Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- %YAML 1.1
- ---
- vars:
- address-groups:
- HOME_NET: "[SERVERIP]"
- EXTERNAL_NET: "!$HOME_NET"
- HTTP_SERVERS: "$HOME_NET"
- SMTP_SERVERS: "$HOME_NET"
- SQL_SERVERS: "$HOME_NET"
- DNS_SERVERS: "$HOME_NET"
- TELNET_SERVERS: "$HOME_NET"
- AIM_SERVERS: "$EXTERNAL_NET"
- DNP3_SERVER: "$HOME_NET"
- DNP3_CLIENT: "$HOME_NET"
- MODBUS_CLIENT: "$HOME_NET"
- MODBUS_SERVER: "$HOME_NET"
- ENIP_CLIENT: "$HOME_NET"
- ENIP_SERVER: "$HOME_NET"
- port-groups:
- HTTP_PORTS: "80"
- SHELLCODE_PORTS: "!80"
- ORACLE_PORTS: 1521
- SSH_PORTS: 22
- DNP3_PORTS: 20000
- MODBUS_PORTS: 502
- default-rule-path: /etc/suricata/rules
- rule-files:
- - botcc.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-ftp.rules
- - emerging-imap.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
- - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-worm.rules
- - tor.rules
- - http-events.rules # available in suricata sources under rules dir
- - smtp-events.rules # available in suricata sources under rules dir
- - dns-events.rules # available in suricata sources under rules dir
- - tls-events.rules # available in suricata sources under rules dir
- - local.rules # locally defined rules
- classification-file: /etc/suricata/classification.config
- reference-config-file: /etc/suricata/reference.config
- default-log-dir: /var/log/suricata
- stats:
- enabled: yes
- interval: 8
- outputs:
- - fast:
- enabled: yes
- filename: fast.log
- append: yes
- - eve-log:
- enabled: no
- filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
- filename: eve.json
- types:
- - alert:
- http: yes # enable dumping of http fields
- tls: yes # enable dumping of tls fields
- ssh: yes # enable dumping of ssh fields
- smtp: yes # enable dumping of smtp fields
- tagged-packets: yes
- xff:
- enabled: no
- mode: extra-data
- deployment: reverse
- header: X-Forwarded-For
- - http:
- extended: yes # enable this for extended logging information
- - dns:
- query: yes # enable logging of DNS queries
- answer: yes # enable logging of DNS answers
- - tls:
- extended: yes # enable this for extended logging information
- - files:
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
- - smtp:
- - ssh
- - stats:
- totals: yes # stats for all threads merged together
- threads: no # per thread stats
- deltas: no # include delta values
- - flow
- - unified2-alert:
- enabled: no
- filename: unified2.alert
- xff:
- enabled: no
- mode: extra-data
- deployment: reverse
- header: X-Forwarded-For
- - http-log:
- enabled: no
- filename: http.log
- append: yes
- - tls-log:
- enabled: no # Log TLS connections.
- filename: tls.log # File to store TLS logs.
- append: yes
- - tls-store:
- enabled: no
- - dns-log:
- enabled: yes
- filename: dns.log
- append: yes
- filetype: regular
- - pcap-log:
- enabled: no
- filename: log.pcap
- limit: 1000mb
- max-files: 2000
- mode: normal # normal, multi or sguil.
- use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
- honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
- - alert-debug:
- enabled: no
- filename: alert-debug.log
- append: yes
- - alert-prelude:
- enabled: no
- profile: suricata
- log-packet-content: no
- log-packet-header: yes
- - stats:
- enabled: yes
- filename: stats.log
- totals: yes # stats for all threads merged together
- threads: no # per thread stats
- - syslog:
- enabled: no
- facility: local5
- - drop:
- enabled: yes
- filename: drop.log
- append: yes
- - file-store:
- enabled: no # set to yes to enable
- log-dir: files # directory to store the files
- force-magic: no # force logging magic on all stored files
- force-md5: no # force logging of md5 checksums
- force-filestore: no # force storing of all files
- - file-log:
- enabled: no
- filename: files-json.log
- append: yes
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
- - tcp-data:
- enabled: no
- type: file
- filename: tcp-data.log
- - http-body-data:
- enabled: no
- type: file
- filename: http-data.log
- - lua:
- enabled: no
- scripts:
- logging:
- default-log-level: notice
- default-output-filter:
- outputs:
- - console:
- enabled: yes
- - file:
- enabled: yes
- level: info
- filename: /var/log/suricata/suricata.log
- - syslog:
- enabled: no
- facility: local5
- format: "[%i] <%d> -- "
- af-packet:
- - interface: eth0
- cluster-id: 99
- cluster-type: cluster_flow
- defrag: yes
- - interface: default
- pcap:
- - interface: eth0
- - interface: default
- pcap-file:
- checksum-checks: auto
- app-layer:
- protocols:
- tls:
- enabled: yes
- detection-ports:
- dp: 443
- dcerpc:
- enabled: yes
- ftp:
- enabled: yes
- ssh:
- enabled: yes
- smtp:
- enabled: yes
- mime:
- decode-mime: yes
- decode-base64: yes
- decode-quoted-printable: yes
- header-value-depth: 2000
- extract-urls: yes
- body-md5: no
- inspected-tracker:
- content-limit: 100000
- content-inspect-min-size: 32768
- content-inspect-window: 4096
- imap:
- enabled: detection-only
- msn:
- enabled: detection-only
- smb:
- enabled: yes
- detection-ports:
- dp: 139
- modbus:
- enabled: no
- detection-ports:
- dp: 502
- dns:
- tcp:
- enabled: yes
- detection-ports:
- dp: 53
- udp:
- enabled: yes
- detection-ports:
- dp: 53
- http:
- enabled: yes
- libhtp:
- default-config:
- personality: IDS
- request-body-limit: 100kb
- response-body-limit: 100kb
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
- response-body-decompress-layer-limit: 2
- http-body-inline: auto
- double-decode-path: no
- double-decode-query: no
- server-config:
- asn1-max-frames: 256
- coredump:
- max-dump: unlimited
- host-mode: router
- unix-command:
- enabled: no
- legacy:
- uricontent: enabled
- engine-analysis:
- rules-fast-pattern: yes
- rules: yes
- pcre:
- match-limit: 3500
- match-limit-recursion: 1500
- host-os-policy:
- windows: []
- bsd: []
- bsd-right: []
- old-linux: []
- linux: []
- old-solaris: []
- solaris: []
- hpux10: []
- hpux11: []
- irix: []
- macos: []
- vista: []
- windows2k3: []
- defrag:
- memcap: 32mb
- hash-size: 65536
- trackers: 65535 # number of defragmented flows to follow
- max-frags: 65535 # number of fragments to keep (higher than trackers)
- prealloc: yes
- timeout: 60
- flow:
- memcap: 128mb
- hash-size: 65536
- prealloc: 10000
- emergency-recovery: 30
- vlan:
- use-for-tracking: true
- flow-timeouts:
- default:
- new: 30
- established: 300
- closed: 0
- emergency-new: 10
- emergency-established: 100
- emergency-closed: 0
- tcp:
- new: 60
- established: 600
- closed: 60
- emergency-new: 5
- emergency-established: 100
- emergency-closed: 10
- udp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
- icmp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
- stream:
- memcap: 64mb
- checksum-validation: yes # reject wrong csums
- inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- reassembly:
- memcap: 256mb
- depth: 1mb # reassemble 1mb into a stream
- toserver-chunk-size: 2560
- toclient-chunk-size: 2560
- randomize-chunk-size: yes
- host:
- hash-size: 4096
- prealloc: 1000
- memcap: 32mb
- detect:
- profile: medium
- custom-values:
- toclient-groups: 3
- toserver-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
- grouping:
- profiling:
- grouping:
- dump-to-disk: false
- include-rules: false # very verbose
- include-mpm-stats: false
- mpm-algo: auto
- spm-algo: auto
- threading:
- set-cpu-affinity: no
- cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - worker-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive"
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- detect-thread-ratio: 1.0
- profiling:
- rules:
- enabled: yes
- filename: rule_perf.log
- append: yes
- sort: avgticks
- limit: 100
- json: yes
- keywords:
- enabled: yes
- filename: keyword_perf.log
- append: yes
- rulegroups:
- enabled: yes
- filename: rule_group_perf.log
- append: yes
- packets:
- enabled: yes
- filename: packet_stats.log
- append: yes
- csv:
- enabled: no
- filename: packet_stats.csv
- locks:
- enabled: no
- filename: lock_stats.log
- append: yes
- pcap-log:
- enabled: no
- filename: pcaplog_stats.log
- append: yes
- nfq:
- nflog:
- - group: 2
- buffer-size: 18432
- - group: default
- qthreshold: 1
- qtimeout: 100
- max-size: 20000
- netmap:
- - interface: eth2
- - interface: default
- pfring:
- - interface: eth0
- threads: 1
- cluster-id: 99
- cluster-type: cluster_flow
- - interface: default
- ipfw:
- napatech:
- hba: -1
- use-all-streams: yes
- streams: [1, 2, 3]
- mpipe:
- load-balance: dynamic
- iqueue-packets: 2048
- inputs:
- - interface: xgbe2
- - interface: xgbe3
- - interface: xgbe4
- stack:
- size128: 0
- size256: 9
- size512: 0
- size1024: 0
- size1664: 7
- size4096: 0
- size10386: 0
- size16384: 0
- cuda:
- mpm:
- data-buffer-size-min-limit: 0
- data-buffer-size-max-limit: 1500
- cudabuffer-buffer-size: 500mb
- gpu-transfer-size: 50mb
- batching-timeout: 2000
- device-id: 0
- cuda-streams: 2
Add Comment
Please, Sign In to add comment