Added by Ben Magistro 10 months ago. Updated about 2 months ago.
Description
Given a structure of
/tmp/rules/
├── file1.rules
└── nested
└── file2.rules
To me, it looks that the current behavior is the expected one
Can you please clarify how this is expected behavior? Are there notes that say rule files shouldn't be nested in directories that we have been missing? The current behavior described above would fail to load any rules from file2 which is in the directory nested as it cannot be found.
Maybe I misunderstand the report.
Here is what I understand :
you have find /tmp/rules -type f that shows
/tmp/rules/file2.rules /tmp/rules/file1.rules /tmp/rules/nested/file2.rules
And you have your configuration that says that you want to load file1.rules and file2.rules, and /tmp/rules is the default-rule-path
Why would it pick /tmp/rules/nested/file2.rules over /tmp/rules/file2.rules ?
I should have looked at the formatting of the tree I provided after posting and when you replied. That's totally on me. The nesting in the original report didn't get preserved. There are only two files one at `/tmp/rules/file1.rules` and second at `/tmp/rules/nested/file2.rules`. The find runs but doesn't preserved the fact that `file2.rules` is in a directory so attempts to load it from `/tmp/rules/` which turns into a file not found so rules in `file2` are not added. Our current workaround is to just not have folks use nested files.
Going from memory + some internal comments I believe the issue is in https://github.com/OISF/suricata-update/blob/2621544e41d5fcc459b2efe885d18fffce61b5ae/suricata/update/main.py#L315 but didn't have the cycles then to try and develop a patch.
edit: looks like I might have opened a pr...https://github.com/OISF/suricata-update/pull/347/files
Thanks, so I understand the bug lies in suricata-update, not in suricata, right ?
That is correct. Thanks for updating things, I must have missed that option when opening this initially.