Can't seem to get "!include" working

joshua.bigler · March 17, 2023, 11:43pm

The documentation mentions the ability to split out config files into other files using either the ‘include’ key, or with a value beginning with ‘!include’. I’m trying to use the latter to separate items such as af-packet configs, address-groups, port-groups, etc into separate files, for a cleaner config file and it’s also a little easier for me to manage with puppet (avoids a template with a massive amount of variables). However, when I try to actually do this, it does not seem to pick up the file.

Example section in /etc/suricata/suricata.yaml:
af-packet: "!include interfaces.yaml"

/etc/suricata/interfaces.yaml

- interface: enp0s3
  cluster-id: 99
  threads: auto

Attempting to run manually:

# /sbin/suricata -c /etc/suricata/suricata.yaml --af-packet
17/3/2023 -- 23:36:15 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid logging method: interface, ignoring
17/3/2023 -- 23:36:15 - <Notice> - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
17/3/2023 -- 23:36:15 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - No interface found in config for af-packet

Any idea what I’m doing wrong here? It also doesn’t seem to load other sections that I try to use ‘!include’ for, such as the address groups, etc

I’m using the suricata rpm from the Rocky Linux 8 EPEL repo.

/sbin/suricata -V
This is Suricata version 6.0.9 RELEASE

Andreas_Herz · March 17, 2023, 11:48pm

You should try to move the af-packet: part into the interfaces.yaml and include this as a whole.

So for example in the suricata.yaml in the end:

# include af-packet section
include: interfaces.yaml

and the interfaces.yaml looks like:

%YAML 1.1
---

af-packet:
- interface: enp0s3
  cluster-id: 99
  threads: auto

joshua.bigler · March 20, 2023, 4:41pm

I can change my puppet code to do it that way. If it is the case that the “!include” value does not actually import the contents of a file as the value, and the “include” key should be the only one used, should the documentation be updated to reflect that?

ish · March 20, 2023, 10:28pm

You don’t want the quotes here, instead use:

af-packet: !include interfaces.yaml

However, what Andreas’ suggests in Can't seem to get "!include" working - #2 by Andreas_Herz is probably easier to reason about.

Topic		Replies	Views
Ignoring my config file and using incorrect interface Help suricata	11	52	September 10, 2024
BPF filter file with af_packet not functioning Help	3	2099	May 5, 2020
Enable include file by default Developers	6	799	September 7, 2021
Suricata af-packet ips Help ips	1	664	January 17, 2023
Overide suricata configuation file Help configuration , suricata	3	298	February 28, 2024

Can't seem to get "!include" working

Related topics