Advertisement
Guest User

Untitled

a guest
Jun 18th, 2014
26
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 47.89 KB | None | 0 0
  1. %YAML 1.1
  2. ---
  3.  
  4. # Suricata configuration file. In addition to the comments describing all
  5. # options in this file, full documentation can be found at:
  6. # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
  7.  
  8.  
  9. # Number of packets allowed to be processed simultaneously. Default is a
  10. # conservative 1024. A higher number will make sure CPU's/CPU cores will be
  11. # more easily kept busy, but may negatively impact caching.
  12. #
  13. # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
  14. # apply. In that case try something like 60000 or more. This is because the CUDA
  15. # pattern matcher buffers and scans as many packets as possible in parallel.
  16. #max-pending-packets: 5000
  17.  
  18. # Runmode the engine should use. Please check --list-runmodes to get the available
  19. # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
  20. # load balancing).
  21. #runmode: autofp
  22.  
  23. # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
  24. #
  25. # Supported schedulers are:
  26. #
  27. # round-robin - Flows assigned to threads in a round robin fashion.
  28. # active-packets - Flows assigned to threads that have the lowest number of
  29. # unprocessed packets (default).
  30. # hash - Flow alloted usihng the address hash. More of a random
  31. # technique. Was the default in Suricata 1.2.1 and older.
  32. #
  33. #autofp-scheduler: active-packets
  34.  
  35. # If suricata box is a router for the sniffed networks, set it to 'router'. If
  36. # it is a pure sniffing setup, set it to 'sniffer-only'.
  37. # If set to auto, the variable is internally switch to 'router' in IPS mode
  38. # and 'sniffer-only' in IDS mode.
  39. # This feature is currently only used by the reject* keywords.
  40. host-mode: sniffer-only
  41.  
  42. # Run suricata as user and group.
  43. run-as:
  44. user: sguil
  45. group: sguil
  46.  
  47. # Default pid file.
  48. # Will use this file if no --pidfile in command options.
  49. #pid-file: /var/run/suricata.pid
  50.  
  51. # Daemon working directory
  52. # Suricata will change directory to this one if provided
  53. # Default: "/"
  54. #daemon-directory: "/"
  55.  
  56. # Preallocated size for packet. Default is 1514 which is the classical
  57. # size for pcap on ethernet. You should adjust this value to the highest
  58. # packet size (MTU + hardware header) on your system.
  59. #default-packet-size: 1514
  60.  
  61. # The default logging directory. Any log or output file will be
  62. # placed here if its not specified with a full path name. This can be
  63. # overridden with the -l command line parameter.
  64. default-log-dir: /var/log/nsm/
  65.  
  66. # Unix command socket can be used to pass commands to suricata.
  67. # An external tool can then connect to get information from suricata
  68. # or trigger some modifications of the engine. Set enabled to yes
  69. # to activate the feature. You can use the filename variable to set
  70. # the file name of the socket.
  71. unix-command:
  72. enabled: no
  73. #filename: custom.socket
  74.  
  75. # Configure the type of alert (and other) logging you would like.
  76. outputs:
  77.  
  78. # a line based alerts log similar to Snort's fast.log
  79. - fast:
  80. enabled: no
  81. filename: fast.log
  82. append: yes
  83. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  84.  
  85. # Extensible Event Format (nicknamed EVE) event log in JSON format
  86. - eve-log:
  87. enabled: no
  88. type: file #file|syslog|unix_dgram|unix_stream
  89. filename: eve.json
  90. # the following are valid when type: syslog above
  91. #identity: "suricata"
  92. #facility: local5
  93. #level: Info ## possible levels: Emergency, Alert, Critical,
  94. ## Error, Warning, Notice, Info, Debug
  95. types:
  96. - alert
  97. - http:
  98. extended: yes # enable this for extended logging information
  99. # custom allows additional http fields to be included in eve-log
  100. # the example below adds three additional fields when uncommented
  101. #custom: [Accept-Encoding, Accept-Language, Authorization]
  102. - dns
  103. - tls:
  104. extended: yes # enable this for extended logging information
  105. - files:
  106. force-magic: no # force logging magic on all logged files
  107. force-md5: no # force logging of md5 checksums
  108. #- drop
  109. - ssh
  110.  
  111. # alert output for use with Barnyard2
  112. - unified2-alert:
  113. enabled: yes
  114. filename: snort.unified2
  115.  
  116. # File size limit. Can be specified in kb, mb, gb. Just a number
  117. # is parsed as bytes.
  118. #limit: 32mb
  119.  
  120. # Sensor ID field of unified2 alerts.
  121. #sensor-id: 0
  122.  
  123. # HTTP X-Forwarded-For support by adding the unified2 extra header that
  124. # will contain the actual client IP address or by overwriting the source
  125. # IP address (helpful when inspecting traffic that is being reversed
  126. # proxied).
  127. xff:
  128. enabled: no
  129. # Two operation modes are available, "extra-data" and "overwrite". Note
  130. # that in the "overwrite" mode, if the reported IP address in the HTTP
  131. # X-Forwarded-For header is of a different version of the packet
  132. # received, it will fall-back to "extra-data" mode.
  133. mode: extra-data
  134. # Header name were the actual IP address will be reported, if more than
  135. # one IP address is present, the last IP address will be the one taken
  136. # into consideration.
  137. header: X-Forwarded-For
  138.  
  139. # a line based log of HTTP requests (no alerts)
  140. - http-log:
  141. enabled: no
  142. filename: http.log
  143. append: yes
  144. #extended: yes # enable this for extended logging information
  145. #custom: yes # enabled the custom logging format (defined by customformat)
  146. #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
  147. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  148.  
  149. # a line based log of TLS handshake parameters (no alerts)
  150. - tls-log:
  151. enabled: no # Log TLS connections.
  152. filename: tls.log # File to store TLS logs.
  153. append: yes
  154. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  155. #extended: yes # Log extended information like fingerprint
  156. certs-log-dir: certs # directory to store the certificates files
  157.  
  158. # a line based log of DNS requests and/or replies (no alerts)
  159. - dns-log:
  160. enabled: no
  161. filename: dns.log
  162. append: yes
  163. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  164.  
  165. # a line based log to used with pcap file study.
  166. # this module is dedicated to offline pcap parsing (empty output
  167. # if used with another kind of input). It can interoperate with
  168. # pcap parser like wireshark via the suriwire plugin.
  169. - pcap-info:
  170. enabled: no
  171.  
  172. # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  173. # and "sguil".
  174. #
  175. # In normal mode a pcap file "filename" is created in the default-log-dir,
  176. # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
  177. # In this base dir the pcaps are created in th directory structure Sguil expects:
  178. #
  179. # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  180. #
  181. # By default all packets are logged except:
  182. # - TCP streams beyond stream.reassembly.depth
  183. # - encrypted streams after the key exchange
  184. #
  185. - pcap-log:
  186. enabled: no
  187. filename: log.pcap
  188.  
  189. # File size limit. Can be specified in kb, mb, gb. Just a number
  190. # is parsed as bytes.
  191. limit: 1000mb
  192.  
  193. # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
  194. max-files: 2000
  195.  
  196. mode: normal # normal or sguil.
  197. #sguil-base-dir: /nsm_data/
  198. #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
  199. use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
  200.  
  201. # a full alerts log containing much information for signature writers
  202. # or for investigating suspected false positives.
  203. - alert-debug:
  204. enabled: no
  205. filename: alert-debug.log
  206. append: yes
  207. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  208.  
  209. # alert output to prelude (http://www.prelude-technologies.com/) only
  210. # available if Suricata has been compiled with --enable-prelude
  211. - alert-prelude:
  212. enabled: no
  213. profile: suricata
  214. log-packet-content: no
  215. log-packet-header: yes
  216.  
  217. # Stats.log contains data from various counters of the suricata engine.
  218. # The interval field (in seconds) tells after how long output will be written
  219. # on the log file.
  220. - stats:
  221. enabled: yes
  222. filename: stats.log
  223. interval: 60
  224.  
  225. # a line based alerts log similar to fast.log into syslog
  226. - syslog:
  227. enabled: no
  228. # reported identity to syslog. If ommited the program name (usually
  229. # suricata) will be used.
  230. #identity: "suricata"
  231. facility: local5
  232. #level: Info ## possible levels: Emergency, Alert, Critical,
  233. ## Error, Warning, Notice, Info, Debug
  234.  
  235. # a line based information for dropped packets in IPS mode
  236. - drop:
  237. enabled: no
  238. filename: drop.log
  239. append: yes
  240. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  241.  
  242. # output module to store extracted files to disk
  243. #
  244. # The files are stored to the log-dir in a format "file.<id>" where <id> is
  245. # an incrementing number starting at 1. For each file "file.<id>" a meta
  246. # file "file.<id>.meta" is created.
  247. #
  248. # File extraction depends on a lot of things to be fully done:
  249. # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  250. # - http request / response body sizes. Again set to 0 for optimal results.
  251. # - rules that contain the "filestore" keyword.
  252. - file-store:
  253. enabled: no # set to yes to enable
  254. log-dir: files # directory to store the files
  255. force-magic: no # force logging magic on all stored files
  256. force-md5: no # force logging of md5 checksums
  257. #waldo: file.waldo # waldo file to store the file_id across runs
  258.  
  259. # output module to log files tracked in a easily parsable json format
  260. - file-log:
  261. enabled: no
  262. filename: files-json.log
  263. append: yes
  264. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  265.  
  266. force-magic: no # force logging magic on all logged files
  267. force-md5: no # force logging of md5 checksums
  268.  
  269. # Magic file. The extension .mgc is added to the value here.
  270. #magic-file: /usr/share/file/magic
  271. magic-file: /usr/share/file/magic
  272.  
  273. # When running in NFQ inline mode, it is possible to use a simulated
  274. # non-terminal NFQUEUE verdict.
  275. # This permit to do send all needed packet to suricata via this a rule:
  276. # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
  277. # And below, you can have your standard filtering ruleset. To activate
  278. # this mode, you need to set mode to 'repeat'
  279. # If you want packet to be sent to another queue after an ACCEPT decision
  280. # set mode to 'route' and set next-queue value.
  281. # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
  282. # by processing several packets before sending a verdict (worker runmode only).
  283. # On linux >= 3.6, you can set the fail-open option to yes to have the kernel
  284. # accept the packet if suricata is not able to keep pace.
  285. nfq:
  286. # mode: accept
  287. # repeat-mark: 1
  288. # repeat-mask: 1
  289. # route-queue: 2
  290. # batchcount: 20
  291. # fail-open: yes
  292.  
  293. # af-packet support
  294. # Set threads to > 1 to use PACKET_FANOUT support
  295. af-packet:
  296. - interface: eth1
  297. # Number of receive threads (>1 will enable experimental flow pinned
  298. # runmode)
  299. threads: 2
  300. # Default clusterid. AF_PACKET will load balance packets based on flow.
  301. # All threads/processes that will participate need to have the same
  302. # clusterid.
  303. cluster-id: 51
  304. # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
  305. # This is only supported for Linux kernel > 3.1
  306. # possible value are:
  307. # * cluster_round_robin: round robin load balancing
  308. # * cluster_flow: all packets of a given flow are send to the same socket
  309. # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
  310. cluster-type: cluster_flow
  311. # In some fragmentation case, the hash can not be computed. If "defrag" is set
  312. # to yes, the kernel will do the needed defragmentation before sending the packets.
  313. defrag: yes
  314. # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
  315. use-mmap: yes
  316. # Ring size will be computed with respect to max_pending_packets and number
  317. # of threads. You can set manually the ring size in number of packets by setting
  318. # the following value. If you are using flow cluster-type and have really network
  319. # intensive single-flow you could want to set the ring-size independantly of the number
  320. # of threads:
  321. #ring-size: 2048
  322. # On busy system, this could help to set it to yes to recover from a packet drop
  323. # phase. This will result in some packets (at max a ring flush) being non treated.
  324. #use-emergency-flush: yes
  325. # recv buffer size, increase value could improve performance
  326. # buffer-size: 32768
  327. # Set to yes to disable promiscuous mode
  328. # disable-promisc: no
  329. # Choose checksum verification mode for the interface. At the moment
  330. # of the capture, some packets may be with an invalid checksum due to
  331. # offloading to the network card of the checksum computation.
  332. # Possible values are:
  333. # - kernel: use indication sent by kernel for each packet (default)
  334. # - yes: checksum validation is forced
  335. # - no: checksum validation is disabled
  336. # - auto: suricata uses a statistical approach to detect when
  337. # checksum off-loading is used.
  338. # Warning: 'checksum-validation' must be set to yes to have any validation
  339. #checksum-checks: kernel
  340. # BPF filter to apply to this interface. The pcap filter syntax apply here.
  341. #bpf-filter: port 80 or udp
  342. # You can use the following variables to activate AF_PACKET tap od IPS mode.
  343. # If copy-mode is set to ips or tap, the traffic coming to the current
  344. # interface will be copied to the copy-iface interface. If 'tap' is set, the
  345. # copy is complete. If 'ips' is set, the packet matching a 'drop' action
  346. # will not be copied.
  347. #copy-mode: ips
  348. #copy-iface: eth1
  349. - interface: eth1
  350. threads: 2
  351. cluster-id: 51
  352. cluster-type: cluster_flow
  353. defrag: yes
  354. # buffer-size: 32768
  355. # disable-promisc: no
  356. # Put default values here
  357. - interface: default
  358. #threads: 2
  359. #use-mmap: yes
  360.  
  361. legacy:
  362. uricontent: enabled
  363.  
  364. # You can specify a threshold config file by setting "threshold-file"
  365. # to the path of the threshold config file:
  366. threshold-file: /etc/nsm/hera-na0-eth1/threshold.conf
  367.  
  368. # The detection engine builds internal groups of signatures. The engine
  369. # allow us to specify the profile to use for them, to manage memory on an
  370. # efficient way keeping a good performance. For the profile keyword you
  371. # can use the words "low", "medium", "high" or "custom". If you use custom
  372. # make sure to define the values at "- custom-values" as your convenience.
  373. # Usually you would prefer medium/high/low.
  374. #
  375. # "sgh mpm-context", indicates how the staging should allot mpm contexts for
  376. # the signature groups. "single" indicates the use of a single context for
  377. # all the signature group heads. "full" indicates a mpm-context for each
  378. # group head. "auto" lets the engine decide the distribution of contexts
  379. # based on the information the engine gathers on the patterns from each
  380. # group head.
  381. #
  382. # The option inspection-recursion-limit is used to limit the recursive calls
  383. # in the content inspection code. For certain payload-sig combinations, we
  384. # might end up taking too much time in the content inspection code.
  385. # If the argument specified is 0, the engine uses an internally defined
  386. # default limit. On not specifying a value, we use no limits on the recursion.
  387. detect-engine:
  388. - profile: medium
  389. - custom-values:
  390. toclient-src-groups: 2
  391. toclient-dst-groups: 2
  392. toclient-sp-groups: 2
  393. toclient-dp-groups: 3
  394. toserver-src-groups: 2
  395. toserver-dst-groups: 4
  396. toserver-sp-groups: 2
  397. toserver-dp-groups: 25
  398. - sgh-mpm-context: auto
  399. - inspection-recursion-limit: 3000
  400. # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  401. # will trigger a live rule reload. Experimental feature, use with care.
  402. #- rule-reload: true
  403. # If set to yes, the loading of signatures will be made after the capture
  404. # is started. This will limit the downtime in IPS mode.
  405. #- delayed-detect: yes
  406.  
  407. # Suricata is multi-threaded. Here the threading can be influenced.
  408. threading:
  409. # On some cpu's/architectures it is beneficial to tie individual threads
  410. # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
  411. # and each extra CPU/core has one "detect" thread.
  412. #
  413. # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
  414. #
  415. set-cpu-affinity: no
  416. # Tune cpu affinity of suricata threads. Each family of threads can be bound
  417. # on specific CPUs.
  418. cpu-affinity:
  419. - management-cpu-set:
  420. cpu: [ 0 ] # include only these cpus in affinity settings
  421. - receive-cpu-set:
  422. cpu: [ 0 ] # include only these cpus in affinity settings
  423. - decode-cpu-set:
  424. cpu: [ 0, 1 ]
  425. mode: "balanced"
  426. - stream-cpu-set:
  427. cpu: [ "0-1" ]
  428. - detect-cpu-set:
  429. cpu: [ "all" ]
  430. mode: "exclusive" # run detect threads in these cpus
  431. # Use explicitely 3 threads and don't compute number by using
  432. # detect-thread-ratio variable:
  433. # threads: 3
  434. prio:
  435. low: [ 0 ]
  436. medium: [ "1-2" ]
  437. high: [ 3 ]
  438. default: "medium"
  439. - verdict-cpu-set:
  440. cpu: [ 0 ]
  441. prio:
  442. default: "high"
  443. - reject-cpu-set:
  444. cpu: [ 0 ]
  445. prio:
  446. default: "low"
  447. - output-cpu-set:
  448. cpu: [ "all" ]
  449. prio:
  450. default: "medium"
  451. #
  452. # By default Suricata creates one "detect" thread per available CPU/CPU core.
  453. # This setting allows controlling this behaviour. A ratio setting of 2 will
  454. # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  455. # will result in 4 detect threads. If values below 1 are used, less threads
  456. # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  457. # thread being created. Regardless of the setting at a minimum 1 detect
  458. # thread will always be created.
  459. #
  460. detect-thread-ratio: 1.5
  461.  
  462. # Cuda configuration.
  463. cuda:
  464. # The "mpm" profile. On not specifying any of these parameters, the engine's
  465. # internal default values are used, which are same as the ones specified in
  466. # in the default conf file.
  467. mpm:
  468. # The minimum length required to buffer data to the gpu.
  469. # Anything below this is MPM'ed on the CPU.
  470. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
  471. # A value of 0 indicates there's no limit.
  472. data-buffer-size-min-limit: 0
  473. # The maximum length for data that we would buffer to the gpu.
  474. # Anything over this is MPM'ed on the CPU.
  475. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
  476. data-buffer-size-max-limit: 1500
  477. # The ring buffer size used by the CudaBuffer API to buffer data.
  478. cudabuffer-buffer-size: 500mb
  479. # The max chunk size that can be sent to the gpu in a single go.
  480. gpu-transfer-size: 50mb
  481. # The timeout limit for batching of packets in microseconds.
  482. batching-timeout: 2000
  483. # The device to use for the mpm. Currently we don't support load balancing
  484. # on multiple gpus. In case you have multiple devices on your system, you
  485. # can specify the device to use, using this conf. By default we hold 0, to
  486. # specify the first device cuda sees. To find out device-id associated with
  487. # the card(s) on the system run "suricata --list-cuda-cards".
  488. device-id: 0
  489. # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
  490. # For this option you need a device with Compute Capability > 1.0.
  491. cuda-streams: 2
  492.  
  493. # Select the multi pattern algorithm you want to run for scan/search the
  494. # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
  495. # ac and ac-gfbs.
  496. #
  497. # The mpm you choose also decides the distribution of mpm contexts for
  498. # signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
  499. # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
  500. # to be set to "single", because of ac's memory requirements, unless the
  501. # ruleset is small enough to fit in one's memory, in which case one can
  502. # use "full" with "ac". Rest of the mpms can be run in "full" mode.
  503. #
  504. # There is also a CUDA pattern matcher (only available if Suricata was
  505. # compiled with --enable-cuda: b2g_cuda. Make sure to update your
  506. # max-pending-packets setting above as well if you use b2g_cuda.
  507.  
  508. mpm-algo: ac
  509.  
  510. # The memory settings for hash size of these algorithms can vary from lowest
  511. # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
  512. # (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
  513. # medium (1024) - high (2048).
  514. #
  515. # For B2g/B3g algorithms, there is a support for two different scan/search
  516. # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
  517. # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
  518. # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
  519. # B3gSearchBNDMq.
  520. #
  521. # For B2g the different scan/search algorithms and, hash and bloom
  522. # filter size settings. For B3g the different scan/search algorithms and, hash
  523. # and bloom filter size settings. For wumanber the hash and bloom filter size
  524. # settings.
  525.  
  526. pattern-matcher:
  527. - b2gc:
  528. search-algo: B2gSearchBNDMq
  529. hash-size: low
  530. bf-size: medium
  531. - b2gm:
  532. search-algo: B2gSearchBNDMq
  533. hash-size: low
  534. bf-size: medium
  535. - b2g:
  536. search-algo: B2gSearchBNDMq
  537. hash-size: low
  538. bf-size: medium
  539. - b3g:
  540. search-algo: B3gSearchBNDMq
  541. hash-size: low
  542. bf-size: medium
  543. - wumanber:
  544. hash-size: low
  545. bf-size: medium
  546.  
  547. # Defrag settings:
  548.  
  549. defrag:
  550. memcap: 32mb
  551. hash-size: 65536
  552. trackers: 65535 # number of defragmented flows to follow
  553. max-frags: 65535 # number of fragments to keep (higher than trackers)
  554. prealloc: yes
  555. timeout: 60
  556.  
  557. # Enable defrag per host settings
  558. # host-config:
  559. #
  560. # - dmz:
  561. # timeout: 30
  562. # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
  563. #
  564. # - lan:
  565. # timeout: 45
  566. # address:
  567. # - 192.168.0.0/24
  568. # - 192.168.10.0/24
  569. # - 172.16.14.0/24
  570.  
  571. # Flow settings:
  572. # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
  573. # for flow allocation inside the engine. You can change this value to allow
  574. # more memory usage for flows.
  575. # The hash-size determine the size of the hash used to identify flows inside
  576. # the engine, and by default the value is 65536.
  577. # At the startup, the engine can preallocate a number of flows, to get a better
  578. # performance. The number of flows preallocated is 10000 by default.
  579. # emergency-recovery is the percentage of flows that the engine need to
  580. # prune before unsetting the emergency state. The emergency state is activated
  581. # when the memcap limit is reached, allowing to create new flows, but
  582. # prunning them with the emergency timeouts (they are defined below).
  583. # If the memcap is reached, the engine will try to prune flows
  584. # with the default timeouts. If it doens't find a flow to prune, it will set
  585. # the emergency bit and it will try again with more agressive timeouts.
  586. # If that doesn't work, then it will try to kill the last time seen flows
  587. # not in use.
  588. # The memcap can be specified in kb, mb, gb. Just a number indicates it's
  589. # in bytes.
  590.  
  591. flow:
  592. memcap: 128mb
  593. hash-size: 65536
  594. prealloc: 5000
  595. emergency-recovery: 30
  596.  
  597. # This option controls the use of vlan ids in the flow (and defrag)
  598. # hashing. Normally this should be enabled, but in some (broken)
  599. # setups where both sides of a flow are not tagged with the same vlan
  600. # tag, we can ignore the vlan id's in the flow hashing.
  601. vlan:
  602. use-for-tracking: false
  603.  
  604. # Specific timeouts for flows. Here you can specify the timeouts that the
  605. # active flows will wait to transit from the current state to another, on each
  606. # protocol. The value of "new" determine the seconds to wait after a hanshake or
  607. # stream startup before the engine free the data of that flow it doesn't
  608. # change the state to established (usually if we don't receive more packets
  609. # of that flow). The value of "established" is the amount of
  610. # seconds that the engine will wait to free the flow if it spend that amount
  611. # without receiving new packets or closing the connection. "closed" is the
  612. # amount of time to wait after a flow is closed (usually zero).
  613. #
  614. # There's an emergency mode that will become active under attack circumstances,
  615. # making the engine to check flow status faster. This configuration variables
  616. # use the prefix "emergency-" and work similar as the normal ones.
  617. # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
  618. # icmp.
  619.  
  620. flow-timeouts:
  621.  
  622. default:
  623. new: 30
  624. established: 300
  625. closed: 0
  626. emergency-new: 10
  627. emergency-established: 100
  628. emergency-closed: 0
  629. tcp:
  630. new: 60
  631. established: 3600
  632. closed: 120
  633. emergency-new: 10
  634. emergency-established: 300
  635. emergency-closed: 20
  636. udp:
  637. new: 30
  638. established: 300
  639. emergency-new: 10
  640. emergency-established: 100
  641. icmp:
  642. new: 30
  643. established: 300
  644. emergency-new: 10
  645. emergency-established: 100
  646.  
  647. # Stream engine settings. Here the TCP stream tracking and reassembly
  648. # engine is configured.
  649. #
  650. # stream:
  651. # memcap: 32mb # Can be specified in kb, mb, gb. Just a
  652. # # number indicates it's in bytes.
  653. # checksum-validation: yes # To validate the checksum of received
  654. # # packet. If csum validation is specified as
  655. # # "yes", then packet with invalid csum will not
  656. # # be processed by the engine stream/app layer.
  657. # # Warning: locally generated trafic can be
  658. # # generated without checksum due to hardware offload
  659. # # of checksum. You can control the handling of checksum
  660. # # on a per-interface basis via the 'checksum-checks'
  661. # # option
  662. # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
  663. # midstream: false # don't allow midstream session pickups
  664. # async-oneside: false # don't enable async stream handling
  665. # inline: no # stream inline mode
  666. # max-synack-queued: 5 # Max different SYN/ACKs to queue
  667. #
  668. # reassembly:
  669. # memcap: 64mb # Can be specified in kb, mb, gb. Just a number
  670. # # indicates it's in bytes.
  671. # depth: 1mb # Can be specified in kb, mb, gb. Just a number
  672. # # indicates it's in bytes.
  673. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
  674. # # this size. Can be specified in kb, mb,
  675. # # gb. Just a number indicates it's in bytes.
  676. # # The max acceptable size is 4024 bytes.
  677. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
  678. # # this size. Can be specified in kb, mb,
  679. # # gb. Just a number indicates it's in bytes.
  680. # # The max acceptable size is 4024 bytes.
  681. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
  682. # # This lower the risk of some evasion technics but could lead
  683. # # detection change between runs. It is set to 'yes' by default.
  684. # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
  685. # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
  686. # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
  687. # # of randomize-chunk-range is 10.
  688. #
  689. # raw: yes # 'Raw' reassembly enabled or disabled.
  690. # # raw is for content inspection by detection
  691. # # engine.
  692. #
  693. # chunk-prealloc: 250 # Number of preallocated stream chunks. These
  694. # # are used during stream inspection (raw).
  695. # segments: # Settings for reassembly segment pool.
  696. # - size: 4 # Size of the (data)segment for a pool
  697. # prealloc: 256 # Number of segments to prealloc and keep
  698. # # in the pool.
  699. #
  700. stream:
  701. memcap: 128mb
  702. checksum-validation: yes # reject wrong csums
  703. inline: no # auto will use inline mode in IPS mode, yes or no set it statically
  704. reassembly:
  705. memcap: 2gb
  706. depth: 4mb # reassemble 1mb into a stream
  707. toserver-chunk-size: 2560
  708. toclient-chunk-size: 2560
  709. randomize-chunk-size: yes
  710. #randomize-chunk-range: 10
  711. raw: yes
  712. chunk-prealloc: 250
  713. segments:
  714. - size: 4
  715. prealloc: 256
  716. - size: 16
  717. prealloc: 1500
  718. - size: 112
  719. prealloc: 2000
  720. - size: 248
  721. prealloc: 12500
  722. - size: 512
  723. prealloc: 12500
  724. - size: 768
  725. prealloc: 1024
  726. - size: 1448
  727. prealloc: 3500
  728. - size: 65535
  729. prealloc: 2000
  730.  
  731. # Host table:
  732. #
  733. # Host table is used by tagging and per host thresholding subsystems.
  734. #
  735. host:
  736. hash-size: 4096
  737. prealloc: 1000
  738. memcap: 16777216
  739.  
  740. # Logging configuration. This is not about logging IDS alerts, but
  741. # IDS output about what its doing, errors, etc.
  742. logging:
  743.  
  744. # The default log level, can be overridden in an output section.
  745. # Note that debug level logging will only be emitted if Suricata was
  746. # compiled with the --enable-debug configure option.
  747. #
  748. # This value is overriden by the SC_LOG_LEVEL env var.
  749. default-log-level: notice
  750.  
  751. # The default output format. Optional parameter, should default to
  752. # something reasonable if not provided. Can be overriden in an
  753. # output section. You can leave this out to get the default.
  754. #
  755. # This value is overriden by the SC_LOG_FORMAT env var.
  756. #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  757.  
  758. # A regex to filter output. Can be overridden in an output section.
  759. # Defaults to empty (no filter).
  760. #
  761. # This value is overriden by the SC_LOG_OP_FILTER env var.
  762. default-output-filter:
  763.  
  764. # Define your logging outputs. If none are defined, or they are all
  765. # disabled you will get the default - console output.
  766. outputs:
  767. - console:
  768. enabled: yes
  769. - file:
  770. enabled: no
  771. filename: /var/log/suricata.log
  772. - syslog:
  773. enabled: no
  774. facility: local5
  775. format: "[%i] <%d> -- "
  776.  
  777. # Tilera mpipe configuration. for use on Tilera TILE-Gx.
  778. mpipe:
  779.  
  780. # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
  781. load-balance: dynamic
  782.  
  783. # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
  784. iqueue-packets: 2048
  785.  
  786. # List of interfaces we will listen on.
  787. inputs:
  788. - interface: xgbe2
  789. - interface: xgbe3
  790. - interface: xgbe4
  791.  
  792.  
  793. # Relative weight of memory for packets of each mPipe buffer size.
  794. stack:
  795. size128: 0
  796. size256: 9
  797. size512: 0
  798. size1024: 0
  799. size1664: 7
  800. size4096: 0
  801. size10386: 0
  802. size16384: 0
  803.  
  804. # PF_RING configuration. for use with native PF_RING support
  805. # for more info see http://www.ntop.org/PF_RING.html
  806. pfring:
  807. - interface: eth1
  808. # Number of receive threads (>1 will enable experimental flow pinned
  809. # runmode)
  810. threads: 2
  811.  
  812. # Default clusterid. PF_RING will load balance packets based on flow.
  813. # All threads/processes that will participate need to have the same
  814. # clusterid.
  815. cluster-id: 51
  816.  
  817. # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
  818. # This is only supported in versions of PF_RING > 4.1.1.
  819. cluster-type: cluster_flow
  820. # bpf filter for this interface
  821. #bpf-filter: tcp
  822. # Choose checksum verification mode for the interface. At the moment
  823. # of the capture, some packets may be with an invalid checksum due to
  824. # offloading to the network card of the checksum computation.
  825. # Possible values are:
  826. # - rxonly: only compute checksum for packets received by network card.
  827. # - yes: checksum validation is forced
  828. # - no: checksum validation is disabled
  829. # - auto: suricata uses a statistical approach to detect when
  830. # checksum off-loading is used. (default)
  831. # Warning: 'checksum-validation' must be set to yes to have any validation
  832. #checksum-checks: auto
  833. # Second interface
  834. #- interface: eth1
  835. # threads: 3
  836. # cluster-id: 51
  837. # cluster-type: cluster_flow
  838. # Put default values here
  839. - interface: default
  840. #threads: 2
  841.  
  842. pcap:
  843. - interface: eth1
  844. # On Linux, pcap will try to use mmaped capture and will use buffer-size
  845. # as total of memory used by the ring. So set this to something bigger
  846. # than 1% of your bandwidth.
  847. #buffer-size: 16777216
  848. #bpf-filter: "tcp and port 25"
  849. # Choose checksum verification mode for the interface. At the moment
  850. # of the capture, some packets may be with an invalid checksum due to
  851. # offloading to the network card of the checksum computation.
  852. # Possible values are:
  853. # - yes: checksum validation is forced
  854. # - no: checksum validation is disabled
  855. # - auto: suricata uses a statistical approach to detect when
  856. # checksum off-loading is used. (default)
  857. # Warning: 'checksum-validation' must be set to yes to have any validation
  858. #checksum-checks: auto
  859. # With some accelerator cards using a modified libpcap (like myricom), you
  860. # may want to have the same number of capture threads as the number of capture
  861. # rings. In this case, set up the threads variable to N to start N threads
  862. # listening on the same interface.
  863. #threads: 16
  864. # set to no to disable promiscuous mode:
  865. #promisc: no
  866. # set snaplen, if not set it defaults to MTU if MTU can be known
  867. # via ioctl call and to full capture if not.
  868. #snaplen: 1518
  869. # Put default values here
  870. - interface: default
  871. #checksum-checks: auto
  872.  
  873. pcap-file:
  874. # Possible values are:
  875. # - yes: checksum validation is forced
  876. # - no: checksum validation is disabled
  877. # - auto: suricata uses a statistical approach to detect when
  878. # checksum off-loading is used. (default)
  879. # Warning: 'checksum-validation' must be set to yes to have checksum tested
  880. checksum-checks: auto
  881.  
  882. # For FreeBSD ipfw(8) divert(4) support.
  883. # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
  884. # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
  885. # Additionally, you need to have an ipfw rule for the engine to see
  886. # the packets from ipfw. For Example:
  887. #
  888. # ipfw add 100 divert 8000 ip from any to any
  889. #
  890. # The 8000 above should be the same number you passed on the command
  891. # line, i.e. -d 8000
  892. #
  893. ipfw:
  894.  
  895. # Reinject packets at the specified ipfw rule number. This config
  896. # option is the ipfw rule number AT WHICH rule processing continues
  897. # in the ipfw processing system after the engine has finished
  898. # inspecting the packet for acceptance. If no rule number is specified,
  899. # accepted packets are reinjected at the divert rule which they entered
  900. # and IPFW rule processing continues. No check is done to verify
  901. # this will rule makes sense so care must be taken to avoid loops in ipfw.
  902. #
  903. ## The following example tells the engine to reinject packets
  904. # back into the ipfw firewall AT rule number 5500:
  905. #
  906. # ipfw-reinjection-rule-number: 5500
  907.  
  908. # Set the default rule path here to search for the files.
  909. # if not set, it will look at the current working dir
  910. default-rule-path: /etc/nsm/rules/
  911. rule-files:
  912. - local.rules
  913. - downloaded.rules
  914.  
  915. classification-file: /etc/nsm/hera-na0-eth1/classification.config
  916. reference-config-file: /etc/nsm/hera-na0-eth1/reference.config
  917.  
  918. # Holds variables that would be used by the engine.
  919. vars:
  920.  
  921. # Holds the address group vars that would be passed in a Signature.
  922. # These would be retrieved during the Signature address parsing stage.
  923. address-groups:
  924.  
  925. HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
  926.  
  927. EXTERNAL_NET: "!$HOME_NET"
  928.  
  929. HTTP_SERVERS: "$HOME_NET"
  930.  
  931. SMTP_SERVERS: "$HOME_NET"
  932.  
  933. SQL_SERVERS: "$HOME_NET"
  934.  
  935. DNS_SERVERS: "$HOME_NET"
  936.  
  937. TELNET_SERVERS: "$HOME_NET"
  938.  
  939. AIM_SERVERS: "$EXTERNAL_NET"
  940.  
  941. DNP3_SERVER: "$HOME_NET"
  942.  
  943. DNP3_CLIENT: "$HOME_NET"
  944.  
  945. MODBUS_CLIENT: "$HOME_NET"
  946.  
  947. MODBUS_SERVER: "$HOME_NET"
  948.  
  949. ENIP_CLIENT: "$HOME_NET"
  950.  
  951. ENIP_SERVER: "$HOME_NET"
  952.  
  953. # Holds the port group vars that would be passed in a Signature.
  954. # These would be retrieved during the Signature port parsing stage.
  955. port-groups:
  956.  
  957. HTTP_PORTS: "80"
  958.  
  959. SHELLCODE_PORTS: "!80"
  960.  
  961. ORACLE_PORTS: 1521
  962.  
  963. SSH_PORTS: 22
  964.  
  965. DNP3_PORTS: 20000
  966.  
  967. # Set the order of alerts bassed on actions
  968. # The default order is pass, drop, reject, alert
  969. action-order:
  970. - pass
  971. - drop
  972. - reject
  973. - alert
  974.  
  975. # IP Reputation
  976. #reputation-categories-file: @e_sysconfdir@iprep/categories.txt
  977. #default-reputation-path: @e_sysconfdir@iprep
  978. #reputation-files:
  979. # - reputation.list
  980.  
  981. # Host specific policies for defragmentation and TCP stream
  982. # reassembly. The host OS lookup is done using a radix tree, just
  983. # like a routing table so the most specific entry matches.
  984. host-os-policy:
  985. # Make the default policy windows.
  986. windows: [0.0.0.0/0]
  987. bsd: []
  988. bsd-right: []
  989. old-linux: []
  990. linux: []
  991. old-solaris: []
  992. solaris: []
  993. hpux10: []
  994. hpux11: []
  995. irix: []
  996. macos: []
  997. vista: []
  998. windows2k3: []
  999.  
  1000.  
  1001. # Limit for the maximum number of asn1 frames to decode (default 256)
  1002. asn1-max-frames: 256
  1003.  
  1004. # When run with the option --engine-analysis, the engine will read each of
  1005. # the parameters below, and print reports for each of the enabled sections
  1006. # and exit. The reports are printed to a file in the default log dir
  1007. # given by the parameter "default-log-dir", with engine reporting
  1008. # subsection below printing reports in its own report file.
  1009. engine-analysis:
  1010. # enables printing reports for fast-pattern for every rule.
  1011. rules-fast-pattern: yes
  1012. # enables printing reports for each rule
  1013. rules: yes
  1014.  
  1015. #recursion and match limits for PCRE where supported
  1016. pcre:
  1017. match-limit: 3500
  1018. match-limit-recursion: 1500
  1019.  
  1020. # Holds details on the app-layer. The protocols section details each protocol.
  1021. # Under each protocol, the default value for detection-enabled and "
  1022. # parsed-enabled is yes, unless specified otherwise.
  1023. # Each protocol covers enabling/disabling parsers for all ipprotos
  1024. # the app-layer protocol runs on. For example "dcerpc" refers to the tcp
  1025. # version of the protocol as well as the udp version of the protocol.
  1026. # The option "enabled" takes 3 values - "yes", "no", "detection-only".
  1027. # "yes" enables both detection and the parser, "no" disables both, and
  1028. # "detection-only" enables detection only(parser disabled).
  1029. app-layer:
  1030. protocols:
  1031. tls:
  1032. enabled: yes
  1033. detection-ports:
  1034. dp: 443
  1035.  
  1036. #no-reassemble: yes
  1037. dcerpc:
  1038. enabled: yes
  1039. ftp:
  1040. enabled: yes
  1041. ssh:
  1042. enabled: yes
  1043. smtp:
  1044. enabled: yes
  1045. imap:
  1046. enabled: detection-only
  1047. msn:
  1048. enabled: detection-only
  1049. smb:
  1050. enabled: yes
  1051. detection-ports:
  1052. dp: 139
  1053. # smb2 detection is disabled internally inside the engine.
  1054. #smb2:
  1055. # enabled: yes
  1056. dns:
  1057. # memcaps. Globally and per flow/state.
  1058. #global-memcap: 16mb
  1059. #state-memcap: 512kb
  1060.  
  1061. # How many unreplied DNS requests are considered a flood.
  1062. # If the limit is reached, app-layer-event:dns.flooded; will match.
  1063. #request-flood: 500
  1064.  
  1065. tcp:
  1066. enabled: yes
  1067. detection-ports:
  1068. dp: 53
  1069. udp:
  1070. enabled: yes
  1071. detection-ports:
  1072. dp: 53
  1073. http:
  1074. enabled: yes
  1075. memcap: 256mb
  1076.  
  1077. ###########################################################################
  1078. # Configure libhtp.
  1079. #
  1080. #
  1081. # default-config: Used when no server-config matches
  1082. # personality: List of personalities used by default
  1083. # request-body-limit: Limit reassembly of request body for inspection
  1084. # by http_client_body & pcre /P option.
  1085. # response-body-limit: Limit reassembly of response body for inspection
  1086. # by file_data, http_server_body & pcre /Q option.
  1087. # double-decode-path: Double decode path section of the URI
  1088. # double-decode-query: Double decode query section of the URI
  1089. #
  1090. # server-config: List of server configurations to use if address matches
  1091. # address: List of ip addresses or networks for this block
  1092. # personalitiy: List of personalities used by this block
  1093. # request-body-limit: Limit reassembly of request body for inspection
  1094. # by http_client_body & pcre /P option.
  1095. # response-body-limit: Limit reassembly of response body for inspection
  1096. # by file_data, http_server_body & pcre /Q option.
  1097. # double-decode-path: Double decode path section of the URI
  1098. # double-decode-query: Double decode query section of the URI
  1099. #
  1100. # uri-include-all: Include all parts of the URI. By default the
  1101. # 'scheme', username/password, hostname and port
  1102. # are excluded. Setting this option to true adds
  1103. # all of them to the normalized uri as inspected
  1104. # by http_uri, urilen, pcre with /U and the other
  1105. # keywords that inspect the normalized uri.
  1106. # Note that this does not affect http_raw_uri.
  1107. # Also, note that including all was the default in
  1108. # 1.4 and 2.0beta1.
  1109. #
  1110. # meta-field-limit: Hard size limit for request and response size
  1111. # limits. Applies to request line and headers,
  1112. # response line and headers. Does not apply to
  1113. # request or response bodies. Default is 18k.
  1114. # If this limit is reached an event is raised.
  1115. #
  1116. # Currently Available Personalities:
  1117. # Minimal
  1118. # Generic
  1119. # IDS (default)
  1120. # IIS_4_0
  1121. # IIS_5_0
  1122. # IIS_5_1
  1123. # IIS_6_0
  1124. # IIS_7_0
  1125. # IIS_7_5
  1126. # Apache_2
  1127. ###########################################################################
  1128. libhtp:
  1129.  
  1130. default-config:
  1131. personality: IDS
  1132.  
  1133. # Can be specified in kb, mb, gb. Just a number indicates
  1134. # it's in bytes.
  1135. request-body-limit: 3072
  1136. response-body-limit: 3072
  1137.  
  1138. # inspection limits
  1139. request-body-minimal-inspect-size: 32kb
  1140. request-body-inspect-window: 4kb
  1141. response-body-minimal-inspect-size: 32kb
  1142. response-body-inspect-window: 4kb
  1143. # Take a random value for inspection sizes around the specified value.
  1144. # This lower the risk of some evasion technics but could lead
  1145. # detection change between runs. It is set to 'yes' by default.
  1146. #randomize-inspection-sizes: yes
  1147. # If randomize-inspection-sizes is active, the value of various
  1148. # inspection size will be choosen in the [1 - range%, 1 + range%]
  1149. # range
  1150. # Default value of randomize-inspection-range is 10.
  1151. #randomize-inspection-range: 10
  1152.  
  1153. # decoding
  1154. double-decode-path: no
  1155. double-decode-query: no
  1156.  
  1157. server-config:
  1158.  
  1159. #- apache:
  1160. # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
  1161. # personality: Apache_2
  1162. # # Can be specified in kb, mb, gb. Just a number indicates
  1163. # # it's in bytes.
  1164. # request-body-limit: 4096
  1165. # response-body-limit: 4096
  1166. # double-decode-path: no
  1167. # double-decode-query: no
  1168.  
  1169. #- iis7:
  1170. # address:
  1171. # - 192.168.0.0/24
  1172. # - 192.168.10.0/24
  1173. # personality: IIS_7_0
  1174. # # Can be specified in kb, mb, gb. Just a number indicates
  1175. # # it's in bytes.
  1176. # request-body-limit: 4096
  1177. # response-body-limit: 4096
  1178. # double-decode-path: no
  1179. # double-decode-query: no
  1180.  
  1181. # Profiling settings. Only effective if Suricata has been built with the
  1182. # the --enable-profiling configure flag.
  1183. #
  1184. profiling:
  1185. # Run profiling for every xth packet. The default is 1, which means we
  1186. # profile every packet. If set to 1000, one packet is profiled for every
  1187. # 1000 received.
  1188. #sample-rate: 1000
  1189.  
  1190. # rule profiling
  1191. rules:
  1192.  
  1193. # Profiling can be disabled here, but it will still have a
  1194. # performance impact if compiled in.
  1195. enabled: no
  1196. filename: rule_perf.log
  1197. append: yes
  1198.  
  1199. # Sort options: ticks, avgticks, checks, matches, maxticks
  1200. sort: avgticks
  1201.  
  1202. # Limit the number of items printed at exit.
  1203. limit: 100
  1204.  
  1205. # per keyword profiling
  1206. keywords:
  1207. enabled: no
  1208. filename: keyword_perf.log
  1209. append: yes
  1210.  
  1211. # packet profiling
  1212. packets:
  1213.  
  1214. # Profiling can be disabled here, but it will still have a
  1215. # performance impact if compiled in.
  1216. enabled: no
  1217. filename: packet_stats.log
  1218. append: yes
  1219.  
  1220. # per packet csv output
  1221. csv:
  1222.  
  1223. # Output can be disabled here, but it will still have a
  1224. # performance impact if compiled in.
  1225. enabled: no
  1226. filename: packet_stats.csv
  1227.  
  1228. # profiling of locking. Only available when Suricata was built with
  1229. # --enable-profiling-locks.
  1230. locks:
  1231. enabled: no
  1232. filename: lock_stats.log
  1233. append: yes
  1234.  
  1235. # Suricata core dump configuration. Limits the size of the core dump file to
  1236. # approximately max-dump. The actual core dump size will be a multiple of the
  1237. # page size. Core dumps that would be larger than max-dump are truncated. On
  1238. # Linux, the actual core dump size may be a few pages larger than max-dump.
  1239. # Setting max-dump to 0 disables core dumping.
  1240. # Setting max-dump to 'unlimited' will give the full core dump file.
  1241. # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
  1242. # to be 'unlimited'.
  1243.  
  1244. coredump:
  1245. max-dump: unlimited
  1246.  
  1247. napatech:
  1248. # The Host Buffer Allowance for all streams
  1249. # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
  1250. hba: -1
  1251.  
  1252. # use_all_streams set to "yes" will query the Napatech service for all configured
  1253. # streams and listen on all of them. When set to "no" the streams config array
  1254. # will be used.
  1255. use-all-streams: yes
  1256.  
  1257. # The streams to listen on
  1258. streams: [1, 2, 3]
  1259.  
  1260. # Includes. Files included here will be handled as if they were
  1261. # inlined in this configuration file.
  1262. #include: include1.yaml
  1263. #include: include2.yaml
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement