blob: 8d06a27449a985b1063b43a5271930e9f60c1d84 [file] [log] [blame]
Andrew Geisslerf1e44062021-04-15 15:52:46 -05001%YAML 1.1
2---
3
4# Suricata configuration file. In addition to the comments describing all
5# options in this file, full documentation can be found at:
6# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7
8
9# Number of packets allowed to be processed simultaneously. Default is a
10# conservative 1024. A higher number will make sure CPU's/CPU cores will be
11# more easily kept busy, but may negatively impact caching.
12#
13# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
14# apply. In that case try something like 60000 or more. This is because the CUDA
15# pattern matcher buffers and scans as many packets as possible in parallel.
16#max-pending-packets: 1024
17
18# Runmode the engine should use. Please check --list-runmodes to get the available
19# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
20# load balancing).
21#runmode: autofp
22
23# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
24#
25# Supported schedulers are:
26#
27# round-robin - Flows assigned to threads in a round robin fashion.
28# active-packets - Flows assigned to threads that have the lowest number of
29# unprocessed packets (default).
30# hash - Flow alloted usihng the address hash. More of a random
31# technique. Was the default in Suricata 1.2.1 and older.
32#
33#autofp-scheduler: active-packets
34
35# If suricata box is a router for the sniffed networks, set it to 'router'. If
36# it is a pure sniffing setup, set it to 'sniffer-only'.
37# If set to auto, the variable is internally switch to 'router' in IPS mode
38# and 'sniffer-only' in IDS mode.
39# This feature is currently only used by the reject* keywords.
40host-mode: auto
41
42# Run suricata as user and group.
43#run-as:
44# user: suri
45# group: suri
46
47# Default pid file.
48# Will use this file if no --pidfile in command options.
49#pid-file: /var/run/suricata.pid
50
51# Daemon working directory
52# Suricata will change directory to this one if provided
53# Default: "/"
54#daemon-directory: "/"
55
56# Preallocated size for packet. Default is 1514 which is the classical
57# size for pcap on ethernet. You should adjust this value to the highest
58# packet size (MTU + hardware header) on your system.
59#default-packet-size: 1514
60
61# The default logging directory. Any log or output file will be
62# placed here if its not specified with a full path name. This can be
63# overridden with the -l command line parameter.
64default-log-dir: /var/log/suricata/
65
66# Unix command socket can be used to pass commands to suricata.
67# An external tool can then connect to get information from suricata
68# or trigger some modifications of the engine. Set enabled to yes
69# to activate the feature. You can use the filename variable to set
70# the file name of the socket.
71unix-command:
72 enabled: no
73 #filename: custom.socket
74
75# Configure the type of alert (and other) logging you would like.
76outputs:
77
78 # a line based alerts log similar to Snort's fast.log
79 - fast:
80 enabled: yes
81 filename: fast.log
82 append: yes
83 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
84
85 # Extensible Event Format (nicknamed EVE) event log in JSON format
86 - eve-log:
87 enabled: yes
88 type: file #file|syslog|unix_dgram|unix_stream
89 filename: eve.json
90 # the following are valid when type: syslog above
91 #identity: "suricata"
92 #facility: local5
93 #level: Info ## possible levels: Emergency, Alert, Critical,
94 ## Error, Warning, Notice, Info, Debug
95 types:
96 - alert
97 - http:
98 extended: yes # enable this for extended logging information
99 # custom allows additional http fields to be included in eve-log
100 # the example below adds three additional fields when uncommented
101 #custom: [Accept-Encoding, Accept-Language, Authorization]
102 - dns
103 - tls:
104 extended: yes # enable this for extended logging information
105 - files:
106 force-magic: no # force logging magic on all logged files
107 force-md5: no # force logging of md5 checksums
108 #- drop
109 - ssh
110
111 # alert output for use with Barnyard2
112 - unified2-alert:
113 enabled: yes
114 filename: unified2.alert
115
116 # File size limit. Can be specified in kb, mb, gb. Just a number
117 # is parsed as bytes.
118 #limit: 32mb
119
120 # Sensor ID field of unified2 alerts.
121 #sensor-id: 0
122
123 # HTTP X-Forwarded-For support by adding the unified2 extra header that
124 # will contain the actual client IP address or by overwriting the source
125 # IP address (helpful when inspecting traffic that is being reversed
126 # proxied).
127 xff:
128 enabled: no
129 # Two operation modes are available, "extra-data" and "overwrite". Note
130 # that in the "overwrite" mode, if the reported IP address in the HTTP
131 # X-Forwarded-For header is of a different version of the packet
132 # received, it will fall-back to "extra-data" mode.
133 mode: extra-data
134 # Header name were the actual IP address will be reported, if more than
135 # one IP address is present, the last IP address will be the one taken
136 # into consideration.
137 header: X-Forwarded-For
138
139 # a line based log of HTTP requests (no alerts)
140 - http-log:
141 enabled: yes
142 filename: http.log
143 append: yes
144 #extended: yes # enable this for extended logging information
145 #custom: yes # enabled the custom logging format (defined by customformat)
146 #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
147 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
148
149 # a line based log of TLS handshake parameters (no alerts)
150 - tls-log:
151 enabled: no # Log TLS connections.
152 filename: tls.log # File to store TLS logs.
153 append: yes
154 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
155 #extended: yes # Log extended information like fingerprint
156 certs-log-dir: certs # directory to store the certificates files
157
158 # a line based log of DNS requests and/or replies (no alerts)
159 - dns-log:
160 enabled: no
161 filename: dns.log
162 append: yes
163 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
164
165 # a line based log to used with pcap file study.
166 # this module is dedicated to offline pcap parsing (empty output
167 # if used with another kind of input). It can interoperate with
168 # pcap parser like wireshark via the suriwire plugin.
169 - pcap-info:
170 enabled: no
171
172 # Packet log... log packets in pcap format. 2 modes of operation: "normal"
173 # and "sguil".
174 #
175 # In normal mode a pcap file "filename" is created in the default-log-dir,
176 # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
177 # In this base dir the pcaps are created in th directory structure Sguil expects:
178 #
179 # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
180 #
181 # By default all packets are logged except:
182 # - TCP streams beyond stream.reassembly.depth
183 # - encrypted streams after the key exchange
184 #
185 - pcap-log:
186 enabled: no
187 filename: log.pcap
188
189 # File size limit. Can be specified in kb, mb, gb. Just a number
190 # is parsed as bytes.
191 limit: 1000mb
192
193 # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
194 max-files: 2000
195
196 mode: normal # normal or sguil.
197 #sguil-base-dir: /nsm_data/
198 #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
199 use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
200
201 # a full alerts log containing much information for signature writers
202 # or for investigating suspected false positives.
203 - alert-debug:
204 enabled: no
205 filename: alert-debug.log
206 append: yes
207 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
208
209 # alert output to prelude (http://www.prelude-technologies.com/) only
210 # available if Suricata has been compiled with --enable-prelude
211 - alert-prelude:
212 enabled: no
213 profile: suricata
214 log-packet-content: no
215 log-packet-header: yes
216
217 # Stats.log contains data from various counters of the suricata engine.
218 # The interval field (in seconds) tells after how long output will be written
219 # on the log file.
220 - stats:
221 enabled: yes
222 filename: stats.log
223 interval: 8
224
225 # a line based alerts log similar to fast.log into syslog
226 - syslog:
227 enabled: no
228 # reported identity to syslog. If ommited the program name (usually
229 # suricata) will be used.
230 #identity: "suricata"
231 facility: local5
232 #level: Info ## possible levels: Emergency, Alert, Critical,
233 ## Error, Warning, Notice, Info, Debug
234
235 # a line based information for dropped packets in IPS mode
236 - drop:
237 enabled: no
238 filename: drop.log
239 append: yes
240 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
241
242 # output module to store extracted files to disk
243 #
244 # The files are stored to the log-dir in a format "file.<id>" where <id> is
245 # an incrementing number starting at 1. For each file "file.<id>" a meta
246 # file "file.<id>.meta" is created.
247 #
248 # File extraction depends on a lot of things to be fully done:
249 # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
250 # - http request / response body sizes. Again set to 0 for optimal results.
251 # - rules that contain the "filestore" keyword.
252 - file-store:
253 enabled: no # set to yes to enable
254 log-dir: files # directory to store the files
255 force-magic: no # force logging magic on all stored files
256 force-md5: no # force logging of md5 checksums
257 #waldo: file.waldo # waldo file to store the file_id across runs
258
259 # output module to log files tracked in a easily parsable json format
260 - file-log:
261 enabled: no
262 filename: files-json.log
263 append: yes
264 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
265
266 force-magic: no # force logging magic on all logged files
267 force-md5: no # force logging of md5 checksums
268
269# Magic file. The extension .mgc is added to the value here.
270#magic-file: /usr/share/file/magic
271magic-file: /usr/share/misc/magic.mgc
272
273# When running in NFQ inline mode, it is possible to use a simulated
274# non-terminal NFQUEUE verdict.
275# This permit to do send all needed packet to suricata via this a rule:
276# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
277# And below, you can have your standard filtering ruleset. To activate
278# this mode, you need to set mode to 'repeat'
279# If you want packet to be sent to another queue after an ACCEPT decision
280# set mode to 'route' and set next-queue value.
281# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
282# by processing several packets before sending a verdict (worker runmode only).
283# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
284# accept the packet if suricata is not able to keep pace.
285nfq:
286# mode: accept
287# repeat-mark: 1
288# repeat-mask: 1
289# route-queue: 2
290# batchcount: 20
291# fail-open: yes
292
293#nflog support
294nflog:
295 # netlink multicast group
296 # (the same as the iptables --nflog-group param)
297 # Group 0 is used by the kernel, so you can't use it
298 - group: 2
299 # netlink buffer size
300 buffer-size: 18432
301 # put default value here
302 - group: default
303 # set number of packet to queue inside kernel
304 qthreshold: 1
305 # set the delay before flushing packet in the queue inside kernel
306 qtimeout: 100
307 # netlink max buffer size
308 max-size: 20000
309
310# af-packet support
311# Set threads to > 1 to use PACKET_FANOUT support
312af-packet:
313 - interface: eth0
314 # Number of receive threads (>1 will enable experimental flow pinned
315 # runmode)
316 threads: 1
317 # Default clusterid. AF_PACKET will load balance packets based on flow.
318 # All threads/processes that will participate need to have the same
319 # clusterid.
320 cluster-id: 99
321 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
322 # This is only supported for Linux kernel > 3.1
323 # possible value are:
324 # * cluster_round_robin: round robin load balancing
325 # * cluster_flow: all packets of a given flow are send to the same socket
326 # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
327 cluster-type: cluster_flow
328 # In some fragmentation case, the hash can not be computed. If "defrag" is set
329 # to yes, the kernel will do the needed defragmentation before sending the packets.
330 defrag: yes
331 # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
332 use-mmap: yes
333 # Ring size will be computed with respect to max_pending_packets and number
334 # of threads. You can set manually the ring size in number of packets by setting
335 # the following value. If you are using flow cluster-type and have really network
336 # intensive single-flow you could want to set the ring-size independantly of the number
337 # of threads:
338 #ring-size: 2048
339 # On busy system, this could help to set it to yes to recover from a packet drop
340 # phase. This will result in some packets (at max a ring flush) being non treated.
341 #use-emergency-flush: yes
342 # recv buffer size, increase value could improve performance
343 # buffer-size: 32768
344 # Set to yes to disable promiscuous mode
345 # disable-promisc: no
346 # Choose checksum verification mode for the interface. At the moment
347 # of the capture, some packets may be with an invalid checksum due to
348 # offloading to the network card of the checksum computation.
349 # Possible values are:
350 # - kernel: use indication sent by kernel for each packet (default)
351 # - yes: checksum validation is forced
352 # - no: checksum validation is disabled
353 # - auto: suricata uses a statistical approach to detect when
354 # checksum off-loading is used.
355 # Warning: 'checksum-validation' must be set to yes to have any validation
356 #checksum-checks: kernel
357 # BPF filter to apply to this interface. The pcap filter syntax apply here.
358 #bpf-filter: port 80 or udp
359 # You can use the following variables to activate AF_PACKET tap od IPS mode.
360 # If copy-mode is set to ips or tap, the traffic coming to the current
361 # interface will be copied to the copy-iface interface. If 'tap' is set, the
362 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
363 # will not be copied.
364 #copy-mode: ips
365 #copy-iface: eth1
366 - interface: eth1
367 threads: 1
368 cluster-id: 98
369 cluster-type: cluster_flow
370 defrag: yes
371 # buffer-size: 32768
372 # disable-promisc: no
373 # Put default values here
374 - interface: default
375 #threads: 2
376 #use-mmap: yes
377
378legacy:
379 uricontent: enabled
380
381# You can specify a threshold config file by setting "threshold-file"
382# to the path of the threshold config file:
383# threshold-file: /etc/suricata/threshold.config
384
385# The detection engine builds internal groups of signatures. The engine
386# allow us to specify the profile to use for them, to manage memory on an
387# efficient way keeping a good performance. For the profile keyword you
388# can use the words "low", "medium", "high" or "custom". If you use custom
389# make sure to define the values at "- custom-values" as your convenience.
390# Usually you would prefer medium/high/low.
391#
392# "sgh mpm-context", indicates how the staging should allot mpm contexts for
393# the signature groups. "single" indicates the use of a single context for
394# all the signature group heads. "full" indicates a mpm-context for each
395# group head. "auto" lets the engine decide the distribution of contexts
396# based on the information the engine gathers on the patterns from each
397# group head.
398#
399# The option inspection-recursion-limit is used to limit the recursive calls
400# in the content inspection code. For certain payload-sig combinations, we
401# might end up taking too much time in the content inspection code.
402# If the argument specified is 0, the engine uses an internally defined
403# default limit. On not specifying a value, we use no limits on the recursion.
404detect-engine:
405 - profile: medium
406 - custom-values:
407 toclient-src-groups: 2
408 toclient-dst-groups: 2
409 toclient-sp-groups: 2
410 toclient-dp-groups: 3
411 toserver-src-groups: 2
412 toserver-dst-groups: 4
413 toserver-sp-groups: 2
414 toserver-dp-groups: 25
415 - sgh-mpm-context: auto
416 - inspection-recursion-limit: 3000
417 # When rule-reload is enabled, sending a USR2 signal to the Suricata process
418 # will trigger a live rule reload. Experimental feature, use with care.
419 #- rule-reload: true
420 # If set to yes, the loading of signatures will be made after the capture
421 # is started. This will limit the downtime in IPS mode.
422 #- delayed-detect: yes
423
424# Suricata is multi-threaded. Here the threading can be influenced.
425threading:
426 # On some cpu's/architectures it is beneficial to tie individual threads
427 # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
428 # and each extra CPU/core has one "detect" thread.
429 #
430 # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
431 #
432 set-cpu-affinity: no
433 # Tune cpu affinity of suricata threads. Each family of threads can be bound
434 # on specific CPUs.
435 cpu-affinity:
436 - management-cpu-set:
437 cpu: [ 0 ] # include only these cpus in affinity settings
438 - receive-cpu-set:
439 cpu: [ 0 ] # include only these cpus in affinity settings
440 - decode-cpu-set:
441 cpu: [ 0, 1 ]
442 mode: "balanced"
443 - stream-cpu-set:
444 cpu: [ "0-1" ]
445 - detect-cpu-set:
446 cpu: [ "all" ]
447 mode: "exclusive" # run detect threads in these cpus
448 # Use explicitely 3 threads and don't compute number by using
449 # detect-thread-ratio variable:
450 # threads: 3
451 prio:
452 low: [ 0 ]
453 medium: [ "1-2" ]
454 high: [ 3 ]
455 default: "medium"
456 - verdict-cpu-set:
457 cpu: [ 0 ]
458 prio:
459 default: "high"
460 - reject-cpu-set:
461 cpu: [ 0 ]
462 prio:
463 default: "low"
464 - output-cpu-set:
465 cpu: [ "all" ]
466 prio:
467 default: "medium"
468 #
469 # By default Suricata creates one "detect" thread per available CPU/CPU core.
470 # This setting allows controlling this behaviour. A ratio setting of 2 will
471 # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
472 # will result in 4 detect threads. If values below 1 are used, less threads
473 # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
474 # thread being created. Regardless of the setting at a minimum 1 detect
475 # thread will always be created.
476 #
477 detect-thread-ratio: 1.5
478
479# Cuda configuration.
480cuda:
481 # The "mpm" profile. On not specifying any of these parameters, the engine's
482 # internal default values are used, which are same as the ones specified in
483 # in the default conf file.
484 mpm:
485 # The minimum length required to buffer data to the gpu.
486 # Anything below this is MPM'ed on the CPU.
487 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
488 # A value of 0 indicates there's no limit.
489 data-buffer-size-min-limit: 0
490 # The maximum length for data that we would buffer to the gpu.
491 # Anything over this is MPM'ed on the CPU.
492 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
493 data-buffer-size-max-limit: 1500
494 # The ring buffer size used by the CudaBuffer API to buffer data.
495 cudabuffer-buffer-size: 500mb
496 # The max chunk size that can be sent to the gpu in a single go.
497 gpu-transfer-size: 50mb
498 # The timeout limit for batching of packets in microseconds.
499 batching-timeout: 2000
500 # The device to use for the mpm. Currently we don't support load balancing
501 # on multiple gpus. In case you have multiple devices on your system, you
502 # can specify the device to use, using this conf. By default we hold 0, to
503 # specify the first device cuda sees. To find out device-id associated with
504 # the card(s) on the system run "suricata --list-cuda-cards".
505 device-id: 0
506 # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
507 # For this option you need a device with Compute Capability > 1.0.
508 cuda-streams: 2
509
510# Select the multi pattern algorithm you want to run for scan/search the
511# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
512# ac and ac-gfbs.
513#
514# The mpm you choose also decides the distribution of mpm contexts for
515# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
516# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
517# to be set to "single", because of ac's memory requirements, unless the
518# ruleset is small enough to fit in one's memory, in which case one can
519# use "full" with "ac". Rest of the mpms can be run in "full" mode.
520#
521# There is also a CUDA pattern matcher (only available if Suricata was
522# compiled with --enable-cuda: b2g_cuda. Make sure to update your
523# max-pending-packets setting above as well if you use b2g_cuda.
524
525mpm-algo: ac
526
527# The memory settings for hash size of these algorithms can vary from lowest
528# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
529# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
530# medium (1024) - high (2048).
531#
532# For B2g/B3g algorithms, there is a support for two different scan/search
533# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
534# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
535# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
536# B3gSearchBNDMq.
537#
538# For B2g the different scan/search algorithms and, hash and bloom
539# filter size settings. For B3g the different scan/search algorithms and, hash
540# and bloom filter size settings. For wumanber the hash and bloom filter size
541# settings.
542
543pattern-matcher:
544 - b2gc:
545 search-algo: B2gSearchBNDMq
546 hash-size: low
547 bf-size: medium
548 - b2gm:
549 search-algo: B2gSearchBNDMq
550 hash-size: low
551 bf-size: medium
552 - b2g:
553 search-algo: B2gSearchBNDMq
554 hash-size: low
555 bf-size: medium
556 - b3g:
557 search-algo: B3gSearchBNDMq
558 hash-size: low
559 bf-size: medium
560 - wumanber:
561 hash-size: low
562 bf-size: medium
563
564# Defrag settings:
565
566defrag:
567 memcap: 32mb
568 hash-size: 65536
569 trackers: 65535 # number of defragmented flows to follow
570 max-frags: 65535 # number of fragments to keep (higher than trackers)
571 prealloc: yes
572 timeout: 60
573
574# Enable defrag per host settings
575# host-config:
576#
577# - dmz:
578# timeout: 30
579# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
580#
581# - lan:
582# timeout: 45
583# address:
584# - 192.168.0.0/24
585# - 192.168.10.0/24
586# - 172.16.14.0/24
587
588# Flow settings:
589# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
590# for flow allocation inside the engine. You can change this value to allow
591# more memory usage for flows.
592# The hash-size determine the size of the hash used to identify flows inside
593# the engine, and by default the value is 65536.
594# At the startup, the engine can preallocate a number of flows, to get a better
595# performance. The number of flows preallocated is 10000 by default.
596# emergency-recovery is the percentage of flows that the engine need to
597# prune before unsetting the emergency state. The emergency state is activated
598# when the memcap limit is reached, allowing to create new flows, but
599# prunning them with the emergency timeouts (they are defined below).
600# If the memcap is reached, the engine will try to prune flows
601# with the default timeouts. If it doens't find a flow to prune, it will set
602# the emergency bit and it will try again with more agressive timeouts.
603# If that doesn't work, then it will try to kill the last time seen flows
604# not in use.
605# The memcap can be specified in kb, mb, gb. Just a number indicates it's
606# in bytes.
607
608flow:
609 memcap: 64mb
610 hash-size: 65536
611 prealloc: 10000
612 emergency-recovery: 30
613
614# This option controls the use of vlan ids in the flow (and defrag)
615# hashing. Normally this should be enabled, but in some (broken)
616# setups where both sides of a flow are not tagged with the same vlan
617# tag, we can ignore the vlan id's in the flow hashing.
618vlan:
619 use-for-tracking: true
620
621# Specific timeouts for flows. Here you can specify the timeouts that the
622# active flows will wait to transit from the current state to another, on each
623# protocol. The value of "new" determine the seconds to wait after a hanshake or
624# stream startup before the engine free the data of that flow it doesn't
625# change the state to established (usually if we don't receive more packets
626# of that flow). The value of "established" is the amount of
627# seconds that the engine will wait to free the flow if it spend that amount
628# without receiving new packets or closing the connection. "closed" is the
629# amount of time to wait after a flow is closed (usually zero).
630#
631# There's an emergency mode that will become active under attack circumstances,
632# making the engine to check flow status faster. This configuration variables
633# use the prefix "emergency-" and work similar as the normal ones.
634# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
635# icmp.
636
637flow-timeouts:
638
639 default:
640 new: 30
641 established: 300
642 closed: 0
643 emergency-new: 10
644 emergency-established: 100
645 emergency-closed: 0
646 tcp:
647 new: 60
648 established: 3600
649 closed: 120
650 emergency-new: 10
651 emergency-established: 300
652 emergency-closed: 20
653 udp:
654 new: 30
655 established: 300
656 emergency-new: 10
657 emergency-established: 100
658 icmp:
659 new: 30
660 established: 300
661 emergency-new: 10
662 emergency-established: 100
663
664# Stream engine settings. Here the TCP stream tracking and reassembly
665# engine is configured.
666#
667# stream:
668# memcap: 32mb # Can be specified in kb, mb, gb. Just a
669# # number indicates it's in bytes.
670# checksum-validation: yes # To validate the checksum of received
671# # packet. If csum validation is specified as
672# # "yes", then packet with invalid csum will not
673# # be processed by the engine stream/app layer.
674# # Warning: locally generated trafic can be
675# # generated without checksum due to hardware offload
676# # of checksum. You can control the handling of checksum
677# # on a per-interface basis via the 'checksum-checks'
678# # option
679# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
680# midstream: false # don't allow midstream session pickups
681# async-oneside: false # don't enable async stream handling
682# inline: no # stream inline mode
683# max-synack-queued: 5 # Max different SYN/ACKs to queue
684#
685# reassembly:
686# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
687# # indicates it's in bytes.
688# depth: 1mb # Can be specified in kb, mb, gb. Just a number
689# # indicates it's in bytes.
690# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
691# # this size. Can be specified in kb, mb,
692# # gb. Just a number indicates it's in bytes.
693# # The max acceptable size is 4024 bytes.
694# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
695# # this size. Can be specified in kb, mb,
696# # gb. Just a number indicates it's in bytes.
697# # The max acceptable size is 4024 bytes.
698# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
699# # This lower the risk of some evasion technics but could lead
700# # detection change between runs. It is set to 'yes' by default.
701# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
702# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
703# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
704# # of randomize-chunk-range is 10.
705#
706# raw: yes # 'Raw' reassembly enabled or disabled.
707# # raw is for content inspection by detection
708# # engine.
709#
710# chunk-prealloc: 250 # Number of preallocated stream chunks. These
711# # are used during stream inspection (raw).
712# segments: # Settings for reassembly segment pool.
713# - size: 4 # Size of the (data)segment for a pool
714# prealloc: 256 # Number of segments to prealloc and keep
715# # in the pool.
716#
717stream:
718 memcap: 32mb
719 checksum-validation: yes # reject wrong csums
720 inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
721 reassembly:
722 memcap: 128mb
723 depth: 1mb # reassemble 1mb into a stream
724 toserver-chunk-size: 2560
725 toclient-chunk-size: 2560
726 randomize-chunk-size: yes
727 #randomize-chunk-range: 10
728 #raw: yes
729 #chunk-prealloc: 250
730 #segments:
731 # - size: 4
732 # prealloc: 256
733 # - size: 16
734 # prealloc: 512
735 # - size: 112
736 # prealloc: 512
737 # - size: 248
738 # prealloc: 512
739 # - size: 512
740 # prealloc: 512
741 # - size: 768
742 # prealloc: 1024
743 # - size: 1448
744 # prealloc: 1024
745 # - size: 65535
746 # prealloc: 128
747
748# Host table:
749#
750# Host table is used by tagging and per host thresholding subsystems.
751#
752host:
753 hash-size: 4096
754 prealloc: 1000
755 memcap: 16777216
756
757# Logging configuration. This is not about logging IDS alerts, but
758# IDS output about what its doing, errors, etc.
759logging:
760
761 # The default log level, can be overridden in an output section.
762 # Note that debug level logging will only be emitted if Suricata was
763 # compiled with the --enable-debug configure option.
764 #
765 # This value is overriden by the SC_LOG_LEVEL env var.
766 default-log-level: notice
767
768 # The default output format. Optional parameter, should default to
769 # something reasonable if not provided. Can be overriden in an
770 # output section. You can leave this out to get the default.
771 #
772 # This value is overriden by the SC_LOG_FORMAT env var.
773 #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
774
775 # A regex to filter output. Can be overridden in an output section.
776 # Defaults to empty (no filter).
777 #
778 # This value is overriden by the SC_LOG_OP_FILTER env var.
779 default-output-filter:
780
781 # Define your logging outputs. If none are defined, or they are all
782 # disabled you will get the default - console output.
783 outputs:
784 - console:
785 enabled: yes
786 - file:
787 enabled: no
788 filename: /var/log/suricata.log
789 - syslog:
790 enabled: yes
791 facility: local5
792 format: "[%i] <%d> -- "
793
794# Tilera mpipe configuration. for use on Tilera TILE-Gx.
795mpipe:
796
797 # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
798 load-balance: dynamic
799
800 # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
801 iqueue-packets: 2048
802
803 # List of interfaces we will listen on.
804 inputs:
805 - interface: xgbe2
806 - interface: xgbe3
807 - interface: xgbe4
808
809
810 # Relative weight of memory for packets of each mPipe buffer size.
811 stack:
812 size128: 0
813 size256: 9
814 size512: 0
815 size1024: 0
816 size1664: 7
817 size4096: 0
818 size10386: 0
819 size16384: 0
820
821# PF_RING configuration. for use with native PF_RING support
822# for more info see http://www.ntop.org/PF_RING.html
823pfring:
824 - interface: eth0
825 # Number of receive threads (>1 will enable experimental flow pinned
826 # runmode)
827 threads: 1
828
829 # Default clusterid. PF_RING will load balance packets based on flow.
830 # All threads/processes that will participate need to have the same
831 # clusterid.
832 cluster-id: 99
833
834 # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
835 # This is only supported in versions of PF_RING > 4.1.1.
836 cluster-type: cluster_flow
837 # bpf filter for this interface
838 #bpf-filter: tcp
839 # Choose checksum verification mode for the interface. At the moment
840 # of the capture, some packets may be with an invalid checksum due to
841 # offloading to the network card of the checksum computation.
842 # Possible values are:
843 # - rxonly: only compute checksum for packets received by network card.
844 # - yes: checksum validation is forced
845 # - no: checksum validation is disabled
846 # - auto: suricata uses a statistical approach to detect when
847 # checksum off-loading is used. (default)
848 # Warning: 'checksum-validation' must be set to yes to have any validation
849 #checksum-checks: auto
850 # Second interface
851 #- interface: eth1
852 # threads: 3
853 # cluster-id: 93
854 # cluster-type: cluster_flow
855 # Put default values here
856 - interface: default
857 #threads: 2
858
859pcap:
860 - interface: eth0
861 # On Linux, pcap will try to use mmaped capture and will use buffer-size
862 # as total of memory used by the ring. So set this to something bigger
863 # than 1% of your bandwidth.
864 #buffer-size: 16777216
865 #bpf-filter: "tcp and port 25"
866 # Choose checksum verification mode for the interface. At the moment
867 # of the capture, some packets may be with an invalid checksum due to
868 # offloading to the network card of the checksum computation.
869 # Possible values are:
870 # - yes: checksum validation is forced
871 # - no: checksum validation is disabled
872 # - auto: suricata uses a statistical approach to detect when
873 # checksum off-loading is used. (default)
874 # Warning: 'checksum-validation' must be set to yes to have any validation
875 #checksum-checks: auto
876 # With some accelerator cards using a modified libpcap (like myricom), you
877 # may want to have the same number of capture threads as the number of capture
878 # rings. In this case, set up the threads variable to N to start N threads
879 # listening on the same interface.
880 #threads: 16
881 # set to no to disable promiscuous mode:
882 #promisc: no
883 # set snaplen, if not set it defaults to MTU if MTU can be known
884 # via ioctl call and to full capture if not.
885 #snaplen: 1518
886 # Put default values here
887 - interface: default
888 #checksum-checks: auto
889
890pcap-file:
891 # Possible values are:
892 # - yes: checksum validation is forced
893 # - no: checksum validation is disabled
894 # - auto: suricata uses a statistical approach to detect when
895 # checksum off-loading is used. (default)
896 # Warning: 'checksum-validation' must be set to yes to have checksum tested
897 checksum-checks: auto
898
899# For FreeBSD ipfw(8) divert(4) support.
900# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
901# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
902# Additionally, you need to have an ipfw rule for the engine to see
903# the packets from ipfw. For Example:
904#
905# ipfw add 100 divert 8000 ip from any to any
906#
907# The 8000 above should be the same number you passed on the command
908# line, i.e. -d 8000
909#
910ipfw:
911
912 # Reinject packets at the specified ipfw rule number. This config
913 # option is the ipfw rule number AT WHICH rule processing continues
914 # in the ipfw processing system after the engine has finished
915 # inspecting the packet for acceptance. If no rule number is specified,
916 # accepted packets are reinjected at the divert rule which they entered
917 # and IPFW rule processing continues. No check is done to verify
918 # this will rule makes sense so care must be taken to avoid loops in ipfw.
919 #
920 ## The following example tells the engine to reinject packets
921 # back into the ipfw firewall AT rule number 5500:
922 #
923 # ipfw-reinjection-rule-number: 5500
924
925# Set the default rule path here to search for the files.
926# if not set, it will look at the current working dir
927default-rule-path: /etc/suricata/rules
928rule-files:
929 - botcc.rules
930 - ciarmy.rules
931 - compromised.rules
932 - drop.rules
933 - dshield.rules
934 - emerging-activex.rules
935 - emerging-attack_response.rules
936 - emerging-chat.rules
937 - emerging-current_events.rules
938 - emerging-dns.rules
939 - emerging-dos.rules
940 - emerging-exploit.rules
941 - emerging-ftp.rules
942 - emerging-games.rules
943 - emerging-icmp_info.rules
944# - emerging-icmp.rules
945 - emerging-imap.rules
946 - emerging-inappropriate.rules
947 - emerging-malware.rules
948 - emerging-misc.rules
949 - emerging-mobile_malware.rules
950 - emerging-netbios.rules
951 - emerging-p2p.rules
952 - emerging-policy.rules
953 - emerging-pop3.rules
954 - emerging-rpc.rules
955 - emerging-scada.rules
956 - emerging-scan.rules
957 - emerging-shellcode.rules
958 - emerging-smtp.rules
959 - emerging-snmp.rules
960 - emerging-sql.rules
961 - emerging-telnet.rules
962 - emerging-tftp.rules
963 - emerging-trojan.rules
964 - emerging-user_agents.rules
965 - emerging-voip.rules
966 - emerging-web_client.rules
967 - emerging-web_server.rules
968 - emerging-web_specific_apps.rules
969 - emerging-worm.rules
970 - tor.rules
971 - decoder-events.rules # available in suricata sources under rules dir
972 - stream-events.rules # available in suricata sources under rules dir
973 - http-events.rules # available in suricata sources under rules dir
974 - smtp-events.rules # available in suricata sources under rules dir
975 - dns-events.rules # available in suricata sources under rules dir
976 - tls-events.rules # available in suricata sources under rules dir
977
978classification-file: /etc/suricata/classification.config
979reference-config-file: /etc/suricata/reference.config
980
981# Holds variables that would be used by the engine.
982vars:
983
984 # Holds the address group vars that would be passed in a Signature.
985 # These would be retrieved during the Signature address parsing stage.
986 address-groups:
987
988 HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
989
990 EXTERNAL_NET: "!$HOME_NET"
991
992 HTTP_SERVERS: "$HOME_NET"
993
994 SMTP_SERVERS: "$HOME_NET"
995
996 SQL_SERVERS: "$HOME_NET"
997
998 DNS_SERVERS: "$HOME_NET"
999
1000 TELNET_SERVERS: "$HOME_NET"
1001
1002 AIM_SERVERS: "$EXTERNAL_NET"
1003
1004 DNP3_SERVER: "$HOME_NET"
1005
1006 DNP3_CLIENT: "$HOME_NET"
1007
1008 MODBUS_CLIENT: "$HOME_NET"
1009
1010 MODBUS_SERVER: "$HOME_NET"
1011
1012 ENIP_CLIENT: "$HOME_NET"
1013
1014 ENIP_SERVER: "$HOME_NET"
1015
1016 # Holds the port group vars that would be passed in a Signature.
1017 # These would be retrieved during the Signature port parsing stage.
1018 port-groups:
1019
1020 HTTP_PORTS: "80"
1021
1022 SHELLCODE_PORTS: "!80"
1023
1024 ORACLE_PORTS: 1521
1025
1026 SSH_PORTS: 22
1027
1028 DNP3_PORTS: 20000
1029
1030# Set the order of alerts bassed on actions
1031# The default order is pass, drop, reject, alert
1032action-order:
1033 - pass
1034 - drop
1035 - reject
1036 - alert
1037
1038# IP Reputation
1039#reputation-categories-file: /etc/suricata/iprep/categories.txt
1040#default-reputation-path: /etc/suricata/iprep
1041#reputation-files:
1042# - reputation.list
1043
1044# Host specific policies for defragmentation and TCP stream
1045# reassembly. The host OS lookup is done using a radix tree, just
1046# like a routing table so the most specific entry matches.
1047host-os-policy:
1048 # Make the default policy windows.
1049 windows: [0.0.0.0/0]
1050 bsd: []
1051 bsd-right: []
1052 old-linux: []
1053 linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
1054 old-solaris: []
1055 solaris: ["::1"]
1056 hpux10: []
1057 hpux11: []
1058 irix: []
1059 macos: []
1060 vista: []
1061 windows2k3: []
1062
1063
1064# Limit for the maximum number of asn1 frames to decode (default 256)
1065asn1-max-frames: 256
1066
1067# When run with the option --engine-analysis, the engine will read each of
1068# the parameters below, and print reports for each of the enabled sections
1069# and exit. The reports are printed to a file in the default log dir
1070# given by the parameter "default-log-dir", with engine reporting
1071# subsection below printing reports in its own report file.
1072engine-analysis:
1073 # enables printing reports for fast-pattern for every rule.
1074 rules-fast-pattern: yes
1075 # enables printing reports for each rule
1076 rules: yes
1077
1078#recursion and match limits for PCRE where supported
1079pcre:
1080 match-limit: 3500
1081 match-limit-recursion: 1500
1082
1083# Holds details on the app-layer. The protocols section details each protocol.
1084# Under each protocol, the default value for detection-enabled and "
1085# parsed-enabled is yes, unless specified otherwise.
1086# Each protocol covers enabling/disabling parsers for all ipprotos
1087# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
1088# version of the protocol as well as the udp version of the protocol.
1089# The option "enabled" takes 3 values - "yes", "no", "detection-only".
1090# "yes" enables both detection and the parser, "no" disables both, and
1091# "detection-only" enables detection only(parser disabled).
1092app-layer:
1093 protocols:
1094 tls:
1095 enabled: yes
1096 detection-ports:
1097 dp: 443
1098
1099 #no-reassemble: yes
1100 dcerpc:
1101 enabled: yes
1102 ftp:
1103 enabled: yes
1104 ssh:
1105 enabled: yes
1106 smtp:
1107 enabled: yes
1108 imap:
1109 enabled: detection-only
1110 msn:
1111 enabled: detection-only
1112 smb:
1113 enabled: yes
1114 detection-ports:
1115 dp: 139
1116 # smb2 detection is disabled internally inside the engine.
1117 #smb2:
1118 # enabled: yes
1119 dns:
1120 # memcaps. Globally and per flow/state.
1121 #global-memcap: 16mb
1122 #state-memcap: 512kb
1123
1124 # How many unreplied DNS requests are considered a flood.
1125 # If the limit is reached, app-layer-event:dns.flooded; will match.
1126 #request-flood: 500
1127
1128 tcp:
1129 enabled: yes
1130 detection-ports:
1131 dp: 53
1132 udp:
1133 enabled: yes
1134 detection-ports:
1135 dp: 53
1136 http:
1137 enabled: yes
1138 # memcap: 64mb
1139
1140 ###########################################################################
1141 # Configure libhtp.
1142 #
1143 #
1144 # default-config: Used when no server-config matches
1145 # personality: List of personalities used by default
1146 # request-body-limit: Limit reassembly of request body for inspection
1147 # by http_client_body & pcre /P option.
1148 # response-body-limit: Limit reassembly of response body for inspection
1149 # by file_data, http_server_body & pcre /Q option.
1150 # double-decode-path: Double decode path section of the URI
1151 # double-decode-query: Double decode query section of the URI
1152 #
1153 # server-config: List of server configurations to use if address matches
1154 # address: List of ip addresses or networks for this block
1155 # personalitiy: List of personalities used by this block
1156 # request-body-limit: Limit reassembly of request body for inspection
1157 # by http_client_body & pcre /P option.
1158 # response-body-limit: Limit reassembly of response body for inspection
1159 # by file_data, http_server_body & pcre /Q option.
1160 # double-decode-path: Double decode path section of the URI
1161 # double-decode-query: Double decode query section of the URI
1162 #
1163 # uri-include-all: Include all parts of the URI. By default the
1164 # 'scheme', username/password, hostname and port
1165 # are excluded. Setting this option to true adds
1166 # all of them to the normalized uri as inspected
1167 # by http_uri, urilen, pcre with /U and the other
1168 # keywords that inspect the normalized uri.
1169 # Note that this does not affect http_raw_uri.
1170 # Also, note that including all was the default in
1171 # 1.4 and 2.0beta1.
1172 #
1173 # meta-field-limit: Hard size limit for request and response size
1174 # limits. Applies to request line and headers,
1175 # response line and headers. Does not apply to
1176 # request or response bodies. Default is 18k.
1177 # If this limit is reached an event is raised.
1178 #
1179 # Currently Available Personalities:
1180 # Minimal
1181 # Generic
1182 # IDS (default)
1183 # IIS_4_0
1184 # IIS_5_0
1185 # IIS_5_1
1186 # IIS_6_0
1187 # IIS_7_0
1188 # IIS_7_5
1189 # Apache_2
1190 ###########################################################################
1191 libhtp:
1192
1193 default-config:
1194 personality: IDS
1195
1196 # Can be specified in kb, mb, gb. Just a number indicates
1197 # it's in bytes.
1198 request-body-limit: 3072
1199 response-body-limit: 3072
1200
1201 # inspection limits
1202 request-body-minimal-inspect-size: 32kb
1203 request-body-inspect-window: 4kb
1204 response-body-minimal-inspect-size: 32kb
1205 response-body-inspect-window: 4kb
1206 # Take a random value for inspection sizes around the specified value.
1207 # This lower the risk of some evasion technics but could lead
1208 # detection change between runs. It is set to 'yes' by default.
1209 #randomize-inspection-sizes: yes
1210 # If randomize-inspection-sizes is active, the value of various
1211 # inspection size will be choosen in the [1 - range%, 1 + range%]
1212 # range
1213 # Default value of randomize-inspection-range is 10.
1214 #randomize-inspection-range: 10
1215
1216 # decoding
1217 double-decode-path: no
1218 double-decode-query: no
1219
1220 server-config:
1221
1222 #- apache:
1223 # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
1224 # personality: Apache_2
1225 # # Can be specified in kb, mb, gb. Just a number indicates
1226 # # it's in bytes.
1227 # request-body-limit: 4096
1228 # response-body-limit: 4096
1229 # double-decode-path: no
1230 # double-decode-query: no
1231
1232 #- iis7:
1233 # address:
1234 # - 192.168.0.0/24
1235 # - 192.168.10.0/24
1236 # personality: IIS_7_0
1237 # # Can be specified in kb, mb, gb. Just a number indicates
1238 # # it's in bytes.
1239 # request-body-limit: 4096
1240 # response-body-limit: 4096
1241 # double-decode-path: no
1242 # double-decode-query: no
1243
1244# Profiling settings. Only effective if Suricata has been built with the
1245# the --enable-profiling configure flag.
1246#
1247profiling:
1248 # Run profiling for every xth packet. The default is 1, which means we
1249 # profile every packet. If set to 1000, one packet is profiled for every
1250 # 1000 received.
1251 #sample-rate: 1000
1252
1253 # rule profiling
1254 rules:
1255
1256 # Profiling can be disabled here, but it will still have a
1257 # performance impact if compiled in.
1258 enabled: yes
1259 filename: rule_perf.log
1260 append: yes
1261
1262 # Sort options: ticks, avgticks, checks, matches, maxticks
1263 sort: avgticks
1264
1265 # Limit the number of items printed at exit.
1266 limit: 100
1267
1268 # per keyword profiling
1269 keywords:
1270 enabled: yes
1271 filename: keyword_perf.log
1272 append: yes
1273
1274 # packet profiling
1275 packets:
1276
1277 # Profiling can be disabled here, but it will still have a
1278 # performance impact if compiled in.
1279 enabled: yes
1280 filename: packet_stats.log
1281 append: yes
1282
1283 # per packet csv output
1284 csv:
1285
1286 # Output can be disabled here, but it will still have a
1287 # performance impact if compiled in.
1288 enabled: no
1289 filename: packet_stats.csv
1290
1291 # profiling of locking. Only available when Suricata was built with
1292 # --enable-profiling-locks.
1293 locks:
1294 enabled: no
1295 filename: lock_stats.log
1296 append: yes
1297
1298# Suricata core dump configuration. Limits the size of the core dump file to
1299# approximately max-dump. The actual core dump size will be a multiple of the
1300# page size. Core dumps that would be larger than max-dump are truncated. On
1301# Linux, the actual core dump size may be a few pages larger than max-dump.
1302# Setting max-dump to 0 disables core dumping.
1303# Setting max-dump to 'unlimited' will give the full core dump file.
1304# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1305# to be 'unlimited'.
1306
1307coredump:
1308 max-dump: unlimited
1309
1310napatech:
1311 # The Host Buffer Allowance for all streams
1312 # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1313 hba: -1
1314
1315 # use_all_streams set to "yes" will query the Napatech service for all configured
1316 # streams and listen on all of them. When set to "no" the streams config array
1317 # will be used.
1318 use-all-streams: yes
1319
1320 # The streams to listen on
1321 streams: [1, 2, 3]
1322
1323# Includes. Files included here will be handled as if they were
1324# inlined in this configuration file.
1325#include: include1.yaml
1326#include: include2.yaml