Project

General

Profile

Download (28.6 KB)

Bug #7184 » suricata.yaml

xc yang, 07/30/2024 07:09 AM

 
%YAML 1.1
---
vars:
# more specific is better for alert accuracy and performance
address-groups:
HOME_NET: "127.0.0.1"

EXTERNAL_NET: "!$HOME_NET"

HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
DC_SERVERS: "$HOME_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
MODBUS_SERVER: "$HOME_NET"
ENIP_CLIENT: "$HOME_NET"
ENIP_SERVER: "$HOME_NET"

port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: 22
DNP3_PORTS: 20000
MODBUS_PORTS: 502
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
FTP_PORTS: 21
GENEVE_PORTS: 6081
VXLAN_PORTS: 4789
TEREDO_PORTS: 3544

default-log-dir: /data/sec/nids/var/log/suricata/

stats:
enabled: yes
interval: 8

plugins:

outputs:
- fast:
enabled: no
filename: fast.log
append: yes

- eve-log:
enabled: yes
filetype: kafka #regular|syslog|unix_dgram|unix_stream|redis|kafka
kafka:
brokers: 10.69.69.35,10.69.71.37,10.69.69.166
partitions: 3
topic: nids-dpdk-evet-log
filename: eve.json
pcap-file: false
community-id: false
community-id-seed: 0

xff:
enabled: no
mode: extra-data
deployment: reverse
header: X-Forwarded-For

types:
- alert:
payload: yes # enable dumping payload in Base64
payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
#payload-printable: yes # enable dumping payload in printable (lossy) format
packet: yes # enable dumping of packet (without stream segments)
# metadata: no # enable inclusion of app layer metadata with alert. Default yes
http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
#http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format

# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# - files:
# force-magic: no
# force-hash: [md5]
# app layer frames
# - frame:
# # disabled by default as this is very verbose.
# enabled: no
# - anomaly:
# # Anomaly log records describe unexpected conditions such
# # as truncated packets, packets with invalid IP/UDP/TCP
# # length values, and other events that render the packet
# # invalid for further processing or describe unexpected
# # behavior on an established stream. Networks which
# # experience high occurrences of anomalies may experience
# # packet processing degradation.
# #
# # Anomalies are reported for the following:
# # 1. Decode: Values and conditions that are detected while
# # decoding individual packets. This includes invalid or
# # unexpected values for low-level protocol lengths as well
# # as stream related events (TCP 3-way handshake issues,
# # unexpected sequence number, etc).
# # 2. Stream: This includes stream related events (TCP
# # 3-way handshake issues, unexpected sequence number,
# # etc).
# # 3. Application layer: These denote application layer
# # specific conditions that are unexpected, invalid or are
# # unexpected given the application monitoring state.
# #
# # By default, anomaly logging is enabled. When anomaly
# # logging is enabled, applayer anomaly reporting is
# # also enabled.
# enabled: yes
# #
# # Choose one or more types of anomaly logging and whether to enable
# # logging of the packet header for packet anomalies.
# types:
# # decode: no
# # stream: no
# # applayer: yes
# #packethdr: no
# - http:
# extended: yes # enable this for extended logging information
# # custom allows additional HTTP fields to be included in eve-log.
# # the example below adds three additional fields when uncommented
# #custom: [Accept-Encoding, Accept-Language, Authorization]
# # set this value to one and only one from {both, request, response}
# # to dump all HTTP headers for every HTTP request and/or response
# # dump-all-headers: none
# - dns:
# # This configuration uses the new DNS logging format,
# # the old configuration is still available:
# https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format

# As of Suricata 5.0, version 2 of the eve dns output
# format is the default.
#version: 2

# Enable/disable this logger. Default: enabled.
#enabled: yes

# Control logging of requests and responses:
# - requests: enable logging of DNS queries
# - responses: enable logging of DNS answers
# By default both requests and responses are logged.
#requests: no
#responses: no

# Format of answer logging:
# - detailed: array item per answer
# - grouped: answers aggregated by type
# Default: all
#formats: [detailed, grouped]

# DNS record types to log, based on the query type.
# Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt]
# - tls:
# extended: yes # enable this for extended logging information
# # output TLS transaction where the session is resumed using a
# # session id
# #session-resumption: no
# # custom controls which TLS fields that are included in eve-log
# #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
# - files:
# force-magic: no # force logging magic on all logged files
# # force logging of checksums, available hash functions are md5,
# # sha1 and sha256
# #force-hash: [md5]
# #- drop:
# # alerts: yes # log alerts that caused drops
# # flows: all # start or all: 'start' logs only a single drop
# # # per flow direction. All logs each dropped pkt.
# - smtp:
# #extended: yes # enable this for extended logging information
# # this includes: bcc, message-id, subject, x_mailer, user-agent
# # custom fields logging from the list:
# # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# # x-originating-ip, in-reply-to, references, importance, priority,
# # sensitivity, organization, content-md5, date
# #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
# output md5 of fields: body, subject
# for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes
#md5: [body, subject]

#- dnp3
# - ftp
# - rdp
# - nfs
# - smb
# - tftp
# - ike
# - dcerpc
# - krb5
# - snmp
# - rfb
# - sip
# - quic
# - dhcp:
# enabled: yes
# # When extended mode is on, all DHCP messages are logged
# # with full detail. When extended mode is off (the
# # default), just enough information to map a MAC address
# # to an IP address is logged.
# extended: no
# - ssh
# - mqtt:
# # passwords: yes # enable output of passwords
# - http2
# - pgsql:
# enabled: no
# # passwords: yes # enable output of passwords. Disabled by default
# - stats:
# totals: yes # stats for all threads merged together
# threads: no # per thread stats
# deltas: no # include delta values
# # bi-directional flows
# - flow
# # uni-directional flows
# #- netflow
#
# # Metadata event type. Triggered whenever a pktvar is saved
# # and will include the pktvars, flowvars, flowbits and
# # flowints.
# #- metadata
#
# a line based log of HTTP requests (no alerts)
- http-log:

- tls-log:
enabled: no # Log TLS connections.
filename: tls.log # File to store TLS logs.
append: yes
# output module to store certificates chain to disk
- tls-store:
enabled: no
#certs-log-dir: certs # directory to store the certificates files

- pcap-log:
enabled: no
filename: log.pcap

# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
limit: 1000mb

# If set to a value, ring buffer mode is enabled. Will keep maximum of
# "max-files" of size "limit"
max-files: 2000

# Compression algorithm for pcap files. Possible values: none, lz4.
# Enabling compression is incompatible with the sguil mode. Note also
# that on Windows, enabling compression will *increase* disk I/O.
compression: none

# Further options for lz4 compression. The compression level can be set
# to a value between 0 and 16, where higher values result in higher
# compression.
#lz4-checksum: no
#lz4-level: 0

mode: normal # normal, multi or sguil.

# Directory to place pcap files. If not provided the default log
# directory will be used. Required for "sguil" mode.
#dir: /nsm_data/

#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.

# a full alert log containing much information for signature writers
# or for investigating suspected false positives.
- alert-debug:
enabled: no
filename: alert-debug.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

# Stats.log contains data from various counters of the Suricata engine.
- stats:
enabled: yes
filename: stats.log
append: yes # append to file (yes) or overwrite it (no)
totals: yes # stats for all threads merged together
threads: no # per thread stats
#null-values: yes # print counters that have value 0. Default: no

# a line based alerts log similar to fast.log into syslog
- syslog:
enabled: no
# reported identity to syslog. If omitted the program name (usually
# suricata) will be used.
#identity: "suricata"
facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug

- file-store:
version: 2
enabled: no
force-filestore: no
#force-hash: [md5]
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite".
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported. If more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For

- tcp-data:
enabled: no
type: file
filename: tcp-data.log

- http-body-data:
enabled: no
type: file
filename: http-data.log

- lua:
enabled: no
#scripts-dir: /etc/suricata/lua-output/
scripts:
# - script1.lua

logging:
default-log-level: notice
default-output-filter:

outputs:
- console:
enabled: yes
# type: json
- file:
enabled: yes
level: info
filename: suricata.log
# type: json
- syslog:
enabled: no
facility: local5
format: "[%i] <%d> -- "
# type: json

# Linux high speed capture support
af-packet:
- interface: eth0
threads: 5
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
ring-size: 100000

- interface: default
#threads: auto
#use-mmap: no
#tpacket-v3: yes

dpdk:
eal-params:
proc-type: primary

# DPDK capture support
# RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio
interfaces:
- interface: 0000:02:00.1 # PCIe address of the NIC port
# Threading: possible values are either "auto" or number of threads
# - auto takes all cores
# in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match
threads: 11
promisc: true # promiscuous mode - capture all packets
multicast: true # enables also detection on multicast packets
checksum-checks: true # if Suricata should validate checksums
checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
mtu: 1500 # Set MTU of the device in bytes

# To approximately calculate required amount of space (in bytes) for interface's mempool: mempool-size * mtu
# Make sure you have enough allocated hugepages.
# The optimum size for the packet memory pool (in terms of memory usage) is power of two minus one: n = (2^q - 1)
mempool-size: 65535 # The number of elements in the mbuf pool

# Mempool cache size must be lower or equal to:
# - RTE_MEMPOOL_CACHE_MAX_SIZE (by default 512) and
# - "mempool-size / 1.5"
# It is advised to choose cache_size to have "mempool-size modulo cache_size == 0".
# If this is not the case, some elements will always stay in the pool and will never be used.
# The cache can be disabled if the cache_size argument is set to 0, can be useful to avoid losing objects in cache
# If the value is empty or set to "auto", Suricata will attempt to set cache size of the mempool to a value
# that matches the previously mentioned recommendations
mempool-cache-size: 257
rx-descriptors: 1024
tx-descriptors: 1024
#
# IPS mode for Suricata works in 3 modes - none, tap, ips
# - none: IDS mode only - disables IPS functionality (does not further forward packets)
# - tap: forwards all packets and generates alerts (omits DROP action) This is not DPDK TAP
# - ips: the same as tap mode but it also drops packets that are flagged by rules to be dropped
copy-mode: none
copy-iface: none # or PCIe address of the second interface

# - interface: 0000:18:00.1
# threads: 6
# promisc: true
# multicast: true
# checksum-checks: true
# checksum-checks-offload: true
# mtu: 1500
# mempool-size: 65535
# mempool-cache-size: 257
# rx-descriptors: 1024
# tx-descriptors: 1024
# copy-mode: none
# copy-iface: none

# - interface: 0000:af:00.0
# threads: 12
# promisc: true
# multicast: true
# checksum-checks: true
# checksum-checks-offload: true
# mtu: 1500
# mempool-size: 65535
# mempool-cache-size: 257
# rx-descriptors: 1024
# tx-descriptors: 1024
# copy-mode: none
# copy-iface: none
#
# - interface: 0000:af:00.1
# threads: 6
# promisc: true
# multicast: true
# checksum-checks: true
# checksum-checks-offload: true
# mtu: 1500
# mempool-size: 65535
# mempool-cache-size: 257
# rx-descriptors: 1024
# tx-descriptors: 1024
# copy-mode: none
# copy-iface: none

# Crss platform libpcap capture support
pcap:
- interface: eth0
- interface: default

# Settings for reading pcap files
pcap-file:
checksum-checks: auto

app-layer:
protocols:
telnet:
enabled: yes
rfb:
enabled: yes
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: yes
# max-msg-length: 1mb
# subscribe-topic-match-limit: 100
# unsubscribe-topic-match-limit: 100
# Maximum number of live MQTT transactions per flow
# max-tx: 4096
krb5:
enabled: yes
snmp:
enabled: yes
ike:
enabled: yes
tls:
enabled: yes
detection-ports:
dp: 443
pgsql:
enabled: no
# Stream reassembly size for PostgreSQL. By default, track it completely.
stream-depth: 0
dcerpc:
enabled: yes
ftp:
enabled: yes
# memcap: 64mb
rdp:
#enabled: yes
ssh:
enabled: yes
#hassh: yes
http2:
enabled: yes
smtp:
enabled: yes
raw-extraction: no
# Configure SMTP-MIME Decoder
mime:
decode-mime: yes

# Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
decode-base64: yes
decode-quoted-printable: yes

# Maximum bytes per header data value stored in the data structure
# (default is 2000)
header-value-depth: 2000

# Extract URLs and save in state data structure
extract-urls: yes
body-md5: no
# Configure inspected-tracker for file_data keyword
inspected-tracker:
content-limit: 100000
content-inspect-min-size: 32768
content-inspect-window: 4096
imap:
enabled: detection-only
smb:
enabled: yes
detection-ports:
dp: 139, 445

nfs:
enabled: yes
# max-tx: 1024
tftp:
enabled: yes
dns:
tcp:
enabled: yes
detection-ports:
dp: 53
udp:
enabled: yes
detection-ports:
dp: 53
http:
enabled: yes

libhtp:
default-config:
personality: IDS

# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 100kb
response-body-limit: 100kb

# inspection limits
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 40kb
response-body-inspect-window: 16kb

# response body decompression (0 disables)
response-body-decompress-layer-limit: 2

# auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto

swf-decompression:
enabled: yes
type: both
compress-depth: 100kb
decompress-depth: 100kb

# decoding
double-decode-path: no
double-decode-query: no

server-config:

modbus:
enabled: no
detection-ports:
dp: 502

# Stream reassembly size for modbus. By default track it completely.
stream-depth: 0

# DNP3
dnp3:
enabled: no
detection-ports:
dp: 20000

# SCADA EtherNet/IP and CIP protocol support
enip:
enabled: no
detection-ports:
dp: 44818
sp: 44818

ntp:
enabled: yes

quic:
enabled: yes

dhcp:
enabled: yes

sip:
#enabled: no

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

coredump:
max-dump: unlimited

host-mode: auto

max-pending-packets: 65000

unix-command:
enabled: auto
#filename: custom.socket

# GeoIP2 database file. Specify path and filename of GeoIP2 database
# if using rules with "geoip" rule option.
#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb

legacy:
uricontent: enabled

engine-analysis:
# enables printing reports for fast-pattern for every rule.
rules-fast-pattern: yes
# enables printing reports for each rule
rules: yes

#recursion and match limits for PCRE where supported
pcre:
match-limit: 3500
match-limit-recursion: 1500

##
## Advanced Traffic Tracking and Reconstruction Settings
##

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: []
old-solaris: []
solaris: []
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []

# Defrag settings:

defrag:
memcap: 32mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60

flow:
memcap: 30gb
hash-size: 6553600
prealloc: 1000000
emergency-recovery: 30
#managers: 1 # default to one flow manager
#recyclers: 1 # default to one flow recycler thread

vlan:
use-for-tracking: false

flow-timeouts:
default:
new: 30
established: 300
closed: 0
bypassed: 100
emergency-new: 10
emergency-established: 100
emergency-closed: 0
emergency-bypassed: 50
tcp:
new: 60
established: 600
closed: 60
bypassed: 100
emergency-new: 5
emergency-established: 100
emergency-closed: 10
emergency-bypassed: 50
udp:
new: 30
established: 300
bypassed: 100
emergency-new: 10
emergency-established: 100
emergency-bypassed: 50
icmp:
new: 30
established: 300
bypassed: 100
emergency-new: 10
emergency-established: 100
emergency-bypassed: 50

stream:
memcap: 64mb
checksum-validation: yes # reject incorrect csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
bypass: yes
reassembly:
memcap: 256mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes

# Host table:
#
# Host table is used by the tagging and per host thresholding subsystems.
#
host:
hash-size: 4096
prealloc: 1000
memcap: 32mb

decoder:
# Teredo decoder is known to not be completely accurate
# as it will sometimes detect non-teredo as teredo.
teredo:
enabled: true
# ports to look for Teredo. Max 4 ports. If no ports are given, or
# the value is set to 'any', Teredo detection runs on _all_ UDP packets.
ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.

# VXLAN decoder is assigned to up to 4 UDP ports. By default only the
# IANA assigned port 4789 is enabled.
vxlan:
enabled: false
ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.

# Geneve decoder is assigned to up to 4 UDP ports. By default only the
# IANA assigned port 6081 is enabled.
geneve:
enabled: true
ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.

# maximum number of decoder layers for a packet
# max-layers: 16

##
## Performance tuning and profiling
##
detect:
profile: custom
custom-values:
toclient-groups: 65000
toserver-groups: 65000
sgh-mpm-context: auto
inspection-recursion-limit: 3000
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
#delayed-detect: yes

prefilter:
# default prefiltering setting. "mpm" only creates MPM/fast_pattern
# engines. "auto" also sets up prefilter engines for other keywords.
# Use --list-keywords=all to see which keywords support prefiltering.
default: mpm

# the grouping values above control how many groups are created per
# direction. Port whitelisting forces that port to get its own group.
# Very common ports will benefit, as well as ports with many expensive
# rules.
grouping:
#tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
#udp-whitelist: 53, 135, 5060

profiling:
# Log the rules that made it past the prefilter stage, per packet
# default is off. The threshold setting determines how many rules
# must have made it past pre-filter for that rule to trigger the
# logging.
#inspect-logging-threshold: 200
grouping:
dump-to-disk: false
include-rules: false # very verbose
include-mpm-stats: false

mpm-algo: hs
spm-algo: hs

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
set-cpu-affinity: yes
cpu-affinity:
- management-cpu-set:
cpu: ["0"] # include only these CPUs in affinity settings
- worker-cpu-set:
cpu: ["1-23"]
mode: "exclusive"
prio:
low: [0]
medium: ["1"]
high: ["1-23"]
default: "high"
detect-thread-ratio: 1.0

luajit:
states: 128

# Profiling settings. Only effective if Suricata has been built with
# the --enable-profiling configure flag.
#
profiling:
# Run profiling for every X-th packet. The default is 1, which means we
# profile every packet. If set to 1000, one packet is profiled for every
# 1000 received.
#sample-rate: 1000

# rule profiling
rules:
# Profiling can be disabled here, but it will still have a
# performance impact if compiled in.
enabled: yes
filename: rule_perf.log
append: yes

# Sort options: ticks, avgticks, checks, matches, maxticks
# If commented out all the sort options will be used.
#sort: avgticks

# Limit the number of sids for which stats are shown at exit (per sort).
limit: 10

# output to json
json: yes

# per keyword profiling
keywords:
enabled: yes
filename: keyword_perf.log
append: yes

prefilter:
enabled: yes
filename: prefilter_perf.log
append: yes

# per rulegroup profiling
rulegroups:
enabled: yes
filename: rule_group_perf.log
append: yes

# packet profiling
packets:
# Profiling can be disabled here, but it will still have a
# performance impact if compiled in.
enabled: yes
filename: packet_stats.log
append: yes

# per packet csv output
csv:
# Output can be disabled here, but it will still have a
# performance impact if compiled in.
enabled: no
filename: packet_stats.csv

# profiling of locking. Only available when Suricata was built with
# --enable-profiling-locks.
locks:
enabled: no
filename: lock_stats.log
append: yes

pcap-log:
enabled: no
filename: pcaplog_stats.log
append: yes

# General settings affecting packet capture
capture:

##
## Configure Suricata to load Suricata-Update managed rules.
##

default-rule-path: /data/sec/nids/etc/suricata/rules

rule-files:
- #suricata.rules
- #suricata-ids.rules
- #pt-rules.rules
- botcc.rules
- botcc.portgrouped.rules
- #ciarmy.rules
- #compromised.rules
- #drop.rules
- dshield.rules
- #emerging-activex.rules
- emerging-attack_response.rules
- #emerging-chat.rules
- #emerging-current_events.rules
- emerging-dns.rules
- #emerging-dos.rules
- emerging-exploit.rules
- #emerging-ftp.rules
- #emerging-games.rules
- #emerging-icmp_info.rules
- #emerging-icmp.rules
- #emerging-imap.rules
- #emerging-inappropriate.rules
- #emerging-info.rules
- emerging-malware.rules
- emerging-misc.rules
- emerging-ja3.rules
- #emerging-mobile_malware.rules
- #emerging-netbios.rules
- #emerging-p2p.rules
- #emerging-phishing.rules
- emerging-policy.rules
- #emerging-pop3.rules
- #emerging-rpc.rules
- #emerging-scada.rules
- #emerging-scada_special.rules
- emerging-scan.rules
- emerging-shellcode.rules
- #emerging-smtp.rules
- #emerging-snmp.rules
- emerging-sql.rules
- #emerging-telnet.rules
- #emerging-tftp.rules
- #emerging-trojan.rules
- emerging-user_agents.rules
- #emerging-voip.rules
- emerging-web_client.rules
- emerging-web_server.rules
- emerging-web_specific_apps.rules
- emerging-worm.rules
- #tor.rules
- custom-rules.rules
- threatview_CS_c2.rules
- #decoder-events.rules # available in suricata sources under rules dir
- #stream-events.rules # available in suricata sources under rules dir
- #http-events.rules # available in suricata sources under rules dir
- #smtp-events.rules # available in suricata sources under rules dir
- #dns-events.rules # available in suricata sources under rules dir
- #tls-events.rules # available in suricata sources under rules dir
- #modbus-events.rules # available in suricata sources under rules dir
- #app-layer-events.rules # available in suricata sources under rules dir
- #dnp3-events.rules # available in suricata sources under rules dir
- #ntp-events.rules # available in suricata sources under rules dir

classification-file: /data/sec/nids/etc/suricata/classification.config
reference-config-file: /data/sec/nids/etc/suricata/reference.config
#threshold-file: /data/sec/nids/etc/suricata/threshold.config
(2-2/2)