Feature #234: add option disable/enable individual app layer protocol inspection modules - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Feature #234

closed

add option disable/enable individual app layer protocol inspection modules

Added by Victor Julien over 14 years ago. Updated about 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Anoop Saldanha

Target version:

2.0beta2

Effort:

Difficulty:

Label:

Description

Not everyone is interested in having all app layer parsing/inspection modules enabled all the time. In the suricata.yaml configuration file we should give the user the option to disable individual parsers.

Ideas for how this should be done in the configuration file are welcome.

History
Notes
Property changes

Actions

Copy link

Updated by delta yeh almost 14 years ago

how about

app-layer-modules:
-http
-ftp
-ssh

those module not in this list would not be enabled.

Actions

Copy link

Updated by Victor Julien almost 14 years ago

I think I would prefer something like:

app-layer-parsers:
- http
enabled: yes
- ftp
enabled: no

This would allow us to add other options to them...

Thoughts?

Actions

Copy link

Updated by delta yeh over 13 years ago

Victor Julien wrote:

I think I would prefer something like:

app-layer-parsers:
- http
enabled: yes
- ftp
enabled: no

This would allow us to add other options to them...

Thoughts?

Sounds good to me!

Actions

Copy link

Updated by Victor Julien over 13 years ago

Assignee changed from Victor Julien to Anonymous

This would be fairly easy to implement as we can just disable the parser registration for the disabled protocols.

Actions

Copy link

Updated by delta yeh about 13 years ago

Victor Julien wrote:

This would be fairly easy to implement as we can just disable the parser registration for the disabled protocols.

I will take this.

Actions

Copy link

Updated by Victor Julien about 13 years ago

Status changed from New to Assigned
Assignee changed from Anonymous to delta yeh
Target version set to 1.2

Cool, thanks!

Actions

Copy link

Updated by Victor Julien almost 13 years ago

Target version changed from 1.2 to TBD

Have you been able to look into this?

Actions

Copy link

Updated by Victor Julien over 12 years ago

Assignee changed from delta yeh to Anoop Saldanha
Target version changed from TBD to 1.4beta2

Actions

Copy link

Updated by Victor Julien about 12 years ago

Target version changed from 1.4beta2 to 1.4beta3

Actions

Copy link

#10

Updated by Victor Julien about 12 years ago

Priority changed from Normal to Low

Actions

Copy link

#11

Updated by Victor Julien about 12 years ago

Target version changed from 1.4beta3 to 1.4rc1

Actions

Copy link

#12

Updated by Anoop Saldanha about 12 years ago

https://github.com/inliniac/suricata/pull/222

Actions

Copy link

#13

Updated by Victor Julien about 12 years ago

Target version changed from 1.4rc1 to 2.0rc2

Actions

Copy link

#14

Updated by Anoop Saldanha almost 12 years ago

https://github.com/inliniac/suricata/pull/279

The above PR does a lot more than provide a feature to enable/disable app layer modules.

We have an update PP proto detection engine, feature to enable proto detection/parser both of which are now separate options in the conf file, ability to specify detection ports in conf file, sig port validation.

Actions

Copy link

#15