[Discussion] Configuration file conditional preprocessor
Matt Jonkman
jonkman at jonkmans.com
Tue Feb 10 21:05:28 UTC 2009
Agreed, I don't think one config will serve for an entire net. It still
has to be sensor specific. But hopefully we can make it less complex.
Matt
Martin Holste wrote:
> I think that writing and maintaining code capable of interpreting such
> dynamic configuration would be cool, but I think that the cost/benefit
> ratio isn't there. True, it would be convenient to have just one config
> for everything, but that's only partially true anyway, since each sensor
> needs its own specifics for topology, etc. That means that you're
> already doing per-sensor configuration somewhere along the way, and so
> all you're really saving is duplicating config lines. I just have a few
> templates lying around that I use and it seems to work just fine. It
> also makes parsing configs much, much easier when they are declarative
> and not conditional (i.e. when you want to create configs via script).
>
> --Martin
>
> On Tue, Feb 10, 2009 at 2:49 AM, Victor Julien <lists at inliniac.net> wrote:
>
> Martin Fong wrote:
>> Matt,
>
>>> So we're only loading certain modules for detection if they are
>>> specifically called for? I.e. don't load the pcre module if there are no
>>> rules asking for pcre?
>
>> One specific use case is having two different sets of preprocessor
>> parameters depending on whether the sensor is in front of or behind
>> a firewall -- this would eliminate the need for building two different,
>> but mostly identical, configuration files.
>
> I understand your goal and I like it. However one of our goals is to
> make the configuration & tuning less complex. Adding this type of
> complexity could conflict with that goal. On the other hand just having
> to configure one config that could be deployed everywhere in your
> organization may make it simpler again... thoughts?
>
> Cheers,
> Victor
>
_______________________________________________
Discussion mailing list
Discussion at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc