Bug #6559
Signatures starting with space have invalid diagnosis
Description
Signature:
Starting with no space
alert tcp any any -> $DCNET any (msg: "test"; content: "toto"; sid: 1;)
Starting with space
alert tcp any any -> $DCNET any (msg: "test"; content: "toto"; sid: 1;)
Suricata 6.0.10
Starting with no space
{"timestamp":"2023-11-20T09:53:42.141885+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T09:53:42.141941+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T09:53:42.141947+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol imap enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T09:53:42.148911+0100","log_level":"Error","event_type":"engine","engine":{"error_code":101,"error":"SC_ERR_UNDEFINED_VAR","message":"Variable \"DCNET\" is not defined in configuration file"}}
{"timestamp":"2023-11-20T09:53:42.148933+0100","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"error parsing signature \"alert tcp any any -> $DCNET any (msg: \"test\"; content: \"toto\"; sid: 1;)\" from file \/tmp\/tmpjkqi4i2t\/file.rules at line 1"}}
{"timestamp":"2023-11-20T09:53:42.148939+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rules were loaded!"}}
{"timestamp":"2023-11-20T09:53:42.148951+0100","log_level":"Error","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"Loading signatures failed."}}
Here we have err 101 "Variable \"DCNET\""
Starting with space
{"timestamp":"2023-11-20T11:37:21.691625+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T11:37:21.691697+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T11:37:21.691704+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol imap enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T11:37:21.698308+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rules were loaded!"}}
{"timestamp":"2023-11-20T11:37:21.698423+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
We don't have err 101 "Variable \"DCNET\""
Suricata 7.0.1
Starting with no space
{"timestamp":"2023-11-20T11:41:56.083558+0100","log_level":"Error","event_type":"engine","engine":{"message":"Variable \"DCNET\" is not defined in configuration file","thread_name":"Suricata-Main","module":"rule-vars"}}
{"timestamp":"2023-11-20T11:41:56.083586+0100","log_level":"Error","event_type":"engine","engine":{"message":"error parsing signature \"alert tcp any any -> $DCNET any (msg: \"test\"; content: \"toto\"; sid: 1;)\" from file /tmp/tmpjkqi4i2t/file.rules at line 1","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2023-11-20T11:41:56.083592+0100","log_level":"Warning","event_type":"engine","engine":{"message":"1 rule files specified, but no rules were loaded!","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2023-11-20T11:41:56.083601+0100","log_level":"Error","event_type":"engine","engine":{"message":"Loading signatures failed.","thread_name":"Suricata-Main","module":"suricata"}}
We have err "Variable \"DCNET\""
Starting with space
{"timestamp":"2023-11-20T11:43:43.722560+0100","log_level":"Warning","event_type":"engine","engine":{"message":"1 rule files specified, but no rules were loaded!","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2023-11-20T11:43:43.722591+0100","log_level":"Warning","event_type":"engine","engine":{"message":"Error opening file: \"/usr/local/etc/suricata//threshold.config\": No such file or directory","thread_name":"Suricata-Main","module":"threshold-config"}}
We don't have err "Variable \"DCNET\""
Expected Results
A rule starting with a space or not should have the same output errors.
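
A pre-flight check for the condition reported above, as an added example that is not part of the original report or of Suricata's code: it flags rule lines that begin with whitespace and classifies an engine log in which "no rules were loaded" appears without an accompanying parse error. The log lines are constructed from the messages shown in this report, and the function names are hypothetical.

```python
import json

RULE = 'alert tcp any any -> $DCNET any (msg: "test"; content: "toto"; sid: 1;)'
# Constructed rule file: line 1 as in the report, line 2 with a leading space.
RULES = RULE + "\n " + RULE + "\n"

def _ev(level, message):
    """Build one engine log line in the JSON shape shown in the report."""
    return json.dumps({"log_level": level, "event_type": "engine",
                       "engine": {"message": message}})

# Constructed logs reusing the messages from the Suricata 7.0.1 runs above.
NOISY_RUN = [
    _ev("Error", 'Variable "DCNET" is not defined in configuration file'),
    _ev("Error", 'error parsing signature "' + RULE + '" from file file.rules at line 1'),
    _ev("Warning", "1 rule files specified, but no rules were loaded!"),
    _ev("Error", "Loading signatures failed."),
]
SILENT_RUN = [_ev("Warning", "1 rule files specified, but no rules were loaded!")]

def leading_space_rules(rule_text):
    """Return 1-based numbers of non-blank, non-comment lines starting with whitespace."""
    hits = []
    for number, line in enumerate(rule_text.splitlines(), 1):
        body = line.strip()
        if body and not body.startswith("#") and line[0] in " \t":
            hits.append(number)
    return hits

def diagnose(log_lines):
    """Return 'ok', 'explained' (no rules + parse error) or 'silent' (no rules alone)."""
    messages = []
    for raw in log_lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # skip non-JSON lines mixed into the log
        if isinstance(event, dict) and event.get("event_type") == "engine":
            messages.append(event.get("engine", {}).get("message", ""))
    no_rules = any("no rules were loaded" in m for m in messages)
    parse_error = any(m.startswith("error parsing signature") for m in messages)
    if not no_rules:
        return "ok"
    return "explained" if parse_error else "silent"

if __name__ == "__main__":
    print(leading_space_rules(RULES), diagnose(NOISY_RUN), diagnose(SILENT_RUN))
```

A "silent" result on a rule file where `leading_space_rules` reports hits matches the behaviour described in this report.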