Bug #1148
closed
1.4.7 will not run on Windows Server 2012 because magic file will not load
Description
Installed 2.0rc2 and then back-revved to 1.4.7 but I get the same error, despite editing all of the relevant paths in suricata.yaml
[ERRCODE: UNKNOWN_ERROR(197)] - magic_load failed: count not find any magic files!
The relevant stanza in my suricata.yaml is as follows (and the path is correct):
magic-file: D:\Suricata\magic.mgc
Updated by Peter Manev over 10 years ago
I tried to reproduce the issue on Win 2012 Server and Suricata 2.0rc2 and do not have that problem.
In suricata.yaml my magic entry is:
magic-file: C:\Program Files (x86)\Suricata\magic.mgc
and I get no issues:
15/3/2014 -- 01:15:27 - <Notice> - This is Suricata version 2.0rc2 RELEASE
15/3/2014 -- 01:15:27 - <Info> - CPUs/cores online: 2
.....
.....
15/3/2014 -- 01:15:27 - <Info> - using magic-file C:\Program Files (x86)\Suricata\magic.mgc
15/3/2014 -- 01:15:27 - <Info> - Delayed detect disabled
15/3/2014 -- 01:15:28 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from C:\\Program Files (x86)\\Suricata\\rules\\emerging-icmp.rules
15/3/2014 -- 01:15:32 - <Info> - 49 rule files processed. 14591 rules successfully loaded, 0 rules failed
15/3/2014 -- 01:15:33 - <Info> - 14599 signatures processed. 1291 are IP-only rules, 4517 are inspecting packet payload, 10790 inspect application layer, 85 are decoder event only
Have you checked if the actual magic.mgc is there?
Where from/How do you install Suricata?
Updated by Jason Richardson over 10 years ago
Yes, the file is there, at that path. I just uninstalled ver. 1.4.7 and installed the new RC and I'm having the same issue. I am downloading the MSI directly from here - https://www.openinfosecfoundation.org/index.php/download-suricata and running it as an Admin.
Thanks.
Jason
C:\Users\Administrator\Desktop>d:\suricata\suricata -c d:\suricata\suricata.yaml -i eth3
cygwin warning:
  MS-DOS style path detected: d:\suricata\suricata.yaml
  Preferred POSIX equivalent is: /suricata/suricata.yaml
  CYGWIN environment variable option "nodosfilewarning" turns off this warning.
  Consult the user's guide for more details about POSIX paths:
    http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
20/3/2014 -- 09:43:18 - <Notice> - This is Suricata version 2.0rc3 RELEASE
20/3/2014 -- 09:43:18 - <Info> - CPUs/cores online: 8
20/3/2014 -- 09:43:18 - <Info> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
20/3/2014 -- 09:43:18 - <Info> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
20/3/2014 -- 09:43:18 - <Warning> - [ERRCODE: SC_WARN_OPTION_OBSOLETE(233)] - Personality Apache_2_2 no longer supported by libhtp, failing back to Apache2 personality.
20/3/2014 -- 09:43:18 - <Info> - 'apache' server has 'request-body-minimal-inspect-size' set to 34116 and 'request-body-inspect-window' set to 3973 after randomization.
20/3/2014 -- 09:43:18 - <Info> - 'apache' server has 'response-body-minimal-inspect-size' set to 32229 and 'response-body-inspect-window' set to 4205 after randomization.
20/3/2014 -- 09:43:18 - <Info> - 'iis7' server has 'request-body-minimal-inspect-size' set to 32040 and 'request-body-inspect-window' set to 4118 after randomization.
20/3/2014 -- 09:43:18 - <Info> - 'iis7' server has 'response-body-minimal-inspect-size' set to 32694 and 'response-body-inspect-window' set to 4148 after randomization.
20/3/2014 -- 09:43:18 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(239)] - no DNS UDP config found, enabling DNS detection on port 53.
20/3/2014 -- 09:43:18 - <Info> - DNS request flood protection level: 500
20/3/2014 -- 09:43:18 - <Info> - DNS per flow memcap (state-memcap): 524288
20/3/2014 -- 09:43:18 - <Info> - DNS global memcap: 16777216
20/3/2014 -- 09:43:18 - <Warning> - [ERRCODE: SC_ERR_DNS_CONFIG(239)] - no DNS TCP config found, enabling DNS detection on port 53.
20/3/2014 -- 09:43:18 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl: 22
20/3/2014 -- 09:43:18 - <Info> - No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
20/3/2014 -- 09:43:18 - <Info> - allocated 786432 bytes of memory for the defrag hash... 65536 buckets of size 12
20/3/2014 -- 09:43:18 - <Info> - preallocated 65535 defrag trackers of size 92
20/3/2014 -- 09:43:18 - <Info> - defrag memory usage: 6815652 bytes, maximum: 33554432
20/3/2014 -- 09:43:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
20/3/2014 -- 09:43:18 - <Info> - preallocated 1024 packets. Total memory 2820096
20/3/2014 -- 09:43:18 - <Info> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
20/3/2014 -- 09:43:18 - <Info> - preallocated 1000 hosts of size 52
20/3/2014 -- 09:43:18 - <Info> - host memory usage: 322144 bytes, maximum: 16777216
20/3/2014 -- 09:43:18 - <Info> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
20/3/2014 -- 09:43:18 - <Info> - preallocated 10000 flows of size 148
20/3/2014 -- 09:43:18 - <Info> - flow memory usage: 5714304 bytes, maximum: 33554432
20/3/2014 -- 09:43:18 - <Info> - IP reputation disabled
20/3/2014 -- 09:43:18 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: could not find any magic files!
Updated by Peter Manev over 10 years ago
Can you try installing it in the default location (C:\Program Files (x86)\Suricata\) and see if any issues arise?
I suspect it is a Win PATH issue.
Updated by Christopher Stover over 10 years ago
Hello,
I just installed version 2.0rc3 with all defaults, and I experienced the same issue. I found this post, which helped resolve the issue: http://www.redmine.org/boards/2/topics/35034. I had to replace all the double slashes in the yaml with single slashes though, more than just the magic file.
Suricata version: 2.0rc3
OS: Win 2k8 R2, 64-bit
Chris
Updated by Jason Richardson over 10 years ago
Installing to the default directory of C:\Program Files (x86)\Suricata got me past the magic.mgc file not loading error (although it makes no sense that we can't install to a different dir without running into this issue), but it won't load rules files despite me taking out the double slashes in all of the relevant places in the yaml file and the error messages indicate that the double slashes are still there. This windows distro just isn't ready yet.
Jason
Updated by Christopher Stover over 10 years ago
Jason,
Add a backslash after rules like this and it should work:
C:\Program Files (x86)\Suricata\rules\
Updated by Peter Manev over 10 years ago
Jason,
You can install in a different location but you would have to make sure that location is in the system path (or add it).
Updated by Rich Rumble over 10 years ago
I encountered this too, had to put trailing slashes on paths that end in a directory.
e.g.
C:\\Program Files\\Suricata\\log\\
C:\\Program Files\\Suricata\\rules\\
magic-file: C:\Program Files\Suricata\magic.mgc <---Only takes single \'s... the rest work with double \\
FYI: This works too
using magic-file C:/\\Program Files/\\Suricata/\\magic.mgc
Also the path is hardcoded to 64-bit windows, and people may still run 32-bit, easy enough for them to change though.
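A pre-flight check for the two path patterns reported in the comments above (a directory path with no trailing separator, and doubled backslashes in the magic-file path), so that a sensor does not start with no rules or no file-type detection. This is an added example, not part of the thread and not Suricata project code; it assumes the directories are set under the `default-log-dir` and `default-rule-path` keys, and the sample configuration is constructed.

```python
import re

# Keys whose value is a directory. Assumption: the log and rules directories
# shown in the thread are set under these suricata.yaml keys.
DIR_KEYS = {"default-log-dir", "default-rule-path"}
# Key whose value is a single file (shown in the thread).
FILE_KEYS = {"magic-file"}

# Simple "key: value" matcher; enough for top-level scalar path settings.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")


def lint_paths(yaml_text):
    """Return (line_no, key, message) tuples for path settings that match
    the failure patterns described in this thread."""
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out settings
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        # Reported: magic-file only loads with single backslashes.
        if key in FILE_KEYS and "\\\\" in value:
            findings.append((no, key, "doubled backslashes in file path"))
        # Reported: directory paths need a trailing separator.
        if key in DIR_KEYS and not value.endswith(("\\", "/")):
            findings.append((no, key, "directory path lacks trailing separator"))
    return findings


# Constructed sample, not a real configuration.
SAMPLE = r"""
default-log-dir: C:\\Program Files\\Suricata\\log\\
default-rule-path: C:\\Program Files\\Suricata\\rules
magic-file: C:\\Program Files\\Suricata\\magic.mgc
"""

if __name__ == "__main__":
    for no, key, msg in lint_paths(SAMPLE):
        print(f"line {no}: {key}: {msg}")
```
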
Updated by Peter Manev over 10 years ago
The issues with the slashes inside the suricata.yaml will be addressed in the next win release.
Updated by Andreas Herz almost 9 years ago
Peter Manev wrote:
The issues with the slashes inside the suricata.yaml will be addressed in the next win release.
did it :) so we can close it?