# Sensor control variables: packet capture and Arkime settings.
# This file is sourced by the sensor's service scripts; every value is an
# environment variable, so keep one "export NAME=value" per line.
#
# Capture interface. "lo" only sees loopback traffic, so this default captures
# nothing useful; point it at the monitoring (SPAN/TAP) interface when deploying.
export CAPTURE_INTERFACE=lo
# BPF capture filter; empty means no filter is applied.
export CAPTURE_FILTER=""
export PCAP_PATH=/home/sensor/net_cap
# strftime(3)-style pattern used for rotated tcpdump output files
export PCAP_TCPDUMP_FILENAME_PATTERN=%Y%m%d_%H%M%S.pcap
export PCAP_NETSNIFF_MAGIC=0xa1b2c3d4
# PCAP rotation thresholds (seconds and megabytes)
export PCAP_ROTATE_SECONDS=3600
export PCAP_ROTATE_MEGABYTES=4096
# Snapshot length handed to the capture tool; 0 conventionally means "do not truncate packets"
export PCAP_SNAPLEN=0
# PCAP pruning: disk-fill percentage that triggers pruning, and how often (seconds)
# the fill level is checked. Presumably only active when AUTOSTART_PRUNE_PCAP is true.
export PCAP_MAX_DISK_FILL=90
export PCAP_PRUNE_CHECK_SECONDS=60
# Arkime viewer/capture settings. ARKIME_VIEWER_PORT is also referenced by
# MALCOLM_REQUEST_PORTS further down in this file.
export ARKIME_VIEWER_PORT=8005
export ARKIME_PACKET_THREADS=5
export ARKIME_ECS_PROVIDER=arkime
export ARKIME_ECS_DATASET=session
export ARKIME_COMPRESSION_TYPE=zstd
export ARKIME_COMPRESSION_LEVEL=3
# ARKIME_VIEWER_(CERT|KEY) are under "$SUPERVISOR_PATH"/arkime/
# ($SUPERVISOR_PATH is defined elsewhere, not in this file)
export ARKIME_VIEWER_CERT=viewer.crt
export ARKIME_VIEWER_KEY=viewer.key
# Password hash secret for Arkime viewer cluster (see https://arkime.com/settings)
# SECURITY: "Malcolm" is a well-known default that ships with the repository.
# Replace it with a unique, randomly generated value on every deployment; it must be
# identical on all viewers that share one Arkime cluster. Because this file stores it
# in cleartext, restrict the file's permissions to the sensor user.
export ARKIME_PASSWORD_SECRET=Malcolm
# Arkime free-space threshold (percentage form); see the Arkime settings page
export ARKIME_FREESPACEG=7%
export ARKIME_ROTATE_INDEX=daily
# 0 = no debug output; raise only while troubleshooting (debug output can be verbose)
export ARKIME_DEBUG_LEVEL=0
# AUTOSTART_EXTRACTED_FILE_HTTP_SERVER below controls whether or not to serve the
# directory containing Zeek-extracted files over HTTP at ./extracted-files/
# SECURITY: the files served here are carved from captured traffic and may be live
# malware; anyone who can reach EXTRACTED_FILE_HTTP_SERVER_PORT can download them.
# Restrict reachability (see MALCOLM_REQUEST_ACL below) before enabling the server.
export EXTRACTED_FILE_HTTP_SERVER_PORT=8006
export EXTRACTED_FILE_HTTP_ASSETS_DIR=/opt/sensor/assets
# Whether or not Zeek-extracted files served over HTTP will be archived in a Zip file
export EXTRACTED_FILE_HTTP_SERVER_ZIP=false
# Specifies the password for encrypted Zeek-extracted files served over HTTP
# If EXTRACTED_FILE_HTTP_SERVER_ZIP is true this is the password for the Zip file,
# otherwise it is the AES-256-CBC decryption password
# NOTE: "infected" is the conventional password used when exchanging malware samples;
# its purpose is presumably safe handling (so the download does not trip AV on the
# way), not confidentiality. Do not treat it as an access control.
export EXTRACTED_FILE_HTTP_SERVER_KEY=infected
# Whether or not to use libmagic to show MIME types for Zeek-extracted files served
export EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
# HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved")
export EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true
# files used for FileBeat -> Logstash TLS and extracted file HTTP server
# client.crt/client.key are presumably the sensor's client identity toward Logstash
# (mutual TLS) and ca.crt the CA it trusts for the Logstash server certificate.
# client.key is a private key: keep it readable only by the sensor user.
export BEAT_LS_SSL_CLIENT_CRT=/opt/sensor/sensor_ctl/logstash-client-certificates/client.crt
export BEAT_LS_SSL_CLIENT_KEY=/opt/sensor/sensor_ctl/logstash-client-certificates/client.key
export BEAT_LS_SSL_CA_CRT=/opt/sensor/sensor_ctl/logstash-client-certificates/ca.crt
# Access control for the ports listed in MALCOLM_REQUEST_PORTS (Arkime viewer and the
# extracted-file HTTP server). Presumably a list of allowed source addresses; it is
# empty here. NOTE(review): whether an empty ACL means "deny all" or "allow all" is
# decided by the sensor's ACL/firewall scripts, not by this file -- confirm before
# exposing these ports on a non-loopback interface.
export MALCOLM_REQUEST_ACL=
# Expanded at assignment time from the two port variables above, so this line must
# stay after ARKIME_VIEWER_PORT and EXTRACTED_FILE_HTTP_SERVER_PORT.
export MALCOLM_REQUEST_PORTS=$ARKIME_VIEWER_PORT,$EXTRACTED_FILE_HTTP_SERVER_PORT
export DOCUMENTATION_PORT=8420
export MISCBEAT_PORT=9516
# Fluent Bit collection intervals (seconds): host metrics, thermal sensors, and the
# AIDE file-integrity check (86400 = once per day)
export FLUENTBIT_METRICS_INTERVAL=30
export FLUENTBIT_THERMAL_INTERVAL=10
export FLUENTBIT_AIDE_INTERVAL=86400
# Zeek settings. For the ZEEK_DISABLE_* variables below, "true" disables the
# feature; leaving the value empty leaves it enabled.
export ZEEK_LOG_PATH=/home/sensor/zeek_logs
# Zeek log pruning: disk-fill percentage that triggers pruning and the check
# interval (seconds). Presumably only active when AUTOSTART_PRUNE_ZEEK is true.
export ZEEK_MAX_DISK_FILL=90
export ZEEK_PRUNE_CHECK_SECONDS=90
# Zeek performance tuning (node.cfg, see idaholab/Malcolm#36 for details)
# Empty = no CPU pinning for the logger/manager/proxy nodes.
export ZEEK_PIN_CPUS_LOGGER=
export ZEEK_PIN_CPUS_MANAGER=
export ZEEK_PIN_CPUS_PROXY=
# zeekdeploy.sh will also use (if present, where n is the number of capture interfaces):
# - ZEEK_PIN_CPUS_WORKER_1 .. ZEEK_PIN_CPUS_WORKER_n
# - ZEEK_LB_PROCS_WORKER_1 .. ZEEK_LB_PROCS_WORKER_n (falling back to ZEEK_LB_PROCS)
# Default number of load-balanced worker processes per capture interface
export ZEEK_LB_PROCS=1
export ZEEK_LB_METHOD=custom
# AF_PACKET ring buffer size in bytes (67108864 = 64 MiB)
export ZEEK_AF_PACKET_BUFFER_SIZE=67108864
# Empty = no local networks declared to Zeek (affects Zeek's local/remote tagging)
export ZEEK_LOCAL_NETS=
export ZEEK_JSON=
export ZEEK_RULESET=local
# Intelligence feed handling: refresh on deploy, no cron-based refresh schedule
export ZEEK_INTEL_REFRESH_ON_DEPLOY=true
export ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
# Per Zeek's Intel::item_expiration semantics, a negative interval means intel
# items never expire once loaded.
export ZEEK_INTEL_ITEM_EXPIRATION=-1min
export ZEEK_INTEL_FEED_SINCE=
# File extraction is off ("none"); the extracted-file settings below only matter
# once this is changed. ZEEK_EXTRACTOR_OVERRIDE_FILE is an optional override script.
export ZEEK_EXTRACTOR_MODE=none
export ZEEK_EXTRACTOR_OVERRIDE_FILE=
# Size bounds (bytes) for files Zeek will extract; 134217728 = 128 MiB
export EXTRACTED_FILE_MIN_BYTES=64
export EXTRACTED_FILE_MAX_BYTES=134217728
export EXTRACTED_FILE_PRESERVATION=quarantined
export ZEEK_DISABLE_STATS=true
export ZEEK_DISABLE_HASH_ALL_FILES=
# SECURITY: password logging is NOT disabled here, so Zeek logs may contain cleartext
# credentials observed on the wire (e.g. HTTP basic auth, FTP). Treat the log store
# and its forwarding path as sensitive, or set this to true.
export ZEEK_DISABLE_LOG_PASSWORDS=
# Empty = Zeek's SSL certificate validation stays enabled (it produces notices for
# invalid chains; it does not block traffic -- this is passive monitoring)
export ZEEK_DISABLE_SSL_VALIDATE_CERTS=
export ZEEK_DISABLE_TRACK_ALL_ASSETS=
# Spicy-based parsers; DHCP/DNS/HTTP/QUIC Spicy parsers are disabled by default
export ZEEK_DISABLE_SPICY_DHCP=true
export ZEEK_DISABLE_SPICY_DNS=true
export ZEEK_DISABLE_SPICY_HTTP=true
export ZEEK_DISABLE_SPICY_IPSEC=
export ZEEK_DISABLE_SPICY_LDAP=
export ZEEK_DISABLE_SPICY_OPENVPN=
export ZEEK_DISABLE_SPICY_QUIC=true
export ZEEK_DISABLE_SPICY_STUN=
export ZEEK_DISABLE_SPICY_TAILSCALE=
export ZEEK_DISABLE_SPICY_TFTP=
export ZEEK_DISABLE_SPICY_WIREGUARD=
# ICS/OT protocol parsers. ZEEK_DISABLE_ICS_ALL presumably overrides the
# per-protocol flags; only Genisys is disabled individually by default.
export ZEEK_DISABLE_ICS_ALL=
export ZEEK_DISABLE_ICS_BACNET=
export ZEEK_DISABLE_ICS_BSAP=
export ZEEK_DISABLE_ICS_DNP3=
export ZEEK_DISABLE_ICS_ENIP=
export ZEEK_DISABLE_ICS_ETHERCAT=
export ZEEK_DISABLE_ICS_GENISYS=true
export ZEEK_DISABLE_ICS_OPCUA_BINARY=
export ZEEK_DISABLE_ICS_MODBUS=
export ZEEK_DISABLE_ICS_PROFINET=
export ZEEK_DISABLE_ICS_PROFINET_IO_CM=
export ZEEK_DISABLE_ICS_S7COMM=
export ZEEK_DISABLE_ICS_SYNCHROPHASOR=
# Optional port overrides for parsers whose ports vary by site; empty = parser defaults
export ZEEK_SYNCHROPHASOR_PORTS=
export ZEEK_SYNCHROPHASOR_DETAILED=
export ZEEK_GENISYS_PORTS=
export ZEEK_ENIP_PORTS=
# "Best guess" ICS identification on non-standard ports is disabled by default
export ZEEK_DISABLE_BEST_GUESS_ICS=true
# Suricata
# false = the managed ruleset (see SURICATA_UPDATE_ETOPEN) is used in addition to
# any custom rules; true would load custom rules only.
export SURICATA_CUSTOM_RULES_ONLY=false
export SURICATA_DISABLE_ICS_ALL=false
export SURICATA_RUNMODE=workers
# true = capture live from the interface (as opposed to reading PCAP files)
export SURICATA_LIVE_CAPTURE=true
# AF_PACKET capture tuning; these map to Suricata's af-packet section
export SURICATA_AF_PACKET_BLOCK_SIZE=32768
export SURICATA_AF_PACKET_BLOCK_TIMEOUT=10
export SURICATA_AF_PACKET_BUFFER_SIZE=32768
export SURICATA_AF_PACKET_CHECKSUM_CHECKS=kernel
export SURICATA_AF_PACKET_CLUSTER_TYPE=cluster_flow
export SURICATA_AF_PACKET_DEFRAG=yes
export SURICATA_AF_PACKET_EMERGENCY_FLUSH=no
export SURICATA_AF_PACKET_IFACE_THREADS=auto
export SURICATA_AF_PACKET_MMAP_LOCKED=no
export SURICATA_AF_PACKET_RING_SIZE=2048
export SURICATA_AF_PACKET_TPACKET_V3=yes
export SURICATA_AF_PACKET_USE_MMAP=yes
# Checksum validation is off and NIC offloading is disabled on the capture interface;
# both are common settings for a passive SPAN/TAP sensor where offloaded or
# already-validated checksums would otherwise cause dropped/misparsed packets.
export SURICATA_CAPTURE_CHECKSUM_VALIDATION=none
export SURICATA_CAPTURE_DISABLE_OFFLOADING=true
# Directory for rules maintained by the update job (SURICATA_MANAGED_RULES_DIR is
# derived from SURICATA_MANAGED_DIR at assignment time, so keep this order)
export SURICATA_MANAGED_DIR=/var/lib/suricata
export SURICATA_MANAGED_RULES_DIR="$SURICATA_MANAGED_DIR"/rules
# Rule refresh schedule (cron syntax): daily at 02:15. Presumably only acted on when
# AUTOSTART_SURICATA_UPDATES is true.
export SURICATA_REFRESH_CRON_EXPRESSION="15 2 * * *"
# Pull the Emerging Threats Open ruleset during refresh. NOTE: this is a
# supply-chain input fetched from the internet; the sensor needs outbound access
# and the download should only be trusted over a verified TLS connection.
export SURICATA_UPDATE_ETOPEN=true
# Suricata statistics output is disabled by default
export SURICATA_STATS_ENABLED=false
export SURICATA_STATS_EVE_ENABLED=false
export SURICATA_STATS_INTERVAL=30
export SURICATA_STATS_DECODER_EVENTS=false
# affects Arkime only for now: beats values are stored in keystores per-beat
# OpenSearch connection used by Arkime. The default points at the loopback address.
export OS_PROTOCOL=https
export OS_HOST=127.0.0.1
export OS_PORT=9200
export OS_USERNAME=sensor
# SECURITY: placeholder credential. The value is stored percent-encoded (this one
# decodes to the literal string "password"); replace it on every deployment and
# percent-encode any reserved characters in the real password. Because it sits in
# this file in (encoded) cleartext, keep the file readable only by the sensor user.
export OS_PASSWORD=%70%61%73%73%77%6F%72%64
# SECURITY: "none" disables TLS certificate verification toward OpenSearch. That is
# tolerable for the loopback default above, but if OS_HOST is pointed at a remote
# Malcolm instance the credentials and session data become exposed to an on-path
# attacker; switch to a verifying mode and provide the CA certificate in that case.
export OS_SSL_VERIFY=none
# VirusTotal lookups for extracted files: rate limit (per minute) and API key.
# The key is a secret -- leave it empty unless ZEEK_FILE_SCAN_VTOT is enabled, and
# note that enabling VirusTotal sends file hashes (and possibly files) off-host.
export VTOT_REQUESTS_PER_MINUTE=4
export VTOT_API2_KEY=""
# Concurrency limits for the extracted-file scanners
export CLAMD_MAX_REQUESTS=8
# false = bundled YARA rules plus custom rules; true = custom rules only
export EXTRACTED_FILE_YARA_CUSTOM_ONLY=false
export YARA_MAX_REQUESTS=8
export YARA_RULES_DIR=/opt/yara-rules
export YARA_RULES_SRC_DIR=/opt/yara-rules-src
export CAPA_VERBOSE=false
export CAPA_MAX_REQUESTS=4
# Extracted-file watching and scanning are all off by default; they only make sense
# once ZEEK_EXTRACTOR_MODE (above) is something other than "none".
export ZEEK_FILE_WATCH=false
export ZEEK_FILE_SCAN_CLAMAV=false
export ZEEK_FILE_SCAN_VTOT=false
export ZEEK_FILE_SCAN_YARA=false
export ZEEK_FILE_SCAN_CAPA=false
# Service autostart flags. Everything is off by default; the sensor's configuration
# tooling is expected to flip the relevant entries to true. Before enabling
# AUTOSTART_EXTRACTED_FILE_HTTP_SERVER, make sure access to its port is restricted
# (see MALCOLM_REQUEST_ACL above), since it serves potentially malicious files.
export AUTOSTART_ARKIME=false
export AUTOSTART_CLAMAV_UPDATES=false
export AUTOSTART_EXTRACTED_FILE_HTTP_SERVER=false
export AUTOSTART_FILEBEAT=false
# Fluent Bit inputs: AIDE file integrity, audit log, kernel messages, host metrics,
# systemd journal, thermal sensors
export AUTOSTART_FLUENTBIT_AIDE=false
export AUTOSTART_FLUENTBIT_AUDITLOG=false
export AUTOSTART_FLUENTBIT_KMSG=false
export AUTOSTART_FLUENTBIT_METRICS=false
export AUTOSTART_FLUENTBIT_SYSTEMD=false
export AUTOSTART_FLUENTBIT_THERMAL=false
export AUTOSTART_MISCBEAT=false
# Packet capture tools (netsniff-ng / tcpdump) and the PCAP / Zeek log pruners
export AUTOSTART_NETSNIFF=false
export AUTOSTART_PRUNE_PCAP=false
export AUTOSTART_PRUNE_ZEEK=false
export AUTOSTART_SURICATA=false
export AUTOSTART_SURICATA_UPDATES=false
export AUTOSTART_TCPDUMP=false
export AUTOSTART_ZEEK=false