Consolidate PCAP settings
@@ -3,6 +3,14 @@ suricata:
|
|||||||
pcap:
|
pcap:
|
||||||
filesize: 1000mb
|
filesize: 1000mb
|
||||||
maxsize: 25
|
maxsize: 25
|
||||||
|
compression: "none"
|
||||||
|
lz4-checksum: "no"
|
||||||
|
lz4-level: 8
|
||||||
|
filename: "%n/so-pcap.%t"
|
||||||
|
mode: "multi"
|
||||||
|
use-stream-depth: "no"
|
||||||
|
conditional: "all"
|
||||||
|
dir: "/nsm/suripcap"
|
||||||
config:
|
config:
|
||||||
threading:
|
threading:
|
||||||
set-cpu-affinity: "no"
|
set-cpu-affinity: "no"
|
||||||
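Review bot: The eight keys added under `suricata.pcap` (`compression` through `dir`) are the same ones the second hunk (L71–L136) drops from `pcap-log` under `suricata.config`, so whatever renders suricata.yaml must now read them from the new path; that renderer is not part of this diff, and `pcap-log` keeps only `enabled: "no"`, so any consumer still reading the old path would silently fall back to Suricata's built-in defaults. Worth confirming in the same change that the template and any pillar overrides for these keys were moved as well. The values keep their quoted form (`"no"`, `"none"`, `"multi"`), which is the right choice here because an unquoted `no` is a boolean under YAML 1.1 semantics and would render as `False`; keep them quoted if tooling ever rewrites this block. The enclosing `suricata:` mapping starts before this hunk and continues past it.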
@@ -131,14 +139,6 @@ suricata:
|
|||||||
enabled: "no"
|
enabled: "no"
|
||||||
pcap-log:
|
pcap-log:
|
||||||
enabled: "no"
|
enabled: "no"
|
||||||
compression: "none"
|
|
||||||
lz4-checksum: "no"
|
|
||||||
lz4-level: 8
|
|
||||||
filename: "%n/so-pcap.%t"
|
|
||||||
mode: "multi"
|
|
||||||
use-stream-depth: "no"
|
|
||||||
conditional: "all"
|
|
||||||
dir: "/nsm/suripcap"
|
|
||||||
alert-debug:
|
alert-debug:
|
||||||
enabled: "no"
|
enabled: "no"
|
||||||
alert-prelude:
|
alert-prelude:
|
||||||
|
|||||||
@@ -27,6 +27,47 @@ suricata:
|
|||||||
maxsize:
|
maxsize:
|
||||||
description: Size in GB for total usage size of PCAP on disk.
|
description: Size in GB for total usage size of PCAP on disk.
|
||||||
helplink: suricata.html
|
helplink: suricata.html
|
||||||
|
compression:
|
||||||
|
description: Enable compression of Suricata PCAP. Currently unsupported
|
||||||
|
advanced: True
|
||||||
|
readonly: True
|
||||||
|
helpLink: suricata.html
|
||||||
|
lz4-checksum:
|
||||||
|
description: Enable PCAP lz4 checksum. Currently unsupported
|
||||||
|
advanced: True
|
||||||
|
readonly: True
|
||||||
|
helpLink: suricata.html
|
||||||
|
lz4-level:
|
||||||
|
description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
|
||||||
|
advanced: True
|
||||||
|
readonly: True
|
||||||
|
helpLink: suricata.html
|
||||||
|
filename:
|
||||||
|
description: Filename output for Suricata PCAP.
|
||||||
|
advanced: True
|
||||||
|
readonly: True
|
||||||
|
helpLink: suricata.html
|
||||||
|
mode:
|
||||||
|
description: Suricata PCAP mode. Currently only multi is supported.
|
||||||
|
advanced: True
|
||||||
|
readonly: True
|
||||||
|
helpLink: suricata.html
|
||||||
|
use-stream-depth:
|
||||||
|
description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
|
||||||
|
advanced: True
|
||||||
|
regex: ^(yes|no)$
|
||||||
|
regexFailureMessage: You must enter either yes or no.
|
||||||
|
helpLink: suricata.html
|
||||||
|
conditional:
|
||||||
|
description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
|
||||||
|
regex: ^(all|alert|tag)$
|
||||||
|
regexFailureMessage: You must enter either all, alert or tag.
|
||||||
|
helpLink: suricata.html
|
||||||
|
dir:
|
||||||
|
description: Parent directory to store PCAP.
|
||||||
|
advanced: True
|
||||||
|
readonly: True
|
||||||
|
helpLink: suricata.html
|
||||||
config:
|
config:
|
||||||
af-packet:
|
af-packet:
|
||||||
interface:
|
interface:
|
||||||
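Review bot: The `lz4-level` description added in this hunk reads `0 for no compression 16 for max compression` and is clearer as `0 for no compression, 16 for max compression.`; the `compression` and `lz4-checksum` descriptions likewise end without a period. The two user-editable entries, `use-stream-depth` and `conditional`, correctly bound input with `^(yes|no)$` and `^(all|alert|tag)$`, but the adjacent pre-existing `maxsize` entry uses `helplink` while every new entry uses `helpLink`; if the UI keys on the camelCase form, the old one is presumably ignored, so it is worth fixing while this block is being touched. Since `conditional` is the only non-advanced, non-readonly setting of the group, its description could state that `alert`/`tag` mean full-flow PCAP is no longer retained for other traffic, so operators understand the forensic trade-off before switching. The enclosing `suricata:` mapping begins before this hunk and continues past it.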
@@ -176,47 +217,6 @@ suricata:
|
|||||||
readonly: True
|
readonly: True
|
||||||
helpLink: suricata.html
|
helpLink: suricata.html
|
||||||
advanced: True
|
advanced: True
|
||||||
compression:
|
|
||||||
description: Enable compression of Suricata PCAP. Currently unsupported
|
|
||||||
advanced: True
|
|
||||||
readonly: True
|
|
||||||
helpLink: suricata.html
|
|
||||||
lz4-checksum:
|
|
||||||
description: Enable PCAP lz4 checksum. Currently unsupported
|
|
||||||
advanced: True
|
|
||||||
readonly: True
|
|
||||||
helpLink: suricata.html
|
|
||||||
lz4-level:
|
|
||||||
description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
|
|
||||||
advanced: True
|
|
||||||
readonly: True
|
|
||||||
helpLink: suricata.html
|
|
||||||
filename:
|
|
||||||
description: Filename output for Suricata PCAP.
|
|
||||||
advanced: True
|
|
||||||
readonly: True
|
|
||||||
helpLink: suricata.html
|
|
||||||
mode:
|
|
||||||
description: Suricata PCAP mode. Currently only multi is supported.
|
|
||||||
advanced: True
|
|
||||||
readonly: True
|
|
||||||
helpLink: suricata.html
|
|
||||||
use-stream-depth:
|
|
||||||
description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
|
|
||||||
advanced: True
|
|
||||||
regex: ^(yes|no)$
|
|
||||||
regexFailureMessage: You must enter either yes or no.
|
|
||||||
helpLink: suricata.html
|
|
||||||
conditional:
|
|
||||||
description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
|
|
||||||
regex: ^(all|alert|tag)$
|
|
||||||
regexFailureMessage: You must enter either all, alert or tag.
|
|
||||||
helpLink: suricata.html
|
|
||||||
dir:
|
|
||||||
description: Parent directory to store PCAP.
|
|
||||||
advanced: True
|
|
||||||
readonly: True
|
|
||||||
helpLink: suricata.html
|
|
||||||
asn1-max-frames:
|
asn1-max-frames:
|
||||||
description: Maximum nuber of asn1 frames to decode.
|
description: Maximum nuber of asn1 frames to decode.
|
||||||
helpLink: suricata.html
|
helpLink: suricata.html
|
||||||
|
|||||||