Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow user to include other suricata config YML files #302

Closed
mmguero opened this issue Nov 29, 2023 · 4 comments
Closed

allow user to include other suricata config YML files #302

mmguero opened this issue Nov 29, 2023 · 4 comments
Assignees
@mmguero
Labels
enhancement New feature or request suricata
Milestone
v23.12.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Nov 29, 2023

The suricata.yaml file supports the following:

# Includes:  Files included here will be handled as if they were in-lined
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
#include:
#  - include1.yaml
#  - include2.yaml

For Malcolm users who want to do extra suricata config that's not handled by the environment variables prefixed by SURICATA_ which we then put in the config file when it gets generated, we could allow them to drop yaml files in another bind-mounted directory and include: them as above.
@mmguero mmguero added enhancement New feature or request suricata labels Nov 29, 2023
@mmguero mmguero added this to the v23.11.0 milestone Nov 29, 2023
@mmguero mmguero self-assigned this Nov 29, 2023
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 29, 2023
edited
Loading

With these changes:

suricata@suricata:/tmp$ suricata -v -c /tmp/suricata.yaml -l /tmp/ -Tr
29/11/2023 -- 21:09:16 - <Info> - Running suricata under test mode
29/11/2023 -- 21:09:16 - <Info> - Including configuration file /opt/suricata/include-configs/testing.yaml.
29/11/2023 -- 21:09:16 - <Info> - Including configuration file /opt/suricata/include-configs/testing2.yaml.

For what it's worth, the files in the directory (./suricata/include-configs/) need to have:

%YAML 1.1
---

at the beginning of the YAML file, and have a .yaml extension.

mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Nov 29, 2023
@mmguero
idaholab#302, allow user to include other suricata config YML files
70684fb
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 29, 2023
edited
Loading

Tested locally with docker install, need to test on

  • Malcolm ISO (should be the same)
  • Hedgehog
  • Kubernetes

before closing.

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 29, 2023

Note this comment I put in the suricata_config_populate.py:

Hackety-hack, don't talk back! Despite the "Including multiple files" section of https://docs.suricata.io/en/latest/configuration/includes.html#including-multiple-files saying this can be set as an array, it does not seem to be working for me.
The sample suricata.yaml file shows it should be done like this:

    include: include1.yaml
    include: include2.yaml

The reason this is a pain is that this is not actually valid YAML. So what we are going to do is remove the 'include' section here, write the YAML to a file, and then append the include:s afterwards just in plain text.

@mmguero mmguero mentioned this issue Nov 29, 2023
Closed
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Nov 30, 2023
@mmguero
documentation updates for idaholab#302 and idaholab#303, custom confi…
e46b8d6 
…guration for Suricata and Zeek
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 30, 2023

Tested in Malcolm and on Hedgehog, closing.

@mmguero mmguero closed this as completed Nov 30, 2023
This was referenced Dec 4, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
enhancement New feature or request suricata
Projects
Malcolm
Status: Released
Milestone
v23.12.0
Development

No branches or pull requests
1 participant
@mmguero