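%YAML 1.1
---
# Suricata IDS configuration: passive sniffer on em1 via AF_PACKET.
# The pasted copy had lost all indentation; Suricata derives nesting from
# indentation alone, so the structure below is restored to the layout used
# by the stock suricata.yaml.

max-pending-packets: 2048

runmode: workers

# sniffer-only: the sensor observes traffic and never takes part in it
host-mode: sniffer-only

af-packet:
  - interface: em1
    # auto uses the number of cores
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # Rollover requires a Linux kernel of 3.10 or newer
    # NOTE(review): rollover lets a saturated ring hand packets to another
    # thread, which can split one flow across threads despite cluster_flow;
    # confirm this is intended for stream reassembly.
    rollover: yes
    use-mmap: yes
    use-emergency-flush: yes
    # "no" trusts checksums as received, so segments the end host would
    # discard as corrupt are still reassembled (an insertion/evasion risk).
    # NOTE(review): keep only if NIC offload makes checksums unreliable
    # on this capture port.
    checksum-checks: no

# jumbo-frame sized capture buffer
default-packet-size: 9006

default-log-dir: /var/log/suricata

stats:
  enabled: yes
  interval: 300

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  # NOTE(review): unified2 output has been dropped by newer Suricata
  # releases; confirm the deployed version still supports it, otherwise
  # alerts written here silently stop.
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
  - stats:
      enabled: yes
      filename: stats.log
      totals: yes
      threads: no
      null-values: yes

detect-engine:
  - profile: medium
  # NOTE(review): custom-values are only consulted when profile is
  # "custom"; with "medium" selected above this block appears inert —
  # confirm which was intended.
  - custom-values:
      toclient-src-groups: 2000
      toclient-dst-groups: 2000
      toclient-sp-groups: 2000
      toclient-dp-groups: 3000
      toserver-src-groups: 2000
      toserver-dst-groups: 4000
      toserver-sp-groups: 2000
      toserver-dp-groups: 2500
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000

threading:
  # affinity is switched off, so the cpu-affinity sets below are not applied
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
        prio:
          default: "low"
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          default: "high"

mpm-algo: ac

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

defrag:
  memcap: 265mb
  trackers: 65535
  max-frags: 65535
  prealloc: yes

threshold-file: /etc/suricata/threshold.config
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

flow:
  memcap: 8gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 1

# timeouts in seconds; the emergency-* values apply once flow.memcap is hit
flow-timeouts:
  default:
    new: 5
    established: 10
    closed: 0
    emergency-new: 1
    emergency-established: 2
    emergency-closed: 0
  tcp:
    new: 5
    established: 300
    closed: 10
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 20
  udp:
    new: 5
    established: 5
    emergency-new: 5
    emergency-established: 5
  icmp:
    new: 5
    established: 5
    emergency-new: 5
    emergency-established: 5

stream:
  memcap: 24gb
  prealloc-sessions: 2500000
  inline: no
  # picks up sessions that were already established when capture started
  midstream: true
  reassembly:
    memcap: 12gb
    depth: 8mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 167772160

logging:
  default-log-level: info
  outputs:
    - file:
        enabled: yes
        filename: /var/log/suricata.log

# Only used when Suricata is started in pcap capture mode; af-packet is
# the capture method configured above.
pcap:
  - interface: em1
    buffer-size: 2000mb
    checksum-checks: no
    threads: 15

default-rule-path: /etc/suricata/rules
rule-files:
  - et.rules
  - local.rules

vars:
  address-groups:
    # x.x.x.x / y.y.y.y are placeholders left by the author; the real
    # ranges go here. Everything below derives from HOME_NET.
    HOME_NET: "[x.x.x.x]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "[y.y.y.y]"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    # Port lists are redacted placeholders. They must stay quoted: an
    # unquoted "#####" starts a YAML comment, so ORACLE_PORTS, SSH_PORTS and
    # DNP3_PORTS were previously loaded as null rather than as a value.
    HTTP_PORTS: "#####"
    SHELLCODE_PORTS: "#####"
    ORACLE_PORTS: "#####"
    SSH_PORTS: "#####"
    DNP3_PORTS: "#####"

action-order:
  - pass
  - drop
  - reject
  - alert

host-os-policy:
  # NOTE(review): windows and linux both claim 0.0.0.0/0. Only one policy
  # can apply to a given host, so TCP reassembly may follow the wrong OS
  # for part of the network — the classic reassembly-evasion gap. Scope
  # each entry to the address ranges that actually run that OS.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

asn1-max-frames: 256

pcre:
  match-limit: 3500
  match-limit-recursion: 1500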