· 7 years ago · Nov 19, 2018, 06:04 PM
1%YAML 1.1
2---
3
4# Suricata configuration file. In addition to the comments describing all
5# options in this file, full documentation can be found at:
6# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7
8##
9## Step 1: inform Suricata about your network
10##
11
12vars:
13 # more specifc is better for alert accuracy and performance
14 address-groups:
15 HOME_NET: "[10.1.0.0/16,208.67.220.220,208.67.222.222]"
16 #HOME_NET: "[192.168.0.0/16]"
17 #HOME_NET: "[10.0.0.0/8]"
18 #HOME_NET: "[172.16.0.0/12]"
19 #HOME_NET: "any"
20
21 EXTERNAL_NET: "!$HOME_NET"
22 #EXTERNAL_NET: "any"
23
24 HTTP_SERVERS: "$HOME_NET"
25 SMTP_SERVERS: "$HOME_NET"
26 SQL_SERVERS: "$HOME_NET"
27 DNS_SERVERS: "[10.1.14.250,10.0.10.10,10.253.0.11,10.0.6.158,10.0.6.160,208.67.220.220,208.67.222.222]"
28 TELNET_SERVERS: "$HOME_NET"
29 AIM_SERVERS: "$EXTERNAL_NET"
30 DNP3_SERVER: "$HOME_NET"
31 DNP3_CLIENT: "$HOME_NET"
32 MODBUS_CLIENT: "$HOME_NET"
33 MODBUS_SERVER: "$HOME_NET"
34 ENIP_CLIENT: "$HOME_NET"
35 ENIP_SERVER: "$HOME_NET"
36
37 port-groups:
38 HTTP_PORTS: "80"
39 SHELLCODE_PORTS: "!80"
40 ORACLE_PORTS: 1521
41 SSH_PORTS: 22
42 DNP3_PORTS: 20000
43 MODBUS_PORTS: 502
44 FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
45 FTP_PORTS: "21"
46
47##
48## Step 2: select the rules to enable or disable
49##
50
51default-rule-path: /usr/local/etc/suricata/rules
52rule-files:
53 - snort.rules
54 - et.rules
55 - feodo.rules
56 - sslipblacklist.rules
57 - sslblacklist.rules
58 - lists.rules
59 - zeus.rules
60
61classification-file: /usr/local/etc/suricata/classification.config
62reference-config-file: /usr/local/etc/suricata/reference.config
63# threshold-file: /usr/local/etc/suricata/threshold.config
64
65
66##
67## Step 3: select outputs to enable
68##
69
70# The default logging directory. Any log or output file will be
71# placed here if its not specified with a full path name. This can be
72# overridden with the -l command line parameter.
73default-log-dir: /var/log/suricata/
74
75# global stats configuration
76stats:
77 enabled: yes
78 # The interval field (in seconds) controls at what interval
79 # the loggers are invoked.
80 interval: 8
81
82# Configure the type of alert (and other) logging you would like.
83outputs:
84 # a line based alerts log similar to Snort's fast.log
85 - fast:
86 enabled: yes
87 filename: fast.log
88 append: yes
89 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
90
91 # Extensible Event Format (nicknamed EVE) event log in JSON format
92 - eve-log:
93 enabled: yes
94 filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
95 filename: eve.json
96 #prefix: "@cee: " # prefix to prepend to each log entry
97 # the following are valid when type: syslog above
98 #identity: "suricata"
99 #facility: local5
100 #level: Info ## possible levels: Emergency, Alert, Critical,
101 ## Error, Warning, Notice, Info, Debug
102 #redis:
103 # server: 127.0.0.1
104 # port: 6379
105 # mode: list ## possible values: list (default), channel
106 # key: suricata ## key or channel to use (default to suricata)
107 # Redis pipelining set up. This will enable to only do a query every
108 # 'batch-size' events. This should lower the latency induced by network
109 # connection at the cost of some memory. There is no flushing implemented
110 # so this setting as to be reserved to high traffic suricata.
111 # pipelining:
112 # enabled: yes ## set enable to yes to enable query pipelining
113 # batch-size: 10 ## number of entry to keep in buffer
114 types:
115 - alert:
116 # payload: yes # enable dumping payload in Base64
117 # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
118 # payload-printable: yes # enable dumping payload in printable (lossy) format
119 # packet: yes # enable dumping of packet (without stream segments)
120 http: yes # enable dumping of http fields
121 tls: yes # enable dumping of tls fields
122 ssh: yes # enable dumping of ssh fields
123 smtp: yes # enable dumping of smtp fields
124 dnp3: yes # enable dumping of DNP3 fields
125
126 # Enable the logging of tagged packets for rules using the
127 # "tag" keyword.
128 tagged-packets: yes
129
130 # HTTP X-Forwarded-For support by adding an extra field or overwriting
131 # the source or destination IP address (depending on flow direction)
132 # with the one reported in the X-Forwarded-For HTTP header. This is
133 # helpful when reviewing alerts for traffic that is being reverse
134 # or forward proxied.
135 xff:
136 enabled: no
137 # Two operation modes are available, "extra-data" and "overwrite".
138 mode: extra-data
139 # Two proxy deployments are supported, "reverse" and "forward". In
140 # a "reverse" deployment the IP address used is the last one, in a
141 # "forward" deployment the first IP address is used.
142 deployment: reverse
143 # Header name where the actual IP address will be reported, if more
144 # than one IP address is present, the last IP address will be the
145 # one taken into consideration.
146 header: X-Forwarded-For
147 - http:
148 extended: yes # enable this for extended logging information
149 # custom allows additional http fields to be included in eve-log
150 # the example below adds three additional fields when uncommented
151 #custom: [Accept-Encoding, Accept-Language, Authorization]
152 - dns:
153 # control logging of queries and answers
154 # default yes, no to disable
155 query: yes # enable logging of DNS queries
156 answer: yes # enable logging of DNS answers
157 # control which RR types are logged
158 # all enabled if custom not specified
159 #custom: [a, aaaa, cname, mx, ns, ptr, txt]
160 - tls:
161 extended: yes # enable this for extended logging information
162 - files:
163 force-magic: no # force logging magic on all logged files
164 # force logging of checksums, available hash functions are md5,
165 # sha1 and sha256
166 #force-hash: [md5]
167 #- drop:
168 # alerts: yes # log alerts that caused drops
169 # flows: all # start or all: 'start' logs only a single drop
170 # # per flow direction. All logs each dropped pkt.
171 - smtp:
172 #extended: yes # enable this for extended logging information
173 # this includes: bcc, message-id, subject, x_mailer, user-agent
174 # custom fields logging from the list:
175 # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
176 # x-originating-ip, in-reply-to, references, importance, priority,
177 # sensitivity, organization, content-md5, date
178 #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
179 # output md5 of fields: body, subject
180 # for the body you need to set app-layer.protocols.smtp.mime.body-md5
181 # to yes
182 #md5: [body, subject]
183
184 - ssh
185 - stats:
186 totals: yes # stats for all threads merged together
187 threads: no # per thread stats
188 deltas: no # include delta values
189 # bi-directional flows
190 - flow
191 # uni-directional flows
192 #- netflow
193 #- dnp3
194
195 # alert output for use with Barnyard2
196 - unified2-alert:
197 enabled: yes
198 filename: suricata.u2
199
200 # File size limit. Can be specified in kb, mb, gb. Just a number
201 # is parsed as bytes.
202 #limit: 32mb
203
204 # Sensor ID field of unified2 alerts.
205 #sensor-id: 0
206
207 # Include payload of packets related to alerts. Defaults to true, set to
208 # false if payload is not required.
209 #payload: yes
210
211 # HTTP X-Forwarded-For support by adding the unified2 extra header or
212 # overwriting the source or destination IP address (depending on flow
213 # direction) with the one reported in the X-Forwarded-For HTTP header.
214 # This is helpful when reviewing alerts for traffic that is being reverse
215 # or forward proxied.
216 xff:
217 enabled: no
218 # Two operation modes are available, "extra-data" and "overwrite". Note
219 # that in the "overwrite" mode, if the reported IP address in the HTTP
220 # X-Forwarded-For header is of a different version of the packet
221 # received, it will fall-back to "extra-data" mode.
222 mode: extra-data
223 # Two proxy deployments are supported, "reverse" and "forward". In
224 # a "reverse" deployment the IP address used is the last one, in a
225 # "forward" deployment the first IP address is used.
226 deployment: reverse
227 # Header name where the actual IP address will be reported, if more
228 # than one IP address is present, the last IP address will be the
229 # one taken into consideration.
230 header: X-Forwarded-For
231
232 # a line based log of HTTP requests (no alerts)
233 - http-log:
234 enabled: no
235 filename: http.log
236 append: yes
237 #extended: yes # enable this for extended logging information
238 #custom: yes # enabled the custom logging format (defined by customformat)
239 #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
240 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
241
242 # a line based log of TLS handshake parameters (no alerts)
243 - tls-log:
244 enabled: no # Log TLS connections.
245 filename: tls.log # File to store TLS logs.
246 append: yes
247 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
248 #extended: yes # Log extended information like fingerprint
249
250 # output module to store certificates chain to disk
251 - tls-store:
252 enabled: no
253 #certs-log-dir: certs # directory to store the certificates files
254
255 # a line based log of DNS requests and/or replies (no alerts)
256 - dns-log:
257 enabled: no
258 filename: dns.log
259 append: yes
260 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
261
262 # Packet log... log packets in pcap format. 3 modes of operation: "normal"
263 # "multi" and "sguil".
264 #
265 # In normal mode a pcap file "filename" is created in the default-log-dir,
266 # or are as specified by "dir".
267 # In multi mode, a file is created per thread. This will perform much
268 # better, but will create multiple files where 'normal' would create one.
269 # In multi mode the filename takes a few special variables:
270 # - %n -- thread number
271 # - %i -- thread id
272 # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
273 # E.g. filename: pcap.%n.%t
274 #
275 # Note that it's possible to use directories, but the directories are not
276 # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
277 # per thread directory.
278 #
279 # Also note that the limit and max-files settings are enforced per thread.
280 # So the size limit when using 8 threads with 1000mb files and 2000 files
281 # is: 8*1000*2000 ~ 16TiB.
282 #
283 # In Sguil mode "dir" indicates the base directory. In this base dir the
284 # pcaps are created in th directory structure Sguil expects:
285 #
286 # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
287 #
288 # By default all packets are logged except:
289 # - TCP streams beyond stream.reassembly.depth
290 # - encrypted streams after the key exchange
291 #
292 - pcap-log:
293 enabled: no
294 filename: log.pcap
295
296 # File size limit. Can be specified in kb, mb, gb. Just a number
297 # is parsed as bytes.
298 limit: 1000mb
299
300 # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
301 max-files: 2000
302
303 mode: normal # normal, multi or sguil.
304
305 # Directory to place pcap files. If not provided the default log
306 # directory will be used. Required for "sguil" mode.
307 #dir: /nsm_data/
308
309 #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
310 use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
311 honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
312
313 # a full alerts log containing much information for signature writers
314 # or for investigating suspected false positives.
315 - alert-debug:
316 enabled: no
317 filename: alert-debug.log
318 append: yes
319 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
320
321 # alert output to prelude (http://www.prelude-technologies.com/) only
322 # available if Suricata has been compiled with --enable-prelude
323 - alert-prelude:
324 enabled: no
325 profile: suricata
326 log-packet-content: no
327 log-packet-header: yes
328
329 # Stats.log contains data from various counters of the suricata engine.
330 - stats:
331 enabled: yes
332 filename: stats.log
333 totals: yes # stats for all threads merged together
334 threads: no # per thread stats
335 #null-values: yes # print counters that have value 0
336
337 # a line based alerts log similar to fast.log into syslog
338 - syslog:
339 enabled: no
340 # reported identity to syslog. If ommited the program name (usually
341 # suricata) will be used.
342 #identity: "suricata"
343 facility: local5
344 #level: Info ## possible levels: Emergency, Alert, Critical,
345 ## Error, Warning, Notice, Info, Debug
346
347 # a line based information for dropped packets in IPS mode
348 - drop:
349 enabled: yes
350 filename: drop.log
351 append: yes
352 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
353
354 # output module to store extracted files to disk
355 #
356 # The files are stored to the log-dir in a format "file.<id>" where <id> is
357 # an incrementing number starting at 1. For each file "file.<id>" a meta
358 # file "file.<id>.meta" is created.
359 #
360 # File extraction depends on a lot of things to be fully done:
361 # - file-store stream-depth. For optimal results, set this to 0 (unlimited)
362 # - http request / response body sizes. Again set to 0 for optimal results.
363 # - rules that contain the "filestore" keyword.
364 - file-store:
365 enabled: no # set to yes to enable
366 log-dir: files # directory to store the files
367 force-magic: no # force logging magic on all stored files
368 # force logging of checksums, available hash functions are md5,
369 # sha1 and sha256
370 #force-hash: [md5]
371 force-filestore: no # force storing of all files
372 # override global stream-depth for sessions in which we want to
373 # perform file extraction. Set to 0 for unlimited.
374 #stream-depth: 0
375 #waldo: file.waldo # waldo file to store the file_id across runs
376
377 # output module to log files tracked in a easily parsable json format
378 - file-log:
379 enabled: no
380 filename: files-json.log
381 append: yes
382 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
383
384 force-magic: no # force logging magic on all logged files
385 # force logging of checksums, available hash functions are md5,
386 # sha1 and sha256
387 #force-hash: [md5]
388
389 # Log TCP data after stream normalization
390 # 2 types: file or dir. File logs into a single logfile. Dir creates
391 # 2 files per TCP session and stores the raw TCP data into them.
392 # Using 'both' will enable both file and dir modes.
393 #
394 # Note: limited by stream.depth
395 - tcp-data:
396 enabled: no
397 type: file
398 filename: tcp-data.log
399
400 # Log HTTP body data after normalization, dechunking and unzipping.
401 # 2 types: file or dir. File logs into a single logfile. Dir creates
402 # 2 files per HTTP session and stores the normalized data into them.
403 # Using 'both' will enable both file and dir modes.
404 #
405 # Note: limited by the body limit settings
406 - http-body-data:
407 enabled: no
408 type: file
409 filename: http-data.log
410
411 # Lua Output Support - execute lua script to generate alert and event
412 # output.
413 # Documented at:
414 # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
415 - lua:
416 enabled: no
417 #scripts-dir: /etc/suricata/lua-output/
418 scripts:
419 # - script1.lua
420
421# Logging configuration. This is not about logging IDS alerts/events, but
422# output about what Suricata is doing, like startup messages, errors, etc.
423logging:
424 # The default log level, can be overridden in an output section.
425 # Note that debug level logging will only be emitted if Suricata was
426 # compiled with the --enable-debug configure option.
427 #
428 # This value is overriden by the SC_LOG_LEVEL env var.
429 default-log-level: debug
430
431 # The default output format. Optional parameter, should default to
432 # something reasonable if not provided. Can be overriden in an
433 # output section. You can leave this out to get the default.
434 #
435 # This value is overriden by the SC_LOG_FORMAT env var.
436 #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
437
438 # A regex to filter output. Can be overridden in an output section.
439 # Defaults to empty (no filter).
440 #
441 # This value is overriden by the SC_LOG_OP_FILTER env var.
442 default-output-filter:
443
444 # Define your logging outputs. If none are defined, or they are all
445 # disabled you will get the default - console output.
446 outputs:
447 - console:
448 enabled: yes
449 # type: json
450 - file:
451 enabled: yes
452 level: debug
453 filename: /var/log/suricata/suricata.log
454 # type: json
455 - syslog:
456 enabled: no
457 facility: local5
458 format: "[%i] <%d> -- "
459 # type: json
460
461
462##
463## Step 4: configure common capture settings
464##
465## See "Advanced Capture Options" below for more options, including NETMAP
466## and PF_RING.
467##
468
469# Linux high speed capture support
470af-packet:
471 - interface: eth0
472 # Number of receive threads. "auto" uses the number of cores
473 #threads: auto
474 # Default clusterid. AF_PACKET will load balance packets based on flow.
475 cluster-id: 99
476 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
477 # This is only supported for Linux kernel > 3.1
478 # possible value are:
479 # * cluster_round_robin: round robin load balancing
480 # * cluster_flow: all packets of a given flow are send to the same socket
481 # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
482 # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
483 # socket. Requires at least Linux 3.14.
484 # * cluster_random: packets are sent randomly to sockets but with an equipartition.
485 # Requires at least Linux 3.14.
486 # * cluster_rollover: kernel rotates between sockets filling each socket before moving
487 # to the next. Requires at least Linux 3.10.
488 # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
489 # with capture card using RSS (require cpu affinity tuning and system irq tuning)
490 cluster-type: cluster_flow
491 # In some fragmentation case, the hash can not be computed. If "defrag" is set
492 # to yes, the kernel will do the needed defragmentation before sending the packets.
493 defrag: yes
494 # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
495 # full then kernel will send the packet on the next socket with room available. This option
496 # can minimize packet drop and increase the treated bandwidth on single intensive flow.
497 #rollover: yes
498 # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
499 #use-mmap: yes
500 # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
501 # your system
502 #mmap-locked: yes
503 # Use experimental tpacket_v3 capture mode, only active if use-mmap is true
504 #tpacket-v3: yes
505 # Ring size will be computed with respect to max_pending_packets and number
506 # of threads. You can set manually the ring size in number of packets by setting
507 # the following value. If you are using flow cluster-type and have really network
508 # intensive single-flow you could want to set the ring-size independently of the number
509 # of threads:
510 #ring-size: 2048
511 # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
512 # a decent number of packets. Size is in bytes so please consider your MTU. It should be
513 # a power of 2 and it must be multiple of page size (usually 4096).
514 #block-size: 32768
515 # tpacket_v3 block timeout: an open block is passed to userspace if it is not
516 # filled after block-timeout milliseconds.
517 #block-timeout: 10
518 # On busy system, this could help to set it to yes to recover from a packet drop
519 # phase. This will result in some packets (at max a ring flush) being non treated.
520 #use-emergency-flush: yes
521 # recv buffer size, increase value could improve performance
522 # buffer-size: 32768
523 # Set to yes to disable promiscuous mode
524 # disable-promisc: no
525 # Choose checksum verification mode for the interface. At the moment
526 # of the capture, some packets may be with an invalid checksum due to
527 # offloading to the network card of the checksum computation.
528 # Possible values are:
529 # - kernel: use indication sent by kernel for each packet (default)
530 # - yes: checksum validation is forced
531 # - no: checksum validation is disabled
532 # - auto: suricata uses a statistical approach to detect when
533 # checksum off-loading is used.
534 # Warning: 'checksum-validation' must be set to yes to have any validation
535 #checksum-checks: kernel
536 # BPF filter to apply to this interface. The pcap filter syntax apply here.
537 #bpf-filter: port 80 or udp
538 # You can use the following variables to activate AF_PACKET tap or IPS mode.
539 # If copy-mode is set to ips or tap, the traffic coming to the current
540 # interface will be copied to the copy-iface interface. If 'tap' is set, the
541 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
542 # will not be copied.
543 #copy-mode: ips
544 #copy-iface: eth1
545
546 # Put default values here. These will be used for an interface that is not
547 # in the list above.
548 - interface: default
549 #threads: auto
550 #use-mmap: no
551 #rollover: yes
552 #tpacket-v3: yes
553
554# Cross platform libpcap capture support
555pcap:
556 - interface: eth0
557 # On Linux, pcap will try to use mmaped capture and will use buffer-size
558 # as total of memory used by the ring. So set this to something bigger
559 # than 1% of your bandwidth.
560 #buffer-size: 16777216
561 #bpf-filter: "tcp and port 25"
562 # Choose checksum verification mode for the interface. At the moment
563 # of the capture, some packets may be with an invalid checksum due to
564 # offloading to the network card of the checksum computation.
565 # Possible values are:
566 # - yes: checksum validation is forced
567 # - no: checksum validation is disabled
568 # - auto: suricata uses a statistical approach to detect when
569 # checksum off-loading is used. (default)
570 # Warning: 'checksum-validation' must be set to yes to have any validation
571 #checksum-checks: auto
572 # With some accelerator cards using a modified libpcap (like myricom), you
573 # may want to have the same number of capture threads as the number of capture
574 # rings. In this case, set up the threads variable to N to start N threads
575 # listening on the same interface.
576 #threads: 16
577 # set to no to disable promiscuous mode:
578 #promisc: no
579 # set snaplen, if not set it defaults to MTU if MTU can be known
580 # via ioctl call and to full capture if not.
581 #snaplen: 1518
582 # Put default values here
583 - interface: default
584 #checksum-checks: auto
585
586# Settings for reading pcap files
587pcap-file:
588 # Possible values are:
589 # - yes: checksum validation is forced
590 # - no: checksum validation is disabled
591 # - auto: suricata uses a statistical approach to detect when
592 # checksum off-loading is used. (default)
593 # Warning: 'checksum-validation' must be set to yes to have checksum tested
594 checksum-checks: auto
595
596# See "Advanced Capture Options" below for more options, including NETMAP
597# and PF_RING.
598
599
600##
601## Step 5: App Layer Protocol Configuration
602##
603
604# Configure the app-layer parsers. The protocols section details each
605# protocol.
606#
607# The option "enabled" takes 3 values - "yes", "no", "detection-only".
608# "yes" enables both detection and the parser, "no" disables both, and
609# "detection-only" enables protocol detection only (parser disabled).
610app-layer:
611 protocols:
612 tls:
613 enabled: yes
614 detection-ports:
615 dp: 443
616
617 # Completely stop processing TLS/SSL session after the handshake
618 # completed. If bypass is enabled this will also trigger flow
619 # bypass. If disabled (the default), TLS/SSL session is still
620 # tracked for Heartbleed and other anomalies.
621 #no-reassemble: yes
622 dcerpc:
623 enabled: yes
624 ftp:
625 enabled: yes
626 ssh:
627 enabled: yes
628 smtp:
629 enabled: yes
630 # Configure SMTP-MIME Decoder
631 mime:
632 # Decode MIME messages from SMTP transactions
633 # (may be resource intensive)
634 # This field supercedes all others because it turns the entire
635 # process on or off
636 decode-mime: yes
637
638 # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
639 decode-base64: yes
640 decode-quoted-printable: yes
641
642 # Maximum bytes per header data value stored in the data structure
643 # (default is 2000)
644 header-value-depth: 2000
645
646 # Extract URLs and save in state data structure
647 extract-urls: yes
648 # Set to yes to compute the md5 of the mail body. You will then
649 # be able to journalize it.
650 body-md5: no
651 # Configure inspected-tracker for file_data keyword
652 inspected-tracker:
653 content-limit: 100000
654 content-inspect-min-size: 32768
655 content-inspect-window: 4096
656 imap:
657 enabled: detection-only
658 msn:
659 enabled: detection-only
660 smb:
661 enabled: yes
662 detection-ports:
663 dp: 139, 445
664 # smb2 detection is disabled internally inside the engine.
665 #smb2:
666 # enabled: yes
667 dns:
668 # memcaps. Globally and per flow/state.
669 #global-memcap: 16mb
670 #state-memcap: 512kb
671
672 # How many unreplied DNS requests are considered a flood.
673 # If the limit is reached, app-layer-event:dns.flooded; will match.
674 #request-flood: 500
675
676 tcp:
677 enabled: yes
678 detection-ports:
679 dp: 53
680 udp:
681 enabled: yes
682 detection-ports:
683 dp: 53
684 http:
685 enabled: yes
686 # memcap: 64mb
687
688 # default-config: Used when no server-config matches
689 # personality: List of personalities used by default
690 # request-body-limit: Limit reassembly of request body for inspection
691 # by http_client_body & pcre /P option.
692 # response-body-limit: Limit reassembly of response body for inspection
693 # by file_data, http_server_body & pcre /Q option.
694 # double-decode-path: Double decode path section of the URI
695 # double-decode-query: Double decode query section of the URI
696 # response-body-decompress-layer-limit:
697 # Limit to how many layers of compression will be
698 # decompressed. Defaults to 2.
699 #
700 # server-config: List of server configurations to use if address matches
701 # address: List of ip addresses or networks for this block
702 # personalitiy: List of personalities used by this block
703 # request-body-limit: Limit reassembly of request body for inspection
704 # by http_client_body & pcre /P option.
705 # response-body-limit: Limit reassembly of response body for inspection
706 # by file_data, http_server_body & pcre /Q option.
707 # double-decode-path: Double decode path section of the URI
708 # double-decode-query: Double decode query section of the URI
709 #
710 # uri-include-all: Include all parts of the URI. By default the
711 # 'scheme', username/password, hostname and port
712 # are excluded. Setting this option to true adds
713 # all of them to the normalized uri as inspected
714 # by http_uri, urilen, pcre with /U and the other
715 # keywords that inspect the normalized uri.
716 # Note that this does not affect http_raw_uri.
717 # Also, note that including all was the default in
718 # 1.4 and 2.0beta1.
719 #
720 # meta-field-limit: Hard size limit for request and response size
721 # limits. Applies to request line and headers,
722 # response line and headers. Does not apply to
723 # request or response bodies. Default is 18k.
724 # If this limit is reached an event is raised.
725 #
726 # Currently Available Personalities:
727 # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
728 # IIS_7_0, IIS_7_5, Apache_2
729 libhtp:
730 default-config:
731 personality: IDS
732
733 # Can be specified in kb, mb, gb. Just a number indicates
734 # it's in bytes.
735 request-body-limit: 100kb
736 response-body-limit: 100kb
737
738 # inspection limits
739 request-body-minimal-inspect-size: 32kb
740 request-body-inspect-window: 4kb
741 response-body-minimal-inspect-size: 40kb
742 response-body-inspect-window: 16kb
743
744 # response body decompression (0 disables)
745 response-body-decompress-layer-limit: 2
746
747 # auto will use http-body-inline mode in IPS mode, yes or no set it statically
748 http-body-inline: auto
749
750 # Take a random value for inspection sizes around the specified value.
751 # This lower the risk of some evasion technics but could lead
752 # detection change between runs. It is set to 'yes' by default.
753 #randomize-inspection-sizes: yes
754 # If randomize-inspection-sizes is active, the value of various
755 # inspection size will be choosen in the [1 - range%, 1 + range%]
756 # range
757 # Default value of randomize-inspection-range is 10.
758 #randomize-inspection-range: 10
759
760 # decoding
761 double-decode-path: no
762 double-decode-query: no
763
764 server-config:
765
766 #- apache:
767 # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
768 # personality: Apache_2
769 # # Can be specified in kb, mb, gb. Just a number indicates
770 # # it's in bytes.
771 # request-body-limit: 4096
772 # response-body-limit: 4096
773 # double-decode-path: no
774 # double-decode-query: no
775
776 #- iis7:
777 # address:
778 # - 192.168.0.0/24
779 # - 192.168.10.0/24
780 # personality: IIS_7_0
781 # # Can be specified in kb, mb, gb. Just a number indicates
782 # # it's in bytes.
783 # request-body-limit: 4096
784 # response-body-limit: 4096
785 # double-decode-path: no
786 # double-decode-query: no
787
788 # Note: Modbus probe parser is minimalist due to the poor significant field
789 # Only Modbus message length (greater than Modbus header length)
790 # And Protocol ID (equal to 0) are checked in probing parser
791 # It is important to enable detection port and define Modbus port
792 # to avoid false positive
793 modbus:
794 # How many unreplied Modbus requests are considered a flood.
795 # If the limit is reached, app-layer-event:modbus.flooded; will match.
796 #request-flood: 500
797
798 enabled: no
799 detection-ports:
800 dp: 502
801 # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
802 # is recommended to keep the TCP connection opened with a remote device
803 # and not to open and close it for each MODBUS/TCP transaction. In that
804 # case, it is important to set the depth of the stream reassembling as
805 # unlimited (stream.reassembly.depth: 0)
806
807 # Stream reassembly size for modbus. By default track it completely.
808 stream-depth: 0
809
810 # DNP3
811 dnp3:
812 enabled: no
813 detection-ports:
814 dp: 20000
815
816 # SCADA EtherNet/IP and CIP protocol support
817 enip:
818 enabled: no
819 detection-ports:
820 dp: 44818
821 sp: 44818
822
823# Limit for the maximum number of asn1 frames to decode (default 256)
824asn1-max-frames: 256
825
826
827##############################################################################
828##
829## Advanced settings below
830##
831##############################################################################
832
833##
834## Run Options
835##
836
837# Run suricata as user and group.
838#run-as:
839# user: suri
840# group: suri
841
842# Some logging module will use that name in event as identifier. The default
843# value is the hostname
844#sensor-name: suricata
845
846# Default pid file.
847# Will use this file if no --pidfile in command options.
848#pid-file: /var/run/suricata.pid
849
850# Daemon working directory
851# Suricata will change directory to this one if provided
852# Default: "/"
853#daemon-directory: "/"
854
855# Suricata core dump configuration. Limits the size of the core dump file to
856# approximately max-dump. The actual core dump size will be a multiple of the
857# page size. Core dumps that would be larger than max-dump are truncated. On
858# Linux, the actual core dump size may be a few pages larger than max-dump.
859# Setting max-dump to 0 disables core dumping.
860# Setting max-dump to 'unlimited' will give the full core dump file.
861# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
862# to be 'unlimited'.
863
864coredump:
865 max-dump: unlimited
866
867# If suricata box is a router for the sniffed networks, set it to 'router'. If
868# it is a pure sniffing setup, set it to 'sniffer-only'.
869# If set to auto, the variable is internally switch to 'router' in IPS mode
870# and 'sniffer-only' in IDS mode.
871# This feature is currently only used by the reject* keywords.
872host-mode: router
873
874# Number of packets preallocated per thread. The default is 1024. A higher number
875# will make sure each CPU will be more easily kept busy, but may negatively
876# impact caching.
877#
878# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
879# apply. In that case try something like 60000 or more. This is because the CUDA
880# pattern matcher buffers and scans as many packets as possible in parallel.
881max-pending-packets: 2048
882
883# Runmode the engine should use. Please check --list-runmodes to get the available
884# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
885# load balancing).
886runmode: workers
887
888# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
889#
890# Supported schedulers are:
891#
892# round-robin - Flows assigned to threads in a round robin fashion.
893# active-packets - Flows assigned to threads that have the lowest number of
894# unprocessed packets (default).
895# hash - Flow alloted usihng the address hash. More of a random
896# technique. Was the default in Suricata 1.2.1 and older.
897#
898#autofp-scheduler: active-packets
899
900# Preallocated size for packet. Default is 1514 which is the classical
901# size for pcap on ethernet. You should adjust this value to the highest
902# packet size (MTU + hardware header) on your system.
903#default-packet-size: 1514
904
905# Unix command socket can be used to pass commands to suricata.
906# An external tool can then connect to get information from suricata
907# or trigger some modifications of the engine. Set enabled to yes
908# to activate the feature. In auto mode, the feature will only be
909# activated in live capture mode. You can use the filename variable to set
910# the file name of the socket.
911unix-command:
912 enabled: no
913 #filename: custom.socket
914
915# Magic file. The extension .mgc is added to the value here.
916#magic-file: /usr/share/file/magic
917#magic-file:
918
919legacy:
920 uricontent: enabled
921
922##
923## Detection settings
924##
925
926# Set the order of alerts bassed on actions
927# The default order is pass, drop, reject, alert
928# action-order:
929# - pass
930# - drop
931# - reject
932# - alert
933
934# IP Reputation
935reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
936default-reputation-path: /usr/local/etc/suricata/iprep
937reputation-files:
938 - reputation.list
939
940# When run with the option --engine-analysis, the engine will read each of
941# the parameters below, and print reports for each of the enabled sections
942# and exit. The reports are printed to a file in the default log dir
943# given by the parameter "default-log-dir", with engine reporting
944# subsection below printing reports in its own report file.
945engine-analysis:
946 # enables printing reports for fast-pattern for every rule.
947 rules-fast-pattern: yes
948 # enables printing reports for each rule
949 rules: yes
950
951#recursion and match limits for PCRE where supported
952pcre:
953 match-limit: 3500
954 match-limit-recursion: 1500
955
956##
957## Advanced Traffic Tracking and Reconstruction Settings
958##
959
960# Host specific policies for defragmentation and TCP stream
961# reassembly. The host OS lookup is done using a radix tree, just
962# like a routing table so the most specific entry matches.
963host-os-policy:
964 # Make the default policy windows.
965 windows: [0.0.0.0/0]
966 bsd: []
967 bsd-right: []
968 old-linux: []
969 linux: []
970 old-solaris: []
971 solaris: []
972 hpux10: []
973 hpux11: []
974 irix: []
975 macos: []
976 vista: []
977 windows2k3: []
978
979# Defrag settings:
980
981defrag:
982 memcap: 32mb
983 hash-size: 65536
984 trackers: 65535 # number of defragmented flows to follow
985 max-frags: 65535 # number of fragments to keep (higher than trackers)
986 prealloc: yes
987 timeout: 60
988
989# Enable defrag per host settings
990# host-config:
991#
992# - dmz:
993# timeout: 30
994# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
995#
996# - lan:
997# timeout: 45
998# address:
999# - 192.168.0.0/24
1000# - 192.168.10.0/24
1001# - 172.16.14.0/24
1002
1003# Flow settings:
1004# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
1005# for flow allocation inside the engine. You can change this value to allow
1006# more memory usage for flows.
1007# The hash-size determine the size of the hash used to identify flows inside
1008# the engine, and by default the value is 65536.
1009# At the startup, the engine can preallocate a number of flows, to get a better
1010# performance. The number of flows preallocated is 10000 by default.
1011# emergency-recovery is the percentage of flows that the engine need to
1012# prune before unsetting the emergency state. The emergency state is activated
1013# when the memcap limit is reached, allowing to create new flows, but
1014# prunning them with the emergency timeouts (they are defined below).
1015# If the memcap is reached, the engine will try to prune flows
1016# with the default timeouts. If it doens't find a flow to prune, it will set
1017# the emergency bit and it will try again with more agressive timeouts.
1018# If that doesn't work, then it will try to kill the last time seen flows
1019# not in use.
1020# The memcap can be specified in kb, mb, gb. Just a number indicates it's
1021# in bytes.
1022
1023flow:
1024 memcap: 128mb
1025 hash-size: 65536
1026 prealloc: 10000
1027 emergency-recovery: 30
1028 #managers: 1 # default to one flow manager
1029 #recyclers: 1 # default to one flow recycler thread
1030
1031# This option controls the use of vlan ids in the flow (and defrag)
1032# hashing. Normally this should be enabled, but in some (broken)
1033# setups where both sides of a flow are not tagged with the same vlan
1034# tag, we can ignore the vlan id's in the flow hashing.
1035vlan:
1036 use-for-tracking: true
1037
1038# Specific timeouts for flows. Here you can specify the timeouts that the
1039# active flows will wait to transit from the current state to another, on each
1040# protocol. The value of "new" determine the seconds to wait after a hanshake or
1041# stream startup before the engine free the data of that flow it doesn't
1042# change the state to established (usually if we don't receive more packets
1043# of that flow). The value of "established" is the amount of
1044# seconds that the engine will wait to free the flow if it spend that amount
1045# without receiving new packets or closing the connection. "closed" is the
1046# amount of time to wait after a flow is closed (usually zero). "bypassed"
1047# timeout controls locally bypassed flows. For these flows we don't do any other
1048# tracking. If no packets have been seen after this timeout, the flow is discarded.
1049#
1050# There's an emergency mode that will become active under attack circumstances,
1051# making the engine to check flow status faster. This configuration variables
1052# use the prefix "emergency-" and work similar as the normal ones.
1053# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
1054# icmp.
1055
1056flow-timeouts:
1057
1058 default:
1059 new: 30
1060 established: 300
1061 closed: 0
1062 bypassed: 100
1063 emergency-new: 10
1064 emergency-established: 100
1065 emergency-closed: 0
1066 emergency-bypassed: 50
1067 tcp:
1068 new: 40
1069 established: 400
1070 closed: 40
1071 bypassed: 100
1072 emergency-new: 5
1073 emergency-established: 100
1074 emergency-closed: 10
1075 emergency-bypassed: 50
1076 udp:
1077 new: 30
1078 established: 300
1079 bypassed: 100
1080 emergency-new: 10
1081 emergency-established: 100
1082 emergency-bypassed: 50
1083 icmp:
1084 new: 30
1085 established: 300
1086 bypassed: 100
1087 emergency-new: 10
1088 emergency-established: 100
1089 emergency-bypassed: 50
1090
1091# Stream engine settings. Here the TCP stream tracking and reassembly
1092# engine is configured.
1093#
1094# stream:
1095# memcap: 32mb # Can be specified in kb, mb, gb. Just a
1096# # number indicates it's in bytes.
1097# checksum-validation: yes # To validate the checksum of received
1098# # packet. If csum validation is specified as
1099# # "yes", then packet with invalid csum will not
1100# # be processed by the engine stream/app layer.
1101# # Warning: locally generated trafic can be
1102# # generated without checksum due to hardware offload
1103# # of checksum. You can control the handling of checksum
1104# # on a per-interface basis via the 'checksum-checks'
1105# # option
1106# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
1107# midstream: false # don't allow midstream session pickups
1108# async-oneside: false # don't enable async stream handling
1109# inline: no # stream inline mode
1110# max-synack-queued: 5 # Max different SYN/ACKs to queue
1111# bypass: no # Bypass packets when stream.depth is reached
1112#
1113# reassembly:
1114# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
1115# # indicates it's in bytes.
1116# depth: 1mb # Can be specified in kb, mb, gb. Just a number
1117# # indicates it's in bytes.
1118# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
1119# # this size. Can be specified in kb, mb,
1120# # gb. Just a number indicates it's in bytes.
1121# # The max acceptable size is 4024 bytes.
1122# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
1123# # this size. Can be specified in kb, mb,
1124# # gb. Just a number indicates it's in bytes.
1125# # The max acceptable size is 4024 bytes.
1126# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
1127# # This lower the risk of some evasion technics but could lead
1128# # detection change between runs. It is set to 'yes' by default.
1129# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
1130# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
1131# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
1132# # calculation for toclient-chunk-size.
1133# # Default value of randomize-chunk-range is 10.
1134#
1135# raw: yes # 'Raw' reassembly enabled or disabled.
1136# # raw is for content inspection by detection
1137# # engine.
1138#
1139# chunk-prealloc: 250 # Number of preallocated stream chunks. These
1140# # are used during stream inspection (raw).
1141# segments: # Settings for reassembly segment pool.
1142# - size: 4 # Size of the (data)segment for a pool
1143# prealloc: 256 # Number of segments to prealloc and keep
1144# # in the pool.
1145# zero-copy-size: 128 # This option sets in bytes the value at
1146# # which segment data is passed to the app
1147# # layer API directly. Data sizes equal to
1148# # and higher than the value set are passed
1149# # on directly.
1150#
1151stream:
1152 memcap: 256mb
1153 checksum-validation: no # reject wrong csums
1154 inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
1155 reassembly:
1156 memcap: 512mb
1157 depth: 1mb # reassemble 1mb into a stream
1158 toserver-chunk-size: 2560
1159 toclient-chunk-size: 2560
1160 randomize-chunk-size: yes
1161 #randomize-chunk-range: 10
1162 #raw: yes
1163 #chunk-prealloc: 250
1164 #segments:
1165 # - size: 4
1166 # prealloc: 256
1167 # - size: 16
1168 # prealloc: 512
1169 # - size: 112
1170 # prealloc: 512
1171 # - size: 248
1172 # prealloc: 512
1173 # - size: 512
1174 # prealloc: 512
1175 # - size: 768
1176 # prealloc: 1024
1177 # 'from_mtu' means that the size is mtu - 40,
1178 # or 1460 if mtu couldn't be determined.
1179 # - size: from_mtu
1180 # prealloc: 1024
1181 # - size: 65535
1182 # prealloc: 128
1183 #zero-copy-size: 128
1184
1185# Host table:
1186#
1187# Host table is used by tagging and per host thresholding subsystems.
1188#
1189host:
1190 hash-size: 4096
1191 prealloc: 1000
1192 memcap: 32mb
1193
1194# IP Pair table:
1195#
1196# Used by xbits 'ippair' tracking.
1197#
1198#ippair:
1199# hash-size: 4096
1200# prealloc: 1000
1201# memcap: 32mb
1202
1203
1204##
1205## Performance tuning and profiling
1206##
1207
1208# The detection engine builds internal groups of signatures. The engine
1209# allow us to specify the profile to use for them, to manage memory on an
1210# efficient way keeping a good performance. For the profile keyword you
1211# can use the words "low", "medium", "high" or "custom". If you use custom
1212# make sure to define the values at "- custom-values" as your convenience.
1213# Usually you would prefer medium/high/low.
1214#
1215# "sgh mpm-context", indicates how the staging should allot mpm contexts for
1216# the signature groups. "single" indicates the use of a single context for
1217# all the signature group heads. "full" indicates a mpm-context for each
1218# group head. "auto" lets the engine decide the distribution of contexts
1219# based on the information the engine gathers on the patterns from each
1220# group head.
1221#
1222# The option inspection-recursion-limit is used to limit the recursive calls
1223# in the content inspection code. For certain payload-sig combinations, we
1224# might end up taking too much time in the content inspection code.
1225# If the argument specified is 0, the engine uses an internally defined
1226# default limit. On not specifying a value, we use no limits on the recursion.
1227detect:
1228 profile: medium
1229 custom-values:
1230 toclient-groups: 100
1231 toserver-groups: 100
1232 sgh-mpm-context: full
1233 inspection-recursion-limit: 3000
1234 # If set to yes, the loading of signatures will be made after the capture
1235 # is started. This will limit the downtime in IPS mode.
1236 #delayed-detect: yes
1237
1238 prefilter:
1239 # default prefiltering setting. "mpm" only creates MPM/fast_pattern
1240 # engines. "auto" also sets up prefilter engines for other keywords.
1241 # Use --list-keywords=all to see which keywords support prefiltering.
1242 default: mpm
1243
1244 # the grouping values above control how many groups are created per
1245 # direction. Port whitelisting forces that port to get it's own group.
1246 # Very common ports will benefit, as well as ports with many expensive
1247 # rules.
1248 grouping:
1249 #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
1250 #udp-whitelist: 53, 135, 5060
1251
1252 profiling:
1253 # Log the rules that made it past the prefilter stage, per packet
1254 # default is off. The threshold setting determines how many rules
1255 # must have made it past pre-filter for that rule to trigger the
1256 # logging.
1257 #inspect-logging-threshold: 200
1258 grouping:
1259 dump-to-disk: false
1260 include-rules: false # very verbose
1261 include-mpm-stats: false
1262
1263# Select the multi pattern algorithm you want to run for scan/search the
1264# in the engine.
1265#
1266# The supported algorithms are:
1267# "ac" - Aho-Corasick, default implementation
1268# "ac-bs" - Aho-Corasick, reduced memory implementation
1269# "ac-cuda" - Aho-Corasick, CUDA implementation
1270# "ac-ks" - Aho-Corasick, "Ken Steele" variant
1271# "hs" - Hyperscan, available when built with Hyperscan support
1272#
1273# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
1274# available, "ac" otherwise.
1275#
1276# The mpm you choose also decides the distribution of mpm contexts for
1277# signature groups, specified by the conf - "detect.sgh-mpm-context".
1278# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
1279# to be set to "single", because of ac's memory requirements, unless the
1280# ruleset is small enough to fit in one's memory, in which case one can
1281# use "full" with "ac". Rest of the mpms can be run in "full" mode.
1282#
1283# There is also a CUDA pattern matcher (only available if Suricata was
1284# compiled with --enable-cuda: b2g_cuda. Make sure to update your
1285# max-pending-packets setting above as well if you use b2g_cuda.
1286
1287mpm-algo: ac-ks
1288
1289# Select the matching algorithm you want to use for single-pattern searches.
1290#
1291# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
1292# available if Suricata has been built with Hyperscan support).
1293#
1294# The default of "auto" will use "hs" if available, otherwise "bm".
1295
1296spm-algo: bm
1297
1298# Suricata is multi-threaded. Here the threading can be influenced.
1299threading:
1300 set-cpu-affinity: no
1301 # Tune cpu affinity of threads. Each family of threads can be bound
1302 # on specific CPUs.
1303 #
1304 # These 2 apply to the all runmodes:
1305 # management-cpu-set is used for flow timeout handling, counters
1306 # worker-cpu-set is used for 'worker' threads
1307 #
1308 # Additionally, for autofp these apply:
1309 # receive-cpu-set is used for capture threads
1310 # verdict-cpu-set is used for IPS verdict threads
1311 #
1312 cpu-affinity:
1313 - management-cpu-set:
1314 cpu: [ 0 ] # include only these cpus in affinity settings
1315 - receive-cpu-set:
1316 cpu: [ 0 ] # include only these cpus in affinity settings
1317 - worker-cpu-set:
1318 cpu: [ "all" ]
1319 mode: "exclusive"
1320 # Use explicitely 3 threads and don't compute number by using
1321 # detect-thread-ratio variable:
1322 # threads: 3
1323 prio:
1324 low: [ 0 ]
1325 medium: [ "1-2" ]
1326 high: [ 3 ]
1327 default: "medium"
1328 #- verdict-cpu-set:
1329 # cpu: [ 0 ]
1330 # prio:
1331 # default: "high"
1332 #
1333 # By default Suricata creates one "detect" thread per available CPU/CPU core.
1334 # This setting allows controlling this behaviour. A ratio setting of 2 will
1335 # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
1336 # will result in 4 detect threads. If values below 1 are used, less threads
1337 # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
1338 # thread being created. Regardless of the setting at a minimum 1 detect
1339 # thread will always be created.
1340 #
1341 detect-thread-ratio: 1.0
1342
1343# Luajit has a strange memory requirement, it's 'states' need to be in the
1344# first 2G of the process' memory.
1345#
1346# 'luajit.states' is used to control how many states are preallocated.
1347# State use: per detect script: 1 per detect thread. Per output script: 1 per
1348# script.
1349luajit:
1350 states: 128
1351
1352# Profiling settings. Only effective if Suricata has been built with the
1353# the --enable-profiling configure flag.
1354#
1355profiling:
1356 # Run profiling for every xth packet. The default is 1, which means we
1357 # profile every packet. If set to 1000, one packet is profiled for every
1358 # 1000 received.
1359 #sample-rate: 1000
1360
1361 # rule profiling
1362 rules:
1363
1364 # Profiling can be disabled here, but it will still have a
1365 # performance impact if compiled in.
1366 enabled: yes
1367 filename: rule_perf.log
1368 append: yes
1369
1370 # Sort options: ticks, avgticks, checks, matches, maxticks
1371 sort: avgticks
1372
1373 # Limit the number of items printed at exit (ignored for json).
1374 limit: 100
1375
1376 # output to json
1377 json: yes
1378
1379 # per keyword profiling
1380 keywords:
1381 enabled: yes
1382 filename: keyword_perf.log
1383 append: yes
1384
1385 # per rulegroup profiling
1386 rulegroups:
1387 enabled: yes
1388 filename: rule_group_perf.log
1389 append: yes
1390
1391 # packet profiling
1392 packets:
1393
1394 # Profiling can be disabled here, but it will still have a
1395 # performance impact if compiled in.
1396 enabled: yes
1397 filename: packet_stats.log
1398 append: yes
1399
1400 # per packet csv output
1401 csv:
1402
1403 # Output can be disabled here, but it will still have a
1404 # performance impact if compiled in.
1405 enabled: no
1406 filename: packet_stats.csv
1407
1408 # profiling of locking. Only available when Suricata was built with
1409 # --enable-profiling-locks.
1410 locks:
1411 enabled: no
1412 filename: lock_stats.log
1413 append: yes
1414
1415 pcap-log:
1416 enabled: no
1417 filename: pcaplog_stats.log
1418 append: yes
1419
1420##
1421## Netfilter integration
1422##
1423
1424# When running in NFQ inline mode, it is possible to use a simulated
1425# non-terminal NFQUEUE verdict.
1426# This permit to do send all needed packet to suricata via this a rule:
1427# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
1428# And below, you can have your standard filtering ruleset. To activate
1429# this mode, you need to set mode to 'repeat'
1430# If you want packet to be sent to another queue after an ACCEPT decision
1431# set mode to 'route' and set next-queue value.
1432# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
1433# by processing several packets before sending a verdict (worker runmode only).
1434# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
1435# accept the packet if suricata is not able to keep pace.
1436# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
1437# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
1438# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
1439# directly accept all packets of a flow once a packet has been marked.
1440nfq:
1441# mode: accept
1442# repeat-mark: 1
1443# repeat-mask: 1
1444# bypass-mark: 1
1445# bypass-mask: 1
1446# route-queue: 2
1447# batchcount: 20
1448# fail-open: yes
1449
1450#nflog support
1451nflog:
1452 # netlink multicast group
1453 # (the same as the iptables --nflog-group param)
1454 # Group 0 is used by the kernel, so you can't use it
1455 - group: 2
1456 # netlink buffer size
1457 buffer-size: 18432
1458 # put default value here
1459 - group: default
1460 # set number of packet to queue inside kernel
1461 qthreshold: 1
1462 # set the delay before flushing packet in the queue inside kernel
1463 qtimeout: 100
1464 # netlink max buffer size
1465 max-size: 20000
1466
1467##
1468## Advanced Capture Options
1469##
1470
1471# general settings affecting packet capture
1472capture:
1473 # disable NIC offloading. It's restored when Suricata exists.
1474 # Enabled by default
1475 #disable-offloading: false
1476 #
1477 # disable checksum validation. Same as setting '-k none' on the
1478 # commandline
1479 #checksum-validation: none
1480
1481# Netmap support
1482#
1483# Netmap operates with NIC directly in driver, so you need FreeBSD wich have
1484# built-in netmap support or compile and install netmap module and appropriate
1485# NIC driver on your Linux system.
1486# To reach maximum throughput disable all receive-, segmentation-,
1487# checksum- offloadings on NIC.
1488# Disabling Tx checksum offloading is *required* for connecting OS endpoint
1489# with NIC endpoint.
1490# You can find more information at https://github.com/luigirizzo/netmap
1491#
1492netmap:
1493 # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
1494 - interface: igb0
1495 # Number of receive threads. "auto" uses number of RSS queues on interface.
1496 threads: auto
1497 # You can use the following variables to activate netmap tap or IPS mode.
1498 # If copy-mode is set to ips or tap, the traffic coming to the current
1499 # interface will be copied to the copy-iface interface. If 'tap' is set, the
1500 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
1501 # will not be copied.
1502 # To specify the OS as the copy-iface (so the OS can route packets, or forward
1503 # to a service running on the same machine) add a plus sign at the end
1504 # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
1505 # for return packets. Hardware checksumming must be *off* on the interface if
1506 # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
1507 # or 'ethtool -K eth0 tx off rx off' for Linux).
1508 copy-mode: ips
1509 copy-iface: igb1
1510 # Set to yes to disable promiscuous mode
1511 # disable-promisc: no
1512 # Choose checksum verification mode for the interface. At the moment
1513 # of the capture, some packets may be with an invalid checksum due to
1514 # offloading to the network card of the checksum computation.
1515 # Possible values are:
1516 # - yes: checksum validation is forced
1517 # - no: checksum validation is disabled
1518 # - auto: suricata uses a statistical approach to detect when
1519 # checksum off-loading is used.
1520 # Warning: 'checksum-validation' must be set to yes to have any validation
1521 #checksum-checks: auto
1522 # BPF filter to apply to this interface. The pcap filter syntax apply here.
1523 #bpf-filter: port 80 or udp
1524 - interface: igb1
1525 threads: auto
1526 copy-mode: ips
1527 copy-iface: igb0
1528 # Put default values here
1529 #- interface: default
1530
1531# PF_RING configuration. for use with native PF_RING support
1532# for more info see http://www.ntop.org/products/pf_ring/
1533pfring:
1534 - interface: eth0
1535 # Number of receive threads (>1 will enable experimental flow pinned
1536 # runmode)
1537 threads: 1
1538
1539 # Default clusterid. PF_RING will load balance packets based on flow.
1540 # All threads/processes that will participate need to have the same
1541 # clusterid.
1542 cluster-id: 99
1543
1544 # Default PF_RING cluster type. PF_RING can load balance per flow.
1545 # Possible values are cluster_flow or cluster_round_robin.
1546 cluster-type: cluster_flow
1547 # bpf filter for this interface
1548 #bpf-filter: tcp
1549 # Choose checksum verification mode for the interface. At the moment
1550 # of the capture, some packets may be with an invalid checksum due to
1551 # offloading to the network card of the checksum computation.
1552 # Possible values are:
1553 # - rxonly: only compute checksum for packets received by network card.
1554 # - yes: checksum validation is forced
1555 # - no: checksum validation is disabled
1556 # - auto: suricata uses a statistical approach to detect when
1557 # checksum off-loading is used. (default)
1558 # Warning: 'checksum-validation' must be set to yes to have any validation
1559 #checksum-checks: auto
1560 # Second interface
1561 #- interface: eth1
1562 # threads: 3
1563 # cluster-id: 93
1564 # cluster-type: cluster_flow
1565 # Put default values here
1566 - interface: default
1567 #threads: 2
1568
1569# For FreeBSD ipfw(8) divert(4) support.
1570# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
1571# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
1572# Additionally, you need to have an ipfw rule for the engine to see
1573# the packets from ipfw. For Example:
1574#
1575# ipfw add 100 divert 8000 ip from any to any
1576#
1577# The 8000 above should be the same number you passed on the command
1578# line, i.e. -d 8000
1579#
1580ipfw:
1581
1582 # Reinject packets at the specified ipfw rule number. This config
1583 # option is the ipfw rule number AT WHICH rule processing continues
1584 # in the ipfw processing system after the engine has finished
1585 # inspecting the packet for acceptance. If no rule number is specified,
1586 # accepted packets are reinjected at the divert rule which they entered
1587 # and IPFW rule processing continues. No check is done to verify
1588 # this will rule makes sense so care must be taken to avoid loops in ipfw.
1589 #
1590 ## The following example tells the engine to reinject packets
1591 # back into the ipfw firewall AT rule number 5500:
1592 #
1593 # ipfw-reinjection-rule-number: 5500
1594
1595
1596napatech:
1597 # The Host Buffer Allowance for all streams
1598 # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1599 hba: -1
1600
1601 # use_all_streams set to "yes" will query the Napatech service for all configured
1602 # streams and listen on all of them. When set to "no" the streams config array
1603 # will be used.
1604 use-all-streams: yes
1605
1606 # The streams to listen on
1607 streams: [1, 2, 3]
1608
1609# Tilera mpipe configuration. for use on Tilera TILE-Gx.
1610mpipe:
1611
1612 # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
1613 load-balance: dynamic
1614
1615 # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
1616 iqueue-packets: 2048
1617
1618 # List of interfaces we will listen on.
1619 inputs:
1620 - interface: xgbe2
1621 - interface: xgbe3
1622 - interface: xgbe4
1623
1624
1625 # Relative weight of memory for packets of each mPipe buffer size.
1626 stack:
1627 size128: 0
1628 size256: 9
1629 size512: 0
1630 size1024: 0
1631 size1664: 7
1632 size4096: 0
1633 size10386: 0
1634 size16384: 0
1635
1636##
1637## Hardware accelaration
1638##
1639
1640# Cuda configuration.
1641cuda:
1642 # The "mpm" profile. On not specifying any of these parameters, the engine's
1643 # internal default values are used, which are same as the ones specified in
1644 # in the default conf file.
1645 mpm:
1646 # The minimum length required to buffer data to the gpu.
1647 # Anything below this is MPM'ed on the CPU.
1648 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
1649 # A value of 0 indicates there's no limit.
1650 data-buffer-size-min-limit: 0
1651 # The maximum length for data that we would buffer to the gpu.
1652 # Anything over this is MPM'ed on the CPU.
1653 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
1654 data-buffer-size-max-limit: 1500
1655 # The ring buffer size used by the CudaBuffer API to buffer data.
1656 cudabuffer-buffer-size: 500mb
1657 # The max chunk size that can be sent to the gpu in a single go.
1658 gpu-transfer-size: 50mb
1659 # The timeout limit for batching of packets in microseconds.
1660 batching-timeout: 2000
1661 # The device to use for the mpm. Currently we don't support load balancing
1662 # on multiple gpus. In case you have multiple devices on your system, you
1663 # can specify the device to use, using this conf. By default we hold 0, to
1664 # specify the first device cuda sees. To find out device-id associated with
1665 # the card(s) on the system run "suricata --list-cuda-cards".
1666 device-id: 0
1667 # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
1668 # For this option you need a device with Compute Capability > 1.0.
1669 cuda-streams: 2
1670
1671##
1672## Include other configs
1673##
1674
1675# Includes. Files included here will be handled as if they were
1676# inlined in this configuration file.
1677include: reputation.yaml
1678#include: include2.yaml