
Feature #4242

config: support predefined default configuration profiles

Added by Victor Julien almost 4 years ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

The idea is that Suricata can run in various scenarios: a pure IDS engine (alert generator), NSM (all logs), IPS. Each has its own set of recommended config settings. This ticket is about adding explicit profiles, e.g. --profile=ids or --profile=nsm.

WIP

| Feature              | IDS            | NSM       | IPS            | Notes                                                |
| stream midstream     | disabled       | enabled   | disabled       |                                                      |
| stream async         | disabled       | enabled   | disabled       |                                                      |
| stream depth         | 1mb            | unlimited | ??             | IDS rules are generally written with a limit in mind |
| stream events        | enabled        | disabled? | enabled        | Noisy                                                |
| eve protocol logging | only in alerts | enabled   | only in alerts | eve protocol logging is expensive                    |
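An added sketch, not part of the ticket and not Suricata code, of how the table's defaults could be layered under an explicit suricata.yaml so that anything the user set explicitly always wins (which also covers running IPS with an IDS- or NSM-style configuration). The stream.* keys are real suricata.yaml paths; the `profile.*` keys, the function names and the use of 0 for "unlimited" are assumptions made here.

```python
"""Constructed sketch (not Suricata code): layer profile defaults under an explicit config."""
import copy

# Defaults keyed by dotted suricata.yaml path. The stream.* keys are real settings;
# the last two table rows map to no single key, so 'profile.*' names are hypothetical.
# depth 0 stands for the table's "unlimited" (suricata.yaml uses 0 to disable the
# limit); the IPS depth is left out because the table marks it "??".
PROFILES = {
    "ids": {"stream.midstream": False, "stream.async-oneside": False,
            "stream.reassembly.depth": "1mb", "profile.stream-events": True,
            "profile.app-layer-logging": "alerts-only"},
    "nsm": {"stream.midstream": True, "stream.async-oneside": True,
            "stream.reassembly.depth": 0, "profile.stream-events": False,
            "profile.app-layer-logging": "all"},
    "ips": {"stream.midstream": False, "stream.async-oneside": False,
            "profile.stream-events": True, "profile.app-layer-logging": "alerts-only"},
}

def _get(cfg, path):
    """Return (found, value) for a dotted path inside a nested dict."""
    node = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def _set(cfg, path, value):
    """Set a leaf at a dotted path, creating intermediate dicts as needed."""
    *parents, leaf = path.split(".")
    node = cfg
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

def apply_profile(user_cfg, profile):
    """Copy of user_cfg with profile defaults filled in only where the user set
    nothing, so e.g. an IPS deployment can still opt into NSM-style logging."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}; choose from {sorted(PROFILES)}")
    merged = copy.deepcopy(user_cfg)
    for path, default in PROFILES[profile].items():
        if not _get(merged, path)[0]:
            _set(merged, path, default)
    return merged

def applied_defaults(user_cfg, profile):
    """Paths that apply_profile would fill from the profile (worth logging at startup)."""
    return sorted(p for p in PROFILES[profile] if not _get(user_cfg, p)[0])
```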
#1

Updated by Jason Ish almost 4 years ago

For profiles you have examples of "ids", "nsm" and "ips"? Would it not be true that you may want to run "ips" in an "ids" configuration or an "nsm" configuration as well?

The stream alerts are tricky. I often hear users disable them, or as part of post-processing shuffle them away into storage and only look at them as part of a larger investigation. I wonder if that makes them more applicable to "nsm" rather than "ids", or even part of a forensics profile. I guess anything to do with stream alerts should also handle stream anomaly logs as well?

#2

Updated by Philippe Antoine 6 months ago

  • Assignee set to OISF Dev
  • Target version set to TBD