Project

General

Profile

Bug #4567 ┬╗ suricata.yaml

eric fool, 07/29/2021 02:28 AM

 
1
%YAML 1.1
2
---
3

    
4
# Suricata configuration file. In addition to the comments describing all
5
# options in this file, full documentation can be found at:
6
# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
7

    
8
##
9
## Step 1: inform Suricata about your network
10
##
11

    
12
vars:
13
  # more specific is better for alert accuracy and performance
14
  address-groups:
15
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
16
    #HOME_NET: "[192.168.0.0/16]"
17
    #HOME_NET: "[10.0.0.0/8]"
18
    #HOME_NET: "[172.16.0.0/12]"
19
    #HOME_NET: "any"
20

    
21
    EXTERNAL_NET: "!$HOME_NET"
22
    #EXTERNAL_NET: "any"
23

    
24
    HTTP_SERVERS: "$HOME_NET"
25
    SMTP_SERVERS: "$HOME_NET"
26
    SQL_SERVERS: "$HOME_NET"
27
    DNS_SERVERS: "$HOME_NET"
28
    TELNET_SERVERS: "$HOME_NET"
29
    AIM_SERVERS: "$EXTERNAL_NET"
30
    DC_SERVERS: "$HOME_NET"
31
    DNP3_SERVER: "$HOME_NET"
32
    DNP3_CLIENT: "$HOME_NET"
33
    MODBUS_CLIENT: "$HOME_NET"
34
    MODBUS_SERVER: "$HOME_NET"
35
    ENIP_CLIENT: "$HOME_NET"
36
    ENIP_SERVER: "$HOME_NET"
37

    
38
  port-groups:
39
    HTTP_PORTS: "80"
40
    SHELLCODE_PORTS: "!80"
41
    ORACLE_PORTS: 1521
42
    SSH_PORTS: 22
43
    DNP3_PORTS: 20000
44
    MODBUS_PORTS: 502
45
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
46
    FTP_PORTS: 21
47

    
48
##
49
## Step 2: select outputs to enable
50
##
51

    
52
# The default logging directory.  Any log or output file will be
53
# placed here if its not specified with a full path name. This can be
54
# overridden with the -l command line parameter.
55
default-log-dir: /var/log/suricata/
56

    
57
# global stats configuration
58
stats:
59
  enabled: no
60
  # The interval field (in seconds) controls at what interval
61
  # the loggers are invoked.
62
  interval: 8
63
  # Add decode events as stats.
64
  #decoder-events: true
65
  # Add stream events as stats.
66
  #stream-events: false
67

    
68
# Configure the type of alert (and other) logging you would like.
69
outputs:
70
  # a line based alerts log similar to Snort's fast.log
71
  - fast:
72
      enabled: yes
73
      filename: fast.log
74
      append: yes
75
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
76

    
77
  # Extensible Event Format (nicknamed EVE) event log in JSON format
78
  - eve-log:
79
      enabled: no
80
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
81
      filename: eve.json
82
      #prefix: "@cee: " # prefix to prepend to each log entry
83
      # the following are valid when type: syslog above
84
      #identity: "suricata"
85
      #facility: local5
86
      #level: Info ## possible levels: Emergency, Alert, Critical,
87
                   ## Error, Warning, Notice, Info, Debug
88
      #redis:
89
      #  server: 127.0.0.1
90
      #  port: 6379
91
      #  async: true ## if redis replies are read asynchronously
92
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
93
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
94
      #             ## publish is using a Redis channel. "channel" is an alias for publish
95
      #  key: suricata ## key or channel to use (default to suricata)
96
      # Redis pipelining set up. This will enable to only do a query every
97
      # 'batch-size' events. This should lower the latency induced by network
98
      # connection at the cost of some memory. There is no flushing implemented
99
      # so this setting as to be reserved to high traffic suricata.
100
      #  pipelining:
101
      #    enabled: yes ## set enable to yes to enable query pipelining
102
      #    batch-size: 10 ## number of entry to keep in buffer
103

    
104
      # Include top level metadata. Default yes.
105
      #metadata: no
106

    
107
      pcap-file: false
108

    
109
      # Community Flow ID
110
      # Adds a 'community_id' field to EVE records. These are meant to give
111
      # a records a predictable flow id that can be used to match records to
112
      # output of other tools such as Bro.
113
      #
114
      # Takes a 'seed' that needs to be same across sensors and tools
115
      # to make the id less predictable.
116

    
117
      # enable/disable the community id feature.
118
      community-id: false
119
      # Seed value for the ID output. Valid values are 0-65535.
120
      community-id-seed: 0
121

    
122
      # HTTP X-Forwarded-For support by adding an extra field or overwriting
123
      # the source or destination IP address (depending on flow direction)
124
      # with the one reported in the X-Forwarded-For HTTP header. This is
125
      # helpful when reviewing alerts for traffic that is being reverse
126
      # or forward proxied.
127
      xff:
128
        enabled: no
129
        # Two operation modes are available, "extra-data" and "overwrite".
130
        mode: extra-data
131
        # Two proxy deployments are supported, "reverse" and "forward". In
132
        # a "reverse" deployment the IP address used is the last one, in a
133
        # "forward" deployment the first IP address is used.
134
        deployment: reverse
135
        # Header name where the actual IP address will be reported, if more
136
        # than one IP address is present, the last IP address will be the
137
        # one taken into consideration.
138
        header: X-Forwarded-For
139

    
140
      types:
141
        - alert:
142
            # payload: yes             # enable dumping payload in Base64
143
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
144
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
145
            # packet: yes              # enable dumping of packet (without stream segments)
146
            # http-body: yes           # enable dumping of http body in Base64
147
            # http-body-printable: yes # enable dumping of http body in printable format
148
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
149

    
150
            # Enable the logging of tagged packets for rules using the
151
            # "tag" keyword.
152
            tagged-packets: yes
153
        - http:
154
            extended: yes     # enable this for extended logging information
155
            # custom allows additional http fields to be included in eve-log
156
            # the example below adds three additional fields when uncommented
157
            #custom: [Accept-Encoding, Accept-Language, Authorization]
158
        - dns:
159
            # This configuration uses the new DNS logging format,
160
            # the old configuration is still available:
161
            # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
162
            # Use version 2 logging with the new format:
163
            # DNS answers will be logged in one single event
164
            # rather than an event for each of it.
165
            # Without setting a version the version
166
            # will fallback to 1 for backwards compatibility.
167
            # Note: version 1 is not available with rust enabled
168
            version: 2
169

    
170
            # Enable/disable this logger. Default: enabled.
171
            #enabled: no
172

    
173
            # Control logging of requests and responses:
174
            # - requests: enable logging of DNS queries
175
            # - responses: enable logging of DNS answers
176
            # By default both requests and responses are logged.
177
            #requests: no
178
            #responses: no
179

    
180
            # Format of answer logging:
181
            # - detailed: array item per answer
182
            # - grouped: answers aggregated by type
183
            # Default: all
184
            #formats: [detailed, grouped]
185

    
186
            # Answer types to log.
187
            # Default: all
188
            #types: [a, aaaa, cname, mx, ns, ptr, txt]
189
        - tls:
190
            extended: yes     # enable this for extended logging information
191
            # output TLS transaction where the session is resumed using a
192
            # session id
193
            #session-resumption: no
194
            # custom allows to control which tls fields that are included
195
            # in eve-log
196
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
197
        - files:
198
            force-magic: no   # force logging magic on all logged files
199
            # force logging of checksums, available hash functions are md5,
200
            # sha1 and sha256
201
            #force-hash: [md5]
202
        #- drop:
203
        #    alerts: yes      # log alerts that caused drops
204
        #    flows: all       # start or all: 'start' logs only a single drop
205
        #                     # per flow direction. All logs each dropped pkt.
206
        - smtp:
207
            #extended: yes # enable this for extended logging information
208
            # this includes: bcc, message-id, subject, x_mailer, user-agent
209
            # custom fields logging from the list:
210
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
211
            #  x-originating-ip, in-reply-to, references, importance, priority,
212
            #  sensitivity, organization, content-md5, date
213
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
214
            # output md5 of fields: body, subject
215
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
216
            # to yes
217
            #md5: [body, subject]
218

    
219
        #- dnp3
220
        - nfs
221
        - smb
222
        - tftp
223
        - ikev2
224
        - krb5
225
        - dhcp:
226
            # DHCP logging requires Rust.
227
            enabled: yes
228
            # When extended mode is on, all DHCP messages are logged
229
            # with full detail. When extended mode is off (the
230
            # default), just enough information to map a MAC address
231
            # to an IP address is logged.
232
            extended: no
233
        - ssh
234
        - stats:
235
            totals: yes       # stats for all threads merged together
236
            threads: no       # per thread stats
237
            deltas: no        # include delta values
238
        # bi-directional flows
239
        - flow
240
        # uni-directional flows
241
        #- netflow
242

    
243
        # Metadata event type. Triggered whenever a pktvar is saved
244
        # and will include the pktvars, flowvars, flowbits and
245
        # flowints.
246
        #- metadata
247

    
248
  # alert output for use with Barnyard2
249
  - unified2-alert:
250
      enabled: no
251
      filename: unified2.alert
252

    
253
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
254
      # is parsed as bytes.
255
      #limit: 32mb
256

    
257
      # By default unified2 log files have the file creation time (in
258
      # unix epoch format) appended to the filename. Set this to yes to
259
      # disable this behaviour.
260
      #nostamp: no
261

    
262
      # Sensor ID field of unified2 alerts.
263
      #sensor-id: 0
264

    
265
      # Include payload of packets related to alerts. Defaults to true, set to
266
      # false if payload is not required.
267
      #payload: yes
268

    
269
      # HTTP X-Forwarded-For support by adding the unified2 extra header or
270
      # overwriting the source or destination IP address (depending on flow
271
      # direction) with the one reported in the X-Forwarded-For HTTP header.
272
      # This is helpful when reviewing alerts for traffic that is being reverse
273
      # or forward proxied.
274
      xff:
275
        enabled: no
276
        # Two operation modes are available, "extra-data" and "overwrite". Note
277
        # that in the "overwrite" mode, if the reported IP address in the HTTP
278
        # X-Forwarded-For header is of a different version of the packet
279
        # received, it will fall-back to "extra-data" mode.
280
        mode: extra-data
281
        # Two proxy deployments are supported, "reverse" and "forward". In
282
        # a "reverse" deployment the IP address used is the last one, in a
283
        # "forward" deployment the first IP address is used.
284
        deployment: reverse
285
        # Header name where the actual IP address will be reported, if more
286
        # than one IP address is present, the last IP address will be the
287
        # one taken into consideration.
288
        header: X-Forwarded-For
289

    
290
  # a line based log of HTTP requests (no alerts)
291
  - http-log:
292
      enabled: no
293
      filename: http.log
294
      append: yes
295
      #extended: yes     # enable this for extended logging information
296
      #custom: yes       # enabled the custom logging format (defined by customformat)
297
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
298
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
299

    
300
  # a line based log of TLS handshake parameters (no alerts)
301
  - tls-log:
302
      enabled: no  # Log TLS connections.
303
      filename: tls.log # File to store TLS logs.
304
      append: yes
305
      #extended: yes     # Log extended information like fingerprint
306
      #custom: yes       # enabled the custom logging format (defined by customformat)
307
      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
308
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
309
      # output TLS transaction where the session is resumed using a
310
      # session id
311
      #session-resumption: no
312

    
313
  # output module to store certificates chain to disk
314
  - tls-store:
315
      enabled: no
316
      #certs-log-dir: certs # directory to store the certificates files
317

    
318
  # a line based log of DNS requests and/or replies (no alerts)
319
  # Note: not available when Rust is enabled (--enable-rust).
320
  - dns-log:
321
      enabled: no
322
      filename: dns.log
323
      append: yes
324
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
325

    
326
  # Packet log... log packets in pcap format. 3 modes of operation: "normal"
327
  # "multi" and "sguil".
328
  #
329
  # In normal mode a pcap file "filename" is created in the default-log-dir,
330
  # or are as specified by "dir".
331
  # In multi mode, a file is created per thread. This will perform much
332
  # better, but will create multiple files where 'normal' would create one.
333
  # In multi mode the filename takes a few special variables:
334
  # - %n -- thread number
335
  # - %i -- thread id
336
  # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
337
  # E.g. filename: pcap.%n.%t
338
  #
339
  # Note that it's possible to use directories, but the directories are not
340
  # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
341
  # per thread directory.
342
  #
343
  # Also note that the limit and max-files settings are enforced per thread.
344
  # So the size limit when using 8 threads with 1000mb files and 2000 files
345
  # is: 8*1000*2000 ~ 16TiB.
346
  #
347
  # In Sguil mode "dir" indicates the base directory. In this base dir the
348
  # pcaps are created in th directory structure Sguil expects:
349
  #
350
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
351
  #
352
  # By default all packets are logged except:
353
  # - TCP streams beyond stream.reassembly.depth
354
  # - encrypted streams after the key exchange
355
  #
356
  - pcap-log:
357
      enabled: no
358
      filename: log.pcap
359

    
360
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
361
      # is parsed as bytes.
362
      limit: 1000mb
363

    
364
      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
365
      max-files: 2000
366

    
367
      # Compression algorithm for pcap files. Possible values: none, lz4.
368
      # Enabling compression is incompatible with the sguil mode. Note also
369
      # that on Windows, enabling compression will *increase* disk I/O.
370
      compression: none
371

    
372
      # Further options for lz4 compression. The compression level can be set
373
      # to a value between 0 and 16, where higher values result in higher
374
      # compression.
375
      #lz4-checksum: no
376
      #lz4-level: 0
377

    
378
      mode: normal # normal, multi or sguil.
379

    
380
      # Directory to place pcap files. If not provided the default log
381
      # directory will be used. Required for "sguil" mode.
382
      #dir: /nsm_data/
383

    
384
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
385
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
386
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
387

    
388
  # a full alerts log containing much information for signature writers
389
  # or for investigating suspected false positives.
390
  - alert-debug:
391
      enabled: no
392
      filename: alert-debug.log
393
      append: yes
394
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
395

    
396
  # alert output to prelude (http://www.prelude-technologies.com/) only
397
  # available if Suricata has been compiled with --enable-prelude
398
  - alert-prelude:
399
      enabled: no
400
      profile: suricata
401
      log-packet-content: no
402
      log-packet-header: yes
403

    
404
  # Stats.log contains data from various counters of the Suricata engine.
405
  - stats:
406
      enabled: no
407
      filename: stats.log
408
      append: yes       # append to file (yes) or overwrite it (no)
409
      totals: yes       # stats for all threads merged together
410
      threads: no       # per thread stats
411
      #null-values: yes  # print counters that have value 0
412

    
413
  # a line based alerts log similar to fast.log into syslog
414
  - syslog:
415
      enabled: no
416
      # reported identity to syslog. If ommited the program name (usually
417
      # suricata) will be used.
418
      #identity: "suricata"
419
      facility: local5
420
      #level: Info ## possible levels: Emergency, Alert, Critical,
421
                   ## Error, Warning, Notice, Info, Debug
422

    
423
  # a line based information for dropped packets in IPS mode
424
  - drop:
425
      enabled: no
426
      filename: drop.log
427
      append: yes
428
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
429

    
430
  # Output module for storing files on disk. Files are stored in a
431
  # directory names consisting of the first 2 characters of the
432
  # SHA256 of the file. Each file is given its SHA256 as a filename.
433
  #
434
  # When a duplicate file is found, the existing file is touched to
435
  # have its timestamps updated.
436
  #
437
  # Unlike the older filestore, metadata is not written out by default
438
  # as each file should already have a "fileinfo" record in the
439
  # eve.log. If write-fileinfo is set to yes, the each file will have
440
  # one more associated .json files that consists of the fileinfo
441
  # record. A fileinfo file will be written for each occurrence of the
442
  # file seen using a filename suffix to ensure uniqueness.
443
  #
444
  # To prune the filestore directory see the "suricatactl filestore
445
  # prune" command which can delete files over a certain age.
446
  - file-store:
447
      version: 2
448
      enabled: no
449

    
450
      # Set the directory for the filestore. If the path is not
451
      # absolute will be be relative to the default-log-dir.
452
      #dir: filestore
453

    
454
      # Write out a fileinfo record for each occurrence of a
455
      # file. Disabled by default as each occurrence is already logged
456
      # as a fileinfo record to the main eve-log.
457
      #write-fileinfo: yes
458

    
459
      # Force storing of all files. Default: no.
460
      #force-filestore: yes
461

    
462
      # Override the global stream-depth for sessions in which we want
463
      # to perform file extraction. Set to 0 for unlimited.
464
      #stream-depth: 0
465

    
466
      # Uncomment the following variable to define how many files can
467
      # remain open for filestore by Suricata. Default value is 0 which
468
      # means files get closed after each write
469
      #max-open-files: 1000
470

    
471
      # Force logging of checksums, available hash functions are md5,
472
      # sha1 and sha256. Note that SHA256 is automatically forced by
473
      # the use of this output module as it uses the SHA256 as the
474
      # file naming scheme.
475
      #force-hash: [sha1, md5]
476
      # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled
477
      # HTTP X-Forwarded-For support by adding an extra field or overwriting
478
      # the source or destination IP address (depending on flow direction)
479
      # with the one reported in the X-Forwarded-For HTTP header. This is
480
      # helpful when reviewing alerts for traffic that is being reverse
481
      # or forward proxied.
482
      xff:
483
        enabled: no
484
        # Two operation modes are available, "extra-data" and "overwrite".
485
        mode: extra-data
486
        # Two proxy deployments are supported, "reverse" and "forward". In
487
        # a "reverse" deployment the IP address used is the last one, in a
488
        # "forward" deployment the first IP address is used.
489
        deployment: reverse
490
        # Header name where the actual IP address will be reported, if more
491
        # than one IP address is present, the last IP address will be the
492
        # one taken into consideration.
493
        header: X-Forwarded-For
494

    
495
  # output module to store extracted files to disk (old style, deprecated)
496
  #
497
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
498
  # an incrementing number starting at 1. For each file "file.<id>" a meta
499
  # file "file.<id>.meta" is created. Before they are finalized, they will
500
  # have a ".tmp" suffix to indicate that they are still being processed.
501
  #
502
  # If include-pid is yes, then the files are instead "file.<pid>.<id>", with
503
  # meta files named as "file.<pid>.<id>.meta"
504
  #
505
  # File extraction depends on a lot of things to be fully done:
506
  # - file-store stream-depth. For optimal results, set this to 0 (unlimited)
507
  # - http request / response body sizes. Again set to 0 for optimal results.
508
  # - rules that contain the "filestore" keyword.
509
  - file-store:
510
      enabled: no       # set to yes to enable
511
      log-dir: files    # directory to store the files
512
      force-magic: no   # force logging magic on all stored files
513
      # force logging of checksums, available hash functions are md5,
514
      # sha1 and sha256
515
      #force-hash: [md5]
516
      force-filestore: no # force storing of all files
517
      # override global stream-depth for sessions in which we want to
518
      # perform file extraction. Set to 0 for unlimited.
519
      #stream-depth: 0
520
      #waldo: file.waldo # waldo file to store the file_id across runs
521
      # uncomment to disable meta file writing
522
      #write-meta: no
523
      # uncomment the following variable to define how many files can
524
      # remain open for filestore by Suricata. Default value is 0 which
525
      # means files get closed after each write
526
      #max-open-files: 1000
527
      include-pid: no # set to yes to include pid in file names
528

    
529
  # output module to log files tracked in a easily parsable JSON format
530
  - file-log:
531
      enabled: no
532
      filename: files-json.log
533
      append: yes
534
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
535

    
536
      force-magic: no   # force logging magic on all logged files
537
      # force logging of checksums, available hash functions are md5,
538
      # sha1 and sha256
539
      #force-hash: [md5]
540

    
541
  # Log TCP data after stream normalization
542
  # 2 types: file or dir. File logs into a single logfile. Dir creates
543
  # 2 files per TCP session and stores the raw TCP data into them.
544
  # Using 'both' will enable both file and dir modes.
545
  #
546
  # Note: limited by stream.depth
547
  - tcp-data:
548
      enabled: no
549
      type: file
550
      filename: tcp-data.log
551

    
552
  # Log HTTP body data after normalization, dechunking and unzipping.
553
  # 2 types: file or dir. File logs into a single logfile. Dir creates
554
  # 2 files per HTTP session and stores the normalized data into them.
555
  # Using 'both' will enable both file and dir modes.
556
  #
557
  # Note: limited by the body limit settings
558
  - http-body-data:
559
      enabled: no
560
      type: file
561
      filename: http-data.log
562

    
563
  # Lua Output Support - execute lua script to generate alert and event
564
  # output.
565
  # Documented at:
566
  # https://suricata.readthedocs.io/en/latest/output/lua-output.html
567
  - lua:
568
      enabled: no
569
      #scripts-dir: /etc/suricata/lua-output/
570
      scripts:
571
      #   - script1.lua
572

    
573
# Logging configuration.  This is not about logging IDS alerts/events, but
574
# output about what Suricata is doing, like startup messages, errors, etc.
575
logging:
576
  # The default log level, can be overridden in an output section.
577
  # Note that debug level logging will only be emitted if Suricata was
578
  # compiled with the --enable-debug configure option.
579
  #
580
  # This value is overridden by the SC_LOG_LEVEL env var.
581
  #default-log-level: notice
582
  default-log-level: info
583

    
584
  # The default output format.  Optional parameter, should default to
585
  # something reasonable if not provided.  Can be overridden in an
586
  # output section.  You can leave this out to get the default.
587
  #
588
  # This value is overridden by the SC_LOG_FORMAT env var.
589
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
590

    
591
  # A regex to filter output.  Can be overridden in an output section.
592
  # Defaults to empty (no filter).
593
  #
594
  # This value is overridden by the SC_LOG_OP_FILTER env var.
595
  default-output-filter:
596

    
597
  # Define your logging outputs.  If none are defined, or they are all
598
  # disabled you will get the default - console output.
599
  outputs:
600
  - console:
601
      enabled: yes
602
      # type: json
603
  - file:
604
      enabled: yes
605
      level: info
606
      filename: /var/log/suricata/suricata.log
607
      # type: json
608
  - syslog:
609
      enabled: no
610
      facility: local5
611
      format: "[%i] <%d> -- "
612
      # type: json
613

    
614

    
615
##
616
## Step 4: configure common capture settings
617
##
618
## See "Advanced Capture Options" below for more options, including NETMAP
619
## and PF_RING.
620
##
621

    
622
# Linux high speed capture support
623
af-packet:
624
  - interface: eth0
625
    # Number of receive threads. "auto" uses the number of cores
626
    #threads: auto
627
    # Default clusterid. AF_PACKET will load balance packets based on flow.
628
    cluster-id: 99
629
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
630
    # This is only supported for Linux kernel > 3.1
631
    # possible value are:
632
    #  * cluster_round_robin: round robin load balancing
633
    #  * cluster_flow: all packets of a given flow are send to the same socket
634
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
635
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
636
    #  socket. Requires at least Linux 3.14.
637
    #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
638
    #  Requires at least Linux 3.14.
639
    #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
640
    #  to the next. Requires at least Linux 3.10.
641
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture/ebpf-xdt.rst for
642
    #  more info.
643
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
644
    # with capture card using RSS (require cpu affinity tuning and system irq tuning)
645
    cluster-type: cluster_flow
646
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
647
    # to yes, the kernel will do the needed defragmentation before sending the packets.
648
    defrag: yes
649
    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
650
    # full then kernel will send the packet on the next socket with room available. This option
651
    # can minimize packet drop and increase the treated bandwidth on single intensive flow.
652
    #rollover: yes
653
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
654
    #use-mmap: yes
655
    # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock
656
    # your system
657
    #mmap-locked: yes
658
    # Use tpacket_v3 capture mode, only active if use-mmap is true
659
    # Don't use it in IPS or TAP mode as it causes severe latency
660
    #tpacket-v3: yes
661
    # Ring size will be computed with respect to max_pending_packets and number
662
    # of threads. You can set manually the ring size in number of packets by setting
663
    # the following value. If you are using flow cluster-type and have really network
664
    # intensive single-flow you could want to set the ring-size independently of the number
665
    # of threads:
666
    #ring-size: 2048
667
    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
668
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
669
    # a power of 2 and it must be multiple of page size (usually 4096).
670
    #block-size: 32768
671
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
672
    # filled after block-timeout milliseconds.
673
    #block-timeout: 10
674
    # On busy system, this could help to set it to yes to recover from a packet drop
675
    # phase. This will result in some packets (at max a ring flush) being non treated.
676
    #use-emergency-flush: yes
677
    # recv buffer size, increase value could improve performance
678
    # buffer-size: 32768
679
    # Set to yes to disable promiscuous mode
680
    # disable-promisc: no
681
    # Choose checksum verification mode for the interface. At the moment
682
    # of the capture, some packets may be with an invalid checksum due to
683
    # offloading to the network card of the checksum computation.
684
    # Possible values are:
685
    #  - kernel: use indication sent by kernel for each packet (default)
686
    #  - yes: checksum validation is forced
687
    #  - no: checksum validation is disabled
688
    #  - auto: suricata uses a statistical approach to detect when
689
    #  checksum off-loading is used.
690
    # Warning: 'checksum-validation' must be set to yes to have any validation
691
    #checksum-checks: kernel
692
    # BPF filter to apply to this interface. The pcap filter syntax apply here.
693
    #bpf-filter: port 80 or udp
694
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
695
    # If copy-mode is set to ips or tap, the traffic coming to the current
696
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
697
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
698
    # will not be copied.
699
    #copy-mode: ips
700
    #copy-iface: eth1
701
    #  For eBPF and XDP setup including bypass, filter and load balancing, please
702
    #  see doc/userguide/capture/ebpf-xdt.rst for more info.
703

    
704
  # Put default values here. These will be used for an interface that is not
705
  # in the list above.
706
  - interface: default
707
    #threads: auto
708
    #use-mmap: no
709
    #rollover: yes
710
    #tpacket-v3: yes
711

    
712
# Cross platform libpcap capture support
713
pcap:
714
  - interface: eth0
715
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
716
    # as total of memory used by the ring. So set this to something bigger
717
    # than 1% of your bandwidth.
718
    #buffer-size: 16777216
719
    #bpf-filter: "tcp and port 25"
720
    # Choose checksum verification mode for the interface. At the moment
721
    # of the capture, some packets may be with an invalid checksum due to
722
    # offloading to the network card of the checksum computation.
723
    # Possible values are:
724
    #  - yes: checksum validation is forced
725
    #  - no: checksum validation is disabled
726
    #  - auto: Suricata uses a statistical approach to detect when
727
    #  checksum off-loading is used. (default)
728
    # Warning: 'checksum-validation' must be set to yes to have any validation
729
    #checksum-checks: auto
730
    # With some accelerator cards using a modified libpcap (like myricom), you
731
    # may want to have the same number of capture threads as the number of capture
732
    # rings. In this case, set up the threads variable to N to start N threads
733
    # listening on the same interface.
734
    #threads: 16
735
    # set to no to disable promiscuous mode:
736
    #promisc: no
737
    # set snaplen, if not set it defaults to MTU if MTU can be known
738
    # via ioctl call and to full capture if not.
739
    #snaplen: 1518
740
  # Put default values here
741
  - interface: default
742
    #checksum-checks: auto
743

    
744
# Settings for reading pcap files
745
pcap-file:
746
  # Possible values are:
747
  #  - yes: checksum validation is forced
748
  #  - no: checksum validation is disabled
749
  #  - auto: Suricata uses a statistical approach to detect when
750
  #  checksum off-loading is used. (default)
751
  # Warning: 'checksum-validation' must be set to yes to have checksum tested
752
  checksum-checks: auto
753

    
754
# See "Advanced Capture Options" below for more options, including NETMAP
755
# and PF_RING.
756

    
757

    
758
##
759
## Step 5: App Layer Protocol Configuration
760
##
761

    
762
# Configure the app-layer parsers. The protocols section details each
763
# protocol.
764
#
765
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
766
# "yes" enables both detection and the parser, "no" disables both, and
767
# "detection-only" enables protocol detection only (parser disabled).
768
app-layer:
769
  protocols:
770
    krb5:
771
      enabled: yes
772
    ikev2:
773
      enabled: yes
774
    tls:
775
      enabled: yes
776
      detection-ports:
777
        dp: 443
778

    
779
      # Generate JA3 fingerprint from client hello
780
      ja3-fingerprints: no
781

    
782
      # What to do when the encrypted communications start:
783
      # - default: keep tracking TLS session, check for protocol anomalies,
784
      #            inspect tls_* keywords. Disables inspection of unmodified
785
      #            'content' signatures.
786
      # - bypass:  stop processing this flow as much as possible. No further
787
      #            TLS parsing and inspection. Offload flow bypass to kernel
788
      #            or hardware if possible.
789
      # - full:    keep tracking and inspection as normal. Unmodified content
790
      #            keyword signatures are inspected as well.
791
      #
792
      # For best performance, select 'bypass'.
793
      #
794
      #encrypt-handling: default
795

    
796
    dcerpc:
797
      enabled: yes
798
    ftp:
799
      enabled: yes
800
      # memcap: 64mb
801
    ssh:
802
      enabled: yes
803
    smtp:
804
      enabled: yes
805
      # Configure SMTP-MIME Decoder
806
      mime:
807
        # Decode MIME messages from SMTP transactions
808
        # (may be resource intensive)
809
        # This field supercedes all others because it turns the entire
810
        # process on or off
811
        decode-mime: yes
812

    
813
        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
814
        decode-base64: yes
815
        decode-quoted-printable: yes
816

    
817
        # Maximum bytes per header data value stored in the data structure
818
        # (default is 2000)
819
        header-value-depth: 2000
820

    
821
        # Extract URLs and save in state data structure
822
        extract-urls: yes
823
        #u Set to yes to compute the md5 of the mail body. You will then
824
        # be able to journalize it.
825
        body-md5: no
826
      # Configure inspected-tracker for file_data keyword
827
      inspected-tracker:
828
        content-limit: 100000
829
        content-inspect-min-size: 32768
830
        content-inspect-window: 4096
831
    imap:
832
      enabled: detection-only
833
    msn:
834
      enabled: detection-only
835
    # Note: --enable-rust is required for full SMB1/2 support. W/o rust
836
    # only minimal SMB1 support is available.
837
    smb:
838
      enabled: yes
839
      detection-ports:
840
        dp: 139, 445
841

    
842
      # Stream reassembly size for SMB streams. By default track it completely.
843
      #stream-depth: 0
844

    
845
    # Note: NFS parser depends on Rust support: pass --enable-rust
846
    # to configure.
847
    nfs:
848
      enabled: yes
849
    tftp:
850
      enabled: yes
851
    dns:
852
      # memcaps. Globally and per flow/state.
853
      #global-memcap: 16mb
854
      #state-memcap: 512kb
855

    
856
      # How many unreplied DNS requests are considered a flood.
857
      # If the limit is reached, app-layer-event:dns.flooded; will match.
858
      #request-flood: 500
859

    
860
      tcp:
861
        enabled: yes
862
        detection-ports:
863
          dp: 53
864
      udp:
865
        enabled: yes
866
        detection-ports:
867
          dp: 53
868
    http:
869
      enabled: yes
870
      # memcap: 64mb
871

    
872
      # default-config:           Used when no server-config matches
873
      #   personality:            List of personalities used by default
874
      #   request-body-limit:     Limit reassembly of request body for inspection
875
      #                           by http_client_body & pcre /P option.
876
      #   response-body-limit:    Limit reassembly of response body for inspection
877
      #                           by file_data, http_server_body & pcre /Q option.
878
      #   double-decode-path:     Double decode path section of the URI
879
      #   double-decode-query:    Double decode query section of the URI
880
      #   response-body-decompress-layer-limit:
881
      #                           Limit to how many layers of compression will be
882
      #                           decompressed. Defaults to 2.
883
      #
884
      # server-config:            List of server configurations to use if address matches
885
      #   address:                List of IP addresses or networks for this block
886
      #   personalitiy:           List of personalities used by this block
887
      #   request-body-limit:     Limit reassembly of request body for inspection
888
      #                           by http_client_body & pcre /P option.
889
      #   response-body-limit:    Limit reassembly of response body for inspection
890
      #                           by file_data, http_server_body & pcre /Q option.
891
      #   double-decode-path:     Double decode path section of the URI
892
      #   double-decode-query:    Double decode query section of the URI
893
      #
894
      #   uri-include-all:        Include all parts of the URI. By default the
895
      #                           'scheme', username/password, hostname and port
896
      #                           are excluded. Setting this option to true adds
897
      #                           all of them to the normalized uri as inspected
898
      #                           by http_uri, urilen, pcre with /U and the other
899
      #                           keywords that inspect the normalized uri.
900
      #                           Note that this does not affect http_raw_uri.
901
      #                           Also, note that including all was the default in
902
      #                           1.4 and 2.0beta1.
903
      #
904
      #   meta-field-limit:       Hard size limit for request and response size
905
      #                           limits. Applies to request line and headers,
906
      #                           response line and headers. Does not apply to
907
      #                           request or response bodies. Default is 18k.
908
      #                           If this limit is reached an event is raised.
909
      #
910
      # Currently Available Personalities:
911
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
912
      #   IIS_7_0, IIS_7_5, Apache_2
913
      libhtp:
914
         default-config:
915
           personality: IDS
916

    
917
           # Can be specified in kb, mb, gb.  Just a number indicates
918
           # it's in bytes.
919
           request-body-limit: 100kb
920
           response-body-limit: 100kb
921

    
922
           # inspection limits
923
           request-body-minimal-inspect-size: 32kb
924
           request-body-inspect-window: 4kb
925
           response-body-minimal-inspect-size: 40kb
926
           response-body-inspect-window: 16kb
927

    
928
           # response body decompression (0 disables)
929
           response-body-decompress-layer-limit: 2
930

    
931
           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
932
           http-body-inline: auto
933

    
934
           # Decompress SWF files.
935
           # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
936
           # compress-depth:
937
           # Specifies the maximum amount of data to decompress,
938
           # set 0 for unlimited.
939
           # decompress-depth:
940
           # Specifies the maximum amount of decompressed data to obtain,
941
           # set 0 for unlimited.
942
           swf-decompression:
943
             enabled: yes
944
             type: both
945
             compress-depth: 0
946
             decompress-depth: 0
947

    
948
           # Take a random value for inspection sizes around the specified value.
949
           # This lower the risk of some evasion technics but could lead
950
           # detection change between runs. It is set to 'yes' by default.
951
           #randomize-inspection-sizes: yes
952
           # If randomize-inspection-sizes is active, the value of various
953
           # inspection size will be choosen in the [1 - range%, 1 + range%]
954
           # range
955
           # Default value of randomize-inspection-range is 10.
956
           #randomize-inspection-range: 10
957

    
958
           # decoding
959
           double-decode-path: no
960
           double-decode-query: no
961

    
962
         server-config:
963

    
964
           #- apache:
965
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
966
           #    personality: Apache_2
967
           #    # Can be specified in kb, mb, gb.  Just a number indicates
968
           #    # it's in bytes.
969
           #    request-body-limit: 4096
970
           #    response-body-limit: 4096
971
           #    double-decode-path: no
972
           #    double-decode-query: no
973

    
974
           #- iis7:
975
           #    address:
976
           #      - 192.168.0.0/24
977
           #      - 192.168.10.0/24
978
           #    personality: IIS_7_0
979
           #    # Can be specified in kb, mb, gb.  Just a number indicates
980
           #    # it's in bytes.
981
           #    request-body-limit: 4096
982
           #    response-body-limit: 4096
983
           #    double-decode-path: no
984
           #    double-decode-query: no
985

    
986
    # Note: Modbus probe parser is minimalist due to the poor significant field
987
    # Only Modbus message length (greater than Modbus header length)
988
    # And Protocol ID (equal to 0) are checked in probing parser
989
    # It is important to enable detection port and define Modbus port
990
    # to avoid false positive
991
    modbus:
992
      # How many unreplied Modbus requests are considered a flood.
993
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
994
      #request-flood: 500
995

    
996
      enabled: no
997
      detection-ports:
998
        dp: 502
999
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
1000
      # is recommended to keep the TCP connection opened with a remote device
1001
      # and not to open and close it for each MODBUS/TCP transaction. In that
1002
      # case, it is important to set the depth of the stream reassembling as
1003
      # unlimited (stream.reassembly.depth: 0)
1004

    
1005
      # Stream reassembly size for modbus. By default track it completely.
1006
      stream-depth: 0
1007

    
1008
    # DNP3
1009
    dnp3:
1010
      enabled: no
1011
      detection-ports:
1012
        dp: 20000
1013

    
1014
    # SCADA EtherNet/IP and CIP protocol support
1015
    enip:
1016
      enabled: no
1017
      detection-ports:
1018
        dp: 44818
1019
        sp: 44818
1020

    
1021
    # Note: parser depends on Rust support
1022
    ntp:
1023
      enabled: yes
1024

    
1025
    dhcp:
1026
      enabled: yes
1027

    
1028
# Limit for the maximum number of asn1 frames to decode (default 256)
1029
asn1-max-frames: 256
1030

    
1031

    
1032
##############################################################################
1033
##
1034
## Advanced settings below
1035
##
1036
##############################################################################
1037

    
1038
##
1039
## Run Options
1040
##
1041

    
1042
# Run suricata as user and group.
1043
#run-as:
1044
#  user: suri
1045
#  group: suri
1046

    
1047
# Some logging module will use that name in event as identifier. The default
1048
# value is the hostname
1049
#sensor-name: suricata
1050

    
1051
# Default location of the pid file. The pid file is only used in
1052
# daemon mode (start Suricata with -D). If not running in daemon mode
1053
# the --pidfile command line option must be used to create a pid file.
1054
#pid-file: /usr/local/var/run/suricata.pid
1055

    
1056
# Daemon working directory
1057
# Suricata will change directory to this one if provided
1058
# Default: "/"
1059
#daemon-directory: "/"
1060

    
1061
# Umask.
1062
# Suricata will use this umask if it is provided. By default it will use the
1063
# umask passed on by the shell.
1064
#umask: 022
1065

    
1066
# Suricata core dump configuration. Limits the size of the core dump file to
1067
# approximately max-dump. The actual core dump size will be a multiple of the
1068
# page size. Core dumps that would be larger than max-dump are truncated. On
1069
# Linux, the actual core dump size may be a few pages larger than max-dump.
1070
# Setting max-dump to 0 disables core dumping.
1071
# Setting max-dump to 'unlimited' will give the full core dump file.
1072
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1073
# to be 'unlimited'.
1074

    
1075
coredump:
1076
  max-dump: unlimited
1077

    
1078
# If Suricata box is a router for the sniffed networks, set it to 'router'. If
1079
# it is a pure sniffing setup, set it to 'sniffer-only'.
1080
# If set to auto, the variable is internally switch to 'router' in IPS mode
1081
# and 'sniffer-only' in IDS mode.
1082
# This feature is currently only used by the reject* keywords.
1083
host-mode: auto
1084

    
1085
# Number of packets preallocated per thread. The default is 1024. A higher number 
1086
# will make sure each CPU will be more easily kept busy, but may negatively 
1087
# impact caching.
1088
#max-pending-packets: 1024
1089

    
1090
# Runmode the engine should use. Please check --list-runmodes to get the available
1091
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
1092
# load balancing).
1093
#runmode: autofp
1094

    
1095
# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
1096
#
1097
# Supported schedulers are:
1098
#
1099
# round-robin       - Flows assigned to threads in a round robin fashion.
1100
# active-packets    - Flows assigned to threads that have the lowest number of
1101
#                     unprocessed packets (default).
1102
# hash              - Flow allocated using the address hash. More of a random
1103
#                     technique. Was the default in Suricata 1.2.1 and older.
1104
#
1105
#autofp-scheduler: active-packets
1106

    
1107
# Preallocated size for packet. Default is 1514 which is the classical
1108
# size for pcap on ethernet. You should adjust this value to the highest
1109
# packet size (MTU + hardware header) on your system.
1110
#default-packet-size: 1514
1111

    
1112
# Unix command socket can be used to pass commands to Suricata.
1113
# An external tool can then connect to get information from Suricata
1114
# or trigger some modifications of the engine. Set enabled to yes
1115
# to activate the feature. In auto mode, the feature will only be
1116
# activated in live capture mode. You can use the filename variable to set
1117
# the file name of the socket.
1118
unix-command:
1119
  enabled: auto
1120
  #filename: custom.socket
1121

    
1122
# Magic file. The extension .mgc is added to the value here.
1123
#magic-file: /usr/share/file/magic
1124
#magic-file: 
1125

    
1126
legacy:
1127
  uricontent: enabled
1128

    
1129
##
1130
## Detection settings
1131
##
1132

    
1133
# Set the order of alerts based on actions
1134
# The default order is pass, drop, reject, alert
1135
# action-order:
1136
#   - pass
1137
#   - drop
1138
#   - reject
1139
#   - alert
1140

    
1141
# IP Reputation
1142
#reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt
1143
#default-reputation-path: /usr/local/etc/suricata/iprep
1144
#reputation-files:
1145
# - reputation.list
1146

    
1147
# When run with the option --engine-analysis, the engine will read each of
1148
# the parameters below, and print reports for each of the enabled sections
1149
# and exit.  The reports are printed to a file in the default log dir
1150
# given by the parameter "default-log-dir", with engine reporting
1151
# subsection below printing reports in its own report file.
1152
engine-analysis:
1153
  # enables printing reports for fast-pattern for every rule.
1154
  rules-fast-pattern: yes
1155
  # enables printing reports for each rule
1156
  rules: yes
1157

    
1158
#recursion and match limits for PCRE where supported
1159
pcre:
1160
  match-limit: 3500
1161
  match-limit-recursion: 1500
1162

    
1163
##
1164
## Advanced Traffic Tracking and Reconstruction Settings
1165
##
1166

    
1167
# Host specific policies for defragmentation and TCP stream
1168
# reassembly. The host OS lookup is done using a radix tree, just
1169
# like a routing table so the most specific entry matches.
1170
host-os-policy:
1171
  # Make the default policy windows.
1172
  windows: [0.0.0.0/0]
1173
  bsd: []
1174
  bsd-right: []
1175
  old-linux: []
1176
  linux: []
1177
  old-solaris: []
1178
  solaris: []
1179
  hpux10: []
1180
  hpux11: []
1181
  irix: []
1182
  macos: []
1183
  vista: []
1184
  windows2k3: []
1185

    
1186
# Defrag settings:
1187

    
1188
defrag:
1189
  memcap: 32mb
1190
  hash-size: 65536
1191
  trackers: 65535 # number of defragmented flows to follow
1192
  max-frags: 65535 # number of fragments to keep (higher than trackers)
1193
  prealloc: yes
1194
  timeout: 60
1195

    
1196
# Enable defrag per host settings
1197
#  host-config:
1198
#
1199
#    - dmz:
1200
#        timeout: 30
1201
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
1202
#
1203
#    - lan:
1204
#        timeout: 45
1205
#        address:
1206
#          - 192.168.0.0/24
1207
#          - 192.168.10.0/24
1208
#          - 172.16.14.0/24
1209

    
1210
# Flow settings:
1211
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
1212
# for flow allocation inside the engine. You can change this value to allow
1213
# more memory usage for flows.
1214
# The hash-size determine the size of the hash used to identify flows inside
1215
# the engine, and by default the value is 65536.
1216
# At the startup, the engine can preallocate a number of flows, to get a better
1217
# performance. The number of flows preallocated is 10000 by default.
1218
# emergency-recovery is the percentage of flows that the engine need to
1219
# prune before unsetting the emergency state. The emergency state is activated
1220
# when the memcap limit is reached, allowing to create new flows, but
1221
# pruning them with the emergency timeouts (they are defined below).
1222
# If the memcap is reached, the engine will try to prune flows
1223
# with the default timeouts. If it doesn't find a flow to prune, it will set
1224
# the emergency bit and it will try again with more aggressive timeouts.
1225
# If that doesn't work, then it will try to kill the last time seen flows
1226
# not in use.
1227
# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
1228
# in bytes.
1229

    
1230
flow:
1231
  memcap: 128mb
1232
  hash-size: 65536
1233
  prealloc: 10000
1234
  emergency-recovery: 30
1235
  managers: 1 # default to one flow manager
1236
  #recyclers: 1 # default to one flow recycler thread
1237

    
1238
# This option controls the use of vlan ids in the flow (and defrag)
1239
# hashing. Normally this should be enabled, but in some (broken)
1240
# setups where both sides of a flow are not tagged with the same vlan
1241
# tag, we can ignore the vlan id's in the flow hashing.
1242
vlan:
1243
  use-for-tracking: true
1244

    
1245
# Specific timeouts for flows. Here you can specify the timeouts that the
1246
# active flows will wait to transit from the current state to another, on each
1247
# protocol. The value of "new" determine the seconds to wait after a handshake or
1248
# stream startup before the engine free the data of that flow it doesn't
1249
# change the state to established (usually if we don't receive more packets
1250
# of that flow). The value of "established" is the amount of
1251
# seconds that the engine will wait to free the flow if it spend that amount
1252
# without receiving new packets or closing the connection. "closed" is the
1253
# amount of time to wait after a flow is closed (usually zero). "bypassed"
1254
# timeout controls locally bypassed flows. For these flows we don't do any other
1255
# tracking. If no packets have been seen after this timeout, the flow is discarded.
1256
#
1257
# There's an emergency mode that will become active under attack circumstances,
1258
# making the engine to check flow status faster. This configuration variables
1259
# use the prefix "emergency-" and work similar as the normal ones.
1260
# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
1261
# icmp.
1262

    
1263
flow-timeouts:
1264

    
1265
  default:
1266
    new: 30
1267
    established: 300
1268
    closed: 0
1269
    bypassed: 100
1270
    emergency-new: 10
1271
    emergency-established: 100
1272
    emergency-closed: 0
1273
    emergency-bypassed: 50
1274
  tcp:
1275
    new: 60
1276
    established: 600
1277
    closed: 60
1278
    bypassed: 100
1279
    emergency-new: 5
1280
    emergency-established: 100
1281
    emergency-closed: 10
1282
    emergency-bypassed: 50
1283
  udp:
1284
    new: 30
1285
    established: 300
1286
    bypassed: 100
1287
    emergency-new: 10
1288
    emergency-established: 100
1289
    emergency-bypassed: 50
1290
  icmp:
1291
    new: 30
1292
    established: 300
1293
    bypassed: 100
1294
    emergency-new: 10
1295
    emergency-established: 100
1296
    emergency-bypassed: 50
1297

    
1298
# Stream engine settings. Here the TCP stream tracking and reassembly
1299
# engine is configured.
1300
#
1301
# stream:
1302
#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
1303
#                               # number indicates it's in bytes.
1304
#   checksum-validation: yes    # To validate the checksum of received
1305
#                               # packet. If csum validation is specified as
1306
#                               # "yes", then packet with invalid csum will not
1307
#                               # be processed by the engine stream/app layer.
1308
#                               # Warning: locally generated traffic can be
1309
#                               # generated without checksum due to hardware offload
1310
#                               # of checksum. You can control the handling of checksum
1311
#                               # on a per-interface basis via the 'checksum-checks'
1312
#                               # option
1313
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
1314
#   midstream: false            # don't allow midstream session pickups
1315
#   async-oneside: false        # don't enable async stream handling
1316
#   inline: no                  # stream inline mode
1317
#   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
1318
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
1319
#   bypass: no                  # Bypass packets when stream.depth is reached
1320
#
1321
#   reassembly:
1322
#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
1323
#                               # indicates it's in bytes.
1324
#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
1325
#                               # indicates it's in bytes.
1326
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
1327
#                               # this size.  Can be specified in kb, mb,
1328
#                               # gb.  Just a number indicates it's in bytes.
1329
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
1330
#                               # this size.  Can be specified in kb, mb,
1331
#                               # gb.  Just a number indicates it's in bytes.
1332
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
1333
#                               # This lower the risk of some evasion technics but could lead
1334
#                               # detection change between runs. It is set to 'yes' by default.
1335
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
1336
#                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
1337
#                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
1338
#                               # calculation for toclient-chunk-size.
1339
#                               # Default value of randomize-chunk-range is 10.
1340
#
1341
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
1342
#                               # raw is for content inspection by detection
1343
#                               # engine.
1344
#
1345
#     segment-prealloc: 2048    # number of segments preallocated per thread
1346
#
1347
#     check-overlap-different-data: true|false
1348
#                               # check if a segment contains different data
1349
#                               # than what we've already seen for that
1350
#                               # position in the stream.
1351
#                               # This is enabled automatically if inline mode
1352
#                               # is used or when stream-event:reassembly_overlap_different_data;
1353
#                               # is used in a rule.
1354
#
1355
stream:
1356
  memcap: 64mb
1357
  checksum-validation: no      # reject wrong csums
1358
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
1359
  reassembly:
1360
    memcap: 256mb
1361
    depth: 1mb                  # reassemble 1mb into a stream
1362
    toserver-chunk-size: 2560
1363
    toclient-chunk-size: 2560
1364
    randomize-chunk-size: yes
1365
    #randomize-chunk-range: 10
1366
    #raw: yes
1367
    #segment-prealloc: 2048
1368
    #check-overlap-different-data: true
1369

    
1370
# Host table:
1371
#
1372
# Host table is used by tagging and per host thresholding subsystems.
1373
#
1374
host:
1375
  hash-size: 4096
1376
  prealloc: 1000
1377
  memcap: 32mb
1378

    
1379
# IP Pair table:
1380
#
1381
# Used by xbits 'ippair' tracking.
1382
#
1383
#ippair:
1384
#  hash-size: 4096
1385
#  prealloc: 1000
1386
#  memcap: 32mb
1387

    
1388
# Decoder settings
1389

    
1390
decoder:
1391
  # Teredo decoder is known to not be completely accurate
1392
  # it will sometimes detect non-teredo as teredo.
1393
  teredo:
1394
    enabled: true
1395

    
1396

    
1397
##
1398
## Performance tuning and profiling
1399
##
1400

    
1401
# The detection engine builds internal groups of signatures. The engine
1402
# allow us to specify the profile to use for them, to manage memory on an
1403
# efficient way keeping a good performance. For the profile keyword you
1404
# can use the words "low", "medium", "high" or "custom". If you use custom
1405
# make sure to define the values at "- custom-values" as your convenience.
1406
# Usually you would prefer medium/high/low.
1407
#
1408
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
1409
# the signature groups.  "single" indicates the use of a single context for
1410
# all the signature group heads.  "full" indicates a mpm-context for each
1411
# group head.  "auto" lets the engine decide the distribution of contexts
1412
# based on the information the engine gathers on the patterns from each
1413
# group head.
1414
#
1415
# The option inspection-recursion-limit is used to limit the recursive calls
1416
# in the content inspection code.  For certain payload-sig combinations, we
1417
# might end up taking too much time in the content inspection code.
1418
# If the argument specified is 0, the engine uses an internally defined
1419
# default limit.  On not specifying a value, we use no limits on the recursion.
1420
detect:
1421
  profile: medium
1422
  custom-values:
1423
    toclient-groups: 3
1424
    toserver-groups: 25
1425
  sgh-mpm-context: auto
1426
  inspection-recursion-limit: 3000
1427
  # If set to yes, the loading of signatures will be made after the capture
1428
  # is started. This will limit the downtime in IPS mode.
1429
  #delayed-detect: yes
1430

    
1431
  prefilter:
1432
    # default prefiltering setting. "mpm" only creates MPM/fast_pattern
1433
    # engines. "auto" also sets up prefilter engines for other keywords.
1434
    # Use --list-keywords=all to see which keywords support prefiltering.
1435
    default: mpm
1436

    
1437
  # the grouping values above control how many groups are created per
1438
  # direction. Port whitelisting forces that port to get it's own group.
1439
  # Very common ports will benefit, as well as ports with many expensive
1440
  # rules.
1441
  grouping:
1442
    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
1443
    #udp-whitelist: 53, 135, 5060
1444

    
1445
  profiling:
1446
    # Log the rules that made it past the prefilter stage, per packet
1447
    # default is off. The threshold setting determines how many rules
1448
    # must have made it past pre-filter for that rule to trigger the
1449
    # logging.
1450
    #inspect-logging-threshold: 200
1451
    grouping:
1452
      dump-to-disk: false
1453
      include-rules: false      # very verbose
1454
      include-mpm-stats: false
1455

    
1456
# Select the multi pattern algorithm you want to run for scan/search the
1457
# in the engine.
1458
#
1459
# The supported algorithms are:
1460
# "ac"      - Aho-Corasick, default implementation
1461
# "ac-bs"   - Aho-Corasick, reduced memory implementation
1462
# "ac-ks"   - Aho-Corasick, "Ken Steele" variant
1463
# "hs"      - Hyperscan, available when built with Hyperscan support
1464
#
1465
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
1466
# available, "ac" otherwise.
1467
#
1468
# The mpm you choose also decides the distribution of mpm contexts for
1469
# signature groups, specified by the conf - "detect.sgh-mpm-context".
1470
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
1471
# to be set to "single", because of ac's memory requirements, unless the
1472
# ruleset is small enough to fit in one's memory, in which case one can
1473
# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
1474

    
1475
mpm-algo: auto
1476

    
1477
# Select the matching algorithm you want to use for single-pattern searches.
1478
#
1479
# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
1480
# available if Suricata has been built with Hyperscan support).
1481
#
1482
# The default of "auto" will use "hs" if available, otherwise "bm".
1483

    
1484
spm-algo: auto
1485

    
1486
# Suricata is multi-threaded. Here the threading can be influenced.
1487
threading:
1488
  set-cpu-affinity: yes
1489
  # Tune cpu affinity of threads. Each family of threads can be bound
1490
  # on specific CPUs.
1491
  #
1492
  # These 2 apply to the all runmodes:
1493
  # management-cpu-set is used for flow timeout handling, counters
1494
  # worker-cpu-set is used for 'worker' threads
1495
  #
1496
  # Additionally, for autofp these apply:
1497
  # receive-cpu-set is used for capture threads
1498
  # verdict-cpu-set is used for IPS verdict threads
1499
  #
1500
  cpu-affinity:
1501
    - management-cpu-set:
1502
        cpu: [ 8 ]  # include only these CPUs in affinity settings
1503
    - receive-cpu-set:
1504
        cpu: [ 8 ]  # include only these CPUs in affinity settings
1505
    - worker-cpu-set:
1506
        cpu: [ "9-12" ]
1507
        mode: "exclusive"
1508
        # Use explicitely 3 threads and don't compute number by using
1509
        # detect-thread-ratio variable:
1510
        # threads: 3
1511
        prio:
1512
          low: [ 0 ]
1513
          medium: [ "8" ]
1514
          high: [ 9-12 ]
1515
          default: "medium"
1516
    #- verdict-cpu-set:
1517
    #    cpu: [ 0 ]
1518
    #    prio:
1519
    #      default: "high"
1520
  #
1521
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
1522
  # This setting allows controlling this behaviour. A ratio setting of 2 will
1523
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
1524
  # will result in 4 detect threads. If values below 1 are used, less threads
1525
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
1526
  # thread being created. Regardless of the setting at a minimum 1 detect
1527
  # thread will always be created.
1528
  #
1529
  detect-thread-ratio: 1.0
1530

    
1531
# Luajit has a strange memory requirement, it's 'states' need to be in the
1532
# first 2G of the process' memory.
1533
#
1534
# 'luajit.states' is used to control how many states are preallocated.
1535
# State use: per detect script: 1 per detect thread. Per output script: 1 per
1536
# script.
1537
luajit:
1538
  states: 128
1539

    
1540
# Profiling settings. Only effective if Suricata has been built with the
1541
# the --enable-profiling configure flag.
1542
#
1543
profiling:
1544
  # Run profiling for every xth packet. The default is 1, which means we
1545
  # profile every packet. If set to 1000, one packet is profiled for every
1546
  # 1000 received.
1547
  #sample-rate: 1000
1548

    
1549
  # rule profiling
1550
  rules:
1551

    
1552
    # Profiling can be disabled here, but it will still have a
1553
    # performance impact if compiled in.
1554
    enabled: yes
1555
    filename: rule_perf.log
1556
    append: yes
1557

    
1558
    # Sort options: ticks, avgticks, checks, matches, maxticks
1559
    # If commented out all the sort options will be used.
1560
    #sort: avgticks
1561

    
1562
    # Limit the number of sids for which stats are shown at exit (per sort).
1563
    limit: 10
1564

    
1565
    # output to json
1566
    json: yes
1567

    
1568
  # per keyword profiling
1569
  keywords:
1570
    enabled: yes
1571
    filename: keyword_perf.log
1572
    append: yes
1573

    
1574
  prefilter:
1575
    enabled: yes
1576
    filename: prefilter_perf.log
1577
    append: yes
1578

    
1579
  # per rulegroup profiling
1580
  rulegroups:
1581
    enabled: yes
1582
    filename: rule_group_perf.log
1583
    append: yes
1584

    
1585
  # packet profiling
1586
  packets:
1587

    
1588
    # Profiling can be disabled here, but it will still have a
1589
    # performance impact if compiled in.
1590
    enabled: yes
1591
    filename: packet_stats.log
1592
    append: yes
1593

    
1594
    # per packet csv output
1595
    csv:
1596

    
1597
      # Output can be disabled here, but it will still have a
1598
      # performance impact if compiled in.
1599
      enabled: no
1600
      filename: packet_stats.csv
1601

    
1602
  # profiling of locking. Only available when Suricata was built with
1603
  # --enable-profiling-locks.
1604
  locks:
1605
    enabled: no
1606
    filename: lock_stats.log
1607
    append: yes
1608

    
1609
  pcap-log:
1610
    enabled: no
1611
    filename: pcaplog_stats.log
1612
    append: yes
1613

    
1614
##
1615
## Netfilter integration
1616
##
1617

    
1618
# When running in NFQ inline mode, it is possible to use a simulated
1619
# non-terminal NFQUEUE verdict.
1620
# This permit to do send all needed packet to Suricata via this a rule:
1621
#        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
1622
# And below, you can have your standard filtering ruleset. To activate
1623
# this mode, you need to set mode to 'repeat'
1624
# If you want packet to be sent to another queue after an ACCEPT decision
1625
# set mode to 'route' and set next-queue value.
1626
# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
1627
# by processing several packets before sending a verdict (worker runmode only).
1628
# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
1629
# accept the packet if Suricata is not able to keep pace.
1630
# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
1631
# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
1632
# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
1633
# directly accept all packets of a flow once a packet has been marked.
1634
nfq:
1635
#  mode: accept
1636
#  repeat-mark: 1
1637
#  repeat-mask: 1
1638
#  bypass-mark: 1
1639
#  bypass-mask: 1
1640
#  route-queue: 2
1641
#  batchcount: 20
1642
#  fail-open: yes
1643

    
1644
#nflog support
1645
nflog:
1646
    # netlink multicast group
1647
    # (the same as the iptables --nflog-group param)
1648
    # Group 0 is used by the kernel, so you can't use it
1649
  - group: 2
1650
    # netlink buffer size
1651
    buffer-size: 18432
1652
    # put default value here
1653
  - group: default
1654
    # set number of packet to queue inside kernel
1655
    qthreshold: 1
1656
    # set the delay before flushing packet in the queue inside kernel
1657
    qtimeout: 100
1658
    # netlink max buffer size
1659
    max-size: 20000
1660

    
1661
##
1662
## Advanced Capture Options
1663
##
1664

    
1665
# general settings affecting packet capture
1666
capture:
1667
  # disable NIC offloading. It's restored when Suricata exits.
1668
  # Enabled by default.
1669
  #disable-offloading: false
1670
  #
1671
  # disable checksum validation. Same as setting '-k none' on the
1672
  # commandline.
1673
  #checksum-validation: none
1674

    
1675
# Netmap support
1676
#
1677
# Netmap operates with NIC directly in driver, so you need FreeBSD which have
1678
# built-in netmap support or compile and install netmap module and appropriate
1679
# NIC driver on your Linux system.
1680
# To reach maximum throughput disable all receive-, segmentation-,
1681
# checksum- offloadings on NIC.
1682
# Disabling Tx checksum offloading is *required* for connecting OS endpoint
1683
# with NIC endpoint.
1684
# You can find more information at https://github.com/luigirizzo/netmap
1685
#
1686
netmap:
1687
   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
1688
 - interface: eth2
1689
   # Number of receive threads. "auto" uses number of RSS queues on interface.
1690
   #threads: auto
1691
   # You can use the following variables to activate netmap tap or IPS mode.
1692
   # If copy-mode is set to ips or tap, the traffic coming to the current
1693
   # interface will be copied to the copy-iface interface. If 'tap' is set, the
1694
   # copy is complete. If 'ips' is set, the packet matching a 'drop' action
1695
   # will not be copied.
1696
   # To specify the OS as the copy-iface (so the OS can route packets, or forward
1697
   # to a service running on the same machine) add a plus sign at the end
1698
   # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
1699
   # for return packets. Hardware checksumming must be *off* on the interface if
1700
   # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
1701
   # or 'ethtool -K eth0 tx off rx off' for Linux).
1702
   #copy-mode: tap
1703
   #copy-iface: eth3
1704
   # Set to yes to disable promiscuous mode
1705
   # disable-promisc: no
1706
   # Choose checksum verification mode for the interface. At the moment
1707
   # of the capture, some packets may be with an invalid checksum due to
1708
   # offloading to the network card of the checksum computation.
1709
   # Possible values are:
1710
   #  - yes: checksum validation is forced
1711
   #  - no: checksum validation is disabled
1712
   #  - auto: Suricata uses a statistical approach to detect when
1713
   #  checksum off-loading is used.
1714
   # Warning: 'checksum-validation' must be set to yes to have any validation
1715
   #checksum-checks: auto
1716
   # BPF filter to apply to this interface. The pcap filter syntax apply here.
1717
   #bpf-filter: port 80 or udp
1718
 #- interface: eth3
1719
   #threads: auto
1720
   #copy-mode: tap
1721
   #copy-iface: eth2
1722
   # Put default values here
1723
 - interface: default
1724

    
1725
# PF_RING configuration. for use with native PF_RING support
1726
# for more info see http://www.ntop.org/products/pf_ring/
1727
pfring:
1728
  - interface: eth0
1729
    # Number of receive threads. If set to 'auto' Suricata will first try
1730
    # to use CPU (core) count and otherwise RSS queue count.
1731
    threads: auto
1732

    
1733
    # Default clusterid.  PF_RING will load balance packets based on flow.
1734
    # All threads/processes that will participate need to have the same
1735
    # clusterid.
1736
    cluster-id: 99
1737

    
1738
    # Default PF_RING cluster type. PF_RING can load balance per flow.
1739
    # Possible values are cluster_flow or cluster_round_robin.
1740
    cluster-type: cluster_flow
1741

    
1742
    # bpf filter for this interface
1743
    #bpf-filter: tcp
1744

    
1745
    # If bypass is set then the PF_RING hw bypass is activated, when supported
1746
    # by the interface in use. Suricata will instruct the interface to bypass
1747
    # all future packets for a flow that need to be bypassed.
1748
    #bypass: yes
1749

    
1750
    # Choose checksum verification mode for the interface. At the moment
1751
    # of the capture, some packets may be with an invalid checksum due to
1752
    # offloading to the network card of the checksum computation.
1753
    # Possible values are:
1754
    #  - rxonly: only compute checksum for packets received by network card.
1755
    #  - yes: checksum validation is forced
1756
    #  - no: checksum validation is disabled
1757
    #  - auto: Suricata uses a statistical approach to detect when
1758
    #  checksum off-loading is used. (default)
1759
    # Warning: 'checksum-validation' must be set to yes to have any validation
1760
    #checksum-checks: auto
1761
  # Second interface
1762
  #- interface: eth1
1763
  #  threads: 3
1764
  #  cluster-id: 93
1765
  #  cluster-type: cluster_flow
1766
  # Put default values here
1767
  - interface: default
1768
    #threads: 2
1769

    
1770
# For FreeBSD ipfw(8) divert(4) support.
1771
# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
1772
# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
1773
# Additionally, you need to have an ipfw rule for the engine to see
1774
# the packets from ipfw.  For Example:
1775
#
1776
#   ipfw add 100 divert 8000 ip from any to any
1777
#
1778
# The 8000 above should be the same number you passed on the command
1779
# line, i.e. -d 8000
1780
#
1781
ipfw:
1782

    
1783
  # Reinject packets at the specified ipfw rule number.  This config
1784
  # option is the ipfw rule number AT WHICH rule processing continues
1785
  # in the ipfw processing system after the engine has finished
1786
  # inspecting the packet for acceptance.  If no rule number is specified,
1787
  # accepted packets are reinjected at the divert rule which they entered
1788
  # and IPFW rule processing continues.  No check is done to verify
1789
  # this will rule makes sense so care must be taken to avoid loops in ipfw.
1790
  #
1791
  ## The following example tells the engine to reinject packets
1792
  # back into the ipfw firewall AT rule number 5500:
1793
  #
1794
  # ipfw-reinjection-rule-number: 5500
1795

    
1796

    
1797
napatech:
1798
    # The Host Buffer Allowance for all streams
1799
    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1800
    # This may be enabled when sharing streams with another application.
1801
    # Otherwise, it should be turned off.
1802
    hba: -1
1803

    
1804
    # use_all_streams set to "yes" will query the Napatech service for all configured
1805
    # streams and listen on all of them. When set to "no" the streams config array
1806
    # will be used.
1807
    use-all-streams: yes
1808

    
1809
    # The streams to listen on.  This can be either:
1810
    #   a list of individual streams (e.g. streams: [0,1,2,3])
1811
    # or
1812
    #   a range of streams (e.g. streams: ["0-3"])
1813
    streams: ["0-3"]
1814

    
1815
# Tilera mpipe configuration. for use on Tilera TILE-Gx.
1816
mpipe:
1817

    
1818
  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
1819
  load-balance: dynamic
1820

    
1821
  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
1822
  iqueue-packets: 2048
1823

    
1824
  # List of interfaces we will listen on.
1825
  inputs:
1826
  - interface: xgbe2
1827
  - interface: xgbe3
1828
  - interface: xgbe4
1829

    
1830

    
1831
  # Relative weight of memory for packets of each mPipe buffer size.
1832
  stack:
1833
    size128: 0
1834
    size256: 9
1835
    size512: 0
1836
    size1024: 0
1837
    size1664: 7
1838
    size4096: 0
1839
    size10386: 0
1840
    size16384: 0
1841

    
1842
##
1843
## Configure Suricata to load Suricata-Update managed rules.
1844
##
1845
## If this section is completely commented out move down to the "Advanced rule
1846
## file configuration".
1847
##
1848

    
1849
#default-rule-path: /usr/local/etc/suricata/rules
1850
#rule-files:
1851
# - suricata.rules
1852

    
1853
##
1854
## Advanced rule file configuration.
1855
##
1856
## If this section is completely commented out then your configuration
1857
## is setup for suricata-update as it was most likely bundled and
1858
## installed with Suricata.
1859
##
1860

    
1861
default-rule-path: /var/lib/suricata/rules
1862

    
1863
rule-files:
1864
 - suricata.rules
1865
# - botcc.rules
1866
 # - botcc.portgrouped.rules
1867
# - ciarmy.rules
1868
# - compromised.rules
1869
# - drop.rules
1870
# - dshield.rules
1871
# - emerging-activex.rules
1872
# - emerging-attack_response.rules
1873
# - emerging-chat.rules
1874
# - emerging-current_events.rules
1875
# - emerging-dns.rules
1876
# - emerging-dos.rules
1877
# - emerging-exploit.rules
1878
# - emerging-ftp.rules
1879
# - emerging-games.rules
1880
# - emerging-icmp_info.rules
1881
# - emerging-icmp.rules
1882
# - emerging-imap.rules
1883
# - emerging-inappropriate.rules
1884
# - emerging-info.rules
1885
# - emerging-malware.rules
1886
# - emerging-misc.rules
1887
# - emerging-mobile_malware.rules
1888
# - emerging-netbios.rules
1889
# - emerging-p2p.rules
1890
# - emerging-policy.rules
1891
# - emerging-pop3.rules
1892
# - emerging-rpc.rules
1893
# - emerging-scada.rules
1894
# - emerging-scada_special.rules
1895
# - emerging-scan.rules
1896
# - emerging-shellcode.rules
1897
# - emerging-smtp.rules
1898
# - emerging-snmp.rules
1899
# - emerging-sql.rules
1900
# - emerging-telnet.rules
1901
# - emerging-tftp.rules
1902
# - emerging-trojan.rules
1903
# - emerging-user_agents.rules
1904
# - emerging-voip.rules
1905
# - emerging-web_client.rules
1906
# - emerging-web_server.rules
1907
# - emerging-web_specific_apps.rules
1908
# - emerging-worm.rules
1909
# - tor.rules
1910
# - decoder-events.rules # available in suricata sources under rules dir
1911
# - stream-events.rules  # available in suricata sources under rules dir
1912
# - http-events.rules    # available in suricata sources under rules dir
1913
# - smtp-events.rules    # available in suricata sources under rules dir
1914
# - dns-events.rules     # available in suricata sources under rules dir
1915
# - tls-events.rules     # available in suricata sources under rules dir
1916
# - modbus-events.rules  # available in suricata sources under rules dir
1917
# - app-layer-events.rules  # available in suricata sources under rules dir
1918
# - dnp3-events.rules       # available in suricata sources under rules dir
1919
# - ntp-events.rules       # available in suricata sources under rules dir
1920
# - ipsec-events.rules       # available in suricata sources under rules dir
1921
# - kerberos-events.rules       # available in suricata sources under rules dir
1922
##
1923
## Auxiliary configuration files.
1924
##
1925

    
1926
classification-file: /etc/suricata/classification.config
1927
reference-config-file: /etc/suricata/reference.config
1928
# threshold-file: /usr/local/etc/suricata/threshold.config
1929

    
1930
##
1931
## Include other configs
1932
##
1933

    
1934
# Includes.  Files included here will be handled as if they were
1935
# inlined in this configuration file.
1936
#include: include1.yaml
1937
#include: include2.yaml
    (1-1/1)