From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] suricata: Move default loaded rulefiles to own included file.
Date: Thu, 09 Dec 2021 16:39:25 +0000
Message-ID:
In-Reply-To: <20211208171031.308639-2-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2023987033546975846=="
List-Id:
--===============2023987033546975846==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Acked-by: Michael Tremer
> On 8 Dec 2021, at 17:10, Stefan Schantl wrote:
>=20
> Signed-off-by: Stefan Schantl
> ---
> config/rootfiles/common/suricata | 1 +
> config/suricata/suricata-default-rules.yaml | 22 ++++++++++++++++++
> config/suricata/suricata.yaml | 25 ++++-----------------
> lfs/suricata | 3 +++
> 4 files changed, 30 insertions(+), 21 deletions(-)
> create mode 100644 config/suricata/suricata-default-rules.yaml
>=20
> diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/sur= icata
> index ff31ec7d2..41193f4ea 100644
> --- a/config/rootfiles/common/suricata
> +++ b/config/rootfiles/common/suricata
> @@ -37,6 +37,7 @@ usr/share/suricata
> #usr/share/suricata/rules/smtp-events.rules
> #usr/share/suricata/rules/stream-events.rules
> #usr/share/suricata/rules/tls-events.rules
> +var/ipfire/suricata/suricata-default-rules.yaml
> var/lib/suricata
> var/lib/suricata/classification.config
> var/lib/suricata/reference.config
> diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/= suricata-default-rules.yaml
> new file mode 100644
> index 000000000..d13aa622a
> --- /dev/null
> +++ b/config/suricata/suricata-default-rules.yaml
> @@ -0,0 +1,22 @@
> +%YAML 1.1
> +---
> +
> +# Default rules which helps
> + - /usr/share/suricata/rules/app-layer-events.rules
> + - /usr/share/suricata/rules/decoder-events.rules
> + - /usr/share/suricata/rules/dhcp-events.rules
> + - /usr/share/suricata/rules/dnp3-events.rules
> + - /usr/share/suricata/rules/dns-events.rules
> + - /usr/share/suricata/rules/files.rules
> + - /usr/share/suricata/rules/http2-events.rules
> + - /usr/share/suricata/rules/http-events.rules
> + - /usr/share/suricata/rules/ipsec-events.rules
> + - /usr/share/suricata/rules/kerberos-events.rules
> + - /usr/share/suricata/rules/modbus-events.rules
> + - /usr/share/suricata/rules/mqtt-events.rules
> + - /usr/share/suricata/rules/nfs-events.rules
> + - /usr/share/suricata/rules/ntp-events.rules
> + - /usr/share/suricata/rules/smb-events.rules
> + - /usr/share/suricata/rules/smtp-events.rules
> + - /usr/share/suricata/rules/stream-events.rules
> + - /usr/share/suricata/rules/tls-events.rules
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 49921db86..7b2557fce 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
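Review bot: The header comment `# Default rules which helps` in the new file is an unfinished sentence and does not say why the list exists or how it is consumed; the file is a bare top-level sequence that only makes sense once it is spliced into `rule-files:` by the `include:` added to suricata.yaml in this same patch. Suggest `# Suricata's built-in event rule files. This list is spliced into "rule-files:" by suricata.yaml and is loaded in addition to the user-enabled rulesets from suricata-used-rulefiles.yaml.` The eighteen paths are the same ones removed from suricata.yaml in the next hunk, so the content itself needs no further change.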
> @@ -46,28 +46,11 @@ vars:
> ##
> default-rule-path: /var/lib/suricata
> rule-files:
> - # Default rules
> - - /usr/share/suricata/rules/app-layer-events.rules
> - - /usr/share/suricata/rules/decoder-events.rules
> - - /usr/share/suricata/rules/dhcp-events.rules
> - - /usr/share/suricata/rules/dnp3-events.rules
> - - /usr/share/suricata/rules/dns-events.rules
> - - /usr/share/suricata/rules/files.rules
> - - /usr/share/suricata/rules/http2-events.rules
> - - /usr/share/suricata/rules/http-events.rules
> - - /usr/share/suricata/rules/ipsec-events.rules
> - - /usr/share/suricata/rules/kerberos-events.rules
> - - /usr/share/suricata/rules/modbus-events.rules
> - - /usr/share/suricata/rules/mqtt-events.rules
> - - /usr/share/suricata/rules/nfs-events.rules
> - - /usr/share/suricata/rules/ntp-events.rules
> - - /usr/share/suricata/rules/smb-events.rules
> - - /usr/share/suricata/rules/smtp-events.rules
> - - /usr/share/suricata/rules/stream-events.rules
> - - /usr/share/suricata/rules/tls-events.rules
> -
> # Include enabled ruleset files from external file
> - - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
> + include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
> +
> + # Include default rules.
> + include: /var/ipfire/suricata/suricata-default-rules.yaml
>=20
> classification-file: /var/lib/suricata/classification.config
> reference-config-file: /var/lib/suricata/reference.config
> diff --git a/lfs/suricata b/lfs/suricata
> index f5b68da8f..96c2b33fe 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
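Review bot: The new block places two `include:` keys in the same mapping, which is a duplicate key in plain YAML and only works because Suricata's own configuration loader treats `include` specially and splices each file in; a reader or a generic YAML linter will flag it, so the comment should say so, e.g. `# Two "include:" keys are intentional: Suricata's loader splices each listed file into rule-files.`. The indentation of the two `include:` lines cannot be checked in this mail rendering; they need to sit at the level where the old `- !include:` item was, otherwise the included sequences end up outside `rule-files:` and the default rules silently stop loading. Note also that the default rules are now listed after the user-enabled rulesets rather than before them; presumably harmless, but worth a word in the comment if the order was deliberate.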
> @@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> # Install IPFire related config file.
> install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
>=20
> + # Install yaml file for loading default rules.
> + install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /v= ar/ipfire/suricata
> +
> # Create emtpy rules directory.
> -mkdir -p /var/lib/suricata
>=20
> --=20
> 2.30.2
>=20
--===============2023987033546975846==--
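Review bot: The new install line uses mode 0664 while the suricata.yaml install one line above uses 0644; the default-rules file is a fixed list shipped by the package (the suricata.yaml comment describes only suricata-used-rulefiles.yaml as "enabled ruleset files from external file", i.e. the one maintained at runtime), so group-write lets any member of the directory's group change which rule files Suricata loads, for no benefit. Use `install -m 0644 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata` unless a writer in that group is intended, in which case the comment should name it. `install` without `-D` also requires /var/ipfire/suricata to exist at this point; presumably an earlier part of the recipe creates it since the used-rulefiles file already lives there, but that is outside the hunk. The `$(TARGET)` recipe continues outside the hunk on both sides.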