Open Information Security Foundation (https://redmine.openinfosecfoundation.org/)
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=12654), 2019-06-18T20:59:13Z, Andreas Herz, oisf@herzandreas.de
<ul></ul><p>I would add those to the documentation AND the config, any objections?</p>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=13108), 2019-07-25T08:12:56Z, Victor Julien, victor@inliniac.net
<ul></ul><p>Not sure, maybe this needs to be looked at on a case by case basis. The default yaml is a monster, so adding more things to it is something that I would like to do carefully.</p>
<p>I didn't find a ticket for having multiple yamls (e.g. minimal/normal/everything, or split out yamls), but maybe it's time to revisit this.</p>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=13254), 2019-08-12T19:53:29Z, Andreas Herz, oisf@herzandreas.de
<ul></ul><p>Another approach would be to make the current config much smaller, even remove all comments and just rely on the documentation where it's also easier to keep the defaults?</p>
<p>If not, adding the defaults to the current config shouldn't be too much.</p>
<p>Jason, do you know any nice way to deal with multiple yamls?</p>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=13794), 2019-09-25T19:16:20Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Tracker</strong> changed from <i>Optimization</i> to <i>Documentation</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=13829), 2019-09-25T19:23:56Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Target version</strong> changed from <i>Documentation</i> to <i>TBD</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=16097), 2020-04-17T06:20:40Z, Victor Julien, victor@inliniac.net
<ul></ul><p>In general, the question of what to have and not have as part of the yaml shouldn't block already improving the userguide.</p>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=16116), 2020-04-17T17:50:53Z, Jason Ish, jason.ish@oisf.net
<ul></ul><p>I think right now we could break it up into multiple files with include statements. It would make sense to keep commonly updated stuff in the suricata.yaml, and less commonly updated stuff in includes.</p>
<p>Assuming the includes are in some system directory, say /usr/share/suricata/config/app-layer.yaml, then tweaking stuff in includes does become harder. You would have to make a complete copy of the top level object and modify it, as we don't have a way to override just one deeply nested configuration parameter in a file, but you can do it with the --set.</p>
<p>I've seen in some other projects (maybe docker-compose files? filebeat configuration maybe?) where they provide a dotted syntax to override nested settings. For example we may have:<br /><pre>
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
</pre><br />I've seen overrides provided in the format:<br /><pre>
vars.address-groups.HOME_NET: "7.1.0.0/16"
</pre><br />which could be convenient. However it gets a little trickier for the arrays we have, which will probably have settings where overrides make sense as well.</p>
<p>It would be nice to define what we want to break out, and maybe go from there.</p>
<p>PostgreSQL has a rather large configuration file when all options are present. What they do is install a smaller file with some common options, then the rest get their default. Their documentation then covers all options, and while I'm not sure if this is maintained anymore, they also had an annotated exhaustive configuration file with defaults:</p>
<p><a class="external" href="http://www.varlena.com/GeneralBits/Tidbits/annotated_conf_e.html">http://www.varlena.com/GeneralBits/Tidbits/annotated_conf_e.html</a></p>
<p>While it does increase overhead, we could make the sample suricata.yaml in the doc exhaustive, and perhaps trim down what we have in the installed one.</p>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=21044), 2021-10-22T20:42:59Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default child" href="/issues/4762">Task #4762</a>: Suricon 2021 brainstorm</i> added</li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24713), 2022-10-11T13:57:06Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24715), 2022-10-11T14:01:21Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Priority</strong> changed from <i>Low</i> to <i>Normal</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24716), 2022-10-11T14:25:32Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Subject</strong> changed from <i>Document each default value from the config</i> to <i>Document each default value from the config file</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24717), 2022-10-11T14:53:19Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Subject</strong> changed from <i>Document each default value from the config file</i> to <i>Document each default value from the config</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24718), 2022-10-11T14:54:13Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Effort</strong> changed from <i>medium</i> to <i>high</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24719), 2022-10-11T18:38:05Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Subject</strong> changed from <i>Document each default value from the config</i> to <i>Document each default value from the config file</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24720), 2022-10-11T18:42:40Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Subject</strong> changed from <i>Document each default value from the config file</i> to <i>Document each default value from the config</i></li></ul>
Suricata - Documentation #3046: Document each default value from the config file (https://redmine.openinfosecfoundation.org/issues/3046?journal_id=24721), 2022-10-11T18:45:45Z, Andreas Herz, oisf@herzandreas.de
<ul><li><strong>Subject</strong> changed from <i>Document each default value from the config</i> to <i>Document each default value from the config file</i></li></ul>
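<p>The dotted override syntax discussed in Jason Ish's comment above, sketched as an added example (not Suricata code and not posted by anyone in this thread). The <code>outputs</code> list, the numeric list indexing and the function name <code>apply_override</code> are assumptions made for illustration; unknown paths are rejected so that a mistyped key cannot silently leave HOME_NET at its default.</p>

```python
import copy

# Constructed sample: the vars block quoted in the thread, plus a
# hypothetical list-valued section to show the array case.
BASE = {
    "vars": {
        "address-groups": {
            "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
            "EXTERNAL_NET": "!$HOME_NET",
        }
    },
    "outputs": [
        {"fast": {"enabled": True}},
        {"eve-log": {"enabled": True, "filename": "eve.json"}},
    ],
}


def apply_override(config, dotted_key, value):
    """Return a copy of config with one nested setting replaced.

    Path segments are separated by dots; a numeric segment indexes a list
    (an assumption of this sketch). Unknown paths raise KeyError so a typo
    cannot add a new key and leave the real setting unchanged.
    """
    result = copy.deepcopy(config)
    node = result
    parts = dotted_key.split(".")
    for depth, part in enumerate(parts):
        where = ".".join(parts[: depth + 1])
        if isinstance(node, list):
            if not part.isdigit() or int(part) >= len(node):
                raise KeyError(f"no list element at {where}")
            key = int(part)
        elif isinstance(node, dict):
            if part not in node:
                raise KeyError(f"no such setting: {where}")
            key = part
        else:
            raise KeyError(f"{where} is below a scalar value")
        if depth == len(parts) - 1:
            node[key] = value
        else:
            node = node[key]
    return result
```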