From 549089a970e39d1ea09c10af5eaf8f696dd19d40 Mon Sep 17 00:00:00 2001 From: Maxime THIEBAUT <46688461+0xThiebaut@users.noreply.github.com> Date: Wed, 1 May 2024 22:16:03 +0200 Subject: suricata: T751: Initial support for suricata --- data/templates/ids/suricata.j2 | 1280 ++++++++++++++++++++++++++++++ data/templates/ids/suricata_logrotate.j2 | 17 + 2 files changed, 1297 insertions(+) create mode 100644 data/templates/ids/suricata.j2 create mode 100644 data/templates/ids/suricata_logrotate.j2 (limited to 'data/templates') diff --git a/data/templates/ids/suricata.j2 b/data/templates/ids/suricata.j2 new file mode 100644 index 000000000..1bd90b67f --- /dev/null +++ b/data/templates/ids/suricata.j2 @@ -0,0 +1,1280 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html +# +# This configuration file generated by: +# Suricata 6.0.10 + +## +## Step 1: Inform Suricata about your network +## + +vars: + # more specific is better for alert accuracy and performance + address-groups: +{% for (name, value) in suricata['address-group'] %} + {{ name }}: "[{{ value | join(',') }}]" +{% endfor %} + + port-groups: +{% for (name, value) in suricata['port-group'] %} + {{ name }}: "[{{ value | join(',') }}]" +{% endfor %} + +## +## Step 2: Select outputs to enable +## + +# The default logging directory. Any log or output file will be +# placed here if it's not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /var/log/suricata/ + +# Configure the type of alert (and other) logging you would like. +{% if suricata.log is vyos_defined %} +outputs: +{% if suricata.log.eve is vyos_defined %} + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: {{ suricata.log.eve.filetype }} #regular|syslog|unix_dgram|unix_stream|redis + filename: {{ suricata.log.eve.filename }} + + types: +{% if suricata.log.eve.type is not vyos_defined or "alert" in suricata.log.eve.type %} + - alert: + tagged-packets: yes +{% endif %} +{% if "http" in suricata.log.eve.type %} + - http: + enabled: yes + extended: yes +{% endif %} +{% if "tls" in suricata.log.eve.type %} + - tls: + enabled: yes + extended: yes # enable this for extended logging information +{% endif %} +{% for protocol in suricata.log.eve.type %} +{% if protocol not in ["alert","http","tls"] %} + - {{ protocol }}: + enabled: yes +{% endif %} +{% endfor %} +{% endif %} +{% endif %} + +## +## Step 3: Configure common capture settings +## +## See "Advanced Capture Options" below for more options, including Netmap +## and PF_RING. +## + +# Linux high speed capture support +af-packet: +{% for interface in suricata.interface %} + - interface: {{ interface }} + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_flow: all packets of a given flow are sent to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for + # more info. + # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning) + cluster-type: cluster_flow + # In some fragmentation cases, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes +{% endfor %} + +# Cross platform libpcap capture support +pcap: +{% for interface in suricata.interface %} + - interface: {{ interface }} +{% endfor %} + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# See "Advanced Capture Options" below for more options, including Netmap +# and PF_RING. + + +## +## Step 4: App Layer Protocol configuration +## + +# Configure the app-layer parsers. +# +# The error-policy setting applies to all app-layer parsers. Values can be +# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or +# "ignore" (the default). +# +# The protocol's section details each protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + # error-policy: ignore + protocols: + rfb: + enabled: yes + detection-ports: + dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 + # MQTT, disabled by default. + mqtt: + enabled: yes + # max-msg-length: 1mb + # subscribe-topic-match-limit: 100 + # unsubscribe-topic-match-limit: 100 + # Maximum number of live MQTT transactions per flow + # max-tx: 4096 + krb5: + enabled: yes + snmp: + enabled: yes + ikev2: + enabled: yes + tls: + enabled: yes + detection-ports: + dp: 443 + + # Generate JA3 fingerprint from client hello. If not specified it + # will be disabled by default, but enabled if rules require it. + #ja3-fingerprints: auto + + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + #encryption-handling: default + + dcerpc: + enabled: yes + ftp: + enabled: yes + # memcap: 64mb + rdp: + enabled: yes + ssh: + enabled: yes + #hassh: yes + # HTTP2: Experimental HTTP 2 support. Disabled by default. + http2: + enabled: no + # use http keywords on HTTP2 traffic + http1-rules: no + smtp: + enabled: yes + raw-extraction: no + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supersedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: 139, 445 + + # Stream reassembly size for SMB streams. By default track it completely. + #stream-depth: 0 + + nfs: + enabled: yes + tftp: + enabled: yes + dns: + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: Maximum memory capacity for HTTP + # Default is unlimited, values can be 64mb, e.g. + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # + # For advanced options, see the user guide + + + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personality: List of personalities used by this block + # + # Then, all the fields from default-config can be overloaded + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Decompress SWF files. + # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 100kb + decompress-depth: 100kb + + # Use a random value for inspection sizes around the specified value. + # This lowers the risk of some evasion techniques but could lead + # to detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If "randomize-inspection-sizes" is active, the value of various + # inspection size will be chosen from the [1 - range%, 1 + range%] + # range + # Default value of "randomize-inspection-range" is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + # Can enable LZMA decompression + #lzma-enabled: false + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1mb + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1mb + # Maximum time spent decompressing a single transaction in usec + #decompression-time-limit: 100000 + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the limited usage in the field. + # Only Modbus message length (greater than Modbus header length) + # and protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positives + modbus: + # How many unanswered Modbus requests are considered a flood. + # If the limit is reached, the app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: no + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: no + detection-ports: + dp: 44818 + sp: 44818 + + ntp: + enabled: yes + + dhcp: + enabled: yes + + sip: + enabled: yes + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + +# Datasets default settings +# datasets: +# # Default fallback memcap and hashsize values for datasets in case these +# # were not explicitly defined. +# defaults: +# memcap: 100mb +# hashsize: 2048 + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run Suricata with a specific user-id and group-id: +#run-as: +# user: suri +# group: suri + +# Some logging modules will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Umask. +# Suricata will use this umask if it is provided. By default it will use the +# umask passed on by the shell. +#umask: 022 + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If the Suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switched to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Default depends on selected capture +# method. 'workers' generally gives best performance. +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# hash - Flow assigned to threads using the 5-7 tuple hash. +# ippair - Flow assigned to threads using addresses only. +# +#autofp-scheduler: hash + +# Preallocated size for each packet. Default is 1514 which is the classical +# size for pcap on Ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket that can be used to pass commands to Suricata. +# An external tool can then connect to get information from Suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: yes + filename: /run/suricata/suricata.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +#magic-file: + +# GeoIP2 database file. Specify path and filename of GeoIP2 database +# if using rules with "geoip" rule option. +#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +#packet-alert-max: 15 + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +# The memcap-policy value can be "drop-flow", "pass-flow", "bypass", +# "drop-packet", "pass-packet", "reject" or "ignore" (which is the default). +defrag: + memcap: 32mb + # memcap-policy: ignore + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determines the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At startup, the engine can preallocate a number of flows, to get better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine needs to +# prune before clearing the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing new flows to be created, but +# pruning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doesn't find a flow to prune, it will set +# the emergency bit and it will try again with more aggressive timeouts. +# If that doesn't work, then it will try to kill the oldest flows using +# last time seen flows. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. +# The memcap-policy can be "drop-flow", "pass-flow", "bypass", "drop-packet", +# "pass-packet", "reject" or "ignore" (which is the default). + +flow: + memcap: 128mb + #memcap-policy: ignore + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of VLAN ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same VLAN +# tag, we can ignore the VLAN id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determines the seconds to wait after a handshake or +# stream startup before the engine frees the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if that time elapses +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packets with invalid csum values will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated traffic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# bypass: no # Bypass packets when stream.reassembly.depth is reached. +# # Warning: first side to reach this triggers +# # the bypass. +# +# reassembly: +# memcap: 256mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lowers the risk of some evasion techniques but could lead +# # to detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# segment-prealloc: 2048 # number of segments preallocated per thread +# +# check-overlap-different-data: true|false +# # check if a segment contains different data +# # than what we've already seen for that +# # position in the stream. +# # This is enabled automatically if inline mode +# # is used or when stream-event:reassembly_overlap_different_data; +# # is used in a rule. +# +stream: + memcap: 64mb + #memcap-policy: ignore + checksum-validation: yes # reject incorrect csums + #midstream: false + #midstream-policy: ignore + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + #memcap-policy: ignore + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true + +# Host table: +# +# Host table is used by the tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. +# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # as it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + # ports to look for Teredo. Max 4 ports. If no ports are given, or + # the value is set to 'any', Teredo detection runs on _all_ UDP packets. + ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. + + # VXLAN decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 4789 is enabled. + vxlan: + enabled: true + ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'. + + # VNTag decode support + vntag: + enabled: false + + # Geneve decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 6081 is enabled. + geneve: + enabled: true + ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'. + + # maximum number of decoder layers for a packet + # max-layers: 16 + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allows us to specify the profile to use for them, to manage memory in an +# efficient way keeping good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom, +# make sure to define the values in the "custom-values" section. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. When a value is not specified, there are no limits on the recursion. +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get its own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in memory, in which case one can +# use "full" with "ac". The rest of the mpms can be run in "full" mode. + +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # to specific CPUs. + # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitly 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + # + # By default, the per-thread stack size is left to its default setting. If + # the default thread stack size is too small, use the following configuration + # setting to change the size. Note that if any thread's stack size cannot be + # set to this value, a fatal error occurs. + # + # Generally, the per-thread stack-size should not exceed 8MB. + #stack-size: 8mb + +# Luajit has a strange memory requirement, its 'states' need to be in the +# first 2G of the process' memory. +# +# 'luajit.states' is used to control how many states are preallocated. +# State use: per detect script: 1 per detect thread. Per output script: 1 per +# script. +luajit: + states: 128 + +# Profiling settings. Only effective if Suricata has been built with +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every X-th packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + prefilter: + enabled: yes + filename: prefilter_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permits sending all needed packet to Suricata via this rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want a packet to be sent to another queue after an ACCEPT decision +# set the mode to 'route' and set next-queue value. +# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if Suricata is not able to keep pace. +# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is +# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask +# on packet of a flow that need to be bypassed. The Nefilter ruleset has to +# directly accept all packets of a flow once a packet has been marked. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# bypass-mark: 1 +# bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packets to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the kernel's queue + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +## +## Advanced Capture Options +## + +# General settings affecting packet capture +capture: + # disable NIC offloading. It's restored when Suricata exits. + # Enabled by default. + #disable-offloading: false + # + # disable checksum validation. Same as setting '-k none' on the + # commandline. + #checksum-validation: none + +# Netmap support +# +# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has +# built-in Netmap support or compile and install the Netmap module and appropriate +# NIC driver for your Linux system. +# To reach maximum throughput disable all receive-, segmentation-, +# checksum- offloading on your NIC (using ethtool or similar). +# Disabling TX checksum offloading is *required* for connecting OS endpoint +# with NIC endpoint. +# You can find more information at https://github.com/luigirizzo/netmap +# +netmap: + - interface: default + +# PF_RING configuration: for use with native PF_RING support +# for more info see http://www.ntop.org/products/pf_ring/ +pfring: + - interface: default + #threads: 2 + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# N.B. This example uses "8000" -- this number must mach the values +# you passed on the command line, i.e., -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + +napatech: + # When use_all_streams is set to "yes" the initialization code will query + # the Napatech service for all configured streams and listen on all of them. + # When set to "no" the streams config array will be used. + # + # This option necessitates running the appropriate NTPL commands to create + # the desired streams prior to running Suricata. + #use-all-streams: no + + # The streams to listen on when auto-config is disabled or when and threading + # cpu-affinity is disabled. This can be either: + # an individual stream (e.g. streams: [0]) + # or + # a range of streams (e.g. streams: ["0-3"]) + # + streams: ["0-3"] + + # Stream stats can be enabled to provide fine grain packet and byte counters + # for each thread/stream that is configured. + # + enable-stream-stats: no + + # When auto-config is enabled the streams will be created and assigned + # automatically to the NUMA node where the thread resides. If cpu-affinity + # is enabled in the threading section. Then the streams will be created + # according to the number of worker threads specified in the worker-cpu-set. + # Otherwise, the streams array is used to define the streams. + # + # This option is intended primarily to support legacy configurations. + # + # This option cannot be used simultaneously with either "use-all-streams" + # or "hardware-bypass". + # + auto-config: yes + + # Enable hardware level flow bypass. + # + hardware-bypass: yes + + # Enable inline operation. When enabled traffic arriving on a given port is + # automatically forwarded out its peer port after analysis by Suricata. + # + inline: no + + # Ports indicates which Napatech ports are to be used in auto-config mode. + # these are the port IDs of the ports that will be merged prior to the + # traffic being distributed to the streams. + # + # When hardware-bypass is enabled the ports must be configured as a segment. + # specify the port(s) on which upstream and downstream traffic will arrive. + # This information is necessary for the hardware to properly process flows. + # + # When using a tap configuration one of the ports will receive inbound traffic + # for the network and the other will receive outbound traffic. The two ports on a + # given segment must reside on the same network adapter. + # + # When using a SPAN-port configuration the upstream and downstream traffic + # arrives on a single port. This is configured by setting the two sides of the + # segment to reference the same port. (e.g. 0-0 to configure a SPAN port on + # port 0). + # + # port segments are specified in the form: + # ports: [0-1,2-3,4-5,6-6,7-7] + # + # For legacy systems when hardware-bypass is disabled this can be specified in any + # of the following ways: + # + # a list of individual ports (e.g. ports: [0,1,2,3]) + # + # a range of ports (e.g. ports: [0-3]) + # + # "all" to indicate that all ports are to be merged together + # (e.g. ports: [all]) + # + # This parameter has no effect if auto-config is disabled. + # + ports: [0-1,2-3] + + # When auto-config is enabled the hashmode specifies the algorithm for + # determining to which stream a given packet is to be delivered. + # This can be any valid Napatech NTPL hashmode command. + # + # The most common hashmode commands are: hash2tuple, hash2tuplesorted, + # hash5tuple, hash5tuplesorted and roundrobin. + # + # See Napatech NTPL documentation other hashmodes and details on their use. + # + # This parameter has no effect if auto-config is disabled. + # + hashmode: hash5tuplesorted + +## +## Configure Suricata to load Suricata-Update managed rules. +## + +# As VyOS leverages suricata-update, the default rule path points to the +# generated rules instead of the built-in rules. +# +# default-rule-path: /etc/suricata/rules +default-rule-path: /var/lib/suricata/rules + +rule-files: + - suricata.rules + +## +## Auxiliary configuration files. +## + +# As VyOS leverages suricata-update, the classification file points to the +# generated classification instead of the built-in one. +# +# classification-file: /etc/suricata/classification.config +classification-file: /var/lib/suricata/rules/classification.config +reference-config-file: /etc/suricata/reference.config +# threshold-file: /etc/suricata/threshold.config + +## +## Include other configs +## + +# Includes: Files included here will be handled as if they were in-lined +# in this configuration file. Files with relative pathnames will be +# searched for in the same directory as this configuration file. You may +# use absolute pathnames too. +# You can specify more than 2 configuration files, if needed. +#include: include1.yaml +#include: include2.yaml diff --git a/data/templates/ids/suricata_logrotate.j2 b/data/templates/ids/suricata_logrotate.j2 new file mode 100644 index 000000000..62773fc68 --- /dev/null +++ b/data/templates/ids/suricata_logrotate.j2 @@ -0,0 +1,17 @@ +{% for filename in [(log.eve.filename | default("eve.json"))] %} +{{ filename if filename.startswith("/") else ("/var/log/suricata/" + filename) }} +{% endfor %}{ + weekly + dateext + dateformat _%Y-%m-%d_%H-%M-%S + maxsize 10M + rotate 10 + missingok + nocompress + nocreate + nomail + sharedscripts + postrotate + /bin/kill -HUP `cat /run/suricata/suricata.pid 2>/dev/null` 2>/dev/null || true + endscript +} -- cgit v1.2.3 From 01464a6069fa7cf02d5545c02ed03fa69679c32c Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 23 May 2024 21:54:41 +0200 Subject: suricata: T751: use key_mangling in get_config_dict() --- data/templates/ids/suricata.j2 | 4 ++-- src/conf_mode/service_suricata.py | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) (limited to 'data/templates') diff --git a/data/templates/ids/suricata.j2 b/data/templates/ids/suricata.j2 index 1bd90b67f..585db93eb 100644 --- a/data/templates/ids/suricata.j2 +++ b/data/templates/ids/suricata.j2 @@ -15,12 +15,12 @@ vars: # more specific is better for alert accuracy and performance address-groups: -{% for (name, value) in suricata['address-group'] %} +{% for (name, value) in suricata['address_group'] %} {{ name }}: "[{{ value | join(',') }}]" {% endfor %} port-groups: -{% for (name, value) in suricata['port-group'] %} +{% for (name, value) in suricata['port_group'] %} {{ name }}: "[{{ value | join(',') }}]" {% endfor %} diff --git a/src/conf_mode/service_suricata.py b/src/conf_mode/service_suricata.py index 06d68a637..69b369e0b 100755 --- a/src/conf_mode/service_suricata.py +++ b/src/conf_mode/service_suricata.py @@ -39,7 +39,7 @@ def get_config(config=None): if not conf.exists(base): return None - suricata = conf.get_config_dict(base, + suricata = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, with_recursive_defaults=True) return suricata @@ -81,19 +81,19 @@ def verify(suricata): if 'interface' not in suricata: raise ConfigError('No interfaces configured!') - if 'address-group' not in suricata: + if 'address_group' not in suricata: raise ConfigError('No address-group configured!') - if 'port-group' not in suricata: + if 'port_group' not in suricata: raise ConfigError('No port-group configured!') try: - topological_sort(suricata['address-group']) + topological_sort(suricata['address_group']) except (ConfigError,StopIteration) as e: raise ConfigError(f'Invalid address-group: {e}') try: - topological_sort(suricata['port-group']) + topological_sort(suricata['port_group']) except (ConfigError,StopIteration) as e: raise ConfigError(f'Invalid port-group: {e}') @@ -126,12 +126,12 @@ def generate(suricata): return format_group # Format the address group - suricata['address-group'] = map(to_config('address'), - topological_sort(suricata['address-group'])) + suricata['address_group'] = map(to_config('address'), + topological_sort(suricata['address_group'])) # Format the port group - suricata['port-group'] = map(to_config('port'), - topological_sort(suricata['port-group'])) + suricata['port_group'] = map(to_config('port'), + topological_sort(suricata['port_group'])) render(config_file, 'ids/suricata.j2', {'suricata': suricata}) render(rotate_file, 'ids/suricata_logrotate.j2', suricata) -- cgit v1.2.3