File "/usr/local/lib/python3.5/dist-packages/tikapy/api/__init__.py", line 294, in read_word
    raise ApiUnrecoverableError("unknown control byte received")
tikapy.api.ApiUnrecoverableError: unknown control byte received

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "apytest", line 16, in <module>
    pprint(client.talk(['/ip/firewall/address-list/print', '?list=List-EveBoxBlockedGlobalIPs']))
  File "/usr/local/lib/python3.5/dist-packages/tikapy/__init__.py", line 182, in talk
    raise ClientError('could not talk to api') from exc
tikapy.ClientError: could not talk to api

andrekeller commented 7 years ago

Hi,

is it possible that you can provide me with an export of the address list? This would make it easier to debug. Feel free to send it via e-mail if you do not want to post it publicly.

lorenzo95 commented 7 years ago

Hello,

No problem. I forgot to export it. Address list export is attached.

I'm not sure if the logical and functions in the api are working as expected. I downloaded a C# api that I could find and it can read the list. I just wanted to test it.

Thanks,

Gero


lorenzo95 commented 7 years ago

/ip firewall address-list
add address=192.168.1.0/24 list="Internal network"
add address=151.101.148.193 comment="EveBox -- 2017-06-08T22:51:32 -- sid20122\
    52 -- ET SHELLCODE Common 0a0a0a0a Heap Spray String" list=\
    List-EveBoxBlockedGlobalIPs
add address=104.113.56.224 comment=\
    "EveBox -- 2017-06-12T23:13:34 -- sid2016360 -- ET INFO JAVA - ClassID" \
    list=List-EveBoxBlockedGlobalIPs
add address=45.76.92.117 comment="EveBox -- 2017-06-11T01:15:53 -- sid2522772 \
    -- ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 387" list=\
    List-EveBoxBlockedGlobalIPs
add address=52.84.64.156 comment="EveBox -- 2017-06-10T21:14:50 -- sid2018959 \
    -- ET POLICY PE EXE or DLL Windows file download HTTP" list=\
    List-EveBoxBlockedGlobalIPs
add address=195.211.221.116 comment=\
    "EveBox -- 2017-06-11T10:50:58 -- sid2016360 -- ET INFO JAVA - ClassID" \
    list=List-EveBoxBlockedGlobalIPs
add address=141.212.122.48 comment="EveBox -- 2017-06-11T12:52:25 -- sid222101\
    4 -- SURICATA HTTP missing Host header" list=List-EveBoxBlockedGlobalIPs
add address=162.243.96.172 comment="EveBox -- 2017-06-11T17:31:37 -- sid202388\
    2 -- ET INFO HTTP Request to a *.top domain" list=\
    List-EveBoxBlockedGlobalIPs
add address=52.84.64.130 comment="EveBox -- 2017-06-14T07:53:02 -- sid2006380 \
    -- ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted\
    " list=List-EveBoxBlockedGlobalIPs
add address=52.84.0.29 comment="EveBox -- 2017-06-14T06:52:57 -- sid2006380 --\
    \_ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted" \
    list=List-EveBoxBlockedGlobalIPs
add address=52.84.0.118 comment="EveBox -- 2017-06-14T05:52:59 -- sid2006380 -\
    - ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted" \
    list=List-EveBoxBlockedGlobalIPs
add address=217.10.68.152 comment="EveBox -- 2017-06-13T20:57:27 -- sid2018908\
    \_-- ET INFO Session Traversal Utilities for NAT (STUN Binding Response)" \
    list=List-EveBoxBlockedGlobalIPs
add address=217.116.122.138 comment="EveBox -- 2017-06-13T20:50:17 -- sid20189\
    08 -- ET INFO Session Traversal Utilities for NAT (STUN Binding Response)" \
    list=List-EveBoxBlockedGlobalIPs
add address=52.87.201.4 comment="EveBox -- 2017-06-13T19:44:21 -- sid2016149 -\
    - ET INFO Session Traversal Utilities for NAT (STUN Binding Request)" \
    list=List-EveBoxBlockedGlobalIPs
add address=54.172.47.69 comment="EveBox -- 2017-06-13T18:24:34 -- sid2016149 \
    -- ET INFO Session Traversal Utilities for NAT (STUN Binding Request)" \
    list=List-EveBoxBlockedGlobalIPs
add address=176.194.164.183 comment="EveBox -- 2017-06-14T06:03:22 -- sid22300\
    12 -- SURICATA TLS overflow heartbeat encountered, possible exploit attemp\
    t (heartbleed)" list=List-EveBoxBlockedGlobalIPs
add address=192.229.211.70 comment="EveBox -- 2017-06-13T21:40:11 -- sid201653\
    8 -- ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Se\
    cond Stage Download" list=List-EveBoxBlockedGlobalIPs
add address=194.42.22.9 comment="EveBox -- 2017-06-13T21:38:36 -- sid2016538 -\
    - ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Secon\
    d Stage Download" list=List-EveBoxBlockedGlobalIPs

lorenzo95 commented 7 years ago

Hi, I was just wondering if you were able to reproduce the error I am seeing? Thanks.
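
Added example (not part of the thread and not tikapy's own code): a RouterOS API length-prefix codec following MikroTik's documented encoding, applied to the 15th blocked entry from the export above, whose `=comment=` word is 138 bytes and so is the first in the list to need a two-byte prefix. `naive_text_length` is a hypothetical failure mode, assumed here and not confirmed for tikapy, in which the first prefix byte is decoded as text; it yields exactly the 65533 (0xfffd) seen in the debug output.

```python
import io

def encode_length(n: int) -> bytes:
    """Encode a word length as a RouterOS API length prefix."""
    if n < 0x80:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def read_length(stream) -> int:
    """Decode a length prefix from a binary stream, working on raw bytes."""
    first = stream.read(1)
    if len(first) != 1:
        raise EOFError("stream closed while reading length")
    b = first[0]
    # (exclusive upper bound of first byte, continuation bytes, payload mask)
    for limit, extra, mask in ((0x80, 0, 0x7F), (0xC0, 1, 0x3F),
                               (0xE0, 2, 0x1F), (0xF0, 3, 0x0F), (0xF1, 4, 0x00)):
        if b < limit:
            break
    else:
        raise ValueError("reserved or undefined first byte 0x%02x" % b)
    rest = stream.read(extra)
    if len(rest) != extra:
        raise EOFError("truncated length prefix")
    return int.from_bytes(bytes([b & mask]) + rest, "big")

# Constructed from the exported entry for 176.194.164.183, written as the
# "=name=value" attribute word the API would send (assumption).
WORD = ("=comment=EveBox -- 2017-06-14T06:03:22 -- sid2230012 -- SURICATA TLS "
        "overflow heartbeat encountered, possible exploit attempt (heartbleed)"
        ).encode("ascii")

def naive_text_length(prefix: bytes) -> int:
    """Hypothetical bug: first prefix byte decoded as text before ord()."""
    return ord(prefix[:1].decode("utf-8", "replace"))

if __name__ == "__main__":
    prefix = encode_length(len(WORD))
    print(len(WORD), prefix.hex(), read_length(io.BytesIO(prefix + WORD)))
    print(naive_text_length(prefix))
```

Words of up to 127 bytes take a single prefix byte that reads the same either way, which matches the earlier records (102, 78, ... 122) decoding without error.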