[Discussion] Configuration file conditional preprocessor

Martin Holste mcholste at gmail.com
Tue Feb 10 18:18:02 UTC 2009


I think that writing and maintaining code capable of interpreting such
dynamic configuration would be cool, but I think that the cost/benefit ratio
isn't there.  True, it would be convenient to have just one config for
everything, but that's only partially true anyway, since each sensor needs
its own specifics for topology, etc.  That means that you're already doing
per-sensor configuration somewhere along the way, and so all you're really
saving is duplicating config lines.  I just have a few templates lying
around that I use and it seems to work just fine.  It also makes parsing
configs much, much easier when they are declarative and not conditional
(i.e. when you want to create configs via script).

--Martin

On Tue, Feb 10, 2009 at 2:49 AM, Victor Julien <lists at inliniac.net> wrote:

> Martin Fong wrote:
> > Matt,
> >
> >> So we're only loading certain modules for detection if they are
> >> specifically called for? I.e. don't load the pcre module if there are no
> >> rules asking for pcre?
> >
> > One specific use case is having two different sets of preprocessor
> > parameters depending on whether the sensor is in front of or behind
> > a firewall -- this would eliminate the need for building two different,
> > but mostly identical, configuration files.
>
> I understand your goal and I like it. However one of our goals is to
> make the configuration & tuning less complex. Adding this type of
> complexity could conflict with that goal. On the other hand just having
> to configure one config that could be deployed everywhere in your
> organization may make it simpler again... thoughts?
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------