diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index e1b68e9d1..9c9a7a8ed 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -97,6 +97,11 @@ suricata:
 - 4789
 TEREDO_PORTS:
 - 3544
+ SIP_PORTS:
+ - 5060
+ - 5061
+ GENEVE_PORTS:
+ - 6081
 default-log-dir: /var/log/suricata/
 stats:
 enabled: "yes"
@@ -195,6 +200,9 @@ suricata:
 enabled: "yes"
 detection-ports:
 dp: 443
+ ja3-fingerprints: auto
+ ja4-fingerprints: auto
+ encryption-handling: track-only
 dcerpc:
 enabled: "yes"
 ftp:
@@ -244,19 +252,21 @@ suricata:
 libhtp:
 default-config:
 personality: IDS
- request-body-limit: 100kb
- response-body-limit: 100kb
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-limit: 100 KiB
+ response-body-limit: 100 KiB
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
 response-body-decompress-layer-limit: 2
 http-body-inline: auto
 swf-decompression:
- enabled: "yes"
+ enabled: "no"
 type: both
- compress-depth: 0
- decompress-depth: 0
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+ randomize-inspection-sizes: "yes"
+ randomize-inspection-range: 10
 double-decode-path: "no"
 double-decode-query: "no"
 server-config:
@@ -390,8 +400,12 @@ suricata:
 vxlan:
 enabled: true
 ports: $VXLAN_PORTS
- erspan:
+ geneve:
 enabled: true
+ ports: $GENEVE_PORTS
+ max-layers: 16
+ recursion-level:
+ use-for-tracking: true
 detect:
 profile: medium
 custom-values:
@@ -411,7 +425,12 @@ suricata:
 spm-algo: auto
 luajit:
 states: 128
-
+ security:
+ lua:
+ allow-rules: false
+ max-bytes: 500000
+ max-instructions: 500000
+ allow-restricted-functions: false
 profiling:
 rules:
 enabled: "yes"
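Review bot: The `ja4-fingerprints: auto` and `encryption-handling: track-only` keys added under tls in the second defaults.yaml hunk only exist in recent Suricata releases, and nothing on this page pins the Suricata version this config is shipped with; an unrecognised key or enum value on an older build is at best ignored silently, so the target version should be confirmed before this lands. As I read it, `track-only` keeps tracking the TLS flow past the handshake without inspecting the encrypted payload, which is a deliberate trade-off between flow visibility and detection cost and deserves to be stated, e.g. a `description: Keep tracking TLS flows after the handshake without inspecting encrypted data.` entry beside the other tls settings in soc_suricata.yaml. The same documentation gap applies to the `randomize-inspection-*`, `max-layers`, `recursion-level` and `security.lua` keys introduced in the later hunks of this file: none of them receives an annotation in the soc_suricata.yaml hunks of this diff, so they remain undescribed wherever that file is used to present settings.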
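Review bot: Flipping `swf-decompression.enabled` from `"yes"` to `"no"` in the libhtp hunk of defaults.yaml stops decompression of Flash bodies, so any rule that relied on matching decompressed SWF content will no longer fire; that is a detection-coverage change rather than a units cleanup, and it is easy to miss among the `kb` to `KiB` edits. If it is intentional (the new values appear to match a stock Suricata configuration), say so in the commit message or in a soc_suricata.yaml `description:` so an operator knows to re-enable it deliberately. The new `compress-depth: 100 KiB` / `decompress-depth: 100 KiB` bounds replace the previous `0`, which I take to mean no limit, but they only have effect once `enabled` is turned back on.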
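Review bot: The `- erspan:` / `+ geneve:` replacement in the decoder hunk of defaults.yaml removes the explicit `erspan: enabled: true` stanza instead of adding `geneve` as a sibling, so ERSPAN handling now falls back to whatever the Suricata build does when the key is absent, and the diff does not say whether that is intended. If ERSPAN tunnels are still expected on monitored links, keep the stanza and add `geneve:` next to it; if the key was dropped because the targeted version no longer accepts it, record that with a one-line comment such as `# erspan stanza removed; decoding left at Suricata's built-in default`. The new `recursion-level: use-for-tracking: true` also changes flow-tracking behaviour for encapsulated traffic and is likewise undocumented on this page.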
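Review bot: `security.lua.allow-rules: false` in the last defaults.yaml hunk means, as I understand the Lua sandbox, that signatures using the `lua` keyword are refused at rule load, so any locally authored Lua rules stop loading after this change with no hint in the settings UI. The restrictive defaults (`allow-restricted-functions: false`, bounded `max-bytes`/`max-instructions`) are the right baseline for a sandbox and should stay, but `allow-rules` is worth exposing in soc_suricata.yaml with a `description:` so an operator who needs Lua rules can opt in knowingly rather than editing defaults. Minor style point: this stanza uses bare `false` while the surrounding settings in this file use quoted `"yes"`/`"no"`; Suricata accepts both, but one form per file reads better.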
@@ -452,6 +471,3 @@ suricata:
 classification-file: /etc/suricata/classification.config
 reference-config-file: /etc/suricata/reference.config
 threshold-file: /etc/suricata/threshold.conf
-
-
-# ENABLE for
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 8b5ce7b11..03f30be75 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -190,6 +190,8 @@ suricata:
 FTP_PORTS: *suriportgroup
 VXLAN_PORTS: *suriportgroup
 TEREDO_PORTS: *suriportgroup
+ SIP_PORTS: *suriportgroup
+ GENEVE_PORTS: *suriportgroup
 outputs:
 eve-log:
 types:
@@ -209,7 +211,7 @@ suricata:
 helpLink: suricata.html
 pcap-log:
 enabled:
- description: This value is ignored by SO. pcapengine in globals takes precidence.
+ description: This value is ignored by SO. pcapengine in globals takes precedence.
 readonly: True
 helpLink: suricata.html
 advanced: True
@@ -297,3 +299,10 @@ suricata:
 ports:
 description: Ports to listen for. This should be a variable.
 helpLink: suricata.html
+ geneve:
+ enabled:
+ description: Enable VXLAN capabilities.
+ helpLink: suricata.html
+ ports:
+ description: Ports to listen for. This should be a variable.
+ helpLink: suricata.html
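Review bot: The `geneve.enabled` description added at the end of soc_suricata.yaml reads `Enable VXLAN capabilities.`, copied from the vxlan entry above it, and would mislabel the setting wherever these descriptions are displayed; change it to `description: Enable GENEVE capabilities.`. The `ports` description is fine as-is since the default in defaults.yaml is `$GENEVE_PORTS`, which matches the "should be a variable" wording used for vxlan.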