[Oisf-users] RFC: Yaml conf structure for enabling/disabling protocol parsers

Jose Paulo paulo at sistemasolar.com.br
Tue Dec 17 13:35:49 UTC 2013


On 17/12/2013 08:32, Anoop Saldanha wrote:
> We currently have an option in our 2.0 branch's yaml conf, which allows
> users to individually enable/disable a particular app layer protocol
> parser.  This is how it looks currently -
>
> app-layer:
>   protocols:
>     ftp:
>       enabled: yes
>     dnstcp:
>       enabled: yes
>       detection-ports:
>         tcp:
>           toserver: 53
>     dnsudp:
>       enabled: yes
>       detection-ports:
>         udp:
>           toserver: 53
>     http:
>       enabled: yes
>
> As you can see, the above structure doesn't have an exclusive option
> to specify the ipproto the protocol parser represents, and hence we
> have to define the ipproto by modifying the protocol name.  For
> example, in the above case we do this for dns by appending the ipproto
> to "dns", thus giving us dnstcp and dnsudp, which represent the tcp
> version of dns and udp parsers, respectively.
>
> We are currently planning on updating the above parameters and
> introduce "ipproto" as a separate hierarchy.  The options currently
> under consideration are listed in the below link.
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>
> Thoughts, comments welcome.
>
> Please specify the option(1, 2 or 3 from the above link) you prefer.
> If you have something different on your mind, please go ahead and
> introduce it, and we can deliberate on adding it to the list as well.
>
Option 2

Best regards

José Paulo


