Is there a way to split suricata configuration file into a default configuration file and a more specific configuration file that takes precedence over the default file? What would be the best approach to achieve that?
Kind of.
If you look at the bottom of the default Suricata configuration file you will see:
include: include.yaml
This can override the defaults, but it's not that useful. For example, if your include.yaml contains:
outputs:
  - eve-log:
      ...
it overrides the complete outputs section from the default configuration.
7.0, which is not yet released, will be a little better, allowing individual values to be overridden. For example, your include.yaml could look like:
stream.midstream: true
which allows for modifying one nested value without having to redefine the complete top level object. That should be much more useful when released.
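As an added illustration (not part of this thread and not Suricata's own code), here is a small Python model of the two include behaviours described above: the older style, where a top-level key in the include file replaces that whole section, and the dotted-key style, where `stream.midstream: true` changes one nested value and leaves its siblings alone. The configuration dictionaries stand in for parsed YAML and are constructed for this example; they are not the contents of the real suricata.yaml. Note that in this model a list-valued section such as `outputs` can only be replaced whole, which is exactly the case the thread warns about.

```python
import copy

# Constructed stand-in for the parsed default suricata.yaml (not the real file).
DEFAULT_CONFIG = {
    "outputs": [
        {"fast": {"enabled": True, "filename": "fast.log"}},
        {"eve-log": {"enabled": True, "filename": "eve.json"}},
    ],
    "stream": {"memcap": "64mb", "midstream": False},
}


def apply_include_whole_section(base, include):
    """Model of the older include behaviour described in the thread:
    every top-level key present in the include file replaces the whole
    corresponding top-level section of the base configuration."""
    merged = copy.deepcopy(base)
    for key, value in include.items():
        merged[key] = copy.deepcopy(value)
    return merged


def apply_include_dotted(base, include):
    """Model of the dotted-key override: a key such as 'stream.midstream'
    walks down through nested dicts and sets only that leaf value.
    Lists are not traversed, so a list-valued section (e.g. 'outputs')
    can still only be replaced as a whole by naming the top-level key."""
    merged = copy.deepcopy(base)
    for key, value in include.items():
        parts = key.split(".")
        node = merged
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                # Create (or replace) intermediate nodes so the path exists.
                child = {}
                node[part] = child
            node = child
        node[parts[-1]] = copy.deepcopy(value)
    return merged


def demo():
    """Return both merge results so the difference is easy to compare."""
    # Constructed include.yaml contents, as parsed dicts.
    section_include = {"outputs": [{"eve-log": {"enabled": False}}]}
    dotted_include = {"stream.midstream": True}
    return (
        apply_include_whole_section(DEFAULT_CONFIG, section_include),
        apply_include_dotted(DEFAULT_CONFIG, dotted_include),
    )


if __name__ == "__main__":
    whole, dotted = demo()
    # The whole-section merge silently dropped the 'fast' output.
    print("outputs after whole-section include:", whole["outputs"])
    # The dotted merge changed only midstream; memcap is still present.
    print("stream after dotted include:", dotted["stream"])
```

Running the script shows the practical risk of the older behaviour: an include file that only meant to tweak eve-log ends up removing every other output, which is easy to miss until logs stop appearing.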
Suricata 7 is now released but I did not see anything mentioning improved configuration overriding in the release notes. Does Suricata 7 allow individual values to be overridden? If yes, I guess it works fine with nested dictionaries. How about lists?
The example Jason mentioned would already work. Did you try it?