Bug #1466

closed

Rule reload - Rules won't reload if rule files are listed in an included file.

Added by Jason Ish over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal

Description

Appears to affect at least 2.1beta3, and 2.1beta4. 2.0.8 seems fine.

If the "rule-files" configuration node is in a file included into suricata.yaml, no rules appear to be reloaded after a SIGUSR2.

For example, my suricata.yaml looks like:

default-rule-path: /etc/suricata/rules
include: /etc/suricata/rules/rules.yaml

Where rules.yaml is something like:

rule-files:
  - botcc.portgrouped.rules
  - botcc.rules

The output after a SIGUSR2 is something like:

[14081] 11/5/2015 -- 09:44:35 - (reputation.c:620) <Info> (SRepInit) -- IP reputation disabled
[14081] 11/5/2015 -- 09:44:35 - (util-classification-config.c:359) <Info> (SCClassConfParseFile) -- Added "34" classification types from the classification file
[14081] 11/5/2015 -- 09:44:35 - (util-reference-config.c:337) <Info> (SCRConfParseFile) -- Added "19" reference types from the reference.config file
[14081] 11/5/2015 -- 09:44:35 - (detect.c:474) <Info> (SigLoadSignatures) -- No signatures supplied.
[14081] 11/5/2015 -- 09:44:35 - (util-threshold-config.c:1195) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[14081] 11/5/2015 -- 09:44:35 - (detect-engine.c:574) <Notice> (DetectEngineReloadThreads) -- rule reload starting
[14081] 11/5/2015 -- 09:44:35 - (detect-engine.c:653) <Info> (DetectEngineReloadThreads) -- Live rule swap has swapped 12 old det_ctx's with new ones, along with the new de_ctx
[14081] 11/5/2015 -- 09:44:35 - (detect-engine.c:725) <Notice> (DetectEngineReloadThreads) -- rule reload complete
[14081] 11/5/2015 -- 09:44:35 - (detect.c:4185) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete

Resulting in no rules being loaded.
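A check for the failure shown in the log output above, as an added example that is not part of the original report or of Suricata: it parses log lines in the quoted layout and flags any reload that completed after SigLoadSignatures reported no signatures. The function name `empty_reloads` and the healthy-reload sample lines are assumptions made for illustration.

```python
import re

# Layout of the log lines quoted in the report:
# [pid] date -- time - (file.c:line) <Level> (Function) -- message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>\S+ -- \S+) - \([^)]+\) "
    r"<(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$"
)


def empty_reloads(lines):
    """Return one finding per completed reload whose rule load was empty."""
    # pid -> True if that process's latest SigLoadSignatures line reported no rules
    last_load_empty = {}
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # tolerate truncated or unrelated lines
        pid, func, msg = m["pid"], m["func"], m["msg"]
        if func == "SigLoadSignatures":
            # In the report this line is logged before "rule reload starting",
            # so the state is remembered until the reload completes.
            last_load_empty[pid] = msg.startswith("No signatures supplied")
        elif func == "DetectEngineReloadThreads" and msg == "rule reload complete":
            if last_load_empty.get(pid):
                findings.append({"pid": pid, "completed": m["ts"]})
    return findings


# The first three lines are copied from the report. The last three are
# constructed to stand for a reload that did load rules; their message text
# and source line numbers are assumptions.
SAMPLE = """\
[14081] 11/5/2015 -- 09:44:35 - (detect.c:474) <Info> (SigLoadSignatures) -- No signatures supplied.
[14081] 11/5/2015 -- 09:44:35 - (detect-engine.c:574) <Notice> (DetectEngineReloadThreads) -- rule reload starting
[14081] 11/5/2015 -- 09:44:35 - (detect-engine.c:725) <Notice> (DetectEngineReloadThreads) -- rule reload complete
[14081] 11/5/2015 -- 10:02:11 - (detect.c:500) <Info> (SigLoadSignatures) -- 2 rule files processed. 1500 rules successfully loaded, 0 rules failed
[14081] 11/5/2015 -- 10:02:11 - (detect-engine.c:574) <Notice> (DetectEngineReloadThreads) -- rule reload starting
[14081] 11/5/2015 -- 10:02:11 - (detect-engine.c:725) <Notice> (DetectEngineReloadThreads) -- rule reload complete
"""

if __name__ == "__main__":
    for finding in empty_reloads(SAMPLE.splitlines()):
        print("reload with no signatures: pid %(pid)s at %(completed)s" % finding)
```

Run against the engine log after each SIGUSR2, a non-empty result means the sensor is running without rules even though the reload reported success.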

Actions #1

Updated by Jason Ish over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish

Actions #2

Updated by Victor Julien over 7 years ago

What's the status of this one? Think I remember seeing a patch :)

Actions #3

Updated by Victor Julien over 7 years ago

  • Target version set to 3.0RC1

Actions #4

Updated by Jason Ish over 7 years ago

Addressed in this PR https://github.com/inliniac/suricata/pull/1483 (merged).

Actions #5

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed