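%YAML 1.1
---
# Suricata configuration (the paths below point at /etc/suricata,
# /var/log/suricata and /var/run/suricata.pid). The %YAML 1.1 directive
# keeps 1.1 scalar typing, so booleans are written only as true/false and
# anything a 1.1 parser could retype (port numbers, values starting with
# '!' or '[', IPv6 '::1') is quoted. Top-level keys are in alphabetical
# order; nested item order is preserved as given.

# Rule-action precedence list.
action-order:
  - pass
  - drop
  - reject
  - alert

# Capture interfaces; the trailing "default" entry is the fallback for
# interfaces not listed explicitly.
af-packet:
  - cluster-id: 99
    cluster-type: cluster_flow
    defrag: true
    interface: eth0
    threads: 1
    use-mmap: true
  - cluster-id: 98
    cluster-type: cluster_flow
    defrag: true
    interface: eth1
    threads: 1
  - interface: default

asn1-max-frames: 256

classification-file: /etc/suricata/classification.config

# NOTE(review): an unbounded core dump of a sensor process can contain
# captured traffic and loaded rule content; consider bounding this on
# production hosts.
coredump:
  max-dump: unlimited

cuda:
  - mpm:
      batching-timeout: 1
      cuda-streams: 2
      device-id: 0
      packet-buffer-limit: 2400
      packet-buffers: 10
      packet-size-limit: 1500
      page-locked: enabled

default-log-dir: /var/log/suricata/

default-rule-path: /etc/suricata/rules

defrag:
  hash-size: 65536
  max-frags: 65535
  memcap: 32mb
  prealloc: true
  timeout: 60
  trackers: 65535

# A list of single-key mappings; the item order here is not alphabetical
# and is kept as given.
detect-engine:
  - profile: medium
  - custom-values:
      toclient-dp-groups: 3
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-src-groups: 2
      toserver-dp-groups: 25
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-src-groups: 2
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

engine-analysis:
  rules: true
  rules-fast-pattern: true

flow:
  emergency-recovery: 30
  hash-size: 65536
  memcap: 32mb
  prealloc: 10000

# Timeout values per flow state; the unit is not stated in this file
# (presumably seconds — confirm against the consumer's documentation).
flow-timeouts:
  default:
    closed: 0
    emergency-closed: 0
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  icmp:
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  tcp:
    closed: 120
    emergency-closed: 20
    emergency-established: 300
    emergency-new: 10
    established: 3600
    new: 60
  udp:
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30

host:
  hash-size: 4096
  memcap: 16777216
  prealloc: 1000

# Host address lists keyed by OS. Empty lists are written explicitly as []
# so they stay lists rather than becoming null.
host-os-policy:
  bsd: []
  bsd-right: []
  hpux10: []
  hpux11: []
  irix: []
  linux:
    - 10.0.2.12
  macos: []
  old-linux: []
  old-solaris: []
  solaris:
    # Quoted: a plain scalar beginning with ':' is fragile across parsers.
    - '::1'
  vista: []
  windows: []
  windows2k3: []

# No ipfw options are set (empty value).
ipfw:

libhtp:
  default-config:
    double-decode-path: false
    double-decode-query: false
    personality: IDS
    request-body-inspect-window: 4kb
    request-body-limit: 3072
    request-body-minimal-inspect-size: 32kb
    response-body-inspect-window: 4kb
    response-body-limit: 3072
    response-body-minimal-inspect-size: 32kb
  # Per-server-address overrides of default-config.
  server-config:
    - apache:
        address:
          - 192.168.1.0/24
          - 127.0.0.0/8
          - '::1'
        double-decode-path: false
        double-decode-query: false
        personality: Apache_2_2
        request-body-limit: 4096
        response-body-limit: 4096
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        double-decode-path: false
        double-decode-query: false
        personality: IIS_7_0
        request-body-limit: 4096
        response-body-limit: 4096

# Engine (not alert) logging.
logging:
  default-log-level: info
  # Intentionally empty: no default output filter is configured.
  default-output-filter:
  outputs:
    - console:
        enabled: true
    - file:
        enabled: true
        filename: /var/log/suricata.log
    - syslog:
        enabled: false
        facility: local5
        # Single-quoted: a leading '[' would otherwise open a flow sequence.
        format: '[%i] <%d> -- '

magic-file: /usr/share/file/magic

max-pending-packets: 1024

mpm-algo: ac

napatech:
  hba: -1
  streams:
    - 1
    - 2
    - 3
  use-all-streams: true

# No nfq options are set (empty value).
nfq:

# Alert / event outputs (a list of single-key mappings, order kept).
outputs:
  - fast:
      append: true
      enabled: true
      filename: fast.log
  - unified2-alert:
      enabled: true
      filename: unified2.alert
  - http-log:
      append: true
      enabled: true
      filename: http.log
  - tls-log:
      certs-log-dir: certs
      enabled: false
      filename: tls.log
  - pcap-info:
      enabled: false
  # NOTE(review): full packet capture is enabled with a very large size
  # limit and file count. Captured traffic is sensitive and can fill the
  # log volume; confirm retention policy, disk capacity and file
  # permissions on default-log-dir.
  - pcap-log:
      enabled: true
      filename: log.pcap
      limit: 1000gb
      max-files: 2000
      mode: normal
      use-stream-depth: false
  - alert-debug:
      append: true
      enabled: false
      filename: alert-debug.log
  - alert-prelude:
      enabled: false
      log-packet-content: false
      log-packet-header: true
      profile: suricata
  - stats:
      enabled: true
      filename: stats.log
      interval: 8
  - syslog:
      enabled: false
      facility: local5
  - drop:
      append: true
      enabled: false
      filename: drop.log
  - file-store:
      enabled: false
      force-magic: false
      force-md5: false
      log-dir: files
  - file-log:
      append: true
      enabled: false
      filename: files-json.log
      force-magic: false
      force-md5: false

pattern-matcher:
  - b2gc:
      bf-size: medium
      hash-size: low
      search-algo: B2gSearchBNDMq
  - b2gm:
      bf-size: medium
      hash-size: low
      search-algo: B2gSearchBNDMq
  - b2g:
      bf-size: medium
      hash-size: low
      search-algo: B2gSearchBNDMq
  - b3g:
      bf-size: medium
      hash-size: low
      search-algo: B3gSearchBNDMq
  - wumanber:
      bf-size: medium
      hash-size: low

pcap:
  - interface: eth0
  - interface: default

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

pfring:
  - cluster-id: 99
    cluster-type: cluster_flow
    interface: eth0
    threads: 1
  - interface: default

pid-file: /var/run/suricata.pid

profiling:
  locks:
    append: true
    enabled: false
    filename: lock_stats.log
  packets:
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
    enabled: true
    filename: packet_stats.log
  rules:
    append: true
    enabled: true
    filename: rule_perf.log
    limit: 100
    sort: avgticks

reference-config-file: /etc/suricata/reference.config

# Rule file names; presumably resolved relative to default-rule-path.
rule-files:
  - botcc.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-activex.rules
  - emerging-attack_response.rules
  - emerging-chat.rules
  - emerging-current_events.rules
  - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
  - emerging-ftp.rules
  - emerging-games.rules
  - emerging-icmp_info.rules
  - emerging-icmp.rules
  - emerging-imap.rules
  - emerging-inappropriate.rules
  - emerging-malware.rules
  - emerging-misc.rules
  - emerging-mobile_malware.rules
  - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-scada.rules
  - emerging-scan.rules
  - emerging-shellcode.rules
  - emerging-smtp.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-telnet.rules
  - emerging-tftp.rules
  - emerging-trojan.rules
  - emerging-user_agents.rules
  - emerging-virus.rules
  - emerging-voip.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  - emerging-web_specific_apps.rules
  - emerging-worm.rules
  - rbn-malvertisers.rules
  - rbn.rules
  - tor.rules
  - decoder-events.rules
  - stream-events.rules
  - http-events.rules
  - smtp-events.rules

runmode: autofp

stream:
  checksum-validation: true
  inline: auto
  memcap: 32mb
  reassembly:
    depth: 1mb
    memcap: 64mb
    toclient-chunk-size: 2560
    toserver-chunk-size: 2560

threading:
  # Per-thread-type CPU sets; "0-1" and "all" are strings, not numbers.
  cpu-affinity:
    - management-cpu-set:
        cpu:
          - 0
    - receive-cpu-set:
        cpu:
          - 0
    - decode-cpu-set:
        cpu:
          - 0
          - 1
        mode: balanced
    - stream-cpu-set:
        cpu:
          - 0-1
    - detect-cpu-set:
        cpu:
          - all
        mode: exclusive
        prio:
          default: medium
          high:
            - 3
          low:
            - 0
          medium:
            - 1-2
    - verdict-cpu-set:
        cpu:
          - 0
        prio:
          default: high
    - reject-cpu-set:
        cpu:
          - 0
        prio:
          default: low
    - output-cpu-set:
        cpu:
          - all
        prio:
          default: medium
  detect-thread-ratio: 1.5
  # Affinity is configured above but not applied while this is false.
  set-cpu-affinity: false

unix-command:
  enabled: false

# Rule variables. Values are strings the rule engine expands; anything that
# starts with a YAML indicator is single-quoted.
vars:
  address-groups:
    AIM_SERVERS: $EXTERNAL_NET
    DNP3_CLIENT: $HOME_NET
    DNP3_SERVER: $HOME_NET
    DNS_SERVERS: $HOME_NET
    ENIP_CLIENT: $HOME_NET
    ENIP_SERVER: $HOME_NET
    # Quoted: a leading '!' is the YAML tag indicator.
    EXTERNAL_NET: '!$HOME_NET'
    # Quoted: a leading '[' would otherwise be parsed as a flow sequence.
    HOME_NET: '[192.168.0.0/16,10.14.0.0/16,10.12.0.0/16,10.11.0.0/16,10.16.0.0/16,10.15.0.0/16]'
    HTTP_SERVERS: $HOME_NET
    MODBUS_CLIENT: $HOME_NET
    MODBUS_SERVER: $HOME_NET
    SMTP_SERVERS: $HOME_NET
    SQL_SERVERS: $HOME_NET
    TELNET_SERVERS: $HOME_NET
  # All port values are quoted consistently so none is retyped as an
  # integer by YAML tooling; the rule engine consumes them as strings.
  port-groups:
    DNP3_PORTS: '20000'
    HTTP_PORTS: '80'
    ORACLE_PORTS: '1521'
    SHELLCODE_PORTS: '!80'
    SSH_PORTS: '22'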