michu162

suricata

Sep 26th, 2016
68
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
YAML 66.51 KB | None | 0 0
  1. This is Suricata version 3.1.2 RELEASE
  2. Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
  3. SIMD support: none
  4. Atomic intrisics: 1 2 4 8 byte(s)
  5. 64-bits, Little-endian architecture
  6. GCC version 4.8.4, C version 199901
  7. compiled with -fstack-protector
  8. compiled with _FORTIFY_SOURCE=2
  9. L1 cache line size (CLS)=64
  10. thread local storage method: __thread
  11. compiled with LibHTP v0.5.22, linked against LibHTP v0.5.22
  12.  
  13. Suricata Configuration:
  14.   AF_PACKET support:                      yes
  15.   PF_RING support:                        no
  16.   NFQueue support:                        yes
  17.   NFLOG support:                          no
  18.   IPFW support:                           no
  19.   Netmap support:                         no
  20.   DAG enabled:                            no
  21.   Napatech enabled:                       no
  22.  
  23.   Unix socket enabled:                    yes
  24.   Detection enabled:                      yes
  25.  
  26.   libnss support:                         yes
  27.   libnspr support:                        yes
  28.   libjansson support:                     yes
  29.   hiredis support:                        yes
  30.   Prelude support:                        no
  31.   PCRE jit:                               yes
  32.   LUA support:                            yes, through luajit
  33.   libluajit:                              yes
  34.   libgeoip:                               yes
  35.   Non-bundled htp:                        yes
  36.   Old barnyard2 support:                  no
  37.   CUDA enabled:                           no
  38.   Hyperscan support:                      no
  39.   Libnet support:                         yes
  40.  
  41.   Suricatasc install:                     yes
  42.  
  43.   Profiling enabled:                      no
  44.   Profiling locks enabled:                no
  45.  
  46. Development settings:
  47.   Coccinelle / spatch:                    no
  48.   Unit tests enabled:                     no
  49.   Debug output enabled:                   no
  50.   Debug validation enabled:               no
  51.  
  52. Generic build parameters:
  53.   Installation prefix:                    /usr
  54.   Configuration directory:                /etc/suricata/
  55.   Log directory:                          /var/log/suricata/
  56.  
  57.   --prefix                                 /usr
  58.   --sysconfdir                             /etc
  59.   --localstatedir                          /var
  60.  
  61.   Host:                                   x86_64-pc-linux-gnu
  62.   Compiler:                               gcc (exec name) / gcc (real)
  63.   GCC Protect enabled:                    yes
  64.   GCC march native enabled:               no
  65.   GCC Profile enabled:                    no
  66.   Position Independent Executable enabled: yes
  67.   CFLAGS                                   -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
  68.   PCAP_CFLAGS                               -I/usr/include
  69.   SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
  70.  
  71. %YAML 1.1
  72. ---
  73.  
  74. # Suricata configuration file. In addition to the comments describing all
  75. # options in this file, full documentation can be found at:
  76. # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
  77.  
  78. ##
  79. ## Step 1: inform Suricata about your network
  80. ##
  81.  
  82. vars:
  83.  # more specifc is better for alert accuracy and performance
  84.   address-groups:
  85.     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
  86.     #HOME_NET: "[192.168.0.0/16]"
  87.     #HOME_NET: "[10.0.0.0/8]"
  88.     #HOME_NET: "[172.16.0.0/12]"
  89.     #HOME_NET: "any"
  90.  
  91.     EXTERNAL_NET: "!$HOME_NET"
  92.     #EXTERNAL_NET: "any"
  93.  
  94.     HTTP_SERVERS: "$HOME_NET"
  95.     SMTP_SERVERS: "$HOME_NET"
  96.     SQL_SERVERS: "$HOME_NET"
  97.     DNS_SERVERS: "$HOME_NET"
  98.     TELNET_SERVERS: "$HOME_NET"
  99.     AIM_SERVERS: "$EXTERNAL_NET"
  100.     DNP3_SERVER: "$HOME_NET"
  101.     DNP3_CLIENT: "$HOME_NET"
  102.     MODBUS_CLIENT: "$HOME_NET"
  103.     MODBUS_SERVER: "$HOME_NET"
  104.     ENIP_CLIENT: "$HOME_NET"
  105.     ENIP_SERVER: "$HOME_NET"
  106.  
  107.   port-groups:
  108.     HTTP_PORTS: "80"
  109.     SHELLCODE_PORTS: "!80"
  110.     ORACLE_PORTS: 1521
  111.     SSH_PORTS: 22
  112.     DNP3_PORTS: 20000
  113.     MODBUS_PORTS: 502
  114.  
  115.  
  116. ##
  117. ## Step 2: select the rules to enable or disable
  118. ##
  119.  
  120. default-rule-path: /etc/suricata/rules
  121. #rule-files:
  122. # - botcc.rules
  123. # - ciarmy.rules
  124. # - compromised.rules
  125. # - drop.rules
  126. # - dshield.rules
  127. # - emerging-activex.rules
  128. # - emerging-attack_response.rules
  129. # - emerging-chat.rules
  130. # - emerging-current_events.rules
  131. # - emerging-dns.rules
  132. # - emerging-dos.rules
  133. # - emerging-exploit.rules
  134. # - emerging-ftp.rules
  135. # - emerging-games.rules
  136. # - emerging-icmp_info.rules
  137. # - emerging-icmp.rules
  138. # - emerging-imap.rules
  139. # - emerging-inappropriate.rules
  140. # - emerging-malware.rules
  141. # - emerging-misc.rules
  142. # - emerging-mobile_malware.rules
  143. # - emerging-netbios.rules
  144. # - emerging-p2p.rules
  145. # - emerging-policy.rules
  146. # - emerging-pop3.rules
  147. # - emerging-rpc.rules
  148. # - emerging-scada.rules
  149. # - emerging-scan.rules
  150. # - emerging-shellcode.rules
  151. # - emerging-smtp.rules
  152. # - emerging-snmp.rules
  153. # - emerging-sql.rules
  154. # - emerging-telnet.rules
  155. # - emerging-tftp.rules
  156. # - emerging-trojan.rules
  157. # - emerging-user_agents.rules
  158. # - emerging-voip.rules
  159. # - emerging-web_client.rules
  160. # - emerging-web_server.rules
  161. # - emerging-web_specific_apps.rules
  162. # - emerging-worm.rules
  163. # - tor.rules
  164. # - decoder-events.rules # available in suricata sources under rules dir
  165. # - stream-events.rules  # available in suricata sources under rules dir
  166. # - http-events.rules    # available in suricata sources under rules dir
  167. # - smtp-events.rules    # available in suricata sources under rules dir
  168. # - dns-events.rules     # available in suricata sources under rules dir
  169. # - tls-events.rules     # available in suricata sources under rules dir
  170. # - modbus-events.rules  # available in suricata sources under rules dir
  171. # - app-layer-events.rules  # available in suricata sources under rules dir
  172.  
  173. classification-file: /etc/suricata/classification.config
  174. reference-config-file: /etc/suricata/reference.config
  175. # threshold-file: /etc/suricata/threshold.config
  176.  
  177.  
  178. ##
  179. ## Step 3: select outputs to enable
  180. ##
  181.  
  182. # The default logging directory.  Any log or output file will be
  183. # placed here if its not specified with a full path name. This can be
  184. # overridden with the -l command line parameter.
  185. default-log-dir: /var/log/suricata/
  186.  
  187. # global stats configuration
  188. stats:
  189.   enabled: yes
  190.   # The interval field (in seconds) controls at what interval
  191.   # the loggers are invoked.
  192.   interval: 8
  193.  
  194. # Configure the type of alert (and other) logging you would like.
  195. outputs:
  196.  # a line based alerts log similar to Snort's fast.log
  197.   - fast:
  198.       enabled: no
  199.       filename: fast.log
  200.       append: yes
  201.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  202.  
  203.   - eve-log:
  204.       enabled: yes
  205.       filetype: regular
  206.       filename: http.json
  207.       types:
  208.         - http:
  209.             extended: yes
  210.         - tls:
  211.             extended: yes
  212.         - drop:
  213.             alerts: no
  214.         - alert:
  215.             http: yes                # enable dumping of http fields
  216.             tls: yes                 # enable dumping of tls fields
  217. #            xff:
  218. #              enabled: no
  219. #              mode: extra-data
  220. #              deployment: reverse
  221. #              header: X-Forwarded-For
  222. #        - files:
  223. #            force-magic: no   # force logging magic on all logged files
  224. #            force-md5: no     # force logging of md5 checksums
  225.   - eve-log:
  226.       enabled: yes
  227.       filetype: regular
  228.       filename: dns.json
  229.       types:
  230.        - dns
  231.   # Extensible Event Format (nicknamed EVE) event log in JSON format
  232. #  - eve-log:
  233. #      enabled: yes
  234. #      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
  235. #      filename: eve.json
  236.       #prefix: "@cee: " # prefix to prepend to each log entry
  237.       # the following are valid when type: syslog above
  238.       #identity: "suricata"
  239.       #facility: local5
  240.       #level: Info ## possible levels: Emergency, Alert, Critical,
  241.                    ## Error, Warning, Notice, Info, Debug
  242.       #redis:
  243.       #  server: 127.0.0.1
  244.       #  port: 6379
  245.       #  mode: list ## possible values: list (default), channel
  246.       #  key: suricata ## key or channel to use (default to suricata)
  247.       # Redis pipelining set up. This will enable to only do a query every
  248.       # 'batch-size' events. This should lower the latency induced by network
  249.       # connection at the cost of some memory. There is no flushing implemented
  250.       # so this setting as to be reserved to high traffic suricata.
  251.       #  pipelining:
  252.       #    enabled: yes ## set enable to yes to enable query pipelining
  253.       #    batch-size: 10 ## number of entry to keep in buffer
  254. #      types:
  255. #        - alert:
  256.             # payload: yes             # enable dumping payload in Base64
  257.             # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
  258.             # payload-printable: yes   # enable dumping payload in printable (lossy) format
  259.             # packet: yes              # enable dumping of packet (without stream segments)
  260. #            http: yes                # enable dumping of http fields
  261. #            tls: yes                 # enable dumping of tls fields
  262. #            ssh: yes                 # enable dumping of ssh fields
  263. #            smtp: yes                # enable dumping of smtp fields
  264.  
  265.             # HTTP X-Forwarded-For support by adding an extra field or overwriting
  266.             # the source or destination IP address (depending on flow direction)
  267.             # with the one reported in the X-Forwarded-For HTTP header. This is
  268.             # helpful when reviewing alerts for traffic that is being reverse
  269.             # or forward proxied.
  270. #            xff:
  271. #              enabled: no
  272.               # Two operation modes are available, "extra-data" and "overwrite".
  273. #              mode: extra-data
  274.               # Two proxy deployments are supported, "reverse" and "forward". In
  275.               # a "reverse" deployment the IP address used is the last one, in a
  276.               # "forward" deployment the first IP address is used.
  277. #              deployment: reverse
  278.               # Header name where the actual IP address will be reported, if more
  279.               # than one IP address is present, the last IP address will be the
  280.               # one taken into consideration.
  281. #              header: X-Forwarded-For
  282. #        - http:
  283. #            extended: yes     # enable this for extended logging information
  284.             # custom allows additional http fields to be included in eve-log
  285.             # the example below adds three additional fields when uncommented
  286.             #custom: [Accept-Encoding, Accept-Language, Authorization]
  287. #        - dns
  288. #        - tls:
  289. #            extended: yes     # enable this for extended logging information
  290. #        - files:
  291. #            force-magic: no   # force logging magic on all logged files
  292. #            force-md5: no     # force logging of md5 checksums
  293.         #- drop:
  294.         #    alerts: no       # log alerts that caused drops
  295. #        - smtp:
  296.             #extended: yes # enable this for extended logging information
  297.             # this includes: bcc, message-id, subject, x_mailer, user-agent
  298.             # custom fields logging from the list:
  299.             #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
  300.             #  x-originating-ip, in-reply-to, references, importance, priority,
  301.             #  sensitivity, organization, content-md5, date
  302.             #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
  303.             # output md5 of fields: body, subject
  304.             # for the body you need to set app-layer.protocols.smtp.mime.body-md5
  305.             # to yes
  306.             #md5: [body, subject]
  307.  
  308.  #       - ssh
  309.  #       - stats:
  310.  #           totals: yes       # stats for all threads merged together
  311.  #           threads: no       # per thread stats
  312.  #           deltas: no        # include delta values
  313.         # bi-directional flows
  314. #        - flow
  315.         # uni-directional flows
  316.         #- netflow
  317.  
  318.   # alert output for use with Barnyard2
  319.   - unified2-alert:
  320.       enabled: no
  321.       filename: unified2.alert
  322.  
  323.       # File size limit.  Can be specified in kb, mb, gb.  Just a number
  324.       # is parsed as bytes.
  325.       #limit: 32mb
  326.  
  327.       # Sensor ID field of unified2 alerts.
  328.       #sensor-id: 0
  329.  
  330.       # Include payload of packets related to alerts. Defaults to true, set to
  331.       # false if payload is not required.
  332.       #payload: yes
  333.  
  334.       # HTTP X-Forwarded-For support by adding the unified2 extra header or
  335.       # overwriting the source or destination IP address (depending on flow
  336.       # direction) with the one reported in the X-Forwarded-For HTTP header.
  337.       # This is helpful when reviewing alerts for traffic that is being reverse
  338.       # or forward proxied.
  339.       xff:
  340.         enabled: no
  341.         # Two operation modes are available, "extra-data" and "overwrite". Note
  342.         # that in the "overwrite" mode, if the reported IP address in the HTTP
  343.         # X-Forwarded-For header is of a different version of the packet
  344.         # received, it will fall-back to "extra-data" mode.
  345.         mode: extra-data
  346.         # Two proxy deployments are supported, "reverse" and "forward". In
  347.         # a "reverse" deployment the IP address used is the last one, in a
  348.         # "forward" deployment the first IP address is used.
  349.         deployment: reverse
  350.         # Header name where the actual IP address will be reported, if more
  351.         # than one IP address is present, the last IP address will be the
  352.         # one taken into consideration.
  353.         header: X-Forwarded-For
  354.  
  355.   # a line based log of HTTP requests (no alerts)
  356.   - http-log:
  357.       enabled: no
  358.       filename: http.log
  359.       append: yes
  360.       #extended: yes     # enable this for extended logging information
  361.       #custom: yes       # enabled the custom logging format (defined by customformat)
  362.       #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
  363.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  364.  
  365.   # a line based log of TLS handshake parameters (no alerts)
  366.   - tls-log:
  367.       enabled: no  # Log TLS connections.
  368.       filename: tls.log # File to store TLS logs.
  369.       append: yes
  370.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  371.       #extended: yes # Log extended information like fingerprint
  372.  
  373.   # output module to store certificates chain to disk
  374.   - tls-store:
  375.       enabled: no
  376.       #certs-log-dir: certs # directory to store the certificates files
  377.  
  378.   # a line based log of DNS requests and/or replies (no alerts)
  379.   - dns-log:
  380.       enabled: no
  381.       filename: dns.log
  382.       append: yes
  383.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  384.  
  385.   # Packet log... log packets in pcap format. 3 modes of operation: "normal"
  386.   # "multi" and "sguil".
  387.   #
  388.   # In normal mode a pcap file "filename" is created in the default-log-dir,
  389.   # or are as specified by "dir".
  390.   # In multi mode, a file is created per thread. This will perform much
  391.   # better, but will create multiple files where 'normal' would create one.
  392.   # In multi mode the filename takes a few special variables:
  393.   # - %n -- thread number
  394.   # - %i -- thread id
  395.   # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
  396.   # E.g. filename: pcap.%n.%t
  397.   #
  398.   # Note that it's possible to use directories, but the directories are not
  399.   # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
  400.   # per thread directory.
  401.   #
  402.   # Also note that the limit and max-files settings are enforced per thread.
  403.   # So the size limit when using 8 threads with 1000mb files and 2000 files
  404.   # is: 8*1000*2000 ~ 16TiB.
  405.   #
  406.   # In Sguil mode "dir" indicates the base directory. In this base dir the
  407.   # pcaps are created in th directory structure Sguil expects:
  408.   #
  409.   # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  410.   #
  411.   # By default all packets are logged except:
  412.   # - TCP streams beyond stream.reassembly.depth
  413.   # - encrypted streams after the key exchange
  414.   #
  415.   - pcap-log:
  416.       enabled: no
  417.       filename: log.pcap
  418.  
  419.       # File size limit.  Can be specified in kb, mb, gb.  Just a number
  420.       # is parsed as bytes.
  421.       limit: 1000mb
  422.  
  423.       # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
  424.       max-files: 2000
  425.  
  426.       mode: normal # normal, multi or sguil.
  427.       #sguil-base-dir: /nsm_data/
  428.       #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
  429.       use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
  430.       honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
  431.  
  432.   # a full alerts log containing much information for signature writers
  433.   # or for investigating suspected false positives.
  434.   - alert-debug:
  435.       enabled: no
  436.       filename: alert-debug.log
  437.       append: yes
  438.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  439.  
  440.   # alert output to prelude (http://www.prelude-technologies.com/) only
  441.   # available if Suricata has been compiled with --enable-prelude
  442.   - alert-prelude:
  443.       enabled: no
  444.       profile: suricata
  445.       log-packet-content: no
  446.       log-packet-header: yes
  447.  
  448.   # Stats.log contains data from various counters of the suricata engine.
  449.   - stats:
  450.       enabled: yes
  451.       filename: stats.log
  452.       totals: yes       # stats for all threads merged together
  453.       threads: no       # per thread stats
  454.       #null-values: yes  # print counters that have value 0
  455.  
  456.   # a line based alerts log similar to fast.log into syslog
  457.   - syslog:
  458.       enabled: no
  459.       # reported identity to syslog. If ommited the program name (usually
  460.       # suricata) will be used.
  461.       #identity: "suricata"
  462.       facility: local5
  463.       #level: Info ## possible levels: Emergency, Alert, Critical,
  464.                    ## Error, Warning, Notice, Info, Debug
  465.  
  466.   # a line based information for dropped packets in IPS mode
  467.   - drop:
  468.       enabled: no
  469.       filename: drop.log
  470.       append: yes
  471.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  472.  
  473.   # output module to store extracted files to disk
  474.   #
  475.   # The files are stored to the log-dir in a format "file.<id>" where <id> is
  476.   # an incrementing number starting at 1. For each file "file.<id>" a meta
  477.   # file "file.<id>.meta" is created.
  478.   #
  479.   # File extraction depends on a lot of things to be fully done:
  480.   # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  481.   # - http request / response body sizes. Again set to 0 for optimal results.
  482.   # - rules that contain the "filestore" keyword.
  483.   - file-store:
  484.       enabled: no       # set to yes to enable
  485.       log-dir: files    # directory to store the files
  486.       force-magic: no   # force logging magic on all stored files
  487.       force-md5: no     # force logging of md5 checksums
  488.       force-filestore: no # force storing of all files
  489.       #waldo: file.waldo # waldo file to store the file_id across runs
  490.  
  491.   # output module to log files tracked in a easily parsable json format
  492.   - file-log:
  493.       enabled: no
  494.       filename: files-json.log
  495.       append: yes
  496.       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  497.  
  498.       force-magic: no   # force logging magic on all logged files
  499.       force-md5: no     # force logging of md5 checksums
  500.  
  501.   # Log TCP data after stream normalization
  502.   # 2 types: file or dir. File logs into a single logfile. Dir creates
  503.   # 2 files per TCP session and stores the raw TCP data into them.
  504.   # Using 'both' will enable both file and dir modes.
  505.   #
  506.   # Note: limited by stream.depth
  507.   - tcp-data:
  508.       enabled: no
  509.       type: file
  510.       filename: tcp-data.log
  511.  
  512.   # Log HTTP body data after normalization, dechunking and unzipping.
  513.   # 2 types: file or dir. File logs into a single logfile. Dir creates
  514.   # 2 files per HTTP session and stores the normalized data into them.
  515.   # Using 'both' will enable both file and dir modes.
  516.   #
  517.   # Note: limited by the body limit settings
  518.   - http-body-data:
  519.       enabled: no
  520.       type: file
  521.       filename: http-data.log
  522.  
  523.   # Lua Output Support - execute lua script to generate alert and event
  524.   # output.
  525.   # Documented at:
  526.   # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
  527.   - lua:
  528.       enabled: no
  529.       #scripts-dir: /etc/suricata/lua-output/
  530.       scripts:
  531.      #   - script1.lua
  532.  
  533. # Logging configuration.  This is not about logging IDS alerts/events, but
  534. # output about what Suricata is doing, like startup messages, errors, etc.
  535. logging:
  536.  # The default log level, can be overridden in an output section.
  537.   # Note that debug level logging will only be emitted if Suricata was
  538.   # compiled with the --enable-debug configure option.
  539.   #
  540.   # This value is overriden by the SC_LOG_LEVEL env var.
  541.   default-log-level: notice
  542.  
  543.   # The default output format.  Optional parameter, should default to
  544.   # something reasonable if not provided.  Can be overriden in an
  545.   # output section.  You can leave this out to get the default.
  546.   #
  547.   # This value is overriden by the SC_LOG_FORMAT env var.
  548.  
  549.  
  550.   # A regex to filter output.  Can be overridden in an output section.
  551.   # Defaults to empty (no filter).
  552.   #
  553.   # This value is overriden by the SC_LOG_OP_FILTER env var.
  554.   default-output-filter:
  555.   # Define your logging outputs.  If none are defined, or they are all
  556.   # disabled you will get the default - console output.
  557.   outputs:
  558.   - console:
  559.       enabled: yes
  560.       # type: json
  561.   - file:
  562.       enabled: yes
  563.       level: info
  564.       filename: /var/log/suricata/suricata.log
  565.       # type: json
  566.   - syslog:
  567.       enabled: no
  568.       facility: local5
  569.       # type: json
  570.  
  571.  
  572. ##
  573. ## Step 4: configure common capture settings
  574. ##
  575. ## See "Advanced Capture Options" below for more options, including NETMAP
  576. ## and PF_RING.
  577. ##
  578.  
  579. # Linux high speed capture support
  580. af-packet:
  581.   - interface: p2p1
  582.     # Number of receive threads. "auto" uses the number of cores
  583.     threads: 3
  584.     # Default clusterid. AF_PACKET will load balance packets based on flow.
  585.     cluster-id: 99
  586.     # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
  587.     # This is only supported for Linux kernel > 3.1
  588.     # possible value are:
  589.     #  * cluster_round_robin: round robin load balancing
  590.     #  * cluster_flow: all packets of a given flow are send to the same socket
  591.     #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
  592.     #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
  593.     #  socket. Requires at least Linux 3.14.
  594.     #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
  595.     #  Requires at least Linux 3.14.
  596.     #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
  597.     #  to the next. Requires at least Linux 3.10.
  598.     # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
  599.     # with capture card using RSS (require cpu affinity tuning and system irq tuning)
  600.     cluster-type: cluster_flow
  601.     # In some fragmentation case, the hash can not be computed. If "defrag" is set
  602.     # to yes, the kernel will do the needed defragmentation before sending the packets.
  603.     #defrag: yes
  604.     # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
  605.     # full then kernel will send the packet on the next socket with room available. This option
  606.     # can minimize packet drop and increase the treated bandwidth on single intensive flow.
  607.     #rollover: yes
  608.     # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
  609.     use-mmap: yes
  610.     # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
  611.     # your system
  612.     #mmap-locked: yes
  613.     # Use experimental tpacket_v3 capture mode, only active if use-mmap is true
  614.     #tpacket-v3: yes
  615.     # Ring size will be computed with respect to max_pending_packets and number
  616.     # of threads. You can set manually the ring size in number of packets by setting
  617.     # the following value. If you are using flow cluster-type and have really network
  618.     # intensive single-flow you could want to set the ring-size independently of the number
  619.     # of threads:
  620.     #ring-size: 2048
  621.     # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
  622.     # a decent number of packets. Size is in bytes so please consider your MTU. It should be
  623.     # a power of 2 and it must be multiple of page size (usually 4096).
  624.     #block-size: 32768
  625.     # tpacket_v3 block timeout: an open block is passed to userspace if it is not
  626.     # filled after block-timeout milliseconds.
  627.     #block-timeout: 10
  628.     # On busy system, this could help to set it to yes to recover from a packet drop
  629.     # phase. This will result in some packets (at max a ring flush) being non treated.
  630.     #use-emergency-flush: yes
  631.     # recv buffer size, increase value could improve performance
  632.     # buffer-size: 32768
  633.     # Set to yes to disable promiscuous mode
  634.     # disable-promisc: no
  635.     # Choose checksum verification mode for the interface. At the moment
  636.     # of the capture, some packets may be with an invalid checksum due to
  637.     # offloading to the network card of the checksum computation.
  638.     # Possible values are:
  639.     #  - kernel: use indication sent by kernel for each packet (default)
  640.     #  - yes: checksum validation is forced
  641.     #  - no: checksum validation is disabled
  642.     #  - auto: suricata uses a statistical approach to detect when
  643.     #  checksum off-loading is used.
  644.     # Warning: 'checksum-validation' must be set to yes to have any validation
  645.     #checksum-checks: kernel
  646.     # BPF filter to apply to this interface. The pcap filter syntax apply here.
  647.     #bpf-filter: port 80 or udp
  648.     # You can use the following variables to activate AF_PACKET tap or IPS mode.
  649.     # If copy-mode is set to ips or tap, the traffic coming to the current
  650.     # interface will be copied to the copy-iface interface. If 'tap' is set, the
  651.     # copy is complete. If 'ips' is set, the packet matching a 'drop' action
  652.     # will not be copied.
  653.     #copy-mode: ips
  654.     #copy-iface: eth1
  655.   - interface: p2p2
  656.     threads: 3
  657.     cluster-id: 98
  658.     cluster-type: cluster_flow
  659. #    defrag: yes
  660.     use-mmap: yes
  661.   # Put default values here. These will be used for an interface that is not
  662.   # in the list above.
  663.   - interface: default
  664.     #threads: auto
  665.     #use-mmap: no
  666.     #rollover: yes
  667.     #tpacket-v3: yes
  668.  
  669. # Cross platform libpcap capture support
  670. pcap:
  671.   - interface: p2p1
  672.     threads: 3
  673.     checksum-checks: no
  674.   - interface: p2p2
  675.     threads: 3
  676.     # On Linux, pcap will try to use mmaped capture and will use buffer-size
  677.     # as total of memory used by the ring. So set this to something bigger
  678.     # than 1% of your bandwidth.
  679.     #buffer-size: 16777216
  680.     #bpf-filter: "tcp and port 25"
  681.     # Choose checksum verification mode for the interface. At the moment
  682.     # of the capture, some packets may be with an invalid checksum due to
  683.     # offloading to the network card of the checksum computation.
  684.     # Possible values are:
  685.     #  - yes: checksum validation is forced
  686.     #  - no: checksum validation is disabled
  687.     #  - auto: suricata uses a statistical approach to detect when
  688.     #  checksum off-loading is used. (default)
  689.     # Warning: 'checksum-validation' must be set to yes to have any validation
  690.     checksum-checks: no
  691.     # With some accelerator cards using a modified libpcap (like myricom), you
  692.     # may want to have the same number of capture threads as the number of capture
  693.     # rings. In this case, set up the threads variable to N to start N threads
  694.     # listening on the same interface.
  695.     #threads: 16
  696.     # set to no to disable promiscuous mode:
  697.     #promisc: no
  698.     # set snaplen, if not set it defaults to MTU if MTU can be known
  699.     # via ioctl call and to full capture if not.
  700.     #snaplen: 1518
  701.   # Put default values here
  702.   - interface: default
  703.     #checksum-checks: auto
  704.  
  705. # Settings for reading pcap files
  706. pcap-file:
  707.  # Possible values are:
  708.   #  - yes: checksum validation is forced
  709.   #  - no: checksum validation is disabled
  710.   #  - auto: suricata uses a statistical approach to detect when
  711.   #  checksum off-loading is used. (default)
  712.   # Warning: 'checksum-validation' must be set to yes to have checksum tested
  713.   checksum-checks: auto
  714.  
  715. # See "Advanced Capture Options" below for more options, including NETMAP
  716. # and PF_RING.
  717.  
  718.  
  719. ##
  720. ## Step 5: App Layer Protocol Configuration
  721. ##
  722.  
  723. # Configure the app-layer parsers. The protocols section details each
  724. # protocol.
  725. #
  726. # The option "enabled" takes 3 values - "yes", "no", "detection-only".
  727. # "yes" enables both detection and the parser, "no" disables both, and
  728. # "detection-only" enables protocol detection only (parser disabled).
  729. app-layer:
  730.   protocols:
  731.     tls:
  732.       enabled: no
  733.       detection-ports:
  734.         dp: 443
  735.  
  736.       #no-reassemble: yes
  737.     dcerpc:
  738.       enabled: no
  739.     ftp:
  740.       enabled: no
  741.     ssh:
  742.       enabled: no
  743.     smtp:
  744.       enabled: no
  745.       # Configure SMTP-MIME Decoder
  746.       mime:
  747.        # Decode MIME messages from SMTP transactions
  748.         # (may be resource intensive)
  749.         # This field supercedes all others because it turns the entire
  750.         # process on or off
  751.         decode-mime: yes
  752.  
  753.         # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
  754.         decode-base64: yes
  755.         decode-quoted-printable: yes
  756.  
  757.         # Maximum bytes per header data value stored in the data structure
  758.         # (default is 2000)
  759.         header-value-depth: 2000
  760.  
  761.         # Extract URLs and save in state data structure
  762.         extract-urls: yes
  763.         # Set to yes to compute the md5 of the mail body. You will then
  764.         # be able to journalize it.
  765.         body-md5: no
  766.       # Configure inspected-tracker for file_data keyword
  767.       inspected-tracker:
  768.         content-limit: 100000
  769.         content-inspect-min-size: 32768
  770.         content-inspect-window: 4096
  771.     imap:
  772.       enabled: detection-only
  773.     msn:
  774.       enabled: detection-only
  775.     smb:
  776.       enabled: no
  777.       detection-ports:
  778.         dp: 139
  779.     # Note: Modbus probe parser is minimalist due to the poor significant field
  780.     # Only Modbus message length (greater than Modbus header length)
  781.     # And Protocol ID (equal to 0) are checked in probing parser
  782.     # It is important to enable detection port and define Modbus port
  783.     # to avoid false positive
  784.     modbus:
  785.      # How many unreplied Modbus requests are considered a flood.
  786.       # If the limit is reached, app-layer-event:modbus.flooded; will match.
  787.       #request-flood: 500
  788.  
  789.       enabled: no
  790.       detection-ports:
  791.         dp: 502
  792.       # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
  793.       # is recommended to keep the TCP connection opened with a remote device
  794.       # and not to open and close it for each MODBUS/TCP transaction. In that
  795.       # case, it is important to set the depth of the stream reassembling as
  796.       # unlimited (stream.reassembly.depth: 0)
  797.     # smb2 detection is disabled internally inside the engine.
  798.     #smb2:
  799.     #  enabled: yes
  800.     dns:
  801.      # memcaps. Globally and per flow/state.
  802.       #global-memcap: 16mb
  803.       #state-memcap: 512kb
  804.  
  805.       # How many unreplied DNS requests are considered a flood.
  806.       # If the limit is reached, app-layer-event:dns.flooded; will match.
  807.       #request-flood: 500
  808.  
  809.       tcp:
  810.         enabled: yes
  811.         detection-ports:
  812.           dp: 53
  813.       udp:
  814.         enabled: yes
  815.         detection-ports:
  816.           dp: 53
  817.     http:
  818.       enabled: yes
  819.       # memcap: 64mb
  820.  
  821.       # default-config:           Used when no server-config matches
  822.       #   personality:            List of personalities used by default
  823.       #   request-body-limit:     Limit reassembly of request body for inspection
  824.       #                           by http_client_body & pcre /P option.
  825.       #   response-body-limit:    Limit reassembly of response body for inspection
  826.       #                           by file_data, http_server_body & pcre /Q option.
  827.       #   double-decode-path:     Double decode path section of the URI
  828.       #   double-decode-query:    Double decode query section of the URI
  829.       #   response-body-decompress-layer-limit:
  830.       #                           Limit to how many layers of compression will be
  831.       #                           decompressed. Defaults to 2.
  832.       #
  833.       # server-config:            List of server configurations to use if address matches
  834.       #   address:                List of ip addresses or networks for this block
  835.       #   personalitiy:           List of personalities used by this block
  836.       #   request-body-limit:     Limit reassembly of request body for inspection
  837.       #                           by http_client_body & pcre /P option.
  838.       #   response-body-limit:    Limit reassembly of response body for inspection
  839.       #                           by file_data, http_server_body & pcre /Q option.
  840.       #   double-decode-path:     Double decode path section of the URI
  841.       #   double-decode-query:    Double decode query section of the URI
  842.       #
  843.       #   uri-include-all:        Include all parts of the URI. By default the
  844.       #                           'scheme', username/password, hostname and port
  845.       #                           are excluded. Setting this option to true adds
  846.       #                           all of them to the normalized uri as inspected
  847.       #                           by http_uri, urilen, pcre with /U and the other
  848.       #                           keywords that inspect the normalized uri.
  849.       #                           Note that this does not affect http_raw_uri.
  850.       #                           Also, note that including all was the default in
  851.       #                           1.4 and 2.0beta1.
  852.       #
  853.       #   meta-field-limit:       Hard size limit for request and response size
  854.       #                           limits. Applies to request line and headers,
  855.       #                           response line and headers. Does not apply to
  856.       #                           request or response bodies. Default is 18k.
  857.       #                           If this limit is reached an event is raised.
  858.       #
  859.       # Currently Available Personalities:
  860.       #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
  861.       #   IIS_7_0, IIS_7_5, Apache_2
  862.       libhtp:
  863.          default-config:
  864.            personality: IDS
  865.  
  866.            # Can be specified in kb, mb, gb.  Just a number indicates
  867.            # it's in bytes.
  868.            request-body-limit: 12mb
  869.            response-body-limit: 12mb
  870.  
  871.            # inspection limits
  872.            request-body-minimal-inspect-size: 32kb
  873.            request-body-inspect-window: 4kb
  874.            response-body-minimal-inspect-size: 40kb
  875.            response-body-inspect-window: 16kb
  876.  
  877.            # response body decompression (0 disables)
  878.            response-body-decompress-layer-limit: 0
  879.  
  880.            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
  881.            http-body-inline: no
  882.  
  883.            # Take a random value for inspection sizes around the specified value.
  884.            # This lower the risk of some evasion technics but could lead
  885.            # detection change between runs. It is set to 'yes' by default.
  886.            #randomize-inspection-sizes: yes
  887.            # If randomize-inspection-sizes is active, the value of various
  888.            # inspection size will be choosen in the [1 - range%, 1 + range%]
  889.            # range
  890.            # Default value of randomize-inspection-range is 10.
  891.            #randomize-inspection-range: 10
  892.  
  893.            # decoding
  894.            double-decode-path: no
  895.            double-decode-query: no
  896.  
  897.          server-config:
  898.            #- apache:
  899.            #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
  900.            #    personality: Apache_2
  901.            #    # Can be specified in kb, mb, gb.  Just a number indicates
  902.            #    # it's in bytes.
  903.            #    request-body-limit: 4096
  904.            #    response-body-limit: 4096
  905.            #    double-decode-path: no
  906.            #    double-decode-query: no
  907.  
  908.            #- iis7:
  909.            #    address:
  910.            #      - 192.168.0.0/24
  911.            #      - 192.168.10.0/24
  912.            #    personality: IIS_7_0
  913.            #    # Can be specified in kb, mb, gb.  Just a number indicates
  914.            #    # it's in bytes.
  915.            #    request-body-limit: 4096
  916.            #    response-body-limit: 4096
  917.            #    double-decode-path: no
  918.            #    double-decode-query: no
  919.  
  920. # Limit for the maximum number of asn1 frames to decode (default 256)
  921. asn1-max-frames: 256
  922.  
  923.  
  924. ##############################################################################
  925. ##
  926. ## Advanced settings below
  927. ##
  928. ##############################################################################
  929.  
  930. ##
  931. ## Run Options
  932. ##
  933.  
  934. # Run suricata as user and group.
  935. #run-as:
  936. #  user: suri
  937. #  group: suri
  938.  
  939. # Some logging module will use that name in event as identifier. The default
  940. # value is the hostname
  941. #sensor-name: suricata
  942.  
  943. # Default pid file.
  944. # Will use this file if no --pidfile in command options.
  945. #pid-file: /var/run/suricata.pid
  946.  
  947. # Daemon working directory
  948. # Suricata will change directory to this one if provided
  949. # Default: "/"
  950. #daemon-directory: "/"
  951.  
  952. # Suricata core dump configuration. Limits the size of the core dump file to
  953. # approximately max-dump. The actual core dump size will be a multiple of the
  954. # page size. Core dumps that would be larger than max-dump are truncated. On
  955. # Linux, the actual core dump size may be a few pages larger than max-dump.
  956. # Setting max-dump to 0 disables core dumping.
  957. # Setting max-dump to 'unlimited' will give the full core dump file.
  958. # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
  959. # to be 'unlimited'.
  960.  
  961. coredump:
  962.   max-dump: unlimited
  963.  
  964. # If suricata box is a router for the sniffed networks, set it to 'router'. If
  965. # it is a pure sniffing setup, set it to 'sniffer-only'.
  966. # If set to auto, the variable is internally switch to 'router' in IPS mode
  967. # and 'sniffer-only' in IDS mode.
  968. # This feature is currently only used by the reject* keywords.
  969. host-mode: auto
  970.  
  971. # Number of packets preallocated per thread. The default is 1024. A higher number
  972. # will make sure each CPU will be more easily kept busy, but may negatively
  973. # impact caching.
  974. #
  975. # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
  976. # apply. In that case try something like 60000 or more. This is because the CUDA
  977. # pattern matcher buffers and scans as many packets as possible in parallel.
  978. max-pending-packets: 63000
  979.  
  980. # Runmode the engine should use. Please check --list-runmodes to get the available
  981. # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
  982. # load balancing).
  983. runmode: workers
  984.  
  985. # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
  986. #
  987. # Supported schedulers are:
  988. #
  989. # round-robin       - Flows assigned to threads in a round robin fashion.
  990. # active-packets    - Flows assigned to threads that have the lowest number of
  991. #                     unprocessed packets (default).
  992. # hash              - Flow alloted usihng the address hash. More of a random
  993. #                     technique. Was the default in Suricata 1.2.1 and older.
  994. #
  995. #autofp-scheduler: active-packets
  996.  
  997. # Preallocated size for packet. Default is 1514 which is the classical
  998. # size for pcap on ethernet. You should adjust this value to the highest
  999. # packet size (MTU + hardware header) on your system.
  1000. #default-packet-size: 1514
  1001.  
  1002. # Unix command socket can be used to pass commands to suricata.
  1003. # An external tool can then connect to get information from suricata
  1004. # or trigger some modifications of the engine. Set enabled to yes
  1005. # to activate the feature. You can use the filename variable to set
  1006. # the file name of the socket.
  1007. unix-command:
  1008.   enabled: yes
  1009.   #filename: custom.socket
  1010.  
  1011. # Magic file. The extension .mgc is added to the value here.
  1012. #magic-file: /usr/share/file/magic
  1013. #magic-file:
  1014.  
  1015. legacy:
  1016.   uricontent: enabled
  1017.  
  1018. ##
  1019. ## Detection settings
  1020. ##
  1021.  
  1022. # Set the order of alerts bassed on actions
  1023. # The default order is pass, drop, reject, alert
  1024. # action-order:
  1025. #   - pass
  1026. #   - drop
  1027. #   - reject
  1028. #   - alert
  1029.  
  1030. # IP Reputation
  1031. #reputation-categories-file: /etc/suricata/iprep/categories.txt
  1032. #default-reputation-path: /etc/suricata/iprep
  1033. #reputation-files:
  1034. # - reputation.list
  1035.  
  1036. # When run with the option --engine-analysis, the engine will read each of
  1037. # the parameters below, and print reports for each of the enabled sections
  1038. # and exit.  The reports are printed to a file in the default log dir
  1039. # given by the parameter "default-log-dir", with engine reporting
  1040. # subsection below printing reports in its own report file.
  1041. engine-analysis:
  1042.  # enables printing reports for fast-pattern for every rule.
  1043.   rules-fast-pattern: no
  1044.   # enables printing reports for each rule
  1045.   rules: no
  1046.  
  1047. #recursion and match limits for PCRE where supported
  1048. pcre:
  1049.   match-limit: 3500
  1050.   match-limit-recursion: 1500
  1051.  
  1052. ##
  1053. ## Advanced Traffic Tracking and Reconstruction Settings
  1054. ##
  1055.  
  1056. # Host specific policies for defragmentation and TCP stream
  1057. # reassembly. The host OS lookup is done using a radix tree, just
  1058. # like a routing table so the most specific entry matches.
  1059. host-os-policy:
  1060.  # Make the default policy windows.
  1061.   windows: [0.0.0.0/0]
  1062.   bsd: []
  1063.   bsd-right: []
  1064.   old-linux: []
  1065.   linux: []
  1066.   old-solaris: []
  1067.   solaris: []
  1068.   hpux10: []
  1069.   hpux11: []
  1070.   irix: []
  1071.   macos: []
  1072.   vista: []
  1073.   windows2k3: []
  1074.  
  1075. # Defrag settings:
  1076.  
  1077. defrag:
  1078.   memcap: 512mb
  1079.   hash-size: 65536
  1080.   trackers: 65535 # number of defragmented flows to follow
  1081.   max-frags: 65535 # number of fragments to keep (higher than trackers)
  1082.   prealloc: yes
  1083.   timeout: 10
  1084.  
  1085. # Enable defrag per host settings
  1086. #  host-config:
  1087. #
  1088. #    - dmz:
  1089. #        timeout: 30
  1090. #        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
  1091. #
  1092. #    - lan:
  1093. #        timeout: 45
  1094. #        address:
  1095. #          - 192.168.0.0/24
  1096. #          - 192.168.10.0/24
  1097. #          - 172.16.14.0/24
  1098.  
  1099. # Flow settings:
  1100. # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
  1101. # for flow allocation inside the engine. You can change this value to allow
  1102. # more memory usage for flows.
  1103. # The hash-size determine the size of the hash used to identify flows inside
  1104. # the engine, and by default the value is 65536.
  1105. # At the startup, the engine can preallocate a number of flows, to get a better
  1106. # performance. The number of flows preallocated is 10000 by default.
  1107. # emergency-recovery is the percentage of flows that the engine need to
  1108. # prune before unsetting the emergency state. The emergency state is activated
  1109. # when the memcap limit is reached, allowing to create new flows, but
  1110. # prunning them with the emergency timeouts (they are defined below).
  1111. # If the memcap is reached, the engine will try to prune flows
  1112. # with the default timeouts. If it doens't find a flow to prune, it will set
  1113. # the emergency bit and it will try again with more agressive timeouts.
  1114. # If that doesn't work, then it will try to kill the last time seen flows
  1115. # not in use.
  1116. # The memcap can be specified in kb, mb, gb.  Just a number indicates it's
  1117. # in bytes.
  1118.  
  1119. flow:
  1120.   memcap: 1gb
  1121.   hash-size: 1048576
  1122.   prealloc: 1048576
  1123.   emergency-recovery: 30
  1124.   #managers: 1 # default to one flow manager
  1125.   #recyclers: 1 # default to one flow recycler thread
  1126.  
  1127. # This option controls the use of vlan ids in the flow (and defrag)
  1128. # hashing. Normally this should be enabled, but in some (broken)
  1129. # setups where both sides of a flow are not tagged with the same vlan
  1130. # tag, we can ignore the vlan id's in the flow hashing.
  1131. vlan:
  1132.   use-for-tracking: true
  1133.  
  1134. # Specific timeouts for flows. Here you can specify the timeouts that the
  1135. # active flows will wait to transit from the current state to another, on each
  1136. # protocol. The value of "new" determine the seconds to wait after a hanshake or
  1137. # stream startup before the engine free the data of that flow it doesn't
  1138. # change the state to established (usually if we don't receive more packets
  1139. # of that flow). The value of "established" is the amount of
  1140. # seconds that the engine will wait to free the flow if it spend that amount
  1141. # without receiving new packets or closing the connection. "closed" is the
  1142. # amount of time to wait after a flow is closed (usually zero).
  1143. #
  1144. # There's an emergency mode that will become active under attack circumstances,
  1145. # making the engine to check flow status faster. This configuration variables
  1146. # use the prefix "emergency-" and work similar as the normal ones.
  1147. # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
  1148. # icmp.
  1149.  
  1150. flow-timeouts:
  1151.   default:
  1152.     new: 3
  1153.     established: 100
  1154.     closed: 0
  1155.     emergency-new: 10
  1156.     emergency-established: 10
  1157.     emergency-closed: 0
  1158.   tcp:
  1159.     new: 6
  1160.     established: 100
  1161.     closed: 3
  1162.     emergency-new: 1
  1163.     emergency-established: 5
  1164.     emergency-closed: 2
  1165.   udp:
  1166.     new: 30
  1167.     established: 100
  1168.     emergency-new: 10
  1169.     emergency-established: 100
  1170.   icmp:
  1171.     new: 30
  1172.     established: 100
  1173.     emergency-new: 10
  1174.     emergency-established: 100
  1175.  
  1176. # Stream engine settings. Here the TCP stream tracking and reassembly
  1177. # engine is configured.
  1178. #
  1179. # stream:
  1180. #   memcap: 5gb                # Can be specified in kb, mb, gb.  Just a
  1181. #                               # number indicates it's in bytes.
  1182. #   checksum-validation: no    # To validate the checksum of received
  1183. #                               # packet. If csum validation is specified as
  1184. #                               # "yes", then packet with invalid csum will not
  1185. #                               # be processed by the engine stream/app layer.
  1186. #                               # Warning: locally generated trafic can be
  1187. #                               # generated without checksum due to hardware offload
  1188. #                               # of checksum. You can control the handling of checksum
  1189. #                               # on a per-interface basis via the 'checksum-checks'
  1190. #                               # option
  1191. #   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
  1192. #   midstream: false            # don't allow midstream session pickups
  1193. #   async-oneside: false        # don't enable async stream handling
  1194. #   inline: no                  # stream inline mode
  1195. #   max-synack-queued: 5        # Max different SYN/ACKs to queue
  1196. #
  1197. #   reassembly:
  1198. #     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
  1199. #                               # indicates it's in bytes.
  1200. #     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
  1201. #                               # indicates it's in bytes.
  1202. #     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
  1203. #                               # this size.  Can be specified in kb, mb,
  1204. #                               # gb.  Just a number indicates it's in bytes.
  1205. #                               # The max acceptable size is 4024 bytes.
  1206. #     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
  1207. #                               # this size.  Can be specified in kb, mb,
  1208. #                               # gb.  Just a number indicates it's in bytes.
  1209. #                               # The max acceptable size is 4024 bytes.
  1210. #     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
  1211. #                               # This lower the risk of some evasion technics but could lead
  1212. #                               # detection change between runs. It is set to 'yes' by default.
  1213. #     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
  1214. #                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
  1215. #                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
  1216. #                               # calculation for toclient-chunk-size.
  1217. #                               # Default value of randomize-chunk-range is 10.
  1218. #
  1219. #     raw: yes                  # 'Raw' reassembly enabled or disabled.
  1220. #                               # raw is for content inspection by detection
  1221. #                               # engine.
  1222. #
  1223. #     chunk-prealloc: 250       # Number of preallocated stream chunks. These
  1224. #                               # are used during stream inspection (raw).
  1225. #     segments:                 # Settings for reassembly segment pool.
  1226. #       - size: 4               # Size of the (data)segment for a pool
  1227. #         prealloc: 256         # Number of segments to prealloc and keep
  1228. #                               # in the pool.
  1229. #     zero-copy-size: 128       # This option sets in bytes the value at
  1230. #                               # which segment data is passed to the app
  1231. #                               # layer API directly. Data sizes equal to
  1232. #                               # and higher than the value set are passed
  1233. #                               # on directly.
  1234. #
  1235. stream:
  1236.   memcap: 12gb
  1237.   checksum-validation: no      # reject wrong csums
  1238.   inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
  1239. #   midstream: false            # don't allow midstream session pickups
  1240.   async-oneside: true        # don't enable async stream handling
  1241.   reassembly:
  1242.     memcap: 5gb
  1243.     depth: 100mb                  # reassemble 1mb into a stream
  1244.     toserver-chunk-size: 2560
  1245.     toclient-chunk-size: 2560
  1246.     randomize-chunk-size: yes
  1247.     #randomize-chunk-range: 10
  1248.     #raw: yes
  1249.     #chunk-prealloc: 250
  1250.     #segments:
  1251.     #  - size: 4
  1252.     #    prealloc: 256
  1253.     #  - size: 16
  1254.     #    prealloc: 512
  1255.     #  - size: 112
  1256.     #    prealloc: 512
  1257.     #  - size: 248
  1258.     #    prealloc: 512
  1259.     #  - size: 512
  1260.     #    prealloc: 512
  1261.     #  - size: 768
  1262.     #    prealloc: 1024
  1263.     #  - size: 1448
  1264.     #    prealloc: 1024
  1265.     #  - size: 65535
  1266.     #    prealloc: 128
  1267.     #zero-copy-size: 128
  1268.  
  1269. # Host table:
  1270. #
  1271. # Host table is used by tagging and per host thresholding subsystems.
  1272. #
  1273. host:
  1274.   hash-size: 4096
  1275.   prealloc: 1000
  1276.   memcap: 32mb
  1277.  
  1278. # IP Pair table:
  1279. #
  1280. # Used by xbits 'ippair' tracking.
  1281. #
  1282. #ippair:
  1283. #  hash-size: 4096
  1284. #  prealloc: 1000
  1285. #  memcap: 32mb
  1286.  
  1287.  
  1288. ##
  1289. ## Performance tuning and profiling
  1290. ##
  1291.  
  1292. # The detection engine builds internal groups of signatures. The engine
  1293. # allow us to specify the profile to use for them, to manage memory on an
  1294. # efficient way keeping a good performance. For the profile keyword you
  1295. # can use the words "low", "medium", "high" or "custom". If you use custom
  1296. # make sure to define the values at "- custom-values" as your convenience.
  1297. # Usually you would prefer medium/high/low.
  1298. #
  1299. # "sgh mpm-context", indicates how the staging should allot mpm contexts for
  1300. # the signature groups.  "single" indicates the use of a single context for
  1301. # all the signature group heads.  "full" indicates a mpm-context for each
  1302. # group head.  "auto" lets the engine decide the distribution of contexts
  1303. # based on the information the engine gathers on the patterns from each
  1304. # group head.
  1305. #
  1306. # The option inspection-recursion-limit is used to limit the recursive calls
  1307. # in the content inspection code.  For certain payload-sig combinations, we
  1308. # might end up taking too much time in the content inspection code.
  1309. # If the argument specified is 0, the engine uses an internally defined
  1310. # default limit.  On not specifying a value, we use no limits on the recursion.
  1311. detect:
  1312.   profile: medium
  1313.   custom-values:
  1314.     toclient-groups: 3
  1315.     toserver-groups: 25
  1316.   sgh-mpm-context: auto
  1317.   inspection-recursion-limit: 3000
  1318.   # If set to yes, the loading of signatures will be made after the capture
  1319.   # is started. This will limit the downtime in IPS mode.
  1320.   #delayed-detect: yes
  1321.  
  1322.   # the grouping values above control how many groups are created per
  1323.   # direction. Port whitelisting forces that port to get it's own group.
  1324.   # Very common ports will benefit, as well as ports with many expensive
  1325.   # rules.
  1326.   grouping:
  1327.    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
  1328.     #udp-whitelist: 53, 135, 5060
  1329.  
  1330.   profiling:
  1331.    # Log the rules that made it past the prefilter stage, per packet
  1332.     # default is off. The threshold setting determines how many rules
  1333.     # must have made it past pre-filter for that rule to trigger the
  1334.     # logging.
  1335.     #inspect-logging-threshold: 200
  1336.     grouping:
  1337.       dump-to-disk: false
  1338.       include-rules: false      # very verbose
  1339.       include-mpm-stats: false
  1340.  
  1341. # Select the multi pattern algorithm you want to run for scan/search the
  1342. # in the engine.
  1343. #
  1344. # The supported algorithms are:
  1345. # "ac"      - Aho-Corasick, default implementation
  1346. # "ac-bs"   - Aho-Corasick, reduced memory implementation
  1347. # "ac-cuda" - Aho-Corasick, CUDA implementation
  1348. # "ac-ks"   - Aho-Corasick, "Ken Steele" variant
  1349. # "hs"      - Hyperscan, available when built with Hyperscan support
  1350. #
  1351. # The default mpm-algo value of "auto" will use "hs" if Hyperscan is
  1352. # available, "ac" otherwise.
  1353. #
  1354. # The mpm you choose also decides the distribution of mpm contexts for
  1355. # signature groups, specified by the conf - "detect.sgh-mpm-context".
  1356. # Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
  1357. # to be set to "single", because of ac's memory requirements, unless the
  1358. # ruleset is small enough to fit in one's memory, in which case one can
  1359. # use "full" with "ac".  Rest of the mpms can be run in "full" mode.
  1360. #
  1361. # There is also a CUDA pattern matcher (only available if Suricata was
  1362. # compiled with --enable-cuda: b2g_cuda. Make sure to update your
  1363. # max-pending-packets setting above as well if you use b2g_cuda.
  1364.  
  1365. mpm-algo: auto
  1366.  
  1367. # Select the matching algorithm you want to use for single-pattern searches.
  1368. #
  1369. # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
  1370. # available if Suricata has been built with Hyperscan support).
  1371. #
  1372. # The default of "auto" will use "hs" if available, otherwise "bm".
  1373.  
  1374. spm-algo: auto
  1375.  
  1376. # Suricata is multi-threaded. Here the threading can be influenced.
  1377. threading:
  1378.   set-cpu-affinity: no
  1379.   # Tune cpu affinity of threads. Each family of threads can be bound
  1380.   # on specific CPUs.
  1381.   #
  1382.   # These 2 apply to the all runmodes:
  1383.   # management-cpu-set is used for flow timeout handling, counters
  1384.   # worker-cpu-set is used for 'worker' threads
  1385.   #
  1386.   # Additionally, for autofp these apply:
  1387.   # receive-cpu-set is used for capture threads
  1388.   # verdict-cpu-set is used for IPS verdict threads
  1389.   #
  1390.   cpu-affinity:
  1391.     - management-cpu-set:
  1392.         cpu: [ 0 ]  # include only these cpus in affinity settings
  1393.     - receive-cpu-set:
  1394.         cpu: [ 0 ]  # include only these cpus in affinity settings
  1395.     - worker-cpu-set:
  1396.         cpu: [ "all" ]
  1397.         mode: "exclusive"
  1398.         # Use explicitely 3 threads and don't compute number by using
  1399.         # detect-thread-ratio variable:
  1400.         # threads: 3
  1401.         prio:
  1402.           low: [ 0 ]
  1403.           medium: [ "1-2" ]
  1404.           high: [ 3 ]
  1405.           default: "medium"
  1406.     #- verdict-cpu-set:
  1407.     #    cpu: [ 0 ]
  1408.     #    prio:
  1409.     #      default: "high"
  1410.   #
  1411.   # By default Suricata creates one "detect" thread per available CPU/CPU core.
  1412.   # This setting allows controlling this behaviour. A ratio setting of 2 will
  1413.   # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  1414.   # will result in 4 detect threads. If values below 1 are used, less threads
  1415.   # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  1416.   # thread being created. Regardless of the setting at a minimum 1 detect
  1417.   # thread will always be created.
  1418.   #
  1419.   detect-thread-ratio: 1.0
  1420.  
  1421. # Profiling settings. Only effective if Suricata has been built with the
  1422. # the --enable-profiling configure flag.
  1423. #
  1424. profiling:
  1425.  # Run profiling for every xth packet. The default is 1, which means we
  1426.   # profile every packet. If set to 1000, one packet is profiled for every
  1427.   # 1000 received.
  1428.   #sample-rate: 1000
  1429.  
  1430.   # rule profiling
  1431.   rules:
  1432.     # Profiling can be disabled here, but it will still have a
  1433.     # performance impact if compiled in.
  1434.     enabled: yes
  1435.     filename: rule_perf.log
  1436.     append: yes
  1437.  
  1438.     # Sort options: ticks, avgticks, checks, matches, maxticks
  1439.     sort: avgticks
  1440.  
  1441.     # Limit the number of items printed at exit (ignored for json).
  1442.     limit: 100
  1443.  
  1444.     # output to json
  1445.     json: yes
  1446.  
  1447.   # per keyword profiling
  1448.   keywords:
  1449.     enabled: yes
  1450.     filename: keyword_perf.log
  1451.     append: yes
  1452.  
  1453.   # per rulegroup profiling
  1454.   rulegroups:
  1455.     enabled: yes
  1456.     filename: rule_group_perf.log
  1457.     append: yes
  1458.  
  1459.   # packet profiling
  1460.   packets:
  1461.     # Profiling can be disabled here, but it will still have a
  1462.     # performance impact if compiled in.
  1463.     enabled: yes
  1464.     filename: packet_stats.log
  1465.     append: yes
  1466.  
  1467.     # per packet csv output
  1468.     csv:
  1469.       # Output can be disabled here, but it will still have a
  1470.       # performance impact if compiled in.
  1471.       enabled: no
  1472.       filename: packet_stats.csv
  1473.  
  1474.   # profiling of locking. Only available when Suricata was built with
  1475.   # --enable-profiling-locks.
  1476.   locks:
  1477.     enabled: no
  1478.     filename: lock_stats.log
  1479.     append: yes
  1480.  
  1481.   pcap-log:
  1482.     enabled: no
  1483.     filename: pcaplog_stats.log
  1484.     append: yes
  1485.  
  1486. ##
  1487. ## Netfilter integration
  1488. ##
  1489.  
  1490. # When running in NFQ inline mode, it is possible to use a simulated
  1491. # non-terminal NFQUEUE verdict.
  1492. # This permit to do send all needed packet to suricata via this a rule:
  1493. #        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
  1494. # And below, you can have your standard filtering ruleset. To activate
  1495. # this mode, you need to set mode to 'repeat'
  1496. # If you want packet to be sent to another queue after an ACCEPT decision
  1497. # set mode to 'route' and set next-queue value.
  1498. # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
  1499. # by processing several packets before sending a verdict (worker runmode only).
  1500. # On linux >= 3.6, you can set the fail-open option to yes to have the kernel
  1501. # accept the packet if suricata is not able to keep pace.
  1502. nfq:
  1503. #  mode: accept
  1504. #  repeat-mark: 1
  1505. #  repeat-mask: 1
  1506. #  route-queue: 2
  1507. #  batchcount: 20
  1508. #  fail-open: yes
  1509.  
  1510. #nflog support
  1511. nflog:
  1512.    # netlink multicast group
  1513.     # (the same as the iptables --nflog-group param)
  1514.     # Group 0 is used by the kernel, so you can't use it
  1515.   - group: 2
  1516.     # netlink buffer size
  1517.     buffer-size: 18432
  1518.     # put default value here
  1519.   - group: default
  1520.     # set number of packet to queue inside kernel
  1521.     qthreshold: 1
  1522.     # set the delay before flushing packet in the queue inside kernel
  1523.     qtimeout: 100
  1524.     # netlink max buffer size
  1525.     max-size: 20000
  1526.  
  1527. ##
  1528. ## Advanced Capture Options
  1529. ##
  1530.  
  1531. # Netmap support
  1532. #
  1533. # Netmap operates with NIC directly in driver, so you need FreeBSD wich have
  1534. # built-in netmap support or compile and install netmap module and appropriate
  1535. # NIC driver on your Linux system.
  1536. # To reach maximum throughput disable all receive-, segmentation-,
  1537. # checksum- offloadings on NIC.
  1538. # Disabling Tx checksum offloading is *required* for connecting OS endpoint
  1539. # with NIC endpoint.
  1540. # You can find more information at https://github.com/luigirizzo/netmap
  1541. #
  1542. netmap:
  1543.   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
  1544.  - interface: eth2
  1545.    # Number of receive threads. "auto" uses number of RSS queues on interface.
  1546.    #threads: auto
  1547.    # You can use the following variables to activate netmap tap or IPS mode.
  1548.    # If copy-mode is set to ips or tap, the traffic coming to the current
  1549.    # interface will be copied to the copy-iface interface. If 'tap' is set, the
  1550.    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
  1551.    # will not be copied.
  1552.    # To specify the OS as the copy-iface (so the OS can route packets, or forward
  1553.    # to a service running on the same machine) add a plus sign at the end
  1554.    # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
  1555.    # for return packets. Hardware checksumming must be *off* on the interface if
  1556.    # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
  1557.    # or 'ethtool -K eth0 tx off rx off' for Linux).
  1558.    #copy-mode: tap
  1559.    #copy-iface: eth3
  1560.    # Set to yes to disable promiscuous mode
  1561.    # disable-promisc: no
  1562.    # Choose checksum verification mode for the interface. At the moment
  1563.    # of the capture, some packets may be with an invalid checksum due to
  1564.    # offloading to the network card of the checksum computation.
  1565.    # Possible values are:
  1566.    #  - yes: checksum validation is forced
  1567.    #  - no: checksum validation is disabled
  1568.    #  - auto: suricata uses a statistical approach to detect when
  1569.    #  checksum off-loading is used.
  1570.    # Warning: 'checksum-validation' must be set to yes to have any validation
  1571.    #checksum-checks: auto
  1572.    # BPF filter to apply to this interface. The pcap filter syntax apply here.
  1573.    #bpf-filter: port 80 or udp
  1574.  #- interface: eth3
  1575.    #threads: auto
  1576.    #copy-mode: tap
  1577.    #copy-iface: eth2
  1578.    # Put default values here
  1579.  - interface: default
  1580.  
  1581. # PF_RING configuration. for use with native PF_RING support
  1582. # for more info see http://www.ntop.org/products/pf_ring/
  1583. pfring:
  1584.   - interface: eth0
  1585.     # Number of receive threads (>1 will enable experimental flow pinned
  1586.     # runmode)
  1587.     threads: 1
  1588.  
  1589.     # Default clusterid.  PF_RING will load balance packets based on flow.
  1590.     # All threads/processes that will participate need to have the same
  1591.     # clusterid.
  1592.     cluster-id: 99
  1593.  
  1594.     # Default PF_RING cluster type. PF_RING can load balance per flow.
  1595.     # Possible values are cluster_flow or cluster_round_robin.
  1596.     cluster-type: cluster_flow
  1597.     # bpf filter for this interface
  1598.     #bpf-filter: tcp
  1599.     # Choose checksum verification mode for the interface. At the moment
  1600.     # of the capture, some packets may be with an invalid checksum due to
  1601.     # offloading to the network card of the checksum computation.
  1602.     # Possible values are:
  1603.     #  - rxonly: only compute checksum for packets received by network card.
  1604.     #  - yes: checksum validation is forced
  1605.     #  - no: checksum validation is disabled
  1606.     #  - auto: suricata uses a statistical approach to detect when
  1607.     #  checksum off-loading is used. (default)
  1608.     # Warning: 'checksum-validation' must be set to yes to have any validation
  1609.     #checksum-checks: auto
  1610.   # Second interface
  1611.   #- interface: eth1
  1612.   #  threads: 3
  1613.   #  cluster-id: 93
  1614.   #  cluster-type: cluster_flow
  1615.   # Put default values here
  1616.   - interface: default
  1617.     #threads: 2
  1618.  
  1619. # For FreeBSD ipfw(8) divert(4) support.
  1620. # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
  1621. # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
  1622. # Additionally, you need to have an ipfw rule for the engine to see
  1623. # the packets from ipfw.  For Example:
  1624. #
  1625. #   ipfw add 100 divert 8000 ip from any to any
  1626. #
  1627. # The 8000 above should be the same number you passed on the command
  1628. # line, i.e. -d 8000
  1629. #
  1630. ipfw:
  1631.   # Reinject packets at the specified ipfw rule number.  This config
  1632.   # option is the ipfw rule number AT WHICH rule processing continues
  1633.   # in the ipfw processing system after the engine has finished
  1634.   # inspecting the packet for acceptance.  If no rule number is specified,
  1635.   # accepted packets are reinjected at the divert rule which they entered
  1636.   # and IPFW rule processing continues.  No check is done to verify
  1637.   # this will rule makes sense so care must be taken to avoid loops in ipfw.
  1638.   #
  1639.   ## The following example tells the engine to reinject packets
  1640.   # back into the ipfw firewall AT rule number 5500:
  1641.   #
  1642.   # ipfw-reinjection-rule-number: 5500
  1643.  
  1644.  
  1645. napatech:
  1646.    # The Host Buffer Allowance for all streams
  1647.     # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
  1648.     hba: -1
  1649.  
  1650.     # use_all_streams set to "yes" will query the Napatech service for all configured
  1651.     # streams and listen on all of them. When set to "no" the streams config array
  1652.     # will be used.
  1653.     use-all-streams: yes
  1654.  
  1655.     # The streams to listen on
  1656.     streams: [1, 2, 3]
  1657.  
  1658. # Tilera mpipe configuration. for use on Tilera TILE-Gx.
  1659. mpipe:
  1660.   # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
  1661.   load-balance: dynamic
  1662.  
  1663.   # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
  1664.   iqueue-packets: 2048
  1665.  
  1666.   # List of interfaces we will listen on.
  1667.   inputs:
  1668.   - interface: xgbe2
  1669.   - interface: xgbe3
  1670.   - interface: xgbe4
  1671.  
  1672.  
  1673.   # Relative weight of memory for packets of each mPipe buffer size.
  1674.   stack:
  1675.     size128: 0
  1676.     size256: 9
  1677.     size512: 0
  1678.     size1024: 0
  1679.     size1664: 7
  1680.     size4096: 0
  1681.     size10386: 0
  1682.     size16384: 0
  1683.  
  1684. ##
  1685. ## Hardware accelaration
  1686. ##
  1687.  
  1688. # Cuda configuration.
  1689. cuda:
  1690.  # The "mpm" profile.  On not specifying any of these parameters, the engine's
  1691.   # internal default values are used, which are same as the ones specified in
  1692.   # in the default conf file.
  1693.   mpm:
  1694.    # The minimum length required to buffer data to the gpu.
  1695.     # Anything below this is MPM'ed on the CPU.
  1696.     # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
  1697.     # A value of 0 indicates there's no limit.
  1698.     data-buffer-size-min-limit: 0
  1699.     # The maximum length for data that we would buffer to the gpu.
  1700.     # Anything over this is MPM'ed on the CPU.
  1701.     # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
  1702.     data-buffer-size-max-limit: 1500
  1703.     # The ring buffer size used by the CudaBuffer API to buffer data.
  1704.     cudabuffer-buffer-size: 500mb
  1705.     # The max chunk size that can be sent to the gpu in a single go.
  1706.     gpu-transfer-size: 50mb
  1707.     # The timeout limit for batching of packets in microseconds.
  1708.     batching-timeout: 2000
  1709.     # The device to use for the mpm.  Currently we don't support load balancing
  1710.     # on multiple gpus.  In case you have multiple devices on your system, you
  1711.     # can specify the device to use, using this conf.  By default we hold 0, to
  1712.     # specify the first device cuda sees.  To find out device-id associated with
  1713.     # the card(s) on the system run "suricata --list-cuda-cards".
  1714.     device-id: 0
  1715.     # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
  1716.     # For this option you need a device with Compute Capability > 1.0.
  1717.     cuda-streams: 2
  1718.  
  1719. ##
  1720. ## Include other configs
  1721. ##
  1722.  
  1723. # Includes.  Files included here will be handled as if they were
  1724. # inlined in this configuration file.
  1725. #include: include1.yaml
  1726. #include: include2.yaml
Add Comment
Please, Sign In to add comment