suricata: Disable logging of App Layer events by default

This might only be useful for debugging (and even that is questionable). So instead of flooding logs, we disable this, but it can be easily enabled for development again. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-27 19:23:24 +02:00 · 2024-08-16 13:05:25 +00:00
parent 33a2aff416
commit 1674ec7205
1 changed files with 26 additions and 21 deletions
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -152,6 +152,9 @@ my @http_ports = ('80', '81');
 # Array which contains a list of rulefiles which always will be included if they exist.
 my @static_included_rulefiles = ('local.rules', 'whitelist.rules');

+# Log App Layer Events? (Useful for debugging only)
+my $LOG_APP_LAYER_EVENTS = 0;
+
 # Array which contains a list of allways enabled application layer protocols.
 my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');

@@ -1437,31 +1440,33 @@ sub write_used_rulefiles_file (@) {
 		}
 	}

-	print FILE "\n#Default rules for used application layer protocols.\n";
-	foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
-		# Check if the current processed app layer proto needs to be translated
-		# into an application name.
-		if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
-			# Obtain the translated application name for this protocol.
-			$enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
-		}
+	if ($LOG_APP_LAYER_EVENTS) {
+		print FILE "\n#Default rules for used application layer protocols.\n";
+		foreach my $enabled_app_layer_proto (@enabled_app_layer_protos) {
+			# Check if the current processed app layer proto needs to be translated
+			# into an application name.
+			if (exists($tr_app_layer_proto{$enabled_app_layer_proto})) {
+				# Obtain the translated application name for this protocol.
+				$enabled_app_layer_proto = $tr_app_layer_proto{$enabled_app_layer_proto};
+			}

-		# Generate filename.
-		my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";
+			# Generate filename.
+			my $rulesfile = "$default_rulespath/$enabled_app_layer_proto\.rules";

-		# Check if such a file exists.
-		if (-f "$rulesfile") {
-			# Write the rulesfile name to the file.
-			print FILE " - $rulesfile\n";
-		}
+			# Check if such a file exists.
+			if (-f "$rulesfile") {
+				# Write the rulesfile name to the file.
+				print FILE " - $rulesfile\n";
+			}

-		# Generate filename with "events" in filename.
-		$rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";
+			# Generate filename with "events" in filename.
+			$rulesfile = "$default_rulespath/$enabled_app_layer_proto\-events.rules";

-		# Check if this file exists.
-		if (-f "$rulesfile" ) {
-			# Write the rulesfile name to the file.
-			print FILE " - $rulesfile\n";
+			# Check if this file exists.
+			if (-f "$rulesfile" ) {
+				# Write the rulesfile name to the file.
+				print FILE " - $rulesfile\n";
+			}
 		}
 	}