[Oisf-devel] magic-file inconsistency in suricata.yaml file and the code

Mahendra Ladhe lml108 at yahoo.com
Thu Jun 12 09:16:23 UTC 2014

   From suricata.yaml file

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
magic-file: /usr/share/file/magic

But in files

there's code
    (void)ConfGet("magic-file", &filename);
    if (filename != NULL) {
        SCLogInfo("using magic-file %s", filename);

        if ( (fd = fopen(filename, "r")) == NULL) {
            SCLogWarning(SC_ERR_FOPEN, "Error opening file: \"%s\": %s", filename, strerror(errno));
            goto error;

    if (magic_load(t->ctx, filename) != 0) {
        SCLogError(SC_ERR_MAGIC_LOAD, "magic_load failed: %s", magic_error(t->ctx));
        goto error;

which uses the magic file name as is without adding the .mgc extension.
So either the suricata.yaml file needs to be corrected or code needs to be modified.
This was causing "magic_load failed" error for me. Only when I added .mgc extension to magic-file field in suricata.yaml file, the error went away.

Thank you,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20140612/2868fdf3/attachment.html>

More information about the Oisf-devel mailing list