Bug #2423 » suricata.yaml

configured 4.0.3 yaml file - Steve Castellarin, 01/18/2018 08:47 AM

 
1
%YAML 1.1
2
---
3

    
4
# Suricata configuration file. In addition to the comments describing all
5
# options in this file, full documentation can be found at:
6
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7

    
8
##
9
## Step 1: inform Suricata about your network
10
##
11

    
12
vars:
13
  # more specifc is better for alert accuracy and performance
14
  address-groups:
15
    HOME_NET: "[]"
16
    EXTERNAL_NET: "!$HOME_NET"
17
    HTTP_SERVERS: "$HOME_NET"
18
    SMTP_SERVERS: "$HOME_NET"
19
    SQL_SERVERS: "$HOME_NET"
20
    DNS_SERVERS: "$HOME_NET"
21
    TELNET_SERVERS: "$HOME_NET"
22
    AIM_SERVERS: "$EXTERNAL_NET"
23
    DNP3_SERVER: "$HOME_NET"
24
    DNP3_CLIENT: "$HOME_NET"
25
    MODBUS_CLIENT: "$HOME_NET"
26
    MODBUS_SERVER: "$HOME_NET"
27
    ENIP_CLIENT: "$HOME_NET"
28
    ENIP_SERVER: "$HOME_NET"
29

    
30
  port-groups:
31
    HTTP_PORTS: "80,8080"
32
    SHELLCODE_PORTS: "!80"
33
    ORACLE_PORTS: 1521
34
    SSH_PORTS: 22
35
    DNP3_PORTS: 20000
36
    MODBUS_PORTS: 502
37
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
38
    FTP_PORTS: 21
39
    SERVER_PORTS: "21,22,23,80,81,443,591,901,1533,3128,8000,8080,8081,8443"
40

    
##
## Step 2: select the rules to enable or disable
##

default-rule-path: /etc/suricata/rules
# Only the etpro/ categories listed here plus the local custom.rules are
# loaded; relative entries are presumably resolved against default-rule-path.
rule-files:
 - etpro/exploit.rules
 - etpro/malware.rules
 - etpro/mobile_malware.rules
 - etpro/scan.rules
 - etpro/trojan.rules
 - etpro/worm.rules
 - etpro/current_events.rules
 - etpro/user_agents.rules
 - etpro/web_server.rules
 - custom.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config

##
## Step 3: select outputs to enable
##

# The default logging directory.  Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8

# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format.
  # Only the dns event type is enabled below, so alerts are available in
  # fast.log but not in the EVE output.
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
#      filename: eve.json
      # time-patterned file name, rotated every 30 minutes
      filename: eve-%y-%m-%d-%H-%M.json
      rotate-interval: 30m
      types:
        - dns:
            query: yes     # enable logging of DNS queries
            answer: yes    # enable logging of DNS answers

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes  # print counters that have value 0

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

# Logging configuration.  This is not about logging IDS alerts/events, but
# output about what Suricata is doing, like startup messages, errors, etc.
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: notice

  # The default output format.  Optional parameter, should default to
  # something reasonable if not provided.  Can be overridden in an
  # output section.  You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs.  If none are defined, or they are all
  # disabled you will get the default - console output.
  # Both console and file are enabled here; the file output logs at 'info',
  # i.e. more verbose than the 'notice' default level above.
  outputs:
  - console:
      enabled: yes
      # type: json
  - file:
      enabled: yes
      level: info
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      # type: json


##
## Step 5: App Layer Protocol Configuration
##

# Configure the app-layer parsers. The protocols section details each
# protocol.
#
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Completely stop processing TLS/SSL session after the handshake
      # completed. If bypass is enabled this will also trigger flow
      # bypass. If disabled (the default), TLS/SSL session is still
      # tracked for Heartbleed and other anomalies.
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # NOTE(review): 64x the commented-out 64mb value; together with the
      # flow and stream memcaps further down this is a deliberately
      # high-memory profile.
      memcap: 4gb
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 12mb
           response-body-limit: 12mb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Take a random value for inspection sizes around the specified value.
           # This lowers the risk of some evasion techniques but could lead to
           # detection changes between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection sizes will be chosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10

           # decoding
           double-decode-path: no
           double-decode-query: no

         server-config:

           # NOTE(review): with an empty address list this per-server block
           # can never match, so the Apache_2 personality and the 4096-byte
           # body limits below are effectively unused; fill in the server
           # addresses or drop the block.
           - apache:
               address: []
               personality: Apache_2
               # Can be specified in kb, mb, gb.  Just a number indicates
               # it's in bytes.
               request-body-limit: 4096
               response-body-limit: 4096

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256


##############################################################################
##
## Advanced settings below
##
##############################################################################

##
## Run Options
##

# Run suricata as user and group.
# NOTE(review): left commented out, so the engine keeps whatever privileges
# it was started with. Enabling run-as with a dedicated user and group is the
# least-privilege choice for a sensor that only needs to read traffic and
# write under default-log-dir.
#run-as:
#  user: suri
#  group: suri

# Some logging module will use that name in event as identifier. The default
# value is the hostname
#sensor-name: suricata

# Default location of the pid file. The pid file is only used in
# daemon mode (start Suricata with -D). If not running in daemon mode
# the --pidfile command line option must be used to create a pid file.
#pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max-dump.
# Setting max-dump to 0 disables core dumping.
# Setting max-dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.
#
# NOTE(review): a full dump of this process can contain buffered packet data
# from the monitored networks; keep 'unlimited' only while it is needed for
# troubleshooting this bug and restrict access to the dump location.

coredump:
  max-dump: unlimited

# If suricata box is a router for the sniffed networks, set it to 'router'. If
# it is a pure sniffing setup, set it to 'sniffer-only'.
# If set to auto, the variable is internally switched to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords.
host-mode: sniffer-only

# Number of packets preallocated per thread. The default is 1024. A higher number
# will make sure each CPU will be more easily kept busy, but may negatively
# impact caching.
#
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
# apply. In that case try something like 60000 or more. This is because the CUDA
# pattern matcher buffers and scans as many packets as possible in parallel.
max-pending-packets: 10000

# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
runmode: workers

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
# NOTE(review): runmode above is 'workers', so this setting is not consulted
# unless the runmode is changed back to autofp.
#
# Supported schedulers are:
#
# round-robin       - Flows assigned to threads in a round robin fashion.
# active-packets    - Flows assigned to threads that have the lowest number of
#                     unprocessed packets (default).
# hash              - Flow allotted using the address hash. More of a random
#                     technique. Was the default in Suricata 1.2.1 and older.
#
autofp-scheduler: active-packets

# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
default-packet-size: 9018

# Unix command socket can be used to pass commands to suricata.
# An external tool can then connect to get information from suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: no
#  enabled: auto
  #filename: custom.socket

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
#magic-file:

legacy:
  uricontent: enabled

##
## Detection settings
##

# Set the order of alerts based on actions
# The default order is pass, drop, reject, alert
# action-order:
#   - pass
#   - drop
#   - reject
#   - alert

# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit.  The reports are printed to a file in the default log dir
# given by the parameter "default-log-dir", with engine reporting
# subsection below printing reports in its own report file.
engine-analysis:
  # enables printing reports for fast-pattern for every rule.
  rules-fast-pattern: yes
  # enables printing reports for each rule
  rules: yes

# recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

##
## Advanced Traffic Tracking and Reconstruction Settings
##

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
# Only the catch-all windows entry is populated below; every other OS list is
# empty, so all hosts receive the windows policy.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Defrag settings:

defrag:
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  # NOTE(review): equal to trackers although the comment asks for a higher
  # value; confirm this is intended.
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 10

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
# in bytes.

flow:
  memcap: 1gb
  hash-size: 1048576
  # one million flows preallocated up front (the default is 10000, see above)
  prealloc: 1048576
  prune-flows: 50000
  emergency-recovery: 30
  managers: 10
  #recyclers: 1 # default to one flow recycler thread

# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# setups where both sides of a flow are not tagged with the same vlan
# tag, we can ignore the vlan id's in the flow hashing.
vlan:
  use-for-tracking: false

# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determines the seconds to wait after a handshake or
# stream startup before the engine frees the data of that flow if it doesn't
# change the state to established (usually if we don't receive more packets
# of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spends that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero). "bypassed"
# timeout controls locally bypassed flows. For these flows we don't do any other
# tracking. If no packets have been seen after this timeout, the flow is discarded.
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine check flow status faster. These configuration variables
# use the prefix "emergency-" and work similar to the normal ones.
# Some timeouts don't apply to all the protocols, like "closed", for udp and
# icmp.

flow-timeouts:

  default:
    new: 3
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 10
    emergency-closed: 0
  tcp:
    new: 6
    established: 100
    closed: 12
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 2
  udp:
    new: 3
    established: 30
    emergency-new: 3
    emergency-established: 10
  icmp:
    new: 3
    established: 30
    emergency-new: 1
    emergency-established: 10

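# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
#                               # number indicates it's in bytes.
#   checksum-validation: yes    # To validate the checksum of received
#                               # packet. If csum validation is specified as
#                               # "yes", then packet with invalid csum will not
#                               # be processed by the engine stream/app layer.
#                               # Warning: locally generated traffic can be
#                               # generated without checksum due to hardware offload
#                               # of checksum. You can control the handling of checksum
#                               # on a per-interface basis via the 'checksum-checks'
#                               # option
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
#   midstream: false            # don't allow midstream session pickups
#   async-oneside: false        # don't enable async stream handling
#   inline: no                  # stream inline mode
#   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
#   bypass: no                  # Bypass packets when stream.depth is reached
#
#   reassembly:
#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
#                               # indicates it's in bytes.
#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
#                               # indicates it's in bytes.
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size.  Can be specified in kb, mb,
#                               # gb.  Just a number indicates it's in bytes.
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size.  Can be specified in kb, mb,
#                               # gb.  Just a number indicates it's in bytes.
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
#                               # This lowers the risk of some evasion techniques but could lead to
#                               # detection changes between runs. It is set to 'yes' by default.
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
#                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
#                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
#                               # calculation for toclient-chunk-size.
#                               # Default value of randomize-chunk-range is 10.
#
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
#                               # raw is for content inspection by detection
#                               # engine.
#
#     segment-prealloc: 2048    # number of segments preallocated per thread
#
#     check-overlap-different-data: true|false
#                               # check if a segment contains different data
#                               # than what we've already seen for that
#                               # position in the stream.
#                               # This is enabled automatically if inline mode
#                               # is used or when stream-event:reassembly_overlap_different_data;
#                               # is used in a rule.
#
stream:
  # stream memcap 12gb + reassembly memcap 20gb: a high-memory profile that
  # together with flow (1gb) and http (4gb) reserves well over 30 GB.
  memcap: 12gb
  checksum-validation: no
  # key fixed: was 'prealloc-session', which is not the option documented in
  # the reference block above ('prealloc-sessions') and would not be applied.
  prealloc-sessions: 1000000
  inline: no                    # auto will use inline mode in IPS mode, yes or no set it statically
  bypass: yes
  midstream: true
  # key fixed: was 'asyn-oneside:true' - misspelled and missing the space
  # after ':', so it was not a valid mapping entry at all.
  async-oneside: true
  reassembly:
    memcap: 20gb
    depth: 12mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    # NOTE(review): chunk-prealloc is not among the reassembly options listed
    # in the reference block above (which documents segment-prealloc);
    # confirm that 4.0.3 still honours it.
    chunk-prealloc: 303360
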
# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216

detect:
  # NOTE(review): this section is written as a list of single-key mappings
  # ("- profile:", "- custom-values:", ...) with per-direction group keys
  # (toclient-sp-groups, toserver-src-groups, ...), whereas the mpm-algo
  # comment below refers to the setting as "detect.sgh-mpm-context", i.e. a
  # plain mapping key, and the 4.0 default file uses toclient-groups /
  # toserver-groups under custom-values. Check the startup log to confirm
  # these values are actually applied rather than silently ignored.
  - profile: custom
  - custom-values:
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 250
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  # will trigger a live rule reload. Experimental feature, use with care.
#  - rule-reload: true

# Select the multi pattern algorithm you want to run for scan/search the
# in the engine.
#
# The supported algorithms are:
# "ac"      - Aho-Corasick, default implementation
# "ac-bs"   - Aho-Corasick, reduced memory implementation
# "ac-cuda" - Aho-Corasick, CUDA implementation
# "ac-ks"   - Aho-Corasick, "Ken Steele" variant
# "hs"      - Hyperscan, available when built with Hyperscan support
#
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda: b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.

# "hs" is pinned explicitly here (rather than "auto"), so the 4.0.3 build in
# question must have been compiled with Hyperscan support.
mpm-algo: hs

# Select the matching algorithm you want to use for single-pattern searches.
#
# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
# available if Suricata has been built with Hyperscan support).
#
# The default of "auto" will use "hs" if available, otherwise "bm".

spm-algo: hs

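# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: yes
  # Tune cpu affinity of threads. Each family of threads can be bound
  # on specific CPUs.
  #
  # These 2 apply to the all runmodes:
  # management-cpu-set is used for flow timeout handling, counters
  # worker-cpu-set is used for 'worker' threads
  #
  # Additionally, for autofp these apply:
  # receive-cpu-set is used for capture threads
  # verdict-cpu-set is used for IPS verdict threads
  #
  # The two sets below are disjoint: management on CPUs 1 and 21, workers on
  # the listed odd CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 1,21 ]  # include only these cpus in affinity settings
        mode: "balanced"
        # fixed: 'default' was at the same indent as 'prio', which left
        # 'prio' empty and made 'default' an unknown sibling key; it now
        # nests under prio like the worker-cpu-set entry below.
        prio:
          default: "low"
    - worker-cpu-set:
        cpu: [ 5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 ]
        mode: "exclusive"
        # Use explicitly 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          default: "high"

  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, less threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting at a minimum 1 detect
  # thread will always be created.
  #
  detect-thread-ratio: 1.5
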
# Luajit has a strange memory requirement, its 'states' need to be in the
# first 2G of the process' memory.
#
# 'luajit.states' is used to control how many states are preallocated.
# State use: per detect script: 1 per detect thread. Per output script: 1 per
# script.
luajit:
  states: 128

# Profiling settings. Only effective if Suricata has been built with
# the --enable-profiling configure flag.
#
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # rule profiling
  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: no
    filename: rule_perf.log
    append: yes

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    sort: avgticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    limit: 100

    # output to json
    json: yes

  # packet profiling
  packets:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: no
    filename: packet_stats.log
    append: yes

# Napatech capture settings; only relevant when that capture method is used.
napatech:
    # The Host Buffer Allowance for all streams
    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
    # This may be enabled when sharing streams with another application.
    # Otherwise, it should be turned off.
    hba: -1

    # use_all_streams set to "yes" will query the Napatech service for all configured
    # streams and listen on all of them. When set to "no" the streams config array
    # will be used.
    use-all-streams: no
    streams: [0-16]

##
## Include other configs
##

# Includes.  Files included here will be handled as if they were
# inlined in this configuration file.
#include: include1.yaml
#include: include2.yaml