
<br><br><div class="gmail_quote">On Thu, Oct 7, 2010 at 4:40 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">

<div class="im">mex wrote:<br>

> Hi there,<br>

><br>

> did not found much info on that,<br>

> but is it possible to have includes in<br>

> suricata.yaml?<br>

><br>

> i'd like to have the single conf divided<br>

> into different parts, esp. the rules - definitions<br>

> excluded. i do this with snort.conf in the following<br>

> way (inspired by the way debian splits up<br>

> apache-config)<br>

><br>

> snort.conf<br>

><br>

>   decoder.conf<br>

>   preprocessor.conf<br>

>   rules.conf<br>

>   threshold.conf<br>

>   output.conf<br>

>   snort_vars.conf<br>

<br>

</div>No, this is not possible with an "include"-like keyword.<br>

<br>

You can point to your thresholding config using:<br>

threshold-file: /etc/suricata/threshold.config<br>

<br>

To the classification file using:<br>

classification-file: /etc/suricata/classification.config<br>

<br>

To rule files using:<br>

<br>

rule-files:<br>

 - attack-responses.rules<br>

<br>

>From the rule files only rules will be loaded. All other content is ignored.<br>

<br>

Cheers,<br>

Victor<br>

<font color="#888888"><br>

--<br>

---------------------------------------------<br>

Victor Julien<br>

<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>

PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>

---------------------------------------------<br>

</font><div><div></div><div class="h5"><br>

_______________________________________________<br>

Oisf-users mailing list<br>

<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>

<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

</div></div></blockquote></div><br>Coming to think of it, maybe it should be supported?  Certainly makes it easier for people who like to split their conf file<br clear="all"><br>-- <br>Regards,<br>Anoop Saldanha<br><br>