|
27 | 27 | <type>select_multiple</type> |
28 | 28 | <help>Select interface(s) to use. When enabling IPS, make sure the (virtual) driver supports this feature.</help> |
29 | 29 | </field> |
30 | | - <field> |
31 | | - <type>header</type> |
32 | | - <label>Detection</label> |
33 | | - </field> |
34 | 30 | <field> |
35 | 31 | <id>ids.general.MPMAlgo</id> |
36 | 32 | <label>Pattern matcher</label> |
37 | 33 | <type>dropdown</type> |
38 | 34 | <help>Select the multi-pattern matcher algorithm to use.</help> |
| 35 | + <advanced>true</advanced> |
39 | 36 | </field> |
40 | 37 | <field> |
41 | 38 | <id>ids.general.detect.Profile</id> |
42 | 39 | <label>Detect Profile</label> |
43 | 40 | <type>dropdown</type> |
44 | | - <advanced>true</advanced> |
45 | 41 | <help>The detection engine builds internal groups of signatures. The engine allow us to specify the profile to use for them, to manage memory on an efficient way keeping a good performance.</help> |
| 42 | + <advanced>true</advanced> |
46 | 43 | </field> |
47 | 44 | <field> |
48 | 45 | <id>ids.general.detect.toclient_groups</id> |
49 | 46 | <label>ToClient</label> |
50 | 47 | <style>detect_custom</style> |
51 | 48 | <type>text</type> |
52 | | - <advanced>true</advanced> |
53 | 49 | <help>If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help> |
| 50 | + <advanced>true</advanced> |
54 | 51 | </field> |
55 | 52 | <field> |
56 | 53 | <id>ids.general.detect.toserver_groups</id> |
57 | 54 | <label>ToServer</label> |
58 | 55 | <style>detect_custom</style> |
59 | 56 | <type>text</type> |
60 | | - <advanced>true</advanced> |
61 | 57 | <help>If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help> |
| 58 | + <advanced>true</advanced> |
62 | 59 | </field> |
63 | 60 | <field> |
64 | 61 | <id>ids.general.homenet</id> |
|
73 | 70 | <id>ids.general.defaultPacketSize</id> |
74 | 71 | <label>default packet size</label> |
75 | 72 | <type>text</type> |
76 | | - <advanced>true</advanced> |
77 | 73 | <help>With this option, you can set the size of the packets on your network. It is possible that bigger packets have to be processed sometimes. The engine can still process these bigger packets, but processing it will lower the performance.</help> |
| 74 | + <advanced>true</advanced> |
78 | 75 | </field> |
79 | 76 | <field> |
80 | 77 | <type>header</type> |
|
85 | 82 | <label>Enable syslog alerts</label> |
86 | 83 | <type>checkbox</type> |
87 | 84 | <help>Send alerts to system log in fast log format. This will not change the alert logging used by the product itself.</help> |
| 85 | + <advanced>true</advanced> |
88 | 86 | </field> |
89 | 87 | <field> |
90 | 88 | <id>ids.general.syslog_eve</id> |
|
95 | 93 | This will not change the alert logging used by the product itself. |
96 | 94 | Drop logs will only be send to the internal logger, due to restrictions in suricata. |
97 | 95 | </help> |
| 96 | + <advanced>true</advanced> |
98 | 97 | </field> |
99 | 98 | <field> |
100 | 99 | <id>ids.general.verbosity</id> |
|
104 | 103 | <advanced>true</advanced> |
105 | 104 | </field> |
106 | 105 | <field> |
107 | | - <id>ids.general.AlertLogrotate</id> |
108 | | - <label>Rotate log</label> |
109 | | - <type>dropdown</type> |
110 | | - <help>Rotate alert logs at provided interval.</help> |
| 106 | + <id>ids.general.eveLog.types</id> |
| 107 | + <label>EVE log types</label> |
| 108 | + <type>select_multiple</type> |
| 109 | + <help>The type of events to include in the EVE log.</help> |
111 | 110 | </field> |
112 | 111 | <field> |
113 | | - <id>ids.general.AlertSaveLogs</id> |
114 | | - <label>Save logs</label> |
115 | | - <type>text</type> |
116 | | - <help>Number of logs to keep.</help> |
| 112 | + <id>ids.general.eveLog.extend</id> |
| 113 | + <label>EVE log extended types</label> |
| 114 | + <type>select_multiple</type> |
| 115 | + <help>The type of events which, if enabled in the EVE log, will contain extended information.</help> |
117 | 116 | </field> |
118 | 117 | <field> |
119 | | - <id>ids.general.LogPayload</id> |
120 | | - <label>Log package payload</label> |
121 | | - <type>checkbox</type> |
122 | | - <help>Send package payload to the log for further analyses.</help> |
| 118 | + <id>ids.general.eveLog.rotate.count</id> |
| 119 | + <label>EVE log retention count</label> |
| 120 | + <type>text</type> |
| 121 | + <help>The number of EVE logs to retain.</help> |
123 | 122 | <advanced>true</advanced> |
124 | 123 | </field> |
125 | 124 | <field> |
126 | | - <id>ids.general.eveLog.http.enable</id> |
127 | | - <label>Enable eve HTTP logging</label> |
128 | | - <type>checkbox</type> |
129 | | - <help>Send HTTP metadata to eve-log for further analyses.</help> |
| 125 | + <id>ids.general.eveLog.rotate.size</id> |
| 126 | + <label>EVE log rotation size</label> |
| 127 | + <type>text</type> |
| 128 | + <help>Rotate EVE log past defined size in kilobytes.</help> |
130 | 129 | <advanced>true</advanced> |
131 | 130 | </field> |
132 | 131 | <field> |
133 | | - <id>ids.general.eveLog.http.extended</id> |
134 | | - <label>Eve HTTP extended logging</label> |
135 | | - <type>checkbox</type> |
136 | | - <help>Add extended information to eve HTTP logging.</help> |
| 132 | + <id>ids.general.eveLog.rotate.frequency</id> |
| 133 | + <label>EVE log rotation frequency</label> |
| 134 | + <type>dropdown</type> |
| 135 | + <help>Rotate EVE log at defined interval.</help> |
137 | 136 | <advanced>true</advanced> |
138 | 137 | </field> |
139 | 138 | <field> |
|
144 | 143 | <advanced>true</advanced> |
145 | 144 | </field> |
146 | 145 | <field> |
147 | | - <id>ids.general.eveLog.tls.enable</id> |
148 | | - <label>Enable eve TLS logging</label> |
| 146 | + <id>ids.general.eveLog.tls.sessionResumption</id> |
| 147 | + <label>Eve TLS log session resumption</label> |
149 | 148 | <type>checkbox</type> |
150 | | - <help>Send TLS metadata to eve-log for further analyses.</help> |
| 149 | + <help>Output TLS transaction where the session is resumed using a session id.</help> |
| 150 | + <advanced>true</advanced> |
| 151 | + </field> |
| 152 | + <field> |
| 153 | + <id>ids.general.eveLog.tls.custom</id> |
| 154 | + <label>Eve TLS custom logging</label> |
| 155 | + <type>select_multiple</type> |
| 156 | + <help>Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).</help> |
| 157 | + <advanced>true</advanced> |
| 158 | + </field> |
| 159 | + <field> |
| 160 | + <id>ids.general.eveLog.files.forceHash</id> |
| 161 | + <label>Force EVE's file hash logging</label> |
| 162 | + <type>select_multiple</type> |
| 163 | + <help>Forcefully extend file events in EVE log with the file's hash(es).</help> |
151 | 164 | <advanced>true</advanced> |
152 | 165 | </field> |
153 | 166 | <field> |
154 | | - <id>ids.general.eveLog.tls.extended</id> |
155 | | - <label>Eve TLS extended logging</label> |
| 167 | + <id>ids.general.eveLog.smtp.custom</id> |
| 168 | + <label>Customize EVE's SMTP logging</label> |
| 169 | + <type>select_multiple</type> |
| 170 | + <help>Extend SMTP events in EVE log with custom fields, overriding the default extended SMTP logging.</help> |
| 171 | + <advanced>true</advanced> |
| 172 | + </field> |
| 173 | + <field> |
| 174 | + <id>ids.general.eveLog.metadata.enable</id> |
| 175 | + <label>Enable EVE's metadata logging</label> |
156 | 176 | <type>checkbox</type> |
157 | | - <help>Add extended information to eve TLS logging. For example, SNI field.</help> |
| 177 | + <help>Log verbose metadata event to EVE log (i.e., triggers whenever a pktvar is saved).</help> |
158 | 178 | <advanced>true</advanced> |
159 | 179 | </field> |
160 | 180 | <field> |
161 | | - <id>ids.general.eveLog.tls.sessionResumption</id> |
162 | | - <label>Eve TLS log session resumption</label> |
| 181 | + <id>ids.general.pcapLog.enable</id> |
| 182 | + <label>Enable pcap logging</label> |
163 | 183 | <type>checkbox</type> |
164 | | - <help>Output TLS transaction where the session is resumed using a session id</help> |
| 184 | + <help>Enable the logging of packets in pcap format.</help> |
165 | 185 | <advanced>true</advanced> |
166 | 186 | </field> |
167 | 187 | <field> |
168 | | - <id>ids.general.eveLog.tls.custom</id> |
169 | | - <label>Eve TLS custom logging</label> |
170 | | - <type>select_multiple</type> |
171 | | - <help>Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).</help> |
| 188 | + <id>ids.general.pcapLog.limit</id> |
| 189 | + <label>Pcap file size limit</label> |
| 190 | + <type>text</type> |
| 191 | + <help>Limit the pcap file to a size in megabytes.</help> |
| 192 | + <advanced>true</advanced> |
| 193 | + </field> |
| 194 | + <field> |
| 195 | + <id>ids.general.pcapLog.maxFiles</id> |
| 196 | + <label>Pcap file count limit</label> |
| 197 | + <type>text</type> |
| 198 | + <help>Limit the amount of pcap files to retain.</help> |
| 199 | + <advanced>true</advanced> |
| 200 | + </field> |
| 201 | + <field> |
| 202 | + <id>ids.general.bpfFilter</id> |
| 203 | + <label>BPF Filter</label> |
| 204 | + <type>text</type> |
| 205 | + <help>BPF filter to apply on the interfaces (the pcap filter syntax applies here). A BPF filter should be used when logs are exported (especially pcap files) to avoid self-caused noise and amplifications.</help> |
172 | 206 | <advanced>true</advanced> |
173 | 207 | </field> |
174 | 208 | </form> |
0 commit comments