-k option equivalence in suricata.yaml

Hi - I understand the -k option is used when analysing stand-alone pcaps. In suricata.yaml I can see the following:

    capture:
      # disable checksum validation. Same as setting '-k none' on the
      # commandline.
      #checksum-validation: none

There's also a checksum-validation parameter in the stream: section. Should this be set to none as well?

Secondly, there is a 'checksum-checks:' parameter in the interface sections (af-packet, pcap, netmap). Is there any relation to the checksum-validation parameter above?

If this is set to yes, packets with invalid checksum values won't be processed by the engine's stream/app layer. So this should be set to no based on the use case.

Yes, checksum-validation needs to be set to yes if you want to set a specific option for this particular interface. So checksum-checks defines how the checksum checking should be done at this specific interface, so you can enable it globally but disable it on some of the used interfaces.

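The two situations discussed in the thread, put side by side as an added example (this is not the thread's own text nor the suricata.yaml shipped with Suricata): the first document is the offline-pcap case, where checksum validation is switched off at the global level and in the stream engine; the second is a live case that keeps the global check on and uses the per-interface checksum-checks knob to opt one capture method out. The key names are the ones quoted in the thread plus the pcap-file section; the interface name, the `kernel`/`auto` values and the comments describing them are assumptions, so check them against the comments in your own suricata.yaml.

```yaml
# Document 1: analysing stand-alone pcaps (suricata -r file.pcap).
# Added example, not the thread's or Suricata's own configuration.
capture:
  # Global switch. Uncommented, this is the suricata.yaml equivalent of
  # passing "-k none" on the command line.
  checksum-validation: none

stream:
  # Stream engine: "no" keeps packets with bad checksums in the
  # stream/app-layer pipeline; "yes" would drop them before inspection.
  checksum-validation: no

pcap-file:
  # Assumption: per-method setting; irrelevant here because the global
  # checksum-validation above is already "none".
  checksum-checks: auto

---
# Document 2: live capture, global validation kept on, one capture
# method opted out via checksum-checks (the "enable it globally but
# disable it on some interfaces" pattern from the reply).
capture:
  checksum-validation: yes

stream:
  checksum-validation: yes

af-packet:
  - interface: eth0           # assumed interface name
    # Assumption: "kernel" trusts the checksum verdict the kernel/NIC
    # offload already produced instead of recomputing it in Suricata.
    checksum-checks: kernel
  - interface: eth1           # assumed interface name
    # This interface sees traffic with checksum offloading artefacts,
    # so checking is disabled for it only.
    checksum-checks: no
```

Document 1 is the one that matches the original question: once the global value is `none`, the per-interface `checksum-checks` values are not what decides anything, which is exactly the dependency the reply describes.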

Are you sure the value in stream is none and not no?

You're correct, my bad 🙂 (fixed it)
