mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-02-06 23:33:31 +01:00
336 lines
14 KiB
YAML
336 lines
14 KiB
YAML
suricata:
|
|
enabled:
|
|
description: You can enable or disable Suricata.
|
|
helpLink: suricata.html
|
|
thresholding:
|
|
sids__yaml:
|
|
description: Threshold SIDS List
|
|
syntax: yaml
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: SIDS
|
|
helpLink: suricata.html
|
|
classification:
|
|
classification__config:
|
|
description: Classifications config file.
|
|
file: True
|
|
global: True
|
|
multiline: True
|
|
title: Classifications
|
|
helpLink: suricata.html
|
|
pcap:
|
|
filesize:
|
|
description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
|
|
advanced: True
|
|
helpLink: suricata.html
|
|
maxsize:
|
|
description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
|
|
helpLink: suricata.html
|
|
compression:
|
|
description: Enable compression of Suricata PCAP files.
|
|
advanced: True
|
|
helpLink: suricata.html
|
|
lz4-checksum:
|
|
description: Enable PCAP lz4 checksum.
|
|
advanced: True
|
|
helpLink: suricata.html
|
|
lz4-level:
|
|
description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
|
|
advanced: True
|
|
helpLink: suricata.html
|
|
filename:
|
|
description: Filename output for Suricata PCAP files.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
mode:
|
|
description: Suricata PCAP mode. Currently only multi is supported.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
use-stream-depth:
|
|
description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
regexFailureMessage: You must enter either yes or no.
|
|
helpLink: suricata.html
|
|
conditional:
|
|
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
|
|
regex: ^(all|alerts|tag)$
|
|
regexFailureMessage: You must enter either all, alert or tag.
|
|
helpLink: suricata.html
|
|
dir:
|
|
description: Parent directory to store PCAP.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
config:
|
|
af-packet:
|
|
interface:
|
|
description: The network interface that Suricata will monitor. This is set under sensor > interface.
|
|
advanced: True
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
cluster-id:
|
|
advanced: True
|
|
cluster-type:
|
|
advanced: True
|
|
regex: ^(cluster_flow|cluster_qm)$
|
|
defrag:
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
use-mmap:
|
|
advanced: True
|
|
readonly: True
|
|
mmap-locked:
|
|
description: Prevent swapping by locking the memory map.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata.html
|
|
threads:
|
|
description: The amount of worker threads.
|
|
helpLink: suricata.html
|
|
forcedType: int
|
|
tpacket-v3:
|
|
advanced: True
|
|
readonly: True
|
|
ring-size:
|
|
description: Buffer size for packets per thread.
|
|
forcedType: int
|
|
helpLink: suricata.html
|
|
block-size:
|
|
description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata.html
|
|
block-timeout:
|
|
description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata.html
|
|
use-emergency-flush:
|
|
description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata.html
|
|
buffer-size:
|
|
description: Increasing the value of the receive buffer may improve performance.
|
|
advanced: True
|
|
forcedType: int
|
|
helpLink: suricata.html
|
|
disable-promisc:
|
|
description: Promiscuous mode can be disabled by setting this to "yes".
|
|
advanced: True
|
|
regex: ^(yes|no)$
|
|
helpLink: suricata.html
|
|
checksum-checks:
|
|
description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
|
|
advanced: True
|
|
regex: ^(kernel|yes|no|auto)$
|
|
helpLink: suricata.html
|
|
threading:
|
|
set-cpu-affinity:
|
|
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
|
|
regex: ^(yes|no)$
|
|
regexFailureMessage: You must enter either yes or no.
|
|
helpLink: suricata.html
|
|
cpu-affinity:
|
|
management-cpu-set:
|
|
cpu:
|
|
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata.html
|
|
worker-cpu-set:
|
|
cpu:
|
|
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
|
|
forcedType: "[]string"
|
|
helpLink: suricata.html
|
|
vars:
|
|
address-groups:
|
|
HOME_NET:
|
|
description: List of hosts or networks.
|
|
regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
|
|
regexFailureMessage: You must enter a valid IP address or CIDR.
|
|
helpLink: suricata.html
|
|
EXTERNAL_NET:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
HTTP_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
SMTP_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
SQL_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNS_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
TELNET_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
AIM_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DC_SERVERS:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNP3_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
DNP3_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
MODBUS_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
MODBUS_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
ENIP_CLIENT:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
ENIP_SERVER:
|
|
description: List of hosts or networks.
|
|
helpLink: suricata.html
|
|
port-groups:
|
|
HTTP_PORTS:
|
|
description: List of ports to look for HTTP traffic on.
|
|
helpLink: suricata.html
|
|
SHELLCODE_PORTS:
|
|
description: List of ports to look for SHELLCODE traffic on.
|
|
helpLink: suricata.html
|
|
ORACLE_PORTS:
|
|
description: List of ports to look for ORACLE traffic on.
|
|
helpLink: suricata.html
|
|
SSH_PORTS:
|
|
description: List of ports to look for SSH traffic on.
|
|
helpLink: suricata.html
|
|
DNP3_PORTS:
|
|
description: List of ports to look for DNP3 traffic on.
|
|
helpLink: suricata.html
|
|
MODBUS_PORTS:
|
|
description: List of ports to look for MODBUS traffic on.
|
|
helpLink: suricata.html
|
|
FILE_DATA_PORTS:
|
|
description: List of ports to look for FILE_DATA traffic on.
|
|
helpLink: suricata.html
|
|
FTP_PORTS:
|
|
description: List of ports to look for FTP traffic on.
|
|
helpLink: suricata.html
|
|
VXLAN_PORTS:
|
|
description: List of ports to look for VXLAN traffic on.
|
|
helpLink: suricata.html
|
|
TEREDO_PORTS:
|
|
description: List of ports to look for TEREDO traffic on.
|
|
helpLink: suricata.html
|
|
outputs:
|
|
eve-log:
|
|
types:
|
|
alert:
|
|
xff:
|
|
enabled:
|
|
description: Enable X-Forward-For support.
|
|
helpLink: suricata.html
|
|
mode:
|
|
description: Operation mode. This should always be extra-data if you use PCAP.
|
|
helpLink: suricata.html
|
|
deployment:
|
|
description: forward would use the first IP address and reverse would use the last.
|
|
helpLink: suricata.html
|
|
header:
|
|
description: Header name where the actual IP address will be reported.
|
|
helpLink: suricata.html
|
|
pcap-log:
|
|
enabled:
|
|
description: This value is ignored by SO. pcapengine in globals takes precidence.
|
|
readonly: True
|
|
helpLink: suricata.html
|
|
advanced: True
|
|
asn1-max-frames:
|
|
description: Maximum nuber of asn1 frames to decode.
|
|
helpLink: suricata.html
|
|
max-pending-packets:
|
|
description: Number of packets preallocated per thread.
|
|
helpLink: suricata.html
|
|
default-packet-size:
|
|
description: Preallocated size for each packet.
|
|
helpLink: suricata.html
|
|
pcre:
|
|
match-limit:
|
|
description: Match limit for PCRE.
|
|
helpLink: suricata.html
|
|
match-limit-recursion:
|
|
description: Recursion limit for PCRE.
|
|
helpLink: suricata.html
|
|
defrag:
|
|
memcap:
|
|
description: Max memory to use for defrag. You should only change this if you know what you are doing.
|
|
helpLink: suricata.html
|
|
hash-size:
|
|
description: Hash size
|
|
helpLink: suricata.html
|
|
trackers:
|
|
description: Number of defragmented flows to follow.
|
|
helpLink: suricata.html
|
|
max-frags:
|
|
description: Max number of fragments to keep
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: Preallocate memory.
|
|
helpLink: suricata.html
|
|
timeout:
|
|
description: Timeout value.
|
|
helpLink: suricata.html
|
|
flow:
|
|
memcap:
|
|
description: Reserverd memory for flows.
|
|
helpLink: suricata.html
|
|
hash-size:
|
|
description: Determines the size of the hash used to identify flows inside the engine.
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: Number of preallocated flows.
|
|
helpLink: suricata.html
|
|
stream:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata.html
|
|
checksum-validation:
|
|
description: Validate checksum of packets.
|
|
helpLink: suricata.html
|
|
reassembly:
|
|
memcap:
|
|
description: Can be specified in kb,mb,gb.
|
|
helpLink: suricata.html
|
|
depth:
|
|
description: Controls how far into a stream that reassembly is done.
|
|
helpLink: suricata.html
|
|
host:
|
|
hash-size:
|
|
description: Hash size in bytes.
|
|
helpLink: suricata.html
|
|
prealloc:
|
|
description: How many streams to preallocate.
|
|
helpLink: suricata.html
|
|
memcap:
|
|
description: Memory settings for host.
|
|
helpLink: suricata.html
|
|
decoder:
|
|
teredo:
|
|
enabled:
|
|
description: Enable TEREDO capabilities
|
|
helpLink: suricata.html
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata.html
|
|
vxlan:
|
|
enabled:
|
|
description: Enable VXLAN capabilities.
|
|
helpLink: suricata.html
|
|
ports:
|
|
description: Ports to listen for. This should be a variable.
|
|
helpLink: suricata.html
|