%YAML 1.1
---
# Suricata engine configuration (IDS / sniffer-only deployment; see host-mode
# and stream.inline below). Keys appear in sorted order, which suggests this
# file was emitted by a YAML dumper rather than hand-written.
#
# NOTE(review): the indentation of this copy was lost; nesting has been
# restored from key order and the Suricata schema. Validate the result with
# `suricata -T -c <this-file>` before deploying.

# Live capture: AF_PACKET on eth0, load-balanced by flow hash so a flow always
# lands on the same worker. The second entry supplies defaults for any other
# interface named on the command line.
af-packet:
  - cluster-id: 99
    cluster-type: cluster_flow
    defrag: true
    interface: eth0
  - interface: default

app-layer:
  protocols:
    # Parser enable flags mix the quoted strings "yes"/"no" with YAML booleans.
    # Suricata accepts both spellings; the mix is cosmetic, not functional.
    dcerpc:
      enabled: "yes"
    dhcp:
      enabled: "yes"
    dhcp-px:
      enabled: false
    dnp3:
      detection-ports:
        dp: 20000
      enabled: "yes"
    dns:
      tcp:
        detection-ports:
          dp: 53
        enabled: "yes"
      udp:
        detection-ports:
          dp: 53
        enabled: "yes"
    enip:
      detection-ports:
        dp: 44818
        sp: 44818
      enabled: "yes"
    ftp:
      enabled: "yes"
    ftp-data:
      enabled: "yes"
    ftp-data-px:
      enabled: false
    ftp-px:
      enabled: false
    http:
      enabled: "yes"
      libhtp:
        default-config:
          double-decode-path: false
          double-decode-query: false
          http-body-inline: auto
          personality: IDS
          request-body-inspect-window: 4kb
          # Body bytes beyond these limits are not inspected; keep in mind when
          # tuning for large uploads/downloads.
          request-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          response-body-decompress-layer-limit: 2
          response-body-inspect-window: 16kb
          response-body-limit: 100kb
          response-body-minimal-inspect-size: 40kb
          swf-decompression:
            compress-depth: 0
            decompress-depth: 0
            enabled: true
            type: both
        server-config: {}
      memcap: 16gb
    ikev2:
      enabled: "yes"
    imap:
      enabled: "no"
      mime:
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
    irc:
      detection-ports:
        dp: 6667
      enabled: "yes"
    krb5:
      enabled: "yes"
    krb5-px:
      enabled: false
    modbus:
      detection-ports:
        dp: 502
      enabled: "yes"
      stream-depth: 0
    msn:
      enabled: detection-only
    nfs:
      enabled: "yes"
    ntp:
      enabled: "yes"
    pop3:
      enabled: "yes"
      mime:
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
    radius:
      enabled: "no"
    rdp:
      enabled: "yes"
    rdp-px:
      enabled: false
    rtsp:
      enabled: "yes"
    sip:
      enabled: "no"
    sip-px:
      enabled: false
    smb:
      detection-ports:
        # Plain scalar; parsed as the single string "139, 445".
        dp: 139, 445
      enabled: "yes"
    smtp:
      enabled: "yes"
      inspected-tracker:
        content-inspect-min-size: 32768
        content-inspect-window: 4096
        content-limit: 100000
      mime:
        body-md5: false
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
      raw-extraction: false
    snmp:
      enabled: "yes"
    ssh:
      enabled: "yes"
    tacplus:
      enabled: "yes"
    tftp:
      enabled: "yes"
    tls:
      detection-ports:
        dp: 443
      enabled: "yes"
      encryption-handling: default
      # JA3 hashes are emitted in eve tls records; useful for client
      # fingerprint matching in downstream detection.
      ja3-fingerprints: "yes"

asn1-max-frames: 256

capture: {}

coredump:
  max-dump: unlimited

decoder:
  erspan:
    typeI:
      enabled: "yes"
  # Tunnel decoders are off: Teredo/VXLAN-encapsulated traffic is not
  # inspected at the inner layer.
  teredo:
    enabled: "no"
    ports: $TEREDO_PORTS
  vxlan:
    enabled: "no"
    ports: $VXLAN_PORTS

default-log-dir: /var/log/suricata/

defrag:
  hash-size: 65536
  max-frags: 65535
  memcap: 128mb
  prealloc: true
  timeout: 60
  trackers: 65535

detect:
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  grouping: {}
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  profile: medium
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false
      include-rules: false
  sgh-mpm-context: auto

engine-analysis:
  rules: true
  rules-fast-pattern: true

flow:
  emergency-recovery: 30
  hash-size: 1048576
  managers: 2
  memcap: 4gb
  prealloc: 4194304
  recyclers: 2

# Seconds. The emergency-* values apply once the flow memcap is reached.
flow-timeouts:
  default:
    bypassed: 100
    closed: 0
    emergency-bypassed: 50
    emergency-closed: 0
    emergency-established: 10
    emergency-new: 3
    established: 30
    new: 3
  icmp:
    bypassed: 100
    emergency-bypassed: 10
    emergency-established: 10
    emergency-new: 1
    established: 30
    new: 3
  tcp:
    bypassed: 100
    closed: 12
    emergency-bypassed: 10
    emergency-closed: 2
    emergency-established: 100
    emergency-new: 5
    established: 570
    new: 6
  udp:
    bypassed: 100
    emergency-bypassed: 10
    emergency-established: 10
    emergency-new: 3
    established: 30
    new: 30

host:
  hash-size: 4096
  memcap: 32mb
  prealloc: 1000

# Passive sensor: no packets are forwarded or dropped.
host-mode: sniffer-only

# Every host (0.0.0.0/0) is handled with the Windows reassembly policy. If
# Linux/BSD servers are among the monitored hosts, listing their ranges under
# the matching OS reduces exposure to TCP-overlap evasion.
host-os-policy:
  bsd: []
  bsd-right: []
  hpux10: []
  hpux11: []
  irix: []
  linux: []
  macos: []
  old-linux: []
  old-solaris: []
  solaris: []
  vista: []
  windows:
    - 0.0.0.0/0
  windows2k3: []

# Rule-file list lives in a separate, included document.
include: /opt/suricata/etc/suricata/rules/rules.yaml

ipfw: {}

legacy:
  uricontent: enabled

# Engine (not event) logging.
logging:
  default-log-level: notice
  default-output-filter: {}
  outputs:
    - console:
        enabled: true
    - file:
        enabled: true
        filename: /var/log/suricata/suricata.log
        level: info
    - syslog:
        enabled: false
        facility: local5
        format: '[%i] <%d> -- '

luajit:
  states: 128

max-pending-packets: 65500

mpm-algo: auto

napatech:
  auto-config: true
  hashmode: hash5tuplesorted
  ports:
    - all
  streams:
    - 0-3

netmap:
  - interface: vale:suri}0
  - interface: vale:suri}1
  - interface: vale:suri}2
  - interface: vale:suri}3
  - interface: vale:suri}4
  - interface: vale:suri}5
  - interface: vale:suri}6
  - interface: vale:suri}7
  - interface: vale:suri}8
  - interface: vale:suri}9
  - interface: vale:suri}10
  - interface: vale:suri}11
  - interface: vale:suri}12
  - interface: vale:suri}13
  - interface: vale:suri}14
  - interface: vale:suri}15
  - bypass-enabled: true
    extra-rings: 20
    interface: default

nflog:
  - buffer-size: 18432
    group: 2
  - group: default
    max-size: 20000
    qthreshold: 1
    qtimeout: 100

nfq: {}

# Event outputs. Only eve-log is enabled; everything else is off.
outputs:
  - fast:
      append: true
      enabled: false
      filename: fast.log
  - eve-log:
      community-id: false
      community-id-seed: 0
      enabled: true
      # Events leave via a ZeroMQ IPC socket (path in `zeromq` below) rather
      # than a file. Filesystem permissions on that socket path decide who can
      # read alert and payload data; restrict them to the consumer.
      filetype: zeromq
      pcap-file: false
      timestamp: utc
      tunnel: true
      types:
        - alert:
            metadata: true
            # Raw and printable payload are both included in alert records;
            # this can place sensitive application data in the event stream.
            payload: true
            payload-printable: true
            tagged-packets: true
        # Anomaly events (decoder/stream/app-layer irregularities) are
        # disabled; they are a useful signal for evasion attempts if the
        # consumer can absorb the volume.
        - anomaly:
            enabled: false
            packethdr: false
            types:
              applayer: true
              decode: false
              stream: false
        - http:
            custom:
              - X-Flash-Version
              - X-Authenticated-User
              - True-Client-IP
            dump-all-headers: none
            extended: true
        - dns:
            enabled: true
            formats:
              - detailed
              - grouped
            requests: true
            responses: true
            version: 2
        - tls:
            extended: true
        - files:
            force-hash:
              - md5
            force-magic: true
        - smtp:
            custom:
              - received
              - x-mailer
              - x-originating-ip
              - relays
              - reply-to
              - bcc
            extended: true
        - dnp3
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - krb5
        - snmp
        - sip
        - dhcp:
            enabled: true
            extended: false
        - ssh
        - imap
        - irc
        - mail
        - pop3
        - radius
        - rtsp
        - tacplus
        - stats:
            deltas: false
            threads: false
            totals: true
      # NOTE(review): `utf8` was reconstructed at eve-log level; key order also
      # permits it under the `stats` type above — confirm against the dumper.
      utf8: true
      xff:
        deployment: reverse
        enabled: false
        header: X-Forwarded-For
        mode: extra-data
      zeromq: ipc:///var/run/flow/suricata-out.zmq
  - unified2-alert:
      enabled: false
  - http-log:
      append: true
      enabled: false
      filename: http.log
  - tls-log:
      append: true
      enabled: false
      filename: tls.log
  - tls-store:
      enabled: false
  - pcap-log:
      compression: none
      enabled: false
      filename: log.pcap
      honor-pass-rules: false
      limit: 1000mb
      max-files: 2000
      mode: normal
      use-stream-depth: false
  - alert-debug:
      append: true
      enabled: false
      filename: alert-debug.log
  - alert-prelude:
      enabled: false
      log-packet-content: false
      log-packet-header: true
      profile: suricata
  - stats:
      append: true
      enabled: false
      filename: stats.log
      threads: false
      totals: true
  - syslog:
      enabled: false
      facility: local5
  - drop:
      enabled: false
  # NOTE(review): `file-store` appears twice in this list (here and two
  # entries below). Both are disabled, but if either is ever turned on, confirm
  # which entry the loader honours and remove the other.
  - file-store:
      enabled: false
      version: 2
      xff:
        deployment: reverse
        enabled: false
        header: X-Forwarded-For
        mode: extra-data
  - file-store:
      enabled: false
  - mail-store:
      enabled: false
      force-mailstore: false
      log-dir: mail
  - tcp-data:
      enabled: false
      filename: tcp-data.log
      type: file
  - http-body-data:
      enabled: false
      filename: http-data.log
      type: file
  - lua:
      enabled: false
      scripts: {}
  # Non-upstream output; presumably a packet-retention buffer. Disabled.
  - timemachine:
      enabled: false
      heap-expand-by: 1000
      heap-prealloc-count: 5000
      heaps:
        - max-packet-size: 200
          name: micro
        - max-packet-size: 400
          name: small
        - max-packet-size: 800
          name: medium
        - max-packet-size: 1524
          name: normal
      max-memory: 8gb
      output-timeout: 21600
      packet-size: 1524

pcap:
  - interface: eth0
  - interface: default

pcap-file:
  checksum-checks: auto

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

pfring:
  - cluster-id: 99
    cluster-type: cluster_flow
    interface: eth0
    threads: auto
  - interface: default

# Rule/keyword performance profiling is ON (keywords, prefilter, rulegroups,
# rules). This has a measurable runtime cost and writes to the log dir;
# intended for tuning rather than steady-state operation.
profiling:
  keywords:
    append: true
    enabled: true
    filename: keyword_perf.log
  locks:
    append: true
    enabled: false
    filename: lock_stats.log
  packets:
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
    enabled: true
    filename: packet_stats.log
  pcap-log:
    append: true
    enabled: false
    filename: pcaplog_stats.log
  prefilter:
    append: true
    enabled: true
    filename: prefilter_perf.log
  rulegroups:
    append: true
    enabled: true
    filename: rule_group_perf.log
  rules:
    append: true
    enabled: true
    filename: rule_perf.log
    json: true
    limit: 10

runmode: workers

spm-algo: auto

stats:
  enabled: true
  interval: 30

stream:
  async-oneside: false
  bypass: true
  # Packets failing checksum validation are not reassembled. If the capture
  # NIC has checksum offload enabled, locally generated traffic can arrive
  # with invalid checksums and silently escape inspection — verify the offload
  # state on eth0 or relax this setting.
  checksum-validation: true
  inline: false
  memcap: 8gb
  reassembly:
    # Reassembled stream data past this depth is no longer inspected.
    depth: 12mb
    memcap: 30gb
    randomize-chunk-size: true
    toclient-chunk-size: 2560
    toserver-chunk-size: 2560

threading:
  cpu-affinity:
    # CPU ids are quoted here but bare integers/ranges below; the engine reads
    # both as strings, so the difference is cosmetic.
    - management-cpu-set:
        cpu:
          - "0"
          - "28"
          - "56"
          - "84"
    - receive-cpu-set:
        cpu:
          - 0
    - worker-cpu-set:
        cpu:
          - 10-12
          - 66-68
          - 28-55
          - 84-111
        mode: exclusive
        prio:
          default: high
          high:
            - 10-12
            - 60-62
            - 28-55
            - 84-111
          low:
            - 0
          medium:
            - 1-2
  detect-thread-ratio: 1
  set-cpu-affinity: true

# Local control socket; access to it allows runtime reconfiguration of the
# sensor, so its directory permissions matter.
unix-command:
  enabled: auto

vars:
  address-groups:
    AIM_SERVERS: $EXTERNAL_NET
    DC_SERVERS: $HOME_NET
    DNP3_CLIENT: $HOME_NET
    DNP3_SERVER: $HOME_NET
    DNS_SERVERS: $HOME_NET
    ENIP_CLIENT: $HOME_NET
    ENIP_SERVER: $HOME_NET
    # Both HOME_NET and EXTERNAL_NET are `any`, so every derived group above
    # and below also resolves to `any`: directional rules ($HOME_NET ->
    # $EXTERNAL_NET) match in both directions and produce more noise. Set
    # HOME_NET to the monitored ranges where the deployment allows it.
    EXTERNAL_NET: any
    HOME_NET: any
    HTTP_SERVERS: $HOME_NET
    MODBUS_CLIENT: $HOME_NET
    MODBUS_SERVER: $HOME_NET
    SMTP_SERVERS: $HOME_NET
    SQL_SERVERS: $HOME_NET
    TELNET_SERVERS: $HOME_NET
  port-groups:
    DNP3_PORTS: 20000
    FILE_DATA_PORTS: '[$HTTP_PORTS,110,143]'
    FTP_PORTS: 21
    # NOTE(review): HTTP_PORTS includes 21, 22 and 53 (conventionally FTP, SSH,
    # DNS). Rules keyed on $HTTP_PORTS will be evaluated on those ports too;
    # confirm this is intentional.
    HTTP_PORTS: 21,22,53,80,81,443,1080,1443,3128,8000,8080,10080,10250,18080
    MODBUS_PORTS: 502
    ORACLE_PORTS: 1521
    SHELLCODE_PORTS: '!80'
    SSH_PORTS: 22
    TEREDO_PORTS: 3544
    VXLAN_PORTS: 4789

vlan:
  use-for-tracking: false