Context problem

Hi,
I'm trying to follow this: Simplify Threat Detection with Alert Context (crowdsec.net)

And I have this problem when I execute detect:

cscli lapi context detect  -a
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x17b00bb]

goroutine 1 [running]:
main.detectSubNode({{0x1e76298, 0x3}, 0x0, 0x0, {0xc000926ea0, 0x19}, {0x0, 0x0}, {0xc000926f80, 0x1c}, ...}, ...)
        github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/lapi.go:550 +0x1fb
main.NewLapiContextCmd.func5(0xc000475a00?, {0xc0005a9d80, 0x0, 0x1e76976?})
        github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/lapi.go:362 +0x5f9
github.com/spf13/cobra.(*Command).execute(0xc0007fec00, {0xc0005a9d60, 0x1, 0x1})
        github.com/spf13/cobra@v1.7.0/command.go:944 +0x863
github.com/spf13/cobra.(*Command).ExecuteC(0xc000005800)
        github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.7.0/command.go:992
main.main()
        github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/main.go:267 +0xe5f

I use Ubuntu 20.04.6 LTS, with a PRO subscription, Crowdsec package 1.5.5 and crowdsec-nginx-bouncer 1.0.5

From this repo https://packagecloud.io/crowdsec/crowdsec/ubuntu/ focal main

Is there any problem with some library version?

Do you have any context currently setup?

Edit: I managed to replicate the issue just by running the command, I will investigate.

Hi

This is my output

cscli lapi context status
auth:
- evt.Parsed.auth
clientip:
- evt.Parsed.clientip
computer:
- evt.Parsed.Computer
datasource_path:
- evt.Meta.datasource_path
datasource_type:
- evt.Meta.datasource_type
file_dir:
- evt.Parsed.file_dir
file_ext:
- evt.Parsed.file_ext
file_frag:
- evt.Parsed.file_frag
file_name:
- evt.Parsed.file_name
http_args:
- evt.Parsed.http_args
http_path:
- evt.Meta.http_path
http_status:
- evt.Meta.http_status
http_user_agent:
- evt.Meta.http_user_agent
http_verb:
- evt.Meta.http_verb
httpversion:
- evt.Parsed.httpversion
log_type:
- evt.Meta.log_type
machine:
- evt.Meta.machine
port:
- evt.Parsed.port
referrer:
- evt.Parsed.referrer
target_fqdn:
- evt.Meta.target_fqdn
target_user:
- evt.Meta.target_user
username:
- evt.Meta.username
usersid:
- evt.Parsed.UserSID

This will be fixed in the next release.
