aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata/suricata_generate_yaml.php
diff options
context:
space:
mode:
Diffstat (limited to 'config/suricata/suricata_generate_yaml.php')
-rw-r--r--config/suricata/suricata_generate_yaml.php171
1 files changed, 164 insertions, 7 deletions
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index bd3ce368..91dc06a5 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -85,7 +85,7 @@ $suricata_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
"sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET",
"dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET",
- "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET",
+ "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET",
"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
);
$addr_vars = "";
@@ -102,6 +102,7 @@ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])
else
$ssh_port = "22";
$suricata_ports = array(
+ "ftp_ports" => "21",
"http_ports" => "80",
"oracle_ports" => "1521",
"ssh_ports" => $ssh_port,
@@ -184,6 +185,26 @@ if ($suricatacfg['alertsystemlog'] == 'on')
else
$alert_syslog = "no";
+if (!empty($suricatacfg['alertsystemlog_facility']))
+ $alert_syslog_facility = $suricatacfg['alertsystemlog_facility'];
+else
+ $alert_syslog_facility = "local5";
+
+if (!empty($suricatacfg['alertsystemlog_priority']))
+ $alert_syslog_priority = $suricatacfg['alertsystemlog_priority'];
+else
+ $alert_syslog_priority = "Info";
+
+if ($suricatacfg['enable_dns_log'] == 'on')
+ $dns_log_enabled = "yes";
+else
+ $dns_log_enabled = "no";
+
+if ($suricatacfg['append_dns_log'] == 'on')
+ $dns_log_append = "yes";
+else
+ $dns_log_append = "no";
+
if ($suricatacfg['enable_stats_log'] == 'on')
$stats_log_enabled = "yes";
else
@@ -209,6 +230,11 @@ if ($suricatacfg['append_http_log'] == 'on')
else
$http_log_append = "no";
+if ($suricatacfg['http_log_extended'] == 'on')
+ $http_log_extended = "yes";
+else
+ $http_log_extended = "no";
+
if ($suricatacfg['enable_tls_log'] == 'on')
$tls_log_enabled = "yes";
else
@@ -277,6 +303,66 @@ if (isset($suricatacfg['barnyard_sensor_id']))
else
$unified2_sensor_id = "0";
+// EVE JSON log output settings
+if ($suricatacfg['enable_eve_log'] == 'on')
+ $enable_eve_log = "yes";
+else
+ $enable_eve_log = "no";
+
+if ($suricatacfg['eve_output_type'] == 'syslog')
+ $eve_output_type = "syslog";
+else
+ $eve_output_type = "file";
+
+if (!empty($suricatacfg['eve_systemlog_facility']))
+ $eve_systemlog_facility = $suricatacfg['eve_systemlog_facility'];
+else
+ $eve_systemlog_facility = "local1";
+
+if (!empty($suricatacfg['eve_systemlog_priority']))
+ $eve_systemlog_priority = $suricatacfg['eve_systemlog_priority'];
+else
+ $eve_systemlog_priority = "info";
+
+// EVE log output included information
+$eve_out_types = "";
+if ($suricatacfg['eve_log_alerts'] == 'on')
+ $eve_out_types .= "\n - alert";
+
+if ($suricatacfg['eve_log_http'] == 'on') {
+ $eve_out_types .= "\n - http:";
+ if ($suricatacfg['http_log_extended'] == 'on')
+ $eve_out_types .= "\n extended: yes";
+ else
+ $eve_out_types .= "\n extended: no";
+}
+
+if ($suricatacfg['eve_log_dns'] == 'on')
+ $eve_out_types .= "\n - dns";
+
+if ($suricatacfg['eve_log_tls'] == 'on') {
+ $eve_out_types .= "\n - tls:";
+ if ($suricatacfg['tls_log_extended'] == 'on')
+ $eve_out_types .= "\n extended: yes";
+ else
+ $eve_out_types .= "\n extended: no";
+}
+
+if ($suricatacfg['eve_log_files'] == 'on') {
+ $eve_out_types .= "\n - files:";
+ if ($suricatacfg['enable_tracked_files_magic'] == 'on')
+ $eve_out_types .= "\n force-magic: yes";
+ else
+ $eve_out_types .= "\n force-magic: no";
+ if ($suricatacfg['enable_tracked_files_md5'] == 'on')
+ $eve_out_types .= "\n force-md5: yes";
+ else
+ $eve_out_types .= "\n force-md5: no";
+}
+
+if ($suricatacfg['eve_log_ssh'] == 'on')
+ $eve_out_types .= "\n - ssh";
+
// Add interface-specific IP defrag settings
if (!empty($suricatacfg['frag_memcap']))
$frag_memcap = $suricatacfg['frag_memcap'];
@@ -406,11 +492,6 @@ if (!empty($suricatacfg['stream_memcap']))
else
$stream_memcap = "33554432";
-if (!empty($suricatacfg['stream_max_sessions']))
- $stream_max_sessions = $suricatacfg['stream_max_sessions'];
-else
- $stream_max_sessions = "262144";
-
if (!empty($suricatacfg['stream_prealloc_sessions']))
$stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions'];
else
@@ -492,7 +573,7 @@ if (!is_array($suricatacfg['libhtp_policy']['item']))
$suricatacfg['libhtp_policy']['item'] = array();
if (empty($suricatacfg['libhtp_policy']['item'])) {
$http_hosts_default_policy = "default-config:\n personality: IDS\n request-body-limit: 4096\n response-body-limit: 4096\n";
- $http_hosts_default_policy .= " double-decode-path: no\n double-decode-query: no\n";
+ $http_hosts_default_policy .= " double-decode-path: no\n double-decode-query: no\n uri-include-all: no\n";
}
else {
foreach ($suricatacfg['libhtp_policy']['item'] as $k => $v) {
@@ -519,6 +600,7 @@ else {
$engine .= " response-body-limit: {$v['response-body-limit']}\n";
$engine .= " double-decode-path: {$v['double-decode-path']}\n";
$engine .= " double-decode-query: {$v['double-decode-query']}\n";
+ $engine .= " uri-include-all: {$v['uri-include-all']}\n";
$http_hosts_policy .= " {$engine}\n";
}
else {
@@ -531,6 +613,7 @@ else {
$http_hosts_default_policy .= " response-body-limit: {$v['response-body-limit']}\n";
$http_hosts_default_policy .= " double-decode-path: {$v['double-decode-path']}\n";
$http_hosts_default_policy .= " double-decode-query: {$v['double-decode-query']}\n";
+ $http_hosts_default_policy .= " uri-include-all: {$v['uri-include-all']}\n";
}
}
// Remove trailing newline
@@ -544,6 +627,75 @@ if (!empty($suricatacfg['asn1_max_frames']))
else
$asn1_max_frames = "256";
+// Configure App-Layer Parsers/Detection
+if (!empty($suricatacfg['tls_parser']))
+ $tls_parser = $suricatacfg['tls_parser'];
+else
+ $tls_parser = "yes";
+if (!empty($suricatacfg['dcerpc_parser']))
+ $dcerpc_parser = $suricatacfg['dcerpc_parser'];
+else
+ $dcerpc_parser = "yes";
+if (!empty($suricatacfg['ftp_parser']))
+ $ftp_parser = $suricatacfg['ftp_parser'];
+else
+ $ftp_parser = "yes";
+if (!empty($suricatacfg['ssh_parser']))
+ $ssh_parser = $suricatacfg['ssh_parser'];
+else
+ $ssh_parser = "yes";
+if (!empty($suricatacfg['smtp_parser']))
+ $smtp_parser = $suricatacfg['smtp_parser'];
+else
+ $smtp_parser = "yes";
+if (!empty($suricatacfg['imap_parser']))
+ $imap_parser = $suricatacfg['imap_parser'];
+else
+ $imap_parser = "detection-only";
+if (!empty($suricatacfg['msn_parser']))
+ $msn_parser = $suricatacfg['msn_parser'];
+else
+ $msn_parser = "detection-only";
+if (!empty($suricatacfg['smb_parser']))
+ $smb_parser = $suricatacfg['smb_parser'];
+else
+ $smb_parser = "yes";
+
+/* DNS Parser */
+if (!empty($suricatacfg['dns_parser_tcp']))
+ $dns_parser_tcp = $suricatacfg['dns_parser_tcp'];
+else
+ $dns_parser_tcp = "yes";
+if (!empty($suricatacfg['dns_parser_udp']))
+ $dns_parser_udp = $suricatacfg['dns_parser_udp'];
+else
+ $dns_parser_udp = "yes";
+if (!empty($suricatacfg['dns_global_memcap']))
+ $dns_global_memcap = $suricatacfg['dns_global_memcap'];
+else
+ $dns_global_memcap = "16777216";
+if (!empty($suricatacfg['dns_state_memcap']))
+ $dns_state_memcap = $suricatacfg['dns_state_memcap'];
+else
+ $dns_state_memcap = "524288";
+if (!empty($suricatacfg['dns_request_flood_limit']))
+ $dns_request_flood_limit = $suricatacfg['dns_request_flood_limit'];
+else
+ $dns_request_flood_limit = "500";
+
+/* HTTP Parser */
+if (!empty($suricatacfg['http_parser']))
+ $http_parser = $suricatacfg['http_parser'];
+else
+ $http_parser = "yes";
+if (!empty($suricatacfg['http_parser_memcap']))
+ $http_parser_memcap = $suricatacfg['http_parser_memcap'];
+else
+ $http_parser_memcap = "67108864";
+
+/* Configure the IP REP section */
+$iprep_path = rtrim(IPREP_PATH, '/');
+
// Create the rules files and save in the interface directory
suricata_prepare_rule_files($suricatacfg, $suricatacfgdir);
@@ -563,4 +715,9 @@ if ($config['installedpackages']['suricata']['config'][0]['log_to_systemlog'] ==
else
$suricata_use_syslog = "no";
+if (!empty($config['installedpackages']['suricata']['config'][0]['log_to_systemlog']))
+ $suricata_use_syslog_facility = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog'];
+else
+ $suricata_use_syslog_facility = "local1";
+
?>