mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-01-26 09:53:30 +01:00
237 lines
8.1 KiB
YAML
237 lines
8.1 KiB
YAML
suricata:
|
|
enabled:
|
|
description: You can enable or disable Suricata.
|
|
helpLink: suricata.html
|
|
thresholding:
|
|
sids__yaml:
|
|
description: Threshold SIDS List
|
|
syntax: yaml
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: SIDS
|
|
helpLink: suricata.html
|
|
config:
|
|
af-packet:
|
|
interface:
|
|
description: The network interface that Suricata will monitor. This is set under sensor > interface.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
cluster-id:
|
|
advanced: True
|
|
cluster-type:
|
|
advanced: True
|
|
regex: ^(cluster_flow|cluster_qm)$
|
|
defrag:
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
use-mmap:
|
|
advanced: True
|
|
readonly: True
|
|
threads:
|
|
description: The amount of worker threads.
|
|
helpLink: suricata.html
|
|
forcedType: int
|
|
tpacket-v3:
|
|
advanced: True
|
|
readonly: True
|
|
ring-size:
|
|
description: Buffer size for packets per thread.
|
|
forcedType: int
|
|
helpLink: suricata.html
|
|
threading:
|
|
set-cpu-affinity:
|
|
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata.html
|
|
cpu-affinity:
|
|
management-cpu-set:
|
|
cpu:
|
|
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata.html
|
|
worker-cpu-set:
|
|
cpu:
|
|
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata.html
|
|
vars:
|
|
address-groups:
|
|
HOME_NET:
|
|
description: List of hosts or networks.
|
|
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
|
|
regexFailureMessage: You must enter a valid IP address or CIDR.
|
|
helpLink: suricata.html
|
|
EXTERNAL_NET:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
HTTP_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
SMTP_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
SQL_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNS_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
TELNET_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
AIM_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DC_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNP3_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNP3_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
MODBUS_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
MODBUS_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
ENIP_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
ENIP_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
port-groups:
|
|
HTTP_PORTS:
|
|
description: List of ports to look for HTTP traffic on.
|
|
helpLink: suricata.html
|
|
SHELLCODE_PORTS:
|
|
description: List of ports to look for SHELLCODE traffic on.
|
|
helpLink: suricata.html
|
|
ORACLE_PORTS:
|
|
description: List of ports to look for ORACLE traffic on.
|
|
helpLink: suricata.html
|
|
SSH_PORTS:
|
|
description: List of ports to look for SSH traffic on.
|
|
helpLink: suricata.html
|
|
DNP3_PORTS:
|
|
description: List of ports to look for DNP3 traffic on.
|
|
helpLink: suricata.html
|
|
MODBUS_PORTS:
|
|
description: List of ports to look for MODBUS traffic on.
|
|
helpLink: suricata.html
|
|
FILE_DATA_PORTS:
|
|
description: List of ports to look for FILE_DATA traffic on.
|
|
helpLink: suricata.html
|
|
FTP_PORTS:
|
|
description: List of ports to look for FTP traffic on.
|
|
helpLink: suricata.html
|
|
VXLAN_PORTS:
|
|
description: List of ports to look for VXLAN traffic on.
|
|
helpLink: suricata.html
|
|
TEREDO_PORTS:
|
|
description: List of ports to look for TEREDO traffic on.
|
|
helpLink: suricata.html
|
|
outputs:
|
|
eve-log:
|
|
types:
|
|
alert:
|
|
xff:
|
|
enabled:
|
|
description: Enable X-Forward-For support.
|
|
helpLink: suricata.html
|
|
mode:
|
|
description: Operation mode. This should always be extra-data if you use PCAP.
|
|
helpLink: suricata.html
|
|
deployment:
|
|
description: forward would use the first IP address and reverse would use the last.
|
|
helpLink: suricata.html
|
|
header:
|
|
description: Header name where the actual IP address will be reported.
|
|
helpLink: suricata.html
|
|
asn1-max-frames:
|
|
description: Maximum nuber of asn1 frames to decode.
|
|
helpLink: suricata.html
|
|
max-pending-packets:
|
|
description: Number of packets preallocated per thread.
|
|
helpLink: suricata.html
|
|
default-packet-size:
|
|
description: Preallocated size for each packet.
|
|
helpLink: suricata.html
|
|
pcre:
|
|
match-limit:
|
|
description: Match limit for PCRE.
|
|
helpLink: suricata.html
|
|
match-limit-recursion:
|
|
description: Recursion limit for PCRE.
|
|
helpLink: suricata.html
|
|
defrag:
|
|
memcap:
|
|
description: Max memory to use for defrag. You should only change this if you know what you are doing.
|
|
helpLink: suricata.html
|
|
hash-size:
|
|
description: Hash size
|
|
helpLink: suricata.html
|
|
trackers:
|
|
description: Number of defragmented flows to follow.
|
|
helpLink: suricata.html
|
|
max-frags:
|
|
description: Max number of fragments to keep
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: Preallocate memory.
|
|
helpLink: suricata.html
|
|
timeout:
|
|
description: Timeout value.
|
|
helpLink: suricata.html
|
|
flow:
|
|
memcap:
|
|
description: Reserverd memory for flows.
|
|
helpLink: suricata.html
|
|
hash-size:
|
|
description: Determines the size of the hash used to identify flows inside the engine.
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: Number of preallocated flows.
|
|
helpLink: suricata.html
|
|
stream:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata.html
|
|
checksum-validation:
|
|
description: Validate checksum of packets.
|
|
helpLink: suricata.html
|
|
reassembly:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata.html
|
|
host:
|
|
hash-size:
|
|
description: Hash size in bytes.
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: How many streams to preallocate.
|
|
helpLink: suricata.html
|
|
memcap:
|
|
description: Memory settings for host.
|
|
helpLink: suricata.html
|
|
decoder:
|
|
teredo:
|
|
enabled:
|
|
description: Enable TEREDO capabilities
|
|
helpLink: suricata.html
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata.html
|
|
vxlan:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
helpLink: suricata.html
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata.html
|