%YAML 1.1---# Suricata configuration file. In addition to the comments des

1. %YAML 1.1
2. ---
3.  
4. # Suricata configuration file. In addition to the comments describing all
5. # options in this file, full documentation can be found at:
6. # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7.  
8.  
9. # Number of packets allowed to be processed simultaneously. Default is a
10. # conservative 1024. A higher number will make sure CPU's/CPU cores will be
11. # more easily kept busy, but may negatively impact caching.
12. #
13. # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
14. # apply. In that case try something like 60000 or more. This is because the CUDA
15. # pattern matcher buffers and scans as many packets as possible in parallel.
16. #max-pending-packets: 1024
17.  
18. # Runmode the engine should use. Please check --list-runmodes to get the available
19. # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
20. # load balancing).
21. #runmode: autofp
22.  
23. # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
24. #
25. # Supported schedulers are:
26. #
27. # round-robin - Flows assigned to threads in a round robin fashion.
28. # active-packets - Flows assigned to threads that have the lowest number of
29. # unprocessed packets (default).
30. # hash - Flow alloted usihng the address hash. More of a random
31. # technique. Was the default in Suricata 1.2.1 and older.
32. #
33. #autofp-scheduler: active-packets
34.  
35. # If suricata box is a router for the sniffed networks, set it to 'router'. If
36. # it is a pure sniffing setup, set it to 'sniffer-only'.
37. # If set to auto, the variable is internally switch to 'router' in IPS mode
38. # and 'sniffer-only' in IDS mode.
39. # This feature is currently only used by the reject* keywords.
40. host-mode: auto
41.  
42. # Run suricata as user and group.
43. #run-as:
44. # user: suri
45. # group: suri
46.  
47. # Default pid file.
48. # Will use this file if no --pidfile in command options.
49. #pid-file: /var/run/suricata.pid
50.  
51. # Daemon working directory
52. # Suricata will change directory to this one if provided
53. # Default: "/"
54. #daemon-directory: "/"
55.  
56. # Preallocated size for packet. Default is 1514 which is the classical
57. # size for pcap on ethernet. You should adjust this value to the highest
58. # packet size (MTU + hardware header) on your system.
59. #default-packet-size: 1514
60.  
61. # The default logging directory. Any log or output file will be
62. # placed here if its not specified with a full path name. This can be
63. # overridden with the -l command line parameter.
64. default-log-dir: .
65.  
66. # Unix command socket can be used to pass commands to suricata.
67. # An external tool can then connect to get information from suricata
68. # or trigger some modifications of the engine. Set enabled to yes
69. # to activate the feature. You can use the filename variable to set
70. # the file name of the socket.
71. unix-command:
72. enabled: no
73. #filename: custom.socket
74.  
75. # Configure the type of alert (and other) logging you would like.
76. outputs:
77.  
78. # a line based alerts log similar to Snort's fast.log
79. - fast:
80. enabled: yes
81. filename: fast.log
82. append: no
83. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
84.  
85. # Extensible Event Format (nicknamed EVE) event log in JSON format
86. - eve-log:
87. enabled: yes
88. type: file #file|syslog|unix_dgram|unix_stream
89. filename: eve.json
90. # the following are valid when type: syslog above
91. #identity: "suricata"
92. #facility: local5
93. #level: Info ## possible levels: Emergency, Alert, Critical,
94. ## Error, Warning, Notice, Info, Debug
95. types:
96. - alert
97. - http:
98. extended: yes # enable this for extended logging information
99. # custom allows additional http fields to be included in eve-log
100. # the example below adds three additional fields when uncommented
101. #custom: [Accept-Encoding, Accept-Language, Authorization]
102. - dns
103. - tls:
104. extended: yes # enable this for extended logging information
105. - files:
106. force-magic: no # force logging magic on all logged files
107. #force-md5: no # force logging of md5 checksums
108. #- drop
109. - ssh
110.  
111. # alert output for use with Barnyard2
112. - unified2-alert:
113. enabled: no
114. filename: unified2.alert
115.  
116. # File size limit. Can be specified in kb, mb, gb. Just a number
117. # is parsed as bytes.
118. #limit: 32mb
119.  
120. # Sensor ID field of unified2 alerts.
121. #sensor-id: 0
122.  
123. # HTTP X-Forwarded-For support by adding the unified2 extra header that
124. # will contain the actual client IP address or by overwriting the source
125. # IP address (helpful when inspecting traffic that is being reversed
126. # proxied).
127. xff:
128. enabled: no
129. # Two operation modes are available, "extra-data" and "overwrite". Note
130. # that in the "overwrite" mode, if the reported IP address in the HTTP
131. # X-Forwarded-For header is of a different version of the packet
132. # received, it will fall-back to "extra-data" mode.
133. mode: extra-data
134. # Header name were the actual IP address will be reported, if more than
135. # one IP address is present, the last IP address will be the one taken
136. # into consideration.
137. header: X-Forwarded-For
138.  
139. # a line based log of HTTP requests (no alerts)
140. - http-log:
141. enabled: yes
142. filename: http.log
143. append: yes
144. #extended: yes # enable this for extended logging information
145. #custom: yes # enabled the custom logging format (defined by customformat)
146. #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
147. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
148.  
149. # a line based log of TLS handshake parameters (no alerts)
150. - tls-log:
151. enabled: no # Log TLS connections.
152. filename: tls.log # File to store TLS logs.
153. append: yes
154. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
155. #extended: yes # Log extended information like fingerprint
156. certs-log-dir: certs # directory to store the certificates files
157.  
158. # a line based log of DNS requests and/or replies (no alerts)
159. - dns-log:
160. enabled: no
161. filename: dns.log
162. append: yes
163. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
164.  
165. # a line based log to used with pcap file study.
166. # this module is dedicated to offline pcap parsing (empty output
167. # if used with another kind of input). It can interoperate with
168. # pcap parser like wireshark via the suriwire plugin.
169. - pcap-info:
170. enabled: no
171.  
172. # Packet log... log packets in pcap format. 2 modes of operation: "normal"
173. # and "sguil".
174. #
175. # In normal mode a pcap file "filename" is created in the default-log-dir,
176. # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
177. # In this base dir the pcaps are created in th directory structure Sguil expects:
178. #
179. # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
180. #
181. # By default all packets are logged except:
182. # - TCP streams beyond stream.reassembly.depth
183. # - encrypted streams after the key exchange
184. #
185. - pcap-log:
186. enabled: no
187. filename: log.pcap
188.  
189. # File size limit. Can be specified in kb, mb, gb. Just a number
190. # is parsed as bytes.
191. limit: 1000mb
192.  
193. # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
194. max-files: 2000
195.  
196. mode: normal # normal or sguil.
197. #sguil-base-dir: /nsm_data/
198. #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
199. use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
200.  
201. # a full alerts log containing much information for signature writers
202. # or for investigating suspected false positives.
203. - alert-debug:
204. enabled: yes
205. filename: alert-debug.log
206. append: yes
207. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
208.  
209. # alert output to prelude (http://www.prelude-technologies.com/) only
210. # available if Suricata has been compiled with --enable-prelude
211. - alert-prelude:
212. enabled: no
213. profile: suricata
214. log-packet-content: no
215. log-packet-header: yes
216.  
217. # Stats.log contains data from various counters of the suricata engine.
218. # The interval field (in seconds) tells after how long output will be written
219. # on the log file.
220. - stats:
221. enabled: yes
222. filename: stats.log
223. interval: 8
224.  
225. # a line based alerts log similar to fast.log into syslog
226. - syslog:
227. enabled: no
228. # reported identity to syslog. If ommited the program name (usually
229. # suricata) will be used.
230. #identity: "suricata"
231. facility: local5
232. #level: Info ## possible levels: Emergency, Alert, Critical,
233. ## Error, Warning, Notice, Info, Debug
234.  
235. # a line based information for dropped packets in IPS mode
236. - drop:
237. enabled: no
238. filename: drop.log
239. append: yes
240. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
241.  
242. # output module to store extracted files to disk
243. #
244. # The files are stored to the log-dir in a format "file.<id>" where <id> is
245. # an incrementing number starting at 1. For each file "file.<id>" a meta
246. # file "file.<id>.meta" is created.
247. #
248. # File extraction depends on a lot of things to be fully done:
249. # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
250. # - http request / response body sizes. Again set to 0 for optimal results.
251. # - rules that contain the "filestore" keyword.
252. - file-store:
253. enabled: yes # set to yes to enable
254. log-dir: ./bins # directory to store the files
255. force-magic: no # force logging magic on all stored files
256. #force-md5: no # force logging of md5 checksums
257. #waldo: file.waldo # waldo file to store the file_id across runs
258.  
259. # output module to log files tracked in a easily parsable json format
260. - file-log:
261. enabled: no
262. filename: files-json.log
263. append: yes
264. #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
265.  
266. force-magic: no # force logging magic on all logged files
267. #force-md5: no # force logging of md5 checksums
268.  
269. # Magic file. The extension .mgc is added to the value here.
270. #magic-file: /usr/share/file/magic
271. magic-file: /usr/share/file/magic
272.  
273. # When running in NFQ inline mode, it is possible to use a simulated
274. # non-terminal NFQUEUE verdict.
275. # This permit to do send all needed packet to suricata via this a rule:
276. # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
277. # And below, you can have your standard filtering ruleset. To activate
278. # this mode, you need to set mode to 'repeat'
279. # If you want packet to be sent to another queue after an ACCEPT decision
280. # set mode to 'route' and set next-queue value.
281. # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
282. # by processing several packets before sending a verdict (worker runmode only).
283. # On linux >= 3.6, you can set the fail-open option to yes to have the kernel
284. # accept the packet if suricata is not able to keep pace.
285. nfq:
286. # mode: accept
287. # repeat-mark: 1
288. # repeat-mask: 1
289. # route-queue: 2
290. # batchcount: 20
291. # fail-open: yes
292.  
293. #nflog support
294. nflog:
295. # netlink multicast group
296. # (the same as the iptables --nflog-group param)
297. # Group 0 is used by the kernel, so you can't use it
298. - group: 2
299. # netlink buffer size
300. buffer-size: 18432
301. # put default value here
302. - group: default
303. # set number of packet to queue inside kernel
304. qthreshold: 1
305. # set the delay before flushing packet in the queue inside kernel
306. qtimeout: 100
307. # netlink max buffer size
308. max-size: 20000
309.  
310. # af-packet support
311. # Set threads to > 1 to use PACKET_FANOUT support
312. af-packet:
313. - interface: eth0
314. # Number of receive threads (>1 will enable experimental flow pinned
315. # runmode)
316. threads: 1
317. # Default clusterid. AF_PACKET will load balance packets based on flow.
318. # All threads/processes that will participate need to have the same
319. # clusterid.
320. cluster-id: 99
321. # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
322. # This is only supported for Linux kernel > 3.1
323. # possible value are:
324. # * cluster_round_robin: round robin load balancing
325. # * cluster_flow: all packets of a given flow are send to the same socket
326. # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
327. cluster-type: cluster_flow
328. # In some fragmentation case, the hash can not be computed. If "defrag" is set
329. # to yes, the kernel will do the needed defragmentation before sending the packets.
330. defrag: yes
331. # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
332. use-mmap: yes
333. # Ring size will be computed with respect to max_pending_packets and number
334. # of threads. You can set manually the ring size in number of packets by setting
335. # the following value. If you are using flow cluster-type and have really network
336. # intensive single-flow you could want to set the ring-size independantly of the number
337. # of threads:
338. #ring-size: 2048
339. # On busy system, this could help to set it to yes to recover from a packet drop
340. # phase. This will result in some packets (at max a ring flush) being non treated.
341. #use-emergency-flush: yes
342. # recv buffer size, increase value could improve performance
343. # buffer-size: 32768
344. # Set to yes to disable promiscuous mode
345. # disable-promisc: no
346. # Choose checksum verification mode for the interface. At the moment
347. # of the capture, some packets may be with an invalid checksum due to
348. # offloading to the network card of the checksum computation.
349. # Possible values are:
350. # - kernel: use indication sent by kernel for each packet (default)
351. # - yes: checksum validation is forced
352. # - no: checksum validation is disabled
353. # - auto: suricata uses a statistical approach to detect when
354. # checksum off-loading is used.
355. # Warning: 'checksum-validation' must be set to yes to have any validation
356. #checksum-checks: kernel
357. # BPF filter to apply to this interface. The pcap filter syntax apply here.
358. #bpf-filter: port 80 or udp
359. # You can use the following variables to activate AF_PACKET tap od IPS mode.
360. # If copy-mode is set to ips or tap, the traffic coming to the current
361. # interface will be copied to the copy-iface interface. If 'tap' is set, the
362. # copy is complete. If 'ips' is set, the packet matching a 'drop' action
363. # will not be copied.
364. #copy-mode: ips
365. #copy-iface: eth1
366. - interface: eth1
367. threads: 1
368. cluster-id: 98
369. cluster-type: cluster_flow
370. defrag: yes
371. # buffer-size: 32768
372. # disable-promisc: no
373. # Put default values here
374. - interface: default
375. #threads: 2
376. #use-mmap: yes
377.  
378. legacy:
379. uricontent: enabled
380.  
381. # You can specify a threshold config file by setting "threshold-file"
382. # to the path of the threshold config file:
383. # threshold-file: /etc/suricata/threshold.config
384.  
385. # The detection engine builds internal groups of signatures. The engine
386. # allow us to specify the profile to use for them, to manage memory on an
387. # efficient way keeping a good performance. For the profile keyword you
388. # can use the words "low", "medium", "high" or "custom". If you use custom
389. # make sure to define the values at "- custom-values" as your convenience.
390. # Usually you would prefer medium/high/low.
391. #
392. # "sgh mpm-context", indicates how the staging should allot mpm contexts for
393. # the signature groups. "single" indicates the use of a single context for
394. # all the signature group heads. "full" indicates a mpm-context for each
395. # group head. "auto" lets the engine decide the distribution of contexts
396. # based on the information the engine gathers on the patterns from each
397. # group head.
398. #
399. # The option inspection-recursion-limit is used to limit the recursive calls
400. # in the content inspection code. For certain payload-sig combinations, we
401. # might end up taking too much time in the content inspection code.
402. # If the argument specified is 0, the engine uses an internally defined
403. # default limit. On not specifying a value, we use no limits on the recursion.
404. detect-engine:
405. - profile: medium
406. - custom-values:
407. toclient-src-groups: 2
408. toclient-dst-groups: 2
409. toclient-sp-groups: 2
410. toclient-dp-groups: 3
411. toserver-src-groups: 2
412. toserver-dst-groups: 4
413. toserver-sp-groups: 2
414. toserver-dp-groups: 25
415. - sgh-mpm-context: auto
416. - inspection-recursion-limit: 3000
417. # When rule-reload is enabled, sending a USR2 signal to the Suricata process
418. # will trigger a live rule reload. Experimental feature, use with care.
419. #- rule-reload: true
420. # If set to yes, the loading of signatures will be made after the capture
421. # is started. This will limit the downtime in IPS mode.
422. #- delayed-detect: yes
423.  
424. # Suricata is multi-threaded. Here the threading can be influenced.
425. threading:
426. # On some cpu's/architectures it is beneficial to tie individual threads
427. # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
428. # and each extra CPU/core has one "detect" thread.
429. #
430. # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
431. #
432. set-cpu-affinity: no
433. # Tune cpu affinity of suricata threads. Each family of threads can be bound
434. # on specific CPUs.
435. cpu-affinity:
436. - management-cpu-set:
437. cpu: [ 0 ] # include only these cpus in affinity settings
438. - receive-cpu-set:
439. cpu: [ 0 ] # include only these cpus in affinity settings
440. - decode-cpu-set:
441. cpu: [ 0, 1 ]
442. mode: "balanced"
443. - stream-cpu-set:
444. cpu: [ "0-1" ]
445. - detect-cpu-set:
446. cpu: [ "all" ]
447. mode: "exclusive" # run detect threads in these cpus
448. # Use explicitely 3 threads and don't compute number by using
449. # detect-thread-ratio variable:
450. # threads: 3
451. prio:
452. low: [ 0 ]
453. medium: [ "1-2" ]
454. high: [ 3 ]
455. default: "medium"
456. - verdict-cpu-set:
457. cpu: [ 0 ]
458. prio:
459. default: "high"
460. - reject-cpu-set:
461. cpu: [ 0 ]
462. prio:
463. default: "low"
464. - output-cpu-set:
465. cpu: [ "all" ]
466. prio:
467. default: "medium"
468. #
469. # By default Suricata creates one "detect" thread per available CPU/CPU core.
470. # This setting allows controlling this behaviour. A ratio setting of 2 will
471. # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
472. # will result in 4 detect threads. If values below 1 are used, less threads
473. # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
474. # thread being created. Regardless of the setting at a minimum 1 detect
475. # thread will always be created.
476. #
477. detect-thread-ratio: 1.5
478.  
479. # Cuda configuration.
480. cuda:
481. # The "mpm" profile. On not specifying any of these parameters, the engine's
482. # internal default values are used, which are same as the ones specified in
483. # in the default conf file.
484. mpm:
485. # The minimum length required to buffer data to the gpu.
486. # Anything below this is MPM'ed on the CPU.
487. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
488. # A value of 0 indicates there's no limit.
489. data-buffer-size-min-limit: 0
490. # The maximum length for data that we would buffer to the gpu.
491. # Anything over this is MPM'ed on the CPU.
492. # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
493. data-buffer-size-max-limit: 1500
494. # The ring buffer size used by the CudaBuffer API to buffer data.
495. cudabuffer-buffer-size: 500mb
496. # The max chunk size that can be sent to the gpu in a single go.
497. gpu-transfer-size: 50mb
498. # The timeout limit for batching of packets in microseconds.
499. batching-timeout: 2000
500. # The device to use for the mpm. Currently we don't support load balancing
501. # on multiple gpus. In case you have multiple devices on your system, you
502. # can specify the device to use, using this conf. By default we hold 0, to
503. # specify the first device cuda sees. To find out device-id associated with
504. # the card(s) on the system run "suricata --list-cuda-cards".
505. device-id: 0
506. # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
507. # For this option you need a device with Compute Capability > 1.0.
508. cuda-streams: 2
509.  
510. # Select the multi pattern algorithm you want to run for scan/search the
511. # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
512. # ac and ac-gfbs.
513. #
514. # The mpm you choose also decides the distribution of mpm contexts for
515. # signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
516. # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
517. # to be set to "single", because of ac's memory requirements, unless the
518. # ruleset is small enough to fit in one's memory, in which case one can
519. # use "full" with "ac". Rest of the mpms can be run in "full" mode.
520. #
521. # There is also a CUDA pattern matcher (only available if Suricata was
522. # compiled with --enable-cuda: b2g_cuda. Make sure to update your
523. # max-pending-packets setting above as well if you use b2g_cuda.
524.  
525. mpm-algo: ac
526.  
527. # The memory settings for hash size of these algorithms can vary from lowest
528. # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
529. # (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
530. # medium (1024) - high (2048).
531. #
532. # For B2g/B3g algorithms, there is a support for two different scan/search
533. # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
534. # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
535. # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
536. # B3gSearchBNDMq.
537. #
538. # For B2g the different scan/search algorithms and, hash and bloom
539. # filter size settings. For B3g the different scan/search algorithms and, hash
540. # and bloom filter size settings. For wumanber the hash and bloom filter size
541. # settings.
542.  
543. pattern-matcher:
544. - b2gc:
545. search-algo: B2gSearchBNDMq
546. hash-size: low
547. bf-size: medium
548. - b2gm:
549. search-algo: B2gSearchBNDMq
550. hash-size: low
551. bf-size: medium
552. - b2g:
553. search-algo: B2gSearchBNDMq
554. hash-size: low
555. bf-size: medium
556. - b3g:
557. search-algo: B3gSearchBNDMq
558. hash-size: low
559. bf-size: medium
560. - wumanber:
561. hash-size: low
562. bf-size: medium
563.  
564. # Defrag settings:
565.  
566. defrag:
567. memcap: 32mb
568. hash-size: 65536
569. trackers: 65535 # number of defragmented flows to follow
570. max-frags: 65535 # number of fragments to keep (higher than trackers)
571. prealloc: yes
572. timeout: 60
573.  
574. # Enable defrag per host settings
575. # host-config:
576. #
577. # - dmz:
578. # timeout: 30
579. # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
580. #
581. # - lan:
582. # timeout: 45
583. # address:
584. # - 192.168.0.0/24
585. # - 192.168.10.0/24
586. # - 172.16.14.0/24
587.  
588. # Flow settings:
589. # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
590. # for flow allocation inside the engine. You can change this value to allow
591. # more memory usage for flows.
592. # The hash-size determine the size of the hash used to identify flows inside
593. # the engine, and by default the value is 65536.
594. # At the startup, the engine can preallocate a number of flows, to get a better
595. # performance. The number of flows preallocated is 10000 by default.
596. # emergency-recovery is the percentage of flows that the engine need to
597. # prune before unsetting the emergency state. The emergency state is activated
598. # when the memcap limit is reached, allowing to create new flows, but
599. # prunning them with the emergency timeouts (they are defined below).
600. # If the memcap is reached, the engine will try to prune flows
601. # with the default timeouts. If it doens't find a flow to prune, it will set
602. # the emergency bit and it will try again with more agressive timeouts.
603. # If that doesn't work, then it will try to kill the last time seen flows
604. # not in use.
605. # The memcap can be specified in kb, mb, gb. Just a number indicates it's
606. # in bytes.
607.  
608. flow:
609. memcap: 64mb
610. hash-size: 65536
611. prealloc: 10000
612. emergency-recovery: 30
613.  
614. # This option controls the use of vlan ids in the flow (and defrag)
615. # hashing. Normally this should be enabled, but in some (broken)
616. # setups where both sides of a flow are not tagged with the same vlan
617. # tag, we can ignore the vlan id's in the flow hashing.
618. vlan:
619. use-for-tracking: true
620.  
621. # Specific timeouts for flows. Here you can specify the timeouts that the
622. # active flows will wait to transit from the current state to another, on each
623. # protocol. The value of "new" determine the seconds to wait after a hanshake or
624. # stream startup before the engine free the data of that flow it doesn't
625. # change the state to established (usually if we don't receive more packets
626. # of that flow). The value of "established" is the amount of
627. # seconds that the engine will wait to free the flow if it spend that amount
628. # without receiving new packets or closing the connection. "closed" is the
629. # amount of time to wait after a flow is closed (usually zero).
630. #
631. # There's an emergency mode that will become active under attack circumstances,
632. # making the engine to check flow status faster. This configuration variables
633. # use the prefix "emergency-" and work similar as the normal ones.
634. # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
635. # icmp.
636.  
637. flow-timeouts:
638.  
639. default:
640. new: 30
641. established: 300
642. closed: 0
643. emergency-new: 10
644. emergency-established: 100
645. emergency-closed: 0
646. tcp:
647. new: 60
648. established: 3600
649. closed: 120
650. emergency-new: 10
651. emergency-established: 300
652. emergency-closed: 20
653. udp:
654. new: 30
655. established: 300
656. emergency-new: 10
657. emergency-established: 100
658. icmp:
659. new: 30
660. established: 300
661. emergency-new: 10
662. emergency-established: 100
663.  
664. # Stream engine settings. Here the TCP stream tracking and reassembly
665. # engine is configured.
666. #
667. # stream:
668. # memcap: 32mb # Can be specified in kb, mb, gb. Just a
669. # # number indicates it's in bytes.
670. # checksum-validation: yes # To validate the checksum of received
671. # # packet. If csum validation is specified as
672. # # "yes", then packet with invalid csum will not
673. # # be processed by the engine stream/app layer.
674. # # Warning: locally generated trafic can be
675. # # generated without checksum due to hardware offload
676. # # of checksum. You can control the handling of checksum
677. # # on a per-interface basis via the 'checksum-checks'
678. # # option
679. # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
680. # midstream: false # don't allow midstream session pickups
681. # async-oneside: false # don't enable async stream handling
682. # inline: no # stream inline mode
683. # max-synack-queued: 5 # Max different SYN/ACKs to queue
684. #
685. # reassembly:
686. # memcap: 64mb # Can be specified in kb, mb, gb. Just a number
687. # # indicates it's in bytes.
688. # depth: 1mb # Can be specified in kb, mb, gb. Just a number
689. # # indicates it's in bytes.
690. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
691. # # this size. Can be specified in kb, mb,
692. # # gb. Just a number indicates it's in bytes.
693. # # The max acceptable size is 4024 bytes.
694. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
695. # # this size. Can be specified in kb, mb,
696. # # gb. Just a number indicates it's in bytes.
697. # # The max acceptable size is 4024 bytes.
698. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
699. # # This lower the risk of some evasion technics but could lead
700. # # detection change between runs. It is set to 'yes' by default.
701. # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
702. # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
703. # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
704. # # of randomize-chunk-range is 10.
705. #
706. # raw: yes # 'Raw' reassembly enabled or disabled.
707. # # raw is for content inspection by detection
708. # # engine.
709. #
710. # chunk-prealloc: 250 # Number of preallocated stream chunks. These
711. # # are used during stream inspection (raw).
712. # segments: # Settings for reassembly segment pool.
713. # - size: 4 # Size of the (data)segment for a pool
714. # prealloc: 256 # Number of segments to prealloc and keep
715. # # in the pool.
716. #
717. stream:
718. memcap: 32mb
719. checksum-validation: yes # reject wrong csums
720. inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
721. reassembly:
722. memcap: 128mb
723. depth: 1mb # reassemble 1mb into a stream
724. toserver-chunk-size: 2560
725. toclient-chunk-size: 2560
726. randomize-chunk-size: yes
727. #randomize-chunk-range: 10
728. #raw: yes
729. #chunk-prealloc: 250
730. #segments:
731. # - size: 4
732. # prealloc: 256
733. # - size: 16
734. # prealloc: 512
735. # - size: 112
736. # prealloc: 512
737. # - size: 248
738. # prealloc: 512
739. # - size: 512
740. # prealloc: 512
741. # - size: 768
742. # prealloc: 1024
743. # - size: 1448
744. # prealloc: 1024
745. # - size: 65535
746. # prealloc: 128
747.  
748. # Host table:
749. #
750. # Host table is used by tagging and per host thresholding subsystems.
751. #
752. host:
753. hash-size: 4096
754. prealloc: 1000
755. memcap: 16777216
756.  
757. # Logging configuration. This is not about logging IDS alerts, but
758. # IDS output about what its doing, errors, etc.
759. logging:
760.  
761. # The default log level, can be overridden in an output section.
762. # Note that debug level logging will only be emitted if Suricata was
763. # compiled with the --enable-debug configure option.
764. #
765. # This value is overriden by the SC_LOG_LEVEL env var.
766. default-log-level: notice
767.  
768. # The default output format. Optional parameter, should default to
769. # something reasonable if not provided. Can be overriden in an
770. # output section. You can leave this out to get the default.
771. #
772. # This value is overriden by the SC_LOG_FORMAT env var.
773. #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
774.  
775. # A regex to filter output. Can be overridden in an output section.
776. # Defaults to empty (no filter).
777. #
778. # This value is overriden by the SC_LOG_OP_FILTER env var.
779. default-output-filter:
780.  
781. # Define your logging outputs. If none are defined, or they are all
782. # disabled you will get the default - console output.
783. outputs:
784. - console:
785. enabled: yes
786. - file:
787. enabled: no
788. filename: suricata.log
789. - syslog:
790. enabled: no
791. facility: local5
792. format: "[%i] <%d> -- "
793.  
794. # Tilera mpipe configuration. for use on Tilera TILE-Gx.
795. mpipe:
796.  
797. # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
798. load-balance: dynamic
799.  
800. # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
801. iqueue-packets: 2048
802.  
803. # List of interfaces we will listen on.
804. inputs:
805. - interface: xgbe2
806. - interface: xgbe3
807. - interface: xgbe4
808.  
809.  
810. # Relative weight of memory for packets of each mPipe buffer size.
811. stack:
812. size128: 0
813. size256: 9
814. size512: 0
815. size1024: 0
816. size1664: 7
817. size4096: 0
818. size10386: 0
819. size16384: 0
820.  
821. # PF_RING configuration. for use with native PF_RING support
822. # for more info see http://www.ntop.org/PF_RING.html
823. pfring:
824. - interface: eth0
825. # Number of receive threads (>1 will enable experimental flow pinned
826. # runmode)
827. threads: 1
828.  
829. # Default clusterid. PF_RING will load balance packets based on flow.
830. # All threads/processes that will participate need to have the same
831. # clusterid.
832. cluster-id: 99
833.  
834. # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
835. # This is only supported in versions of PF_RING > 4.1.1.
836. cluster-type: cluster_flow
837. # bpf filter for this interface
838. #bpf-filter: tcp
839. # Choose checksum verification mode for the interface. At the moment
840. # of the capture, some packets may be with an invalid checksum due to
841. # offloading to the network card of the checksum computation.
842. # Possible values are:
843. # - rxonly: only compute checksum for packets received by network card.
844. # - yes: checksum validation is forced
845. # - no: checksum validation is disabled
846. # - auto: suricata uses a statistical approach to detect when
847. # checksum off-loading is used. (default)
848. # Warning: 'checksum-validation' must be set to yes to have any validation
849. #checksum-checks: auto
850. # Second interface
851. #- interface: eth1
852. # threads: 3
853. # cluster-id: 93
854. # cluster-type: cluster_flow
855. # Put default values here
856. - interface: default
857. #threads: 2
858.  
859. pcap:
860. - interface: eth0
861. # On Linux, pcap will try to use mmaped capture and will use buffer-size
862. # as total of memory used by the ring. So set this to something bigger
863. # than 1% of your bandwidth.
864. #buffer-size: 16777216
865. #bpf-filter: "tcp and port 25"
866. # Choose checksum verification mode for the interface. At the moment
867. # of the capture, some packets may be with an invalid checksum due to
868. # offloading to the network card of the checksum computation.
869. # Possible values are:
870. # - yes: checksum validation is forced
871. # - no: checksum validation is disabled
872. # - auto: suricata uses a statistical approach to detect when
873. # checksum off-loading is used. (default)
874. # Warning: 'checksum-validation' must be set to yes to have any validation
875. #checksum-checks: auto
876. # With some accelerator cards using a modified libpcap (like myricom), you
877. # may want to have the same number of capture threads as the number of capture
878. # rings. In this case, set up the threads variable to N to start N threads
879. # listening on the same interface.
880. #threads: 16
881. # set to no to disable promiscuous mode:
882. #promisc: no
883. # set snaplen, if not set it defaults to MTU if MTU can be known
884. # via ioctl call and to full capture if not.
885. #snaplen: 1518
886. # Put default values here
887. - interface: default
888. #checksum-checks: auto
889.  
890. pcap-file:
891. # Possible values are:
892. # - yes: checksum validation is forced
893. # - no: checksum validation is disabled
894. # - auto: suricata uses a statistical approach to detect when
895. # checksum off-loading is used. (default)
896. # Warning: 'checksum-validation' must be set to yes to have checksum tested
897. checksum-checks: auto
898.  
899. # For FreeBSD ipfw(8) divert(4) support.
900. # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
901. # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
902. # Additionally, you need to have an ipfw rule for the engine to see
903. # the packets from ipfw. For Example:
904. #
905. # ipfw add 100 divert 8000 ip from any to any
906. #
907. # The 8000 above should be the same number you passed on the command
908. # line, i.e. -d 8000
909. #
910. ipfw:
911.  
912. # Reinject packets at the specified ipfw rule number. This config
913. # option is the ipfw rule number AT WHICH rule processing continues
914. # in the ipfw processing system after the engine has finished
915. # inspecting the packet for acceptance. If no rule number is specified,
916. # accepted packets are reinjected at the divert rule which they entered
917. # and IPFW rule processing continues. No check is done to verify
918. # this will rule makes sense so care must be taken to avoid loops in ipfw.
919. #
920. ## The following example tells the engine to reinject packets
921. # back into the ipfw firewall AT rule number 5500:
922. #
923. # ipfw-reinjection-rule-number: 5500
924.  
925. # Set the default rule path here to search for the files.
926. # if not set, it will look at the current working dir
927. default-rule-path: /etc/suricata/rules
928. rule-files:
929. - etpro-activex.rules
930. - etpro-attack_response.rules
931. - etpro-chat.rules
932. - etpro-current_events.rules
933. - etpro-dns.rules
934. - etpro-dos.rules
935. - etpro-exploit.rules
936. - etpro-ftp.rules
937. - etpro-games.rules
938. - etpro-icmp_info.rules
939. # - etpro-icmp.rules
940. - etpro-imap.rules
941. - etpro-inappropriate.rules
942. - etpro-malware.rules
943. - etpro-misc.rules
944. - etpro-mobile_malware.rules
945. - etpro-netbios.rules
946. - etpro-p2p.rules
947. - etpro-policy.rules
948. - etpro-pop3.rules
949. - etpro-rpc.rules
950. - etpro-scada.rules
951. - etpro-scan.rules
952. - etpro-shellcode.rules
953. - etpro-smtp.rules
954. - etpro-snmp.rules
955. - etpro-sql.rules
956. - etpro-telnet.rules
957. - etpro-tftp.rules
958. - etpro-trojan.rules
959. - etpro-user_agents.rules
960. - etpro-voip.rules
961. - etpro-web_client.rules
962. - etpro-web_server.rules
963. - etpro-web_specific_apps.rules
964. - etpro-worm.rules
965.  
966. classification-file: /etc/suricata/classification.config
967. reference-config-file: /etc/suricata/reference.config
968.  
969. # Holds variables that would be used by the engine.
970. vars:
971.  
972. # Holds the address group vars that would be passed in a Signature.
973. # These would be retrieved during the Signature address parsing stage.
974. address-groups:
975.  
976. HOME_NET: "any"
977.  
978. EXTERNAL_NET: "any"
979.  
980. HTTP_SERVERS: "$HOME_NET"
981.  
982. SMTP_SERVERS: "$HOME_NET"
983.  
984. SQL_SERVERS: "$HOME_NET"
985.  
986. DNS_SERVERS: "$HOME_NET"
987.  
988. TELNET_SERVERS: "$HOME_NET"
989.  
990. AIM_SERVERS: "$EXTERNAL_NET"
991.  
992. DNP3_SERVER: "$HOME_NET"
993.  
994. DNP3_CLIENT: "$HOME_NET"
995.  
996. MODBUS_CLIENT: "$HOME_NET"
997.  
998. MODBUS_SERVER: "$HOME_NET"
999.  
1000. ENIP_CLIENT: "$HOME_NET"
1001.  
1002. ENIP_SERVER: "$HOME_NET"
1003.  
1004. # Holds the port group vars that would be passed in a Signature.
1005. # These would be retrieved during the Signature port parsing stage.
1006. port-groups:
1007.  
1008. HTTP_PORTS: "80"
1009.  
1010. SHELLCODE_PORTS: "!80"
1011.  
1012. ORACLE_PORTS: 1521
1013.  
1014. SSH_PORTS: 22
1015.  
1016. DNP3_PORTS: 20000
1017.  
1018. # Set the order of alerts bassed on actions
1019. # The default order is pass, drop, reject, alert
1020. action-order:
1021. - pass
1022. - drop
1023. - reject
1024. - alert
1025.  
1026. # IP Reputation
1027. #reputation-categories-file: /etc/suricata/iprep/categories.txt
1028. #default-reputation-path: /etc/suricata/iprep
1029. #reputation-files:
1030. # - reputation.list
1031.  
1032. # Host specific policies for defragmentation and TCP stream
1033. # reassembly. The host OS lookup is done using a radix tree, just
1034. # like a routing table so the most specific entry matches.
1035. host-os-policy:
1036. # Make the default policy windows.
1037. windows: [0.0.0.0/0]
1038. bsd: []
1039. bsd-right: []
1040. old-linux: []
1041. linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
1042. old-solaris: []
1043. solaris: ["::1"]
1044. hpux10: []
1045. hpux11: []
1046. irix: []
1047. macos: []
1048. vista: []
1049. windows2k3: []
1050.  
1051.  
1052. # Limit for the maximum number of asn1 frames to decode (default 256)
1053. asn1-max-frames: 256
1054.  
1055. # When run with the option --engine-analysis, the engine will read each of
1056. # the parameters below, and print reports for each of the enabled sections
1057. # and exit. The reports are printed to a file in the default log dir
1058. # given by the parameter "default-log-dir", with engine reporting
1059. # subsection below printing reports in its own report file.
1060. engine-analysis:
1061. # enables printing reports for fast-pattern for every rule.
1062. rules-fast-pattern: yes
1063. # enables printing reports for each rule
1064. rules: yes
1065.  
1066. #recursion and match limits for PCRE where supported
1067. pcre:
1068. match-limit: 3500
1069. match-limit-recursion: 1500
1070.  
1071. # Holds details on the app-layer. The protocols section details each protocol.
1072. # Under each protocol, the default value for detection-enabled and "
1073. # parsed-enabled is yes, unless specified otherwise.
1074. # Each protocol covers enabling/disabling parsers for all ipprotos
1075. # the app-layer protocol runs on. For example "dcerpc" refers to the tcp
1076. # version of the protocol as well as the udp version of the protocol.
1077. # The option "enabled" takes 3 values - "yes", "no", "detection-only".
1078. # "yes" enables both detection and the parser, "no" disables both, and
1079. # "detection-only" enables detection only(parser disabled).
1080. app-layer:
1081. protocols:
1082. tls:
1083. enabled: yes
1084. detection-ports:
1085. dp: 443
1086.  
1087. #no-reassemble: yes
1088. dcerpc:
1089. enabled: yes
1090. ftp:
1091. enabled: yes
1092. ssh:
1093. enabled: yes
1094. smtp:
1095. enabled: yes
1096. imap:
1097. enabled: detection-only
1098. msn:
1099. enabled: detection-only
1100. smb:
1101. enabled: yes
1102. detection-ports:
1103. dp: 139
1104. # smb2 detection is disabled internally inside the engine.
1105. #smb2:
1106. # enabled: yes
1107. dns:
1108. # memcaps. Globally and per flow/state.
1109. #global-memcap: 16mb
1110. #state-memcap: 512kb
1111.  
1112. # How many unreplied DNS requests are considered a flood.
1113. # If the limit is reached, app-layer-event:dns.flooded; will match.
1114. #request-flood: 500
1115.  
1116. tcp:
1117. enabled: yes
1118. detection-ports:
1119. dp: 53
1120. udp:
1121. enabled: yes
1122. detection-ports:
1123. dp: 53
1124. http:
1125. enabled: yes
1126. # memcap: 64mb
1127.  
1128. ###########################################################################
1129. # Configure libhtp.
1130. #
1131. #
1132. # default-config: Used when no server-config matches
1133. # personality: List of personalities used by default
1134. # request-body-limit: Limit reassembly of request body for inspection
1135. # by http_client_body & pcre /P option.
1136. # response-body-limit: Limit reassembly of response body for inspection
1137. # by file_data, http_server_body & pcre /Q option.
1138. # double-decode-path: Double decode path section of the URI
1139. # double-decode-query: Double decode query section of the URI
1140. #
1141. # server-config: List of server configurations to use if address matches
1142. # address: List of ip addresses or networks for this block
1143. # personalitiy: List of personalities used by this block
1144. # request-body-limit: Limit reassembly of request body for inspection
1145. # by http_client_body & pcre /P option.
1146. # response-body-limit: Limit reassembly of response body for inspection
1147. # by file_data, http_server_body & pcre /Q option.
1148. # double-decode-path: Double decode path section of the URI
1149. # double-decode-query: Double decode query section of the URI
1150. #
1151. # uri-include-all: Include all parts of the URI. By default the
1152. # 'scheme', username/password, hostname and port
1153. # are excluded. Setting this option to true adds
1154. # all of them to the normalized uri as inspected
1155. # by http_uri, urilen, pcre with /U and the other
1156. # keywords that inspect the normalized uri.
1157. # Note that this does not affect http_raw_uri.
1158. # Also, note that including all was the default in
1159. # 1.4 and 2.0beta1.
1160. #
1161. # meta-field-limit: Hard size limit for request and response size
1162. # limits. Applies to request line and headers,
1163. # response line and headers. Does not apply to
1164. # request or response bodies. Default is 18k.
1165. # If this limit is reached an event is raised.
1166. #
1167. # Currently Available Personalities:
1168. # Minimal
1169. # Generic
1170. # IDS (default)
1171. # IIS_4_0
1172. # IIS_5_0
1173. # IIS_5_1
1174. # IIS_6_0
1175. # IIS_7_0
1176. # IIS_7_5
1177. # Apache_2
1178. ###########################################################################
1179. libhtp:
1180.  
1181. default-config:
1182. personality: IDS
1183.  
1184. # Can be specified in kb, mb, gb. Just a number indicates
1185. # it's in bytes.
1186. request-body-limit: 0
1187. response-body-limit: 0
1188.  
1189. # inspection limits
1190. request-body-minimal-inspect-size: 16kb
1191. request-body-inspect-window: 16kb
1192. response-body-minimal-inspect-size: 40kb
1193. response-body-inspect-window: 16kb
1194. # Take a random value for inspection sizes around the specified value.
1195. # This lower the risk of some evasion technics but could lead
1196. # detection change between runs. It is set to 'yes' by default.
1197. #randomize-inspection-sizes: yes
1198. # If randomize-inspection-sizes is active, the value of various
1199. # inspection size will be choosen in the [1 - range%, 1 + range%]
1200. # range
1201. # Default value of randomize-inspection-range is 10.
1202. #randomize-inspection-range: 10
1203.  
1204. # decoding
1205. double-decode-path: no
1206. double-decode-query: no
1207.  
1208. server-config:
1209.  
1210. #- apache:
1211. # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
1212. # personality: Apache_2
1213. # # Can be specified in kb, mb, gb. Just a number indicates
1214. # # it's in bytes.
1215. # request-body-limit: 4096
1216. # response-body-limit: 4096
1217. # double-decode-path: no
1218. # double-decode-query: no
1219.  
1220. #- iis7:
1221. # address:
1222. # - 192.168.0.0/24
1223. # - 192.168.10.0/24
1224. # personality: IIS_7_0
1225. # # Can be specified in kb, mb, gb. Just a number indicates
1226. # # it's in bytes.
1227. # request-body-limit: 4096
1228. # response-body-limit: 4096
1229. # double-decode-path: no
1230. # double-decode-query: no
1231.  
1232. # Profiling settings. Only effective if Suricata has been built with the
1233. # the --enable-profiling configure flag.
1234. #
1235. profiling:
1236. # Run profiling for every xth packet. The default is 1, which means we
1237. # profile every packet. If set to 1000, one packet is profiled for every
1238. # 1000 received.
1239. #sample-rate: 1000
1240.  
1241. # rule profiling
1242. rules:
1243.  
1244. # Profiling can be disabled here, but it will still have a
1245. # performance impact if compiled in.
1246. enabled: yes
1247. filename: rule_perf.log
1248. append: yes
1249.  
1250. # Sort options: ticks, avgticks, checks, matches, maxticks
1251. sort: avgticks
1252.  
1253. # Limit the number of items printed at exit.
1254. limit: 100
1255.  
1256. # per keyword profiling
1257. keywords:
1258. enabled: yes
1259. filename: keyword_perf.log
1260. append: yes
1261.  
1262. # packet profiling
1263. packets:
1264.  
1265. # Profiling can be disabled here, but it will still have a
1266. # performance impact if compiled in.
1267. enabled: yes
1268. filename: packet_stats.log
1269. append: yes
1270.  
1271. # per packet csv output
1272. csv:
1273.  
1274. # Output can be disabled here, but it will still have a
1275. # performance impact if compiled in.
1276. enabled: no
1277. filename: packet_stats.csv
1278.  
1279. # profiling of locking. Only available when Suricata was built with
1280. # --enable-profiling-locks.
1281. locks:
1282. enabled: no
1283. filename: lock_stats.log
1284. append: yes
1285.  
1286. # Suricata core dump configuration. Limits the size of the core dump file to
1287. # approximately max-dump. The actual core dump size will be a multiple of the
1288. # page size. Core dumps that would be larger than max-dump are truncated. On
1289. # Linux, the actual core dump size may be a few pages larger than max-dump.
1290. # Setting max-dump to 0 disables core dumping.
1291. # Setting max-dump to 'unlimited' will give the full core dump file.
1292. # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1293. # to be 'unlimited'.
1294.  
1295. coredump:
1296. max-dump: unlimited
1297.  
1298. napatech:
1299. # The Host Buffer Allowance for all streams
1300. # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1301. hba: -1
1302.  
1303. # use_all_streams set to "yes" will query the Napatech service for all configured
1304. # streams and listen on all of them. When set to "no" the streams config array
1305. # will be used.
1306. use-all-streams: yes
1307.  
1308. # The streams to listen on
1309. streams: [1, 2, 3]
1310.  
1311. # Includes. Files included here will be handled as if they were
1312. # inlined in this configuration file.
1313. #include: include1.yaml
1314. #include: include2.yaml