Suricata: Add support for all available EVE types #8442
Conversation
0xThiebaut
force-pushed
the
suricata-types
branch
from
07f193c to
ff15041
Compare
0xThiebaut
force-pushed
the
suricata-types
branch
from
ff15041 to
f93f671
Compare
| #- netflow | ||
| extended: yes | ||
| {% elif opt == 'mqtt' and opt in eveLog_types_extended %} | ||
| passwords: yes # enable output of passwords |
There was a problem hiding this comment.
this feels like a possible security concern...
There was a problem hiding this comment.
I agree it is a security concern but due to the fact it transits in plaintext over the wire, not due to its logging. A similar already existing risk is the logging of HTTP headers which might contain bearer tokens and/or cookies.
If you nonetheless object to this specific logging, I can remove it from the fields supporting extended logging.
There was a problem hiding this comment.
@0xThiebaut that's true, let me think about this, adding an extra warning in the help text might be enough and more generic anyway.
| @@ -942,7 +895,7 @@ app-layer: | |||
| #encryption-handling: default | |||
|
|
|||
| pgsql: | |||
| enabled: no | |||
| enabled: {{ 'yes' if 'pgsql' in eveLog_types_enabled else 'no' }} | |||
There was a problem hiding this comment.
shouldn't this also move into the loop? I expect it duplicates the item now, or am I mistaken?
There was a problem hiding this comment.
I believe this is the engine's application layer configuration (i.e., used for detections), not related to the EVE logging configuration.
I don't think this (and following) causes duplicated logging entries.
There was a problem hiding this comment.
@0xThiebaut ok, thanks, I'll need to try this on my end before merging. these yaml files can be sensitive in my experience.
There was a problem hiding this comment.
Thanks, I really appreciate the time and care you're taking for community contributions!
There was a problem hiding this comment.
@0xThiebaut you're welcome, we can't pull-in everything, but do make an effort when possible.
| # Configure inspected-tracker for file_data keyword | ||
| inspected-tracker: | ||
| content-limit: 100000 | ||
| content-inspect-min-size: 32768 | ||
| content-inspect-window: 4096 | ||
| imap: | ||
| enabled: detection-only | ||
| enabled: {{ 'yes' if 'imap' in eveLog_types_enabled else 'detection-only' }} |
| @@ -1171,7 +1124,7 @@ app-layer: | |||
|
|
|||
| # DNP3 | |||
| dnp3: | |||
| enabled: no | |||
| enabled: {{ 'yes' if 'dnp3' in eveLog_types_enabled else 'no' }} | |||
| @@ -1192,7 +1145,7 @@ app-layer: | |||
| enabled: yes | |||
|
|
|||
| sip: | |||
| #enabled: yes | |||
| enabled: {{ 'yes' if 'sip' in eveLog_types_enabled else 'no' }} | |||
Add support for all available Suricata EVE types.
This PR avoids migrations for existing types (e.g.,
http,tls,alert,ssh, ...) and hence does not offer the best UX. A migration will be proposed at a later stage.