nixos/suricata: add description fields for configuration
This commit is contained in:
parent
8dc497720d
commit
9e608d46a9
@ -31,21 +31,96 @@ in
|
|||||||
type = (
|
type = (
|
||||||
types.submodule {
|
types.submodule {
|
||||||
options = {
|
options = {
|
||||||
HOME_NET = mkOption { default = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"; };
|
HOME_NET = mkOption {
|
||||||
EXTERNAL_NET = mkOption { default = "!$HOME_NET"; };
|
default = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]";
|
||||||
HTTP_SERVERS = mkOption { default = "$HOME_NET"; };
|
description = ''
|
||||||
SMTP_SERVERS = mkOption { default = "$HOME_NET"; };
|
HOME_NET variable.
|
||||||
SQL_SERVERS = mkOption { default = "$HOME_NET"; };
|
'';
|
||||||
DNS_SERVERS = mkOption { default = "$HOME_NET"; };
|
};
|
||||||
TELNET_SERVERS = mkOption { default = "$HOME_NET"; };
|
EXTERNAL_NET = mkOption {
|
||||||
AIM_SERVERS = mkOption { default = "$EXTERNAL_NET"; };
|
default = "!$HOME_NET";
|
||||||
DC_SERVERS = mkOption { default = "$HOME_NET"; };
|
description = ''
|
||||||
DNP3_SERVER = mkOption { default = "$HOME_NET"; };
|
EXTERNAL_NET variable.
|
||||||
DNP3_CLIENT = mkOption { default = "$HOME_NET"; };
|
'';
|
||||||
MODBUS_CLIENT = mkOption { default = "$HOME_NET"; };
|
};
|
||||||
MODBUS_SERVER = mkOption { default = "$HOME_NET"; };
|
HTTP_SERVERS = mkOption {
|
||||||
ENIP_CLIENT = mkOption { default = "$HOME_NET"; };
|
default = "$HOME_NET";
|
||||||
ENIP_SERVER = mkOption { default = "$HOME_NET"; };
|
description = ''
|
||||||
|
HTTP_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
SMTP_SERVERS = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
SMTP_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
SQL_SERVERS = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
SQL_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
DNS_SERVERS = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
DNS_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
TELNET_SERVERS = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
TELNET_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
AIM_SERVERS = mkOption {
|
||||||
|
default = "$EXTERNAL_NET";
|
||||||
|
description = ''
|
||||||
|
AIM_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
DC_SERVERS = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
DC_SERVERS variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
DNP3_SERVER = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
DNP3_SERVER variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
DNP3_CLIENT = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
DNP3_CLIENT variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
MODBUS_CLIENT = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
MODBUS_CLIENT variable
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
MODBUS_SERVER = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
MODBUS_SERVER variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
ENIP_CLIENT = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
ENIP_CLIENT variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
ENIP_SERVER = mkOption {
|
||||||
|
default = "$HOME_NET";
|
||||||
|
description = ''
|
||||||
|
ENIP_SERVER variable.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
@ -97,6 +172,9 @@ in
|
|||||||
}
|
}
|
||||||
);
|
);
|
||||||
default = { }; # add default values to config
|
default = { }; # add default values to config
|
||||||
|
description = ''
|
||||||
|
Variables to be used within the suricata rules.
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
stats = mkOption {
|
stats = mkOption {
|
||||||
@ -142,13 +220,16 @@ in
|
|||||||
};
|
};
|
||||||
});
|
});
|
||||||
default = null; # do not add to config unless specified
|
default = null; # do not add to config unless specified
|
||||||
|
description = ''
|
||||||
|
Engine statistics such as packet counters, memory use counters and others can be logged in several ways. A separate text log 'stats.log' and an EVE record type 'stats' are enabled by default.
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
plugins = mkOption {
|
plugins = mkOption {
|
||||||
type = with types; nullOr (listOf path);
|
type = with types; nullOr (listOf path);
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Plugins -- Experimental -- specify the filename for each plugin shared object
|
Plugins -- Experimental -- specify the filename for each plugin shared object.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -282,7 +363,7 @@ in
|
|||||||
];
|
];
|
||||||
default = "info";
|
default = "info";
|
||||||
description = ''
|
description = ''
|
||||||
Loglevel for logs written to the logfile
|
Loglevel for logs written to the logfile.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -290,7 +371,7 @@ in
|
|||||||
type = types.str;
|
type = types.str;
|
||||||
default = "suricata.log";
|
default = "suricata.log";
|
||||||
description = ''
|
description = ''
|
||||||
Filename of the logfile
|
Filename of the logfile.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -298,7 +379,7 @@ in
|
|||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Logformat for logs written to the logfile
|
Logformat for logs written to the logfile.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -306,7 +387,7 @@ in
|
|||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Type of logfile
|
Type of logfile.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -317,7 +398,7 @@ in
|
|||||||
type = types.str;
|
type = types.str;
|
||||||
default = "local5";
|
default = "local5";
|
||||||
description = ''
|
description = ''
|
||||||
Facility to log to
|
Facility to log to.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -325,7 +406,7 @@ in
|
|||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Logformat for logs send to syslog
|
Logformat for logs send to syslog.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -333,7 +414,7 @@ in
|
|||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Type of logs send to syslog
|
Type of logs send to syslog.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -350,13 +431,16 @@ in
|
|||||||
interface = mkOption {
|
interface = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
af-packet capture interface, see [upstream docs reagrding tuning](https://docs.suricata.io/en/latest/performance/tuning-considerations.html#af-packet).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Linux high speed capture support
|
Linux high speed capture support.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -370,6 +454,9 @@ in
|
|||||||
interface = mkOption {
|
interface = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
af-xdp capture interface, see [upstream docs](https://docs.suricata.io/en/latest/capture-hardware/af-xdp.html).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
@ -377,7 +464,7 @@ in
|
|||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Linux high speed af-xdp capture support, see
|
Linux high speed af-xdp capture support, see
|
||||||
[docs/capture-hardware/af-xdp](https://docs.suricata.io/en/suricata-7.0.3/capture-hardware/af-xdp.html)
|
[docs/capture-hardware/af-xdp](https://docs.suricata.io/en/suricata-7.0.3/capture-hardware/af-xdp.html).
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -389,6 +476,9 @@ in
|
|||||||
eal-params.proc-type = mkOption {
|
eal-params.proc-type = mkOption {
|
||||||
type = with types; nullOr str;
|
type = with types; nullOr str;
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
dpdk eal-params.proc-type, see [data plane development kit docs](https://doc.dpdk.org/guides/linux_gsg/linux_eal_parameters.html#multiprocessing-related-options).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
interfaces = mkOption {
|
interfaces = mkOption {
|
||||||
type =
|
type =
|
||||||
@ -400,18 +490,26 @@ in
|
|||||||
interface = mkOption {
|
interface = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
See upstream docs: [docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.7/capture-hardware/dpdk.html) and [docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk](https://docs.suricata.io/en/suricata-7.0.7/configuration/suricata-yaml.html#data-plane-development-kit-dpdk).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
See upstream docs: [docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.7/capture-hardware/dpdk.html) and [docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk](https://docs.suricata.io/en/suricata-7.0.7/configuration/suricata-yaml.html#data-plane-development-kit-dpdk).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
DPDK capture support, see
|
Data Plane Development Kit is a framework for fast packet processing in data plane applications running on a wide variety of CPU architectures. DPDK's Environment Abstraction Layer (EAL) provides a generic interface to low-level resources. It is a unique way how DPDK libraries access NICs. EAL creates an API for an application to access NIC resources from the userspace level. In DPDK, packets are not retrieved via interrupt handling. Instead, the application polls the NIC for newly received packets.
|
||||||
[docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.3/capture-hardware/dpdk.html)
|
|
||||||
|
DPDK allows the user space application to directly access memory where the NIC stores the packets. As a result, neither DPDK nor the application copies the packets for the inspection. The application directly processes packets via passed packet descriptors.
|
||||||
|
See [docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.7/capture-hardware/dpdk.html) and [docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk](https://docs.suricata.io/en/suricata-7.0.7/configuration/suricata-yaml.html#data-plane-development-kit-dpdk).
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -425,13 +523,16 @@ in
|
|||||||
interface = mkOption {
|
interface = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
pcap capture interface, see [upstream docs](https://docs.suricata.io/en/latest/manpages/suricata.html).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Cross platform libpcap capture support
|
Cross platform libpcap capture support.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -448,7 +549,7 @@ in
|
|||||||
- no: checksum validation is disabled
|
- no: checksum validation is disabled
|
||||||
- auto: Suricata uses a statistical approach to detect when
|
- auto: Suricata uses a statistical approach to detect when
|
||||||
checksum off-loading is used. (default)
|
checksum off-loading is used. (default)
|
||||||
Warning: 'checksum-validation' must be set to yes to have checksum tested
|
Warning: 'checksum-validation' must be set to yes to have checksum tested.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -498,22 +599,28 @@ in
|
|||||||
})
|
})
|
||||||
);
|
);
|
||||||
default = null;
|
default = null;
|
||||||
|
description = ''
|
||||||
|
app-layer protocols, see [upstream docs](https://docs.suricata.io/en/latest/rules/app-layer.html).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
default = null; # do not add to config unless specified
|
default = null; # do not add to config unless specified
|
||||||
|
description = ''
|
||||||
|
app-layer configuration, see [upstream docs](https://docs.suricata.io/en/latest/rules/app-layer.html).
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
"run-as" = {
|
"run-as" = {
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "suricata";
|
default = "suricata";
|
||||||
description = "Run Suricata with a specific user-id";
|
description = "Run Suricata with a specific user-id.";
|
||||||
};
|
};
|
||||||
group = mkOption {
|
group = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "suricata";
|
default = "suricata";
|
||||||
description = "Run Suricata with a specific group-id";
|
description = "Run Suricata with a specific group-id.";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -540,10 +647,16 @@ in
|
|||||||
enabled = mkOption {
|
enabled = mkOption {
|
||||||
type = types.either types.bool (types.enum [ "auto" ]);
|
type = types.either types.bool (types.enum [ "auto" ]);
|
||||||
default = "auto";
|
default = "auto";
|
||||||
|
description = ''
|
||||||
|
Enable unix-command socket.
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
filename = mkOption {
|
filename = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
default = "/run/suricata/suricata-command.socket";
|
default = "/run/suricata/suricata-command.socket";
|
||||||
|
description = ''
|
||||||
|
Filename for unix-command socket.
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
@ -585,31 +698,33 @@ in
|
|||||||
"default-rule-path" = mkOption {
|
"default-rule-path" = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
default = "/var/lib/suricata/rules";
|
default = "/var/lib/suricata/rules";
|
||||||
description = "Path in which suricata-update managed rules are stored by default";
|
description = "Path in which suricata-update managed rules are stored by default.";
|
||||||
};
|
};
|
||||||
|
|
||||||
"rule-files" = mkOption {
|
"rule-files" = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [ "suricata.rules" ];
|
default = [ "suricata.rules" ];
|
||||||
description = "Files to load suricata-update managed rules, relative to 'default-rule-path'";
|
description = "Files to load suricata-update managed rules, relative to 'default-rule-path'.";
|
||||||
};
|
};
|
||||||
|
|
||||||
"classification-file" = mkOption {
|
"classification-file" = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/var/lib/suricata/rules/classification.config";
|
default = "/var/lib/suricata/rules/classification.config";
|
||||||
description = "Suricata classification configuration file";
|
description = "Suricata classification configuration file.";
|
||||||
};
|
};
|
||||||
|
|
||||||
"reference-config-file" = mkOption {
|
"reference-config-file" = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "${cfg.package}/etc/suricata/reference.config";
|
default = "${cfg.package}/etc/suricata/reference.config";
|
||||||
description = "Suricata reference configuration file";
|
defaultText = "\${config.services.suricata.package}/etc/suricata/reference.config";
|
||||||
|
description = "Suricata reference configuration file.";
|
||||||
};
|
};
|
||||||
|
|
||||||
"threshold-file" = mkOption {
|
"threshold-file" = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "${cfg.package}/etc/suricata/threshold.config";
|
default = "${cfg.package}/etc/suricata/threshold.config";
|
||||||
description = "Suricata threshold configuration file";
|
defaultText = "\${config.services.suricata.package}/etc/suricata/threshold.config";
|
||||||
|
description = "Suricata threshold configuration file.";
|
||||||
};
|
};
|
||||||
|
|
||||||
includes = mkOption {
|
includes = mkOption {
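Review bot: The `interface` options that gain descriptions in the af-packet, af-xdp, dpdk and pcap hunks (starting at `@ -350,13 +431,16 @@`) keep `type = types.str;` next to `default = null;` on their unchanged context lines, and null does not satisfy `types.str`, so a submodule that omits `interface` fails option type-checking instead of getting a usable default; either drop the `default` so the attribute is required, or change it to `type = types.nullOr types.str;` and have the config generator skip null. In the first hunk the new address-group descriptions are placeholders (`HOME_NET variable.`); a description that tells the operator what the value does, e.g. `Address group treated as the internal network. Rules reference it as $HOME_NET (and its complement $EXTERNAL_NET) to decide traffic direction, so set it to the networks actually monitored rather than leaving the RFC 1918 default.`, would be more useful, and `MODBUS_CLIENT variable` lacks the trailing period its siblings have. The af-packet description also misspells "regarding" (`reagrding`), and the syslog descriptions keep "logs send to syslog" ("sent") even though the commit touched those lines to add punctuation. The dpdk hunk gives `interface` and `interfaces` the same description text; the per-interface one should say what the string is (the DPDK port or PCI address, if that is what Suricata expects here — worth confirming against the linked docs).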
|
||||||
|