Hi - I understand the -k option used to analyse stand-alone pcaps. In suricata.yaml I can see the following:
    capture:
      # disable checksum validation. Same as setting '-k none' on the
      # commandline.
      #checksum-validation: none
There’s also a checksum-validation parameter in the stream: section. Should this be set to none as well?
Secondly, there is a ‘checksum-checks:’ parameter in the interfaces sections (af-packet, pcap, netmap). Is there any relation to the checksum-validation parameter above?
If this is set to yes, packets with invalid checksum values won’t be processed by the engine stream/app layer. So this should be set to no based on the use case.
Yes, checksum-validation needs to be set to yes if you want to set a specific option for this particular interface. So checksum-checks defines how the checksum checking should be done at this specific interface, so you can enable it globally but disable it on some of the used interfaces.
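The three settings discussed in this thread, side by side in one suricata.yaml fragment. This is an added example, not a configuration posted by anyone in the thread; the interface names are placeholders and the per-interface values are one possible choice.

```yaml
# Added example. Interface names (eth0, eth1) are placeholders.

capture:
  # Global switch from the question. Uncommenting it is the same as
  # running with '-k none'. It stays commented out here so that checksum
  # validation remains enabled and the per-interface checksum-checks
  # values below have an effect.
  #checksum-validation: none

stream:
  # As described in the first reply: with 'yes', packets with an invalid
  # checksum are not processed by the stream/app layer. Set to 'no' when
  # the capture is known to contain bad checksums that must still be
  # inspected.
  checksum-validation: yes

af-packet:
  # checksum-checks selects how checking is done on each interface.
  - interface: eth0          # placeholder
    checksum-checks: kernel  # use the kernel's per-packet indication
  - interface: eth1          # placeholder
    checksum-checks: no      # checking disabled for this interface only

pcap:
  - interface: eth2          # placeholder
    checksum-checks: auto    # detect checksum offloading statistically
```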