Merge pull request #12651 from Security-Onion-Solutions/issue/12637

Allow for additional af-packet tuning options for Suricata
2025-12-06 17:22:49 +01:00 · 2024-03-25 09:37:52 -04:00
parent b8d33ab983 029d8a0e8f
commit 7898277a9b
3 changed files with 49 additions and 3 deletions
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -33,6 +33,12 @@ suricata:
      threads: 1
      tpacket-v3: "yes"
      ring-size: 5000
+      block-size: 32768
+      block-timeout: 10
+      use-emergency-flush: "yes"
+      buffer-size: 32768
+      disable-promisc: "no"
+      checksum-checks: kernel
    vars:
      address-groups:
        HOME_NET:
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -32,11 +32,21 @@
 - interface: {{ GLOBALS.sensor.interface }}
  cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
  cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
-  defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
-  use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
+  defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
+  use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
  threads: {{ SURICATAMERGED.config['af-packet'].threads }}
-  tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
+  tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
  ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
+  block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
+  block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
+  use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
+  buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
+  disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
+{%   if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
+  checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
+{%   else %}
+  checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
+{%   endif %}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -94,6 +94,36 @@ suricata:
        description: Buffer size for packets per thread.
        forcedType: int
        helpLink: suricata.html
+      block-size:
+        description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
+        advanced: True
+        forcedType: int
+        helpLink: suricata.html
+      block-timeout:
+        description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
+        advanced: True
+        forcedType: int
+        helpLink: suricata.html
+      use-emergency-flush:
+        description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
+        advanced: True
+        regex: ^(yes|no)$
+        helpLink: suricata.html
+      buffer-size:
+        description: Increasing the value of the receive buffer may improve performance.
+        advanced: True
+        forcedType: int
+        helpLink: suricata.html
+      disable-promisc:
+        description: Promiscuous mode can be disabled by setting this to "yes".
+        advanced: True
+        regex: ^(yes|no)$
+        helpLink: suricata.html
+      checksum-checks:
+        description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
+        advanced: True
+        regex: ^(kernel|yes|no|auto)$
+        helpLink: suricata.html
    threading:
      set-cpu-affinity:
        description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.