<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:10pt"><div><span>I'm using Linux. I cross-compiled Suricata for MIPS and ran it on a MIPS processor.</span></div><div style="color: rgb(0, 0, 0); font-size: 13.3333px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,Sans-Serif; background-color: transparent; font-style: normal;"><span>There I saw the magic_load failure issue.<br></span></div><div><br></div> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 10pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Victor Julien &lt;victor@inliniac.net&gt;<br> <b><span style="font-weight: bold;">To:</span></b>
oisf-devel@lists.openinfosecfoundation.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, 12 June 2014 3:26 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Oisf-devel] magic-file inconsistency in suricata.yaml file and the code<br> </font> </div> <div class="y_msg_container"><br>On 06/12/2014 11:16 AM, Mahendra Ladhe wrote:<div class="qtdSeparateBR"><br><br></div><div class="yqt0682254852" id="yqtfd02240"><br clear="none">> Hi,<br clear="none">> From suricata.yaml file<br clear="none">> <br clear="none">> # Magic file. The extension .mgc is added to the value here.<br clear="none">> #magic-file: /usr/share/file/magic<br clear="none">> magic-file: /usr/share/file/magic<br clear="none">> <br clear="none">> But in files<br clear="none">> src/util-magic.c<br clear="none">> detect-filemagic.c<br clear="none">> <br clear="none">> there's code<br clear="none">>
(void)ConfGet("magic-file", &filename);<br clear="none">> if (filename != NULL) {<br clear="none">> SCLogInfo("using magic-file %s", filename);<br clear="none">> <br clear="none">> if ( (fd = fopen(filename, "r")) == NULL) {<br clear="none">> SCLogWarning(SC_ERR_FOPEN, "Error opening file: \"%s\": %s",<br clear="none">> filename, strerror(errno));<br clear="none">> goto error;<br clear="none">> }<br clear="none">> fclose(fd);<br clear="none">> }<br clear="none">> <br clear="none">> if (magic_load(t->ctx, filename) != 0) {<br clear="none">> SCLogError(SC_ERR_MAGIC_LOAD, "magic_load failed: %s",<br clear="none">>
magic_error(t->ctx));<br clear="none">> goto error;<br clear="none">> }<br clear="none">> <br clear="none">> which uses the magic file name as is without adding the .mgc extension.<br clear="none">> So either the suricata.yaml file needs to be corrected or code needs to<br clear="none">> be modified.<br clear="none">> This was causing "magic_load failed" error for me. Only when I added<br clear="none">> .mgc extension to magic-file field in suricata.yaml file, the error went<br clear="none">> away.</div><br clear="none"><br clear="none">What OS are you using? It seems that on some (most?) OS' the .mgc is<br clear="none">automagically added.<br clear="none"><br clear="none">-- <br clear="none">---------------------------------------------<br clear="none">Victor Julien<br clear="none"><a shape="rect" href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br
clear="none">PGP: <a shape="rect" href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br clear="none">---------------------------------------------<br clear="none"><div class="yqt0682254852" id="yqtfd53037"><br clear="none"></div><br><br></div> </div> </div> </div></body></html>