Suricata policy settings
The configuration options mentioned in Suricata configuration can be changed with the following settings:
# Suricata ruleset processing
suricata:
  corelight_recommended_disable: true
  corelight_recommended_enable: true
  corelight_recommended_modify: true
  write_disabled_rules: false
  ip_extraction: true
  ip_do_notice: true
  ja3_extraction: true
  ja3_do_notice: true
  test_ruleset: true
  fail_on_ruleset_error: false
  remote_conf_files:
    - name:
      url:
      auth_type:
      auth_token:
      auth_token_header:
      username:
      encrypted_pass:
      ignore_tls: false
Atomic rule extraction
Currently, only IP-based and JA3-based rules can be extracted. An IP-based rule is extracted only if its header contains a literal IP address or subnet; a rule whose source and destination are given only by address-group variables (such as $HOME_NET) carries no concrete indicator and is not extracted.
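The following is an added illustration of the extraction condition just described; it is not Corelight-update's implementation, and the rule grammar it handles (the standard Suricata header plus the ja3.hash / ja3_hash content keyword) and the sample rules are my own constructions. It shows which parts of a rule yield an extractable IP or JA3 indicator and why a rule built only from address-group variables is left alone.

```python
"""Added illustration of atomic rule extraction (hypothetical; not Corelight-update code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Suricata rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# ja3.hash (Suricata 5+) or the older ja3_hash keyword, followed by a 32-hex-digit content match
JA3_RE = re.compile(r"ja3[._]hash\s*;\s*content\s*:\s*\"([0-9a-fA-F]{32})\"")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass
class Atomic:
    sid: Optional[int]
    ips: List[str] = field(default_factory=list)   # literal IPs/CIDRs found in the header
    ja3: List[str] = field(default_factory=list)   # JA3 hashes found in the options

    @property
    def extractable(self) -> bool:
        return bool(self.ips or self.ja3)


def literal_addresses(addr_field: str) -> List[str]:
    """Literal IPs/CIDRs in one header address field.

    Address-group variables ($HOME_NET), 'any' and negated entries (!x) carry no
    concrete indicator, so they are skipped; nested brackets are flattened.
    """
    out = []
    for token in re.sub(r"[\[\]]", "", addr_field).split(","):
        token = token.strip()
        if not token or token[0] in "!$" or token == "any":
            continue
        try:
            out.append(str(ipaddress.ip_network(token, strict=False)))  # 192.0.2.1 -> 192.0.2.1/32
        except ValueError:
            continue
    return out


def classify(rule: str) -> Optional[Atomic]:
    """Return what could be extracted from one rule, or None if the header does not parse."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    sid = SID_RE.search(m["opts"])
    return Atomic(
        sid=int(sid.group(1)) if sid else None,
        ips=literal_addresses(m["src"]) + literal_addresses(m["dst"]),
        ja3=[h.lower() for h in JA3_RE.findall(m["opts"])],
    )


def extract_atomics(rules: List[str]) -> Tuple[List[Atomic], List[str]]:
    """Split a ruleset into extractable atomics and the rules that stay as ordinary rules."""
    atomics, remaining = [], []
    for rule in rules:
        a = classify(rule)
        if a is not None and a.extractable:
            atomics.append(a)
        else:
            remaining.append(rule)
    return atomics, remaining


# Constructed sample rules using documentation address ranges; not taken from any real ruleset.
SAMPLE_RULES = [
    'alert ip $HOME_NET any -> 198.51.100.7 any (msg:"beacon to known C2"; sid:9000001; rev:1;)',
    'alert ip any any -> [203.0.113.0/24,!203.0.113.9] any (msg:"bad range"; sid:9000002; rev:1;)',
    'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"malicious JA3"; ja3.hash; '
    'content:"e7d705a3286e19ea42f587b344ee6865"; sid:9000003; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"groups only"; content:"evil"; sid:9000004; rev:1;)',
]

if __name__ == "__main__":
    found, left = extract_atomics(SAMPLE_RULES)
    for a in found:
        print(f"sid {a.sid}: ips={a.ips} ja3={a.ja3}")
    print(f"{len(left)} rule(s) not extracted")
```

Only sid 9000004 stays behind: its addresses are all address-group variables and it has no JA3 hash, which is exactly the case the note says is not extracted. A negated entry such as !203.0.113.9 is also skipped, since "not this host" is not an indicator you can match on its own.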
Remote config files
If you maintain a centralized set of Suricata configuration files for ruleset tuning and management, you can configure Corelight-update to download them automatically from a remote source and apply them to the sensors connected to Corelight-update.
The Suricata configuration files disable.conf, enable.conf and modify.conf can be applied at the global level and at the policy level.
To learn about the processing order, see Order of operations.
For information about setting Suricata configuration files at the Global level, see Global configuration and policy settings.
For example, to pull a modify.conf file from GitHub:
remote_conf_files:
  - name: modify.conf
    url: https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf
    auth_type: basic
    auth_token: ""
    auth_token_header:
    username: fakeuser
    encrypted_pass: 8946af417b8c3a13358ac42e6f6fbb3f256e2f5cc778a08...
    ignore_tls: false
The supported authentication types are no auth, basic, or token. When using the no auth option, leave the auth_type field empty. For basic, fill in username and encrypted_pass; for token, fill in auth_token and auth_token_header. Keep ignore_tls at false unless you have no other way to validate an internal source's certificate: with TLS checks ignored, anyone in the network path to the download could substitute a disable.conf or modify.conf that silently turns off or alters detections.
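As an added illustration (not Corelight-update's code), the following shows how one remote_conf_files entry maps onto an authenticated HTTPS download and pre-flights a list of entries before anything is fetched. Assumptions are my own: auth_token_header names the request header that carries auth_token, ignore_tls means skipping certificate and hostname verification, and the plaintext behind encrypted_pass is supplied separately because the page does not describe how it is decrypted. The entries are constructed; the first mirrors the page's example.

```python
"""Added illustration of remote_conf_files handling (hypothetical; not Corelight-update code)."""
import base64
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPPORTED_AUTH = ("", "basic", "token")  # "" is the documented "no auth" option
SUPPORTED_FILES = {"disable.conf", "enable.conf", "modify.conf", "suricata.yaml",
                   "classification.config", "reference.config", "threshold.config"}


@dataclass
class Download:
    name: str
    url: str
    headers: Dict[str, str]
    verify_tls: bool


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credential: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def prepare_download(entry: dict, password: Optional[str] = None) -> Download:
    """Validate one entry and build its request headers.

    `password` is the plaintext behind encrypted_pass (assumption: decrypted elsewhere).
    """
    name = entry.get("name") or ""
    url = entry.get("url") or ""
    auth_type = (entry.get("auth_type") or "").lower()
    if name not in SUPPORTED_FILES:
        raise ValueError(f"{name!r} is not a supported Suricata configuration file")
    if auth_type not in SUPPORTED_AUTH:
        raise ValueError(f"unsupported auth_type {auth_type!r}")
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError(f"bad url {url!r}")
    if auth_type and not url.lower().startswith("https://"):
        # Added safety check: never send credentials over plaintext HTTP.
        raise ValueError("credentials configured but url is not https")
    headers: Dict[str, str] = {}
    if auth_type == "basic":
        if not entry.get("username") or password is None:
            raise ValueError("basic auth needs username and encrypted_pass")
        headers["Authorization"] = basic_auth_header(entry["username"], password)
    elif auth_type == "token":
        if not entry.get("auth_token") or not entry.get("auth_token_header"):
            raise ValueError("token auth needs auth_token and auth_token_header")
        headers[entry["auth_token_header"]] = entry["auth_token"]  # assumed header semantics
    return Download(name, url, headers, verify_tls=not bool(entry.get("ignore_tls", False)))


def tls_context(dl: Download) -> ssl.SSLContext:
    """ignore_tls: true (assumed meaning) drops both chain and hostname checks."""
    ctx = ssl.create_default_context()
    if not dl.verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # anyone on the path can now serve a rogue file
    return ctx


def fetch(dl: Download, timeout: float = 30.0) -> bytes:
    """Perform the download (needs network; not exercised by the offline checks)."""
    req = urllib.request.Request(dl.url, headers=dl.headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout, context=tls_context(dl)) as resp:
        return resp.read()


def check_entries(entries: List[dict], secrets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pre-flight lint: (name, problem) for every entry that would fail to download."""
    problems = []
    for e in entries:
        try:
            prepare_download(e, secrets.get(e.get("name", "")))
        except ValueError as err:
            problems.append((e.get("name", "?"), str(err)))
    return problems


# Constructed entries; the first mirrors the page's GitHub example.
ENTRIES = [
    {"name": "modify.conf", "url": "https://raw.githubusercontent.com/fakeuser/conf/main/modify.conf",
     "auth_type": "basic", "auth_token": "", "auth_token_header": None,
     "username": "fakeuser", "encrypted_pass": "<ciphertext>", "ignore_tls": False},
    {"name": "disable.conf", "url": "https://conf.example.internal/disable.conf",
     "auth_type": "token", "auth_token": "tok-123", "auth_token_header": "X-Api-Key",
     "ignore_tls": True},
    {"name": "threshold.config", "url": "http://conf.example.internal/threshold.config",
     "auth_type": "basic", "username": "svc", "encrypted_pass": "<ciphertext>"},
]

if __name__ == "__main__":
    for name, problem in check_entries(ENTRIES, {"modify.conf": "correct horse", "threshold.config": "pw"}):
        print(f"{name}: {problem}")
```

Only the third entry is rejected: it has Basic credentials but a plain-http URL. The second entry passes the lint yet has ignore_tls set, so tls_context() would build a context with no certificate checks; that is the trade-off the ignore_tls flag asks you to accept for a file that can disable rules on every connected sensor.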
Supported Suricata configuration files include:
disable.conf
enable.conf
modify.conf
suricata.yaml
classification.config
reference.config
threshold.config