[Oisf-users] RFC: Yaml conf structure for enabling/disabling protocol parsers
Jose Paulo
paulo at sistemasolar.com.br
Tue Dec 17 13:35:49 UTC 2013
On 17/12/2013 08:32, Anoop Saldanha wrote:
> We currently have an option in our 2.0 branch's yaml conf, which allows
> users to individually enable/disable a particular app layer protocol
> parser. This is how it looks currently -
>
> app-layer:
>   protocols:
>     ftp:
>       enabled: yes
>     dnstcp:
>       enabled: yes
>       detection-ports:
>         tcp:
>           toserver: 53
>     dnsudp:
>       enabled: yes
>       detection-ports:
>         udp:
>           toserver: 53
>     http:
>       enabled: yes
>
> As you can see, the above structure doesn't have an exclusive option
> to specify the ipproto the protocol parser represents, and hence we
> have to define the ipproto by modifying the protocol name. For
> example, in the above case we do this for dns by appending the ipproto
> to "dns", thus giving us dnstcp and dnsudp, which represent the tcp
> version of dns and udp parsers, respectively.
>
> We are currently planning on updating the above parameters and
> introducing "ipproto" as a separate hierarchy. The options currently
> under consideration are listed in the below link.
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayerYaml
>
> Thoughts, comments welcome.
>
> Please specify the option (1, 2 or 3 from the above link) you prefer.
> If you have something different on your mind, please go ahead and
> introduce it, and we can deliberate on adding it to the list as well.
>
Option 2
Best regards
José Paulo