  1. %YAML 1.1
  2. ---
  3. vars:
  4. address-groups:
  5. HOME_NET: "[SERVERIP]"
  6. EXTERNAL_NET: "!$HOME_NET"
  7. HTTP_SERVERS: "$HOME_NET"
  8. SMTP_SERVERS: "$HOME_NET"
  9. SQL_SERVERS: "$HOME_NET"
  10. DNS_SERVERS: "$HOME_NET"
  11. TELNET_SERVERS: "$HOME_NET"
  12. AIM_SERVERS: "$EXTERNAL_NET"
  13. DNP3_SERVER: "$HOME_NET"
  14. DNP3_CLIENT: "$HOME_NET"
  15. MODBUS_CLIENT: "$HOME_NET"
  16. MODBUS_SERVER: "$HOME_NET"
  17. ENIP_CLIENT: "$HOME_NET"
  18. ENIP_SERVER: "$HOME_NET"
  19. port-groups:
  20. HTTP_PORTS: "80"
  21. SHELLCODE_PORTS: "!80"
  22. ORACLE_PORTS: 1521
  23. SSH_PORTS: 22
  24. DNP3_PORTS: 20000
  25. MODBUS_PORTS: 502
  26. default-rule-path: /etc/suricata/rules
  27. rule-files:
  28. - botcc.rules
  29. - ciarmy.rules
  30. - compromised.rules
  31. - drop.rules
  32. - dshield.rules
  33. - emerging-attack_response.rules
  34. - emerging-chat.rules
  35. - emerging-current_events.rules
  36. - emerging-dns.rules
  37. - emerging-dos.rules
  38. - emerging-exploit.rules
  39. - emerging-ftp.rules
  40. - emerging-imap.rules
  41. - emerging-malware.rules
  42. - emerging-misc.rules
  43. - emerging-mobile_malware.rules
  44. - emerging-netbios.rules
  45. - emerging-p2p.rules
  46. - emerging-policy.rules
  47. - emerging-pop3.rules
  48. - emerging-rpc.rules
  49. - emerging-scada.rules
  50. - emerging-scan.rules
  51. - emerging-smtp.rules
  52. - emerging-snmp.rules
  53. - emerging-sql.rules
  54. - emerging-telnet.rules
  55. - emerging-tftp.rules
  56. - emerging-trojan.rules
  57. - emerging-user_agents.rules
  58. - emerging-voip.rules
  59. - emerging-web_client.rules
  60. - emerging-web_server.rules
  61. - emerging-worm.rules
  62. - tor.rules
  63. - http-events.rules # available in suricata sources under rules dir
  64. - smtp-events.rules # available in suricata sources under rules dir
  65. - dns-events.rules # available in suricata sources under rules dir
  66. - tls-events.rules # available in suricata sources under rules dir
  67. - local.rules # locally defined rules
  68. classification-file: /etc/suricata/classification.config
  69. reference-config-file: /etc/suricata/reference.config
  70. default-log-dir: /var/log/suricata
  71. stats:
  72. enabled: yes
  73. interval: 8
  74. outputs:
  75. - fast:
  76. enabled: yes
  77. filename: fast.log
  78. append: yes
  79. - eve-log:
  80. enabled: no
  81. filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
  82. filename: eve.json
  83. types:
  84. - alert:
  85. http: yes # enable dumping of http fields
  86. tls: yes # enable dumping of tls fields
  87. ssh: yes # enable dumping of ssh fields
  88. smtp: yes # enable dumping of smtp fields
  89. tagged-packets: yes
  90. xff:
  91. enabled: no
  92. mode: extra-data
  93. deployment: reverse
  94. header: X-Forwarded-For
  95. - http:
  96. extended: yes # enable this for extended logging information
  97. - dns:
  98. query: yes # enable logging of DNS queries
  99. answer: yes # enable logging of DNS answers
  100. - tls:
  101. extended: yes # enable this for extended logging information
  102. - files:
  103. force-magic: no # force logging magic on all logged files
  104. force-md5: no # force logging of md5 checksums
  105. - smtp:
  106. - ssh
  107. - stats:
  108. totals: yes # stats for all threads merged together
  109. threads: no # per thread stats
  110. deltas: no # include delta values
  111. - flow
  112. - unified2-alert:
  113. enabled: no
  114. filename: unified2.alert
  115. xff:
  116. enabled: no
  117. mode: extra-data
  118. deployment: reverse
  119. header: X-Forwarded-For
  120. - http-log:
  121. enabled: no
  122. filename: http.log
  123. append: yes
  124. - tls-log:
  125. enabled: no # Log TLS connections.
  126. filename: tls.log # File to store TLS logs.
  127. append: yes
  128. - tls-store:
  129. enabled: no
  130. - dns-log:
  131. enabled: yes
  132. filename: dns.log
  133. append: yes
  134. filetype: regular
  135. - pcap-log:
  136. enabled: no
  137. filename: log.pcap
  138. limit: 1000mb
  139. max-files: 2000
  140. mode: normal # normal, multi or sguil.
  141. use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
  142. honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
  143. - alert-debug:
  144. enabled: no
  145. filename: alert-debug.log
  146. append: yes
  147. - alert-prelude:
  148. enabled: no
  149. profile: suricata
  150. log-packet-content: no
  151. log-packet-header: yes
  152. - stats:
  153. enabled: yes
  154. filename: stats.log
  155. totals: yes # stats for all threads merged together
  156. threads: no # per thread stats
  157. - syslog:
  158. enabled: no
  159. facility: local5
  160. - drop:
  161. enabled: yes
  162. filename: drop.log
  163. append: yes
  164. - file-store:
  165. enabled: no # set to yes to enable
  166. log-dir: files # directory to store the files
  167. force-magic: no # force logging magic on all stored files
  168. force-md5: no # force logging of md5 checksums
  169. force-filestore: no # force storing of all files
  170. - file-log:
  171. enabled: no
  172. filename: files-json.log
  173. append: yes
  174. force-magic: no # force logging magic on all logged files
  175. force-md5: no # force logging of md5 checksums
  176. - tcp-data:
  177. enabled: no
  178. type: file
  179. filename: tcp-data.log
  180. - http-body-data:
  181. enabled: no
  182. type: file
  183. filename: http-data.log
  184. - lua:
  185. enabled: no
  186. scripts:
  187. logging:
  188. default-log-level: notice
  189. default-output-filter:
  190. outputs:
  191. - console:
  192. enabled: yes
  193. - file:
  194. enabled: yes
  195. level: info
  196. filename: /var/log/suricata/suricata.log
  197. - syslog:
  198. enabled: no
  199. facility: local5
  200. format: "[%i] <%d> -- "
  201. af-packet:
  202. - interface: eth0
  203. cluster-id: 99
  204. cluster-type: cluster_flow
  205. defrag: yes
  206. - interface: default
  207. pcap:
  208. - interface: eth0
  209. - interface: default
  210. pcap-file:
  211. checksum-checks: auto
  212. app-layer:
  213. protocols:
  214. tls:
  215. enabled: yes
  216. detection-ports:
  217. dp: 443
  218. dcerpc:
  219. enabled: yes
  220. ftp:
  221. enabled: yes
  222. ssh:
  223. enabled: yes
  224. smtp:
  225. enabled: yes
  226. mime:
  227. decode-mime: yes
  228. decode-base64: yes
  229. decode-quoted-printable: yes
  230. header-value-depth: 2000
  231. extract-urls: yes
  232. body-md5: no
  233. inspected-tracker:
  234. content-limit: 100000
  235. content-inspect-min-size: 32768
  236. content-inspect-window: 4096
  237. imap:
  238. enabled: detection-only
  239. msn:
  240. enabled: detection-only
  241. smb:
  242. enabled: yes
  243. detection-ports:
  244. dp: 139
  245. modbus:
  246. enabled: no
  247. detection-ports:
  248. dp: 502
  249. dns:
  250. tcp:
  251. enabled: yes
  252. detection-ports:
  253. dp: 53
  254. udp:
  255. enabled: yes
  256. detection-ports:
  257. dp: 53
  258. http:
  259. enabled: yes
  260. libhtp:
  261. default-config:
  262. personality: IDS
  263. request-body-limit: 100kb
  264. response-body-limit: 100kb
  265. request-body-minimal-inspect-size: 32kb
  266. request-body-inspect-window: 4kb
  267. response-body-minimal-inspect-size: 40kb
  268. response-body-inspect-window: 16kb
  269. response-body-decompress-layer-limit: 2
  270. http-body-inline: auto
  271. double-decode-path: no
  272. double-decode-query: no
  273. server-config:
  274. asn1-max-frames: 256
  275. coredump:
  276. max-dump: unlimited
  277. host-mode: router
  278. unix-command:
  279. enabled: no
  280. legacy:
  281. uricontent: enabled
  282. engine-analysis:
  283. rules-fast-pattern: yes
  284. rules: yes
  285. pcre:
  286. match-limit: 3500
  287. match-limit-recursion: 1500
  288. host-os-policy:
  289. windows: []
  290. bsd: []
  291. bsd-right: []
  292. old-linux: []
  293. linux: []
  294. old-solaris: []
  295. solaris: []
  296. hpux10: []
  297. hpux11: []
  298. irix: []
  299. macos: []
  300. vista: []
  301. windows2k3: []
  302. defrag:
  303. memcap: 32mb
  304. hash-size: 65536
  305. trackers: 65535 # number of defragmented flows to follow
  306. max-frags: 65535 # number of fragments to keep (higher than trackers)
  307. prealloc: yes
  308. timeout: 60
  309. flow:
  310. memcap: 128mb
  311. hash-size: 65536
  312. prealloc: 10000
  313. emergency-recovery: 30
  314. vlan:
  315. use-for-tracking: true
  316. flow-timeouts:
  317. default:
  318. new: 30
  319. established: 300
  320. closed: 0
  321. emergency-new: 10
  322. emergency-established: 100
  323. emergency-closed: 0
  324. tcp:
  325. new: 60
  326. established: 600
  327. closed: 60
  328. emergency-new: 5
  329. emergency-established: 100
  330. emergency-closed: 10
  331. udp:
  332. new: 30
  333. established: 300
  334. emergency-new: 10
  335. emergency-established: 100
  336. icmp:
  337. new: 30
  338. established: 300
  339. emergency-new: 10
  340. emergency-established: 100
  341. stream:
  342. memcap: 64mb
  343. checksum-validation: yes # reject wrong csums
  344. inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
  345. reassembly:
  346. memcap: 256mb
  347. depth: 1mb # reassemble 1mb into a stream
  348. toserver-chunk-size: 2560
  349. toclient-chunk-size: 2560
  350. randomize-chunk-size: yes
  351. host:
  352. hash-size: 4096
  353. prealloc: 1000
  354. memcap: 32mb
  355. detect:
  356. profile: medium
  357. custom-values:
  358. toclient-groups: 3
  359. toserver-groups: 25
  360. sgh-mpm-context: auto
  361. inspection-recursion-limit: 3000
  362. grouping:
  363. profiling:
  364. grouping:
  365. dump-to-disk: false
  366. include-rules: false # very verbose
  367. include-mpm-stats: false
  368. mpm-algo: auto
  369. spm-algo: auto
  370. threading:
  371. set-cpu-affinity: no
  372. cpu-affinity:
  373. - management-cpu-set:
  374. cpu: [ 0 ] # include only these cpus in affinity settings
  375. - receive-cpu-set:
  376. cpu: [ 0 ] # include only these cpus in affinity settings
  377. - worker-cpu-set:
  378. cpu: [ "all" ]
  379. mode: "exclusive"
  380. prio:
  381. low: [ 0 ]
  382. medium: [ "1-2" ]
  383. high: [ 3 ]
  384. default: "medium"
  385. detect-thread-ratio: 1.0
  386. profiling:
  387. rules:
  388. enabled: yes
  389. filename: rule_perf.log
  390. append: yes
  391. sort: avgticks
  392. limit: 100
  393. json: yes
  394. keywords:
  395. enabled: yes
  396. filename: keyword_perf.log
  397. append: yes
  398. rulegroups:
  399. enabled: yes
  400. filename: rule_group_perf.log
  401. append: yes
  402. packets:
  403. enabled: yes
  404. filename: packet_stats.log
  405. append: yes
  406. csv:
  407. enabled: no
  408. filename: packet_stats.csv
  409. locks:
  410. enabled: no
  411. filename: lock_stats.log
  412. append: yes
  413. pcap-log:
  414. enabled: no
  415. filename: pcaplog_stats.log
  416. append: yes
  417. nfq:
  418. nflog:
  419. - group: 2
  420. buffer-size: 18432
  421. - group: default
  422. qthreshold: 1
  423. qtimeout: 100
  424. max-size: 20000
  425. netmap:
  426. - interface: eth2
  427. - interface: default
  428. pfring:
  429. - interface: eth0
  430. threads: 1
  431. cluster-id: 99
  432. cluster-type: cluster_flow
  433. - interface: default
  434. ipfw:
  435. napatech:
  436. hba: -1
  437. use-all-streams: yes
  438. streams: [1, 2, 3]
  439. mpipe:
  440. load-balance: dynamic
  441. iqueue-packets: 2048
  442. inputs:
  443. - interface: xgbe2
  444. - interface: xgbe3
  445. - interface: xgbe4
  446. stack:
  447. size128: 0
  448. size256: 9
  449. size512: 0
  450. size1024: 0
  451. size1664: 7
  452. size4096: 0
  453. size10386: 0
  454. size16384: 0
  455. cuda:
  456. mpm:
  457. data-buffer-size-min-limit: 0
  458. data-buffer-size-max-limit: 1500
  459. cudabuffer-buffer-size: 500mb
  460. gpu-transfer-size: 50mb
  461. batching-timeout: 2000
  462. device-id: 0
  463. cuda-streams: 2