Task #5939

Updated by Jason Ish about 1 year ago

Currently multiple include statements can be provided in the Suricata configuration like: 

 <pre> 
 include: somefile.yaml 
 include: some-other-file.yaml 
 </pre> 

However, this is invalid YAML, as duplicate keys are forbidden, and some YAML parsers, in particular Rust's @serde_yaml@, will error out on these duplicate keys. Other parsers may as well, or may keep only one of the values.

 This works for us as we use a rather low level event emitting YAML parser and can provide our own "magic" to the YAML. It would be nice to move to a YAML format that is parseable by any third party parser. 

 Multiple include files could still be used at the same level by using an array: 

 <pre> 
 include: 
   - somefile.yaml 
   - some-other-file.yaml 
 </pre> 

 As order shouldn't change the resulting YAML, setups like the following could be converted: 

 <pre> 
 include: somefile.yaml 

 outputs: 
  - ... 

 include: some-other-file.yaml 
 </pre> 

Also, @include@ statements at different levels would still be supported (this has never been officially tested, but appears to work):

 <pre> 
 include: outputs.yaml 
 vars: 
   include: vars.yaml 
 </pre> 

With Serde, or any other higher-level parser, we'd be presented with a rather abstract tree of values that we would then walk to resolve the includes, so it would be a two-stage parser.

The main benefit here is to move away from what is essentially our own YAML parsing implementation, allowing us to use libraries to completely parse the YAML.
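A sketch of that two-stage design, added here as an example and not Suricata's own code: stage 1 is any ordinary YAML parser that yields a plain tree, and stage 2 walks the tree and resolves @include@ keys in both the scalar and the array form, at any nesting level. The merge precedence, the cycle check and the in-memory sample "files" are assumptions and constructed data, not Suricata's documented behaviour.

```python
from typing import Any, Callable, Dict, FrozenSet

def _merge(base: Dict[str, Any], extra: Dict[str, Any]) -> Dict[str, Any]:
    # Nested mappings merge recursively; on a scalar conflict `base` wins.
    out = dict(extra)
    for key, value in base.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _merge(value, out[key])
        else:
            out[key] = value
    return out

def resolve_includes(tree: Any, load: Callable[[str], Dict[str, Any]],
                     seen: FrozenSet[str] = frozenset()) -> Any:
    """Stage 2: splice each `include` (one path or a list) into its parent mapping.
    `load(path)` is stage 1, any standard YAML parser such as yaml.safe_load.
    Precedence is an assumption, not Suricata's documented rule: the including file
    wins over what it includes, and later array entries win over earlier ones."""
    if isinstance(tree, list):
        return [resolve_includes(item, load, seen) for item in tree]
    if not isinstance(tree, dict):
        return tree
    own = {k: resolve_includes(v, load, seen) for k, v in tree.items() if k != "include"}
    spec = tree.get("include")
    if spec is None:
        return own
    merged: Dict[str, Any] = {}
    for path in ([spec] if isinstance(spec, str) else spec):
        if path in seen:  # refuse a.yaml -> b.yaml -> a.yaml instead of recursing forever
            raise ValueError(f"include cycle via {path}")
        included = resolve_includes(load(path), load, seen | {path})
        if not isinstance(included, dict):
            raise TypeError(f"{path}: an included file must be a mapping")
        merged = _merge(included, merged)
    return _merge(own, merged)

# Constructed in-memory "files" standing in for yaml.safe_load(open(path)).
FILES: Dict[str, Dict[str, Any]] = {
    "suricata.yaml": {
        "include": ["vars.yaml", "outputs.yaml"],  # array form, not repeated keys
        "default-log-dir": "/var/log/suricata",
        "vars": {"include": "address-groups.yaml"},  # include at a nested level
    },
    "vars.yaml": {"vars": {"port-groups": {"HTTP_PORTS": "80"}}},
    "outputs.yaml": {"outputs": [{"fast": {"enabled": True}}]},
    "address-groups.yaml": {"address-groups": {"HOME_NET": "[192.168.0.0/16]"}},
}

def load_config(path: str = "suricata.yaml") -> Dict[str, Any]:
    return resolve_includes(FILES[path], FILES.__getitem__, frozenset({path}))
```

Because stage 1 is a standard parser, a file that still uses two @include:@ keys at the same level is rejected or silently truncated by that parser, which is the situation the deprecation warning above is meant to surface before 8.0.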

 I'd like to deprecate with a warning multiple include statements for 7.0 so we can transition YAML libraries for 8.0.
