[Oisf-users] Config options discrepancies between suricata.yaml and ConfNodeLookupChildValue() in the source.

Victor Julien victor at inliniac.net
Thu Feb 16 16:46:20 UTC 2012


On 02/16/2012 05:44 PM, Nikolay Denev wrote:
> 
> On Feb 16, 2012, at 6:30 PM, Victor Julien wrote:
> 
>> On 02/16/2012 03:16 PM, Nikolay Denev wrote:
>>> Hi,
>>>
>>> I've noticed that there are some discrepancies regarding the config options that are in the default suricata.yaml file, that
>>> I guess most people use as a starting point to modify for their needs. For example I've tried to set the pcap logging to use only 10 files and rotate them,
>>> and I noticed that this didn't work. I've found that the source uses "ConfNodeLookupChildValue(conf, "max-files");" to get the number of files, but suricata.yaml
>>> has "max_files", so this option is not parsed.
>>> I see other similar mixups of dashes and underscores like:
>>>
>>> /usr/local/etc/suricata/suricata.yaml:      use_stream_depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
>>> ./log-pcap.c:        use_stream_depth = ConfNodeLookupChildValue(conf, "use-stream-depth");
>>>
>>> ./log-pcap.c:            s_dir = ConfNodeLookupChildValue(conf, "sguil-base-dir");
>>> ./log-pcap.c:                s_dir = ConfNodeLookupChildValue(conf, "sguil_base_dir");
>>>
>>>
>>> ts-format and ts_format…
>>>
>>> I can try to prepare a patch for these when I have free time, if it's clear what should be the convention: underscore or dash.
>>
>> Yeah it's inconsistent. The goal is to have the dash approach
>> everywhere. Complicating things is that for every setting we convert, I
>> want the old way to continue to work. So backwards compatibility, like
>> with the sguil-base-dir.
>>
>> Still interested in helping out? :)
>>
>> -- 
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
> 
> Hmm :)
> Does converting all underscores to dashes in the ConfNodeLookup* functions (emitting warning about the underscore versions being deprecated) and using only dashes internally make sense?
> This way even "sguil_base-dir" would work as a side effect, but I doubt it would break anything.
> 

That's actually a pretty good idea, as long as we only do it for the
option name, not the value.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
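
The lookup behaviour discussed in this thread, as an added example that is not part of the original messages and is not Suricata's code: underscores are treated as dashes in the option name only, a deprecation warning is emitted, and the value is returned untouched. `struct cfg_node`, `name_matches`, `lookup_child_value` and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical parsed-YAML child node; not Suricata's ConfNode. */
struct cfg_node { const char *name; const char *val; };

/* Constructed sample using option names mentioned in the thread. */
static const struct cfg_node sample_pcap_log[] = {
    { "max_files", "10" }, { "ts-format", "usec" },
    { "sguil_base-dir", "/nsm_data/sensor_1" },  /* underscores in the value must survive */
};

/* Compare a name from the file against a dash-style name, treating '_' as '-'.
 * Returns 1 on match; *underscored reports whether the file used '_'. */
static int name_matches(const char *file_name, const char *wanted, int *underscored)
{
    *underscored = 0;
    for (; *file_name && *wanted; file_name++, wanted++) {
        char c = *file_name;
        if (c == '_') { c = '-'; *underscored = 1; }
        if (c != *wanted)
            return 0;
    }
    return *file_name == '\0' && *wanted == '\0';
}

/* Find dash-style option `wanted`; *deprecated is 1 if the file spelled it with '_'. */
const char *lookup_child_value(const struct cfg_node *kids, size_t n,
                               const char *wanted, int *deprecated)
{
    *deprecated = 0;
    for (size_t i = 0; i < n; i++) {
        int underscored;
        if (!name_matches(kids[i].name, wanted, &underscored))
            continue;
        *deprecated = underscored;
        if (underscored)
            fprintf(stderr, "warning: \"%s\" is deprecated, use \"%s\"\n",
                    kids[i].name, wanted);
        return kids[i].val; /* value returned exactly as written */
    }
    return NULL;
}

int main(void)
{
    int dep;
    return lookup_child_value(sample_pcap_log, 3, "max-files", &dep) ? 0 : 1;
}
```

Without the normalized comparison, the `max_files` line would be silently ignored and the pcap logger would run with its default, which is the failure reported at the top of the thread.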