Bug #840

Yaml parsers confusing suricata

Added by Ted Elhourani almost 11 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Some Yaml loaders/dumper, like pyyaml, insert a null for empty entries. This is confusing suricata. I removed the nulls in the attached file. However for some reason the pid is not being written to /var/run/suricata.pid as instructed. I appreciate it if you help with this.
Thanks!


Files

config-no-pid.yaml (7.74 KB), Ted Elhourani, 06/24/2013 08:33 PM
Actions #1

Updated by Peter Manev almost 11 years ago

Hi,

The yaml provided does not keep the required format, ex:


pattern-matcher:
- b2gc:
    bf-size: medium
    hash-size: low
    search-algo: B2gSearchBNDMq
- b2gm:
    bf-size: medium
    hash-size: low
    search-algo: B2gSearchBNDMq
- b2g:
    bf-size: medium
    hash-size: low
    search-algo: B2gSearchBNDMq
- b3g:
    bf-size: medium
    hash-size: low
    search-algo: B3gSearchBNDMq
- wumanber:
    bf-size: medium
    hash-size: low

As opposed to -

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

This yaml looks a bit massacred to me, hence I think the funny results.

Yaml is supposed to have a certain structure, and that structure is supposed to be followed in order not to get unexpected results like this.
I am sure if you use the default yaml you will get the pid going the way you want it.

I am using python-yaml and never had a problem as long as I follow the required structure.

thanks

Actions #2

Updated by Ted Elhourani almost 11 years ago

I am using python-yaml, the latest version supporting yaml1.1. Here is the code that rewrites the suricata config file:

import yaml

# suricata_yaml, directory and test_name are assumed to be set earlier in the script.
stream_in = open(suricata_yaml, 'r')
# An explicit Loader is required: current PyYAML rejects yaml.load() without one.
suricata_config = yaml.load(stream_in, Loader=yaml.SafeLoader)
stream_in.close()
stream_out = open(directory + test_name + ".yaml", 'w')
stream_out.write("%YAML 1.1\n")  # PyYAML does not emit the version directive itself
yaml.dump(suricata_config, stream_out, default_flow_style=False, explicit_start=True)
stream_out.close()

Are you using the same options for yaml.dump? These gave me the closest to the original syntax.

Actions #3

Updated by Ted Elhourani almost 11 years ago

The pid is written to /var/run/suricata.pid (or other locations) only when in daemon mode. That was the reason I wasn't seeing the pid.

If any entry has no value, such as nfq:

nfq:
#  mode: accept
#  repeat-mark: 1
#  repeat-mask: 1
#  route-queue: 2
#  fail-open: yes

then python-yaml will replace it with nfq: null. This could be an issue for suricata, however this appears to be a problem with python-yaml itself.

thanks

Actions #4

Updated by Peter Manev almost 11 years ago

Have you tried to include "indent" in the yaml.dump and see if anything comes up?

Actions #5

Updated by Ted Elhourani almost 11 years ago

Thank you. I haven't tried "indent". This: yaml.dump(suricata_config, stream_out, default_flow_style=False,explicit_start=True), works as long as no "null" strings are generated by yaml.dump. The nulls should not be there, this is a problem with pyyaml, that must be fixed.
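
The two things this thread runs into, PyYAML writing `nfq: null` for a key whose children are all commented out (#3, #5) and writing sequence items at the parent key's column rather than in the indented style Suricata ships (#1, #4), can both be addressed on the dumper side rather than by editing the output file. The following is an added example, not code from the ticket, from PyYAML or from the Suricata project: it subclasses yaml.SafeDumper to keep sequence items indented, registers a representer that emits an empty value for None, and uses yaml.safe_load instead of yaml.load. The SAMPLE_CONFIG text is constructed for the example in the shape of the suricata.yaml fragments quoted above.

```python
import yaml

# Constructed sample in the shape of the suricata.yaml fragments quoted in this
# ticket: a sequence of single-key mappings, plus an 'nfq:' key whose children
# are all commented out, so it carries no value and loads as None.
SAMPLE_CONFIG = """\
%YAML 1.1
---
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

nfq:
#  mode: accept
#  repeat-mark: 1
"""


class SuricataDumper(yaml.SafeDumper):
    """SafeDumper that indents sequence items under their parent key.

    PyYAML's default is the 'indentless' style ('- b2gc:' at the parent's
    column); the indent= option alone does not change that.
    """

    def increase_indent(self, flow=False, indentless=False):
        # Never fall back to the indentless sequence style.
        return super().increase_indent(flow, False)


def _represent_none(dumper, _value):
    # Emit an empty plain scalar instead of the word 'null'. PyYAML's resolver
    # still reads an empty value back as None, so the round trip is lossless.
    return dumper.represent_scalar("tag:yaml.org,2002:null", "")


SuricataDumper.add_representer(type(None), _represent_none)


def parse_config(text):
    """Parse a suricata.yaml document without constructing arbitrary Python objects."""
    return yaml.safe_load(text)


def rewrite_config(text):
    """Parse a suricata.yaml document and re-emit it in Suricata's own layout."""
    config = parse_config(text)
    body = yaml.dump(
        config,
        Dumper=SuricataDumper,
        default_flow_style=False,
        explicit_start=True,   # emits the leading '---'
        sort_keys=False,       # keep the original key order
    )
    # PyYAML does not write the version directive; prepend it as the ticket does.
    return "%YAML 1.1\n" + body


def round_trips(text):
    """True if re-parsing the rewritten document yields the same structure."""
    return parse_config(rewrite_config(text)) == parse_config(text)


if __name__ == "__main__":
    print(rewrite_config(SAMPLE_CONFIG))
```

Running the block prints `nfq:` with no value on the last line and `  - b2gc:` indented under `pattern-matcher:`, and `round_trips(SAMPLE_CONFIG)` confirms that Suricata's view of the file is unchanged. Note that comments such as the disabled nfq options are not preserved by PyYAML at all; a rewrite like this keeps the structure, not the annotations.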

Actions #6

Updated by Victor Julien over 10 years ago

  • Target version set to TBD
Actions #7

Updated by Andreas Herz about 8 years ago

  • Status changed from New to Closed

This is an issue with python-yaml not suricata itself.

Actions #8

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)