[Oisf-users] Allowing empty rules file?

AMuse osif-amuse at foofus.com
Wed Sep 18 17:15:10 UTC 2013

Duane - The only logic I can think of for fatally exiting on loading an 
empty rules file would be to prevent a user from accidentally wiping out 
all their rules (bad VI save command, bad 'cat' redirec, etc) and then 
proceeding to rely on an emtpy IDS to protect them.

On 09/18/2013 10:10 AM, Duane Howard wrote:
> Hey folks,
> I keep an empty rules file on my snort boxes for use with short lived 
> or temporary rules. Snort seems to be alright with loading an empty 
> rules file, but when I try to do the same on Suricata it complains 
> with an Warning and exits.
> me at mybox:~$suricata -T -l /tmp -c /etc/suricata/suricata.yaml
> <snip>
> 18/9/2013 -- 17:01:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - 
> No rules loaded from /etc/suricata/rules/temp.rules
> Shouldn't a warning message be non-fatal? Why is attempting to load an 
> empty file bad?
> The primary reason I do this is so that I don't need to change my 
> suricata.yaml config when swapping in and out these temporary rules.
> Currently on 1.4.2 RELEASE if that matters.
> Thanks!
> ./d
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130918/aa0e5856/attachment-0002.html>

More information about the Oisf-users mailing list