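%YAML 1.1
---
# Suricata IDS configuration: passive sensor (host-mode sniffer-only, runmode
# workers) capturing on eth2/eth3 via af-packet, with ET rule sets and EVE JSON
# alert output.
#
# Fix in this revision: the management/receive CPU sets used the single string
# "0,7". Suricata's affinity parser accepts one integer, one "N-M" range or
# "all" per list item; a comma inside one item is rejected as "not an integer"
# and aborts startup while set-cpu-affinity is yes. The intended CPUs are now
# given as two list items, [ 0, 7 ].

vars:
  address-groups:
    # The HOME_NET entry was redacted from the published file
    # ("XXXXXXXXXXXXXXXXXXXXXXXXXXX REMOVED NETWORKS XXXXXXXXXXXXXXXXXXXXXXXXX").
    # Every group below is derived from it, so it must be defined here.
    HOME_NET: "[REDACTED_HOME_NETWORKS]"  # placeholder, not a real value
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "[80,800,8000,8080,3000,9000]"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    FILE_DATA_PORTS: "[$HTTP_PORTS, 110, 143]"
    MODBUS_PORTS: 502

default-rule-path: /etc/suricata/rules/
rule-files:
  # Our Extra Rules!!!
  - extra.rules
  - emerging-trojan.rules
  - emerging-malware.rules
  - emerging-mobile_malware.rules
  - emerging-worm.rules
  - emerging-user_agents.rules
  - emerging-current_events.rules
  - emerging-ftp.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-attack_response.rules
  - emerging-icmp.rules
  - emerging-scan.rules
  - emerging-voip.rules
  - emerging-imap.rules
  - emerging-web_server.rules
  - emerging-smtp.rules
  - emerging-dns.rules
  - emerging-misc.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-dos.rules
  - emerging-telnet.rules
  - emerging-exploit.rules
  - emerging-tftp.rules
  - http-events.rules
  - emerging-games.rules
  - dns-events.rules
  - tls-events.rules
  - emerging-shellcode.rules
  - botcc.rules
  - botcc.portgrouped.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - tor.rules

# NOTE(review): rules live under /etc/suricata while classification/reference
# files live under /opt/suricata — confirm both trees are kept in step.
classification-file: /opt/suricata/etc/suricata/rules/classification.config
reference-config-file: /opt/suricata/etc/suricata/rules/reference.config
threshold-file: /etc/suricata/threshold.config

default-log-dir: /opt/suricata/var/log/

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  - eve-log:
      enabled: yes
      filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - alert:
            # The three dumps below copy raw traffic into eve.json, which can
            # include credentials or personal data; keep read access to
            # default-log-dir restricted to the people who need the alerts.
            payload: yes            # enable dumping payload in Base64
            payload-printable: yes  # enable dumping payload in printable (lossy) format
            packet: yes             # enable dumping of packet (without stream segments)

  - unified2-alert:
      enabled: no
      filename: unified2.alert
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - http-log:
      enabled: no
      filename: http.log
      append: yes

  - tls-log:
      enabled: no          # Log TLS connections.
      filename: tls.log    # File to store TLS logs.
      append: yes

  - tls-store:
      enabled: no

  - dns-log:
      enabled: no
      filename: dns.log
      append: yes

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal  # normal, multi or sguil.
      use-stream-depth: no  # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no  # If set to "yes", flows in which a pass rule matched will stop being logged.

  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  - stats:
      enabled: yes
      filename: stats.log
      totals: yes   # stats for all threads merged together
      threads: no   # per thread stats
      interval: 10

  - syslog:
      enabled: no
      facility: local5

  - drop:
      enabled: no
      filename: drop.log
      append: yes

  - file-store:
      enabled: no          # set to yes to enable
      log-dir: files       # directory to store the files
      force-magic: no      # force logging magic on all stored files
      force-filestore: no  # force storing of all files

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      force-magic: no  # force logging magic on all logged files

  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  - lua:
      enabled: no
      scripts:
      #   - script1.lua

logging:
  default-log-level: notice
  default-output-filter:
  outputs:
    - console:
        enabled: no
    - file:
        enabled: yes
        level: info
        filename: /opt/suricata/var/log/suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "

# Capture: af-packet on two interfaces, distinct cluster-ids per interface.
af-packet:
  - interface: eth2
    threads: 16
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    use-mmap: yes
    ring-size: 400000
    #block-size: 524288
    buffer-size: 104857600
  - interface: eth3
    threads: 16
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    use-mmap: yes
    ring-size: 400000
    #block-size: 524288
    buffer-size: 104857600

pcap:
  - interface: eth2
    buffer-size: 104857600
    checksum-checks: no  # "auto" (as used for pcap-file below) is the alternative
    threads: 8
    snaplen: 1522
  - interface: eth3
    buffer-size: 104857600
    checksum-checks: no
    threads: 8
    snaplen: 1522

pcap-file:
  checksum-checks: auto

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

asn1-max-frames: 256

pid-file: /var/run/suricata.pid

coredump:
  max-dump: 0

host-mode: sniffer-only

#max-pending-packets: 1024
max-pending-packets: 16384

runmode: workers

default-packet-size: 1514

unix-command:
  enabled: no

magic-file: /usr/share/file/magic

legacy:
  uricontent: enabled

action-order:
  - pass
  - drop
  - reject
  - alert

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

host-os-policy:
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

defrag:
  memcap: 512mb
  hash-size: 65536
  trackers: 65535   # number of defragmented flows to follow
  max-frags: 65535  # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 30

flow:
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30

vlan:
  use-for-tracking: true

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

stream:
  memcap: 16gb
  # With validation off, packets carrying a bad checksum (which the receiving
  # host would discard) are still reassembled and inspected. That keeps
  # detection working when NIC offload leaves wrong checksums on the mirrored
  # traffic, at the cost of letting such packets influence stream state.
  checksum-validation: no  # reject wrong csums
  inline: auto             # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 20gb
    depth: 12mb            # reassemble 12mb into a stream (raised from the stock 1mb)
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    chunk-prealloc: 30000
    segments:
      - size: 4
        prealloc: 512
      - size: 16
        prealloc: 1024
      - size: 112
        prealloc: 1024
      - size: 248
        prealloc: 1024
      - size: 512
        prealloc: 1024
      - size: 768
        prealloc: 2048
      - size: 1448
        prealloc: 2048
      - size: 65535
        prealloc: 512

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false  # very verbose
      include-mpm-stats: false

mpm-algo: ac-ks
spm-algo: auto

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    # Each cpu list item is one integer, one "N-M" range, or "all".
    - management-cpu-set:
        # cpu: [ "all" ]  # include only these cpus in affinity settings
        cpu: [ 0, 7 ]
    - receive-cpu-set:
        # cpu: [ "all" ]  # include only these cpus in affinity settings
        cpu: [ 0, 7 ]
    - worker-cpu-set:
        # cpu: [ "all" ]
        cpu: ["3-7", "11-15", "19-23", "27-31"]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "high"
    # NOTE(review): runmode is workers above; confirm this detect set is
    # still wanted, as it mirrors worker-cpu-set exactly.
    - detect-cpu-set:
        # cpu: [ "all" ]
        cpu: ["3-7", "11-15", "19-23", "27-31"]
        mode: "exclusive"  # run detect threads in these cpus
        prio:
          default: "high"
  detect-thread-ratio: 1.5

luajit:
  states: 128

# Rule/keyword/packet profiling is switched on; it adds per-packet bookkeeping
# and writes into default-log-dir, so review whether it is needed permanently.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: avgticks
    limit: 100
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes

nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

capture:

netmap:
  - interface: eth2
  - interface: default

# NOTE(review): both pfring interfaces share cluster-id 99, whereas the
# af-packet sections above use distinct ids per interface — confirm this is
# intended if pfring is ever selected as the capture method.
pfring:
  - interface: eth2
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: eth3
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow

ipfw:

napatech:
  hba: -1
  use-all-streams: yes
  streams: [1, 2, 3]

mpipe:
  load-balance: dynamic
  iqueue-packets: 2048
  inputs:
    - interface: xgbe2
    - interface: xgbe3
    - interface: xgbe4
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0

cuda:
  mpm:
    data-buffer-size-min-limit: 0
    data-buffer-size-max-limit: 1500
    cudabuffer-buffer-size: 500mb
    gpu-transfer-size: 50mb
    batching-timeout: 2000
    device-id: 0
    cuda-streams: 2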