Detect invalid configuration

adrien_moreau · February 15, 2023, 4:35pm

I am struggling to find a way to test the validity of some suricata config file.
Let’s say I have the following condiguration suricata.yaml file:

outputs:
  - eve-log:
      enabled: yuhu
      abcd: toto
      filetype: titi
      filename: eve.json

IMO this file should be considered invalid for several reasons (enabled should expect boolean value, abcd is unknown field, titi is not in the list of possible values for filetype)

If I run:

suricata -T suricata.yaml
or
suricata -c suricata.yaml --dump-config

Neither of this command return non zero status code or write anything that could potentially indicate that the configuration is invalid. Is it the expected behavior? Am I missing something?

jufajardini · February 15, 2023, 6:55pm

I think you have a valid point.
We have bug tickets for related issues (see Bug #4553: Configuration test mode succeeds when reference.config file contains invalid content - Suricata - Open Information Security Foundation) but I couldn’t find one for the suricata.yaml file…

Topic		Replies	Views
Is there a standard way to test all Suricata rules? Are there any sample EVE files I should use for testing? Developers rules , suricata	1	1896	October 26, 2022
I have an error with the configuration file Help configuration , suricata	1	846	May 16, 2023
Suricata not writing output files Help	1	1584	December 27, 2020
Suricata 6.0.9 on Ubuntu 22.04 : How to enable the Redis output of SURICATA Help suricata	8	2132	January 6, 2023
/etc/suricata/disable.conf and checksum Help	7	5036	September 7, 2020

Detect invalid configuration

Related topics