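%YAML 1.1
---
# Suricata configuration for an inline (IPS) af-packet bridge between two
# interfaces, with an XDP pre-filter and Hyperscan matching.
#
# Suricata treats every leaf value as a string, so number-like values are
# quoted here where YAML 1.1 implicit typing could otherwise bite, and
# booleans are written as true/false (both accepted by Suricata's parser).

vars:
  address-groups:
    # NOTE(review): HOME_NET and EXTERNAL_NET are both "any", so every
    # direction-aware rule ($EXTERNAL_NET -> $HOME_NET) matches in both
    # directions and all *_SERVERS groups below inherit "any". Narrowing
    # HOME_NET to the protected ranges raises rule fidelity and reduces false
    # positives - TODO confirm the intended monitored ranges.
    HOME_NET: "any"
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    DNP3_PORTS: "20000"
    MODBUS_PORTS: "502"
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: "21"

default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: true
  interval: 8
  #decoder-events: true
  decoder-events-prefix: "decoder.event"
  #stream-events: false

outputs:
  # NOTE(review): only the stats logger is configured in this file as shown;
  # no alert/drop output (eve-log or fast) is present, so drops taken in IPS
  # copy-mode below would leave no record. Confirm an alert output is defined
  # elsewhere, or add one.
  - stats:
      enabled: true
      filename: stats.log
      append: false   # append to file (true) or overwrite it (false)
      totals: true    # stats for all threads merged together
      threads: false  # per thread stats

logging:
  default-log-level: notice
  default-output-filter:
  outputs:
    - console:
        enabled: true
    - file:
        enabled: true
        level: info
        filename: /var/log/suricata/suricata.log

# Linux high speed capture support
# Inline bridge: each interface copies to its peer (copy-mode: ips). Both
# members load the same XDP filter program; cluster-ids are distinct per
# interface, as required for af-packet fanout.
af-packet:
  - interface: enp94s0f0
    threads: 30
    cluster-id: 98
    defrag: false
    cluster-type: cluster_flow
    xdp-mode: driver
    xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
    # bypass: flows flagged for bypass (see stream.bypass) are short-circuited
    # at capture and receive no further inspection.
    bypass: true
    copy-mode: ips
    use-mmap: true
    ring-size: 500000
    # NOTE(review): 5368709120 exceeds a 32-bit int, and with use-mmap enabled
    # the mmap ring is sized by ring-size - presumably this value is ignored;
    # confirm against the af-packet source before relying on it.
    buffer-size: 5368709120
    rollover: false
    use-emergency-flush: true
    copy-iface: enp94s0f1
  - interface: enp94s0f1
    threads: 30
    cluster-id: 97
    defrag: false
    cluster-type: cluster_flow
    xdp-mode: driver
    xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
    bypass: true
    copy-mode: ips
    use-mmap: true
    ring-size: 500000
    # NOTE(review): same 32-bit range / use-mmap caveat as the first interface.
    buffer-size: 5368709120
    rollover: false
    use-emergency-flush: true
    copy-iface: enp94s0f0

## Step 5: App Layer Protocol Configuration
app-layer:
  protocols:
    krb5:
      enabled: true
    ikev2:
      enabled: true
    tls:
      enabled: true
      detection-ports:
        dp: "443"
      ja3-fingerprints: false
      encryption-handling: default
    dcerpc:
      enabled: true
    ftp:
      enabled: true
      memcap: 512mb
    ssh:
      enabled: true
    smtp:
      enabled: true
      mime:
        decode-mime: true
        decode-base64: true
        decode-quoted-printable: true
        header-value-depth: 2000
        extract-urls: true
        body-md5: false
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: true
      detection-ports:
        dp: "139, 445"
      #stream-depth: 0
    nfs:
      enabled: true
    tftp:
      enabled: true
    dns:
      #global-memcap: 16mb
      #state-memcap: 512kb
      #request-flood: 500
      tcp:
        enabled: true
        detection-ports:
          dp: "53"
      udp:
        enabled: true
        detection-ports:
          dp: "53"
    http:
      enabled: true
      memcap: 4gb
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 200kb
          response-body-limit: 200kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: true
            type: both
            compress-depth: 0
            decompress-depth: 0
          double-decode-path: false
          double-decode-query: false
        server-config:
    modbus:
      enabled: false
      detection-ports:
        dp: "502"
      stream-depth: 0
    # DNP3
    dnp3:
      enabled: false
      detection-ports:
        dp: "20000"
    # Note: parser depends on Rust support
    ntp:
      enabled: true
    dhcp:
      enabled: true

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

## Advanced settings below
coredump:
  max-dump: unlimited

host-mode: auto

max-pending-packets: 1024

runmode: workers

#autofp-scheduler: active-packets

#default-packet-size: 1514

unix-command:
  enabled: auto

legacy:
  uricontent: enabled

action-order:
  - pass
  - drop
  - reject
  - alert

engine-analysis:
  rules-fast-pattern: true
  rules: true

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

host-os-policy:
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: ["0.0.0.0/0"]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Defrag settings:
defrag:
  memcap: 1gb
  hash-size: 65536
  trackers: 65535     # number of defragmented flows to follow
  max-frags: 1000000  # number of fragments to keep (higher than trackers)
  prealloc: true
  timeout: 30

flow:
  memcap: 1gb
  hash-size: 65536
  prealloc: 1000000
  emergency-recovery: 30
  prune-flows: 5
  managers: 2   # upstream default is one flow manager
  recyclers: 2  # upstream default is one flow recycler thread

vlan:
  use-for-tracking: true

# The trailing "#N" comments appear to record the values these timeouts were
# lowered from. NOTE(review): a 20s established timeout ages out idle-but-live
# TCP sessions; traffic on such a session then reappears as a midstream pickup,
# which is not tracked unless stream.midstream is enabled - presumably an
# accepted tradeoff, confirm.
flow-timeouts:
  default:
    new: 5                     #10
    established: 20            #100
    closed: 0
    bypassed: 10               #50
    emergency-new: 2           #5
    emergency-established: 10  #50
    emergency-closed: 0
    emergency-bypassed: 5
  tcp:
    new: 5                     #10
    established: 20            #100
    closed: 5                  #5
    bypassed: 10               #50
    emergency-new: 2
    emergency-established: 10  #50
    emergency-closed: 0        #5
    emergency-bypassed: 5
  udp:
    new: 5                     #10
    established: 20            #100
    bypassed: 5                #50
    emergency-new: 2
    emergency-established: 10  #50
    emergency-bypassed: 5
  icmp:
    new: 5                     #10
    established: 5             #100
    bypassed: 5                #50
    emergency-new: 2
    emergency-established: 10  #50
    emergency-bypassed: 5

stream:
  #memcap: 12gb
  #checksum-validation: no      # reject wrong csums
  #inline: yes                  # auto will use inline mode in IPS mode, yes or no set it statically
  #prealloc-sessions: 1000000
  #bypass: yes
  #midstream: false             # do not allow midstream session pickups
  #async-oneside: false         # do not enable async stream handling
  #drop-invalid: no             # drop invalid packets
  #reassembly:
  #memcap: 18gb
  #depth: 1mb                   # reassemble 1mb into a stream
  #toserver-chunk-size: 2560
  #toclient-chunk-size: 2560
  #randomize-chunk-size: yes
  #randomize-chunk-range: 10
  memcap: 1gb
  # NOTE(review): packets failing checksum validation are treated as invalid
  # (and, inline, rejected). If checksum offload is enabled on the capture
  # interfaces, locally originated frames can carry unfilled checksums - confirm
  # offload is disabled on enp94s0f0/enp94s0f1.
  checksum-validation: true     # reject wrong csums
  inline: auto                  # auto uses inline mode because copy-mode is ips
  #prealloc-sessions: 1000000
  # Flows that reach reassembly.depth are bypassed (see af-packet bypass) and
  # are not inspected further - a deliberate visibility/throughput tradeoff.
  bypass: true
  #midstream: false
  #async-oneside: false
  reassembly:
    memcap: 2gb
    depth: 6mb                  # reassemble 6mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: true

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# Decoder settings
decoder:
  teredo:
    enabled: true

detect:
  profile: custom
  custom-values:
    toclient-groups: 300
    toserver-groups: 300
    toclient-sp-groups: 300
    toclient-dp-groups: 300
    toserver-src-groups: 300
    toserver-dst-groups: 5400
    toserver-sp-groups: 300
    toserver-dp-groups: 350
  sgh-mpm-context: full
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
    #udp-whitelist: 53, 135, 5060
  profiling:
    #inspect-logging-threshold: 200
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false

mpm-algo: hs
spm-algo: hs

threading:
  set-cpu-affinity: true
  cpu-affinity:
    - management-cpu-set:
        cpu: [0, 1, 2, 3, 4, 5]  # include only these CPUs in affinity settings
        mode: "balanced"
        prio:
          default: "high"
    - worker-cpu-set:
        # 60 CPUs for the 2 x 30 af-packet worker threads above.
        cpu: ["20-39", "60-79", "40-59"]
        mode: "exclusive"
        prio:
          default: "high"
  detect-thread-ratio: 1.0

luajit:
  states: 128

default-rule-path: /etc/suricata/rules
rule-files:
  - custom.rules
  - botcc.rules
  - botcc.portgrouped.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-activex.rules
  - emerging-attack_response.rules
  - emerging-chat.rules
  - emerging-current_events.rules
  # NOTE(review): the "deleted" file holds retired signatures and normally
  # ships with all of them disabled - confirm loading it is intentional.
  - emerging-deleted.rules
  - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
  - emerging-ftp.rules
  - emerging-games.rules
  - emerging-icmp_info.rules
  - emerging-icmp.rules
  - emerging-imap.rules
  - emerging-inappropriate.rules
  - emerging-info.rules
  - emerging-malware.rules
  - emerging-misc.rules
  - emerging-mobile_malware.rules
  - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-scada.rules
  - emerging-scan.rules
  - emerging-shellcode.rules
  - emerging-smtp.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-telnet.rules
  - emerging-tftp.rules
  - emerging-trojan.rules
  - emerging-user_agents.rules
  - emerging-voip.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  - emerging-web_specific_apps.rules
  - emerging-worm.rules
  - tor.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
threshold-file: /etc/suricata/threshold.config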