%YAML 1.1
---
# NOTE(review): Suricata's config loader expects the "%YAML 1.1" directive and
# the "---" document marker as the first two lines of the file; keep them as-is
# (confirm against the Suricata version in use).

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
  7.  
  8. ##
  9. ## Step 1: inform Suricata about your network
  10. ##
  11.  
  12. vars:
  13.   # more specifc is better for alert accuracy and performance
  14.   address-groups:
  15.     HOME_NET: "[VPC_CIDR_RANGE]"
  16.     #HOME_NET: "[192.168.0.0/16]"
  17.     #HOME_NET: "[10.0.0.0/8]"
  18.     #HOME_NET: "[172.16.0.0/12]"
  19.     #HOME_NET: "any"
  20.  
  21.     EXTERNAL_NET: "!$HOME_NET"
  22.     #EXTERNAL_NET: "any"
  23.  
  24.     HTTP_SERVERS: "$HOME_NET"
  25.     SMTP_SERVERS: "$HOME_NET"
  26.     SQL_SERVERS: "$HOME_NET"
  27.     DNS_SERVERS: "$HOME_NET"
  28.     TELNET_SERVERS: "$HOME_NET"
  29.     AIM_SERVERS: "$EXTERNAL_NET"
  30.     DNP3_SERVER: "$HOME_NET"
  31.     DNP3_CLIENT: "$HOME_NET"
  32.     MODBUS_CLIENT: "$HOME_NET"
  33.     MODBUS_SERVER: "$HOME_NET"
  34.     ENIP_CLIENT: "$HOME_NET"
  35.     ENIP_SERVER: "$HOME_NET"
  36.  
  37.   port-groups:
  38.     HTTP_PORTS: "80"
  39.     SHELLCODE_PORTS: "!80"
  40.     ORACLE_PORTS: 1521
  41.     SSH_PORTS: 22
  42.     DNP3_PORTS: 20000
  43.     MODBUS_PORTS: 502
  44.     FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
  45.     FTP_PORTS: 21
  46.  
  47.  
  48. ##
  49. ## Step 2: select the rules to enable or disable
  50. ##
  51.  
  52. default-rule-path: /etc/suricata/rules
  53. rule-files:
  54.  - botcc.rules
  55.  # - botcc.portgrouped.rules
  56.  - ciarmy.rules
  57.  - compromised.rules
  58.  - drop.rules
  59.  - dshield.rules
  60. # - emerging-activex.rules
  61.  - emerging-attack_response.rules
  62.  - emerging-chat.rules
  63.  - emerging-current_events.rules
  64.  - emerging-dns.rules
  65.  - emerging-dos.rules
  66.  - emerging-exploit.rules
  67.  - emerging-ftp.rules
  68. # - emerging-games.rules
  69. # - emerging-icmp_info.rules
  70. # - emerging-icmp.rules
  71.  - emerging-imap.rules
  72. # - emerging-inappropriate.rules
  73. # - emerging-info.rules
  74.  - emerging-malware.rules
  75.  - emerging-misc.rules
  76.  - emerging-mobile_malware.rules
  77.  - emerging-netbios.rules
  78.  - emerging-p2p.rules
  79.  - emerging-policy.rules
  80.  - emerging-pop3.rules
  81.  - emerging-rpc.rules
  82. # - emerging-scada.rules
  83. # - emerging-scada_special.rules
  84.  - emerging-scan.rules
  85. # - emerging-shellcode.rules
  86.  - emerging-smtp.rules
  87.  - emerging-snmp.rules
  88.  - emerging-sql.rules
  89.  - emerging-telnet.rules
  90.  - emerging-tftp.rules
  91.  - emerging-trojan.rules
  92.  - emerging-user_agents.rules
  93.  - emerging-voip.rules
  94.  - emerging-web_client.rules
  95.  - emerging-web_server.rules
  96. # - emerging-web_specific_apps.rules
  97.  - emerging-worm.rules
  98.  - tor.rules
  99. # - decoder-events.rules # available in suricata sources under rules dir
  100. # - stream-events.rules  # available in suricata sources under rules dir
  101.  - http-events.rules    # available in suricata sources under rules dir
  102.  - smtp-events.rules    # available in suricata sources under rules dir
  103.  - dns-events.rules     # available in suricata sources under rules dir
  104.  - tls-events.rules     # available in suricata sources under rules dir
  105. # - modbus-events.rules  # available in suricata sources under rules dir
  106. # - app-layer-events.rules  # available in suricata sources under rules dir
  107. # - dnp3-events.rules       # available in suricata sources under rules dir
  108. # - ntp-events.rules       # available in suricata sources under rules dir
  109.  
  110. classification-file: /etc/suricata/classification.config
  111. reference-config-file: /etc/suricata/reference.config
  112. # threshold-file: /etc/suricata/threshold.config
  113.  
  114.  
  115. ##
  116. ## Step 3: select outputs to enable
  117. ##
  118.  
# The default logging directory.  Any log or output file will be
# placed here if it is not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/
  123.  
# global stats configuration
# Engine counter collection. The eve-log "stats" type and the stats.log
# output further down presumably read from this; keep it enabled while either
# of those is in use.
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
  130.  
# Configure the type of alert (and other) logging you would like.
outputs:
  # Each item is one output module switched by its own "enabled" key. In this
  # file the active ones are fast.log, eve.json, pcap-log and stats.log; any
  # relative filename is placed under default-log-dir.

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting has to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entries to keep in buffer
      types:
        # Alert records carry rule metadata only: payload/packet/http-body
        # dumping is left commented out below, which keeps eve.json small and
        # keeps raw packet content out of the JSON log.
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # enable dumping of http body in Base64
            # http-body-printable: yes # enable dumping of http body in printable format
            metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes

            # HTTP X-Forwarded-For support by adding an extra field or overwriting
            # the source or destination IP address (depending on flow direction)
            # with the one reported in the X-Forwarded-For HTTP header. This is
            # helpful when reviewing alerts for traffic that is being reverse
            # or forward proxied.
            xff:
              enabled: no
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: extra-data
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: reverse
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns:
            # control logging of queries and answers
            # default yes, no to disable
            query: yes     # enable logging of DNS queries
            answer: yes    # enable logging of DNS answers
            # control which RR types are logged
            # all enabled if custom not specified
            #custom: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom allows to control which tls fields that are included
            # in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
        # force-hash stays commented, so the file records carry no
        # md5/sha1/sha256 checksum; uncomment it if file hashes are wanted
        # for matching against threat intelligence.
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            #force-hash: [md5]
        #- drop:
        #    alerts: yes      # log alerts that caused drops
        #    flows: all       # start or all: 'start' logs only a single drop
        #                     # per flow direction. All logs each dropped pkt.
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]

        #- dnp3
        #- nfs
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netflow
        # Vars log flowbits and other packet and flow vars
        #- vars

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      #limit: 32mb

      # By default unified2 log files have the file creation time (in
      # unix epoch format) appended to the filename. Set this to yes to
      # disable this behaviour.
      #nostamp: no

      # Sensor ID field of unified2 alerts.
      #sensor-id: 0

      # Include payload of packets related to alerts. Defaults to true, set to
      # false if payload is not required.
      #payload: yes

      # HTTP X-Forwarded-For support by adding the unified2 extra header or
      # overwriting the source or destination IP address (depending on flow
      # direction) with the one reported in the X-Forwarded-For HTTP header.
      # This is helpful when reviewing alerts for traffic that is being reverse
      # or forward proxied.
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version of the packet
        # received, it will fall-back to "extra-data" mode.
        mode: extra-data
        # Two proxy deployments are supported, "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported, if more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: no
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #extended: yes     # Log extended information like fingerprint
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      # output TLS transaction where the session is resumed using a
      # session id
      #session-resumption: no

  # output module to store certificates chain to disk
  - tls-store:
      enabled: no
      #certs-log-dir: certs # directory to store the certificates files

  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Packet log... log packets in pcap format. 3 modes of operation: "normal"
  # "multi" and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or are as specified by "dir".
  # In multi mode, a file is created per thread. This will perform much
  # better, but will create multiple files where 'normal' would create one.
  # In multi mode the filename takes a few special variables:
  # - %n -- thread number
  # - %i -- thread id
  # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
  # E.g. filename: pcap.%n.%t
  #
  # Note that it's possible to use directories, but the directories are not
  # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
  # per thread directory.
  #
  # Also note that the limit and max-files settings are enforced per thread.
  # So the size limit when using 8 threads with 1000mb files and 2000 files
  # is: 8*1000*2000 ~ 16TiB.
  #
  # In Sguil mode "dir" indicates the base directory. In this base dir the
  # pcaps are created in the directory structure Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled: yes
      filename: packet-capture

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 500mb

      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
      # NOTE(review): max-files is commented out, so ring-buffer mode is off
      # and nothing in this section ever deletes a finished 500mb file. With
      # enabled: yes and use-stream-depth: no (every packet logged), the
      # capture directory grows without bound unless something outside
      # Suricata prunes it; give max-files a value or confirm an external
      # rotation job exists.
      # max-files: 4

      mode: normal # normal, multi or sguil.

      # Directory to place pcap files. If not provided the default log
      # directory will be used. Required for "sguil" mode.
      # Presumably has to exist and be writable by the Suricata user before
      # start-up (see the note above: Suricata does not create directories).
      dir: /pcap-data/

      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes  # print counters that have value 0

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - file-store stream-depth. For optimal results, set this to 0 (unlimited)
  # - http request / response body sizes. Again set to 0 for optimal results.
  # - rules that contain the "filestore" keyword.
  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]
      force-filestore: no # force storing of all files
      # override global stream-depth for sessions in which we want to
      # perform file extraction. Set to 0 for unlimited.
      #stream-depth: 0
      #waldo: file.waldo # waldo file to store the file_id across runs
      # uncomment to disable meta file writing
      #write-meta: no
      # uncomment the following variable to define how many files can
      # remain open for filestore by Suricata. Default value is 0 which
      # means files get closed after each write
      #max-open-files: 1000

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

      force-magic: no   # force logging magic on all logged files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]

  # Log TCP data after stream normalization
  # 2 types: file or dir. File logs into a single logfile. Dir creates
  # 2 files per TCP session and stores the raw TCP data into them.
  # Using 'both' will enable both file and dir modes.
  #
  # Note: limited by stream.depth
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  # Log HTTP body data after normalization, dechunking and unzipping.
  # 2 types: file or dir. File logs into a single logfile. Dir creates
  # 2 files per HTTP session and stores the normalized data into them.
  # Using 'both' will enable both file and dir modes.
  #
  # Note: limited by the body limit settings
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  # Lua Output Support - execute lua script to generate alert and event
  # output.
  # Documented at:
  # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
  - lua:
      enabled: no
      #scripts-dir: /etc/suricata/lua-output/
      # "scripts" is left without a value (reads as null) while the module is
      # disabled; list script files under it when enabling.
      scripts:
      #   - script1.lua
  496.  
  497. # Logging configuration.  This is not about logging IDS alerts/events, but
  498. # output about what Suricata is doing, like startup messages, errors, etc.
  499. logging:
  500.   # The default log level, can be overridden in an output section.
  501.   # Note that debug level logging will only be emitted if Suricata was
  502.   # compiled with the --enable-debug configure option.
  503.   #
  504.   # This value is overriden by the SC_LOG_LEVEL env var.
  505.   default-log-level: notice
  506.  
  507.   # The default output format.  Optional parameter, should default to
  508.   # something reasonable if not provided.  Can be overriden in an
  509.   # output section.  You can leave this out to get the default.
  510.   #
  511.   # This value is overriden by the SC_LOG_FORMAT env var.
  512.   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  513.  
  514.   # A regex to filter output.  Can be overridden in an output section.
  515.   # Defaults to empty (no filter).
  516.   #
  517.   # This value is overriden by the SC_LOG_OP_FILTER env var.
  518.   default-output-filter:
  519.  
  520.   # Define your logging outputs.  If none are defined, or they are all
  521.   # disabled you will get the default - console output.
  522.   outputs:
  523.   - console:
  524.       enabled: yes
  525.       # type: json
  526.   - file:
  527.       enabled: yes
  528.       level: info
  529.       filename: /var/log/suricata/suricata.log
  530.       # type: json
  531.   - syslog:
  532.       enabled: no
  533.       facility: local5
  534.       format: "[%i] <%d> -- "
  535.       # type: json
  536.  
  537.  
  538. ##
  539. ## Step 4: configure common capture settings
  540. ##
  541. ## See "Advanced Capture Options" below for more options, including NETMAP
  542. ## and PF_RING.
  543. ##
  544.  
# Linux high speed capture support
af-packet:
  # NOTE(review): the interface name is hard-coded. The HOME_NET placeholder
  # above suggests a cloud VPC host, where the primary NIC is frequently not
  # named eth0 — confirm the name on the instance before deploying.
  - interface: eth0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
    #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
    #  Requires at least Linux 3.14.
    #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
    #  to the next. Requires at least Linux 3.10.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (require cpu affinity tuning and system irq tuning)
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
    # full then kernel will send the packet on the next socket with room available. This option
    # can minimize packet drop and increase the treated bandwidth on single intensive flow.
    #rollover: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock
    # your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have really network
    # intensive single-flow you could want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be multiple of page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On busy system, this could help to set it to yes to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) being non treated.
    #use-emergency-flush: yes
    # recv buffer size, increase value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
    # No filter is set, so everything seen on the interface is inspected.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    #use-mmap: no
    #rollover: yes
    #tpacket-v3: yes
  630.  
# Cross platform libpcap capture support
# NOTE(review): only one live capture method is used per run; which of the
# af-packet section above or this pcap section applies depends on how
# Suricata is started — confirm against the service's command line.
pcap:
  - interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto
  662.  
# Settings for reading pcap files
# Applies to offline runs that read a capture file (suricata -r), not to the
# live capture sections above.
pcap-file:
  # Possible values are:
  #  - yes: checksum validation is forced
  #  - no: checksum validation is disabled
  #  - auto: suricata uses a statistical approach to detect when
  #  checksum off-loading is used. (default)
  # Warning: 'checksum-validation' must be set to yes to have checksum tested
  checksum-checks: auto
  672.  
  673. # See "Advanced Capture Options" below for more options, including NETMAP
  674. # and PF_RING.
  675.  
  676.  
  677. ##
  678. ## Step 5: App Layer Protocol Configuration
  679. ##
  680.  
# Configure the app-layer parsers. The protocols section details each
# protocol.
#
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
#
# NOTE(review): a parser set to "no" is a blind spot for every rule that uses
# that protocol's keywords; "detection-only" still classifies the flow but
# inspects nothing inside it.
app-layer:
  protocols:
    tls:
      enabled: yes
      # detection-ports steers the probing parser; confirm for your version
      # that TLS on a non-443 port is still classified (pattern detection is
      # meant to be port-independent) rather than assuming it.
      detection-ports:
        dp: 443

      # Completely stop processing TLS/SSL session after the handshake
      # completed. If bypass is enabled this will also trigger flow
      # bypass. If disabled (the default), TLS/SSL session is still
      # tracked for Heartbleed and other anomalies.
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (i.e. base64, quoted-printable, etc.)
        # Needed for attachment inspection: with these off, an attachment
        # only has to be encoded to slip past content rules.
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        # NOTE(review): cheap and useful for incident response (correlating
        # the same phishing body across recipients); consider enabling.
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      # content-limit caps how much of a body is inspected — same trade-off
      # as the http body limits further down.
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      # Plain scalar; Suricata reads it as a comma-separated port list.
      detection-ports:
        dp: 139, 445
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    # Note: NFS parser depends on Rust support: pass --enable-rust
    # to configure.
    nfs:
      enabled: no
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      # Commented out here, so the engine's built-in default applies.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      #
      # NOTE(review): the personality decides how libhtp normalises the URI
      # (separators, encodings, case). If it differs from what the real server
      # does, the bytes the rules inspect are not the bytes the server acts on
      # — URI-normalisation evasion. The generic IDS personality is a
      # compromise; add server-config entries (template below) for the web
      # servers you actually run.
      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           # NOTE(review): bytes past these limits are not reassembled for
           # inspection, so a payload only has to sit behind 100kb of padding
           # to be invisible to http_client_body / file_data rules. Size them
           # for the uploads and downloads you need to inspect.
           request-body-limit: 100kb
           response-body-limit: 100kb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb

           # response body decompression (0 disables)
           # Keep this > 0: with decompression off, compressed responses are
           # opaque to content rules.
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Take a random value for inspection sizes around the specified value.
           # This lowers the risk of some evasion techniques but could lead to
           # detection changes between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection sizes will be chosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10

           # decoding
           # Leave these 'no' for the generic default and enable them in a
           # server-config block for servers known to decode the URI twice
           # (the classic IIS case); otherwise a double-encoded path reaches
           # that server decoded while the rules see it encoded.
           double-decode-path: no
           double-decode-query: no

         server-config:

           #- apache:
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
           #    personality: Apache_2
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

           #- iis7:
           #    address:
           #      - 192.168.0.0/24
           #      - 192.168.10.0/24
           #    personality: IIS_7_0
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

    # Note: the Modbus probe parser is minimalist because the protocol has
    # few significant fields: only the Modbus message length (greater than
    # the Modbus header length) and the Protocol ID (equal to 0) are checked
    # by the probing parser. Enable detection ports and define the Modbus
    # port to avoid false positives.
    modbus:
      # How many unreplied Modbus requests are considered a flood.
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
      #request-flood: 500

      enabled: no
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)

      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    # Note: parser depends on experimental Rust support
    # with --enable-rust-experimental passed to configure
    ntp:
      enabled: no
  908.  
# Limit for the maximum number of asn1 frames to decode (default 256).
# Keep this bounded: it caps the decoding work done on attacker-controlled
# ASN.1 (such as certificate blobs) per buffer.
asn1-max-frames: 256
  911.  
  912.  
  913. ##############################################################################
  914. ##
  915. ## Advanced settings below
  916. ##
  917. ##############################################################################
  918.  
  919. ##
  920. ## Run Options
  921. ##
  922.  
# Run suricata as user and group. While this stays commented out the engine
# runs as root for its whole lifetime; uncomment it with an existing
# unprivileged account (check that it can write the log directory) so that
# a parser bug does not hand out root on the sensor.
  924. #run-as:
  925. #  user: suri
  926. #  group: suri
  927.  
  928. # Some logging module will use that name in event as identifier. The default
  929. # value is the hostname
  930. #sensor-name: suricata
  931.  
  932. # Default location of the pid file. The pid file is only used in
  933. # daemon mode (start Suricata with -D). If not running in daemon mode
  934. # the --pidfile command line option must be used to create a pid file.
  935. #pid-file: /var/run/suricata.pid
  936.  
  937. # Daemon working directory
  938. # Suricata will change directory to this one if provided
  939. # Default: "/"
  940. #daemon-directory: "/"
  941.  
# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max-dump.
# Setting max-dump to 0 disables core dumping.
# Setting max-dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.
#
# NOTE(review): a core dump of the sensor contains whatever it held in memory
# — reassembled stream data, decoded payloads, possibly credentials seen on
# the wire. With the memcaps configured below (hundreds of MB of flow and
# reassembly state) 'unlimited' also means a very large file on every crash.
# Set max-dump to 0 in production, or make sure the dump location is
# access-restricted and its contents are treated as sensitive.

coredump:
  max-dump: unlimited
  953.  
# If suricata box is a router for the sniffed networks, set it to 'router'. If
# it is a pure sniffing setup, set it to 'sniffer-only'.
# If set to auto, the variable is internally switched to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords (i.e. how
# reject packets are emitted); 'auto' is fine for a passive sensor.
host-mode: auto
  960.  
  961. # Number of packets preallocated per thread. The default is 1024. A higher number
  962. # will make sure each CPU will be more easily kept busy, but may negatively
  963. # impact caching.
  964. #
  965. # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
  966. # apply. In that case try something like 60000 or more. This is because the CUDA
  967. # pattern matcher buffers and scans as many packets as possible in parallel.
  968. #max-pending-packets: 1024
  969.  
  970. # Runmode the engine should use. Please check --list-runmodes to get the available
  971. # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
  972. # load balancing).
  973. #runmode: autofp
  974.  
  975. # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
  976. #
  977. # Supported schedulers are:
  978. #
  979. # round-robin       - Flows assigned to threads in a round robin fashion.
  980. # active-packets    - Flows assigned to threads that have the lowest number of
  981. #                     unprocessed packets (default).
# hash              - Flow allotted using the address hash. More of a random
#                     technique. Was the default in Suricata 1.2.1 and older.
  984. #
  985. #autofp-scheduler: active-packets
  986.  
  987. # Preallocated size for packet. Default is 1514 which is the classical
  988. # size for pcap on ethernet. You should adjust this value to the highest
  989. # packet size (MTU + hardware header) on your system.
  990. #default-packet-size: 1514
  991.  
# Unix command socket can be used to pass commands to suricata.
# An external tool can then connect to get information from suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
# NOTE(review): anything that can connect to this socket can alter the
# running engine, so treat it as an admin interface: keep it in a directory
# reachable only by the suricata user/group and do not expose it to other
# workloads on the host. With 'auto' it is on whenever capture is live,
# which is how this file is set up.
unix-command:
  enabled: auto
  #filename: custom.socket
  1001.  
  1002. # Magic file. The extension .mgc is added to the value here.
  1003. #magic-file: /usr/share/file/magic
  1004. #magic-file:
  1005.  
# Keep the legacy 'uricontent' rule keyword accepted so older rules that
# still use it keep loading.
legacy:
  uricontent: enabled
  1008.  
  1009. ##
  1010. ## Detection settings
  1011. ##
  1012.  
# Set the order of alerts based on actions
  1014. # The default order is pass, drop, reject, alert
  1015. # action-order:
  1016. #   - pass
  1017. #   - drop
  1018. #   - reject
  1019. #   - alert
  1020.  
  1021. # IP Reputation
  1022. #reputation-categories-file: /etc/suricata/iprep/categories.txt
  1023. #default-reputation-path: /etc/suricata/iprep
  1024. #reputation-files:
  1025. # - reputation.list
  1026.  
# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit.  The reports are printed to a file in the default log dir
# given by the parameter "default-log-dir", with engine reporting
# subsection below printing reports in its own report file.
# These have no effect on a normal run; they only matter under
# --engine-analysis.
engine-analysis:
  # enables printing reports for fast-pattern for every rule.
  rules-fast-pattern: yes
  # enables printing reports for each rule
  rules: yes
  1037.  
# Recursion and match limits for PCRE where supported.
# NOTE(review): these bound the backtracking a single pcre rule may do per
# buffer, which is what keeps a pathological payload from stalling a detect
# thread (ReDoS). Raising them widens that exposure; a rule that hits the
# limit is expected to be treated as a non-match, so if you lower them look
# for rules that start going silent.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
  1042.  
  1043. ##
  1044. ## Advanced Traffic Tracking and Reconstruction Settings
  1045. ##
  1046.  
# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
# NOTE(review): the policy decides how overlapping fragments/segments are
# resolved. If it does not match what the real destination host does, the
# engine reassembles a different byte stream than the host sees — the basis
# of the classic overlap evasions — so list Windows hosts explicitly under
# 'windows'/'vista'/'windows2k3' instead of leaving every address on linux.
host-os-policy:
  # The default policy is linux (0.0.0.0/0); the other entries are empty.
  # 0.0.0.0/0 covers IPv4 only — add an IPv6 catch-all if you carry v6
  # (confirm the accepted syntax for your version).
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
  1065.  
  1066. # Defrag settings:
  1067.  
# NOTE(review): once the memcap is exhausted new fragment trackers cannot be
# allocated and the affected packets are presumably never reassembled or
# inspected — a fragment flood is therefore also a blinding attack. Watch
# the defrag memcap counters in stats on a busy sensor.
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
  1075.  
  1076. # Enable defrag per host settings
  1077. #  host-config:
  1078. #
  1079. #    - dmz:
  1080. #        timeout: 30
  1081. #        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
  1082. #
  1083. #    - lan:
  1084. #        timeout: 45
  1085. #        address:
  1086. #          - 192.168.0.0/24
  1087. #          - 192.168.10.0/24
  1088. #          - 172.16.14.0/24
  1089.  
  1090. # Flow settings:
  1091. # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
  1092. # for flow allocation inside the engine. You can change this value to allow
  1093. # more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At startup, the engine can preallocate a number of flows, to get better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing new flows to be created but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the least recently seen flows
# not in use.
  1107. # The memcap can be specified in kb, mb, gb.  Just a number indicates it's
  1108. # in bytes.
  1109.  
# NOTE(review): the memcap is also the lever an attacker pulls with a flow
# flood: once it is hit the engine goes into emergency mode and evicts
# flows on the short emergency-* timeouts below, so legitimate long-lived
# sessions can lose their state. Size it for the sensor's real peak and
# alert on the flow memcap / emergency-mode counters.
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  #managers: 1 # default to one flow manager
  #recyclers: 1 # default to one flow recycler thread
  1117.  
# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# setups where both sides of a flow are not tagged with the same vlan
# tag, we can ignore the vlan id's in the flow hashing.
# NOTE(review): keep 'true' unless you have that broken case — with it off,
# identical 5-tuples on different VLANs would hash to the same flow and
# pollute each other's stream state.
vlan:
  use-for-tracking: true
  1124.  
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transition from the current state to another, for
# each protocol. The value of "new" determines the seconds to wait after a
# handshake or stream startup before the engine frees the data of that flow if
# it doesn't change state to established (usually because we don't receive
# more packets of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spends that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero). The "bypassed"
# timeout controls locally bypassed flows. For these flows we don't do any other
# tracking. If no packets have been seen after this timeout, the flow is discarded.
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine check flow status faster. These configuration variables
# use the prefix "emergency-" and work similarly to the normal ones.
# Some timeouts don't apply to all the protocols, like "closed" for udp and
# icmp.
  1142.  
# Per-protocol flow timeouts (seconds). The emergency-* values are the ones
# used while the flow memcap is exhausted; they are deliberately short, so a
# sensor that spends much time in emergency mode is dropping real state.
flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  1177.  
  1178. # Stream engine settings. Here the TCP stream tracking and reassembly
  1179. # engine is configured.
  1180. #
  1181. # stream:
  1182. #   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
  1183. #                               # number indicates it's in bytes.
  1184. #   checksum-validation: yes    # To validate the checksum of received
  1185. #                               # packet. If csum validation is specified as
  1186. #                               # "yes", then packet with invalid csum will not
  1187. #                               # be processed by the engine stream/app layer.
#                               # Warning: locally generated traffic can be
#                               # emitted without a valid checksum due to hardware
#                               # offload of the checksum computation. You can control
#                               # the handling of checksums on a per-interface basis
#                               # via the 'checksum-checks' option
  1193. #   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
  1194. #   midstream: false            # don't allow midstream session pickups
  1195. #   async-oneside: false        # don't enable async stream handling
  1196. #   inline: no                  # stream inline mode
  1197. #   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
  1198. #   max-synack-queued: 5        # Max different SYN/ACKs to queue
  1199. #   bypass: no                  # Bypass packets when stream.depth is reached
  1200. #
  1201. #   reassembly:
  1202. #     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
  1203. #                               # indicates it's in bytes.
  1204. #     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
  1205. #                               # indicates it's in bytes.
  1206. #     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
  1207. #                               # this size.  Can be specified in kb, mb,
  1208. #                               # gb.  Just a number indicates it's in bytes.
  1209. #     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
  1210. #                               # this size.  Can be specified in kb, mb,
  1211. #                               # gb.  Just a number indicates it's in bytes.
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
#                               # This lowers the risk of some evasion techniques but could lead to
#                               # detection changes between runs. It is set to 'yes' by default.
  1215. #     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
  1216. #                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
  1217. #                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
  1218. #                               # calculation for toclient-chunk-size.
  1219. #                               # Default value of randomize-chunk-range is 10.
  1220. #
  1221. #     raw: yes                  # 'Raw' reassembly enabled or disabled.
  1222. #                               # raw is for content inspection by detection
  1223. #                               # engine.
  1224. #
  1225. #     segment-prealloc: 2048    # number of segments preallocated per thread
  1226. #
  1227. #     check-overlap-different-data: true|false
  1228. #                               # check if a segment contains different data
  1229. #                               # than what we've already seen for that
  1230. #                               # position in the stream.
  1231. #                               # This is enabled automatically if inline mode
  1232. #                               # is used or when stream-event:reassembly_overlap_different_data;
  1233. #                               # is used in a rule.
  1234. #
stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  # NOTE(review): 'midstream' is left at its documented default (false, see
  # the reference above), so sessions already established when the sensor
  # starts are never tracked. Acceptable, but it is a blind spot at every
  # restart and for asymmetric traffic.
  reassembly:
    memcap: 256mb
    # NOTE(review): only the first 1mb of a stream (per flow, possibly per
    # direction — confirm for your version) is reassembled and inspected;
    # content beyond that (large uploads, long-lived C2 channels) is not
    # seen by content rules. Raise it for servers that matter, or accept
    # the gap knowingly.
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true
  1249.  
# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
# NOTE(review): when this memcap is reached, thresholds/tags for hosts not
# yet in the table presumably cannot be tracked; watch the host memcap
# counter on a busy sensor.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
  1258.  
  1259. # IP Pair table:
  1260. #
  1261. # Used by xbits 'ippair' tracking.
  1262. #
  1263. #ippair:
  1264. #  hash-size: 4096
  1265. #  prealloc: 1000
  1266. #  memcap: 32mb
  1267.  
# Decoder settings

decoder:
  # Teredo decoder is known to not be completely accurate
  # it will sometimes detect non-teredo as teredo.
  # Leave it enabled: disabling it would make genuinely Teredo-tunnelled
  # IPv6 invisible to the rest of the engine.
  teredo:
    enabled: true
  1275.  
  1276.  
  1277. ##
  1278. ## Performance tuning and profiling
  1279. ##
  1280.  
# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low.
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups.  "single" indicates the use of a single context for
# all the signature group heads.  "full" indicates a mpm-context for each
# group head.  "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code.  For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit.  On not specifying a value, we use no limits on the recursion.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  # Keep this set: per the note above, leaving it out means no limit, which
  # hands a crafted payload a CPU-exhaustion lever on the detect threads.
  inspection-recursion-limit: 3000
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  # NOTE(review): the trade-off is that traffic seen while rules are still
  # loading is presumably not inspected — confirm before enabling on an IPS.
  #delayed-detect: yes

  prefilter:
    # default prefiltering setting. "mpm" only creates MPM/fast_pattern
    # engines. "auto" also sets up prefilter engines for other keywords.
    # Use --list-keywords=all to see which keywords support prefiltering.
    default: mpm

  # the grouping values above control how many groups are created per
  # direction. Port whitelisting forces that port to get its own group.
  # Very common ports will benefit, as well as ports with many expensive
  # rules.
  grouping:
    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
    #udp-whitelist: 53, 135, 5060

  profiling:
    # Log the rules that made it past the prefilter stage, per packet
    # default is off. The threshold setting determines how many rules
    # must have made it past pre-filter for that rule to trigger the
    # logging.
    #inspect-logging-threshold: 200
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false
  1335.  
# Select the multi pattern algorithm you want the engine to use for
# scanning/searching.
#
# The supported algorithms are:
# "ac"      - Aho-Corasick, default implementation
# "ac-bs"   - Aho-Corasick, reduced memory implementation
# "ac-cuda" - Aho-Corasick, CUDA implementation
# "ac-ks"   - Aho-Corasick, "Ken Steele" variant
# "hs"      - Hyperscan, available when built with Hyperscan support
#
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda: b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.

mpm-algo: auto
  1361.  
# Select the matching algorithm you want to use for single-pattern searches.
#
# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
# available if Suricata has been built with Hyperscan support).
#
# The default of "auto" will use "hs" if available, otherwise "bm".
# Choice of algorithm affects speed only, not which rules match.

spm-algo: auto
  1370.  
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  # NOTE(review): with this set to no, the cpu-affinity block below is
  # presumably not applied at all — confirm before relying on the pinning.
  set-cpu-affinity: no
  # Tune cpu affinity of threads. Each family of threads can be bound
  # on specific CPUs.
  #
  # These 2 apply to all runmodes:
  # management-cpu-set is used for flow timeout handling, counters
  # worker-cpu-set is used for 'worker' threads
  #
  # Additionally, for autofp these apply:
  # receive-cpu-set is used for capture threads
  # verdict-cpu-set is used for IPS verdict threads
  #
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        # Use explicitly 3 threads and don't compute the number from the
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    #- verdict-cpu-set:
    #    cpu: [ 0 ]
    #    prio:
    #      default: "high"
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, fewer threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting, at a minimum 1 detect
  # thread will always be created.
  #
  detect-thread-ratio: 1.0
  1415.  
# Luajit has a strange memory requirement: its 'states' need to be in the
# first 2G of the process' memory.
#
# 'luajit.states' is used to control how many states are preallocated.
# State use: per detect script: 1 per detect thread. Per output script: 1 per
# script.
luajit:
  states: 128
  1424.  
# Profiling settings. Only effective if Suricata has been built with the
# --enable-profiling configure flag.
#
# NOTE(review): the filenames below are bare names; presumably they are
# resolved against the engine's log directory — confirm, and make sure that
# directory is not readable by unprivileged users, since the per-sid rule
# stats describe which signatures are loaded on this sensor.
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # rule profiling
  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule_perf.log
    # append: yes means the file is not truncated at start-up, so it
    # presumably keeps growing across restarts — rotate it or disable
    # profiling on long-running production sensors.
    append: yes

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    #sort: avgticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    limit: 10

    # output to json
    json: yes

  # per keyword profiling
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

  # per rulegroup profiling
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes

  # packet profiling
  packets:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes

    # per packet csv output
    csv:

      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv

  # profiling of locking. Only available when Suricata was built with
  # --enable-profiling-locks.
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
  1493.  
##
## Netfilter integration
##

# When running in NFQ inline mode, it is possible to use a simulated
# non-terminal NFQUEUE verdict.
# This permits sending all needed packets to suricata via a rule like:
#        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
# And below, you can have your standard filtering ruleset. To activate
# this mode, you need to set mode to 'repeat'
# If you want packets to be sent to another queue after an ACCEPT decision
# set mode to 'route' and set the next-queue value.
# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
# by processing several packets before sending a verdict (worker runmode only).
# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
# accept the packet if suricata is not able to keep pace.
# NOTE(review): fail-open trades inspection for availability — packets the
# kernel accepts this way reach their destination uninspected. Decide
# deliberately whether an overloaded sensor should pass or hold traffic.
# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
# on packets of a flow that need to be bypassed. The Netfilter ruleset has to
# directly accept all packets of a flow once a packet has been marked.
#
# Left empty here (a bare key parses as null); uncomment keys below to
# change the engine's defaults.
nfq:
#  mode: accept
#  repeat-mark: 1
#  repeat-mask: 1
#  bypass-mark: 1
#  bypass-mask: 1
#  route-queue: 2
#  batchcount: 20
#  fail-open: yes
  1523.  
# nflog support
nflog:
    # netlink multicast group
    # (the same as the iptables --nflog-group param)
    # Group 0 is used by the kernel, so you can't use it
  - group: 2
    # netlink buffer size
    buffer-size: 18432
    # Defaults applied to every group not listed explicitly above
  - group: default
    # number of packets to queue inside the kernel
    qthreshold: 1
    # delay before flushing the packet queue inside the kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000
  1540.  
##
## Advanced Capture Options
##

# general settings affecting packet capture
capture:
  # disable NIC offloading. It's restored when Suricata exits.
  # Enabled by default
  #disable-offloading: false
  #
  # disable checksum validation. Same as setting '-k none' on the
  # commandline
  #checksum-validation: none
  1554.  
# Netmap support
#
# Netmap operates with the NIC directly in the driver, so you need FreeBSD,
# which has built-in netmap support, or to compile and install the netmap
# module and an appropriate NIC driver on your Linux system.
# To reach maximum throughput disable all receive-, segmentation-,
# checksum- offloadings on NIC.
# Disabling Tx checksum offloading is *required* for connecting OS endpoint
# with NIC endpoint.
# You can find more information at https://github.com/luigirizzo/netmap
#
netmap:
   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
 - interface: eth2
   # Number of receive threads. "auto" uses number of RSS queues on interface.
   #threads: auto
   # You can use the following variables to activate netmap tap or IPS mode.
   # If copy-mode is set to ips or tap, the traffic coming to the current
   # interface will be copied to the copy-iface interface. If 'tap' is set, the
   # copy is complete. If 'ips' is set, the packet matching a 'drop' action
   # will not be copied.
   # NOTE(review): only 'ips' honours 'drop' actions; in 'tap' mode every
   # packet is copied through regardless of the verdict, so a rule with a
   # 'drop' action only alerts there.
   # To specify the OS as the copy-iface (so the OS can route packets, or forward
   # to a service running on the same machine) add a plus sign at the end
   # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
   # for return packets. Hardware checksumming must be *off* on the interface if
   # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
   # or 'ethtool -K eth0 tx off rx off' for Linux).
   #copy-mode: tap
   #copy-iface: eth3
   # Set to yes to disable promiscuous mode
   # disable-promisc: no
   # Choose checksum verification mode for the interface. At the moment
   # of the capture, some packets may be with an invalid checksum due to
   # offloading to the network card of the checksum computation.
   # Possible values are:
   #  - yes: checksum validation is forced
   #  - no: checksum validation is disabled
   #  - auto: suricata uses a statistical approach to detect when
   #  checksum off-loading is used.
   # Warning: 'checksum-validation' must be set to yes to have any validation
   #checksum-checks: auto
   # BPF filter to apply to this interface. The pcap filter syntax applies here.
   # A capture filter is a blind spot by design: traffic it excludes never
   # reaches the engine, so it is neither inspected nor logged — keep any
   # filter consistent with what the ruleset is expected to cover.
   #bpf-filter: port 80 or udp
 #- interface: eth3
   #threads: auto
   #copy-mode: tap
   #copy-iface: eth2
   # Put default values here
 - interface: default
  1604.  
# PF_RING configuration, for use with native PF_RING support.
# For more info see http://www.ntop.org/products/pf_ring/
pfring:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1

    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow.
    # Possible values are cluster_flow or cluster_round_robin.
    cluster-type: cluster_flow
    # bpf filter for this interface. Traffic excluded by the filter never
    # reaches the engine, so it is neither inspected nor logged.
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  - interface: default
    #threads: 2
  1642.  
# For FreeBSD ipfw(8) divert(4) support.
# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
# Additionally, you need to have an ipfw rule for the engine to see
# the packets from ipfw.  For Example:
#
#   ipfw add 100 divert 8000 ip from any to any
#
# The 8000 above should be the same number you passed on the command
# line, i.e. -d 8000
#
ipfw:

  # Reinject packets at the specified ipfw rule number.  This config
  # option is the ipfw rule number AT WHICH rule processing continues
  # in the ipfw processing system after the engine has finished
  # inspecting the packet for acceptance.  If no rule number is specified,
  # accepted packets are reinjected at the divert rule which they entered
  # and IPFW rule processing continues.  No check is done to verify
  # that this rule makes sense, so care must be taken to avoid loops in ipfw.
  # NOTE(review): since processing resumes AT the given number, any
  # filtering rules numbered below it are skipped for accepted packets —
  # choose a number that keeps them subject to the rest of the ruleset.
  #
  ## The following example tells the engine to reinject packets
  # back into the ipfw firewall AT rule number 5500:
  #
  # ipfw-reinjection-rule-number: 5500
  1668.  
  1669.  
napatech:
    # The Host Buffer Allowance for all streams
    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
    # This may be enabled when sharing streams with another application.
    # Otherwise, it should be turned off.
    hba: -1

    # use-all-streams set to "yes" will query the Napatech service for all configured
    # streams and listen on all of them. When set to "no" the streams config array
    # below will be used.
    use-all-streams: yes

    # The streams to listen on (only consulted when use-all-streams is "no").
    # This can be either:
    #   a list of individual streams (e.g. streams: [0,1,2,3])
    # or
    #   a range of streams (e.g. streams: ["0-3"])
    streams: ["0-3"]
  1687.  
# Tilera mpipe configuration, for use on Tilera TILE-Gx.
mpipe:

  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
  load-balance: dynamic

  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
  # NOTE(review): the "2028" above is presumably a typo for 2048 — the other
  # sizes are powers of two and 2048 is the value configured below; confirm
  # against the mPIPE documentation.
  iqueue-packets: 2048

  # List of interfaces we will listen on.
  inputs:
  - interface: xgbe2
  - interface: xgbe3
  - interface: xgbe4


  # Relative weight of memory for packets of each mPipe buffer size.
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0
  1714.  
##
## Hardware acceleration
##

# Cuda configuration.
# NOTE(review): these settings only matter when a CUDA matcher is actually
# selected; with mpm-algo set to "auto" above (which picks "hs" or "ac")
# they are presumably inert — confirm before tuning them.
cuda:
  # The "mpm" profile.  On not specifying any of these parameters, the engine's
  # internal default values are used, which are the same as the ones specified
  # in the default conf file.
  mpm:
    # The minimum length required to buffer data to the gpu.
    # Anything below this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
    # A value of 0 indicates there's no limit.
    data-buffer-size-min-limit: 0
    # The maximum length for data that we would buffer to the gpu.
    # Anything over this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
    data-buffer-size-max-limit: 1500
    # The ring buffer size used by the CudaBuffer API to buffer data.
    cudabuffer-buffer-size: 500mb
    # The max chunk size that can be sent to the gpu in a single go.
    gpu-transfer-size: 50mb
    # The timeout limit for batching of packets in microseconds.
    batching-timeout: 2000
    # The device to use for the mpm.  Currently we don't support load balancing
    # on multiple gpus.  In case you have multiple devices on your system, you
    # can specify the device to use, using this conf.  By default we hold 0, to
    # specify the first device cuda sees.  To find out the device-id associated with
    # the card(s) on the system run "suricata --list-cuda-cards".
    device-id: 0
    # Number of Cuda streams used for asynchronous processing. All values > 0 are valid.
    # For this option you need a device with Compute Capability > 1.0.
    cuda-streams: 2
  1749.  
  1750. ##
  1751. ## Include other configs
  1752. ##
  1753.  
  1754. # Includes.  Files included here will be handled as if they were
  1755. # inlined in this configuration file.
  1756. #include: include1.yaml
  1757. #include: include2.yaml