From 5c53244b54b7d491fcda253f38595bf219f69f7a Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 16:41:17 -0400 Subject: [PATCH] convert suricata config yes/no to true/false --- salt/suricata/defaults.yaml | 184 ++++++++++++++++---------------- salt/suricata/soc_suricata.yaml | 45 ++++---- 2 files changed, 118 insertions(+), 111 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 811053cd0..818a7bf89 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -1,20 +1,20 @@ suricata: enabled: False pcap: - enabled: "no" + enabled: false filesize: 1000mb maxsize: 25 compression: "none" - lz4-checksum: "no" + lz4-checksum: false lz4-level: 8 filename: "%n/so-pcap.%t" mode: "multi" - use-stream-depth: "no" + use-stream-depth: false conditional: "all" dir: "/nsm/suripcap" config: threading: - set-cpu-affinity: "no" + set-cpu-affinity: false cpu-affinity: management-cpu-set: cpu: @@ -29,17 +29,17 @@ suricata: interface: bond0 cluster-id: 59 cluster-type: cluster_flow - defrag: "yes" - use-mmap: "yes" - mmap-locked: "no" + defrag: true + use-mmap: true + mmap-locked: false threads: 1 - tpacket-v3: "yes" + tpacket-v3: true ring-size: 5000 block-size: 69632 block-timeout: 10 - use-emergency-flush: "yes" + use-emergency-flush: true buffer-size: 32768 - disable-promisc: "no" + disable-promisc: false checksum-checks: kernel vars: address-groups: @@ -105,15 +105,15 @@ suricata: - 6081 default-log-dir: /var/log/suricata/ stats: - enabled: "yes" + enabled: true interval: 30 outputs: fast: - enabled: "no" + enabled: false filename: fast.log - append: "yes" + append: true eve-log: - enabled: "yes" + enabled: true filetype: regular filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour 
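Review bot: The values in this hunk change from quoted strings, which Salt would have passed into the rendered suricata.yaml verbatim as `yes`/`no`, to native YAML booleans, so the spelling Suricata actually sees now depends on the template that renders the pillar (a Python bool rendered through Jinja prints as `True`/`False`, not `true`/`false`). Suricata's config reader treats `true`/`false` as synonyms of `yes`/`no`, as far as I recall case-insensitively, so this is most likely fine, but the rendered suricata.yaml on a test node should be diffed before and after the change, because a value the reader does not recognise as a boolean would only surface at service start-up. The same applies to every other defaults.yaml hunk in this commit (the af-packet, stats/outputs, app-layer, engine-analysis, defrag, stream and profiling hunks). A smaller point of style: the hunk's first context line still reads `enabled: False` while the new lines use lowercase `false`; one spelling file-wide, `enabled: false`, would be cleaner.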
@@ -122,104 +122,104 @@ suricata: community-id-seed: 0 types: alert: - payload: "no" + payload: false payload-buffer-size: 4kb - payload-printable: "yes" - packet: "yes" + payload-printable: true + packet: true metadata: app-layer: false flow: false rule: metadata: true raw: true - tagged-packets: "no" + tagged-packets: false xff: - enabled: "no" + enabled: false mode: extra-data deployment: reverse header: X-Forwarded-For unified2-alert: - enabled: "no" + enabled: false tls-store: - enabled: "no" + enabled: false alert-debug: - enabled: "no" + enabled: false alert-prelude: - enabled: "no" + enabled: false stats: - enabled: "yes" + enabled: true filename: stats.log - append: "yes" - totals: "yes" - threads: "no" - null-values: "yes" + append: true + totals: true + threads: false + null-values: true drop: - enabled: "no" + enabled: false file-store: version: 2 - enabled: "no" + enabled: false xff: - enabled: "no" + enabled: false mode: extra-data deployment: reverse header: X-Forwarded-For tcp-data: - enabled: "no" + enabled: false type: file filename: tcp-data.log http-body-data: - enabled: "no" + enabled: false type: file filename: http-data.log lua: - enabled: "no" + enabled: false scripts: logging: default-log-level: notice outputs: - console: - enabled: "yes" + enabled: true - file: - enabled: "yes" + enabled: true level: info filename: suricata.log - syslog: - enabled: "no" + enabled: false facility: local5 format: "[%i] <%d> -- " app-layer: protocols: krb5: - enabled: "yes" + enabled: true snmp: - enabled: "yes" + enabled: true ikev2: - enabled: "yes" + enabled: true tls: - enabled: "yes" + enabled: true detection-ports: dp: 443 ja3-fingerprints: auto ja4-fingerprints: auto encryption-handling: track-only dcerpc: - enabled: "yes" + enabled: true ftp: - enabled: "yes" + enabled: true rdp: - enabled: "yes" + enabled: true ssh: - enabled: "yes" + enabled: true smtp: - enabled: "yes" - raw-extraction: "no" + enabled: true + raw-extraction: false mime: - 
decode-mime: "yes" - decode-base64: "yes" - decode-quoted-printable: "yes" + decode-mime: true + decode-base64: true + decode-quoted-printable: true header-value-depth: 2000 - extract-urls: "yes" - body-md5: "no" + extract-urls: true + body-md5: false inspected-tracker: content-limit: 100000 content-inspect-min-size: 32768 @@ -227,27 +227,27 @@ suricata: imap: enabled: detection-only smb: - enabled: "yes" + enabled: true detection-ports: dp: 139, 445 nfs: - enabled: "yes" + enabled: true tftp: - enabled: "yes" + enabled: true dns: global-memcap: 16mb state-memcap: 512kb request-flood: 500 tcp: - enabled: "yes" + enabled: true detection-ports: dp: 53 udp: - enabled: "yes" + enabled: true detection-ports: dp: 53 http: - enabled: "yes" + enabled: true libhtp: default-config: personality: IDS @@ -260,43 +260,43 @@ suricata: response-body-decompress-layer-limit: 2 http-body-inline: auto swf-decompression: - enabled: "no" + enabled: false type: both compress-depth: 100 KiB decompress-depth: 100 KiB - randomize-inspection-sizes: "yes" + randomize-inspection-sizes: true randomize-inspection-range: 10 - double-decode-path: "no" - double-decode-query: "no" + double-decode-path: false + double-decode-query: false server-config: modbus: - enabled: "yes" + enabled: true detection-ports: dp: 502 stream-depth: 0 dnp3: - enabled: "yes" + enabled: true detection-ports: dp: 20000 enip: - enabled: "yes" + enabled: true detection-ports: dp: 44818 sp: 44818 ntp: - enabled: "yes" + enabled: true dhcp: - enabled: "yes" + enabled: true sip: - enabled: "yes" + enabled: true rfb: - enabled: 'yes' + enabled: true detection-ports: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 mqtt: - enabled: 'no' + enabled: false http2: - enabled: 'yes' + enabled: true asn1-max-frames: 256 run-as: user: suricata 
@@ -312,8 +312,8 @@ suricata: legacy: uricontent: enabled engine-analysis: - rules-fast-pattern: "yes" - rules: "yes" + rules-fast-pattern: true + rules: true pcre: match-limit: 3500 match-limit-recursion: 1500 @@ -336,7 +336,7 @@ suricata: hash-size: 65536 trackers: 65535 max-frags: 65535 - prealloc: "yes" + prealloc: true timeout: 60 flow: memcap: 128mb @@ -380,14 +380,14 @@ suricata: emergency-bypassed: 50 stream: memcap: 64mb - checksum-validation: "yes" + checksum-validation: true inline: auto reassembly: memcap: 256mb depth: 1mb toserver-chunk-size: 2560 toclient-chunk-size: 2560 - randomize-chunk-size: "yes" + randomize-chunk-size: true host: hash-size: 4096 prealloc: 1000 @@ -432,38 +432,38 @@ suricata: allow-restricted-functions: false profiling: rules: - enabled: "yes" + enabled: true filename: rule_perf.log - append: "yes" + append: true limit: 10 - json: "yes" + json: true keywords: - enabled: "yes" + enabled: true filename: keyword_perf.log - append: "yes" + append: true prefilter: - enabled: "yes" + enabled: true filename: prefilter_perf.log - append: "yes" + append: true rulegroups: - enabled: "yes" + enabled: true filename: rule_group_perf.log - append: "yes" + append: true packets: - enabled: "yes" + enabled: true filename: packet_stats.log - append: "yes" + append: true csv: - enabled: "no" + enabled: false filename: packet_stats.csv locks: - enabled: "no" + enabled: false filename: lock_stats.log - append: "yes" + append: true pcap-log: - enabled: "no" + enabled: false filename: pcaplog_stats.log - append: "yes" + append: true default-rule-path: /etc/suricata/rules rule-files: - all-rulesets.rules diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 34399fc7a..6a1a78f54 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -38,8 +38,9 @@ suricata: description: Enable compression of Suricata PCAP files. advanced: True helpLink: suricata - lz4-checksum: + lz4-checksum: description: Enable PCAP lz4 checksum. + forcedType: bool advanced: True helpLink: suricata lz4-level: @@ -56,11 +57,10 @@ suricata: advanced: True readonly: True helpLink: suricata - use-stream-depth: - description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth. + use-stream-depth: + description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth. + forcedType: bool advanced: True - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. helpLink: suricata conditional: description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. @@ -85,15 +85,16 @@ suricata: advanced: True regex: ^(cluster_flow|cluster_qm)$ defrag: + description: Enable defragmentation of IP packets before processing. + forcedType: bool advanced: True - regex: ^(yes|no)$ use-mmap: advanced: True readonly: True mmap-locked: description: Prevent swapping by locking the memory map. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata threads: description: The amount of worker threads. 
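Review bot: `forcedType: bool` is what now stands in for the removed `regex: ^(yes|no)$` guard, and this hunk and the two after it (`use-stream-depth`, `defrag`/`mmap-locked`) add it only for keys whose soc entry is touched here. defaults.yaml in this same commit also converts keys such as `tpacket-v3`, `stats.enabled`, the `outputs.*.enabled`/`append` keys and the `profiling.*` keys; if any of those has an existing entry in this file that still carries a `regex: ^(yes|no)$` or a free-text input, the new boolean default will be presented as `true` and either rejected or saved back as a string, so each converted key's entry should be checked for a matching `forcedType: bool`. `use-mmap` is left without one but is marked `readonly: True`, which looks intentional.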
@@ -117,9 +118,9 @@ suricata: forcedType: int helpLink: suricata use-emergency-flush: - description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata buffer-size: description: Increasing the value of the receive buffer may improve performance. 
@@ -127,30 +128,33 @@ suricata: forcedType: int helpLink: suricata disable-promisc: - description: Promiscuous mode can be disabled by setting this to "yes". + description: Disable promiscuous mode on the capture interface. + forcedType: bool advanced: True - regex: ^(yes|no)$ helpLink: suricata checksum-checks: - description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." + description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation." advanced: True - regex: ^(kernel|yes|no|auto)$ + options: + - kernel + - "true" + - "false" + - auto helpLink: suricata threading: set-cpu-affinity: - description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. - regex: ^(yes|no)$ - regexFailureMessage: You must enter either yes or no. + description: Bind or unbind management and worker threads to a core or range of cores. + forcedType: bool helpLink: suricata cpu-affinity: management-cpu-set: cpu: - description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. 
forcedType: "[]string" helpLink: suricata worker-cpu-set: cpu: - description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. + description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used. forcedType: "[]string" helpLink: suricata vars: @@ -235,6 +239,7 @@ suricata: xff: enabled: description: Enable X-Forward-For support. + forcedType: bool helpLink: suricata mode: description: Operation mode. This should always be extra-data if you use PCAP. @@ -274,8 +279,9 @@ suricata: max-frags: description: Max number of fragments to keep helpLink: suricata - prealloc: + prealloc: description: Preallocate memory. + forcedType: bool helpLink: suricata timeout: description: Timeout value. @@ -296,6 +302,7 @@ suricata: helpLink: suricata checksum-validation: description: Validate checksum of packets. + forcedType: bool helpLink: suricata reassembly: memcap:
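Review bot: Both rewritten `cpu` descriptions in this hunk keep the typo `sigle core`; since those lines are being changed anyway, `This can be a single core, list of cores, or list of range of cores.` The `checksum-checks` description also loses the explanation of what each option does when the `regex` is replaced by the `options` list, so a reader of the UI now sees `kernel`/`true`/`false`/`auto` with no meaning attached. I would keep the per-option text in the description, reworded for the new values: `'kernel': relies on the indication the kernel gives for each packet (default). 'true': always validate checksums. 'false': never validate checksums. 'auto': Suricata detects checksum offloading statistically.` Quoting `"true"`/`"false"` in the options list is right, since this key is a string enum rather than a bool, but whether the options widget enforces the list server-side the way the old regex did is not visible in this file and is worth confirming.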