Bug #3536
Closed
Bad number of arguments.
Description
I'm getting a "Bad number of arguments." error when launching Suricata-update, even if no parameters are specified in the command...
sudo suricata-update
Traceback (most recent call last):
  File "/usr/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1515, in main
    sys.exit(_main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1318, in _main
    modify_filters += load_filters(modify_conf_filename)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 451, in load_filters
    filter = ModifyRuleFilter.parse(line)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 272, in parse
    raise Exception("Bad number of arguments.")
Exception: Bad number of arguments.
sudo suricata-update -V
suricata-update version 1.0.6
Updated by Kenneth Kolano over 4 years ago
Full output beyond just the error quoted above...
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/update.yaml
17/3/2020 -- 10:11:20 - <Info> -- Using data-directory /var/lib/suricata.
17/3/2020 -- 10:11:20 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
17/3/2020 -- 10:11:20 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
17/3/2020 -- 10:11:20 - <Info> -- Found Suricata version 4.1.6 at /usr/bin/suricata.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/disable.conf.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/enable.conf.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/modify.conf.
Traceback (most recent call last):
  File "/usr/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1515, in main
    sys.exit(_main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1318, in _main
    modify_filters += load_filters(modify_conf_filename)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 451, in load_filters
    filter = ModifyRuleFilter.parse(line)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 272, in parse
    raise Exception("Bad number of arguments.")
Exception: Bad number of arguments.
Updated by Jason Ish over 4 years ago
This is reporting an error while parsing your modify.conf, in a not very user-friendly way (which we should address). For now, can you post your modify.conf as well?
Updated by Kenneth Kolano over 4 years ago
Ah, thanks.
So it was having trouble with this line intended to backtrack rules using tls.cert_subject back to the 4.x format.
re:"tls.cert_subject" "tls_cert_subject"
The syntax for "re" modifications in modify.conf could also be better documented. The only coverage currently seems to be...
# Change all trojan-activity rules to drop. Its better to setup a
# drop.conf for this, but this does show the use of back references.
#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
...but it's unclear how to perform a re not restricted to a particular classtype.
Updated by Jason Ish over 4 years ago
So a modification requires 3 parameters:
match from to
So
re:"tls.cert_subject" "tls_cert_subject"
Should probably be something like:
re:tls\.cert_subject "tls\.cert_subject" "tls_cert_subject"
There is some info here: https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules, but the configuration file could probably do with some more detail as well.
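A pre-flight check for modify.conf along the lines discussed above, reporting the offending line number instead of a traceback. This is an added example, not part of the original thread and not suricata-update's own code; the function name lint_modify_conf, the shell-style tokenizing and the sample file contents are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample modify.conf; lines 2 and 3 are the two forms quoted in the thread.
SAMPLE = "\n".join([
    r'# comment lines and blank lines are skipped',
    r're:"tls.cert_subject" "tls_cert_subject"',
    r're:tls\.cert_subject "tls\.cert_subject" "tls_cert_subject"',
    r'2019401 "alert" "drop"',
    r're:classtype:trojan-activity "(alert)(.*" "drop"',
])


def lint_modify_conf(text):
    """Return a list of (line_number, problem) for entries that would not load."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # Assumption: entries are tokenized shell-style, so a quoted
            # string containing spaces counts as a single field.
            tokens = shlex.split(line)
        except ValueError as err:  # e.g. an unbalanced quote
            problems.append((lineno, "cannot tokenize: %s" % err))
            continue
        if len(tokens) != 3:
            problems.append(
                (lineno, "expected 3 fields (match from to), got %d" % len(tokens)))
            continue
        match, pattern, _replacement = tokens
        # The "from" field is always a regex; the match field is one after "re:".
        candidates = [("from", pattern)]
        if match.startswith("re:"):
            candidates.append(("match", match[3:]))
        for label, expr in candidates:
            try:
                re.compile(expr)
            except re.error as err:
                problems.append(
                    (lineno, "invalid %s regex %r: %s" % (label, expr, err)))
    return problems


if __name__ == "__main__":
    for lineno, problem in lint_modify_conf(SAMPLE):
        print("modify.conf line %d: %s" % (lineno, problem))
```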
Updated by Shivani Bhardwaj over 4 years ago
- Related to Documentation #3550: More detail about usage in configuration files added
Updated by Shivani Bhardwaj over 4 years ago
- Status changed from New to Assigned
- Target version set to 1.2.0
Updated by Jason Ish over 4 years ago
- Copied to Bug #3619: 1.1.x: Bad number of arguments. added
Updated by Jason Ish over 4 years ago
- Copied to Bug #3625: 1.0.x: Bad number of arguments. added
Updated by Shivani Bhardwaj over 4 years ago
- Status changed from Assigned to Closed
- Assignee changed from Shivani Bhardwaj to Jason Ish
Updated by Jason Ish over 4 years ago
- Target version changed from 1.2.0 to 1.2.0rc1