Hello Stefan, thank you for submitting this. There is one very minor comment, please see below. Apart from it, this patch looks good to me. Reviewed-by: Peter Müller Thanks, and best regards, Peter Müller
> Signed-off-by: Stefan Schantl
> ---
> config/rootfiles/common/suricata | 1 +
> config/suricata/suricata-default-rules.yaml | 22 ++++++++++++++++++
> config/suricata/suricata.yaml | 25 ++++-----------------
> lfs/suricata | 3 +++
> 4 files changed, 30 insertions(+), 21 deletions(-)
> create mode 100644 config/suricata/suricata-default-rules.yaml
>
> diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
> index ff31ec7d2..41193f4ea 100644
> --- a/config/rootfiles/common/suricata
> +++ b/config/rootfiles/common/suricata
> @@ -37,6 +37,7 @@ usr/share/suricata
> #usr/share/suricata/rules/smtp-events.rules
> #usr/share/suricata/rules/stream-events.rules
> #usr/share/suricata/rules/tls-events.rules
> +var/ipfire/suricata/suricata-default-rules.yaml
> var/lib/suricata
> var/lib/suricata/classification.config
> var/lib/suricata/reference.config
> diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml
> new file mode 100644
> index 000000000..d13aa622a
> --- /dev/null
> +++ b/config/suricata/suricata-default-rules.yaml
> @@ -0,0 +1,22 @@
> +%YAML 1.1
> +---
> +
> +# Default rules which helps ... to keep things nice and tidy? Looks like the second half of the comment is missing. :-)
> + - /usr/share/suricata/rules/app-layer-events.rules
> + - /usr/share/suricata/rules/decoder-events.rules
> + - /usr/share/suricata/rules/dhcp-events.rules
> + - /usr/share/suricata/rules/dnp3-events.rules
> + - /usr/share/suricata/rules/dns-events.rules
> + - /usr/share/suricata/rules/files.rules
> + - /usr/share/suricata/rules/http2-events.rules
> + - /usr/share/suricata/rules/http-events.rules
> + - /usr/share/suricata/rules/ipsec-events.rules
> + - /usr/share/suricata/rules/kerberos-events.rules
> + - /usr/share/suricata/rules/modbus-events.rules
> + - /usr/share/suricata/rules/mqtt-events.rules
> + - /usr/share/suricata/rules/nfs-events.rules
> + - /usr/share/suricata/rules/ntp-events.rules
> + - /usr/share/suricata/rules/smb-events.rules
> + - /usr/share/suricata/rules/smtp-events.rules
> + - /usr/share/suricata/rules/stream-events.rules
> + - /usr/share/suricata/rules/tls-events.rules
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 49921db86..7b2557fce 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -46,28 +46,11 @@ vars:
> ##
> default-rule-path: /var/lib/suricata
> rule-files:
> - # Default rules
> - - /usr/share/suricata/rules/app-layer-events.rules
> - - /usr/share/suricata/rules/decoder-events.rules
> - - /usr/share/suricata/rules/dhcp-events.rules
> - - /usr/share/suricata/rules/dnp3-events.rules
> - - /usr/share/suricata/rules/dns-events.rules
> - - /usr/share/suricata/rules/files.rules
> - - /usr/share/suricata/rules/http2-events.rules
> - - /usr/share/suricata/rules/http-events.rules
> - - /usr/share/suricata/rules/ipsec-events.rules
> - - /usr/share/suricata/rules/kerberos-events.rules
> - - /usr/share/suricata/rules/modbus-events.rules
> - - /usr/share/suricata/rules/mqtt-events.rules
> - - /usr/share/suricata/rules/nfs-events.rules
> - - /usr/share/suricata/rules/ntp-events.rules
> - - /usr/share/suricata/rules/smb-events.rules
> - - /usr/share/suricata/rules/smtp-events.rules
> - - /usr/share/suricata/rules/stream-events.rules
> - - /usr/share/suricata/rules/tls-events.rules
> -
> # Include enabled ruleset files from external file
> - - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
> + include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
> +
> + # Include default rules.
> + include: /var/ipfire/suricata/suricata-default-rules.yaml
>
> classification-file: /var/lib/suricata/classification.config
> reference-config-file: /var/lib/suricata/reference.config
> diff --git a/lfs/suricata b/lfs/suricata
> index f5b68da8f..96c2b33fe 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
> @@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> # Install IPFire related config file.
> install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
>
> + # Install yaml file for loading default rules.
> + install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
> +
> # Create emtpy rules directory.
> -mkdir -p /var/lib/suricata
>
>
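Review bot: The new side of the suricata.yaml hunk puts the mapping key `include:` twice under `rule-files:` (once for suricata-used-rulefiles.yaml, once for suricata-default-rules.yaml), and YAML does not permit duplicate keys in a single mapping. Depending on how Suricata's config loader walks the parsed events, the second include may replace the first, which would silently drop the ruleset files the user enabled while Suricata keeps running with only the built-in event rules — a detection gap that nothing in the patch would report; the included file is also a bare top-level sequence, and whether it merges correctly into a mapping-style include cannot be told from the diff. Please verify with `suricata -T -c /etc/suricata/suricata.yaml` (and by checking the rule-file list in the startup log) that both sets of files are loaded, or use the single include form the Suricata documentation gives for `rule-files`. The enclosing `vars:` section continues above and below this hunk.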
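Review bot: The added `install -m 0664` line in lfs/suricata makes suricata-default-rules.yaml group-writable, while the suricata.yaml install two lines above uses `0644`; since this file decides which rule files Suricata loads, any process running in the file's group could edit it to stop the built-in event rules from being loaded. Unless the web UI is meant to rewrite this file at runtime (the `suricata-used-rulefiles.yaml` include looks like the file intended for that, but the diff does not show it), `install -m 0644 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata` is the safer and consistent choice. The `$(TARGET)` recipe this belongs to starts before the hunk and continues after it.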