Merge pull request #12651 from Security-Onion-Solutions/issue/12637

Allow for additional af-packet tuning options for Suricata
Security-Onion-Solutions · Mar 25, 2024 · 7898277 · 7898277
2 parents b8d33ab + 029d8a0
commit 7898277
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 3 deletions.
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
@@ -33,6 +33,12 @@ suricata:
       threads: 1
       tpacket-v3: "yes"
       ring-size: 5000
+      block-size: 32768
+      block-timeout: 10
+      use-emergency-flush: "yes"
+      buffer-size: 32768
+      disable-promisc: "no"
+      checksum-checks: kernel
     vars:
       address-groups:
         HOME_NET:

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
@@ -32,11 +32,21 @@
 - interface: {{ GLOBALS.sensor.interface }}
   cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
   cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
-  defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
-  use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
+  defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
+  use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
   threads: {{ SURICATAMERGED.config['af-packet'].threads }}
-  tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
+  tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
   ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
+  block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
+  block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
+  use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
+  buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
+  disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
+{%   if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
+  checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
+{%   else %}
+  checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
+{%   endif %}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}

diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
@@ -94,6 +94,36 @@ suricata:
         description: Buffer size for packets per thread.
         forcedType: int
         helpLink: suricata.html
+      block-size:
+        description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
+        advanced: True
+        forcedType: int
+        helpLink: suricata.html
+      block-timeout:
+        description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
+        advanced: True
+        forcedType: int
+        helpLink: suricata.html
+      use-emergency-flush:
+        description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
+        advanced: True
+        regex: ^(yes|no)$
+        helpLink: suricata.html
+      buffer-size:
+        description: Increasing the value of the receive buffer may improve performance.
+        advanced: True
+        forcedType: int
+        helpLink: suricata.html
+      disable-promisc:
+        description: Promiscuous mode can be disabled by setting this to "yes".
+        advanced: True
+        regex: ^(yes|no)$
+        helpLink: suricata.html
+      checksum-checks:
+        description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
+        advanced: True
+        regex: ^(kernel|yes|no|auto)$
+        helpLink: suricata.html
     threading:
       set-cpu-affinity:
         description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.