Suricata

%YAML 1.1

---

# Suricata configuration file. In addition to the comments describing all

# options in this file, full documentation can be found at:

# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html

##

## Step 1: inform Suricata about your network

##

vars:

# more specific is better for alert accuracy and performance

address-groups:

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

#HOME_NET: "any"

EXTERNAL_NET: "!$HOME_NET"

#EXTERNAL_NET: "any"

HTTP_SERVERS: "$HOME_NET"

SMTP_SERVERS: "$HOME_NET"

SQL_SERVERS: "$HOME_NET"

DNS_SERVERS: "$HOME_NET"

TELNET_SERVERS: "$HOME_NET"

AIM_SERVERS: "$EXTERNAL_NET"

DC_SERVERS: "$HOME_NET"

DNP3_SERVER: "$HOME_NET"

DNP3_CLIENT: "$HOME_NET"

MODBUS_CLIENT: "$HOME_NET"

MODBUS_SERVER: "$HOME_NET"

ENIP_CLIENT: "$HOME_NET"

ENIP_SERVER: "$HOME_NET"

port-groups:

HTTP_PORTS: "80"

SHELLCODE_PORTS: "!80"

ORACLE_PORTS: 1521

SSH_PORTS: 22

DNP3_PORTS: 20000

MODBUS_PORTS: 502

FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"

FTP_PORTS: 21

VXLAN_PORTS: 4789

##

## Step 2: select outputs to enable

##

# The default logging directory. Any log or output file will be

# placed here if its not specified with a full path name. This can be

# overridden with the -l command line parameter.

default-log-dir: /data/logs/suricata/

# global stats configuration

stats:

enabled: yes

# The interval field (in seconds) controls at what interval

# the loggers are invoked.

interval: 60

# Add decode events as stats.

#decoder-events: true

# Decoder event prefix in stats. Has been 'decoder' before, but that leads

# to missing events in the eve.stats records. See issue #2225.

decoder-events-prefix: "decoder.event"

# Add stream events as stats.

#stream-events: false

# Configure the type of alert (and other) logging you would like.

outputs:

# a line based alerts log similar to Snort's fast.log

- fast:

enabled: yes

filename: fast.log

append: yes

#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

# Extensible Event Format (nicknamed EVE) event log in JSON format

- eve-log:

enabled: yes

filetype: regular #regular|syslog|unix_dgram|unix_stream|redis

filemode: 644

filename: alert-%Y-%m-%d.json

rotate-interval: day

metadata: yes

pcap-file: false

xff:

enabled: yes

mode: overwrite

deployment: forward

header: True-Client-IP

types:

- alert:

payload-buffer-size: 30kb

payload-printable: yes # enable dumping payload in printable (lossy) format

http-body-printable: yes # enable dumping of http body in printable format

tagged-packets: yes

- eve-log:

enabled: no

filetype: regular #regular|syslog|unix_dgram|unix_stream|redis

filemode: 644

filename: http-%Y-%m-%d-%H:%M.json

rotate-interval: 30m

metadata: yes

pcap-file: false

xff:

enabled: yes

#mode: overwrite

mode: extra-data

deployment: forward

#header: X-Forwarded-For

header: True-Client-IP

types:

- http:

extended: yes

custom: [accept, accept-charset, accept-encoding, accept-language,accept-datetime, authorization, cache-control, cookie, from, max-forwards, origin, pragma, proxy-authorization, range, te, via, x-requested-with, dnt, x-forwarded-proto, accept-range, age, allow, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etags, last-modified, link, location, proxy-authenticate, referrer, refresh, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, warning, www-authenticate, x-flash-version, x-authenticated-user, true-client-ip]

# dump-all-headers: requests # requests/responses/both

- eve-log:

enabled: yes

filetype: regular #regular|syslog|unix_dgram|unix_stream|redis

filemode: 644

filename: dns-%Y-%m-%d.json

rotate-interval: day

pcap-file: false

types:

- dns:

version: 2

- eve-log:

enabled: yes

filetype: regular #regular|syslog|unix_dgram|unix_stream|redis

filemode: 644

filename: ssh-%Y-%m-%d.json

rotate-interval: day

pcap-file: false

types:

- ssh

- eve-log:

enabled: yes

filetype: regular #regular|syslog|unix_dgram|unix_stream|redis

filemode: 644

filename: stats-%Y-%m-%d.json

rotate-interval: day

pcap-file: false

types:

- stats:

totals: yes

threads: no

deltas: yes

# alert output for use with Barnyard2

- unified2-alert:

enabled: no

filename: unified2.alert

# File size limit. Can be specified in kb, mb, gb. Just a number

# is parsed as bytes.

#limit: 32mb

# By default unified2 log files have the file creation time (in

# unix epoch format) appended to the filename. Set this to yes to

# disable this behaviour.

#nostamp: no

# Sensor ID field of unified2 alerts.

#sensor-id: 0

# Include payload of packets related to alerts. Defaults to true, set to

# false if payload is not required.

#payload: yes

# HTTP X-Forwarded-For support by adding the unified2 extra header or

# overwriting the source or destination IP address (depending on flow

# direction) with the one reported in the X-Forwarded-For HTTP header.

# This is helpful when reviewing alerts for traffic that is being reverse

# or forward proxied.

xff:

enabled: no

# Two operation modes are available, "extra-data" and "overwrite". Note

# that in the "overwrite" mode, if the reported IP address in the HTTP

# X-Forwarded-For header is of a different version of the packet

# received, it will fall-back to "extra-data" mode.

mode: extra-data

# Two proxy deployments are supported, "reverse" and "forward". In

# a "reverse" deployment the IP address used is the last one, in a

# "forward" deployment the first IP address is used.

deployment: reverse

# Header name where the actual IP address will be reported, if more

# than one IP address is present, the last IP address will be the

# one taken into consideration.

header: X-Forwarded-For

# a line based log of HTTP requests (no alerts)

- http-log:

enabled: no

filename: http.log

append: yes

#extended: yes # enable this for extended logging information

#custom: yes # enabled the custom logging format (defined by customformat)

#customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"

#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

# a line based log of TLS handshake parameters (no alerts)

- tls-log:

enabled: no # Log TLS connections.

filename: tls.log # File to store TLS logs.

append: yes

#extended: yes # Log extended information like fingerprint

#custom: yes # enabled the custom logging format (defined by customformat)

#customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"

#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

# output TLS transaction where the session is resumed using a

# session id

#session-resumption: no

# output module to store certificates chain to disk

- tls-store:

enabled: no

#certs-log-dir: certs # directory to store the certificates files

# Packet log... log packets in pcap format. 3 modes of operation: "normal"

# "multi" and "sguil".

#

# In normal mode a pcap file "filename" is created in the default-log-dir,

# or are as specified by "dir".

# In multi mode, a file is created per thread. This will perform much

# better, but will create multiple files where 'normal' would create one.

# In multi mode the filename takes a few special variables:

# - %n -- thread number

# - %i -- thread id

# - %t -- timestamp (secs or secs.usecs based on 'ts-format'

# E.g. filename: pcap.%n.%t

#

# Note that it's possible to use directories, but the directories are not

# created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the

# per thread directory.

#

# Also note that the limit and max-files settings are enforced per thread.

# So the size limit when using 8 threads with 1000mb files and 2000 files

# is: 8*1000*2000 ~ 16TiB.

#

# In Sguil mode "dir" indicates the base directory. In this base dir the

# pcaps are created in th directory structure Sguil expects:

#

# $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>

#

# By default all packets are logged except:

# - TCP streams beyond stream.reassembly.depth

# - encrypted streams after the key exchange

#

- pcap-log:

enabled: no

filename: log.pcap

# File size limit. Can be specified in kb, mb, gb. Just a number

# is parsed as bytes.

limit: 1000mb

# If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"

max-files: 2000

# Compression algorithm for pcap files. Possible values: none, lz4.

# Enabling compression is incompatible with the sguil mode. Note also

# that on Windows, enabling compression will *increase* disk I/O.

compression: none

# Further options for lz4 compression. The compression level can be set

# to a value between 0 and 16, where higher values result in higher

# compression.

#lz4-checksum: no

#lz4-level: 0

mode: normal # normal, multi or sguil.

# Directory to place pcap files. If not provided the default log

# directory will be used. Required for "sguil" mode.

#dir: /nsm_data/

#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec

use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets

honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.

# a full alerts log containing much information for signature writers

# or for investigating suspected false positives.

- alert-debug:

enabled: no

filename: alert-debug.log

append: yes

#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

# alert output to prelude (https://www.prelude-siem.org/) only

# available if Suricata has been compiled with --enable-prelude

- alert-prelude:

enabled: no

profile: suricata

log-packet-content: no

log-packet-header: yes

# Stats.log contains data from various counters of the Suricata engine.

- stats:

enabled: yes

filename: stats.log

append: yes # append to file (yes) or overwrite it (no)

totals: yes # stats for all threads merged together

threads: no # per thread stats

#null-values: yes # print counters that have value 0

# a line based alerts log similar to fast.log into syslog

- syslog:

enabled: no

# reported identity to syslog. If ommited the program name (usually

# suricata) will be used.

#identity: "suricata"

facility: local5

#level: Info ## possible levels: Emergency, Alert, Critical,

## Error, Warning, Notice, Info, Debug

# a line based information for dropped packets in IPS mode

- drop:

enabled: no

filename: drop.log

append: yes

#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

# Output module for storing files on disk. Files are stored in a

# directory names consisting of the first 2 characters of the

# SHA256 of the file. Each file is given its SHA256 as a filename.

#

# When a duplicate file is found, the existing file is touched to

# have its timestamps updated.

#

# Unlike the older filestore, metadata is not written out by default

# as each file should already have a "fileinfo" record in the

# eve.log. If write-fileinfo is set to yes, the each file will have

# one more associated .json files that consists of the fileinfo

# record. A fileinfo file will be written for each occurrence of the

# file seen using a filename suffix to ensure uniqueness.

#

# To prune the filestore directory see the "suricatactl filestore

# prune" command which can delete files over a certain age.

- file-store:

version: 2

enabled: no

# Set the directory for the filestore. If the path is not

# absolute will be be relative to the default-log-dir.

#dir: filestore

# Write out a fileinfo record for each occurrence of a

# file. Disabled by default as each occurrence is already logged

# as a fileinfo record to the main eve-log.

#write-fileinfo: yes

# Force storing of all files. Default: no.

#force-filestore: yes

# Override the global stream-depth for sessions in which we want

# to perform file extraction. Set to 0 for unlimited.

#stream-depth: 0

# Uncomment the following variable to define how many files can

# remain open for filestore by Suricata. Default value is 0 which

# means files get closed after each write

#max-open-files: 1000

# Force logging of checksums, available hash functions are md5,

# sha1 and sha256. Note that SHA256 is automatically forced by

# the use of this output module as it uses the SHA256 as the

# file naming scheme.

#force-hash: [sha1, md5]

# NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled

# HTTP X-Forwarded-For support by adding an extra field or overwriting

# the source or destination IP address (depending on flow direction)

# with the one reported in the X-Forwarded-For HTTP header. This is

# helpful when reviewing alerts for traffic that is being reverse

# or forward proxied.

xff:

enabled: no

# Two operation modes are available, "extra-data" and "overwrite".

mode: extra-data

# Two proxy deployments are supported, "reverse" and "forward". In

# a "reverse" deployment the IP address used is the last one, in a

# "forward" deployment the first IP address is used.

deployment: reverse

# Header name where the actual IP address will be reported, if more

# than one IP address is present, the last IP address will be the

# one taken into consideration.

header: X-Forwarded-For

# output module to store extracted files to disk (old style, deprecated)

#

# The files are stored to the log-dir in a format "file.<id>" where <id> is

# an incrementing number starting at 1. For each file "file.<id>" a meta

# file "file.<id>.meta" is created. Before they are finalized, they will

# have a ".tmp" suffix to indicate that they are still being processed.

#

# If include-pid is yes, then the files are instead "file.<pid>.<id>", with

# meta files named as "file.<pid>.<id>.meta"

#

# File extraction depends on a lot of things to be fully done:

# - file-store stream-depth. For optimal results, set this to 0 (unlimited)

# - http request / response body sizes. Again set to 0 for optimal results.

# - rules that contain the "filestore" keyword.

- file-store:

enabled: no # set to yes to enable

log-dir: files # directory to store the files

force-magic: no # force logging magic on all stored files

# force logging of checksums, available hash functions are md5,

# sha1 and sha256

#force-hash: [md5]

force-filestore: no # force storing of all files

# override global stream-depth for sessions in which we want to

# perform file extraction. Set to 0 for unlimited.

#stream-depth: 0

#waldo: file.waldo # waldo file to store the file_id across runs

# uncomment to disable meta file writing

#write-meta: no

# uncomment the following variable to define how many files can

# remain open for filestore by Suricata. Default value is 0 which

# means files get closed after each write

#max-open-files: 1000

include-pid: no # set to yes to include pid in file names

# Log TCP data after stream normalization

# 2 types: file or dir. File logs into a single logfile. Dir creates

# 2 files per TCP session and stores the raw TCP data into them.

# Using 'both' will enable both file and dir modes.

#

# Note: limited by stream.depth

- tcp-data:

enabled: no

type: file

filename: tcp-data.log

# Log HTTP body data after normalization, dechunking and unzipping.

# 2 types: file or dir. File logs into a single logfile. Dir creates

# 2 files per HTTP session and stores the normalized data into them.

# Using 'both' will enable both file and dir modes.

#

# Note: limited by the body limit settings

- http-body-data:

enabled: no

type: file

filename: http-data.log

# Lua Output Support - execute lua script to generate alert and event

# output.

# Documented at:

# https://suricata.readthedocs.io/en/latest/output/lua-output.html

- lua:

enabled: yes

scripts-dir: /etc/suricata/lua-output/

scripts:

- web_http_audit.lua

# Logging configuration. This is not about logging IDS alerts/events, but

# output about what Suricata is doing, like startup messages, errors, etc.

logging:

# The default log level, can be overridden in an output section.

# Note that debug level logging will only be emitted if Suricata was

# compiled with the --enable-debug configure option.

#

# This value is overridden by the SC_LOG_LEVEL env var.

default-log-level: notice

# The default output format. Optional parameter, should default to

# something reasonable if not provided. Can be overridden in an

# output section. You can leave this out to get the default.

#

# This value is overridden by the SC_LOG_FORMAT env var.

#default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

# A regex to filter output. Can be overridden in an output section.

# Defaults to empty (no filter).

#

# This value is overridden by the SC_LOG_OP_FILTER env var.

default-output-filter:

# Define your logging outputs. If none are defined, or they are all

# disabled you will get the default - console output.

outputs:

- console:

enabled: yes

# type: json

- file:

enabled: yes

level: info

filename: suricata.log

# type: json

- syslog:

enabled: no

facility: local5

format: "[%i] <%d> -- "

# type: json

##

## Step 4: configure common capture settings

##

## See "Advanced Capture Options" below for more options, including NETMAP

## and PF_RING.

##

# Linux high speed capture support

af-packet:

- interface: ens4

# Number of receive threads. "auto" uses the number of cores

threads: auto

# Default clusterid. AF_PACKET will load balance packets based on flow.

cluster-id: 99

# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.

# This is only supported for Linux kernel > 3.1

# possible value are:

# * cluster_flow: all packets of a given flow are send to the same socket

# * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket

# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same

# socket. Requires at least Linux 3.14.

# * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for

# more info.

# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system

# with capture card using RSS (require cpu affinity tuning and system irq tuning)

cluster-type: cluster_flow

# In some fragmentation case, the hash can not be computed. If "defrag" is set

# to yes, the kernel will do the needed defragmentation before sending the packets.

defrag: yes

# To use the ring feature of AF_PACKET, set 'use-mmap' to yes

#use-mmap: yes

# Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock

# your system

#mmap-locked: yes

# Use tpacket_v3 capture mode, only active if use-mmap is true

# Don't use it in IPS or TAP mode as it causes severe latency

tpacket-v3: yes

# Ring size will be computed with respect to max_pending_packets and number

# of threads. You can set manually the ring size in number of packets by setting

# the following value. If you are using flow cluster-type and have really network

# intensive single-flow you could want to set the ring-size independently of the number

# of threads:

#ring-size: 2048

# Block size is used by tpacket_v3 only. It should set to a value high enough to contain

# a decent number of packets. Size is in bytes so please consider your MTU. It should be

# a power of 2 and it must be multiple of page size (usually 4096).

#block-size: 32768

# tpacket_v3 block timeout: an open block is passed to userspace if it is not

# filled after block-timeout milliseconds.

#block-timeout: 10

# On busy system, this could help to set it to yes to recover from a packet drop

# phase. This will result in some packets (at max a ring flush) being non treated.

#use-emergency-flush: yes

# recv buffer size, increase value could improve performance

# buffer-size: 32768

# Set to yes to disable promiscuous mode

# disable-promisc: no

# Choose checksum verification mode for the interface. At the moment

# of the capture, some packets may be with an invalid checksum due to

# offloading to the network card of the checksum computation.

# Possible values are:

# - kernel: use indication sent by kernel for each packet (default)

# - yes: checksum validation is forced

# - no: checksum validation is disabled

# - auto: suricata uses a statistical approach to detect when

# checksum off-loading is used.

# Warning: 'checksum-validation' must be set to yes to have any validation

#checksum-checks: kernel

# BPF filter to apply to this interface. The pcap filter syntax apply here.

#bpf-filter: port 80 or udp

# You can use the following variables to activate AF_PACKET tap or IPS mode.

# If copy-mode is set to ips or tap, the traffic coming to the current

# interface will be copied to the copy-iface interface. If 'tap' is set, the

# copy is complete. If 'ips' is set, the packet matching a 'drop' action

# will not be copied.

#copy-mode: ips

#copy-iface: eth1

# For eBPF and XDP setup including bypass, filter and load balancing, please

# see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

# Put default values here. These will be used for an interface that is not

# in the list above.

- interface: default

#threads: auto

#use-mmap: no

#tpacket-v3: yes

# Cross platform libpcap capture support

pcap:

- interface: eth0

# On Linux, pcap will try to use mmaped capture and will use buffer-size

# as total of memory used by the ring. So set this to something bigger

# than 1% of your bandwidth.

#buffer-size: 16777216

#bpf-filter: "tcp and port 25"

# Choose checksum verification mode for the interface. At the moment

# of the capture, some packets may be with an invalid checksum due to

# offloading to the network card of the checksum computation.

# Possible values are:

# - yes: checksum validation is forced

# - no: checksum validation is disabled

# - auto: Suricata uses a statistical approach to detect when

# checksum off-loading is used. (default)

# Warning: 'checksum-validation' must be set to yes to have any validation

#checksum-checks: auto

# With some accelerator cards using a modified libpcap (like myricom), you

# may want to have the same number of capture threads as the number of capture

# rings. In this case, set up the threads variable to N to start N threads

# listening on the same interface.

#threads: 16

# set to no to disable promiscuous mode:

#promisc: no

# set snaplen, if not set it defaults to MTU if MTU can be known

# via ioctl call and to full capture if not.

#snaplen: 1518

# Put default values here

- interface: default

#checksum-checks: auto

# Settings for reading pcap files

pcap-file:

# Possible values are:

# - yes: checksum validation is forced

# - no: checksum validation is disabled

# - auto: Suricata uses a statistical approach to detect when

# checksum off-loading is used. (default)

# Warning: 'checksum-validation' must be set to yes to have checksum tested

checksum-checks: auto

# See "Advanced Capture Options" below for more options, including NETMAP

# and PF_RING.

##

## Step 5: App Layer Protocol Configuration

##

# Configure the app-layer parsers. The protocols section details each

# protocol.

#

# The option "enabled" takes 3 values - "yes", "no", "detection-only".

# "yes" enables both detection and the parser, "no" disables both, and

# "detection-only" enables protocol detection only (parser disabled).

app-layer:

protocols:

krb5:

enabled: no

snmp:

enabled: no

ikev2:

enabled: no

tls:

enabled: no

detection-ports:

dp: 443

# Generate JA3 fingerprint from client hello

ja3-fingerprints: no

# What to do when the encrypted communications start:

# - default: keep tracking TLS session, check for protocol anomalies,

# inspect tls_* keywords. Disables inspection of unmodified

# 'content' signatures.

# - bypass: stop processing this flow as much as possible. No further

# TLS parsing and inspection. Offload flow bypass to kernel

# or hardware if possible.

# - full: keep tracking and inspection as normal. Unmodified content

# keyword signatures are inspected as well.

#

# For best performance, select 'bypass'.

#

#encryption-handling: default

dcerpc:

enabled: no

ftp:

enabled: no

# memcap: 64mb

# RDP, disabled by default.

rdp:

enabled: no

ssh:

enabled: yes

smtp:

enabled: no

raw-extraction: no

# Configure SMTP-MIME Decoder

mime:

# Decode MIME messages from SMTP transactions

# (may be resource intensive)

# This field supercedes all others because it turns the entire

# process on or off

decode-mime: yes

# Decode MIME entity bodies (ie. base64, quoted-printable, etc.)

decode-base64: yes

decode-quoted-printable: yes

# Maximum bytes per header data value stored in the data structure

# (default is 2000)

header-value-depth: 2000

# Extract URLs and save in state data structure

extract-urls: yes

# Set to yes to compute the md5 of the mail body. You will then

# be able to journalize it.

body-md5: no

# Configure inspected-tracker for file_data keyword

inspected-tracker:

content-limit: 100000

content-inspect-min-size: 32768

content-inspect-window: 4096

imap:

enabled: no

msn:

enabled: no

smb:

enabled: no

detection-ports:

dp: 139, 445

# Stream reassembly size for SMB streams. By default track it completely.

#stream-depth: 0

nfs:

enabled: no

tftp:

enabled: no

dns:

# memcaps. Globally and per flow/state.

#global-memcap: 16mb

#state-memcap: 512kb

# How many unreplied DNS requests are considered a flood.

# If the limit is reached, app-layer-event:dns.flooded; will match.

#request-flood: 500

tcp:

enabled: yes

detection-ports:

dp: 53

udp:

enabled: yes

detection-ports:

dp: 53

http:

enabled: yes

memcap: 8gb

# default-config: Used when no server-config matches

# personality: List of personalities used by default

# request-body-limit: Limit reassembly of request body for inspection

# by http_client_body & pcre /P option.

# response-body-limit: Limit reassembly of response body for inspection

# by file_data, http_server_body & pcre /Q option.

# double-decode-path: Double decode path section of the URI

# double-decode-query: Double decode query section of the URI

# response-body-decompress-layer-limit:

# Limit to how many layers of compression will be

# decompressed. Defaults to 2.

#

# server-config: List of server configurations to use if address matches

# address: List of IP addresses or networks for this block

# personalitiy: List of personalities used by this block

# request-body-limit: Limit reassembly of request body for inspection

# by http_client_body & pcre /P option.

# response-body-limit: Limit reassembly of response body for inspection

# by file_data, http_server_body & pcre /Q option.

# double-decode-path: Double decode path section of the URI

# double-decode-query: Double decode query section of the URI

#

# uri-include-all: Include all parts of the URI. By default the

# 'scheme', username/password, hostname and port

# are excluded. Setting this option to true adds

# all of them to the normalized uri as inspected

# by http_uri, urilen, pcre with /U and the other

# keywords that inspect the normalized uri.

# Note that this does not affect http_raw_uri.

# Also, note that including all was the default in

# 1.4 and 2.0beta1.

#

# meta-field-limit: Hard size limit for request and response size

# limits. Applies to request line and headers,

# response line and headers. Does not apply to

# request or response bodies. Default is 18k.

# If this limit is reached an event is raised.

#

# Currently Available Personalities:

# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,

# IIS_7_0, IIS_7_5, Apache_2

libhtp:

default-config:

personality: IDS

# Can be specified in kb, mb, gb. Just a number indicates

# it's in bytes.

request-body-limit: 30mb

response-body-limit: 30mb

# inspection limits

request-body-minimal-inspect-size: 32kb

request-body-inspect-window: 4kb

response-body-minimal-inspect-size: 40kb

response-body-inspect-window: 16kb

# response body decompression (0 disables)

response-body-decompress-layer-limit: 2

# auto will use http-body-inline mode in IPS mode, yes or no set it statically

http-body-inline: no

# Decompress SWF files.

# 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma

# compress-depth:

# Specifies the maximum amount of data to decompress,

# set 0 for unlimited.

# decompress-depth:

# Specifies the maximum amount of decompressed data to obtain,

# set 0 for unlimited.

swf-decompression:

enabled: yes

type: both

compress-depth: 0

decompress-depth: 0

# Take a random value for inspection sizes around the specified value.

# This lower the risk of some evasion technics but could lead

# detection change between runs. It is set to 'yes' by default.

#randomize-inspection-sizes: yes

# If randomize-inspection-sizes is active, the value of various

# inspection size will be choosen in the [1 - range%, 1 + range%]

# range

# Default value of randomize-inspection-range is 10.

#randomize-inspection-range: 10

# decoding

double-decode-path: no

double-decode-query: no

#lzma-enabled: yes

# LZMA decompression memory limit.

#lzma-memlimit: 1 Mb

# Compression bomb output limit.

#compression-bomb-limit: 1 Mb

server-config:

#- apache:

# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]

# personality: Apache_2

# # Can be specified in kb, mb, gb. Just a number indicates

# # it's in bytes.

# request-body-limit: 4096

# response-body-limit: 4096

# double-decode-path: no

# double-decode-query: no

#- iis7:

# address:

# - 192.168.0.0/24

# - 192.168.10.0/24

# personality: IIS_7_0

# # Can be specified in kb, mb, gb. Just a number indicates

# # it's in bytes.

# request-body-limit: 4096

# response-body-limit: 4096

# double-decode-path: no

# double-decode-query: no

# Note: Modbus probe parser is minimalist due to the poor significant field

# Only Modbus message length (greater than Modbus header length)

# And Protocol ID (equal to 0) are checked in probing parser

# It is important to enable detection port and define Modbus port

# to avoid false positive

modbus:

# How many unreplied Modbus requests are considered a flood.

# If the limit is reached, app-layer-event:modbus.flooded; will match.

#request-flood: 500

enabled: no

detection-ports:

dp: 502

# According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it

# is recommended to keep the TCP connection opened with a remote device

# and not to open and close it for each MODBUS/TCP transaction. In that

# case, it is important to set the depth of the stream reassembling as

# unlimited (stream.reassembly.depth: 0)

# Stream reassembly size for modbus. By default track it completely.

stream-depth: 0

# DNP3

dnp3:

enabled: no

detection-ports:

dp: 20000

# SCADA EtherNet/IP and CIP protocol support

enip:

enabled: no

detection-ports:

dp: 44818

sp: 44818

ntp:

enabled: no

dhcp:

enabled: no

# SIP, disabled by default.

sip:

#enabled: no

# Limit for the maximum number of asn1 frames to decode (default 256)

asn1-max-frames: 256

##############################################################################

##

## Advanced settings below

##

##############################################################################

##

## Run Options

##

# Run suricata as user and group.

#run-as:

# user: suri

# group: suri

# Some logging module will use that name in event as identifier. The default

# value is the hostname

#sensor-name: suricata

# Default location of the pid file. The pid file is only used in

# daemon mode (start Suricata with -D). If not running in daemon mode

# the --pidfile command line option must be used to create a pid file.

#pid-file: /var/run/suricata.pid

# Daemon working directory

# Suricata will change directory to this one if provided

# Default: "/"

#daemon-directory: "/"

# Umask.

# Suricata will use this umask if it is provided. By default it will use the

# umask passed on by the shell.

#umask: 022

# Suricata core dump configuration. Limits the size of the core dump file to

# approximately max-dump. The actual core dump size will be a multiple of the

# page size. Core dumps that would be larger than max-dump are truncated. On

# Linux, the actual core dump size may be a few pages larger than max-dump.

# Setting max-dump to 0 disables core dumping.

# Setting max-dump to 'unlimited' will give the full core dump file.

# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size

# to be 'unlimited'.

coredump:

max-dump: unlimited

# If Suricata box is a router for the sniffed networks, set it to 'router'. If

# it is a pure sniffing setup, set it to 'sniffer-only'.

# If set to auto, the variable is internally switch to 'router' in IPS mode

# and 'sniffer-only' in IDS mode.

# This feature is currently only used by the reject* keywords.

host-mode: auto

# Number of packets preallocated per thread. The default is 1024. A higher number

# will make sure each CPU will be more easily kept busy, but may negatively

# impact caching.

#max-pending-packets: 1024

max-pending-packets: 8192

# Runmode the engine should use. Please check --list-runmodes to get the available

# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned

# load balancing).

#runmode: autofp

runmode: workers

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.

#

# Supported schedulers are:

#

# round-robin - Flows assigned to threads in a round robin fashion.

# active-packets - Flows assigned to threads that have the lowest number of

# unprocessed packets (default).

# hash - Flow allocated using the address hash. More of a random

# technique. Was the default in Suricata 1.2.1 and older.

#

#autofp-scheduler: active-packets

# Preallocated size for packet. Default is 1514 which is the classical

# size for pcap on ethernet. You should adjust this value to the highest

# packet size (MTU + hardware header) on your system.

#default-packet-size: 1514

default-packet-size: 9015

# Unix command socket can be used to pass commands to Suricata.

# An external tool can then connect to get information from Suricata

# or trigger some modifications of the engine. Set enabled to yes

# to activate the feature. In auto mode, the feature will only be

# activated in live capture mode. You can use the filename variable to set

# the file name of the socket.

unix-command:

enabled: auto

#filename: custom.socket

# Magic file. The extension .mgc is added to the value here.

#magic-file: /usr/share/file/magic

#magic-file:

# GeoIP2 database file. Specify path and filename of GeoIP2 database

# if using rules with "geoip" rule option.

#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb

legacy:

uricontent: enabled

##

## Detection settings

##

# Set the order of alerts based on actions

# The default order is pass, drop, reject, alert

# action-order:

# - pass

# - drop

# - reject

# - alert

# IP Reputation

#reputation-categories-file: /etc/suricata/iprep/categories.txt

#default-reputation-path: /etc/suricata/iprep

#reputation-files:

# - reputation.list

# When run with the option --engine-analysis, the engine will read each of

# the parameters below, and print reports for each of the enabled sections

# and exit. The reports are printed to a file in the default log dir

# given by the parameter "default-log-dir", with engine reporting

# subsection below printing reports in its own report file.

engine-analysis:

# enables printing reports for fast-pattern for every rule.

rules-fast-pattern: yes

# enables printing reports for each rule

rules: yes

#recursion and match limits for PCRE where supported

pcre:

match-limit: 3500

match-limit-recursion: 1500

##

## Advanced Traffic Tracking and Reconstruction Settings

##

# Host specific policies for defragmentation and TCP stream

# reassembly. The host OS lookup is done using a radix tree, just

# like a routing table so the most specific entry matches.

host-os-policy:

# Make the default policy windows.

windows: []

bsd: []

bsd-right: []

old-linux: []

linux: [0.0.0.0/0]

old-solaris: []

solaris: []

hpux10: []

hpux11: []

irix: []

macos: []

vista: []

windows2k3: []

# Defrag settings:

defrag:

memcap: 16gb

hash-size: 65536

trackers: 65535 # number of defragmented flows to follow

max-frags: 65535 # number of fragments to keep (higher than trackers)

prealloc: yes

timeout: 60

# Enable defrag per host settings

# host-config:

#

# - dmz:

# timeout: 30

# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]

#

# - lan:

# timeout: 45

# address:

# - 192.168.0.0/24

# - 192.168.10.0/24

# - 172.16.14.0/24

# Flow settings:

# By default, the reserved memory (memcap) for flows is 32MB. This is the limit

# for flow allocation inside the engine. You can change this value to allow

# more memory usage for flows.

# The hash-size determine the size of the hash used to identify flows inside

# the engine, and by default the value is 65536.

# At the startup, the engine can preallocate a number of flows, to get a better

# performance. The number of flows preallocated is 10000 by default.

# emergency-recovery is the percentage of flows that the engine need to

# prune before unsetting the emergency state. The emergency state is activated

# when the memcap limit is reached, allowing to create new flows, but

# pruning them with the emergency timeouts (they are defined below).

# If the memcap is reached, the engine will try to prune flows

# with the default timeouts. If it doesn't find a flow to prune, it will set

# the emergency bit and it will try again with more aggressive timeouts.

# If that doesn't work, then it will try to kill the last time seen flows

# not in use.

# The memcap can be specified in kb, mb, gb. Just a number indicates it's

# in bytes.

flow:

memcap: 8gb

hash-size: 1048576

prealloc: 1048576

emergency-recovery: 30

#managers: 1 # default to one flow manager

#recyclers: 1 # default to one flow recycler thread

# This option controls the use of vlan ids in the flow (and defrag)

# hashing. Normally this should be enabled, but in some (broken)

# setups where both sides of a flow are not tagged with the same vlan

# tag, we can ignore the vlan id's in the flow hashing.

vlan:

use-for-tracking: true

# Specific timeouts for flows. Here you can specify the timeouts that the

# active flows will wait to transit from the current state to another, on each

# protocol. The value of "new" determine the seconds to wait after a handshake or

# stream startup before the engine free the data of that flow it doesn't

# change the state to established (usually if we don't receive more packets

# of that flow). The value of "established" is the amount of

# seconds that the engine will wait to free the flow if it spend that amount

# without receiving new packets or closing the connection. "closed" is the

# amount of time to wait after a flow is closed (usually zero). "bypassed"

# timeout controls locally bypassed flows. For these flows we don't do any other

# tracking. If no packets have been seen after this timeout, the flow is discarded.

#

# There's an emergency mode that will become active under attack circumstances,

# making the engine to check flow status faster. This configuration variables

# use the prefix "emergency-" and work similar as the normal ones.

# Some timeouts doesn't apply to all the protocols, like "closed", for udp and

# icmp.

flow-timeouts:

default:

new: 5

established: 60

closed: 5

bypassed: 30

emergency-new: 10

emergency-established: 30

emergency-closed: 0

emergency-bypassed: 50

tcp:

new: 5

established: 60

closed: 1

bypassed: 30

emergency-new: 3

emergency-established: 30

emergency-closed: 0

emergency-bypassed: 15

udp:

new: 5

established: 60

bypassed: 30

emergency-new: 3

emergency-established: 30

emergency-bypassed: 15

icmp:

new: 5

established: 30

bypassed: 30

emergency-new: 10

emergency-established: 15

emergency-bypassed: 10

# Stream engine settings. Here the TCP stream tracking and reassembly

# engine is configured.

#

# stream:

# memcap: 32mb # Can be specified in kb, mb, gb. Just a