[Oisf-users] RFC: Yaml conf structure for enabling/disabling protocol parsers

Anoop Saldanha anoopsaldanha at gmail.com
Tue Dec 17 10:32:05 UTC 2013


We currently have an option in our 2.0 branch's yaml conf, which allows
users to individually enable/disable a particular app layer protocol
parser.  This is how it looks currently -

app-layer:
  protocols:
    ftp:
      enabled: yes
    dnstcp:
       enabled: yes
       detection-ports:
         tcp:
           toserver: 53
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
    http:
      enabled: yes

As you can see, the above structure doesn't have an exclusive option
to specify the ipproto the protocol parser represents, and hence we
have to define the ipproto by modifying the protocol name.  For
example, in the above case we do this for dns by appending the ipproto
to "dns", thus giving us dnstcp and dnsudp, which represent the tcp
and udp versions of the dns parser, respectively.

We are currently planning on updating the above parameters and
introducing "ipproto" as a separate hierarchy.  The options currently
under consideration are listed in the below link.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml

Thoughts, comments welcome.

Please specify the option (1, 2 or 3 from the above link) you prefer.
If you have something different on your mind, please go ahead and
introduce it, and we can deliberate on adding it to the list as well.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
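Added example, not from the post or from Suricata's own code: a small Python reader for the config subset quoted above that recovers the ipproto from the parser name suffix, which is exactly the workaround the RFC wants to replace with a dedicated "ipproto" level. The minimal YAML parser, the suffix heuristic, the cross-check against detection-ports and the tcp default are all assumptions of this example.

```python
# Constructed sample mirroring the 2.0 structure quoted in the post.
SAMPLE_CONF = """\
app-layer:
  protocols:
    ftp:
      enabled: yes
    dnstcp:
       enabled: yes
       detection-ports:
         tcp:
           toserver: 53
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
"""

def parse_yaml_subset(text):
    # Indentation-based parser for the plain key/value subset above (assumption:
    # no lists, quoting or multi-line values); returns nested dicts.
    stack = [(-1, {})]  # (indent, mapping); the first entry is the root
    for raw in text.splitlines():
        if not raw.strip(): continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back out of deeper mappings
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def resolve_parsers(conf):
    # Map parser name -> (app_proto, ipproto, enabled). With no ipproto field,
    # the transport has to be guessed from the name suffix and cross-checked.
    out = {}
    for name, settings in conf["app-layer"]["protocols"].items():
        app_proto, ipproto = name, None
        for suffix in ("tcp", "udp"):
            if name.endswith(suffix) and len(name) > len(suffix):
                app_proto, ipproto = name[:-len(suffix)], suffix
        ports = set(settings.get("detection-ports", {}))
        if ipproto and ports and ports != {ipproto}:
            raise ValueError(f"{name}: suffix says {ipproto}, ports say {sorted(ports)}")
        # Assumption: parsers with no hint at all (ftp, http) default to tcp.
        out[name] = (app_proto, ipproto or "tcp", settings.get("enabled") == "yes")
    return out
```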
