suricata.yaml - Srijan Nandi, 08/20/2019 12:16 AM

 
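%YAML 1.1
---
vars:
  # more specific is better for alert accuracy and performance
  #
  # NOTE(review): HOME_NET and EXTERNAL_NET are both "any", so every
  # direction-sensitive rule ($EXTERNAL_NET -> $HOME_NET and the reverse)
  # matches in both directions, and the server groups below that expand to
  # $HOME_NET collapse to "any" as well. On an inline (copy-mode: ips) sensor
  # this inflates false positives and lets rules written for the protected
  # side fire on attacker-controlled traffic. Set HOME_NET to the protected
  # prefixes and EXTERNAL_NET to "!$HOME_NET" once they are known.
  address-groups:
    HOME_NET: "any"

    EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789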

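##
## Step 2: select outputs to enable
##

default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: yes
  interval: 15
  #decoder-events: true
  decoder-events-prefix: "decoder.event"
  #stream-events: false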

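# Configure the type of alert (and other) logging you would like.
outputs:
  - fast:
      enabled: no
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #filename: eve-%Y-%m-%d-%H:%M.json
      #rotate-interval: day
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      # NOTE(review): filetype is 'regular' here, so this identity is only
      # used if the logger is later switched to syslog.
      identity: "suricata-teletalk"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting has to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer

      # Include top level metadata. Default yes.
      #metadata: no

      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false

      # Community Flow ID
      # Adds a 'community_id' field to EVE records. These are meant to give
      # records a predictable flow id that can be used to match records to
      # output of other tools such as Bro.
      #
      # Takes a 'seed' that needs to be same across sensors and tools
      # to make the id less predictable.

      # enable/disable the community id feature.
      community-id: false
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0

      # HTTP X-Forwarded-For support by adding an extra field or overwriting
      # the source or destination IP address (depending on flow direction)
      # with the one reported in the X-Forwarded-For HTTP header. This is
      # helpful when reviewing alerts for traffic that is being reverse
      # or forward proxied.
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite".
        mode: extra-data
        # Two proxy deployments are supported, "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported, if more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For

      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # enable dumping of http body in Base64
            # http-body-printable: yes # enable dumping of http body in printable format
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes

            # NOTE(review): payload/packet dumping is off and pcap-log further
            # down is disabled, so an alert leaves no packet evidence to
            # triage against; enable at least 'payload-printable' or pcap-log
            # if alerts are to be investigated rather than just counted.

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes
        #- anomaly:
            # Anomaly log records describe unexpected conditions such as truncated packets, packets with invalid
            # IP/UDP/TCP length values, and other events that render the packet invalid for further processing
            # or describe unexpected behavior on an established stream. Networks which experience high
            # occurrences of anomalies may experience packet processing degradation.

            # Enable dumping of packet header
            # packethdr: no # enable dumping of packet header
        - http:
            extended: no     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            # NOTE(review): 'Authorization' carries credentials/bearer tokens
            # in the clear; if 'custom' is enabled, do not include it unless
            # eve.json is protected accordingly.
            #custom: [Accept-Encoding, Accept-Language, Authorization]
            # set this value to one among {both, request, response} to dump all
            # http headers for every http request and/or response
            # dump-all-headers: [both, request, response]
        - dns:
            version: 2

            # Enable/disable this logger. Default: enabled.
            # NOTE(review): DNS logging is off, so DGA/beacon lookups and
            # resolutions behind later alerts are not recorded.
            enabled: no

            # Control logging of requests and responses:
            # - requests: enable logging of DNS queries
            # - responses: enable logging of DNS answers
            # By default both requests and responses are logged.
            #requests: no
            #responses: no

            # Format of answer logging:
            # - detailed: array item per answer
            # - grouped: answers aggregated by type
            # Default: all
            #formats: [detailed, grouped]

            # Answer types to log.
            # Default: all
            #types: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: no     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom allows to control which tls fields that are included
            # in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            # NOTE(review): with force-hash commented out, file events carry
            # no digest, so they cannot be matched against IOC hash lists;
            # sha256 is the usual choice.
            #force-hash: [md5]
        - drop:
            alerts: no      # log alerts that caused drops
            flows: start    # start or all: 'start' logs only a single drop
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]

        #- dnp3
        #- ftp
        #- nfs
        #- smb
        #- tftp
        #- ikev2
        #- krb5
        #- snmp
        - dhcp:
            enabled: no
            extended: no
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netflow

        # Metadata event type. Triggered whenever a pktvar is saved
        # and will include the pktvars, flowvars, flowbits and
        # flowints.
        #- metadata

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      #limit: 32mb
      #nostamp: no
      #sensor-id: 0
      #payload: yes
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: no
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #extended: yes     # Log extended information like fingerprint
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      # output TLS transaction where the session is resumed using a
      # session id
      #session-resumption: no

  # output module to store certificates chain to disk
  - tls-store:
      enabled: no
      #certs-log-dir: certs # directory to store the certificates files

  - pcap-log:
      enabled: no
      filename: log.pcap
      # NOTE(review): if enabled as-is, limit * max-files allows ~2 TB of
      # pcap under default-log-dir; size the volume or lower max-files.
      limit: 1000mb
      max-files: 2000
      compression: none
      #lz4-checksum: no
      #lz4-level: 0
      mode: normal # normal, multi or sguil.
      #dir: /nsm_data/

      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (https://www.prelude-siem.org/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the Suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes  # print counters that have value 0

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - file-store:
      version: 2
      enabled: no
      #dir: filestore
      #write-fileinfo: yes
      #force-filestore: yes
      #stream-depth: 0
      #max-open-files: 1000
      #force-hash: [sha1, md5]
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]
      force-filestore: no # force storing of all files
      # override global stream-depth for sessions in which we want to
      # perform file extraction. Set to 0 for unlimited.
      #stream-depth: 0
      #waldo: file.waldo # waldo file to store the file_id across runs
      # uncomment to disable meta file writing
      #write-meta: no
      # uncomment the following variable to define how many files can
      # remain open for filestore by Suricata. Default value is 0 which
      # means files get closed after each write
      #max-open-files: 1000
      include-pid: no # set to yes to include pid in file names

  # Log TCP data after stream normalization
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  # Log HTTP body data after normalization, dechunking and unzipping.
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  # Lua Output Support - execute lua script to generate alert and event
  - lua:
      enabled: no
      #scripts-dir: /etc/suricata/lua-output/
      scripts:
      #   - script1.lua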

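# Logging configuration. This is not about logging IDS alerts/events, but
# output about what Suricata is doing, like startup messages, errors, etc.
logging:
  default-log-level: notice

  # The default output format. Optional parameter, should default to
  # something reasonable if not provided. Can be overridden in an
  # output section. You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
    - console:
        enabled: yes
        # type: json
    - file:
        enabled: yes
        level: info
        filename: suricata.log
        # type: json
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "
        # type: json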

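##
## Step 4: configure common capture settings
##

# Linux high speed capture support
#
# NOTE(review): the original had the key misspelled as 'cuslter-id' on both
# interfaces. Suricata silently ignores unknown keys, so both interfaces
# would have fallen back to the default cluster-id; af-packet fanout groups
# need a distinct id per interface, so the second one was at risk of failing
# to attach. Fixed to 'cluster-id' below.
#
# NOTE(review): 'buffer' is not a key the stock af-packet section documents
# (that option is 'buffer-size'), and 4294967296 does not fit a 32-bit int —
# the commented-out 2147483647 is INT_MAX. Verify against the running
# version; as written the value is probably ignored or truncated.
#
# NOTE(review): bypass: yes lets flows marked for bypass (stream depth
# reached, encryption-handling: bypass, 'bypass' keyword) be forwarded by the
# XDP program without any further inspection. That is the intended
# performance trade-off, but it means those flows are effectively
# un-inspected for the rest of their lifetime.
af-packet:
  - interface: ens2f0
    threads: 18
    cluster-id: 98
    cluster-type: cluster_qm
    xdp-mode: driver
    xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    defrag: no
    use-mmap: yes
    #mmap-locked: yes
    ring-size: 1000000
    #buffer: 2147483647
    buffer: 4294967296
    use-emergency-flush: yes
    #disable-promisc: no
    #checksum-checks: kernel
    copy-mode: ips
    copy-iface: ens2f1
  - interface: ens2f1
    threads: 18
    cluster-id: 97
    cluster-type: cluster_qm
    xdp-mode: driver
    xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    defrag: no
    use-mmap: yes
    #mmap-locked: yes
    ring-size: 1000000
    #buffer: 2147483647
    buffer: 4294967296
    use-emergency-flush: yes
    #disable-promisc: no
    #checksum-checks: kernel
    copy-mode: ips
    copy-iface: ens2f0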

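# Cross platform libpcap capture support
#
# NOTE(review): eth0 is not one of the af-packet interfaces above
# (ens2f0/ens2f1); this section is only consulted when Suricata is started
# with --pcap, so it appears dormant in the af-packet IPS deployment.
pcap:
  - interface: eth0
    buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    #checksum-checks: auto
    threads: 18
    #promisc: no
    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto

# Settings for reading pcap files
pcap-file:
  checksum-checks: auto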

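##
## Step 5: App Layer Protocol Configuration
##

app-layer:
  protocols:
    krb5:
      enabled: yes
    snmp:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # NOTE(review): 'bypass' stops all inspection of a TLS flow once the
      # handshake is done and, with af-packet bypass enabled above, offloads
      # it to the kernel. Combined with ja3-fingerprints: no and the eve tls
      # logger's extended: no, this sensor records very little about TLS
      # beyond the certificate basics; enable JA3/extended logging if TLS
      # telemetry is needed.
      encryption-handling: bypass
      # Generate JA3 fingerprint from client hello
      ja3-fingerprints: no

      # What to do when the encrypted communications start:
      # - default: keep tracking TLS session, check for protocol anomalies,
      #            inspect tls_* keywords. Disables inspection of unmodified
      #            'content' signatures.
      # - bypass:  stop processing this flow as much as possible. No further
      #            TLS parsing and inspection. Offload flow bypass to kernel
      #            or hardware if possible.
      # - full:    keep tracking and inspection as normal. Unmodified content
      #            keyword signatures are inspected as well.
      #
      # For best performance, select 'bypass'.
      #
      #encryption-handling: default

    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
      # memcap: 64mb
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445

      # Stream reassembly size for SMB streams. By default track it completely.
      #stream-depth: 0

    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of IP addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
        default-config:
          personality: IDS

          # Can be specified in kb, mb, gb.  Just a number indicates
          # it's in bytes.
          # NOTE(review): bodies beyond 100kb are not reassembled for
          # inspection, so file_data / http_client_body rules only see the
          # first 100kb of larger downloads and uploads.
          request-body-limit: 100kb
          response-body-limit: 100kb

          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          # response body decompression (0 disables)
          response-body-decompress-layer-limit: 2

          # auto will use http-body-inline mode in IPS mode, yes or no set it statically
          http-body-inline: auto

          # Decompress SWF files.
          # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
          # compress-depth:
          # Specifies the maximum amount of data to decompress,
          # set 0 for unlimited.
          # decompress-depth:
          # Specifies the maximum amount of decompressed data to obtain,
          # set 0 for unlimited.
          #
          # NOTE(review): both depths are 0 (unlimited), so a crafted,
          # highly compressible SWF can make a worker allocate an arbitrarily
          # large decompressed buffer (decompression bomb). Bound these,
          # e.g. 100kb, unless unlimited is a deliberate choice.
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0

          # Take a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead
          # detection change between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If randomize-inspection-sizes is active, the value of various
          # inspection size will be chosen in the [1 - range%, 1 + range%]
          # range
          # Default value of randomize-inspection-range is 10.
          #randomize-inspection-range: 10

          # decoding
          double-decode-path: no
          double-decode-query: no

        server-config:

          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb.  Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb.  Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

    # Note: Modbus probe parser is minimalist due to the poor significant field
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positive
    modbus:
      #request-flood: 500
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    dhcp:
      enabled: yes

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256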


##############################################################################
##
## Advanced settings below
##
##############################################################################

##
## Run Options
##

#sensor-name: suricata

pid-file: /var/run/suricata.pid

coredump:
max-dump: unlimited

host-mode: auto

max-pending-packets: 1024

runmode: workers

#autofp-scheduler: active-packets

#default-packet-size: 1514

unix-command:
enabled: auto
#filename: custom.socket

# Magic file. The extension .mgc is added to the value here.
#magic-file:

# GeoIP2 database file. Specify path and filename of GeoIP2 database
#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb

legacy:
uricontent: enabled

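##
## Detection settings
##

# NOTE(review): 'pass' is evaluated first, so a pass rule that matches a
# packet overrides any drop/reject for it. Keep pass rules tightly scoped
# (specific hosts/ports) on an inline sensor.
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit.  The reports are printed to a file in the default log dir
# given by the parameter "default-log-dir", with engine reporting
# subsection below printing reports in its own report file.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500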

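##
## Advanced Traffic Tracking and Reconstruction Settings
##

host-os-policy:
  # Make the default policy windows.
  #
  # NOTE(review): a single catch-all entry applies Windows TCP reassembly
  # semantics (overlap/retransmission handling) to every host, including any
  # Linux/BSD servers behind this IPS. Where the chosen policy differs from
  # the real endpoint, overlapping-segment evasions can be reassembled
  # differently by the sensor than by the target; list known server networks
  # under the matching policy rather than relying on the catch-all.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []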

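# Defrag settings:

defrag:
  # NOTE(review): 4028mb looks like a typo for 4096mb; harmless either way,
  # but worth confirming it is intentional.
  memcap: 4028mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Flow settings:

flow:
  memcap: 30gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5
  #managers: 2 # default to one flow manager
  #recyclers: 2 # default to one flow recycler thread

vlan:
  use-for-tracking: true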

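# Specific timeouts for flows.
#
# NOTE(review): these are far shorter than the stock values (e.g. tcp
# established 100s). A TCP session idle for longer than that is evicted, and
# because stream.midstream is false below, traffic that later resumes on it
# is not picked up for reassembly — on an inline sensor such packets are
# likely forwarded without stream-level inspection. Long-lived idle sessions
# (SSH, database keepalives) are the typical casualty; verify the behaviour
# on the running version before relying on these values.

flow-timeouts:

  default:
    new: 10
    established: 100
    closed: 0
    bypassed: 50
    emergency-new: 5
    emergency-established: 50
    emergency-closed: 0
    emergency-bypassed: 10
  tcp:
    new: 10
    established: 100
    closed: 5
    bypassed: 50
    emergency-new: 2
    emergency-established: 50
    emergency-closed: 5
    emergency-bypassed: 10
  udp:
    new: 10
    established: 100
    bypassed: 50
    emergency-new: 2
    emergency-established: 50
    emergency-bypassed: 10
  icmp:
    new: 10
    established: 100
    bypassed: 50
    emergency-new: 2
    emergency-established: 50
    emergency-bypassed: 10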

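# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.

stream:
  memcap: 20gb
  # NOTE(review): with validation off, segments carrying a bad TCP/IP
  # checksum are still reassembled and inspected here even though the
  # receiving host will discard them. On an inline sensor that lets an
  # attacker desynchronise what the IPS sees from what the endpoint accepts
  # (classic insertion evasion). Prefer checksum-validation: yes together
  # with drop-invalid: yes unless the capture path is known to deliver bad
  # checksums (e.g. NIC checksum offload on the capture side).
  checksum-validation: no       # reject wrong csums
  inline: yes                   # auto will use inline mode in IPS mode, yes or no set it statically
  prealloc-sessions: 375000     # sessions prealloc'd at startup
  # NOTE(review): bypass: true hands a flow to the capture-layer bypass
  # (af-packet bypass/XDP in this config) once reassembly.depth is reached;
  # nothing past that point in the flow is inspected.
  bypass: true
  midstream: false              # do not allow midstream session pickups
  async-oneside: false          # do not enable async stream handling
  drop-invalid: no              # drop invalid packets
  reassembly:
    memcap: 30gb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    randomize-chunk-range: 10
    raw: yes
    segment-prealloc: 200000
    check-overlap-different-data: true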

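# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 2048mb

# IP Pair table:
#
# Used by xbits 'ippair' tracking.
#
#ippair:
#  hash-size: 4096
#  prealloc: 1000
#  memcap: 32mb

# Decoder settings

decoder:
  # Teredo decoder is known to not be completely accurate
  # as it will sometimes detect non-teredo as teredo.
  teredo:
    enabled: true
  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the
  # IANA assigned port 4789 is enabled.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '8472, 4789'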


##
## Performance tuning and profiling
##

detect:
profile: custom
custom-values:
toclient-groups: 300
toserver-groups: 300
toclient-sp-groups: 300
toclient-dp-groups: 300
toserver-src-groups: 300
toserver-dst-groups: 5400
toserver-sp-groups: 300
toserver-dp-groups: 350
sgh-mpm-context: full
inspection-recursion-limit: 3000
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
#delayed-detect: yes

prefilter:
default: mpm

grouping:
#tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
#udp-whitelist: 53, 135, 5060

profiling:
grouping:
dump-to-disk: false
include-rules: false # very verbose
include-mpm-stats: false

# Select the multi pattern algorithm you want to run for scan/search the
# in the engine.
#

mpm-algo: hs

# Select the matching algorithm you want to use for single-pattern searches.
#

spm-algo: hs

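# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: yes
  #
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0,1,2,20 ]  # include only these CPUs in affinity settings
        mode: "exclusive"
        prio:
          default: "high"
    - worker-cpu-set:
        cpu: [ "3-19","40-59" ]
        mode: "exclusive"
        prio:
          default: "high"
  #
  detect-thread-ratio: 1.0

# Luajit has a strange memory requirement, it's 'states' need to be in the
# first 2G of the process' memory.
#
# 'luajit.states' is used to control how many states are preallocated.
# State use: per detect script: 1 per detect thread. Per output script: 1 per
# script.
luajit:
  states: 128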

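# Profiling settings. Only effective if Suricata has been built with
# the --enable-profiling configure flag.
#
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # rule profiling
  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: no
    filename: rule_perf.log
    append: yes

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    #sort: avgticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    limit: 10

    # output to json
    json: no

  # per keyword profiling
  keywords:
    enabled: no
    filename: keyword_perf.log
    append: yes

  prefilter:
    enabled: no
    filename: prefilter_perf.log
    append: yes

  # per rulegroup profiling
  rulegroups:
    enabled: no
    filename: rule_group_perf.log
    append: yes

  # packet profiling
  packets:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: no
    filename: packet_stats.log
    append: yes

    # per packet csv output
    csv:

      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv

  # profiling of locking. Only available when Suricata was built with
  # --enable-profiling-locks.
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes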

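##
## Advanced Capture Options
##

# general settings affecting packet capture
capture:
  #disable-offloading: false
  #checksum-validation: none

##
## Configure Suricata to load Suricata-Update managed rules.
##

##
## Advanced rule file configuration.
##

default-rule-path: /etc/suricata/rules

rule-files:
  # - decoder-events.rules # available in suricata sources under rules dir
  # - stream-events.rules  # available in suricata sources under rules dir
  # - modbus-events.rules  # available in suricata sources under rules dir
  # - app-layer-events.rules # available in suricata sources under rules dir
  # - dnp3-events.rules    # available in suricata sources under rules dir
  #
  # NOTE(review): only custom.rules is loaded. No suricata-update managed
  # ruleset is listed despite the heading above, and the engine event rule
  # files are all commented out, so decoder/stream/app-layer anomaly events
  # (including the overlap and checksum events the stream engine raises)
  # produce no alerts unless custom.rules carries equivalents.
  - custom.rules

##
## Auxiliary configuration files.
##

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config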