[Oisf-users] Allowing empty rules file?
AMuse
osif-amuse at foofus.com
Wed Sep 18 17:15:10 UTC 2013
Duane - The only logic I can think of for fatally exiting on loading an
empty rules file would be to prevent a user from accidentally wiping out
all their rules (bad VI save command, bad 'cat' redirect, etc.) and then
proceeding to rely on an empty IDS to protect them.
On 09/18/2013 10:10 AM, Duane Howard wrote:
> Hey folks,
>
> I keep an empty rules file on my snort boxes for use with short-lived
> or temporary rules. Snort seems to be alright with loading an empty
> rules file, but when I try to do the same on Suricata it complains
> with a Warning and exits.
>
> me at mybox:~$suricata -T -l /tmp -c /etc/suricata/suricata.yaml
> <snip>
> 18/9/2013 -- 17:01:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] -
> No rules loaded from /etc/suricata/rules/temp.rules
>
> Shouldn't a warning message be non-fatal? Why is attempting to load an
> empty file bad?
> The primary reason I do this is so that I don't need to change my
> suricata.yaml config when swapping in and out these temporary rules.
>
> Currently on 1.4.2 RELEASE if that matters.
>
> Thanks!
> ./d
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
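
An added example, not part of the original thread or of Suricata itself: a pre-flight check that serves both positions above by allowing a file such as temp.rules to be empty only when it is explicitly declared a placeholder, and failing when any other rule file has been wiped or when no rules remain at all. The function names and the colon-separated placeholder list are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Suricata code): rule-file pre-flight check.

# Print the number of active rules in a file: lines that are neither blank nor comments.
count_active_rules() {
    # grep -c prints 0 and exits 1 when nothing is counted; keep the count, drop the status.
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Usage: check_rule_files PLACEHOLDERS FILE...
#   PLACEHOLDERS  colon-separated paths that are allowed to be empty
# Example: check_rule_files /etc/suricata/rules/temp.rules /etc/suricata/rules/*.rules
# Returns non-zero if a file is unreadable, if an undeclared file has no active
# rules (the accidental-wipe case), or if the whole set would load zero rules.
check_rule_files() {
    rf_placeholders=":$1:"
    rf_status=0
    rf_total=0
    shift
    for rf_file in "$@"; do
        if [ ! -r "$rf_file" ]; then
            echo "ERROR: cannot read $rf_file" >&2
            rf_status=1
            continue
        fi
        rf_n=$(count_active_rules "$rf_file")
        rf_total=$((rf_total + rf_n))
        if [ "$rf_n" -gt 0 ]; then
            echo "ok: $rf_file ($rf_n active rules)"
            continue
        fi
        case "$rf_placeholders" in
            *":$rf_file:"*)
                echo "ok: $rf_file (empty, declared placeholder)" ;;
            *)
                echo "ERROR: $rf_file has no active rules and is not a declared placeholder" >&2
                rf_status=1 ;;
        esac
    done
    # Even if every empty file was declared, a sensor with zero rules detects nothing.
    if [ "$rf_status" -eq 0 ] && [ "$rf_total" -eq 0 ]; then
        echo "ERROR: no active rules in any listed file" >&2
        rf_status=1
    fi
    return "$rf_status"
}
```

Run it before a config test or reload so that an unexpected empty file stops the deployment while the declared temporary file does not.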