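<?xml version="1.0"?>
<!--
  VyOS interface definition for "service suricata" (Network IDS/IPS).
  The node is owned by ${vyos_conf_scripts_dir}/service_suricata.py, which
  consumes the address-group, port-group and log/eve settings declared below.
-->
<interfaceDefinition>
  <node name="service">
    <children>
      <node name="suricata" owner="${vyos_conf_scripts_dir}/service_suricata.py">
        <properties>
          <help>Network IDS, IPS and Security Monitoring</help>
          <priority>740</priority>
        </properties>
        <children>
          #include <include/generic-interface-multi.xml.i>
          <!--
            Address groups: named sets of addresses/prefixes. A leading "!"
            on a value negates it; each "!" form is paired with the
            matching "-exclude" validator below.
          -->
          <tagNode name="address-group">
            <properties>
              <help>Address group name</help>
              <constraint>
                <regex>[a-z0-9-]+</regex>
              </constraint>
            </properties>
            <children>
              <leafNode name="address">
                <properties>
                  <help>IP address or subnet</help>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>IPv4 address to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6</format>
                    <description>IPv6 address to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 prefix to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 prefix to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!ipv4</format>
                    <description>Exclude the specified IPv4 address from matches</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!ipv6</format>
                    <description>Exclude the specified IPv6 address from matches</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!ipv4net</format>
                    <!-- fixed: this entry previously described an IPv6 prefix -->
                    <description>Exclude the specified IPv4 prefix from matches</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!ipv6net</format>
                    <description>Exclude the specified IPv6 prefix from matches</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv4-address"/>
                    <validator name="ipv6-address"/>
                    <validator name="ipv4-prefix"/>
                    <validator name="ipv6-prefix"/>
                    <validator name="ipv4-address-exclude"/>
                    <validator name="ipv6-address-exclude"/>
                    <validator name="ipv4-prefix-exclude"/>
                    <validator name="ipv6-prefix-exclude"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="group">
                <properties>
                  <help>Address group</help>
                  <completionHelp>
                    <!--
                      Completion path must match where this tagNode lives;
                      it is "service suricata", not "service ids suricata".
                    -->
                    <path>service suricata address-group</path>
                  </completionHelp>
                  <valueHelp>
                    <format>txt</format>
                    <description>Address group to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!txt</format>
                    <description>Exclude the specified address group from matches</description>
                  </valueHelp>
                  <constraint>
                    <!-- same character class as the tagNode name, with optional negation -->
                    <regex>!?[a-z0-9-]+</regex>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
            </children>
          </tagNode>
          <!-- Port groups: named sets of ports/ranges, with the same "!" negation convention. -->
          <tagNode name="port-group">
            <properties>
              <help>Port group name</help>
              <constraint>
                <regex>[a-z0-9-]+</regex>
              </constraint>
            </properties>
            <children>
              <leafNode name="port">
                <properties>
                  <help>Port number</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Numeric port to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!u32:1-65535</format>
                    <description>Numeric port to exclude from matches</description>
                  </valueHelp>
                  <valueHelp>
                    <format>start-end</format>
                    <description>Numbered port range (e.g. 1001-1005) to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!start-end</format>
                    <description>Numbered port range (e.g. !1001-1005) to exclude from matches</description>
                  </valueHelp>
                  <constraint>
                    <validator name="port-range"/>
                    <validator name="port-range-exclude"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <leafNode name="group">
                <properties>
                  <help>Port group</help>
                  <completionHelp>
                    <!-- Completion path must match the tagNode location under "service suricata". -->
                    <path>service suricata port-group</path>
                  </completionHelp>
                  <valueHelp>
                    <format>txt</format>
                    <description>Port group to match</description>
                  </valueHelp>
                  <valueHelp>
                    <format>!txt</format>
                    <description>Exclude the specified port group from matches</description>
                  </valueHelp>
                  <constraint>
                    <regex>!?[a-z0-9-]+</regex>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
            </children>
          </tagNode>
          <node name="log">
            <properties>
              <help>Suricata log outputs</help>
            </properties>
            <children>
              <node name="eve">
                <properties>
                  <help>Extensible Event Format (EVE)</help>
                </properties>
                <children>
                  <leafNode name="filetype">
                    <properties>
                      <help>EVE logging destination</help>
                      <completionHelp>
                        <list>regular syslog</list>
                      </completionHelp>
                      <valueHelp>
                        <format>regular</format>
                        <description>Log to filename</description>
                      </valueHelp>
                      <valueHelp>
                        <format>syslog</format>
                        <description>Log to syslog</description>
                      </valueHelp>
                      <constraint>
                        <regex>(regular|syslog)</regex>
                      </constraint>
                    </properties>
                    <defaultValue>regular</defaultValue>
                  </leafNode>
                  <leafNode name="filename">
                    <properties>
                      <help>Log file</help>
                      <valueHelp>
                        <format>filename</format>
                        <description>File name in default Suricata log directory</description>
                      </valueHelp>
                      <valueHelp>
                        <format>/path</format>
                        <description>Absolute file path</description>
                      </valueHelp>
                      <!--
                        NOTE(review): no constraint is declared here, so any
                        absolute path is accepted at commit time; presumably the
                        owner script decides where a bare name is placed - confirm
                        in service_suricata.py.
                      -->
                    </properties>
                    <defaultValue>eve.json</defaultValue>
                  </leafNode>
                  <leafNode name="type">
                    <properties>
                      <help>Log types</help>
                      <completionHelp>
                        <!-- keep this list and the regex constraint below in sync -->
                        <list>alert anomaly drop files http dns tls smtp dnp3 ftp rdp nfs smb tftp ikev2 dcerpc krb5 snmp rfb sip dhcp ssh mqtt http2 flow netflow</list>
                      </completionHelp>
                      <valueHelp>
                        <format>alert</format>
                        <description>Record events for rule matches</description>
                      </valueHelp>
                      <valueHelp>
                        <format>anomaly</format>
                        <description>Record unexpected conditions such as truncated packets, packets with invalid IP/UDP/TCP length values, and other events that render the packet invalid for further processing or describe unexpected behavior on an established stream</description>
                      </valueHelp>
                      <valueHelp>
                        <format>drop</format>
                        <description>Record events for dropped packets</description>
                      </valueHelp>
                      <valueHelp>
                        <!-- fixed: "files" is the accepted value (see list and regex); "file" would never validate -->
                        <format>files</format>
                        <description>Record file details (e.g., MD5) for files extracted from application protocols (e.g., HTTP)</description>
                      </valueHelp>
                      <valueHelp>
                        <format>application (http, dns, tls, ...)</format>
                        <description>Record application-level transactions</description>
                      </valueHelp>
                      <valueHelp>
                        <format>flow</format>
                        <description>Record bi-directional flows</description>
                      </valueHelp>
                      <valueHelp>
                        <format>netflow</format>
                        <description>Record uni-directional flows</description>
                      </valueHelp>
                      <constraint>
                        <regex>(alert|anomaly|http|dns|tls|files|drop|smtp|dnp3|ftp|rdp|nfs|smb|tftp|ikev2|dcerpc|krb5|snmp|rfb|sip|dhcp|ssh|mqtt|http2|flow|netflow)</regex>
                      </constraint>
                      <multi/>
                    </properties>
                  </leafNode>
                </children>
              </node>
            </children>
          </node>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>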