suricata defaults and annotation

salt/suricata/defaults.yaml

@@ -97,6 +97,11 @@ suricata:
           - 4789
         TEREDO_PORTS:
           - 3544
+        SIP_PORTS:
+          - 5060
+          - 5061
+        GENEVE_PORTS:
+          - 6081
     default-log-dir: /var/log/suricata/
     stats:
       enabled: "yes"
@@ -195,6 +200,9 @@ suricata:
           enabled: "yes"
           detection-ports:
             dp: 443
+          ja3-fingerprints: auto
+          ja4-fingerprints: auto
+          encryption-handling: track-only
         dcerpc:
           enabled: "yes"
         ftp:
@@ -244,19 +252,21 @@ suricata:
           libhtp:
              default-config:
                personality: IDS
-               request-body-limit: 100kb
-               response-body-limit: 100kb
-               request-body-minimal-inspect-size: 32kb
-               request-body-inspect-window: 4kb
-               response-body-minimal-inspect-size: 40kb
-               response-body-inspect-window: 16kb
+               request-body-limit: 100 KiB
+               response-body-limit: 100 KiB
+               request-body-minimal-inspect-size: 32 KiB
+               request-body-inspect-window: 4 KiB
+               response-body-minimal-inspect-size: 40 KiB
+               response-body-inspect-window: 16 KiB
                response-body-decompress-layer-limit: 2
                http-body-inline: auto
                swf-decompression:
-                 enabled: "yes"
+                 enabled: "no"
                  type: both
-                 compress-depth: 0
-                 decompress-depth: 0
+                 compress-depth: 100 KiB
+                 decompress-depth: 100 KiB
+               randomize-inspection-sizes: "yes"
+               randomize-inspection-range: 10
                double-decode-path: "no"
                double-decode-query: "no"
              server-config:
@@ -390,8 +400,12 @@ suricata:
       vxlan:
         enabled: true
         ports: $VXLAN_PORTS
-      erspan:
+      geneve:
         enabled: true
+        ports: $GENEVE_PORTS
+        max-layers: 16
+      recursion-level:
+        use-for-tracking: true
     detect:
       profile: medium
       custom-values:
@@ -411,7 +425,12 @@ suricata:
     spm-algo: auto
     luajit:
       states: 128
-
+    security:
+      lua:
+        allow-rules: false
+        max-bytes: 500000 
+        max-instructions: 500000
+        allow-restricted-functions: false
     profiling:
       rules:
         enabled: "yes"
@@ -452,6 +471,3 @@ suricata:
     classification-file: /etc/suricata/classification.config
     reference-config-file: /etc/suricata/reference.config
     threshold-file: /etc/suricata/threshold.conf
-
-
-# ENABLE for 

salt/suricata/soc_suricata.yaml

@@ -190,6 +190,8 @@ suricata:
         FTP_PORTS: *suriportgroup
         VXLAN_PORTS: *suriportgroup
         TEREDO_PORTS: *suriportgroup
+        SIP_PORTS: *suriportgroup
+        GENEVE_PORTS: *suriportgroup
     outputs:
       eve-log:
         types:
@@ -209,7 +211,7 @@ suricata:
                 helpLink: suricata.html
       pcap-log:
         enabled:
-          description: This value is ignored by SO. pcapengine in globals takes precidence.
+          description: This value is ignored by SO. pcapengine in globals takes precedence.
           readonly: True
           helpLink: suricata.html
           advanced: True        
@@ -297,3 +299,10 @@ suricata:
         ports: 
           description: Ports to listen for. This should be a variable.    
           helpLink: suricata.html
+      geneve:
+        enabled:
+          description: Enable VXLAN capabilities.
+          helpLink: suricata.html
+        ports: 
+          description: Ports to listen for. This should be a variable.    
+          helpLink: suricata.html