diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml b/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
index 0e8ec0d3a24..f8e68b676fc 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
@@ -5,21 +5,21 @@
ids.general.enabled
-
+
checkbox
- Enable intrusion detection system.
+ Enable IDS (Intrusion Detection System).ids.general.ipscheckbox
- Before enabling, please disable all hardware offloading first in advanced network.]]>
+ Before enabling, please disable all hardware offloading first in advanced network.]]>ids.general.promisccheckbox
- Enable promiscuous mode, for certain setups (like IPS with vlans), this is required to actually capture data on the physical interface.
+ Enable promiscuous mode, for certain setups (e.g., IPS with VLANs) this is required to actually capture data on the physical interface.ids.general.interfaces
@@ -35,30 +35,30 @@
ids.general.MPMAlgodropdown
- Select the multi-pattern matcher algorithm to use.
+ Select the multi-pattern matcher algorithm to use for the engine's scan/search.ids.general.detect.Profile
-
+
dropdowntrueThe detection engine builds internal groups of signatures. The engine allow us to specify the profile to use for them, to manage memory on an efficient way keeping a good performance.ids.general.detect.toclient_groups
-
+
texttrue
- If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.
+ The number of groups for signatures to a client. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.ids.general.detect.toserver_groups
-
+
texttrue
- If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.
+ The number of groups for signatures to a server. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.ids.general.homenet
@@ -66,12 +66,12 @@
select_multipletrue
- Networks to interpret as local
+ Networks to interpret as local.trueids.general.defaultPacketSize
-
+
texttrueWith this option, you can set the size of the packets on your network. It is possible that bigger packets have to be processed sometimes. The engine can still process these bigger packets, but processing it will lower the performance.
@@ -88,87 +88,352 @@
ids.general.syslog_eve
-
+
checkbox
- Send alerts in eve format to syslog, using log level info.
+ Send alerts in EVE format to syslog, using the log level info.
This will not change the alert logging used by the product itself.
- Drop logs will only be send to the internal logger, due to restrictions in suricata.
+ Drop logs will only be sent to the internal logger, due to restrictions in Suricata.
ids.general.verbositydropdown
- Increase the verbosity of the Suricata application logging by increasing the log level from the default.
+ Increase the verbosity of the Suricata application logging by increasing the default log level.true
- ids.general.AlertLogrotate
-
- dropdown
- Rotate alert logs at provided interval.
+ ids.general.eveLog.rotate.count
+
+ text
+ The number of EVE logs to retain.
- ids.general.AlertSaveLogs
-
+ ids.general.eveLog.rotate.size
+
text
- Number of logs to keep.
+ Rotate EVE log past defined size in kilobytes.
+
+
+ ids.general.eveLog.rotate.frequency
+
+ dropdown
+ Rotate EVE log at defined interval.
- ids.general.LogPayload
-
+ ids.general.eveLog.alert.payload
+
checkbox
- Send package payload to the log for further analyses.
+ Log packet payload to EVE log.trueids.general.eveLog.http.enable
-
+
checkbox
- Send HTTP metadata to eve-log for further analyses.
+ Log HTTP events to EVE log.trueids.general.eveLog.http.extended
-
+
checkbox
- Add extended information to eve HTTP logging.
+ Extend HTTP events in EVE log.trueids.general.eveLog.http.dumpAllHeaders
-
+
dropdown
- Make eve HTTP logging dump all HTTP headers. You may choose to dump headers for requests or responses or both.
+ Dump all, request, or response headers from HTTP events in EVE log.
+ true
+
+
+ ids.general.eveLog.dns.enable
+
+ checkbox
+ Log DNS events to EVE log.trueids.general.eveLog.tls.enable
-
+
checkbox
- Send TLS metadata to eve-log for further analyses.
+ Log TLS events to EVE log.trueids.general.eveLog.tls.extended
-
+
checkbox
- Add extended information to eve TLS logging. For example, SNI field.
+ Extend TLS events in EVE log with additional fields (e.g., SNI).trueids.general.eveLog.tls.sessionResumption
-
+
checkbox
- Output TLS transaction where the session is resumed using a session id
+ Log TLS events with session resumptions to EVE log (i.e., transactions with a session identifier).trueids.general.eveLog.tls.custom
-
+
select_multiple
- Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).
+ Extend TLS events in EVE log with custom fields, overriding the default extended TLS logging.
+ true
+
+
+ ids.general.eveLog.files.enable
+
+ checkbox
+ Log file events to EVE log.
+ true
+
+
+ ids.general.eveLog.files.forceMagic
+
+ checkbox
+ Forcefully extend file events in EVE log with the file's magic.
+ true
+
+
+ ids.general.eveLog.files.forceHash
+
+ select_multiple
+ Forcefully extend file events in EVE log with the file's hash(es).
+ true
+
+
+ ids.general.eveLog.smtp.enable
+
+ checkbox
+ Log SMTP events to EVE log.
+ true
+
+
+ ids.general.eveLog.smtp.extended
+
+ checkbox
+ Extend SMTP events in EVE log with additional fields (e.g., bcc, message-id, subject, x_mailer, user-agent).
+ true
+
+
+ ids.general.eveLog.smtp.custom
+
+ select_multiple
+ Extend SMTP events in EVE log with custom fields, overriding the default extended SMTP logging.
+ true
+
+
+ ids.general.eveLog.dnp3.enable
+
+ checkbox
+ Log DNP3 (Distributed Network Protocol 3) events to EVE log.
+ true
+
+
+ ids.general.eveLog.ftp.enable
+
+ checkbox
+ Log FTP (File Transfer Protocol) events to EVE log.
+ true
+
+
+ ids.general.eveLog.rdp.enable
+
+ checkbox
+ Log RDP (Remote Desktop Protocol) events to EVE log.
+ true
+
+
+ ids.general.eveLog.nfs.enable
+
+ checkbox
+ Log NFS (Network File System) events to EVE log.
+ true
+
+
+ ids.general.eveLog.smb.enable
+
+ checkbox
+ Log SMB (Server Message Block) events to EVE log.
+ true
+
+
+ ids.general.eveLog.tftp.enable
+
+ checkbox
+ Log TFTP (Trivial File Transfer Protocol) events to EVE log.
+ true
+
+
+ ids.general.eveLog.ike.enable
+
+ checkbox
+ Log IKE (Internet Key Exchange) events to EVE log.
+ true
+
+
+ ids.general.eveLog.dcerpc.enable
+
+ checkbox
+ Log DCE/RPC (Distributed Computing Environment / Remote Procedure Call) events to EVE log.
+ true
+
+
+ ids.general.eveLog.krb5.enable
+
+ checkbox
+ Log Kerberos events to EVE log.
+ true
+
+
+ ids.general.eveLog.bittorrentDht.enable
+
+ checkbox
+ Log BitTorrent DHT events to EVE log.
+ true
+
+
+ ids.general.eveLog.snmp.enable
+
+ checkbox
+ Log SNMP (Simple Network Management Protocol) events to EVE log.
+ true
+
+
+ ids.general.eveLog.rfb.enable
+
+ checkbox
+ Log RFB (Remote FrameBuffer) events to EVE log, also known as VNC (Virtual Network Computing).
+ true
+
+
+ ids.general.eveLog.sip.enable
+
+ checkbox
+ Log SIP (Session Initiation Protocol) events to EVE log, also known as Voice-over-IP.
+ true
+
+
+ ids.general.eveLog.quic.enable
+
+ checkbox
+ Log QUIC events to EVE log.
+ true
+
+
+ ids.general.eveLog.dhcp.enable
+
+ checkbox
+ Log DHCP events to EVE log.
+ true
+
+
+ ids.general.eveLog.dhcp.extended
+
+ checkbox
+ Extend DHCP events in EVE log with additional fields (includes all DHCP messages).
+ true
+
+
+ ids.general.eveLog.ssh.enable
+
+ checkbox
+ Log SSH events to EVE log.
+ true
+
+
+ ids.general.eveLog.mqtt.enable
+
+ checkbox
+ Log MQTT (Message Queuing Telemetry Transport) events to EVE log.
+ true
+
+
+ ids.general.eveLog.mqtt.passwords
+
+ checkbox
+ Extend MQTT events in EVE log with additional fields (i.e., passwords).
+ true
+
+
+ ids.general.eveLog.http2.enable
+
+ checkbox
+ Log HTTP2 events to EVE log.
+ true
+
+
+ ids.general.eveLog.pgsql.enable
+
+ checkbox
+ Log PGSQL events to EVE log.
+ true
+
+
+ ids.general.eveLog.pgsql.passwords
+
+ checkbox
+ Extend PGSQL events in EVE log with additional fields (i.e., passwords).
+ true
+
+
+ ids.general.eveLog.stats.enable
+
+ checkbox
+ Log thread statistics to EVE log.
+ true
+
+
+ ids.general.eveLog.flow.enable
+
+ checkbox
+ Log bi-directional flows to EVE log.
+ true
+
+
+ ids.general.eveLog.netflow.enable
+
+ checkbox
+ Log uni-directional flows to EVE log.
+ true
+
+
+ ids.general.eveLog.metadata.enable
+
+ checkbox
+ Log verbose metadata event to EVE log (i.e., triggers whenever a pktvar is saved).
+ true
+
+
+ ids.general.pcapLog.enable
+
+ checkbox
+ Enable the logging of packets in pcap format.
+ true
+
+
+ ids.general.pcapLog.limit
+
+ text
+ Limit the pcap file to a size in megabytes.
+ true
+
+
+ ids.general.pcapLog.maxFiles
+
+ text
+ Limit the amount of pcap files to retain.
+ true
+
+
+ ids.general.bpfFilter
+
+ text
+ BPF filter to apply on the interfaces (the pcap filter syntax applies here). A BPF filter should be used when logs are exported (especially pcap files) to avoid self-caused noise and amplifications.true
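Review bot: The help text for `ids.general.eveLog.mqtt.passwords` and `ids.general.eveLog.pgsql.passwords` says only "(i.e., passwords)", but enabling either writes client credentials in clear text into eve.json and into whatever that file is forwarded to, and the operator should see that consequence next to the checkbox. Suggested wording for the MQTT field: `Extend MQTT events in EVE log with the client password. Credentials are stored in clear text in eve.json and any destination it is forwarded to.`, and the same pattern for the PGSQL field. The `ids.general.bpfFilter` help text could likewise say that the value is inserted verbatim into suricata.yaml, since a malformed filter surfaces there as a failed engine start rather than as a form error.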
diff --git a/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml b/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
index 37b0a40ffcb..41ebd3f7a1b 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
@@ -1,6 +1,6 @@
//OPNsense/IDS
- 1.1.0
+ 1.1.1OPNsense IDS
@@ -174,22 +174,6 @@
Related cron not found.
-
- Y
- W0D23
-
- Weekly
- Daily
-
- Please select a valid rotation
-
-
- Y
- 4
- 1
- 1000
- Enter a valid number of logs to save
- Default
@@ -230,10 +214,6 @@
0Y
-
- 0
- Y
- DEFAULT (0)
@@ -244,6 +224,35 @@
+
+
+ Y
+ W0D0
+
+ Weekly
+ Daily
+
+ Please select a valid rotation frequency
+
+
+ Y
+ 500000
+ 1
+ Enter a valid number of kilobytes
+
+
+ Y
+ 4
+ 1
+ Enter a valid number of logs to save
+
+
+
+
+ 0
+ Y
+
+ 0
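Review bot: `eveLog.rotate.count` appears to have no upper bound, whereas the removed `AlertSaveLogs` field carried a maximum of 1000 in the deleted block above, and `eveLog.rotate.size` accepts a minimum of 1 kilobyte, which would let newsyslog rotate eve.json on nearly every run and discard the alert history after `count` rotations. Element tags are stripped in this rendering, so I may be misreading which value is a bound; if so, disregard. Otherwise consider restoring the maximum on `count` and raising the floor on `size` towards the previously fixed 500000 kB so the retained alert history cannot shrink to a few kilobytes through a typo.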
@@ -261,6 +270,12 @@
+
+
+ 0
+ Y
+
+ 0
@@ -289,11 +304,232 @@
chainja3ja3s
+ ja4Y
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+
+ md5
+ sha1
+ sha256
+
+ Y
+
+
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+
+ reply-to
+ bcc
+ message-id
+ subject
+ x-mailer
+ user-agent
+ received
+ x-originating-ip
+ in-reply-to
+ references
+ importance
+ priority
+ sensitivity
+ organization
+ content-md5
+ date
+
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+
+
+ 0
+ Y
+
+
+ Limit should be a number.
+ Y
+ 1000
+ 1
+
+
+ Maximum files should be a number.
+ Y
+ 2000
+ 1
+
+
+
+ Y
+
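Review bot: The `ids.general.bpfFilter` field definition at the end of the hunk shows nothing resembling a mask or length constraint, yet the value is rendered verbatim into suricata.yaml (af-packet and pcap sections) where an unbalanced quote, a `#`, or a line break changes how the engine parses its own configuration. A mask that rejects line breaks and characters outside pcap filter syntax, plus a length limit, would report the problem at save time instead of at engine start. Element names are not visible in this rendering, so this is based only on the absence of a mask-like entry between the field's opening and its `Y` flag.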
diff --git a/src/opnsense/mvc/app/models/OPNsense/IDS/Migrations/M1_1_1.php b/src/opnsense/mvc/app/models/OPNsense/IDS/Migrations/M1_1_1.php
new file mode 100755
index 00000000000..504edcc6f70
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/IDS/Migrations/M1_1_1.php
@@ -0,0 +1,63 @@
+object();
+ if (isset($cfgObj->OPNsense->IDS->general->AlertLogrotate)) {
+ $cfgObj->OPNsense->IDS->general->eveLog->rotate->count = $cfgObj->OPNsense->IDS->general->AlertLogrotate;
+ }
+ if (isset($cfgObj->OPNsense->IDS->general->AlertSaveLogs)) {
+ $cfgObj->OPNsense->IDS->general->eveLog->rotate->size = $cfgObj->OPNsense->IDS->general->AlertSaveLogs;
+ }
+ if (isset($cfgObj->OPNsense->IDS->general->LogPayload)) {
+ $cfgObj->OPNsense->IDS->general->eveLog->alert->payload = $cfgObj->OPNsense->IDS->general->LogPayload;
+ }
+ }
+
+ public function post($model)
+ {
+ $config = Config::getInstance()->object();
+ unset($config->OPNsense->IDS->general->AlertLogrotate);
+ unset($config->OPNsense->IDS->general->AlertSaveLogs);
+ unset($config->OPNsense->IDS->general->LogPayload);
+ }
+}
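Review bot: `run()` maps the old fields to the wrong new ones: `AlertLogrotate` held the rotation interval (a Weekly/Daily dropdown with default `W0D23` in the removed model block, and `Rotate alert logs at provided interval` in the form diff) but is copied into `eveLog.rotate.count`, while `AlertSaveLogs` (the number of logs to keep, default 4) is copied into `eveLog.rotate.size`, which newsyslog.conf now consumes as a size in kilobytes. On an upgraded system that yields `count = "W0D23"`, which cannot pass the new field's numeric validation, and `size = 4`, which rotates eve.json at 4 kB and discards alert history; the interval itself is never migrated. The intended mapping is `eveLog.rotate.count = AlertSaveLogs`, `eveLog.rotate.frequency = AlertLogrotate` (only if the old option keys still exist in the new option list, since the default changed from `W0D23` to `W0D0`), and `eveLog.rotate.size` left at its model default. The opening of `run()` is not legible in this hunk, and the file is added with mode 100755 although it is a PHP class rather than a script.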
diff --git a/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf b/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf
index a6a4db0c563..31aa907f50d 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf
+++ b/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf
@@ -1,7 +1,4 @@
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
{% if not helpers.empty('OPNsense.IDS.general.enabled') %}
-/var/log/suricata/stats.log root:wheel 640 7 * $D0 B /var/run/suricata.pid 1
-/var/log/suricata/eve.json root:wheel 640 {{ OPNsense.IDS.general.AlertSaveLogs }} 500000 ${{
- OPNsense.IDS.general.AlertLogrotate
-}} B /var/run/suricata.pid 1
+/var/log/suricata/eve.json root:wheel 640 {{ OPNsense.IDS.general.eveLog.rotate.count }} {{ OPNsense.IDS.general.eveLog.rotate.size }} ${{ OPNsense.IDS.general.eveLog.rotate.frequency }} B /var/run/suricata.pid 1
{% endif %}
diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
index 666fbc94599..efd4d7d52f0 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
+++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
@@ -5,6 +5,9 @@
# options in this file, full documentation can be found at:
# https://docs.suricata.io/en/latest/configuration/suricata-yaml.html
+# This configuration file generated by Suricata 7.0.8.
+suricata-version: ""
+
##
## Step 1: Inform Suricata about your network
##
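Review bot: The new header comment `# This configuration file generated by Suricata 7.0.8.` is misleading in a Jinja template that OPNsense renders, and `suricata-version: ""` carries no information for the reader. Suggest `# Based on the default suricata.yaml shipped with Suricata 7.0.8; rendered by OPNsense from this template.` and either dropping the empty key or setting it to the version the template tracks.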
@@ -13,7 +16,14 @@ vars:
# more specific is better for alert accuracy and performance
address-groups:
HOME_NET: "[{{OPNsense.IDS.general.homenet}}]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
@@ -41,12 +51,10 @@ vars:
VXLAN_PORTS: 4789
TEREDO_PORTS: 3544
-
##
## Step 2: Select outputs to enable
##
-
# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
@@ -57,7 +65,7 @@ stats:
enabled: yes
# The interval field (in seconds) controls the interval at
# which stats are updated in the log.
- interval: 300
+ interval: 8
# Add decode events to stats.
#decoder-events: true
# Decoder event prefix in stats. Has been 'decoder' before, but that leads
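Review bot: `interval: 8` replaces 300, so once `ids.general.eveLog.stats.enable` is set (the `- stats:` EVE type further down in this file) a full counter dump lands in eve.json every 8 seconds, and with the new size-based rotation those records consume the retained kilobytes in place of alerts. If the value came along with the re-sync against the upstream default rather than being chosen, consider keeping 300 or exposing the interval next to the stats checkbox. The `stats:` section begins before this hunk.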
@@ -72,7 +80,6 @@ plugins:
# Configure the type of alert (and other) logging you would like.
outputs:
-
# a line based alerts log similar to Snort's fast.log
- fast:
enabled: no
@@ -148,30 +155,30 @@ outputs:
# one taken into consideration.
header: X-Forwarded-For
-
types:
- alert:
-{% if not helpers.empty('OPNsense.IDS.general.LogPayload') %}
- payload: yes
- payload-buffer-size: 100kb
- payload-printable: yes
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.alert.payload') %}
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
{% endif %}
- # packet: yes # enable dumping of packet (without stream segments)
- # metadata: no # enable inclusion of app layer metadata with alert. Default yes
- # http-body: yes # Requires metadata; enable dumping of http body in Base64
- # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
-
- # Enable the logging of tagged packets for rules using the
- # "tag" keyword.
- tagged-packets: yes
- # Enable logging the final action taken on a packet by the engine
- # (e.g: the alert may have action 'allowed' but the verdict be
- # 'drop' due to another alert. That's the engine's verdict)
- # verdict: yes
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ # 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
# app layer frames
- frame:
# disabled by default as this is very verbose.
enabled: no
+ # payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
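Review bot: `payload-buffer-size: 4kb` cuts the payload kept per alert from the previous 100kb, so the evidence an analyst gets with each alert shrinks 25-fold with no mention in the change. The trailing comments match the upstream default file, which suggests the value was inherited from the re-sync rather than decided; if so, keep `payload-buffer-size: 100kb # max size of payload buffer to output in eve-log` or expose the size next to `ids.general.eveLog.alert.payload`. The `- alert:` entry and its enclosing `- eve-log:` output begin before this hunk.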
@@ -206,8 +213,6 @@ outputs:
# stream: no
# applayer: yes
#packethdr: no
-
-
{% if not helpers.empty('OPNsense.IDS.general.eveLog.http.enable') %}
- http:
extended: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.http.extended') else 'yes' }}
@@ -218,9 +223,13 @@ outputs:
# to dump all HTTP headers for every HTTP request and/or response
{% if not helpers.empty('OPNsense.IDS.general.eveLog.http.dumpAllHeaders') %}
dump-all-headers: {{OPNsense.IDS.general.eveLog.http.dumpAllHeaders}}
+{% else %}
+ # dump-all-headers: none
{% endif %}
+{% else %}
+ #- http
{% endif %}
-# - dns:
+ - dns:
# This configuration uses the new DNS logging format,
# the old configuration is still available:
# https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
@@ -230,7 +239,7 @@ outputs:
#version: 2
# Enable/disable this logger. Default: enabled.
- #enabled: yes
+ enabled: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.dns.enable') else 'yes' }}
# Control logging of requests and responses:
# - requests: enable logging of DNS queries
@@ -254,121 +263,126 @@ outputs:
# output TLS transaction where the session is resumed using a
# session id
session-resumption: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.tls.sessionResumption') else 'yes' }}
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ ja4: {{ 'on' if helpers.empty('OPNsense.IDS.general.eveLog.tls.custom') or 'ja4' in OPNsense.IDS.general.eveLog.tls.custom else 'off' }}
# custom controls which TLS fields that are included in eve-log
{% if not helpers.empty('OPNsense.IDS.general.eveLog.tls.custom') %}
custom: [{{ OPNsense.IDS.general.eveLog.tls.custom }}]
+{% else %}
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
{% endif %}
+{% else %}
+ #- tls
{% endif %}
- #- files:
- force-magic: no # force logging magic on all logged files
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.files.enable') %}
+ - files:
+ force-magic: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.files.forceMagic') else 'yes' }} # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.files.forceHash') %}
+ force-hash: [{{ OPNsense.IDS.general.eveLog.files.forceHash }}]
+{% else %}
#force-hash: [md5]
-
- - drop:
- alerts: yes # log alerts that caused drops
- flows: start # start or all: 'start' logs only a single drop
- # per flow direction. All logs each dropped pkt.
-
- #- smtp:
- #extended: yes # enable this for extended logging information
+{% endif %}
+{% else %}
+ #- files
+{% endif %}
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.smtp.enable') %}
+ - smtp:
+ extended: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.smtp.extended') else 'yes' }} # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
# custom fields logging from the list:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# x-originating-ip, in-reply-to, references, importance, priority,
# sensitivity, organization, content-md5, date
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.smtp.custom') %}
+ custom: [{{ OPNsense.IDS.general.eveLog.smtp.custom }}]
+{% else %}
#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+{% endif %}
# output md5 of fields: body, subject
# for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes
#md5: [body, subject]
+{% else %}
+ #- smtp
+{% endif %}
- #- dnp3
- #- ftp
- #- rdp
- #- nfs
- #- smb
- #- tftp
- #- ike
- #- dcerpc
- #- krb5
- #- bittorrent-dht
- #- snmp
- #- rfb
- #- sip
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.dnp3.enable') else '' }}- dnp3
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.ftp.enable') else '' }}- ftp
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.rdp.enable') else '' }}- rdp
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.nfs.enable') else '' }}- nfs
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.smb.enable') else '' }}- smb
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.tftp.enable') else '' }}- tftp
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.ike.enable') else '' }}- ike
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.dcerpc.enable') else '' }}- dcerpc
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.krb5.enable') else '' }}- krb5
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.bittorrentDht.enable') else '' }}- bittorrent-dht
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.snmp.enable') else '' }}- snmp
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.rfb.enable') else '' }}- rfb
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.sip.enable') else '' }}- sip
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.quic.enable') %}
+ - quic:
+ # ja4 hashes in quic records will never be logged unless
+ # the following is set to on. (Default off)
+ ja4: {{ 'on' if helpers.empty('OPNsense.IDS.general.eveLog.tls.custom') or 'ja4' in OPNsense.IDS.general.eveLog.tls.custom else 'off' }}
+{% else %}
#- quic
- #- dhcp:
- #enabled: yes
+{% endif %}
+ - dhcp:
+ enabled: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.dhcp.enable') else 'yes' }}
# When extended mode is on, all DHCP messages are logged
# with full detail. When extended mode is off (the
# default), just enough information to map a MAC address
# to an IP address is logged.
- #extended: no
- - ssh
- #- mqtt:
- # passwords: yes # enable output of passwords
- #- http2
- #- pgsql:
- #enabled: no
- # passwords: yes # enable output of passwords. Disabled by default
- #- stats:
- #totals: yes # stats for all threads merged together
- #threads: no # per thread stats
- #deltas: no # include delta values
+ extended: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.dhcp.extended') else 'yes' }}
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.ssh.enable') else '' }}- ssh
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.mqtt.enable') %}
+ - mqtt:
+ passwords: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.mqtt.passwords') else 'yes' }} # enable output of passwords
+{% else %}
+ #- mqtt
+{% endif %}
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.http2.enable') else '' }}- http2
+ - pgsql:
+ enabled: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.pgsql.enable') else 'yes' }}
+ passwords: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.pgsql.passwords') else 'yes' }} # enable output of passwords. Disabled by default
+{% if not helpers.empty('OPNsense.IDS.general.eveLog.stats.enable') %}
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+{% else %}
+ #- stats
+{% endif %}
# bi-directional flows
- #- flow
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.flow.enable') else '' }}- flow
# uni-directional flows
- #- netflow
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.netflow.enable') else '' }}- netflow
# Metadata event type. Triggered whenever a pktvar is saved
# and will include the pktvars, flowvars, flowbits and
# flowints.
- #- metadata
+ {{ '#' if helpers.empty('OPNsense.IDS.general.eveLog.metadata.enable') else '' }}- metadata
# EXPERIMENTAL per packet output giving TCP state tracking details
# including internal state, flags, etc.
# This output is experimental, meant for debugging and subject to
# change in both config and output without any notice.
-
#- stream:
# all: false # log all TCP packets
# event-set: false # log packets that have a decoder/stream event
-
# state-update: false # log packets triggering a TCP state update
# spurious-retransmission: false # log spurious retransmission packets
-{% if not helpers.empty('OPNsense.IDS.general.syslog_eve') %}
- # Extensible Event Format (nicknamed EVE) to syslog
- - eve-log:
- enabled: yes
- type: syslog
- identity: "suricata"
- facility: local5
- level: Info
- community-id: true
- community-id-seed: 0
- xff:
- enabled: yes
- mode: extra-data
- deployment: reverse
- header: X-Forwarded-For
- types:
- - alert:
-{% if not helpers.empty('OPNsense.IDS.general.LogPayload') %}
- payload: no
- payload-buffer-size: 4kb
- payload-printable: yes
-{% endif %}
- metadata: yes
- tagged-packets: yes
-{% endif %}
-
- # deprecated - unified2 alert format for use with Barnyard2
- - unified2-alert:
- enabled: no
- # for further options see:
- # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert
-
# a line based log of HTTP requests (no alerts)
- http-log:
enabled: no
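Review bot: The `{% if not helpers.empty('OPNsense.IDS.general.syslog_eve') %}` block that emitted the second `eve-log` output of `type: syslog` is deleted near the end of the hunk with nothing replacing it, yet the form diff keeps `ids.general.syslog_eve` and even rewords its help text, so the checkbox has no effect any more unless another template consumes the setting. In the same hunk the `- drop:` output is commented out, which removes the dedicated drop events from eve.json while the form text still tells users that drop logs go to the internal logger; either keep `- drop:` gated on a setting or update that text. Both are silent losses of visibility into blocked traffic on an IPS deployment and deserve a line in the commit description at least. The `{% if %}` on `eveLog.tls.enable` whose `{% else %} #- tls {% endif %}` appears here opens before the hunk.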
@@ -397,8 +411,8 @@ outputs:
enabled: no
#certs-log-dir: certs # directory to store the certificates files
- # Packet log... log packets in pcap format. 2 modes of operation: "normal"
- # and "multi".
+ # Packet log... log packets in pcap format. 3 modes of operation: "normal"
+ # "multi" and "sguil".
#
# In normal mode a pcap file "filename" is created in the default-log-dir,
# or as specified by "dir".
@@ -418,24 +432,30 @@ outputs:
# So the size limit when using 8 threads with 1000mb files and 2000 files
# is: 8*1000*2000 ~ 16TiB.
#
+ # In Sguil mode "dir" indicates the base directory. In this base dir the
+ # pcaps are created in the directory structure Sguil expects:
+ #
+ # $sguil-base-dir/YYYY-MM-DD/$filename.
+ #
# By default all packets are logged except:
# - TCP streams beyond stream.reassembly.depth
# - encrypted streams after the key exchange
#
- pcap-log:
- enabled: no
+ enabled: {{ 'no' if helpers.empty('OPNsense.IDS.general.pcapLog.enable') else 'yes' }}
filename: log.pcap
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
- limit: 1000mb
+ limit: {{OPNsense.IDS.general.pcapLog.limit|default('1000')}}mb
# If set to a value, ring buffer mode is enabled. Will keep maximum of
# "max-files" of size "limit"
- max-files: 2000
+ max-files: {{OPNsense.IDS.general.pcapLog.maxFiles|default('2000')}}
# Compression algorithm for pcap files. Possible values: none, lz4.
- # Note also that on Windows, enabling compression will *increase* disk I/O.
+ # Enabling compression is incompatible with the sguil mode. Note also
+ # that on Windows, enabling compression will *increase* disk I/O.
compression: none
# Further options for lz4 compression. The compression level can be set
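Review bot: `limit: {{OPNsense.IDS.general.pcapLog.limit|default('1000')}}mb` together with `max-files: {{OPNsense.IDS.general.pcapLog.maxFiles|default('2000')}}` means that ticking `ids.general.pcapLog.enable` with the model defaults permits up to 1000 MB × 2000 files, and the retained upstream comment above notes this is per capture thread, which on a firewall's storage is a self-inflicted disk-exhaustion path that also writes full cleartext traffic to disk. Consider smaller model defaults and a help-text sentence such as `Disk usage is bounded by limit × max files per capture thread; keep it well below the free space on /var.` Also `default()` substitutes only when the variable is undefined, not when it is an empty string, so an empty field would render as `limit: mb`; `|default('1000', true)` treats empty values as missing. The `- pcap-log:` entry continues past this hunk.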
@@ -444,10 +464,10 @@ outputs:
#lz4-checksum: no
#lz4-level: 0
- mode: normal # normal or multi
+ mode: normal # normal, multi or sguil.
# Directory to place pcap files. If not provided the default log
- # directory will be used.
+ # directory will be used. Required for "sguil" mode.
#dir: /nsm_data/
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
@@ -467,7 +487,7 @@ outputs:
# Stats.log contains data from various counters of the Suricata engine.
- stats:
- enabled: yes
+ enabled: no
filename: stats.log
append: yes # append to file (yes) or overwrite it (no)
totals: yes # stats for all threads merged together
@@ -476,14 +496,13 @@ outputs:
# a line based alerts log similar to fast.log into syslog
- syslog:
- enabled: {% if helpers.empty('OPNsense.IDS.general.syslog') %}no{% else %}yes{% endif %}
-
+ enabled: {{ 'no' if helpers.empty('OPNsense.IDS.general.syslog') else 'yes' }}
# reported identity to syslog. If omitted the program name (usually
# suricata) will be used.
#identity: "suricata"
facility: local5
- level: Notice ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
# Output module for storing files on disk. Files are stored in
# directory names consisting of the first 2 characters of the
@@ -624,10 +643,10 @@ logging:
- console:
enabled: no
# type: json
- #- file:
- #enabled: yes
- #level: info
- #filename: suricata.log
+ - file:
+ enabled: no
+ level: info
+ filename: suricata.log
# format: "[%i - %m] %z %d: %S: %M"
# type: json
- syslog:
@@ -636,6 +655,7 @@ logging:
format: "[%i] <%d> -- "
# type: json
+
##
## Step 3: Configure common capture settings
##
@@ -645,7 +665,7 @@ logging:
# Linux high speed capture support
af-packet:
- - interface: eth0
+ - interface: default
# Number of receive threads. "auto" uses the number of cores
#threads: auto
# Default clusterid. AF_PACKET will load balance packets based on flow.
@@ -706,7 +726,11 @@ af-packet:
# Warning: 'capture.checksum-validation' must be set to yes to have any validation
#checksum-checks: kernel
# BPF filter to apply to this interface. The pcap filter syntax applies here.
+{% if not helpers.empty('OPNsense.IDS.general.bpfFilter') %}
+ bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}
+{% else %}
#bpf-filter: port 80 or udp
+{% endif %}
# You can use the following variables to activate AF_PACKET tap or IPS mode.
# If copy-mode is set to ips or tap, the traffic coming to the current
# interface will be copied to the copy-iface interface. If 'tap' is set, the
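Review bot: `bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}` emits a free-text field as an unquoted YAML scalar, so a filter containing a `#` after a space, a leading `!` or `[`, a `: ` sequence, or a line break either stops Suricata from parsing its configuration (and an engine that fails to start typically leaves an IPS deployment passing traffic unchecked) or alters the document structure; the upstream example right below keeps the value quoted. If the template engine provides Jinja2's `tojson` filter, rendering `bpf-filter: {{ OPNsense.IDS.general.bpfFilter|tojson }}` yields a double-quoted string with quotes and newlines escaped, which YAML accepts, and the same applies to the identical line in the `pcap:` section (hunk `@@ -843,7 +867,11 @@`). Validation on the model field would complement this but does not replace escaping at the point of emission.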
@@ -719,7 +743,7 @@ af-packet:
# Put default values here. These will be used for an interface that is not
# in the list above.
- - interface: default
+ #- interface: default
#threads: auto
#use-mmap: no
#tpacket-v3: yes
@@ -786,7 +810,7 @@ dpdk:
# - auto takes all cores
# in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match
threads: auto
- # interrupt-mode: false # true to switch to interrupt mode
+ # interrupt-mode: false # true to switch to interrupt mode
promisc: true # promiscuous mode - capture all packets
multicast: true # enables also detection on multicast packets
checksum-checks: true # if Suricata should validate checksums
@@ -843,7 +867,11 @@ pcap:
# as total memory used by the ring. So set this to something bigger
# than 1% of your bandwidth.
#buffer-size: 16777216
+{% if not helpers.empty('OPNsense.IDS.general.bpfFilter') %}
+ bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}
+{% else %}
#bpf-filter: "tcp and port 25"
+{% endif %}
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may have an invalid checksum due to
# the checksum computation being offloaded to the network card.
@@ -860,10 +888,13 @@ pcap:
# listening on the same interface.
#threads: 16
# set to no to disable promiscuous mode:
- promisc: {% if not helpers.empty('OPNsense.IDS.general.promisc') %}yes{% else %}no{% endif %} # promiscuous mode
+ promisc: {{ 'no' if helpers.empty('OPNsense.IDS.general.promisc') else 'yes' }} # promiscuous mode
# set snaplen, if not set it defaults to MTU if MTU can be known
# via ioctl call and to full capture if not.
#snaplen: 1518
+ # Put default values here
+ #- interface: default
+ #checksum-checks: auto
# Settings for reading pcap files
pcap-file:
@@ -895,7 +926,7 @@ pcap-file:
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
- error-policy: ignore
+ # error-policy: ignore
protocols:
telnet:
enabled: yes
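Review bot: With `error-policy: ignore` commented out, app-layer error handling now falls back to the global `exception-policy`, which the later `legacy:` hunk switches from `ignore` to `auto`. Per Suricata's exception-policy documentation, `auto` resolves to `ignore` in IDS mode but to a drop action in IPS mode, so IPS deployments rendered from this template will, as far as I can tell, start dropping flows on app-layer parse errors and memcap events where they previously passed the traffic. That may be the intended hardening, but it is a visible behaviour change for existing users and deserves a comment next to the `exception-policy: auto` line, e.g. `# 'auto' drops flows on engine exceptions in IPS mode; app-layer/flow/stream memcap-policy inherit this`, or an explicit per-setting value. The commented `memcap-policy` lines added in the flow and stream hunks are affected by the same fallback.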
@@ -923,9 +954,10 @@ app-layer:
detection-ports:
dp: 443
- # Generate JA3 fingerprint from client hello. If not specified it
+ # Generate JA3/JA4 fingerprints from client hello. If not specified it
# will be disabled by default, but enabled if rules require it.
ja3-fingerprints: yes
+ ja4-fingerprints: yes
# What to do when the encrypted communications start:
# - default: keep tracking TLS session, check for protocol anomalies,
@@ -942,7 +974,7 @@ app-layer:
#encryption-handling: default
pgsql:
- enabled: no
+ enabled: yes
# Stream reassembly size for PostgreSQL. By default, track it completely.
stream-depth: 0
# Maximum number of live PostgreSQL transactions per flow
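Review bot: Switching `pgsql` from `enabled: no` to `enabled: yes` (and likewise imap, dnp3, enip and sip in the later app-layer hunks) deviates from the upstream defaults without a comment saying why, and each additional parser is additional code path exposed to untrusted packets plus extra per-flow memory. DNP3 and ENIP are SCADA protocols that most OPNsense deployments will never see; their `detection-ports` entries limit detection to specific ports, but the parsers are still compiled in and active. If the intent is maximum coverage, say so once above `protocols:` with something like `# parsers enabled beyond upstream defaults for broader rule coverage; disable unused ones on memory-constrained systems`, so the next maintainer does not quietly revert them.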
@@ -1005,7 +1037,7 @@ app-layer:
content-inspect-min-size: 32768
content-inspect-window: 4096
imap:
- enabled: detection-only
+ enabled: yes
smb:
enabled: yes
detection-ports:
@@ -1030,7 +1062,6 @@ app-layer:
enabled: yes
detection-ports:
dp: 53
-
http:
enabled: yes
@@ -1122,6 +1153,8 @@ app-layer:
#decompression-time-limit: 100000
# Maximum number of live transactions per flow
#max-tx: 512
+ # Maximum used number of HTTP1 headers in one request or response
+ #headers-limit: 1024
server-config:
@@ -1171,13 +1204,13 @@ app-layer:
# DNP3
dnp3:
- enabled: no
+ enabled: yes
detection-ports:
dp: 20000
# SCADA EtherNet/IP and CIP protocol support
enip:
- enabled: no
+ enabled: yes
detection-ports:
dp: 44818
sp: 44818
@@ -1192,7 +1225,7 @@ app-layer:
enabled: yes
sip:
- #enabled: yes
+ enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
@@ -1234,19 +1267,19 @@ datasets:
security:
# if true, prevents process creation from Suricata by calling
# setrlimit(RLIMIT_NPROC, 0)
- #limit-noproc: true
+ limit-noproc: true
# Use landlock security module under Linux
- #landlock:
- #enabled: no
- #directories:
+ landlock:
+ enabled: no
+ directories:
#write:
- # - @e_rundir@
+ # - /var/run/
# /usr and /etc folders are added to read list to allow
# file magic to be used.
- #read:
- # - /usr/
- # - /etc/
- # - @e_sysconfdir@
+ read:
+ - /usr/
+ - /etc/
+ - /usr/local/etc/suricata/
lua:
# Allow Lua rules. Disabled by default.
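Review bot: The `landlock:` block becomes live configuration, but Landlock is a Linux security module and this template targets FreeBSD, so the `directories:` list including `/usr/local/etc/suricata/` is inert here and `enabled: no` keeps it off regardless; leaving the block commented as upstream does would avoid implying the process is sandboxed. `limit-noproc: true` is a sensible hardening (no process creation after start-up), but it is now applied unconditionally, so it is worth confirming that `setrlimit(RLIMIT_NPROC, 0)` behaves as intended on FreeBSD under the daemonised service and that Suricata only warns rather than aborts if the call fails.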
@@ -1290,9 +1323,8 @@ coredump:
# This feature is currently only used by the reject* keywords.
host-mode: auto
-
-# Number of packets preallocated per thread. The default is 1024. A higher number
-# will make sure each CPU will be more easily kept busy, but may negatively
+# Number of packets preallocated per thread. The default is 1024. A higher number
+# will make sure each CPU will be more easily kept busy, but may negatively
# impact caching.
#max-pending-packets: 1024
@@ -1312,16 +1344,16 @@ runmode: workers
#
#autofp-scheduler: hash
-
# Preallocated size for each packet. Default is 1514 which is the classical
# size for pcap on Ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
{% if helpers.exists('OPNsense.IDS.general.defaultPacketSize') %}
default-packet-size: {{OPNsense.IDS.general.defaultPacketSize|default('1514')}}
+{% else %}
+#default-packet-size: 1514
{% endif %}
-
-# Unix command socket can be used to pass commands to Suricata.
+# Unix command socket that can be used to pass commands to Suricata.
# An external tool can then connect to get information from Suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
@@ -1331,11 +1363,9 @@ unix-command:
enabled: no
#filename: custom.socket
-
# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
-magic-file: /usr/share/misc/magic
-
+#magic-file:
# GeoIP2 database file. Specify path and filename of GeoIP2 database
# if using rules with "geoip" rule option.
@@ -1370,7 +1400,7 @@ legacy:
# extra option: auto - which means drop-flow or drop-packet (as explained above)
# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet,
# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
-exception-policy: ignore
+exception-policy: auto
# IP Reputation
#reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
@@ -1468,6 +1498,7 @@ defrag:
flow:
memcap: 128mb
+ #memcap-policy: ignore
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
@@ -1485,7 +1516,7 @@ vlan:
# hashing. This is enabled by default and should be disabled if
# multiple live devices are used to capture traffic from the same network
livedev:
- use-for-tracking: false
+ use-for-tracking: true
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
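Review bot: Changing `use-for-tracking` from `false` to `true` makes the live device part of the flow key, and the netmap hunk later in this diff configures IPS pairs where one direction of a flow arrives on `X` and the other on `X^`. If Suricata treats those as separate live devices, the two directions would be tracked as separate flows, which would undermine TCP state tracking and stream reassembly in IPS mode; the previous explicit `false` looks like it was deliberate for exactly this reason. This is inferred from the pairing in the netmap section rather than verified against the capture code, so please confirm with an inline setup before keeping `true`, or restore `use-for-tracking: false` with a comment explaining the pair layout.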
@@ -1615,10 +1646,14 @@ stream:
memcap: 64mb
#memcap-policy: ignore
checksum-validation: yes # reject incorrect csums
- inline: {% if OPNsense.IDS.general.ips|default("0") == "1" %}true{% else %}auto{% endif %}
-
- midstream-policy: ignore
+ #midstream: false
+ #midstream-policy: ignore
+ inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
+ # experimental TCP urgent handling logic
+ #urgent:
+ # policy: inline # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap
+ # oob-limit-policy: drop
memcap: 256mb
#memcap-policy: ignore
depth: 1mb # reassemble 1mb into a stream
@@ -1649,6 +1684,7 @@ host:
# memcap: 32mb
# Decoder settings
+
decoder:
# Teredo decoder is known to not be completely accurate
# as it will sometimes detect non-teredo as teredo.
@@ -1697,15 +1733,17 @@ decoder:
# If the argument specified is 0, the engine uses an internally defined
# default limit. When a value is not specified, there are no limits on the recursion.
detect:
- profile: {% if helpers.exists('OPNsense.IDS.general.detect') %} {{ OPNsense.IDS.general.detect.Profile|default("medium")}} {% else %}medium{% endif %}
-
+ profile: {{ OPNsense.IDS.general.detect.Profile|default("medium") }}
custom-values:
- toclient-groups: {% if helpers.exists('OPNsense.IDS.general.detect') %} {{ OPNsense.IDS.general.detect.toclient_groups|default("3")}} {% else %}3{% endif %}
-
- toserver-groups: {% if helpers.exists('OPNsense.IDS.general.detect') %} {{ OPNsense.IDS.general.detect.toserver_groups|default("25")}} {% else %}25{% endif %}
-
+ toclient-groups: {{ OPNsense.IDS.general.detect.toclient_groups|default("3") }}
+ toserver-groups: {{ OPNsense.IDS.general.detect.toserver_groups|default("25") }}
sgh-mpm-context: auto
inspection-recursion-limit: 3000
+ # try to tie an app-layer transaction for rules without app-layer keywords
+ # if there is only one live transaction for the flow
+ # allows to log app-layer metadata in alert
+ # but the transaction may not be the relevant one.
+ # guess-applayer-tx: no
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
#delayed-detect: yes
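Review bot: Dropping the `helpers.exists('OPNsense.IDS.general.detect')` guard means `{{ OPNsense.IDS.general.detect.Profile|default("medium") }}` now performs attribute access on `detect` before the filter runs; with a standard Jinja2 `Undefined`, attribute access on a missing node raises rather than yielding something `default` can replace, so a configuration lacking the `detect` node would fail to render instead of falling back to `medium`. The same applies to `toclient-groups`, `toserver-groups` and to `mpm-algo` in the following hunk. This is only a problem if the template environment is not configured with a chainable undefined type and if the model migration can leave `detect` absent; if both are guaranteed the simplification is fine, otherwise keep the guard or document the assumption with `# assumes the detect node is always materialised by the model`.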
@@ -1754,7 +1792,7 @@ detect:
# ruleset is small enough to fit in memory, in which case one can
# use "full" with "ac". The rest of the mpms can be run in "full" mode.
-mpm-algo: {% if helpers.exists('OPNsense.IDS.general') %} {{ OPNsense.IDS.general.MPMAlgo|default("ac")}} {% else %}ac{% endif %}
+mpm-algo: {{ OPNsense.IDS.general.MPMAlgo|default("auto") }}
# Select the matching algorithm you want to use for single-pattern searches.
#
@@ -1844,6 +1882,10 @@ profiling:
enabled: yes
filename: rule_perf.log
append: yes
+ # Set active to yes to enable rules profiling at start
+ # if set to no (default), the rules profiling will have to be started
+ # via unix socket commands.
+ #active:no
# Sort options: ticks, avgticks, checks, matches, maxticks
# If commented out all the sort options will be used.
@@ -1853,7 +1895,7 @@ profiling:
limit: 10
# output to json
- #json: @e_enable_evelog@
+ json: yes
# per keyword profiling
keywords:
@@ -1979,7 +2021,7 @@ netmap:
# Number of capture threads. "auto" uses number of RSS queues on interface.
# Warning: unless the RSS hashing is symmetrical, this will lead to
# accuracy issues.
- threads: auto
+ #threads: auto
# You can use the following variables to activate netmap tap or IPS mode.
# If copy-mode is set to ips or tap, the traffic coming to the current
# interface will be copied to the copy-iface interface. If 'tap' is set, the
@@ -1991,10 +2033,10 @@ netmap:
# for return packets. Hardware checksumming must be *off* on the interface if
# using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
# or 'ethtool -K eth0 tx off rx off' for Linux).
- copy-mode: ips
+ copy-mode: {{ 'tap' if helpers.empty('OPNsense.IDS.general.ips') else 'ips' }}
#copy-iface: eth3
# Set to yes to disable promiscuous mode
- disable-promisc: {% if helpers.empty('OPNsense.IDS.general.promisc') %}yes{% else %}no{% endif %} # promiscuous mode
+ disable-promisc: {{ 'yes' if helpers.empty('OPNsense.IDS.general.promisc') else 'no' }} # promiscuous mode
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may have an invalid checksum due to
# the checksum computation being offloaded to the network card.
@@ -2004,22 +2046,96 @@ netmap:
# - auto: Suricata uses a statistical approach to detect when
# checksum off-loading is used.
# Warning: 'checksum-validation' must be set to yes to have any validation
- checksum-checks: auto
+ #checksum-checks: auto
# BPF filter to apply to this interface. The pcap filter syntax apply here.
+{% if not helpers.empty('OPNsense.IDS.general.bpfFilter') %}
+ bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}
+{% else %}
#bpf-filter: port 80 or udp
-
+{% endif %}
+ #- interface: eth3
+ #threads: auto
+ #copy-mode: tap
+ #copy-iface: eth2
+ # Put default values here
+ #- interface: default
{% if helpers.exists('OPNsense.IDS.general.interfaces') %}
{% for intfName in OPNsense.IDS.general.interfaces.split(',') %}
- interface: {{helpers.physical_interface(intfName)}}
+{% if not helpers.empty('OPNsense.IDS.general.bpfFilter') %}
+ bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}
+{% endif %}
+ copy-mode: {{ 'tap' if helpers.empty('OPNsense.IDS.general.ips') else 'ips' }}
copy-iface: {{helpers.physical_interface(intfName)}}^
+ disable-promisc: {{ 'yes' if helpers.empty('OPNsense.IDS.general.promisc') else 'no' }} # promiscuous mode
- interface: {{helpers.physical_interface(intfName)}}^
+{% if not helpers.empty('OPNsense.IDS.general.bpfFilter') %}
+ bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}
+{% endif %}
+ copy-mode: {{ 'tap' if helpers.empty('OPNsense.IDS.general.ips') else 'ips' }}
copy-iface: {{helpers.physical_interface(intfName)}}
+ disable-promisc: {{ 'yes' if helpers.empty('OPNsense.IDS.general.promisc') else 'no' }} # promiscuous mode
{% endfor %}
{% endif %}
+# PF_RING configuration: for use with native PF_RING support
+# for more info see http://www.ntop.org/products/pf_ring/
+pfring:
+ - interface: default
+ # Number of receive threads. If set to 'auto' Suricata will first try
+ # to use CPU (core) count and otherwise RSS queue count.
+ threads: auto
+
+ # Default clusterid. PF_RING will load balance packets based on flow.
+ # All threads/processes that will participate need to have the same
+ # clusterid.
+ cluster-id: 99
+
+ # Default PF_RING cluster type. PF_RING can load balance per flow.
+ # Possible values are:
+ # - cluster_flow: 6-tuple:
+ # - cluster_inner_flow: 6-tuple:
+ # - cluster_inner_flow_2_tuple: 2-tuple:
+ # - cluster_inner_flow_4_tuple: 4-tuple:
+ # - cluster_inner_flow_5_tuple: 5-tuple:
+ # - cluster_round_robin (NOT RECOMMENDED)
+ cluster-type: cluster_flow
+
+ # bpf filter for this interface
+{% if not helpers.empty('OPNsense.IDS.general.bpfFilter') %}
+ bpf-filter: {{ OPNsense.IDS.general.bpfFilter }}
+{% else %}
+ #bpf-filter: port 80 or udp
+{% endif %}
+
+ # If bypass is set then the PF_RING hw bypass is activated, when supported
+ # by the network interface. Suricata will instruct the interface to bypass
+ # all future packets for a flow that need to be bypassed.
+ #bypass: yes
+
+ # Choose checksum verification mode for the interface. At the moment
+ # of the capture, some packets may have an invalid checksum due to
+ # the checksum computation being offloaded to the network card.
+ # Possible values are:
+ # - rxonly: only compute checksum for packets received by network card.
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: Suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have any validation
+ #checksum-checks: auto
+ # Second interface
+ #- interface: eth1
+ # threads: 3
+ # cluster-id: 93
+ # cluster-type: cluster_flow
+ # Put default values here
+ #- interface: default
+ #threads: 2
+
# For FreeBSD ipfw(8) divert(4) support.
# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
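Review bot: The per-interface entries now apply the user's `bpf-filter` to both sides of each netmap `X`/`X^` pair while `copy-mode` is `ips`; in inline capture a packet that the BPF program rejects is never handed to the engine, and if the netmap source does not forward such packets independently of the filter result they will be silently dropped rather than passed, so a filter meant to reduce inspection load could cut traffic. I have not verified the netmap source behaviour, so please confirm it before exposing the filter on inline pairs, and if it does drop, either skip `bpf-filter` when `OPNsense.IDS.general.ips` is set or warn in the GUI help text. Separately, the new `pfring:` section is PF_RING-specific (Linux/ntop) and is unreachable on FreeBSD; it is harmless, but a one-line comment such as `# pfring is not available on FreeBSD; kept in sync with upstream only` would stop readers from assuming it is used.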
@@ -2163,9 +2279,6 @@ reference-config-file: /usr/local/etc/suricata/reference.config
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
-
-# include installed rules list (generated by OPNsense install rules script)
-# include custom file (may be persistently modified)
include:
- installed_rules.yaml
- custom.yaml