Optimization #3429

closed

improve err msg for dataset rules parsing

Added by Peter Manev about 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Target version:
Effort: low
Difficulty: low
Label:

Description

It might be helpful to the end user if the err message were a step more descriptive about where the error is. In the example below I forgot to add

,type string;

to the "dataset" stanza. Maybe something like "No dataset type specified" or similar.


/opt/suritest/bin/suricata -V
This is Suricata version 5.0.2-dev (700eebaec 2019-12-21)

 sudo /opt/suritest/bin/suricata -l log/ -S /opt/suritest/var/lib/suricata/rules/http-abuse-hostnames-dataset.rules -T
[359272] 31/12/2019 -- 14:48:42 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode
[359272] 31/12/2019 -- 14:48:42 - (suricata.c:1083) <Notice> (LogVersion) -- This is Suricata version 5.0.2-dev (700eebaec 2019-12-21) running in SYSTEM mode
[359272] 31/12/2019 -- 14:48:42 - (datasets.c:417) <Notice> (DatasetGet) -- dataset and datarep features are experimental and subject to change
[359272] 31/12/2019 -- 14:48:42 - (datasets.c:455) <Error> (DatasetGet) -- [ERRCODE: SC_ERR_DATASET(322)] - dataset base64hostnames.list not defined
[359272] 31/12/2019 -- 14:48:42 - (detect-dataset.c:377) <Error> (DetectDatasetSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - failed to set up dataset 'base64hostnames.list'.
[359272] 31/12/2019 -- 14:48:42 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "pass http $HOME_NET any -> any any (msg:"StamusN whitelisted HTTP hostname - Abuse URLs "; http.host; dataset:set,base64hostnames.list; bypass; sid:4444; rev:1; )" from file /opt/suritest/var/lib/suricata/rules/http-abuse-hostnames-dataset.rules at line 1
[359272] 31/12/2019 -- 14:48:42 - (detect-engine-loader.c:345) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[359272] 31/12/2019 -- 14:48:42 - (suricata.c:2478) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

sudo cat /opt/suritest/var/lib/suricata/rules/http-abuse-hostnames-dataset.rules
pass http $HOME_NET any -> any any (msg:"StamusN whitelisted HTTP hostname - Abuse URLs "; http.host; dataset:set,base64hostnames.list; bypass; sid:4444; rev:1; )

sudo head -5  /opt/suritest/var/lib/suricata/rules/base64hostnames.list
MTc3LjEyNS4zNy4xNTYK
MTcyLjM2LjE0LjExMAo=
MjIyLjE4Ny4xNjUuMjQ1Cg==
MS4yNDYuMjIzLjEyNwo=
MTgwLjEyNC4yNi44Mwo=
...
...
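
An added example, not part of the original issue or of Suricata's code: a pre-load check for the mistake reported above, which flags any `dataset` keyword that has no `type` option and reports it with the wording the issue proposes. The function name `check_dataset_types`, the `yaml_defined` parameter (dataset names assumed to be declared under `datasets:` in suricata.yaml) and the second sample rule are assumptions made for the example.

```python
import re

# Constructed sample rules: the first is the rule from the issue, the second
# is the same rule with the missing ",type string" option added (sid changed).
SAMPLE_RULES = '''\
pass http $HOME_NET any -> any any (msg:"StamusN whitelisted HTTP hostname - Abuse URLs "; http.host; dataset:set,base64hostnames.list; bypass; sid:4444; rev:1; )
pass http $HOME_NET any -> any any (msg:"StamusN whitelisted HTTP hostname - Abuse URLs "; http.host; dataset:set,base64hostnames.list,type string; bypass; sid:4445; rev:1; )
'''

# Matches one "dataset:<args>;" option; the args contain no semicolon.
DATASET_RE = re.compile(r'(?<![\w.])dataset\s*:\s*([^;]*);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# Quoted strings (msg, content, ...) are blanked so text inside them is not parsed.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def check_dataset_types(rules_text, yaml_defined=()):
    """Return (line_no, sid, dataset_name, message) for each dataset keyword
    that has no 'type' option and is not in yaml_defined (names assumed to be
    declared under 'datasets:' in suricata.yaml)."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith('#'):
            continue
        body = QUOTED_RE.sub('""', rule)
        sid_match = SID_RE.search(body)
        sid = int(sid_match.group(1)) if sid_match else None
        for m in DATASET_RE.finditer(body):
            args = [a.strip() for a in m.group(1).split(',')]
            if len(args) < 2:
                findings.append((line_no, sid, None, 'dataset needs "<cmd>,<name>"'))
                continue
            name, options = args[1], args[2:]
            has_type = any(o.split(None, 1)[0] == 'type' for o in options if o)
            if not has_type and name not in yaml_defined:
                findings.append((line_no, sid, name,
                                 f"No dataset type specified for '{name}'"))
    return findings


if __name__ == '__main__':
    for line_no, sid, name, msg in check_dataset_types(SAMPLE_RULES):
        print(f'line {line_no} sid {sid}: {msg}')
```

Run against the sample, only the rule from the issue (line 1, sid 4444) is reported; passing the dataset name in `yaml_defined` suppresses the finding for setups that declare the type in the configuration file instead of the rule.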
