From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?=
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] suricata: Move default loaded rulefiles to own included file.
Date: Thu, 09 Dec 2021 20:21:12 +0100
Message-ID: <71c97e71-7cd6-1fde-4042-993dbba9d0b8@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8757297929825710083=="
List-Id:
--===============8757297929825710083==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
... and, for the records, it fixes bug #12739, which is currently show-stoppi= ng Core Update 162. :-)
> Hello Stefan,
>=20
> thank you for submitting this.
>=20
> There is one very minor comment, please see below. Apart from it, this patc= h looks good to me.
>=20
> Reviewed-by: Peter M=C3=BCller
>=20
> Thanks, and best regards,
> Peter M=C3=BCller
>=20
>=20
>> Signed-off-by: Stefan Schantl
>> ---
>> config/rootfiles/common/suricata | 1 +
>> config/suricata/suricata-default-rules.yaml | 22 ++++++++++++++++++
>> config/suricata/suricata.yaml | 25 ++++-----------------
>> lfs/suricata | 3 +++
>> 4 files changed, 30 insertions(+), 21 deletions(-)
>> create mode 100644 config/suricata/suricata-default-rules.yaml
>>
>> diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/su= ricata
>> index ff31ec7d2..41193f4ea 100644
>> --- a/config/rootfiles/common/suricata
>> +++ b/config/rootfiles/common/suricata
>> @@ -37,6 +37,7 @@ usr/share/suricata
>> #usr/share/suricata/rules/smtp-events.rules
>> #usr/share/suricata/rules/stream-events.rules
>> #usr/share/suricata/rules/tls-events.rules
>> +var/ipfire/suricata/suricata-default-rules.yaml
>> var/lib/suricata
>> var/lib/suricata/classification.config
>> var/lib/suricata/reference.config
>> diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata= /suricata-default-rules.yaml
>> new file mode 100644
>> index 000000000..d13aa622a
>> --- /dev/null
>> +++ b/config/suricata/suricata-default-rules.yaml
>> @@ -0,0 +1,22 @@
>> +%YAML 1.1
>> +---
>> +
>> +# Default rules which helps
>=20
> ... to keep things nice and tidy? Looks like the second half of the comment= is missing. :-)
>=20
>> + - /usr/share/suricata/rules/app-layer-events.rules
>> + - /usr/share/suricata/rules/decoder-events.rules
>> + - /usr/share/suricata/rules/dhcp-events.rules
>> + - /usr/share/suricata/rules/dnp3-events.rules
>> + - /usr/share/suricata/rules/dns-events.rules
>> + - /usr/share/suricata/rules/files.rules
>> + - /usr/share/suricata/rules/http2-events.rules
>> + - /usr/share/suricata/rules/http-events.rules
>> + - /usr/share/suricata/rules/ipsec-events.rules
>> + - /usr/share/suricata/rules/kerberos-events.rules
>> + - /usr/share/suricata/rules/modbus-events.rules
>> + - /usr/share/suricata/rules/mqtt-events.rules
>> + - /usr/share/suricata/rules/nfs-events.rules
>> + - /usr/share/suricata/rules/ntp-events.rules
>> + - /usr/share/suricata/rules/smb-events.rules
>> + - /usr/share/suricata/rules/smtp-events.rules
>> + - /usr/share/suricata/rules/stream-events.rules
>> + - /usr/share/suricata/rules/tls-events.rules
>> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
>> index 49921db86..7b2557fce 100644
>> --- a/config/suricata/suricata.yaml
>> +++ b/config/suricata/suricata.yaml
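Review bot: Every path in this new list is one of the `usr/share/suricata/rules/*-events.rules` entries that the rootfile hunk of this same patch shows commented out, and Suricata by default only logs a warning for a rule file it cannot open (it aborts only with `--init-errors-fatal`), so if those files are not shipped the built-in protocol-event detection would be lost silently rather than failing loudly. I cannot tell from the diff whether the files reach the image by some other route, so this is a check rather than a defect claim: on a built system run `suricata -T -c /etc/suricata/suricata.yaml` and confirm none of these paths produce an open-failure warning. If they are indeed installed, a short note at the top of this file saying where they come from would save the next reader the same question.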
>> @@ -46,28 +46,11 @@ vars:
>> ##
>> default-rule-path: /var/lib/suricata
>> rule-files:
>> - # Default rules
>> - - /usr/share/suricata/rules/app-layer-events.rules
>> - - /usr/share/suricata/rules/decoder-events.rules
>> - - /usr/share/suricata/rules/dhcp-events.rules
>> - - /usr/share/suricata/rules/dnp3-events.rules
>> - - /usr/share/suricata/rules/dns-events.rules
>> - - /usr/share/suricata/rules/files.rules
>> - - /usr/share/suricata/rules/http2-events.rules
>> - - /usr/share/suricata/rules/http-events.rules
>> - - /usr/share/suricata/rules/ipsec-events.rules
>> - - /usr/share/suricata/rules/kerberos-events.rules
>> - - /usr/share/suricata/rules/modbus-events.rules
>> - - /usr/share/suricata/rules/mqtt-events.rules
>> - - /usr/share/suricata/rules/nfs-events.rules
>> - - /usr/share/suricata/rules/ntp-events.rules
>> - - /usr/share/suricata/rules/smb-events.rules
>> - - /usr/share/suricata/rules/smtp-events.rules
>> - - /usr/share/suricata/rules/stream-events.rules
>> - - /usr/share/suricata/rules/tls-events.rules
>> -
>> # Include enabled ruleset files from external file
>> - - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
>> + include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
>> +
>> + # Include default rules.
>> + include: /var/ipfire/suricata/suricata-default-rules.yaml
>> =20
>> classification-file: /var/lib/suricata/classification.config
>> reference-config-file: /var/lib/suricata/reference.config
>> diff --git a/lfs/suricata b/lfs/suricata
>> index f5b68da8f..96c2b33fe 100644
>> --- a/lfs/suricata
>> +++ b/lfs/suricata
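Review bot: The two added `include:` lines are duplicate keys in one mapping, which only works because Suricata's loader special-cases the `include` keyword; any generic YAML 1.1 parser or linter will either reject the document or keep only the last key, which here would be the default rules and not the user-enabled ones, so nothing else on the box should ever be allowed to round-trip this file. Whether the included sequences become the value of `rule-files` also depends on their indentation relative to that key, which the quoted patch does not preserve; a dedented `include:` would leave `rule-files` empty and attach the lists to the enclosing mapping instead. I would state the dependency in a comment above the first include, e.g. `# NOTE: Suricata merges each include into the enclosing key; repeated 'include' keys are not valid for generic YAML parsers.`, and confirm with `suricata -T -c /etc/suricata/suricata.yaml` that rules from both files are counted as loaded. The `vars:` mapping this hunk sits in starts before the hunk.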
>> @@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> # Install IPFire related config file.
>> install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
>> =20
>> + # Install yaml file for loading default rules.
>> + install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /= var/ipfire/suricata
>> +
>> # Create emtpy rules directory.
>> -mkdir -p /var/lib/suricata
>> =20
>> --===============8757297929825710083==--
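Review bot: The new file is installed with `-m 0664` while `suricata.yaml` two lines above uses `-m 0644`, so it gains group write with no stated reason. With plain `install` the owner and group default to the build user, so the bit is harmless as built, but `/var/ipfire/suricata` is also the directory holding the generated `suricata-used-rulefiles.yaml` (presumably written by the web UI); if this file is ever chowned to that group, anyone who can run code as the web server could edit which rule files the IDS loads, a quiet way to blind detection. Unless the web UI is meant to rewrite this file, use `install -m 0644 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata`. Note that the target directory is assumed to already exist here; the `mkdir -p` just below only creates `/var/lib/suricata`.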