<br><br><div class="gmail_quote">On Thu, Oct 7, 2010 at 4:40 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">mex wrote:<br>
> Hi there,<br>
><br>
> did not found much info on that,<br>
> but is it possible to have includes in<br>
> suricata.yaml?<br>
><br>
> i'd like to have the single conf divided<br>
> into different parts, esp. the rules - definitions<br>
> excluded. i do this with snort.conf in the following<br>
> way (inspired by the way debian splits up<br>
> apache-config)<br>
><br>
> snort.conf<br>
><br>
>   decoder.conf<br>
>   preprocessor.conf<br>
>   rules.conf<br>
>   threshold.conf<br>
>   output.conf<br>
>   snort_vars.conf<br>
<br>
</div>No, this is not possible with an "include"-like keyword.<br>
<br>
You can point to your thresholding config using:<br>
threshold-file: /etc/suricata/threshold.config<br>
<br>
To the classification file using:<br>
classification-file: /etc/suricata/classification.config<br>
<br>
To rule files using:<br>
<br>
rule-files:<br>
 - attack-responses.rules<br>
<br>
>From the rule files only rules will be loaded. All other content is ignored.<br>
<br>
Cheers,<br>
Victor<br>
<font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br>Coming to think of it, maybe it should be supported?  Certainly makes it easier for people who like to split their conf file<br clear="all"><br>-- <br>Regards,<br>Anoop Saldanha<br><br>