-
Notifications
You must be signed in to change notification settings - Fork 342
/
Copy pathcontrol_vars.conf
232 lines (213 loc) · 8.72 KB
/
control_vars.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
export CAPTURE_INTERFACE=lo
export CAPTURE_FILTER=
export PCAP_PATH=/home/sensor/net_cap
export PCAP_TCPDUMP_FILENAME_PATTERN=%Y%m%d_%H%M%S.pcap
export PCAP_NETSNIFF_MAGIC=0xa1b2c3d4
export PCAP_ROTATE_SECONDS=3600
export PCAP_ROTATE_MEGABYTES=4096
export PCAP_SNAPLEN=0
export PCAP_MAX_DISK_FILL=90
export PCAP_PRUNE_CHECK_SECONDS=60
export ARKIME_ECS_PROVIDER=arkime
export ARKIME_ECS_DATASET=session
export ARKIME_VIEWER_PORT=8005
export ARKIME_COMPRESSION_TYPE=zstd
export ARKIME_COMPRESSION_LEVEL=3
export ARKIME_PACKET_THREADS=2
export ARKIME_DB_BULK_SIZE=4000000
export ARKIME_MAGIC_MODE=basic
export ARKIME_MAX_PACKETS_IN_QUEUE=300000
export ARKIME_PCAP_WRITE_METHOD=simple
export ARKIME_PCAP_WRITE_SIZE=2560000
export ARKIME_PCAP_READ_METHOD=tpacketv3
export ARKIME_TPACKETV3_NUM_THREADS=2
export ARKIME_TPACKETV3_BLOCK_SIZE=8388608
# ARKIME_VIEWER_(CERT|KEY) are under "$SUPERVISOR_PATH"/arkime/
export ARKIME_VIEWER_CERT=viewer.crt
export ARKIME_VIEWER_KEY=viewer.key
# Password hash secret for Arkime viewer cluster (see https://arkime.com/settings)
export ARKIME_PASSWORD_SECRET=Malcolm
export ARKIME_FREESPACEG=7%
export ARKIME_ROTATE_INDEX=daily
export ARKIME_DEBUG_LEVEL=0
# AUTOSTART_EXTRACTED_FILE_HTTP_SERVER below controls whether or not to serve the
# directory containing Zeek-extracted over HTTP at ./extracted-files/
export EXTRACTED_FILE_HTTP_SERVER_PORT=8006
export EXTRACTED_FILE_HTTP_ASSETS_DIR=/opt/sensor/assets
# Whether or not Zeek-extracted files served over HTTP will be archived in a Zip file
export EXTRACTED_FILE_HTTP_SERVER_ZIP=false
# Specifies the password for encrypted Zeek-extracted files served over HTTP
# If EXTRACTED_FILE_HTTP_SERVER_ZIP is true this is the password for the Zip file,
# otherwise it is the AES-256-CBC decryption password
export EXTRACTED_FILE_HTTP_SERVER_KEY=infected
# Whether or not to use libmagic to show MIME types for Zeek-extracted files served
export EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
# HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved")
export EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true
# files used for FileBeat -> Logstash TLS and extracted file HTTP server
export BEAT_LS_SSL_CLIENT_CRT=/opt/sensor/sensor_ctl/logstash-client-certificates/client.crt
export BEAT_LS_SSL_CLIENT_KEY=/opt/sensor/sensor_ctl/logstash-client-certificates/client.key
export BEAT_LS_SSL_CA_CRT=/opt/sensor/sensor_ctl/logstash-client-certificates/ca.crt
export MALCOLM_REQUEST_ACL=
export MALCOLM_REQUEST_PORTS=$ARKIME_VIEWER_PORT,$EXTRACTED_FILE_HTTP_SERVER_PORT
# Comma-separated list of tags for data forwarded to Malcolm via filebeat, A-Za-z0-9._- allowed
export MALCOLM_EXTRA_TAGS=
export NETBOX_SITE=
export DOCUMENTATION_PORT=8420
export MISCBEAT_PORT=9516
export FLUENTBIT_METRICS_INTERVAL=30
export FLUENTBIT_THERMAL_INTERVAL=10
export FLUENTBIT_AIDE_INTERVAL=86400
export ZEEK_LOG_PATH=/home/sensor/zeek_logs
export ZEEK_MAX_DISK_FILL=90
export ZEEK_PRUNE_CHECK_SECONDS=90
# Zeek performance tuning
# See idaholab/Malcolm#475 and idaholab/Malcolm#36 for details)
# AF_Packet ring buffer size in bytes
export ZEEK_AF_PACKET_BUFFER_SIZE=67108864
# Zeek Workers
# default number of processes for each worker (if ZEEK_LB_PROCS_WORKER_n is unspecified)
# a value of '0' means "autocalculate based on the number of CPUs the system has"
export ZEEK_LB_PROCS_WORKER_DEFAULT=2
# automatically pin worker CPUs (default 'false')
export ZEEK_PIN_CPUS_WORKER_AUTO=false
# zeekdeploy.sh will also use these for workers (if present, where n is the number of capture interfaces):
# ZEEK_PIN_CPUS_WORKER_1 .. ZEEK_PIN_CPUS_WORKER_n
# ZEEK_LB_PROCS_WORKER_1 .. ZEEK_LB_PROCS_WORKER_n
# Zeek Loggers, Proxies, and Manager
# the number of processors for loggers
export ZEEK_LB_PROCS_LOGGER=1
# the number of processors for proxies
export ZEEK_LB_PROCS_PROXY=1
# automatically pin CPUs for manager, loggers, and proxies if possible (default false)
export ZEEK_PIN_CPUS_OTHER_AUTO=false
# ZEEK_PIN_CPUS_(LOGGER|MANAGER|PROXY) specify either a list of CPUs to pin for those
# respective processes (only used if ZEEK_PIN_CPUS_OTHER_AUTO is false)
export ZEEK_PIN_CPUS_LOGGER=
export ZEEK_PIN_CPUS_MANAGER=
export ZEEK_PIN_CPUS_PROXY=
# if ZEEK_LB_PROCS_WORKER_DEFAULT is '0' (autocalculate), exclude this
# number of CPUs from the autocalculation (defaults to
# 1 (kernel) + 1 (manager) + ZEEK_LB_PROCS_LOGGER + ZEEK_LB_PROCS_PROXY;
# may wish to increase as there are non-Zeek processes using CPU as well)
export ZEEK_LB_PROCS_CPUS_RESERVED=
export ZEEK_LOCAL_NETS=
export ZEEK_JSON=
export ZEEK_RULESET=local
export ZEEK_INTEL_REFRESH_ON_DEPLOY=true
export ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
export ZEEK_INTEL_ITEM_EXPIRATION=-1min
export ZEEK_INTEL_FEED_SINCE=
export INTEL_DIR=/opt/sensor/sensor_ctl/zeek/intel
export ZEEK_EXTRACTOR_MODE=none
export ZEEK_EXTRACTOR_OVERRIDE_FILE=
export EXTRACTED_FILE_MIN_BYTES=64
export EXTRACTED_FILE_MAX_BYTES=134217728
export EXTRACTED_FILE_PRESERVATION=quarantined
export ZEEK_DISABLE_STATS=true
export ZEEK_DISABLE_HASH_ALL_FILES=
export ZEEK_DISABLE_LOG_PASSWORDS=
export ZEEK_DISABLE_SSL_VALIDATE_CERTS=
export ZEEK_DISABLE_TRACK_ALL_ASSETS=
export ZEEK_DISABLE_DETECT_ROUTERS=true
export ZEEK_DISABLE_SPICY_IPSEC=
export ZEEK_DISABLE_SPICY_LDAP=
export ZEEK_DISABLE_SPICY_OPENVPN=
export ZEEK_DISABLE_SPICY_QUIC=true
export ZEEK_DISABLE_SPICY_STUN=
export ZEEK_DISABLE_SPICY_TAILSCALE=
export ZEEK_DISABLE_SPICY_TFTP=
export ZEEK_DISABLE_SPICY_WIREGUARD=
export ZEEK_DISABLE_ICS_ALL=
export ZEEK_DISABLE_ICS_BACNET=
export ZEEK_DISABLE_ICS_BSAP=
export ZEEK_DISABLE_ICS_DNP3=
export ZEEK_DISABLE_ICS_ENIP=
export ZEEK_DISABLE_ICS_ETHERCAT=
export ZEEK_DISABLE_ICS_GENISYS=true
export ZEEK_DISABLE_ICS_GE_SRTP=true
export ZEEK_DISABLE_ICS_HART_IP=
export ZEEK_DISABLE_ICS_OPCUA_BINARY=
export ZEEK_DISABLE_ICS_OMRON_FINS=
export ZEEK_DISABLE_ICS_MODBUS=
export ZEEK_DISABLE_ICS_PROFINET=
export ZEEK_DISABLE_ICS_PROFINET_IO_CM=
export ZEEK_DISABLE_ICS_S7COMM=
export ZEEK_DISABLE_ICS_SYNCHROPHASOR=
export ZEEK_JA4SSH_PACKET_COUNT=200
export ZEEK_SYNCHROPHASOR_PORTS=
export ZEEK_SYNCHROPHASOR_DETAILED=
export ZEEK_OMRON_FINS_DETAILED=true
export ZEEK_GENISYS_PORTS=
export ZEEK_ENIP_PORTS=
export ZEEK_DISABLE_BEST_GUESS_ICS=true
export ZEEK_KAFKA_ENABLED=
export ZEEK_KAFKA_BROKERS=kafka.local:9091
export ZEEK_KAFKA_TOPIC=zeek
# Suricata
export SURICATA_CUSTOM_RULES_ONLY=false
export SURICATA_DISABLE_ICS_ALL=false
export SURICATA_RUNMODE=workers
export SURICATA_LIVE_CAPTURE=true
export SURICATA_AF_PACKET_BLOCK_SIZE=1048576
export SURICATA_AF_PACKET_BLOCK_TIMEOUT=10
export SURICATA_AF_PACKET_BUFFER_SIZE=0
export SURICATA_AF_PACKET_CHECKSUM_CHECKS=kernel
export SURICATA_AF_PACKET_CLUSTER_TYPE=cluster_flow
export SURICATA_AF_PACKET_DEFRAG=yes
export SURICATA_AF_PACKET_EMERGENCY_FLUSH=no
export SURICATA_AF_PACKET_IFACE_THREADS=2
export SURICATA_AF_PACKET_MMAP_LOCKED=yes
export SURICATA_AF_PACKET_RING_SIZE=0
export SURICATA_MAX_PENDING_PACKETS=10000
export SURICATA_AF_PACKET_TPACKET_V3=yes
export SURICATA_AF_PACKET_USE_MMAP=yes
export SURICATA_CAPTURE_CHECKSUM_VALIDATION=none
export SURICATA_CAPTURE_DISABLE_OFFLOADING=true
export SURICATA_MANAGED_DIR=/var/lib/suricata
export SURICATA_MANAGED_RULES_DIR="$SURICATA_MANAGED_DIR"/rules
export SURICATA_REFRESH_CRON_EXPRESSION="15 2 * * *"
export SURICATA_UPDATE_ETOPEN=true
export SURICATA_STATS_ENABLED=false
export SURICATA_STATS_EVE_ENABLED=false
export SURICATA_STATS_INTERVAL=30
export SURICATA_STATS_DECODER_EVENTS=false
# affects Arkime only for now: beats values are stored in keystores per-beat
export OS_PROTOCOL=https
export OS_HOST=127.0.0.1
export OS_PORT=9200
export OS_USERNAME=sensor
export OS_PASSWORD=%70%61%73%73%77%6F%72%64
export OS_SSL_VERIFY=none
export VTOT_REQUESTS_PER_MINUTE=4
export VTOT_API2_KEY=
export CLAMD_MAX_REQUESTS=8
export EXTRACTED_FILE_YARA_CUSTOM_ONLY=false
export YARA_MAX_REQUESTS=8
export YARA_RULES_DIR=/opt/yara-rules
export YARA_RULES_SRC_DIR=/opt/yara-rules-src
export CAPA_VERBOSE=false
export CAPA_MAX_REQUESTS=4
export ZEEK_FILE_WATCH=false
export ZEEK_FILE_SCAN_CLAMAV=false
export ZEEK_FILE_SCAN_VTOT=false
export ZEEK_FILE_SCAN_YARA=false
export ZEEK_FILE_SCAN_CAPA=false
export AUTOSTART_ARKIME=false
export AUTOSTART_CLAMAV_UPDATES=false
export AUTOSTART_EXTRACTED_FILE_HTTP_SERVER=false
export AUTOSTART_FILEBEAT=false
export AUTOSTART_FLUENTBIT_AIDE=false
export AUTOSTART_FLUENTBIT_AUDITLOG=false
export AUTOSTART_FLUENTBIT_KMSG=false
export AUTOSTART_FLUENTBIT_METRICS=false
export AUTOSTART_FLUENTBIT_SYSTEMD=false
export AUTOSTART_FLUENTBIT_THERMAL=false
export AUTOSTART_MISCBEAT=false
export AUTOSTART_NETSNIFF=false
export AUTOSTART_PRUNE_PCAP=false
export AUTOSTART_PRUNE_ZEEK=false
export AUTOSTART_SURICATA=false
export AUTOSTART_SURICATA_UPDATES=false
export AUTOSTART_TCPDUMP=false
export AUTOSTART_ZEEK=false