Documentation #4665
open
Update docs to include information about file* functionality
Added by Jascha Sticher over 2 years ago.
Updated over 2 years ago.
Description
Hi Everyone,
we deploy our own custom ruleset via suricata-update. We recently added filehashes and stumbled upon a curious quirk, that doesn't seem to be documented very well.
When deploying hashes-files with the *.tgz file, they are only put into /var/lib/suricata if they are also referenced by a rule.
I volunteer to update the documentation to reflect this behaviour, but I'm not sure on where the correct place inside the docs is.
Kind regards,
Jascha
Yeah, there isn't really a section that is suitable for this information right now. I think its less of a quirk than it may seem tho.
Suricata-Update ignores files it doesn't know what to do with.. Like the README that may be in some archives, or other random files that end up in these archive files. Hash lists are the same, until referenced by a rule, Suricata-Update doesn't know what the file is for so doesn't make any assumption.
I get that. This information alone would be helpful though.
As I see it, there isn't a section about the expected format of rule packages (and files that are automatically used like 'classification.conf') in general. I think that would be a good addition as a subsection in 'suricata-update - Update'.
- Tracker changed from Bug to Documentation
- Assignee changed from Shivani Bhardwaj to Jason Ish
I've been thinking of a doc section on guidelines for publishing a ruleset. It might not be the best location for this type of information, but its a better section than what we have now.
Also available in: Atom
PDF