Bug #942 » suri.yaml

Christophe Vandeplas, 09/09/2013 02:51 AM

 
infosec@IDS-WS16:~$ grep -v -e "^$" -e "^\ *#" /etc/suricata/suricata.yaml
%YAML 1.1
---
# Engine-wide settings. Suricata reads this file as YAML 1.1, so the
# directive above stays; yes/no booleans are the dialect used throughout.
max-pending-packets: 2048
runmode: autofp
pid-file: /var/run/suricata.pid
default-log-dir: /var/log/suricata/
# Alert and event outputs. Only fast.log, unified2 and stats are active;
# every other output below is switched off.
outputs:
  # Text alert log, one line per alert.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Binary unified2 alert records, written alongside fast.log.
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

  - http-log:
      enabled: no
      filename: http.log
      append: yes
      extended: yes  # enable this for extended logging information

  - pcap-info:
      enabled: no

  # Full packet capture to disk (off here).
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal  # normal or sguil.
      # If set to "yes" packets seen after reaching stream inspection depth
      # are ignored. "no" logs all packets.
      use-stream-depth: no

  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Engine counters, dumped every `interval` seconds.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8

  - syslog:
      enabled: no
      identity: "suricata-WS16"
      facility: local5
      # possible levels: Emergency, Alert, Critical, Error, Warning,
      # Notice, Info, Debug
      level: Info

  - drop:
      enabled: no
      filename: drop.log
      append: yes

  # Extracted-file storage; disabled, so nothing is written under log-dir.
  - file-store:
      enabled: no  # set to yes to enable
      log-dir: files  # directory to store the files
      force-magic: no  # force logging magic on all stored files
      force-md5: no  # force logging of md5 checksums

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      force-magic: no  # force logging magic on all logged files
      force-md5: no  # force logging of md5 checksums
# Magic database used for file type identification by the file outputs.
magic-file: /usr/share/file/magic

# NFQ (inline) capture: no settings active in this file.
nfq:

# AF_PACKET capture on eth0, two worker threads in the same cluster.
af-packet:
  - interface: eth0
    threads: 2
    cluster-id: 99
    cluster-type: cluster_cpu
    defrag: yes
    use-mmap: no

threshold-file: /etc/suricata/threshold.config
detect-engine:
  - profile: medium
  # The custom group counts below are only consulted when profile is set to
  # "custom"; with "medium" they are inert.
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
# Thread placement: both sets are pinned to all CPUs, detect threads run
# at a higher priority than management threads.
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ "all" ]  # include only these cpus in affinity settings
        mode: "balanced"
        prio:
          default: "medium"
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"  # run detect threads in these cpus
        prio:
          default: "high"
  detect-thread-ratio: 1.5
# GPU pattern-matcher settings; only used by a CUDA-based mpm-algo, which is
# not what is selected below.
cuda:
  - mpm:
      packet-buffer-limit: 2400
      packet-size-limit: 1500
      packet-buffers: 10
      batching-timeout: 1
      page-locked: enabled
      device-id: 0
      cuda-streams: 2

# Multi-pattern matcher: Aho-Corasick on the CPU.
mpm-algo: ac
# Tuning for the alternative matchers; only the one named by mpm-algo is
# used, so with mpm-algo: ac none of these entries is active.
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
# IP defragmentation: fragments are held at most 60 s before being dropped.
defrag:
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Flow table limits; emergency-recovery is the percentage at which the
# engine leaves emergency mode after memcap pressure.
flow:
  memcap: 200mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5
# Flow idle timeouts in seconds; the emergency-* values apply once the flow
# memcap is under pressure.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
# TCP stream tracking and reassembly: 3gb for sessions plus 3gb for
# reassembly buffers.
stream:
  memcap: 3gb
  # no: packets with wrong checksums are not rejected by the stream engine
  checksum-validation: no
  inline: no  # no inline mode
  max-sessions: 8000000
  prealloc-sessions: 4000000
  reassembly:
    memcap: 3gb
    depth: 2mb  # reassemble 2mb into a stream; data beyond this is not inspected
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# Host table (per-IP state such as thresholds).
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
# Engine (not alert) logging: info level to console and to a file.
logging:
  default-log-level: info
  default-output-filter:  # bare key: no filter applied
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        filename: /var/log/suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "
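# PF_RING capture. The pasted file listed `interface: eth2` twice in this
# item; with the indentation lost it reads as a duplicate key (last value
# wins in libyaml), so the second copy, which carried the same value, is
# dropped here. If a second capture entry was intended it needs its own
# `- interface:` list item.
pfring:
  - interface: eth2
    threads: 1
    cluster-id: 99
    cluster-type: cluster_round_robin

# Other capture methods: no active settings in this file.
pcap:
ipfw: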
default-rule-path: /etc/suricata/rules
# Rule files loaded from default-rule-path. These are all locally named
# sets; pass.rules deserves review, as a pass match takes precedence over
# drop/reject/alert under the action-order below.
rule-files:
  - pass.rules
  - secureworks-apt-ip.rules
  - buza.rules
  - cydefsig.rules
  - tdss.rules
  - uk.rules
  - nicelist-4-ids-domains.rules
  - summer-domains.rules
  - summer-ips.rules
  - tdss-uniques-domains.rules
  - tdss-uniques-ips.rules

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
vars:
  address-groups:
    # RFC 1918 space is the protected network; everything else is external.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
  port-groups:
    HTTP_PORTS: "[80,8080]"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22

# Precedence when several rules match the same packet: a pass match wins
# over drop, reject and alert.
action-order:
  - pass
  - drop
  - reject
  - alert

# Every host (0.0.0.0/0) is given the Windows TCP reassembly policy.
host-os-policy:
  windows: [0.0.0.0/0]
asn1-max-frames: 256

# Rule analysis reports (engine-analysis mode); not part of live inspection.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Caps on PCRE matching work so a pathological regex cannot stall inspection.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
# HTTP parser settings. The body limits are the number of bytes of each
# request/response body that is inspected; content past them is not seen
# by rules.
libhtp:
  default-config:
    personality: IDS
    request-body-limit: 3072
    response-body-limit: 3072
  # Per-server overrides, selected by the server address.
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
        request-body-limit: 4096
        response-body-limit: 4096
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0
        request-body-limit: 4096
        response-body-limit: 4096
# Performance profiling. Rule and packet profiling are on, which adds
# overhead; lock profiling is off.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: avgticks
    limit: 100
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

# Unlimited core dumps: a core may contain captured packet payloads, so the
# dump location should be access-restricted.
coredump:
  max-dump: unlimited
infosec@IDS-WS16:~$