Suricata » Suricata-Update

There's this hack that kinda works but it eats up any log messages even the error logs so not sure if its a good idea: https://github.com/shivan1b/suricata-update/commit/794c1e8a15f605828b1214d8e1aa0d71ddeae31a
Other solution would require some code refactoring such that the checks for the conf files do not happen if they are not required. This will take some time.

We should probably push this back til after 1.1.0. As Suricata-Update configures itself all at once, it will be a non-trivial change to have it just partially configure itself.

Even update-sources depends somewhat on the configuration, in particular the localstatedir of `suricata --build-info` to know where to push the sources file.

So to make this happen the configuration phase will need to be broken up to configure only whats needed for the specific operation. Which might be more effort than its worth.

It probably does not make much difference but is this really a bug? All of my customer run Suricata-update on a stand alone host that does not have Suricata installed on it. The automation we setup uses command line options to point to the config file, manually define the Suricata version and define where to save the suricata.rules file. I log this information to audit their setups, however, it's not critical.

At a minimum, I would reclassify this change as a Task or Optimization, not a bug. Make your stats look better.

James Lagermann wrote in #note-9:

It probably does not make much difference but is this really a bug? All of my customer run Suricata-update on a stand alone host that does not have Suricata installed on it. The automation we setup uses command line options to point to the config file, manually define the Suricata version and define where to save the suricata.rules file. I log this information to audit their setups, however, it's not critical.

At a minimum, I would reclassify this change as a Task or Optimization, not a bug. Make your stats look better.

Thanks. Updated.

I think the lines starting with Using can become debug. Its harder to decide about the warning that Suricata is not installed. If Suricata is installed, its going to determine where the index is saved. If Suricata is not installed, we're going to fallback to a well known default, unless an output directory is not installed.

Maybe we can also supporess the warning about Suricata not being installed, and making it more of a localized warning. For example, if we need the localstatedir location, AND Suricata is not installed, and no output directory is provided, then we log that we've made an assumption. Otherwise it should be quiet. Should be involved moving/adding some log statements and perhaps a few conditionals around it.