multitenancy: 'lite' tenants
I'm currently using Suricata as a daemon with the unix-socket interface. The #1 purpose for this is that starting Suricata takes ~60 seconds, and scanning the file takes ~2 seconds. The problem is that when I want to scan a file with a non-standard home_net, I have to alter the configuration file and then make Suricata start up from scratch, loading all rules again (and taking another 60 seconds).
I see multi-tenancy offers a way to load multiple partial configuration files on-the-fly. However, currently I have to specify a rule set for the tenant and the engine has to load those rules. Ideally I could specify a tenant without any rule files (just no rules section in the tenant yaml), and in this case Suricata would just use the rules loaded by the default configuration file. This would allow changing variables, such as HOME_NET, quickly without reloading the entire ruleset.
Updated by Victor Julien almost 7 years ago
- Subject changed from "Allow changing of configuration variables, perhaps through multi-tenancy, without reloading rules" to "multitenancy: 'lite' tenants"
- Assignee set to Anonymous
- Target version set to TBD
Calling this 'lite' tenants.
Technically it seems challenging due to how tenants work (they are complete detection engines currently).
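
For reference, here is a configuration sketch of the tenant setup as the thread describes it today, where a tenant that only needs a different HOME_NET still has to name its own rule files. This is an added example, not taken from the issue or from the Suricata project; the tenant id, file paths, rule file name and HOME_NET value are assumptions.

```yaml
# --- suricata.yaml (main configuration): enable multi-tenancy ---
multi-detect:
  enabled: yes
  selector: direct          # tenant is chosen explicitly rather than by VLAN
  loaders: 1
  tenants:
    - id: 1                               # constructed tenant id
      yaml: /etc/suricata/tenant-1.yaml   # assumed path

---
# --- tenant-1.yaml: the only intended difference from the default is HOME_NET ---
default-rule-path: /etc/suricata/rules    # assumed path
rule-files:
  - suricata.rules          # assumed file name; the tenant is a complete
                            # detection engine, so these rules are loaded
                            # again for it (the cost the request wants to avoid)
classification-file: /etc/suricata/classification.config   # assumed path
reference-config-file: /etc/suricata/reference.config      # assumed path

vars:
  address-groups:
    HOME_NET: "[10.20.0.0/16]"            # constructed non-standard HOME_NET
    EXTERNAL_NET: "!$HOME_NET"
```

A 'lite' tenant as requested would be the second file without the `rule-files` section, falling back to the rules already loaded by the default configuration.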