From: Michael Tremer
Date: Fri, 16 Aug 2024 13:05:25 +0000 (+0000)
Subject: suricata: Disable logging of App Layer events by default
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1674ec72052f7d32b3583737c0c6673fd3571c72;p=people%2Fmfischer%2Fipfire-2.x.git
suricata: Disable logging of App Layer events by default
This might only be useful for debugging (and even that is questionable). So instead of flooding logs, we disable this, but it can be easily enabled for development again.
Signed-off-by: Michael Tremer
---
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 3eb883aa9..399f5cbf8 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -152,6 +152,9 @@ my @http_ports = ('80', '81');
 # Array which contains a list of rulefiles which always will be included if they exist.
 my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
+# Log App Layer Events? (Useful for debugging only)
+my $LOG_APP_LAYER_EVENTS = 0;
+
 # Array which contains a list of allways enabled application layer protocols.
 my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');
@@ -1437,31 +1440,33 @@ sub write_used_rulefiles_file (@) {
 }
 }
- print FILE "\n#Default rules for used application layer protocols.\n";
- foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
- # Check if the current processed app layer proto needs to be translated
- # into an application name.
- if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
- # Obtain the translated application name for this protocol.
- $enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
- }
+ if ($LOG_APP_LAYER_EVENTS) {
+ print FILE "\n#Default rules for used application layer protocols.\n";
+ foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
+ # Check if the current processed app layer proto needs to be translated
+ # into an application name.
+ if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
+ # Obtain the translated application name for this protocol.
+ $enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
+ }
- # Generate filename.
- my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
+ # Generate filename.
+ my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
- # Check if such a file exists.
- if (-f "$rulesfile") {
- # Write the rulesfile name to the file.
- print FILE " - $rulesfile\n";
- }
+ # Check if such a file exists.
+ if (-f "$rulesfile") {
+ # Write the rulesfile name to the file.
+ print FILE " - $rulesfile\n";
+ }
- # Generate filename with "events" in filename.
- $rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
+ # Generate filename with "events" in filename.
+ $rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
- # Check if this file exists.
- if (-f "$rulesfile" ) {
- # Write the rulesfile name to the file.
- print FILE " - $rulesfile\n";
+ # Check if this file exists.
+ if (-f "$rulesfile" ) {
+ # Write the rulesfile name to the file.
+ print FILE " - $rulesfile\n";
+ }
 }
 }
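Review bot: The new `if ($LOG_APP_LAYER_EVENTS)` guard wraps the whole loop, so it also drops the plain `$default_rulespath/$enabled_app_layer_proto.rules` entries and not only the `-events.rules` files the subject line refers to; any detection rules those non-event files carry for the protocols in `@static_enabled_app_layer_protos` (app-layer, decoder, files, stream) and the enabled app-layer list would silently vanish from the used-rulefiles file. If that is unintended, keep the first `-f` check unconditional and narrow the guard to the events branch, `if ($LOG_APP_LAYER_EVENTS && -f "$rulesfile" ) {`. The flag's comment in the first hunk would read better if it named what it actually controls, e.g. `# Include the <proto>-events.rules files? (Useful for debugging only)`. Note too that `$enabled_app_layer_proto` aliases the element of `@enabled_app_layer_protos`, so the translation assignment rewrites that array in place if it outlives the loop; this predates the change, but the re-indented block is a good moment to assign the translated name to a separate lexical. write_used_rulefiles_file begins before this hunk and its body continues after it.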