Bug #2049

closed

Empty rule files cause failure exit code without corresponding message

Added by Duane Howard over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using -T to try to load an empty rules file directly behaves as expected (still returns 0 and calls out a Warning to identify the issue)[0]. If the empty rules file is part of the rule list in the yaml config, the behavior changes: Suricata sets the error code to 1 and doesn't provide any message indicating the reason for the failure[1].

[0] Old expected behavior:
$ /usr/bin/suricata T -c ~/suricata-pcap.yaml -S empty.rules
21/2/2017 -- 20:32:06 - <Info> - Running suricata under test mode
Initialization syslog logging with format "[%i] <%d> -- ".
21/2/2017 -- 20:32:06 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 20:32:06 - <Info> - CPUs/cores online: 16
21/2/2017 -- 20:32:06 - <Info> - HTTP memcap: 6442450944
21/2/2017 -- 20:32:09 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
21/2/2017 -- 20:32:09 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
21/2/2017 -- 20:32:09 - <Info> - Threshold config parsed: 1 rule(s) found
21/2/2017 -- 20:32:09 - <Info> - fast output device (regular) initialized: /tmp/fast.log
21/2/2017 -- 20:32:09 - <Info> - Unified2-alert initialized: filename suricata.u2, limit 128 MB
21/2/2017 -- 20:32:09 - <Info> - stats output device (regular) initialized: stats.log
21/2/2017 -- 20:32:09 - <Info> - Syslog output initialized
21/2/2017 -- 20:32:09 - <Notice> - Configuration provided was successfully loaded. Exiting.
$ echo $?
0

[1] New, unexpected behavior:
Put empty.rules in the rules list in suricata.yaml:

$ /usr/bin/suricata T -c /etc/suricata/suricata.yaml
21/2/2017 -- 20:35:32 - <Info> - Running suricata under test mode
Initialization syslog logging with format "[%i] <%d> -- ".
21/2/2017 -- 20:35:32 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 20:35:32 - <Info> - CPUs/cores online: 16
21/2/2017 -- 20:35:32 - <Info> - HTTP memcap: 6442450944
$ echo $?
1

[2] As above, but with -vvvv. Note that output stops after the empty file, but no warning is thrown.
$ sudo /usr/bin/suricata -T -c /etc/suricata/suricata.yaml -vvvv
21/2/2017 -- 20:42:15 - <Info> - Running suricata under test mode
21/2/2017 -- 20:42:15 - <Notice> - This is Suricata version 3.2.1 RELEASE
21/2/2017 -- 20:42:15 - <Info> - CPUs/cores online: 16
21/2/2017 -- 20:42:15 - <Config> - luajit states preallocated: 128
<snip>
21/2/2017 -- 20:42:21 - <Config> - Loading rule file: /etc/suricata/rules/stuff.rules
21/2/2017 -- 20:42:21 - <Config> - Loading rule file: /etc/suricata/rules/empty.rules
$ echo $?
1

@ish identified this[3] as the change that modified the behavior.
@Duane Howard requested empty rule files to return 0 (nothing broken per se, versus a malformed rule) in another issue a while back[4].

[3] https://redmine.openinfosecfoundation.org/issues/1493
[4] https://redmine.openinfosecfoundation.org/issues/977
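The report above shows `suricata -T` exiting 1 with no message once an empty rule file is listed in suricata.yaml. The following pre-flight check is an added example, not code from this issue or from the Suricata project: it resolves the `rule-files:` entries of a config, reports by name every file that is missing or holds no active rule, and returns non-zero only then, so an operator sees the cause before trusting a bare exit code. It assumes the stock config layout (a top-level `default-rule-path:` line and a `rule-files:` list of `  - name.rules` entries, commented entries skipped); the fixture config and rule files it creates are constructed for the demo. It goes slightly beyond the report by also flagging comment-only files, which load zero rules just as an empty file does.

```shell
#!/bin/sh
# Added example, not Suricata's own code: pre-flight check of the rule files
# listed in suricata.yaml, so an empty file is reported by name instead of
# surfacing only as a bare exit code 1 from "suricata -T".
# Assumes the stock layout: a top-level "default-rule-path:" line and a
# "rule-files:" list of "  - name.rules" entries (commented entries skipped).

# count_active_rules FILE -> number of lines that are neither blank nor comments
count_active_rules() {
    # grep -c exits 1 when the count is 0; the count is still printed
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# list_rule_files YAML -> one resolved path per rule-files entry
list_rule_files() {
    base=$(sed -n 's/^default-rule-path:[[:space:]]*//p' "$1" | head -n 1)
    awk '
        /^rule-files:/                { inlist = 1; next }
        inlist && /^[[:space:]]*#/    { next }          # commented-out entry
        inlist && /^[^[:space:]]/     { inlist = 0 }    # next top-level key
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); print
        }
    ' "$1" | while IFS= read -r f; do
        case $f in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s/%s\n' "$base" "$f" ;;
        esac
    done
}

# check_rule_files YAML -> 0 if every listed file exists and holds at least one
# active rule; otherwise prints one line per offending file and returns 1
check_rule_files() {
    status=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            printf 'rule file missing: %s\n' "$f"; status=1
        elif [ "$(count_active_rules "$f")" -eq 0 ]; then
            printf 'rule file has no active rules (empty or comments only): %s\n' "$f"; status=1
        fi
    done <<EOF
$(list_rule_files "$1")
EOF
    return $status
}

# make_fixture -> path of a constructed config dir with one populated rule
# file, one zero-byte file (like empty.rules in the report) and one that holds
# only a comment
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/rules"
    printf 'alert tcp any any -> any any (msg:"constructed rule"; sid:1000001; rev:1;)\n' \
        > "$dir/rules/stuff.rules"
    : > "$dir/rules/empty.rules"
    printf '# nothing enabled yet\n\n' > "$dir/rules/comments.rules"
    cat > "$dir/suricata.yaml" <<EOF
%YAML 1.1
---
default-rule-path: $dir/rules
rule-files:
  - stuff.rules
  - empty.rules
  # - disabled.rules
  - comments.rules

outputs:
  - fast:
      enabled: yes
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report the problem files, then clean up
fixture=$(make_fixture)
if check_rule_files "$fixture/suricata.yaml"; then
    echo "every listed rule file contains rules"
else
    echo "fix the files above before relying on the exit code of suricata -T"
fi
rm -rf "$fixture"
```

Run it against a real config with `check_rule_files /etc/suricata/suricata.yaml` before `suricata -T`; on the fixture it names empty.rules and comments.rules and returns 1, while a config listing only stuff.rules returns 0. The check is deliberately a text-level approximation of what Suricata will load, which is why it only looks at file existence and non-comment line counts rather than parsing rule syntax.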

Actions #1

Updated by Jason Ish over 7 years ago

  • Assignee set to Jason Ish

Happy to take this as I've started to look into already.

Actions #2

Updated by Duane Howard over 7 years ago

any updates/thoughts on this Jason?

Actions #3

Updated by Jason Ish over 7 years ago

Duane Howard wrote:

any updates/thoughts on this Jason?

Here's my solution to this problem:
https://github.com/inliniac/suricata/pull/2613

Actions #4

Updated by Jason Ish over 7 years ago

  • Status changed from New to Assigned

Actions #5

Updated by Jason Ish over 7 years ago

  • Status changed from Assigned to Closed
  • Target version set to 4.0beta1