[Oisf-users] Allowing empty rules file?

Duane Howard duane.security at gmail.com
Fri Sep 20 14:24:01 UTC 2013


Yeah, there are 11 other rules files enabled in the config (the same ones
from the previous run where it doesn't stop) so it looks like Suricata is
just complaining and stopping. Any configuration changes to be made here to
allow this, or is this a bug?


On Thu, Sep 19, 2013 at 11:11 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Fri, Sep 20, 2013 at 12:22 AM, Duane Howard <duane.security at gmail.com>
> wrote:
> > To be more clear, here's some output from the two scenarios (empty rules
> > file enabled/disabled):
> > ---DISABLED EMPTY RULES FILE---
> > me at mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
> > 19/9/2013 -- 22:16:33 - <Info> - Running suricata under test mode
> > 19/9/2013 -- 22:16:33 - <Info> - This is Suricata version 1.4.2 RELEASE
> > 19/9/2013 -- 22:16:33 - <Info> - CPUs/cores online: 1
> > 19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
> > 19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 defrag trackers of size 144
> > 19/9/2013 -- 22:16:33 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216
> > 19/9/2013 -- 22:16:33 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
> > 19/9/2013 -- 22:16:33 - <Info> - preallocated 10000 packets. Total memory 42580000
> > 19/9/2013 -- 22:16:33 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
> > 19/9/2013 -- 22:16:33 - <Info> - preallocated 1000 hosts of size 120
> > 19/9/2013 -- 22:16:33 - <Info> - host memory usage: 349376 bytes, maximum: 16777216
> > 19/9/2013 -- 22:16:33 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56
> > 19/9/2013 -- 22:16:33 - <Info> - preallocated 40000 flows of size 272
> > 19/9/2013 -- 22:16:33 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648
> > 19/9/2013 -- 22:16:33 - <Info> - IP reputation disabled
> > 19/9/2013 -- 22:16:33 - <Info> - using magic-file /usr/share/file/magic
> > 19/9/2013 -- 22:16:33 - <Info> - Delayed detect disabled
> > 19/9/2013 -- 22:16:41 - <Info> - 11 rule files processed. 7446 rules successfully loaded, 0 rules failed
> > 19/9/2013 -- 22:16:46 - <Info> - 7476 signatures processed. 39 are IP-only rules, 2445 are inspecting packet payload, 5906 inspect application layer, 0 are decoder event only
> > 19/9/2013 -- 22:16:46 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
> > 19/9/2013 -- 22:16:47 - <Info> - building signature grouping structure, stage 2: building source address list... complete
> > 19/9/2013 -- 22:16:50 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
> > 19/9/2013 -- 22:16:52 - <Info> - Threshold config parsed: 141 rule(s) found
> > 19/9/2013 -- 22:16:52 - <Info> - Core dump size set to unlimited.
> > 19/9/2013 -- 22:16:52 - <Info> - fast output device (regular) initialized: fast.log
> > 19/9/2013 -- 22:16:52 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 50 MB
> > 19/9/2013 -- 22:16:52 - <Info> - http-log output device (regular) initialized: http.log
> > 19/9/2013 -- 22:16:52 - <Info> - Configuration provided was successfully loaded. Exiting.
> > me at mybox:~$
> >
> > ---ENABLED EMPTY RULES FILE---
> > me at mybox:~$ suricata -T -l /tmp -c /etc/suricata/suricata.yaml
> > 19/9/2013 -- 22:17:18 - <Info> - Running suricata under test mode
> > 19/9/2013 -- 22:17:18 - <Info> - This is Suricata version 1.4.2 RELEASE
> > 19/9/2013 -- 22:17:18 - <Info> - CPUs/cores online: 1
> > 19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the defrag hash... 4096 buckets of size 56
> > 19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 defrag trackers of size 144
> > 19/9/2013 -- 22:17:18 - <Info> - defrag memory usage: 373376 bytes, maximum: 16777216
> > 19/9/2013 -- 22:17:18 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
> > 19/9/2013 -- 22:17:18 - <Info> - preallocated 10000 packets. Total memory 42580000
> > 19/9/2013 -- 22:17:18 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
> > 19/9/2013 -- 22:17:18 - <Info> - preallocated 1000 hosts of size 120
> > 19/9/2013 -- 22:17:18 - <Info> - host memory usage: 349376 bytes, maximum: 16777216
> > 19/9/2013 -- 22:17:18 - <Info> - allocated 14680064 bytes of memory for the flow hash... 262144 buckets of size 56
> > 19/9/2013 -- 22:17:18 - <Info> - preallocated 40000 flows of size 272
> > 19/9/2013 -- 22:17:18 - <Info> - flow memory usage: 25560064 bytes, maximum: 2147483648
> > 19/9/2013 -- 22:17:18 - <Info> - IP reputation disabled
> > 19/9/2013 -- 22:17:18 - <Info> - using magic-file /usr/share/file/magic
> > 19/9/2013 -- 22:17:18 - <Info> - Delayed detect disabled
> > 19/9/2013 -- 22:17:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/temporary-stuff.rules
> > me at mybox:~$
> >
> > Note that everything stops processing here, no rules loaded (from my
> > other files, the same number of rules should have been loaded).
> >
> > Again, shouldn't the Warning be non-fatal?
> >
> >
>
> Yes, it should be non-fatal I believe in this particular case (-T),
> unless some rules are required to be loaded in order to test the
> configuration?
>
> thanks
>
>
> --
> Regards,
> Peter Manev
>
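As an added example (not from the thread or the Suricata project), a pre-flight shell check that lists enabled rule files with no loadable rules before running `suricata -T`, so the `SC_ERR_NO_RULES` abort shown above is caught ahead of time. It assumes a 1.4-style `suricata.yaml` where `rule-files:` is a flat list resolved against `default-rule-path`; the config, rule files and paths it creates are constructed for the demo.

```shell
# Pre-flight check: list enabled rule files that would yield zero rules.
# Suricata 1.4.2 stops 'suricata -T' with SC_ERR_NO_RULES(42) when an enabled
# rule file loads no rules; find such files before the test run.
# Added example; all paths and file contents below are constructed.

# count_rules FILE: number of candidate rule lines (non-blank, not '#' comments).
# A missing file counts as 0, which Suricata rejects as well.
count_rules() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true   # grep -c exits 1 on a 0 count
}

# enabled_rule_files CONFIG: absolute paths of the entries under 'rule-files:',
# resolved against 'default-rule-path'. Commented-out entries are skipped.
enabled_rule_files() {
    awk '
        /^default-rule-path:/ { base = $2; gsub(/"/, "", base) }
        /^rule-files:/        { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/[[:space:]]*#.*$/, "")
            p = ($0 ~ /^\//) ? $0 : base "/" $0
            print p
            next
        }
        inlist && /^[^[:space:]#]/ { inlist = 0 }   # next top-level key ends the list
    ' "$1"
}

# empty_rule_files CONFIG: print every enabled rule file with zero rule lines.
empty_rule_files() {
    enabled_rule_files "$1" | while IFS= read -r f; do
        if [ "$(count_rules "$f")" -eq 0 ]; then echo "$f"; fi
    done
}

# Constructed demo config: two enabled files, one containing only a comment.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/rules"
printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001; rev:1;)\n' > "$demo_dir/rules/local.rules"
printf '# nothing here yet\n\n' > "$demo_dir/rules/temporary-stuff.rules"
cat > "$demo_dir/suricata.yaml" <<EOF
default-rule-path: $demo_dir/rules
rule-files:
 - local.rules
 - temporary-stuff.rules
 # - disabled.rules
classification-file: $demo_dir/classification.config
EOF
empty_rule_files "$demo_dir/suricata.yaml"   # prints .../rules/temporary-stuff.rules
```

Run it against the real config before `suricata -T`; any path it prints is a file that either needs at least one rule or should be commented out of `rule-files:`.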