Feature #3636

Updated by Jason Ish over 2 years ago

One issue with upgrading Suricata is that new protocols will not be logged by default, as outputs aren't enabled unless they are explicitly added to the @types@ in the @eve-log@ configuration section. This is different from the app-layer protocols, which usually are enabled by default if not found in the configuration (there are exceptions to this).

It should be easier to enable the default set of outputs without having to list them all, and we should use this in our default configuration. This will mean that the recommended-by-default outputs stay current over upgrades.

The main issue is that YAML (or maybe any configuration format) makes this hard to express.

NOTE: The following is for discussion purposes only at this time.

 h5. Magic Keywords 

 Introduce magic type names like: 
 * all 
 * defaults 

 (These could be @__all@, @__defaults@, etc if we're worried about name conflicts.) 

 Then our default configuration file could look like: 

 <pre> 
 types: 
   - defaults 
 </pre> 

Which would enable all the outputs except @drop@, @netflow@, @dnp3@, and @metadata@, as these are not currently enabled in the default configuration. This would also be the default set enabled if the output was missing the @types@ field.

Then to use the defaults with netflow, the following configuration could be used:

<pre>
types:
  - defaults
  - netflow
</pre>

 and if the configuration for an output needed to be modified: 

 <pre> 
 types: 
   - defaults 
   - dns: 
       # Custom options 
 </pre> 

 DNS being explicitly listed with options would override its inclusion as part of @defaults@. 

 h5. Exclusion List 

If only a few specific outputs are desired it's easy to explicitly list them, however it's harder to express a configuration with @all@ or @defaults@ *except* specific outputs. To address this an @exclude_types@ field could be added:

 <pre> 
 types: 
   - defaults 
 exclude_types: 
   - smb 
   - nfs 
 </pre> 

 [maybe @disable_types@ is better] 

 h5. New Default Configuration 

 <pre> 
 types: 
   - defaults 
 exclude_types: [] 
 </pre> 
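As an added illustration (not Suricata code, and not part of this proposal), the resolver below implements the semantics sketched above for a parsed @types@ list: the @all@ / @defaults@ magic keywords, an explicit entry (with or without options) taking precedence over its inclusion via a keyword, a missing @types@ field meaning the default set, and @exclude_types@ applied last. The output names, the @{"version": 2}@ option value and the rule that an exclusion also removes an explicitly listed output are constructed assumptions for the example; the input is the Python structure a YAML parser would produce, so it runs without PyYAML.

```python
# Added example, not Suricata's own code: a resolver for the proposed
# eve-log `types` / `exclude_types` semantics described in Feature #3636.
# The output names below are a constructed, illustrative subset; the real
# list of eve-log types is whatever the Suricata build registers.

ALL_OUTPUTS = [
    "alert", "anomaly", "http", "dns", "tls", "files", "smtp", "ftp",
    "rdp", "nfs", "smb", "tftp", "ikev2", "krb5", "snmp", "sip", "dhcp",
    "ssh", "stats", "flow",
    # The four the proposal says are *not* part of "defaults":
    "drop", "netflow", "dnp3", "metadata",
]
NOT_IN_DEFAULTS = {"drop", "netflow", "dnp3", "metadata"}
DEFAULT_OUTPUTS = [t for t in ALL_OUTPUTS if t not in NOT_IN_DEFAULTS]

# Magic keywords (the proposal also floats "__all" / "__defaults" spellings).
MAGIC = {"all": ALL_OUTPUTS, "defaults": DEFAULT_OUTPUTS}


class ConfigError(ValueError):
    """Raised for a malformed or unknown entry, so a typo fails loudly
    instead of silently leaving an output disabled."""


def resolve_types(types, exclude_types=None):
    """Expand a parsed eve-log `types` list into {output_name: options}.

    `types` is the structure a YAML parser produces for the list: a plain
    string entry (e.g. "netflow") or a one-key mapping carrying options
    (e.g. {"dns": {...}}). A `- dns:` entry followed only by comments parses
    to {"dns": None}; that is treated as "explicitly listed, no options".
    Returns an insertion-ordered dict; options is None for outputs that were
    only pulled in via a magic keyword.
    """
    if types is None:
        # Missing `types` field: the proposal says that means the default set.
        types = ["defaults"]

    enabled = {}
    for entry in types:
        if isinstance(entry, str):
            name, options = entry, None
        elif isinstance(entry, dict) and len(entry) == 1:
            (name, options), = entry.items()
            if options is None:
                options = {}
        else:
            raise ConfigError(f"malformed types entry: {entry!r}")

        if name in MAGIC:
            if options is not None:
                raise ConfigError(f"{name!r} takes no options")
            # setdefault: an output already listed explicitly (with or
            # without options) keeps its own entry; the keyword only fills gaps.
            for t in MAGIC[name]:
                enabled.setdefault(t, None)
        elif name in ALL_OUTPUTS:
            # Explicit listing wins over inclusion via "defaults"/"all".
            enabled[name] = options
        else:
            raise ConfigError(f"unknown output type: {name!r}")

    # Exclusions apply last. Assumption (the proposal does not say): an
    # exclusion removes the output even if it was also listed explicitly.
    for name in exclude_types or []:
        if name not in ALL_OUTPUTS:
            raise ConfigError(f"unknown output type in exclude_types: {name!r}")
        enabled.pop(name, None)
    return enabled


if __name__ == "__main__":
    # The proposal's cases: defaults plus netflow, custom dns, minus smb/nfs.
    print(sorted(resolve_types(["defaults", "netflow"])))
    print(resolve_types(["defaults", {"dns": {"version": 2}}])["dns"])  # constructed option
    print(sorted(resolve_types(["defaults"], ["smb", "nfs"])))
```

Unknown names raise rather than being ignored on purpose: with a magic keyword in play, a misspelled exclusion or override would otherwise fail silently and leave the output in the wrong state, which is exactly the kind of drift the proposal is trying to prevent across upgrades.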
