Bug #7805
open
suricata-update: rule filename lost after conversion to drop
Description
Hi,
If I leave rule 3321284 (pawpatrules: DNS request to suspicious domain - Listed by PhishStats) as it is, I can receive alerts without problems and suricata-update runs without error.
But when I add this rule to /etc/suricata/drop.conf, suricata-update gives an error:
root@iNetSrv01:~# suricata-update
8/7/2025 -- 10:06:02 - <Info> -- Using data-directory /var/lib/suricata.
8/7/2025 -- 10:06:02 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
8/7/2025 -- 10:06:02 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
8/7/2025 -- 10:06:02 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
8/7/2025 -- 10:06:02 - <Info> -- Loading /etc/suricata/disable.conf.
8/7/2025 -- 10:06:02 - <Info> -- Loading /etc/suricata/enable.conf.
8/7/2025 -- 10:06:02 - <Info> -- Loading /etc/suricata/drop.conf.
8/7/2025 -- 10:06:02 - <Info> -- Loading /etc/suricata/suricata.yaml
8/7/2025 -- 10:06:02 - <Info> -- Disabling rules for protocol http2
8/7/2025 -- 10:06:02 - <Info> -- Disabling rules for protocol modbus
8/7/2025 -- 10:06:02 - <Info> -- Disabling rules for protocol dnp3
8/7/2025 -- 10:06:02 - <Info> -- Disabling rules for protocol enip
8/7/2025 -- 10:06:02 - <Info> -- Fetching https://rules.pawpatrules.fr/suricata/paw-patrules.tar.gz.
100% - 744276/744276
8/7/2025 -- 10:06:02 - <Info> -- Done.
8/7/2025 -- 10:06:02 - <Info> -- Fetching https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz.
100% - 484488/484488
8/7/2025 -- 10:06:03 - <Info> -- Done.
8/7/2025 -- 10:06:03 - <Info> -- Fetching https://sslbl.abuse.ch/blacklist/sslipblacklist.tar.gz.
100% - 335/335
8/7/2025 -- 10:06:03 - <Info> -- Done.
8/7/2025 -- 10:06:03 - <Info> -- Fetching https://feodotracker.abuse.ch/downloads/feodotracker.tar.gz.
100% - 492/492
8/7/2025 -- 10:06:03 - <Info> -- Done.
8/7/2025 -- 10:06:03 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.md5.
8/7/2025 -- 10:06:04 - <Info> -- Remote checksum has not changed. Not fetching.
8/7/2025 -- 10:06:04 - <Info> -- Fetching https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz.
100% - 629472/629472
8/7/2025 -- 10:06:04 - <Info> -- Done.
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
8/7/2025 -- 10:06:04 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
8/7/2025 -- 10:06:07 - <Info> -- Ignoring file rules/emerging-deleted.rules
8/7/2025 -- 10:06:21 - <Info> -- Loaded 114521 rules.
8/7/2025 -- 10:06:59 - <Info> -- Disabled 120 rules.
8/7/2025 -- 10:06:59 - <Info> -- Enabled 0 rules.
8/7/2025 -- 10:06:59 - <Info> -- Modified 0 rules.
8/7/2025 -- 10:06:59 - <Info> -- Dropped 4 rules.
8/7/2025 -- 10:07:00 - <Info> -- Enabled 136 rules for flowbit dependencies.
8/7/2025 -- 10:07:00 - <Info> -- Backing up current rules.
8/7/2025 -- 10:07:21 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 114521; enabled: 98816; added: 141; removed 6; modified: 25
Traceback (most recent call last):
File "/usr/bin/suricata-update", line 36, in <module>
sys.exit(main.main())
^^^^^^^^^
File "/usr/lib/python3/dist-packages/suricata/update/main.py", line 1369, in main
sys.exit(_main())
^^^^^
File "/usr/lib/python3/dist-packages/suricata/update/main.py", line 1305, in _main
write_merged(os.path.join(output_filename), rulemap, dep_files)
File "/usr/lib/python3/dist-packages/suricata/update/main.py", line 542, in write_merged
reformatted = handle_dataset_files(rule, dep_files)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/suricata/update/main.py", line 446, in handle_dataset_files
prefix = os.path.dirname(rule.group)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "<frozen posixpath>", line 152, in dirname
TypeError: expected str, bytes or os.PathLike object, not NoneType
root@iNetSrv01:~#
Here are the details of this rule:
alert dns any any -> any any (msg:" DNS request to suspicious domain - Listed by PhishStats"; flow:to_server, stateless; dns_query; dataset:isset,pawpatrules_phishstats,type string,load datasets/41774a4b30ea8ae2004d8f0b299cef98; reference: url,https://phishstats.info/; metadata:created_at 2024_06_23, updated_at 2025_03_04; sid:3321284; rev:3; classtype:bad-unknown;)
Dataset exists: -rw-r--r-- 1 root root 630943 8 juil. 08:48 /var/lib/suricata/rules/datasets/41774a4b30ea8ae2004d8f0b299cef98
suricata version: 6.0.10
suricata-update version 1.2.7
Would it be possible for suricata-update to return something like:
Error with drop.conf, rule 3321284, error description.
It would be easier to debug.
Regards,
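
The failure mode in the traceback above, reproduced as an added example that is not part of the original report and is not suricata-update's own code: a rule object loses its source file name when it is rebuilt as a drop rule, so resolving the dataset path hits `os.path.dirname(None)`. The `Rule` class, the helper names, the sample rule text and the `rules/example.rules` path are hypothetical and constructed for illustration; the guard shows the kind of per-rule error message the report asks for.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, shortened stand-in for the rule quoted in the report.
SAMPLE = ('alert dns any any -> any any (msg:"example"; dns_query; '
          'dataset:isset,example_set,type string,load datasets/0123abcd; '
          'sid:3321284; rev:3;)')

@dataclass
class Rule:                      # hypothetical model, not suricata-update's class
    raw: str
    group: Optional[str] = None  # rule file the rule was loaded from

    @property
    def sid(self) -> int:
        return int(re.search(r"\bsid:\s*(\d+)", self.raw).group(1))

def parse(raw: str, group: Optional[str] = None) -> Rule:
    return Rule(raw=raw, group=group)

def to_drop_lossy(rule: Rule) -> Rule:
    # Re-parses the rewritten text but forgets the source file name.
    return parse(re.sub(r"^alert\b", "drop", rule.raw))

def to_drop(rule: Rule) -> Rule:
    # Same rewrite, carrying the source file name over to the new object.
    return parse(re.sub(r"^alert\b", "drop", rule.raw), group=rule.group)

def dataset_source(rule: Rule) -> Optional[str]:
    """Path of the dataset file, resolved relative to the rule's source file."""
    m = re.search(r"\bdataset:[^;]*?\bload\s+([^,;\s]+)", rule.raw)
    if m is None:
        return None              # rule has no dataset to load
    if rule.group is None:
        # Name the rule instead of letting os.path.dirname(None) raise TypeError.
        raise ValueError(f"rule {rule.sid}: dataset '{m.group(1)}' cannot be "
                         "resolved, source rule file name is unknown")
    return os.path.join(os.path.dirname(rule.group), m.group(1))

if __name__ == "__main__":
    loaded = parse(SAMPLE, group="rules/example.rules")
    print(dataset_source(to_drop(loaded)))
    try:
        dataset_source(to_drop_lossy(loaded))
    except ValueError as err:
        print(err)
```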