<div dir="ltr">To be more clear, here's some output from the two scenarios (empty rules file enabled/disabled):<div><div>---DISABLED EMPTY RULES FILE---</div><div>me@mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml</div>
<div>19/9/2013 -- 22:16:33 - <Info> - Running suricata under test mode</div><div>19/9/2013 -- 22:16:33 - <Info> - This is Suricata version 1.4.2 RELEASE</div><div>19/9/2013 -- 22:16:33 - <Info> - CPUs/cores online: 1</div>
<div>19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56</div><div>19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 defrag trackers of size 144</div>
<div>19/9/2013 -- 22:16:33 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216</div><div>19/9/2013 -- 22:16:33 - <Info> - AutoFP mode using default "Active Packets" flow load balancer</div>
<div>19/9/2013 -- 22:16:33 - <Info> - preallocated 10000 packets. Total memory 42580000</div><div>19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56</div>
<div>19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 hosts of size 120</div><div>19/9/2013 -- 22:16:33 - <Info> - host memory usage: 349376 bytes, maximum: 16777216</div><div>19/9/2013 -- 22:16:33 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56</div>
<div>19/9/2013 -- 22:16:33 - <Info> - preallocated 40000 flows of size 272</div><div>19/9/2013 -- 22:16:33 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648</div><div>19/9/2013 -- 22:16:33 - <Info> - IP reputation disabled</div>
<div>19/9/2013 -- 22:16:33 - <Info> - using magic-file /usr/share/file/magic</div><div>19/9/2013 -- 22:16:33 - <Info> - Delayed detect disabled</div><div>19/9/2013 -- 22:16:41 - <Info> - 11 rule files processed. 7446 rules successfully loaded, 0 rules failed</div>
<div>19/9/2013 -- 22:16:46 - <Info> - 7476 signatures processed. 39 are IP-only rules, 2445 are inspecting packet payload, 5906 inspect application layer, 0 are decoder event only</div><div>19/9/2013 -- 22:16:46 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete</div>
<div>19/9/2013 -- 22:16:47 - <Info> - building signature grouping structure, stage 2: building source address list... complete</div><div>19/9/2013 -- 22:16:50 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete</div>
<div>19/9/2013 -- 22:16:52 - <Info> - Threshold config parsed: 141 rule(s) found</div><div>19/9/2013 -- 22:16:52 - <Info> - Core dump size set to unlimited.</div><div>19/9/2013 -- 22:16:52 - <Info> - fast output device (regular) initialized: fast.log</div>
<div>19/9/2013 -- 22:16:52 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 50 MB</div><div>19/9/2013 -- 22:16:52 - <Info> - http-log output device (regular) initialized: http.log</div><div>
19/9/2013 -- 22:16:52 - <Info> - Configuration provided was successfully loaded. Exiting.</div><div>me@mybox:~$ <br></div><div><br></div><div>---ENABLED EMPTY RULES FILE---</div><div>me@mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml</div>
<div>19/9/2013 -- 22:17:18 - <Info> - Running suricata under test mode</div><div>19/9/2013 -- 22:17:18 - <Info> - This is Suricata version 1.4.2 RELEASE</div><div>19/9/2013 -- 22:17:18 - <Info> - CPUs/cores online: 1</div>
<div>19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56</div><div>19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 defrag trackers of size 144</div>
<div>19/9/2013 -- 22:17:18 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216</div><div>19/9/2013 -- 22:17:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer</div>
<div>19/9/2013 -- 22:17:18 - <Info> - preallocated 10000 packets. Total memory 42580000</div><div>19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56</div>
<div>19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 hosts of size 120</div><div>19/9/2013 -- 22:17:18 - <Info> - host memory usage: 349376 bytes, maximum: 16777216</div><div>19/9/2013 -- 22:17:18 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56</div>
<div>19/9/2013 -- 22:17:18 - <Info> - preallocated 40000 flows of size 272</div><div>19/9/2013 -- 22:17:18 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648</div><div>19/9/2013 -- 22:17:18 - <Info> - IP reputation disabled</div>
<div>19/9/2013 -- 22:17:18 - <Info> - using magic-file /usr/share/file/magic</div><div>19/9/2013 -- 22:17:18 - <Info> - Delayed detect disabled</div><div>19/9/2013 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/temporary-stuff.rules</div>
<div>me@mybox:~$ </div></div><div><br></div><div>Note that everything stops processing here, no rules loaded (from my other files, the same number of rules should have been loaded.</div><div><br></div><div>Again, shouldn't the Warning be non-fatal?</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Sep 19, 2013 at 9:14 AM, Duane Howard <span dir="ltr"><<a href="mailto:duane.security@gmail.com" target="_blank">duane.security@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yes, it did stop.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Sep 19, 2013 at 12:25 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Wed, Sep 18, 2013 at 7:10 PM, Duane Howard <<a href="mailto:duane.security@gmail.com" target="_blank">duane.security@gmail.com</a>> wrote:<br>
> Hey folks,<br>
><br>
> I keep an empty rules file on my snort boxes for use with short lived or<br>
> temporary rules. Snort seems to be alright with loading an empty rules file,<br>
> but when I try to do the same on Suricata it complains with an Warning and<br>
> exits.<br>
><br>
> me@mybox:~$suricata -T -l /tmp -c /etc/suricata/suricata.yaml<br>
> <snip><br>
> 18/9/2013 -- 17:01:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No<br>
> rules loaded from /etc/suricata/rules/temp.rules<br>
><br>
> Shouldn't a warning message be non-fatal? Why is attempting to load an empty<br>
> file bad?<br>
<br>
</div>What do you mean "non-fatal" ? Suricata initialization did not stop , correct?<br>
<div><div><br>
> The primary reason I do this is so that I don't need to change my<br>
> suricata.yaml config when swapping in and out these temporary rules.<br>
><br>
> Currently on 1.4.2 RELEASE if that matters.<br>
><br>
> Thanks!<br>
> ./d<br>
<br>
<br>
<br>
</div></div><span><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>