CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
87477ae4f66903d0fcf08a744bd74365b0b2af47
securityonion/salt/suricata/soc_suricata.yaml
Josh Patterson 245ceb2d49 suricata defaults and annotation
2025-11-10 16:40:11 -05:00

309 lines
13 KiB
YAML
Raw Blame History

suricata:
enabled:
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
helpLink: suricata.html
thresholding:
sids__yaml:
description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules.
syntax: yaml
file: True
global: True
multiline: True
title: SIDS
helpLink: suricata.html
readonlyUi: True
advanced: True
classification:
classification__config:
description: Classifications config file.
file: True
global: True
multiline: True
title: Classifications
helpLink: suricata.html
pcap:
filesize:
description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
advanced: True
helpLink: suricata.html
maxsize:
description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
helpLink: suricata.html
compression:
description: Enable compression of Suricata PCAP files.
advanced: True
helpLink: suricata.html
lz4-checksum:
description: Enable PCAP lz4 checksum.
advanced: True
helpLink: suricata.html
lz4-level:
description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
advanced: True
helpLink: suricata.html
filename:
description: Filename output for Suricata PCAP files.
advanced: True
readonly: True
helpLink: suricata.html
mode:
description: Suricata PCAP mode. Currently only multi is supported.
advanced: True
readonly: True
helpLink: suricata.html
use-stream-depth:
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
advanced: True
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
regex: ^(all|alerts|tag)$
regexFailureMessage: You must enter either all, alert or tag.
helpLink: suricata.html
dir:
description: Parent directory to store PCAP.
advanced: True
readonly: True
helpLink: suricata.html
config:
af-packet:
interface:
description: The network interface that Suricata will monitor. This is set under sensor > interface.
advanced: True
readonly: True
helpLink: suricata.html
cluster-id:
advanced: True
cluster-type:
advanced: True
regex: ^(cluster_flow|cluster_qm)$
defrag:
advanced: True
regex: ^(yes|no)$
use-mmap:
advanced: True
readonly: True
mmap-locked:
description: Prevent swapping by locking the memory map.
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
threads:
description: The amount of worker threads.
helpLink: suricata.html
forcedType: int
tpacket-v3:
advanced: True
readonly: True
ring-size:
description: Buffer size for packets per thread.
forcedType: int
helpLink: suricata.html
block-size:
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
advanced: True
forcedType: int
helpLink: suricata.html
block-timeout:
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
advanced: True
forcedType: int
helpLink: suricata.html
use-emergency-flush:
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
buffer-size:
description: Increasing the value of the receive buffer may improve performance.
advanced: True
forcedType: int
helpLink: suricata.html
disable-promisc:
description: Promiscuous mode can be disabled by setting this to "yes".
advanced: True
regex: ^(yes|no)$
helpLink: suricata.html
checksum-checks:
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
advanced: True
regex: ^(kernel|yes|no|auto)$
helpLink: suricata.html
threading:
set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
regex: ^(yes|no)$
regexFailureMessage: You must enter either yes or no.
helpLink: suricata.html
cpu-affinity:
management-cpu-set:
cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata.html
worker-cpu-set:
cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata.html
vars:
address-groups:
HOME_NET:
description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
regexFailureMessage: You must enter a valid IP address or CIDR.
forcedType: "[]string"
duplicates: True
helpLink: suricata.html
EXTERNAL_NET: &suriaddressgroup
description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
forcedType: "[]string"
duplicates: True
helpLink: suricata.html
HTTP_SERVERS: *suriaddressgroup
SMTP_SERVERS: *suriaddressgroup
SQL_SERVERS: *suriaddressgroup
DNS_SERVERS: *suriaddressgroup
TELNET_SERVERS: *suriaddressgroup
AIM_SERVERS: *suriaddressgroup
DC_SERVERS: *suriaddressgroup
DNP3_SERVER: *suriaddressgroup
DNP3_CLIENT: *suriaddressgroup
MODBUS_CLIENT: *suriaddressgroup
MODBUS_SERVER: *suriaddressgroup
ENIP_CLIENT: *suriaddressgroup
ENIP_SERVER: *suriaddressgroup
port-groups:
HTTP_PORTS: &suriportgroup
description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
forcedType: "[]string"
duplicates: True
helpLink: suricata.html
SHELLCODE_PORTS: *suriportgroup
ORACLE_PORTS: *suriportgroup
SSH_PORTS: *suriportgroup
DNP3_PORTS: *suriportgroup
MODBUS_PORTS: *suriportgroup
FILE_DATA_PORTS: *suriportgroup
FTP_PORTS: *suriportgroup
VXLAN_PORTS: *suriportgroup
TEREDO_PORTS: *suriportgroup
SIP_PORTS: *suriportgroup
GENEVE_PORTS: *suriportgroup
outputs:
eve-log:
types:
alert:
xff:
enabled:
description: Enable X-Forward-For support.
helpLink: suricata.html
mode:
description: Operation mode. This should always be extra-data if you use PCAP.
helpLink: suricata.html
deployment:
description: forward would use the first IP address and reverse would use the last.
helpLink: suricata.html
header:
description: Header name where the actual IP address will be reported.
helpLink: suricata.html
pcap-log:
enabled:
description: This value is ignored by SO. pcapengine in globals takes precedence.
readonly: True
helpLink: suricata.html
advanced: True
asn1-max-frames:
description: Maximum nuber of asn1 frames to decode.
helpLink: suricata.html
max-pending-packets:
description: Number of packets preallocated per thread.
helpLink: suricata.html
default-packet-size:
description: Preallocated size for each packet.
helpLink: suricata.html
pcre:
match-limit:
description: Match limit for PCRE.
helpLink: suricata.html
match-limit-recursion:
description: Recursion limit for PCRE.
helpLink: suricata.html
defrag:
memcap:
description: Max memory to use for defrag. You should only change this if you know what you are doing.
helpLink: suricata.html
hash-size:
description: Hash size
helpLink: suricata.html
trackers:
description: Number of defragmented flows to follow.
helpLink: suricata.html
max-frags:
description: Max number of fragments to keep
helpLink: suricata.html
prealloc:
description: Preallocate memory.
helpLink: suricata.html
timeout:
description: Timeout value.
helpLink: suricata.html
flow:
memcap:
description: Reserverd memory for flows.
helpLink: suricata.html
hash-size:
description: Determines the size of the hash used to identify flows inside the engine.
helpLink: suricata.html
prealloc:
description: Number of preallocated flows.
helpLink: suricata.html
stream:
memcap:
description: Can be specified in kb,mb,gb.
helpLink: suricata.html
checksum-validation:
description: Validate checksum of packets.
helpLink: suricata.html
reassembly:
memcap:
description: Can be specified in kb,mb,gb.
helpLink: suricata.html
depth:
description: Controls how far into a stream that reassembly is done.
helpLink: suricata.html
host:
hash-size:
description: Hash size in bytes.
helpLink: suricata.html
prealloc:
description: How many streams to preallocate.
helpLink: suricata.html
memcap:
description: Memory settings for host.
helpLink: suricata.html
decoder:
teredo:
enabled:
description: Enable TEREDO capabilities
helpLink: suricata.html
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
vxlan:
enabled:
description: Enable VXLAN capabilities.
helpLink: suricata.html
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
geneve:
enabled:
description: Enable VXLAN capabilities.
helpLink: suricata.html
ports:
description: Ports to listen for. This should be a variable.
helpLink: suricata.html
Reference in New Issue View Git Blame Copy Permalink