Bug#853154: configuration broken out of the box

2023-04-09 Thread Sascha Steinbiss


Hi Hamish,

thanks for the reminder.


> The default configuration still seems to be broken.
>
> The provided suricata.yaml refers to /etc/suricata/rules/suricata.rules
> as the rules file, but none is provided.
>
> suricata-update writes rules to /var/lib/suricata, so even after running
> suricata-update, the config is invalid.


You are right. This seems to be because we're not installing
suricata-update with Suricata on Debian [0], which causes the
"ruledirprefix" variable in the configure script to be left at the
default of "sysconfdir", which is /etc. This leads to the
"e_defaultruledir" being /etc/suricata/rules, which ends up in the
default configuration.

I think the best option we have to address this issue is to force the
default rule path in the suricata.yaml that is installed in Debian to be
/var/lib/suricata/rules. Then provide an empty file by default. This
would address your immediate concern, and also keeps compatibility with
suricata-update, should the user decide to use it. That writes into the
same location, so the new rules are picked up automatically
(/var/lib/suricata/rules/suricata.rules).

Any comments? If not, I'll implement this in an upcoming package update.

Note that the 'default installation' (i.e. completely unconfigured by
the user) is likely to be 'broken' still because one still needs to at
least define an actual inspection interface to use so Suricata can
start. The default is "eth0" which is unlikely to exist on modern
systems (also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895342).


Best
Sascha

[0] By passing --disable-suricata-update and patching the Makefile.


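A small check for the mismatch discussed in this thread, added here as an example and not part of the Debian package or the bug report: it reads `default-rule-path` and `rule-files` from a suricata.yaml and lists rule files that do not exist on disk. The config fragments and the fake filesystem are constructed; the line-based parser assumes the flat layout of the stock suricata.yaml and is not a full YAML parser.

```python
import os
import re


def parse_rule_settings(yaml_text):
    """Return (default_rule_path, [rule files]) from suricata.yaml text.
    Assumes top-level 'default-rule-path:' and 'rule-files:' keys as in
    the stock file; nested or quoted forms would need a real YAML parser."""
    rule_path, rule_files, in_rule_files = None, [], False
    for line in yaml_text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()  # drop comments
        if not stripped.strip():
            continue
        m = re.match(r"^default-rule-path:\s*(\S+)", stripped)
        if m:
            rule_path, in_rule_files = m.group(1), False
            continue
        if re.match(r"^rule-files:\s*$", stripped):
            in_rule_files = True
            continue
        m = re.match(r"^\s+-\s*(\S+)", stripped)
        if in_rule_files and m:
            rule_files.append(m.group(1))
        else:
            in_rule_files = False  # any other key ends the list
    return rule_path, rule_files


def missing_rule_files(yaml_text, exists=os.path.exists):
    """Absolute paths of configured rule files that are absent.
    'exists' is injectable so the check can run against a fake filesystem."""
    rule_path, rule_files = parse_rule_settings(yaml_text)
    paths = [f if os.path.isabs(f) else os.path.join(rule_path or "", f)
             for f in rule_files]
    return [p for p in paths if not exists(p)]


# Constructed: the Debian default described in the report, and the proposed fix.
BROKEN_CFG = """\
default-rule-path: /etc/suricata/rules   # from configure's sysconfdir
rule-files:
  - suricata.rules
classification-file: /etc/suricata/classification.config
"""
FIXED_CFG = BROKEN_CFG.replace("/etc/suricata/rules ", "/var/lib/suricata/rules ")

# Constructed stand-in for the disk after suricata-update has run.
FAKE_FS = {"/var/lib/suricata/rules/suricata.rules"}
```

Running `missing_rule_files(BROKEN_CFG, exists=FAKE_FS.__contains__)` reports the /etc path the default config points at, while the fixed config reports nothing.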


Bug#853154: configuration broken out of the box

2023-03-23 Thread Hamish Moffatt

Hi,

The default configuration still seems to be broken.

The provided suricata.yaml refers to /etc/suricata/rules/suricata.rules
as the rules file, but none is provided.


suricata-update writes rules to /var/lib/suricata, so even after running
suricata-update, the config is invalid.



Hamish