suricata: Include all default rules
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 19 Nov 2021 17:44:52 +0000 (17:44 +0000)
committerArne Fitzenreiter <arne_f@ipfire.org>
Wed, 24 Nov 2021 09:06:14 +0000 (09:06 +0000)
These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will give us more insight into what is
happening.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/common/suricata
config/suricata/suricata.yaml
lfs/suricata

index 32358483a06f6bde78ac7a7ae2ece7f631b19939..21dbeae64ca7170d74d807b3b4c4511066a6bfd5 100644 (file)
@@ -19,6 +19,28 @@ usr/bin/suricata
 #usr/share/man/man1/suricatactl-filestore.1
 #usr/share/man/man1/suricatactl.1
 #usr/share/man/man1/suricatasc.1
+usr/share/suricata/
+#usr/share/suricata/classification.config
+#usr/share/suricata/reference.config
+#usr/share/suricata/rules
+#usr/share/suricata/rules/app-layer-events.rules
+#usr/share/suricata/rules/decoder-events.rules
+#usr/share/suricata/rules/dhcp-events.rules
+#usr/share/suricata/rules/dnp3-events.rules
+#usr/share/suricata/rules/dns-events.rules
+#usr/share/suricata/rules/files.rules
+#usr/share/suricata/rules/http2-events.rules
+#usr/share/suricata/rules/http-events.rules
+#usr/share/suricata/rules/ipsec-events.rules
+#usr/share/suricata/rules/kerberos-events.rules
+#usr/share/suricata/rules/modbus-events.rules
+#usr/share/suricata/rules/mqtt-events.rules
+#usr/share/suricata/rules/nfs-events.rules
+#usr/share/suricata/rules/ntp-events.rules
+#usr/share/suricata/rules/smb-events.rules
+#usr/share/suricata/rules/smtp-events.rules
+#usr/share/suricata/rules/stream-events.rules
+#usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
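Review bot: The eighteen `*.rules` files and the two `.config` files added here are `#`-prefixed, the same way the man pages just above them are kept out of the package, yet config/suricata/suricata.yaml in this same commit now lists each rule file by absolute path. Unless the uncommented `usr/share/suricata/` entry packs the directory recursively, the installed system would get the directory but none of the rule files the YAML names, and rule loading would warn or fail on every entry; please confirm what the rootfile tooling does with a trailing-slash directory entry. The lfs/suricata hunk removes the `rm -rvf /usr/share/suricata` step, so the files exist in the build root; the open question is only whether they reach the package. If they are meant to ship, the `#` should be dropped from the `rules/` entries and from `classification.config` and `reference.config`, e.g. `usr/share/suricata/rules/app-layer-events.rules`.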
index 6f37671c8c9e727f5001c97744b59d6de7f23d45..0ad36e705864793c98120b3328c6c17a650bc675 100644 (file)
@@ -46,8 +46,28 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Include enabled ruleset files from external file.
-    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    # Default rules
+    - /usr/share/suricata/rules/app-layer-events.rules
+    - /usr/share/suricata/rules/decoder-events.rules
+    - /usr/share/suricata/rules/dhcp-events.rules
+    - /usr/share/suricata/rules/dnp3-events.rules
+    - /usr/share/suricata/rules/dns-events.rules
+    - /usr/share/suricata/rules/files.rules
+    - /usr/share/suricata/rules/http2-events.rules
+    - /usr/share/suricata/rules/http-events.rules
+    - /usr/share/suricata/rules/ipsec-events.rules
+    - /usr/share/suricata/rules/kerberos-events.rules
+    - /usr/share/suricata/rules/modbus-events.rules
+    - /usr/share/suricata/rules/mqtt-events.rules
+    - /usr/share/suricata/rules/nfs-events.rules
+    - /usr/share/suricata/rules/ntp-events.rules
+    - /usr/share/suricata/rules/smb-events.rules
+    - /usr/share/suricata/rules/smtp-events.rules
+    - /usr/share/suricata/rules/stream-events.rules
+    - /usr/share/suricata/rules/tls-events.rules
+
+    # Include enabled ruleset files from external file
+    - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
 
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
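Review bot: The last added line switches the include to a tag form, `- !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml`, in place of the mapping-key `include:` line removed above; whether the Suricata build from lfs/suricata recognises `!include` as a sequence item, and with the colon attached to the tag name, is not settled by anything in this hunk. If it is not recognised, the path would presumably be treated as one more rules-file path and every user-enabled ruleset from that external file would be skipped with at most a missing-file warning, leaving only the engine-event alerts listed above. Please verify with `suricata -T -c /etc/suricata/suricata.yaml` and by checking the startup log that the rule files named in the external YAML are actually loaded. The `# Default rules` comment would also read better as `# Engine event rules shipped with Suricata (alert only, see commit message)`, since the following comment already explains the user-enabled rulesets.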
index 700556dd2b9860bd921ed265e577c7f8f98abab4..d06fef7760f5ca59fe6e17e1cb44d08d9be5fb0f 100644 (file)
@@ -96,9 +96,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # Install IPFire related config file.
        install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
-       # Remove shipped rules.
-       rm -rvf /usr/share/suricata
-
        # Create emtpy rules directory.
        -mkdir -p /var/lib/suricata