Project

General

Profile

Actions

Bug #3536

closed

Bad number of arguments.

Added by Kenneth Kolano over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm getting a "Bad number of arguments." error when launching Suricata-update, even if no parameters are specified in the command...

sudo suricata-update

Traceback (most recent call last):
  File "/usr/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1515, in main
    sys.exit(_main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1318, in _main
    modify_filters += load_filters(modify_conf_filename)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 451, in load_filters
    filter = ModifyRuleFilter.parse(line)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 272, in parse
    raise Exception("Bad number of arguments.")
Exception: Bad number of arguments.

sudo suricata-update -V

suricata-update version 1.0.6

Related issues 3 (0 open3 closed)

Related to Suricata-Update - Documentation #3550: More detail about usage in configuration filesClosedShivani BhardwajActions
Copied to Suricata-Update - Bug #3619: 1.1.x: Bad number of arguments.ClosedJason IshActions
Copied to Suricata-Update - Bug #3625: 1.0.x: Bad number of arguments.ClosedJason IshActions
Actions #1

Updated by Kenneth Kolano over 4 years ago

Full Output beyond just the error quoted above...

17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/update.yaml
17/3/2020 -- 10:11:20 - <Info> -- Using data-directory /var/lib/suricata.
17/3/2020 -- 10:11:20 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
17/3/2020 -- 10:11:20 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
17/3/2020 -- 10:11:20 - <Info> -- Found Suricata version 4.1.6 at /usr/bin/suricata.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/disable.conf.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/enable.conf.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/modify.conf.
Traceback (most recent call last):
  File "/usr/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1515, in main
    sys.exit(_main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1318, in _main
    modify_filters += load_filters(modify_conf_filename)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 451, in load_filters
    filter = ModifyRuleFilter.parse(line)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 272, in parse
    raise Exception("Bad number of arguments.")
Exception: Bad number of arguments.
Actions #2

Updated by Jason Ish over 4 years ago

This is reporting an error while parsing your modify.conf, it not a very user friendly way (which we should address). For now, can you post your modify.conf as well?

Actions #3

Updated by Kenneth Kolano over 4 years ago

Ah, thanks.
So it was having trouble with this line intended to backtrack rules using tls.cert_subject back to the 4.x format.

re:"tls.cert_subject" "tls_cert_subject" 

The syntax for "re" modifications in modify.conf could also be better documented. The only coverage currently seems to be...

# Change all trojan-activity rules to drop. Its better to setup a
# drop.conf for this, but this does show the use of back references.
#re:classtype:trojan-activity "(alert)(.*)" "drop\\2" 

...but it's unclear how to perform a re not restricted to a particular classtype.

Actions #4

Updated by Jason Ish over 4 years ago

So a modification requires 3 parameters:

match from to

So

re:"tls.cert_subject" "tls_cert_subject" 

Should probably be something like:
re:tls\.cert_subject "tls\.cert_subject" "tls_cert_subject" 

There is some info here: https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules, but the configuration file could probably do with some more detail as well.

Actions #5

Updated by Shivani Bhardwaj over 4 years ago

Actions #6

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from New to Assigned
  • Target version set to 1.2.0
Actions #7

Updated by Jason Ish over 4 years ago

  • Copied to Bug #3619: 1.1.x: Bad number of arguments. added
Actions #8

Updated by Jason Ish over 4 years ago

  • Copied to Bug #3625: 1.0.x: Bad number of arguments. added
Actions #9

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from Assigned to Closed
  • Assignee changed from Shivani Bhardwaj to Jason Ish
Actions #10

Updated by Jason Ish over 4 years ago

  • Target version changed from 1.2.0 to 1.2.0rc1
Actions

Also available in: Atom PDF