activecm/rita

Parsing logs fails with "runtime error: makeslice: len out of range" v4.6.0

jnimmo opened this issue · 3 comments

Hi team,
Running RITA 4.6.0 on a fresh SO 2.3.150 installation and experiencing the following error:

        [-] Finished parsing logs in 566ms
        [-] Host Analysis:            465 / 465  [==================] 100 %
        [-] Host Aggregation:         14 / 14  [==================] 100 %
        [-] Unique Connection Analysis: 1055 / 1055  [==================] 100 %
        [-] Unique Connection Aggregation: 14 / 14  [==================] 100 %
        [-] Uconn Proxy Analysis:     7 / 7  [==================] 100 %
        [-] SNI Connection Analysis:  691 / 691  [==================] 100 %
        [!] No DNS data to analyze
        [!] No Hostname data to analyze
        [-] Beacon Analysis:          1055 / 1055  [==================] 100 %
        [-] Beacon Aggregation:       14 / 14  [==================] 100 %
        [-] Gathering FQDNs for Beacon Analysis ...     [                    ] 
        [-] FQDN Beacon Analysis:     366 / 366  [==================] 100 %
        [-] FQDN Beacon Aggregation:  14 / 14  [==================] 100 %
panic: runtime error: makeslice: len out of range

goroutine 1428 [running]:
github.com/activecm/rita/pkg/beaconproxy.(*analyzer).start.func1()
        /go/src/github.com/activecm/rita/pkg/beaconproxy/analyzer.go:109 +0x44e
created by github.com/activecm/rita/pkg/beaconproxy.(*analyzer).start
        /go/src/github.com/activecm/rita/pkg/beaconproxy/analyzer.go:66 +0x6f
panic: runtime error: makeslice: len out of range

Thank you for your bug report. We have begun tracking down the issue using the info in your report.

Version 4.6.0 is currently in pre-release. We recommend using version 4.5.1 for any meaningful work at this time.


The error appears to be stemming from:

tsLengthFull := len(entry.TsListFull) - 1

In this line, we assume len(entry.TsListFull) is positive. In this error case, we can see that len(entry.TsListFull) must be 0. So, there is either a bug in the code which gathers these timestamps in the proxy beacons module or we are missing a filter which would have prevented this code from executing.

@jnimmo Please replace your existing copy of RITA v4.6.0 with a fresh copy from the v4.6.0 pre-release page and try importing your data once again.

It appears that this issue was resolved in PR #749 5 days ago, but the rita binary on the pre-release page was not updated afterwards.

Fantastic thanks for the quick response! That's solved it now :)
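The failure mode diagnosed in the thread, as an added example that is not RITA's code or the change made in PR #749: a length computed as `len(x) - 1` becomes -1 for an empty list and panics when used to size a slice, while a length check turns the same input into an ordinary error. The function names, the error value and the timestamp values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTooFewTimestamps reports an entry with no usable interval (hypothetical name).
var ErrTooFewTimestamps = errors.New("need at least two timestamps")

// intervalsUnchecked sizes a slice from len(ts)-1 with no check for empty input.
func intervalsUnchecked(ts []int64) []int64 {
	n := len(ts) - 1        // -1 when ts is empty
	out := make([]int64, n) // panics: makeslice: len out of range
	for i := 0; i < n; i++ {
		out[i] = ts[i+1] - ts[i]
	}
	return out
}

// intervalsChecked rejects short input before any length arithmetic.
func intervalsChecked(ts []int64) ([]int64, error) {
	if len(ts) < 2 {
		return nil, ErrTooFewTimestamps
	}
	out := make([]int64, len(ts)-1)
	for i := range out {
		out[i] = ts[i+1] - ts[i]
	}
	return out, nil
}

// panicMessage runs f and returns the recovered panic text, or "" if f returned.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	var empty []int64 // constructed input: an entry with no timestamps
	fmt.Println("unchecked:", panicMessage(func() { intervalsUnchecked(empty) }))
	_, err := intervalsChecked(empty)
	fmt.Println("checked:  ", err)
}
```

In a worker goroutine an unrecovered panic like this ends the whole process, which is why the import in the report stopped after the analysis stages had completed.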