mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-04-18 18:51:51 +02:00
396 lines
16 KiB
YAML
396 lines
16 KiB
YAML
suricata:
|
|
enabled:
|
|
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
thresholding:
|
|
sids__yaml:
|
|
description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules.
|
|
syntax: yaml
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: SIDS
|
|
helpLink: suricata
|
|
readonlyUi: True
|
|
advanced: True
|
|
classification:
|
|
classification__config:
|
|
description: Classifications config file.
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: Classifications
|
|
helpLink: suricata
|
|
pcap:
|
|
enabled:
|
|
description: Enables or disables the Suricata packet recording process.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
filesize:
|
|
description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
|
|
advanced: True
|
|
helpLink: suricata
|
|
maxsize:
|
|
description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
|
|
helpLink: suricata
|
|
compression:
|
|
description: Enable compression of Suricata PCAP files.
|
|
advanced: True
|
|
helpLink: suricata
|
|
lz4-checksum:
|
|
description: Enable PCAP lz4 checksum.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
lz4-level:
|
|
description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
|
|
advanced: True
|
|
helpLink: suricata
|
|
filename:
|
|
description: Filename output for Suricata PCAP files.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
mode:
|
|
description: Suricata PCAP mode. Currently only multi is supported.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
use-stream-depth:
|
|
description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
conditional:
|
|
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
|
|
options:
|
|
- all
|
|
- alerts
|
|
- tag
|
|
helpLink: suricata
|
|
dir:
|
|
description: Parent directory to store PCAP.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
config:
|
|
af-packet:
|
|
interface:
|
|
description: The network interface that Suricata will monitor. This is set under sensor > interface.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
cluster-id:
|
|
advanced: True
|
|
cluster-type:
|
|
advanced: True
|
|
options:
|
|
- cluster_flow
|
|
- cluster_qm
|
|
defrag:
|
|
description: Enable defragmentation of IP packets before processing.
|
|
forcedType: bool
|
|
advanced: True
|
|
use-mmap:
|
|
advanced: True
|
|
readonly: True
|
|
mmap-locked:
|
|
description: Prevent swapping by locking the memory map.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
threads:
|
|
description: The amount of worker threads.
|
|
helpLink: suricata
|
|
forcedType: int
|
|
tpacket-v3:
|
|
advanced: True
|
|
readonly: True
|
|
ring-size:
|
|
description: Buffer size for packets per thread.
|
|
forcedType: int
|
|
helpLink: suricata
|
|
block-size:
|
|
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata
|
|
block-timeout:
|
|
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata
|
|
use-emergency-flush:
|
|
description: In high-traffic environments, enabling this option aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
buffer-size:
|
|
description: Increasing the value of the receive buffer may improve performance.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata
|
|
disable-promisc:
|
|
description: Disable promiscuous mode on the capture interface.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
checksum-checks:
|
|
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
|
|
advanced: True
|
|
options:
|
|
- kernel
|
|
- yes
|
|
- no
|
|
- auto
|
|
helpLink: suricata
|
|
threading:
|
|
set-cpu-affinity:
|
|
description: Bind or unbind management and worker threads to a core or range of cores.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
cpu-affinity:
|
|
management-cpu-set:
|
|
cpu:
|
|
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata
|
|
worker-cpu-set:
|
|
cpu:
|
|
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to true for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata
|
|
vars:
|
|
address-groups:
|
|
HOME_NET:
|
|
description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
|
|
regex: ^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^!?((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
|
|
regexFailureMessage: You must enter a valid IP address or CIDR.
|
|
forcedType: "[]string"
|
|
duplicates: True
|
|
helpLink: suricata
|
|
EXTERNAL_NET: &suriaddressgroup
|
|
description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
|
|
forcedType: "[]string"
|
|
duplicates: True
|
|
helpLink: suricata
|
|
HTTP_SERVERS: *suriaddressgroup
|
|
SMTP_SERVERS: *suriaddressgroup
|
|
SQL_SERVERS: *suriaddressgroup
|
|
DNS_SERVERS: *suriaddressgroup
|
|
TELNET_SERVERS: *suriaddressgroup
|
|
AIM_SERVERS: *suriaddressgroup
|
|
DC_SERVERS: *suriaddressgroup
|
|
DNP3_SERVER: *suriaddressgroup
|
|
DNP3_CLIENT: *suriaddressgroup
|
|
MODBUS_CLIENT: *suriaddressgroup
|
|
MODBUS_SERVER: *suriaddressgroup
|
|
ENIP_CLIENT: *suriaddressgroup
|
|
ENIP_SERVER: *suriaddressgroup
|
|
port-groups:
|
|
HTTP_PORTS: &suriportgroup
|
|
description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
|
|
forcedType: "[]string"
|
|
duplicates: True
|
|
helpLink: suricata
|
|
SHELLCODE_PORTS: *suriportgroup
|
|
ORACLE_PORTS: *suriportgroup
|
|
SSH_PORTS: *suriportgroup
|
|
DNP3_PORTS: *suriportgroup
|
|
MODBUS_PORTS: *suriportgroup
|
|
FILE_DATA_PORTS: *suriportgroup
|
|
FTP_PORTS: *suriportgroup
|
|
VXLAN_PORTS: *suriportgroup
|
|
TEREDO_PORTS: *suriportgroup
|
|
SIP_PORTS: *suriportgroup
|
|
GENEVE_PORTS: *suriportgroup
|
|
outputs:
|
|
eve-log:
|
|
pcap-file:
|
|
description: Log the PCAP filename that a packet was read from when processing pcap files.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
community-id:
|
|
description: Enable Community ID flow hashing for consistent event correlation across tools.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
types:
|
|
alert:
|
|
metadata:
|
|
app-layer:
|
|
description: Include app-layer metadata in alert events.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
flow:
|
|
description: Include flow metadata in alert events.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
rule:
|
|
metadata:
|
|
description: Include rule metadata in alert events.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
raw:
|
|
description: Include raw rule text in alert events.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
xff:
|
|
enabled:
|
|
description: Enable X-Forward-For support.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
mode:
|
|
description: Operation mode. This should always be extra-data if you use PCAP.
|
|
helpLink: suricata
|
|
deployment:
|
|
description: forward would use the first IP address and reverse would use the last.
|
|
helpLink: suricata
|
|
header:
|
|
description: Header name where the actual IP address will be reported.
|
|
helpLink: suricata
|
|
asn1-max-frames:
|
|
description: Maximum nuber of asn1 frames to decode.
|
|
helpLink: suricata
|
|
max-pending-packets:
|
|
description: Number of packets preallocated per thread.
|
|
helpLink: suricata
|
|
default-packet-size:
|
|
description: Preallocated size for each packet.
|
|
helpLink: suricata
|
|
pcre:
|
|
match-limit:
|
|
description: Match limit for PCRE.
|
|
helpLink: suricata
|
|
match-limit-recursion:
|
|
description: Recursion limit for PCRE.
|
|
helpLink: suricata
|
|
defrag:
|
|
memcap:
|
|
description: Max memory to use for defrag. You should only change this if you know what you are doing.
|
|
helpLink: suricata
|
|
hash-size:
|
|
description: Hash size
|
|
helpLink: suricata
|
|
trackers:
|
|
description: Number of defragmented flows to follow.
|
|
helpLink: suricata
|
|
max-frags:
|
|
description: Max number of fragments to keep
|
|
helpLink: suricata
|
|
prealloc:
|
|
description: Preallocate memory.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
timeout:
|
|
description: Timeout value.
|
|
helpLink: suricata
|
|
flow:
|
|
memcap:
|
|
description: Reserverd memory for flows.
|
|
helpLink: suricata
|
|
hash-size:
|
|
description: Determines the size of the hash used to identify flows inside the engine.
|
|
helpLink: suricata
|
|
prealloc:
|
|
description: Number of preallocated flows.
|
|
helpLink: suricata
|
|
stream:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata
|
|
checksum-validation:
|
|
description: Validate checksum of packets.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
reassembly:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata
|
|
depth:
|
|
description: Controls how far into a stream that reassembly is done.
|
|
helpLink: suricata
|
|
host:
|
|
hash-size:
|
|
description: Hash size in bytes.
|
|
helpLink: suricata
|
|
prealloc:
|
|
description: How many streams to preallocate.
|
|
helpLink: suricata
|
|
memcap:
|
|
description: Memory settings for host.
|
|
helpLink: suricata
|
|
decoder:
|
|
teredo:
|
|
enabled:
|
|
description: Enable TEREDO capabilities
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata
|
|
vxlan:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata
|
|
geneve:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata
|
|
recursion-level:
|
|
use-for-tracking:
|
|
description: Controls whether the decoder recursion level is used for flow tracking.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
vlan:
|
|
use-for-tracking:
|
|
description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
detect:
|
|
profiling:
|
|
grouping:
|
|
dump-to-disk:
|
|
description: Dump detection engine grouping information to disk for analysis.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
include-rules:
|
|
description: Include individual rule details in grouping profiling output.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
include-mpm-stats:
|
|
description: Include multi-pattern matcher statistics in grouping profiling output.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
security:
|
|
lua:
|
|
allow-rules:
|
|
description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|
|
allow-restricted-functions:
|
|
description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
|
|
forcedType: bool
|
|
advanced: True
|
|
helpLink: suricata
|