[Oisf-devel] [Oisf-users] RFC: Yaml conf structure for enabling/disabling protocol parsers
Christophe Vandeplas
christophe at vandeplas.com
Thu Dec 26 15:21:52 UTC 2013
Option 2 seems the most logical one to me.
In addition to Victor's argument about nesting I'd like to add and
usability argument for keeping the tcp and udp configuration close to each
other:
When you dive into the configuration you mostly care about it being "dns"
and not "tcp/udp". So if you're going to make a change there's a high
probability that you'll want to change both the tcp and udp version of the
dns procotol. You'll probably prefer to to scroll a page downwards to
change the udp part after setting the tcp settings.
Kind regards and merry xmas
Christophe
On Thu, Dec 26, 2013 at 4:05 PM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:
> On Tue, Dec 17, 2013 at 7:16 PM, Rich Rumble <richrumble at gmail.com> wrote:
> > On Tue, Dec 17, 2013 at 8:41 AM, Victor Julien <lists at inliniac.net>
> wrote:
> >> On 12/17/2013 02:34 PM, Peter Manev wrote:
> >>> On Tue, Dec 17, 2013 at 12:56 PM, Rich Rumble <richrumble at gmail.com>
> wrote:
> >>>> On Tue, Dec 17, 2013 at 5:32 AM, Anoop Saldanha <
> anoopsaldanha at gmail.com> wrote:
> >>>>> We are currently planning on updating the above parameters and
> >>>>> introduce "ipproto" as a separate hierarchy. The options currently
> >>>>> under consideration are listed in the below link.
> >>>>>
> >>>>>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
> >>>>>
> >>>>> Thoughts, comments welcome.
> >>>>>
> >>>>> Please specify the option(1, 2 or 3 from the above link) you prefer.
> >>>>> If you have something different on your mind, please go ahead and
> >>>>> introduce it, and we can deliberate on adding it to the list as well.
> >>>>
> >>>>
> >>>> Option 1.
> >>>
> >>> Option 1
> >>
> >> What I dislike about this scheme, is that it adds an extra layer of
> >> nesting that is unnecessary for most protocols. Each layer of nesting is
> >> an added opportunity for messing up the yaml, which is very strict on
> >> indenting.
> >>
> >> tcp:
> >> http:
> >>
> >> Is redundant for example.
> >>
> >> There are a few protocols we support currently that have need to specify
> >> ipproto: dns and smb.
> > You just had to go an make sense didn't you... I'm changing to Option 2.
>
> We have 2 votes for option (2), and 1 for option (1).
>
> I give my vote for option (2) as well.
>
> I have updated the link -
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
> with a more detailed expansion of how it would look like when all the
> protocols are included in the conf.
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20131226/83dd4ebf/attachment-0002.html>
More information about the Oisf-devel
mailing list