Suricata doesn't like bulk imported alias list



  • I'm trying to whitelist some large groups of IP addresses and I am creating aliases with the bulk importer.  They seem to import fine, but if I put them into another alias for use as a passlist for a Suricata interface, Suricata refuses to run, with no indication in the logs as to why (unless I am missing it).

    Running 2.3.2 RELEASE with Suricata 3.0_9

    Is this a known issue?  I can create the same list in the web interface, network by network, and Suricata has no problem starting and using it.

    Thanks for any suggestions!



  • Nobody has any ideas on this?  Is it something truly stupid that I am missing?  I don't mind being called stupid if it fixes my issue…  8)



  • Sorry for the late response, but I've been busy for several months and not very active on this forum.

    First guess would be there is something funky with the line termination character in your bulk file.  If created on Windows, you would need to remove the CR/LF combo and replace that character pair with just a LF (linefeed character).  First thing I would check is what kind of line termination is happening in the bulk alias file.  You can see that either with a binary file editor, or if you open the bulk alias file in vi, you will see funny caret characters at the end of each line if the CR/LF combo is there.

    Bill
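
An added example, not part of the original posts: a small Python check for the line-termination problem suggested in the reply above, which reports CR/LF endings and other stray bytes in a bulk alias list and returns an LF-only copy. The function name, the sample data and the "first token is the address, the rest is a description" line layout are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: three CR/LF-terminated lines (one not an address), one LF line.
SAMPLE = (b"192.0.2.0/24 office\r\n198.51.100.7\r\n"
          b"not-an-ip\r\n203.0.113.0/24 lab\n")

def audit_alias_file(raw: bytes):
    """Return (problems, cleaned) for a bulk alias list given as raw bytes.

    problems: list of (line_number, message).
    cleaned:  LF-terminated bytes holding only entries that parsed as an
              IP address or CIDR network.
    """
    problems, kept = [], []
    if raw.startswith(b"\xef\xbb\xbf"):      # UTF-8 BOM left by some editors
        problems.append((1, "UTF-8 BOM at start of file"))
        raw = raw[3:]
    for num, line in enumerate(raw.split(b"\n"), start=1):
        if line.endswith(b"\r"):             # the CR/LF pair described above
            problems.append((num, "CR/LF line ending"))
            line = line[:-1]
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            problems.append((num, "control or non-ASCII byte in line"))
            continue
        parts = line.decode("ascii").split(None, 1)
        if not parts:
            continue                         # blank line
        # Assumption: first token is the address, the rest a description.
        try:
            ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            problems.append((num, f"not an IP or CIDR: {parts[0]!r}"))
            continue
        kept.append(" ".join(p.strip() for p in parts))
    cleaned = "".join(k + "\n" for k in kept).encode("ascii")
    return problems, cleaned

if __name__ == "__main__":
    found, fixed = audit_alias_file(SAMPLE)
    for num, msg in found:
        print(f"line {num}: {msg}")
    print(fixed.decode("ascii"), end="")
```

Read the file in binary mode (`open(path, "rb").read()`) before passing it in, so the CR bytes are not translated away on read.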



  • Thanks for the reply.  I should have thought about that possibility as much as I have been bamboozled by UNIX to DOS files before.  The lists were put in by hand in the GUI, so all is well, but for future reference (hopefully never) I will definitely check that.

    On a completely unrelated topic, since you are the maintainer of the package, I wanted to let you know that we now have Suricata running inline after a hardware change from Intel X710 adapters to Intel X520 adapters.  Been working like a champ!  Thanks for your work maintaining this package.



  • @dhboyd26:

    Thanks for the reply.  I should have thought about that possibility as much as I have been bamboozled by UNIX to DOS files before.  The lists were put in by hand in the GUI, so all is well, but for future reference (hopefully never) I will definitely check that.

    On a completely unrelated topic, since you are the maintainer of the package, I wanted to let you know that we now have Suricata running inline after a hardware change from Intel X710 adapters to Intel X520 adapters.  Been working like a champ!  Thanks for your work maintaining this package.

    Good to hear.  Netmap support is still not 100% in all the NIC drivers yet, but maybe someday we will get there.

    Bill

