On 20-09-17 20:34, Arturo Borrero Gonzalez wrote:
> On Mon, 30 Jan 2017 12:16:42 +0100 Sascha Steinbiss <[email protected]> wrote:
>>
>> the suricata package is currently configured by default to store its
>> rules files in /etc/suricata/rules, which as a subdirectory under /etc
>> is meant to hold 'static' files according to FHS section 3.7 [1]. While
>> it is not strongly defined what exactly is meant by the term 'static',
>> one might argue that frequent updates of the rules files from an
>> external source (e.g. via oinkmaster or pulledpork, which is quite
>> common) might disqualify them as being largely static.
>>
>> As a suitable alternative location, one might think of something along
>> the lines of /var/lib/suricata/rules -- FHS states that the contents of
>> /var/lib should reflect a program’s variable internal state while
>> running [2], and the rules may be a special case here (as they change
>> the internal state of Suricata only when loaded or reloaded). It is also
>> stated that the user should never need to modify these files, but I am
>> not sure whether this also includes using a specific automation tool
>> such as oinkmaster or pulledpork for that purpose.
>> Still, this sounds like the best option. Any comments?
>>
>>
>> [1] http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s07.html
>> [2] http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s08.html
>
> Hi,
>
> thinking again about this, I believe you are right.
>
> However, this movement is something I would like to coordinate with
> upstream (CC'ing Victor),
> since it doesn't make sense to me to point in Debian to one location
> while Suricata upstream points to another (in docs, recommendations,
> defaults, etc.)
>
> @Victor, any comment?
>
> Using /var/lib/suricata/rules sounds good to me.
>
We're discussing this internally currently, but we tend to agree.
However we want to have a good look at what it would mean for users.
Ideally we'd update Suricata to support multiple rule locations cleanly.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

