Suricata

Suricata.yaml should have the option to supply a database connection string to the load a ruleset from a database. There are too many rules to be managed and searched from files alone, and searching, editing, creating new rules in files can be a nightmare. I'd use pythonids to parse a set of files in a directory, then keep the raw rule as a column in a database. At start time, suricata could optionally read this table and load the rules that are enabled / disabled from that table. You could optionally send data back to the database provided you've kept the sid column of any alert. Database table might look like this: | id | raw_rule | sid | message | comment | enabled | classtype | content | rev. Any feedback appreciated.