nixos/suricata: Fix module and add to module-list #349826

Open
wants to merge 2 commits into
base: master
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -1227,6 +1227,7 @@
./services/networking/sunshine.nix
./services/networking/supplicant.nix
./services/networking/supybot.nix
./services/networking/suricata/default.nix
./services/networking/syncplay.nix
./services/networking/syncthing-relay.nix
./services/networking/syncthing.nix
149 changes: 132 additions & 17 deletions nixos/modules/services/networking/suricata/settings.nix
Expand Up @@ -31,21 +31,96 @@ in
type = (
types.submodule {
options = {
HOME_NET = mkOption { default = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"; };
EXTERNAL_NET = mkOption { default = "!$HOME_NET"; };
HTTP_SERVERS = mkOption { default = "$HOME_NET"; };
SMTP_SERVERS = mkOption { default = "$HOME_NET"; };
SQL_SERVERS = mkOption { default = "$HOME_NET"; };
DNS_SERVERS = mkOption { default = "$HOME_NET"; };
TELNET_SERVERS = mkOption { default = "$HOME_NET"; };
AIM_SERVERS = mkOption { default = "$EXTERNAL_NET"; };
DC_SERVERS = mkOption { default = "$HOME_NET"; };
DNP3_SERVER = mkOption { default = "$HOME_NET"; };
DNP3_CLIENT = mkOption { default = "$HOME_NET"; };
MODBUS_CLIENT = mkOption { default = "$HOME_NET"; };
MODBUS_SERVER = mkOption { default = "$HOME_NET"; };
ENIP_CLIENT = mkOption { default = "$HOME_NET"; };
ENIP_SERVER = mkOption { default = "$HOME_NET"; };
HOME_NET = mkOption {
default = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]";
description = ''
HOME_NET variable
'';
};
EXTERNAL_NET = mkOption {
default = "!$HOME_NET";
description = ''
EXTERNAL_NET variable
'';
};
HTTP_SERVERS = mkOption {
default = "$HOME_NET";
description = ''
HTTP_SERVERS variable
'';
};
SMTP_SERVERS = mkOption {
default = "$HOME_NET";
description = ''
SMTP_SERVERS variable
'';
};
SQL_SERVERS = mkOption {
default = "$HOME_NET";
description = ''
SQL_SERVERS variable
'';
};
DNS_SERVERS = mkOption {
default = "$HOME_NET";
description = ''
DNS_SERVERS variable
'';
};
TELNET_SERVERS = mkOption {
default = "$HOME_NET";
description = ''
TELNET_SERVERS variable
'';
};
AIM_SERVERS = mkOption {
default = "$EXTERNAL_NET";
description = ''
AIM_SERVERS variable
'';
};
DC_SERVERS = mkOption {
default = "$HOME_NET";
description = ''
DC_SERVERS variable
'';
};
DNP3_SERVER = mkOption {
default = "$HOME_NET";
description = ''
DNP3_SERVER variable
'';
};
DNP3_CLIENT = mkOption {
default = "$HOME_NET";
description = ''
DNP3_CLIENT variable
'';
};
MODBUS_CLIENT = mkOption {
default = "$HOME_NET";
description = ''
MODBUS_CLIENT variable
'';
};
MODBUS_SERVER = mkOption {
default = "$HOME_NET";
description = ''
MODBUS_SERVER variable
'';
};
ENIP_CLIENT = mkOption {
default = "$HOME_NET";
description = ''
ENIP_CLIENT variable
'';
};
ENIP_SERVER = mkOption {
default = "$HOME_NET";
description = ''
ENIP_SERVER variable
'';
};
};
}
);
Expand Down Expand Up @@ -97,6 +172,9 @@ in
}
);
default = { }; # add default values to config
description = ''
Variables to be used within the suricata rules
'';
};

stats = mkOption {
Expand Down Expand Up @@ -142,6 +220,9 @@ in
};
});
default = null; # do not add to config unless specified
description = ''
Engine statistics such as packet counters, memory use counters and others can be logged in several ways. A separate text log 'stats.log' and an EVE record type 'stats' are enabled by default.
'';
};

plugins = mkOption {
Expand Down Expand Up @@ -350,6 +431,9 @@ in
interface = mkOption {
type = types.str;
default = null;
description = ''
af-packet capture interface, see [upstream docs reagrding tuning](https://docs.suricata.io/en/latest/performance/tuning-considerations.html#af-packet)
'';
};
};
})
Expand All @@ -370,6 +454,9 @@ in
interface = mkOption {
type = types.str;
default = null;
description = ''
af-xdp capture interface, see [upstream docs](https://docs.suricata.io/en/latest/capture-hardware/af-xdp.html)
'';
};
};
})
Expand All @@ -389,6 +476,9 @@ in
eal-params.proc-type = mkOption {
type = with types; nullOr str;
default = null;
description = ''
dpdk eal-params.proc-type, see [data plane development kit docs](https://doc.dpdk.org/guides/linux_gsg/linux_eal_parameters.html#multiprocessing-related-options)
'';
};
interfaces = mkOption {
type =
Expand All @@ -400,18 +490,26 @@ in
interface = mkOption {
type = types.str;
default = null;
description = ''
See upstream docs: [docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.7/capture-hardware/dpdk.html) and [docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk](https://docs.suricata.io/en/suricata-7.0.7/configuration/suricata-yaml.html#data-plane-development-kit-dpdk)
'';
};
};
})
);
default = null;
description = ''
See upstream docs: [docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.7/capture-hardware/dpdk.html) and [docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk](https://docs.suricata.io/en/suricata-7.0.7/configuration/suricata-yaml.html#data-plane-development-kit-dpdk)
'';
};
};
});
default = null;
description = ''
DPDK capture support, see
[docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.3/capture-hardware/dpdk.html)
Data Plane Development Kit is a framework for fast packet processing in data plane applications running on a wide variety of CPU architectures. DPDK's Environment Abstraction Layer (EAL) provides a generic interface to low-level resources. It is a unique way how DPDK libraries access NICs. EAL creates an API for an application to access NIC resources from the userspace level. In DPDK, packets are not retrieved via interrupt handling. Instead, the application polls the NIC for newly received packets.

DPDK allows the user space application to directly access memory where the NIC stores the packets. As a result, neither DPDK nor the application copies the packets for the inspection. The application directly processes packets via passed packet descriptors.
See [docs/capture-hardware/dpdk](https://docs.suricata.io/en/suricata-7.0.7/capture-hardware/dpdk.html) and [docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk](https://docs.suricata.io/en/suricata-7.0.7/configuration/suricata-yaml.html#data-plane-development-kit-dpdk)
'';
};

Expand All @@ -425,6 +523,9 @@ in
interface = mkOption {
type = types.str;
default = null;
description = ''
pcap capture interface, see [upstream docs](https://docs.suricata.io/en/latest/manpages/suricata.html)
'';
};
};
})
Expand Down Expand Up @@ -498,10 +599,16 @@ in
})
);
default = null;
description = ''
app-layer protocols, see [upstream docs](https://docs.suricata.io/en/latest/rules/app-layer.html)
'';
};
};
});
default = null; # do not add to config unless specified
description = ''
app-layer configuration, see [upstream docs](https://docs.suricata.io/en/latest/rules/app-layer.html)
'';
};

"run-as" = {
Expand Down Expand Up @@ -540,10 +647,16 @@ in
enabled = mkOption {
type = types.either types.bool (types.enum [ "auto" ]);
default = "auto";
description = ''
Enable unix-command socket
'';
};
filename = mkOption {
type = types.path;
default = "/run/suricata/suricata-command.socket";
description = ''
Filename for unix-command socket
'';
};
};
});
Expand Down Expand Up @@ -603,12 +716,14 @@ in
"reference-config-file" = mkOption {
type = types.str;
default = "${cfg.package}/etc/suricata/reference.config";
defaultText = "\${config.services.suricata.package}/etc/suricata/reference.config";
description = "Suricata reference configuration file";
};

"threshold-file" = mkOption {
type = types.str;
default = "${cfg.package}/etc/suricata/threshold.config";
defaultText = "\${config.services.suricata.package}/etc/suricata/threshold.config";
description = "Suricata threshold configuration file";
};

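Review bot: The capture `interface` options in the af-packet, af-xdp, dpdk and pcap hunks keep `type = types.str; default = null;`, and as far as I can tell the module system type-checks an option's default when nothing else defines it, so enabling a capture method without naming an interface fails with a type error rather than a clear "must be set" message; either drop the `default` so the option is required, or use `type = with types; nullOr str;` as `eal-params.proc-type` already does in the dpdk hunk. The new descriptions such as `HOME_NET variable` only repeat the option name; since `EXTERNAL_NET` defaults to `!$HOME_NET` and the server groups default to `$HOME_NET`, something like `Address group treated as the protected network; EXTERNAL_NET and the server address groups are derived from it, so it must cover every monitored subnet or rules scoped to it will not fire` would tell the reader what a wrong value costs. The af-packet description carries the typo `reagrding`, and the DPDK description links the 7.0.3 docs once and the 7.0.7 docs twice in the same text. Each of these hunks sits inside a larger `options` set whose start and end lie outside the visible hunks.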
5 changes: 0 additions & 5 deletions nixos/tests/suricata.nix
Expand Up @@ -6,11 +6,6 @@ import ./make-test-python.nix (

nodes = {
ids = {
imports = [
../modules/profiles/minimal.nix
../modules/services/networking/suricata/default.nix
];

networking.interfaces.eth1 = {
useDHCP = false;
ipv4.addresses = [