convert suricata config yes/no to true/false

Josh Patterson
2026-03-19 16:41:17 -04:00
parent 3b269e8b82
commit 5c53244b54
2 changed files with 118 additions and 111 deletions


@@ -1,20 +1,20 @@
suricata:
enabled: False
pcap:
enabled: "no"
enabled: false
filesize: 1000mb
maxsize: 25
compression: "none"
lz4-checksum: "no"
lz4-checksum: false
lz4-level: 8
filename: "%n/so-pcap.%t"
mode: "multi"
use-stream-depth: "no"
use-stream-depth: false
conditional: "all"
dir: "/nsm/suripcap"
config:
threading:
set-cpu-affinity: "no"
set-cpu-affinity: false
cpu-affinity:
management-cpu-set:
cpu:
@@ -29,17 +29,17 @@ suricata:
interface: bond0
cluster-id: 59
cluster-type: cluster_flow
defrag: "yes"
use-mmap: "yes"
mmap-locked: "no"
defrag: true
use-mmap: true
mmap-locked: false
threads: 1
tpacket-v3: "yes"
tpacket-v3: true
ring-size: 5000
block-size: 69632
block-timeout: 10
use-emergency-flush: "yes"
use-emergency-flush: true
buffer-size: 32768
disable-promisc: "no"
disable-promisc: false
checksum-checks: kernel
vars:
address-groups:
@@ -105,15 +105,15 @@ suricata:
- 6081
default-log-dir: /var/log/suricata/
stats:
enabled: "yes"
enabled: true
interval: 30
outputs:
fast:
enabled: "no"
enabled: false
filename: fast.log
append: "yes"
append: true
eve-log:
enabled: "yes"
enabled: true
filetype: regular
filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour
@@ -122,104 +122,104 @@ suricata:
community-id-seed: 0
types:
alert:
payload: "no"
payload: false
payload-buffer-size: 4kb
payload-printable: "yes"
packet: "yes"
payload-printable: true
packet: true
metadata:
app-layer: false
flow: false
rule:
metadata: true
raw: true
tagged-packets: "no"
tagged-packets: false
xff:
enabled: "no"
enabled: false
mode: extra-data
deployment: reverse
header: X-Forwarded-For
unified2-alert:
enabled: "no"
enabled: false
tls-store:
enabled: "no"
enabled: false
alert-debug:
enabled: "no"
enabled: false
alert-prelude:
enabled: "no"
enabled: false
stats:
enabled: "yes"
enabled: true
filename: stats.log
append: "yes"
totals: "yes"
threads: "no"
null-values: "yes"
append: true
totals: true
threads: false
null-values: true
drop:
enabled: "no"
enabled: false
file-store:
version: 2
enabled: "no"
enabled: false
xff:
enabled: "no"
enabled: false
mode: extra-data
deployment: reverse
header: X-Forwarded-For
tcp-data:
enabled: "no"
enabled: false
type: file
filename: tcp-data.log
http-body-data:
enabled: "no"
enabled: false
type: file
filename: http-data.log
lua:
enabled: "no"
enabled: false
scripts:
logging:
default-log-level: notice
outputs:
- console:
enabled: "yes"
enabled: true
- file:
enabled: "yes"
enabled: true
level: info
filename: suricata.log
- syslog:
enabled: "no"
enabled: false
facility: local5
format: "[%i] <%d> -- "
app-layer:
protocols:
krb5:
enabled: "yes"
enabled: true
snmp:
enabled: "yes"
enabled: true
ikev2:
enabled: "yes"
enabled: true
tls:
enabled: "yes"
enabled: true
detection-ports:
dp: 443
ja3-fingerprints: auto
ja4-fingerprints: auto
encryption-handling: track-only
dcerpc:
enabled: "yes"
enabled: true
ftp:
enabled: "yes"
enabled: true
rdp:
enabled: "yes"
enabled: true
ssh:
enabled: "yes"
enabled: true
smtp:
enabled: "yes"
raw-extraction: "no"
enabled: true
raw-extraction: false
mime:
decode-mime: "yes"
decode-base64: "yes"
decode-quoted-printable: "yes"
decode-mime: true
decode-base64: true
decode-quoted-printable: true
header-value-depth: 2000
extract-urls: "yes"
body-md5: "no"
extract-urls: true
body-md5: false
inspected-tracker:
content-limit: 100000
content-inspect-min-size: 32768
@@ -227,27 +227,27 @@ suricata:
imap:
enabled: detection-only
smb:
enabled: "yes"
enabled: true
detection-ports:
dp: 139, 445
nfs:
enabled: "yes"
enabled: true
tftp:
enabled: "yes"
enabled: true
dns:
global-memcap: 16mb
state-memcap: 512kb
request-flood: 500
tcp:
enabled: "yes"
enabled: true
detection-ports:
dp: 53
udp:
enabled: "yes"
enabled: true
detection-ports:
dp: 53
http:
enabled: "yes"
enabled: true
libhtp:
default-config:
personality: IDS
@@ -260,43 +260,43 @@ suricata:
response-body-decompress-layer-limit: 2
http-body-inline: auto
swf-decompression:
enabled: "no"
enabled: false
type: both
compress-depth: 100 KiB
decompress-depth: 100 KiB
randomize-inspection-sizes: "yes"
randomize-inspection-sizes: true
randomize-inspection-range: 10
double-decode-path: "no"
double-decode-query: "no"
double-decode-path: false
double-decode-query: false
server-config:
modbus:
enabled: "yes"
enabled: true
detection-ports:
dp: 502
stream-depth: 0
dnp3:
enabled: "yes"
enabled: true
detection-ports:
dp: 20000
enip:
enabled: "yes"
enabled: true
detection-ports:
dp: 44818
sp: 44818
ntp:
enabled: "yes"
enabled: true
dhcp:
enabled: "yes"
enabled: true
sip:
enabled: "yes"
enabled: true
rfb:
enabled: 'yes'
enabled: true
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: 'no'
enabled: false
http2:
enabled: 'yes'
enabled: true
asn1-max-frames: 256
run-as:
user: suricata
@@ -312,8 +312,8 @@ suricata:
legacy:
uricontent: enabled
engine-analysis:
rules-fast-pattern: "yes"
rules: "yes"
rules-fast-pattern: true
rules: true
pcre:
match-limit: 3500
match-limit-recursion: 1500
@@ -336,7 +336,7 @@ suricata:
hash-size: 65536
trackers: 65535
max-frags: 65535
prealloc: "yes"
prealloc: true
timeout: 60
flow:
memcap: 128mb
@@ -380,14 +380,14 @@ suricata:
emergency-bypassed: 50
stream:
memcap: 64mb
checksum-validation: "yes"
checksum-validation: true
inline: auto
reassembly:
memcap: 256mb
depth: 1mb
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: "yes"
randomize-chunk-size: true
host:
hash-size: 4096
prealloc: 1000
@@ -432,38 +432,38 @@ suricata:
allow-restricted-functions: false
profiling:
rules:
enabled: "yes"
enabled: true
filename: rule_perf.log
append: "yes"
append: true
limit: 10
json: "yes"
json: true
keywords:
enabled: "yes"
enabled: true
filename: keyword_perf.log
append: "yes"
append: true
prefilter:
enabled: "yes"
enabled: true
filename: prefilter_perf.log
append: "yes"
append: true
rulegroups:
enabled: "yes"
enabled: true
filename: rule_group_perf.log
append: "yes"
append: true
packets:
enabled: "yes"
enabled: true
filename: packet_stats.log
append: "yes"
append: true
csv:
enabled: "no"
enabled: false
filename: packet_stats.csv
locks:
enabled: "no"
enabled: false
filename: lock_stats.log
append: "yes"
append: true
pcap-log:
enabled: "no"
enabled: false
filename: pcaplog_stats.log
append: "yes"
append: true
default-rule-path: /etc/suricata/rules
rule-files:
- all-rulesets.rules
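Review bot: The converted values are now YAML booleans rather than the strings "yes"/"no", so any consumer that compared against the old strings — a `{% if SURICATA.pcap.enabled == 'yes' %}`-style test or a state that interpolated the value directly into suricata.yaml — will now see `True`/`False`, and that consumer is not part of this two-file commit. Suricata's own option reader accepts true/false case-insensitively alongside yes/no, as far as I recall, so a rendered `True` should still be honoured; but a string comparison in the template would silently flip something like `pcap.enabled` or `eve-log.enabled`, which is a loss of capture or alert telemetry rather than a visible parse error, so the rendered suricata.yaml on a test node is worth diffing against the previous output. The top-level `enabled: False` in the first hunk is left in Python capitalization while every converted value is lowercase; `enabled: false` would keep the file consistent and satisfy yamllint's truthy rule.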


@@ -38,8 +38,9 @@ suricata:
description: Enable compression of Suricata PCAP files.
advanced: True
helpLink: suricata
lz4-checksum:
lz4-checksum:
description: Enable PCAP lz4 checksum.
forcedType: bool
advanced: True
helpLink: suricata
lz4-level:
@@ -56,11 +57,10 @@ suricata:
advanced: True
readonly: True
helpLink: suricata
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
use-stream-depth:
description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
forcedType: bool
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata
conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
@@ -85,15 +85,16 @@ suricata:
advanced: True
regex: ^(cluster_flow|cluster_qm)$
defrag:
description: Enable defragmentation of IP packets before processing.
forcedType: bool
advanced: True
regex: ^(yes|no)$
use-mmap:
advanced: True
readonly: True
mmap-locked:
description: Prevent swapping by locking the memory map.
forcedType: bool
advanced: True
regex: ^(yes|no)$
helpLink: suricata
threads:
description: The amount of worker threads.
@@ -117,9 +118,9 @@ suricata:
forcedType: int
helpLink: suricata
use-emergency-flush:
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
forcedType: bool
advanced: True
regex: ^(yes|no)$
helpLink: suricata
buffer-size:
description: Increasing the value of the receive buffer may improve performance.
@@ -127,30 +128,33 @@ suricata:
forcedType: int
helpLink: suricata
disable-promisc:
description: Promiscuous mode can be disabled by setting this to "yes".
description: Disable promiscuous mode on the capture interface.
forcedType: bool
advanced: True
regex: ^(yes|no)$
helpLink: suricata
checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation."
advanced: True
regex: ^(kernel|yes|no|auto)$
options:
- kernel
- "true"
- "false"
- auto
helpLink: suricata
threading:
set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
description: Bind or unbind management and worker threads to a core or range of cores.
forcedType: bool
helpLink: suricata
cpu-affinity:
management-cpu-set:
cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
forcedType: "[]string"
helpLink: suricata
worker-cpu-set:
cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
forcedType: "[]string"
helpLink: suricata
vars:
@@ -235,6 +239,7 @@ suricata:
xff:
enabled:
description: Enable X-Forward-For support.
forcedType: bool
helpLink: suricata
mode:
description: Operation mode. This should always be extra-data if you use PCAP.
@@ -274,8 +279,9 @@ suricata:
max-frags:
description: Max number of fragments to keep
helpLink: suricata
prealloc:
prealloc:
description: Preallocate memory.
forcedType: bool
helpLink: suricata
timeout:
description: Timeout value.
@@ -296,6 +302,7 @@ suricata:
helpLink: suricata
checksum-validation:
description: Validate checksum of packets.
forcedType: bool
helpLink: suricata
reassembly:
memcap: