Hi Hamish,
thanks for the reminder.
The default configuration still seems to be broken. The provided suricata.yaml refers to /etc/suricata/rules/suricata.rules as the rules file, but none is provided. suricata-update writes rules to /var/lib/suricata, so even after running suricata-update, the config is invalid.
You are right. This seems to be because we're not installing suricata-update with Suricata on Debian [0], which causes the "ruledirprefix" variable in the configure script to be left at the default of "sysconfdir", which is /etc. This leads to the "e_defaultruledir" being /etc/suricata/rules, which ends up in the default configuration.

I think the best option we have to address this issue is to force the default rule path in the suricata.yaml that is installed in Debian to be /var/lib/suricata/rules. Then provide an empty file by default. This would address your immediate concern, and also keeps compatibility with suricata-update, should the user decide to use it. That writes into the same location, so the new rules are picked up automatically (/var/lib/suricata/rules/suricata.rules).

Any comments? If not I'll implement this in an upcoming package update.

Note that the 'default installation' (i.e. completely unconfigured by the user) is likely to be 'broken' still because one still needs to at least define an actual inspection interface to use so Suricata can start. The default is "eth0" which is unlikely to exist on modern systems (also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895342).
Best,
Sascha

[0] By passing --disable-suricata-update and patching the Makefile.
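The mismatch discussed in this thread (default-rule-path pointing at /etc/suricata/rules while suricata-update writes to /var/lib/suricata/rules) is easy to catch before shipping a package or rolling a config. The script below is an added example, not code from the bug thread or from the Suricata project: it resolves the rule file(s) a suricata.yaml points at and reports any that do not exist. It assumes the layout of the stock suricata.yaml (a top-level "default-rule-path:" scalar and a "rule-files:" list of "- name" entries; absolute entries are used as-is). The two configs it checks are constructed stand-ins for the shipped default and for the proposed fix, with the real /etc and /var/lib paths replaced by scratch paths so the check runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the Debian bug thread or from the Suricata project.
# Resolves the rule file(s) a suricata.yaml points at and reports any that are
# absent, i.e. the mismatch described above: default-rule-path says
# /etc/suricata/rules while suricata-update writes /var/lib/suricata/rules.
# Assumes a top-level "default-rule-path:" scalar and a "rule-files:" list of
# "- name" entries (absolute entries are used as-is), as in the stock suricata.yaml.

# rule_paths CONFIG: print one resolved rule-file path per line
rule_paths() {
    cfg=$1
    base=$(sed -n 's/^default-rule-path:[[:space:]]*//p' "$cfg" | head -n 1)
    # Take the "- item" lines that follow "rule-files:" up to the next top-level key.
    sed -n '/^rule-files:/,/^[^[:space:]#-]/p' "$cfg" |
        sed -n 's/^[[:space:]]*-[[:space:]]*//p' |
        while read -r f; do
            case $f in
                /*) printf '%s\n' "$f" ;;
                *)  printf '%s/%s\n' "${base%/}" "$f" ;;
            esac
        done
}

# missing_rules CONFIG: print each configured rule file that is absent; exit 1 if any
# (paths are assumed to contain no whitespace, as the stock locations do)
missing_rules() {
    rc=0
    for p in $(rule_paths "$1"); do
        if [ ! -f "$p" ]; then
            printf 'missing rule file: %s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: two minimal configs in a scratch directory. The rules directory
# stands in for /var/lib/suricata/rules, holding the empty file the package would ship.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/var-lib-rules"
: > "$demo_dir/var-lib-rules/suricata.rules"

# Stand-in for the shipped default: points at a rules directory nothing populates.
cat > "$demo_dir/broken.yaml" <<EOF
%YAML 1.1
---
default-rule-path: $demo_dir/etc-rules
rule-files:
  - suricata.rules
af-packet:
  - interface: eth0
EOF

# Stand-in for the proposed fix: points where suricata-update writes.
cat > "$demo_dir/fixed.yaml" <<EOF
%YAML 1.1
---
default-rule-path: $demo_dir/var-lib-rules
rule-files:
  - suricata.rules
af-packet:
  - interface: eth0
EOF

for cfg in "$demo_dir/broken.yaml" "$demo_dir/fixed.yaml"; do
    if missing_rules "$cfg"; then
        echo "$cfg: all configured rule files present"
    fi
done
```

On a real host the check to run after changing the path is Suricata's own configuration test, `suricata -T -c /etc/suricata/suricata.yaml`; as the reply notes, a freshly installed Debian package will still need the capture interface changed from the default eth0 before Suricata can start, which this script does not cover.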

