From 1674ec72052f7d32b3583737c0c6673fd3571c72 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 16 Aug 2024 13:05:25 +0000
Subject: [PATCH] suricata: Disable logging of App Layer events by default

This might only be useful for debugging (and even that is questionable). So instead of flooding logs, we disable this, but it can be easily enabled for development again.

Signed-off-by: Michael Tremer
---
 config/cfgroot/ids-functions.pl | 47 ++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 21 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 3eb883aa9..399f5cbf8 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -152,6 +152,9 @@ my @http_ports = ('80', '81');
 # Array which contains a list of rulefiles which always will be included if they exist.
 my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
 
+# Log App Layer Events? (Useful for debugging only)
+my $LOG_APP_LAYER_EVENTS = 0;
+
 # Array which contains a list of allways enabled application layer protocols.
 my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');
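Review bot: The comment on the new toggle does not say what it gates, and the switch is a file-private `my` lexical that can only be flipped by editing the shipped module, which is worth spelling out for whoever needs it later. Since `write_used_rulefiles_file` skips both the `<proto>.rules` and the `<proto>-events.rules` lookups when it is 0, I would write `# Include the per-protocol <proto>.rules and <proto>-events.rules files from $default_rulespath? Off by default: the event rules are noisy and mainly of use when debugging the protocol parsers.` The neighbouring module-level settings (`@static_included_rulefiles`, `@static_enabled_app_layer_protos`, `@http_ports`) use lower-case names, so either follow that convention (`my $log_app_layer_events = 0;`) or make it a real constant with `use constant` instead of an ALL_CAPS lexical that reads like one but is not.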
@@ -1437,31 +1440,33 @@ sub write_used_rulefiles_file (@) {
 }
 }
 
- print FILE "\n#Default rules for used application layer protocols.\n";
- foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
- # Check if the current processed app layer proto needs to be translated
- # into an application name.
- if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
- # Obtain the translated application name for this protocol.
- $enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
- }
+ if ($LOG_APP_LAYER_EVENTS) {
+ print FILE "\n#Default rules for used application layer protocols.\n";
+ foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
+ # Check if the current processed app layer proto needs to be translated
+ # into an application name.
+ if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
+ # Obtain the translated application name for this protocol.
+ $enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
+ }
 
- # Generate filename.
- my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
+ # Generate filename.
+ my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
 
- # Check if such a file exists.
- if (-f "$rulesfile") {
- # Write the rulesfile name to the file.
- print FILE " - $rulesfile\n";
- }
+ # Check if such a file exists.
+ if (-f "$rulesfile") {
+ # Write the rulesfile name to the file.
+ print FILE " - $rulesfile\n";
+ }
 
- # Generate filename with "events" in filename.
- $rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
+ # Generate filename with "events" in filename.
+ $rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
 
- # Check if this file exists.
- if (-f "$rulesfile" ) {
- # Write the rulesfile name to the file.
- print FILE " - $rulesfile\n";
+ # Check if this file exists.
+ if (-f "$rulesfile" ) {
+ # Write the rulesfile name to the file.
+ print FILE " - $rulesfile\n";
+ }
 }
 }
 
-- 
2.39.5
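Review bot: With `$LOG_APP_LAYER_EVENTS` at 0 this block no longer emits any `<proto>.rules` or `<proto>-events.rules` entry from `$default_rulespath`, including those for `app-layer`, `decoder` and `stream`, which `@static_enabled_app_layer_protos` otherwise always enables. As far as I know the Suricata `stream-events`, `decoder-events` and `app-layer-events` rule sets raise alerts on malformed or anomalous traffic, which is also where evasion attempts tend to show up, so this is a reduction in detection coverage rather than only less log noise, and that trade-off should be stated in the commit message and in the flag's comment. If the flooding comes from the `-events.rules` files only, gate just that second lookup: keep the `<proto>.rules` block unconditional and wrap only the `-events.rules` lookup in `if ($LOG_APP_LAYER_EVENTS) { ... }`. Note also that `foreach` aliases `$enabled_app_layer_proto`, so the `$tr_app_layer_proto` translation rewrites `@enabled_app_layer_protos` in place; that is pre-existing but now lives inside the gated block, so any later reader of the array sees translated names only when the flag is on. `write_used_rulefiles_file` begins before this hunk.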