-
Notifications
You must be signed in to change notification settings - Fork 6
/
pillar.example
161 lines (161 loc) · 9.54 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# suricata docs https://suricata.readthedocs.io/en/latest/
suricata:
lookup:
suricata:
base_dir: '/etc/suricata' # /etc/suricata is default for package install
default_log_dir: '/var/log/suricata' # Default log directory
{% if grains['os_family'] == 'RedHat' %}
{% if grains['osmajorrelease'] == 7 %}
python_pyyaml_pkg: 'PyYAML' # PyYAML package for suricata-update. Install PyYAML(7), python3-pyyaml(8) for RHEL based OS
config_version: 'v41' # Sets config file version to use for v4x or v5x based on defaults for OS
{% elif grains['osmajorrelease'] == 8 %}
python_pyyaml_pkg: 'python3-pyyaml' # PyYAML package for suricata-update. Install PyYAML(7), python3-pyyaml(8) for RHEL based OS
config_version: 'v50' # Sets config file version to use for v4x or v5x based on defaults for OS
{% endif %}
{% elif grains['os_family'] == 'Debian' %}
python_pyyaml_pkg: 'python3-yaml' # PyYAML package for suricata-update. Install python3-yaml for Debian based OS
config_version: 'v50' # Sets config file version to use for v4x or v5x based on defaults for OS
{% endif %}
python_pip_cmd: 'python3 -m pip' # Use pip to install suricata-update
mode: 'af-packet' # Set listen mode: pcap, nfqueue or af-packet
use_pfring: 'False' # If pf_ring is installed set this to True
pfring_lb_procs: '2' # Threads to run workers with. If set to 'auto' try CPU(core) count, otherwise RSS queue count
{% if grains['os_family'] == 'RedHat' %}
user: 'suricata' # Default user to run suricata as on RHEL based OS
startup_overrides_path: '/etc/sysconfig/suricata' # System overrides /etc/sysconfig or /etc/defaults depending on OS
{% elif grains['os_family'] == 'Debian' %}
user: 'root' # Default user to run suricata as on Debian based OS
startup_overrides_path: '/etc/default/suricata' # System overrides /etc/sysconfig or /etc/defaults depending on OS
service_file: 'suricata.init' # Using the oisf ppa requires some mods to the init file for setup
{% endif %}
address_groups: # Set defaults for address groups
HOME_NET: '192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
EXTERNAL_NET: '!$HOME_NET'
use_suricata_update: 'True' # If using suricata-update for rule management
use_suricata_update_cron: 'True' # If using suricata-update set cron to run daily
update_config: 'suricata-update.yaml' # Local path for suricata-update config
update_path: '/var/lib/suricata/update' # Local path for suricata-update cache
rules_path: '/var/lib/suricata/rules' # Local path for consolidated rule file
rules_file: 'suricata.rules' # Consolidated file for all rules
reload_command: 'suricatasc -c reload-rules' # Reload command to run upon successful rule download
disable_conf: 'disable.conf' # File for disable rules
enable_conf: 'enable.conf' # File for enable rules
drop_conf: 'drop.conf' # File for drop rules
modify_conf: 'modify.conf' # File for modify rules
threshold_file: 'threshold.config' # File for threshold rules
classification_file: 'classification.config' # File for classifications config
remote_rule_sources: # List of remote rule sources (check update.yaml for examples)
- 'https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz'
- 'https://sslbl.abuse.ch/blacklist/sslblacklist.rules'
local_rule_files: # List of local rule paths (check update.yaml for examples)
- '/etc/suricata/rules'
ignore_rule_files: # List of rules files to ignore
- '*deleted.rules'
- 'dnp3-events.rules'
- 'modbus-events.rules'
- 'ntp.rules'
- 'smtp-events.rules'
stats:
enable_global_stats: 'yes' # Enabled global stats
global_stats_interval: '8' # Interval in seconds to capture device stats
bpf:
use_BPFconf: 'False' # Use Berkeley Packet Filter(BPF) on capture interfaces
bpf_rules_file: 'capture-filter.bpf' # Add custom BPF rules
interfaces:
ip_binary_path: '/sbin/ip' # path to ip binary for managing
management: 'eth0' # Management interface name
capture:
enable: 'True'
device_names: 'eth1' # Capture interface name (currently only supports 1 interface)
enable_tx: '0' # Enable tx send on this interface (default is 0)
min_num_slots: '4096' # Min Slots check support on card using ethtool -g eth1
cluster_type: 'cluster_flow' # Flow type used for af_packet or pf_ring setups (Recommended is cluster_flow)
log_outputs:
fast_log:
enabled: "yes" # Line based alerts log similar to Snort's fast.log
eve_log:
enabled: "yes" # Enable eve log format
metadata: "yes" # Enable top level metadata Default is yes
xff:
enabled: "no" # HTTP X-Forwarded-For support
mode: "extra-data" # Two modes are available, "extra-data" and "overwrite".
deployment: "reverse" # Two proxy deployments are supported, "reverse" and "forward".
header: "X-Forwarded-For" # Header name where the actual IP address will be reported
types:
alert:
payload: "yes" # Enable dumping payload in Base64
payload_buffer_size: "4kb" # Max size of payload buffer to output in eve-log
payload_printable: "yes" # Enable dumping payload in printable (lossy) format
packet: "yes" # Enable dumping of packet (without stream segments)
http_body: "yes" # Enable dumping of http body in Base64
http_body_printable: "yes" # Enable dumping of http body in printable format
metadata: "yes" # Add L7/applayer fields, flowbit and other vars to the alert
tagged_packets: "yes" # Enable logging of tagged packets for rules using the "tag" keyword.
http:
extended: "yes" # Enable this for extended logging information
dns:
enabled: "no" # Enable this for dns logging information Default is yes
pcap_log:
enabled: "no" # Enable pcap-log default is no
filename: "log.pcap" # Filename to be used for log file
limit: "100mb" # File size limit. Can be specified in kb, mb, gb
compression: "none" # Compression algorithm for pcap files. Possible values: none, lz4
max_files: "2000" # If set, will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
mode: "normal" # Use normal, multi or sguil as values
dir: "" # Directory to place pcap files. If not provided the default log directory will be used
ts_format: 'usec' # Seconds format is sec or usec (default) is filename.sec usec is filename.sec.usec
use_stream_depth: "no" # If set to "yes" packets seen after reaching stream inspection depth are ignored
honor_pass_rules: "no" # If set to "yes", flows in which a pass rule matched will stopped being logged
app_protocol_parsers: # The option "enabled" takes 3 values - "yes", "no", "detection-only"
krb5:
enabled: "yes"
ikev2:
enabled: "yes"
tls:
enabled: "yes"
dcerpc:
enabled: "no"
ftp:
enabled: "yes"
ssh:
enabled: "yes"
smtp:
enabled: "yes"
imap:
enabled: "detection-only"
msn:
enabled: "detection-only"
smb:
enabled: "no" # Note: parser depends on Rust support
nfs:
enabled: "no" # Note: parser depends on Rust support
tftp:
enabled: "no"
dns:
tcp:
enabled: "yes"
udp:
enabled: "yes"
http:
enabled: "yes"
modbus:
enabled: "no"
dnp3:
enabled: "no"
enip:
enabled: "no"
ntp:
enabled: "no" # Note: parser depends on Rust support
dhcp:
enabled: "no"
ja3:
enabled: "yes" # Aded for v5.0.x configuration support
rdp:
enabled: "no" # Aded for v5.0.x configuration support
snmp:
enabled: "no" # Aded for v5.0.x configuration support
sip:
enabled: "no" # Aded for v5.0.x configuration support