[Oisf-users] suricata.yaml

Jason Ish ish at unx.ca
Fri Oct 8 19:31:24 UTC 2010



On 10/08/2010 11:40 AM, Anoop Saldanha wrote:
>
>
> On Thu, Oct 7, 2010 at 4:40 PM, Victor Julien <victor at inliniac.net
> <mailto:victor at inliniac.net>> wrote:
>
>     mex wrote:
>      > Hi there,
>      >
>      > did not find much info on that,
>      > but is it possible to have includes in
>      > suricata.yaml?
>      >
>      > I'd like to have the single conf divided
>      > into different parts, esp. the rules - definitions
>      > excluded. I do this with snort.conf in the following
>      > way (inspired by the way Debian splits up
>      > apache-config)
>      >
>      > snort.conf
>      >
>      >   decoder.conf
>      >   preprocessor.conf
>      >   rules.conf
>      >   threshold.conf
>      >   output.conf
>      >   snort_vars.conf
>
>     No, this is not possible with an "include"-like keyword.
>
>     You can point to your thresholding config using:
>     threshold-file: /etc/suricata/threshold.config
>
>     To the classification file using:
>     classification-file: /etc/suricata/classification.config
>
>     To rule files using:
>
>     rule-files:
>       - attack-responses.rules
>
>     From the rule files only rules will be loaded. All other content
>     is ignored.
>
>     Cheers,
>     Victor
>
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
>
>
>
> Coming to think of it, maybe it should be supported?  Certainly makes it
> easier for people who like to split their conf file

Adding an include was on my mental to-do list.  The other thing, which 
we had discussed sometime back was having an include statement right 
inside the rule files.  That way suricata.yaml could just reference 
something like master.rules, and that would then include further 
rulesets.  I had a need for that at one time, but not anymore.

Jason
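Since suricata.yaml has no include keyword, the conf.d-style split mex asks for has to be assembled outside Suricata. The following is an added example, not code from this thread or from the Suricata project: it concatenates numbered fragments (file names and contents are constructed) into one suricata.yaml body and refuses to merge when two fragments set the same top-level key, because YAML loaders generally keep only one of two duplicate keys, so a silent merge could drop a `rule-files` or `threshold-file` setting without any error at startup. The check is line-based (column-0 `key:` lines), not a full YAML parse.

```python
import re
from pathlib import Path

# A top-level YAML mapping key at column 0, e.g. "rule-files:" or "threshold-file: ...".
TOP_KEY = re.compile(r"^([A-Za-z0-9_.-]+)\s*:")


def assemble(fragments):
    """Concatenate (name, text) fragments into one suricata.yaml body.

    Raises ValueError if two fragments define the same top-level key, so a
    duplicated rule-files/threshold-file/classification-file setting is caught
    at assembly time instead of being silently overridden by the YAML loader.
    Returns the assembled text, starting with the header suricata.yaml uses.
    """
    seen = {}                      # top-level key -> fragment that defined it
    out = ["%YAML 1.1", "---"]
    for name, text in fragments:
        for line in text.splitlines():
            m = TOP_KEY.match(line)
            if m:
                key = m.group(1)
                if key in seen:
                    raise ValueError("top-level key %r in %s already set in %s"
                                     % (key, name, seen[key]))
                seen[key] = name
        out.append("# --- begin %s ---" % name)
        out.append(text.rstrip("\n"))
        out.append("# --- end %s ---" % name)
    return "\n".join(out) + "\n"


def assemble_dir(conf_dir):
    """Read every *.yaml in conf_dir in sorted (lexical) order, conf.d style."""
    paths = sorted(Path(conf_dir).glob("*.yaml"))
    return assemble([(p.name, p.read_text()) for p in paths])


# Constructed sample fragments mirroring the split discussed in the thread;
# the paths are the ones from Victor's reply, the file names are invented.
FRAGMENTS = [
    ("10-vars.yaml", "vars:\n  address-groups:\n    HOME_NET: \"[192.168.0.0/16]\"\n"),
    ("20-rules.yaml", "default-rule-path: /etc/suricata/rules\nrule-files:\n  - attack-responses.rules\n"),
    ("30-threshold.yaml", "threshold-file: /etc/suricata/threshold.config\n"),
    ("40-classification.yaml", "classification-file: /etc/suricata/classification.config\n"),
]

if __name__ == "__main__":
    print(assemble(FRAGMENTS))
```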


