Context problem

cayu · December 1, 2023, 5:56pm

Hi,
I´m trying to follow this Simplify Threat Detection with Alert Context (crowdsec.net)

And I have this problem when execute detect

cscli lapi context detect  -a
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x17b00bb]

goroutine 1 [running]:
main.detectSubNode({{0x1e76298, 0x3}, 0x0, 0x0, {0xc000926ea0, 0x19}, {0x0, 0x0}, {0xc000926f80, 0x1c}, ...}, ...)
        github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/lapi.go:550 +0x1fb
main.NewLapiContextCmd.func5(0xc000475a00?, {0xc0005a9d80, 0x0, 0x1e76976?})
        github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/lapi.go:362 +0x5f9
github.com/spf13/cobra.(*Command).execute(0xc0007fec00, {0xc0005a9d60, 0x1, 0x1})
        github.com/spf13/cobra@v1.7.0/command.go:944 +0x863
github.com/spf13/cobra.(*Command).ExecuteC(0xc000005800)
        github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.7.0/command.go:992
main.main()
        github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/main.go:267 +0xe5f

I Use Ubuntu 20.04.6 LTS , with PRO suscription and Crowdsec package 1.5.5 and crowdsec-nginx-bouncer 1.0.5

From this repo https://packagecloud.io/crowdsec/crowdsec/ubuntu/ focal main

Is there any problem with some library version ?

iiAmLoz · December 3, 2023, 10:07am

Do you have any context currently setup?

Edit: I managed to replicate the issue just by running the command, I will investigate.

cayu · December 4, 2023, 12:28pm

Hi

This is my output

cscli lapi context status
auth:
- evt.Parsed.auth
clientip:
- evt.Parsed.clientip
computer:
- evt.Parsed.Computer
datasource_path:
- evt.Meta.datasource_path
datasource_type:
- evt.Meta.datasource_type
file_dir:
- evt.Parsed.file_dir
file_ext:
- evt.Parsed.file_ext
file_frag:
- evt.Parsed.file_frag
file_name:
- evt.Parsed.file_name
http_args:
- evt.Parsed.http_args
http_path:
- evt.Meta.http_path
http_status:
- evt.Meta.http_status
http_user_agent:
- evt.Meta.http_user_agent
http_verb:
- evt.Meta.http_verb
httpversion:
- evt.Parsed.httpversion
log_type:
- evt.Meta.log_type
machine:
- evt.Meta.machine
port:
- evt.Parsed.port
referrer:
- evt.Parsed.referrer
target_fqdn:
- evt.Meta.target_fqdn
target_user:
- evt.Meta.target_user
username:
- evt.Meta.username
usersid:
- evt.Parsed.UserSID

iiAmLoz · December 11, 2023, 2:14pm

This will be fixed next release

Topic		Replies	Views
Panic when executing cscli metrics	1	613	April 12, 2023
Alerts and détection issue	3	968	December 22, 2021
Bug? when trying to delete a range from decisions	3	471	April 13, 2022
Crowdsec stopped working : while pushing to api : failed sending alert to LAPI: API error: unable to create alerts: creating alert events: ent: validator failed for field \"serialized\": value is greater than the required length: unable to insert bulk" crowdsec	4	562	September 16, 2021
Crowdsec failing to start after executing cscli explain crowdsec	2	1752	May 25, 2022

Context problem

Related Topics