Extend Suricata support #8372

Open
wants to merge 1 commit into base: master

Expand Up @@ -27,38 +27,35 @@
<type>select_multiple</type>
<help>Select interface(s) to use. When enabling IPS, make sure the (virtual) driver supports this feature.</help>
</field>
<field>
<type>header</type>
<label>Detection</label>
</field>
<field>
<id>ids.general.MPMAlgo</id>
<label>Pattern matcher</label>
<type>dropdown</type>
<help>Select the multi-pattern matcher algorithm to use.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.detect.Profile</id>
<label>Detect Profile</label>
<type>dropdown</type>
<advanced>true</advanced>
<help>The detection engine builds internal groups of signatures. The engine allow us to specify the profile to use for them, to manage memory on an efficient way keeping a good performance.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.detect.toclient_groups</id>
<label>ToClient</label>
<style>detect_custom</style>
<type>text</type>
<advanced>true</advanced>
<help>If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.detect.toserver_groups</id>
<label>ToServer</label>
<style>detect_custom</style>
<type>text</type>
<advanced>true</advanced>
<help>If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.homenet</id>
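Review bot: the help text for `ids.general.detect.Profile` is ungrammatical ("The engine allow us to specify the profile to use for them, to manage memory on an efficient way keeping a good performance"), and since this hunk already touches the field's `<advanced>` placement it is the moment to reword it, e.g. `<help>The detection engine builds internal groups of signatures. This profile controls how those groups are built, trading memory use against detection performance.</help>`. The `ToClient` and `ToServer` fields carry the same help string verbatim and both open with the fragment "If Custom is specified."; join it to the sentence that follows ("If Custom is selected, the detection engine tries to split ...") and say in each help text that the value is the number of signature groups for that traffic direction, because the labels alone do not. Also confirm that only one `<advanced>true</advanced>` survives per field after the move: the rendered diff shows one on each side of `<help>` for `detect.Profile`, `toclient_groups` and `toserver_groups`.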
Expand All @@ -73,8 +70,8 @@
<id>ids.general.defaultPacketSize</id>
<label>default packet size</label>
<type>text</type>
<advanced>true</advanced>
<help>With this option, you can set the size of the packets on your network. It is possible that bigger packets have to be processed sometimes. The engine can still process these bigger packets, but processing it will lower the performance.</help>
<advanced>true</advanced>
</field>
<field>
<type>header</type>
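Review bot: the `default packet size` help gives no unit; Suricata's `default-packet-size` is a byte count, so say so ("set the size, in bytes, of the packets on your network"), and fix "processing it will lower the performance" to "processing them will lower performance" while the field is being edited. The `<advanced>` relocation itself is fine.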
Expand All @@ -85,6 +82,7 @@
<label>Enable syslog alerts</label>
<type>checkbox</type>
<help>Send alerts to system log in fast log format. This will not change the alert logging used by the product itself.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.syslog_eve</id>
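Review bot: adding `<advanced>true</advanced>` to `Enable syslog alerts` hides an existing, user-visible alert output behind the advanced toggle; operators who rely on fast-log forwarding to syslog will no longer see the checkbox by default. If that is intended, call it out in the PR description so it is not mistaken for a removed feature.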
Expand All @@ -95,6 +93,7 @@
This will not change the alert logging used by the product itself.
Drop logs will only be send to the internal logger, due to restrictions in suricata.
</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.verbosity</id>
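Review bot: the help text in this hunk has a typo, "Drop logs will only be send to the internal logger" should read "sent"; since the field is touched here anyway, fix it in the same commit. Marking the EVE syslog output as advanced also hides an existing user-facing setting, which deserves a line in the PR description.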
Expand All @@ -104,71 +103,106 @@
<advanced>true</advanced>
</field>
<field>
<id>ids.general.AlertLogrotate</id>
<label>Rotate log</label>
<type>dropdown</type>
<help>Rotate alert logs at provided interval.</help>
<id>ids.general.eveLog.types</id>
<label>EVE log types</label>
<type>select_multiple</type>
<help>The type of events to include in the EVE log.</help>
</field>
<field>
<id>ids.general.AlertSaveLogs</id>
<label>Save logs</label>
<type>text</type>
<help>Number of logs to keep.</help>
<id>ids.general.eveLog.extend</id>
<label>EVE log extended types</label>
<type>select_multiple</type>
<help>The type of events which, if enabled in the EVE log, will contain extended information.</help>
</field>
<field>
<id>ids.general.LogPayload</id>
<label>Log package payload</label>
<type>checkbox</type>
<help>Send package payload to the log for further analyses.</help>
<id>ids.general.eveLog.rotate.count</id>
<label>EVE log retention count</label>
<type>text</type>
<help>The number of EVE logs to retain.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.http.enable</id>
<label>Enable eve HTTP logging</label>
<type>checkbox</type>
<help>Send HTTP metadata to eve-log for further analyses.</help>
<id>ids.general.eveLog.rotate.size</id>
<label>EVE log rotation size</label>
<type>text</type>
<help>Rotate EVE log past defined size in kilobytes.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.http.extended</id>
<label>Eve HTTP extended logging</label>
<type>checkbox</type>
<help>Add extended information to eve HTTP logging.</help>
<id>ids.general.eveLog.rotate.frequency</id>
<label>EVE log rotation frequency</label>
<type>dropdown</type>
<help>Rotate EVE log at defined interval.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.http.dumpAllHeaders</id>
<label>Eve HTTP dump all headers</label>
<label>Enable EVE's HTTP header logging</label>
<type>dropdown</type>
<help>Make eve HTTP logging dump all HTTP headers. You may choose to dump headers for requests or responses or both.</help>
<help>Dump all, request, or response headers from HTTP events in EVE log.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.tls.enable</id>
<label>Enable eve TLS logging</label>
<id>ids.general.eveLog.tls.sessionResumption</id>
<label>Enable EVE's TLS session resumption logging</label>
<type>checkbox</type>
<help>Send TLS metadata to eve-log for further analyses.</help>
<help>Log TLS events with session resumptions to EVE log (i.e., transactions with a session identifier).</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.tls.extended</id>
<label>Eve TLS extended logging</label>
<id>ids.general.eveLog.tls.custom</id>
<label>Customize EVE's TLS logging</label>
<type>select_multiple</type>
<help>Extend TLS events in EVE log with custom fields, overriding the default extended TLS logging.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.files.forceHash</id>
<label>Force EVE's file hash logging</label>
<type>select_multiple</type>
<help>Forcefully extend file events in EVE log with the file's hash(es).</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.smtp.custom</id>
<label>Customize EVE's SMTP logging</label>
<type>select_multiple</type>
<help>Extend SMTP events in EVE log with custom fields, overriding the default extended SMTP logging.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.metadata.enable</id>
<label>Enable EVE's metadata logging</label>
<type>checkbox</type>
<help>Add extended information to eve TLS logging. For example, SNI field.</help>
<help>Log verbose metadata event to EVE log (i.e., triggers whenever a pktvar is saved).</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.tls.sessionResumption</id>
<label>Eve TLS log session resumption</label>
<id>ids.general.pcapLog.enable</id>
<label>Enable pcap logging</label>
<type>checkbox</type>
<help>Output TLS transaction where the session is resumed using a session id</help>
<help>Enable the logging of packets in pcap format.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.eveLog.tls.custom</id>
<label>Eve TLS custom logging</label>
<type>select_multiple</type>
<help>Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).</help>
<id>ids.general.pcapLog.limit</id>
<label>Pcap file size limit</label>
<type>text</type>
<help>Limit the pcap file to a size in megabytes.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.pcapLog.maxFiles</id>
<label>Pcap file count limit</label>
<type>text</type>
<help>Limit the amount of pcap files to retain.</help>
<advanced>true</advanced>
</field>
<field>
<id>ids.general.bpfFilter</id>
<label>BPF Filter</label>
<type>text</type>
<help>BPF filter to apply on the interfaces (the pcap filter syntax applies here). A BPF filter should be used when logs are exported (especially pcap files) to avoid self-caused noise and amplifications.</help>
<advanced>true</advanced>
</field>
</form>
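Review bot: the `ids.general.AlertLogrotate`, `ids.general.AlertSaveLogs`, `ids.general.LogPayload`, `ids.general.eveLog.http.enable`, `ids.general.eveLog.http.extended`, `ids.general.eveLog.tls.enable` and `ids.general.eveLog.tls.extended` fields disappear from the form and new IDs (`ids.general.eveLog.types`, `ids.general.eveLog.extend`, `ids.general.eveLog.rotate.*`, `ids.general.pcapLog.*`) take their place; a form-only change leaves values stored under the old IDs orphaned, so the model change and a migration that maps them (for example `AlertSaveLogs` to `eveLog.rotate.count`, and `eveLog.http.enable` / `eveLog.tls.enable` to the matching entries of `eveLog.types`) need to ship in this commit, otherwise existing installations lose their retention and HTTP/TLS logging settings on upgrade. Two smaller points: `EVE log rotation size` is documented in kilobytes while `Pcap file size limit` is in megabytes, so pick one unit or put the unit in the label; and "Forcefully extend file events in EVE log with the file's hash(es)" reads oddly, while "Always compute and log the selected hash(es) for file events" says what the option does.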