Andrew Geissler | f1e4406 | 2021-04-15 15:52:46 -0500 | [diff] [blame] | 1 | %YAML 1.1 |
| 2 | --- |
| 3 | |
| 4 | # Suricata configuration file. In addition to the comments describing all |
| 5 | # options in this file, full documentation can be found at: |
| 6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml |
| 7 | |
| 8 | |
| 9 | # Number of packets allowed to be processed simultaneously. Default is a |
| 10 | # conservative 1024. A higher number will make sure CPU's/CPU cores will be |
| 11 | # more easily kept busy, but may negatively impact caching. |
| 12 | # |
| 13 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules |
| 14 | # apply. In that case try something like 60000 or more. This is because the CUDA |
| 15 | # pattern matcher buffers and scans as many packets as possible in parallel. |
| 16 | #max-pending-packets: 1024 |
| 17 | |
| 18 | # Runmode the engine should use. Please check --list-runmodes to get the available |
| 19 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned |
| 20 | # load balancing). |
| 21 | #runmode: autofp |
| 22 | |
| 23 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. |
| 24 | # |
| 25 | # Supported schedulers are: |
| 26 | # |
| 27 | # round-robin - Flows assigned to threads in a round robin fashion. |
| 28 | # active-packets - Flows assigned to threads that have the lowest number of |
| 29 | # unprocessed packets (default). |
| 30 | # hash - Flow alloted usihng the address hash. More of a random |
| 31 | # technique. Was the default in Suricata 1.2.1 and older. |
| 32 | # |
| 33 | #autofp-scheduler: active-packets |
| 34 | |
| 35 | # If suricata box is a router for the sniffed networks, set it to 'router'. If |
| 36 | # it is a pure sniffing setup, set it to 'sniffer-only'. |
| 37 | # If set to auto, the variable is internally switch to 'router' in IPS mode |
| 38 | # and 'sniffer-only' in IDS mode. |
| 39 | # This feature is currently only used by the reject* keywords. |
| 40 | host-mode: auto |
| 41 | |
| 42 | # Run suricata as user and group. |
| 43 | #run-as: |
| 44 | # user: suri |
| 45 | # group: suri |
| 46 | |
| 47 | # Default pid file. |
| 48 | # Will use this file if no --pidfile in command options. |
| 49 | #pid-file: /var/run/suricata.pid |
| 50 | |
| 51 | # Daemon working directory |
| 52 | # Suricata will change directory to this one if provided |
| 53 | # Default: "/" |
| 54 | #daemon-directory: "/" |
| 55 | |
| 56 | # Preallocated size for packet. Default is 1514 which is the classical |
| 57 | # size for pcap on ethernet. You should adjust this value to the highest |
| 58 | # packet size (MTU + hardware header) on your system. |
| 59 | #default-packet-size: 1514 |
| 60 | |
| 61 | # The default logging directory. Any log or output file will be |
| 62 | # placed here if its not specified with a full path name. This can be |
| 63 | # overridden with the -l command line parameter. |
| 64 | default-log-dir: /var/log/suricata/ |
| 65 | |
| 66 | # Unix command socket can be used to pass commands to suricata. |
| 67 | # An external tool can then connect to get information from suricata |
| 68 | # or trigger some modifications of the engine. Set enabled to yes |
| 69 | # to activate the feature. You can use the filename variable to set |
| 70 | # the file name of the socket. |
| 71 | unix-command: |
| 72 | enabled: no |
| 73 | #filename: custom.socket |
| 74 | |
| 75 | # Configure the type of alert (and other) logging you would like. |
| 76 | outputs: |
| 77 | |
| 78 | # a line based alerts log similar to Snort's fast.log |
| 79 | - fast: |
| 80 | enabled: yes |
| 81 | filename: fast.log |
| 82 | append: yes |
| 83 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 84 | |
| 85 | # Extensible Event Format (nicknamed EVE) event log in JSON format |
| 86 | - eve-log: |
| 87 | enabled: yes |
| 88 | type: file #file|syslog|unix_dgram|unix_stream |
| 89 | filename: eve.json |
| 90 | # the following are valid when type: syslog above |
| 91 | #identity: "suricata" |
| 92 | #facility: local5 |
| 93 | #level: Info ## possible levels: Emergency, Alert, Critical, |
| 94 | ## Error, Warning, Notice, Info, Debug |
| 95 | types: |
| 96 | - alert |
| 97 | - http: |
| 98 | extended: yes # enable this for extended logging information |
| 99 | # custom allows additional http fields to be included in eve-log |
| 100 | # the example below adds three additional fields when uncommented |
| 101 | #custom: [Accept-Encoding, Accept-Language, Authorization] |
| 102 | - dns |
| 103 | - tls: |
| 104 | extended: yes # enable this for extended logging information |
| 105 | - files: |
| 106 | force-magic: no # force logging magic on all logged files |
| 107 | force-md5: no # force logging of md5 checksums |
| 108 | #- drop |
| 109 | - ssh |
| 110 | |
| 111 | # alert output for use with Barnyard2 |
| 112 | - unified2-alert: |
| 113 | enabled: yes |
| 114 | filename: unified2.alert |
| 115 | |
| 116 | # File size limit. Can be specified in kb, mb, gb. Just a number |
| 117 | # is parsed as bytes. |
| 118 | #limit: 32mb |
| 119 | |
| 120 | # Sensor ID field of unified2 alerts. |
| 121 | #sensor-id: 0 |
| 122 | |
| 123 | # HTTP X-Forwarded-For support by adding the unified2 extra header that |
| 124 | # will contain the actual client IP address or by overwriting the source |
| 125 | # IP address (helpful when inspecting traffic that is being reversed |
| 126 | # proxied). |
| 127 | xff: |
| 128 | enabled: no |
| 129 | # Two operation modes are available, "extra-data" and "overwrite". Note |
| 130 | # that in the "overwrite" mode, if the reported IP address in the HTTP |
| 131 | # X-Forwarded-For header is of a different version of the packet |
| 132 | # received, it will fall-back to "extra-data" mode. |
| 133 | mode: extra-data |
| 134 | # Header name were the actual IP address will be reported, if more than |
| 135 | # one IP address is present, the last IP address will be the one taken |
| 136 | # into consideration. |
| 137 | header: X-Forwarded-For |
| 138 | |
| 139 | # a line based log of HTTP requests (no alerts) |
| 140 | - http-log: |
| 141 | enabled: yes |
| 142 | filename: http.log |
| 143 | append: yes |
| 144 | #extended: yes # enable this for extended logging information |
| 145 | #custom: yes # enabled the custom logging format (defined by customformat) |
| 146 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" |
| 147 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 148 | |
| 149 | # a line based log of TLS handshake parameters (no alerts) |
| 150 | - tls-log: |
| 151 | enabled: no # Log TLS connections. |
| 152 | filename: tls.log # File to store TLS logs. |
| 153 | append: yes |
| 154 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 155 | #extended: yes # Log extended information like fingerprint |
| 156 | certs-log-dir: certs # directory to store the certificates files |
| 157 | |
| 158 | # a line based log of DNS requests and/or replies (no alerts) |
| 159 | - dns-log: |
| 160 | enabled: no |
| 161 | filename: dns.log |
| 162 | append: yes |
| 163 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 164 | |
| 165 | # a line based log to used with pcap file study. |
| 166 | # this module is dedicated to offline pcap parsing (empty output |
| 167 | # if used with another kind of input). It can interoperate with |
| 168 | # pcap parser like wireshark via the suriwire plugin. |
| 169 | - pcap-info: |
| 170 | enabled: no |
| 171 | |
| 172 | # Packet log... log packets in pcap format. 2 modes of operation: "normal" |
| 173 | # and "sguil". |
| 174 | # |
| 175 | # In normal mode a pcap file "filename" is created in the default-log-dir, |
| 176 | # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. |
| 177 | # In this base dir the pcaps are created in th directory structure Sguil expects: |
| 178 | # |
| 179 | # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> |
| 180 | # |
| 181 | # By default all packets are logged except: |
| 182 | # - TCP streams beyond stream.reassembly.depth |
| 183 | # - encrypted streams after the key exchange |
| 184 | # |
| 185 | - pcap-log: |
| 186 | enabled: no |
| 187 | filename: log.pcap |
| 188 | |
| 189 | # File size limit. Can be specified in kb, mb, gb. Just a number |
| 190 | # is parsed as bytes. |
| 191 | limit: 1000mb |
| 192 | |
| 193 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" |
| 194 | max-files: 2000 |
| 195 | |
| 196 | mode: normal # normal or sguil. |
| 197 | #sguil-base-dir: /nsm_data/ |
| 198 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec |
| 199 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets |
| 200 | |
| 201 | # a full alerts log containing much information for signature writers |
| 202 | # or for investigating suspected false positives. |
| 203 | - alert-debug: |
| 204 | enabled: no |
| 205 | filename: alert-debug.log |
| 206 | append: yes |
| 207 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 208 | |
| 209 | # alert output to prelude (http://www.prelude-technologies.com/) only |
| 210 | # available if Suricata has been compiled with --enable-prelude |
| 211 | - alert-prelude: |
| 212 | enabled: no |
| 213 | profile: suricata |
| 214 | log-packet-content: no |
| 215 | log-packet-header: yes |
| 216 | |
| 217 | # Stats.log contains data from various counters of the suricata engine. |
| 218 | # The interval field (in seconds) tells after how long output will be written |
| 219 | # on the log file. |
| 220 | - stats: |
| 221 | enabled: yes |
| 222 | filename: stats.log |
| 223 | interval: 8 |
| 224 | |
| 225 | # a line based alerts log similar to fast.log into syslog |
| 226 | - syslog: |
| 227 | enabled: no |
| 228 | # reported identity to syslog. If ommited the program name (usually |
| 229 | # suricata) will be used. |
| 230 | #identity: "suricata" |
| 231 | facility: local5 |
| 232 | #level: Info ## possible levels: Emergency, Alert, Critical, |
| 233 | ## Error, Warning, Notice, Info, Debug |
| 234 | |
| 235 | # a line based information for dropped packets in IPS mode |
| 236 | - drop: |
| 237 | enabled: no |
| 238 | filename: drop.log |
| 239 | append: yes |
| 240 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 241 | |
| 242 | # output module to store extracted files to disk |
| 243 | # |
| 244 | # The files are stored to the log-dir in a format "file.<id>" where <id> is |
| 245 | # an incrementing number starting at 1. For each file "file.<id>" a meta |
| 246 | # file "file.<id>.meta" is created. |
| 247 | # |
| 248 | # File extraction depends on a lot of things to be fully done: |
| 249 | # - stream reassembly depth. For optimal results, set this to 0 (unlimited) |
| 250 | # - http request / response body sizes. Again set to 0 for optimal results. |
| 251 | # - rules that contain the "filestore" keyword. |
| 252 | - file-store: |
| 253 | enabled: no # set to yes to enable |
| 254 | log-dir: files # directory to store the files |
| 255 | force-magic: no # force logging magic on all stored files |
| 256 | force-md5: no # force logging of md5 checksums |
| 257 | #waldo: file.waldo # waldo file to store the file_id across runs |
| 258 | |
| 259 | # output module to log files tracked in a easily parsable json format |
| 260 | - file-log: |
| 261 | enabled: no |
| 262 | filename: files-json.log |
| 263 | append: yes |
| 264 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
| 265 | |
| 266 | force-magic: no # force logging magic on all logged files |
| 267 | force-md5: no # force logging of md5 checksums |
| 268 | |
| 269 | # Magic file. The extension .mgc is added to the value here. |
| 270 | #magic-file: /usr/share/file/magic |
| 271 | magic-file: /usr/share/misc/magic.mgc |
| 272 | |
| 273 | # When running in NFQ inline mode, it is possible to use a simulated |
| 274 | # non-terminal NFQUEUE verdict. |
| 275 | # This permit to do send all needed packet to suricata via this a rule: |
| 276 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE |
| 277 | # And below, you can have your standard filtering ruleset. To activate |
| 278 | # this mode, you need to set mode to 'repeat' |
| 279 | # If you want packet to be sent to another queue after an ACCEPT decision |
| 280 | # set mode to 'route' and set next-queue value. |
| 281 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance |
| 282 | # by processing several packets before sending a verdict (worker runmode only). |
| 283 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel |
| 284 | # accept the packet if suricata is not able to keep pace. |
| 285 | nfq: |
| 286 | # mode: accept |
| 287 | # repeat-mark: 1 |
| 288 | # repeat-mask: 1 |
| 289 | # route-queue: 2 |
| 290 | # batchcount: 20 |
| 291 | # fail-open: yes |
| 292 | |
| 293 | #nflog support |
| 294 | nflog: |
| 295 | # netlink multicast group |
| 296 | # (the same as the iptables --nflog-group param) |
| 297 | # Group 0 is used by the kernel, so you can't use it |
| 298 | - group: 2 |
| 299 | # netlink buffer size |
| 300 | buffer-size: 18432 |
| 301 | # put default value here |
| 302 | - group: default |
| 303 | # set number of packet to queue inside kernel |
| 304 | qthreshold: 1 |
| 305 | # set the delay before flushing packet in the queue inside kernel |
| 306 | qtimeout: 100 |
| 307 | # netlink max buffer size |
| 308 | max-size: 20000 |
| 309 | |
| 310 | # af-packet support |
| 311 | # Set threads to > 1 to use PACKET_FANOUT support |
| 312 | af-packet: |
| 313 | - interface: eth0 |
| 314 | # Number of receive threads (>1 will enable experimental flow pinned |
| 315 | # runmode) |
| 316 | threads: 1 |
| 317 | # Default clusterid. AF_PACKET will load balance packets based on flow. |
| 318 | # All threads/processes that will participate need to have the same |
| 319 | # clusterid. |
| 320 | cluster-id: 99 |
| 321 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. |
| 322 | # This is only supported for Linux kernel > 3.1 |
| 323 | # possible value are: |
| 324 | # * cluster_round_robin: round robin load balancing |
| 325 | # * cluster_flow: all packets of a given flow are send to the same socket |
| 326 | # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket |
| 327 | cluster-type: cluster_flow |
| 328 | # In some fragmentation case, the hash can not be computed. If "defrag" is set |
| 329 | # to yes, the kernel will do the needed defragmentation before sending the packets. |
| 330 | defrag: yes |
| 331 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes |
| 332 | use-mmap: yes |
| 333 | # Ring size will be computed with respect to max_pending_packets and number |
| 334 | # of threads. You can set manually the ring size in number of packets by setting |
| 335 | # the following value. If you are using flow cluster-type and have really network |
| 336 | # intensive single-flow you could want to set the ring-size independantly of the number |
| 337 | # of threads: |
| 338 | #ring-size: 2048 |
| 339 | # On busy system, this could help to set it to yes to recover from a packet drop |
| 340 | # phase. This will result in some packets (at max a ring flush) being non treated. |
| 341 | #use-emergency-flush: yes |
| 342 | # recv buffer size, increase value could improve performance |
| 343 | # buffer-size: 32768 |
| 344 | # Set to yes to disable promiscuous mode |
| 345 | # disable-promisc: no |
| 346 | # Choose checksum verification mode for the interface. At the moment |
| 347 | # of the capture, some packets may be with an invalid checksum due to |
| 348 | # offloading to the network card of the checksum computation. |
| 349 | # Possible values are: |
| 350 | # - kernel: use indication sent by kernel for each packet (default) |
| 351 | # - yes: checksum validation is forced |
| 352 | # - no: checksum validation is disabled |
| 353 | # - auto: suricata uses a statistical approach to detect when |
| 354 | # checksum off-loading is used. |
| 355 | # Warning: 'checksum-validation' must be set to yes to have any validation |
| 356 | #checksum-checks: kernel |
| 357 | # BPF filter to apply to this interface. The pcap filter syntax apply here. |
| 358 | #bpf-filter: port 80 or udp |
| 359 | # You can use the following variables to activate AF_PACKET tap od IPS mode. |
| 360 | # If copy-mode is set to ips or tap, the traffic coming to the current |
| 361 | # interface will be copied to the copy-iface interface. If 'tap' is set, the |
| 362 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action |
| 363 | # will not be copied. |
| 364 | #copy-mode: ips |
| 365 | #copy-iface: eth1 |
| 366 | - interface: eth1 |
| 367 | threads: 1 |
| 368 | cluster-id: 98 |
| 369 | cluster-type: cluster_flow |
| 370 | defrag: yes |
| 371 | # buffer-size: 32768 |
| 372 | # disable-promisc: no |
| 373 | # Put default values here |
| 374 | - interface: default |
| 375 | #threads: 2 |
| 376 | #use-mmap: yes |
| 377 | |
| 378 | legacy: |
| 379 | uricontent: enabled |
| 380 | |
| 381 | # You can specify a threshold config file by setting "threshold-file" |
| 382 | # to the path of the threshold config file: |
| 383 | # threshold-file: /etc/suricata/threshold.config |
| 384 | |
| 385 | # The detection engine builds internal groups of signatures. The engine |
| 386 | # allow us to specify the profile to use for them, to manage memory on an |
| 387 | # efficient way keeping a good performance. For the profile keyword you |
| 388 | # can use the words "low", "medium", "high" or "custom". If you use custom |
| 389 | # make sure to define the values at "- custom-values" as your convenience. |
| 390 | # Usually you would prefer medium/high/low. |
| 391 | # |
| 392 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for |
| 393 | # the signature groups. "single" indicates the use of a single context for |
| 394 | # all the signature group heads. "full" indicates a mpm-context for each |
| 395 | # group head. "auto" lets the engine decide the distribution of contexts |
| 396 | # based on the information the engine gathers on the patterns from each |
| 397 | # group head. |
| 398 | # |
| 399 | # The option inspection-recursion-limit is used to limit the recursive calls |
| 400 | # in the content inspection code. For certain payload-sig combinations, we |
| 401 | # might end up taking too much time in the content inspection code. |
| 402 | # If the argument specified is 0, the engine uses an internally defined |
| 403 | # default limit. On not specifying a value, we use no limits on the recursion. |
| 404 | detect-engine: |
| 405 | - profile: medium |
| 406 | - custom-values: |
| 407 | toclient-src-groups: 2 |
| 408 | toclient-dst-groups: 2 |
| 409 | toclient-sp-groups: 2 |
| 410 | toclient-dp-groups: 3 |
| 411 | toserver-src-groups: 2 |
| 412 | toserver-dst-groups: 4 |
| 413 | toserver-sp-groups: 2 |
| 414 | toserver-dp-groups: 25 |
| 415 | - sgh-mpm-context: auto |
| 416 | - inspection-recursion-limit: 3000 |
| 417 | # When rule-reload is enabled, sending a USR2 signal to the Suricata process |
| 418 | # will trigger a live rule reload. Experimental feature, use with care. |
| 419 | #- rule-reload: true |
| 420 | # If set to yes, the loading of signatures will be made after the capture |
| 421 | # is started. This will limit the downtime in IPS mode. |
| 422 | #- delayed-detect: yes |
| 423 | |
| 424 | # Suricata is multi-threaded. Here the threading can be influenced. |
| 425 | threading: |
| 426 | # On some cpu's/architectures it is beneficial to tie individual threads |
| 427 | # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, |
| 428 | # and each extra CPU/core has one "detect" thread. |
| 429 | # |
| 430 | # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. |
| 431 | # |
| 432 | set-cpu-affinity: no |
| 433 | # Tune cpu affinity of suricata threads. Each family of threads can be bound |
| 434 | # on specific CPUs. |
| 435 | cpu-affinity: |
| 436 | - management-cpu-set: |
| 437 | cpu: [ 0 ] # include only these cpus in affinity settings |
| 438 | - receive-cpu-set: |
| 439 | cpu: [ 0 ] # include only these cpus in affinity settings |
| 440 | - decode-cpu-set: |
| 441 | cpu: [ 0, 1 ] |
| 442 | mode: "balanced" |
| 443 | - stream-cpu-set: |
| 444 | cpu: [ "0-1" ] |
| 445 | - detect-cpu-set: |
| 446 | cpu: [ "all" ] |
| 447 | mode: "exclusive" # run detect threads in these cpus |
| 448 | # Use explicitely 3 threads and don't compute number by using |
| 449 | # detect-thread-ratio variable: |
| 450 | # threads: 3 |
| 451 | prio: |
| 452 | low: [ 0 ] |
| 453 | medium: [ "1-2" ] |
| 454 | high: [ 3 ] |
| 455 | default: "medium" |
| 456 | - verdict-cpu-set: |
| 457 | cpu: [ 0 ] |
| 458 | prio: |
| 459 | default: "high" |
| 460 | - reject-cpu-set: |
| 461 | cpu: [ 0 ] |
| 462 | prio: |
| 463 | default: "low" |
| 464 | - output-cpu-set: |
| 465 | cpu: [ "all" ] |
| 466 | prio: |
| 467 | default: "medium" |
| 468 | # |
| 469 | # By default Suricata creates one "detect" thread per available CPU/CPU core. |
| 470 | # This setting allows controlling this behaviour. A ratio setting of 2 will |
| 471 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this |
| 472 | # will result in 4 detect threads. If values below 1 are used, less threads |
| 473 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect |
| 474 | # thread being created. Regardless of the setting at a minimum 1 detect |
| 475 | # thread will always be created. |
| 476 | # |
| 477 | detect-thread-ratio: 1.5 |
| 478 | |
| 479 | # Cuda configuration. |
| 480 | cuda: |
| 481 | # The "mpm" profile. On not specifying any of these parameters, the engine's |
| 482 | # internal default values are used, which are same as the ones specified in |
| 483 | # in the default conf file. |
| 484 | mpm: |
| 485 | # The minimum length required to buffer data to the gpu. |
| 486 | # Anything below this is MPM'ed on the CPU. |
| 487 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. |
| 488 | # A value of 0 indicates there's no limit. |
| 489 | data-buffer-size-min-limit: 0 |
| 490 | # The maximum length for data that we would buffer to the gpu. |
| 491 | # Anything over this is MPM'ed on the CPU. |
| 492 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. |
| 493 | data-buffer-size-max-limit: 1500 |
| 494 | # The ring buffer size used by the CudaBuffer API to buffer data. |
| 495 | cudabuffer-buffer-size: 500mb |
| 496 | # The max chunk size that can be sent to the gpu in a single go. |
| 497 | gpu-transfer-size: 50mb |
| 498 | # The timeout limit for batching of packets in microseconds. |
| 499 | batching-timeout: 2000 |
| 500 | # The device to use for the mpm. Currently we don't support load balancing |
| 501 | # on multiple gpus. In case you have multiple devices on your system, you |
| 502 | # can specify the device to use, using this conf. By default we hold 0, to |
| 503 | # specify the first device cuda sees. To find out device-id associated with |
| 504 | # the card(s) on the system run "suricata --list-cuda-cards". |
| 505 | device-id: 0 |
| 506 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid. |
| 507 | # For this option you need a device with Compute Capability > 1.0. |
| 508 | cuda-streams: 2 |
| 509 | |
| 510 | # Select the multi pattern algorithm you want to run for scan/search the |
| 511 | # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, |
| 512 | # ac and ac-gfbs. |
| 513 | # |
| 514 | # The mpm you choose also decides the distribution of mpm contexts for |
| 515 | # signature groups, specified by the conf - "detect-engine.sgh-mpm-context". |
| 516 | # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" |
| 517 | # to be set to "single", because of ac's memory requirements, unless the |
| 518 | # ruleset is small enough to fit in one's memory, in which case one can |
| 519 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. |
| 520 | # |
| 521 | # There is also a CUDA pattern matcher (only available if Suricata was |
| 522 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your |
| 523 | # max-pending-packets setting above as well if you use b2g_cuda. |
| 524 | |
| 525 | mpm-algo: ac |
| 526 | |
| 527 | # The memory settings for hash size of these algorithms can vary from lowest |
| 528 | # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max |
| 529 | # (65536). The bloomfilter sizes of these algorithms can vary from low (512) - |
| 530 | # medium (1024) - high (2048). |
| 531 | # |
| 532 | # For B2g/B3g algorithms, there is a support for two different scan/search |
| 533 | # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and |
| 534 | # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms |
| 535 | # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & |
| 536 | # B3gSearchBNDMq. |
| 537 | # |
| 538 | # For B2g the different scan/search algorithms and, hash and bloom |
| 539 | # filter size settings. For B3g the different scan/search algorithms and, hash |
| 540 | # and bloom filter size settings. For wumanber the hash and bloom filter size |
| 541 | # settings. |
| 542 | |
| 543 | pattern-matcher: |
| 544 | - b2gc: |
| 545 | search-algo: B2gSearchBNDMq |
| 546 | hash-size: low |
| 547 | bf-size: medium |
| 548 | - b2gm: |
| 549 | search-algo: B2gSearchBNDMq |
| 550 | hash-size: low |
| 551 | bf-size: medium |
| 552 | - b2g: |
| 553 | search-algo: B2gSearchBNDMq |
| 554 | hash-size: low |
| 555 | bf-size: medium |
| 556 | - b3g: |
| 557 | search-algo: B3gSearchBNDMq |
| 558 | hash-size: low |
| 559 | bf-size: medium |
| 560 | - wumanber: |
| 561 | hash-size: low |
| 562 | bf-size: medium |
| 563 | |
| 564 | # Defrag settings: |
| 565 | |
| 566 | defrag: |
| 567 | memcap: 32mb |
| 568 | hash-size: 65536 |
| 569 | trackers: 65535 # number of defragmented flows to follow |
| 570 | max-frags: 65535 # number of fragments to keep (higher than trackers) |
| 571 | prealloc: yes |
| 572 | timeout: 60 |
| 573 | |
| 574 | # Enable defrag per host settings |
| 575 | # host-config: |
| 576 | # |
| 577 | # - dmz: |
| 578 | # timeout: 30 |
| 579 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] |
| 580 | # |
| 581 | # - lan: |
| 582 | # timeout: 45 |
| 583 | # address: |
| 584 | # - 192.168.0.0/24 |
| 585 | # - 192.168.10.0/24 |
| 586 | # - 172.16.14.0/24 |
| 587 | |
| 588 | # Flow settings: |
| 589 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit |
| 590 | # for flow allocation inside the engine. You can change this value to allow |
| 591 | # more memory usage for flows. |
| 592 | # The hash-size determine the size of the hash used to identify flows inside |
| 593 | # the engine, and by default the value is 65536. |
| 594 | # At the startup, the engine can preallocate a number of flows, to get a better |
| 595 | # performance. The number of flows preallocated is 10000 by default. |
| 596 | # emergency-recovery is the percentage of flows that the engine need to |
| 597 | # prune before unsetting the emergency state. The emergency state is activated |
| 598 | # when the memcap limit is reached, allowing to create new flows, but |
| 599 | # prunning them with the emergency timeouts (they are defined below). |
| 600 | # If the memcap is reached, the engine will try to prune flows |
| 601 | # with the default timeouts. If it doens't find a flow to prune, it will set |
| 602 | # the emergency bit and it will try again with more agressive timeouts. |
| 603 | # If that doesn't work, then it will try to kill the last time seen flows |
| 604 | # not in use. |
| 605 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's |
| 606 | # in bytes. |
| 607 | |
| 608 | flow: |
| 609 | memcap: 64mb |
| 610 | hash-size: 65536 |
| 611 | prealloc: 10000 |
| 612 | emergency-recovery: 30 |
| 613 | |
| 614 | # This option controls the use of vlan ids in the flow (and defrag) |
| 615 | # hashing. Normally this should be enabled, but in some (broken) |
| 616 | # setups where both sides of a flow are not tagged with the same vlan |
| 617 | # tag, we can ignore the vlan id's in the flow hashing. |
| 618 | vlan: |
| 619 | use-for-tracking: true |
| 620 | |
| 621 | # Specific timeouts for flows. Here you can specify the timeouts that the |
| 622 | # active flows will wait to transit from the current state to another, on each |
| 623 | # protocol. The value of "new" determine the seconds to wait after a hanshake or |
| 624 | # stream startup before the engine free the data of that flow it doesn't |
| 625 | # change the state to established (usually if we don't receive more packets |
| 626 | # of that flow). The value of "established" is the amount of |
| 627 | # seconds that the engine will wait to free the flow if it spend that amount |
| 628 | # without receiving new packets or closing the connection. "closed" is the |
| 629 | # amount of time to wait after a flow is closed (usually zero). |
| 630 | # |
| 631 | # There's an emergency mode that will become active under attack circumstances, |
| 632 | # making the engine to check flow status faster. This configuration variables |
| 633 | # use the prefix "emergency-" and work similar as the normal ones. |
| 634 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and |
| 635 | # icmp. |
| 636 | |
| 637 | flow-timeouts: |
| 638 | |
| 639 | default: |
| 640 | new: 30 |
| 641 | established: 300 |
| 642 | closed: 0 |
| 643 | emergency-new: 10 |
| 644 | emergency-established: 100 |
| 645 | emergency-closed: 0 |
| 646 | tcp: |
| 647 | new: 60 |
| 648 | established: 3600 |
| 649 | closed: 120 |
| 650 | emergency-new: 10 |
| 651 | emergency-established: 300 |
| 652 | emergency-closed: 20 |
| 653 | udp: |
| 654 | new: 30 |
| 655 | established: 300 |
| 656 | emergency-new: 10 |
| 657 | emergency-established: 100 |
| 658 | icmp: |
| 659 | new: 30 |
| 660 | established: 300 |
| 661 | emergency-new: 10 |
| 662 | emergency-established: 100 |
| 663 | |
| 664 | # Stream engine settings. Here the TCP stream tracking and reassembly |
| 665 | # engine is configured. |
| 666 | # |
| 667 | # stream: |
| 668 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a |
| 669 | # # number indicates it's in bytes. |
| 670 | # checksum-validation: yes # To validate the checksum of received |
| 671 | # # packet. If csum validation is specified as |
| 672 | # # "yes", then packet with invalid csum will not |
| 673 | # # be processed by the engine stream/app layer. |
| 674 | # # Warning: locally generated trafic can be |
| 675 | # # generated without checksum due to hardware offload |
| 676 | # # of checksum. You can control the handling of checksum |
| 677 | # # on a per-interface basis via the 'checksum-checks' |
| 678 | # # option |
| 679 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread |
| 680 | # midstream: false # don't allow midstream session pickups |
| 681 | # async-oneside: false # don't enable async stream handling |
| 682 | # inline: no # stream inline mode |
| 683 | # max-synack-queued: 5 # Max different SYN/ACKs to queue |
| 684 | # |
| 685 | # reassembly: |
| 686 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number |
| 687 | # # indicates it's in bytes. |
| 688 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number |
| 689 | # # indicates it's in bytes. |
| 690 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least |
| 691 | # # this size. Can be specified in kb, mb, |
| 692 | # # gb. Just a number indicates it's in bytes. |
| 693 | # # The max acceptable size is 4024 bytes. |
| 694 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least |
| 695 | # # this size. Can be specified in kb, mb, |
| 696 | # # gb. Just a number indicates it's in bytes. |
| 697 | # # The max acceptable size is 4024 bytes. |
| 698 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. |
| 699 | # # This lower the risk of some evasion technics but could lead |
| 700 | # # detection change between runs. It is set to 'yes' by default. |
| 701 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is |
| 702 | # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size |
| 703 | # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value |
| 704 | # # of randomize-chunk-range is 10. |
| 705 | # |
| 706 | # raw: yes # 'Raw' reassembly enabled or disabled. |
| 707 | # # raw is for content inspection by detection |
| 708 | # # engine. |
| 709 | # |
| 710 | # chunk-prealloc: 250 # Number of preallocated stream chunks. These |
| 711 | # # are used during stream inspection (raw). |
| 712 | # segments: # Settings for reassembly segment pool. |
| 713 | # - size: 4 # Size of the (data)segment for a pool |
| 714 | # prealloc: 256 # Number of segments to prealloc and keep |
| 715 | # # in the pool. |
| 716 | # |
| 717 | stream: |
| 718 | memcap: 32mb |
| 719 | checksum-validation: yes # reject wrong csums |
| 720 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically |
| 721 | reassembly: |
| 722 | memcap: 128mb |
| 723 | depth: 1mb # reassemble 1mb into a stream |
| 724 | toserver-chunk-size: 2560 |
| 725 | toclient-chunk-size: 2560 |
| 726 | randomize-chunk-size: yes |
| 727 | #randomize-chunk-range: 10 |
| 728 | #raw: yes |
| 729 | #chunk-prealloc: 250 |
| 730 | #segments: |
| 731 | # - size: 4 |
| 732 | # prealloc: 256 |
| 733 | # - size: 16 |
| 734 | # prealloc: 512 |
| 735 | # - size: 112 |
| 736 | # prealloc: 512 |
| 737 | # - size: 248 |
| 738 | # prealloc: 512 |
| 739 | # - size: 512 |
| 740 | # prealloc: 512 |
| 741 | # - size: 768 |
| 742 | # prealloc: 1024 |
| 743 | # - size: 1448 |
| 744 | # prealloc: 1024 |
| 745 | # - size: 65535 |
| 746 | # prealloc: 128 |
| 747 | |
| 748 | # Host table: |
| 749 | # |
| 750 | # Host table is used by tagging and per host thresholding subsystems. |
| 751 | # |
| 752 | host: |
| 753 | hash-size: 4096 |
| 754 | prealloc: 1000 |
| 755 | memcap: 16777216 |
| 756 | |
| 757 | # Logging configuration. This is not about logging IDS alerts, but |
| 758 | # IDS output about what its doing, errors, etc. |
| 759 | logging: |
| 760 | |
| 761 | # The default log level, can be overridden in an output section. |
| 762 | # Note that debug level logging will only be emitted if Suricata was |
| 763 | # compiled with the --enable-debug configure option. |
| 764 | # |
| 765 | # This value is overriden by the SC_LOG_LEVEL env var. |
| 766 | default-log-level: notice |
| 767 | |
| 768 | # The default output format. Optional parameter, should default to |
| 769 | # something reasonable if not provided. Can be overriden in an |
| 770 | # output section. You can leave this out to get the default. |
| 771 | # |
| 772 | # This value is overriden by the SC_LOG_FORMAT env var. |
| 773 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " |
| 774 | |
| 775 | # A regex to filter output. Can be overridden in an output section. |
| 776 | # Defaults to empty (no filter). |
| 777 | # |
| 778 | # This value is overriden by the SC_LOG_OP_FILTER env var. |
| 779 | default-output-filter: |
| 780 | |
| 781 | # Define your logging outputs. If none are defined, or they are all |
| 782 | # disabled you will get the default - console output. |
| 783 | outputs: |
| 784 | - console: |
| 785 | enabled: yes |
| 786 | - file: |
| 787 | enabled: no |
| 788 | filename: /var/log/suricata.log |
| 789 | - syslog: |
| 790 | enabled: yes |
| 791 | facility: local5 |
| 792 | format: "[%i] <%d> -- " |
| 793 | |
| 794 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. |
| 795 | mpipe: |
| 796 | |
| 797 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". |
| 798 | load-balance: dynamic |
| 799 | |
| 800 | # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 |
| 801 | iqueue-packets: 2048 |
| 802 | |
| 803 | # List of interfaces we will listen on. |
| 804 | inputs: |
| 805 | - interface: xgbe2 |
| 806 | - interface: xgbe3 |
| 807 | - interface: xgbe4 |
| 808 | |
| 809 | |
| 810 | # Relative weight of memory for packets of each mPipe buffer size. |
| 811 | stack: |
| 812 | size128: 0 |
| 813 | size256: 9 |
| 814 | size512: 0 |
| 815 | size1024: 0 |
| 816 | size1664: 7 |
| 817 | size4096: 0 |
| 818 | size10386: 0 |
| 819 | size16384: 0 |
| 820 | |
| 821 | # PF_RING configuration. for use with native PF_RING support |
| 822 | # for more info see http://www.ntop.org/PF_RING.html |
| 823 | pfring: |
| 824 | - interface: eth0 |
| 825 | # Number of receive threads (>1 will enable experimental flow pinned |
| 826 | # runmode) |
| 827 | threads: 1 |
| 828 | |
| 829 | # Default clusterid. PF_RING will load balance packets based on flow. |
| 830 | # All threads/processes that will participate need to have the same |
| 831 | # clusterid. |
| 832 | cluster-id: 99 |
| 833 | |
| 834 | # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. |
| 835 | # This is only supported in versions of PF_RING > 4.1.1. |
| 836 | cluster-type: cluster_flow |
| 837 | # bpf filter for this interface |
| 838 | #bpf-filter: tcp |
| 839 | # Choose checksum verification mode for the interface. At the moment |
| 840 | # of the capture, some packets may be with an invalid checksum due to |
| 841 | # offloading to the network card of the checksum computation. |
| 842 | # Possible values are: |
| 843 | # - rxonly: only compute checksum for packets received by network card. |
| 844 | # - yes: checksum validation is forced |
| 845 | # - no: checksum validation is disabled |
| 846 | # - auto: suricata uses a statistical approach to detect when |
| 847 | # checksum off-loading is used. (default) |
| 848 | # Warning: 'checksum-validation' must be set to yes to have any validation |
| 849 | #checksum-checks: auto |
| 850 | # Second interface |
| 851 | #- interface: eth1 |
| 852 | # threads: 3 |
| 853 | # cluster-id: 93 |
| 854 | # cluster-type: cluster_flow |
| 855 | # Put default values here |
| 856 | - interface: default |
| 857 | #threads: 2 |
| 858 | |
| 859 | pcap: |
| 860 | - interface: eth0 |
| 861 | # On Linux, pcap will try to use mmaped capture and will use buffer-size |
| 862 | # as total of memory used by the ring. So set this to something bigger |
| 863 | # than 1% of your bandwidth. |
| 864 | #buffer-size: 16777216 |
| 865 | #bpf-filter: "tcp and port 25" |
| 866 | # Choose checksum verification mode for the interface. At the moment |
| 867 | # of the capture, some packets may be with an invalid checksum due to |
| 868 | # offloading to the network card of the checksum computation. |
| 869 | # Possible values are: |
| 870 | # - yes: checksum validation is forced |
| 871 | # - no: checksum validation is disabled |
| 872 | # - auto: suricata uses a statistical approach to detect when |
| 873 | # checksum off-loading is used. (default) |
| 874 | # Warning: 'checksum-validation' must be set to yes to have any validation |
| 875 | #checksum-checks: auto |
| 876 | # With some accelerator cards using a modified libpcap (like myricom), you |
| 877 | # may want to have the same number of capture threads as the number of capture |
| 878 | # rings. In this case, set up the threads variable to N to start N threads |
| 879 | # listening on the same interface. |
| 880 | #threads: 16 |
| 881 | # set to no to disable promiscuous mode: |
| 882 | #promisc: no |
| 883 | # set snaplen, if not set it defaults to MTU if MTU can be known |
| 884 | # via ioctl call and to full capture if not. |
| 885 | #snaplen: 1518 |
| 886 | # Put default values here |
| 887 | - interface: default |
| 888 | #checksum-checks: auto |
| 889 | |
| 890 | pcap-file: |
| 891 | # Possible values are: |
| 892 | # - yes: checksum validation is forced |
| 893 | # - no: checksum validation is disabled |
| 894 | # - auto: suricata uses a statistical approach to detect when |
| 895 | # checksum off-loading is used. (default) |
| 896 | # Warning: 'checksum-validation' must be set to yes to have checksum tested |
| 897 | checksum-checks: auto |
| 898 | |
| 899 | # For FreeBSD ipfw(8) divert(4) support. |
| 900 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" |
| 901 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. |
| 902 | # Additionally, you need to have an ipfw rule for the engine to see |
| 903 | # the packets from ipfw. For Example: |
| 904 | # |
| 905 | # ipfw add 100 divert 8000 ip from any to any |
| 906 | # |
| 907 | # The 8000 above should be the same number you passed on the command |
| 908 | # line, i.e. -d 8000 |
| 909 | # |
| 910 | ipfw: |
| 911 | |
| 912 | # Reinject packets at the specified ipfw rule number. This config |
| 913 | # option is the ipfw rule number AT WHICH rule processing continues |
| 914 | # in the ipfw processing system after the engine has finished |
| 915 | # inspecting the packet for acceptance. If no rule number is specified, |
| 916 | # accepted packets are reinjected at the divert rule which they entered |
| 917 | # and IPFW rule processing continues. No check is done to verify |
| 918 | # this will rule makes sense so care must be taken to avoid loops in ipfw. |
| 919 | # |
| 920 | ## The following example tells the engine to reinject packets |
| 921 | # back into the ipfw firewall AT rule number 5500: |
| 922 | # |
| 923 | # ipfw-reinjection-rule-number: 5500 |
| 924 | |
| 925 | # Set the default rule path here to search for the files. |
| 926 | # if not set, it will look at the current working dir |
| 927 | default-rule-path: /etc/suricata/rules |
| 928 | rule-files: |
| 929 | - botcc.rules |
| 930 | - ciarmy.rules |
| 931 | - compromised.rules |
| 932 | - drop.rules |
| 933 | - dshield.rules |
| 934 | - emerging-activex.rules |
| 935 | - emerging-attack_response.rules |
| 936 | - emerging-chat.rules |
| 937 | - emerging-current_events.rules |
| 938 | - emerging-dns.rules |
| 939 | - emerging-dos.rules |
| 940 | - emerging-exploit.rules |
| 941 | - emerging-ftp.rules |
| 942 | - emerging-games.rules |
| 943 | - emerging-icmp_info.rules |
| 944 | # - emerging-icmp.rules |
| 945 | - emerging-imap.rules |
| 946 | - emerging-inappropriate.rules |
| 947 | - emerging-malware.rules |
| 948 | - emerging-misc.rules |
| 949 | - emerging-mobile_malware.rules |
| 950 | - emerging-netbios.rules |
| 951 | - emerging-p2p.rules |
| 952 | - emerging-policy.rules |
| 953 | - emerging-pop3.rules |
| 954 | - emerging-rpc.rules |
| 955 | - emerging-scada.rules |
| 956 | - emerging-scan.rules |
| 957 | - emerging-shellcode.rules |
| 958 | - emerging-smtp.rules |
| 959 | - emerging-snmp.rules |
| 960 | - emerging-sql.rules |
| 961 | - emerging-telnet.rules |
| 962 | - emerging-tftp.rules |
| 963 | - emerging-trojan.rules |
| 964 | - emerging-user_agents.rules |
| 965 | - emerging-voip.rules |
| 966 | - emerging-web_client.rules |
| 967 | - emerging-web_server.rules |
| 968 | - emerging-web_specific_apps.rules |
| 969 | - emerging-worm.rules |
| 970 | - tor.rules |
| 971 | - decoder-events.rules # available in suricata sources under rules dir |
| 972 | - stream-events.rules # available in suricata sources under rules dir |
| 973 | - http-events.rules # available in suricata sources under rules dir |
| 974 | - smtp-events.rules # available in suricata sources under rules dir |
| 975 | - dns-events.rules # available in suricata sources under rules dir |
| 976 | - tls-events.rules # available in suricata sources under rules dir |
| 977 | |
| 978 | classification-file: /etc/suricata/classification.config |
| 979 | reference-config-file: /etc/suricata/reference.config |
| 980 | |
| 981 | # Holds variables that would be used by the engine. |
| 982 | vars: |
| 983 | |
| 984 | # Holds the address group vars that would be passed in a Signature. |
| 985 | # These would be retrieved during the Signature address parsing stage. |
| 986 | address-groups: |
| 987 | |
| 988 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" |
| 989 | |
| 990 | EXTERNAL_NET: "!$HOME_NET" |
| 991 | |
| 992 | HTTP_SERVERS: "$HOME_NET" |
| 993 | |
| 994 | SMTP_SERVERS: "$HOME_NET" |
| 995 | |
| 996 | SQL_SERVERS: "$HOME_NET" |
| 997 | |
| 998 | DNS_SERVERS: "$HOME_NET" |
| 999 | |
| 1000 | TELNET_SERVERS: "$HOME_NET" |
| 1001 | |
| 1002 | AIM_SERVERS: "$EXTERNAL_NET" |
| 1003 | |
| 1004 | DNP3_SERVER: "$HOME_NET" |
| 1005 | |
| 1006 | DNP3_CLIENT: "$HOME_NET" |
| 1007 | |
| 1008 | MODBUS_CLIENT: "$HOME_NET" |
| 1009 | |
| 1010 | MODBUS_SERVER: "$HOME_NET" |
| 1011 | |
| 1012 | ENIP_CLIENT: "$HOME_NET" |
| 1013 | |
| 1014 | ENIP_SERVER: "$HOME_NET" |
| 1015 | |
| 1016 | # Holds the port group vars that would be passed in a Signature. |
| 1017 | # These would be retrieved during the Signature port parsing stage. |
| 1018 | port-groups: |
| 1019 | |
| 1020 | HTTP_PORTS: "80" |
| 1021 | |
| 1022 | SHELLCODE_PORTS: "!80" |
| 1023 | |
| 1024 | ORACLE_PORTS: 1521 |
| 1025 | |
| 1026 | SSH_PORTS: 22 |
| 1027 | |
| 1028 | DNP3_PORTS: 20000 |
| 1029 | |
| 1030 | # Set the order of alerts bassed on actions |
| 1031 | # The default order is pass, drop, reject, alert |
| 1032 | action-order: |
| 1033 | - pass |
| 1034 | - drop |
| 1035 | - reject |
| 1036 | - alert |
| 1037 | |
| 1038 | # IP Reputation |
| 1039 | #reputation-categories-file: /etc/suricata/iprep/categories.txt |
| 1040 | #default-reputation-path: /etc/suricata/iprep |
| 1041 | #reputation-files: |
| 1042 | # - reputation.list |
| 1043 | |
| 1044 | # Host specific policies for defragmentation and TCP stream |
| 1045 | # reassembly. The host OS lookup is done using a radix tree, just |
| 1046 | # like a routing table so the most specific entry matches. |
| 1047 | host-os-policy: |
| 1048 | # Make the default policy windows. |
| 1049 | windows: [0.0.0.0/0] |
| 1050 | bsd: [] |
| 1051 | bsd-right: [] |
| 1052 | old-linux: [] |
| 1053 | linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] |
| 1054 | old-solaris: [] |
| 1055 | solaris: ["::1"] |
| 1056 | hpux10: [] |
| 1057 | hpux11: [] |
| 1058 | irix: [] |
| 1059 | macos: [] |
| 1060 | vista: [] |
| 1061 | windows2k3: [] |
| 1062 | |
| 1063 | |
| 1064 | # Limit for the maximum number of asn1 frames to decode (default 256) |
| 1065 | asn1-max-frames: 256 |
| 1066 | |
| 1067 | # When run with the option --engine-analysis, the engine will read each of |
| 1068 | # the parameters below, and print reports for each of the enabled sections |
| 1069 | # and exit. The reports are printed to a file in the default log dir |
| 1070 | # given by the parameter "default-log-dir", with engine reporting |
| 1071 | # subsection below printing reports in its own report file. |
| 1072 | engine-analysis: |
| 1073 | # enables printing reports for fast-pattern for every rule. |
| 1074 | rules-fast-pattern: yes |
| 1075 | # enables printing reports for each rule |
| 1076 | rules: yes |
| 1077 | |
| 1078 | #recursion and match limits for PCRE where supported |
| 1079 | pcre: |
| 1080 | match-limit: 3500 |
| 1081 | match-limit-recursion: 1500 |
| 1082 | |
| 1083 | # Holds details on the app-layer. The protocols section details each protocol. |
| 1084 | # Under each protocol, the default value for detection-enabled and " |
| 1085 | # parsed-enabled is yes, unless specified otherwise. |
| 1086 | # Each protocol covers enabling/disabling parsers for all ipprotos |
| 1087 | # the app-layer protocol runs on. For example "dcerpc" refers to the tcp |
| 1088 | # version of the protocol as well as the udp version of the protocol. |
| 1089 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". |
| 1090 | # "yes" enables both detection and the parser, "no" disables both, and |
| 1091 | # "detection-only" enables detection only(parser disabled). |
| 1092 | app-layer: |
| 1093 | protocols: |
| 1094 | tls: |
| 1095 | enabled: yes |
| 1096 | detection-ports: |
| 1097 | dp: 443 |
| 1098 | |
| 1099 | #no-reassemble: yes |
| 1100 | dcerpc: |
| 1101 | enabled: yes |
| 1102 | ftp: |
| 1103 | enabled: yes |
| 1104 | ssh: |
| 1105 | enabled: yes |
| 1106 | smtp: |
| 1107 | enabled: yes |
| 1108 | imap: |
| 1109 | enabled: detection-only |
| 1110 | msn: |
| 1111 | enabled: detection-only |
| 1112 | smb: |
| 1113 | enabled: yes |
| 1114 | detection-ports: |
| 1115 | dp: 139 |
| 1116 | # smb2 detection is disabled internally inside the engine. |
| 1117 | #smb2: |
| 1118 | # enabled: yes |
| 1119 | dns: |
| 1120 | # memcaps. Globally and per flow/state. |
| 1121 | #global-memcap: 16mb |
| 1122 | #state-memcap: 512kb |
| 1123 | |
| 1124 | # How many unreplied DNS requests are considered a flood. |
| 1125 | # If the limit is reached, app-layer-event:dns.flooded; will match. |
| 1126 | #request-flood: 500 |
| 1127 | |
| 1128 | tcp: |
| 1129 | enabled: yes |
| 1130 | detection-ports: |
| 1131 | dp: 53 |
| 1132 | udp: |
| 1133 | enabled: yes |
| 1134 | detection-ports: |
| 1135 | dp: 53 |
| 1136 | http: |
| 1137 | enabled: yes |
| 1138 | # memcap: 64mb |
| 1139 | |
| 1140 | ########################################################################### |
| 1141 | # Configure libhtp. |
| 1142 | # |
| 1143 | # |
| 1144 | # default-config: Used when no server-config matches |
| 1145 | # personality: List of personalities used by default |
| 1146 | # request-body-limit: Limit reassembly of request body for inspection |
| 1147 | # by http_client_body & pcre /P option. |
| 1148 | # response-body-limit: Limit reassembly of response body for inspection |
| 1149 | # by file_data, http_server_body & pcre /Q option. |
| 1150 | # double-decode-path: Double decode path section of the URI |
| 1151 | # double-decode-query: Double decode query section of the URI |
| 1152 | # |
| 1153 | # server-config: List of server configurations to use if address matches |
| 1154 | # address: List of ip addresses or networks for this block |
| 1155 | # personalitiy: List of personalities used by this block |
| 1156 | # request-body-limit: Limit reassembly of request body for inspection |
| 1157 | # by http_client_body & pcre /P option. |
| 1158 | # response-body-limit: Limit reassembly of response body for inspection |
| 1159 | # by file_data, http_server_body & pcre /Q option. |
| 1160 | # double-decode-path: Double decode path section of the URI |
| 1161 | # double-decode-query: Double decode query section of the URI |
| 1162 | # |
| 1163 | # uri-include-all: Include all parts of the URI. By default the |
| 1164 | # 'scheme', username/password, hostname and port |
| 1165 | # are excluded. Setting this option to true adds |
| 1166 | # all of them to the normalized uri as inspected |
| 1167 | # by http_uri, urilen, pcre with /U and the other |
| 1168 | # keywords that inspect the normalized uri. |
| 1169 | # Note that this does not affect http_raw_uri. |
| 1170 | # Also, note that including all was the default in |
| 1171 | # 1.4 and 2.0beta1. |
| 1172 | # |
| 1173 | # meta-field-limit: Hard size limit for request and response size |
| 1174 | # limits. Applies to request line and headers, |
| 1175 | # response line and headers. Does not apply to |
| 1176 | # request or response bodies. Default is 18k. |
| 1177 | # If this limit is reached an event is raised. |
| 1178 | # |
| 1179 | # Currently Available Personalities: |
| 1180 | # Minimal |
| 1181 | # Generic |
| 1182 | # IDS (default) |
| 1183 | # IIS_4_0 |
| 1184 | # IIS_5_0 |
| 1185 | # IIS_5_1 |
| 1186 | # IIS_6_0 |
| 1187 | # IIS_7_0 |
| 1188 | # IIS_7_5 |
| 1189 | # Apache_2 |
| 1190 | ########################################################################### |
| 1191 | libhtp: |
| 1192 | |
| 1193 | default-config: |
| 1194 | personality: IDS |
| 1195 | |
| 1196 | # Can be specified in kb, mb, gb. Just a number indicates |
| 1197 | # it's in bytes. |
| 1198 | request-body-limit: 3072 |
| 1199 | response-body-limit: 3072 |
| 1200 | |
| 1201 | # inspection limits |
| 1202 | request-body-minimal-inspect-size: 32kb |
| 1203 | request-body-inspect-window: 4kb |
| 1204 | response-body-minimal-inspect-size: 32kb |
| 1205 | response-body-inspect-window: 4kb |
| 1206 | # Take a random value for inspection sizes around the specified value. |
| 1207 | # This lower the risk of some evasion technics but could lead |
| 1208 | # detection change between runs. It is set to 'yes' by default. |
| 1209 | #randomize-inspection-sizes: yes |
| 1210 | # If randomize-inspection-sizes is active, the value of various |
| 1211 | # inspection size will be choosen in the [1 - range%, 1 + range%] |
| 1212 | # range |
| 1213 | # Default value of randomize-inspection-range is 10. |
| 1214 | #randomize-inspection-range: 10 |
| 1215 | |
| 1216 | # decoding |
| 1217 | double-decode-path: no |
| 1218 | double-decode-query: no |
| 1219 | |
| 1220 | server-config: |
| 1221 | |
| 1222 | #- apache: |
| 1223 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] |
| 1224 | # personality: Apache_2 |
| 1225 | # # Can be specified in kb, mb, gb. Just a number indicates |
| 1226 | # # it's in bytes. |
| 1227 | # request-body-limit: 4096 |
| 1228 | # response-body-limit: 4096 |
| 1229 | # double-decode-path: no |
| 1230 | # double-decode-query: no |
| 1231 | |
| 1232 | #- iis7: |
| 1233 | # address: |
| 1234 | # - 192.168.0.0/24 |
| 1235 | # - 192.168.10.0/24 |
| 1236 | # personality: IIS_7_0 |
| 1237 | # # Can be specified in kb, mb, gb. Just a number indicates |
| 1238 | # # it's in bytes. |
| 1239 | # request-body-limit: 4096 |
| 1240 | # response-body-limit: 4096 |
| 1241 | # double-decode-path: no |
| 1242 | # double-decode-query: no |
| 1243 | |
| 1244 | # Profiling settings. Only effective if Suricata has been built with the |
| 1245 | # the --enable-profiling configure flag. |
| 1246 | # |
| 1247 | profiling: |
| 1248 | # Run profiling for every xth packet. The default is 1, which means we |
| 1249 | # profile every packet. If set to 1000, one packet is profiled for every |
| 1250 | # 1000 received. |
| 1251 | #sample-rate: 1000 |
| 1252 | |
| 1253 | # rule profiling |
| 1254 | rules: |
| 1255 | |
| 1256 | # Profiling can be disabled here, but it will still have a |
| 1257 | # performance impact if compiled in. |
| 1258 | enabled: yes |
| 1259 | filename: rule_perf.log |
| 1260 | append: yes |
| 1261 | |
| 1262 | # Sort options: ticks, avgticks, checks, matches, maxticks |
| 1263 | sort: avgticks |
| 1264 | |
| 1265 | # Limit the number of items printed at exit. |
| 1266 | limit: 100 |
| 1267 | |
| 1268 | # per keyword profiling |
| 1269 | keywords: |
| 1270 | enabled: yes |
| 1271 | filename: keyword_perf.log |
| 1272 | append: yes |
| 1273 | |
| 1274 | # packet profiling |
| 1275 | packets: |
| 1276 | |
| 1277 | # Profiling can be disabled here, but it will still have a |
| 1278 | # performance impact if compiled in. |
| 1279 | enabled: yes |
| 1280 | filename: packet_stats.log |
| 1281 | append: yes |
| 1282 | |
| 1283 | # per packet csv output |
| 1284 | csv: |
| 1285 | |
| 1286 | # Output can be disabled here, but it will still have a |
| 1287 | # performance impact if compiled in. |
| 1288 | enabled: no |
| 1289 | filename: packet_stats.csv |
| 1290 | |
| 1291 | # profiling of locking. Only available when Suricata was built with |
| 1292 | # --enable-profiling-locks. |
| 1293 | locks: |
| 1294 | enabled: no |
| 1295 | filename: lock_stats.log |
| 1296 | append: yes |
| 1297 | |
| 1298 | # Suricata core dump configuration. Limits the size of the core dump file to |
| 1299 | # approximately max-dump. The actual core dump size will be a multiple of the |
| 1300 | # page size. Core dumps that would be larger than max-dump are truncated. On |
| 1301 | # Linux, the actual core dump size may be a few pages larger than max-dump. |
| 1302 | # Setting max-dump to 0 disables core dumping. |
| 1303 | # Setting max-dump to 'unlimited' will give the full core dump file. |
| 1304 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size |
| 1305 | # to be 'unlimited'. |
| 1306 | |
| 1307 | coredump: |
| 1308 | max-dump: unlimited |
| 1309 | |
| 1310 | napatech: |
| 1311 | # The Host Buffer Allowance for all streams |
| 1312 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) |
| 1313 | hba: -1 |
| 1314 | |
| 1315 | # use_all_streams set to "yes" will query the Napatech service for all configured |
| 1316 | # streams and listen on all of them. When set to "no" the streams config array |
| 1317 | # will be used. |
| 1318 | use-all-streams: yes |
| 1319 | |
| 1320 | # The streams to listen on |
| 1321 | streams: [1, 2, 3] |
| 1322 | |
| 1323 | # Includes. Files included here will be handled as if they were |
| 1324 | # inlined in this configuration file. |
| 1325 | #include: include1.yaml |
| 1326 | #include: include2.yaml |