Policy configuration and settings

The individual policies control what content can be pushed to sensors, what integrations are enabled, and how to process Suricata rulesets.

Policy settings

Corelight core packages use input files to manage whitelists for package tuning. If default_input is enabled, templates for those input files will be copied to the local-input folder. See Locally managed sources below for the path.

Every time a new intel file or Suricata ruleset is generated, a copy of the file with the current timestamp is also created. The retention of the timestamped copies can be independently controlled with the following settings (in hours):

settings:
  default_input:         true
  intel_file_cleanup:    true
  max_intel_file_age:    24
  suricata_file_cleanup: true
  max_suricata_file_age: 48
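To make the two retention settings concrete, here is an added example (not Corelight-update's own code) that applies intel_file_cleanup, max_intel_file_age, suricata_file_cleanup and max_suricata_file_age to a set of timestamped copies. It assumes, since the page does not say, that a copy's age is measured from its modification time and that copies sit beside the generated file under the name `<file>.<timestamp>`; the settings dict and the file listings are constructed.

```python
"""Retention of timestamped intel/Suricata copies (added example)."""
import os
import time

# Constructed settings, in the shape of the policy settings shown above.
SETTINGS = {
    "intel_file_cleanup": True,
    "max_intel_file_age": 24,      # hours
    "suricata_file_cleanup": True,
    "max_suricata_file_age": 48,   # hours
}


def expired_copies(entries, cleanup_enabled, max_age_hours, now):
    """Return the names of timestamped copies older than max_age_hours.

    entries: iterable of (name, mtime_epoch_seconds). When the cleanup
    toggle is off nothing is selected, whatever the age of the copies.
    """
    if not cleanup_enabled:
        return []
    cutoff = now - max_age_hours * 3600
    return sorted(name for name, mtime in entries if mtime < cutoff)


def plan_cleanup(settings, intel_entries, suricata_entries, now=None):
    """Apply both retention settings; returns {kind: [names to delete]}."""
    now = time.time() if now is None else now
    return {
        "intel": expired_copies(intel_entries, settings["intel_file_cleanup"],
                                settings["max_intel_file_age"], now),
        "suricata": expired_copies(suricata_entries, settings["suricata_file_cleanup"],
                                   settings["max_suricata_file_age"], now),
    }


def scan_dir(path, prefix):
    """List (name, mtime) for timestamped copies of `prefix` in `path`.

    Assumption: a copy is any file named `<prefix>.<something>`; the live
    file (named exactly `prefix`) is never a deletion candidate.
    """
    return [(n, os.stat(os.path.join(path, n)).st_mtime)
            for n in os.listdir(path) if n.startswith(prefix + ".")]


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    hour = 3600
    intel = [("intel.dat.a", now - 2 * hour), ("intel.dat.b", now - 30 * hour)]
    suri = [("suricata.rules.a", now - 47 * hour), ("suricata.rules.b", now - 49 * hour)]
    print(plan_cleanup(SETTINGS, intel, suri, now))
```

With the constructed listings, only intel.dat.b (30 h old against a 24 h limit) and suricata.rules.b (49 h old against a 48 h limit) are selected; setting either cleanup toggle to false keeps every copy for that kind regardless of age.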

Push content settings

You can use Corelight-update to push content to your Corelight Sensors. It supports both Fleet-managed and stand-alone sensors. To push content to sensors, it must be enabled in a policy. Pushing content is disabled by default.

Once pushing content is enabled at the policy level, it can be overridden for non-Fleet-managed sensors at the individual sensor level in the inventory file assigned to that policy. See Policy inventory settings for details.

The policy settings for pushing content are:

# Push Content to Sensors
push_content:
    intel:            false
    input:            false
    package_bundle:   false
    suricata:         false
    suricata_configs: false

Tip: Force Pushing Content

By default, Corelight-update will only push new content to sensors. If you add a sensor to the policy, no content is pushed to it until new content is generated. You can use the CLI to force push existing content to sensors. See CLI commands for details.

Locally managed sources

In addition to downloading content from external sources for your sensors, Corelight-update also accepts locally sourced content and configurations. Corelight-update provides global-level and policy-level folders where you can place content for distribution to your sensors:

/etc/corelight-update/configs/<policy>/local-input
/etc/corelight-update/configs/<policy>/local-intel
/etc/corelight-update/configs/<policy>/local-suricata
/etc/corelight-update/global/global-input
/etc/corelight-update/global/global-intel
/etc/corelight-update/global/global-suricata

For example, if an intel file is placed in the global-intel folder, the contents are added to the intel.dat file for all policies. If an intel file is placed in a policy local-intel folder, the contents are automatically added to the intel.dat file only for that policy.

  • When using the local-intel folder, the content must be in a Zeek or Bro compatible format. For local-suricata, the content must be in the Suricata rule format.
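The merge of global-intel and local-intel files into one intel.dat is easy to get wrong by hand: Zeek's Intel framework reads a tab-separated file with a single #fields header, and one line with the wrong column count, spaces instead of tabs, or an unknown indicator_type stops the whole file from loading. The following is an added example, not Corelight-update's own merge logic, that validates each file and produces one consistent intel.dat. The sample intel files are constructed; the column names follow the Zeek intel format (indicator, indicator_type, meta.source are required; meta.desc and meta.do_notice are optional metadata), and deduplicating identical (indicator, type, source) rows with the first occurrence winning is this example's own choice.

```python
"""Merge Zeek/Bro-format intel files into one intel.dat (added example)."""

REQUIRED = ("indicator", "indicator_type", "meta.source")
# Indicator types understood by Zeek's Intel framework.
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}


def parse_intel(text, origin):
    """Return (fields, rows) for one intel file; raise on structural faults."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError(f"{origin}: missing tab-separated #fields header")
    fields = lines[0].split("\t")[1:]
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError(f"{origin}: header lacks {missing}")
    rows = []
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and other '#' directives are skipped
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"{origin}:{n}: {len(cols)} columns, header has {len(fields)}")
        row = dict(zip(fields, cols))
        if row["indicator_type"] not in KNOWN_TYPES:
            raise ValueError(f"{origin}:{n}: unknown indicator_type {row['indicator_type']!r}")
        rows.append(row)
    return fields, rows


def merge_intel(sources):
    """sources: list of (origin, text), global files first. Returns intel.dat text.

    Column sets are unioned so the output has one header; values a file
    did not carry are written as '-', and an identical (indicator, type,
    source) triple seen again (e.g. the same row in global and local) is
    kept once, first occurrence winning.
    """
    parsed = [parse_intel(text, origin) for origin, text in sources]
    fields = list(REQUIRED)
    for f, _ in parsed:
        fields += [c for c in f if c not in fields]
    seen, out = set(), ["#fields\t" + "\t".join(fields)]
    for _, rows in parsed:
        for row in rows:
            key = (row["indicator"], row["indicator_type"], row["meta.source"])
            if key in seen:
                continue
            seen.add(key)
            out.append("\t".join(row.get(c, "-") for c in fields))
    return "\n".join(out) + "\n"


# Constructed sample files: one global, one policy-local, different columns.
GLOBAL_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\tglobal-feed\tconstructed example\n"
    "bad.example\tIntel::DOMAIN\tglobal-feed\tconstructed example\n"
)
LOCAL_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "bad.example\tIntel::DOMAIN\tglobal-feed\tT\n"  # repeats a global row
    "198.51.100.9\tIntel::ADDR\tpolicy-a\tT\n"
)

if __name__ == "__main__":
    print(merge_intel([("global-intel/feed.intel", GLOBAL_INTEL),
                       ("local-intel/site.intel", LOCAL_INTEL)]), end="")
```

Running it on the constructed files yields a header with five columns and three rows; a file whose header is separated by spaces, or a row whose indicator_type is misspelled, is rejected with the file name and line number rather than silently corrupting the policy's intel.dat.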

The following functions do not require any additional configuration:

  • Any file placed in the global-intel folder is added to all policies as an intel file.

  • Any file placed in a local-intel folder is added to that policy as an intel file.

  • All Zeek- or Bro-compatible files in the global-intel or local-intel folders, or generated by an enabled integration, are automatically merged into a single intel.dat file.

  • Any “.rules” or “.rules.tar.gz” ruleset files placed in the global-suricata folder are available to all policies.

  • Any “.rules” or “.rules.tar.gz” ruleset placed in a local-suricata folder is available to that policy.

  • Any of the following Suricata configuration files placed in the root of the policy folder are used when testing the Suricata ruleset:

    • suricata.yaml

    • classification.config

    • reference.config

    • threshold.config

  • Any file placed in a local-input folder is automatically pushed to sensors in that policy (if push_input is enabled).

  • Any file placed in the global-input folder that is not in the local-input folder is pushed to sensors (if push_input is enabled).
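The input and Suricata bullets above define which locally managed files a policy's sensors actually receive: every local-input file, global-input files not shadowed by a local one, and only “.rules” / “.rules.tar.gz” files from the two suricata folders. Here is an added example (not Corelight-update's own code) that applies those rules and builds the paths from the layout listed above. It assumes that a local-input file shadows a global-input file by matching file name, which the page implies but does not state; the folder listings in the demo are constructed.

```python
"""Which locally managed files reach a policy's sensors (added example)."""
import os

RULESET_SUFFIXES = (".rules", ".rules.tar.gz")


def resolve_input_push_set(global_names, local_names):
    """Return {filename: "local-input" | "global-input"} for one policy.

    Every local-input file is pushed; a global-input file is pushed only
    when no local-input file carries the same name (assumed match key).
    """
    chosen = {name: "local-input" for name in local_names}
    for name in global_names:
        chosen.setdefault(name, "global-input")
    return dict(sorted(chosen.items()))


def collect_rulesets(global_names, local_names):
    """Return the (origin, filename) rulesets a policy can use.

    Only ".rules" and ".rules.tar.gz" files count; anything else in the
    suricata folders (notes, editor backups) is ignored.
    """
    found = []
    for origin, names in (("global-suricata", global_names),
                          ("local-suricata", local_names)):
        found += [(origin, n) for n in sorted(names) if n.endswith(RULESET_SUFFIXES)]
    return found


def policy_dirs(policy, root="/etc/corelight-update"):
    """Folder paths for one policy, following the layout listed above."""
    cfg = os.path.join(root, "configs", policy)
    glob = os.path.join(root, "global")
    return {
        "global-input": os.path.join(glob, "global-input"),
        "local-input": os.path.join(cfg, "local-input"),
        "global-suricata": os.path.join(glob, "global-suricata"),
        "local-suricata": os.path.join(cfg, "local-suricata"),
    }


def _names(path):
    return os.listdir(path) if os.path.isdir(path) else []


def plan_policy(policy, root="/etc/corelight-update"):
    """Scan the real folders (if present) and report what would be distributed."""
    d = policy_dirs(policy, root)
    return {
        "input": resolve_input_push_set(_names(d["global-input"]), _names(d["local-input"])),
        "suricata": collect_rulesets(_names(d["global-suricata"]), _names(d["local-suricata"])),
    }


if __name__ == "__main__":
    # Constructed folder listings standing in for one policy's folders.
    g_in = ["ssl_whitelist.tsv", "dns_allowlist.tsv"]
    l_in = ["ssl_whitelist.tsv"]            # shadows the global copy
    g_su = ["emerging-all.rules.tar.gz", "README.md"]
    l_su = ["site.rules", "site.rules.bak"]
    print(resolve_input_push_set(g_in, l_in))
    print(collect_rulesets(g_su, l_su))
    print(policy_dirs("policy-a"))
```

Running plan_policy("policy-a") on a host where the folders exist gives a quick pre-push check of exactly which whitelist and ruleset files a policy will distribute, and which global files a policy-level copy has overridden.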

To review the order that the configurations are processed in, see Order of operations.

Integrated content feed settings

See Third-party integrations settings for details on the available content integrations.

Suricata settings

See Suricata configuration for details about Suricata rule management and optimization.

Policy sources

See Policy sources for details on configuring policy sources.