diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check
index b8c68ffa11..3bf2bc778d 100755
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -122,6 +122,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating" # Elasticsearch MS -> HN "sensor" temporarily unavailable
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error" # Docker registry container when new node comes onlines
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
+EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in
 fi
 
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 2274018b16..c70b0419a3 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
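Review bot: The new exclusion `process already finished` is a bare substring appended to `EXCLUDED_ERRORS`, so it suppresses that phrase from any log the check scans, not only Telegraf's, and a real failure elsewhere that happens to contain it would drop out of the startup-error report. If the way `EXCLUDED_ERRORS` is applied (not visible here) allows it, narrow the pattern to the exact Telegraf message or its log source; otherwise extend the trailing comment to `# Telegraf script finished just as the auto kill timeout kicked in (matches any container log; revisit if telegraf is changed)` so the breadth of the exclusion is recorded. The enclosing `if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]` block opens before the hunk.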
@@ -227,6 +227,113 @@ elasticsearch: sort: field: '@timestamp' order: desc + so-logs-soc: + close: 30 + delete: 365 + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - container-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings + data_stream: {} + index_patterns: + - logs-soc-so* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-soc-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + 
set_priority: + priority: 50 + min_age: 30d + warm: 7 so-common: close: 30 delete: 365 diff --git a/salt/elasticsearch/files/ingest-dynamic/common b/salt/elasticsearch/files/ingest-dynamic/common index 94f5ffef75..836b8d4af0 100644 --- a/salt/elasticsearch/files/ingest-dynamic/common +++ b/salt/elasticsearch/files/ingest-dynamic/common 
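Review bot: The new `so-logs-soc` entry sets `warm: 7` at the top level, but the ILM policy's warm phase uses `min_age: 30d`, identical to the cold phase's `min_age: 30d`, so the index would reach warm and cold at the same age and the value 7 is reflected nowhere in the policy. If `warm:` is meant to drive the warm transition the way `delete: 365` mirrors the delete phase's `365d`, change the warm phase to `min_age: 7d`; if the key is consumed elsewhere or unused, a comment saying so would stop the next reader from chasing the mismatch. How the top-level `close`/`warm`/`delete` values are consumed is not visible in this hunk. It would also be worth a one-line comment next to `number_of_replicas: 0` noting that SOC application logs are kept as a single copy, since operators who rely on them for post-incident review may want to override that.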
@@ -57,11 +57,11 @@ { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, - { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }}, + { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" } }, { "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, - { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, - { "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]}}, + { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, + { "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } {%- endraw %} {%- if HIGHLANDER %} diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8b78f2e917..8bb180567c 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -92,6 +92,7 @@ soc: - http_request.headers.x-real-ip - identity_id - http_request.headers.user-agent + - event.dataset '::conn': - soc_timestamp - source.ip 
@@ -102,6 +103,7 @@ soc: - network.protocol - log.id.uid - network.community_id + - event.dataset '::dce_rpc': - soc_timestamp - source.ip @@ -112,6 +114,7 @@ soc: - dce_rpc.named_pipe - dce_rpc.operation - log.id.uid + - event.dataset '::dhcp': - soc_timestamp - client.address @@ -120,6 +123,7 @@ soc: - host.hostname - dhcp.message_types - log.id.uid + - event.dataset '::dnp3': - soc_timestamp - source.ip @@ -128,6 +132,7 @@ soc: - destination.port - dnp3.fc_reply - log.id.uid + - event.dataset '::dnp3_control': - soc_timestamp - source.ip @@ -137,6 +142,7 @@ soc: - dnp3.function_code - dnp3.block_type - log.id.uid + - event.dataset '::dnp3_objects': - soc_timestamp - source.ip @@ -146,6 +152,7 @@ soc: - dnp3.function_code - dnp3.object_type - log.id.uid + - event.dataset '::dns': - soc_timestamp - source.ip @@ -158,6 +165,7 @@ soc: - dns.response.code_name - log.id.uid - network.community_id + - event.dataset '::dpd': - soc_timestamp - source.ip @@ -168,6 +176,7 @@ soc: - observer.analyser - error.reason - log.id.uid + - event.dataset '::file': - soc_timestamp - source.ip @@ -178,6 +187,7 @@ soc: - file.bytes.total - log.id.fuid - log.id.uid + - event.dataset '::ftp': - soc_timestamp - source.ip @@ -190,6 +200,7 @@ soc: - ftp.reply_code - file.size - log.id.uid + - event.dataset '::http': - soc_timestamp - source.ip @@ -204,6 +215,7 @@ soc: - http.response.body.length - log.id.uid - network.community_id + - event.dataset '::intel': - soc_timestamp - source.ip @@ -214,6 +226,7 @@ soc: - intel.indicator_type - intel.seen_where - log.id.uid + - event.dataset '::irc': - soc_timestamp - source.ip @@ -226,6 +239,7 @@ soc: - irc.command.value - irc.command.info - log.id.uid + - event.dataset '::kerberos': - soc_timestamp - source.ip @@ -236,6 +250,7 @@ soc: - kerberos.service - kerberos.request_type - log.id.uid + - event.dataset '::modbus': - soc_timestamp - source.ip 
@@ -244,6 +259,7 @@ soc: - destination.port - modbus.function - log.id.uid + - event.dataset '::mysql': - soc_timestamp - source.ip @@ -255,6 +271,7 @@ soc: - mysql.success - mysql.response - log.id.uid + - event.dataset '::notice': - soc_timestamp - source.ip @@ -266,6 +283,7 @@ soc: - log.id.fuid - log.id.uid - network.community_id + - event.dataset '::ntlm': - soc_timestamp - source.ip @@ -278,6 +296,7 @@ soc: - ntlm.server.nb.name - ntlm.server.tree.name - log.id.uid + - event.dataset '::pe': - soc_timestamp - file.is_64bit @@ -286,6 +305,7 @@ soc: - file.os - file.subsystem - log.id.fuid + - event.dataset '::radius': - soc_timestamp - source.ip @@ -297,6 +317,7 @@ soc: - radius.framed_address - radius.reply_message - radius.result + - event.dataset '::rdp': - soc_timestamp - source.ip @@ -312,6 +333,7 @@ soc: - rdp.result - rdp.security_protocol - log.id.uid + - event.dataset '::rfb': - soc_timestamp - source.ip @@ -323,6 +345,7 @@ soc: - rfb.share_flag - rfb.desktop.name - log.id.uid + - event.dataset '::signatures': - soc_timestamp - source.ip @@ -336,6 +359,7 @@ soc: - signature_count - host.count - log.id.uid + - event.dataset '::sip': - soc_timestamp - source.ip @@ -353,6 +377,7 @@ soc: - sip.user_agent - sip.status_code - log.id.uid + - event.dataset '::smb_files': - soc_timestamp - source.ip @@ -366,6 +391,7 @@ soc: - file.size - file.prev_name - log.id.uid + - event.dataset '::smb_mapping': - soc_timestamp - source.ip @@ -376,6 +402,7 @@ soc: - smb.service - smb.share_type - log.id.uid + - event.dataset '::smtp': - soc_timestamp - source.ip @@ -388,6 +415,7 @@ soc: - smtp.useragent - log.id.uid - network.community_id + - event.dataset '::snmp': - soc_timestamp - source.ip @@ -397,6 +425,7 @@ soc: - snmp.community - snmp.version - log.id.uid + - event.dataset '::socks': - soc_timestamp - source.ip 
@@ -408,11 +437,13 @@ soc: - socks.request.port - socks.status - log.id.uid + - event.dataset '::software': - soc_timestamp - source.ip - software.name - software.type + - event.dataset '::ssh': - soc_timestamp - source.ip @@ -425,6 +456,7 @@ soc: - ssh.client - ssh.server - log.id.uid + - event.dataset '::ssl': - soc_timestamp - source.ip @@ -436,6 +468,7 @@ soc: - ssl.validation_status - ssl.version - log.id.uid + - event.dataset ':zeek:syslog': - soc_timestamp - source.ip @@ -446,6 +479,7 @@ soc: - network.protocol - syslog.severity - log.id.uid + - event.dataset '::tunnels': - soc_timestamp - source.ip @@ -455,6 +489,7 @@ soc: - tunnel_type - action - log.id.uid + - event.dataset '::weird': - soc_timestamp - source.ip @@ -463,6 +498,7 @@ soc: - destination.port - weird.name - log.id.uid + - event.dataset '::x509': - soc_timestamp - x509.certificate.subject @@ -470,6 +506,7 @@ soc: - x509.certificate.key.length - x509.certificate.issuer - log.id.fuid + - event.dataset '::firewall': - soc_timestamp - source.ip @@ -481,6 +518,7 @@ soc: - observer.ingress.interface.name - event.action - network.community_id + - event.dataset ':pfsense:': - soc_timestamp - source.ip @@ -492,6 +530,7 @@ soc: - observer.ingress.interface.name - event.action - network.community_id + - event.dataset ':osquery:': - soc_timestamp - source.ip @@ -499,9 +538,9 @@ soc: - destination.ip - destination.port - source.hostname - - event.dataset - process.executable - user.name + - event.dataset ':strelka:file': - soc_timestamp - file.name @@ -510,6 +549,7 @@ soc: - file.source - file.mime_type - log.id.fuid + - event.dataset ':suricata:': - soc_timestamp - source.ip @@ -521,9 +561,11 @@ soc: - event.severity_label - log.id.uid - network.community_id + - event.dataset ':windows_eventlog:': - soc_timestamp - user.name + - event.dataset ':elasticsearch:': - soc_timestamp - agent.name 
@@ -545,6 +587,7 @@ soc: - real_message - syslog.priority - syslog.application + - event.dataset ':aws:': - soc_timestamp - aws.cloudtrail.event_category @@ -556,6 +599,7 @@ soc: - user.name - source.ip - source.geo.region_iso_code + - event.dataset ':squid:': - soc_timestamp - url.original @@ -563,6 +607,7 @@ soc: - destination.geo.country_iso_code - user.name - source.ip + - event.dataset '::sysmon_operational': - soc_timestamp - event.action @@ -570,6 +615,7 @@ soc: - user.name - process.executable - process.pid + - event.dataset '::network_connection': - soc_timestamp - source.ip @@ -577,44 +623,50 @@ soc: - destination.ip - destination.port - source.hostname - - event.dataset - process.executable - user.name + - event.dataset '::process_terminated': - soc_timestamp - process.executable - process.pid - winlog.computer_name + - event.dataset '::file_create': - soc_timestamp - file.target - process.executable - process.pid - winlog.computer_name + - event.dataset '::registry_value_set': - soc_timestamp - winlog.event_data.TargetObject - process.executable - process.pid - winlog.computer_name + - event.dataset '::process_creation': - soc_timestamp - process.command_line - process.pid - process.parent.executable - process.working_directory + - event.dataset '::registry_create_delete': - soc_timestamp - winlog.event_data.TargetObject - process.executable - process.pid - winlog.computer_name + - event.dataset '::dns_query': - soc_timestamp - dns.query.name - dns.answers.name - process.executable - winlog.computer_name + - event.dataset '::file_create_stream_hash': - soc_timestamp - file.target @@ -623,6 +675,7 @@ soc: - process.executable - process.pid - winlog.computer_name + - event.dataset '::bacnet': - soc_timestamp - source.ip @@ -632,6 +685,7 @@ soc: - bacnet.bclv.function - bacnet.result.code - log.id.uid + - event.dataset '::bacnet_discovery': - soc_timestamp - source.ip 
@@ -641,6 +695,7 @@ soc: - bacnet.vendor - bacnet.pdu.service - log.id.uid + - event.dataset '::bacnet_property': - soc_timestamp - source.ip @@ -650,6 +705,7 @@ soc: - bacnet.property - bacnet.pdu.service - log.id.uid + - event.dataset '::bsap_ip_header': - soc_timestamp - source.ip @@ -659,12 +715,14 @@ soc: - bsap.message.type - bsap.number.messages - log.id.uid + - event.dataset '::bsap_ip_rdb': - soc_timestamp - bsap.application.function - bsap.application.sub.function - bsap.vector.variables - log.id.uid + - event.dataset '::bsap_serial_header': - soc_timestamp - source.ip @@ -675,11 +733,13 @@ soc: - bsap.destination.function - bsap.message.type - log.id.uid + - event.dataset '::bsap_serial_rdb': - soc_timestamp - bsap.rdb.function - bsap.vector.variables - log.id.uid + - event.dataset '::cip': - soc_timestamp - source.ip @@ -699,6 +759,7 @@ soc: - cip.device.type.name - cip.vendor.name - log.id.uid + - event.dataset '::cip_io': - soc_timestamp - source.ip @@ -708,6 +769,7 @@ soc: - cip.connection.id - cip.io.data - log.id.uid + - event.dataset '::cotp': - soc_timestamp - source.ip @@ -716,6 +778,7 @@ soc: - destination.port - cotp.pdu.name - log.id.uid + - event.dataset '::ecat_arp_info': - soc_timestamp - source.ip @@ -723,6 +786,7 @@ soc: - source.mac - destination.mac - ecat.arp.type + - event.dataset '::ecat_aoe_info': - soc_timestamp - source.mac @@ -730,6 +794,7 @@ soc: - destination.mac - destination.port - ecat.command + - event.dataset '::ecat_coe_info': - soc_timestamp - ecat.message.number @@ -737,6 +802,7 @@ soc: - ecat.request.response.type - ecat.index - ecat.sub.index + - event.dataset '::ecat_dev_info': - soc_timestamp - ecat.device.type 
@@ -744,17 +810,20 @@ soc: - ecat.ram.size - ecat.revision - ecat.slave.address + - event.dataset '::ecat_log_address': - soc_timestamp - source.mac - destination.mac - ecat.command + - event.dataset '::ecat_registers': - soc_timestamp - source.mac - destination.mac - ecat.command - ecat.register.type + - event.dataset '::enip': - soc_timestamp - source.ip @@ -773,6 +842,7 @@ soc: - destination.port - modbus.function - log.id.uid + - event.dataset '::opcua_binary': - soc_timestamp - source.ip @@ -782,6 +852,7 @@ soc: - opcua.identifier_string - opcua.message_type - log.id.uid + - event.dataset '::opcua_binary_activate_session': - soc_timestamp - source.ip @@ -792,6 +863,7 @@ soc: - opcua.identifier_string - opcua.user_name - log.id.uid + - event.dataset '::opcua_binary_activate_session_diagnostic_info': - soc_timestamp - source.ip @@ -801,6 +873,7 @@ soc: - opcua.activate_session_diag_info_link_id - opcua.diag_info_link_id - log.id.uid + - event.dataset '::opcua_binary_activate_session_locale_id': - soc_timestamp - source.ip @@ -810,6 +883,7 @@ soc: - opcua.local_id - opcua.locale_link_id - log.id.uid + - event.dataset '::opcua_binary_browse': - soc_timestamp - source.ip @@ -819,6 +893,7 @@ soc: - opcua.link_id - opcua.service_type - log.id.uid + - event.dataset '::opcua_binary_browse_description': - soc_timestamp - source.ip @@ -826,6 +901,7 @@ soc: - destination.ip - destination.port - log.id.uid + - event.dataset '::opcua_binary_browse_response_references': - soc_timestamp - source.ip @@ -835,6 +911,7 @@ soc: - opcua.node_class - opcua.display_name_text - log.id.uid + - event.dataset '::opcua_binary_browse_result': - soc_timestamp - source.ip @@ -843,6 +920,7 @@ soc: - destination.port - opcua.response_link_id - log.id.uid + - event.dataset '::opcua_binary_create_session': - soc_timestamp - source.ip @@ -851,6 +929,7 @@ soc: - destination.port - opcua.link_id - log.id.uid + - event.dataset '::opcua_binary_create_session_endpoints': - soc_timestamp - source.ip 
@@ -860,6 +939,7 @@ soc: - opcua.endpoint_link_id - opcua.endpoint_url - log.id.uid + - event.dataset '::opcua_binary_create_session_user_token': - soc_timestamp - source.ip @@ -868,6 +948,7 @@ soc: - destination.port - opcua.user_token_link_id - log.id.uid + - event.dataset '::opcua_binary_create_subscription': - soc_timestamp - source.ip @@ -876,6 +957,7 @@ soc: - destination.port - opcua.link_id - log.id.uid + - event.dataset '::opcua_binary_get_endpoints': - soc_timestamp - source.ip @@ -885,6 +967,7 @@ soc: - opcua.endpoint_url - opcua.link_id - log.id.uid + - event.dataset '::opcua_binary_get_endpoints_description': - soc_timestamp - source.ip @@ -894,6 +977,7 @@ soc: - opcua.endpoint_description_link_id - opcua.endpoint_uri - log.id.uid + - event.dataset '::opcua_binary_get_endpoints_user_token': - soc_timestamp - source.ip @@ -903,6 +987,7 @@ soc: - opcua.user_token_link_id - opcua.user_token_type - log.id.uid + - event.dataset '::opcua_binary_read': - soc_timestamp - source.ip @@ -912,6 +997,7 @@ soc: - opcua.link_id - opcua.read_results_link_id - log.id.uid + - event.dataset '::opcua_binary_status_code_detail': - soc_timestamp - source.ip @@ -921,6 +1007,7 @@ soc: - opcua.info_type_string - opcua.source_string - log.id.uid + - event.dataset '::profinet': - soc_timestamp - source.ip @@ -930,6 +1017,7 @@ soc: - profinet.index - profinet.operation_type - log.id.uid + - event.dataset '::profinet_dce_rpc': - soc_timestamp - source.ip @@ -938,6 +1026,7 @@ soc: - destination.port - profinet.operation - log.id.uid + - event.dataset '::s7comm': - soc_timestamp - source.ip @@ -947,6 +1036,7 @@ soc: - s7.ros.control.name - s7.function.name - log.id.uid + - event.dataset '::s7comm_plus': - soc_timestamp - source.ip @@ -956,6 +1046,7 @@ soc: - s7.opcode.name - s7.version - log.id.uid + - event.dataset '::s7comm_read_szl': - soc_timestamp - source.ip 
@@ -965,6 +1056,7 @@ soc: - s7.szl_id_name - s7.return_code_name - log.id.uid + - event.dataset '::s7comm_upload_download': - soc_timestamp - source.ip @@ -974,6 +1066,7 @@ soc: - s7.ros.control.name - s7.function_code - log.id.uid + - event.dataset '::tds': - soc_timestamp - source.ip @@ -1064,6 +1157,15 @@ soc: - event.action - event.outcome - event.dataset + ':system:': + - soc_timestamp + - process.name + - process.pid + - user.effective.name + - user.name + - system.auth.sudo.command + - event.dataset + - message server: bindAddress: 0.0.0.0:9822 baseUrl: / @@ -1084,6 +1186,10 @@ soc: denyRegex: '' elastAlertRulesFolder: /opt/sensoroni/elastalert rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint + rulesRepos: + - repo: https://github.com/Security-Onion-Solutions/securityonion-resources + license: DRL + folder: sigma/stable sigmaRulePackages: - core - emerging_threats_addon @@ -1157,7 +1263,7 @@ soc: tipTimeoutMs: 6000 cacheExpirationMs: 300000 casesEnabled: true - detectionsEnabled: false + detectionsEnabled: true inactiveTools: ['toolUnused'] tools: - name: toolKibana @@ -1881,8 +1987,9 @@ soc: default: - so_detection.title - so_detection.isEnabled - - so_detection.language - so_detection.severity + - so_detection.language + - so_detection.ruleset queries: - name: "All Detections" query: "_id:*" diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 0252d3a813..914c045b10 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -33,6 +33,12 @@ suricata: threads: 1 tpacket-v3: "yes" ring-size: 5000 + block-size: 32768 + block-timeout: 10 + use-emergency-flush: "yes" + buffer-size: 32768 + disable-promisc: "no" + checksum-checks: kernel vars: address-groups: HOME_NET: diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 7f7b04aeff..2a3adf5f18 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja 
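Review bot: `rulesRepos` points the detection engine at a mutable remote (`repo: https://github.com/Security-Onion-Solutions/securityonion-resources`, `folder: sigma/stable`) with no branch, tag or commit recorded, and the same change flips `detectionsEnabled` from `false` to `true`, so every default install will now fetch and apply whatever rule content that repository currently serves. If the repository sync supports pinning a ref, record one in this entry; if it does not, a comment above `rulesRepos` stating that rules are pulled from the repository's default branch and how fetched content is verified would let operators reason about the provenance of their detections. Whether `license: DRL` is validated against the fetched content, and how the fetch is performed, is not visible in this hunk.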
@@ -32,11 +32,21 @@
 - interface: {{ GLOBALS.sensor.interface }}
 cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
 cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
-defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}
-use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }}
+defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
+use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
 threads: {{ SURICATAMERGED.config['af-packet'].threads }}
-tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}
+tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
 ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
+block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
+block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
+use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
+buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
+disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
+{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
+checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
+{% else %}
+checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
+{% endif %}
 {% endload %}
 {% do SURICATAMERGED.config.pop('af-packet') %}
 {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 13a709c4a1..c9ba80f013 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
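Review bot: The `{% if ... in ['yes', 'no'] %}` / `{% else %}` branch around `checksum-checks` is more machinery than the value needs: quoting the rendered value unconditionally, as the hunk already does for `use-emergency-flush` and `disable-promisc`, still protects `yes`/`no` from being read as YAML booleans and emits `kernel`/`auto` as ordinary strings, so the six lines could become `checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"`. If the conditional is kept, a short comment above it saying that the quoting exists only to keep YAML from coercing yes/no into booleans would make the intent clear, since the `defrag`/`use-mmap`/`tpacket-v3` quoting changes in the same hunk have the same motive and carry no comment. The load block this list belongs to opens before the hunk; only its `{% endload %}` is visible.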
@@ -94,6 +94,36 @@ suricata: description: Buffer size for packets per thread. forcedType: int helpLink: suricata.html + block-size: + description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size. + advanced: True + forcedType: int + helpLink: suricata.html + block-timeout: + description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace. + advanced: True + forcedType: int + helpLink: suricata.html + use-emergency-flush: + description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + advanced: True + regex: ^(yes|no)$ + helpLink: suricata.html + buffer-size: + description: Increasing the value of the receive buffer may improve performance. + advanced: True + forcedType: int + helpLink: suricata.html + disable-promisc: + description: Promiscuous mode can be disabled by setting this to "yes". + advanced: True + regex: ^(yes|no)$ + helpLink: suricata.html + checksum-checks: + description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." + advanced: True + regex: ^(kernel|yes|no|auto)$ + helpLink: suricata.html threading: set-cpu-affinity: description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. 
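Review bot: The `disable-promisc` description tells the operator how to turn promiscuous mode off but not what that costs on a sensor: without promiscuous mode the interface delivers only frames addressed to it, so Suricata stops seeing the mirrored or tapped traffic it exists to inspect, which silently reduces detection coverage. Suggest `description: Promiscuous mode can be disabled by setting this to "yes". On a monitoring interface this prevents Suricata from seeing traffic not addressed to the sensor and is not recommended.` The `block-size` description asks for a power of 2 that is a multiple of the page size, but only `forcedType: int` is enforced and a regex cannot express that constraint, so it would help to state that the shipped default of 32768 satisfies it and that other values are the operator's responsibility to check.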
diff --git a/setup/so-whiptail b/setup/so-whiptail index ff8c9fe8d5..904654c9b0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -288,9 +288,9 @@ whiptail_dhcp_or_static() { [ -n "$TESTING" ] && return address_type=$(whiptail --title "$whiptail_title" --menu \ - "Choose how to set up your management interface:" 20 78 4 \ - "STATIC" "Set a static IPv4 address" \ - "DHCP" "Use DHCP to configure the Management Interface" 3>&1 1>&2 2>&3 ) + "Choose how to set up your management interface. We recommend using a static IP address." 20 78 4 \ + "STATIC" "Set a static IPv4 address (recommended)" \ + "DHCP" "Use DHCP to configure the management interface" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus