-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathfever.yaml
170 lines (155 loc) · 5.23 KB
/
fever.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
# Config file for FEVER
# ---------------------
# Output additional debug information.
# verbose: true
# Enable output of profiling information to specified file.
# profile: profile.out
# Use the given size for defining the size of data blocks to be handled at once.
# chunksize: 50000
# Do not submit data to the sinks, only print on stdout.
# dummy: true
# Retry connection to sockets or servers for at most the given amount of times before
# giving up. Use the value of 0 to never give up.
# reconnect-retries: 5
# Specify time interval or number of items to cache before flushing to
# database, whichever happens first.
# flushtime: 1m
# flushcount: 100000
# Configuration for PostgreSQL 9.5+ database connection.
database:
enable: false
host: localhost
user: user
password: pass
database: test
# Set to true to use the MongoDB interface instead of PostgreSQL.
mongo: false
# Time interval after which a new table is created and background
# indexing is started.
rotate: 1h
# Maximum size in gigabytes.
maxtablesize: 50
# Configuration for input (from Suricata side). Only one of 'socket'
# or 'redis' is supported at the same time, comment/uncomment to choose.
input:
# Path to the socket that Suricata writes to.
socket: /tmp/suri.sock
# Buffer length for EVE items parsed from input socket. Useful to help FEVER
# keep up with input from Suricata in case the processing pipeline is
# temporarily slow.
# Will track current buffer size in the `input_queue_length` metric.
buffer: 500000
# Rather drop items from a full buffer than causing writes to the input
# socket to block.
# This avoids congestion effects in Suricata (up to packet drops) if FEVER
# or its forwarding receiver remains slow for a longer period of time.
# Will count the number of dropped items in the `input_queue_dropped` metric.
buffer-drop: true
#redis:
# # Redis server hostname. We assume the 'suricata' list as a source.
# server: localhost
# # Disables Redis pipelining.
# nopipe: true
# Configure forwarding of events processed by FEVER, i.e. define what event
# types to forward.
multi-forward:
# Set 'all' to true to forward everything received from Suricata, otherwise
# use the 'types' list to choose. Example:
# socketall:
# socket: /tmp/out-all.sock
# buffer-length: 100000
# all: true
# types: []
socketalerts:
socket: /tmp/suri-forward.sock
all: false
buffer-length: 1000
types:
- alert
- stats
# Configuration for flow report submission.
flowreport:
# Interval used for aggregation.
interval: 60s
submission-url: amqp://guest:guest@localhost:5672/
submission-exchange: aggregations
# Set to true to disable gzip compression for uploads.
nocompress: false
# If both srcip and destip are non-empty, inject an extra flow record for
# these towards the given destination port.
#testdata-srcip: 0.0.0.1
#testdata-destip: 0.0.0.2
#testdata-destport: 99999
# Set to true to count _all_ flows, not just TCP bidirectional ones.
all: false
# Configuration for metrics (i.e. InfluxDB) submission.
metrics:
enable: true
submission-url: amqp://guest:guest@localhost:5672/
submission-exchange: metrics
# Configuration for passive DNS submission.
pdns:
enable: true
submission-url: amqp://guest:guest@localhost:5672/
submission-exchange: pdns
# If test-domain is non-empty, add an extra A observation for this rrname to
# all submissions
#test-domain: heartbeat.fever-heartbeat
# Configuration for alert-associated metadata submission.
context:
enable: false
cache-timeout: 1h
submission-url: amqp://guest:guest@localhost:5672/
submission-exchange: context
# Extra fields to add to each forwarded event.
#add-fields:
# sensor-id: foobar
# Send 'heartbeat' HTTP or alert event
heartbeat:
enable: false
# 24h HH:MM strings with local times to send heartbeat as HTTP event
times:
- "00:01"
# 24h HH:MM strings with local times to send heartbeat as alert
#alert-times:
# - "00:02"
# Configuration for detailed flow metadata submission.
flowextract:
enable: false
submission-url: amqp://guest:guest@localhost:5672/
submission-exchange: aggregations
# Uncomment to enable flow collection only for IPs in the given
# Bloom filter.
# bloom-selector: /tmp/flows.bloom
# Configuration for Bloom filter alerting on HTTP, DNS and
# TLS metadata events.
#bloom:
# file: ./in.bloom.gz
# zipped: true
# alert-prefix: BLF
# blacklist-iocs:
# - /
# - /index.htm
# - /index.html
# Configuration for active information gathering.
active:
# Enable reverse DNS lookups for src/dst IPs.
rdns: false
# Only do reverse lookups for RFC 1918 IPs.
rdns-private-only: true
# Duration to cache lookup redults for to avoid excessive DNS load.
rdns-cache-expiry: 120s
# Configuration for FEVER's log file handling.
logging:
# Insert file name here to redirect logs to separate file. If left blank, logs
# will be printed to the stdout/stderr of the FEVER process.
file:
# Set to true to enable JSON output.
json: false
# Configuration for FEVER's remote management interface.
mgmt:
# Use local socket for gRPC communication.
socket: /tmp/fever-mgmt.sock
# Use network server for gRPC commmunication.
#network: tcp
#host: localhost:9999