convert suricata config yes/no to true/false

Josh Patterson
2026-03-19 16:41:17 -04:00
parent 3b269e8b82
commit 5c53244b54
2 changed files with 118 additions and 111 deletions
+92 -92
@@ -1,20 +1,20 @@
suricata: suricata:
enabled: False enabled: False
pcap: pcap:
enabled: "no" enabled: false
filesize: 1000mb filesize: 1000mb
maxsize: 25 maxsize: 25
compression: "none" compression: "none"
lz4-checksum: "no" lz4-checksum: false
lz4-level: 8 lz4-level: 8
filename: "%n/so-pcap.%t" filename: "%n/so-pcap.%t"
mode: "multi" mode: "multi"
use-stream-depth: "no" use-stream-depth: false
conditional: "all" conditional: "all"
dir: "/nsm/suripcap" dir: "/nsm/suripcap"
config: config:
threading: threading:
set-cpu-affinity: "no" set-cpu-affinity: false
cpu-affinity: cpu-affinity:
management-cpu-set: management-cpu-set:
cpu: cpu:
@@ -29,17 +29,17 @@ suricata:
interface: bond0 interface: bond0
cluster-id: 59 cluster-id: 59
cluster-type: cluster_flow cluster-type: cluster_flow
defrag: "yes" defrag: true
use-mmap: "yes" use-mmap: true
mmap-locked: "no" mmap-locked: false
threads: 1 threads: 1
tpacket-v3: "yes" tpacket-v3: true
ring-size: 5000 ring-size: 5000
block-size: 69632 block-size: 69632
block-timeout: 10 block-timeout: 10
use-emergency-flush: "yes" use-emergency-flush: true
buffer-size: 32768 buffer-size: 32768
disable-promisc: "no" disable-promisc: false
checksum-checks: kernel checksum-checks: kernel
vars: vars:
address-groups: address-groups:
@@ -105,15 +105,15 @@ suricata:
- 6081 - 6081
default-log-dir: /var/log/suricata/ default-log-dir: /var/log/suricata/
stats: stats:
enabled: "yes" enabled: true
interval: 30 interval: 30
outputs: outputs:
fast: fast:
enabled: "no" enabled: false
filename: fast.log filename: fast.log
append: "yes" append: true
eve-log: eve-log:
enabled: "yes" enabled: true
filetype: regular filetype: regular
filename: /nsm/eve-%Y-%m-%d-%H:%M.json filename: /nsm/eve-%Y-%m-%d-%H:%M.json
rotate-interval: hour rotate-interval: hour
@@ -122,104 +122,104 @@ suricata:
community-id-seed: 0 community-id-seed: 0
types: types:
alert: alert:
payload: "no" payload: false
payload-buffer-size: 4kb payload-buffer-size: 4kb
payload-printable: "yes" payload-printable: true
packet: "yes" packet: true
metadata: metadata:
app-layer: false app-layer: false
flow: false flow: false
rule: rule:
metadata: true metadata: true
raw: true raw: true
tagged-packets: "no" tagged-packets: false
xff: xff:
enabled: "no" enabled: false
mode: extra-data mode: extra-data
deployment: reverse deployment: reverse
header: X-Forwarded-For header: X-Forwarded-For
unified2-alert: unified2-alert:
enabled: "no" enabled: false
tls-store: tls-store:
enabled: "no" enabled: false
alert-debug: alert-debug:
enabled: "no" enabled: false
alert-prelude: alert-prelude:
enabled: "no" enabled: false
stats: stats:
enabled: "yes" enabled: true
filename: stats.log filename: stats.log
append: "yes" append: true
totals: "yes" totals: true
threads: "no" threads: false
null-values: "yes" null-values: true
drop: drop:
enabled: "no" enabled: false
file-store: file-store:
version: 2 version: 2
enabled: "no" enabled: false
xff: xff:
enabled: "no" enabled: false
mode: extra-data mode: extra-data
deployment: reverse deployment: reverse
header: X-Forwarded-For header: X-Forwarded-For
tcp-data: tcp-data:
enabled: "no" enabled: false
type: file type: file
filename: tcp-data.log filename: tcp-data.log
http-body-data: http-body-data:
enabled: "no" enabled: false
type: file type: file
filename: http-data.log filename: http-data.log
lua: lua:
enabled: "no" enabled: false
scripts: scripts:
logging: logging:
default-log-level: notice default-log-level: notice
outputs: outputs:
- console: - console:
enabled: "yes" enabled: true
- file: - file:
enabled: "yes" enabled: true
level: info level: info
filename: suricata.log filename: suricata.log
- syslog: - syslog:
enabled: "no" enabled: false
facility: local5 facility: local5
format: "[%i] <%d> -- " format: "[%i] <%d> -- "
app-layer: app-layer:
protocols: protocols:
krb5: krb5:
enabled: "yes" enabled: true
snmp: snmp:
enabled: "yes" enabled: true
ikev2: ikev2:
enabled: "yes" enabled: true
tls: tls:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 443 dp: 443
ja3-fingerprints: auto ja3-fingerprints: auto
ja4-fingerprints: auto ja4-fingerprints: auto
encryption-handling: track-only encryption-handling: track-only
dcerpc: dcerpc:
enabled: "yes" enabled: true
ftp: ftp:
enabled: "yes" enabled: true
rdp: rdp:
enabled: "yes" enabled: true
ssh: ssh:
enabled: "yes" enabled: true
smtp: smtp:
enabled: "yes" enabled: true
raw-extraction: "no" raw-extraction: false
mime: mime:
decode-mime: "yes" decode-mime: true
decode-base64: "yes" decode-base64: true
decode-quoted-printable: "yes" decode-quoted-printable: true
header-value-depth: 2000 header-value-depth: 2000
extract-urls: "yes" extract-urls: true
body-md5: "no" body-md5: false
inspected-tracker: inspected-tracker:
content-limit: 100000 content-limit: 100000
content-inspect-min-size: 32768 content-inspect-min-size: 32768
@@ -227,27 +227,27 @@ suricata:
imap: imap:
enabled: detection-only enabled: detection-only
smb: smb:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 139, 445 dp: 139, 445
nfs: nfs:
enabled: "yes" enabled: true
tftp: tftp:
enabled: "yes" enabled: true
dns: dns:
global-memcap: 16mb global-memcap: 16mb
state-memcap: 512kb state-memcap: 512kb
request-flood: 500 request-flood: 500
tcp: tcp:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 53 dp: 53
udp: udp:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 53 dp: 53
http: http:
enabled: "yes" enabled: true
libhtp: libhtp:
default-config: default-config:
personality: IDS personality: IDS
@@ -260,43 +260,43 @@ suricata:
response-body-decompress-layer-limit: 2 response-body-decompress-layer-limit: 2
http-body-inline: auto http-body-inline: auto
swf-decompression: swf-decompression:
enabled: "no" enabled: false
type: both type: both
compress-depth: 100 KiB compress-depth: 100 KiB
decompress-depth: 100 KiB decompress-depth: 100 KiB
randomize-inspection-sizes: "yes" randomize-inspection-sizes: true
randomize-inspection-range: 10 randomize-inspection-range: 10
double-decode-path: "no" double-decode-path: false
double-decode-query: "no" double-decode-query: false
server-config: server-config:
modbus: modbus:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 502 dp: 502
stream-depth: 0 stream-depth: 0
dnp3: dnp3:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 20000 dp: 20000
enip: enip:
enabled: "yes" enabled: true
detection-ports: detection-ports:
dp: 44818 dp: 44818
sp: 44818 sp: 44818
ntp: ntp:
enabled: "yes" enabled: true
dhcp: dhcp:
enabled: "yes" enabled: true
sip: sip:
enabled: "yes" enabled: true
rfb: rfb:
enabled: 'yes' enabled: true
detection-ports: detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt: mqtt:
enabled: 'no' enabled: false
http2: http2:
enabled: 'yes' enabled: true
asn1-max-frames: 256 asn1-max-frames: 256
run-as: run-as:
user: suricata user: suricata
@@ -312,8 +312,8 @@ suricata:
legacy: legacy:
uricontent: enabled uricontent: enabled
engine-analysis: engine-analysis:
rules-fast-pattern: "yes" rules-fast-pattern: true
rules: "yes" rules: true
pcre: pcre:
match-limit: 3500 match-limit: 3500
match-limit-recursion: 1500 match-limit-recursion: 1500
@@ -336,7 +336,7 @@ suricata:
hash-size: 65536 hash-size: 65536
trackers: 65535 trackers: 65535
max-frags: 65535 max-frags: 65535
prealloc: "yes" prealloc: true
timeout: 60 timeout: 60
flow: flow:
memcap: 128mb memcap: 128mb
@@ -380,14 +380,14 @@ suricata:
emergency-bypassed: 50 emergency-bypassed: 50
stream: stream:
memcap: 64mb memcap: 64mb
checksum-validation: "yes" checksum-validation: true
inline: auto inline: auto
reassembly: reassembly:
memcap: 256mb memcap: 256mb
depth: 1mb depth: 1mb
toserver-chunk-size: 2560 toserver-chunk-size: 2560
toclient-chunk-size: 2560 toclient-chunk-size: 2560
randomize-chunk-size: "yes" randomize-chunk-size: true
host: host:
hash-size: 4096 hash-size: 4096
prealloc: 1000 prealloc: 1000
@@ -432,38 +432,38 @@ suricata:
allow-restricted-functions: false allow-restricted-functions: false
profiling: profiling:
rules: rules:
enabled: "yes" enabled: true
filename: rule_perf.log filename: rule_perf.log
append: "yes" append: true
limit: 10 limit: 10
json: "yes" json: true
keywords: keywords:
enabled: "yes" enabled: true
filename: keyword_perf.log filename: keyword_perf.log
append: "yes" append: true
prefilter: prefilter:
enabled: "yes" enabled: true
filename: prefilter_perf.log filename: prefilter_perf.log
append: "yes" append: true
rulegroups: rulegroups:
enabled: "yes" enabled: true
filename: rule_group_perf.log filename: rule_group_perf.log
append: "yes" append: true
packets: packets:
enabled: "yes" enabled: true
filename: packet_stats.log filename: packet_stats.log
append: "yes" append: true
csv: csv:
enabled: "no" enabled: false
filename: packet_stats.csv filename: packet_stats.csv
locks: locks:
enabled: "no" enabled: false
filename: lock_stats.log filename: lock_stats.log
append: "yes" append: true
pcap-log: pcap-log:
enabled: "no" enabled: false
filename: pcaplog_stats.log filename: pcaplog_stats.log
append: "yes" append: true
default-rule-path: /etc/suricata/rules default-rule-path: /etc/suricata/rules
rule-files: rule-files:
- all-rulesets.rules - all-rulesets.rules
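Review bot: Switching these pillar values from the strings `"yes"`/`"no"` to YAML booleans changes what the Suricata config template receives, and nothing in this file shows how that template serializes a Python bool; a plain `{{ value }}` renders `True`/`False`, whereas a YAML/JSON filter renders `true`/`false`, so the rendered suricata.yaml on a node should be checked (e.g. with `suricata -T`) before relying on keys such as `defrag`, `checksum-validation` or `prealloc` being honoured rather than falling back to engine defaults. Keys Suricata reads as non-boolean strings (`checksum-checks: kernel`, `inline: auto`, `http-body-inline: auto`, `enabled: detection-only`) are correctly left untouched here; any future bool conversion should keep skipping those tri-state keys. As a point of style, the top-level `enabled: False` in the first hunk remains title-cased while every converted Suricata key now uses lowercase `false`; if that key is meant as a YAML boolean too, `enabled: false` would keep the file consistent.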
+26 -19
@@ -38,8 +38,9 @@ suricata:
description: Enable compression of Suricata PCAP files. description: Enable compression of Suricata PCAP files.
advanced: True advanced: True
helpLink: suricata helpLink: suricata
lz4-checksum: lz4-checksum:
description: Enable PCAP lz4 checksum. description: Enable PCAP lz4 checksum.
forcedType: bool
advanced: True advanced: True
helpLink: suricata helpLink: suricata
lz4-level: lz4-level:
@@ -56,11 +57,10 @@ suricata:
advanced: True advanced: True
readonly: True readonly: True
helpLink: suricata helpLink: suricata
use-stream-depth: use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth. description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
forcedType: bool
advanced: True advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata helpLink: suricata
conditional: conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
@@ -85,15 +85,16 @@ suricata:
advanced: True advanced: True
regex: ^(cluster_flow|cluster_qm)$ regex: ^(cluster_flow|cluster_qm)$
defrag: defrag:
description: Enable defragmentation of IP packets before processing.
forcedType: bool
advanced: True advanced: True
regex: ^(yes|no)$
use-mmap: use-mmap:
advanced: True advanced: True
readonly: True readonly: True
mmap-locked: mmap-locked:
description: Prevent swapping by locking the memory map. description: Prevent swapping by locking the memory map.
forcedType: bool
advanced: True advanced: True
regex: ^(yes|no)$
helpLink: suricata helpLink: suricata
threads: threads:
description: The amount of worker threads. description: The amount of worker threads.
@@ -117,9 +118,9 @@ suricata:
forcedType: int forcedType: int
helpLink: suricata helpLink: suricata
use-emergency-flush: use-emergency-flush:
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
forcedType: bool
advanced: True advanced: True
regex: ^(yes|no)$
helpLink: suricata helpLink: suricata
buffer-size: buffer-size:
description: Increasing the value of the receive buffer may improve performance. description: Increasing the value of the receive buffer may improve performance.
@@ -127,30 +128,33 @@ suricata:
forcedType: int forcedType: int
helpLink: suricata helpLink: suricata
disable-promisc: disable-promisc:
description: Promiscuous mode can be disabled by setting this to "yes". description: Disable promiscuous mode on the capture interface.
forcedType: bool
advanced: True advanced: True
regex: ^(yes|no)$
helpLink: suricata helpLink: suricata
checksum-checks: checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation."
advanced: True advanced: True
regex: ^(kernel|yes|no|auto)$ options:
- kernel
- "true"
- "false"
- auto
helpLink: suricata helpLink: suricata
threading: threading:
set-cpu-affinity: set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. description: Bind or unbind management and worker threads to a core or range of cores.
regex: ^(yes|no)$ forcedType: bool
regexFailureMessage: You must enter either yes or no.
helpLink: suricata helpLink: suricata
cpu-affinity: cpu-affinity:
management-cpu-set: management-cpu-set:
cpu: cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
forcedType: "[]string" forcedType: "[]string"
helpLink: suricata helpLink: suricata
worker-cpu-set: worker-cpu-set:
cpu: cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
forcedType: "[]string" forcedType: "[]string"
helpLink: suricata helpLink: suricata
vars: vars:
@@ -235,6 +239,7 @@ suricata:
xff: xff:
enabled: enabled:
description: Enable X-Forward-For support. description: Enable X-Forward-For support.
forcedType: bool
helpLink: suricata helpLink: suricata
mode: mode:
description: Operation mode. This should always be extra-data if you use PCAP. description: Operation mode. This should always be extra-data if you use PCAP.
@@ -274,8 +279,9 @@ suricata:
max-frags: max-frags:
description: Max number of fragments to keep description: Max number of fragments to keep
helpLink: suricata helpLink: suricata
prealloc: prealloc:
description: Preallocate memory. description: Preallocate memory.
forcedType: bool
helpLink: suricata helpLink: suricata
timeout: timeout:
description: Timeout value. description: Timeout value.
@@ -296,6 +302,7 @@ suricata:
helpLink: suricata helpLink: suricata
checksum-validation: checksum-validation:
description: Validate checksum of packets. description: Validate checksum of packets.
forcedType: bool
helpLink: suricata helpLink: suricata
reassembly: reassembly:
memcap: memcap:
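Review bot: The new `checksum-checks` description in the `@@ -127,30 +128,33 @@` hunk drops the explanation of what each option does at the same time as an `options` list of `kernel`, `"true"`, `"false"`, `auto` is introduced, leaving the user to pick from four unexplained values; the previous text can be folded back in, e.g. `description: "Checksum verification mode for the interface. kernel: rely on per-packet indications from the kernel (default); true: enforce validation; false: disable validation; auto: detect checksum offloading statistically. Some packets may show invalid checksums when the NIC computes them."`. Replacing `regex: ^(yes|no)$` with `forcedType: bool` also changes the accepted type for keys such as `use-stream-depth`, `defrag`, `mmap-locked`, `use-emergency-flush`, `disable-promisc` and `set-cpu-affinity`, so any existing per-node or local pillar overrides that still hold the string form `"yes"`/`"no"` will presumably no longer satisfy the annotation; it is worth confirming how the config editor treats those stored values, since a rejected or mis-typed override for a key like `defrag` or `checksum-validation` silently alters what the sensor inspects. The `cpu` descriptions in the same hunk still carry the typo `sigle` on the new side; `single` would fix both occurrences.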