Feature #234

closed

add option disable/enable individual app layer protocol inspection modules

Added by Victor Julien over 14 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal

Description

Not everyone is interested in having all app layer parsing/inspection modules enabled all the time. In the suricata.yaml configuration file we should give the user the option to disable individual parsers.

Ideas for how this should be done in the configuration file are welcome.

Actions #1

Updated by delta yeh about 14 years ago

How about:

    app-layer-modules:
      - http
      - ftp
      - ssh

Those modules not in this list would not be enabled.

Actions #2

Updated by Victor Julien almost 14 years ago

I think I would prefer something like:

    app-layer-parsers:
      - http:
          enabled: yes
      - ftp:
          enabled: no

This would allow us to add other options to them...

Thoughts?

Actions #3

Updated by delta yeh over 13 years ago

Victor Julien wrote:

> I think I would prefer something like:
>
>     app-layer-parsers:
>       - http:
>           enabled: yes
>       - ftp:
>           enabled: no
>
> This would allow us to add other options to them...
>
> Thoughts?

Sounds good to me!

Actions #4

Updated by Victor Julien over 13 years ago

  • Assignee changed from Victor Julien to Anonymous

This would be fairly easy to implement as we can just disable the parser registration for the disabled protocols.

Actions #5

Updated by delta yeh about 13 years ago

Victor Julien wrote:

> This would be fairly easy to implement as we can just disable the parser registration for the disabled protocols.

I will take this.

Actions #6

Updated by Victor Julien about 13 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to delta yeh
  • Target version set to 1.2

Cool, thanks!

Actions #7

Updated by Victor Julien almost 13 years ago

  • Target version changed from 1.2 to TBD

Have you been able to look into this?

Actions #8

Updated by Victor Julien over 12 years ago

  • Assignee changed from delta yeh to Anoop Saldanha
  • Target version changed from TBD to 1.4beta2

Actions #9

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4beta2 to 1.4beta3

Actions #10

Updated by Victor Julien about 12 years ago

  • Priority changed from Normal to Low

Actions #11

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4beta3 to 1.4rc1

Actions #13

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4rc1 to 2.0rc2

Actions #14

Updated by Anoop Saldanha almost 12 years ago

https://github.com/inliniac/suricata/pull/279

The above PR does a lot more than provide a feature to enable/disable app layer modules.

We have an updated PP proto detection engine, a feature to enable proto detection/parser, both of which are now separate options in the conf file, the ability to specify detection ports in the conf file, and sig port validation.

Actions #15

Updated by Victor Julien over 11 years ago

  • Priority changed from Low to Normal
  • Target version changed from 2.0rc2 to 2.0beta2
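
The approach from comment #4 (skip registration for disabled protocols), combined with the separate detection and parser switches mentioned in comment #14, sketched as an added example that is not code from this thread or from Suricata. All function and type names are hypothetical, the configuration table is constructed, and treating an unlisted protocol as enabled is an assumption; the three `enabled` values modelled are `yes`, `no` and `detection-only`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Suricata source code. */
enum al_mode { AL_INVALID = -1, AL_OFF, AL_DETECT_ONLY, AL_FULL };
struct al_conf { const char *proto; const char *enabled; };

/* Constructed sample configuration standing in for a parsed suricata.yaml. */
static const struct al_conf sample_conf[] = {
    { "http", "yes" }, { "ftp", "no" }, { "ssh", "detection-only" },
    { "smb", "maybe" },   /* constructed bad value, must not pass silently */
};
#define CONF_LEN (sizeof(sample_conf) / sizeof(sample_conf[0]))

/* Map a protocol's "enabled" value to a mode. An unlisted protocol is
 * treated as fully enabled (assumption); an unknown value is an error. */
enum al_mode al_mode_for(const char *proto)
{
    for (size_t i = 0; i < CONF_LEN; i++) {
        const char *v = sample_conf[i].enabled;
        if (strcmp(sample_conf[i].proto, proto) != 0) continue;
        if (strcmp(v, "yes") == 0) return AL_FULL;
        if (strcmp(v, "no") == 0) return AL_OFF;
        if (strcmp(v, "detection-only") == 0) return AL_DETECT_ONLY;
        return AL_INVALID;
    }
    return AL_FULL;
}

/* Registration gate: bit 0 = protocol detection registered, bit 1 = parser
 * registered. Returns -1 so start-up can abort on a bad config value. */
int al_register(const char *proto)
{
    switch (al_mode_for(proto)) {
    case AL_FULL:        return 3;
    case AL_DETECT_ONLY: return 1;
    case AL_OFF:         return 0;
    default:             return -1;
    }
}

int main(void)
{
    const char *protos[] = { "http", "ftp", "ssh", "smb", "tls" };
    for (size_t i = 0; i < 5; i++)
        printf("%-4s -> %d\n", protos[i], al_register(protos[i]));
    return 0;
}
```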