Defaults and Annotations

2025-12-06 09:12:45 +01:00 · 2024-01-25 09:59:26 -05:00
parent d2d70d1c5b
commit 762a3bea17
2 changed files with 60 additions and 0 deletions
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -128,6 +128,16 @@ suricata:
        enabled: "no"
      pcap-log:
        enabled: "no"
+        compression: "none"
+        lz4-checksum: "no"
+        lz4-level: 8
+        filename: "%n/so-pcap.%t"
+        limit: "1000mb"
+        mode: "multi"
+        max-files: 10
+        use-stream-depth: "no"
+        conditional: "all"
+        dir: "/nsm/pcap"
      alert-debug:
        enabled: "no"
      alert-prelude:
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -153,6 +153,53 @@ suricata:
              header:
                description: Header name where the actual IP address will be reported.
                helpLink: suricata.html
+      pcap-log:
+        enabled:
+          description: Enable Suricata to collect PCAP.
+          helpLink: suricata.html
+        compression: 
+          description: Enable compression of Suricata PCAP. Currently unsupported
+          advanced: True
+          readonly: True
+          helpLink: suricata.html
+        lz4-checksum: 
+          description: Enable PCAP lz4 checksum. Currently unsupported
+          advanced: True
+          readonly: True
+          helpLink: suricata.html
+        lz4-level: 
+          description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
+          advanced: True
+          readonly: True
+          helpLink: suricata.html
+        filename:
+          description: Filename output for Suricata PCAP.
+          advanced: True
+          readonly: True
+          helpLink: suricata.html
+        limit:
+          description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit.
+          helpLink: suricata.html
+        mode: 
+          description: Suricata PCAP mode. Currenlty only multi is supported.
+          advanced: True
+          readonly: True
+          helpLink: suricata.html
+        max-files: 
+          description: Max PCAP files per thread. To determine max PCAP size multiple threads x max-files x limit.
+          helpLink: suricata.html
+        use-stream-depth: 
+          description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. 
+          advanced: True
+          helpLink: suricata.html
+        conditional: 
+          description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
+          helpLink: suricata.html
+        dir:
+          description: Parent directory to store PCAP.
+          advanced: True
+          readonly: True
+          helpLink: suricata.html
    asn1-max-frames:
      description: Maximum nuber of asn1 frames to decode.
      helpLink: suricata.html
@@ -209,6 +256,9 @@ suricata:
        memcap:
          description: Can be specified in kb,mb,gb.
          helpLink: suricata.html
+        depth:
+          description: Controls how far into a stream that reassembly is done.  
+          helpLink: suricata.html
    host:
      hash-size:
        description: Hash size in bytes.