Merge remote-tracking branch 'origin/3/dev' into delta

This commit is contained in:
Josh Patterson
2026-03-18 13:05:02 -04:00
33 changed files with 802 additions and 776 deletions
+61 -61
@@ -1,7 +1,7 @@
suricata:
enabled:
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
helpLink: suricata.html
helpLink: suricata
thresholding:
sids__yaml:
description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules.
@@ -10,7 +10,7 @@ suricata:
global: True
multiline: True
title: SIDS
helpLink: suricata.html
helpLink: suricata
readonlyUi: True
advanced: True
classification:
@@ -20,64 +20,64 @@ suricata:
global: True
multiline: True
title: Classifications
helpLink: suricata.html
helpLink: suricata
pcap:
enabled:
description: Enables or disables the Suricata packet recording process.
forcedType: bool
helpLink: suricata.html
helpLink: suricata
filesize:
description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
advanced: True
helpLink: suricata.html
helpLink: suricata
maxsize:
description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
helpLink: suricata.html
helpLink: suricata
compression:
description: Enable compression of Suricata PCAP files.
advanced: True
helpLink: suricata.html
helpLink: suricata
lz4-checksum:
description: Enable PCAP lz4 checksum.
advanced: True
helpLink: suricata.html
helpLink: suricata
lz4-level:
description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
advanced: True
helpLink: suricata.html
helpLink: suricata
filename:
description: Filename output for Suricata PCAP files.
advanced: True
readonly: True
helpLink: suricata.html
helpLink: suricata
mode:
description: Suricata PCAP mode. Currently only multi is supported.
advanced: True
readonly: True
helpLink: suricata.html
helpLink: suricata
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
helpLink: suricata
conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
regex: ^(all|alerts|tag)$
regexFailureMessage: You must enter either all, alert or tag.
helpLink: suricata.html
helpLink: suricata
dir:
description: Parent directory to store PCAP.
advanced: True
readonly: True
helpLink: suricata.html
helpLink: suricata
config:
af-packet:
interface:
description: The network interface that Suricata will monitor. This is set under sensor > interface.
advanced: True
readonly: True
helpLink: suricata.html
helpLink: suricata
cluster-id:
advanced: True
cluster-type:
@@ -93,10 +93,10 @@ suricata:
description: Prevent swapping by locking the memory map.
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
helpLink: suricata
threads:
description: The amount of worker threads.
helpLink: suricata.html
helpLink: suricata
forcedType: int
tpacket-v3:
advanced: True
@@ -104,54 +104,54 @@ suricata:
ring-size:
description: Buffer size for packets per thread.
forcedType: int
helpLink: suricata.html
helpLink: suricata
block-size:
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
advanced: True
forcedType: int
helpLink: suricata.html
helpLink: suricata
block-timeout:
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
advanced: True
forcedType: int
helpLink: suricata.html
helpLink: suricata
use-emergency-flush:
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
helpLink: suricata
buffer-size:
description: Increasing the value of the receive buffer may improve performance.
advanced: True
forcedType: int
helpLink: suricata.html
helpLink: suricata
disable-promisc:
description: Promiscuous mode can be disabled by setting this to "yes".
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
helpLink: suricata
checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
advanced: True
regex: ^(kernel|yes|no|auto)$
helpLink: suricata.html
helpLink: suricata
threading:
set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
helpLink: suricata
cpu-affinity:
management-cpu-set:
cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata.html
helpLink: suricata
worker-cpu-set:
cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata.html
helpLink: suricata
vars:
address-groups:
HOME_NET:
@@ -160,12 +160,12 @@ suricata:
regexFailureMessage: You must enter a valid IP address or CIDR.
forcedType: "[]string"
duplicates: True
helpLink: suricata.html
helpLink: suricata
EXTERNAL_NET: &suriaddressgroup
description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
forcedType: "[]string"
duplicates: True
helpLink: suricata.html
helpLink: suricata
HTTP_SERVERS: *suriaddressgroup
SMTP_SERVERS: *suriaddressgroup
SQL_SERVERS: *suriaddressgroup
@@ -184,7 +184,7 @@ suricata:
description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
forcedType: "[]string"
duplicates: True
helpLink: suricata.html
helpLink: suricata
SHELLCODE_PORTS: *suriportgroup
ORACLE_PORTS: *suriportgroup
SSH_PORTS: *suriportgroup
@@ -203,104 +203,104 @@ suricata:
xff:
enabled:
description: Enable X-Forward-For support.
helpLink: suricata.html
helpLink: suricata
mode:
description: Operation mode. This should always be extra-data if you use PCAP.
helpLink: suricata.html
helpLink: suricata
deployment:
description: forward would use the first IP address and reverse would use the last.
helpLink: suricata.html
helpLink: suricata
header:
description: Header name where the actual IP address will be reported.
helpLink: suricata.html
helpLink: suricata
asn1-max-frames:
description: Maximum nuber of asn1 frames to decode.
helpLink: suricata.html
helpLink: suricata
max-pending-packets:
description: Number of packets preallocated per thread.
helpLink: suricata.html
helpLink: suricata
default-packet-size:
description: Preallocated size for each packet.
helpLink: suricata.html
helpLink: suricata
pcre:
match-limit:
description: Match limit for PCRE.
helpLink: suricata.html
helpLink: suricata
match-limit-recursion:
description: Recursion limit for PCRE.
helpLink: suricata.html
helpLink: suricata
defrag:
memcap:
description: Max memory to use for defrag. You should only change this if you know what you are doing.
helpLink: suricata.html
helpLink: suricata
hash-size:
description: Hash size
helpLink: suricata.html
helpLink: suricata
trackers:
description: Number of defragmented flows to follow.
helpLink: suricata.html
helpLink: suricata
max-frags:
description: Max number of fragments to keep
helpLink: suricata.html
helpLink: suricata
prealloc:
description: Preallocate memory.
helpLink: suricata.html
helpLink: suricata
timeout:
description: Timeout value.
helpLink: suricata.html
helpLink: suricata
flow:
memcap:
description: Reserverd memory for flows.
helpLink: suricata.html
helpLink: suricata
hash-size:
description: Determines the size of the hash used to identify flows inside the engine.
helpLink: suricata.html
helpLink: suricata
prealloc:
description: Number of preallocated flows.
helpLink: suricata.html
helpLink: suricata
stream:
memcap:
description: Can be specified in kb,mb,gb.
helpLink: suricata.html
helpLink: suricata
checksum-validation:
description: Validate checksum of packets.
helpLink: suricata.html
helpLink: suricata
reassembly:
memcap:
description: Can be specified in kb,mb,gb.
helpLink: suricata.html
helpLink: suricata
depth:
description: Controls how far into a stream that reassembly is done.
helpLink: suricata.html
helpLink: suricata
host:
hash-size:
description: Hash size in bytes.
helpLink: suricata.html
helpLink: suricata
prealloc:
description: How many streams to preallocate.
helpLink: suricata.html
helpLink: suricata
memcap:
description: Memory settings for host.
helpLink: suricata.html
helpLink: suricata
decoder:
teredo:
enabled:
description: Enable TEREDO capabilities
helpLink: suricata.html
helpLink: suricata
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
helpLink: suricata
vxlan:
enabled:
description: Enable VXLAN capabilities.
helpLink: suricata.html
helpLink: suricata
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
helpLink: suricata
geneve:
enabled:
description: Enable VXLAN capabilities.
helpLink: suricata.html
helpLink: suricata
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
helpLink: suricata
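Review bot: The `conditional` setting under `pcap` (third hunk, context lines around the `^(all|alerts|tag)$` regex) carries a failure message that does not match its own validator: the regex accepts `alerts`, but the message tells the operator to enter `alert`, so a user following the message will be rejected; change it to `regexFailureMessage: You must enter either all, alerts or tag.`. The same hunks also show a few user-facing description strings worth correcting while this file is being touched: "sigle" in both `cpu` descriptions, "nuber" under `asn1-max-frames`, "Reserverd" under `flow.memcap`, and the `geneve.enabled` description that says "Enable VXLAN capabilities." where GENEVE is presumably meant. The new `helpLink: suricata` values drop the `.html` suffix everywhere, which appears to assume the consumer now resolves a bare page key into a URL rather than using the value verbatim; if that resolver is introduced in another file of this merge, a one-line comment above the first `helpLink` such as `# helpLink is a documentation page key, not a filename; the UI resolves it to a URL` would keep the next editor from re-adding the extension.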