diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 60dbea356..34399fc7a 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -199,8 +199,39 @@ suricata:
 GENEVE_PORTS: *suriportgroup
 outputs:
 eve-log:
+ pcap-file:
+ description: Log the PCAP filename that a packet was read from when processing pcap files.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ community-id:
+ description: Enable Community ID flow hashing for consistent event correlation across tools.
+ forcedType: bool
+ helpLink: suricata
 types:
 alert:
+ metadata:
+ app-layer:
+ description: Include app-layer metadata in alert events.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ flow:
+ description: Include flow metadata in alert events.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ rule:
+ metadata:
+ description: Include rule metadata in alert events.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ raw:
+ description: Include raw rule text in alert events.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
 xff:
 enabled:
 description: Enable X-Forward-For support.
@@ -287,6 +318,7 @@ suricata:
 teredo:
 enabled:
 description: Enable TEREDO capabilities
+ forcedType: bool
 helpLink: suricata
 ports:
 description: Ports to listen for. This should be a variable.
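Review bot: The `community-id` description promises "consistent event correlation across tools", but a Community ID hash only matches what Zeek or another producer computes when both sides use the same seed, and the companion Suricata key that controls that (`community-id-seed`, default 0) is not exposed or mentioned in this hunk. Operators who change the seed elsewhere will get silently non-matching IDs and assume correlation works. Suggest `description: Enable Community ID flow hashing for cross-tool event correlation. Hashes only match other tools when the seed is identical on every producer (Suricata's community-id-seed, default 0).` Whether a seed option belongs in this file I cannot tell from the hunk; the `outputs.eve-log` mapping continues outside it.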
@@ -294,14 +326,58 @@ suricata:
 vxlan:
 enabled:
 description: Enable VXLAN capabilities.
+ forcedType: bool
 helpLink: suricata
- ports:
- description: Ports to listen for. This should be a variable.
+ ports:
+ description: Ports to listen for. This should be a variable.
 helpLink: suricata
 geneve:
 enabled:
 description: Enable VXLAN capabilities.
+ forcedType: bool
 helpLink: suricata
- ports:
- description: Ports to listen for. This should be a variable.
+ ports:
+ description: Ports to listen for. This should be a variable.
+ helpLink: suricata
+ recursion-level:
+ use-for-tracking:
+ description: Controls whether the decoder recursion level is used for flow tracking.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ vlan:
+ use-for-tracking:
+ description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ detect:
+ profiling:
+ grouping:
+ dump-to-disk:
+ description: Dump detection engine grouping information to disk for analysis.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ include-rules:
+ description: Include individual rule details in grouping profiling output.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ include-mpm-stats:
+ description: Include multi-pattern matcher statistics in grouping profiling output.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ security:
+ lua:
+ allow-rules:
+ description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks.
+ forcedType: bool
+ advanced: True
+ helpLink: suricata
+ allow-restricted-functions:
+ description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
+ forcedType: bool
+ advanced: True
 helpLink: suricata
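Review bot: `security.lua.allow-restricted-functions` is exposed as just another `advanced: True` boolean with the vague caveat "may introduce security risks", but switching it on lets Lua code shipped inside any loaded rule file do file I/O and similar unsandboxed operations as the Suricata process, so a compromised or malicious rule feed becomes a code-execution path on every sensor that consumes it. The description should state that concretely and note that it presumably only matters once `allow-rules` is also on; suggest `description: Allow Lua rules to call restricted functions (file I/O and similar unsandboxed operations). Any rule source you load can then execute these as the Suricata process, so leave disabled unless every rule feed is fully trusted. Only meaningful when allow-rules is enabled.` If the option schema supports a stronger guard than `advanced` (read-only, confirmation, or similar), this key is the place for it, though I cannot tell from the hunk which attributes exist. Separately, the untouched context line `description: Enable VXLAN capabilities.` under `geneve` is a copy-paste leftover this change does not fix; indentation is lost in this view, so the nesting of `recursion-level`, `vlan`, `detect` and `security` relative to `suricata` could not be verified.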