8
+
cfg = config.services.suricata;
24
+
freeformType = yaml.type;
27
+
type = types.nullOr (
30
+
address-groups = mkOption {
34
+
HOME_NET = mkOption { default = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"; };
35
+
EXTERNAL_NET = mkOption { default = "!$HOME_NET"; };
36
+
HTTP_SERVERS = mkOption { default = "$HOME_NET"; };
37
+
SMTP_SERVERS = mkOption { default = "$HOME_NET"; };
38
+
SQL_SERVERS = mkOption { default = "$HOME_NET"; };
39
+
DNS_SERVERS = mkOption { default = "$HOME_NET"; };
40
+
TELNET_SERVERS = mkOption { default = "$HOME_NET"; };
41
+
AIM_SERVERS = mkOption { default = "$EXTERNAL_NET"; };
42
+
DC_SERVERS = mkOption { default = "$HOME_NET"; };
43
+
DNP3_SERVER = mkOption { default = "$HOME_NET"; };
44
+
DNP3_CLIENT = mkOption { default = "$HOME_NET"; };
45
+
MODBUS_CLIENT = mkOption { default = "$HOME_NET"; };
46
+
MODBUS_SERVER = mkOption { default = "$HOME_NET"; };
47
+
ENIP_CLIENT = mkOption { default = "$HOME_NET"; };
48
+
ENIP_SERVER = mkOption { default = "$HOME_NET"; };
54
+
HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]";
55
+
EXTERNAL_NET = "!$HOME_NET";
56
+
HTTP_SERVERS = "$HOME_NET";
57
+
SMTP_SERVERS = "$HOME_NET";
58
+
SQL_SERVERS = "$HOME_NET";
59
+
DNS_SERVERS = "$HOME_NET";
60
+
TELNET_SERVERS = "$HOME_NET";
61
+
AIM_SERVERS = "$EXTERNAL_NET";
62
+
DC_SERVERS = "$HOME_NET";
63
+
DNP3_SERVER = "$HOME_NET";
64
+
DNP3_CLIENT = "$HOME_NET";
65
+
MODBUS_CLIENT = "$HOME_NET";
66
+
MODBUS_SERVER = "$HOME_NET";
67
+
ENIP_CLIENT = "$HOME_NET";
68
+
ENIP_SERVER = "$HOME_NET";
71
+
The address group variables for suricata, if not defined the
72
+
default value of suricata (see example) will be used.
73
+
Your settings will extend the predefined values in example.
77
+
port-groups = mkOption {
78
+
type = with types; nullOr (attrsOf str);
81
+
SHELLCODE_PORTS = "!80";
82
+
ORACLE_PORTS = "1521";
84
+
DNP3_PORTS = "20000";
85
+
MODBUS_PORTS = "502";
86
+
FILE_DATA_PORTS = "[$HTTP_PORTS,110,143]";
88
+
GENEVE_PORTS = "6081";
89
+
VXLAN_PORTS = "4789";
90
+
TEREDO_PORTS = "3544";
93
+
The port group variables for suricata.
99
+
default = { }; # add default values to config
105
+
nullOr (submodule {
107
+
enable = mkEnableOption "suricata global stats";
109
+
interval = mkOption {
113
+
The interval field (in seconds) controls the interval at
114
+
which stats are updated in the log.
118
+
decoder-events = mkOption {
122
+
Add decode events to stats
126
+
decoder-events-prefix = mkOption {
128
+
default = "decoder.event";
130
+
Decoder event prefix in stats. Has been 'decoder' before, but that leads
131
+
to missing events in the eve.stats records.
135
+
stream-events = mkOption {
139
+
Add stream events as stats.
144
+
default = null; # do not add to config unless specified
147
+
plugins = mkOption {
148
+
type = with types; nullOr (listOf path);
151
+
Plugins -- Experimental -- specify the filename for each plugin shared object
155
+
outputs = mkOption {
160
+
attrsOf (submodule {
161
+
freeformType = yaml.type;
163
+
enabled = mkEnableOption "<NAME>";
169
+
example = literalExpression ''
174
+
filename = "fast.log";
181
+
filetype = "regular";
182
+
filename = "eve.json";
183
+
community-id = true;
186
+
alert.tagged-packets = "yes";
194
+
Configure the type of alert (and other) logging you would like.
196
+
Valid values for <NAME> are e. g. `fast`, `eve-log`, `syslog`, `file-store`, ...
197
+
- `fast`: a line based alerts log similar to Snort's fast.log
198
+
- `eve-log`: Extensible Event Format (nicknamed EVE) event log in JSON format
200
+
For more details regarding the configuration, checkout the shipped suricata.yaml
202
+
nix-shell -p suricata yq coreutils-full --command 'yq < $(dirname $(which suricata))/../etc/suricata/suricata.yaml'
204
+
and the [suricata documentation](https://docs.suricata.io/en/latest/output/index.html).
208
+
"default-log-dir" = mkOption {
210
+
default = "/var/log/suricata";
212
+
The default logging directory. Any log or output file will be placed here if it's
213
+
not specified with a full path name. This can be overridden with the -l command
219
+
"default-log-level" = mkOption {
220
+
type = types.enum [
229
+
default = "notice";
231
+
The default log level: can be overridden in an output section.
232
+
Note that debug level logging will only be emitted if Suricata was
233
+
compiled with the --enable-debug configure option.
237
+
"default-log-format" = mkOption {
238
+
type = types.nullOr types.str;
241
+
The default output format. Optional parameter, should default to
242
+
something reasonable if not provided. Can be overridden in an
243
+
output section. You can leave this out to get the default.
247
+
"default-output-filter" = mkOption {
248
+
type = types.nullOr types.str;
251
+
A regex to filter output. Can be overridden in an output section.
252
+
Defaults to empty (no filter).
256
+
"stacktrace-on-signal" = mkOption {
257
+
type = types.nullOr types.str;
260
+
Requires libunwind to be available when Suricata is configured and built.
261
+
If a signal unexpectedly terminates Suricata, displays a brief diagnostic
262
+
message with the offending stacktrace if enabled.
268
+
enable = mkDisableOption "logging to console";
271
+
enable = mkDisableOption "logging to file";
274
+
type = types.enum [
285
+
Loglevel for logs written to the logfile
289
+
filename = mkOption {
291
+
default = "suricata.log";
293
+
Filename of the logfile
297
+
format = mkOption {
298
+
type = types.nullOr types.str;
301
+
Logformat for logs written to the logfile
306
+
type = types.nullOr types.str;
314
+
enable = mkEnableOption "logging to syslog";
316
+
facility = mkOption {
318
+
default = "local5";
324
+
format = mkOption {
325
+
type = types.nullOr types.str;
328
+
Logformat for logs send to syslog
333
+
type = types.nullOr types.str;
336
+
Type of logs send to syslog
343
+
"af-packet" = mkOption {
347
+
listOf (submodule {
348
+
freeformType = yaml.type;
350
+
interface = mkOption {
359
+
Linux high speed capture support
363
+
"af-xdp" = mkOption {
367
+
listOf (submodule {
368
+
freeformType = yaml.type;
370
+
interface = mkOption {
379
+
Linux high speed af-xdp capture support, see
380
+
[docs/capture-hardware/af-xdp](https://docs.suricata.io/en/suricata-7.0.3/capture-hardware/af-xdp.html)
384
+
"dpdk" = mkOption {
387
+
nullOr (submodule {
389
+
eal-params.proc-type = mkOption {
390
+
type = with types; nullOr str;
393
+
interfaces = mkOption {
397
+
listOf (submodule {
398
+
freeformType = yaml.type;
400
+
interface = mkOption {
413
+
DPDK capture support, see
414
+
[docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.3/capture-hardware/dpdk.html)
418
+
"pcap" = mkOption {
422
+
listOf (submodule {
423
+
freeformType = yaml.type;
425
+
interface = mkOption {
434
+
Cross platform libpcap capture support
438
+
"pcap-file".checksum-checks = mkOption {
439
+
type = types.enum [
446
+
Possible values are:
447
+
- yes: checksum validation is forced
448
+
- no: checksum validation is disabled
449
+
- auto: Suricata uses a statistical approach to detect when
450
+
checksum off-loading is used. (default)
451
+
Warning: 'checksum-validation' must be set to yes to have checksum tested
455
+
"app-layer" = mkOption {
458
+
nullOr (submodule {
460
+
"error-policy" = mkOption {
461
+
type = types.enum [
470
+
default = "ignore";
472
+
The error-policy setting applies to all app-layer parsers. Values can be
473
+
"drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or
474
+
"ignore" (the default).
477
+
protocols = mkOption {
481
+
attrsOf (submodule {
482
+
freeformType = yaml.type;
484
+
enabled = mkOption {
485
+
type = types.enum [
492
+
The option "enabled" takes 3 values - "yes", "no", "detection-only".
493
+
"yes" enables both detection and the parser, "no" disables both, and
494
+
"detection-only" enables protocol detection only (parser disabled).
504
+
default = null; # do not add to config unless specified
510
+
default = "suricata";
511
+
description = "Run Suricata with a specific user-id";
515
+
default = "suricata";
516
+
description = "Run Suricata with a specific group-id";
520
+
"host-mode" = mkOption {
521
+
type = types.enum [
528
+
If the Suricata box is a router for the sniffed networks, set it to 'router'. If
529
+
it is a pure sniffing setup, set it to 'sniffer-only'. If set to auto, the variable
530
+
is internally switched to 'router' in IPS mode and 'sniffer-only' in IDS mode.
531
+
This feature is currently only used by the reject* keywords.
535
+
"unix-command" = mkOption {
538
+
nullOr (submodule {
540
+
enabled = mkOption {
541
+
type = types.either types.bool (types.enum [ "auto" ]);
544
+
filename = mkOption {
546
+
default = "/run/suricata/suricata-command.socket";
552
+
Unix command socket that can be used to pass commands to Suricata.
553
+
An external tool can then connect to get information from Suricata
554
+
or trigger some modifications of the engine. Set enabled to yes
555
+
to activate the feature. In auto mode, the feature will only be
556
+
activated in live capture mode. You can use the filename variable to set
557
+
the file name of the socket.
561
+
"exception-policy" = mkOption {
562
+
type = types.enum [
574
+
Define a common behavior for all exception policies.
575
+
In IPS mode, the default is drop-flow. For cases when that's not possible, the
576
+
engine will fall to drop-packet. To fallback to old behavior (setting each of
577
+
them individually, or ignoring all), set this to ignore.
578
+
All values available for exception policies can be used, and there is one
579
+
extra option: auto - which means drop-flow or drop-packet (as explained above)
580
+
in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet,
581
+
drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
585
+
"default-rule-path" = mkOption {
587
+
default = "/var/lib/suricata/rules";
588
+
description = "Path in which suricata-update managed rules are stored by default";
591
+
"rule-files" = mkOption {
592
+
type = types.listOf types.str;
593
+
default = [ "suricata.rules" ];
594
+
description = "Files to load suricata-update managed rules, relative to 'default-rule-path'";
597
+
"classification-file" = mkOption {
599
+
default = "/var/lib/suricata/rules/classification.config";
600
+
description = "Suricata classification configuration file";
603
+
"reference-config-file" = mkOption {
605
+
default = "${cfg.package}/etc/suricata/reference.config";
606
+
description = "Suricata reference configuration file";
609
+
"threshold-file" = mkOption {
611
+
default = "${cfg.package}/etc/suricata/threshold.config";
612
+
description = "Suricata threshold configuration file";
615
+
includes = mkOption {
616
+
type = with types; nullOr (listOf path);
619
+
Files to include in the suricata configuration. See
620
+
[docs/configuration/suricata-yaml](https://docs.suricata.io/en/suricata-7.0.3/configuration/suricata-yaml.html)
621
+
for available options.