%YAML 1.1
---

# Suricata engine configuration.
# NOTE(review): the key layout (list-form detect-engine, b2g/b3g/wumanber
# pattern-matcher tuning, a cuda mpm section) belongs to the 1.x/2.0-era
# sample file; later releases dropped or renamed several of these keys, so
# check this file against the engine version actually deployed.

# Host mode is derived from how the engine is run; with the af-packet
# copy-mode "ips" configured further down, "auto" presumably selects the
# router/IPS behaviour rather than sniffer-only.
host-mode: auto

# No unix control socket: nothing can be reloaded or queried at runtime
# through a local socket.
unix-command:
  enabled: no

# Relative filenames in the outputs section resolve under this directory.
# Alerts (and captured files, if those outputs are ever enabled) land here,
# so restrict it to the engine user and the analysts who need to read it.
default-log-dir: /var/log/suricata/

# Packets the engine may hold in flight at once; more buffering under burst
# at the cost of memory.
max-pending-packets: 8192

# Per-packet buffer size; comfortably covers a 1500-byte MTU frame plus
# Ethernet and 802.1Q headers.
default-packet-size: 1600

# "workers": each capture thread carries a packet through decode, stream,
# detect and output itself. The per-interface thread counts live in the
# af-packet section.
runmode: workers
outputs:
  # Classic one-line alert log; off, so eve-log below is the only alert
  # sink in this file.
  - fast:
      enabled: no
      filename: fast.log
      append: yes

  # JSON alert records handed to the local syslog daemon (facility local0,
  # severity Alert, identity "suricata"). Payload and packet bytes are
  # excluded, so the syslog stream carries alert metadata only and nothing
  # from it can be used to rebuild the triggering traffic.
  # NOTE(review): with fast.log and unified2 disabled, a syslog outage means
  # lost alerts; confirm the syslog transport is reliable (or enable a file
  # sink as well). sensor-id 76 is the only per-sensor marker downstream.
  - eve-log:
      enabled: yes
      type: syslog
      facility: local0
      level: Alert
      identity: "suricata"
      sensor-id: 76
      types:
        - alert:
            payload: no
            packet: no

  # Unified2 (Barnyard2-style) binary alerts, including the X-Forwarded-For
  # extra-data record: disabled.
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      xff:
        enabled: no
        mode: extra-data
        header: X-Forwarded-For

  # Protocol transaction logs: all disabled.
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - tls-log:
      enabled: no
      filename: tls.log
      append: yes
      certs-log-dir: certs
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes

  - pcap-info:
      enabled: no

  # Full-packet capture to disk: disabled. If it is ever switched on, the
  # limits below allow up to 2000 rolling files of 1000mb each under
  # default-log-dir — plan the disk and the access controls accordingly.
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal
      use-stream-depth: no

  # Verbose per-alert debugging output: disabled.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  # Prelude SIEM forwarding: disabled.
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Engine counters, rewritten every 8 seconds.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8

  # Plain-text alerts to syslog (facility local5): disabled; eve-log above is
  # the syslog path in use.
  - syslog:
      enabled: no
      facility: local5

  # drop.log is off. This sensor runs inline, so blocked packets are not
  # recorded separately; presumably the eve alert stream is the only trace
  # of a drop — NOTE(review): confirm that is enough for incident review.
  - drop:
      enabled: no
      filename: drop.log
      append: yes

  # File extraction and file metadata logging: disabled (force-magic /
  # force-md5 would otherwise run libmagic and hashing on every file).
  - file-store:
      enabled: no
      log-dir: files
      force-magic: no
      force-md5: no
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      force-magic: no
      force-md5: no
threading:
  # The affinity map below is declared but not applied; the cpu sets and
  # priorities only take effect if set-cpu-affinity is flipped to yes.
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - receive-cpu-set:
        cpu: [ 0 ]
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"
  # Detect threads per core for the autofp runmode; with runmode "workers"
  # selected above this presumably has no effect.
  detect-thread-ratio: 1.5

# NFQUEUE capture is not configured (null); this sensor captures via
# af-packet.
nfq: ~

# libmagic database consulted by file-store / file-log (both disabled here).
magic-file: /usr/share/file/magic
# Signature-group tuning (1.x/2.0 list syntax). The custom-values entries
# are presumably only consulted for profile "custom"; with profile "medium"
# they are inert. inspection-recursion-limit bounds how deep content/pcre
# inspection may recurse on one buffer, a guard against pathological rules.
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

# Keep accepting the deprecated "uricontent" keyword in rules.
legacy:
  uricontent: enabled

# GPU pattern matching parameters; only meaningful for a CUDA build using a
# cuda mpm algorithm. mpm-algo in this file is "ac", so this section is
# presumably unused.
cuda:
  mpm:
    device-id: 0
    cuda-streams: 2
    data-buffer-size-min-limit: 0
    data-buffer-size-max-limit: 1500
    cudabuffer-buffer-size: 500mb
    gpu-transfer-size: 50mb
    batching-timeout: 2000
# Flow idle timeouts in seconds. The "emergency-*" values replace the normal
# ones when the flow engine hits its memcap and has to shed state.
# NOTE(review): these are far below the stock sample (e.g. tcp established
# 100s here), so an idle session that outlives its timeout is forgotten and
# its next packet is presumably seen as midstream. Also, the "default"
# group's emergency values (new 10, established 100) are HIGHER than its
# normal values (new 3, established 30), which inverts the purpose of
# emergency mode — confirm these numbers are intended.
flow-timeouts:
  default:
    new: 3
    established: 30
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 6
    established: 100
    closed: 12
    emergency-new: 6
    emergency-established: 10
    emergency-closed: 2
  udp:
    new: 3
    established: 30
    emergency-new: 3
    emergency-established: 10
  icmp:
    new: 3
    established: 30
    emergency-new: 3
    emergency-established: 10

# Aho-Corasick multi-pattern matcher for content matching.
mpm-algo: ac
# IP fragment reassembly. Trackers are preallocated up front; a fragment set
# not completed within 30 seconds is discarded, so it is never inspected
# as a whole datagram.
defrag:
  memcap: 512mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 30

# Tuning for the b2g/b3g/wumanber matchers. mpm-algo above selects "ac",
# so these presumably have no effect unless that choice changes.
pattern-matcher:
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
# Flow table: 1M buckets and 1M preallocated flows under a 512mb memcap;
# emergency-recovery is the percentage of flows that must be freed before
# the engine leaves emergency mode.
flow:
  memcap: 512mb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30

# The VLAN id is part of the flow key, so the same 5-tuple on two VLANs is
# tracked as two flows.
vlan:
  use-for-tracking: true

# TCP stream tracking and reassembly.
stream:
  memcap: 512mb
  # Packets with a bad TCP/IP checksum are treated as invalid and are not
  # reassembled. NOTE(review): make sure checksum offloading on eth0/eth1
  # does not present bad checksums to the engine, or those packets silently
  # escape inspection on an inline sensor.
  checksum-validation: yes
  # "auto" follows the capture mode: inline reassembly when af-packet runs in
  # copy-mode ips, as it does here.
  inline: auto
  reassembly:
    memcap: 128mb
    # Inspection of a reassembled stream stops after 512kb per direction;
    # bytes past that point are not inspected, which is a known blind spot
    # for large transfers.
    depth: 512kb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    # Vary chunk boundaries so evasions tuned to a fixed chunk size fail.
    randomize-chunk-size: yes
# Engine (not alert) logging. Only the console sink is enabled.
# NOTE(review): "debug" messages presumably exist only in a debug-enabled
# build, so on a release build this behaves like "info"; either way make
# sure the service manager captures stdout/stderr, otherwise engine errors
# and rule-load failures are lost.
logging:
  default-log-level: debug
  default-output-filter:
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: no
        filename: /var/log/suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "

# Host table (used by IP reputation and per-host state); memcap in bytes.
host:
  hash-size: 40960
  prealloc: 10000
  memcap: 16777216

# Reference URLs for the "reference:" rule keyword.
reference-config-file: /etc/suricata/reference.config
# Tilera mPIPE capture settings; inert unless the engine is built for that
# platform. Kept from the sample file.
mpipe:
  load-balance: dynamic
  iqueue-packets: 2048
  inputs:
    - interface: xgbe2
    - interface: xgbe3
    - interface: xgbe4
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0

# libpcap capture fallback, used only when the engine is started in pcap
# mode; live capture for this sensor is configured under af-packet.
pcap:
  - interface: eth0
  - interface: default

# BSD ipfw divert capture: not configured.
ipfw: ~

# Classification names and priorities for the "classtype:" rule keyword.
classification-file: /etc/suricata/classification.config

# Checksum handling when replaying pcap files.
pcap-file:
  checksum-checks: auto

# Relative entries in rule-files resolve under this directory.
default-rule-path: /etc/suricata/rules
vars:
  address-groups:
    # NOTE(review): the protected side is a single public /24. Every server
    # and client group below is an alias for it, so rules aimed at DNS,
    # HTTP, SMTP, SQL, telnet and the ICS protocols apply to the whole
    # range rather than to the hosts that actually run those services;
    # narrow the groups if drops or alert volume become a problem.
    HOME_NET: "89.175.167.0/24"
    # EXTERNAL_NET is "any" rather than the stock "!$HOME_NET". Rules written
    # as $EXTERNAL_NET -> $HOME_NET can therefore also match traffic between
    # two HOME_NET hosts. That helps catch lateral movement but raises
    # alert volume and, in IPS mode, the blast radius of a drop rule.
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "[80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]"
    # Shellcode rules look at every port except 80.
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
# A single rule file, resolved under default-rule-path. Its name suggests
# it is delivered by an outside party. Because this sensor is inline and
# drop/reject rank above alert in action-order, any rule pushed into this
# file can block production traffic — NOTE(review): verify the file's
# integrity (hash or signature) on delivery and review new drop rules
# before they are loaded.
rule-files:
  - received_from_ncc.rules

# IP reputation data: categories plus one list, both under /etc/suricata.
default-reputation-path: /etc/suricata
reputation-categories-file: /etc/suricata/iprep_categories.txt
reputation-files:
  - iprep_data.list

# When several rules match one packet, the first action in this list wins:
# a pass rule overrides a drop, a drop overrides an alert.
action-order:
  - pass
  - drop
  - reject
  - alert

# Rule analysis reports produced when the engine is run in its
# engine-analysis mode; no effect on normal operation.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
# TCP reassembly mimics the destination host's OS. These entries look like
# the sample file's placeholders (10.0.0.0/8, 192.168.1.100, an example IPv6
# address, ::1, windows as catch-all) and do not correspond to HOME_NET.
# A wrong policy lets overlapping-segment tricks be reassembled differently
# by the sensor than by the real host — a classic IDS/IPS evasion — so
# NOTE(review): map the actual hosts before relying on drop rules.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux:
    - 10.0.0.0/8
    - 192.168.1.100
    - "8762:2352:6241:7245:E000:0000:0000:0000"
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Upper bound on ASN.1 frames decoded per buffer for the asn1 keyword.
asn1-max-frames: 256

# Backtracking limits for the pcre keyword; a match that exceeds them is
# presumably treated as no match, which bounds the cost of a badly written
# regex against crafted input.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
app-layer:
  protocols:
    # "detection-only" recognises the protocol (for app-layer-protocol
    # matching) without running a parser; "yes" parses it fully.
    ftp:
      enabled: yes
    dcerpc:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smtp:
      enabled: yes
    ssh:
      enabled: yes
    # detection-ports limits port-based probing to the listed server port.
    # NOTE(review): confirm how TLS, DNS and SMB on other ports are handled
    # on this engine version — pattern-based detection may or may not cover
    # them.
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dns:
      udp:
        enabled: yes
        detection-ports:
          dp: 53
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    http:
      enabled: yes
      memcap: 1024mb
      libhtp:
        # One parser profile for all servers (server-config is empty): IDS
        # personality, no double URL decoding, and at most 512kb of each
        # request/response body inspected (32kb looked at immediately, then
        # a 4kb sliding window). Body bytes beyond the limit are not
        # inspected, so large transfers are only partially covered.
        default-config:
          personality: IDS
          request-body-limit: 512kb
          response-body-limit: 512kb
          request-body-minimal-inspect-size: 32kb
          response-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-inspect-window: 4kb
          double-decode-path: no
          double-decode-query: no
        server-config: ~
# Rule, keyword and per-packet profilers are all enabled. Each adds
# bookkeeping to the per-packet path of an inline sensor and is normally
# left off outside tuning sessions — NOTE(review): confirm this is meant
# for production.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: avgticks
    limit: 100
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

# No size cap on core files. A core of this process contains packet
# buffers and reassembled streams from the bridged traffic, so wherever
# cores are written must be as tightly permissioned as the log directory.
coredump:
  max-dump: unlimited

# Napatech capture-card settings; inert without a Napatech build.
napatech:
  use-all-streams: yes
  streams: [1, 2, 3]
  hba: -1
# Inline bridge: each packet received on eth0 is re-emitted on eth1 and
# vice versa (copy-mode ips), so verdicts apply to forwarded traffic.
# Points a reviewer should know:
#  - if the engine stops, nothing forwards: the bridge fails closed, so
#    no traffic bypasses inspection but an engine crash is an outage;
#  - cluster-id is distinct per interface (1 and 2), as the kernel fanout
#    groups require;
#  - 11 threads per side means 22 capture/worker threads — confirm the
#    host has the cores and that the ring (buffer-size) suits the link.
af-packet:
  - interface: eth0
    copy-iface: eth1
    copy-mode: ips
    cluster-id: 1
    cluster-type: cluster_flow
    threads: 11
    defrag: yes
    use-mmap: yes
    buffer-size: 65535
  - interface: eth1
    copy-iface: eth0
    copy-mode: ips
    cluster-id: 2
    cluster-type: cluster_flow
    threads: 11
    defrag: yes
    use-mmap: yes
    buffer-size: 65535