<div dir="ltr">Option 2 seems the most logical one to me. <div><br><div>In addition to Victor's argument about nesting I'd like to add and usability argument for keeping the tcp and udp configuration close to each other:</div>
<div>When you dive into the configuration you mostly care about it being "dns" and not "tcp/udp". So if you're going to make a change there's a high probability that you'll want to change both the tcp and udp version of the dns procotol. You'll probably prefer to to scroll a page downwards to change the udp part after setting the tcp settings. </div>
<div><br></div><div>Kind regards and merry xmas</div><div><br></div><div>Christophe </div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 26, 2013 at 4:05 PM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, Dec 17, 2013 at 7:16 PM, Rich Rumble <<a href="mailto:richrumble@gmail.com">richrumble@gmail.com</a>> wrote:<br>
> On Tue, Dec 17, 2013 at 8:41 AM, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:<br>
>> On 12/17/2013 02:34 PM, Peter Manev wrote:<br>
>>> On Tue, Dec 17, 2013 at 12:56 PM, Rich Rumble <<a href="mailto:richrumble@gmail.com">richrumble@gmail.com</a>> wrote:<br>
>>>> On Tue, Dec 17, 2013 at 5:32 AM, Anoop Saldanha <<a href="mailto:anoopsaldanha@gmail.com">anoopsaldanha@gmail.com</a>> wrote:<br>
>>>>> We are currently planning on updating the above parameters and<br>
>>>>> introduce "ipproto" as a separate hierarchy. The options currently<br>
>>>>> under consideration are listed in the below link.<br>
>>>>><br>
>>>>> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml</a><br>
>>>>><br>
>>>>> Thoughts, comments welcome.<br>
>>>>><br>
>>>>> Please specify the option(1, 2 or 3 from the above link) you prefer.<br>
>>>>> If you have something different on your mind, please go ahead and<br>
>>>>> introduce it, and we can deliberate on adding it to the list as well.<br>
>>>><br>
>>>><br>
>>>> Option 1.<br>
>>><br>
>>> Option 1<br>
>><br>
>> What I dislike about this scheme, is that it adds an extra layer of<br>
>> nesting that is unnecessary for most protocols. Each layer of nesting is<br>
>> an added opportunity for messing up the yaml, which is very strict on<br>
>> indenting.<br>
>><br>
>> tcp:<br>
>> http:<br>
>><br>
>> Is redundant for example.<br>
>><br>
>> There are a few protocols we support currently that have need to specify<br>
>> ipproto: dns and smb.<br>
> You just had to go an make sense didn't you... I'm changing to Option 2.<br>
<br>
</div></div>We have 2 votes for option (2), and 1 for option (1).<br>
<br>
I give my vote for option (2) as well.<br>
<br>
I have updated the link -<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml</a><br>
with a more detailed expansion of how it would look like when all the<br>
protocols are included in the conf.<br>
<div class="im HOEnZb"><br>
--<br>
-------------------------------<br>
Anoop Saldanha<br>
<a href="http://www.poona.me" target="_blank">http://www.poona.me</a><br>
-------------------------------<br>
</div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div>