Project

General

Profile

Download (15.8 KB)

Bug #4499 » config.txt

suricata --dump-config - Gianni Tedesco, 05/20/2021 07:05 AM

 
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
vars.address-groups.EXTERNAL_NET = [!$HOME_NET]
vars.address-groups.ANY_NET = [any]
vars.address-groups.HTTP_SERVERS = [$HOME_NET]
vars.address-groups.SMTP_SERVERS = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.SNMP_SERVERS = [$HOME_NET]
vars.address-groups.SQL_SERVERS = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.DNS_SERVERS = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.TELNET_SERVERS = [$HOME_NET]
vars.address-groups.AIM_SERVERS = [$EXTERNAL_NET]
vars.address-groups.DNP3_SERVER = [$HOME_NET]
vars.address-groups.DNP3_CLIENT = [$HOME_NET]
vars.address-groups.MODBUS_CLIENT = [$HOME_NET]
vars.address-groups.MODBUS_SERVER = [$HOME_NET]
vars.address-groups.ENIP_CLIENT = [$HOME_NET]
vars.address-groups.ENIP_SERVER = [$HOME_NET]
vars.address-groups.DC_SERVERS = [$HOME_NET]
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = [80]
vars.port-groups.SHELCODE_PORTS = [!80]
vars.port-groups.ORACLE_PORTS = [1521]
vars.port-groups.SSH_PORTS = [22]
vars.port-groups.DNP3_PORTS = [20000]
vars.port-groups.MODBUS_PORTS = [502]
vars.port-groups.FILE_DATA_PORTS = [110,143,$HTTP_PORTS]
vars.port-groups.FTP_PORTS = [21]
vars.port-groups.SHELLCODE_PORTS = [!80]
vars.port-groups.VXLAN_PORTS = [4789]
default-rule-path = /var/lib/sensor/config/ids-rules
rule-files = (null)
rule-files.0 = rapid7-sensor.rules
classification-file = //etc/rapid7/suricata/classification.config
reference-config-file = //etc/rapid7/suricata/reference.config
threshold-file = //etc/rapid7/suricata/threshold.config
default-log-dir = /run/magpie
stats = (null)
stats.enabled = yes
stats.interval = 60
outputs = (null)
outputs.0 = eve-log
outputs.0.eve-log = (null)
outputs.0.eve-log.enabled = yes
outputs.0.eve-log.filetype = unix_dgram
outputs.0.eve-log.filename = eve.sock
outputs.0.eve-log.pcap-file = false
outputs.0.eve-log.community-id = false
outputs.0.eve-log.community-id-seed = 0
outputs.0.eve-log.types = (null)
outputs.0.eve-log.types.0 = alert
outputs.0.eve-log.types.0.alert = (null)
outputs.0.eve-log.types.0.alert.payload = yes
outputs.0.eve-log.types.0.alert.payload-buffer-size = 4kb
outputs.0.eve-log.types.0.alert.packet = no
outputs.0.eve-log.types.0.alert.tagged-packets = yes
outputs.0.eve-log.types.1 = http
outputs.0.eve-log.types.1.http = (null)
outputs.0.eve-log.types.1.http.enabled = no
outputs.0.eve-log.types.1.http.extended = yes
outputs.0.eve-log.types.2 = dns
outputs.0.eve-log.types.2.dns = (null)
outputs.0.eve-log.types.2.dns.enabled = no
outputs.0.eve-log.types.2.dns.version = 2
outputs.0.eve-log.types.3 = tls
outputs.0.eve-log.types.3.tls = (null)
outputs.0.eve-log.types.3.tls.enabled = no
outputs.0.eve-log.types.3.tls.extended = yes
outputs.0.eve-log.types.4 = files
outputs.0.eve-log.types.4.files = (null)
outputs.0.eve-log.types.4.files.enabled = no
outputs.0.eve-log.types.4.files.force-magic = no
outputs.0.eve-log.types.5 = smtp
outputs.0.eve-log.types.5.smtp = (null)
outputs.0.eve-log.types.5.smtp.enabled = no
outputs.0.eve-log.types.6 = dhcp
outputs.0.eve-log.types.6.dhcp = (null)
outputs.0.eve-log.types.6.dhcp.enabled = no
outputs.0.eve-log.types.6.dhcp.extended = no
outputs.0.eve-log.types.7 = ssh
outputs.0.eve-log.types.7.ssh = (null)
outputs.0.eve-log.types.7.ssh.enabled = no
outputs.0.eve-log.types.8 = stats
outputs.0.eve-log.types.8.stats = (null)
outputs.0.eve-log.types.8.stats.enabled = yes
outputs.0.eve-log.types.8.stats.totals = yes
outputs.0.eve-log.types.8.stats.threads = no
outputs.0.eve-log.types.8.stats.deltas = no
outputs.0.eve-log.types.9 = flow
outputs.0.eve-log.types.9.flow = (null)
outputs.0.eve-log.types.9.flow.enabled = no
outputs.1 = unified2-alert
outputs.1.unified2-alert = (null)
outputs.1.unified2-alert.enabled = no
outputs.1.unified2-alert.filename = unified2.sock
outputs.1.unified2-alert.sensor-id = 1
outputs.1.unified2-alert.xff = (null)
outputs.1.unified2-alert.xff.enabled = no
outputs.2 = stats
outputs.2.stats = (null)
outputs.2.stats.enabled = no
outputs.2.stats.filename = suricata-stats-1.log
outputs.2.stats.append = no
outputs.2.stats.totals = yes
outputs.2.stats.threads = no
outputs.3 = fast
outputs.3.fast = (null)
outputs.3.fast.enabled = no
outputs.3.fast.filename = suricata-fast-1.log
outputs.3.fast.append = yes
outputs.4 = http-log
outputs.4.http-log = (null)
outputs.4.http-log.enabled = no
outputs.4.http-log.filename = suricata-http-1.log
outputs.4.http-log.append = yes
outputs.5 = tls-log
outputs.5.tls-log = (null)
outputs.5.tls-log.enabled = no
outputs.5.tls-log.filename = suricata-tls-1.log
outputs.5.tls-log.append = yes
outputs.6 = tls-store
outputs.6.tls-store = (null)
outputs.6.tls-store.enabled = no
outputs.7 = dns-log
outputs.7.dns-log = (null)
outputs.7.dns-log.enabled = no
outputs.7.dns-log.filename = suricata-dns-1.log
outputs.7.dns-log.append = yes
outputs.8 = pcap-log
outputs.8.pcap-log = (null)
outputs.8.pcap-log.enabled = no
outputs.8.pcap-log.filename = log.pcap
outputs.8.pcap-log.limit = 1000mb
outputs.8.pcap-log.max-files = 2000
outputs.8.pcap-log.compression = none
outputs.8.pcap-log.mode = normal
outputs.8.pcap-log.use-stream-depth = no
outputs.8.pcap-log.honor-pass-rules = no
outputs.9 = alert-debug
outputs.9.alert-debug = (null)
outputs.9.alert-debug.enabled = no
outputs.9.alert-debug.filename = suricata-alert-debug-1.log
outputs.9.alert-debug.append = yes
logging = (null)
logging.default-log-level = notice
logging.default-log-format = %d:
logging.default-output-filter =
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.0.console.format = %d:
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = no
logging.outputs.1.file.level = info
logging.outputs.1.file.filename = /var/log/suricata-1.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> --
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = default
af-packet.0.threads = 0
af-packet.0.cluster-id = 1337
af-packet.0.cluster-type = cluster_qm
af-packet.0.defrag = yes
af-packet.0.rollover = no
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.tpacket-v3 = yes
af-packet.0.ring-size = 300000
af-packet.0.block-size = 2097152
pcap = (null)
pcap.0 = interface
pcap.0.interface = default
pcap.0.threads = 1
pcap-file = (null)
pcap-file.checksum-checks = auto
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.tls.ja3-fingerprints = yes
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.smtp.mime = (null)
app-layer.protocols.smtp.mime.decode-mime = yes
app-layer.protocols.smtp.mime.decode-base64 = yes
app-layer.protocols.smtp.mime.decode-quoted-printable = yes
app-layer.protocols.smtp.mime.header-value-depth = 2000
app-layer.protocols.smtp.mime.extract-urls = yes
app-layer.protocols.smtp.mime.body-md5 = no
app-layer.protocols.smtp.inspected-tracker = (null)
app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.msn = (null)
app-layer.protocols.msn.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139, 445
app-layer.protocols.nfs = (null)
app-layer.protocols.nfs.enabled = no
app-layer.protocols.dns = (null)
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.memcap = 512mb
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb
app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2
app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config =
app-layer.protocols.modbus = (null)
app-layer.protocols.modbus.enabled = no
app-layer.protocols.modbus.detection-ports = (null)
app-layer.protocols.modbus.detection-ports.dp = 502
app-layer.protocols.modbus.stream-depth = 0
app-layer.protocols.dnp3 = (null)
app-layer.protocols.dnp3.enabled = no
app-layer.protocols.dnp3.detection-ports = (null)
app-layer.protocols.dnp3.detection-ports.dp = 20000
app-layer.protocols.enip = (null)
app-layer.protocols.enip.enabled = no
app-layer.protocols.enip.detection-ports = (null)
app-layer.protocols.enip.detection-ports.dp = 44818
app-layer.protocols.enip.detection-ports.sp = 44818
app-layer.protocols.ntp = (null)
app-layer.protocols.ntp.enabled = no
asn1-max-frames = 256
daemon-directory = .
coredump = (null)
coredump.max-dump = unlimited
host-mode = auto
runmode = workers
unix-command = (null)
unix-command.enabled = auto
legacy = (null)
legacy.uricontent = enabled
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
defrag = (null)
defrag.memcap = 32mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 128mb
flow.hash-size = 65536
flow.prealloc = 65536
flow.emergency-recovery = 30
flow.managers = 1
flow.recyclers = 1
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.bypassed = 100
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.default.emergency-bypassed = 50
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 600
flow-timeouts.tcp.closed = 60
flow-timeouts.tcp.bypassed = 100
flow-timeouts.tcp.emergency-new = 5
flow-timeouts.tcp.emergency-established = 100
flow-timeouts.tcp.emergency-closed = 10
flow-timeouts.tcp.emergency-bypassed = 50
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.bypassed = 100
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.udp.emergency-bypassed = 50
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.bypassed = 100
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
flow-timeouts.icmp.emergency-bypassed = 50
stream = (null)
stream.memcap = 512mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 2048mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 32mb
decoder = (null)
decoder.teredo = (null)
decoder.teredo.enabled = true
detect = (null)
detect.profile = medium
detect.custom-values = (null)
detect.custom-values.toclient-groups = 3
detect.custom-values.toserver-groups = 25
detect.sgh-mpm-context = auto
detect.inspection-recursion-limit = 3000
detect.prefilter = (null)
detect.prefilter.default = mpm
detect.grouping =
detect.profiling = (null)
detect.profiling.grouping = (null)
detect.profiling.grouping.dump-to-disk = false
detect.profiling.grouping.include-rules = false
detect.profiling.grouping.include-mpm-stats = false
mpm-algo = hs
spm-algo = hs
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = worker-cpu-set
threading.cpu-affinity.2.worker-cpu-set = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
threading.cpu-affinity.2.worker-cpu-set.prio = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
luajit = (null)
luajit.states = 12
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = suricata-rule_perf-1.log
profiling.rules.append = yes
profiling.rules.limit = 10
profiling.rules.json = no
profiling.keywords = (null)
profiling.keywords.enabled = yes
profiling.keywords.filename = suricata-keyword_perf-1.log
profiling.keywords.append = yes
profiling.rulegroups = (null)
profiling.rulegroups.enabled = yes
profiling.rulegroups.filename = suricata-rule_group_perf-1.log
profiling.rulegroups.append = yes
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = suricata-packet_stats-1.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = suricata-lock_stats-1.log
profiling.locks.append = yes
profiling.pcap-log = (null)
profiling.pcap-log.enabled = no
profiling.pcap-log.filename = suricata-pcaplog_stats-1.log
profiling.pcap-log.append = yes
capture = (null)
capture.disable-offloading = false
(3-3/4)