Bug #840
closed
Yaml parsers confusing suricata
Added by Ted Elhourani almost 11 years ago.
Updated over 6 years ago.
Description
Some Yaml loaders/dumper, like pyyaml, insert a null for empty entries. This is confusing suricata. I removed the nulls in the attached file. However for some reason the pid is not being written to /var/run/suricata.pid as instructed. I appreciate it if you help with this.
Thanks!
Hi,
The yaml provided does not keep the required format, ex:
pattern-matcher:
  - b2gc:
      bf-size: medium
      hash-size: low
      search-algo: B2gSearchBNDMq
  - b2gm:
      bf-size: medium
      hash-size: low
      search-algo: B2gSearchBNDMq
  - b2g:
      bf-size: medium
      hash-size: low
      search-algo: B2gSearchBNDMq
  - b3g:
      bf-size: medium
      hash-size: low
      search-algo: B3gSearchBNDMq
  - wumanber:
      bf-size: medium
      hash-size: low
As opposed to -
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
This yaml looks a bit massacred to me, hence I think the funny results.
Yaml is supposed to have a certain structure, and that structure is supposed to be followed in order not to get unexpected results like this.
I am sure if you use the default yaml you will get the pid going the way you want it.
I am using python-yaml and never had a problem as long as I follow the required structure.
thanks
I am using python-yaml, the latest version supporting yaml1.1. Here is the code that rewrites the suricata config file:
import yaml

# Read the original suricata.yaml. safe_load builds only plain Python types;
# yaml.load() without an explicit Loader can instantiate arbitrary objects
# from a crafted file and is rejected outright by PyYAML 6.
stream_in = open(suricata_yaml, 'r')
suricata_config = yaml.safe_load(stream_in)
stream_in.close()
# Write the per-test config. yaml.dump does not emit the %YAML 1.1 directive
# itself, so it is written by hand before the document start marker.
stream_out = open(directory + test_name + ".yaml", 'w')
stream_out.write("%YAML 1.1\n")
yaml.dump(suricata_config, stream_out, default_flow_style=False, explicit_start=True)
stream_out.close()
Are you using the same options for yaml.dump ? These gave me the closest to the original syntax.
The pid is written to /var/run/suricata.pid (or other locations) only when in daemon mode. That was the reason I wasn't seeing the pid.
If any entry has no value, such as nfq:
nfq:
#  mode: accept
#  repeat-mark: 1
#  repeat-mask: 1
#  route-queue: 2
#  fail-open: yes
then python-yaml will replace it with nfq: null. This could be an issue for suricata; however, this appears to be a problem with python-yaml itself.
thanks
Have you tried to include "indent" in the yaml.dump and see if anything comes up?
Thank you. I haven't tried "indent". This: yaml.dump(suricata_config, stream_out, default_flow_style=False,explicit_start=True), works as long as no "null" strings are generated by yaml.dump. The nulls should not be there, this is a problem with pyyaml, that must be fixed.
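The two effects discussed in this ticket, PyYAML sorting mapping keys and emitting "null" for an entry that has no value, both come from the dumper's defaults and can be overridden without patching PyYAML. The script below is an added example written for this page; it is not code from the ticket or from the Suricata project. SAMPLE_CONFIG is a constructed fragment in the shape of suricata.yaml (not the real file), SuricataDumper and the function names are hypothetical, and the example assumes a PyYAML that accepts the sort_keys argument (5.1 or later).

```python
import yaml

# Constructed sample in the shape of suricata.yaml (not the real file): "nfq"
# has every sub-option commented out, so it is a key with no value.
SAMPLE_CONFIG = """\
%YAML 1.1
---
nfq:
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
"""


def _represent_none(dumper, _value):
    # Emit None as an empty null-tagged scalar: "nfq:" instead of "nfq: null".
    return dumper.represent_scalar("tag:yaml.org,2002:null", "")


class SuricataDumper(yaml.SafeDumper):
    """SafeDumper subclass that keeps empty values empty (hypothetical name)."""


# Registering on the subclass copies the representer table, so yaml.SafeDumper
# itself is left untouched.
SuricataDumper.add_representer(type(None), _represent_none)


def load_config(text):
    # safe_load builds only plain Python types; yaml.load() without an explicit
    # Loader can instantiate arbitrary objects from a crafted config file.
    return yaml.safe_load(text)


def dump_default(config):
    # What the thread complains about: keys are sorted and None becomes null.
    return yaml.safe_dump(config, default_flow_style=False, explicit_start=True)


def dump_config(config):
    # Keep insertion order and empty values. The %YAML 1.1 directive is written
    # by hand, as in the original script, because the dumper does not emit it.
    body = yaml.dump(config, Dumper=SuricataDumper, default_flow_style=False,
                     explicit_start=True, sort_keys=False)
    return "%YAML 1.1\n" + body


def rewrite(text):
    # Full round trip: parse the config, then re-emit it in Suricata-friendly form.
    return dump_config(load_config(text))


if __name__ == "__main__":
    print(dump_default(load_config(SAMPLE_CONFIG)))
    print(rewrite(SAMPLE_CONFIG))
```

The empty scalar is still tagged as null, so loading the rewritten file back gives None for nfq, exactly as the original file does; only the textual form changes. Key order survives because safe_load builds ordinary dicts in document order and sort_keys=False stops the dumper from re-sorting them.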
- Target version set to TBD
- Status changed from New to Closed
This is an issue with python-yaml not suricata itself.
- Target version deleted (TBD)