disable ids logs by default

pkg/netconf/configurator.go

@@ -56,6 +56,7 @@ type (
 	FirewallConfigurator struct {
 		CommonConfigurator
 		EnableDNSProxy bool
+		EnableIDS      bool
 	}
 )
 
@@ -96,7 +97,7 @@ func (configurator FirewallConfigurator) Configure() {
 	kb := configurator.Kb
 	applyCommonConfiguration(Firewall, kb)
 
-	configurator.ConfugureNftables()
+	configurator.ConfigureNftables()
 
 	chrony, err := NewChronyServiceEnabler(configurator.Kb)
 	if err != nil {
@@ -124,32 +125,35 @@ func (configurator FirewallConfigurator) Configure() {
 		}
 	}
 
-	src := mustTmpFile("suricata_")
-	applier, err := NewSuricataDefaultsApplier(kb, src)
+	configurator.ConfigureSuricataDefaults()
+	configurator.ConfigureSuricata()
+}
+
+func (configurator FirewallConfigurator) ConfigureNftables() {
+	src := mustTmpFile("nftrules_")
+	validator := NftablesValidator{src}
+	applier := NewNftablesConfigApplier(configurator.Kb, validator, configurator.EnableDNSProxy)
+	applyAndCleanUp(applier, TplNftables, src, "/etc/nftables/rules", FileModeDefault)
+}
 
+func (configurator FirewallConfigurator) ConfigureSuricataDefaults() {
+	src := mustTmpFile("suricata_")
+	applier, err := NewSuricataDefaultsApplier(configurator.Kb, src)
 	if err != nil {
 		log.Warnf("failed to configure suricata defaults: %v", err)
 	}
-
 	applyAndCleanUp(applier, tplSuricataDefaults, src, "/etc/default/suricata", FileModeSixFourFour)
+}
 
-	src = mustTmpFile("suricata.yaml_")
-	applier, err = NewSuricataConfigApplier(kb, src)
-
+func (configurator FirewallConfigurator) ConfigureSuricata() {
+	src := mustTmpFile("suricata.yaml_")
+	applier, err := NewSuricataConfigApplier(configurator.Kb, src, configurator.EnableIDS)
 	if err != nil {
 		log.Warnf("failed to configure suricata: %v", err)
 	}
-
 	applyAndCleanUp(applier, TplSuricataConfig, src, "/etc/suricata/suricata.yaml", FileModeSixFourFour)
 }
 
-func (configurator FirewallConfigurator) ConfugureNftables() {
-	src := mustTmpFile("nftrules_")
-	validator := NftablesValidator{src}
-	applier := NewNftablesConfigApplier(configurator.Kb, validator, configurator.EnableDNSProxy)
-	applyAndCleanUp(applier, TplNftables, src, "/etc/nftables/rules", FileModeDefault)
-}
-
 func (configurator FirewallConfigurator) getUnits() []unitConfiguration {
 	return []unitConfiguration{
 		{

pkg/netconf/suricata_config.go

@@ -14,6 +14,7 @@ type SuricataConfigData struct {
 	Comment         string
 	DefaultRouteVrf string
 	Interface       string
+	EnableIDS       bool
 }
 
 // SuricataConfigValidator can validate configuration for suricata.
@@ -22,14 +23,19 @@ type SuricataConfigValidator struct {
 }
 
 // NewSuricataConfigApplier constructs a new instance of this type.
-func NewSuricataConfigApplier(kb KnowledgeBase, tmpFile string) (net.Applier, error) {
+func NewSuricataConfigApplier(kb KnowledgeBase, tmpFile string, enableIDS bool) (net.Applier, error) {
 	defaultRouteVrf, err := kb.getDefaultRouteVRFName()
 	if err != nil {
 		return nil, err
 	}
 
 	i := strings.Replace(defaultRouteVrf, "vrf", "vlan", 1)
-	data := SuricataConfigData{Comment: versionHeader(kb.Machineuuid), DefaultRouteVrf: defaultRouteVrf, Interface: i}
+	data := SuricataConfigData{
+		Comment:         versionHeader(kb.Machineuuid),
+		DefaultRouteVrf: defaultRouteVrf,
+		Interface:       i,
+		EnableIDS:       enableIDS,
+	}
 	validator := SuricataConfigValidator{tmpFile}
 
 	return net.NewNetworkApplier(data, validator, nil), nil

pkg/netconf/tpl/suricata_config.yaml.tpl

@@ -81,9 +81,10 @@ outputs:
 
   # Extensible Event Format (nicknamed EVE) event log in JSON format
   - eve-log:
+      {{- if .EnableIDS }}
       enabled: yes
-      filetype: regular
-      filename: eve.json
+      filetype: unix_dgram
+      filename: /var/log/suricata/eve.socket
       #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
       #identity: "suricata"
@@ -287,6 +288,9 @@ outputs:
         # and will include the pktvars, flowvars, flowbits and
         # flowints.
         #- metadata
+      {{- else }}
+      enabled: no
+      {{- end }}
 
   # deprecated - unified2 alert format for use with Barnyard2
   - unified2-alert: