|
30 | 30 | <field> |
31 | 31 | <type>header</type> |
32 | 32 | <label>Detection</label> |
| 33 | + <advanced>true</advanced> |
33 | 34 | </field> |
34 | 35 | <field> |
35 | 36 | <id>ids.general.MPMAlgo</id> |
36 | 37 | <label>Pattern matcher</label> |
37 | 38 | <type>dropdown</type> |
38 | 39 | <help>Select the multi-pattern matcher algorithm to use.</help> |
| 40 | + <advanced>true</advanced> |
39 | 41 | </field> |
40 | 42 | <field> |
41 | 43 | <id>ids.general.detect.Profile</id> |
|
85 | 87 | <label>Enable syslog alerts</label> |
86 | 88 | <type>checkbox</type> |
87 | 89 | <help>Send alerts to system log in fast log format. This will not change the alert logging used by the product itself.</help> |
| 90 | + <advanced>true</advanced> |
88 | 91 | </field> |
89 | 92 | <field> |
90 | 93 | <id>ids.general.syslog_eve</id> |
|
95 | 98 | This will not change the alert logging used by the product itself. |
96 | 99 | Drop logs will only be send to the internal logger, due to restrictions in suricata. |
97 | 100 | </help> |
| 101 | + <advanced>true</advanced> |
98 | 102 | </field> |
99 | 103 | <field> |
100 | 104 | <id>ids.general.verbosity</id> |
|
104 | 108 | <advanced>true</advanced> |
105 | 109 | </field> |
106 | 110 | <field> |
107 | | - <id>ids.general.AlertLogrotate</id> |
108 | | - <label>Rotate log</label> |
109 | | - <type>dropdown</type> |
110 | | - <help>Rotate alert logs at provided interval.</help> |
| 111 | + <id>ids.general.eveLog.types</id> |
| 112 | + <label>EVE log types</label> |
| 113 | + <type>select_multiple</type> |
| 114 | + <help>The type of events to include in the EVE log.</help> |
111 | 115 | </field> |
112 | 116 | <field> |
113 | | - <id>ids.general.AlertSaveLogs</id> |
114 | | - <label>Save logs</label> |
115 | | - <type>text</type> |
116 | | - <help>Number of logs to keep.</help> |
| 117 | + <id>ids.general.eveLog.extend</id> |
| 118 | + <label>EVE log extended types</label> |
| 119 | + <type>select_multiple</type> |
| 120 | + <help>The type of events which, if enabled in the EVE log, will contain extended information.</help> |
117 | 121 | </field> |
118 | 122 | <field> |
119 | | - <id>ids.general.LogPayload</id> |
120 | | - <label>Log package payload</label> |
121 | | - <type>checkbox</type> |
122 | | - <help>Send package payload to the log for further analyses.</help> |
| 123 | + <id>ids.general.eveLog.rotate.count</id> |
| 124 | + <label>EVE log retention count</label> |
| 125 | + <type>text</type> |
| 126 | + <help>The number of EVE logs to retain.</help> |
123 | 127 | <advanced>true</advanced> |
124 | 128 | </field> |
125 | 129 | <field> |
126 | | - <id>ids.general.eveLog.http.enable</id> |
127 | | - <label>Enable eve HTTP logging</label> |
128 | | - <type>checkbox</type> |
129 | | - <help>Send HTTP metadata to eve-log for further analyses.</help> |
| 130 | + <id>ids.general.eveLog.rotate.size</id> |
| 131 | + <label>EVE log rotation size</label> |
| 132 | + <type>text</type> |
| 133 | + <help>Rotate EVE log past defined size in kilobytes.</help> |
130 | 134 | <advanced>true</advanced> |
131 | 135 | </field> |
132 | 136 | <field> |
133 | | - <id>ids.general.eveLog.http.extended</id> |
134 | | - <label>Eve HTTP extended logging</label> |
135 | | - <type>checkbox</type> |
136 | | - <help>Add extended information to eve HTTP logging.</help> |
| 137 | + <id>ids.general.eveLog.rotate.frequency</id> |
| 138 | + <label>EVE log rotation frequency</label> |
| 139 | + <type>dropdown</type> |
| 140 | + <help>Rotate EVE log at defined interval.</help> |
137 | 141 | <advanced>true</advanced> |
138 | 142 | </field> |
139 | 143 | <field> |
|
144 | 148 | <advanced>true</advanced> |
145 | 149 | </field> |
146 | 150 | <field> |
147 | | - <id>ids.general.eveLog.tls.enable</id> |
148 | | - <label>Enable eve TLS logging</label> |
| 151 | + <id>ids.general.eveLog.tls.sessionResumption</id> |
| 152 | + <label>Eve TLS log session resumption</label> |
149 | 153 | <type>checkbox</type> |
150 | | - <help>Send TLS metadata to eve-log for further analyses.</help> |
| 154 | + <help>Output TLS transaction where the session is resumed using a session id.</help> |
| 155 | + <advanced>true</advanced> |
| 156 | + </field> |
| 157 | + <field> |
| 158 | + <id>ids.general.eveLog.tls.custom</id> |
| 159 | + <label>Eve TLS custom logging</label> |
| 160 | + <type>select_multiple</type> |
| 161 | + <help>Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).</help> |
151 | 162 | <advanced>true</advanced> |
152 | 163 | </field> |
153 | 164 | <field> |
154 | | - <id>ids.general.eveLog.tls.extended</id> |
155 | | - <label>Eve TLS extended logging</label> |
| 165 | + <id>ids.general.eveLog.files.forceHash</id> |
| 166 | + <label>Force EVE's file hash logging</label> |
| 167 | + <type>select_multiple</type> |
| 168 | + <help>Forcefully extend file events in EVE log with the file's hash(es).</help> |
| 169 | + <advanced>true</advanced> |
| 170 | + </field> |
| 171 | + <field> |
| 172 | + <id>ids.general.eveLog.smtp.custom</id> |
| 173 | + <label>Customize EVE's SMTP logging</label> |
| 174 | + <type>select_multiple</type> |
| 175 | + <help>Extend SMTP events in EVE log with custom fields, overriding the default extended SMTP logging.</help> |
| 176 | + <advanced>true</advanced> |
| 177 | + </field> |
| 178 | + <field> |
| 179 | + <id>ids.general.eveLog.metadata.enable</id> |
| 180 | + <label>Enable EVE's metadata logging</label> |
156 | 181 | <type>checkbox</type> |
157 | | - <help>Add extended information to eve TLS logging. For example, SNI field.</help> |
| 182 | + <help>Log verbose metadata event to EVE log (i.e., triggers whenever a pktvar is saved).</help> |
158 | 183 | <advanced>true</advanced> |
159 | 184 | </field> |
160 | 185 | <field> |
161 | | - <id>ids.general.eveLog.tls.sessionResumption</id> |
162 | | - <label>Eve TLS log session resumption</label> |
| 186 | + <id>ids.general.pcapLog.enable</id> |
| 187 | + <label>Enable pcap logging</label> |
163 | 188 | <type>checkbox</type> |
164 | | - <help>Output TLS transaction where the session is resumed using a session id</help> |
| 189 | + <help>Enable the logging of packets in pcap format.</help> |
165 | 190 | <advanced>true</advanced> |
166 | 191 | </field> |
167 | 192 | <field> |
168 | | - <id>ids.general.eveLog.tls.custom</id> |
169 | | - <label>Eve TLS custom logging</label> |
170 | | - <type>select_multiple</type> |
171 | | - <help>Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).</help> |
| 193 | + <id>ids.general.pcapLog.limit</id> |
| 194 | + <label>Pcap file size limit</label> |
| 195 | + <type>text</type> |
| 196 | + <help>Limit the pcap file to a size in megabytes.</help> |
| 197 | + <advanced>true</advanced> |
| 198 | + </field> |
| 199 | + <field> |
| 200 | + <id>ids.general.pcapLog.maxFiles</id> |
| 201 | + <label>Pcap file count limit</label> |
| 202 | + <type>text</type> |
| 203 | + <help>Limit the amount of pcap files to retain.</help> |
| 204 | + <advanced>true</advanced> |
| 205 | + </field> |
| 206 | + <field> |
| 207 | + <id>ids.general.bpfFilter</id> |
| 208 | + <label>BPF Filter</label> |
| 209 | + <type>text</type> |
| 210 | + <help>BPF filter to apply on the interfaces (the pcap filter syntax applies here). A BPF filter should be used when logs are exported (especially pcap files) to avoid self-caused noise and amplifications.</help> |
172 | 211 | <advanced>true</advanced> |
173 | 212 | </field> |
174 | 213 | </form> |
0 commit comments