Policy configuration and settings¶
The individual policies control what content can be pushed to sensors, what integrations are enabled, and how to process Suricata rulesets.
Policy settings¶
Corelight core packages use input files to manage whitelists for package tuning. If default_input is enabled, templates for those input files are copied to the local-input folder. See Locally managed sources below for the path.
Every time a new intel file or Suricata ruleset is generated, a copy of the file with the current timestamp is also created. Cleanup of these timestamped copies can be enabled separately for intel files and for Suricata rulesets, each with its own maximum age to retain (in hours):
settings:
  default_input: true
  intel_file_cleanup: true
  max_intel_file_age: 24
  suricata_file_cleanup: true
  max_suricata_file_age: 48
Push content settings¶
You can use Corelight-update to push content to your Corelight Sensors. It supports both Fleet-managed and stand-alone sensors. To push content to sensors, it must be enabled in a policy. Pushing content is disabled by default.
Once pushing content is enabled at the policy level, it can be overridden for non-Fleet-managed sensors at the individual sensor level in the inventory file assigned to that policy. See Policy inventory settings for details.
The policy settings for pushing content are:
# Push Content to Sensors
push_content:
intel: false
input: false
package_bundle: false
suricata: false
suricata_configs: false
Tip
Force Pushing Content
By default, Corelight-update will only push new content to sensors. If you add a sensor to the policy, no content is pushed to it until new content is generated. You can use the CLI to force push existing content to sensors. See CLI commands for details.
Locally managed sources¶
In addition to downloading content from external sources for your sensors, Corelight-update also accepts locally sourced content and configurations. Corelight-update provides input, intel, and Suricata folders at the global level and at the policy level, where you can place content for distribution to your sensors.
/etc/corelight-update/configs/<policy>/local-input
/etc/corelight-update/configs/<policy>/local-intel
/etc/corelight-update/configs/<policy>/local-suricata
/etc/corelight-update/global/global-input
/etc/corelight-update/global/global-intel
/etc/corelight-update/global/global-suricata
For example, if an intel file is placed in the global-intel folder, its contents are added to the intel.dat file for all policies. If an intel file is placed in a policy's local-intel folder, its contents are added to the intel.dat file only for that policy.
When using the local-intel folder, the content must be in a Zeek or Bro compatible format. For local-suricata, the content must be in the Suricata rule format.
The following functions do not require any additional configuration:
- Any file placed in the global-intel folder is added to all policies as an intel file.
- Any file placed in a local-intel folder is added to that policy as an intel file.
- All Zeek or Bro compatible formatted files in global-intel, in local-intel, or generated by an enabled integration are automatically merged into a single intel.dat file.
- Any “.rules” or “.rules.tar.gz” ruleset files placed in the global-suricata folder are available to all policies.
- Any “.rules” or “.rules.tar.gz” ruleset placed in a local-suricata folder is available to that policy.
- Any of the following Suricata configuration files placed in the root of the policy folder are used when testing the Suricata ruleset:
  - suricata.yaml
  - classification.config
  - reference.config
  - threshold.config
- Any file placed in a local-input folder is automatically pushed to sensors in that policy (if pushing input is enabled under push_content).
- Any file placed in the global-input folder is pushed to sensors in every policy unless that policy's local-input folder contains a file of the same name, in which case the local file takes precedence (again, only if pushing input is enabled under push_content).
To review the order that the configurations are processed in, see Order of operations.
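The following Python script is an added example and is not part of Corelight-update; it is a pre-flight check you can run over a policy's folders before a run. It verifies that a file destined for global-intel or local-intel is in Zeek intel format (tab-separated, with a #fields header naming at least indicator, indicator_type and meta.source, and a known indicator type on every row), and it shows which input files would be pushed for one policy given the rule above that a local-input file takes precedence over a global-input file of the same name. The required field names and indicator types are those of the Zeek Intel framework; the folder layout follows the paths listed above under a temporary root, and the sample file contents are constructed. The merging into intel.dat and the actual push are done by Corelight-update, not by this script.

```python
"""Pre-flight checks for locally managed Corelight-update sources.

Added example; this is not Corelight-update code. It lints files meant for the
global-intel / local-intel folders for Zeek intel format and shows which input
files would be pushed when local-input and global-input overlap.
"""
import tempfile
from pathlib import Path

# Fields every Zeek intel record needs; the #fields header must name them.
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")
# Indicator types defined by the Zeek Intel framework.
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}


def lint_intel(text: str) -> list[str]:
    """Return the problems found in a Zeek intel file; an empty list means OK."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["missing '#fields' header line"]
    fields = lines[0].split("\t")[1:]
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        return ["header lacks required field(s): " + ", ".join(missing)]
    type_col = fields.index("indicator_type")
    problems = []
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        cols = line.split("\t")  # Zeek intel files are tab-separated
        if len(cols) != len(fields):
            problems.append(f"line {n}: {len(cols)} columns, header has {len(fields)}")
        elif cols[type_col] not in KNOWN_TYPES:
            problems.append(f"line {n}: unknown indicator_type {cols[type_col]!r}")
    return problems


def resolve_input_files(global_input: Path, local_input: Path) -> dict[str, Path]:
    """Map each file name to the copy that would be pushed for one policy.

    A file in the policy's local-input folder takes precedence over a file of
    the same name in global-input; everything else in global-input is pushed.
    """
    chosen = {p.name: p for p in global_input.iterdir() if p.is_file()}
    chosen.update({p.name: p for p in local_input.iterdir() if p.is_file()})
    return chosen


# Constructed sample intel files (not real indicators).
GOOD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\tconstructed\tscanner\n"
    "bad.example\tIntel::DOMAIN\tconstructed\tc2\n"
)
BAD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "198.51.100.7 Intel::ADDR constructed\n"        # spaces instead of tabs
    "host.example\tIntel::HOSTNAME\tconstructed\n"  # no such indicator type
)


def demo() -> dict:
    """Run both checks against a constructed tree laid out like the documented folders."""
    root = Path(tempfile.mkdtemp())
    global_input = root / "global" / "global-input"
    local_input = root / "configs" / "example-policy" / "local-input"
    global_input.mkdir(parents=True)
    local_input.mkdir(parents=True)
    (global_input / "whitelist.txt").write_text("global\n")
    (global_input / "extra.txt").write_text("global\n")
    (local_input / "whitelist.txt").write_text("local\n")  # overrides the global copy
    chosen = resolve_input_files(global_input, local_input)
    return {
        "good_intel": lint_intel(GOOD_INTEL),
        "bad_intel": lint_intel(BAD_INTEL),
        "pushed": {name: p.read_text().strip() for name, p in sorted(chosen.items())},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script reports no problems for the well-formed file, flags the row that used spaces instead of tabs and the row with an unknown indicator type in the bad file, and shows whitelist.txt being taken from local-input while extra.txt comes from global-input. Point lint_intel at the files in your own global-intel and local-intel folders, and resolve_input_files at the real global-input and local-input paths, to catch format mistakes before Corelight-update merges the files into intel.dat.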
Integrated content feed settings¶
See Third-party integrations settings for details on the available content integrations.
Suricata settings¶
See Suricata configuration for details about Suricata rule management and optimization.
Policy sources¶
See Policy sources for details on configuring policy sources.