opnsense
diff --git a/‎src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
+91-57 b/‎src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
+91-57
@@ -5,76 +5,73 @@
     </field>
     <field>
         <id>ids.general.enabled</id>
-        <label>Enabled</label>
+        <label>Enable</label>
         <type>checkbox</type>
-        <help>Enable intrusion detection system.</help>
+        <help>Enable IDS (Intrusion Detection System).</help>
     </field>
     <field>
         <id>ids.general.ips</id>
         <label>IPS mode</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable protection mode (block traffic).<br />Before enabling, please disable all hardware offloading first <a href="/system_advanced_network.php">in advanced network</a>.]]></help>
+        <help><![CDATA[Enable IPS (Intrusion Prevention System) mode to block traffic.<br />Before enabling, please disable all hardware offloading first <a href="/system_advanced_network.php">in advanced network</a>.]]></help>
     </field>
     <field>
         <id>ids.general.promisc</id>
         <label>Promiscuous mode</label>
         <type>checkbox</type>
-        <help>Enable promiscuous mode, for certain setups (like IPS with vlans), this is required to actually capture data on the physical interface.</help>
+        <help>Enable promiscuous mode, for certain setups (e.g., IPS with VLANs) this is required to actually capture data on the physical interface.</help>
     </field>
     <field>
         <id>ids.general.interfaces</id>
         <label>Interfaces</label>
         <type>select_multiple</type>
         <help>Select interface(s) to use. When enabling IPS, make sure the (virtual) driver supports this feature.</help>
     </field>
-    <field>
-        <type>header</type>
-        <label>Detection</label>
-    </field>
     <field>
         <id>ids.general.MPMAlgo</id>
         <label>Pattern matcher</label>
         <type>dropdown</type>
-        <help>Select the multi-pattern matcher algorithm to use.</help>
+        <help>Select the multi-pattern matcher algorithm to use for the engine's scan/search.</help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>ids.general.detect.Profile</id>
-        <label>Detect Profile</label>
+        <label>Detection profile</label>
         <type>dropdown</type>
-        <advanced>true</advanced>
         <help>The detection engine builds internal groups of signatures. The engine allow us to specify the profile to use for them, to manage memory on an efficient way keeping a good performance.</help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>ids.general.detect.toclient_groups</id>
-        <label>ToClient</label>
+        <label>ToClient groups</label>
         <style>detect_custom</style>
         <type>text</type>
+        <help>The number of groups for signatures to a client. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help>
         <advanced>true</advanced>
-        <help>If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help>
     </field>
     <field>
         <id>ids.general.detect.toserver_groups</id>
-        <label>ToServer</label>
+        <label>ToServer groups</label>
         <style>detect_custom</style>
         <type>text</type>
+        <help>The number of groups for signatures to a server. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help>
         <advanced>true</advanced>
-        <help>If Custom is specified. The detection engine tries to split out separate signatures into groups so that a packet is only inspected against signatures that can actually match. As in large rule set this would result in way too many groups and memory usage similar groups are merged together.</help>
     </field>
     <field>
         <id>ids.general.homenet</id>
         <label>Home networks</label>
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help>Networks to interpret as local</help>
+        <help>Networks to interpret as local.</help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>ids.general.defaultPacketSize</id>
-        <label>default packet size</label>
+        <label>Default packet size</label>
         <type>text</type>
-        <advanced>true</advanced>
         <help>With this option, you can set the size of the packets on your network. It is possible that bigger packets have to be processed sometimes. The engine can still process these bigger packets, but processing it will lower the performance.</help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
@@ -85,90 +82,127 @@
         <label>Enable syslog alerts</label>
         <type>checkbox</type>
         <help>Send alerts to system log in fast log format. This will not change the alert logging used by the product itself.</help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>ids.general.syslog_eve</id>
-        <label>Enable eve syslog output</label>
+        <label>Enable EVE syslog output</label>
         <type>checkbox</type>
         <help>
-          Send alerts in eve format to syslog, using log level info.
+          Send alerts in EVE format to syslog, using the log level info.
           This will not change the alert logging used by the product itself.
-          Drop logs will only be send to the internal logger, due to restrictions in suricata.
+          Drop logs will only be sent to the internal logger, due to restrictions in Suricata.
         </help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>ids.general.verbosity</id>
         <label>Syslog verbosity</label>
         <type>dropdown</type>
-        <help>Increase the verbosity of the Suricata application logging by increasing the log level from the default.</help>
+        <help>Increase the verbosity of the Suricata application logging by increasing the default log level.</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.AlertLogrotate</id>
-        <label>Rotate log</label>
-        <type>dropdown</type>
-        <help>Rotate alert logs at provided interval.</help>
+        <id>ids.general.eveLog.types</id>
+        <label>EVE log types</label>
+        <type>select_multiple</type>
+        <help>The type of events to include in the EVE log.</help>
     </field>
     <field>
-        <id>ids.general.AlertSaveLogs</id>
-        <label>Save logs</label>
-        <type>text</type>
-        <help>Number of logs to keep.</help>
+        <id>ids.general.eveLog.extend</id>
+        <label>EVE log extended types</label>
+        <type>select_multiple</type>
+        <help>The type of events which, if enabled in the EVE log, will contain extended information.</help>
     </field>
     <field>
-        <id>ids.general.LogPayload</id>
-        <label>Log package payload</label>
-        <type>checkbox</type>
-        <help>Send package payload to the log for further analyses.</help>
+        <id>ids.general.eveLog.rotate.count</id>
+        <label>EVE log retention count</label>
+        <type>text</type>
+        <help>The number of EVE logs to retain.</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.eveLog.http.enable</id>
-        <label>Enable eve HTTP logging</label>
-        <type>checkbox</type>
-        <help>Send HTTP metadata to eve-log for further analyses.</help>
+        <id>ids.general.eveLog.rotate.size</id>
+        <label>EVE log rotation size</label>
+        <type>text</type>
+        <help>Rotate EVE log past defined size in kilobytes.</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.eveLog.http.extended</id>
-        <label>Eve HTTP extended logging</label>
-        <type>checkbox</type>
-        <help>Add extended information to eve HTTP logging.</help>
+        <id>ids.general.eveLog.rotate.frequency</id>
+        <label>EVE log rotation frequency</label>
+        <type>dropdown</type>
+        <help>Rotate EVE log at defined interval.</help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>ids.general.eveLog.http.dumpAllHeaders</id>
-        <label>Eve HTTP dump all headers</label>
+        <label>Enable EVE's HTTP header logging</label>
         <type>dropdown</type>
-        <help>Make eve HTTP logging dump all HTTP headers. You may choose to dump headers for requests or responses or both.</help>
+        <help>Dump all, request, or response headers from HTTP events in EVE log.</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.eveLog.tls.enable</id>
-        <label>Enable eve TLS logging</label>
+        <id>ids.general.eveLog.tls.sessionResumption</id>
+        <label>Enable EVE's TLS session resumption logging</label>
         <type>checkbox</type>
-        <help>Send TLS metadata to eve-log for further analyses.</help>
+        <help>Log TLS events with session resumptions to EVE log (i.e., transactions with a session identifier).</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>ids.general.eveLog.tls.custom</id>
+        <label>Customize EVE's TLS logging</label>
+        <type>select_multiple</type>
+        <help>Extend TLS events in EVE log with custom fields, overriding the default extended TLS logging.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>ids.general.eveLog.files.forceHash</id>
+        <label>Force EVE's file hash logging</label>
+        <type>select_multiple</type>
+        <help>Forcefully extend file events in EVE log with the file's hash(es).</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>ids.general.eveLog.smtp.custom</id>
+        <label>Customize EVE's SMTP logging</label>
+        <type>select_multiple</type>
+        <help>Extend SMTP events in EVE log with custom fields, overriding the default extended SMTP logging.</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.eveLog.tls.extended</id>
-        <label>Eve TLS extended logging</label>
+        <id>ids.general.eveLog.metadata.enable</id>
+        <label>Enable EVE's metadata logging</label>
         <type>checkbox</type>
-        <help>Add extended information to eve TLS logging. For example, SNI field.</help>
+        <help>Log verbose metadata event to EVE log (i.e., triggers whenever a pktvar is saved).</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.eveLog.tls.sessionResumption</id>
-        <label>Eve TLS log session resumption</label>
+        <id>ids.general.pcapLog.enable</id>
+        <label>Enable pcap logging</label>
         <type>checkbox</type>
-        <help>Output TLS transaction where the session is resumed using a session id</help>
+        <help>Enable the logging of packets in pcap format.</help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>ids.general.eveLog.tls.custom</id>
-        <label>Eve TLS custom logging</label>
-        <type>select_multiple</type>
-        <help>Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).</help>
+        <id>ids.general.pcapLog.limit</id>
+        <label>Pcap file size limit</label>
+        <type>text</type>
+        <help>Limit the pcap file to a size in megabytes.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>ids.general.pcapLog.maxFiles</id>
+        <label>Pcap file count limit</label>
+        <type>text</type>
+        <help>Limit the amount of pcap files to retain.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>ids.general.bpfFilter</id>
+        <label>BPF Filter</label>
+        <type>text</type>
+        <help>BPF filter to apply on the interfaces (the pcap filter syntax applies here). A BPF filter should be used when logs are exported (especially pcap files) to avoid self-caused noise and amplifications.</help>
         <advanced>true</advanced>
     </field>
 </form>