Bug #977 (Closed)
WARNING on empty rules file is fatal (should not be)
Description
Output from the two scenarios (empty rules file enabled/disabled):
---DISABLED EMPTY RULES FILE---
me@mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
19/9/2013 -- 22:16:33 - <Info> - Running suricata under test mode
19/9/2013 -- 22:16:33 - <Info> - This is Suricata version 1.4.2 RELEASE
19/9/2013 -- 22:16:33 - <Info> - CPUs/cores online: 1
19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 defrag trackers of size 144
19/9/2013 -- 22:16:33 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216
19/9/2013 -- 22:16:33 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
19/9/2013 -- 22:16:33 - <Info> - preallocated 10000 packets. Total memory 42580000
19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 hosts of size 120
19/9/2013 -- 22:16:33 - <Info> - host memory usage: 349376 bytes, maximum: 16777216
19/9/2013 -- 22:16:33 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 40000 flows of size 272
19/9/2013 -- 22:16:33 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648
19/9/2013 -- 22:16:33 - <Info> - IP reputation disabled
19/9/2013 -- 22:16:33 - <Info> - using magic-file /usr/share/file/magic
19/9/2013 -- 22:16:33 - <Info> - Delayed detect disabled
19/9/2013 -- 22:16:41 - <Info> - 11 rule files processed. 7446 rules successfully loaded, 0 rules failed
19/9/2013 -- 22:16:46 - <Info> - 7476 signatures processed. 39 are IP-only rules, 2445 are inspecting packet payload, 5906 inspect application layer, 0 are decoder event only
19/9/2013 -- 22:16:46 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
19/9/2013 -- 22:16:47 - <Info> - building signature grouping structure, stage 2: building source address list... complete
19/9/2013 -- 22:16:50 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
19/9/2013 -- 22:16:52 - <Info> - Threshold config parsed: 141 rule(s) found
19/9/2013 -- 22:16:52 - <Info> - Core dump size set to unlimited.
19/9/2013 -- 22:16:52 - <Info> - fast output device (regular) initialized: fast.log
19/9/2013 -- 22:16:52 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 50 MB
19/9/2013 -- 22:16:52 - <Info> - http-log output device (regular) initialized: http.log
19/9/2013 -- 22:16:52 - <Info> - Configuration provided was successfully loaded. Exiting.
me@mybox:~$

---ENABLED EMPTY RULES FILE---
me@mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
19/9/2013 -- 22:17:18 - <Info> - Running suricata under test mode
19/9/2013 -- 22:17:18 - <Info> - This is Suricata version 1.4.2 RELEASE
19/9/2013 -- 22:17:18 - <Info> - CPUs/cores online: 1
19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 defrag trackers of size 144
19/9/2013 -- 22:17:18 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216
19/9/2013 -- 22:17:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
19/9/2013 -- 22:17:18 - <Info> - preallocated 10000 packets. Total memory 42580000
19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 hosts of size 120
19/9/2013 -- 22:17:18 - <Info> - host memory usage: 349376 bytes, maximum: 16777216
19/9/2013 -- 22:17:18 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 40000 flows of size 272
19/9/2013 -- 22:17:18 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648
19/9/2013 -- 22:17:18 - <Info> - IP reputation disabled
19/9/2013 -- 22:17:18 - <Info> - using magic-file /usr/share/file/magic
19/9/2013 -- 22:17:18 - <Info> - Delayed detect disabled
19/9/2013 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/temporary-stuff.rules
me@mybox:~$
Note that everything stops processing here; no rules are loaded (from my other files, the same number of rules should have been loaded).
Shouldn't the Warning be non-fatal?
Updated by Duane Howard over 11 years ago
After some more testing it seems like this only occurs when running with -T; actually reloading Suricata seems to succeed with an empty file.
Updated by Anoop Saldanha over 11 years ago
Well, maybe it makes sense to just warn (without being fatal) on empty files, yeah.
Updated by Victor Julien over 11 years ago
- Description updated (diff)
Looks like the commandline option --init-errors-fatal is implied with -T. Not sure that is a bad thing.
Updated by Duane Howard over 11 years ago
Is there a way to disable --init-errors-fatal with -T? I'd like a mechanism to ensure suricata will not fail to start without actually starting the service...
Updated by Victor Julien about 10 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version changed from TBD to 3.0RC2
Duane, could you try https://github.com/inliniac/suricata/pull/1224 ?
Updated by Duane Howard about 10 years ago
Looks like it works for empty file:
[17308] 21/11/2014 -- 18:21:44 - (detect.c:410) (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/empty.rules
[17308] 21/11/2014 -- 18:21:44 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 0 rules failed
[17308] 21/11/2014 -- 18:21:52 - (suricata.c:2293) (main) -- Configuration provided was successfully loaded. Exiting.
Also appears to work for multiple broken rules:
[22071] 21/11/2014 -- 18:26:33 - (util-rule-vars.c:89) (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HME_NET" is not defined in configuration file
[22071] 21/11/2014 -- 18:26:33 - (detect.c:354) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HME_NET any > $EXTERNAL_NET any (msg:"BROKEN RULE 1"; flow:established; content:"|52 61 72 21 1A 07 00|"; tag:session,300,seconds; classtype:misc-activity; sid:6999998; rev:1;)" from file /etc/suricata/rules/empty.rules at line 1
[22071] 21/11/2014 -- 18:26:33 - (detect-content.c:204) (DetectContentDataParse) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code assembly in content - "|52 61 72 21 1A 07 00". Invalidating signature
[22071] 21/11/2014 -- 18:26:33 - (detect.c:354) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any > $EXTERNAL_NET any (msg:"BROKEN RULE 2"; flow:established; content:"|52 61 72 21 1A 07 00"; tag:session,300,seconds; classtype:misc-activity; sid:6999999; rev:6;)" from file /etc/suricata/rules/empty.rules at line 2
[22071] 21/11/2014 -- 18:26:33 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 2 rules failed
My only concern is that the final exit code is still 0, indicating success, where previously it would exit with a failure. Using -T to test loads before a Suricata restart would currently only require checking the final exit code of suricata -T; this change seems like it will break that, though.
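The concern above is that a pre-restart check built on the exit status of suricata -T alone stops being reliable once rule-loading errors are non-fatal. The following is an added example (not Suricata's own code, nor from anyone in this thread) of how a deployment script can grade the captured -T output itself: it reads the "N rules failed" count from the SigLoadSignatures summary line, treats a non-zero count as a failure regardless of the exit status, and treats SC_ERR_NO_RULES as a warning only, which is the behaviour this ticket asks for. It assumes the message formats visible in this thread; the function names and the sample transcripts are constructed for the example.

```shell
#!/bin/sh
# Added example: grade the output of `suricata -T` instead of trusting its
# exit status. Assumes the log formats shown in Suricata bug #977:
#   "... 12 rule files processed. 9994 rules successfully loaded, 2 rules failed"
#   "... [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from <file>"
#   "... Configuration provided was successfully loaded. Exiting."

# check_rule_load FILE
#   FILE holds the captured stdout+stderr of `suricata -T`.
#   Returns 0 if every rule parsed (empty rule files only warn),
#   1 if any rule failed to parse, 2 if -T never reached the end of loading.
check_rule_load() {
    # Pull the number that precedes "rules failed" on the summary line.
    # The first "rules" on that line is "rules successfully loaded", so only
    # take the count whose next word starts with "failed".
    failed=$(awk '/rules failed/ {
                 for (i = 2; i < NF; i++)
                     if ($i == "rules" && $(i+1) ~ /^failed/) n = $(i-1)
             } END { print n + 0 }' "$1")
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0 and
    # ignore the status so this also works under `set -e`.
    empty=$(grep -c 'SC_ERR_NO_RULES' "$1" || true)
    finished=$(grep -c 'Configuration provided was successfully loaded' "$1" || true)

    if [ "$finished" -eq 0 ]; then
        echo "FAIL: suricata -T did not finish loading the configuration"
        return 2
    fi
    if [ "$failed" -gt 0 ]; then
        echo "FAIL: $failed rule(s) failed to parse"
        return 1
    fi
    if [ "$empty" -gt 0 ]; then
        echo "WARN: $empty empty rule file(s), all other rules loaded"
        return 0
    fi
    echo "OK: all rules loaded"
    return 0
}

# run_test CONFIG
#   Real pre-restart check: run suricata -T, capture everything it prints,
#   and fail if either suricata itself or the stricter grading fails.
run_test() {
    out=$(mktemp)
    suricata -T -l /tmp -c "$1" >"$out" 2>&1
    rc=$?
    check_rule_load "$out"
    verdict=$?
    rm -f "$out"
    [ "$rc" -eq 0 ] && [ "$verdict" -eq 0 ]
}

# Stand-alone demo on a constructed transcript (not real suricata output),
# modelled on the "2 rules failed" run quoted in the ticket.
sample=$(mktemp)
printf '%s\n' \
  '[22071] 21/11/2014 -- 18:26:33 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 2 rules failed' \
  '[22071] 21/11/2014 -- 18:26:41 - (suricata.c:2293) (main) -- Configuration provided was successfully loaded. Exiting.' \
  >"$sample"
check_rule_load "$sample" || echo "(check_rule_load exit status $?)"
rm -f "$sample"
```

In a restart script, `run_test /etc/suricata/suricata.yaml && systemctl restart suricata` (or the init script of your choice) keeps the old process running whenever a rule fails to parse, whatever -T's own exit status is. The awk field scan is deliberately anchored on the word after "rules" because the same summary line also contains "rules successfully loaded".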
Updated by Victor Julien about 10 years ago
- Status changed from Assigned to Closed
- Target version changed from 3.0RC2 to 2.1beta3
- % Done changed from 0 to 100