Feature #4242
openconfig: support predefined default configuration profiles
Description
The idea is that Suricata can run in various scenarios: a pure IDS engine (alert generator), NSM (all logs), IPS. Each have their own set of recommended config settings. This ticket is about adding explicit profiles:
E.g. --profile=ids
or --profile=nsm
.
Feature | IDS | NSM | IPS | Notes |
---|---|---|---|---|
stream midstream | disabled | enabled | disabled | |
stream async | disabled | enabled | disabled | |
stream depth | 1mb | unlimited | ?? | IDS rules are generally written with a limit in mind |
stream events | enabled | disabled? | enabled | Noisy |
eve protocol logging | only in alerts | enabled | only in alerts | eve protocol logging is expensive |
Updated by Jason Ish almost 4 years ago
For profiles you have examples of "ids", "nsm" and "ips"? Would it not be true that you may want to run "ips" in an "ids" configuration or an "nsm" configuration as well?
The stream alerts is tricky. I often here users disable them, or as part of post-processing shuffled away into storage and only looked at as part of a larger investigation. I wonder if that makes them more applicable to "nsm" rather than "ids", or even part of a forensics profile. I guess anything to do with stream alerts should also handle stream anomaly logs as well?
Updated by Philippe Antoine 6 months ago
- Assignee set to OISF Dev
- Target version set to TBD