diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml b/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
index 0e8ec0d3a24..0d07b4c6b01 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
@@ -171,4 +171,16 @@
Custom TLS fields to include in eve-log for TLS. (Overrides extended if non-empty).true
+
+ ids.general.eveLog.types.enabled
+
+ select_multiple
+ The type of events to include in the EVE log.
+
+
+ ids.general.eveLog.types.extended
+
+ select_multiple
+ The type of events which, if enabled in the EVE log, will contain extended information.
+
diff --git a/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml b/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
index 37b0a40ffcb..818e7f9cedf 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
@@ -293,6 +293,47 @@
Y
+
+
+
+ DNS
+ Files
+ SMTP
+ DNP3
+ FTP
+ RDP
+ NFS
+ SMB
+ TFTP
+ IKE
+ DCE-RPC
+ Kerberos
+ BitTorrent DHT
+ SNMP
+ RFB/VNC
+ SIP
+ QUIC
+ DHCP
+ MQTT
+ HTTP/2
+ PostgreSQL
+ Statistics
+ Bi-directional Flows
+ Uni-directional Netflows
+
+ Y
+
+
+
+ Files
+ SMTP
+ DHCP
+ MQTT
+ PostgreSQL
+
+ Y
+
+
diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
index 666fbc94599..fcaade6d728 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
+++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
@@ -220,34 +220,6 @@ outputs:
dump-all-headers: {{OPNsense.IDS.general.eveLog.http.dumpAllHeaders}}
{% endif %}
{% endif %}
-# - dns:
- # This configuration uses the new DNS logging format,
- # the old configuration is still available:
- # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
-
- # As of Suricata 5.0, version 2 of the eve dns output
- # format is the default.
- #version: 2
-
- # Enable/disable this logger. Default: enabled.
- #enabled: yes
-
- # Control logging of requests and responses:
- # - requests: enable logging of DNS queries
- # - responses: enable logging of DNS answers
- # By default both requests and responses are logged.
- #requests: no
- #responses: no
-
- # Format of answer logging:
- # - detailed: array item per answer
- # - grouped: answers aggregated by type
- # Default: all
- #formats: [detailed, grouped]
-
- # DNS record types to log, based on the query type.
- # Default: all.
- #types: [a, aaaa, cname, mx, ns, ptr, txt]
{% if not helpers.empty('OPNsense.IDS.general.eveLog.tls.enable') %}
- tls:
extended: {{ 'no' if helpers.empty('OPNsense.IDS.general.eveLog.tls.extended') else 'yes' }}
@@ -259,19 +231,25 @@ outputs:
custom: [{{ OPNsense.IDS.general.eveLog.tls.custom }}]
{% endif %}
{% endif %}
- #- files:
- force-magic: no # force logging magic on all logged files
- # force logging of checksums, available hash functions are md5,
- # sha1 and sha256
- #force-hash: [md5]
- drop:
alerts: yes # log alerts that caused drops
flows: start # start or all: 'start' logs only a single drop
# per flow direction. All logs each dropped pkt.
- #- smtp:
- #extended: yes # enable this for extended logging information
+ - ssh
+
+{% set eveLog_types_enabled = (OPNsense.IDS.general.eveLog.types.enabled|default('')).split(',') %}
+{% set eveLog_types_extended = (OPNsense.IDS.general.eveLog.types.extended|default('')).split(',') %}
+{% for opt in eveLog_types_enabled %}
+ - {{opt}}:
+{% if opt == 'files' and opt in eveLog_types_extended %}
+ force-magic: yes # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+{% elif opt == 'smtp' and opt in eveLog_types_extended %}
+ extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
# custom fields logging from the list:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
@@ -282,43 +260,18 @@ outputs:
# for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes
#md5: [body, subject]
-
- #- dnp3
- #- ftp
- #- rdp
- #- nfs
- #- smb
- #- tftp
- #- ike
- #- dcerpc
- #- krb5
- #- bittorrent-dht
- #- snmp
- #- rfb
- #- sip
- #- quic
- #- dhcp:
- #enabled: yes
+{% elif opt == 'dhcp' and opt in eveLog_types_extended %}
# When extended mode is on, all DHCP messages are logged
# with full detail. When extended mode is off (the
# default), just enough information to map a MAC address
# to an IP address is logged.
- #extended: no
- - ssh
- #- mqtt:
- # passwords: yes # enable output of passwords
- #- http2
- #- pgsql:
- #enabled: no
- # passwords: yes # enable output of passwords. Disabled by default
- #- stats:
- #totals: yes # stats for all threads merged together
- #threads: no # per thread stats
- #deltas: no # include delta values
- # bi-directional flows
- #- flow
- # uni-directional flows
- #- netflow
+ extended: yes
+{% elif opt == 'mqtt' and opt in eveLog_types_extended %}
+ passwords: yes # enable output of passwords
+{% elif opt == 'pgsql' and opt in eveLog_types_extended %}
+ passwords: yes # enable output of passwords. Disabled by default
+{% endif %}
+{% endfor %}
# Metadata event type. Triggered whenever a pktvar is saved
# and will include the pktvars, flowvars, flowbits and
@@ -942,7 +895,7 @@ app-layer:
#encryption-handling: default
pgsql:
- enabled: no
+ enabled: {{ 'yes' if 'pgsql' in eveLog_types_enabled else 'no' }}
# Stream reassembly size for PostgreSQL. By default, track it completely.
stream-depth: 0
# Maximum number of live PostgreSQL transactions per flow
@@ -998,14 +951,14 @@ app-layer:
#log-url-scheme: yes
# Set to yes to compute the md5 of the mail body. You will then
# be able to journalize it.
- body-md5: no
+ body-md5: {{ 'yes' if 'smtp' in eveLog_types_extended else 'no' }}
# Configure inspected-tracker for file_data keyword
inspected-tracker:
content-limit: 100000
content-inspect-min-size: 32768
content-inspect-window: 4096
imap:
- enabled: detection-only
+ enabled: {{ 'yes' if 'imap' in eveLog_types_enabled else 'detection-only' }}
smb:
enabled: yes
detection-ports:
@@ -1171,7 +1124,7 @@ app-layer:
# DNP3
dnp3:
- enabled: no
+ enabled: {{ 'yes' if 'dnp3' in eveLog_types_enabled else 'no' }}
detection-ports:
dp: 20000
@@ -1192,7 +1145,7 @@ app-layer:
enabled: yes
sip:
- #enabled: yes
+ enabled: {{ 'yes' if 'sip' in eveLog_types_enabled else 'no' }}
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256