mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-04-29 07:57:52 +02:00
Mike Reeves
302 lines
11 KiB
YAML
302 lines
11 KiB
YAML
suricata:
|
|
enabled:
|
|
description: You can enable or disable Suricata.
|
|
helpLink: suricata.html
|
|
thresholding:
|
|
sids__yaml:
|
|
description: Threshold SIDS List
|
|
syntax: yaml
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: SIDS
|
|
helpLink: suricata.html
|
|
classification:
|
|
classification__config:
|
|
description: Classifications config file.
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: Classifications
|
|
helpLink: suricata.html
|
|
config:
|
|
af-packet:
|
|
interface:
|
|
description: The network interface that Suricata will monitor. This is set under sensor > interface.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
cluster-id:
|
|
advanced: True
|
|
cluster-type:
|
|
advanced: True
|
|
regex: ^(cluster_flow|cluster_qm)$
|
|
defrag:
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
use-mmap:
|
|
advanced: True
|
|
readonly: True
|
|
threads:
|
|
description: The amount of worker threads.
|
|
helpLink: suricata.html
|
|
forcedType: int
|
|
tpacket-v3:
|
|
advanced: True
|
|
readonly: True
|
|
ring-size:
|
|
description: Buffer size for packets per thread.
|
|
forcedType: int
|
|
helpLink: suricata.html
|
|
threading:
|
|
set-cpu-affinity:
|
|
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
|
|
regex: ^(yes|no)$
|
|
regexFailureMessage: You must enter either yes or no.
|
|
helpLink: suricata.html
|
|
cpu-affinity:
|
|
management-cpu-set:
|
|
cpu:
|
|
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata.html
|
|
worker-cpu-set:
|
|
cpu:
|
|
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata.html
|
|
vars:
|
|
address-groups:
|
|
HOME_NET:
|
|
description: List of hosts or networks.
|
|
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
|
|
regexFailureMessage: You must enter a valid IP address or CIDR.
|
|
helpLink: suricata.html
|
|
EXTERNAL_NET:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
HTTP_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
SMTP_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
SQL_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNS_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
TELNET_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
AIM_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DC_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNP3_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNP3_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
MODBUS_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
MODBUS_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
ENIP_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
ENIP_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
port-groups:
|
|
HTTP_PORTS:
|
|
description: List of ports to look for HTTP traffic on.
|
|
helpLink: suricata.html
|
|
SHELLCODE_PORTS:
|
|
description: List of ports to look for SHELLCODE traffic on.
|
|
helpLink: suricata.html
|
|
ORACLE_PORTS:
|
|
description: List of ports to look for ORACLE traffic on.
|
|
helpLink: suricata.html
|
|
SSH_PORTS:
|
|
description: List of ports to look for SSH traffic on.
|
|
helpLink: suricata.html
|
|
DNP3_PORTS:
|
|
description: List of ports to look for DNP3 traffic on.
|
|
helpLink: suricata.html
|
|
MODBUS_PORTS:
|
|
description: List of ports to look for MODBUS traffic on.
|
|
helpLink: suricata.html
|
|
FILE_DATA_PORTS:
|
|
description: List of ports to look for FILE_DATA traffic on.
|
|
helpLink: suricata.html
|
|
FTP_PORTS:
|
|
description: List of ports to look for FTP traffic on.
|
|
helpLink: suricata.html
|
|
VXLAN_PORTS:
|
|
description: List of ports to look for VXLAN traffic on.
|
|
helpLink: suricata.html
|
|
TEREDO_PORTS:
|
|
description: List of ports to look for TEREDO traffic on.
|
|
helpLink: suricata.html
|
|
outputs:
|
|
eve-log:
|
|
types:
|
|
alert:
|
|
xff:
|
|
enabled:
|
|
description: Enable X-Forward-For support.
|
|
helpLink: suricata.html
|
|
mode:
|
|
description: Operation mode. This should always be extra-data if you use PCAP.
|
|
helpLink: suricata.html
|
|
deployment:
|
|
description: forward would use the first IP address and reverse would use the last.
|
|
helpLink: suricata.html
|
|
header:
|
|
description: Header name where the actual IP address will be reported.
|
|
helpLink: suricata.html
|
|
pcap-log:
|
|
enabled:
|
|
description: This value is ignored by SO. pcapengine in globals takes precidence.
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
advanced: True
|
|
compression:
|
|
description: Enable compression of Suricata PCAP. Currently unsupported
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
lz4-checksum:
|
|
description: Enable PCAP lz4 checksum. Currently unsupported
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
lz4-level:
|
|
description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
filename:
|
|
description: Filename output for Suricata PCAP.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
limit:
|
|
description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit.
|
|
helpLink: suricata.html
|
|
mode:
|
|
description: Suricata PCAP mode. Currently only multi is supported.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
max-files:
|
|
description: Max PCAP files per thread. To determine max PCAP size multiple threads x max-files x limit.
|
|
helpLink: suricata.html
|
|
use-stream-depth:
|
|
description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
regexFailureMessage: You must enter either yes or no.
|
|
helpLink: suricata.html
|
|
conditional:
|
|
description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
|
|
regex: ^(all|alert|tag)$
|
|
regexFailureMessage: You must enter either all, alert or tag.
|
|
helpLink: suricata.html
|
|
dir:
|
|
description: Parent directory to store PCAP.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
asn1-max-frames:
|
|
description: Maximum nuber of asn1 frames to decode.
|
|
helpLink: suricata.html
|
|
max-pending-packets:
|
|
description: Number of packets preallocated per thread.
|
|
helpLink: suricata.html
|
|
default-packet-size:
|
|
description: Preallocated size for each packet.
|
|
helpLink: suricata.html
|
|
pcre:
|
|
match-limit:
|
|
description: Match limit for PCRE.
|
|
helpLink: suricata.html
|
|
match-limit-recursion:
|
|
description: Recursion limit for PCRE.
|
|
helpLink: suricata.html
|
|
defrag:
|
|
memcap:
|
|
description: Max memory to use for defrag. You should only change this if you know what you are doing.
|
|
helpLink: suricata.html
|
|
hash-size:
|
|
description: Hash size
|
|
helpLink: suricata.html
|
|
trackers:
|
|
description: Number of defragmented flows to follow.
|
|
helpLink: suricata.html
|
|
max-frags:
|
|
description: Max number of fragments to keep
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: Preallocate memory.
|
|
helpLink: suricata.html
|
|
timeout:
|
|
description: Timeout value.
|
|
helpLink: suricata.html
|
|
flow:
|
|
memcap:
|
|
description: Reserverd memory for flows.
|
|
helpLink: suricata.html
|
|
hash-size:
|
|
description: Determines the size of the hash used to identify flows inside the engine.
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: Number of preallocated flows.
|
|
helpLink: suricata.html
|
|
stream:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata.html
|
|
checksum-validation:
|
|
description: Validate checksum of packets.
|
|
helpLink: suricata.html
|
|
reassembly:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata.html
|
|
depth:
|
|
description: Controls how far into a stream that reassembly is done.
|
|
helpLink: suricata.html
|
|
host:
|
|
hash-size:
|
|
description: Hash size in bytes.
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: How many streams to preallocate.
|
|
helpLink: suricata.html
|
|
memcap:
|
|
description: Memory settings for host.
|
|
helpLink: suricata.html
|
|
decoder:
|
|
teredo:
|
|
enabled:
|
|
description: Enable TEREDO capabilities
|
|
helpLink: suricata.html
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata.html
|
|
vxlan:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
helpLink: suricata.html
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata.html
|