Bug #780
Closed
Suricata fails to load any of threshold rules if at least one of them is not parseable
Description
It seems that if one of the threshold rules contains a typo and Suricata is unable to parse it, none of the threshold rules is loaded (my peek into the source code seems to confirm this). Things are especially confusing if the typo is in the last rule, since Suricata is logging the number of rules processed (including the failed one).
Example (failed! note the by_stc in the second line):
suppress gen_id 1, sig_id 2200029, track by_dst, ip fe80::/16
suppress gen_id 1, sig_id 2200029, track by_stc, ip fe80::/16
Expected outcome:
Suricata will still use correctly parsed threshold rules even in case a later one fails to parse. Possibly even skipping the offending rule and continuing the parsing with the next line.
Updated by Victor Julien over 11 years ago
- Assignee set to OISF Dev
- Target version changed from 1.4.1 to 1.4.2
Updated by Victor Julien over 11 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Where in the code did you see that? I have done some testing, can't reproduce the issue. No matter how I order your suppress rules, the valid one is properly set up.
Updated by Victor Julien over 11 years ago
- Status changed from Assigned to Closed
- Target version deleted (1.4.2)
Can't reproduce and reporter isn't responding, so closing.
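An added example, not from this ticket or from Suricata's code: a standalone pre-load check that validates each suppress line from the report independently, so a typo such as by_stc is reported with its line number while the valid lines are still accepted. It assumes only the suppress form shown in the report, by_src/by_dst as track values and literal addresses; `lint_suppress` is a hypothetical name.

```python
import ipaddress
import re

# Constructed sample: the two lines from the report (second has the by_stc typo).
SAMPLE = """\
suppress gen_id 1, sig_id 2200029, track by_dst, ip fe80::/16
suppress gen_id 1, sig_id 2200029, track by_stc, ip fe80::/16
"""

# Assumption: only the suppress form shown in the report is checked, with
# by_src/by_dst as track values and a literal address or CIDR after "ip".
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(\S+?)\s*,\s*ip\s+(\S+))?\s*$"
)
TRACK_VALUES = {"by_src", "by_dst"}


def lint_suppress(text):
    """Return (accepted, rejected); each bad line is reported, not fatal."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        m = SUPPRESS_RE.match(line)
        if not m:
            rejected.append((lineno, "unrecognised syntax", line))
            continue
        gid, sid, track, ip = m.groups()
        if track is not None:
            if track not in TRACK_VALUES:
                rejected.append((lineno, f"unknown track value {track!r}", line))
                continue
            try:
                ipaddress.ip_network(ip, strict=False)
            except ValueError:
                rejected.append((lineno, f"bad address {ip!r}", line))
                continue
        accepted.append((lineno, int(gid), int(sid), track, ip))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = lint_suppress(SAMPLE)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for lineno, reason, line in bad:
        print(f"line {lineno}: {reason}: {line}")
```

Running it against threshold.config before a reload, and comparing the accepted count with the number Suricata logs, shows whether a line was silently dropped.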