Bug #2049
closedEmpty rule files cause failure exit code without corresponding message
Description
Using -T to try to load an empty rules file directly behaves as expected (still returns 0 and calls out a Warning to identify the issue)[0]. If the empty rules file is part of the rule list in the yaml config, the behavior changes, Suricata sets the error code to 1 and doesn't provide any message indicating the reason for the failure1.
[0] Old expected behavior:
$ /usr/bin/suricata T -c ~/suricata-pcap.yaml -S empty.rules 20:32:06 - <Info> - Running suricata under test mode
21/2/2017 -
Initialization syslog logging with format "[%i] <%d> -- ".
21/2/2017 -- 20:32:06 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 20:32:06 - <Info> - CPUs/cores online: 16
21/2/2017 -- 20:32:06 - <Info> - HTTP memcap: 6442450944
21/2/2017 -- 20:32:09 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
21/2/2017 -- 20:32:09 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
21/2/2017 -- 20:32:09 - <Info> - Threshold config parsed: 1 rule(s) found
21/2/2017 -- 20:32:09 - <Info> - fast output device (regular) initialized: /tmp/fast.log
21/2/2017 -- 20:32:09 - <Info> - Unified2-alert initialized: filename suricata.u2, limit 128 MB
21/2/2017 -- 20:32:09 - <Info> - stats output device (regular) initialized: stats.log
21/2/2017 -- 20:32:09 - <Info> - Syslog output initialized
21/2/2017 -- 20:32:09 - <Notice> - Configuration provided was successfully loaded. Exiting.
$ echo $?
0
[1]
New, unexpected behavior:
Put empty.rules in the rules list in suricata.yaml:
$ /usr/bin/suricata T -c /etc/suricata/suricata.yaml 20:35:32 - <Info> - Running suricata under test mode
21/2/2017 -
Initialization syslog logging with format "[%i] <%d> -- ".
21/2/2017 -- 20:35:32 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 20:35:32 - <Info> - CPUs/cores online: 16
21/2/2017 -- 20:35:32 - <Info> - HTTP memcap: 6442450944
$ echo $?
1
[2] As above, but with vvvv note that output stops after the empty file, but no warning is thrown. 20:42:15 - <Info> - Running suricata under test mode
$ sudo /usr/bin/suricata -T -c /etc/suricata/suricata.yaml -vvvv
21/2/2017 -
21/2/2017 -- 20:42:15 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 20:42:15 - <Info> - CPUs/cores online: 16
21/2/2017 -- 20:42:15 - <Config> - luajit states preallocated: 128
<snip>
21/2/2017 -- 20:42:21 - <Config> - Loading rule file: /etc/suricata/rules/stuff.rules
21/2/2017 -- 20:42:21 - <Config> - Loading rule file: /etc/suricata/rules/empty.rules
$ echo $?
1
@ish identified this3 as the change that modified the behavior.
@Duane Howard requested empty rule files to return 0 (nothing broken per se, versus a malformed rule) in another issue a while back4.
[3] https://redmine.openinfosecfoundation.org/issues/1493
[4] https://redmine.openinfosecfoundation.org/issues/977
Updated by Jason Ish over 7 years ago
- Assignee set to Jason Ish
Happy to take this as I've started to look into already.
Updated by Jason Ish over 7 years ago
Duane Howard wrote:
any updates/thoughts on this Jason?
Here's my solution to this problem:
https://github.com/inliniac/suricata/pull/2613
Updated by Jason Ish over 7 years ago
- Status changed from Assigned to Closed
- Target version set to 4.0beta1