Hopefully the EVE log will display some more content when trying to debug suricata events and rules.
Fixes #12315.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/suricata.yaml | 209 ++++++++++++++++++++++++++++++++++ 1 file changed, 209 insertions(+)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 973b2686c..1f33ea0f3 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -92,6 +92,215 @@ outputs: threads: no # per thread stats #null-values: yes # print counters that have value 0
+ # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: no + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + # include the name of the input pcap file in pcap file processing mode + pcap-file: false + + # Community Flow ID + # Adds a 'community_id' field to EVE records. These are meant to give + # a records a predictable flow id that can be used to match records to + # output of other tools such as Bro. + # + # Takes a 'seed' that needs to be same across sensors and tools + # to make the id less predictable. + + # enable/disable the community id feature. + community-id: false + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of http body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is disabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + # set this value to one and only one among {both, request, response} + # to dump all http headers for every http request and/or response + # dump-all-headers: none + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dn... + + # As of Suricata 5.0, version 2 of the eve dns output + # format is the default. + #version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: yes + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Types to log, based on the query type. + # Default: all. + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + #- dnp3 + - ftp + #- rdp + - nfs + - smb + - tftp + - ikev2 + - krb5 + - snmp + #- sip + - dhcp: + enabled: yes + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + extended: no + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata + logging: # The default log level, can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was
Acked-by: Michael Tremer michael.tremer@ipfire.org
On 5 Apr 2020, at 12:03, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hopefully the EVE log will display some more content when trying to debug suricata events and rules.
Fixes #12315.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/suricata/suricata.yaml | 209 ++++++++++++++++++++++++++++++++++ 1 file changed, 209 insertions(+)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 973b2686c..1f33ea0f3 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -92,6 +92,215 @@ outputs: threads: no # per thread stats #null-values: yes # print counters that have value 0
- # Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: nofiletype: regular #regular|syslog|unix_dgram|unix_stream|redisfilename: eve.json#prefix: "@cee: " # prefix to prepend to each log entry# the following are valid when type: syslog above#identity: "suricata"#facility: local5#level: Info ## possible levels: Emergency, Alert, Critical,## Error, Warning, Notice, Info, Debug#redis:# server: 127.0.0.1# port: 6379# async: true ## if redis replies are read asynchronously# mode: list ## possible values: list|lpush (default), rpush, channel|publish# ## lpush and rpush are using a Redis list. "list" is an alias for lpush# ## publish is using a Redis channel. "channel" is an alias for publish# key: suricata ## key or channel to use (default to suricata)# Redis pipelining set up. This will enable to only do a query every# 'batch-size' events. This should lower the latency induced by network# connection at the cost of some memory. There is no flushing implemented# so this setting as to be reserved to high traffic suricata.# pipelining:# enabled: yes ## set enable to yes to enable query pipelining# batch-size: 10 ## number of entry to keep in buffer# Include top level metadata. Default yes.#metadata: no# include the name of the input pcap file in pcap file processing modepcap-file: false# Community Flow ID# Adds a 'community_id' field to EVE records. These are meant to give# a records a predictable flow id that can be used to match records to# output of other tools such as Bro.## Takes a 'seed' that needs to be same across sensors and tools# to make the id less predictable.# enable/disable the community id feature.community-id: false# Seed value for the ID output. Valid values are 0-65535.community-id-seed: 0# HTTP X-Forwarded-For support by adding an extra field or overwriting# the source or destination IP address (depending on flow direction)# with the one reported in the X-Forwarded-For HTTP header. This is# helpful when reviewing alerts for traffic that is being reverse# or forward proxied.xff:enabled: no# Two operation modes are available, "extra-data" and "overwrite".mode: extra-data# Two proxy deployments are supported, "reverse" and "forward". In# a "reverse" deployment the IP address used is the last one, in a# "forward" deployment the first IP address is used.deployment: reverse# Header name where the actual IP address will be reported, if more# than one IP address is present, the last IP address will be the# one taken into consideration.header: X-Forwarded-Fortypes:- alert:# payload: yes # enable dumping payload in Base64# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log# payload-printable: yes # enable dumping payload in printable (lossy) format# packet: yes # enable dumping of packet (without stream segments)# metadata: no # enable inclusion of app layer metadata with alert. Default yes# http-body: yes # Requires metadata; enable dumping of http body in Base64# http-body-printable: yes # Requires metadata; enable dumping of http body in printable format# Enable the logging of tagged packets for rules using the# "tag" keyword.tagged-packets: yes- anomaly:# Anomaly log records describe unexpected conditions such# as truncated packets, packets with invalid IP/UDP/TCP# length values, and other events that render the packet# invalid for further processing or describe unexpected# behavior on an established stream. Networks which# experience high occurrences of anomalies may experience# packet processing degradation.## Anomalies are reported for the following:# 1. Decode: Values and conditions that are detected while# decoding individual packets. This includes invalid or# unexpected values for low-level protocol lengths as well# as stream related events (TCP 3-way handshake issues,# unexpected sequence number, etc).# 2. Stream: This includes stream related events (TCP# 3-way handshake issues, unexpected sequence number,# etc).# 3. Application layer: These denote application layer# specific conditions that are unexpected, invalid or are# unexpected given the application monitoring state.## By default, anomaly logging is disabled. When anomaly# logging is enabled, applayer anomaly reporting is# enabled.enabled: yes## Choose one or more types of anomaly logging and whether to enable# logging of the packet header for packet anomalies.types:# decode: no# stream: no# applayer: yes#packethdr: no- http:extended: yes # enable this for extended logging information# custom allows additional http fields to be included in eve-log# the example below adds three additional fields when uncommented#custom: [Accept-Encoding, Accept-Language, Authorization]# set this value to one and only one among {both, request, response}# to dump all http headers for every http request and/or response# dump-all-headers: none- dns:# This configuration uses the new DNS logging format,# the old configuration is still available:# https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format# As of Suricata 5.0, version 2 of the eve dns output# format is the default.#version: 2# Enable/disable this logger. Default: enabled.#enabled: yes# Control logging of requests and responses:# - requests: enable logging of DNS queries# - responses: enable logging of DNS answers# By default both requests and responses are logged.#requests: no#responses: no# Format of answer logging:# - detailed: array item per answer# - grouped: answers aggregated by type# Default: all#formats: [detailed, grouped]# Types to log, based on the query type.# Default: all.#types: [a, aaaa, cname, mx, ns, ptr, txt]- tls:extended: yes # enable this for extended logging information# output TLS transaction where the session is resumed using a# session id#session-resumption: no# custom allows to control which tls fields that are included# in eve-log#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]- files:force-magic: no # force logging magic on all logged files# force logging of checksums, available hash functions are md5,# sha1 and sha256#force-hash: [md5]#- drop:# alerts: yes # log alerts that caused drops# flows: all # start or all: 'start' logs only a single drop# # per flow direction. All logs each dropped pkt.- smtp:#extended: yes # enable this for extended logging information# this includes: bcc, message-id, subject, x_mailer, user-agent# custom fields logging from the list:# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,# x-originating-ip, in-reply-to, references, importance, priority,# sensitivity, organization, content-md5, date#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]# output md5 of fields: body, subject# for the body you need to set app-layer.protocols.smtp.mime.body-md5# to yes#md5: [body, subject]#- dnp3- ftp#- rdp- nfs- smb- tftp- ikev2- krb5- snmp#- sip- dhcp:enabled: yes# When extended mode is on, all DHCP messages are logged# with full detail. When extended mode is off (the# default), just enough information to map a MAC address# to an IP address is logged.extended: no- ssh- stats:totals: yes # stats for all threads merged togetherthreads: no # per thread statsdeltas: no # include delta values# bi-directional flows- flow# uni-directional flows#- netflow# Metadata event type. Triggered whenever a pktvar is saved# and will include the pktvars, flowvars, flowbits and# flowints.#- metadatalogging: # The default log level, can be overridden in an output section.
# Note that debug level logging will only be emitted if Suricata was
2.26.0
-
Michael Tremer -
Stefan Schantl