5 Apr
2020
5 Apr
'20
2:48 p.m.
Acked-by: Michael Tremer michael.tremer@ipfire.org
On 5 Apr 2020, at 12:03, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hopefully the EVE log will display some more content when trying to debug suricata events and rules.
Fixes #12315.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 209 ++++++++++++++++++++++++++++++++++ 1 file changed, 209 insertions(+)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 973b2686c..1f33ea0f3 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -92,6 +92,215 @@ outputs: threads: no # per thread stats #null-values: yes # print counters that have value 0
- # Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: nofiletype: regular #regular|syslog|unix_dgram|unix_stream|redisfilename: eve.json#prefix: "@cee: " # prefix to prepend to each log entry# the following are valid when type: syslog above#identity: "suricata"#facility: local5#level: Info ## possible levels: Emergency, Alert, Critical,## Error, Warning, Notice, Info, Debug#redis:# server: 127.0.0.1# port: 6379# async: true ## if redis replies are read asynchronously# mode: list ## possible values: list|lpush (default), rpush, channel|publish# ## lpush and rpush are using a Redis list. "list" is an alias for lpush# ## publish is using a Redis channel. "channel" is an alias for publish# key: suricata ## key or channel to use (default to suricata)# Redis pipelining set up. This will enable to only do a query every# 'batch-size' events. This should lower the latency induced by network# connection at the cost of some memory. There is no flushing implemented# so this setting as to be reserved to high traffic suricata.# pipelining:# enabled: yes ## set enable to yes to enable query pipelining# batch-size: 10 ## number of entry to keep in buffer# Include top level metadata. Default yes.#metadata: no# include the name of the input pcap file in pcap file processing modepcap-file: false# Community Flow ID# Adds a 'community_id' field to EVE records. These are meant to give# a records a predictable flow id that can be used to match records to# output of other tools such as Bro.## Takes a 'seed' that needs to be same across sensors and tools# to make the id less predictable.# enable/disable the community id feature.community-id: false# Seed value for the ID output. Valid values are 0-65535.community-id-seed: 0# HTTP X-Forwarded-For support by adding an extra field or overwriting# the source or destination IP address (depending on flow direction)# with the one reported in the X-Forwarded-For HTTP header. This is# helpful when reviewing alerts for traffic that is being reverse# or forward proxied.xff:enabled: no# Two operation modes are available, "extra-data" and "overwrite".mode: extra-data# Two proxy deployments are supported, "reverse" and "forward". In# a "reverse" deployment the IP address used is the last one, in a# "forward" deployment the first IP address is used.deployment: reverse# Header name where the actual IP address will be reported, if more# than one IP address is present, the last IP address will be the# one taken into consideration.header: X-Forwarded-Fortypes:- alert:# payload: yes # enable dumping payload in Base64# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log# payload-printable: yes # enable dumping payload in printable (lossy) format# packet: yes # enable dumping of packet (without stream segments)# metadata: no # enable inclusion of app layer metadata with alert. Default yes# http-body: yes # Requires metadata; enable dumping of http body in Base64# http-body-printable: yes # Requires metadata; enable dumping of http body in printable format# Enable the logging of tagged packets for rules using the# "tag" keyword.tagged-packets: yes- anomaly:# Anomaly log records describe unexpected conditions such# as truncated packets, packets with invalid IP/UDP/TCP# length values, and other events that render the packet# invalid for further processing or describe unexpected# behavior on an established stream. Networks which# experience high occurrences of anomalies may experience# packet processing degradation.## Anomalies are reported for the following:# 1. Decode: Values and conditions that are detected while# decoding individual packets. This includes invalid or# unexpected values for low-level protocol lengths as well# as stream related events (TCP 3-way handshake issues,# unexpected sequence number, etc).# 2. Stream: This includes stream related events (TCP# 3-way handshake issues, unexpected sequence number,# etc).# 3. Application layer: These denote application layer# specific conditions that are unexpected, invalid or are# unexpected given the application monitoring state.## By default, anomaly logging is disabled. When anomaly# logging is enabled, applayer anomaly reporting is# enabled.enabled: yes## Choose one or more types of anomaly logging and whether to enable# logging of the packet header for packet anomalies.types:# decode: no# stream: no# applayer: yes#packethdr: no- http:extended: yes # enable this for extended logging information# custom allows additional http fields to be included in eve-log# the example below adds three additional fields when uncommented#custom: [Accept-Encoding, Accept-Language, Authorization]# set this value to one and only one among {both, request, response}# to dump all http headers for every http request and/or response# dump-all-headers: none- dns:# This configuration uses the new DNS logging format,# the old configuration is still available:# https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format# As of Suricata 5.0, version 2 of the eve dns output# format is the default.#version: 2# Enable/disable this logger. Default: enabled.#enabled: yes# Control logging of requests and responses:# - requests: enable logging of DNS queries# - responses: enable logging of DNS answers# By default both requests and responses are logged.#requests: no#responses: no# Format of answer logging:# - detailed: array item per answer# - grouped: answers aggregated by type# Default: all#formats: [detailed, grouped]# Types to log, based on the query type.# Default: all.#types: [a, aaaa, cname, mx, ns, ptr, txt]- tls:extended: yes # enable this for extended logging information# output TLS transaction where the session is resumed using a# session id#session-resumption: no# custom allows to control which tls fields that are included# in eve-log#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]- files:force-magic: no # force logging magic on all logged files# force logging of checksums, available hash functions are md5,# sha1 and sha256#force-hash: [md5]#- drop:# alerts: yes # log alerts that caused drops# flows: all # start or all: 'start' logs only a single drop# # per flow direction. All logs each dropped pkt.- smtp:#extended: yes # enable this for extended logging information# this includes: bcc, message-id, subject, x_mailer, user-agent# custom fields logging from the list:# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,# x-originating-ip, in-reply-to, references, importance, priority,# sensitivity, organization, content-md5, date#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]# output md5 of fields: body, subject# for the body you need to set app-layer.protocols.smtp.mime.body-md5# to yes#md5: [body, subject]#- dnp3- ftp#- rdp- nfs- smb- tftp- ikev2- krb5- snmp#- sip- dhcp:enabled: yes# When extended mode is on, all DHCP messages are logged# with full detail. When extended mode is off (the# default), just enough information to map a MAC address# to an IP address is logged.extended: no- ssh- stats:totals: yes # stats for all threads merged togetherthreads: no # per thread statsdeltas: no # include delta values# bi-directional flows- flow# uni-directional flows#- netflow# Metadata event type. Triggered whenever a pktvar is saved# and will include the pktvars, flowvars, flowbits and# flowints.#- metadatalogging: # The default log level, can be overridden in an output section.
# Note that debug level logging will only be emitted if Suricata was
2.26.0