Suricata: Add support for all available EVE types #8442
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -220,34 +220,6 @@ outputs: | |
| dump-all-headers: {{OPNsense.IDS.general.eveLog.http.dumpAllHeaders}} | ||
| {% endif %} | ||
| {% endif %} | ||
| {% if not helpers.empty('OPNsense.IDS.general.eveLog.tls.enable') %} | ||
| - tls: | ||
| extended: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.tls.extended') else 'yes' }} | ||
|
|
@@ -259,19 +231,25 @@ outputs: | |
| custom: [{{ OPNsense.IDS.general.eveLog.tls.custom }}] | ||
| {% endif %} | ||
| {% endif %} | ||
|
|
||
| - drop: | ||
| alerts: yes # log alerts that caused drops | ||
| flows: start # start or all: 'start' logs only a single drop | ||
| # per flow direction. All logs each dropped pkt. | ||
|
|
||
| - ssh | ||
|
|
||
| {% set eveLog_types_enabled = (OPNsense.IDS.general.eveLog.types.enabled|default('')).split(',') %} | ||
| {% set eveLog_types_extended = (OPNsense.IDS.general.eveLog.types.extended|default('')).split(',') %} | ||
| {% 8000 for opt in eveLog_types_enabled %} | ||
| - {{opt}}: | ||
| {% if opt == 'files' and opt in eveLog_types_extended %} | ||
| force-magic: yes # force logging magic on all logged files | ||
| # force logging of checksums, available hash functions are md5, | ||
| # sha1 and sha256 | ||
| #force-hash: [md5] | ||
| {% elif opt == 'smtp' and opt in eveLog_types_extended %} | ||
| extended: yes # enable this for extended logging information | ||
| # this includes: bcc, message-id, subject, x_mailer, user-agent | ||
| # custom fields logging from the list: | ||
| # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, | ||
|
|
@@ -282,43 +260,18 @@ outputs: | |
| # for the body you need to set app-layer.protocols.smtp.mime.body-md5 | ||
| # to yes | ||
| #md5: [body, subject] | ||
| {% elif opt == 'dhcp' and opt in eveLog_types_extended %} | ||
| # When extended mode is on, all DHCP messages are logged | ||
| # with full detail. When extended mode is off (the | ||
| # default), just enough information to map a MAC address | ||
| # to an IP address is logged. | ||
| extended: yes | ||
| {% elif opt == 'mqtt' and opt in eveLog_types_extended %} | ||
| passwords: yes # enable output of passwords | ||
| {% elif opt == 'pgsql' and opt in eveLog_types_extended %} | ||
| passwords: yes # enable output of passwords. Disabled by default | ||
| {% endif %} | ||
| {% endfor %} | ||
|
|
||
| # Metadata event type. Triggered whenever a pktvar is saved | ||
| # and will include the pktvars, flowvars, flowbits and | ||
|
|
@@ -942,7 +895,7 @@ app-layer: | |
| #encryption-handling: default | ||
|
|
||
| pgsql: | ||
| enabled: {{ 'yes' if 'pgsql' in eveLog_types_enabled else 'no' }} | ||
|
There was a problem hiding this comment. shouldn't this also move into the loop? I expect it duplicates the item now, or am I mistaken? There was a problem hiding this comment. I believe this is the engine's application layer configuration (i.e., used for detections), not related to the EVE logging configuration. I don't think this (and following) causes duplicated logging entries. There was a problem hiding this comment. @0xThiebaut ok, thanks, I'll need to try this on my end before merging. these yaml files can be sensitive in my experience. There was a problem hiding this comment. Thanks, I really appreciate the time and care you're taking for community contributions! There was a problem hiding this comment. @0xThiebaut you're welcome, we can't pull-in everything, but do make an effort when possible. |
||
| # Stream reassembly size for PostgreSQL. By default, track it completely. | ||
| stream-depth: 0 | ||
| # Maximum number of live PostgreSQL transactions per flow | ||
|
|
@@ -998,14 +951,14 @@ app-layer: | |
| #log-url-scheme: yes | ||
| # Set to yes to compute the md5 of the mail body. You will then | ||
| # be able to journalize it. | ||
| body-md5: {{ 'yes' if 'smtp' in eveLog_types_extended else 'no' }} | ||
| # Configure inspected-tracker for file_data keyword | ||
| inspected-tracker: | ||
| content-limit: 100000 | ||
| content-inspect-min-size: 32768 | ||
| content-inspect-window: 4096 | ||
| imap: | ||
| enabled: {{ 'yes' if 'imap' in eveLog_types_enabled else 'detection-only' }} | ||
|
|
||
| smb: | ||
| enabled: yes | ||
| detection-ports: | ||
|
|
@@ -1171,7 +1124,7 @@ app-layer: | |
|
|
||
| # DNP3 | ||
| dnp3: | ||
| enabled: {{ 'yes' if 'dnp3' in eveLog_types_enabled else 'no' }} | ||
|
|
||
| detection-ports: | ||
| dp: 20000 | ||
|
|
||
|
|
@@ -1192,7 +1145,7 @@ app-layer: | |
| enabled: yes | ||
|
|
||
| sip: | ||
| enabled: {{ 'yes' if 'sip' in eveLog_types_enabled else 'no' }} | ||
|
|
||
|
|
||
| # Limit for the maximum number of asn1 frames to decode (default 256) | ||
| asn1-max-frames: 256 | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this feels like a possible security concern...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree it is a security concern but due to the fact it transits in plaintext over the wire, not due to its logging. A similar already existing risk is the logging of HTTP headers which might contain bearer tokens and/or cookies.
If you nonetheless object to this specific logging, I can remove it from the fields supporting extended logging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@0xThiebaut that's true, let me think about this, adding an extra warning in the help text might be enough and more generic anyway.