[Oisf-devel] magic-file inconsistency in suricata.yaml file and the code

Mahendra Ladhe lml108 at yahoo.com
Thu Jun 12 10:09:23 UTC 2014


I'm using Linux. I cross-compiled Suricata for MIPS and ran it on a MIPS processor.
There I saw the magic_load failure issue.



________________________________
 From: Victor Julien <victor at inliniac.net>
To: oisf-devel at lists.openinfosecfoundation.org 
Sent: Thursday, 12 June 2014 3:26 PM
Subject: Re: [Oisf-devel] magic-file inconsistency in suricata.yaml file and the code
 

On 06/12/2014 11:16 AM, Mahendra Ladhe wrote:



> Hi,
>    From suricata.yaml file
> 
> # Magic file. The extension .mgc is added to the value here.
> #magic-file: /usr/share/file/magic
> magic-file: /usr/share/file/magic
> 
> But in files
> src/util-magic.c
> detect-filemagic.c
> 
> there's code
>     (void)ConfGet("magic-file", &filename);
>     if (filename != NULL) {
>         SCLogInfo("using magic-file %s", filename);
> 
>         if ( (fd = fopen(filename, "r")) == NULL) {
>             SCLogWarning(SC_ERR_FOPEN, "Error opening file: \"%s\": %s",
>                          filename, strerror(errno));
>             goto error;
>         }
>         fclose(fd);
>     }
> 
>     if (magic_load(t->ctx, filename) != 0) {
>         SCLogError(SC_ERR_MAGIC_LOAD, "magic_load failed: %s",
>                    magic_error(t->ctx));
>         goto error;
>     }
> 
> which uses the magic file name as is without adding the .mgc extension.
> So either the suricata.yaml file needs to be corrected or code needs to
> be modified.
> This was causing "magic_load failed" error for me. Only when I added
> .mgc extension to magic-file field in suricata.yaml file, the error went
> away.

What OS are you using? It seems that on some (most?) OSes the .mgc is
automagically added.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
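
A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original messages or Suricata's own code: the hypothetical `resolve_magic_file` tries the configured `magic-file` value with `.mgc` appended and then as written, and accepts only a readable regular file, so the path that passes the check is the path that gets loaded. The function name and the candidate order are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* fopen() also succeeds on a directory, so require a readable regular file. */
static int readable_regular_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && access(path, R_OK) == 0;
}

static int has_mgc_suffix(const char *s)
{
    size_t n = strlen(s);
    return n >= 4 && strcmp(s + n - 4, ".mgc") == 0;
}

/* Hypothetical helper: resolve a configured magic-file value to the file that
 * exists on disk. Returns 0 and fills out, or -1 with errno set. */
int resolve_magic_file(const char *configured, char *out, size_t outlen)
{
    int n;
    if (configured == NULL || out == NULL) { errno = EINVAL; return -1; }
    /* Value given without the extension: prefer the compiled database. */
    if (!has_mgc_suffix(configured)) {
        n = snprintf(out, outlen, "%s.mgc", configured);
        if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
        if (readable_regular_file(out))
            return 0;
    }
    /* Otherwise the configured value itself must be a usable file. */
    n = snprintf(out, outlen, "%s", configured);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    if (readable_regular_file(out))
        return 0;
    errno = ENOENT;
    return -1;
}

int main(int argc, char **argv)
{
    char path[4096];
    const char *cfg = argc > 1 ? argv[1] : "/usr/share/file/magic";
    int rc = resolve_magic_file(cfg, path, sizeof(path));
    printf("magic-file \"%s\": %s\n", cfg, rc == 0 ? path : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Logging the resolved path next to the configured value shows at startup which file is going to be handed to `magic_load`.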
