Enable include file by default

Hi, I’ve got a very small feature request for config management.

I love the YAML configs, sensible defaults and ability to override selected configs via includes, specifically this last bit in suricata.yaml:

##
## Include other configs
##

# Includes:  Files included here will be handled as if they were in-lined
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
# You can specify more than 2 configuration files, if needed.
#include: include1.yaml
#include: include2.yaml

In order to actually use this feature I have to modify the original file provided by the package (installing via apt). Would it be possible to add a default include here (in the packaged file), so a set of configs can be added without editing the package’s original files? Something like:

##
## Include other configs
##

# Includes:  Files included here will be handled as if they were in-lined
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
# You can specify more than 2 configuration files, if needed.
#include: include1.yaml
#include: include2.yaml

include: suricata-overrides.yaml

That way custom configs can be added locally without creating any potential conflicts if the package is later updated…

I’ve been thinking about making this better by default. What you suggest is along the right path, or perhaps a conf.d type directory (or both).

I’d like to tie it in with an override format that looks like:

one.two.three: value

so you don’t have to completely replicate the structure. Something I used recently did this and I thought it was handy, just can’t remember what it was.


Yeah, I was also thinking the conf.d pattern might be a nice addition.

In terms of the one.two.three: value format, I’m pretty sure it already works as part of basic YAML processing? I’m using this line in my config for example:

vars.address-groups.HOME-NET: "[192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, <my-ip-address>]"

Nah, this should create a YAML key of “vars.address-groups.HOME-NET”… Something in our processing is breaking it up - but it does make the experience better for us. I don’t think this will work everywhere though.

I think I’ve seen something similar in Kafka or ElasticStack configs…?
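To make the two points above concrete (the `one.two.three: value` override format proposed earlier in the thread, and the observation that a plain YAML parser keeps `vars.address-groups.HOME-NET` as one literal key), here is an added example that is not part of this thread or of Suricata's own code. It assumes the configs have already been parsed into Python mappings (no YAML library is used) and works on a small constructed base config; the function and variable names are the author's own. It expands dotted keys into nested mappings, deep-merges the result over the base so sibling keys such as `EXTERNAL-NET` survive, and rejects an override file that says both `a: 1` and `a.b: 2`.

```python
"""Expand dotted override keys and deep-merge them into a base config.

Added illustration for the thread's discussion; not Suricata's implementation.
"""
from typing import Any


def deep_merge(base: dict, override: dict) -> dict:
    """Return a new mapping: override wins, nested mappings are merged recursively."""
    result = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = value
    return result


def expand_dotted_keys(mapping: dict) -> dict:
    """Turn {'a.b.c': v} into {'a': {'b': {'c': v}}}, recursively.

    A plain YAML loader would keep 'a.b.c' as one literal key; this is the
    splitting step the thread notes must happen somewhere in config processing.
    Raises ValueError when a dotted path collides with a scalar in the same file.
    """
    out: dict = {}
    for key, value in mapping.items():
        if isinstance(value, dict):
            value = expand_dotted_keys(value)
        parts = key.split(".") if isinstance(key, str) else [key]
        node = out
        for part in parts[:-1]:
            existing = node.get(part)
            if existing is None:
                existing = node[part] = {}
            elif not isinstance(existing, dict):
                raise ValueError(f"{key!r}: {part!r} is already set to a scalar")
            node = existing
        leaf = parts[-1]
        current = node.get(leaf)
        if isinstance(value, dict) and isinstance(current, dict):
            node[leaf] = deep_merge(current, value)
        elif current is not None and isinstance(current, dict) != isinstance(value, dict):
            raise ValueError(f"{key!r} conflicts with an earlier key in the same file")
        else:
            node[leaf] = value
    return out


def apply_overrides(base: dict, override: dict) -> dict:
    """Expand dotted keys in the override file and merge it over the base config."""
    return deep_merge(base, expand_dotted_keys(override))


def overrides_conflict(override: dict) -> bool:
    """True if the override file contains mutually incompatible dotted keys."""
    try:
        expand_dotted_keys(override)
    except ValueError:
        return True
    return False


# Constructed sample: a trimmed stand-in for the packaged suricata.yaml as a
# YAML loader would hand it to us (nested mappings).
BASE_CONFIG: dict[str, Any] = {
    "vars": {
        "address-groups": {
            "HOME-NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
            "EXTERNAL-NET": "!$HOME_NET",
        }
    },
    "default-log-dir": "/var/log/suricata/",
}

# Constructed sample: what a plain YAML loader returns for an override file
# written in the dotted format. Note the single literal dotted key.
OVERRIDE_CONFIG: dict[str, Any] = {
    "vars.address-groups.HOME-NET": "[192.168.1.0/24]",
    "default-log-dir": "/srv/suricata-logs/",
}


if __name__ == "__main__":
    merged = apply_overrides(BASE_CONFIG, OVERRIDE_CONFIG)
    print(merged["vars"]["address-groups"])
    print(overrides_conflict({"a": 1, "a.b": 2}))
```

Merging over parsed mappings rather than text keeps the override file independent of the packaged file's layout, which is the property the first post asks for: a package upgrade can rewrite suricata.yaml freely as long as the override's key paths still exist.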

Hello,
Was wondering if there’s a plan to add /etc/suricata/conf.d/ or similar config override functionality?
Yes, this technique is used by many packages, like nginx and elastic and logstash.

Not yet; what is possible is to use the include option, see 10.1. Suricata.yaml — Suricata 7.0.0-dev documentation