suricata: Move default loaded rulefiles to own included file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2026-04-11 11:35:54 +02:00 · 2021-12-08 18:10:30 +01:00
parent 3b1482e939
commit 74070fe153
4 changed files with 30 additions and 21 deletions
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -37,6 +37,7 @@ usr/share/suricata
 #usr/share/suricata/rules/smtp-events.rules
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
+var/ipfire/suricata/suricata-default-rules.yaml
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
--- a/config/suricata/suricata-default-rules.yaml
+++ b/config/suricata/suricata-default-rules.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+# Default rules which helps
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http2-events.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/mqtt-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -46,28 +46,11 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Default rules
-    - /usr/share/suricata/rules/app-layer-events.rules
-    - /usr/share/suricata/rules/decoder-events.rules
-    - /usr/share/suricata/rules/dhcp-events.rules
-    - /usr/share/suricata/rules/dnp3-events.rules
-    - /usr/share/suricata/rules/dns-events.rules
-    - /usr/share/suricata/rules/files.rules
-    - /usr/share/suricata/rules/http2-events.rules
-    - /usr/share/suricata/rules/http-events.rules
-    - /usr/share/suricata/rules/ipsec-events.rules
-    - /usr/share/suricata/rules/kerberos-events.rules
-    - /usr/share/suricata/rules/modbus-events.rules
-    - /usr/share/suricata/rules/mqtt-events.rules
-    - /usr/share/suricata/rules/nfs-events.rules
-    - /usr/share/suricata/rules/ntp-events.rules
-    - /usr/share/suricata/rules/smb-events.rules
-    - /usr/share/suricata/rules/smtp-events.rules
-    - /usr/share/suricata/rules/stream-events.rules
-    - /usr/share/suricata/rules/tls-events.rules
-
    # Include enabled ruleset files from external file
-    - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+    # Include default rules.
+    include: /var/ipfire/suricata/suricata-default-rules.yaml

 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install IPFire related config file.
 	install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata

+	# Install yaml file for loading default rules.
+	install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
+
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata