Suricata policy settings
The configuration options mentioned in Suricata configuration can be changed with the following settings:

```yaml
# Suricata ruleset processing
suricata:
  suricata_file_cleanup: true
  max_suricata_file_age: 48
  corelight_recommended_disable: true
  corelight_recommended_enable: true
  corelight_recommended_modify: true
  write_disabled_rules: false
  ip_extraction: true
  ip_do_notice: true
  ja3_extraction: true
  ja3_do_notice: true
  test_ruleset: true
  resolve_bit_dependencies: false
  modify_bit_dependencies: false
  fail_on_ruleset_error: false
  remote_conf_files:
    - name:
      url:
      auth_type:
      auth_token:
      auth_token_header:
      username:
      encrypted_pass:
      ignore_tls: false
```
Atomic rule extraction
Currently, only IP-based and JA3-based rules can be extracted. For an IP-based rule to be extracted, the rule header must contain a literal IP address or subnet; a rule that only references an address group (for example, a variable such as $HOME_NET) will not be extracted.
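The eligibility test described above can be expressed as a small checker. The following is an added example, not Corelight-update's own extraction code: it parses the rule header, treats `$VARIABLE` references and `any` as address groups, and only reports a rule as an IP candidate when a literal address or CIDR is present. For JA3 it looks for the `ja3.hash` sticky buffer (or the legacy `ja3_hash` keyword) followed by a 32-character `content` match. The sample rules are constructed, and skipping negated (`!`) entries is this example's own simplification rather than documented Corelight behaviour.

```python
import ipaddress
import re

# Constructed sample rules (not from the page). Only the header and the
# JA3 keyword matter for this check, so the option bodies are minimal.
SAMPLE_RULES = [
    'alert ip 203.0.113.0/24 any -> $HOME_NET any (msg:"literal subnet"; sid:1000001; rev:1;)',
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"address group only"; sid:1000002; rev:1;)',
    'alert ip [198.51.100.7,!198.51.100.8] any -> any any (msg:"literal list"; sid:1000003; rev:1;)',
    'alert tls any any -> any any (msg:"ja3"; ja3.hash; content:"0123456789ABCDEF0123456789abcdef"; sid:1000004; rev:1;)',
]

# action proto src sport dir dst dport (
HEADER_RE = re.compile(
    r'^\s*\w+\s+\w+\s+(?P<src>\S+)\s+\S+\s+(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s*\('
)
# Sticky-buffer form (ja3.hash; content:"...") and legacy form (ja3_hash; content:"...").
JA3_RE = re.compile(r'ja3[._]hash\s*;\s*content\s*:\s*"([0-9a-fA-F]{32})"')


def literal_networks(field):
    """Return the literal IPs/subnets in a rule address field as CIDR strings.

    $VARIABLE references and the keyword 'any' are address groups, not
    literals, so they yield nothing. Negated entries ('!') are skipped; that
    is an assumption of this example, not documented Corelight behaviour.
    """
    nets = []
    for item in field.strip('[]').split(','):
        item = item.strip()
        if not item or item.startswith(('$', '!')) or item.lower() == 'any':
            continue
        try:
            nets.append(str(ipaddress.ip_network(item, strict=False)))
        except ValueError:
            continue  # anything unparsable is treated as a group reference
    return nets


def classify_rule(rule):
    """Classify a rule as an IP extraction candidate, a JA3 candidate, or neither."""
    m = HEADER_RE.match(rule)
    if m is None:
        return {"kind": None, "values": []}
    nets = literal_networks(m.group('src')) + literal_networks(m.group('dst'))
    if nets:
        return {"kind": "ip", "values": nets}
    hashes = JA3_RE.findall(rule)
    if hashes:
        return {"kind": "ja3", "values": [h.lower() for h in hashes]}
    return {"kind": None, "values": []}


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        result = classify_rule(rule)
        print(f"{str(result['kind']):5} {result['values']}  <- {rule[:48]}...")
```

Running the block shows the second sample rule, which uses only `$EXTERNAL_NET` and `$HOME_NET`, is classified as neither IP nor JA3, which is exactly the case the text says will not be extracted.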
Remote config files
If you maintain a centralized set of Suricata configuration files for ruleset tuning and management, you can configure Corelight-update to automatically download the files from a remote source, and apply them to the Corelight-update connected sensors.
The Suricata configuration files disable.conf, enable.conf and modify.conf can be applied at the global level and at the policy level.
To learn about the processing order, see Order of operations.
For information about setting Suricata configuration files at the Global level, see Configuration settings.
For example, to pull a modify.conf file from GitHub:

```yaml
remote_conf_files:
  - name: modify.conf
    url: https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf
    auth_type: basic
    username: fakeuser
    encrypted_pass: 8946af417b8c3a13358ac42e6f6fbb3f256e2f5cc778a08...
```
The supported authentication types are no auth, basic, or token. When using the no auth option, leave the auth_type field empty.
Supported Suricata configuration files include:
disable.conf
enable.conf
modify.conf
suricata.yaml
classification.config
reference.config
threshold.config
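A pre-flight check for the remote_conf_files section, written as an added example rather than code from Corelight-update: it applies the rules stated on this page (the supported file names, the three auth_type values, the fields each auth type needs, and the meaning of ignore_tls) to each entry before the policy is deployed. The entries are constructed Python dicts mirroring the YAML above, with a placeholder in place of a real encrypted password; the warning for non-HTTPS URLs is this example's own addition, since the page does not say which schemes are accepted.

```python
SUPPORTED_FILES = {
    "disable.conf", "enable.conf", "modify.conf", "suricata.yaml",
    "classification.config", "reference.config", "threshold.config",
}

# Fields that must be present for each auth_type. An empty auth_type means
# "no auth", as the page describes.
AUTH_FIELDS = {
    "": (),
    "basic": ("username", "encrypted_pass"),
    "token": ("auth_token", "auth_token_header"),
}

# Constructed entries (not from a real deployment). The first mirrors the
# GitHub example above; <placeholder> stands in for an encrypted password.
SAMPLE_ENTRIES = [
    {"name": "modify.conf",
     "url": "https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf",
     "auth_type": "basic", "username": "fakeuser",
     "encrypted_pass": "<encrypted-password-placeholder>"},
    {"name": "threshold.config",
     "url": "http://conf.example.internal/threshold.config",
     "auth_type": "token", "auth_token": "", "auth_token_header": "Authorization",
     "ignore_tls": True},
    {"name": "local.rules",
     "url": "https://conf.example.internal/local.rules",
     "auth_type": ""},
]


def validate_entry(entry):
    """Return a list of 'error: ...' / 'warning: ...' strings for one entry."""
    problems = []
    name = entry.get("name") or ""
    if name not in SUPPORTED_FILES:
        problems.append(f"error: unsupported file name {name!r}")
    url = entry.get("url") or ""
    if not url:
        problems.append("error: url is required")
    elif not url.startswith("https://"):
        # Added check: basic credentials and the downloaded tuning files
        # would otherwise travel in the clear.
        problems.append("warning: url is not https")
    auth_type = entry.get("auth_type") or ""
    if auth_type not in AUTH_FIELDS:
        problems.append(f"error: unknown auth_type {auth_type!r}")
    else:
        for field in AUTH_FIELDS[auth_type]:
            if not entry.get(field):
                problems.append(f"error: auth_type {auth_type!r} requires {field}")
    if entry.get("ignore_tls"):
        problems.append("warning: ignore_tls disables certificate verification")
    return problems


def validate_remote_conf_files(entries):
    """Map each entry's name to its problems; duplicate names are an error."""
    report, seen = {}, set()
    for entry in entries:
        name = entry.get("name") or "<unnamed>"
        problems = validate_entry(entry)
        if name in seen:
            problems.append(f"error: duplicate entry for {name!r}")
        seen.add(name)
        report[name] = report.get(name, []) + problems
    return report


def has_errors(report):
    return any(p.startswith("error:") for problems in report.values() for p in problems)


if __name__ == "__main__":
    report = validate_remote_conf_files(SAMPLE_ENTRIES)
    for name, problems in report.items():
        print(name, problems or "ok")
    print("deployable:", not has_errors(report))
```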