From 01d8fb296e69b99b271da0ec92caf7e1b572b953 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 23 Sep 2019 18:07:41 +0200
Subject: [PATCH] Insight, catch struct.unpack errors instead od rashing out when flow record doesn't match standards. closes https://github.com/opnsense/core/issues/3715
---
 src/opnsense/scripts/netflow/lib/flowparser.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/scripts/netflow/lib/flowparser.py b/src/opnsense/scripts/netflow/lib/flowparser.py
index 1c472050d..830451f24 100755
--- a/src/opnsense/scripts/netflow/lib/flowparser.py
+++ b/src/opnsense/scripts/netflow/lib/flowparser.py
@@ -27,6 +27,7 @@
 flowd log parser
 """
 import struct
+import syslog
 from socket import inet_ntop, AF_INET, AF_INET6, ntohl
@@ -113,11 +114,15 @@ class FlowParser:
 raw_record[fieldname] = raw_data[raw_data_idx:raw_data_idx + fsize]
 else:
 fsize = self.calculate_size(self.field_definition[fieldname])
- content = struct.unpack(
- self.field_definition[fieldname],
- raw_data[raw_data_idx:raw_data_idx + fsize]
- )
- raw_record[fieldname] = content[0] if len(content) == 1 else content
+ try:
+ content = struct.unpack(
+ self.field_definition[fieldname],
+ raw_data[raw_data_idx:raw_data_idx + fsize]
+ )
+ raw_record[fieldname] = content[0] if len(content) == 1 else content
+ except struct.error as e:
+ # the flowd record doesn't appear to be as expected, log for now.
+ syslog.syslog(syslog.LOG_NOTICE, "flowparser failed to unpack %s (%s)" % (fieldname, e))
 raw_data_idx += fsize
 return raw_record
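Review bot: In the new `except struct.error` branch the failure is only logged: `raw_record[fieldname]` stays unset and `raw_data_idx += fsize` still runs, so decoding carries on with a record already known to be malformed. If this code sits inside the per-field loop (the loop header is outside the hunk), a truncated record will presumably fail again on every remaining field, writing one `LOG_NOTICE` line per field and returning a partial record whose missing keys callers may not expect. Because flowd records are derived from network traffic, I would stop at the first failure and make the record recognisably invalid, for example by adding `break` after the `syslog.syslog(...)` call and having the caller skip records that lack expected fields, or at least rate-limit the notice. The enclosing method starts outside this hunk, so how callers treat a partial `raw_record` needs confirming.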