CESNET / NERD

Network Entity Reputation Database

Home Page: https://nerd.cesnet.cz/

what's the difference between blacklist.yml and primary_blacklist.yml?

dianwoshishi opened this issue · comments

Could you please tell me what's the difference between blacklist.yml and primary_blacklist.yml? Why split the blacklist into separate files?

Each is used by a different module. primary_blacklists.yml is used by the NERDd/blackists.py module, which downloads the full blacklists and creates records for all listed IP addresses. blacklists.yml is used by scripts/blacklists2redis.py and NERDd/modules/redis_bl.py, which only enrich existing records, i.e. add information about presence on blacklists for records created by some other module.

Generally, in NERD, "primary" modules receive data about malicious IPs and can create new records in the database; "secondary" modules only add some information to already existing records.

And yes, all blacklists could be in a single file, differentiated by some attribute. But I think the current way with multiple files is also OK and it was easier to implement.

Overall, I know the current way the configuration is split into files is not ideal; it's one of the (many) things I would like to change, but it's not a priority now.

I see. Thanks for your reply.