|
%YAML 1.1
|
|
---
|
|
host-mode: sniffer-only
|
|
default-log-dir: /nsm/suricata/
|
|
unix-command:
|
|
enabled: no
|
|
stats:
|
|
enabled: yes
|
|
interval: 8
|
|
outputs:
|
|
- fast:
|
|
enabled: no
|
|
filename: fast.log
|
|
append: yes
|
|
- eve-log:
|
|
enabled: yes
|
|
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
|
|
filename: eve.json
|
|
types:
|
|
- alert:
|
|
payload: yes # enable dumping payload in Base64 (eve.json will then carry raw traffic content; keep the log directory access-restricted)
|
|
payload-printable: yes # enable dumping payload in printable (lossy) format
|
|
packet: yes # enable dumping of packet (without stream segments)
|
|
http: yes # enable dumping of http fields
|
|
tls: yes # enable dumping of tls fields
|
|
ssh: yes # enable dumping of ssh fields
|
|
smtp: yes # enable dumping of smtp fields
|
|
xff:
|
|
enabled: yes
|
|
mode: extra-data
|
|
deployment: reverse
|
|
header: X-Forwarded-For
|
|
- http:
|
|
extended: yes # enable this for extended logging information
|
|
custom: [accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, location, max-forwards, pragma, proxy-authenticate, proxy-authorization, range, referer, retry-after, server, te, trailer, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate]
|
|
- dns
|
|
- tls:
|
|
extended: yes # enable this for extended logging information
|
|
- files:
|
|
force-magic: yes # force logging magic on all logged files
|
|
force-md5: yes # force logging of md5 checksums
|
|
- smtp:
|
|
extended: yes # enable this for extended logging information
|
|
- ssh
|
|
# - stats:
|
|
# totals: yes # stats for all threads merged together
|
|
# threads: no # per thread stats
|
|
# deltas: no # include delta values
|
|
- flow
|
|
- unified2-alert:
|
|
enabled: no
|
|
filename: unified2.alert
|
|
xff:
|
|
enabled: no
|
|
mode: extra-data
|
|
deployment: reverse
|
|
header: X-Forwarded-For
|
|
- http-log:
|
|
enabled: no
|
|
filename: http.log
|
|
append: yes
|
|
- tls-log:
|
|
enabled: no # Log TLS connections.
|
|
filename: tls.log # File to store TLS logs.
|
|
append: yes
|
|
- tls-store:
|
|
enabled: no
|
|
- dns-log:
|
|
enabled: no
|
|
filename: dns.log
|
|
append: yes
|
|
- pcap-log:
|
|
enabled: no
|
|
filename: log.pcap
|
|
limit: 1000mb
|
|
max-files: 2000
|
|
mode: normal # normal, multi or sguil.
|
|
use-stream-depth: no # If set to "yes", packets seen after reaching the stream inspection depth are ignored; "no" logs all packets
|
|
honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
|
|
- alert-debug:
|
|
enabled: no
|
|
filename: alert-debug.log
|
|
append: yes
|
|
- alert-prelude:
|
|
enabled: no
|
|
profile: suricata
|
|
log-packet-content: no
|
|
log-packet-header: yes
|
|
- stats:
|
|
enabled: yes
|
|
filename: stats.log
|
|
totals: no # stats for all threads merged together
|
|
threads: yes # per thread stats
|
|
- syslog:
|
|
enabled: no
|
|
facility: local5
|
|
- drop:
|
|
enabled: no
|
|
filename: drop.log
|
|
append: yes
|
|
- file-store:
|
|
enabled: no # set to yes to enable
|
|
log-dir: files # directory to store the files
|
|
force-magic: no # force logging magic on all stored files
|
|
force-md5: no # force logging of md5 checksums
|
|
force-filestore: no # force storing of all files
|
|
- file-log:
|
|
enabled: no
|
|
filename: files-json.log
|
|
append: yes
|
|
force-magic: no # force logging magic on all logged files
|
|
force-md5: no # force logging of md5 checksums
|
|
- tcp-data:
|
|
enabled: no
|
|
type: file
|
|
filename: tcp-data.log
|
|
- http-body-data:
|
|
enabled: no
|
|
type: file
|
|
filename: http-data.log
|
|
- lua:
|
|
enabled: no
|
|
scripts:
|
|
nfq:
|
|
nflog:
|
|
- group: 2
|
|
buffer-size: 18432
|
|
- group: default
|
|
qthreshold: 1
|
|
qtimeout: 100
|
|
max-size: 20000
|
|
af-packet:
|
|
- interface: enp2s0
|
|
threads: auto
|
|
cluster-id: 99
|
|
cluster-type: cluster_flow
|
|
defrag: yes
|
|
use-mmap: yes
|
|
bpf-filter: "not src net 10 or not dst net 10 and not net 192.168" # note: in BPF syntax 'and' binds tighter than 'or', so this reads as (not src net 10) or ((not dst net 10) and (not net 192.168)); parenthesize if the intent is to exclude all 10/8 and 192.168/16 traffic
|
|
- interface: enp6s0
|
|
threads: auto
|
|
cluster-id: 98
|
|
cluster-type: cluster_flow
|
|
defrag: yes
|
|
use-mmap: yes
|
|
bpf-filter: "not src net 10 or not dst net 10 and not net 192.168" # note: in BPF syntax 'and' binds tighter than 'or', so this reads as (not src net 10) or ((not dst net 10) and (not net 192.168)); parenthesize if the intent is to exclude all 10/8 and 192.168/16 traffic
|
|
netmap:
|
|
- interface: enp2s0
|
|
threads: auto
|
|
- interface: enp6s0
|
|
threads: auto
|
|
legacy:
|
|
uricontent: enabled
|
|
detect-engine:
|
|
- profile: medium
|
|
- custom-values:
|
|
toclient-src-groups: 2
|
|
toclient-dst-groups: 2
|
|
toclient-sp-groups: 2
|
|
toclient-dp-groups: 3
|
|
toserver-src-groups: 2
|
|
toserver-dst-groups: 4
|
|
toserver-sp-groups: 2
|
|
toserver-dp-groups: 25
|
|
- sgh-mpm-context: auto
|
|
- inspection-recursion-limit: 3000
|
|
threading:
|
|
set-cpu-affinity: no
|
|
cpu-affinity:
|
|
- management-cpu-set:
|
|
cpu: [ 0 ] # include only these cpus in affinity settings
|
|
- receive-cpu-set:
|
|
cpu: [ 0 ] # include only these cpus in affinity settings
|
|
- decode-cpu-set:
|
|
cpu: [ 0, 1 ]
|
|
mode: "balanced"
|
|
- stream-cpu-set:
|
|
cpu: [ "0-1" ]
|
|
- detect-cpu-set:
|
|
cpu: [ "all" ]
|
|
mode: "exclusive" # run detect threads in these cpus
|
|
prio:
|
|
low: [ 0 ]
|
|
medium: [ "1-2" ]
|
|
high: [ 3 ]
|
|
default: "medium"
|
|
- verdict-cpu-set:
|
|
cpu: [ 0 ]
|
|
prio:
|
|
default: "high"
|
|
- reject-cpu-set:
|
|
cpu: [ 0 ]
|
|
prio:
|
|
default: "low"
|
|
- output-cpu-set:
|
|
cpu: [ "all" ]
|
|
prio:
|
|
default: "medium"
|
|
detect-thread-ratio: 1.5
|
|
cuda:
|
|
mpm:
|
|
data-buffer-size-min-limit: 0
|
|
data-buffer-size-max-limit: 1500
|
|
cudabuffer-buffer-size: 500mb
|
|
gpu-transfer-size: 50mb
|
|
batching-timeout: 2000
|
|
device-id: 0
|
|
cuda-streams: 2
|
|
mpm-algo: ac
|
|
pattern-matcher:
|
|
- b2g:
|
|
search-algo: B2gSearchBNDMq
|
|
hash-size: low
|
|
bf-size: medium
|
|
- b3g:
|
|
search-algo: B3gSearchBNDMq
|
|
hash-size: low
|
|
bf-size: medium
|
|
- wumanber:
|
|
hash-size: low
|
|
bf-size: medium
|
|
defrag:
|
|
memcap: 32mb
|
|
hash-size: 65536
|
|
trackers: 65535 # number of defragmented flows to follow
|
|
max-frags: 65535 # number of fragments to keep (higher than trackers)
|
|
prealloc: yes
|
|
timeout: 60
|
|
flow:
|
|
memcap: 64mb
|
|
hash-size: 65536
|
|
prealloc: 10000
|
|
emergency-recovery: 30
|
|
vlan:
|
|
use-for-tracking: true
|
|
flow-timeouts:
|
|
default:
|
|
new: 30
|
|
established: 300
|
|
closed: 0
|
|
emergency-new: 10
|
|
emergency-established: 100
|
|
emergency-closed: 0
|
|
tcp:
|
|
new: 60
|
|
established: 3600
|
|
closed: 120
|
|
emergency-new: 10
|
|
emergency-established: 300
|
|
emergency-closed: 20
|
|
udp:
|
|
new: 30
|
|
established: 300
|
|
emergency-new: 10
|
|
emergency-established: 100
|
|
icmp:
|
|
new: 30
|
|
established: 300
|
|
emergency-new: 10
|
|
emergency-established: 100
|
|
stream:
|
|
memcap: 32mb
|
|
checksum-validation: yes # reject wrong csums
|
|
# async-oneside: true
|
|
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
|
|
reassembly:
|
|
memcap: 256mb
|
|
depth: 2mb # reassemble up to this depth of each stream
|
|
toserver-chunk-size: 2560
|
|
toclient-chunk-size: 2560
|
|
randomize-chunk-size: yes
|
|
host:
|
|
hash-size: 4096
|
|
prealloc: 1000
|
|
memcap: 16777216
|
|
logging:
|
|
default-log-level: notice
|
|
default-output-filter:
|
|
outputs:
|
|
- console:
|
|
enabled: yes
|
|
- file:
|
|
enabled: yes
|
|
filename: /var/log/suricata/suricata.log
|
|
- syslog:
|
|
enabled: no
|
|
facility: local5
|
|
format: "[%i] <%d> -- "
|
|
mpipe:
|
|
load-balance: dynamic
|
|
iqueue-packets: 2048
|
|
inputs:
|
|
- interface: enp2s0
|
|
- interface: enp6s0
|
|
stack:
|
|
size128: 0
|
|
size256: 9
|
|
size512: 0
|
|
size1024: 0
|
|
size1664: 7
|
|
size4096: 0
|
|
size10386: 0
|
|
size16384: 0
|
|
pcap:
|
|
- interface: enp2s0
|
|
- interface: enp6s0
|
|
pcap-file:
|
|
checksum-checks: auto
|
|
ipfw:
|
|
default-rule-path: /etc/suricata/rules
|
|
##RULES
|
|
rule-files:
|
|
- local.rules
|
|
- app-detect.rules
|
|
- attack-responses.rules
|
|
- backdoor.rules
|
|
- bad-traffic.rules
|
|
- blacklist.rules
|
|
- botcc.portgrouped.rules
|
|
- botcc.rules
|
|
- botnet-cnc.rules
|
|
- browser-chrome.rules
|
|
- browser-firefox.rules
|
|
- browser-ie.rules
|
|
- browser-other.rules
|
|
- browser-plugins.rules
|
|
- browser-webkit.rules
|
|
- chat.rules
|
|
- ciarmy.rules
|
|
- compromised.rules
|
|
- content-replace.rules
|
|
- ddos.rules
|
|
# - decoder-events.rules
|
|
- dns.rules
|
|
- dos.rules
|
|
- drop.rules
|
|
- dshield.rules
|
|
- emerging-activex.rules
|
|
- emerging-attack_response.rules
|
|
- emerging-chat.rules
|
|
- emerging-current_events.rules
|
|
- emerging-deleted.rules
|
|
- emerging-dns.rules
|
|
- emerging-dos.rules
|
|
- emerging-exploit.rules
|
|
- emerging-ftp.rules
|
|
- emerging-games.rules
|
|
- emerging-icmp.rules
|
|
- emerging-icmp_info.rules
|
|
- emerging-imap.rules
|
|
- emerging-inappropriate.rules
|
|
- emerging-info.rules
|
|
- emerging-malware.rules
|
|
- emerging-misc.rules
|
|
- emerging-mobile_malware.rules
|
|
- emerging-netbios.rules
|
|
- emerging-p2p.rules
|
|
- emerging-policy.rules
|
|
- emerging-pop3.rules
|
|
- emerging-rpc.rules
|
|
- emerging-scada.rules
|
|
- emerging-scan.rules
|
|
- emerging-shellcode.rules
|
|
- emerging-smtp.rules
|
|
- emerging-snmp.rules
|
|
- emerging-sql.rules
|
|
- emerging-telnet.rules
|
|
- emerging-tftp.rules
|
|
- emerging-trojan.rules
|
|
- emerging-user_agents.rules
|
|
- emerging-voip.rules
|
|
- emerging-web_client.rules
|
|
- emerging-web_server.rules
|
|
- emerging-web_specific_apps.rules
|
|
- emerging-worm.rules
|
|
- experimental.rules
|
|
- exploit-kit.rules
|
|
- exploit.rules
|
|
- file-executable.rules
|
|
- file-flash.rules
|
|
- file-identify.rules
|
|
- file-image.rules
|
|
- file-java.rules
|
|
- file-multimedia.rules
|
|
- file-office.rules
|
|
- file-other.rules
|
|
- file-pdf.rules
|
|
- files.rules
|
|
- finger.rules
|
|
- ftp.rules
|
|
- http-events.rules
|
|
- icmp-info.rules
|
|
- icmp.rules
|
|
- imap.rules
|
|
- indicator-compromise.rules
|
|
- indicator-obfuscation.rules
|
|
- indicator-scan.rules
|
|
- indicator-shellcode.rules
|
|
- info.rules
|
|
- malware-backdoor.rules
|
|
- malware-cnc.rules
|
|
- malware-other.rules
|
|
- malware-tools.rules
|
|
- misc.rules
|
|
- multimedia.rules
|
|
- mysql.rules
|
|
- netbios.rules
|
|
- nntp.rules
|
|
- oracle.rules
|
|
- os-linux.rules
|
|
- os-mobile.rules
|
|
- os-other.rules
|
|
- os-solaris.rules
|
|
- os-windows.rules
|
|
- other-ids.rules
|
|
- p2p.rules
|
|
- phishing-spam.rules
|
|
- policy-multimedia.rules
|
|
- policy-other.rules
|
|
- policy-social.rules
|
|
- policy-spam.rules
|
|
- policy.rules
|
|
- pop2.rules
|
|
- pop3.rules
|
|
- protocol-dns.rules
|
|
- protocol-finger.rules
|
|
- protocol-ftp.rules
|
|
- protocol-icmp.rules
|
|
- protocol-imap.rules
|
|
- protocol-nntp.rules
|
|
- protocol-other.rules
|
|
- protocol-pop.rules
|
|
- protocol-rpc.rules
|
|
- protocol-scada.rules
|
|
- protocol-services.rules
|
|
- protocol-snmp.rules
|
|
- protocol-telnet.rules
|
|
- protocol-tftp.rules
|
|
- protocol-voip.rules
|
|
- pua-adware.rules
|
|
- pua-other.rules
|
|
- pua-p2p.rules
|
|
- pua-toolbars.rules
|
|
- rbn-malvertisers.rules
|
|
- rbn.rules
|
|
- rpc.rules
|
|
- rservices.rules
|
|
- scada.rules
|
|
- scan.rules
|
|
- server-apache.rules
|
|
- server-iis.rules
|
|
- server-mail.rules
|
|
- server-mssql.rules
|
|
- server-mysql.rules
|
|
- server-oracle.rules
|
|
- server-other.rules
|
|
- server-samba.rules
|
|
- server-webapp.rules
|
|
- shellcode.rules
|
|
- smtp-events.rules
|
|
- smtp.rules
|
|
- snmp.rules
|
|
- specific-threats.rules
|
|
- spyware-put.rules
|
|
- sql.rules
|
|
# - stream-events.rules
|
|
- telnet.rules
|
|
- tftp.rules
|
|
- tls-events.rules
|
|
- tor.rules
|
|
- virus.rules
|
|
- voip.rules
|
|
- web-activex.rules
|
|
- web-attacks.rules
|
|
- web-cgi.rules
|
|
- web-client.rules
|
|
- web-coldfusion.rules
|
|
- web-frontpage.rules
|
|
- web-iis.rules
|
|
- web-misc.rules
|
|
- web-php.rules
|
|
- x11.rules
|
|
##ENDRULES
|
|
classification-file: /etc/suricata/classification.config
|
|
reference-config-file: /etc/suricata/reference.config
|
|
threshold-file: /etc/suricata/rules/threshold.conf
|
|
vars:
|
|
address-groups:
|
|
HOME_NET: "[10.0.0.0/8]"
|
|
EXTERNAL_NET: "!$HOME_NET"
|
|
HTTP_SERVERS: "$HOME_NET"
|
|
SMTP_SERVERS: "$HOME_NET"
|
|
SQL_SERVERS: "$HOME_NET"
|
|
DNS_SERVERS: "$HOME_NET"
|
|
TELNET_SERVERS: "$HOME_NET"
|
|
AIM_SERVERS: "$EXTERNAL_NET"
|
|
DNP3_SERVER: "$HOME_NET"
|
|
DNP3_CLIENT: "$HOME_NET"
|
|
MODBUS_CLIENT: "$HOME_NET"
|
|
MODBUS_SERVER: "$HOME_NET"
|
|
ENIP_CLIENT: "$HOME_NET"
|
|
ENIP_SERVER: "$HOME_NET"
|
|
port-groups:
|
|
HTTP_PORTS: "[80,8080]"
|
|
SHELLCODE_PORTS: "!$HTTP_PORTS"
|
|
ORACLE_PORTS: 1521
|
|
SSH_PORTS: 22
|
|
DNP3_PORTS: 20000
|
|
MODBUS_PORTS: 502
|
|
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
|
|
FTP_PORTS: 21
|
|
host-os-policy:
|
|
windows: [0.0.0.0/0]
|
|
bsd: []
|
|
bsd-right: []
|
|
old-linux: []
|
|
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
|
|
old-solaris: []
|
|
solaris: ["::1"]
|
|
hpux10: []
|
|
hpux11: []
|
|
irix: []
|
|
macos: []
|
|
vista: []
|
|
windows2k3: []
|
|
asn1-max-frames: 256
|
|
engine-analysis:
|
|
rules-fast-pattern: yes
|
|
rules: yes
|
|
pcre:
|
|
match-limit: 3500
|
|
match-limit-recursion: 1500
|
|
app-layer:
|
|
protocols:
|
|
tls:
|
|
enabled: yes
|
|
detection-ports:
|
|
dp: 443
|
|
dcerpc:
|
|
enabled: yes
|
|
ftp:
|
|
enabled: yes
|
|
ssh:
|
|
enabled: yes
|
|
smtp:
|
|
enabled: yes
|
|
mime:
|
|
decode-mime: yes
|
|
decode-base64: yes
|
|
decode-quoted-printable: yes
|
|
header-value-depth: 2000
|
|
extract-urls: yes
|
|
body-md5: no
|
|
inspected-tracker:
|
|
content-limit: 100000
|
|
content-inspect-min-size: 32768
|
|
content-inspect-window: 4096
|
|
imap:
|
|
enabled: detection-only
|
|
msn:
|
|
enabled: detection-only
|
|
smb:
|
|
enabled: yes
|
|
detection-ports:
|
|
dp: 139
|
|
modbus:
|
|
enabled: no
|
|
detection-ports:
|
|
dp: 502
|
|
dns:
|
|
tcp:
|
|
enabled: yes
|
|
detection-ports:
|
|
dp: 53
|
|
udp:
|
|
enabled: yes
|
|
detection-ports:
|
|
dp: 53
|
|
http:
|
|
enabled: yes
|
|
libhtp:
|
|
default-config:
|
|
personality: IDS
|
|
request-body-limit: 100kb
|
|
response-body-limit: 100kb
|
|
request-body-minimal-inspect-size: 32kb
|
|
request-body-inspect-window: 4kb
|
|
response-body-minimal-inspect-size: 40kb
|
|
response-body-inspect-window: 16kb
|
|
http-body-inline: auto
|
|
double-decode-path: no
|
|
double-decode-query: no
|
|
server-config:
|
|
profiling:
|
|
rules:
|
|
enabled: yes
|
|
filename: rule_perf.log
|
|
append: yes
|
|
sort: avgticks
|
|
limit: 100
|
|
json: true
|
|
keywords:
|
|
enabled: yes
|
|
filename: keyword_perf.log
|
|
append: yes
|
|
packets:
|
|
enabled: yes
|
|
filename: packet_stats.log
|
|
append: yes
|
|
csv:
|
|
enabled: no
|
|
filename: packet_stats.csv
|
|
locks:
|
|
enabled: no
|
|
filename: lock_stats.log
|
|
append: yes
|
|
pcap-log:
|
|
enabled: no
|
|
filename: pcaplog_stats.log
|
|
append: yes
|
|
coredump:
|
|
max-dump: unlimited
|
|
napatech:
|
|
hba: -1
|
|
use-all-streams: yes
|
|
streams: [1, 2, 3]
|