[Oisf-devel] magic-file inconsistency in suricata.yaml file and the code

Mahendra Ladhe lml108 at yahoo.com
Thu Jun 12 09:16:23 UTC 2014


Hi,
   From suricata.yaml file

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
magic-file: /usr/share/file/magic

But in files
src/util-magic.c
detect-filemagic.c

there's code
    (void)ConfGet("magic-file", &filename);
    if (filename != NULL) {
        SCLogInfo("using magic-file %s", filename);

        if ( (fd = fopen(filename, "r")) == NULL) {
            SCLogWarning(SC_ERR_FOPEN, "Error opening file: \"%s\": %s", filename, strerror(errno));
            goto error;
        }
        fclose(fd);
    }

    if (magic_load(t->ctx, filename) != 0) {
        SCLogError(SC_ERR_MAGIC_LOAD, "magic_load failed: %s", magic_error(t->ctx));
        goto error;
    }


which uses the magic file name as is, without adding the .mgc extension.
So either the suricata.yaml file needs to be corrected or the code needs to be modified.
This was causing a "magic_load failed" error for me. Only when I added the .mgc extension to the magic-file field in the suricata.yaml file did the error go away.


Thank you,
Mahendra
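
One way to make the setting tolerant of both spellings, as an added example (not Suricata's code and not part of the original message): a hypothetical helper, resolve_magic_path, that takes the configured magic-file value and checks it both as written and with ".mgc" appended, so a mismatch between the yaml comment and the code is reported precisely instead of surfacing only as "magic_load failed".

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

static int is_regular_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Hypothetical helper (not a Suricata function): resolve the configured
 * magic-file value to a path that exists on disk.
 * Returns 1 if the value exists as given, 2 if only "<value>.mgc" exists,
 * 0 if neither exists, -1 on bad arguments or if the path does not fit. */
int resolve_magic_path(const char *configured, char *out, size_t outlen)
{
    if (configured == NULL || out == NULL || outlen == 0)
        return -1;

    /* First try the value exactly as configured. */
    int n = snprintf(out, outlen, "%s", configured);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* truncated: refuse rather than guess */
    if (is_regular_file(out))
        return 1;

    /* Then try what the suricata.yaml comment promises: value + ".mgc". */
    n = snprintf(out, outlen, "%s.mgc", configured);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (is_regular_file(out))
        return 2;

    out[0] = '\0';
    return 0;
}

int main(void)
{
    char path[4096];
    /* Default value from the suricata.yaml excerpt quoted in the message. */
    int rc = resolve_magic_path("/usr/share/file/magic", path, sizeof(path));
    if (rc > 0)
        printf("magic database: %s (%s)\n", path,
               rc == 1 ? "as configured" : ".mgc appended");
    else
        printf("no magic database found for the configured value\n");
    return 0;
}
```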