CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-14 22:28:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/3/dev' into delta

Browse Source
This commit is contained in:
Josh Patterson
2026-03-18 13:05:02 -04:00
parent 738ce62d35 20c4da50b1
commit 74ad2990a7
33 changed files with 802 additions and 776 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/zeek/soc_zeek.yaml
+18 -18
View File
@@ -1,32 +1,32 @@
zeek:
enabled:
description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
helpLink: zeek.html
helpLink: zeek
ja4plus_enabled:
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
forcedType: bool
helpLink: zeek.html
helpLink: zeek
config:
local:
load:
description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
helpLink: zeek
load-sigs:
description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
helpLink: zeek
redef:
description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
advanced: True
helpLink: zeek.html
helpLink: zeek
networks:
HOME_NET:
description: List of IP or CIDR blocks to define as the HOME_NET.
forcedType: "[]string"
advanced: False
helpLink: zeek.html
helpLink: zeek
multiline: True
regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -34,13 +34,13 @@ zeek:
lb_procs:
description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
title: workers
helpLink: zeek.html
helpLink: zeek
node: True
pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs.
title: cpu affinity enabled
forcedType: bool
helpLink: zeek.html
helpLink: zeek
node: True
advanced: True
pins:
@@ -48,61 +48,61 @@ zeek:
title: cpu affinity
multiline: True
forcedType: "[]string"
helpLink: zeek.html
helpLink: zeek
node: True
advanced: True
zeekctl:
CompressLogs:
description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
helpLink: zeek.html
helpLink: zeek
policy:
custom:
filters:
conn:
description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
duplicates: True
dns:
description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
duplicates: True
files:
description: Files Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
duplicates: True
httphost:
description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
duplicates: True
httpuri:
description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
duplicates: True
ssl:
description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
duplicates: True
tunnel:
description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
helpLink: zeek
file: True
global: True
advanced: True
@@ -110,4 +110,4 @@ zeek:
file_extraction:
description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
forcedType: "[]{}"
helpLink: zeek.html
helpLink: zeek