[Oisf-devel] [Oisf-users] RFC: Yaml conf structure for enabling/disabling protocol parsers

Anoop Saldanha anoopsaldanha at gmail.com
Thu Dec 26 17:50:43 UTC 2013


On Thu, Dec 26, 2013 at 8:51 PM, Christophe Vandeplas
<christophe at vandeplas.com> wrote:
> Option 2 seems the most logical one to me.
>
> In addition to Victor's argument about nesting I'd like to add a usability
> argument for keeping the tcp and udp configuration close to each other:
> When you dive into the configuration you mostly care about it being "dns"
> and not "tcp/udp". So if you're going to make a change there's a high
> probability that you'll want to change both the tcp and udp version of the
> dns protocol. You'll probably prefer to scroll a page downwards to change
> the udp part after setting the tcp settings.
>
> Kind regards and merry xmas
>

+1

> On Thu, Dec 26, 2013 at 4:05 PM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> On Tue, Dec 17, 2013 at 7:16 PM, Rich Rumble <richrumble at gmail.com> wrote:
>> > On Tue, Dec 17, 2013 at 8:41 AM, Victor Julien <lists at inliniac.net>
>> > wrote:
>> >> On 12/17/2013 02:34 PM, Peter Manev wrote:
>> >>> On Tue, Dec 17, 2013 at 12:56 PM, Rich Rumble <richrumble at gmail.com>
>> >>> wrote:
>> >>>> On Tue, Dec 17, 2013 at 5:32 AM, Anoop Saldanha
>> >>>> <anoopsaldanha at gmail.com> wrote:
>> >>>>> We are currently planning on updating the above parameters and
>> >>>>> introduce "ipproto" as a separate hierarchy.  The options currently
>> >>>>> under consideration are listed in the below link.
>> >>>>>
>> >>>>>
>> >>>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>> >>>>>
>> >>>>> Thoughts, comments welcome.
>> >>>>>
>> >>>>> Please specify the option (1, 2 or 3 from the above link) you prefer.
>> >>>>> If you have something different on your mind, please go ahead and
>> >>>>> introduce it, and we can deliberate on adding it to the list as
>> >>>>> well.
>> >>>>
>> >>>>
>> >>>> Option 1.
>> >>>
>> >>> Option 1
>> >>
>> >> What I dislike about this scheme, is that it adds an extra layer of
>> >> nesting that is unnecessary for most protocols. Each layer of nesting is
>> >> an added opportunity for messing up the yaml, which is very strict on
>> >> indenting.
>> >>
>> >> tcp:
>> >>   http:
>> >>
>> >> Is redundant for example.
>> >>
>> >> There are a few protocols we support currently that have need to specify
>> >> ipproto: dns and smb.
>> > You just had to go and make sense didn't you... I'm changing to Option 2.
>>
>> We have 2 votes for option (2), and 1 for option (1).
>>
>> I give my vote for option (2) as well.
>>
>> I have updated the link -
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>> with a more detailed expansion of what it would look like when all the
>> protocols are included in the conf.
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------


