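%YAML 1.1
---
# Suricata configuration (fragment): NFQUEUE inline capture, rule set
# selection, detection variables, host OS policy and app-layer parsers.

# NFQUEUE (inline / IPS) capture settings.
nfq:
  # "repeat" re-injects each verdicted packet into the same iptables chain
  # with repeat-mark applied under repeat-mask, so the NFQUEUE rule must skip
  # packets that already carry the mark (e.g. "-m mark ! --mark 1/1");
  # otherwise the packet is queued again in a loop.
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  # fail-open: when the kernel cannot hand a packet to Suricata (queue full,
  # engine stalled or restarting) the packet is accepted uninspected instead
  # of dropped. This favours availability over enforcement -- under load or
  # if the engine wedges, the IPS silently stops blocking. Set to "no" if a
  # fail-closed posture is required.
  fail-open: yes

default-rule-path: /etc/suricata/rules

# Only emerging-icmp.rules is loaded. Every other signature set, including the
# protocol/anomaly event rules (decoder-events, stream-events,
# app-layer-events, dns/http/tls-events), is commented out, so the engine
# inspects traffic but alerts on almost none of it. Re-enable sets
# deliberately; duplicated entries from the original list have been removed.
rule-files:
  # - botcc.rules
  # - ciarmy.rules
  # - compromised.rules
  # - dshield.rules
  # - emerging-attack_response.rules
  # - emerging-chat.rules
  # - emerging-current_events.rules
  # - emerging-dns.rules
  # - emerging-dos.rules
  # - emerging-exploit.rules
  - emerging-icmp.rules
  # - emerging-inappropriate.rules
  # - emerging-malware.rules
  # - emerging-misc.rules
  # - emerging-policy.rules
  # - emerging-scan.rules
  # - emerging-shellcode.rules
  # - emerging-sql.rules
  # - emerging-telnet.rules
  # - emerging-trojan.rules
  # - emerging-user_agents.rules
  # - emerging-web_client.rules
  # - emerging-web_server.rules
  # - emerging-worm.rules
  # - stream-events.rules
  # - decoder-events.rules
  # - http-events.rules
  # - tls-events.rules
  # - app-layer-events.rules
  # - dns-events.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

vars:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  # Note: EXTERNAL_NET is the complement of HOME_NET, so signatures written
  # as "$EXTERNAL_NET -> $HOME_NET" never match traffic between two HOME_NET
  # hosts (east-west / lateral traffic). Keep HOME_NET accurate for this site.
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  # All values are quoted so every entry is a string regardless of the YAML
  # loader (the original mixed "80" with bare 1521 / 22 / 20000).
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    DNP3_PORTS: "20000"

# Precedence when several signatures match the same packet: the action
# listed first wins, so a pass rule overrides a drop rule.
action-order:
  - pass
  - drop
  - reject
  - alert

# Per-host OS policy used by the defrag/stream engines to mimic how the
# listed target reassembles overlapping data. An entry that does not match
# the real OS of that host lets reassembly differences slip past detection,
# so keep the linux/solaris lists in step with the inventory.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    # detection-only: the protocol is recognised for flow classification but
    # the parser itself is not run.
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb
      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb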