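%YAML 1.1
---

# Suricata engine configuration.
#
# Layout note: the file is restored to one key per line with two-space
# indentation so the structure is readable and machine-checkable; no key
# or value has been changed. Reviewer observations are marked NOTE(review).

##
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  # NOTE(review): with both HOME_NET and EXTERNAL_NET set to "any", rules that
  # rely on $HOME_NET -> $EXTERNAL_NET direction cannot distinguish inbound
  # from outbound traffic; narrowing HOME_NET to the monitored ranges is the
  # single biggest accuracy gain available in this file.
  address-groups:
    HOME_NET: "any"
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789

##
## Step 2: select outputs to enable
##

default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: yes
  interval: 15
  decoder-events: true
  decoder-events-prefix: "decoder.event"
  stream-events: true

# Configure the type of alert (and other) logging you would like.
#
# NOTE(review): every alert-carrying output in this list (fast, eve-log,
# unified2-alert, http-log, alert-debug, alert-prelude, syslog, drop) is
# `enabled: no`; only `stats` is enabled. Rule matches, including drops in the
# IPS copy-mode configured under af-packet below, therefore leave no alert
# record on disk. Confirm that this is intended before deploying.
outputs:
  - fast:
      enabled: no
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: no
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #filename: eve-%Y-%m-%d-%H:%M.json
      #rotate-interval: day
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      identity: "suricata-teletalk"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting has to be reserved for high-traffic Suricata deployments.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entries to keep in buffer

      # Include top level metadata. Default yes.
      #metadata: no

      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false

      # Community Flow ID
      # Adds a 'community_id' field to EVE records. These are meant to give
      # records a predictable flow id that can be used to match records to
      # output of other tools such as Bro.
      #
      # Takes a 'seed' that needs to be same across sensors and tools
      # to make the id less predictable.

      # enable/disable the community id feature.
      community-id: false
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0

      # HTTP X-Forwarded-For support by adding an extra field or overwriting
      # the source or destination IP address (depending on flow direction)
      # with the one reported in the X-Forwarded-For HTTP header. This is
      # helpful when reviewing alerts for traffic that is being reverse
      # or forward proxied.
      # NOTE(review): X-Forwarded-For is client-supplied; only enable "overwrite"
      # mode where the header is set by a trusted proxy, otherwise the logged
      # source address can be spoofed.
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite".
        mode: extra-data
        # Two proxy deployments are supported, "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported, if more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For

      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # enable dumping of http body in Base64
            # http-body-printable: yes # enable dumping of http body in printable format
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes
        #- anomaly:
            # Anomaly log records describe unexpected conditions such as truncated packets, packets with invalid
            # IP/UDP/TCP length values, and other events that render the packet invalid for further processing
            # or describe unexpected behavior on an established stream. Networks which experience high
            # occurrences of anomalies may experience packet processing degradation.
            # Enable dumping of packet header
            # packethdr: no # enable dumping of packet header
        - http:
            extended: no     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
            # set this value to one among {both, request, response} to dump all
            # http headers for every http request and/or response
            # dump-all-headers: [both, request, response]
        - dns:
            version: 2
            # Enable/disable this logger. Default: enabled.
            enabled: no
            # Control logging of requests and responses:
            # - requests: enable logging of DNS queries
            # - responses: enable logging of DNS answers
            # By default both requests and responses are logged.
            #requests: no
            #responses: no
            # Format of answer logging:
            # - detailed: array item per answer
            # - grouped: answers aggregated by type
            # Default: all
            #formats: [detailed, grouped]
            # Answer types to log.
            # Default: all
            #types: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: no     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom allows to control which tls fields that are included
            # in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            #force-hash: [md5]
        - drop:
            alerts: no      # log alerts that caused drops
            flows: start    # start or all: 'start' logs only a single drop
        #- smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]
        #- dnp3
        #- ftp
        #- nfs
        #- smb
        #- tftp
        #- ikev2
        #- krb5
        #- snmp
        - dhcp:
            enabled: no
            extended: no
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        #- flow
        # uni-directional flows
        #- netflow
        # Metadata event type. Triggered whenever a pktvar is saved
        # and will include the pktvars, flowvars, flowbits and
        # flowints.
        #- metadata

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      #limit: 32mb
      #nostamp: no
      #sensor-id: 0
      #payload: yes
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: no
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enable the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #extended: yes     # Log extended information like fingerprint
      #custom: yes       # enable the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      # output TLS transaction where the session is resumed using a
      # session id
      #session-resumption: no

  # output module to store certificates chain to disk
  - tls-store:
      enabled: no
      #certs-log-dir: certs # directory to store the certificates files

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      compression: none
      #lz4-checksum: no
      #lz4-level: 0
      mode: normal # normal, multi or sguil.
      #dir: /nsm_data/
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (https://www.prelude-siem.org/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the Suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes  # print counters that have value 0

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - file-store:
      version: 2
      enabled: no
      #dir: filestore
      #write-fileinfo: yes
      #force-filestore: yes
      #stream-depth: 0
      #max-open-files: 1000
      #force-hash: [sha1, md5]
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  # Legacy (version 1) file-store; kept alongside the version 2 entry above.
  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]
      force-filestore: no # force storing of all files
      # override global stream-depth for sessions in which we want to
      # perform file extraction. Set to 0 for unlimited.
      #stream-depth: 0
      #waldo: file.waldo # waldo file to store the file_id across runs
      # uncomment to disable meta file writing
      #write-meta: no
      # uncomment the following variable to define how many files can
      # remain open for filestore by Suricata. Default value is 0 which
      # means files get closed after each write
      #max-open-files: 1000
      include-pid: no # set to yes to include pid in file names

  # Log TCP data after stream normalization
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  # Log HTTP body data after normalization, dechunking and unzipping.
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  # Lua Output Support - execute lua script to generate alert and event
  - lua:
      enabled: no
      #scripts-dir: /etc/suricata/lua-output/
      scripts:
      #   - script1.lua

# Logging configuration. This is not about logging IDS alerts/events, but
# output about what Suricata is doing, like startup messages, errors, etc.
logging:
  default-log-level: notice

  # The default output format. Optional parameter, should default to
  # something reasonable if not provided. Can be overridden in an
  # output section. You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: no
      # type: json
  - file:
      enabled: yes
      level: info
      filename: suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      # type: json

##
## Step 4: configure common capture settings
##

# Linux high speed capture support
# NOTE(review): `buffer` is not a key the af-packet section uses in the
# upstream configuration, which spells it `buffer-size`; as written the value
# is probably ignored. Confirm against the running version before renaming,
# since a 5 GB socket buffer is a deliberate tuning choice.
af-packet:
  - interface: ens2f0
    threads: 20
    cluster-id: 99
    #cluster-type: cluster_flow
    cluster-type: cluster_qm
    xdp-mode: driver
    xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    defrag: no
    use-mmap: yes
    ring-size: 1000000
    buffer: 5368709120
    rollover: no
    use-emergency-flush: yes
    #disable-promisc: no
    #checksum-checks: kernel
    copy-mode: ips
    copy-iface: ens2f1
  - interface: ens2f1
    threads: 20
    cluster-id: 98
    #cluster-type: cluster_flow
    cluster-type: cluster_qm
    xdp-mode: driver
    xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    defrag: no
    use-mmap: yes
    ring-size: 1000000
    buffer: 5368709120
    rollover: no
    use-emergency-flush: yes
    #disable-promisc: no
    #checksum-checks: kernel
    copy-mode: ips
    copy-iface: ens2f0

# Cross platform libpcap capture support
pcap:
  #- interface: eth0
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    #checksum-checks: auto
    #threads: 18
    #promisc: no
    #snaplen: 1518
  # Put default values here
  #- interface: default
    #checksum-checks: auto

# Settings for reading pcap files
#pcap-file:
  #checksum-checks: auto

##
## Step 5: App Layer Protocol Configuration
##

app-layer:
  protocols:
    krb5:
      enabled: no
    snmp:
      enabled: no
    ikev2:
      enabled: no
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # NOTE(review): with "bypass", a TLS flow is handed to the kernel/XDP
      # bypass once encryption starts, so only handshake metadata (SNI,
      # certificate, JA3 if enabled) is ever visible to rules and logs.
      encryption-handling: bypass

      # Generate JA3 fingerprint from client hello
      ja3-fingerprints: no

      # What to do when the encrypted communications start:
      # - default: keep tracking TLS session, check for protocol anomalies,
      #   inspect tls_* keywords. Disables inspection of unmodified
      #   'content' signatures.
      # - bypass:  stop processing this flow as much as possible. No further
      #   TLS parsing and inspection. Offload flow bypass to kernel
      #   or hardware if possible.
      # - full:    keep tracking and inspection as normal. Unmodified content
      #   keyword signatures are inspected as well.
      #
      # For best performance, select 'bypass'.
      #
      #encryption-handling: default

    dcerpc:
      enabled: no
    ftp:
      enabled: no
      # memcap: 64mb
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: no
      detection-ports:
        dp: 139, 445

      # Stream reassembly size for SMB streams. By default track it completely.
      #stream-depth: 0
    nfs:
      enabled: no
    tftp:
      enabled: no
    # NOTE(review): both DNS parsers are disabled below, so rules using the
    # dns_query keyword or app-layer-event:dns.* cannot match and the EVE dns
    # logger (also disabled above) would have nothing to emit.
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: no
        detection-ports:
          dp: 53
      udp:
        enabled: no
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 20gb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of IP addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
        default-config:
          personality: IDS

          # Can be specified in kb, mb, gb.  Just a number indicates
          # it's in bytes.
          request-body-limit: 100kb
          response-body-limit: 100kb

          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          # response body decompression (0 disables)
          response-body-decompress-layer-limit: 2

          # auto will use http-body-inline mode in IPS mode, yes or no set it statically
          http-body-inline: auto

          # Decompress SWF files.
          # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
          # compress-depth:
          # Specifies the maximum amount of data to decompress,
          # set 0 for unlimited.
          # decompress-depth:
          # Specifies the maximum amount of decompressed data to obtain,
          # set 0 for unlimited.
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0

          # Take a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead to
          # detection changes between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If randomize-inspection-sizes is active, the value of various
          # inspection size will be chosen in the [1 - range%, 1 + range%]
          # range
          # Default value of randomize-inspection-range is 10.
          #randomize-inspection-range: 10

          # decoding
          double-decode-path: no
          double-decode-query: no

        server-config:

          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb.  Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb.  Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

    # Note: Modbus probe parser is minimalist due to the few significant fields
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positive
    modbus:
      #request-flood: 500

      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    dhcp:
      enabled: yes

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

##############################################################################
##
## Advanced settings below
##
##############################################################################

##
## Run Options
##

#sensor-name: suricata
pid-file: /var/run/suricata.pid

coredump:
  max-dump: unlimited

host-mode: auto

max-pending-packets: 1024

runmode: workers

#autofp-scheduler: active-packets

default-packet-size: 1514

unix-command:
  enabled: auto
  #filename: custom.socket

# Magic file. The extension .mgc is added to the value here.
#magic-file:

# GeoIP2 database file. Specify path and filename of GeoIP2 database
#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb

legacy:
  uricontent: enabled

##
## Detection settings
##

action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit. The reports are printed to a file in the default log dir
# given by the parameter "default-log-dir", with engine reporting
# subsection below printing reports in its own report file.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

##
## Advanced Traffic Tracking and Reconstruction Settings
##

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Defrag settings:
defrag:
  memcap: 10gb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 1000000 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Flow settings:
flow:
  memcap: 30gb
  hash-size: 65536
  prealloc: 1000000
  emergency-recovery: 30
  prune-flows: 5
  managers: 2 # default to one flow manager
  recyclers: 2 # default to one flow recycler thread

vlan:
  use-for-tracking: false

# Specific timeouts for flows.
flow-timeouts:
  default:
    new: 10
    established: 100
    closed: 0
    bypassed: 50
    emergency-new: 5
    emergency-established: 50
    emergency-closed: 0
    emergency-bypassed: 10
  tcp:
    new: 10
    established: 100
    closed: 5
    bypassed: 50
    emergency-new: 2
    emergency-established: 50
    emergency-closed: 5
    emergency-bypassed: 10
  udp:
    new: 10
    established: 100
    bypassed: 50
    emergency-new: 2
    emergency-established: 50
    emergency-bypassed: 10
  icmp:
    new: 10
    established: 100
    bypassed: 50
    emergency-new: 2
    emergency-established: 50
    emergency-bypassed: 10

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# NOTE(review): `checksum-validation: no` together with `drop-invalid: no`
# means packets with bad checksums or invalid stream state are still
# tracked and, in the inline mode set here, forwarded rather than dropped.
# That is a tuning trade-off; confirm it is deliberate for an IPS deployment.
stream:
  memcap: 30gb
  checksum-validation: no      # reject wrong csums
  inline: yes                  # auto will use inline mode in IPS mode, yes or no set it statically
  prealloc-sessions: 1000000
  bypass: true
  midstream: false             # do not allow midstream session pickups
  async-oneside: false         # do not enable async stream handling
  drop-invalid: no             # drop invalid packets
  reassembly:
    memcap: 40gb
    depth: 1mb                 # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    randomize-chunk-range: 10
    raw: yes
    segment-prealloc: 1000000
    check-overlap-different-data: true

# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 2048mb

# IP Pair table:
#
# Used by xbits 'ippair' tracking.
#
#ippair:
#  hash-size: 4096
#  prealloc: 1000
#  memcap: 32mb

# Decoder settings
decoder:
  # Teredo decoder is known to not be completely accurate
  # as it will sometimes detect non-teredo as teredo.
  teredo:
    enabled: true
  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the
  # IANA assigned port 4789 is enabled.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '8472, 4789'

##
## Performance tuning and profiling
##

detect:
  profile: custom
  custom-values:
    toclient-groups: 300
    toserver-groups: 300
    toclient-sp-groups: 300
    toclient-dp-groups: 300
    toserver-src-groups: 300
    toserver-dst-groups: 5400
    toserver-sp-groups: 300
    toserver-dp-groups: 350
  sgh-mpm-context: full
  inspection-recursion-limit: 3000
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #delayed-detect: yes

  prefilter:
    default: mpm

  grouping:
    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
    #udp-whitelist: 53, 135, 5060

  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false

# Select the multi pattern algorithm you want to run for scan/search in
# the engine.
# mpm-algo: hs

# Select the matching algorithm you want to use for single-pattern searches.
# spm-algo: hs

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: yes
  #
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 20,21,22,23,24,25 ]  # include only these CPUs in affinity settings
        mode: "exclusive"
        prio:
          default: "high"
    - worker-cpu-set:
        cpu: [ "0-19","40-59" ]
        mode: "exclusive"
        prio:
          default: "high"
  #
  # detect-thread-ratio: 1.0

# Luajit has a strange memory requirement, its 'states' need to be in the
# first 2G of the process' memory.
#
# 'luajit.states' is used to control how many states are preallocated.
# State use: per detect script: 1 per detect thread. Per output script: 1 per
# script.
luajit:
  states: 128

# Profiling settings. Only effective if Suricata has been built with the
# --enable-profiling configure flag.
#
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # rule profiling
  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: no
    filename: rule_perf.log
    append: yes

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    #sort: avgticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    limit: 10

    # output to json
    json: no

  # per keyword profiling
  keywords:
    enabled: no
    filename: keyword_perf.log
    append: yes

  prefilter:
    enabled: no
    filename: prefilter_perf.log
    append: yes

  # per rulegroup profiling
  rulegroups:
    enabled: no
    filename: rule_group_perf.log
    append: yes

  # packet profiling
  packets:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: no
    filename: packet_stats.log
    append: yes

    # per packet csv output
    csv:

      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv

  # profiling of locking. Only available when Suricata was built with
  # --enable-profiling-locks.
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes

##
## Advanced Capture Options
##

# general settings affecting packet capture
capture:
  #disable-offloading: false
  #checksum-validation: none

##
## Configure Suricata to load Suricata-Update managed rules.
##

##
## Advanced rule file configuration.
##

default-rule-path: /etc/suricata/rules

rule-files:
  - custom.rules

##
## Auxiliary configuration files.
##

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config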