[Oisf-users] Allowing empty rules file?

Peter Manev petermanev at gmail.com
Fri Sep 20 06:11:53 UTC 2013


On Fri, Sep 20, 2013 at 12:22 AM, Duane Howard <duane.security at gmail.com> wrote:
> To be more clear, here's some output from the two scenarios (empty rules
> file enabled/disabled):
> ---DISABLED EMPTY RULES FILE---
> me at mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
> 19/9/2013 -- 22:16:33 - <Info> - Running suricata under test mode
> 19/9/2013 -- 22:16:33 - <Info> - This is Suricata version 1.4.2 RELEASE
> 19/9/2013 -- 22:16:33 - <Info> - CPUs/cores online: 1
> 19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the
> defrag hash... 4096 buckets of size 56
> 19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 defrag trackers of size
> 144
> 19/9/2013 -- 22:16:33 - <Info> - defrag memory usage: 373376 bytes, maximum:
> 16777216
> 19/9/2013 -- 22:16:33 - <Info> - AutoFP mode using default "Active Packets"
> flow load balancer
> 19/9/2013 -- 22:16:33 - <Info> - preallocated 10000 packets. Total memory
> 42580000
> 19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the
> host hash... 4096 buckets of size 56
> 19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 hosts of size 120
> 19/9/2013 -- 22:16:33 - <Info> - host memory usage: 349376 bytes, maximum:
> 16777216
> 19/9/2013 -- 22:16:33 - <Info> - allocated 14680064 bytes of memory for the
> flow hash... 262144 buckets of size 56
> 19/9/2013 -- 22:16:33 - <Info> - preallocated 40000 flows of size 272
> 19/9/2013 -- 22:16:33 - <Info> - flow memory usage: 25560064 bytes, maximum:
> 2147483648
> 19/9/2013 -- 22:16:33 - <Info> - IP reputation disabled
> 19/9/2013 -- 22:16:33 - <Info> - using magic-file /usr/share/file/magic
> 19/9/2013 -- 22:16:33 - <Info> - Delayed detect disabled
> 19/9/2013 -- 22:16:41 - <Info> - 11 rule files processed. 7446 rules
> successfully loaded, 0 rules failed
> 19/9/2013 -- 22:16:46 - <Info> - 7476 signatures processed. 39 are IP-only
> rules, 2445 are inspecting packet payload, 5906 inspect application layer, 0
> are decoder event only
> 19/9/2013 -- 22:16:46 - <Info> - building signature grouping structure,
> stage 1: adding signatures to signature source addresses... complete
> 19/9/2013 -- 22:16:47 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 19/9/2013 -- 22:16:50 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> 19/9/2013 -- 22:16:52 - <Info> - Threshold config parsed: 141 rule(s) found
> 19/9/2013 -- 22:16:52 - <Info> - Core dump size set to unlimited.
> 19/9/2013 -- 22:16:52 - <Info> - fast output device (regular) initialized:
> fast.log
> 19/9/2013 -- 22:16:52 - <Info> - Unified2-alert initialized: filename
> unified2.alert, limit 50 MB
> 19/9/2013 -- 22:16:52 - <Info> - http-log output device (regular)
> initialized: http.log
> 19/9/2013 -- 22:16:52 - <Info> - Configuration provided was successfully
> loaded. Exiting.
> me at mybox:~$
>
> ---ENABLED EMPTY RULES FILE---
> me at mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
> 19/9/2013 -- 22:17:18 - <Info> - Running suricata under test mode
> 19/9/2013 -- 22:17:18 - <Info> - This is Suricata version 1.4.2 RELEASE
> 19/9/2013 -- 22:17:18 - <Info> - CPUs/cores online: 1
> 19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the
> defrag hash... 4096 buckets of size 56
> 19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 defrag trackers of size
> 144
> 19/9/2013 -- 22:17:18 - <Info> - defrag memory usage: 373376 bytes, maximum:
> 16777216
> 19/9/2013 -- 22:17:18 - <Info> - AutoFP mode using default "Active Packets"
> flow load balancer
> 19/9/2013 -- 22:17:18 - <Info> - preallocated 10000 packets. Total memory
> 42580000
> 19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the
> host hash... 4096 buckets of size 56
> 19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 hosts of size 120
> 19/9/2013 -- 22:17:18 - <Info> - host memory usage: 349376 bytes, maximum:
> 16777216
> 19/9/2013 -- 22:17:18 - <Info> - allocated 14680064 bytes of memory for the
> flow hash... 262144 buckets of size 56
> 19/9/2013 -- 22:17:18 - <Info> - preallocated 40000 flows of size 272
> 19/9/2013 -- 22:17:18 - <Info> - flow memory usage: 25560064 bytes, maximum:
> 2147483648
> 19/9/2013 -- 22:17:18 - <Info> - IP reputation disabled
> 19/9/2013 -- 22:17:18 - <Info> - using magic-file /usr/share/file/magic
> 19/9/2013 -- 22:17:18 - <Info> - Delayed detect disabled
> 19/9/2013 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No
> rules loaded from /etc/suricata/rules/temporary-stuff.rules
> me at mybox:~$
>
> Note that everything stops processing here, no rules loaded (from my other
> files, the same number of rules should have been loaded).
>
> Again, shouldn't the Warning be non-fatal?
>
>

Yes, it should be non-fatal, I believe, in this particular case (-T).
Unless some rules are required to be loaded in order to test the configuration?

thanks


-- 
Regards,
Peter Manev
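Added example, not part of this thread or of Suricata itself: a pre-flight check that finds rule files listed in suricata.yaml which contain no active rules, so an operator can drop them from the `rule-files` list before `suricata -T` stops on SC_ERR_NO_RULES as shown above. The YAML fragment and rule-file contents are constructed sample data, and the config is read with a minimal line scanner (assumed 1.4-era layout: `default-rule-path` plus a `rule-files` list), not a full YAML parser.

```python
import os
import re

# Constructed suricata.yaml fragment (assumed 1.4 layout, not a real config).
SAMPLE_YAML = """\
default-rule-path: /etc/suricata/rules
rule-files:
 - emerging-trojan.rules
 - temporary-stuff.rules
 - local.rules
classification-file: /etc/suricata/classification.config
"""

# Constructed rule-file contents keyed by path; two files carry no active rule.
SAMPLE_FILES = {
    "/etc/suricata/rules/emerging-trojan.rules":
        'alert tcp any any -> any 80 (msg:"TEST 1"; sid:1; rev:1;)\n'
        'alert tcp any any -> any 443 (msg:"TEST 2"; \\\n'
        '    sid:2; rev:1;)\n',
    "/etc/suricata/rules/temporary-stuff.rules": "# placeholder, nothing enabled yet\n\n",
    "/etc/suricata/rules/local.rules": "",
}

def parse_rule_files(yaml_text):
    """Return (default-rule-path, [rule file names]) by scanning the config lines."""
    rule_path, names, in_list = "", [], False
    for line in yaml_text.splitlines():
        if m := re.match(r"default-rule-path:\s*(\S+)", line):
            rule_path = m.group(1)
        elif re.match(r"rule-files:", line):
            in_list = True
        elif in_list and (m := re.match(r"\s*-\s*(\S+)", line)):
            names.append(m.group(1))
        elif in_list and line.strip() and not line.startswith((" ", "-")):
            in_list = False  # the next top-level key ends the list

    return rule_path, names

def count_active_rules(text):
    """Count logical rule lines: join backslash continuations, skip comments/blanks."""
    joined = text.replace("\\\n", " ")
    return sum(1 for l in joined.splitlines() if l.strip() and not l.lstrip().startswith("#"))

def find_empty_rule_files(yaml_text, files):
    """Paths from rule-files whose contents (looked up in `files`) carry zero rules."""
    rule_path, names = parse_rule_files(yaml_text)
    paths = [os.path.join(rule_path, n) for n in names]
    return [p for p in paths if count_active_rules(files.get(p, "")) == 0]

if __name__ == "__main__":
    for p in find_empty_rule_files(SAMPLE_YAML, SAMPLE_FILES):
        print("no active rules, would trip SC_ERR_NO_RULES:", p)
```

Against real files, replace the `files` dict with a loop that reads each path under `default-rule-path`; a file that is missing altogether is reported the same way as an empty one.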
