suricata: Disable logging of App Layer events by default
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 16 Aug 2024 13:05:25 +0000 (13:05 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 16 Aug 2024 13:17:59 +0000 (13:17 +0000)
This might only be useful for debugging (and even that is questionable).
So instead of flooding the logs, we disable this; it can easily be
re-enabled for development.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/cfgroot/ids-functions.pl

index 3eb883aa94f558b0f9dba83c52adce21ca181f2f..399f5cbf8bfac4c5737f14e2e6dc861b58c35153 100644 (file)
@@ -152,6 +152,9 @@ my @http_ports = ('80', '81');
 # Array which contains a list of rulefiles which always will be included if they exist.
 my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
 
+# Log App Layer Events? (Useful for debugging only)
+my $LOG_APP_LAYER_EVENTS = 0;
+
 # Array which contains a list of allways enabled application layer protocols.
 my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');
 
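Review bot: The comment on the new `$LOG_APP_LAYER_EVENTS` flag undersells what it gates: in the second hunk the check wraps the whole per-protocol loop of write_used_rulefiles_file, so with the flag at 0 both `<proto>.rules` and `<proto>-events.rules` are left out of the generated rulefiles list for every enabled application layer protocol, not only event logging, and anyone tuning detection coverage should be able to see that from the declaration alone. I would extend it to `# Include the default <proto>.rules and <proto>-events.rules files of the enabled application layer protocols in the used-rulefiles list? (Useful for debugging only.)`. The flag is also a plain lexical written in constant case; since it is meant to be edited in source rather than set at runtime, `use constant LOG_APP_LAYER_EVENTS => 0;` would state that intent more clearly, if the file uses `constant` elsewhere.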
@@ -1437,31 +1440,33 @@ sub write_used_rulefiles_file (@) {
                }
        }
 
-       print FILE "\n#Default rules for used application layer protocols.\n";
-       foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
-               # Check if the current processed app layer proto needs to be translated
-               # into an application name.
-               if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
-                       # Obtain the translated application name for this protocol.
-                       $enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
-               }
+       if ($LOG_APP_LAYER_EVENTS) {
+               print FILE "\n#Default rules for used application layer protocols.\n";
+               foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
+                       # Check if the current processed app layer proto needs to be translated
+                       # into an application name.
+                       if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
+                               # Obtain the translated application name for this protocol.
+                               $enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
+                       }
 
-               # Generate filename.
-               my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
+                       # Generate filename.
+                       my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
 
-               # Check if such a file exists.
-               if (-f "$rulesfile") {
-                       # Write the rulesfile name to the file.
-                       print FILE " - $rulesfile\n";
-               }
+                       # Check if such a file exists.
+                       if (-f "$rulesfile") {
+                               # Write the rulesfile name to the file.
+                               print FILE " - $rulesfile\n";
+                       }
 
-               # Generate filename with "events" in filename.
-               $rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
+                       # Generate filename with "events" in filename.
+                       $rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
 
-               # Check if this file exists.
-               if (-f "$rulesfile" ) {
-                       # Write the rulesfile name to the file.
-                       print FILE " - $rulesfile\n";
+                       # Check if this file exists.
+                       if (-f "$rulesfile" ) {
+                               # Write the rulesfile name to the file.
+                               print FILE " - $rulesfile\n";
+                       }
                }
        }