CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Consolidate PCAP settings

Browse Source
This commit is contained in:
Mike Reeves
2024-03-06 12:56:09 -05:00
parent 9a413a2e31
commit 7f1e786e3d
2 changed files with 50 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
salt/suricata/defaults.yaml
View File

@@ -3,6 +3,14 @@ suricata:
pcap:
filesize: 1000mb
maxsize: 25
compression: "none"
lz4-checksum: "no"
lz4-level: 8
filename: "%n/so-pcap.%t"
mode: "multi"
use-stream-depth: "no"
conditional: "all"
dir: "/nsm/suripcap"
config:
threading:
set-cpu-affinity: "no"
@@ -131,14 +139,6 @@ suricata:
enabled: "no"
pcap-log:
enabled: "no"
compression: "none"
lz4-checksum: "no"
lz4-level: 8
filename: "%n/so-pcap.%t"
mode: "multi"
use-stream-depth: "no"
conditional: "all"
dir: "/nsm/suripcap"
alert-debug:
enabled: "no"
alert-prelude:

82
salt/suricata/soc_suricata.yaml
View File

@@ -27,6 +27,47 @@ suricata:
maxsize:
description: Size in GB for total usage size of PCAP on disk.
helplink: suricata.html
compression:
description: Enable compression of Suricata PCAP. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
lz4-checksum:
description: Enable PCAP lz4 checksum. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
lz4-level:
description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
filename:
description: Filename output for Suricata PCAP.
advanced: True
readonly: True
helpLink: suricata.html
mode:
description: Suricata PCAP mode. Currently only multi is supported.
advanced: True
readonly: True
helpLink: suricata.html
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
conditional:
description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
regex: ^(all|alert|tag)$
regexFailureMessage: You must enter either all, alert or tag.
helpLink: suricata.html
dir:
description: Parent directory to store PCAP.
advanced: True
readonly: True
helpLink: suricata.html
config:
af-packet:
interface:
@@ -176,47 +217,6 @@ suricata:
readonly: True
helpLink: suricata.html
advanced: True
compression:
description: Enable compression of Suricata PCAP. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
lz4-checksum:
description: Enable PCAP lz4 checksum. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
lz4-level:
description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
advanced: True
readonly: True
helpLink: suricata.html
filename:
description: Filename output for Suricata PCAP.
advanced: True
readonly: True
helpLink: suricata.html
mode:
description: Suricata PCAP mode. Currently only multi is supported.
advanced: True
readonly: True
helpLink: suricata.html
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
conditional:
description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
regex: ^(all|alert|tag)$
regexFailureMessage: You must enter either all, alert or tag.
helpLink: suricata.html
dir:
description: Parent directory to store PCAP.
advanced: True
readonly: True
helpLink: suricata.html
asn1-max-frames:
description: Maximum nuber of asn1 frames to decode.
helpLink: suricata.html