|
%YAML 1.1
|
|
---
|
|
|
|
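nfq:
  # NFQUEUE (inline) settings.
  # "repeat" re-injects the verdicted packet into the netfilter chain with
  # the mark below applied; the matching iptables rule is expected to use
  # repeat-mark / repeat-mask so the packet is not queued to Suricata a
  # second time (the iptables ruleset is not part of this file — confirm).
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  # When the queue is full, packets are let through uninspected instead of
  # being dropped: availability is preferred over enforcement. This is a
  # deliberate policy choice; set to false if a saturated queue must fail
  # closed. Written as the canonical boolean — the file declares %YAML 1.1,
  # where the previous `yes` parsed to the same value.
  fail-open: true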
|
|
|
|
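# Rule loading. Relative entries in rule-files are looked up under this path.
default-rule-path: /etc/suricata/rules

# Only emerging-icmp.rules is active; every other set is commented out, so
# signature coverage is limited to ICMP. Enable further sets by
# uncommenting them. The protocol anomaly sets (*-events.rules) are also
# off. Duplicate commented entries for http-events, decoder-events and
# tls-events were collapsed so that uncommenting does not load a file twice.
rule-files:
  # - botcc.rules
  # - ciarmy.rules
  # - compromised.rules
  # - dshield.rules
  # - emerging-attack_response.rules
  # - emerging-chat.rules
  # - emerging-current_events.rules
  # - emerging-dns.rules
  # - emerging-dos.rules
  # - emerging-exploit.rules
  - emerging-icmp.rules
  # - emerging-inappropriate.rules
  # - emerging-malware.rules
  # - emerging-misc.rules
  # - emerging-policy.rules
  # - emerging-scan.rules
  # - emerging-shellcode.rules
  # - emerging-sql.rules
  # - emerging-telnet.rules
  # - emerging-trojan.rules
  # - emerging-user_agents.rules
  # - emerging-web_client.rules
  # - emerging-web_server.rules
  # - emerging-worm.rules
  # - stream-events.rules
  # - decoder-events.rules
  # - http-events.rules
  # - tls-events.rules
  # - app-layer-events.rules
  # - dns-events.rules

# Classification and reference maps used by the loaded rules.
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config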
|
|
|
|
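vars:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:
    # HOME_NET covers the RFC 1918 private ranges; every *_SERVERS group
    # below is derived from it, so widening or narrowing HOME_NET changes
    # the scope of all server-side rules at once.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:
    # All port groups are quoted strings, matching HTTP_PORTS and
    # SHELLCODE_PORTS; the numeric ones were previously bare integers.
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    DNP3_PORTS: "20000"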
|
|
|
|
# Precedence when several rules match the same packet: the first listed
# action wins. "pass" before "drop" means an explicit pass rule can exempt
# traffic from a drop rule; review pass rules with that in mind.
action-order:
  - pass
  - drop
  - reject
  - alert
|
|
|
|
host-os-policy:
  # Make the default policy windows.
  windows:
    - 0.0.0.0/0
  bsd: []
  bsd-right: []
  old-linux: []
  # 10.0.0.0/8 also falls inside the windows catch-all above; the
  # more specific entry here is presumably intended to take precedence —
  # verify against the engine's matching rule if these hosts matter.
  linux:
    - 10.0.0.0/8
    - 192.168.1.100
    - "8762:2352:6241:7245:E000:0000:0000:0000"
  old-solaris: []
  solaris:
    - "::1"
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
|
|
|
|
|
|
app-layer:
|
|
protocols:
|
|
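tls:
  enabled: true
  # Only TCP/443 is listed; TLS on other ports is recognised only if the
  # engine's content-based protocol detection applies — confirm whether
  # additional ports should be listed for this deployment.
  detection-ports:
    dp: 443
  #no-reassemble: yes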
|
|
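dcerpc:
  enabled: true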
|
|
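ftp:
  enabled: true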
|
|
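ssh:
  enabled: true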
|
|
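smtp:
  enabled: true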
|
|
# Protocol is identified but not parsed further.
imap:
  enabled: detection-only
|
|
# Protocol is identified but not parsed further.
msn:
  enabled: detection-only
|
|
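smb:
  enabled: true
  # Only TCP/139 is listed as a detection port; SMB on other ports is
  # recognised only if content-based protocol detection applies — confirm
  # whether the deployment also needs direct-hosted SMB ports listed.
  detection-ports:
    dp: 139
# smb2 detection is disabled internally inside the engine.
#smb2:
#  enabled: yes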
|
|
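dns:
  # memcaps. Globally and per flow/state.
  #global-memcap: 16mb
  #state-memcap: 512kb

  # How many unreplied DNS requests are considered a flood.
  # If the limit is reached, app-layer-event:dns.flooded; will match.
  # Left commented, so the engine default applies (not shown here); set it
  # explicitly if rules depend on the dns.flooded event firing.
  #request-flood: 500

  tcp:
    enabled: true
    detection-ports:
      dp: 53
  udp:
    enabled: true
    detection-ports:
      dp: 53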
|
|
http:
|
|
enabled: yes
|
|
# memcap: 64mb
|
|
|