%YAML 1.1
---

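# Address and port variables referenced from rules as $HOME_NET, $HTTP_PORTS, ...
vars:
  address-groups:
    # NOTE(review): with both HOME_NET and EXTERNAL_NET set to "any", every
    # address belongs to both groups, so rules that rely on the HOME/EXTERNAL
    # distinction can no longer tell inbound from outbound traffic. Narrow
    # HOME_NET to the protected ranges once they are known.
    HOME_NET: "any"

    EXTERNAL_NET: "any"

    # Service groups; all but AIM_SERVERS resolve to HOME_NET.
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    # All port values are quoted so the YAML layer cannot re-type them; the
    # original mixed quoted ("80") and bare (1521) numbers.
    HTTP_PORTS: "80"
    # Negation: every port except HTTP_PORTS.
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    DNP3_PORTS: "20000"
    MODBUS_PORTS: "502"
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: "21"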

# Directory that relative output filenames (such as stats.log below) are written to.
default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: yes
  interval: 8   # seconds between stats updates
  #decoder-events: true
  # Prefix used for the per-decoder-event counters.
  decoder-events-prefix: "decoder.event"
  #stream-events: false

# Output modules. Only the stats logger is enabled in this block.
# NOTE(review): no alert output (eve-log or fast-log) is configured here, so
# rule matches are not recorded anywhere visible in this file; confirm alert
# logging is provided elsewhere (e.g. an included file) or add an output.
outputs:
  - stats:
      enabled: yes
      filename: stats.log   # presumably resolved under default-log-dir
      append: no       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats

# Engine (not alert) logging: console plus a file in the log directory.
logging:
  default-log-level: notice
  # An empty value is parsed as null, i.e. no output filter is applied.
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info   # more verbose than default-log-level; presumably the file logger's own threshold
      filename: /var/log/suricata/suricata.log

# Linux high speed capture support
# Two interfaces wired as an inline pair: each one's copy-iface points at the
# other, and copy-mode is ips, so traffic is forwarded through the engine.
af-packet:
  - interface: enp94s0f0
    threads: 30
    cluster-id: 98
    defrag: no
    cluster-type: cluster_flow
    # XDP program loaded in driver mode; bypassed flows are filtered before
    # they reach the capture path.
    xdp-mode: driver
    xdp-filter-file:  /etc/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    copy-mode: ips
    use-mmap: yes
    ring-size: 500000
    # NOTE(review): 5368709120 (5 GiB) does not fit in a signed 32-bit int; if
    # this value is handed to SO_RCVBUF (an int) it will be truncated — confirm
    # the effective buffer size.
    buffer-size: 5368709120
    rollover: no
    use-emergency-flush: yes
    copy-iface: enp94s0f1
  - interface: enp94s0f1
    threads: 30
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    xdp-mode: driver
    xdp-filter-file:  /etc/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    copy-mode: ips
    use-mmap: yes
    ring-size: 500000
    # Same out-of-int-range value as the first interface; see the note above.
    buffer-size: 5368709120
    rollover: no
    use-emergency-flush: yes
    copy-iface: enp94s0f0

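## Step 5: App Layer Protocol Configuration

# Application-layer parsers. "yes" enables parsing and the protocol's rule
# keywords; "detection-only" keeps protocol detection without full parsing.
app-layer:
  protocols:
    krb5:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      ja3-fingerprints: no
      encryption-handling: default

    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
      memcap: 512mb
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        # Quoted so the comma-separated list is always read as a single string.
        dp: "139, 445"
      #stream-depth: 0
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      #global-memcap: 16mb
      #state-memcap: 512kb
      #request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 4gb
      # libhtp settings, indented to the file's 2-space convention (the
      # original used 3-space indentation here only); values unchanged.
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 200kb
          response-body-limit: 200kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          # auto: follows the engine mode, so inline body inspection applies
          # when the capture runs with copy-mode ips.
          http-body-inline: auto
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 0
            decompress-depth: 0
          double-decode-path: no
          double-decode-query: no

        # No per-server overrides; an empty value here is parsed as null.
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # Note: parser depends on Rust support
    ntp:
      enabled: yes

    dhcp:
      enabled: yes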

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

## Advanced settings below

coredump:
  # NOTE(review): unlimited core dumps of a packet-processing engine can hold
  # captured payloads; make sure the dump location is access-restricted.
  max-dump: unlimited
host-mode: auto   # auto: chosen from the capture mode (inline vs. sniffing)
max-pending-packets: 1024
runmode: workers  # each capture thread runs the full packet pipeline
#autofp-scheduler: active-packets
#default-packet-size: 1514
unix-command:
  # auto: enable the control socket when the build supports it. The socket
  # accepts runtime commands, so its filesystem permissions matter.
  enabled: auto

legacy:
  uricontent: enabled   # keep the legacy uricontent rule keyword available

# Precedence when several rules match the same packet: pass wins over drop,
# drop over reject, reject over alert.
action-order:
  - pass
  - drop
  - reject
  - alert


# Startup diagnostics: write rule and fast-pattern analysis reports.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Recursion and match limits for PCRE where supported; they bound the work a
# single pcre rule may spend on one buffer.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500


# Per-destination OS policy for TCP stream reassembly. Every address
# (0.0.0.0/0) is treated as Linux; all other policies are left empty.
host-os-policy:
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Defrag settings:

defrag:
  memcap: 1gb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 1000000 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 30   # seconds an incomplete datagram is kept before being dropped

# Flow table sizing.
flow:
  memcap: 1gb
  hash-size: 65536
  prealloc: 1000000  # flows allocated at startup
  emergency-recovery: 30  # percentage of flows to free before leaving emergency mode
  prune-flows: 5
  managers: 2  # default to one flow manager
  recyclers: 2 # default to one flow recycler thread
# Include the VLAN id in the flow key.
vlan:
  use-for-tracking: true

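# Flow timeouts, in seconds. The inline "#n" comments appear to record an
# earlier value for each setting.
# NOTE(review): these timeouts are very short (e.g. 20s for an established
# TCP flow); an idle session is evicted and its next packet is seen as a new,
# mid-stream flow. Confirm this is intended before relying on stateful rules.
flow-timeouts:
  default:
    new: 5 #10
    established: 20 #100
    closed: 0
    bypassed: 10 #50
    emergency-new: 2 #5
    emergency-established: 10 #50
    emergency-closed: 0
    emergency-bypassed: 5
  tcp:
    new: 5 #10
    established: 20 #100
    closed: 5 #5
    bypassed: 10 #50
    emergency-new: 2
    emergency-established: 10 #50
    emergency-closed: 0 #5
    emergency-bypassed: 5
  udp:
    new: 5 #10
    established: 20 #100
    bypassed: 5 #50
    emergency-new: 2
    emergency-established: 10 #50
    emergency-bypassed: 5
  icmp:
    new: 5 #10
    established: 5 #100
    bypassed: 5 #50
    emergency-new: 2
    emergency-established: 10 #50
    emergency-bypassed: 5
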
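# TCP stream tracking and reassembly. The commented block below apparently
# keeps an alternative (larger) tuning for reference; the active values follow.
stream:
  #memcap: 12gb
  #checksum-validation: no      # reject wrong csums
  #inline: yes                  # auto will use inline mode in IPS mode, yes or no set it statically
  #prealloc-sessions: 1000000
  #bypass: yes
  #midstream: false             # do not allow midstream session pickups
  #async-oneside: false         # do not enable async stream handling
  #drop-invalid: no            # drop invalid packets
  #reassembly:
    #memcap: 18gb
    #depth: 1mb                  # reassemble 1mb into a stream
    #toserver-chunk-size: 2560
    #toclient-chunk-size: 2560
    #randomize-chunk-size: yes
    #randomize-chunk-range: 10

  memcap: 1gb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto: inline when the capture runs with copy-mode ips
  #prealloc-session: 1000000
  bypass: yes                   # pairs with af-packet bypass: yes for flow bypass
  #midstream: false
  #async-oneside: false
  reassembly:
    memcap: 2gb
    depth: 6mb                  # reassemble 6mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes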

# Host table used for per-host state such as thresholds and xbits.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# Decoder settings

decoder:
  # Decode Teredo (IPv6-over-UDP) tunnels so the inner traffic is inspected.
  teredo:
    enabled: true

# Detection engine tuning.
detect:
  # custom: signature-group sizes come from custom-values below rather than
  # from a preset profile.
  profile: custom
  custom-values:
    toclient-groups: 300
    toserver-groups: 300
    toclient-sp-groups: 300
    toclient-dp-groups: 300
    toserver-src-groups: 300
    toserver-dst-groups: 5400
    toserver-sp-groups: 300
    toserver-dp-groups: 350
  # full: a separate MPM context per signature group (more memory, tighter matching).
  sgh-mpm-context: full
  inspection-recursion-limit: 3000

  prefilter:
    default: mpm   # multi-pattern matcher is the default prefilter engine

  # All entries commented out, so this key is parsed as null (no whitelist).
  grouping:
    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
    #udp-whitelist: 53, 135, 5060

  profiling:
    #inspect-logging-threshold: 200
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false

# hs = Hyperscan for both multi- and single-pattern matching; requires a
# build with Hyperscan support.
mpm-algo: hs

spm-algo: hs

threading:
  set-cpu-affinity: yes
  # Pin management and worker threads to disjoint CPU sets.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0,1,2,3,4,5 ]  # include only these CPUs in affinity settings
        mode: "balanced"
        prio:
          default: "high"
    - worker-cpu-set:
        # 60 CPUs in total, matching the 2 x 30 af-packet capture threads above.
        cpu: [ "20-39","60-79","40-59" ]
        mode: "exclusive"
        prio:
          default: "high"

  detect-thread-ratio: 1.0

# Number of LuaJIT states preallocated for lua rule scripts.
luajit:
  states: 128

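# Rule files are resolved relative to default-rule-path. The list is indented
# with 2 spaces to match the rest of the file (the original used 1 space).
default-rule-path: /etc/suricata/rules
rule-files:
  - custom.rules
  - botcc.rules
  - botcc.portgrouped.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-activex.rules
  - emerging-attack_response.rules
  - emerging-chat.rules
  - emerging-current_events.rules
  # NOTE(review): emerging-deleted.rules is the retired-rule set; confirm it
  # is meant to be loaded alongside the active categories.
  - emerging-deleted.rules
  - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
  - emerging-ftp.rules
  - emerging-games.rules
  - emerging-icmp_info.rules
  - emerging-icmp.rules
  - emerging-imap.rules
  - emerging-inappropriate.rules
  - emerging-info.rules
  - emerging-malware.rules
  - emerging-misc.rules
  - emerging-mobile_malware.rules
  - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-scada.rules
  - emerging-scan.rules
  - emerging-shellcode.rules
  - emerging-smtp.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-telnet.rules
  - emerging-tftp.rules
  - emerging-trojan.rules
  - emerging-user_agents.rules
  - emerging-voip.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  - emerging-web_specific_apps.rules
  - emerging-worm.rules
  - tor.rules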

# Supporting rule metadata: classtypes, reference URL prefixes and thresholds.
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
threshold-file: /etc/suricata/threshold.config