Invalid header block at offset

hi
I have this message in the httpd log

Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.

I looked at the file at line 550

		# Initialize the tar module.
		my $tar = Archive::Tar->new($tarball);

I see (T), I don’t know if (t) is the error for Tar
ty

In which log file did you find this?

Have you added additional sources into the suricata sources file or done any manual editing of any of the other suricata settings files?

That error about invalid header block has occurred in the past when an error has been manually created in one of the suricata files and the file trying to be opened is not an archive file or is a corrupted archive file and therefore cannot be read correctly.

hi
sorry, in
/var/log/httpd/error_log

yes

I have added rules, but only with the GUI sources of IPFire
ty

Which ruleset provider did you additionally select?

I have tested these

OISF Traffic ID Rules
PT Attack Detection Team Rules
Travis Green - Hunting Rules
Snort/VRT GPLv2 Community
Etnetera Aggressive Blacklist Rules
Emerging Threats Community Ruleset
Talos ruleset for registered users

and activated more rules than ever

I just added and enabled all the ruleset providers you listed and I didn’t get that error in my http/error_log file.

So I can’t reproduce the problem by just having the providers you listed enabled.

By the way, the PT Attack rules will be removed in CU185 as they are End Of Life and were made read only in Sep 2022 with last significant updates in 2021. So no update is being made anymore and they are 1.5 years old.

I have deleted every rule and source
I rebooted
I added and enabled all the ruleset providers
I did not add the PT Attack rules
I have the same message
I have many other errors in the suricata log
ty

Hello everyone!

I can reproduce this error on my IPFire 2.29 (x86_64) - Core-Update 184
with rulesets:
Emergingthreats.net Community Ruleset
Abuse.ch SSLBL Blacklist Rules

Tried it with different other rulesets, but it doesn’t seem to depend on them.

Found in /var/log/httpd/error.log:

 [core:notice] [pid 3647:tid 130990554702016] AH00094: Command line: '/usr/sbin/httpd'
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.
...
1_12_09, updated_at 2024_03_18;): checksum error at /var/ipfire/ids-functions.pl line 550.

This happens when rulesets were updated and a new update exists for the respective ruleset, not just when activating existing or new rulesets.

Looking in older (Core-Update 183) error.logs, there is no error of this kind to be found.

Question is: What was changed regarding the updating of suricata rules in Core-Update 184?

Greetings
Wayne

The answer is nothing.

The last change to the update-ids-ruleset script was in May 2022.

The update-ids-ruleset script is run by the suricatactrl program via fcron.

The last update to the suricatactrl program was in Sep 2018.

I have Emerging Threats Community ruleset and the Abuse.ch ruleset in my production IPFire system and that was the one I looked in at the
/var/log/httpd/error_log
and I had none of those messages 19 hours ago.

However, just checked now and I do have the same messages.

I checked my IPFire IPS WUI page and the update/time are

Both rulesets have been updated since I last looked.

The Abuse.ch ruleset is a plain text file so would not get to line 550 in ids-functions.pl while the Emerging Threats ruleset is an archive file and would get to line 550.

What is in both @waynetsun and my error_log files is that there was a checksum error in the archive file, so it might be that this is being caused by some error from the Emerging Threats people with their ruleset file archive.

2 Likes

hi
ty Wayniewaynetsun
I have not detected the Emergingthreats.net Community Ruleset
I disabled this source
ty

Thank you, Adolf, for your good explanation (as always!) of this error message. I agree with you. There must be something changed in the Emergingthreats.net CR.

There doesn’t seem to be any error with these rules. They are firing as expected.
I will continue to monitor this.

1 Like

@bonnietwin Just to assist with this post, I also have the Emerging Threats Community ruleset enabled and can confirm the same error in my /var/log/httpd/error.log.
My emerging threats was last updated 2024-03-18 23:28:12

Yes, I saw that also. I don’t quite understand how we get a checksum error but the update looks to have gone ahead.

It might be worth raising a bug on this for one of the devs experienced with suricata to have a look at it.

2 Likes

Just sent a bug report 13632 – Error message when updating Emerginthreats.net rules.

2 Likes

I researched a bit about this issue.

The doc for the Perl module Archive::Tar mentions problems with tar for AIX:

The AIX tar does not fill all unused space in the tar archive with 0x00. This sometimes leads to warning messages from Archive::Tar.
Invalid header block at offset nnn
A fix for that problem is scheduled to be released in the following levels of AIX, all of which should be coming out in the 4th quarter of 2009:

We don’t know which tar program is used, but I suppose any program with this property leads to the warning.

A workaround could be to set Archive::Tar::WARN to 0. I don’t know whether useful warnings are switched off by this as well.

2 Likes
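To make the two log lines from this thread concrete, here is an added example (not code from IPFire's ids-functions.pl or from Archive::Tar) that walks a tar archive in 512-byte blocks the way a tar reader does and reports the two conditions behind them: a non-zero block that is not a well-formed header, which is what a writer that does not zero-fill its trailing space (the AIX case quoted above) leaves behind, and a header whose stored checksum does not match the bytes actually present. The checks are a simplified model written for this example, the sample rules file and the archive contents are constructed, and the byte offsets reported correspond to the "at offset" value in the warning, so a defender can use it to inspect a downloaded ruleset tarball before handing it to the IDS update code:

```python
"""Walk a tar archive block by block and report invalid header blocks and
checksum errors. Added example; a simplified model, not Archive::Tar's code."""
import io
import tarfile

BLOCK = 512
ZERO_BLOCK = b"\0" * BLOCK


def ustar_checksum(block: bytes) -> int:
    """Checksum as defined by the tar format: byte sum of the 512-byte header
    with the 8-byte chksum field (offsets 148..155) read as ASCII spaces."""
    return sum(block[:148]) + 8 * ord(" ") + sum(block[156:])


def stored_checksum(block: bytes):
    """Octal checksum recorded in the header, or None if the field is not octal."""
    field = block[148:156].strip(b"\0 ")
    try:
        return int(field, 8) if field else None
    except ValueError:
        return None


def octal_field(raw: bytes, default: int = 0) -> int:
    field = raw.strip(b"\0 ")
    return int(field, 8) if field else default


def scan_tar(data: bytes):
    """Walk the archive one 512-byte block at a time.
    Returns (entries, problems): entries are (offset, name, size) for headers
    that validate; problems are (offset, reason) for blocks that are neither
    all-zero padding nor a header whose checksum matches its bytes."""
    entries, problems = [], []
    off = 0
    while off + BLOCK <= len(data):
        block = data[off:off + BLOCK]
        if block == ZERO_BLOCK:
            # End-of-archive marker or zero fill: skip, keep walking so that
            # anything a writer left after the archive is still examined.
            off += BLOCK
            continue
        stored = stored_checksum(block)
        if block[500:] != b"\0" * 12 or stored is None:
            # A header ends in 12 NUL pad bytes and carries an octal checksum;
            # garbage left by a writer that did not zero-fill fails this test.
            problems.append((off, "invalid header block"))
            off += BLOCK
            continue
        if stored != ustar_checksum(block):
            problems.append((off, "checksum error"))
            off += BLOCK
            continue
        name = block[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = octal_field(block[124:136])
        entries.append((off, name, size))
        # Skip the header plus the file data, which is padded to a block boundary.
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return entries, problems


def make_ruleset_tar(files: dict) -> bytes:
    """Build a small ustar archive in memory from {name: content} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: one rules file, as a ruleset tarball might carry.
SAMPLE_RULE = b'alert tcp any any -> any any (msg:"constructed sample"; sid:1; rev:1;)\n'
CLEAN = make_ruleset_tar({"rules/sample.rules": SAMPLE_RULE})

# Case 1: non-zero bytes left after the archive instead of zero fill.
UNPADDED = CLEAN + b"\xff" * BLOCK

# Case 2: one byte of the first header altered; the checksum no longer matches.
_damaged = bytearray(CLEAN)
_damaged[0] ^= 0x01
CORRUPTED = bytes(_damaged)


if __name__ == "__main__":
    for label, archive in (("clean", CLEAN), ("unpadded", UNPADDED), ("corrupted", CORRUPTED)):
        entries, problems = scan_tar(archive)
        print(f"{label}: {len(entries)} entries, problems={problems}")
```

Running it on the three constructed archives shows the clean one with no problems, the unpadded one reporting an invalid header block at the offset where the archive proper ends, and the corrupted one reporting a checksum error at offset 0. Note that a reader which resynchronises by advancing one block after a bad header, as this scanner does, then misreads the following data block as a header, which is how a fragment of rule text can end up in the "name" part of a checksum error message like the one quoted earlier in the thread.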

ty for Examplicate