[Oisf-users] classifications/references/rules directly in suricata.yaml
elof2 at sentor.se
Mon Mar 21 15:59:01 UTC 2016
Hi Victor.
Oh.
Doh.
This is clearly something that I request.
Is this possible to do in a future version?
Some reasons/motives:
I want to add a custom reference while not interfering with the conf-files
managed by the pkg system, i.e. I don't want to modify
/usr/local/etc/suricata/reference.config.
I also prefer adding my custom config in the yaml file and not creating a
second /usr/local/etc/suricata/reference.config.local.
It is more convenient to test things when all can be put into *one* file.
Then you can easily copy it to another machine.
If you manage hundreds of sensors, it is easier to "compile" one big
suricata.yaml file per sensor and distribute it from a central place than
distributing the conf-part in one file, rules in others, references and
classifications in yet others.
/Elof
On Mon, 21 Mar 2016, Victor Julien wrote:
> On 21-03-16 13:19, elof2 at sentor.se wrote:
>> What is the syntax if I want to put classifications/references/rules
>> directly in the suricata.yaml file?
>>
>> Example:
>> If I comment out the reference-config-file and add references manually,
>> using the same syntax as in the file, suricata won't start.
>>
>> #reference-config-file: /usr/local/etc/suricata/reference.config
>> config reference: bugtraq http://www.securityfocus.com/bid/
>> config reference: bid http://www.securityfocus.com/bid/
>> config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
>> ...etc...
>>
>>
>> Configuration node 'config reference' redefined.
>> SC_ERR_CONF_YAML_ERRORESC - Failed to parse configuration file at line
>> 1222: mapping values are not allowed in this context
>>
>>
>>
>> So what should the yaml look like when adding classifications,
>> references or rules directly in suricata.yaml?
>
> You can't.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
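Since Suricata will not read `config reference:` / `config classification:` lines out of suricata.yaml, the files stay separate, and the failure mode that matters when distributing a bundle to many sensors is a rule that names a classtype or reference system the sensor's config files never define. The following is an added example, not code from this thread or from the Suricata project: it parses the two config-file formats exactly as the OP pasted them (`config reference: <name> <url-prefix>` and `config classification: <shortname>,<description>,<priority>`) and then checks a rule set's `classtype:` and `reference:` options against them. All file contents are constructed inline so it runs offline; on a real sensor you would feed it the files named by `reference-config-file`, `classification-config-file` and `rule-files` in suricata.yaml.

```python
"""Validate reference.config / classification.config entries and check that
every classtype and reference system used by a rule set is defined.

Added example (not from the thread or the Suricata project).  The file
contents below are constructed samples so the script runs offline.
"""
import re

# Constructed reference.config sample, same line format the OP pasted.
REFERENCE_CONFIG = """\
# comments and blank lines are ignored
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: bid http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: url http://
"""

# Constructed classification.config sample: shortname,description,priority.
CLASSIFICATION_CONFIG = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""

# Constructed rules.  The third one uses a classtype and a reference system
# that the files above do not define; that is the mistake we want to catch.
RULES = """\
alert tcp any any -> any any (msg:"ok rule"; classtype:trojan-activity; reference:cve,2014-0160; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"ok rule 2"; classtype:not-suspicious; reference:url,example.com/x; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"bad rule"; classtype:custom-class; reference:internal,TICKET-42; sid:1000003; rev:1;)
"""

REF_LINE = re.compile(r"^config\s+reference:\s*(\S+)\s+(\S+)\s*$")
CLASS_LINE = re.compile(r"^config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")


def parse_reference_config(text):
    """Return {system_name: url_prefix}; raise ValueError on a bad or duplicate line."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REF_LINE.match(line)
        if not m:
            raise ValueError("reference.config line %d malformed: %r" % (lineno, line))
        name, url = m.group(1), m.group(2)
        if name in refs:
            raise ValueError("reference.config line %d redefines %r" % (lineno, name))
        refs[name] = url
    return refs


def parse_classification_config(text):
    """Return {shortname: (description, priority)}; raise ValueError if malformed."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_LINE.match(line)
        if not m:
            raise ValueError("classification.config line %d malformed: %r" % (lineno, line))
        short, desc, prio = m.group(1).strip(), m.group(2).strip(), int(m.group(3))
        if short in classes:
            raise ValueError("classification.config line %d redefines %r" % (lineno, short))
        classes[short] = (desc, prio)
    return classes


# Rule option extractors: sid, classtype, and the system part of each reference.
OPT_SID = re.compile(r"\bsid:\s*(\d+)\s*;")
OPT_CLASSTYPE = re.compile(r"\bclasstype:\s*([^;]+);")
OPT_REFERENCE = re.compile(r"\breference:\s*([^,;]+),[^;]*;")


def check_rules(rules_text, refs, classes):
    """Return [(sid, problem)] for rules whose classtype or reference system
    is not defined in the parsed config files."""
    problems = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = OPT_SID.search(line)
        sid = int(m.group(1)) if m else None
        m = OPT_CLASSTYPE.search(line)
        if m and m.group(1).strip() not in classes:
            problems.append((sid, "unknown classtype %r" % m.group(1).strip()))
        for system in OPT_REFERENCE.findall(line):
            if system.strip() not in refs:
                problems.append((sid, "unknown reference system %r" % system.strip()))
    return problems


def validate(reference_text, classification_text, rules_text):
    """Parse both config files and check the rules against them."""
    return check_rules(rules_text,
                       parse_reference_config(reference_text),
                       parse_classification_config(classification_text))


if __name__ == "__main__":
    for sid, problem in validate(REFERENCE_CONFIG, CLASSIFICATION_CONFIG, RULES):
        print("sid %s: %s" % (sid, problem))
```

Run against the constructed input it reports only sid 1000003, once for the undefined classtype and once for the undefined reference system. The parsers also reject a redefined name, which is the same class of mistake as the "Configuration node ... redefined" message in the OP's yaml attempt, and they reject lines that do not match the two formats, so a typo in a hand-maintained local file is caught before it reaches a sensor.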