Detect invalid configuration

adrien_moreau · February 15, 2023, 4:35pm

I am struggling to find a way to test the validity of some suricata config file.
Let’s say I have the following condiguration suricata.yaml file:

outputs:
  - eve-log:
      enabled: yuhu
      abcd: toto
      filetype: titi
      filename: eve.json

IMO this file should be considered invalid for several reasons (enabled should expect boolean value, abcd is unknown field, titi is not in the list of possible values for filetype)

If I run:

suricata -T suricata.yaml
or
suricata -c suricata.yaml --dump-config

Neither of this command return non zero status code or write anything that could potentially indicate that the configuration is invalid. Is it the expected behavior? Am I missing something?

jufajardini · February 15, 2023, 6:55pm

I think you have a valid point.
We have bug tickets for related issues (see Bug #4553: Configuration test mode succeeds when reference.config file contains invalid content - Suricata - Open Information Security Foundation) but I couldn’t find one for the suricata.yaml file…

Topic		Replies	Views
Is there a standard way to test all Suricata rules? Are there any sample EVE files I should use for testing? Developers rules , suricata	1	1605	October 26, 2022
Suricata not writing output files Help	1	1406	December 27, 2020
Suricata 6.0.9 on Ubuntu 22.04 : How to enable the Redis output of SURICATA Help suricata	8	1756	January 6, 2023
These logs showing any attacks or misconfiguration? Help	3	2455	August 24, 2020
Alert-debug.log not write Help	5	309	November 27, 2021

Detect invalid configuration

Related Topics