Consolidate PCAP settings

2025-12-06 09:12:45 +01:00 · 2024-03-06 12:56:09 -05:00
parent 9a413a2e31
commit 7f1e786e3d
2 changed files with 50 additions and 50 deletions
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -3,6 +3,14 @@ suricata:
  pcap:
    filesize: 1000mb
    maxsize: 25
+    compression: "none"
+    lz4-checksum: "no"
+    lz4-level: 8
+    filename: "%n/so-pcap.%t"
+    mode: "multi"
+    use-stream-depth: "no"
+    conditional: "all"
+    dir: "/nsm/suripcap"
  config:
    threading:
      set-cpu-affinity: "no"
@@ -131,14 +139,6 @@ suricata:
        enabled: "no"
      pcap-log:
        enabled: "no"
-        compression: "none"
-        lz4-checksum: "no"
-        lz4-level: 8
-        filename: "%n/so-pcap.%t"
-        mode: "multi"
-        use-stream-depth: "no"
-        conditional: "all"
-        dir: "/nsm/suripcap"
      alert-debug:
        enabled: "no"
      alert-prelude:
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -27,6 +27,47 @@ suricata:
    maxsize:
      description: Size in GB for total usage size of PCAP on disk. 
      helplink: suricata.html
+    compression: 
+      description: Enable compression of Suricata PCAP. Currently unsupported
+      advanced: True
+      readonly: True
+      helpLink: suricata.html
+    lz4-checksum: 
+      description: Enable PCAP lz4 checksum. Currently unsupported
+      advanced: True
+      readonly: True
+      helpLink: suricata.html
+    lz4-level: 
+      description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
+      advanced: True
+      readonly: True
+      helpLink: suricata.html
+    filename:
+      description: Filename output for Suricata PCAP.
+      advanced: True
+      readonly: True
+      helpLink: suricata.html
+    mode: 
+      description: Suricata PCAP mode. Currently only multi is supported.
+      advanced: True
+      readonly: True
+      helpLink: suricata.html
+    use-stream-depth: 
+      description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. 
+      advanced: True
+      regex: ^(yes|no)$
+      regexFailureMessage: You must enter either yes or no.
+      helpLink: suricata.html
+    conditional: 
+      description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
+      regex: ^(all|alert|tag)$
+      regexFailureMessage: You must enter either all, alert or tag.
+      helpLink: suricata.html
+    dir:
+      description: Parent directory to store PCAP.
+      advanced: True
+      readonly: True
+      helpLink: suricata.html
  config:
    af-packet:
      interface:
@@ -175,48 +216,7 @@ suricata:
          description: This value is ignored by SO. pcapengine in globals takes precidence.
          readonly: True
          helpLink: suricata.html
-          advanced: True
-        compression: 
-          description: Enable compression of Suricata PCAP. Currently unsupported
-          advanced: True
-          readonly: True
-          helpLink: suricata.html
-        lz4-checksum: 
-          description: Enable PCAP lz4 checksum. Currently unsupported
-          advanced: True
-          readonly: True
-          helpLink: suricata.html
-        lz4-level: 
-          description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
-          advanced: True
-          readonly: True
-          helpLink: suricata.html
-        filename:
-          description: Filename output for Suricata PCAP.
-          advanced: True
-          readonly: True
-          helpLink: suricata.html
-        mode: 
-          description: Suricata PCAP mode. Currently only multi is supported.
-          advanced: True
-          readonly: True
-          helpLink: suricata.html
-        use-stream-depth: 
-          description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth. 
-          advanced: True
-          regex: ^(yes|no)$
-          regexFailureMessage: You must enter either yes or no.
-          helpLink: suricata.html
-        conditional: 
-          description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
-          regex: ^(all|alert|tag)$
-          regexFailureMessage: You must enter either all, alert or tag.
-          helpLink: suricata.html
-        dir:
-          description: Parent directory to store PCAP.
-          advanced: True
-          readonly: True
-          helpLink: suricata.html
+          advanced: True        
    asn1-max-frames:
      description: Maximum nuber of asn1 frames to decode.
      helpLink: suricata.html