Bug #977

WARNING on empty rules file is fatal (should not be)

Added by Duane Howard over 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Output from the two scenarios (empty rules file enabled/disabled):

---DISABLED EMPTY RULES FILE---
me@mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
19/9/2013 -- 22:16:33 - <Info> - Running suricata under test mode
19/9/2013 -- 22:16:33 - <Info> - This is Suricata version 1.4.2 RELEASE
19/9/2013 -- 22:16:33 - <Info> - CPUs/cores online: 1
19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 defrag trackers of size 144
19/9/2013 -- 22:16:33 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216
19/9/2013 -- 22:16:33 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
19/9/2013 -- 22:16:33 - <Info> - preallocated 10000 packets. Total memory 42580000
19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 hosts of size 120
19/9/2013 -- 22:16:33 - <Info> - host memory usage: 349376 bytes, maximum: 16777216
19/9/2013 -- 22:16:33 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 40000 flows of size 272
19/9/2013 -- 22:16:33 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648
19/9/2013 -- 22:16:33 - <Info> - IP reputation disabled
19/9/2013 -- 22:16:33 - <Info> - using magic-file /usr/share/file/magic
19/9/2013 -- 22:16:33 - <Info> - Delayed detect disabled
19/9/2013 -- 22:16:41 - <Info> - 11 rule files processed. 7446 rules successfully loaded, 0 rules failed
19/9/2013 -- 22:16:46 - <Info> - 7476 signatures processed. 39 are IP-only rules, 2445 are inspecting packet payload, 5906 inspect application layer, 0 are decoder event only
19/9/2013 -- 22:16:46 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
19/9/2013 -- 22:16:47 - <Info> - building signature grouping structure, stage 2: building source address list... complete
19/9/2013 -- 22:16:50 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
19/9/2013 -- 22:16:52 - <Info> - Threshold config parsed: 141 rule(s) found
19/9/2013 -- 22:16:52 - <Info> - Core dump size set to unlimited.
19/9/2013 -- 22:16:52 - <Info> - fast output device (regular) initialized: fast.log
19/9/2013 -- 22:16:52 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 50 MB
19/9/2013 -- 22:16:52 - <Info> - http-log output device (regular) initialized: http.log
19/9/2013 -- 22:16:52 - <Info> - Configuration provided was successfully loaded. Exiting.
me@mybox:~$

---ENABLED EMPTY RULES FILE---
me@mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
19/9/2013 -- 22:17:18 - <Info> - Running suricata under test mode
19/9/2013 -- 22:17:18 - <Info> - This is Suricata version 1.4.2 RELEASE
19/9/2013 -- 22:17:18 - <Info> - CPUs/cores online: 1
19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 defrag trackers of size 144
19/9/2013 -- 22:17:18 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216
19/9/2013 -- 22:17:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
19/9/2013 -- 22:17:18 - <Info> - preallocated 10000 packets. Total memory 42580000
19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 hosts of size 120
19/9/2013 -- 22:17:18 - <Info> - host memory usage: 349376 bytes, maximum: 16777216
19/9/2013 -- 22:17:18 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 40000 flows of size 272
19/9/2013 -- 22:17:18 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648
19/9/2013 -- 22:17:18 - <Info> - IP reputation disabled
19/9/2013 -- 22:17:18 - <Info> - using magic-file /usr/share/file/magic
19/9/2013 -- 22:17:18 - <Info> - Delayed detect disabled
19/9/2013 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/temporary-stuff.rules
me@mybox:~$

Note that everything stops processing here; no rules loaded (from my other files, the same number of rules should have been loaded).

Shouldn't the Warning be non-fatal?

Actions #1

Updated by Duane Howard over 10 years ago

After some more testing it seems like this only occurs when running with -T; actually reloading Suricata seems to succeed with an empty file.

Actions #2

Updated by Anoop Saldanha over 10 years ago

Well, maybe it makes sense to just warn (without being fatal) on empty files, yeah.

Actions #3

Updated by Victor Julien over 10 years ago

  • Description updated (diff)

Looks like the commandline option --init-errors-fatal is implied with -T. Not sure that is a bad thing.

Actions #4

Updated by Duane Howard over 10 years ago

Is there a way to disable --init-errors-fatal with -T? I'd like a mechanism to ensure suricata will not fail to start without actually starting the service...

Actions #5

Updated by Victor Julien over 10 years ago

  • Target version set to TBD

Actions #6

Updated by Victor Julien over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version changed from TBD to 3.0RC2

Actions #7

Updated by Duane Howard over 9 years ago

Looks like it works for empty file:

[17308] 21/11/2014 -- 18:21:44 - (detect.c:410) (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/empty.rules
[17308] 21/11/2014 -- 18:21:44 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 0 rules failed

[17308] 21/11/2014 -- 18:21:52 - (suricata.c:2293) (main) -- Configuration provided was successfully loaded. Exiting.

Also appears to work for multiple broken rules:
[22071] 21/11/2014 -- 18:26:33 - (util-rule-vars.c:89) (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HME_NET" is not defined in configuration file
[22071] 21/11/2014 -- 18:26:33 - (detect.c:354) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HME_NET any > $EXTERNAL_NET any (msg:"BROKEN RULE 1"; flow:established; content:"|52 61 72 21 1A 07 00|"; tag:session,300,seconds; classtype:misc-activity; sid:6999998; rev:1;)" from file /etc/suricata/rules/empty.rules at line 1
[22071] 21/11/2014 -- 18:26:33 - (detect-content.c:204) (DetectContentDataParse) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code assembly in content - "|52 61 72 21 1A 07 00". Invalidating signature
[22071] 21/11/2014 -- 18:26:33 - (detect.c:354) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any > $EXTERNAL_NET any (msg:"BROKEN RULE 2"; flow:established; content:"|52 61 72 21 1A 07 00"; tag:session,300,seconds; classtype:misc-activity; sid:6999999; rev:6;)" from file /etc/suricata/rules/empty.rules at line 2
[22071] 21/11/2014 -- 18:26:33 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 2 rules failed

My only concern is that the final exit code is still 0, indicating success, where previously it would exit with a failure. Using -T to test loads before a Suricata restart would currently only require checking the final exit code of suricata -T; this change seems like it will break that, though.
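The pre-restart check asked for in #4 and the exit-code concern raised in #7, as an added example that is not part of this bug report or of Suricata itself: a POSIX shell gate that runs `suricata -T` and then inspects the test-mode output for the messages quoted above, because once empty or broken rule files no longer abort test mode, a "2 rules failed" load still exits 0. The sample log text is constructed from the lines quoted in this report; the script name `check_suricata.sh`, the function names and the `strict` argument are this example's own and are not Suricata options.

```shell
#!/bin/sh
# check_suricata.sh (added example, not Suricata's own code): gate a
# restart on `suricata -T` AND on what the test-mode log actually says,
# since a non-fatal rule-load problem exits 0 after this change.

# Return 0 when captured test-mode output shows a clean rule load.
# $1: captured stdout+stderr of `suricata -T`
# $2: "strict" to also reject empty rules files (SC_ERR_NO_RULES);
#     by default an empty file is only reported, matching the fix here.
suricata_load_clean() {
    log="$1"
    mode="${2:-}"
    rc=0

    # "... 9994 rules successfully loaded, 2 rules failed": take the number
    # before "rules failed" from the last such line, if any.
    failed=$(printf '%s\n' "$log" \
        | sed -n 's/.* \([0-9][0-9]*\) rules failed.*/\1/p' | tail -n 1)
    if [ -n "$failed" ] && [ "$failed" -ne 0 ]; then
        echo "suricata -T: $failed rule(s) failed to parse" >&2
        rc=1
    fi

    # Echo the individual parse errors so the operator sees which sid broke.
    if printf '%s\n' "$log" \
        | grep -E 'SC_ERR_INVALID_SIGNATURE|SC_ERR_UNDEFINED_VAR' >&2; then
        rc=1
    fi

    # Empty rules file: a warning only, unless the caller asked for strict.
    if printf '%s\n' "$log" | grep -q 'SC_ERR_NO_RULES'; then
        if [ "$mode" = "strict" ]; then
            echo "suricata -T: empty rules file rejected (strict mode)" >&2
            rc=1
        else
            echo "suricata -T: warning, empty rules file (non-fatal)" >&2
        fi
    fi

    # Test mode must have reached the end; otherwise init aborted early.
    if ! printf '%s\n' "$log" \
        | grep -q 'Configuration provided was successfully loaded'; then
        echo "suricata -T: did not reach end of configuration load" >&2
        rc=1
    fi
    return "$rc"
}

# Run test mode on a config and apply the checks above. Non-zero on either
# a non-zero suricata exit (the old behaviour) or a dirty load (the new one).
# Usage: check_suricata_config /etc/suricata/suricata.yaml [strict]
check_suricata_config() {
    cfg="$1"
    status=0
    out=$(suricata -T -l /tmp -c "$cfg" 2>&1) || status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$out" >&2
        return "$status"
    fi
    suricata_load_clean "$out" "${2:-}"
}

# Constructed samples, trimmed from the log lines quoted in this report.
SAMPLE_CLEAN='[17308] 21/11/2014 -- 18:21:44 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 0 rules failed
[17308] 21/11/2014 -- 18:21:52 - (suricata.c:2293) (main) -- Configuration provided was successfully loaded. Exiting.'

SAMPLE_EMPTY='[17308] 21/11/2014 -- 18:21:44 - (detect.c:410) (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/empty.rules
'"$SAMPLE_CLEAN"

SAMPLE_BROKEN='[22071] 21/11/2014 -- 18:26:33 - (util-rule-vars.c:89) (SCRuleVarsGetConfVar) -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "HME_NET" is not defined in configuration file
[22071] 21/11/2014 -- 18:26:33 - (detect.c:439) (SigLoadSignatures) -- 12 rule files processed. 9994 rules successfully loaded, 2 rules failed
[22071] 21/11/2014 -- 18:26:33 - (suricata.c:2293) (main) -- Configuration provided was successfully loaded. Exiting.'

# Given a config path, run for real, e.g.:
#   sh check_suricata.sh /etc/suricata/suricata.yaml strict && service suricata restart
if [ "$#" -gt 0 ]; then
    check_suricata_config "$1" "${2:-}"
fi
```

The exit code of `suricata -T` is still checked first, so the script keeps working against releases where init errors are fatal in test mode; the log scan only adds the failure conditions that the newer behaviour turns into warnings.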

Actions #8

Updated by Victor Julien over 9 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 3.0RC2 to 2.1beta3
  • % Done changed from 0 to 100