Bug #892
closeddetect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml
Description
If in suricata.yaml we have ->
detect-engine:
- profile: custom
- custom-values:
toclient-src-groups: BA
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
Notice how abpve we have "toclient-src-groups: BA" Suriacta does not err out on that during start up.
The issue is present on both 1.4.4 and git master 2.0dev (rev 055b422).
Updated by Amin Latifi over 10 years ago
Unfortunately, the problem is more basic. I found that suricata doesn't recognize "toclient-src-groups", "toclient-dst-groups" and other names under custom-values node!
This is because in detect-engine.c code, the names for related variables are set "toclient_src_groups", "toclient_dst_groups" and etc. This means all the '_' characters in these parameters in code must be changed to '-' character.
It's somehow an unpleasant bug and should be fix ASAP.
Updated by Peter Manev over 10 years ago
Following up Amin's comment - yes I agree it looks like a "small effort" and important fix. I think it should be pointed to Beta/RC/2.0
The bigger part of the problem is actually that one can not use the detect-engine custom profile as of now.
This feature can really help inspection on high traffic sensors with lots of RAM available.
Updated by Victor Julien over 10 years ago
- Status changed from New to Closed
- Assignee set to Victor Julien
- Target version changed from TBD to 2.0beta2
- % Done changed from 0 to 100
Fixed through https://github.com/inliniac/suricata/pull/669