[Oisf-devel] magic-file inconsistency in suricata.yaml file and the code
Mahendra Ladhe
lml108 at yahoo.com
Thu Jun 12 10:09:23 UTC 2014
I'm using Linux. I cross-compiled Suricata for MIPS and ran it on a MIPS processor.
There I saw the magic_load failure issue.
________________________________
From: Victor Julien <victor at inliniac.net>
To: oisf-devel at lists.openinfosecfoundation.org
Sent: Thursday, 12 June 2014 3:26 PM
Subject: Re: [Oisf-devel] magic-file inconsistency in suricata.yaml file and the code
On 06/12/2014 11:16 AM, Mahendra Ladhe wrote:
> Hi,
> From suricata.yaml file
>
> # Magic file. The extension .mgc is added to the value here.
> #magic-file: /usr/share/file/magic
> magic-file: /usr/share/file/magic
>
> But in files
> src/util-magic.c
> detect-filemagic.c
>
> there's code
>     (void)ConfGet("magic-file", &filename);
>     if (filename != NULL) {
>         SCLogInfo("using magic-file %s", filename);
>
>         if ( (fd = fopen(filename, "r")) == NULL) {
>             SCLogWarning(SC_ERR_FOPEN, "Error opening file: \"%s\": %s",
>                     filename, strerror(errno));
>             goto error;
>         }
>         fclose(fd);
>     }
>
>     if (magic_load(t->ctx, filename) != 0) {
>         SCLogError(SC_ERR_MAGIC_LOAD, "magic_load failed: %s",
>                 magic_error(t->ctx));
>         goto error;
>     }
>
> which uses the magic file name as is without adding the .mgc extension.
> So either the suricata.yaml file needs to be corrected or code needs to
> be modified.
> This was causing "magic_load failed" error for me. Only when I added
> .mgc extension to magic-file field in suricata.yaml file, the error went
> away.
What OS are you using? It seems that on some (most?) OS' the .mgc is
automagically added.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
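A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of Suricata: it reads the magic-file value from a config and reports whether the configured path itself, or only that path with .mgc appended, exists on disk. The function names and the single-line, unquoted value format are assumptions.

```shell
#!/bin/sh
# Added example (not Suricata code): pre-flight check of the magic-file setting.
# Assumes an unquoted value on a single "magic-file:" line, as in the thread.

# Print the value of the first uncommented magic-file key in a suricata.yaml.
magic_file_setting() {
    sed -n 's/^[[:space:]]*magic-file:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
        head -n 1
}

# Classify a configured path against what is on disk:
#   exact     the path itself is a readable regular file
#   directory the path is a directory, not a single database file
#   mgc-only  only <path>.mgc exists, so the fopen() pre-check in the quoted
#             code fails on the configured value before magic_load() runs
#   missing   neither <path> nor <path>.mgc exists
classify_magic_path() {
    if [ -d "$1" ]; then
        echo directory
    elif [ -f "$1" ] && [ -r "$1" ]; then
        echo exact
    elif [ -f "$1.mgc" ] && [ -r "$1.mgc" ]; then
        echo mgc-only
    else
        echo missing
    fi
}

# Report on one config file; exit status is 0 only for "exact" or an unset key.
check_magic_config() {
    setting=$(magic_file_setting "$1")
    if [ -z "$setting" ]; then
        echo "magic-file: unset"
        return 0
    fi
    state=$(classify_magic_path "$setting")
    echo "magic-file: $setting -> $state"
    [ "$state" = exact ]
}

# Usage: sh check-magic.sh /etc/suricata/suricata.yaml
if [ "$#" -gt 0 ]; then
    check_magic_config "$1"
fi
```

An "exact" result only shows that the fopen() pre-check would pass; whether magic_load() then accepts the file still depends on the libmagic build in use.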