Project

General

Profile

Bug #2017 » suricata.yaml

Ryan Cote, 02/03/2017 09:29 PM

 
1
%YAML 1.1
2
---
3

    
4
# Suricata configuration file. In addition to the comments describing all
5
# options in this file, full documentation can be found at:
6
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7

    
8

    
9
# Number of packets preallocated per thread. The default is 1024. A higher number 
10
# will make sure each CPU will be more easily kept busy, but may negatively 
11
# impact caching.
12
#
13
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
14
# apply. In that case try something like 60000 or more. This is because the CUDA
15
# pattern matcher buffers and scans as many packets as possible in parallel.
16
max-pending-packets: 2048
17

    
18
# Runmode the engine should use. Please check --list-runmodes to get the available
19
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
20
# load balancing).
21
runmode: autofp
22

    
23
# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
24
#
25
# Supported schedulers are:
26
#
27
# round-robin       - Flows assigned to threads in a round robin fashion.
28
# active-packets    - Flows assigned to threads that have the lowest number of
29
#                     unprocessed packets (default).
30
# hash              - Flow alloted usihng the address hash. More of a random
31
#                     technique. Was the default in Suricata 1.2.1 and older.
32
#
33
#autofp-scheduler: active-packets
34

    
35
# If suricata box is a router for the sniffed networks, set it to 'router'. If
36
# it is a pure sniffing setup, set it to 'sniffer-only'.
37
# If set to auto, the variable is internally switch to 'router' in IPS mode
38
# and 'sniffer-only' in IDS mode.
39
# This feature is currently only used by the reject* keywords.
40
host-mode: router
41

    
42
# Run suricata as user and group.
43
#run-as:
44
#  user: suri
45
#  group: suri
46

    
47
# Some logging module will use that name in event as identifier. The default
48
# value is the hostname
49
sensor-name: suricata01
50

    
51
# Default pid file.
52
# Will use this file if no --pidfile in command options.
53
#pid-file: /usr/local/var/run/suricata.pid
54

    
55
# Daemon working directory
56
# Suricata will change directory to this one if provided
57
# Default: "/"
58
#daemon-directory: "/"
59

    
60
# Preallocated size for packet. Default is 1514 which is the classical
61
# size for pcap on ethernet. You should adjust this value to the highest
62
# packet size (MTU + hardware header) on your system.
63
#default-packet-size: 1514
64

    
65
# The default logging directory.  Any log or output file will be
66
# placed here if its not specified with a full path name.  This can be
67
# overridden with the -l command line parameter.
68
default-log-dir: /root/suricata/
69

    
70
# Unix command socket can be used to pass commands to suricata.
71
# An external tool can then connect to get information from suricata
72
# or trigger some modifications of the engine. Set enabled to yes
73
# to activate the feature. You can use the filename variable to set
74
# the file name of the socket.
75
unix-command:
76
  enabled: no
77
  #filename: custom.socket
78

    
79
# global stats configuration
80
stats:
81
  enabled: yes
82
  # The interval field (in seconds) controls at what interval
83
  # the loggers are invoked.
84
  interval: 8
85

    
86
# Configure the type of alert (and other) logging you would like.
87
outputs:
88

    
89
  # a line based alerts log similar to Snort's fast.log
90
  - fast:
91
      enabled: no 
92
      filename: fast.log
93
      append: yes
94
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
95

    
96
  - eve-log:
97
      enabled: yes
98
      filetype: regular
99
      filename: stats.json
100
      types:
101
        - stats:
102
            totals: yes       # stats for all threads merged together
103
            threads: no       # per thread stats
104
            deltas: yes       # include delta values
105
  - eve-log:
106
     enabled: no
107
     filetype: redis
108
     redis:
109
      server: 127.0.0.1
110
      port: 6379
111
      mode: channel
112
      key: 'EVE:alert'
113
     types:
114
      - alert:
115
            xff:
116
              enabled: yes
117
              mode: extra-data
118
              deployment: reverse
119
              header: X-Forwarded-For
120

    
121

    
122
  - eve-log:
123
      enabled: yes
124
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
125
      filename: alert.json
126
      limit: 1gb
127
      types:
128
        - alert:
129
            payload: yes           # enable dumping payload in Base64
130
            payload-printable: yes # enable dumping payload in printable (lossy) format
131
            http: yes              # enable dumping of http fields
132
            tls: yes               # enable dumping of tls fields
133
            ssh: yes               # enable dumping of ssh fields
134
            smtp: yes              # enable dumping of smtp fields
135
            xff:
136
              enabled: no
137
              mode: extra-data
138
              deployment: reverse
139
              header: X-Forwarded-For
140

    
141

    
142
  - eve-log:
143
      enabled: yes
144
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
145
      filename: dns.json
146
      limit: 1gb
147
      types:
148
        - dns
149

    
150
  - eve-log:
151
      enabled: yes
152
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
153
      filename: flow.json
154
      limit: 1gb
155
      types:
156
        - netflow
157

    
158

    
159
  - eve-log:
160
      enabled: yes
161
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
162
      filename: eve.json
163
      limit: 1gb
164
      types:
165
        - http:
166
            extended: yes     # enable this for extended logging information
167
        - tls:
168
            #extended: yes     # enable this for extended logging information
169
        - files:
170
            #force-magic: no   # force logging magic on all logged files
171
            force-md5: yes    # force logging of md5 checksums
172
        - drop:
173
            alerts: yes      # log alerts that caused drops
174
        #- smtp:
175
            #extended: yes # enable this for extended logging information
176
        - ssh
177
        - smtp
178

    
179
  # Extensible Event Format (nicknamed EVE) event log in JSON format
180
  - eve-log:
181
      enabled: no 
182
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
183
      filename: eve2.json
184
      limit: 1gb
185
      #prefix: "@cee: " # prefix to prepend to each log entry
186
      # the following are valid when type: syslog above
187
      #identity: "suricata"
188
      #facility: local5
189
      #level: Info ## possible levels: Emergency, Alert, Critical,
190
                   ## Error, Warning, Notice, Info, Debug
191
      #redis:
192
      #  server: 127.0.0.1
193
      #  port: 6379
194
      #  mode: list ## possible values: list (default), channel
195
      #  key: suricata ## key or channel to use (default to suricata)
196
      # Redis pipelining set up. This will enable to only do a query every
197
      # 'batch-size' events. This should lower the latency induced by network
198
      # connection at the cost of some memory. There is no flushing implemented
199
      # so this setting as to be reserved to high traffic suricata.
200
      #  pipelining:
201
      #    enabled: yes ## set enable to yes to enable query pipelining
202
      #    batch-size: 10 ## number of entry to keep in buffer
203
      types:
204
        - alert:
205
            payload: yes           # enable dumping payload in Base64
206
            payload-printable: yes # enable dumping payload in printable (lossy) format
207
            # packet: yes            # enable dumping of packet (without stream segments)
208
            http: yes              # enable dumping of http fields
209
            tls: yes               # enable dumping of tls fields
210
            ssh: yes               # enable dumping of ssh fields
211
            smtp: yes              # enable dumping of smtp fields
212

    
213
            # HTTP X-Forwarded-For support by adding an extra field or overwriting
214
            # the source or destination IP address (depending on flow direction)
215
            # with the one reported in the X-Forwarded-For HTTP header. This is
216
            # helpful when reviewing alerts for traffic that is being reverse
217
            # or forward proxied.
218
            xff:
219
              enabled: no
220
              # Two operation modes are available, "extra-data" and "overwrite".
221
              mode: extra-data
222
              # Two proxy deployments are supported, "reverse" and "forward". In
223
              # a "reverse" deployment the IP address used is the last one, in a
224
              # "forward" deployment the first IP address is used.
225
              deployment: reverse
226
              # Header name where the actual IP address will be reported, if more
227
              # than one IP address is present, the last IP address will be the
228
              # one taken into consideration.
229
              header: X-Forwarded-For
230
        - http:
231
            extended: yes     # enable this for extended logging information
232
            # custom allows additional http fields to be included in eve-log
233
            # the example below adds three additional fields when uncommented
234
            #custom: [Accept-Encoding, Accept-Language, Authorization]
235
        - dns
236
        - tls:
237
            #extended: yes     # enable this for extended logging information
238
        - files:
239
            #force-magic: no   # force logging magic on all logged files
240
            force-md5: yes    # force logging of md5 checksums
241
        - drop:
242
            alerts: yes      # log alerts that caused drops
243
        #- smtp:
244
            #extended: yes # enable this for extended logging information
245
            # this includes: bcc, message-id, subject, x_mailer, user-agent
246
            # custom fields logging from the list:
247
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
248
            #  x-originating-ip, in-reply-to, references, importance, priority,
249
            #  sensitivity, organization, content-md5, date
250
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
251
            # output md5 of fields: body, subject
252
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
253
            # to yes
254
            #md5: [body, subject]
255

    
256
        - ssh
257
        #- stats:
258
            #totals: yes       # stats for all threads merged together
259
            #threads: no       # per thread stats
260
            #deltas: no        # include delta values
261
        # bi-directional flows
262
        #- flow
263
        # uni-directional flows
264
        - netflow
265
        - smtp
266

    
267
  # alert output for use with Barnyard2
268
  - unified2-alert:
269
      enabled: no
270
      filename: unified2.alert
271

    
272
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
273
      # is parsed as bytes.
274
      #limit: 32mb
275

    
276
      # Sensor ID field of unified2 alerts.
277
      #sensor-id: 0
278

    
279
      # Include payload of packets related to alerts. Defaults to true, set to
280
      # false if payload is not required.
281
      #payload: yes
282

    
283
      # HTTP X-Forwarded-For support by adding the unified2 extra header or
284
      # overwriting the source or destination IP address (depending on flow
285
      # direction) with the one reported in the X-Forwarded-For HTTP header.
286
      # This is helpful when reviewing alerts for traffic that is being reverse
287
      # or forward proxied.
288
      xff:
289
        enabled: no
290
        # Two operation modes are available, "extra-data" and "overwrite". Note
291
        # that in the "overwrite" mode, if the reported IP address in the HTTP
292
        # X-Forwarded-For header is of a different version of the packet
293
        # received, it will fall-back to "extra-data" mode.
294
        mode: extra-data
295
        # Two proxy deployments are supported, "reverse" and "forward". In
296
        # a "reverse" deployment the IP address used is the last one, in a
297
        # "forward" deployment the first IP address is used.
298
        deployment: reverse
299
        # Header name where the actual IP address will be reported, if more
300
        # than one IP address is present, the last IP address will be the
301
        # one taken into consideration.
302
        header: X-Forwarded-For
303

    
304
  # a line based log of HTTP requests (no alerts)
305
  - http-log:
306
      enabled: no
307
      filename: http.log
308
      append: yes
309
      #extended: yes     # enable this for extended logging information
310
      #custom: yes       # enabled the custom logging format (defined by customformat)
311
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
312
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
313

    
314
  # a line based log of TLS handshake parameters (no alerts)
315
  - tls-log:
316
      enabled: no  # Log TLS connections.
317
      filename: tls.log # File to store TLS logs.
318
      append: yes
319
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
320
      #extended: yes # Log extended information like fingerprint
321

    
322
  # output module to store certificates chain to disk
323
  - tls-store:
324
      enabled: no
325
      #certs-log-dir: certs # directory to store the certificates files
326

    
327
  # a line based log of DNS requests and/or replies (no alerts)
328
  - dns-log:
329
      enabled: no
330
      filename: dns.log
331
      append: yes
332
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
333

    
334
  # Packet log... log packets in pcap format. 3 modes of operation: "normal"
335
  # "multi" and "sguil".
336
  #
337
  # In normal mode a pcap file "filename" is created in the default-log-dir,
338
  # or are as specified by "dir".
339
  # In multi mode, a file is created per thread. This will perform much
340
  # better, but will create multiple files where 'normal' would create one.
341
  # In multi mode the filename takes a few special variables:
342
  # - %n -- thread number
343
  # - %i -- thread id
344
  # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
345
  # E.g. filename: pcap.%n.%t
346
  #
347
  # Note that it's possible to use directories, but the directories are not
348
  # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
349
  # per thread directory.
350
  #
351
  # Also note that the limit and max-files settings are enforced per thread.
352
  # So the size limit when using 8 threads with 1000mb files and 2000 files
353
  # is: 8*1000*2000 ~ 16TiB.
354
  #
355
  # In Sguil mode "dir" indicates the base directory. In this base dir the
356
  # pcaps are created in th directory structure Sguil expects:
357
  #
358
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
359
  #
360
  # By default all packets are logged except:
361
  # - TCP streams beyond stream.reassembly.depth
362
  # - encrypted streams after the key exchange
363
  #
364
  - pcap-log:
365
      enabled:  no
366
      filename: log.pcap
367

    
368
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
369
      # is parsed as bytes.
370
      limit: 1000mb
371

    
372
      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
373
      max-files: 2000
374

    
375
      mode: normal # normal, multi or sguil.
376
      #sguil-base-dir: /nsm_data/
377
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
378
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
379
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
380

    
381
  # a full alerts log containing much information for signature writers
382
  # or for investigating suspected false positives.
383
  - alert-debug:
384
      enabled: no
385
      filename: alert-debug.log
386
      append: yes
387
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
388

    
389
  # alert output to prelude (http://www.prelude-technologies.com/) only
390
  # available if Suricata has been compiled with --enable-prelude
391
  - alert-prelude:
392
      enabled: no
393
      profile: suricata
394
      log-packet-content: no
395
      log-packet-header: yes
396

    
397
  # Stats.log contains data from various counters of the suricata engine.
398
  - stats:
399
      enabled: no
400
      filename: stats.log
401
      totals: yes       # stats for all threads merged together
402
      threads: no       # per thread stats
403
      #null-values: yes  # print counters that have value 0
404

    
405
  # a line based alerts log similar to fast.log into syslog
406
  - syslog:
407
      enabled: no
408
      # reported identity to syslog. If ommited the program name (usually
409
      # suricata) will be used.
410
      #identity: "suricata"
411
      facility: local5
412
      #level: Info ## possible levels: Emergency, Alert, Critical,
413
                   ## Error, Warning, Notice, Info, Debug
414

    
415
  # a line based information for dropped packets in IPS mode
416
  - drop:
417
      enabled: no
418
      filename: drop.log
419
      append: yes
420
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
421

    
422
  # output module to store extracted files to disk
423
  #
424
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
425
  # an incrementing number starting at 1. For each file "file.<id>" a meta
426
  # file "file.<id>.meta" is created.
427
  #
428
  # File extraction depends on a lot of things to be fully done:
429
  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
430
  # - http request / response body sizes. Again set to 0 for optimal results.
431
  # - rules that contain the "filestore" keyword.
432
  - file-store:
433
      enabled: no       # set to yes to enable
434
      log-dir: files    # directory to store the files
435
      force-magic: no   # force logging magic on all stored files
436
      force-md5: no     # force logging of md5 checksums
437
      #waldo: file.waldo # waldo file to store the file_id across runs
438

    
439
  # output module to log files tracked in a easily parsable json format
440
  - file-log:
441
      enabled: no
442
      filename: files-json.log
443
      append: yes
444
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
445

    
446
      force-magic: no   # force logging magic on all logged files
447
      force-md5: no     # force logging of md5 checksums
448

    
449
  # Log TCP data after stream normalization
450
  # 2 types: file or dir. File logs into a single logfile. Dir creates
451
  # 2 files per TCP session and stores the raw TCP data into them.
452
  # Using 'both' will enable both file and dir modes.
453
  #
454
  # Note: limited by stream.depth
455
  - tcp-data:
456
      enabled: no
457
      type: file
458
      filename: tcp-data.log
459

    
460
  # Log HTTP body data after normalization, dechunking and unzipping.
461
  # 2 types: file or dir. File logs into a single logfile. Dir creates
462
  # 2 files per HTTP session and stores the normalized data into them.
463
  # Using 'both' will enable both file and dir modes.
464
  #
465
  # Note: limited by the body limit settings
466
  - http-body-data:
467
      enabled: no
468
      type: file
469
      filename: http-data.log
470

    
471
  # Lua Output Support - execute lua script to generate alert and event
472
  # output.
473
  # Documented at:
474
  # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
475
  - lua:
476
      enabled: no
477
      #scripts-dir: /etc/suricata/lua-output/
478
      scripts:
479
      #   - script1.lua
480

    
481
# Magic file. The extension .mgc is added to the value here.
482
#magic-file: /usr/share/file/magic
483
magic-file: /usr/share/file/magic
484

    
485
# When running in NFQ inline mode, it is possible to use a simulated
486
# non-terminal NFQUEUE verdict.
487
# This permit to do send all needed packet to suricata via this a rule:
488
#        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
489
# And below, you can have your standard filtering ruleset. To activate
490
# this mode, you need to set mode to 'repeat'
491
# If you want packet to be sent to another queue after an ACCEPT decision
492
# set mode to 'route' and set next-queue value.
493
# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
494
# by processing several packets before sending a verdict (worker runmode only).
495
# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
496
# accept the packet if suricata is not able to keep pace.
497
nfq:
498
#  mode: accept
499
#  repeat-mark: 1
500
#  repeat-mask: 1
501
#  route-queue: 2
502
#  batchcount: 20
503
  fail-open: yes
504

    
505
#nflog support
506
nflog:
507
    # netlink multicast group
508
    # (the same as the iptables --nflog-group param)
509
    # Group 0 is used by the kernel, so you can't use it
510
  - group: 2
511
    # netlink buffer size
512
    buffer-size: 18432
513
    # put default value here
514
  - group: default
515
    # set number of packet to queue inside kernel
516
    qthreshold: 1
517
    # set the delay before flushing packet in the queue inside kernel
518
    qtimeout: 100
519
    # netlink max buffer size
520
    max-size: 20000
521

    
522
# af-packet support
523

    
524
# Set threads to > 1 to use PACKET_FANOUT support
525
af-packet:
526
  - interface: eth1
527
    # Number of receive threads. "auto" uses the number of cores
528
    threads: 4
529
    # Default clusterid.  AF_PACKET will load balance packets based on flow.
530
    # All threads/processes that will participate need to have the same
531
    # clusterid.
532
    cluster-id: 99
533
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
534
    # This is only supported for Linux kernel > 3.1
535
    # possible value are:
536
    #  * cluster_round_robin: round robin load balancing
537
    #  * cluster_flow: all packets of a given flow are send to the same socket
538
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
539
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
540
    #  socket. Requires at least Linux 3.14.
541
    #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
542
    #  Requires at least Linux 3.14.
543
    #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
544
    #  to the next. Requires at least Linux 3.10.
545
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
546
    # with capture card using RSS (require cpu affinity tuning and system irq tuning)
547
    cluster-type: cluster_flow
548
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
549
    # to yes, the kernel will do the needed defragmentation before sending the packets.
550
    defrag: yes
551
    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
552
    # full then kernel will send the packet on the next socket with room available. This option
553
    # can minimize packet drop and increase the treated bandwith on single intensive flow.
554
    #rollover: yes
555
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
556
    use-mmap: yes
557
    # Ring size will be computed with respect to max_pending_packets and number
558
    # of threads. You can set manually the ring size in number of packets by setting
559
    # the following value. If you are using flow cluster-type and have really network
560
    # intensive single-flow you could want to set the ring-size independantly of the number
561
    # of threads:
562
    #ring-size: 2048
563
    # On busy system, this could help to set it to yes to recover from a packet drop
564
    # phase. This will result in some packets (at max a ring flush) being non treated.
565
    #use-emergency-flush: yes
566
    # recv buffer size, increase value could improve performance
567
    # buffer-size: 32768
568
    # Set to yes to disable promiscuous mode
569
    # disable-promisc: no
570
    # Choose checksum verification mode for the interface. At the moment
571
    # of the capture, some packets may be with an invalid checksum due to
572
    # offloading to the network card of the checksum computation.
573
    # Possible values are:
574
    #  - kernel: use indication sent by kernel for each packet (default)
575
    #  - yes: checksum validation is forced
576
    #  - no: checksum validation is disabled
577
    #  - auto: suricata uses a statistical approach to detect when
578
    #  checksum off-loading is used.
579
    # Warning: 'checksum-validation' must be set to yes to have any validation
580
    #checksum-checks: kernel
581
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
582
    #bpf-filter: port 80 or udp
583
    # You can use the following variables to activate AF_PACKET tap od IPS mode.
584
    # If copy-mode is set to ips or tap, the traffic coming to the current
585
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
586
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
587
    # will not be copied.
588
    #copy-mode: ips
589
    #copy-iface: eth1
590
  #- interface: eth1
591
    #threads: 2
592
    #cluster-id: 98
593
    #cluster-type: cluster_flow
594
    #defrag: no
595
    #use-mmap: yes
596
    #copy-mode: ips
597
    #copy-iface: eth0
598
    # buffer-size: 32768
599
    # disable-promisc: no
600
  # Put default values here
601
    #threads: auto
602
    #use-mmap: yes
603
    #rollover: yes
604

    
605
# Netmap support
606
#
607
# Netmap operates with NIC directly in driver, so you need FreeBSD wich have
608
# built-in netmap support or compile and install netmap module and appropriate
609
# NIC driver on your Linux system.
610
# To reach maximum throughput disable all receive-, segmentation-,
611
# checksum- offloadings on NIC.
612
# Disabling Tx checksum offloading is *required* for connecting OS endpoint
613
# with NIC endpoint.
614
# You can find more information at https://github.com/luigirizzo/netmap
615
#
616
netmap:
617
   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
618
 - interface: eth2
619
   # Number of receive threads. "auto" uses number of RSS queues on interface.
620
   threads: auto
621
   # You can use the following variables to activate netmap tap or IPS mode.
622
   # If copy-mode is set to ips or tap, the traffic coming to the current
623
   # interface will be copied to the copy-iface interface. If 'tap' is set, the
624
   # copy is complete. If 'ips' is set, the packet matching a 'drop' action
625
   # will not be copied.
626
   # To specify the OS as the copy-iface (so the OS can route packets, or forward
627
   # to a service running on the same machine) add a plus sign at the end
628
   # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
629
   # for return packets. Hardware checksumming must be *off* on the interface if
630
   # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
631
   # or 'ethtool -K eth0 tx off rx off' for Linux).
632
   #copy-mode: tap
633
   #copy-iface: eth3
634
   # Set to yes to disable promiscuous mode
635
   # disable-promisc: no
636
   # Choose checksum verification mode for the interface. At the moment
637
   # of the capture, some packets may be with an invalid checksum due to
638
   # offloading to the network card of the checksum computation.
639
   # Possible values are:
640
   #  - yes: checksum validation is forced
641
   #  - no: checksum validation is disabled
642
   #  - auto: suricata uses a statistical approach to detect when
643
   #  checksum off-loading is used.
644
   # Warning: 'checksum-validation' must be set to yes to have any validation
645
   #checksum-checks: auto
646
   # BPF filter to apply to this interface. The pcap filter syntax apply here.
647
   #bpf-filter: port 80 or udp
648
 #- interface: eth3
649
   #threads: auto
650
   #copy-mode: tap
651
   #copy-iface: eth2
652
   # Put default values here
653
 - interface: default
654

    
655
legacy:
656
  uricontent: enabled
657

    
658
# You can specify a threshold config file by setting "threshold-file"
659
# to the path of the threshold config file:
660
# threshold-file: /etc/suricata/threshold.config
661

    
662
# The detection engine builds internal groups of signatures. The engine
663
# allow us to specify the profile to use for them, to manage memory on an
664
# efficient way keeping a good performance. For the profile keyword you
665
# can use the words "low", "medium", "high" or "custom". If you use custom
666
# make sure to define the values at "- custom-values" as your convenience.
667
# Usually you would prefer medium/high/low.
668
#
669
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
670
# the signature groups.  "single" indicates the use of a single context for
671
# all the signature group heads.  "full" indicates a mpm-context for each
672
# group head.  "auto" lets the engine decide the distribution of contexts
673
# based on the information the engine gathers on the patterns from each
674
# group head.
675
#
676
# The option inspection-recursion-limit is used to limit the recursive calls
677
# in the content inspection code.  For certain payload-sig combinations, we
678
# might end up taking too much time in the content inspection code.
679
# If the argument specified is 0, the engine uses an internally defined
680
# default limit.  On not specifying a value, we use no limits on the recursion.
681
detect-engine:
682
  - profile: medium
683
  - custom-values:
684
      toclient-src-groups: 2
685
      toclient-dst-groups: 2
686
      toclient-sp-groups: 2
687
      toclient-dp-groups: 3
688
      toserver-src-groups: 2
689
      toserver-dst-groups: 4
690
      toserver-sp-groups: 2
691
      toserver-dp-groups: 25
692
  - sgh-mpm-context: auto
693
  - inspection-recursion-limit: 3000
694
  # If set to yes, the loading of signatures will be made after the capture
695
  # is started. This will limit the downtime in IPS mode.
696
  - delayed-detect: yes
697

    
698
# Suricata is multi-threaded. Here the threading can be influenced.
699
threading:
700
  # On some cpu's/architectures it is beneficial to tie individual threads
701
  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
702
  # and each extra CPU/core has one "detect" thread.
703
  #
704
  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
705
  #
706
  set-cpu-affinity: no
707
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
708
  # on specific CPUs.
709
  cpu-affinity:
710
    - management-cpu-set:
711
        cpu: [ 0 ]  # include only these cpus in affinity settings
712
    - receive-cpu-set:
713
        cpu: [ 0 ]  # include only these cpus in affinity settings
714
    - decode-cpu-set:
715
        cpu: [ 0, 1 ]
716
        mode: "balanced"
717
    - stream-cpu-set:
718
        cpu: [ "0-1" ]
719
    - detect-cpu-set:
720
        cpu: [ "all" ]
721
        mode: "exclusive" # run detect threads in these cpus
722
        # Use explicitely 3 threads and don't compute number by using
723
        # detect-thread-ratio variable:
724
        # threads: 3
725
        prio:
726
          low: [ 0 ]
727
          medium: [ "1-2" ]
728
          high: [ 3 ]
729
          default: "medium"
730
    - verdict-cpu-set:
731
        cpu: [ 0 ]
732
        prio:
733
          default: "high"
734
    - reject-cpu-set:
735
        cpu: [ 0 ]
736
        prio:
737
          default: "low"
738
    - output-cpu-set:
739
        cpu: [ "all" ]
740
        prio:
741
           default: "medium"
742
  #
743
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
744
  # This setting allows controlling this behaviour. A ratio setting of 2 will
745
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
746
  # will result in 4 detect threads. If values below 1 are used, less threads
747
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
748
  # thread being created. Regardless of the setting at a minimum 1 detect
749
  # thread will always be created.
750
  #
751
  detect-thread-ratio: 1.5
752

    
753
# Cuda configuration.
754
cuda:
755
  # The "mpm" profile.  On not specifying any of these parameters, the engine's
756
  # internal default values are used, which are same as the ones specified in
757
  # in the default conf file.
758
  mpm:
759
    # The minimum length required to buffer data to the gpu.
760
    # Anything below this is MPM'ed on the CPU.
761
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
762
    # A value of 0 indicates there's no limit.
763
    data-buffer-size-min-limit: 0
764
    # The maximum length for data that we would buffer to the gpu.
765
    # Anything over this is MPM'ed on the CPU.
766
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
767
    data-buffer-size-max-limit: 1500
768
    # The ring buffer size used by the CudaBuffer API to buffer data.
769
    cudabuffer-buffer-size: 500mb
770
    # The max chunk size that can be sent to the gpu in a single go.
771
    gpu-transfer-size: 50mb
772
    # The timeout limit for batching of packets in microseconds.
773
    batching-timeout: 2000
774
    # The device to use for the mpm.  Currently we don't support load balancing
775
    # on multiple gpus.  In case you have multiple devices on your system, you
776
    # can specify the device to use, using this conf.  By default we hold 0, to
777
    # specify the first device cuda sees.  To find out device-id associated with
778
    # the card(s) on the system run "suricata --list-cuda-cards".
779
    device-id: 0
780
    # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
781
    # For this option you need a device with Compute Capability > 1.0.
782
    cuda-streams: 2
783

    
784
# Select the multi pattern algorithm you want to run for scan/search the
785
# in the engine. The supported algorithms are b2g, b3g, wumanber,
786
# ac, ac-bs and ac-gfbs.
787
#
788
# The mpm you choose also decides the distribution of mpm contexts for
789
# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
790
# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
791
# to be set to "single", because of ac's memory requirements, unless the
792
# ruleset is small enough to fit in one's memory, in which case one can
793
# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
794
#
795
# There is also a CUDA pattern matcher (only available if Suricata was
796
# compiled with --enable-cuda: b2g_cuda. Make sure to update your
797
# max-pending-packets setting above as well if you use b2g_cuda.
798

    
799
mpm-algo: ac
800

    
801
# The memory settings for hash size of these algorithms can vary from lowest
802
# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
803
# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
804
# medium (1024) - high (2048).
805
#
806
# For B2g/B3g algorithms, there is a support for two different scan/search
807
# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
808
# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
809
# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
810
# B3gSearchBNDMq.
811
#
812
# For B2g the different scan/search algorithms and, hash and bloom
813
# filter size settings. For B3g the different scan/search algorithms and, hash
814
# and bloom filter size settings. For wumanber the hash and bloom filter size
815
# settings.
816

    
817
pattern-matcher:
818
  - b2g:
819
      search-algo: B2gSearchBNDMq
820
      hash-size: low
821
      bf-size: medium
822
  - b3g:
823
      search-algo: B3gSearchBNDMq
824
      hash-size: low
825
      bf-size: medium
826
  - wumanber:
827
      hash-size: low
828
      bf-size: medium
829

    
830
# Defrag settings:
831

    
832
defrag:
833
  memcap: 32mb
834
  hash-size: 65536
835
  trackers: 65535 # number of defragmented flows to follow
836
  max-frags: 65535 # number of fragments to keep (higher than trackers)
837
  prealloc: yes
838
  timeout: 60
839

    
840
# Enable defrag per host settings
841
#  host-config:
842
#
843
#    - dmz:
844
#        timeout: 30
845
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
846
#
847
#    - lan:
848
#        timeout: 45
849
#        address:
850
#          - 192.168.0.0/24
851
#          - 192.168.10.0/24
852
#          - 172.16.14.0/24
853

    
854
# Flow settings:
855
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
856
# for flow allocation inside the engine. You can change this value to allow
857
# more memory usage for flows.
858
# The hash-size determine the size of the hash used to identify flows inside
859
# the engine, and by default the value is 65536.
860
# At the startup, the engine can preallocate a number of flows, to get a better
861
# performance. The number of flows preallocated is 10000 by default.
862
# emergency-recovery is the percentage of flows that the engine need to
863
# prune before unsetting the emergency state. The emergency state is activated
864
# when the memcap limit is reached, allowing to create new flows, but
865
# prunning them with the emergency timeouts (they are defined below).
866
# If the memcap is reached, the engine will try to prune flows
867
# with the default timeouts. If it doens't find a flow to prune, it will set
868
# the emergency bit and it will try again with more agressive timeouts.
869
# If that doesn't work, then it will try to kill the last time seen flows
870
# not in use.
871
# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
872
# in bytes.
873

    
874
flow:
875
  memcap: 64mb
876
  hash-size: 65536
877
  prealloc: 10000
878
  emergency-recovery: 30
879
  #managers: 1 # default to one flow manager
880
  #recyclers: 1 # default to one flow recycler thread
881

    
882
# This option controls the use of vlan ids in the flow (and defrag)
883
# hashing. Normally this should be enabled, but in some (broken)
884
# setups where both sides of a flow are not tagged with the same vlan
885
# tag, we can ignore the vlan id's in the flow hashing.
886
vlan:
887
  use-for-tracking: true
888

    
889
# Specific timeouts for flows. Here you can specify the timeouts that the
890
# active flows will wait to transit from the current state to another, on each
891
# protocol. The value of "new" determine the seconds to wait after a hanshake or
892
# stream startup before the engine free the data of that flow it doesn't
893
# change the state to established (usually if we don't receive more packets
894
# of that flow). The value of "established" is the amount of
895
# seconds that the engine will wait to free the flow if it spend that amount
896
# without receiving new packets or closing the connection. "closed" is the
897
# amount of time to wait after a flow is closed (usually zero).
898
#
899
# There's an emergency mode that will become active under attack circumstances,
900
# making the engine to check flow status faster. This configuration variables
901
# use the prefix "emergency-" and work similar as the normal ones.
902
# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
903
# icmp.
904

    
905
flow-timeouts:
906

    
907
  default:
908
    new: 30
909
    established: 300
910
    closed: 0
911
    emergency-new: 10
912
    emergency-established: 100
913
    emergency-closed: 0
914
  tcp:
915
    new: 60
916
    established: 3600
917
    closed: 120
918
    emergency-new: 10
919
    emergency-established: 300
920
    emergency-closed: 20
921
  udp:
922
    new: 30
923
    established: 300
924
    emergency-new: 10
925
    emergency-established: 100
926
  icmp:
927
    new: 30
928
    established: 300
929
    emergency-new: 10
930
    emergency-established: 100
931

    
932
# Stream engine settings. Here the TCP stream tracking and reassembly
933
# engine is configured.
934
#
935
# stream:
936
#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
937
#                               # number indicates it's in bytes.
938
#   checksum-validation: yes    # To validate the checksum of received
939
#                               # packet. If csum validation is specified as
940
#                               # "yes", then packet with invalid csum will not
941
#                               # be processed by the engine stream/app layer.
942
#                               # Warning: locally generated trafic can be
943
#                               # generated without checksum due to hardware offload
944
#                               # of checksum. You can control the handling of checksum
945
#                               # on a per-interface basis via the 'checksum-checks'
946
#                               # option
947
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
948
#   midstream: false            # don't allow midstream session pickups
949
#   async-oneside: false        # don't enable async stream handling
950
#   inline: no                  # stream inline mode
951
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
952
#
953
#   reassembly:
954
#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
955
#                               # indicates it's in bytes.
956
#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
957
#                               # indicates it's in bytes.
958
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
959
#                               # this size.  Can be specified in kb, mb,
960
#                               # gb.  Just a number indicates it's in bytes.
961
#                               # The max acceptable size is 4024 bytes.
962
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
963
#                               # this size.  Can be specified in kb, mb,
964
#                               # gb.  Just a number indicates it's in bytes.
965
#                               # The max acceptable size is 4024 bytes.
966
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
967
#                               # This lower the risk of some evasion technics but could lead
968
#                               # detection change between runs. It is set to 'yes' by default.
969
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
970
#                               # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
971
#                               # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
972
#                               # of randomize-chunk-range is 10.
973
#
974
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
975
#                               # raw is for content inspection by detection
976
#                               # engine.
977
#
978
#     chunk-prealloc: 250       # Number of preallocated stream chunks. These
979
#                               # are used during stream inspection (raw).
980
#     segments:                 # Settings for reassembly segment pool.
981
#       - size: 4               # Size of the (data)segment for a pool
982
#         prealloc: 256         # Number of segments to prealloc and keep
983
#                               # in the pool.
984
#     zero-copy-size: 128       # This option sets in bytes the value at
985
#                               # which segment data is passed to the app
986
#                               # layer API directly. Data sizes equal to
987
#                               # and higher than the value set are passed
988
#                               # on directly.
989
#
990
stream:
991
  memcap: 32mb
992
  checksum-validation: no       # reject wrong csums
993
  midstream: true
994
  inline: yes                   # auto will use inline mode in IPS mode, yes or no set it statically
995
  reassembly:
996
    memcap: 128mb
997
    depth: 1mb                  # reassemble 1mb into a stream
998
    toserver-chunk-size: 2560
999
    toclient-chunk-size: 2560
1000
    randomize-chunk-size: yes
1001
    #randomize-chunk-range: 10
1002
    #raw: yes
1003
    #chunk-prealloc: 250
1004
    #segments:
1005
    #  - size: 4
1006
    #    prealloc: 256
1007
    #  - size: 16
1008
    #    prealloc: 512
1009
    #  - size: 112
1010
    #    prealloc: 512
1011
    #  - size: 248
1012
    #    prealloc: 512
1013
    #  - size: 512
1014
    #    prealloc: 512
1015
    #  - size: 768
1016
    #    prealloc: 1024
1017
    #  - size: 1448
1018
    #    prealloc: 1024
1019
    #  - size: 65535
1020
    #    prealloc: 128
1021
    #zero-copy-size: 128
1022

    
1023
# Host table:
1024
#
1025
# Host table is used by tagging and per host thresholding subsystems.
1026
#
1027
host:
1028
  hash-size: 4096
1029
  prealloc: 1000
1030
  memcap: 16777216
1031

    
1032
# IP Pair table:
1033
#
1034
# Used by xbits 'ippair' tracking.
1035
#
1036
#ippair:
1037
#  hash-size: 4096
1038
#  prealloc: 1000
1039
#  memcap: 16777216
1040

    
1041
# Logging configuration.  This is not about logging IDS alerts, but
1042
# IDS output about what its doing, errors, etc.
1043
logging:
1044

    
1045
  # The default log level, can be overridden in an output section.
1046
  # Note that debug level logging will only be emitted if Suricata was
1047
  # compiled with the --enable-debug configure option.
1048
  #
1049
  # This value is overriden by the SC_LOG_LEVEL env var.
1050
  default-log-level: notice
1051

    
1052
  # The default output format.  Optional parameter, should default to
1053
  # something reasonable if not provided.  Can be overriden in an
1054
  # output section.  You can leave this out to get the default.
1055
  #
1056
  # This value is overriden by the SC_LOG_FORMAT env var.
1057
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
1058

    
1059
  # A regex to filter output.  Can be overridden in an output section.
1060
  # Defaults to empty (no filter).
1061
  #
1062
  # This value is overriden by the SC_LOG_OP_FILTER env var.
1063
  default-output-filter:
1064

    
1065
  # Define your logging outputs.  If none are defined, or they are all
1066
  # disabled you will get the default - console output.
1067
  outputs:
1068
  - console:
1069
      enabled: no 
1070
      # type: json
1071
  - file:
1072
      enabled: yes
1073
      filename: /root/suricata/suricata.log
1074
      type: json
1075
  - syslog:
1076
      enabled: no
1077
      facility: local5
1078
      format: "[%i] <%d> -- "
1079
      # type: json
1080

    
1081
# Tilera mpipe configuration. for use on Tilera TILE-Gx.
1082
mpipe:
1083

    
1084
  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
1085
  load-balance: dynamic
1086

    
1087
  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
1088
  iqueue-packets: 2048
1089

    
1090
  # List of interfaces we will listen on.
1091
  inputs:
1092
  - interface: xgbe2
1093
  - interface: xgbe3
1094
  - interface: xgbe4
1095

    
1096

    
1097
  # Relative weight of memory for packets of each mPipe buffer size.
1098
  stack:
1099
    size128: 0
1100
    size256: 9
1101
    size512: 0
1102
    size1024: 0
1103
    size1664: 7
1104
    size4096: 0
1105
    size10386: 0
1106
    size16384: 0
1107

    
1108
# PF_RING configuration. for use with native PF_RING support
1109
# for more info see http://www.ntop.org/products/pf_ring/
1110
pfring:
1111
  - interface: eth0
1112
    # Number of receive threads (>1 will enable experimental flow pinned
1113
    # runmode)
1114
    threads: 1
1115

    
1116
    # Default clusterid.  PF_RING will load balance packets based on flow.
1117
    # All threads/processes that will participate need to have the same
1118
    # clusterid.
1119
    cluster-id: 99
1120

    
1121
    # Default PF_RING cluster type. PF_RING can load balance per flow.
1122
    # Possible values are cluster_flow or cluster_round_robin.
1123
    cluster-type: cluster_flow
1124
    # bpf filter for this interface
1125
    #bpf-filter: tcp
1126
    # Choose checksum verification mode for the interface. At the moment
1127
    # of the capture, some packets may be with an invalid checksum due to
1128
    # offloading to the network card of the checksum computation.
1129
    # Possible values are:
1130
    #  - rxonly: only compute checksum for packets received by network card.
1131
    #  - yes: checksum validation is forced
1132
    #  - no: checksum validation is disabled
1133
    #  - auto: suricata uses a statistical approach to detect when
1134
    #  checksum off-loading is used. (default)
1135
    # Warning: 'checksum-validation' must be set to yes to have any validation
1136
    #checksum-checks: auto
1137
  # Second interface
1138
  #- interface: eth1
1139
  #  threads: 3
1140
  #  cluster-id: 93
1141
  #  cluster-type: cluster_flow
1142
  # Put default values here
1143
  - interface: default
1144
    #threads: 2
1145

    
1146
pcap:
1147
  - interface: eth0
1148
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
1149
    # as total of memory used by the ring. So set this to something bigger
1150
    # than 1% of your bandwidth.
1151
    #buffer-size: 16777216
1152
    #bpf-filter: "tcp and port 25"
1153
    # Choose checksum verification mode for the interface. At the moment
1154
    # of the capture, some packets may be with an invalid checksum due to
1155
    # offloading to the network card of the checksum computation.
1156
    # Possible values are:
1157
    #  - yes: checksum validation is forced
1158
    #  - no: checksum validation is disabled
1159
    #  - auto: suricata uses a statistical approach to detect when
1160
    #  checksum off-loading is used. (default)
1161
    # Warning: 'checksum-validation' must be set to yes to have any validation
1162
    #checksum-checks: auto
1163
    # With some accelerator cards using a modified libpcap (like myricom), you
1164
    # may want to have the same number of capture threads as the number of capture
1165
    # rings. In this case, set up the threads variable to N to start N threads
1166
    # listening on the same interface.
1167
    #threads: 16
1168
    # set to no to disable promiscuous mode:
1169
    #promisc: no
1170
    # set snaplen, if not set it defaults to MTU if MTU can be known
1171
    # via ioctl call and to full capture if not.
1172
    #snaplen: 1518
1173
  # Put default values here
1174
  - interface: default
1175
    #checksum-checks: auto
1176

    
1177
pcap-file:
1178
  # Possible values are:
1179
  #  - yes: checksum validation is forced
1180
  #  - no: checksum validation is disabled
1181
  #  - auto: suricata uses a statistical approach to detect when
1182
  #  checksum off-loading is used. (default)
1183
  # Warning: 'checksum-validation' must be set to yes to have checksum tested
1184
  checksum-checks: auto
1185

    
1186
# For FreeBSD ipfw(8) divert(4) support.
1187
# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
1188
# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
1189
# Additionally, you need to have an ipfw rule for the engine to see
1190
# the packets from ipfw.  For Example:
1191
#
1192
#   ipfw add 100 divert 8000 ip from any to any
1193
#
1194
# The 8000 above should be the same number you passed on the command
1195
# line, i.e. -d 8000
1196
#
1197
ipfw:
1198

    
1199
  # Reinject packets at the specified ipfw rule number.  This config
1200
  # option is the ipfw rule number AT WHICH rule processing continues
1201
  # in the ipfw processing system after the engine has finished
1202
  # inspecting the packet for acceptance.  If no rule number is specified,
1203
  # accepted packets are reinjected at the divert rule which they entered
1204
  # and IPFW rule processing continues.  No check is done to verify
1205
  # this will rule makes sense so care must be taken to avoid loops in ipfw.
1206
  #
1207
  ## The following example tells the engine to reinject packets
1208
  # back into the ipfw firewall AT rule number 5500:
1209
  #
1210
  # ipfw-reinjection-rule-number: 5500
1211

    
1212
# Set the default rule path here to search for the files.
1213
# if not set, it will look at the current working dir
1214
default-rule-path: /etc/suricata/rules
1215
rule-files:
1216
 #- local.rules
1217
 #- testing.rules
1218
 #- bad.rules
1219
 - botcc.rules
1220
 - ciarmy.rules
1221
 - compromised.rules
1222
 - drop.rules
1223
 - dshield.rules
1224
 - emerging-activex.rules
1225
 - emerging-attack_response.rules
1226
 #- emerging-chat.rules
1227
 - emerging-current_events.rules
1228
 - emerging-dns.rules
1229
 - emerging-dos.rules
1230
 - emerging-exploit.rules
1231
 - emerging-ftp.rules
1232
 #- emerging-games.rules
1233
 #- emerging-icmp_info.rules
1234
# - emerging-icmp.rules
1235
 - emerging-imap.rules
1236
 #- emerging-inappropriate.rules
1237
 - emerging-malware.rules
1238
 - emerging-misc.rules
1239
 - emerging-mobile_malware.rules
1240
 - emerging-netbios.rules
1241
 - emerging-p2p.rules
1242
 #- emerging-policy.rules
1243
 - emerging-pop3.rules
1244
 - emerging-rpc.rules
1245
 #- emerging-scada.rules
1246
 - emerging-scan.rules
1247
 - emerging-shellcode.rules
1248
 #- emerging-smtp.rules
1249
 #- emerging-snmp.rules
1250
 #- emerging-sql.rules
1251
 - emerging-telnet.rules
1252
 - emerging-tftp.rules
1253
 - emerging-trojan.rules
1254
 #- emerging-user_agents.rules
1255
 #- emerging-voip.rules
1256
 - emerging-web_client.rules
1257
 #- emerging-web_server.rules
1258
 - emerging-web_specific_apps.rules
1259
 - emerging-worm.rules
1260
 - tor.rules
1261
 #- decoder-events.rules # available in suricata sources under rules dir
1262
 #- stream-events.rules  # available in suricata sources under rules dir
1263
 #- http-events.rules    # available in suricata sources under rules dir
1264
 #- smtp-events.rules    # available in suricata sources under rules dir
1265
 #- dns-events.rules     # available in suricata sources under rules dir
1266
 #- tls-events.rules     # available in suricata sources under rules dir
1267
# - modbus-events.rules  # available in suricata sources under rules dir
1268
 #- app-layer-events.rules  # available in suricata sources under rules dir
1269

    
1270
classification-file: /etc/suricata/classification.config
1271
reference-config-file: /etc/suricata/reference.config
1272

    
1273
# Holds variables that would be used by the engine.
1274
vars:
1275

    
1276
  # Holds the address group vars that would be passed in a Signature.
1277
  # These would be retrieved during the Signature address parsing stage.
1278
  address-groups:
1279

    
1280
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
1281

    
1282
    EXTERNAL_NET: "any"
1283

    
1284
    HTTP_SERVERS: "$HOME_NET"
1285

    
1286
    SMTP_SERVERS: "$HOME_NET"
1287

    
1288
    SQL_SERVERS: "$HOME_NET"
1289

    
1290
    DNS_SERVERS: "$HOME_NET"
1291

    
1292
    TELNET_SERVERS: "$HOME_NET"
1293

    
1294
    AIM_SERVERS: "$EXTERNAL_NET"
1295

    
1296
    DNP3_SERVER: "$HOME_NET"
1297

    
1298
    DNP3_CLIENT: "$HOME_NET"
1299

    
1300
    MODBUS_CLIENT: "$HOME_NET"
1301

    
1302
    MODBUS_SERVER: "$HOME_NET"
1303

    
1304
    ENIP_CLIENT: "$HOME_NET"
1305

    
1306
    ENIP_SERVER: "$HOME_NET"
1307

    
1308
  # Holds the port group vars that would be passed in a Signature.
1309
  # These would be retrieved during the Signature port parsing stage.
1310
  port-groups:
1311

    
1312
    HTTP_PORTS: "80"
1313

    
1314
    SHELLCODE_PORTS: "!80"
1315

    
1316
    ORACLE_PORTS: 1521
1317

    
1318
    SSH_PORTS: 22
1319

    
1320
    DNP3_PORTS: 20000
1321

    
1322
    MODBUS_PORTS: 502
1323

    
1324
# Set the order of alerts bassed on actions
1325
# The default order is pass, drop, reject, alert
1326
# action-order:
1327
#   - pass
1328
#   - drop
1329
#   - reject
1330
#   - alert
1331

    
1332
# IP Reputation
1333
#reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
1334
#default-reputation-path: /usr/local/etc/suricata/iprep
1335
#reputation-files:
1336
# - reputation.list
1337

    
1338
# Host specific policies for defragmentation and TCP stream
1339
# reassembly.  The host OS lookup is done using a radix tree, just
1340
# like a routing table so the most specific entry matches.
1341
host-os-policy:
1342
  # Make the default policy windows.
1343
  windows: [0.0.0.0/0]
1344
  bsd: []
1345
  bsd-right: []
1346
  old-linux: []
1347
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
1348
  old-solaris: []
1349
  solaris: ["::1"]
1350
  hpux10: []
1351
  hpux11: []
1352
  irix: []
1353
  macos: []
1354
  vista: []
1355
  windows2k3: []
1356

    
1357

    
1358
# Limit for the maximum number of asn1 frames to decode (default 256)
1359
asn1-max-frames: 256
1360

    
1361
# When run with the option --engine-analysis, the engine will read each of
1362
# the parameters below, and print reports for each of the enabled sections
1363
# and exit.  The reports are printed to a file in the default log dir
1364
# given by the parameter "default-log-dir", with engine reporting
1365
# subsection below printing reports in its own report file.
1366
engine-analysis:
1367
  # enables printing reports for fast-pattern for every rule.
1368
  rules-fast-pattern: yes
1369
  # enables printing reports for each rule
1370
  rules: yes
1371

    
1372
#recursion and match limits for PCRE where supported
1373
pcre:
1374
  match-limit: 3500
1375
  match-limit-recursion: 1500
1376

    
1377
# Holds details on the app-layer. The protocols section details each protocol.
1378
# Under each protocol, the default value for detection-enabled and "
1379
# parsed-enabled is yes, unless specified otherwise.
1380
# Each protocol covers enabling/disabling parsers for all ipprotos
1381
# the app-layer protocol runs on.  For example "dcerpc" refers to the tcp
1382
# version of the protocol as well as the udp version of the protocol.
1383
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
1384
# "yes" enables both detection and the parser, "no" disables both, and
1385
# "detection-only" enables detection only(parser disabled).
1386
app-layer:
1387
  protocols:
1388
    tls:
1389
      enabled: yes
1390
      detection-ports:
1391
        dp: 443
1392

    
1393
      #no-reassemble: yes
1394
    dcerpc:
1395
      enabled: yes
1396
    ftp:
1397
      enabled: yes
1398
    ssh:
1399
      enabled: yes
1400
    smtp:
1401
      enabled: yes
1402
      # Configure SMTP-MIME Decoder
1403
      mime:
1404
        # Decode MIME messages from SMTP transactions
1405
        # (may be resource intensive)
1406
        # This field supercedes all others because it turns the entire
1407
        # process on or off
1408
        decode-mime: yes
1409

    
1410
        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
1411
        decode-base64: yes
1412
        decode-quoted-printable: yes
1413

    
1414
        # Maximum bytes per header data value stored in the data structure
1415
        # (default is 2000)
1416
        header-value-depth: 2000
1417

    
1418
        # Extract URLs and save in state data structure
1419
        extract-urls: yes
1420
        # Set to yes to compute the md5 of the mail body. You will then
1421
        # be able to journalize it.
1422
        body-md5: no
1423
      # Configure inspected-tracker for file_data keyword
1424
      inspected-tracker:
1425
        content-limit: 1000
1426
        content-inspect-min-size: 1000
1427
        content-inspect-window: 1000
1428
    imap:
1429
      enabled: detection-only
1430
    msn:
1431
      enabled: detection-only
1432
    smb:
1433
      enabled: yes
1434
      detection-ports:
1435
        dp: 139
1436
    # Note: Modbus probe parser is minimalist due to the poor significant field
1437
    # Only Modbus message length (greater than Modbus header length)
1438
    # And Protocol ID (equal to 0) are checked in probing parser
1439
    # It is important to enable detection port and define Modbus port
1440
    # to avoid false positive
1441
    modbus:
1442
      # How many unreplied Modbus requests are considered a flood.
1443
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
1444
      #request-flood: 500
1445

    
1446
      enabled: no
1447
      detection-ports:
1448
        dp: 502
1449
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it 
1450
      # is recommended to keep the TCP connection opened with a remote device 
1451
      # and not to open and close it for each MODBUS/TCP transaction. In that 
1452
      # case, it is important to set the depth of the stream reassembling as
1453
      # unlimited (stream.reassembly.depth: 0)
1454
    # smb2 detection is disabled internally inside the engine.
1455
    #smb2:
1456
    #  enabled: yes
1457
    dns:
1458
      # memcaps. Globally and per flow/state.
1459
      #global-memcap: 16mb
1460
      #state-memcap: 512kb
1461

    
1462
      # How many unreplied DNS requests are considered a flood.
1463
      # If the limit is reached, app-layer-event:dns.flooded; will match.
1464
      #request-flood: 500
1465

    
1466
      tcp:
1467
        enabled: yes
1468
        detection-ports:
1469
          dp: 53
1470
      udp:
1471
        enabled: yes
1472
        detection-ports:
1473
          dp: 53
1474
    http:
1475
      enabled: yes
1476
      # memcap: 64mb
1477

    
1478
      ###########################################################################
1479
      # Configure libhtp.
1480
      #
1481
      #
1482
      # default-config:           Used when no server-config matches
1483
      #   personality:            List of personalities used by default
1484
      #   request-body-limit:     Limit reassembly of request body for inspection
1485
      #                           by http_client_body & pcre /P option.
1486
      #   response-body-limit:    Limit reassembly of response body for inspection
1487
      #                           by file_data, http_server_body & pcre /Q option.
1488
      #   double-decode-path:     Double decode path section of the URI
1489
      #   double-decode-query:    Double decode query section of the URI
1490
      #
1491
      # server-config:            List of server configurations to use if address matches
1492
      #   address:                List of ip addresses or networks for this block
1493
      #   personalitiy:           List of personalities used by this block
1494
      #   request-body-limit:     Limit reassembly of request body for inspection
1495
      #                           by http_client_body & pcre /P option.
1496
      #   response-body-limit:    Limit reassembly of response body for inspection
1497
      #                           by file_data, http_server_body & pcre /Q option.
1498
      #   double-decode-path:     Double decode path section of the URI
1499
      #   double-decode-query:    Double decode query section of the URI
1500
      #
1501
      #   uri-include-all:        Include all parts of the URI. By default the
1502
      #                           'scheme', username/password, hostname and port
1503
      #                           are excluded. Setting this option to true adds
1504
      #                           all of them to the normalized uri as inspected
1505
      #                           by http_uri, urilen, pcre with /U and the other
1506
      #                           keywords that inspect the normalized uri.
1507
      #                           Note that this does not affect http_raw_uri.
1508
      #                           Also, note that including all was the default in
1509
      #                           1.4 and 2.0beta1.
1510
      #
1511
      #   meta-field-limit:       Hard size limit for request and response size
1512
      #                           limits. Applies to request line and headers,
1513
      #                           response line and headers. Does not apply to
1514
      #                           request or response bodies. Default is 18k.
1515
      #                           If this limit is reached an event is raised.
1516
      #
1517
      # Currently Available Personalities:
1518
      #   Minimal
1519
      #   Generic
1520
      #   IDS (default)
1521
      #   IIS_4_0
1522
      #   IIS_5_0
1523
      #   IIS_5_1
1524
      #   IIS_6_0
1525
      #   IIS_7_0
1526
      #   IIS_7_5
1527
      #   Apache_2
1528
      ###########################################################################
1529
      libhtp:
1530

    
1531
         default-config:
1532
           personality: IDS
1533

    
1534
           # Can be specified in kb, mb, gb.  Just a number indicates
1535
           # it's in bytes.
1536
           request-body-limit: 100kb
1537
           response-body-limit: 100kb
1538

    
1539
           # inspection limits
1540
           request-body-minimal-inspect-size: 32kb
1541
           request-body-inspect-window: 4kb
1542
           response-body-minimal-inspect-size: 40kb
1543
           response-body-inspect-window: 16kb
1544

    
1545
           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
1546
           http-body-inline: auto
1547

    
1548
           # Take a random value for inspection sizes around the specified value.
1549
           # This lower the risk of some evasion technics but could lead
1550
           # detection change between runs. It is set to 'yes' by default.
1551
           #randomize-inspection-sizes: yes
1552
           # If randomize-inspection-sizes is active, the value of various
1553
           # inspection size will be choosen in the [1 - range%, 1 + range%]
1554
           # range
1555
           # Default value of randomize-inspection-range is 10.
1556
           #randomize-inspection-range: 10
1557

    
1558
           # decoding
1559
           double-decode-path: no
1560
           double-decode-query: no
1561

    
1562
         server-config:
1563

    
1564
           #- apache:
1565
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
1566
           #    personality: Apache_2
1567
           #    # Can be specified in kb, mb, gb.  Just a number indicates
1568
           #    # it's in bytes.
1569
           #    request-body-limit: 4096
1570
           #    response-body-limit: 4096
1571
           #    double-decode-path: no
1572
           #    double-decode-query: no
1573

    
1574
           #- iis7:
1575
           #    address:
1576
           #      - 192.168.0.0/24
1577
           #      - 192.168.10.0/24
1578
           #    personality: IIS_7_0
1579
           #    # Can be specified in kb, mb, gb.  Just a number indicates
1580
           #    # it's in bytes.
1581
           #    request-body-limit: 4096
1582
           #    response-body-limit: 4096
1583
           #    double-decode-path: no
1584
           #    double-decode-query: no
1585

    
1586
# Profiling settings. Only effective if Suricata has been built with the
1587
# the --enable-profiling configure flag.
1588
#
1589
profiling:
1590
  # Run profiling for every xth packet. The default is 1, which means we
1591
  # profile every packet. If set to 1000, one packet is profiled for every
1592
  # 1000 received.
1593
  #sample-rate: 1000
1594

    
1595
  # rule profiling
1596
  rules:
1597

    
1598
    # Profiling can be disabled here, but it will still have a
1599
    # performance impact if compiled in.
1600
    enabled: no
1601
    filename: rule_perf.log
1602
    append: yes
1603

    
1604
    # Sort options: ticks, avgticks, checks, matches, maxticks
1605
    sort: avgticks
1606

    
1607
    # Limit the number of items printed at exit (ignored for json).
1608
    limit: 100
1609

    
1610
    # output to json
1611
    json: true
1612

    
1613
  # per keyword profiling
1614
  keywords:
1615
    enabled: no
1616
    filename: keyword_perf.log
1617
    append: yes
1618

    
1619
  # packet profiling
1620
  packets:
1621

    
1622
    # Profiling can be disabled here, but it will still have a
1623
    # performance impact if compiled in.
1624
    enabled: no
1625
    filename: packet_stats.log
1626
    append: yes
1627

    
1628
    # per packet csv output
1629
    csv:
1630

    
1631
      # Output can be disabled here, but it will still have a
1632
      # performance impact if compiled in.
1633
      enabled: no
1634
      filename: packet_stats.csv
1635

    
1636
  # profiling of locking. Only available when Suricata was built with
1637
  # --enable-profiling-locks.
1638
  locks:
1639
    enabled: no
1640
    filename: lock_stats.log
1641
    append: yes
1642

    
1643
  pcap-log:
1644
    enabled: no
1645
    filename: pcaplog_stats.log
1646
    append: yes
1647

    
1648
# Suricata core dump configuration. Limits the size of the core dump file to
1649
# approximately max-dump. The actual core dump size will be a multiple of the
1650
# page size. Core dumps that would be larger than max-dump are truncated. On
1651
# Linux, the actual core dump size may be a few pages larger than max-dump.
1652
# Setting max-dump to 0 disables core dumping.
1653
# Setting max-dump to 'unlimited' will give the full core dump file.
1654
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1655
# to be 'unlimited'.
1656

    
1657
coredump:
1658
  max-dump: unlimited
1659

    
1660
napatech:
1661
    # The Host Buffer Allowance for all streams
1662
    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1663
    hba: -1
1664

    
1665
    # use_all_streams set to "yes" will query the Napatech service for all configured
1666
    # streams and listen on all of them. When set to "no" the streams config array
1667
    # will be used.
1668
    use-all-streams: yes
1669

    
1670
    # The streams to listen on
1671
    streams: [1, 2, 3]
1672

    
1673
# Includes.  Files included here will be handled as if they were
1674
# inlined in this configuration file.
1675
#include: include1.yaml
1676
#include: include2.yaml
(1-1/3)