CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

add new pcap annotations

Browse Source
This commit is contained in:
Jason Ertel
2024-03-06 08:14:33 -05:00
parent 4b5f00cef4
commit 12653eec8c
5 changed files with 71 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/sensoroni/defaults.yaml
View File

@@ -8,6 +8,8 @@ sensoroni:
node_checkin_interval_ms: 10000 node_checkin_interval_ms: 10000
sensoronikey: sensoronikey:
soc_host: soc_host:
suripcap:
pcapMaxCount: 999999
analyzers: analyzers:
echotrail: echotrail:
base_url: https://api.echotrail.io/insights/ base_url: https://api.echotrail.io/insights/

3
salt/sensoroni/files/sensoroni.json
View File

@@ -39,7 +39,8 @@
"suriquery": { "suriquery": {
"executablePath": "/opt/sensoroni/scripts/suriquery.sh", "executablePath": "/opt/sensoroni/scripts/suriquery.sh",
"pcapInputPath": "/nsm/suripcap", "pcapInputPath": "/nsm/suripcap",
"pcapOutputPath": "/nsm/pcapout" "pcapOutputPath": "/nsm/pcapout",
"pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}
} }
{% endif %} {% endif %}
{%- else %} {%- else %}

5
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -37,6 +37,11 @@ sensoroni:
helpLink: grid.html helpLink: grid.html
global: True global: True
advanced: True advanced: True
suripcap:
pcapMaxCount:
description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
helpLink: sensoroni.html
advanced: True
analyzers: analyzers:
echotrail: echotrail:
api_key: api_key:

1
salt/soc/defaults.yaml
View File

@@ -1103,6 +1103,7 @@ soc:
esSearchOffsetMs: 1800000 esSearchOffsetMs: 1800000
maxLogLength: 1024 maxLogLength: 1024
asyncThreshold: 10 asyncThreshold: 10
lookupTunnelParent: true
influxdb: influxdb:
hostUrl: hostUrl:
token: token:

3
salt/soc/soc_soc.yaml
View File

@@ -126,6 +126,9 @@ soc:
description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete. description: Maximum number of events that can be acknowledged synchronously. When acknowledging large numbers of events, where the count exceeds this value, the acknowledge update will be performed in the background, as it can take several minutes to complete.
global: True global: True
advanced: True advanced: True
lookupTunnelParent:
description: When true, if a pivoted event appears to be encapsulated, such as in a VxLan packet, then SOC will pivot to the VxLan packet stream. This can be useful if the PCAP parser is unable to locate the encapsulated packets. However, if the parser is written in a way that it can find a given filter even if its encapsulated, this is best left to false, as the analyst will see the intended packet data rather than the wrapping packet data.
global: True
sostatus: sostatus:
refreshIntervalMs: refreshIntervalMs:
description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled. description: Duration (in milliseconds) between refreshes of the grid status. Shortening this duration may not have expected results, as the backend systems feeding this sostatus data will continue their updates as scheduled.