Support #1781 » sanitized suricata 2.yaml

Jon Zeolla, 05/09/2016 01:06 PM

 
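%YAML 1.1
---
# Suricata 2.x sensor configuration (sanitized copy attached to Support #1781).
# YAML indentation is structural; this copy is laid out in the 2-space form
# used by the stock suricata.yaml so that it loads as written.

max-pending-packets: 2048
runmode: workers
# Passive sensor (no inline/IPS semantics); consistent with stream.inline: no.
host-mode: sniffer-only

af-packet:
  - interface: em1
    # auto uses the number of cores
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # Rollover requires a Linux kernel of 3.10 or newer.
    # NOTE(review): with rollover the kernel may move a queued flow's packets
    # to a different thread, which undermines the per-flow thread affinity
    # cluster_flow is meant to give and can leave gaps in stream reassembly.
    # Confirm this trade-off is intended.
    rollover: yes
    use-mmap: yes
    use-emergency-flush: yes
    # NOTE(review): with checksum validation off, packets carrying a bad
    # L3/L4 checksum -- which the destination host will discard -- are still
    # fed to detection. An attacker can use such packets to desynchronise the
    # IDS from the endpoint (insertion). "no" is normally only justified when
    # NIC checksum offload corrupts checksums on the capture interface;
    # otherwise "auto" is the safer setting.
    checksum-checks: no

# Capture buffer per packet; must cover the interface MTU (jumbo frames here).
default-packet-size: 9006

default-log-dir: /var/log/suricata

stats:
  enabled: yes
  interval: 300

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
  - stats:
      enabled: yes
      filename: stats.log
      totals: yes
      threads: no
      null-values: yes

detect-engine:
  - profile: medium
  # custom-values is only consulted when profile is "custom"; with
  # profile: medium the group counts below have no effect.
  - custom-values:
      toclient-src-groups: 2000
      toclient-dst-groups: 2000
      toclient-sp-groups: 2000
      toclient-dp-groups: 3000
      toserver-src-groups: 2000
      toserver-dst-groups: 4000
      toserver-sp-groups: 2000
      toserver-dp-groups: 2500
  # One MPM context per signature group head: fastest, highest memory use.
  - sgh-mpm-context: full
  - inspection-recursion-limit: 3000

threading:
  # With set-cpu-affinity: no the cpu-affinity sets below are not applied;
  # they are kept here so affinity can be switched on without re-writing them.
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]
        mode: "balanced"
        prio:
          default: "low"
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          default: "high"

# Aho-Corasick. The pattern-matcher tuning below belongs to the b2g/b3g/
# wumanber matchers and is not used while ac is selected.
mpm-algo: ac

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

defrag:
  # NOTE(review): 265mb is an unusual size -- possibly meant to be 256mb.
  memcap: 265mb
  trackers: 65535
  max-frags: 65535
  prealloc: yes

threshold-file: /etc/suricata/threshold.config
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

flow:
  memcap: 8gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 1

# NOTE(review): these timeouts are far below the stock suricata.yaml values
# (e.g. tcp established 3600s, udp/icmp established 300s). When a flow times
# out, its app-layer state, flowbits and reassembly context are discarded and
# a later packet of the same 5-tuple starts a fresh flow (picked up midstream,
# see stream.midstream). An attacker who idles longer than these windows can
# split a payload across two "flows" and slip past flow- and stream-based
# rules. Also, tcp emergency-closed (20) exceeds closed (10), so emergency
# mode keeps closed TCP flows longer than normal mode does -- this looks
# inverted. Confirm the values are deliberate for this sensor's traffic.
flow-timeouts:
  default:
    new: 5
    established: 10
    closed: 0
    emergency-new: 1
    emergency-established: 2
    emergency-closed: 0
  tcp:
    new: 5
    established: 300
    closed: 10
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 20
  udp:
    new: 5
    established: 5
    emergency-new: 5
    emergency-established: 5
  icmp:
    new: 5
    established: 5
    emergency-new: 5
    emergency-established: 5

stream:
  memcap: 24gb
  prealloc-sessions: 2500000
  inline: no
  # Track TCP sessions whose handshake was not observed. Required so flows
  # that predate sensor start-up (or were re-created after a flow timeout)
  # are not invisible, but such sessions are reassembled without handshake
  # and ISN context, so alerts on them carry less certainty.
  midstream: true
  reassembly:
    memcap: 30gb
    # Reassembly of a direction stops once 8mb has been seen; payload beyond
    # that is not stream-inspected, a known window for large-transfer evasion.
    depth: 8mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 167772160

logging:
  default-log-level: info
  outputs:
    - file:
        enabled: yes
        filename: /var/log/suricata.log

# Used only when Suricata is launched in pcap capture mode; under af-packet
# the af-packet section above applies instead. checksum-checks: no carries
# the same insertion caveat as noted there.
pcap:
  - interface: em1
    buffer-size: 2000mb
    checksum-checks: no
    threads: 15

default-rule-path: /etc/suricata/rules
rule-files:
  - et.rules
  - local.rules

vars:
  address-groups:
    # Addresses sanitized for the ticket. EXTERNAL_NET is the complement of
    # HOME_NET, so an incomplete HOME_NET both blinds $HOME_NET rules and
    # classifies internal hosts as external.
    HOME_NET: "[x.x.x.x]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "[y.y.y.y]"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    # Port lists sanitized for the ticket. The placeholders are quoted: an
    # unquoted "#" starts a YAML comment, which leaves the key empty and
    # breaks every rule that references the variable.
    HTTP_PORTS: "#####"
    SHELLCODE_PORTS: "#####"
    ORACLE_PORTS: "#####"
    SSH_PORTS: "#####"
    DNP3_PORTS: "#####"

action-order:
  - pass
  - drop
  - reject
  - alert

# The OS policy of the destination host decides how overlapping TCP segments
# are resolved during reassembly. NOTE(review): both windows and linux are
# mapped to 0.0.0.0/0, but an address can carry only one policy, so one of
# the two entries is ignored (which one depends on load order) and every host
# is reassembled under a single policy. A wrong policy is the classic
# overlap-based IDS evasion; map real netblocks to the OS they actually run.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

asn1-max-frames: 256

# Bounds on PCRE backtracking so a hostile payload cannot stall a detect
# thread on a single regex.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500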