Task #5939


config: deprecate multiple "include" statements at the same level

Added by Jason Ish 6 months ago. Updated 4 months ago.

Target version:


Currently multiple include statements can be provided in the Suricata configuration like:

include: somefile.yaml
include: some-other-file.yaml

However, this is invalid YAML as duplicate keys are forbidden, and some YAML parsers, in particular Rust's serde_yaml, will error out on these duplicate keys. Other parsers may as well, or may only keep one of these values.

This works for us as we use a rather low level event emitting YAML parser and can provide our own "magic" to the YAML. It would be nice to move to a YAML format that is parseable by any third party parser.

Multiple include files could still be used at the same level by using an array:

include:
  - somefile.yaml
  - some-other-file.yaml

As order shouldn't change the resulting YAML, setups like the following could be converted:

include: somefile.yaml

 - ...

include: some-other-file.yaml

Also, include statements at different levels would still be supported (this has never been officially tested, but appears to work):

include: outputs.yaml
  include: vars.yaml

With Serde, or any other higher level parser, we'd be presented with a rather abstract tree of values that we'd then parse to resolve the includes, so it would be a 2 stage parser.

The main benefit here is to move away from what is essentially our own YAML parsing implementation, allowing us to use libraries to completely parse the YAML.

I'd like to deprecate with a warning multiple include statements for 7.0 so we can transition YAML libraries for 8.0.
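An added example, not part of the original issue and not Suricata's own code: a standard-library Python lint that finds `include` keys repeated within the same mapping, so a configuration can be moved to the array form before a strict parser rejects it. The function name, the `vars`/`outputs` section names and the sample input are constructed for illustration, and the scan assumes block-style YAML indented with spaces.

```python
import re
import sys

# An "include" mapping key, optionally the first key of a "- " list item.
INCLUDE_KEY = re.compile(r"^(?:- +)?include\s*:(?:\s|$)")

def find_duplicate_includes(text):
    """Return (first_line, repeat_line) for each "include" key repeated inside
    one mapping. Assumes block-style YAML indented with spaces."""
    duplicates = []
    stack = []  # open mappings: [key indent, line of first include or None]
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.lstrip(" ")
        if not body.strip() or body.startswith("#") or body.rstrip() in ("---", "..."):
            continue
        indent = len(raw) - len(body)
        # Dedenting closes every mapping that was indented deeper.
        while stack and stack[-1][0] > indent:
            stack.pop()
        if body.startswith("- "):
            # Each list item opens a fresh mapping whose keys follow the dash.
            stack.append([indent + len(body) - len(body[1:].lstrip(" ")), None])
        elif not stack or stack[-1][0] < indent:
            stack.append([indent, None])
        if INCLUDE_KEY.match(body):
            frame = stack[-1]
            if frame[1] is None:
                frame[1] = lineno
            else:
                duplicates.append((frame[1], lineno))
    return duplicates

# Constructed sample input, not a real configuration.
SAMPLE = """\
%YAML 1.1
---
include: somefile.yaml
vars:
  include: vars.yaml
outputs:
  include: outputs.yaml
include: some-other-file.yaml
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for first, repeat in find_duplicate_includes(text):
        print(f"line {repeat}: 'include' repeats the key from line {first}; "
              "merge both into one include list")
```

Only the two top-level keys in the sample are reported; the nested includes share an indent but belong to different mappings, which matches the "different levels" case described above.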

Related issues 1 (1 open, 0 closed)

Related to Suricata - Feature #4782: config: add command to dump all active settings (In Progress, Jason Ish)
Actions #1

Updated by Jason Ish 6 months ago

  • Description updated (diff)
Actions #2

Updated by Jason Ish 6 months ago

  • Related to Feature #4782: config: add command to dump all active settings added
Actions #3

Updated by Juliana Fajardini Reichow 4 months ago

  • Priority changed from Normal to High
Actions #4

Updated by Jason Ish 4 months ago

  • Status changed from Assigned to In Review

This work was done and merged with

However, documentation was missing. Documentation is ready for review:

Actions #5

Updated by Jason Ish 4 months ago

  • Status changed from In Review to Closed

Documentation has now been merged, closing.

