suricata: Move default loaded rulefiles to own included file.
authorStefan Schantl <stefan.schantl@ipfire.org>
Wed, 8 Dec 2021 17:10:30 +0000 (18:10 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sat, 11 Dec 2021 09:49:22 +0000 (09:49 +0000)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/rootfiles/common/suricata
config/suricata/suricata-default-rules.yaml [new file with mode: 0644]
config/suricata/suricata.yaml
lfs/suricata

index ff31ec7d231ef83783b8564f125979b1ad265112..41193f4ead4d2b612e164d843bc3101ca8714567 100644 (file)
@@ -37,6 +37,7 @@ usr/share/suricata
 #usr/share/suricata/rules/smtp-events.rules
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
+var/ipfire/suricata/suricata-default-rules.yaml
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml
new file mode 100644 (file)
index 0000000..d13aa62
--- /dev/null
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+# Default rules which helps
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http2-events.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/mqtt-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
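Review bot: The header comment on the new file is cut off mid-sentence (`# Default rules which helps`), and nothing in the file says that it is a bare sequence which only has meaning when included under `rule-files:` in suricata.yaml. A reader who adds a top-level key here, or edits the list into a mapping, would change what the IDS loads without any hint that the shape matters. I would replace the comment with something like `# Default event rules shipped with Suricata. Included under rule-files: in suricata.yaml; must stay a plain list of rule file paths.`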
index 0ad36e705864793c98120b3328c6c17a650bc675..b4a188d4045287b3e46ebc7eda6c7ef6a2174101 100644 (file)
@@ -46,28 +46,11 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Default rules
-    - /usr/share/suricata/rules/app-layer-events.rules
-    - /usr/share/suricata/rules/decoder-events.rules
-    - /usr/share/suricata/rules/dhcp-events.rules
-    - /usr/share/suricata/rules/dnp3-events.rules
-    - /usr/share/suricata/rules/dns-events.rules
-    - /usr/share/suricata/rules/files.rules
-    - /usr/share/suricata/rules/http2-events.rules
-    - /usr/share/suricata/rules/http-events.rules
-    - /usr/share/suricata/rules/ipsec-events.rules
-    - /usr/share/suricata/rules/kerberos-events.rules
-    - /usr/share/suricata/rules/modbus-events.rules
-    - /usr/share/suricata/rules/mqtt-events.rules
-    - /usr/share/suricata/rules/nfs-events.rules
-    - /usr/share/suricata/rules/ntp-events.rules
-    - /usr/share/suricata/rules/smb-events.rules
-    - /usr/share/suricata/rules/smtp-events.rules
-    - /usr/share/suricata/rules/stream-events.rules
-    - /usr/share/suricata/rules/tls-events.rules
-
     # Include enabled ruleset files from external file
-    - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+    # Include default rules.
+    include: /var/ipfire/suricata/suricata-default-rules.yaml
 
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
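Review bot: After this change `rule-files:` is no longer a sequence but a mapping that carries the key `include:` twice, which a strict YAML 1.1 parser treats as a duplicate key. It presumably works only because Suricata's loader handles `include` as a directive while parsing. The switch from `- !include:` to `include:` also changes how suricata-used-rulefiles.yaml is read, and the code that generates that file is not part of this commit, so its output format should be confirmed to match. If either include resolves to nothing, the engine may start with fewer signatures than intended, so I would add a comment such as `# Both included files must be bare lists of rule paths; verify with suricata -T after changes.` and run the config test in the update path.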
index f5b68da8f19471e82a77eb54a7f2a142586294b7..96c2b33fe45833e2181bdaafdad62f7a17caacf0 100644 (file)
@@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # Install IPFire related config file.
        install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
+       # Install yaml file for loading default rules.
+       install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
+
        # Create emtpy rules directory.
        -mkdir -p /var/lib/suricata
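Review bot: The new install line uses mode 0664, while the diff header for the same file says 100644 and the suricata.yaml install just above uses 0644. This file decides which default rule files the IDS/IPS loads, so group write access lets any member of the owning group drop detections by editing the list. The owning group is not visible in this hunk. Unless the web UI is meant to rewrite this static list, I would use `install -m 0644 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata`. The install target also assumes /var/ipfire/suricata already exists as a directory; the recipe continues outside the hunk, so that may be created earlier.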