26 Commits
quickfixes
...
delta
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
f0f9de4b44 | ||
|
|
e857a8487a | ||
|
|
fa4bf218d5 | ||
|
|
2186872317 | ||
|
|
6e3986b0b0 | ||
|
|
2585bdd23f | ||
|
|
ca588d2e78 | ||
|
|
f756ecb396 | ||
|
|
82107f00a1 | ||
|
|
5c53244b54 | ||
|
|
3b269e8b82 | ||
|
|
7ece93d7e0 | ||
|
|
14d254e81b | ||
|
|
7af6efda1e | ||
|
|
ce972238fe | ||
|
|
442bd1499d | ||
|
|
30ea309dff | ||
|
|
bfeefeea2f | ||
|
|
8251d56a96 | ||
|
|
1b1e602716 | ||
|
|
034b1d045b | ||
|
|
20bf88b338 | ||
|
|
d3f819017b | ||
|
|
c92aedfff3 | ||
|
|
7aded184b3 | ||
|
|
c2c5aea244 |
@@ -1,6 +1,7 @@
|
||||
elastalert:
|
||||
enabled:
|
||||
description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
|
||||
forcedType: bool
|
||||
helpLink: elastalert
|
||||
alerter_parameters:
|
||||
title: Custom Configuration Parameters
|
||||
@@ -96,8 +97,15 @@ elastalert:
|
||||
file: True
|
||||
helpLink: elastalert
|
||||
config:
|
||||
scan_subdirectories:
|
||||
description: Recursively scan subdirectories for rules.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
disable_rules_on_error:
|
||||
description: Disable rules on failure.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
run_every:
|
||||
@@ -123,6 +131,18 @@ elastalert:
|
||||
description: The maximum number of documents that will be returned from Elasticsearch in a single query.
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
use_ssl:
|
||||
description: Use SSL to connect to Elasticsearch.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
verify_certs:
|
||||
description: Verify TLS certificates when connecting to Elasticsearch.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
alert_time_limit:
|
||||
days:
|
||||
description: The retry window for failed alerts.
|
||||
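Review bot: The new `verify_certs` annotation exposes a security-sensitive toggle with a neutral description, while the same file family marks settings whose disablement weakens the grid with a "WARNING -" clause (see the elasticsearch and influxdb `enabled` descriptions on this page). Suggest `description: Verify TLS certificates when connecting to Elasticsearch. WARNING - Disabling certificate verification removes protection against an impersonated Elasticsearch endpoint; leave enabled.` so an operator toggling it in SOC sees the consequence. The `use_ssl` description in the same hunk could likewise note that disabling it sends credentials and query data in cleartext. Separately, `disable_rules_on_error: Disable rules on failure.` in the previous hunk does not say which failure is meant; it would help to spell out the trigger condition as the ElastAlert documentation does.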
@@ -137,3 +157,24 @@ elastalert:
|
||||
description: The number of replicas for elastalert indices.
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
logging:
|
||||
incremental:
|
||||
description: When incremental is false (the default), the logging configuration is applied in full, replacing any existing logging setup. When true, only the level attributes of existing loggers and handlers are updated, leaving the rest of the logging configuration unchanged.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
disable_existing_loggers:
|
||||
description: Disable existing loggers.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
loggers:
|
||||
'':
|
||||
propagate:
|
||||
description: Propagate log messages to parent loggers.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: elastalert
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
elastic_fleet_package_registry:
|
||||
enabled:
|
||||
description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
elasticagent:
|
||||
enabled:
|
||||
description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
elasticfleet:
|
||||
enabled:
|
||||
description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: elastic-fleet
|
||||
enable_manager_output:
|
||||
@@ -37,6 +38,7 @@ elasticfleet:
|
||||
defend_filters:
|
||||
enable_auto_configuration:
|
||||
description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: elastic-fleet
|
||||
advanced: True
|
||||
@@ -99,6 +101,7 @@ elasticfleet:
|
||||
forcedType: "[]string"
|
||||
enable_auto_configuration:
|
||||
description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: elastic-fleet
|
||||
advanced: True
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
elasticsearch:
|
||||
enabled:
|
||||
description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: elasticsearch
|
||||
version:
|
||||
@@ -42,8 +43,9 @@ elasticsearch:
|
||||
routing:
|
||||
allocation:
|
||||
disk:
|
||||
threshold_enabled:
|
||||
threshold_enabled:
|
||||
description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
|
||||
forcedType: bool
|
||||
helpLink: elasticsearch
|
||||
watermark:
|
||||
low:
|
||||
@@ -55,18 +57,64 @@ elasticsearch:
|
||||
flood_stage:
|
||||
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
|
||||
helpLink: elasticsearch
|
||||
action:
|
||||
destructive_requires_name:
|
||||
description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns.
|
||||
advanced: True
|
||||
forcedType: bool
|
||||
helpLink: elasticsearch
|
||||
script:
|
||||
max_compilations_rate:
|
||||
max_compilations_rate:
|
||||
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
|
||||
global: True
|
||||
helpLink: elasticsearch
|
||||
indices:
|
||||
id_field_data:
|
||||
enabled:
|
||||
description: Enables or disables loading of field data on the _id field.
|
||||
advanced: True
|
||||
forcedType: bool
|
||||
helpLink: elasticsearch
|
||||
query:
|
||||
bool:
|
||||
max_clause_count:
|
||||
max_clause_count:
|
||||
description: Max number of boolean clauses per query.
|
||||
global: True
|
||||
helpLink: elasticsearch
|
||||
xpack:
|
||||
ml:
|
||||
enabled:
|
||||
description: Enables or disables machine learning on the node.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: elasticsearch
|
||||
security:
|
||||
enabled:
|
||||
description: Enables or disables Elasticsearch security features.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: elasticsearch
|
||||
authc:
|
||||
anonymous:
|
||||
authz_exception:
|
||||
description: Controls whether an authorization exception is thrown when anonymous user does not have the required privileges.
|
||||
advanced: True
|
||||
forcedType: bool
|
||||
helpLink: elasticsearch
|
||||
http:
|
||||
ssl:
|
||||
enabled:
|
||||
description: Enables or disables TLS/SSL for the HTTP layer.
|
||||
advanced: True
|
||||
forcedType: bool
|
||||
helpLink: elasticsearch
|
||||
transport:
|
||||
ssl:
|
||||
enabled:
|
||||
description: Enables or disables TLS/SSL for the transport layer.
|
||||
advanced: True
|
||||
forcedType: bool
|
||||
helpLink: elasticsearch
|
||||
pipelines:
|
||||
custom001: &pipelines
|
||||
description:
|
||||
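Review bot: `xpack.security.enabled`, `xpack.security.http.ssl.enabled` and `xpack.security.transport.ssl.enabled` are added here as SOC-editable `advanced` booleans whose descriptions ("Enables or disables Elasticsearch security features.", "...TLS/SSL for the HTTP layer.", "...for the transport layer.") say nothing about the impact of turning them off, even though this file's convention for grid-breaking toggles is a "WARNING - ... is unsupported" clause (line `description: Enables or disables the Elasticsearch process. ... WARNING - Disabling this process is unsupported.` at the top of the section). Disabling any of the three removes authentication or transport encryption between grid nodes, so each description should carry a comparable sentence, e.g. `WARNING - Disabling this setting is unsupported and exposes the cluster to unauthenticated access.`; if these are not meant to be changed from the UI at all, `readonly: True` as used for the `data_stream` entries later in this section would be the stronger fix. The `authc.anonymous.authz_exception` and `action.destructive_requires_name` descriptions in the same hunk are adequate as written.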
@@ -264,8 +312,9 @@ elasticsearch:
|
||||
global: True
|
||||
helpLink: elasticsearch
|
||||
so-logs: &indexSettings
|
||||
index_sorting:
|
||||
index_sorting:
|
||||
description: Sorts the index by event time, at the cost of additional processing resource consumption.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: elasticsearch
|
||||
@@ -609,6 +658,7 @@ elasticsearch:
|
||||
so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
|
||||
index_sorting:
|
||||
description: Sorts the index by event time, at the cost of additional processing resource consumption.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
readonly: True
|
||||
helpLink: elasticsearch
|
||||
@@ -649,11 +699,13 @@ elasticsearch:
|
||||
data_stream:
|
||||
hidden:
|
||||
description: Hide the data stream.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
readonly: True
|
||||
helpLink: elasticsearch
|
||||
allow_custom_routing:
|
||||
description: Allow custom routing for the data stream.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
readonly: True
|
||||
helpLink: elasticsearch
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
hydra:
|
||||
enabled:
|
||||
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
|
||||
description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False.
|
||||
forcedType: bool
|
||||
helpLink: connect-api
|
||||
global: True
|
||||
config:
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
idh:
|
||||
enabled:
|
||||
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
|
||||
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
|
||||
forcedType: bool
|
||||
helpLink: idh
|
||||
restrict_management_ip:
|
||||
description: Restricts management IP access to the IDH node.
|
||||
forcedType: bool
|
||||
helpLink: idh
|
||||
opencanary:
|
||||
config:
|
||||
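Review bot: The new `restrict_management_ip` annotation's description, `Restricts management IP access to the IDH node.`, is ambiguous about direction and scope: it could mean that only the manager's IP may reach the IDH node, or that the node's management interface is restricted from reaching something. Since the setting governs network exposure of a honeypot host, the description should state which traffic is restricted and to which source or destination, for example `Restricts access to the IDH node's management services to <allowed source> only; honeypot services remain reachable.` with the placeholder filled in from the implementing state. A `global:`/`advanced:` marker would also help, as every neighbouring annotation in this section carries `helpLink` but this one gives the operator no hint of its blast radius.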
@@ -24,6 +29,7 @@ idh:
|
||||
filename: *loggingOptions
|
||||
portscan_x_enabled: &serviceOptions
|
||||
description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
|
||||
forcedType: bool
|
||||
helpLink: idh
|
||||
portscan_x_logfile: *loggingOptions
|
||||
portscan_x_synrate:
|
||||
@@ -125,8 +131,9 @@ idh:
|
||||
vnc_x_enabled: *serviceOptions
|
||||
vnc_x_port: *portOptions
|
||||
openssh:
|
||||
enable:
|
||||
enable:
|
||||
description: This is the real SSH service for the host machine.
|
||||
forcedType: bool
|
||||
helpLink: idh
|
||||
config:
|
||||
port:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
influxdb:
|
||||
enabled:
|
||||
description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
|
||||
forcedType: bool
|
||||
helpLink: influxdb
|
||||
config:
|
||||
assets-path:
|
||||
@@ -25,11 +26,13 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
flux-log-enabled:
|
||||
description: Controls whether detailed flux query logging is enabled.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
hardening-enabled:
|
||||
description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -86,16 +89,19 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
metrics-disabled:
|
||||
description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
no-tasks:
|
||||
description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
pprof-disabled:
|
||||
description: If true, the profiling data HTTP endpoint will be inaccessible.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -126,6 +132,7 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
reporting-disabled:
|
||||
description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -142,6 +149,7 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
session-renew-disabled:
|
||||
description: If true, user login sessions will renew after each request.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
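Review bot: The `session-renew-disabled` description, `If true, user login sessions will renew after each request.`, reads as the opposite of what the key name says; if the flag disables renewal, the text should be `If true, user login sessions will not be renewed on each request and will expire at their original deadline.` — worth confirming against the InfluxDB configuration reference before changing. Because this hunk now marks the key `forcedType: bool`, the inverted wording becomes a more likely source of mis-configuration from the SOC UI. In the later `vault-skip-verify` hunk of this section, `Skip certification validation of the Vault server.` should read `certificate validation`, and a short note that disabling verification removes server authentication for the Vault connection would match the security-sensitive wording used elsewhere on this page.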
@@ -187,6 +195,7 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
storage-no-validate-field-size:
|
||||
description: If true, incoming requests will skip the field size validation.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -217,11 +226,13 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
storage-tsm-use-madv-willneed:
|
||||
description: If true, InfluxDB will manage TSM memory paging.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
storage-validate-keys:
|
||||
description: If true, validates incoming requests for supported characters.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -268,6 +279,7 @@ influxdb:
|
||||
helpLink: influxdb
|
||||
tls-strict-ciphers:
|
||||
description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -276,8 +288,9 @@ influxdb:
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
ui-disabled:
|
||||
ui-disabled:
|
||||
description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
@@ -316,8 +329,9 @@ influxdb:
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
vault-skip-verify:
|
||||
vault-skip-verify:
|
||||
description: Skip certification validation of the Vault server.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
kafka:
|
||||
enabled:
|
||||
description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
|
||||
forcedType: bool
|
||||
helpLink: kafka
|
||||
cluster_id:
|
||||
description: The ID of the Kafka cluster.
|
||||
|
||||
@@ -1,10 +1,46 @@
|
||||
kibana:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
|
||||
forcedType: bool
|
||||
helpLink: kibana
|
||||
config:
|
||||
server:
|
||||
rewriteBasePath:
|
||||
description: Specifies whether Kibana should rewrite requests that are prefixed with the server basePath.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: kibana
|
||||
elasticsearch:
|
||||
requestTimeout:
|
||||
description: The length of time before the request reaches timeout.
|
||||
global: True
|
||||
helpLink: kibana
|
||||
telemetry:
|
||||
enabled:
|
||||
description: Enables or disables telemetry data collection in Kibana.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: kibana
|
||||
xpack:
|
||||
security:
|
||||
secureCookies:
|
||||
description: Sets the secure flag on session cookies. Cookies are only sent over HTTPS when enabled.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: kibana
|
||||
showInsecureClusterWarning:
|
||||
description: Shows a warning in Kibana when the cluster does not have security enabled.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: kibana
|
||||
apm:
|
||||
enabled:
|
||||
description: Enables or disables the APM agent in Kibana.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: kibana
|
||||
|
||||
@@ -1,12 +1,14 @@
|
||||
kratos:
|
||||
enabled:
|
||||
description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: kratos
|
||||
|
||||
oidc:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: oidc
|
||||
config:
|
||||
@@ -80,6 +82,7 @@ kratos:
|
||||
email:
|
||||
essential:
|
||||
description: Specifies whether the email claim is necessary. Typically leave this value set to true.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
global: True
|
||||
helpLink: oidc
|
||||
@@ -107,19 +110,22 @@ kratos:
|
||||
selfservice:
|
||||
methods:
|
||||
password:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
|
||||
forcedType: bool
|
||||
global: True
|
||||
advanced: True
|
||||
helpLink: oidc
|
||||
config:
|
||||
haveibeenpwned_enabled:
|
||||
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: kratos
|
||||
totp:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: kratos
|
||||
config:
|
||||
@@ -130,11 +136,13 @@ kratos:
|
||||
webauthn:
|
||||
enabled:
|
||||
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: kratos
|
||||
config:
|
||||
passwordless:
|
||||
passwordless:
|
||||
description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: kratos
|
||||
rp:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
logstash:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
|
||||
forcedType: bool
|
||||
helpLink: logstash
|
||||
assigned_pipelines:
|
||||
roles:
|
||||
|
||||
@@ -2,6 +2,7 @@ manager:
|
||||
reposync:
|
||||
enabled:
|
||||
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
|
||||
forcedType: bool
|
||||
global: True
|
||||
helpLink: soup
|
||||
hour:
|
||||
|
||||
@@ -383,23 +383,72 @@ check_minimum_version() {
|
||||
|
||||
### 3.0.0 Scripts ###
|
||||
|
||||
up_to_3.0.0() {
|
||||
determine_elastic_agent_upgrade
|
||||
migrate_pcap_to_suricata
|
||||
convert_suricata_yes_no() {
|
||||
echo "Starting suricata yes/no values to true/false conversion."
|
||||
local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls
|
||||
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
|
||||
local pillar_files=()
|
||||
|
||||
INSTALLEDVERSION=3.0.0
|
||||
[[ -f "$SURICATA_FILE" ]] && pillar_files+=("$SURICATA_FILE")
|
||||
for suffix in _eval _heavynode _sensor _standalone; do
|
||||
for f in "$MINIONDIR"/*${suffix}.sls; do
|
||||
[[ -f "$f" ]] && pillar_files+=("$f")
|
||||
done
|
||||
done
|
||||
|
||||
for pillar_file in "${pillar_files[@]}"; do
|
||||
echo "Checking $pillar_file for suricata yes/no values."
|
||||
local yaml_output
|
||||
yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue
|
||||
|
||||
local keys_to_fix
|
||||
keys_to_fix=$(python3 -c "
|
||||
import yaml, sys
|
||||
def find(d, prefix=''):
|
||||
if isinstance(d, dict):
|
||||
for k, v in d.items():
|
||||
path = f'{prefix}.{k}' if prefix else k
|
||||
if isinstance(v, dict):
|
||||
find(v, path)
|
||||
elif isinstance(v, str) and v.lower() in ('yes', 'no'):
|
||||
print(f'{path} {v.lower()}')
|
||||
find(yaml.safe_load(sys.stdin) or {})
|
||||
" <<< "$yaml_output") || continue
|
||||
|
||||
while IFS=' ' read -r key value; do
|
||||
[[ -z "$key" ]] && continue
|
||||
if [[ "$value" == "yes" ]]; then
|
||||
echo "Replacing suricata.${key} yes -> true in $pillar_file"
|
||||
so-yaml.py replace "$pillar_file" "suricata.${key}" true
|
||||
else
|
||||
echo "Replacing suricata.${key} no -> false in $pillar_file"
|
||||
so-yaml.py replace "$pillar_file" "suricata.${key}" false
|
||||
fi
|
||||
done <<< "$keys_to_fix"
|
||||
done
|
||||
echo "Completed suricata yes/no conversion."
|
||||
}
|
||||
|
||||
migrate_pcap_to_suricata() {
|
||||
echo "Starting pillar pcap.enabled to suricata.pcap.enabled migration."
|
||||
local MINIONDIR=/opt/so/saltstack/local/pillar/minions
|
||||
local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
|
||||
|
||||
for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
|
||||
[[ -f "$pillar_file" ]] || continue
|
||||
pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
|
||||
echo "Migrating pcap.enabled -> suricata.pcap.enabled in $pillar_file"
|
||||
so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
|
||||
so-yaml.py remove "$pillar_file" pcap
|
||||
done
|
||||
echo "Completed pcap.enabled to suricata.pcap.enabled pillar migration."
|
||||
}
|
||||
|
||||
up_to_3.0.0() {
|
||||
determine_elastic_agent_upgrade
|
||||
migrate_pcap_to_suricata
|
||||
|
||||
INSTALLEDVERSION=3.0.0
|
||||
}
|
||||
|
||||
post_to_3.0.0() {
|
||||
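Review bot: `find()` in convert_suricata_yes_no only recurses into dicts, so `yes`/`no` strings nested under list-valued keys — such as `config.logging.outputs`, which in the suricata defaults on this page is a list holding `- console: enabled: "yes"` — are never reported and remain unconverted in any pillar that overrides them. If so-yaml.py cannot address list items by dotted path, the limitation should at least be stated above the loop, e.g. `# note: list-valued keys (e.g. logging.outputs) are not traversed; convert those manually`. The replace calls also assume `so-yaml.py replace ... true` stores a YAML boolean rather than the string `"true"`; if the tool round-trips its argument as a string the migration would leave the value quoted, which is worth confirming before release. The embedded Python correctly uses `yaml.safe_load`, and the `[[ -f "$f" ]]` guards handle unmatched globs.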
@@ -412,6 +461,9 @@ post_to_3.0.0() {
|
||||
so-elasticsearch-query $idx/_ilm/remove -XPOST
|
||||
done
|
||||
|
||||
# convert yes/no in suricata pillars to true/false
|
||||
convert_suricata_yes_no
|
||||
|
||||
POSTVERSION=3.0.0
|
||||
}
|
||||
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
nginx:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: nginx
|
||||
external_suricata:
|
||||
|
||||
@@ -2,6 +2,7 @@ patch:
|
||||
os:
|
||||
enabled:
|
||||
description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
|
||||
forcedType: bool
|
||||
helpLink: soup
|
||||
schedule_to_run:
|
||||
description: Currently running schedule for updates.
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
redis:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
|
||||
forcedType: bool
|
||||
helpLink: redis
|
||||
config:
|
||||
bind:
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
registry:
|
||||
enabled:
|
||||
description: Enables or disables the Docker registry on the manager node. WARNING - If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
|
||||
@@ -1,12 +1,14 @@
|
||||
sensoroni:
|
||||
enabled:
|
||||
description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: grid
|
||||
config:
|
||||
analyze:
|
||||
enabled:
|
||||
description: Enable or disable the analyzer.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: cases
|
||||
timeout_ms:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
soc:
|
||||
enabled:
|
||||
description: Enables or disables SOC. WARNING - Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
telemetryEnabled:
|
||||
title: SOC Telemetry
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
strelka:
|
||||
backend:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables or disables the Strelka file analysis process.
|
||||
forcedType: bool
|
||||
helpLink: strelka
|
||||
config:
|
||||
backend:
|
||||
@@ -420,8 +421,9 @@ strelka:
|
||||
helpLink: strelka
|
||||
multiline: True
|
||||
filestream:
|
||||
enabled:
|
||||
enabled:
|
||||
description: You can enable or disable Strelka filestream.
|
||||
forcedType: bool
|
||||
helpLink: strelka
|
||||
config:
|
||||
conn:
|
||||
@@ -478,12 +480,14 @@ strelka:
|
||||
advanced: True
|
||||
delete:
|
||||
description: Boolean that determines if files should be deleted after being sent for scanning.
|
||||
forcedType: bool
|
||||
readonly: False
|
||||
global: False
|
||||
helpLink: strelka
|
||||
advanced: True
|
||||
gatekeeper:
|
||||
description: Boolean that determines if events should be pulled from the temporary event cache.
|
||||
forcedType: bool
|
||||
readonly: False
|
||||
global: False
|
||||
helpLink: strelka
|
||||
@@ -514,8 +518,9 @@ strelka:
|
||||
helpLink: strelka
|
||||
advanced: True
|
||||
frontend:
|
||||
enabled:
|
||||
enabled:
|
||||
description: You can enable or disable Strelka frontend.
|
||||
forcedType: bool
|
||||
helpLink: strelka
|
||||
config:
|
||||
server:
|
||||
@@ -564,8 +569,9 @@ strelka:
|
||||
helpLink: strelka
|
||||
advanced: True
|
||||
manager:
|
||||
enabled:
|
||||
enabled:
|
||||
description: You can enable or disable Strelka manager.
|
||||
forcedType: bool
|
||||
helpLink: strelka
|
||||
config:
|
||||
coordinator:
|
||||
@@ -582,16 +588,19 @@ strelka:
|
||||
helpLink: strelka
|
||||
advanced: True
|
||||
coordinator:
|
||||
enabled:
|
||||
enabled:
|
||||
description: You can enable or disable Strelka coordinator.
|
||||
forcedType: bool
|
||||
helpLink: strelka
|
||||
gatekeeper:
|
||||
enabled:
|
||||
enabled:
|
||||
description: You can enable or disable Strelka gatekeeper.
|
||||
forcedType: bool
|
||||
helpLink: strelka
|
||||
rules:
|
||||
enabled:
|
||||
description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
|
||||
forcedType: bool
|
||||
readonly: False
|
||||
global: False
|
||||
helpLink: strelka
|
||||
|
||||
@@ -1,20 +1,20 @@
|
||||
suricata:
|
||||
enabled: False
|
||||
pcap:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
filesize: 1000mb
|
||||
maxsize: 25
|
||||
compression: "none"
|
||||
lz4-checksum: "no"
|
||||
lz4-checksum: false
|
||||
lz4-level: 8
|
||||
filename: "%n/so-pcap.%t"
|
||||
mode: "multi"
|
||||
use-stream-depth: "no"
|
||||
use-stream-depth: false
|
||||
conditional: "all"
|
||||
dir: "/nsm/suripcap"
|
||||
config:
|
||||
threading:
|
||||
set-cpu-affinity: "no"
|
||||
set-cpu-affinity: false
|
||||
cpu-affinity:
|
||||
management-cpu-set:
|
||||
cpu:
|
||||
@@ -29,17 +29,17 @@ suricata:
|
||||
interface: bond0
|
||||
cluster-id: 59
|
||||
cluster-type: cluster_flow
|
||||
defrag: "yes"
|
||||
use-mmap: "yes"
|
||||
mmap-locked: "no"
|
||||
defrag: true
|
||||
use-mmap: true
|
||||
mmap-locked: false
|
||||
threads: 1
|
||||
tpacket-v3: "yes"
|
||||
tpacket-v3: true
|
||||
ring-size: 5000
|
||||
block-size: 69632
|
||||
block-timeout: 10
|
||||
use-emergency-flush: "yes"
|
||||
use-emergency-flush: true
|
||||
buffer-size: 32768
|
||||
disable-promisc: "no"
|
||||
disable-promisc: false
|
||||
checksum-checks: kernel
|
||||
vars:
|
||||
address-groups:
|
||||
@@ -105,15 +105,15 @@ suricata:
|
||||
- 6081
|
||||
default-log-dir: /var/log/suricata/
|
||||
stats:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
interval: 30
|
||||
outputs:
|
||||
fast:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
filename: fast.log
|
||||
append: "yes"
|
||||
append: true
|
||||
eve-log:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filetype: regular
|
||||
filename: /nsm/eve-%Y-%m-%d-%H:%M.json
|
||||
rotate-interval: hour
|
||||
@@ -122,104 +122,104 @@ suricata:
|
||||
community-id-seed: 0
|
||||
types:
|
||||
alert:
|
||||
payload: "no"
|
||||
payload: false
|
||||
payload-buffer-size: 4kb
|
||||
payload-printable: "yes"
|
||||
packet: "yes"
|
||||
payload-printable: true
|
||||
packet: true
|
||||
metadata:
|
||||
app-layer: false
|
||||
flow: false
|
||||
rule:
|
||||
metadata: true
|
||||
raw: true
|
||||
tagged-packets: "no"
|
||||
tagged-packets: false
|
||||
xff:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
mode: extra-data
|
||||
deployment: reverse
|
||||
header: X-Forwarded-For
|
||||
unified2-alert:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
tls-store:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
alert-debug:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
alert-prelude:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
stats:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filename: stats.log
|
||||
append: "yes"
|
||||
totals: "yes"
|
||||
threads: "no"
|
||||
null-values: "yes"
|
||||
append: true
|
||||
totals: true
|
||||
threads: false
|
||||
null-values: true
|
||||
drop:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
file-store:
|
||||
version: 2
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
xff:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
mode: extra-data
|
||||
deployment: reverse
|
||||
header: X-Forwarded-For
|
||||
tcp-data:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
type: file
|
||||
filename: tcp-data.log
|
||||
http-body-data:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
type: file
|
||||
filename: http-data.log
|
||||
lua:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
scripts:
|
||||
logging:
|
||||
default-log-level: notice
|
||||
outputs:
|
||||
- console:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
- file:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
level: info
|
||||
filename: suricata.log
|
||||
- syslog:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
facility: local5
|
||||
format: "[%i] <%d> -- "
|
||||
app-layer:
|
||||
protocols:
|
||||
krb5:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
snmp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
ikev2:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
tls:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 443
|
||||
ja3-fingerprints: auto
|
||||
ja4-fingerprints: auto
|
||||
encryption-handling: track-only
|
||||
dcerpc:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
ftp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
rdp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
ssh:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
smtp:
|
||||
enabled: "yes"
|
||||
raw-extraction: "no"
|
||||
enabled: true
|
||||
raw-extraction: false
|
||||
mime:
|
||||
decode-mime: "yes"
|
||||
decode-base64: "yes"
|
||||
decode-quoted-printable: "yes"
|
||||
decode-mime: true
|
||||
decode-base64: true
|
||||
decode-quoted-printable: true
|
||||
header-value-depth: 2000
|
||||
extract-urls: "yes"
|
||||
body-md5: "no"
|
||||
extract-urls: true
|
||||
body-md5: false
|
||||
inspected-tracker:
|
||||
content-limit: 100000
|
||||
content-inspect-min-size: 32768
|
||||
@@ -227,27 +227,27 @@ suricata:
|
||||
imap:
|
||||
enabled: detection-only
|
||||
smb:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 139, 445
|
||||
nfs:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
tftp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
dns:
|
||||
global-memcap: 16mb
|
||||
state-memcap: 512kb
|
||||
request-flood: 500
|
||||
tcp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 53
|
||||
udp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 53
|
||||
http:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
libhtp:
|
||||
default-config:
|
||||
personality: IDS
|
||||
@@ -260,43 +260,43 @@ suricata:
|
||||
response-body-decompress-layer-limit: 2
|
||||
http-body-inline: auto
|
||||
swf-decompression:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
type: both
|
||||
compress-depth: 100 KiB
|
||||
decompress-depth: 100 KiB
|
||||
randomize-inspection-sizes: "yes"
|
||||
randomize-inspection-sizes: true
|
||||
randomize-inspection-range: 10
|
||||
double-decode-path: "no"
|
||||
double-decode-query: "no"
|
||||
double-decode-path: false
|
||||
double-decode-query: false
|
||||
server-config:
|
||||
modbus:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 502
|
||||
stream-depth: 0
|
||||
dnp3:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 20000
|
||||
enip:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 44818
|
||||
sp: 44818
|
||||
ntp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
dhcp:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
sip:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
rfb:
|
||||
enabled: 'yes'
|
||||
enabled: true
|
||||
detection-ports:
|
||||
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
|
||||
mqtt:
|
||||
enabled: 'no'
|
||||
enabled: false
|
||||
http2:
|
||||
enabled: 'yes'
|
||||
enabled: true
|
||||
asn1-max-frames: 256
|
||||
run-as:
|
||||
user: suricata
|
||||
@@ -312,8 +312,8 @@ suricata:
|
||||
legacy:
|
||||
uricontent: enabled
|
||||
engine-analysis:
|
||||
rules-fast-pattern: "yes"
|
||||
rules: "yes"
|
||||
rules-fast-pattern: true
|
||||
rules: true
|
||||
pcre:
|
||||
match-limit: 3500
|
||||
match-limit-recursion: 1500
|
||||
@@ -336,7 +336,7 @@ suricata:
|
||||
hash-size: 65536
|
||||
trackers: 65535
|
||||
max-frags: 65535
|
||||
prealloc: "yes"
|
||||
prealloc: true
|
||||
timeout: 60
|
||||
flow:
|
||||
memcap: 128mb
|
||||
@@ -380,14 +380,14 @@ suricata:
|
||||
emergency-bypassed: 50
|
||||
stream:
|
||||
memcap: 64mb
|
||||
checksum-validation: "yes"
|
||||
checksum-validation: true
|
||||
inline: auto
|
||||
reassembly:
|
||||
memcap: 256mb
|
||||
depth: 1mb
|
||||
toserver-chunk-size: 2560
|
||||
toclient-chunk-size: 2560
|
||||
randomize-chunk-size: "yes"
|
||||
randomize-chunk-size: true
|
||||
host:
|
||||
hash-size: 4096
|
||||
prealloc: 1000
|
||||
@@ -432,38 +432,38 @@ suricata:
|
||||
allow-restricted-functions: false
|
||||
profiling:
|
||||
rules:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filename: rule_perf.log
|
||||
append: "yes"
|
||||
append: true
|
||||
limit: 10
|
||||
json: "yes"
|
||||
json: true
|
||||
keywords:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filename: keyword_perf.log
|
||||
append: "yes"
|
||||
append: true
|
||||
prefilter:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filename: prefilter_perf.log
|
||||
append: "yes"
|
||||
append: true
|
||||
rulegroups:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filename: rule_group_perf.log
|
||||
append: "yes"
|
||||
append: true
|
||||
packets:
|
||||
enabled: "yes"
|
||||
enabled: true
|
||||
filename: packet_stats.log
|
||||
append: "yes"
|
||||
append: true
|
||||
csv:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
filename: packet_stats.csv
|
||||
locks:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
filename: lock_stats.log
|
||||
append: "yes"
|
||||
append: true
|
||||
pcap-log:
|
||||
enabled: "no"
|
||||
enabled: false
|
||||
filename: pcaplog_stats.log
|
||||
append: "yes"
|
||||
append: true
|
||||
default-rule-path: /etc/suricata/rules
|
||||
rule-files:
|
||||
- all-rulesets.rules
|
||||
|
||||
@@ -43,22 +43,18 @@
|
||||
- interface: {{ GLOBALS.sensor.interface }}
|
||||
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
|
||||
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
|
||||
defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
|
||||
use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
|
||||
mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
|
||||
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
|
||||
use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
|
||||
mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}
|
||||
threads: {{ SURICATAMERGED.config['af-packet'].threads }}
|
||||
tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
|
||||
tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
|
||||
ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
|
||||
block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
|
||||
block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
|
||||
use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
|
||||
use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}
|
||||
buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
|
||||
disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
|
||||
{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
|
||||
checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
|
||||
{% else %}
|
||||
disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}
|
||||
checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
|
||||
{% endif %}
|
||||
{% endload %}
|
||||
{% do SURICATAMERGED.config.pop('af-packet') %}
|
||||
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
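Review bot: The new unquoted `checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}` drops the old `{% if ... in ['yes', 'no'] %}` quoting without giving the key a boolean type: its annotation in this same commit lists the options kernel/yes/no/auto with `- yes` and `- no` unquoted, and an unquoted yes/no is a boolean to any YAML 1.1 loader, so depending on how the stored pillar value is parsed Jinja may render `checksum-checks: True` rather than the string the operator selected. Whether Suricata's af-packet loader accepts that spelling is not shown here, and the other keys in this hunk are safe only because they are bool-typed. Normalising in the template keeps the rendered value predictable, e.g. `checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] | string | lower }}"`, and quoting `- "yes"` / `- "no"` in the annotation's options list removes the ambiguity at the source. The load block that `{% endload %}` closes here opens before the hunk.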
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
suricata:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
thresholding:
|
||||
sids__yaml:
|
||||
@@ -37,8 +38,9 @@ suricata:
|
||||
description: Enable compression of Suricata PCAP files.
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
lz4-checksum:
|
||||
lz4-checksum:
|
||||
description: Enable PCAP lz4 checksum.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
lz4-level:
|
||||
@@ -55,11 +57,10 @@ suricata:
|
||||
advanced: True
|
||||
readonly: True
|
||||
helpLink: suricata
|
||||
use-stream-depth:
|
||||
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
|
||||
use-stream-depth:
|
||||
description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
regex: ^(yes|no)$
|
||||
regexFailureMessage: You must enter either yes or no.
|
||||
helpLink: suricata
|
||||
conditional:
|
||||
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
|
||||
@@ -84,15 +85,16 @@ suricata:
|
||||
advanced: True
|
||||
regex: ^(cluster_flow|cluster_qm)$
|
||||
defrag:
|
||||
description: Enable defragmentation of IP packets before processing.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
regex: ^(yes|no)$
|
||||
use-mmap:
|
||||
advanced: True
|
||||
readonly: True
|
||||
mmap-locked:
|
||||
description: Prevent swapping by locking the memory map.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
regex: ^(yes|no)$
|
||||
helpLink: suricata
|
||||
threads:
|
||||
description: The amount of worker threads.
|
||||
@@ -116,9 +118,9 @@ suricata:
|
||||
forcedType: int
|
||||
helpLink: suricata
|
||||
use-emergency-flush:
|
||||
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
|
||||
description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
regex: ^(yes|no)$
|
||||
helpLink: suricata
|
||||
buffer-size:
|
||||
description: Increasing the value of the receive buffer may improve performance.
|
||||
@@ -126,30 +128,33 @@ suricata:
|
||||
forcedType: int
|
||||
helpLink: suricata
|
||||
disable-promisc:
|
||||
description: Promiscuous mode can be disabled by setting this to "yes".
|
||||
description: Disable promiscuous mode on the capture interface.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
regex: ^(yes|no)$
|
||||
helpLink: suricata
|
||||
checksum-checks:
|
||||
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
|
||||
advanced: True
|
||||
regex: ^(kernel|yes|no|auto)$
|
||||
options:
|
||||
- kernel
|
||||
- yes
|
||||
- no
|
||||
- auto
|
||||
helpLink: suricata
|
||||
threading:
|
||||
set-cpu-affinity:
|
||||
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
|
||||
regex: ^(yes|no)$
|
||||
regexFailureMessage: You must enter either yes or no.
|
||||
description: Bind or unbind management and worker threads to a core or range of cores.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
cpu-affinity:
|
||||
management-cpu-set:
|
||||
cpu:
|
||||
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
||||
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
|
||||
forcedType: "[]string"
|
||||
helpLink: suricata
|
||||
worker-cpu-set:
|
||||
cpu:
|
||||
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
||||
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
|
||||
forcedType: "[]string"
|
||||
helpLink: suricata
|
||||
vars:
|
||||
@@ -198,11 +203,44 @@ suricata:
|
||||
GENEVE_PORTS: *suriportgroup
|
||||
outputs:
|
||||
eve-log:
|
||||
pcap-file:
|
||||
description: Log the PCAP filename that a packet was read from when processing pcap files.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
community-id:
|
||||
description: Enable Community ID flow hashing for consistent event correlation across tools.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
types:
|
||||
alert:
|
||||
metadata:
|
||||
app-layer:
|
||||
description: Include app-layer metadata in alert events.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
flow:
|
||||
description: Include flow metadata in alert events.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
rule:
|
||||
metadata:
|
||||
description: Include rule metadata in alert events.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
raw:
|
||||
description: Include raw rule text in alert events.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
xff:
|
||||
enabled:
|
||||
description: Enable X-Forward-For support.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
mode:
|
||||
description: Operation mode. This should always be extra-data if you use PCAP.
|
||||
@@ -242,8 +280,9 @@ suricata:
|
||||
max-frags:
|
||||
description: Max number of fragments to keep
|
||||
helpLink: suricata
|
||||
prealloc:
|
||||
prealloc:
|
||||
description: Preallocate memory.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
timeout:
|
||||
description: Timeout value.
|
||||
@@ -264,6 +303,7 @@ suricata:
|
||||
helpLink: suricata
|
||||
checksum-validation:
|
||||
description: Validate checksum of packets.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
reassembly:
|
||||
memcap:
|
||||
@@ -286,6 +326,7 @@ suricata:
|
||||
teredo:
|
||||
enabled:
|
||||
description: Enable TEREDO capabilities
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
ports:
|
||||
description: Ports to listen for. This should be a variable.
|
||||
@@ -293,14 +334,58 @@ suricata:
|
||||
vxlan:
|
||||
enabled:
|
||||
description: Enable VXLAN capabilities.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
ports:
|
||||
description: Ports to listen for. This should be a variable.
|
||||
ports:
|
||||
description: Ports to listen for. This should be a variable.
|
||||
helpLink: suricata
|
||||
geneve:
|
||||
enabled:
|
||||
description: Enable VXLAN capabilities.
|
||||
forcedType: bool
|
||||
helpLink: suricata
|
||||
ports:
|
||||
description: Ports to listen for. This should be a variable.
|
||||
ports:
|
||||
description: Ports to listen for. This should be a variable.
|
||||
helpLink: suricata
|
||||
recursion-level:
|
||||
use-for-tracking:
|
||||
description: Controls whether the decoder recursion level is used for flow tracking.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
vlan:
|
||||
use-for-tracking:
|
||||
description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
detect:
|
||||
profiling:
|
||||
grouping:
|
||||
dump-to-disk:
|
||||
description: Dump detection engine grouping information to disk for analysis.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
include-rules:
|
||||
description: Include individual rule details in grouping profiling output.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
include-mpm-stats:
|
||||
description: Include multi-pattern matcher statistics in grouping profiling output.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
security:
|
||||
lua:
|
||||
allow-rules:
|
||||
description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
|
||||
allow-restricted-functions:
|
||||
description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: suricata
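Review bot: The new `security.lua.allow-rules` and `allow-restricted-functions` descriptions say only that enabling them "may introduce security risks", which does not tell an operator in the SOC UI what is actually being granted. Suggest `description: Allow Lua rules in the Suricata ruleset. Lua rules execute script code inside the Suricata process (as the run-as user), so a malicious or compromised rule source can run code on the sensor; leave disabled unless every rule source is trusted.` and, for the second key, state that restricted functions extend that script with file I/O and OS access. Separately, the new `geneve.enabled` description reads `Enable VXLAN capabilities.`, copied from the vxlan entry; it should read `Enable GENEVE capabilities.`.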
|
||||
|
||||
@@ -7,8 +7,8 @@ telegraf:
|
||||
collection_jitter: '0s'
|
||||
flush_interval: '10s'
|
||||
flush_jitter: '0s'
|
||||
debug: 'false'
|
||||
quiet: 'false'
|
||||
debug: false
|
||||
quiet: false
|
||||
scripts:
|
||||
eval:
|
||||
- agentstatus.sh
|
||||
|
||||
@@ -56,9 +56,9 @@
|
||||
|
||||
## Logging configuration:
|
||||
## Run telegraf with debug log messages.
|
||||
debug = {{ TELEGRAFMERGED.config.debug }}
|
||||
debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }}
|
||||
## Run telegraf in quiet mode (error log messages only).
|
||||
quiet = false
|
||||
quiet = {{ 'true' if TELEGRAFMERGED.config.quiet else 'false'}}
|
||||
## Specify the log file name. The empty string means to log to stderr.
|
||||
logfile = "/var/log/telegraf/telegraf.log"
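Review bot: `debug = {{ 'true' if TELEGRAFMERGED.config.debug else 'false' }}` (and the matching `quiet` line) relies on Jinja truthiness, so a pillar that still carries the previous string form `debug: 'false'` — the old default on the defaults side of this change — renders `debug = true`, because any non-empty string is truthy. Unless the new `forcedType: bool` annotation rewrites values already stored in the pillar, which this page does not show, an upgraded grid with a locally-set string value would silently switch Telegraf into debug logging. Comparing on the normalised value avoids that: `debug = {{ 'true' if (TELEGRAFMERGED.config.debug | string | lower) == 'true' else 'false' }}` and `quiet = {{ 'true' if (TELEGRAFMERGED.config.quiet | string | lower) == 'true' else 'false' }}`.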
|
||||
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
telegraf:
|
||||
enabled:
|
||||
enabled:
|
||||
description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
config:
|
||||
@@ -34,13 +35,13 @@ telegraf:
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
debug:
|
||||
description: Data collection interval.
|
||||
global: True
|
||||
description: Run telegraf with debug log messages
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
quiet:
|
||||
description: Data collection interval.
|
||||
global: True
|
||||
description: Run telegraf in quiet mode (error log messages only).
|
||||
forcedType: bool
|
||||
advanced: True
|
||||
helpLink: influxdb
|
||||
scripts:
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
zeek:
|
||||
enabled:
|
||||
description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
|
||||
forcedType: bool
|
||||
helpLink: zeek
|
||||
ja4plus:
|
||||
enabled:
|
||||
|
||||