|
%YAML 1.1
---
# Suricata configuration for a single capture-interface instance (igb2; the
# per-instance paths below carry the suffix 36290_igb2).

# Upper bound on packets held in flight between capture and processing.
max-pending-packets: 1024

# Runmode the engine should use.
runmode: autofp

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: hash

# Daemon working directory
daemon-directory: /usr/local/etc/suricata/suricata_36290_igb2

default-packet-size: 1514

# The default logging directory. The alert/http logs written here (see
# 'outputs') can carry packet payloads and request headers from inspected
# traffic; keep its permissions restrictive.
default-log-dir: /var/log/suricata/suricata_igb236290
# global stats configuration
# NOTE(review): stats are disabled here and the 'stats' output below is also
# disabled, so no periodic engine counters are written. That leaves capture
# drops and memcap exhaustion invisible in the logs — confirm this is intended
# for a sensor whose coverage is relied upon.
stats:
  enabled: no
  interval: 10
  decoder-events: true
  decoder-events-prefix: "decoder.event"
  stream-events: false
# Configure the type of alert (and other) logging.
outputs:

  # alert-pf blocking plugin (pf-table based blocking; disabled, so this
  # instance alerts only and never blocks)
  - alert-pf:
      enabled: no
      kill-state: yes
      block-drops-only: no
      # Addresses listed in this file are exempt from blocking; review it
      # together with the threshold file when auditing what the sensor ignores.
      pass-list: /usr/local/etc/suricata/suricata_36290_igb2/passlist
      block-ip: BOTH
      pf-table: snort2c

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alerts.log
      append: yes
      filetype: regular

  # Per-request HTTP log; 'extended' adds further request/response headers.
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  # Full packet capture to rotating pcap files. Disabled.
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  # Writes observed certificates to 'certs' under the log dir when enabled.
  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: no
      filename: stats.log
      append: no
      totals: yes
      threads: no
      null-values: yes

  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice

  # Log of packets hit by 'drop' rules (only meaningful when the engine
  # actually runs inline).
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  # Extracted-file storage, v2 on-disk layout; 'length: 0' sets no size cap.
  - file-store:
      version: 2
      enabled: no
      length: 0
      dir: filestore

  # EVE JSON output. Disabled. NOTE(review): the 'alert' type below is
  # configured to dump raw payload, packet and HTTP bodies, and the 'http'
  # type logs the authorization, proxy-authorization, cookie and set-cookie
  # headers. If this output is enabled, credentials and session tokens from
  # inspected traffic will be written to eve.json (or pushed to the redis
  # target) — treat that sink as sensitive.
  - eve-log:
      enabled: no
      filetype: regular
      filename: eve.json
      # Target settings for the 'redis' filetype.
      redis:
        server: 127.0.0.1
        port: 6379
        mode: list
        key: "suricata"
      # Settings for the 'syslog' filetype.
      identity: "suricata"
      facility: local1
      level: notice
      # X-Forwarded-For handling is off; proxied requests are presumably
      # attributed to the proxy address rather than the original client.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            http-body: yes           # enable dumping of http body in Base64
            http-body-printable: yes # enable dumping of http body in printable format
            metadata: yes            # enable inclusion of app layer metadata with alert
            tagged-packets: yes      # enable logging of tagged packets for rules using the 'tag' keyword
        - http:
            extended: yes
            # Additional headers to log; includes credential-bearing ones
            # (authorization, proxy-authorization, cookie, set-cookie).
            custom: [accept, accept-charset, accept-datetime, accept-encoding, accept-language, accept-range, age, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, dnt, etags, from, last-modified, link, location, max-forwards, origin, pragma, proxy-authenticate, proxy-authorization, range, referrer, refresh, retry-after, server, set-cookie, te, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate, x-authenticated-user, x-flash-version, x-forwarded-proto, x-requested-with]
        - dns:
            version: 2
            query: yes
            answer: yes
        - tls:
            extended: yes
        - dhcp:
            extended: no
        - files:
            force-magic: no
        - ssh
        - nfs
        - smb
        - krb5
        - ikev2
        - tftp
        - snmp
        - ftp
        - rfb
        - mqtt
        - smtp:
            extended: yes
            custom: [bcc, received, reply-to, x-mailer, x-originating-ip]
            md5: [subject]

  # Second EVE instance: stats over a unix socket. Disabled. NOTE(review):
  # 'filename' is empty (parses as null); a socket path must be set before
  # this output is enabled or the engine will have nowhere to write.
  - eve-log:
      enabled: no
      filetype: unix_stream
      filename:
      types:
        - stats:
            threads: yes
# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic

# GeoLite2 IP geo-location database file path and filename.
geoip-database: /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb

# Specify a threshold config file. Threshold/suppress entries in it silence
# alerts, so it belongs in the same review as the pass-list.
threshold-file: /usr/local/etc/suricata/suricata_36290_igb2/threshold.config
# Detection engine tuning (written in the older list-of-single-key-maps form).
detect-engine:
  - profile: high
  - sgh-mpm-context: auto
  # Cap on nested inspection depth per buffer; intended to bound the work a
  # crafted payload can force per packet.
  - inspection-recursion-limit: 3000
  - delayed-detect: no
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  # No CPU pinning; detect threads are scaled 1:1 with available cores.
  set-cpu-affinity: no
  detect-thread-ratio: 1.0
# Luajit has a strange memory requirement, it's 'states' need to be in the
# first 2G of the process' memory.
#
# 'luajit.states' is used to control how many states are preallocated.
# State use: per detect script: 1 per detect thread. Per output script: 1 per
# script.
luajit:
  states: 128
# Multi pattern algorithm
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
mpm-algo: auto

# Single pattern algorithm
# The default of "auto" will use "hs" if available, otherwise "bm".
spm-algo: auto
# Defrag settings: IP fragment reassembly limits. 'memcap' bounds memory spent
# on fragments so a fragment flood cannot exhaust the sensor.
defrag:
  memcap: 33554432
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  # Seconds an incomplete datagram is held before its fragments are discarded.
  timeout: 60
# Flow settings: flow-table sizing. When 'memcap' is reached the engine enters
# emergency mode and uses the 'emergency-*' timeouts from 'flow-timeouts'.
flow:
  memcap: 33554432
  hash-size: 65536
  prealloc: 10000
  # Percentage of flows to free before leaving emergency mode.
  emergency-recovery: 30
  prune-flows: 5
# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Keeping it on means the same 5-tuple on two VLANs is tracked as
# two separate flows.
vlan:
  use-for-tracking: true
# Specific timeouts for flows (seconds). The 'emergency-*' values apply once
# the flow memcap is hit and the engine is shedding state.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
# TCP stream tracking and reassembly.
stream:
  memcap: 131217728
  # NOTE(review): with checksum validation off, TCP segments carrying a bad
  # checksum are still reassembled and inspected even though the receiving
  # host will discard them. This is the usual choice when the capture NIC
  # does checksum offload (see 'checksum-checks' under 'pcap'), but it lets a
  # sender inject bogus segments into the sensor's view of a stream — confirm
  # the trade-off against the interface's offload settings.
  checksum-validation: no
  inline: auto
  prealloc-sessions: 32768
  # Sessions first seen after the handshake are not picked up.
  midstream: false
  async-oneside: false
  max-synack-queued: 5
  reassembly:
    memcap: 131217728
    # Bytes per direction that are reassembled for inspection; past 1 MiB a
    # stream is no longer reassembled for detection.
    depth: 1048576
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 33554432
# Host specific policies for defragmentation and TCP stream reassembly.
# NOTE(review): every address (0.0.0.0/0) is mapped to the 'bsd' policy, so
# overlapping-segment and fragment handling follow BSD semantics for Windows
# and Linux hosts in HOME_NET as well. Mismatched reassembly policy is a
# classic IDS evasion; map the protected hosts to their real OS families if
# they are known.
host-os-policy:
  bsd: [0.0.0.0/0]
# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
logging:

  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info
  default-log-format: "%t - <%d> -- "

  # Define your logging outputs.
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        filename: /var/log/suricata/suricata_igb236290/suricata.log
    - syslog:
        enabled: no
        facility: local1
        level: notice
        format: "[%i] <%d> -- "
# IPS Mode Configuration — i.e. the packet capture method. libpcap capture is
# passive: the engine cannot drop packets in this mode, so any blocking would
# happen out-of-band via the alert-pf output, which is disabled above.
# PCAP
pcap:
  - interface: igb2
    # 'auto' lets the engine decide per interface whether captured checksums
    # are trustworthy (offloading makes locally generated packets look bad).
    checksum-checks: auto
    promisc: yes
    snaplen: 1518
# Accept the deprecated 'uricontent' rule keyword.
legacy:
  uricontent: enabled
# Rule location. A single merged rule file is loaded from the instance
# directory.
default-rule-path: /usr/local/etc/suricata/suricata_36290_igb2/rules

rule-files:
  - suricata.rules

classification-file: /usr/local/etc/suricata/suricata_36290_igb2/classification.config

reference-config-file: /usr/local/etc/suricata/suricata_36290_igb2/reference.config
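# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    # NOTE(review): besides the RFC1918 LAN ranges, HOME_NET contains public
    # addresses (114.114.114.114, 116.24.x.x, 202.96.x.x — presumably the
    # configured upstream DNS resolvers) and link-local IPv6 addresses.
    # Anything in HOME_NET is by definition excluded from EXTERNAL_NET, so
    # rules written as "$EXTERNAL_NET -> $HOME_NET" will not fire on traffic
    # from those resolvers; confirm that is intended.
    HOME_NET: "[114.114.114.114/32, 116.24.100.1/32, 116.24.101.223/32, 127.0.0.1/32, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 202.96.128.86/32, 202.96.134.33/32, 202.96.134.133/32, ::1/128, fe80::2f1:f3ff:fe1b:cef5/128, fe80::2f1:f3ff:fe1b:cef6/128, fe80::2f1:f3ff:fe1b:cef7/128]"

    # Defined as the complement of HOME_NET instead of a second, hand-negated
    # copy of the same list, so the two cannot drift apart when HOME_NET is
    # edited. Equivalent to the previous explicit "[!a, !b, ...]" form.
    EXTERNAL_NET: "!$HOME_NET"

    # Service groups all default to HOME_NET; narrow them to the real servers
    # if they are known, which tightens the rules keyed on them.
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    AIM_SERVERS: "64.12.24.0/23, 64.12.28.0/23, 64.12.161.0/24, 64.12.163.0/24, 64.12.200.0/24, 205.188.3.0/24, 205.188.5.0/24, 205.188.7.0/24, 205.188.9.0/24, 205.188.153.0/24, 205.188.179.0/24, 205.188.248.0/24"
    SIP_SERVERS: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    # NOTE(review): rules whose header uses $HTTP_PORTS only cover port 80;
    # HTTP on 8080, 8000 etc. is then seen only by rules that rely on
    # app-layer protocol detection. Extend this if such services exist.
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS, 110, 143"
    SIP_PORTS: "5060, 5061, 5600"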
# Set the order of alerts based on actions. When several rules match the same
# packet the earliest action listed wins, so a single 'pass' rule silences
# every drop/reject/alert rule for that traffic — keep pass rules narrow.
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation
# (no reputation lists are configured for this instance)
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
# Rule analysis reports written at startup when the engine is run with
# --engine-analysis.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
# recursion and match limits for PCRE where supported; these bound the
# backtracking a pathological input can trigger in rule regexes.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
# Holds details on the app-layer. The protocols section details each protocol.
# 'detection-ports' hints the parser at well-known ports; 'detection-only'
# recognises the protocol for rule matching without keeping parser state.
app-layer:
  protocols:
    dcerpc:
      enabled: yes
    dhcp:
      enabled: yes
    dnp3:
      enabled: yes
      detection-ports:
        dp: 20000
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      # Unanswered requests tolerated per flow before flooding is flagged.
      request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    ftp:
      enabled: yes
    # FTP data-channel parsing is off, so files transferred over FTP are not
    # tracked or extracted.
    ftp-data:
      enabled: no
    http:
      enabled: yes
      memcap: 67108864
    ikev2:
      enabled: yes
    imap:
      enabled: detection-only
    krb5:
      enabled: yes
    modbus:
      enabled: yes
      request-flood: 500
      detection-ports:
        dp: 502
      # 0 = no reassembly depth limit for Modbus streams.
      stream-depth: 0
    msn:
      enabled: detection-only
    nfs:
      enabled: yes
    ntp:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # JA3 client fingerprints are not computed, so JA3-based rules and EVE
      # fields are unavailable on this sensor.
      ja3-fingerprints: off
      # 'default' stops inspecting a TLS flow once the handshake is done.
      encrypt-handling: default
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    smtp:
      enabled: yes
      mime:
        # NOTE(review): MIME decoding is off, so the base64/quoted-printable
        # and URL-extraction settings below presumably have no effect and
        # mail attachments are not decoded for file inspection — confirm.
        decode-mime: no
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    ssh:
      enabled: yes
    tftp:
      enabled: yes
    rdp:
      enabled: yes
    sip:
      enabled: yes
    snmp:
      enabled: yes
    # HTTP/2 parsing is off; cleartext h2c traffic is not decoded.
    http2:
      enabled: no
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
###########################################################################
# Configure libhtp.
libhtp:
  default-config:
    personality: IDS
    # NOTE(review): only the first 4096 bytes of each request and response
    # body are buffered for inspection. Signatures that match deeper into a
    # body (http_client_body / file_data) will miss on larger transfers; the
    # upstream defaults are considerably larger.
    request-body-limit: 4096
    response-body-limit: 4096
    meta-field-limit: 18432
    # Single URL decoding only; double-encoded paths/queries are left as-is,
    # which some evasion techniques rely on.
    double-decode-path: no
    double-decode-query: no
    uri-include-all: no
# Core dump size limit. NOTE(review): 'unlimited' means a crash writes the full
# process image to disk, including buffered packet payloads and reassembled
# streams from inspected traffic; make sure the dump location is not readable
# by unprivileged users, or cap this.
coredump:
  max-dump: unlimited

# Suricata user pass through configuration