[Oisf-users] Allowing empty rules file?

Duane Howard duane.security at gmail.com
Thu Sep 19 22:22:17 UTC 2013


To be more clear, here's some output from the two scenarios (empty rules
file enabled/disabled):
---DISABLED EMPTY RULES FILE---
me at mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
19/9/2013 -- 22:16:33 - <Info> - Running suricata under test mode
19/9/2013 -- 22:16:33 - <Info> - This is Suricata version 1.4.2 RELEASE
19/9/2013 -- 22:16:33 - <Info> - CPUs/cores online: 1
19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the
defrag hash... 4096 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 defrag trackers of size
144
19/9/2013 -- 22:16:33 - <Info> - defrag memory usage: 373376 bytes,
maximum: 16777216
19/9/2013 -- 22:16:33 - <Info> - AutoFP mode using default "Active Packets"
flow load balancer
19/9/2013 -- 22:16:33 - <Info> - preallocated 10000 packets. Total memory
42580000
19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the
host hash... 4096 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 hosts of size 120
19/9/2013 -- 22:16:33 - <Info> - host memory usage: 349376 bytes, maximum:
16777216
19/9/2013 -- 22:16:33 - <Info> - allocated 14680064 bytes of memory for the
flow hash... 262144 buckets of size 56
19/9/2013 -- 22:16:33 - <Info> - preallocated 40000 flows of size 272
19/9/2013 -- 22:16:33 - <Info> - flow memory usage: 25560064 bytes,
maximum: 2147483648
19/9/2013 -- 22:16:33 - <Info> - IP reputation disabled
19/9/2013 -- 22:16:33 - <Info> - using magic-file /usr/share/file/magic
19/9/2013 -- 22:16:33 - <Info> - Delayed detect disabled
19/9/2013 -- 22:16:41 - <Info> - 11 rule files processed. 7446 rules
successfully loaded, 0 rules failed
19/9/2013 -- 22:16:46 - <Info> - 7476 signatures processed. 39 are IP-only
rules, 2445 are inspecting packet payload, 5906 inspect application layer,
0 are decoder event only
19/9/2013 -- 22:16:46 - <Info> - building signature grouping structure,
stage 1: adding signatures to signature source addresses... complete
19/9/2013 -- 22:16:47 - <Info> - building signature grouping structure,
stage 2: building source address list... complete
19/9/2013 -- 22:16:50 - <Info> - building signature grouping structure,
stage 3: building destination address lists... complete
19/9/2013 -- 22:16:52 - <Info> - Threshold config parsed: 141 rule(s) found
19/9/2013 -- 22:16:52 - <Info> - Core dump size set to unlimited.
19/9/2013 -- 22:16:52 - <Info> - fast output device (regular) initialized:
fast.log
19/9/2013 -- 22:16:52 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 50 MB
19/9/2013 -- 22:16:52 - <Info> - http-log output device (regular)
initialized: http.log
19/9/2013 -- 22:16:52 - <Info> - Configuration provided was successfully
loaded. Exiting.
me at mybox:~$

---ENABLED EMPTY RULES FILE---
me at mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
19/9/2013 -- 22:17:18 - <Info> - Running suricata under test mode
19/9/2013 -- 22:17:18 - <Info> - This is Suricata version 1.4.2 RELEASE
19/9/2013 -- 22:17:18 - <Info> - CPUs/cores online: 1
19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the
defrag hash... 4096 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 defrag trackers of size
144
19/9/2013 -- 22:17:18 - <Info> - defrag memory usage: 373376 bytes,
maximum: 16777216
19/9/2013 -- 22:17:18 - <Info> - AutoFP mode using default "Active Packets"
flow load balancer
19/9/2013 -- 22:17:18 - <Info> - preallocated 10000 packets. Total memory
42580000
19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the
host hash... 4096 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 hosts of size 120
19/9/2013 -- 22:17:18 - <Info> - host memory usage: 349376 bytes, maximum:
16777216
19/9/2013 -- 22:17:18 - <Info> - allocated 14680064 bytes of memory for the
flow hash... 262144 buckets of size 56
19/9/2013 -- 22:17:18 - <Info> - preallocated 40000 flows of size 272
19/9/2013 -- 22:17:18 - <Info> - flow memory usage: 25560064 bytes,
maximum: 2147483648
19/9/2013 -- 22:17:18 - <Info> - IP reputation disabled
19/9/2013 -- 22:17:18 - <Info> - using magic-file /usr/share/file/magic
19/9/2013 -- 22:17:18 - <Info> - Delayed detect disabled
19/9/2013 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No
rules loaded from /etc/suricata/rules/temporary-stuff.rules
me at mybox:~$

Note that everything stops processing here, no rules loaded (from my other
files, the same number of rules should have been loaded).

Again, shouldn't the Warning be non-fatal?


On Thu, Sep 19, 2013 at 9:14 AM, Duane Howard <duane.security at gmail.com> wrote:

> Yes, it did stop.
>
>
> On Thu, Sep 19, 2013 at 12:25 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>> On Wed, Sep 18, 2013 at 7:10 PM, Duane Howard <duane.security at gmail.com>
>> wrote:
>> > Hey folks,
>> >
>> > I keep an empty rules file on my snort boxes for use with short lived or
>> > temporary rules. Snort seems to be alright with loading an empty rules
>> file,
>> > but when I try to do the same on Suricata it complains with a Warning
>> and
>> > exits.
>> >
>> > me at mybox:~$suricata -T -l /tmp -c /etc/suricata/suricata.yaml
>> > <snip>
>> > 18/9/2013 -- 17:01:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No
>> > rules loaded from /etc/suricata/rules/temp.rules
>> >
>> > Shouldn't a warning message be non-fatal? Why is attempting to load an
>> empty
>> > file bad?
>>
>> What do you mean "non-fatal" ? Suricata initialization did not stop ,
>> correct?
>>
>> > The primary reason I do this is so that I don't need to change my
>> > suricata.yaml config when swapping in and out these temporary rules.
>> >
>> > Currently on 1.4.2 RELEASE if that matters.
>> >
>> > Thanks!
>> > ./d
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>
>
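A pre-flight check that reproduces the condition shown in the log above, as an added example (not from this thread and not Suricata project code): it scans the rule files you intend to list in suricata.yaml and flags any that would produce `SC_ERR_NO_RULES`, so the problem is caught before `suricata -T` stops. It assumes, as the thread's output shows for 1.4.2, that a file from which no rules load is treated as fatal in test mode, and it further assumes that a file containing only blank and `#` comment lines counts as "no rules"; the file names and the single rule text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Suricata.
# Assumption: a rules file with no non-blank, non-comment line is one that
# Suricata would report with SC_ERR_NO_RULES ("No rules loaded from ...").
# All file names and rule text below are constructed for this demo.

# Print the number of candidate rule lines in a file: lines that are not
# blank and do not start with '#'. A missing file counts as zero lines.
count_rules() {
    if [ ! -f "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 when the count is 0, so keep the count and ignore that.
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Return 0 when every file given has at least one rule line; otherwise
# report each empty file on stderr and return 1.
check_rule_files() {
    rc=0
    for f in "$@"; do
        n=$(count_rules "$f")
        if [ "$n" -eq 0 ]; then
            echo "WARNING: $f has no rules; suricata -T would stop with SC_ERR_NO_RULES" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample rule files for a stand-alone run.
demo_dir=$(mktemp -d)
printf 'alert tcp any any -> any any (msg:"constructed test rule"; sid:1000001; rev:1;)\n' \
    > "$demo_dir/real.rules"
: > "$demo_dir/temporary-stuff.rules"          # truly empty placeholder file
printf '# only a comment, no rules\n\n' > "$demo_dir/comments-only.rules"

# Run the check over the three files; real.rules passes, the other two are flagged.
check_rule_files "$demo_dir/real.rules" "$demo_dir/temporary-stuff.rules" \
    "$demo_dir/comments-only.rules" \
    || echo "fix the files above before (re)starting Suricata"
```

Run it from a cron job or a deploy script before `suricata -T`; the non-zero return from `check_rule_files` lets the caller abort a restart instead of discovering the stopped initialization afterwards.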