mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-04-24 21:47:48 +02:00
Doug Burks
307 lines
13 KiB
YAML
307 lines
13 KiB
YAML
suricata:
|
|
enabled:
|
|
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
|
|
helpLink: suricata
|
|
thresholding:
|
|
sids__yaml:
|
|
description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules.
|
|
syntax: yaml
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: SIDS
|
|
helpLink: suricata
|
|
readonlyUi: True
|
|
advanced: True
|
|
classification:
|
|
classification__config:
|
|
description: Classifications config file.
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: Classifications
|
|
helpLink: suricata
|
|
pcap:
|
|
enabled:
|
|
description: Enables or disables the Suricata packet recording process.
|
|
forcedType: bool
|
|
helpLink: suricata
|
|
filesize:
|
|
description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
|
|
advanced: True
|
|
helpLink: suricata
|
|
maxsize:
|
|
description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
|
|
helpLink: suricata
|
|
compression:
|
|
description: Enable compression of Suricata PCAP files.
|
|
advanced: True
|
|
helpLink: suricata
|
|
lz4-checksum:
|
|
description: Enable PCAP lz4 checksum.
|
|
advanced: True
|
|
helpLink: suricata
|
|
lz4-level:
|
|
description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
|
|
advanced: True
|
|
helpLink: suricata
|
|
filename:
|
|
description: Filename output for Suricata PCAP files.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
mode:
|
|
description: Suricata PCAP mode. Currently only multi is supported.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
use-stream-depth:
|
|
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
regexFailureMessage: You must enter either yes or no.
|
|
helpLink: suricata
|
|
conditional:
|
|
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
|
|
regex: ^(all|alerts|tag)$
|
|
regexFailureMessage: You must enter either all, alert or tag.
|
|
helpLink: suricata
|
|
dir:
|
|
description: Parent directory to store PCAP.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
config:
|
|
af-packet:
|
|
interface:
|
|
description: The network interface that Suricata will monitor. This is set under sensor > interface.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata
|
|
cluster-id:
|
|
advanced: True
|
|
cluster-type:
|
|
advanced: True
|
|
regex: ^(cluster_flow|cluster_qm)$
|
|
defrag:
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
use-mmap:
|
|
advanced: True
|
|
readonly: True
|
|
mmap-locked:
|
|
description: Prevent swapping by locking the memory map.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata
|
|
threads:
|
|
description: The amount of worker threads.
|
|
helpLink: suricata
|
|
forcedType: int
|
|
tpacket-v3:
|
|
advanced: True
|
|
readonly: True
|
|
ring-size:
|
|
description: Buffer size for packets per thread.
|
|
forcedType: int
|
|
helpLink: suricata
|
|
block-size:
|
|
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata
|
|
block-timeout:
|
|
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata
|
|
use-emergency-flush:
|
|
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata
|
|
buffer-size:
|
|
description: Increasing the value of the receive buffer may improve performance.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata
|
|
disable-promisc:
|
|
description: Promiscuous mode can be disabled by setting this to "yes".
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata
|
|
checksum-checks:
|
|
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
|
|
advanced: True
|
|
regex: ^(kernel|yes|no|auto)$
|
|
helpLink: suricata
|
|
threading:
|
|
set-cpu-affinity:
|
|
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
|
|
regex: ^(yes|no)$
|
|
regexFailureMessage: You must enter either yes or no.
|
|
helpLink: suricata
|
|
cpu-affinity:
|
|
management-cpu-set:
|
|
cpu:
|
|
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata
|
|
worker-cpu-set:
|
|
cpu:
|
|
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata
|
|
vars:
|
|
address-groups:
|
|
HOME_NET:
|
|
description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
|
|
regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
|
|
regexFailureMessage: You must enter a valid IP address or CIDR.
|
|
forcedType: "[]string"
|
|
duplicates: True
|
|
helpLink: suricata
|
|
EXTERNAL_NET: &suriaddressgroup
|
|
description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
|
|
forcedType: "[]string"
|
|
duplicates: True
|
|
helpLink: suricata
|
|
HTTP_SERVERS: *suriaddressgroup
|
|
SMTP_SERVERS: *suriaddressgroup
|
|
SQL_SERVERS: *suriaddressgroup
|
|
DNS_SERVERS: *suriaddressgroup
|
|
TELNET_SERVERS: *suriaddressgroup
|
|
AIM_SERVERS: *suriaddressgroup
|
|
DC_SERVERS: *suriaddressgroup
|
|
DNP3_SERVER: *suriaddressgroup
|
|
DNP3_CLIENT: *suriaddressgroup
|
|
MODBUS_CLIENT: *suriaddressgroup
|
|
MODBUS_SERVER: *suriaddressgroup
|
|
ENIP_CLIENT: *suriaddressgroup
|
|
ENIP_SERVER: *suriaddressgroup
|
|
port-groups:
|
|
HTTP_PORTS: &suriportgroup
|
|
description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
|
|
forcedType: "[]string"
|
|
duplicates: True
|
|
helpLink: suricata
|
|
SHELLCODE_PORTS: *suriportgroup
|
|
ORACLE_PORTS: *suriportgroup
|
|
SSH_PORTS: *suriportgroup
|
|
DNP3_PORTS: *suriportgroup
|
|
MODBUS_PORTS: *suriportgroup
|
|
FILE_DATA_PORTS: *suriportgroup
|
|
FTP_PORTS: *suriportgroup
|
|
VXLAN_PORTS: *suriportgroup
|
|
TEREDO_PORTS: *suriportgroup
|
|
SIP_PORTS: *suriportgroup
|
|
GENEVE_PORTS: *suriportgroup
|
|
outputs:
|
|
eve-log:
|
|
types:
|
|
alert:
|
|
xff:
|
|
enabled:
|
|
description: Enable X-Forward-For support.
|
|
helpLink: suricata
|
|
mode:
|
|
description: Operation mode. This should always be extra-data if you use PCAP.
|
|
helpLink: suricata
|
|
deployment:
|
|
description: forward would use the first IP address and reverse would use the last.
|
|
helpLink: suricata
|
|
header:
|
|
description: Header name where the actual IP address will be reported.
|
|
helpLink: suricata
|
|
asn1-max-frames:
|
|
description: Maximum nuber of asn1 frames to decode.
|
|
helpLink: suricata
|
|
max-pending-packets:
|
|
description: Number of packets preallocated per thread.
|
|
helpLink: suricata
|
|
default-packet-size:
|
|
description: Preallocated size for each packet.
|
|
helpLink: suricata
|
|
pcre:
|
|
match-limit:
|
|
description: Match limit for PCRE.
|
|
helpLink: suricata
|
|
match-limit-recursion:
|
|
description: Recursion limit for PCRE.
|
|
helpLink: suricata
|
|
defrag:
|
|
memcap:
|
|
description: Max memory to use for defrag. You should only change this if you know what you are doing.
|
|
helpLink: suricata
|
|
hash-size:
|
|
description: Hash size
|
|
helpLink: suricata
|
|
trackers:
|
|
description: Number of defragmented flows to follow.
|
|
helpLink: suricata
|
|
max-frags:
|
|
description: Max number of fragments to keep
|
|
helpLink: suricata
|
|
prealloc:
|
|
description: Preallocate memory.
|
|
helpLink: suricata
|
|
timeout:
|
|
description: Timeout value.
|
|
helpLink: suricata
|
|
flow:
|
|
memcap:
|
|
description: Reserverd memory for flows.
|
|
helpLink: suricata
|
|
hash-size:
|
|
description: Determines the size of the hash used to identify flows inside the engine.
|
|
helpLink: suricata
|
|
prealloc:
|
|
description: Number of preallocated flows.
|
|
helpLink: suricata
|
|
stream:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata
|
|
checksum-validation:
|
|
description: Validate checksum of packets.
|
|
helpLink: suricata
|
|
reassembly:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata
|
|
depth:
|
|
description: Controls how far into a stream that reassembly is done.
|
|
helpLink: suricata
|
|
host:
|
|
hash-size:
|
|
description: Hash size in bytes.
|
|
helpLink: suricata
|
|
prealloc:
|
|
description: How many streams to preallocate.
|
|
helpLink: suricata
|
|
memcap:
|
|
description: Memory settings for host.
|
|
helpLink: suricata
|
|
decoder:
|
|
teredo:
|
|
enabled:
|
|
description: Enable TEREDO capabilities
|
|
helpLink: suricata
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata
|
|
vxlan:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
helpLink: suricata
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata
|
|
geneve:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
helpLink: suricata
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata
|