From bb0da2a5c5b21e23fe54f18dc78d23bb77f9e963 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 22 Mar 2024 14:34:14 -0400
Subject: [PATCH] add additional suricata af-packet config items

---
 salt/suricata/defaults.yaml | 7 +++++++
 salt/suricata/map.jinja | 7 +++++++
 salt/suricata/soc_suricata.yaml | 35 +++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 0252d3a81..8680fbda2 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -33,6 +33,13 @@ suricata:
 threads: 1
 tpacket-v3: "yes"
 ring-size: 5000
+ mmap-locked: "yes"
+ block-size: 32768
+ block-timeout: 10
+ use-emergency-flush: "yes"
+ buffer-size: 32768
+ disable-promisc: "no"
+ checksum-checks: kernel
 vars:
 address-groups:
 HOME_NET:
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 7f7b04aef..9d5581030 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -37,6 +37,13 @@
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
 tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
+ mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
+ block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
+ block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
+ use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
+ buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
+ disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
+ checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 13a709c4a..9843d8c97 100644
--- a/salt/suricata/soc_suricata.yaml
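Review bot: `mmap-locked: "yes"` becomes the shipped default for every sensor, and locking the AF_PACKET ring into RAM only works when the Suricata process is permitted that much locked memory (RLIMIT_MEMLOCK or CAP_IPC_LOCK); when it is not — easy to hit with Suricata in a container, or after an operator raises `ring-size`/`threads` — Suricata, as far as I recall, logs an "Unable to lock memory" error and fails to set up capture on that interface rather than degrading. Either keep Suricata's own default of not locking and let operators opt in, or document the accompanying requirement above the key: `# Requires a memlock limit (or CAP_IPC_LOCK) large enough for ring-size x threads; set to "no" if af-packet setup fails with an mlock/mmap error.` Quoting the yes/no values as strings matches the existing `tpacket-v3: "yes"` and avoids YAML 1.1 boolean coercion, which is right. A short comment on `buffer-size` naming its unit (bytes, socket receive buffer) would help whoever tunes it later.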
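Review bot: The three yes/no settings (`mmap-locked`, `use-emergency-flush`, `disable-promisc`) are interpolated unquoted into the `load_yaml` block, so the `"yes"`/`"no"` strings from defaults.yaml are re-parsed as YAML booleans and presumably reach the generated suricata.yaml as `true`/`false`; Suricata accepts both spellings and this follows the existing `tpacket-v3` line, but quoting them — `mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"` — keeps the type stable and also stops a pillar value containing `: ` or ` #` from altering the structure of the rendered YAML. The regex/forcedType constraints added in soc_suricata.yaml only apply to values entered through the SOC UI, not to values written directly into pillar, so the template should not rely on them for shape. The numeric keys should stay unquoted so they keep their integer type.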
+++ b/salt/suricata/soc_suricata.yaml 
@@ -94,6 +94,41 @@ suricata:
 description: Buffer size for packets per thread.
 forcedType: int
 helpLink: suricata.html
+ mmap-locked:
+ description: Prevent swapping by locking the memory map.
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
+ block-size:
+ description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
+ advanced: True
+ forcedType: int
+ helpLink: suricata.html
+ block-timeout:
+ description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
+ advanced: True
+ forcedType: int
+ helpLink: suricata.html
+ use-emergency-flush:
+ description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
+ buffer-size:
+ description: Increasing the value of the receive buffer may improve performance.
+ advanced: True
+ forcedType: int
+ helpLink: suricata.html
+ disable-promisc:
+ description: Promiscuous mode can be disabled by setting this to "yes".
+ advanced: True
+ regex: ^(yes|no)$
+ helpLink: suricata.html
+ checksum-checks:
+ description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
+ advanced: True
+ regex: ^(kernel|yes|no|auto)$
+ helpLink: suricata.html
 threading:
 set-cpu-affinity:
 description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
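Review bot: The `disable-promisc` description does not say what switching promiscuous mode off does to a sensor: on a monitoring interface fed by a TAP or SPAN port the NIC then only delivers frames addressed to its own MAC (plus broadcast/multicast), so Suricata silently stops seeing most of the mirrored traffic with no error, which is a blind-spot an operator will not notice from the UI. I'd change it to `description: Promiscuous mode can be disabled by setting this to "yes". Leave this "no" on monitoring interfaces fed by a TAP or SPAN port; with promiscuous mode off the NIC only delivers frames addressed to its own MAC and Suricata will silently miss the mirrored traffic.` Separately, `block-size`, `block-timeout` and `buffer-size` rely on `forcedType: int` alone, so 0 or a negative value passes validation even though the block-size text itself requires a power of 2 that is a multiple of the page size; if the schema permits a regex next to forcedType, `regex: ^[1-9][0-9]*$` (or an explicit list of page-size multiples for block-size) would reject those before Suricata likely refuses to bring up the interface. The `checksum-checks` text could also warn that 'no' means packets with invalid checksums — which the receiving host would discard — are still inspected, the classic NIDS insertion evasion, so 'kernel' or 'yes' should be preferred unless offloading is confusing the check.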