On Mon, 30 Jan 2017 12:16:42 +0100 Sascha Steinbiss <sa...@debian.org> wrote:
>
> the suricata package is currently configured by default to store its
> rules files in /etc/suricata/rules, which as a subdirectory under /etc
> is meant to hold 'static' files according to FHS section 3.7 [1]. While
> it is not strongly defined what exactly is meant by the term 'static',
> one might argue that frequent updates of the rules files from an
> external source (e.g. via oinkmaster or pulledpork, which is quite
> common) might disqualify them as being largely static.
>
> As a suitable alternative location, one might think of something along
> the lines of /var/lib/suricata/rules -- FHS states that the contents of
> /var/lib should reflect a program’s variable internal state while
> running [2], and the rules may be a special case here (as they change
> the internal state of Suricata only when loaded or reloaded). It is also
> stated that the user should never need to modify these files, but I am
> not sure whether this also includes using a specific automation tool
> such as oinkmaster or pulledpork for that purpose.
> Still, this sounds like the best option. Any comments?
>
>
> [1] http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s07.html
> [2] http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html

Hi,

thinking again about this, I believe you are right.

However, this movement is something I would like to coordinate with
upstream (CC'ing Victor),
since it doesn't make sense to me to point in Debian to one location
while Suricata upstream points to another (in docs, recommendations,
defaults, etc.)

@Victor, any comment?

Using /var/lib/suricata/rules sounds good to me.
