%YAML 1.1---# Suricata configuration file. In addition to the comments des

1. %YAML 1.1
2. ---
3.  
4. # Suricata configuration file. In addition to the comments describing all
5. # options in this file, full documentation can be found at:
6. # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7.  
8.  
9. # Number of packets allowed to be processed simultaneously. Default is a
10. # conservative 1024. A higher number will make sure CPU's/CPU cores will be
11. # more easily kept busy, but may negatively impact caching.
12. #
13. # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
14. # apply. In that case try something like 60000 or more. This is because the CUDA
15. # pattern matcher buffers and scans as many packets as possible in parallel.
16. max-pending-packets: 10000
17.  
18. # Runmode the engine should use. Please check --list-runmodes to get the available
19. # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
20. # load balancing).
21. runmode: autofp
22.  
23. # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
24. #
25. # Supported schedulers are:
26. #
27. # round-robin - Flows assigned to threads in a round robin fashion.
28. # active-packets - Flows assigned to threads that have the lowest number of
29. # unprocessed packets (default).
30. # hash - Flow alloted usihng the address hash. More of a random
31. # technique. Was the default in Suricata 1.2.1 and older.
32. #
33. autofp-scheduler: active-packets
34.  
35. # If suricata box is a router for the sniffed networks, set it to 'router'. If
36. # it is a pure sniffing setup, set it to 'sniffer-only'.
37. # If set to auto, the variable is internally switch to 'router' in IPS mode
38. # and 'sniffer-only' in IDS mode.
39. # This feature is currently only used by the reject* keywords.
40. host-mode: sniffer-only
41.  
42. # Run suricata as user and group.
43. run-as:
44. user: sguil
45. group: sguil
46.  
47. # Default pid file.
48. # Will use this file if no --pidfile in command options.
49. #pid-file: /var/run/suricata.pid
50.  
51. # Daemon working directory
52. # Suricata will change directory to this one if provided
53. # Default: "/"
54. #daemon-directory: "/"
55.  
56. # Preallocated size for packet. Default is 1514 which is the classical
57. # size for pcap on ethernet. You should adjust this value to the highest
58. # packet size (MTU + hardware header) on your system.
59. #default-packet-size: 1514
60.  
61. # The default logging directory. Any log or output file will be
62. # placed here if its not specified with a full path name. This can be
63. # overridden with the -l command line parameter.
64. default-log-dir: /var/log/nsm/
65.  
66. # Unix command socket can be used to pass commands to suricata.
67. # An external tool can then connect to get information from suricata
68. # or trigger some modifications of the engine. Set enabled to yes
69. # to activate the feature. You can use the filename variable to set
70. # the file name of the socket.
71. unix-command:
72. enabled: no
73. #filename: custom.socket
74.  
75. # Configure the type of alert (and other) logging you would like.
76. outputs:
77.  
78. # a line based alerts log similar to Snort's fast.log
79. - fast:
80. enabled: no
81. filename: fast.log
82. append: yes
83. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
84.  
85. # Extensible Event Format (nicknamed EVE) event log in JSON format
86. - eve-log:
87. enabled: no
88. type: file #file|syslog|unix_dgram|unix_stream
89. filename: eve.json
90. # the following are valid when type: syslog above
91. #identity: "suricata"
92. #facility: local5
93. #level: Info ## possible levels: Emergency, Alert, Critical,
94. ## Error, Warning, Notice, Info, Debug
95. types:
96. - alert
97. - http:
98. extended: yes # enable this for extended logging information
99. # custom allows additional http fields to be included in eve-log
100. # the example below adds three additional fields when uncommented
101. #custom: [Accept-Encoding, Accept-Language, Authorization]
102. - dns
103. - tls:
104. extended: yes # enable this for extended logging information
105. - files:
106. force-magic: no # force logging magic on all logged files
107. force-md5: no # force logging of md5 checksums
108. #- drop
109. - ssh
110.  
111. # alert output for use with Barnyard2
112. - unified2-alert:
113. enabled: yes
114. filename: snort.unified2
115.  
116. # File size limit. Can be specified in kb, mb, gb. Just a number
117. # is parsed as bytes.
118. #limit: 32mb
119.  
120. # Sensor ID field of unified2 alerts.
121. #sensor-id: 0
122.  
123. # HTTP X-Forwarded-For support by adding the unified2 extra header that
124. # will contain the actual client IP address or by overwriting the source
125. # IP address (helpful when inspecting traffic that is being reversed
126. # proxied).
127. xff:
128. enabled: no
129. # Two operation modes are available, "extra-data" and "overwrite". Note
130. # that in the "overwrite" mode, if the reported IP address in the HTTP
131. # X-Forwarded-For header is of a different version of the packet
132. # received, it will fall-back to "extra-data" mode.
133. mode: extra-data
134. # Header name were the actual IP address will be reported, if more than
135. # one IP address is present, the last IP address will be the one taken
136. # into consideration.
137. header: X-Forwarded-For
138.  
139. # a line based log of HTTP requests (no alerts)
140. - http-log:
141. enabled: no
142. filename: http.log
143. append: yes
144. #extended: yes # enable this for extended logging information
145. #custom: yes # enabled the custom logging format (defined by customformat)
146. #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
147. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
148.  
149. # a line based log of TLS handshake parameters (no alerts)
150. - tls-log:
151. enabled: no # Log TLS connections.
152. filename: tls.log # File to store TLS logs.
153. append: yes
154. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
155. #extended: yes # Log extended information like fingerprint
156. certs-log-dir: certs # directory to store the certificates files
157.  
158. # a line based log of DNS requests and/or replies (no alerts)
159. - dns-log:
160. enabled: no
161. filename: dns.log
162. append: yes
163. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
164.  
165. # a line based log to used with pcap file study.
166. # this module is dedicated to offline pcap parsing (empty output
167. # if used with another kind of input). It can interoperate with
168. # pcap parser like wireshark via the suriwire plugin.
169. - pcap-info:
170. enabled: no
171.  
172. # Packet log... log packets in pcap format. 2 modes of operation: "normal"
173. # and "sguil".
174. #
175. # In normal mode a pcap file "filename" is created in the default-log-dir,
176. # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
177. # In this base dir the pcaps are created in th directory structure Sguil expects:
178. #
179. # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
180. #
181. # By default all packets are logged except:
182. # - TCP streams beyond stream.reassembly.depth
183. # - encrypted streams after the key exchange
184. #
185. - pcap-log:
186. enabled: no
187. filename: log.pcap
188.  
189. # File size limit. Can be specified in kb, mb, gb. Just a number
190. # is parsed as bytes.
191. limit: 1000mb
192.  
193. # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
194. max-files: 2000
195.  
196. mode: normal # normal or sguil.
197. #sguil-base-dir: /nsm_data/
198. #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
199. use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
200.  
201. # a full alerts log containing much information for signature writers
202. # or for investigating suspected false positives.
203. - alert-debug:
204. enabled: no
205. filename: alert-debug.log
206. append: yes
207. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
208.  
209. # alert output to prelude (http://www.prelude-technologies.com/) only
210. # available if Suricata has been compiled with --enable-prelude
211. - alert-prelude:
212. enabled: no
213. profile: suricata
214. log-packet-content: no
215. log-packet-header: yes
216.  
217. # Stats.log contains data from various counters of the suricata engine.
218. # The interval field (in seconds) tells after how long output will be written
219. # on the log file.
220. - stats:
221. enabled: yes
222. filename: stats.log
223. interval: 60
224.  
225. # a line based alerts log similar to fast.log into syslog
226. - syslog:
227. enabled: no
228. # reported identity to syslog. If ommited the program name (usually
229. # suricata) will be used.
230. #identity: "suricata"
231. facility: local5
232. #level: Info ## possible levels: Emergency, Alert, Critical,
233. ## Error, Warning, Notice, Info, Debug
234.  
235. # a line based information for dropped packets in IPS mode
236. - drop:
237. enabled: no
238. filename: drop.log
239. append: yes
240. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
241.  
242. # output module to store extracted files to disk
243. #
244. # The files are stored to the log-dir in a format "file.<id>" where <id> is
245. # an incrementing number starting at 1. For each file "file.<id>" a meta
246. # file "file.<id>.meta" is created.
247. #
248. # File extraction depends on a lot of things to be fully done:
249. # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
250. # - http request / response body sizes. Again set to 0 for optimal results.
251. # - rules that contain the "filestore" keyword.
252. - file-store:
253. enabled: no # set to yes to enable
254. log-dir: files # directory to store the files
255. force-magic: no # force logging magic on all stored files
256. force-md5: no # force logging of md5 checksums
257. #waldo: file.waldo # waldo file to store the file_id across runs
258.  
259. # output module to log files tracked in a easily parsable json format
260. - file-log:
261. enabled: no
262. filename: files-json.log
263. append: yes
264. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
265.  
266. force-magic: no # force logging magic on all logged files
267. force-md5: no # force logging of md5 checksums
268.  
269. # Magic file. The extension .mgc is added to the value here.
270. #magic-file: /usr/share/file/magic
271. magic-file: /usr/share/file/magic
272.  
273. # When running in NFQ inline mode, it is possible to use a simulated
274. # non-terminal NFQUEUE verdict.
275. # This permit to do send all needed packet to suricata via this a rule:
276. # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
277. # And below, you can have your standard filtering ruleset. To activate
278. # this mode, you need to set mode to 'repeat'
279. # If you want packet to be sent to another queue after an ACCEPT decision
280. # set mode to 'route' and set next-queue value.
281. # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
282. # by processing several packets before sending a verdict (worker runmode only).
283. # On linux >= 3.6, you can set the fail-open option to yes to have the kernel
284. # accept the packet if suricata is not able to keep pace.
285. #nfq:
286. # mode: accept
287. # repeat-mark: 1
288. # repeat-mask: 1
289. # route-queue: 2
290. # batchcount: 20
291. # fail-open: yes
292.  
293. # af-packet support
294. # Set threads to > 1 to use PACKET_FANOUT support
295. af-packet:
296. - interface: eth1
297. # Number of receive threads (>1 will enable experimental flow pinned
298. # runmode)
299. threads: 2
300. # Default clusterid. AF_PACKET will load balance packets based on flow.
301. # All threads/processes that will participate need to have the same
302. # clusterid.
303. cluster-id: 51
304. # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
305. # This is only supported for Linux kernel > 3.1
306. # possible value are:
307. # * cluster_round_robin: round robin load balancing
308. # * cluster_flow: all packets of a given flow are send to the same socket
309. # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
310. cluster-type: cluster_flow
311. # In some fragmentation case, the hash can not be computed. If "defrag" is set
312. # to yes, the kernel will do the needed defragmentation before sending the packets.
313. defrag: yes
314. # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
315. use-mmap: yes
316. # Ring size will be computed with respect to max_pending_packets and number
317. # of threads. You can set manually the ring size in number of packets by setting
318. # the following value. If you are using flow cluster-type and have really network
319. # intensive single-flow you could want to set the ring-size independantly of the number
320. # of threads:
321. #ring-size: 2048
322. # On busy system, this could help to set it to yes to recover from a packet drop
323. # phase. This will result in some packets (at max a ring flush) being non treated.
324. #use-emergency-flush: yes
325. # recv buffer size, increase value could improve performance
326. # buffer-size: 32768
327. # Set to yes to disable promiscuous mode
328. # disable-promisc: no
329. # Choose checksum verification mode for the interface. At the moment
330. # of the capture, some packets may be with an invalid checksum due to
331. # offloading to the network card of the checksum computation.
332. # Possible values are:
333. # - kernel: use indication sent by kernel for each packet (default)
334. # - yes: checksum validation is forced
335. # - no: checksum validation is disabled
336. # - auto: suricata uses a statistical approach to detect when
337. # checksum off-loading is used.
338. # Warning: 'checksum-validation' must be set to yes to have any validation
339. #checksum-checks: kernel
340. # BPF filter to apply to this interface. The pcap filter syntax apply here.
341. #bpf-filter: port 80 or udp
342. # You can use the following variables to activate AF_PACKET tap od IPS mode.
343. # If copy-mode is set to ips or tap, the traffic coming to the current
344. # interface will be copied to the copy-iface interface. If 'tap' is set, the
345. # copy is complete. If 'ips' is set, the packet matching a 'drop' action
346. # will not be copied.
347. #copy-mode: ips
348. #copy-iface: eth1
349. - interface: eth1
350. threads: 2
351. cluster-id: 51
352. cluster-type: cluster_flow
353. defrag: yes
354. # buffer-size: 32768
355. # disable-promisc: no
356. # Put default values here
357. - interface: default
358. #threads: 2
359. #use-mmap: yes
360.  
361. legacy:
362. uricontent: enabled
363.  
364. # You can specify a threshold config file by setting "threshold-file"
365. # to the path of the threshold config file:
366. threshold-file: /etc/nsm/hera-na0-eth1/threshold.conf
367.  
368. # The detection engine builds internal groups of signatures. The engine
369. # allow us to specify the profile to use for them, to manage memory on an
370. # efficient way keeping a good performance. For the profile keyword you
371. # can use the words "low", "medium", "high" or "custom". If you use custom
372. # make sure to define the values at "- custom-values" as your convenience.
373. # Usually you would prefer medium/high/low.
374. #
375. # "sgh mpm-context", indicates how the staging should allot mpm contexts for
376. # the signature groups. "single" indicates the use of a single context for
377. # all the signature group heads. "full" indicates a mpm-context for each
378. # group head. "auto" lets the engine decide the distribution of contexts
379. # based on the information the engine gathers on the patterns from each
380. # group head.
381. #
382. # The option inspection-recursion-limit is used to limit the recursive calls
383. # in the content inspection code. For certain payload-sig combinations, we
384. # might end up taking too much time in the content inspection code.
385. # If the argument specified is 0, the engine uses an internally defined
386. # default limit. On not specifying a value, we use no limits on the recursion.
387. detect-engine:
388. - profile: high
389. - custom-values:
390. toclient-src-groups: 2
391. toclient-dst-groups: 2
392. toclient-sp-groups: 2
393. toclient-dp-groups: 3
394. toserver-src-groups: 2
395. toserver-dst-groups: 4
396. toserver-sp-groups: 2
397. toserver-dp-groups: 25
398. - sgh-mpm-context: auto
399. - inspection-recursion-limit: 3000
400. # When rule-reload is enabled, sending a USR2 signal to the Suricata process
401. # will trigger a live rule reload. Experimental feature, use with care.
402. #- rule-reload: true
403. # If set to yes, the loading of signatures will be made after the capture
404. # is started. This will limit the downtime in IPS mode.
405. #- delayed-detect: yes
406.  
407. # Suricata is multi-threaded. Here the threading can be influenced.
408. threading:
409. # On some cpu's/architectures it is beneficial to tie individual threads
410. # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
411. # and each extra CPU/core has one "detect" thread.
412. #
413. # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
414. #
415. set-cpu-affinity: no
416. # Tune cpu affinity of suricata threads. Each family of threads can be bound
417. # on specific CPUs.
418. cpu-affinity:
419. - management-cpu-set:
420. cpu: [ 0 ] # include only these cpus in affinity settings
421. - receive-cpu-set:
422. cpu: [ 0 ] # include only these cpus in affinity settings
423. - decode-cpu-set:
424. cpu: [ 0, 1 ]
425. mode: "balanced"
426. - stream-cpu-set:
427. cpu: [ "0-1" ]
428. - detect-cpu-set:
429. cpu: [ "all" ]
430. mode: "exclusive" # run detect threads in these cpus
431. # Use explicitely 3 threads and don't compute number by using
432. # detect-thread-ratio variable:
433. # threads: 3
434. prio:
435. low: [ 0 ]
436. medium: [ "1-2" ]
437. high: [ 3 ]
438. default: "medium"
439. - verdict-cpu-set:
440. cpu: [ 0 ]
441. prio:
442. default: "high"
443. - reject-cpu-set:
444. cpu: [ 0 ]
445. prio:
446. default: "low"
447. - output-cpu-set:
448. cpu: [ "all" ]
449. prio:
450. default: "medium"
451. #
452. # By default Suricata creates one "detect" thread per available CPU/CPU core.
453. # This setting allows controlling this behaviour. A ratio setting of 2 will
454. # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
455. # will result in 4 detect threads. If values below 1 are used, less threads
456. # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
457. # thread being created. Regardless of the setting at a minimum 1 detect
458. # thread will always be created.
459. #
460. detect-thread-ratio: 1
461.  
462. # Cuda configuration.
463. cuda:
464. # The "mpm" profile. On not specifying any of these parameters, the engine's
465. # internal default values are used, which are same as the ones specified in
466. # in the default conf file.
467. mpm:
468. # The minimum length required to buffer data to the gpu.
469. # Anything below this is MPM'ed on the CPU.
470. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
471. # A value of 0 indicates there's no limit.
472. data-buffer-size-min-limit: 0
473. # The maximum length for data that we would buffer to the gpu.
474. # Anything over this is MPM'ed on the CPU.
475. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
476. data-buffer-size-max-limit: 1500
477. # The ring buffer size used by the CudaBuffer API to buffer data.
478. cudabuffer-buffer-size: 500mb
479. # The max chunk size that can be sent to the gpu in a single go.
480. gpu-transfer-size: 50mb
481. # The timeout limit for batching of packets in microseconds.
482. batching-timeout: 2000
483. # The device to use for the mpm. Currently we don't support load balancing
484. # on multiple gpus. In case you have multiple devices on your system, you
485. # can specify the device to use, using this conf. By default we hold 0, to
486. # specify the first device cuda sees. To find out device-id associated with
487. # the card(s) on the system run "suricata --list-cuda-cards".
488. device-id: 0
489. # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
490. # For this option you need a device with Compute Capability > 1.0.
491. cuda-streams: 2
492.  
493. # Select the multi pattern algorithm you want to run for scan/search the
494. # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
495. # ac and ac-gfbs.
496. #
497. # The mpm you choose also decides the distribution of mpm contexts for
498. # signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
499. # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
500. # to be set to "single", because of ac's memory requirements, unless the
501. # ruleset is small enough to fit in one's memory, in which case one can
502. # use "full" with "ac". Rest of the mpms can be run in "full" mode.
503. #
504. # There is also a CUDA pattern matcher (only available if Suricata was
505. # compiled with --enable-cuda: b2g_cuda. Make sure to update your
506. # max-pending-packets setting above as well if you use b2g_cuda.
507.  
508. mpm-algo: ac
509.  
510. # The memory settings for hash size of these algorithms can vary from lowest
511. # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
512. # (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
513. # medium (1024) - high (2048).
514. #
515. # For B2g/B3g algorithms, there is a support for two different scan/search
516. # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
517. # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
518. # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
519. # B3gSearchBNDMq.
520. #
521. # For B2g the different scan/search algorithms and, hash and bloom
522. # filter size settings. For B3g the different scan/search algorithms and, hash
523. # and bloom filter size settings. For wumanber the hash and bloom filter size
524. # settings.
525.  
526. pattern-matcher:
527. - b2gc:
528. search-algo: B2gSearchBNDMq
529. hash-size: medium
530. bf-size: medium
531. - b2gm:
532. search-algo: B2gSearchBNDMq
533. hash-size: medium
534. bf-size: medium
535. - b2g:
536. search-algo: B2gSearchBNDMq
537. hash-size: medium
538. bf-size: medium
539. - b3g:
540. search-algo: B3gSearchBNDMq
541. hash-size: medium
542. bf-size: medium
543. - wumanber:
544. hash-size: medium
545. bf-size: medium
546.  
547. # Defrag settings:
548.  
549. defrag:
550. memcap: 32mb
551. hash-size: 65536
552. trackers: 65535 # number of defragmented flows to follow
553. max-frags: 131072 # number of fragments to keep (higher than trackers)
554. prealloc: yes
555. timeout: 60
556.  
557. # Enable defrag per host settings
558. # host-config:
559. #
560. # - dmz:
561. # timeout: 30
562. # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
563. #
564. # - lan:
565. # timeout: 45
566. # address:
567. # - 192.168.0.0/24
568. # - 192.168.10.0/24
569. # - 172.16.14.0/24
570.  
571. # Flow settings:
572. # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
573. # for flow allocation inside the engine. You can change this value to allow
574. # more memory usage for flows.
575. # The hash-size determine the size of the hash used to identify flows inside
576. # the engine, and by default the value is 65536.
577. # At the startup, the engine can preallocate a number of flows, to get a better
578. # performance. The number of flows preallocated is 10000 by default.
579. # emergency-recovery is the percentage of flows that the engine need to
580. # prune before unsetting the emergency state. The emergency state is activated
581. # when the memcap limit is reached, allowing to create new flows, but
582. # prunning them with the emergency timeouts (they are defined below).
583. # If the memcap is reached, the engine will try to prune flows
584. # with the default timeouts. If it doens't find a flow to prune, it will set
585. # the emergency bit and it will try again with more agressive timeouts.
586. # If that doesn't work, then it will try to kill the last time seen flows
587. # not in use.
588. # The memcap can be specified in kb, mb, gb. Just a number indicates it's
589. # in bytes.
590.  
591. flow:
592. memcap: 256mb
593. hash-size: 65536
594. prealloc: 20000
595. emergency-recovery: 30
596.  
597. # This option controls the use of vlan ids in the flow (and defrag)
598. # hashing. Normally this should be enabled, but in some (broken)
599. # setups where both sides of a flow are not tagged with the same vlan
600. # tag, we can ignore the vlan id's in the flow hashing.
601. vlan:
602. use-for-tracking: false
603.  
604. # Specific timeouts for flows. Here you can specify the timeouts that the
605. # active flows will wait to transit from the current state to another, on each
606. # protocol. The value of "new" determine the seconds to wait after a hanshake or
607. # stream startup before the engine free the data of that flow it doesn't
608. # change the state to established (usually if we don't receive more packets
609. # of that flow). The value of "established" is the amount of
610. # seconds that the engine will wait to free the flow if it spend that amount
611. # without receiving new packets or closing the connection. "closed" is the
612. # amount of time to wait after a flow is closed (usually zero).
613. #
614. # There's an emergency mode that will become active under attack circumstances,
615. # making the engine to check flow status faster. This configuration variables
616. # use the prefix "emergency-" and work similar as the normal ones.
617. # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
618. # icmp.
619.  
620. flow-timeouts:
621.  
622. default:
623. new: 30
624. established: 300
625. closed: 0
626. emergency-new: 10
627. emergency-established: 100
628. emergency-closed: 0
629. tcp:
630. new: 60
631. established: 3600
632. closed: 120
633. emergency-new: 10
634. emergency-established: 300
635. emergency-closed: 20
636. udp:
637. new: 30
638. established: 300
639. emergency-new: 10
640. emergency-established: 100
641. icmp:
642. new: 30
643. established: 300
644. emergency-new: 10
645. emergency-established: 100
646.  
647. # Stream engine settings. Here the TCP stream tracking and reassembly
648. # engine is configured.
649. #
650. # stream:
651. # memcap: 32mb # Can be specified in kb, mb, gb. Just a
652. # # number indicates it's in bytes.
653. # checksum-validation: yes # To validate the checksum of received
654. # # packet. If csum validation is specified as
655. # # "yes", then packet with invalid csum will not
656. # # be processed by the engine stream/app layer.
657. # # Warning: locally generated trafic can be
658. # # generated without checksum due to hardware offload
659. # # of checksum. You can control the handling of checksum
660. # # on a per-interface basis via the 'checksum-checks'
661. # # option
662. # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
663. # midstream: false # don't allow midstream session pickups
664. # async-oneside: false # don't enable async stream handling
665. # inline: no # stream inline mode
666. # max-synack-queued: 5 # Max different SYN/ACKs to queue
667. #
668. # reassembly:
669. # memcap: 64mb # Can be specified in kb, mb, gb. Just a number
670. # # indicates it's in bytes.
671. # depth: 1mb # Can be specified in kb, mb, gb. Just a number
672. # # indicates it's in bytes.
673. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
674. # # this size. Can be specified in kb, mb,
675. # # gb. Just a number indicates it's in bytes.
676. # # The max acceptable size is 4024 bytes.
677. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
678. # # this size. Can be specified in kb, mb,
679. # # gb. Just a number indicates it's in bytes.
680. # # The max acceptable size is 4024 bytes.
681. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
682. # # This lower the risk of some evasion technics but could lead
683. # # detection change between runs. It is set to 'yes' by default.
684. # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
685. # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
686. # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
687. # # of randomize-chunk-range is 10.
688. #
689. # raw: yes # 'Raw' reassembly enabled or disabled.
690. # # raw is for content inspection by detection
691. # # engine.
692. #
693. # chunk-prealloc: 250 # Number of preallocated stream chunks. These
694. # # are used during stream inspection (raw).
695. # segments: # Settings for reassembly segment pool.
696. # - size: 4 # Size of the (data)segment for a pool
697. # prealloc: 256 # Number of segments to prealloc and keep
698. # # in the pool.
699. #
700. stream:
701. memcap: 1gb
702. checksum-validation: no # reject wrong csums
703. prealloc-sessions: 100000
704. inline: no # auto will use inline mode in IPS mode, yes or no set it statically
705. reassembly:
706. memcap: 4gb
707. depth: 2mb # reassemble 1mb into a stream
708. toserver-chunk-size: 2560
709. toclient-chunk-size: 2560
710. randomize-chunk-size: yes
711. #randomize-chunk-range: 10
712. raw: yes
713. chunk-prealloc: 2500
714. segments:
715. - size: 4
716. prealloc: 256
717. - size: 16
718. prealloc: 1500
719. - size: 112
720. prealloc: 2000
721. - size: 248
722. prealloc: 12500
723. - size: 512
724. prealloc: 12500
725. - size: 768
726. prealloc: 1024
727. - size: 1448
728. prealloc: 3500
729. - size: 65535
730. prealloc: 2000
731.  
732. # Host table:
733. #
734. # Host table is used by tagging and per host thresholding subsystems.
735. #
736. host:
737. hash-size: 4096
738. prealloc: 1500
739. memcap: 16777216
740.  
741. # Logging configuration. This is not about logging IDS alerts, but
742. # IDS output about what its doing, errors, etc.
743. logging:
744.  
745. # The default log level, can be overridden in an output section.
746. # Note that debug level logging will only be emitted if Suricata was
747. # compiled with the --enable-debug configure option.
748. #
749. # This value is overriden by the SC_LOG_LEVEL env var.
750. default-log-level: notice
751.  
752. # The default output format. Optional parameter, should default to
753. # something reasonable if not provided. Can be overriden in an
754. # output section. You can leave this out to get the default.
755. #
756. # This value is overriden by the SC_LOG_FORMAT env var.
757. #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
758.  
759. # A regex to filter output. Can be overridden in an output section.
760. # Defaults to empty (no filter).
761. #
762. # This value is overriden by the SC_LOG_OP_FILTER env var.
763. default-output-filter:
764.  
765. # Define your logging outputs. If none are defined, or they are all
766. # disabled you will get the default - console output.
767. outputs:
768. - console:
769. enabled: yes
770. - file:
771. enabled: no
772. filename: /var/log/suricata.log
773. - syslog:
774. enabled: no
775. facility: local5
776. format: "[%i] <%d> -- "
777.  
778. # Tilera mpipe configuration. for use on Tilera TILE-Gx.
779. mpipe:
780.  
781. # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
782. load-balance: dynamic
783.  
784. # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
785. iqueue-packets: 2048
786.  
787. # List of interfaces we will listen on.
788. inputs:
789. - interface: xgbe2
790. - interface: xgbe3
791. - interface: xgbe4
792.  
793.  
794. # Relative weight of memory for packets of each mPipe buffer size.
795. stack:
796. size128: 0
797. size256: 9
798. size512: 0
799. size1024: 0
800. size1664: 7
801. size4096: 0
802. size10386: 0
803. size16384: 0
804.  
805. # PF_RING configuration. for use with native PF_RING support
806. # for more info see http://www.ntop.org/PF_RING.html
807. pfring:
808. - interface: eth1
809. # Number of receive threads (>1 will enable experimental flow pinned
810. # runmode)
811. threads: 2
812.  
813. # Default clusterid. PF_RING will load balance packets based on flow.
814. # All threads/processes that will participate need to have the same
815. # clusterid.
816. cluster-id: 51
817.  
818. # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
819. # This is only supported in versions of PF_RING > 4.1.1.
820. cluster-type: cluster_flow
821. # bpf filter for this interface
822. #bpf-filter: tcp
823. # Choose checksum verification mode for the interface. At the moment
824. # of the capture, some packets may be with an invalid checksum due to
825. # offloading to the network card of the checksum computation.
826. # Possible values are:
827. # - rxonly: only compute checksum for packets received by network card.
828. # - yes: checksum validation is forced
829. # - no: checksum validation is disabled
830. # - auto: suricata uses a statistical approach to detect when
831. # checksum off-loading is used. (default)
832. # Warning: 'checksum-validation' must be set to yes to have any validation
833. #checksum-checks: auto
834. # Second interface
835. #- interface: eth1
836. # threads: 3
837. # cluster-id: 51
838. # cluster-type: cluster_flow
839. # Put default values here
840. - interface: default
841. #threads: 2
842.  
843. pcap:
844. - interface: eth1
845. # On Linux, pcap will try to use mmaped capture and will use buffer-size
846. # as total of memory used by the ring. So set this to something bigger
847. # than 1% of your bandwidth.
848. #buffer-size: 16777216
849. #bpf-filter: "tcp and port 25"
850. # Choose checksum verification mode for the interface. At the moment
851. # of the capture, some packets may be with an invalid checksum due to
852. # offloading to the network card of the checksum computation.
853. # Possible values are:
854. # - yes: checksum validation is forced
855. # - no: checksum validation is disabled
856. # - auto: suricata uses a statistical approach to detect when
857. # checksum off-loading is used. (default)
858. # Warning: 'checksum-validation' must be set to yes to have any validation
859. #checksum-checks: auto
860. # With some accelerator cards using a modified libpcap (like myricom), you
861. # may want to have the same number of capture threads as the number of capture
862. # rings. In this case, set up the threads variable to N to start N threads
863. # listening on the same interface.
864. #threads: 16
865. # set to no to disable promiscuous mode:
866. #promisc: no
867. # set snaplen, if not set it defaults to MTU if MTU can be known
868. # via ioctl call and to full capture if not.
869. #snaplen: 1518
870. # Put default values here
871. - interface: default
872. #checksum-checks: auto
873.  
874. pcap-file:
875. # Possible values are:
876. # - yes: checksum validation is forced
877. # - no: checksum validation is disabled
878. # - auto: suricata uses a statistical approach to detect when
879. # checksum off-loading is used. (default)
880. # Warning: 'checksum-validation' must be set to yes to have checksum tested
881. checksum-checks: auto
882.  
883. # For FreeBSD ipfw(8) divert(4) support.
884. # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
885. # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
886. # Additionally, you need to have an ipfw rule for the engine to see
887. # the packets from ipfw. For Example:
888. #
889. # ipfw add 100 divert 8000 ip from any to any
890. #
891. # The 8000 above should be the same number you passed on the command
892. # line, i.e. -d 8000
893. #
894. ipfw:
895.  
896. # Reinject packets at the specified ipfw rule number. This config
897. # option is the ipfw rule number AT WHICH rule processing continues
898. # in the ipfw processing system after the engine has finished
899. # inspecting the packet for acceptance. If no rule number is specified,
900. # accepted packets are reinjected at the divert rule which they entered
901. # and IPFW rule processing continues. No check is done to verify
902. # this will rule makes sense so care must be taken to avoid loops in ipfw.
903. #
904. ## The following example tells the engine to reinject packets
905. # back into the ipfw firewall AT rule number 5500:
906. #
907. # ipfw-reinjection-rule-number: 5500
908.  
909. # Set the default rule path here to search for the files.
910. # if not set, it will look at the current working dir
911. default-rule-path: /etc/nsm/rules/
912. rule-files:
913. - local.rules
914. - downloaded.rules
915.  
916. classification-file: /etc/nsm/hera-na0-eth1/classification.config
917. reference-config-file: /etc/nsm/hera-na0-eth1/reference.config
918.  
919. # Holds variables that would be used by the engine.
920. vars:
921.  
922. # Holds the address group vars that would be passed in a Signature.
923. # These would be retrieved during the Signature address parsing stage.
924. address-groups:
925.  
926. HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
927.  
928. EXTERNAL_NET: "!$HOME_NET"
929.  
930. HTTP_SERVERS: "$HOME_NET"
931.  
932. SMTP_SERVERS: "$HOME_NET"
933.  
934. SQL_SERVERS: "$HOME_NET"
935.  
936. DNS_SERVERS: "$HOME_NET"
937.  
938. TELNET_SERVERS: "$HOME_NET"
939.  
940. AIM_SERVERS: "$EXTERNAL_NET"
941.  
942. DNP3_SERVER: "$HOME_NET"
943.  
944. DNP3_CLIENT: "$HOME_NET"
945.  
946. MODBUS_CLIENT: "$HOME_NET"
947.  
948. MODBUS_SERVER: "$HOME_NET"
949.  
950. ENIP_CLIENT: "$HOME_NET"
951.  
952. ENIP_SERVER: "$HOME_NET"
953.  
954. # Holds the port group vars that would be passed in a Signature.
955. # These would be retrieved during the Signature port parsing stage.
956. port-groups:
957.  
958. HTTP_PORTS: "80"
959.  
960. SHELLCODE_PORTS: "!80"
961.  
962. ORACLE_PORTS: 1521
963.  
964. SSH_PORTS: 22
965.  
966. DNP3_PORTS: 20000
967.  
968. # Set the order of alerts bassed on actions
969. # The default order is pass, drop, reject, alert
970. action-order:
971. - pass
972. - drop
973. - reject
974. - alert
975.  
976. # IP Reputation
977. #reputation-categories-file: @e_sysconfdir@iprep/categories.txt
978. #default-reputation-path: @e_sysconfdir@iprep
979. #reputation-files:
980. # - reputation.list
981.  
982. # Host specific policies for defragmentation and TCP stream
983. # reassembly. The host OS lookup is done using a radix tree, just
984. # like a routing table so the most specific entry matches.
985. host-os-policy:
986. # Make the default policy windows.
987. windows: [0.0.0.0/0]
988. bsd: []
989. bsd-right: []
990. old-linux: []
991. linux: []
992. old-solaris: []
993. solaris: []
994. hpux10: []
995. hpux11: []
996. irix: []
997. macos: []
998. vista: []
999. windows2k3: []
1000.  
1001.  
1002. # Limit for the maximum number of asn1 frames to decode (default 256)
1003. asn1-max-frames: 256
1004.  
1005. # When run with the option --engine-analysis, the engine will read each of
1006. # the parameters below, and print reports for each of the enabled sections
1007. # and exit. The reports are printed to a file in the default log dir
1008. # given by the parameter "default-log-dir", with engine reporting
1009. # subsection below printing reports in its own report file.
1010. engine-analysis:
1011. # enables printing reports for fast-pattern for every rule.
1012. rules-fast-pattern: yes
1013. # enables printing reports for each rule
1014. rules: yes
1015.  
1016. #recursion and match limits for PCRE where supported
1017. pcre:
1018. match-limit: 3500
1019. match-limit-recursion: 1500
1020.  
1021. # Holds details on the app-layer. The protocols section details each protocol.
1022. # Under each protocol, the default value for detection-enabled and "
1023. # parsed-enabled is yes, unless specified otherwise.
1024. # Each protocol covers enabling/disabling parsers for all ipprotos
1025. # the app-layer protocol runs on. For example "dcerpc" refers to the tcp
1026. # version of the protocol as well as the udp version of the protocol.
1027. # The option "enabled" takes 3 values - "yes", "no", "detection-only".
1028. # "yes" enables both detection and the parser, "no" disables both, and
1029. # "detection-only" enables detection only(parser disabled).
1030. app-layer:
1031. protocols:
1032. tls:
1033. enabled: yes
1034. detection-ports:
1035. dp: 443
1036.  
1037. #no-reassemble: yes
1038. dcerpc:
1039. enabled: yes
1040. ftp:
1041. enabled: yes
1042. ssh:
1043. enabled: yes
1044. smtp:
1045. enabled: yes
1046. imap:
1047. enabled: detection-only
1048. msn:
1049. enabled: detection-only
1050. smb:
1051. enabled: yes
1052. detection-ports:
1053. dp: 139
1054. # smb2 detection is disabled internally inside the engine.
1055. #smb2:
1056. # enabled: yes
1057. dns:
1058. # memcaps. Globally and per flow/state.
1059. #global-memcap: 16mb
1060. #state-memcap: 512kb
1061.  
1062. # How many unreplied DNS requests are considered a flood.
1063. # If the limit is reached, app-layer-event:dns.flooded; will match.
1064. #request-flood: 500
1065.  
1066. tcp:
1067. enabled: yes
1068. detection-ports:
1069. dp: 53
1070. udp:
1071. enabled: yes
1072. detection-ports:
1073. dp: 53
1074. http:
1075. enabled: yes
1076. memcap: 256mb
1077.  
1078. ###########################################################################
1079. # Configure libhtp.
1080. #
1081. #
1082. # default-config: Used when no server-config matches
1083. # personality: List of personalities used by default
1084. # request-body-limit: Limit reassembly of request body for inspection
1085. # by http_client_body & pcre /P option.
1086. # response-body-limit: Limit reassembly of response body for inspection
1087. # by file_data, http_server_body & pcre /Q option.
1088. # double-decode-path: Double decode path section of the URI
1089. # double-decode-query: Double decode query section of the URI
1090. #
1091. # server-config: List of server configurations to use if address matches
1092. # address: List of ip addresses or networks for this block
1093. # personalitiy: List of personalities used by this block
1094. # request-body-limit: Limit reassembly of request body for inspection
1095. # by http_client_body & pcre /P option.
1096. # response-body-limit: Limit reassembly of response body for inspection
1097. # by file_data, http_server_body & pcre /Q option.
1098. # double-decode-path: Double decode path section of the URI
1099. # double-decode-query: Double decode query section of the URI
1100. #
1101. # uri-include-all: Include all parts of the URI. By default the
1102. # 'scheme', username/password, hostname and port
1103. # are excluded. Setting this option to true adds
1104. # all of them to the normalized uri as inspected
1105. # by http_uri, urilen, pcre with /U and the other
1106. # keywords that inspect the normalized uri.
1107. # Note that this does not affect http_raw_uri.
1108. # Also, note that including all was the default in
1109. # 1.4 and 2.0beta1.
1110. #
1111. # meta-field-limit: Hard size limit for request and response size
1112. # limits. Applies to request line and headers,
1113. # response line and headers. Does not apply to
1114. # request or response bodies. Default is 18k.
1115. # If this limit is reached an event is raised.
1116. #
1117. # Currently Available Personalities:
1118. # Minimal
1119. # Generic
1120. # IDS (default)
1121. # IIS_4_0
1122. # IIS_5_0
1123. # IIS_5_1
1124. # IIS_6_0
1125. # IIS_7_0
1126. # IIS_7_5
1127. # Apache_2
1128. ###########################################################################
1129. libhtp:
1130.  
1131. default-config:
1132. personality: IDS
1133.  
1134. # Can be specified in kb, mb, gb. Just a number indicates
1135. # it's in bytes.
1136. request-body-limit: 3072
1137. response-body-limit: 3072
1138.  
1139. # inspection limits
1140. request-body-minimal-inspect-size: 32kb
1141. request-body-inspect-window: 4kb
1142. response-body-minimal-inspect-size: 32kb
1143. response-body-inspect-window: 4kb
1144. # Take a random value for inspection sizes around the specified value.
1145. # This lower the risk of some evasion technics but could lead
1146. # detection change between runs. It is set to 'yes' by default.
1147. #randomize-inspection-sizes: yes
1148. # If randomize-inspection-sizes is active, the value of various
1149. # inspection size will be choosen in the [1 - range%, 1 + range%]
1150. # range
1151. # Default value of randomize-inspection-range is 10.
1152. #randomize-inspection-range: 10
1153.  
1154. # decoding
1155. double-decode-path: no
1156. double-decode-query: no
1157.  
1158. server-config:
1159.  
1160. #- apache:
1161. # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
1162. # personality: Apache_2
1163. # # Can be specified in kb, mb, gb. Just a number indicates
1164. # # it's in bytes.
1165. # request-body-limit: 4096
1166. # response-body-limit: 4096
1167. # double-decode-path: no
1168. # double-decode-query: no
1169.  
1170. #- iis7:
1171. # address:
1172. # - 192.168.0.0/24
1173. # - 192.168.10.0/24
1174. # personality: IIS_7_0
1175. # # Can be specified in kb, mb, gb. Just a number indicates
1176. # # it's in bytes.
1177. # request-body-limit: 4096
1178. # response-body-limit: 4096
1179. # double-decode-path: no
1180. # double-decode-query: no
1181.  
1182. # Profiling settings. Only effective if Suricata has been built with the
1183. # the --enable-profiling configure flag.
1184. #
1185. profiling:
1186. # Run profiling for every xth packet. The default is 1, which means we
1187. # profile every packet. If set to 1000, one packet is profiled for every
1188. # 1000 received.
1189. #sample-rate: 1000
1190.  
1191. # rule profiling
1192. rules:
1193.  
1194. # Profiling can be disabled here, but it will still have a
1195. # performance impact if compiled in.
1196. enabled: no
1197. filename: rule_perf.log
1198. append: yes
1199.  
1200. # Sort options: ticks, avgticks, checks, matches, maxticks
1201. sort: avgticks
1202.  
1203. # Limit the number of items printed at exit.
1204. limit: 100
1205.  
1206. # per keyword profiling
1207. keywords:
1208. enabled: no
1209. filename: keyword_perf.log
1210. append: yes
1211.  
1212. # packet profiling
1213. packets:
1214.  
1215. # Profiling can be disabled here, but it will still have a
1216. # performance impact if compiled in.
1217. enabled: no
1218. filename: packet_stats.log
1219. append: yes
1220.  
1221. # per packet csv output
1222. csv:
1223.  
1224. # Output can be disabled here, but it will still have a
1225. # performance impact if compiled in.
1226. enabled: no
1227. filename: packet_stats.csv
1228.  
1229. # profiling of locking. Only available when Suricata was built with
1230. # --enable-profiling-locks.
1231. locks:
1232. enabled: no
1233. filename: lock_stats.log
1234. append: yes
1235.  
1236. # Suricata core dump configuration. Limits the size of the core dump file to
1237. # approximately max-dump. The actual core dump size will be a multiple of the
1238. # page size. Core dumps that would be larger than max-dump are truncated. On
1239. # Linux, the actual core dump size may be a few pages larger than max-dump.
1240. # Setting max-dump to 0 disables core dumping.
1241. # Setting max-dump to 'unlimited' will give the full core dump file.
1242. # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1243. # to be 'unlimited'.
1244.  
1245. coredump:
1246. max-dump: unlimited
1247.  
1248. napatech:
1249. # The Host Buffer Allowance for all streams
1250. # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1251. hba: -1
1252.  
1253. # use_all_streams set to "yes" will query the Napatech service for all configured
1254. # streams and listen on all of them. When set to "no" the streams config array
1255. # will be used.
1256. use-all-streams: yes
1257.  
1258. # The streams to listen on
1259. streams: [1, 2, 3]
1260.  
1261. # Includes. Files included here will be handled as if they were
1262. # inlined in this configuration file.
1263. #include: include1.yaml
1264. #include: include2.yaml