Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
24/2/2015 -- 15:47:21 - <Notice> - This is Suricata version 2.0.6 RELEASE
24/2/2015 -- 15:47:21 - <Info> - CPUs/cores online: 12
default-log-dir = /var/log/suricata/
unix-command = (null)
unix-command.enabled = no
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = unified2-alert
outputs.1.unified2-alert = (null)
outputs.1.unified2-alert.enabled = no
outputs.1.unified2-alert.filename = unified2.alert
outputs.2 = http-log
outputs.2.http-log = (null)
outputs.2.http-log.enabled = yes
outputs.2.http-log.filename = http.log
outputs.2.http-log.append = yes
outputs.3 = tls-log
outputs.3.tls-log = (null)
outputs.3.tls-log.enabled = no
outputs.3.tls-log.filename = tls.log
outputs.3.tls-log.certs-log-dir = certs
outputs.4 = pcap-info
outputs.4.pcap-info = (null)
outputs.4.pcap-info.enabled = no
outputs.5 = pcap-log
outputs.5.pcap-log = (null)
outputs.5.pcap-log.enabled = no
outputs.5.pcap-log.filename = log.pcap
outputs.5.pcap-log.limit = 1000mb
outputs.5.pcap-log.max-files = 2000
outputs.5.pcap-log.mode = normal
outputs.5.pcap-log.use-stream-depth = no
outputs.6 = alert-debug
outputs.6.alert-debug = (null)
outputs.6.alert-debug.enabled = no
outputs.6.alert-debug.filename = alert-debug.log
outputs.6.alert-debug.append = yes
outputs.7 = alert-prelude
outputs.7.alert-prelude = (null)
outputs.7.alert-prelude.enabled = no
outputs.7.alert-prelude.profile = suricata
outputs.7.alert-prelude.log-packet-content = no
outputs.7.alert-prelude.log-packet-header = yes
outputs.8 = stats
outputs.8.stats = (null)
outputs.8.stats.enabled = yes
outputs.8.stats.filename = stats.log
outputs.8.stats.interval = 300
outputs.9 = syslog
outputs.9.syslog = (null)
outputs.9.syslog.enabled = no
outputs.9.syslog.facility = local5
outputs.10 = drop
outputs.10.drop = (null)
outputs.10.drop.enabled = no
outputs.10.drop.filename = drop.log
outputs.10.drop.append = yes
outputs.11 = file-store
outputs.11.file-store = (null)
outputs.11.file-store.enabled = no
outputs.11.file-store.log-dir = files
outputs.11.file-store.force-magic = no
outputs.11.file-store.force-md5 = no
outputs.12 = file-log
outputs.12.file-log = (null)
outputs.12.file-log.enabled = no
outputs.12.file-log.filename = files-json.log
outputs.12.file-log.append = yes
outputs.12.file-log.force-magic = no
outputs.12.file-log.force-md5 = no
magic-file = /usr/share/file/magic
nfq =
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.threads = 1
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.0.use-mmap = yes
af-packet.1 = interface
af-packet.1.interface = eth1
af-packet.1.threads = 1
af-packet.1.cluster-id = 98
af-packet.1.cluster-type = cluster_flow
af-packet.1.defrag = yes
af-packet.2 = interface
af-packet.2.interface = default
detect-engine = (null)
detect-engine.0 = profile
detect-engine.0.profile = medium
detect-engine.1 = custom-values
detect-engine.1.custom-values = (null)
detect-engine.1.custom-values.toclient-src-groups = 2
detect-engine.1.custom-values.toclient-dst-groups = 2
detect-engine.1.custom-values.toclient-sp-groups = 2
detect-engine.1.custom-values.toclient-dp-groups = 3
detect-engine.1.custom-values.toserver-src-groups = 2
detect-engine.1.custom-values.toserver-dst-groups = 4
detect-engine.1.custom-values.toserver-sp-groups = 2
detect-engine.1.custom-values.toserver-dp-groups = 25
detect-engine.2 = sgh-mpm-context
detect-engine.2.sgh-mpm-context = auto
detect-engine.3 = inspection-recursion-limit
detect-engine.3.inspection-recursion-limit = 3000
threading = (null)
threading.set-cpu-affinity = yes
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 1
threading.cpu-affinity.2 = decode-cpu-set
threading.cpu-affinity.2.decode-cpu-set = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu = (null)
threading.cpu-affinity.2.decode-cpu-set.cpu.0 = 2
threading.cpu-affinity.2.decode-cpu-set.mode = balanced
threading.cpu-affinity.3 = stream-cpu-set
threading.cpu-affinity.3.stream-cpu-set = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu = (null)
threading.cpu-affinity.3.stream-cpu-set.cpu.0 = 0-4
threading.cpu-affinity.4 = detect-cpu-set
threading.cpu-affinity.4.detect-cpu-set = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu = (null)
threading.cpu-affinity.4.detect-cpu-set.cpu.0 = 6
threading.cpu-affinity.4.detect-cpu-set.cpu.1 = 7
threading.cpu-affinity.4.detect-cpu-set.cpu.2 = 8
threading.cpu-affinity.4.detect-cpu-set.mode = exclusive
threading.cpu-affinity.4.detect-cpu-set.threads = 3
threading.cpu-affinity.4.detect-cpu-set.prio = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.low.0 = 0-4
threading.cpu-affinity.4.detect-cpu-set.prio.medium = (null)
threading.cpu-affinity.4.detect-cpu-set.prio.medium.0 = 5-23
threading.cpu-affinity.4.detect-cpu-set.prio.default = medium
threading.cpu-affinity.5 = verdict-cpu-set
threading.cpu-affinity.5.verdict-cpu-set = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu = (null)
threading.cpu-affinity.5.verdict-cpu-set.cpu.0 = 0
threading.cpu-affinity.5.verdict-cpu-set.prio = (null)
threading.cpu-affinity.5.verdict-cpu-set.prio.default = high
threading.cpu-affinity.6 = reject-cpu-set
threading.cpu-affinity.6.reject-cpu-set = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu = (null)
threading.cpu-affinity.6.reject-cpu-set.cpu.0 = 0
threading.cpu-affinity.6.reject-cpu-set.prio = (null)
threading.cpu-affinity.6.reject-cpu-set.prio.default = low
threading.cpu-affinity.7 = output-cpu-set
threading.cpu-affinity.7.output-cpu-set = (null)
threading.cpu-affinity.7.output-cpu-set.cpu = (null)
threading.cpu-affinity.7.output-cpu-set.cpu.0 = 0
threading.cpu-affinity.7.output-cpu-set.prio = (null)
threading.cpu-affinity.7.output-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.5
cuda = (null)
cuda.0 = mpm
cuda.0.mpm = (null)
cuda.0.mpm.packet-buffer-limit = 2400
cuda.0.mpm.packet-size-limit = 1500
cuda.0.mpm.packet-buffers = 10
cuda.0.mpm.batching-timeout = 1
cuda.0.mpm.page-locked = enabled
cuda.0.mpm.device-id = 0
cuda.0.mpm.cuda-streams = 2
mpm-algo = ac
pattern-matcher = (null)
pattern-matcher.0 = b2gc
pattern-matcher.0.b2gc = (null)
pattern-matcher.0.b2gc.search-algo = B2gSearchBNDMq
pattern-matcher.0.b2gc.hash-size = low
pattern-matcher.0.b2gc.bf-size = medium
pattern-matcher.1 = b2gm
pattern-matcher.1.b2gm = (null)
pattern-matcher.1.b2gm.search-algo = B2gSearchBNDMq
pattern-matcher.1.b2gm.hash-size = low
pattern-matcher.1.b2gm.bf-size = medium
pattern-matcher.2 = b2g
pattern-matcher.2.b2g = (null)
pattern-matcher.2.b2g.search-algo = B2gSearchBNDMq
pattern-matcher.2.b2g.hash-size = low
pattern-matcher.2.b2g.bf-size = medium
pattern-matcher.3 = b3g
pattern-matcher.3.b3g = (null)
pattern-matcher.3.b3g.search-algo = B3gSearchBNDMq
pattern-matcher.3.b3g.hash-size = low
pattern-matcher.3.b3g.bf-size = medium
pattern-matcher.4 = wumanber
pattern-matcher.4.wumanber = (null)
pattern-matcher.4.wumanber.hash-size = low
pattern-matcher.4.wumanber.bf-size = medium
defrag = (null)
defrag.memcap = 32mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 512mb
flow.hash-size = 65536
flow.prealloc = 10000
flow.emergency-recovery = 30
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 3600
flow-timeouts.tcp.closed = 120
flow-timeouts.tcp.emergency-new = 10
flow-timeouts.tcp.emergency-established = 300
flow-timeouts.tcp.emergency-closed = 20
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
stream = (null)
stream.memcap = 128mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 64mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 16777216
logging = (null)
logging.default-log-level = info
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = no
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = no
logging.outputs.1.file.filename = /var/log/suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = 1
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
ipfw =
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = hackingtools.rules
rule-files.1 = malware.rules
rule-files.2 = policy.rules
rule-files.3 = threats.rules
rule-files.4 = uri-apt.rules
rule-files.5 = apt-gen-list.rules
rule-files.6 = SQLi.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = 80
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
action-order = (null)
action-order.0 = pass
action-order.1 = drop
action-order.2 = reject
action-order.3 = alert
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linu0x = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.solaris.0 = ::1
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
asn1-max-frames = 256
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
libhtp = (null)
libhtp.default-config = (null)
libhtp.default-config.personality = IDS
libhtp.default-config.request-body-limit = 3072
libhtp.default-config.response-body-limit = 3072
libhtp.default-config.request-body-minimal-inspect-size = 32kb
libhtp.default-config.request-body-inspect-window = 4kb
libhtp.default-config.response-body-minimal-inspect-size = 32kb
libhtp.default-config.response-body-inspect-window = 4kb
libhtp.default-config.double-decode-path = no
libhtp.default-config.double-decode-query = no
libhtp.server-config = (null)
libhtp.server-config.0 = apache
libhtp.server-config.0.apache = (null)
libhtp.server-config.0.apache.address = (null)
libhtp.server-config.0.apache.personality = Apache_2_2
libhtp.server-config.0.apache.request-body-limit = 4096
libhtp.server-config.0.apache.response-body-limit = 4096
libhtp.server-config.0.apache.double-decode-path = no
libhtp.server-config.0.apache.double-decode-query = no
libhtp.server-config.1 = iis7
libhtp.server-config.1.iis7 = (null)
libhtp.server-config.1.iis7.address = (null)
libhtp.server-config.1.iis7.personality = IIS_7_0
libhtp.server-config.1.iis7.request-body-limit = 4096
libhtp.server-config.1.iis7.response-body-limit = 4096
libhtp.server-config.1.iis7.double-decode-path = no
libhtp.server-config.1.iis7.double-decode-query = no
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.sort = avgticks
profiling.rules.limit = 100
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
coredump = (null)
coredump.max-dump = unlimited
napatech = (null)
napatech.hba = -1
napatech.use-all-streams = yes
napatech.streams = (null)
napatech.streams.0 = 1
napatech.streams.1 = 2
napatech.streams.2 = 3