Bug #1487 (closed)
Configuration parser depends on key ordering
Description
According to the YAML 1.1 spec (http://yaml.org/spec/1.1/#id861435):
The content of a mapping node is an unordered set of key: value node pairs
However, Suricata behaves differently depending on the ordering of at least one mapping node: af-packet. For example:
af-packet:
  - interface: default
  - cluster-id: '99'
    interface: eth2
    threads: 8
    defrag: 'true'
    cluster-type: cluster_flow
Yields the following with suricata --dump-config:
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = default
af-packet.1 = cluster-id
af-packet.1.cluster-id = 99
af-packet.1.interface = eth2
af-packet.1.threads = 8
af-packet.1.defrag = true
af-packet.1.cluster-type = cluster_flow
And the following output at startup:
15/6/2015 -- 07:03:22 - <Info> - Adding interface eth2 from config file
15/6/2015 -- 07:03:22 - <Info> - Using 4 AF_PACKET threads for interface eth2
15/6/2015 -- 07:03:22 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
15/6/2015 -- 07:03:22 - <Error> - [ERRCODE: SC_ERR_GET_CLUSTER_TYPE_FAILED(35)] - Could not get cluster-type from config
Whereas, this config:
af-packet:
  - interface: default
  - interface: eth2
    cluster-id: '99'
    threads: 8
    defrag: 'true'
    cluster-type: cluster_flow
produces this output from suricata --dump-config:
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = default
af-packet.1 = interface
af-packet.1.interface = eth2
af-packet.1.cluster-id = 99
af-packet.1.threads = 8
af-packet.1.defrag = true
af-packet.1.cluster-type = cluster_flow
And this output at startup:
15/6/2015 -- 07:04:38 - <Info> - Using flow cluster mode for AF_PACKET (iface eth2)
15/6/2015 -- 07:04:38 - <Info> - Using defrag kernel functionality for AF_PACKET (iface eth2)
15/6/2015 -- 07:04:38 - <Info> - Generic Receive Offload is unset on eth2
15/6/2015 -- 07:04:38 - <Info> - Large Receive Offload is unset on eth2
15/6/2015 -- 07:04:38 - <Info> - Going to use 8 thread(s)
Version info:
root@hlbinddevids01:~# lsb_release -cs
trusty
root@hlbinddevids01:~# suricata -V
This is Suricata version 2.1beta4 RELEASE
root@hlbinddevids01:~# apt-cache policy suricata
suricata:
Installed: 2.1~beta4-0ubuntu12
Candidate: 2.1~beta4-0ubuntu12
Version table:
*** 2.1~beta4-0ubuntu12 0
500 http://ppa.launchpad.net/oisf/suricata-beta/ubuntu/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
2.0.8-0ubuntu8 0
500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu/ trusty/main amd64 Packages
1.4.7-1ubuntu1.1 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
1.4.7-1 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
root@hlbinddevids01:~#
This prevents the use of other tools for modifying the suricata configuration file (such as Puppet) because the ordering is not guaranteed.
Please let me know if I can provide any further information.
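
A pre-deployment check for the condition reported above, added here as an example; it is not code from the reporter or from the Suricata project. It assumes, based only on the two dumps quoted in the report, that the value printed for `af-packet.N` by `suricata --dump-config` is the first key of that list item. The function names and the sample strings are constructed for the example.

```python
import re

# Constructed sample: the nodes from the failing --dump-config output in the report.
BAD_DUMP = """\
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = default
af-packet.1 = cluster-id
af-packet.1.cluster-id = 99
af-packet.1.interface = eth2
af-packet.1.threads = 8
af-packet.1.defrag = true
af-packet.1.cluster-type = cluster_flow
"""
# Same nodes, but with "interface" as the first key of item 1 (the working case).
GOOD_DUMP = BAD_DUMP.replace("af-packet.1 = cluster-id", "af-packet.1 = interface")

# Matches a list-item node such as "af-packet.1", not its children.
ITEM = re.compile(r"^(?P<section>[^.\s]+)\.(?P<index>\d+)$")

def parse_dump(text):
    """Turn 'name = value' lines into a dict, skipping anything else."""
    nodes = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            nodes[name.strip()] = value.strip()
    return nodes

def misordered_items(text, section="af-packet", required_first="interface"):
    """Return (index, first_key, interface) for every list item that defines
    `required_first` but does not have it as its first key."""
    nodes = parse_dump(text)
    findings = []
    for name, first_key in nodes.items():
        m = ITEM.match(name)
        if not m or m.group("section") != section:
            continue
        iface = nodes.get(f"{name}.{required_first}")
        if iface is not None and first_key != required_first:
            findings.append((int(m.group("index")), first_key, iface))
    return sorted(findings)

if __name__ == "__main__":
    for idx, first, iface in misordered_items(BAD_DUMP):
        print(f"af-packet[{idx}] ({iface}): first key is '{first}', expected 'interface'")
```

Run against the dump of a file rendered by a configuration-management tool, a non-empty result identifies the interfaces whose per-interface settings would not be picked up on the affected version.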