{"id":1491,"date":"2018-10-12T13:41:42","date_gmt":"2018-10-12T11:41:42","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1491"},"modified":"2018-10-17T10:09:10","modified_gmt":"2018-10-17T08:09:10","slug":"suricata-yaml","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1491","title":{"rendered":"suricata.yaml"},"content":{"rendered":"

%YAML 1.1
\n—<\/p>\n

# Suricata configuration file. In addition to the comments describing all
\n# options in this file, full documentation can be found at:
\n# https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricatayaml<\/p>\n

##
\n## Step 1: inform Suricata about your network
\n##<\/p>\n

vars:
\n# more specifc is better for alert accuracy and performance
\naddress-groups:
\n#HOME_NET: “[192.168.0.0\/16,10.0.0.0\/8,172.16.0.0\/12]”
\nHOME_NET: “[192.168.2.0\/24]”
\n#HOME_NET: “[10.0.0.0\/8]”
\n#HOME_NET: “[172.16.0.0\/12]”
\n#HOME_NET: “any”<\/p>\n

EXTERNAL_NET: “!$HOME_NET”
\n#EXTERNAL_NET: “any”<\/p>\n

HTTP_SERVERS: “$HOME_NET”
\nSMTP_SERVERS: “$HOME_NET”
\nSQL_SERVERS: “$HOME_NET”
\nDNS_SERVERS: “$HOME_NET”
\nTELNET_SERVERS: “$HOME_NET”
\nAIM_SERVERS: “$EXTERNAL_NET”
\nDNP3_SERVER: “$HOME_NET”
\nDNP3_CLIENT: “$HOME_NET”
\nMODBUS_CLIENT: “$HOME_NET”
\nMODBUS_SERVER: “$HOME_NET”
\nENIP_CLIENT: “$HOME_NET”
\nENIP_SERVER: “$HOME_NET”<\/p>\n

port-groups:
\nHTTP_PORTS: “80”
\nSHELLCODE_PORTS: “!80”
\nORACLE_PORTS: 1521
\nSSH_PORTS: 22
\nDNP3_PORTS: 20000
\nMODBUS_PORTS: 502<\/p>\n

##
\n## Step 2: select the rules to enable or disable
\n##<\/p>\n

default-rule-path: \/etc\/suricata\/rules
\nrule-files:
\n– botcc.rules
\n# – botcc.portgrouped.rules
\n– ciarmy.rules
\n– compromised.rules
\n– drop.rules
\n– dshield.rules
\n# – emerging-activex.rules
\n– emerging-attack_response.rules
\n– emerging-chat.rules
\n– emerging-current_events.rules
\n– emerging-dns.rules
\n– emerging-dos.rules
\n– emerging-exploit.rules
\n– emerging-ftp.rules
\n# – emerging-games.rules
\n# – emerging-icmp_info.rules
\n# – emerging-icmp.rules
\n– emerging-imap.rules
\n# – emerging-inappropriate.rules
\n# – emerging-info.rules
\n– emerging-malware.rules
\n– emerging-misc.rules
\n– emerging-mobile_malware.rules
\n– emerging-netbios.rules
\n– emerging-p2p.rules
\n– emerging-policy.rules
\n– emerging-pop3.rules
\n– emerging-rpc.rules
\n# – emerging-scada.rules
\n# – emerging-scada_special.rules
\n– emerging-scan.rules
\n# – emerging-shellcode.rules
\n– emerging-smtp.rules
\n– emerging-snmp.rules
\n– emerging-sql.rules
\n– emerging-telnet.rules
\n– emerging-tftp.rules
\n– emerging-trojan.rules
\n– emerging-user_agents.rules
\n– emerging-voip.rules
\n– emerging-web_client.rules
\n– emerging-web_server.rules
\n# – emerging-web_specific_apps.rules
\n– emerging-worm.rules
\n– tor.rules
\n# – decoder-events.rules # available in suricata sources under rules dir
\n# – stream-events.rules # available in suricata sources under rules dir
\n– http-events.rules # available in suricata sources under rules dir
\n– smtp-events.rules # available in suricata sources under rules dir
\n– dns-events.rules # available in suricata sources under rules dir
\n– tls-events.rules # available in suricata sources under rules dir
\n# – modbus-events.rules # available in suricata sources under rules dir
\n# – app-layer-events.rules # available in suricata sources under rules dir
\n# – dnp3-events.rules # available in suricata sources under rules dir<\/p>\n

classification-file: \/etc\/suricata\/classification.config
\nreference-config-file: \/etc\/suricata\/reference.config
\n# threshold-file: \/etc\/suricata\/threshold.config<\/p>\n

##
\n## Step 3: select outputs to enable
\n##<\/p>\n

# The default logging directory. Any log or output file will be
\n# placed here if its not specified with a full path name. This can be
\n# overridden with the -l command line parameter.
\ndefault-log-dir: \/var\/log\/suricata\/<\/p>\n

# global stats configuration
\nstats:
\nenabled: yes
\n# The interval field (in seconds) controls at what interval
\n# the loggers are invoked.
\ninterval: 8<\/p>\n

# Configure the type of alert (and other) logging you would like.
\noutputs:
\n# a line based alerts log similar to Snort’s fast.log
\n– fast:
\nenabled: yes
\nfilename: fast.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# Extensible Event Format (nicknamed EVE) event log in JSON format
\n– eve-log:
\nenabled: yes
\nfiletype: regular #regular|syslog|unix_dgram|unix_stream|redis
\nfilename: eve.json
\n#prefix: “@cee: ” # prefix to prepend to each log entry
\n# the following are valid when type: syslog above
\n#identity: “suricata”
\n#facility: local5
\n#level: Info ## possible levels: Emergency, Alert, Critical,
\n## Error, Warning, Notice, Info, Debug
\n#redis:
\n# server: 127.0.0.1
\n# port: 6379
\n# mode: list ## possible values: list (default), channel
\n# key: suricata ## key or channel to use (default to suricata)
\n# Redis pipelining set up. This will enable to only do a query every
\n# ‘batch-size’ events. This should lower the latency induced by network
\n# connection at the cost of some memory. There is no flushing implemented
\n# so this setting as to be reserved to high traffic suricata.
\n# pipelining:
\n# enabled: yes ## set enable to yes to enable query pipelining
\n# batch-size: 10 ## number of entry to keep in buffer
\ntypes:
\n– alert:
\n# payload: yes # enable dumping payload in Base64
\n# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
\n# payload-printable: yes # enable dumping payload in printable (lossy) format
\n# packet: yes # enable dumping of packet (without stream segments)
\nhttp: yes # enable dumping of http fields
\ntls: yes # enable dumping of tls fields
\nssh: yes # enable dumping of ssh fields
\nsmtp: yes # enable dumping of smtp fields
\ndnp3: yes # enable dumping of DNP3 fields<\/p>\n

# Enable the logging of tagged packets for rules using the
\n# “tag” keyword.
\ntagged-packets: yes<\/p>\n

# HTTP X-Forwarded-For support by adding an extra field or overwriting
\n# the source or destination IP address (depending on flow direction)
\n# with the one reported in the X-Forwarded-For HTTP header. This is
\n# helpful when reviewing alerts for traffic that is being reverse
\n# or forward proxied.
\nxff:
\nenabled: no
\n# Two operation modes are available, “extra-data” and “overwrite”.
\nmode: extra-data
\n# Two proxy deployments are supported, “reverse” and “forward”. In
\n# a “reverse” deployment the IP address used is the last one, in a
\n# “forward” deployment the first IP address is used.
\ndeployment: reverse
\n# Header name where the actual IP address will be reported, if more
\n# than one IP address is present, the last IP address will be the
\n# one taken into consideration.
\nheader: X-Forwarded-For
\n– http:
\nextended: yes # enable this for extended logging information
\n# custom allows additional http fields to be included in eve-log
\n# the example below adds three additional fields when uncommented
\n#custom: [Accept-Encoding, Accept-Language, Authorization]
\n– dns:
\n# control logging of queries and answers
\n# default yes, no to disable
\nquery: yes # enable logging of DNS queries
\nanswer: yes # enable logging of DNS answers
\n# control which RR types are logged
\n# all enabled if custom not specified
\n#custom: [a, aaaa, cname, mx, ns, ptr, txt]
\n– tls:
\nextended: yes # enable this for extended logging information
\n– files:
\nforce-magic: no # force logging magic on all logged files
\n# force logging of checksums, available hash functions are md5,
\n# sha1 and sha256
\n#force-hash: [md5]
\n#- drop:
\n# alerts: yes # log alerts that caused drops
\n# flows: all # start or all: ‘start’ logs only a single drop
\n# # per flow direction. All logs each dropped pkt.
\n– smtp:
\n#extended: yes # enable this for extended logging information
\n# this includes: bcc, message-id, subject, x_mailer, user-agent
\n# custom fields logging from the list:
\n# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
\n# x-originating-ip, in-reply-to, references, importance, priority,
\n# sensitivity, organization, content-md5, date
\n#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
\n# output md5 of fields: body, subject
\n# for the body you need to set app-layer.protocols.smtp.mime.body-md5
\n# to yes
\n#md5: [body, subject]<\/p>\n

– ssh
\n– stats:
\ntotals: yes # stats for all threads merged together
\nthreads: no # per thread stats
\ndeltas: no # include delta values
\n# bi-directional flows
\n– flow
\n# uni-directional flows
\n#- netflow
\n#- dnp3<\/p>\n

# alert output for use with Barnyard2
\n– unified2-alert:
\nenabled: no
\nfilename: unified2.alert<\/p>\n

# File size limit. Can be specified in kb, mb, gb. Just a number
\n# is parsed as bytes.
\n#limit: 32mb<\/p>\n

# Sensor ID field of unified2 alerts.
\n#sensor-id: 0<\/p>\n

# Include payload of packets related to alerts. Defaults to true, set to
\n# false if payload is not required.
\n#payload: yes<\/p>\n

# HTTP X-Forwarded-For support by adding the unified2 extra header or
\n# overwriting the source or destination IP address (depending on flow
\n# direction) with the one reported in the X-Forwarded-For HTTP header.
\n# This is helpful when reviewing alerts for traffic that is being reverse
\n# or forward proxied.
\nxff:
\nenabled: no
\n# Two operation modes are available, “extra-data” and “overwrite”. Note
\n# that in the “overwrite” mode, if the reported IP address in the HTTP
\n# X-Forwarded-For header is of a different version of the packet
\n# received, it will fall-back to “extra-data” mode.
\nmode: extra-data
\n# Two proxy deployments are supported, “reverse” and “forward”. In
\n# a “reverse” deployment the IP address used is the last one, in a
\n# “forward” deployment the first IP address is used.
\ndeployment: reverse
\n# Header name where the actual IP address will be reported, if more
\n# than one IP address is present, the last IP address will be the
\n# one taken into consideration.
\nheader: X-Forwarded-For<\/p>\n

# a line based log of HTTP requests (no alerts)
\n– http-log:
\nenabled: no
\nfilename: http.log
\nappend: yes
\n#extended: yes # enable this for extended logging information
\n#custom: yes # enabled the custom logging format (defined by customformat)
\n#customformat: “%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P”
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# a line based log of TLS handshake parameters (no alerts)
\n– tls-log:
\nenabled: no # Log TLS connections.
\nfilename: tls.log # File to store TLS logs.
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’
\n#extended: yes # Log extended information like fingerprint<\/p>\n

# output module to store certificates chain to disk
\n– tls-store:
\nenabled: no
\n#certs-log-dir: certs # directory to store the certificates files<\/p>\n

# a line based log of DNS requests and\/or replies (no alerts)
\n– dns-log:
\nenabled: no
\nfilename: dns.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# Packet log… log packets in pcap format. 3 modes of operation: “normal”
\n# “multi” and “sguil”.
\n#
\n# In normal mode a pcap file “filename” is created in the default-log-dir,
\n# or are as specified by “dir”.
\n# In multi mode, a file is created per thread. This will perform much
\n# better, but will create multiple files where ‘normal’ would create one.
\n# In multi mode the filename takes a few special variables:
\n# – %n — thread number
\n# – %i — thread id
\n# – %t — timestamp (secs or secs.usecs based on ‘ts-format’
\n# E.g. filename: pcap.%n.%t
\n#
\n# Note that it’s possible to use directories, but the directories are not
\n# created by Suricata. E.g. filename: pcaps\/%n\/log.%s will log into the
\n# per thread directory.
\n#
\n# Also note that the limit and max-files settings are enforced per thread.
\n# So the size limit when using 8 threads with 1000mb files and 2000 files
\n# is: 8*1000*2000 ~ 16TiB.
\n#
\n# In Sguil mode “dir” indicates the base directory. In this base dir the
\n# pcaps are created in th directory structure Sguil expects:
\n#
\n# $sguil-base-dir\/YYYY-MM-DD\/$filename.<timestamp>
\n#
\n# By default all packets are logged except:
\n# – TCP streams beyond stream.reassembly.depth
\n# – encrypted streams after the key exchange
\n#
\n– pcap-log:
\nenabled: no
\nfilename: log.pcap<\/p>\n

# File size limit. Can be specified in kb, mb, gb. Just a number
\n# is parsed as bytes.
\nlimit: 1000mb<\/p>\n

# If set to a value will enable ring buffer mode. Will keep Maximum of “max-files” of size “limit”
\nmax-files: 2000<\/p>\n

mode: normal # normal, multi or sguil.<\/p>\n

# Directory to place pcap files. If not provided the default log
\n# directory will be used. Required for “sguil” mode.
\n#dir: \/nsm_data\/<\/p>\n

#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
\nuse-stream-depth: no #If set to “yes” packets seen after reaching stream inspection depth are ignored. “no” logs all packets
\nhonor-pass-rules: no # If set to “yes”, flows in which a pass rule matched will stopped being logged.<\/p>\n

# a full alerts log containing much information for signature writers
\n# or for investigating suspected false positives.
\n– alert-debug:
\nenabled: no
\nfilename: alert-debug.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# alert output to prelude (http:\/\/www.prelude-technologies.com\/) only
\n# available if Suricata has been compiled with –enable-prelude
\n– alert-prelude:
\nenabled: no
\nprofile: suricata
\nlog-packet-content: no
\nlog-packet-header: yes<\/p>\n

# Stats.log contains data from various counters of the suricata engine.
\n– stats:
\nenabled: yes
\nfilename: stats.log
\ntotals: yes # stats for all threads merged together
\nthreads: no # per thread stats
\n#null-values: yes # print counters that have value 0<\/p>\n

# a line based alerts log similar to fast.log into syslog
\n– syslog:
\nenabled: yes
\n# reported identity to syslog. If ommited the program name (usually
\n# suricata) will be used.
\nidentity: “suricata”
\nfacility: local5
\n#level: Info ## possible levels: Emergency, Alert, Critical,
\n## Error, Warning, Notice, Info, Debug<\/p>\n

# a line based information for dropped packets in IPS mode
\n– drop:
\nenabled: no
\nfilename: drop.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# output module to store extracted files to disk
\n#
\n# The files are stored to the log-dir in a format “file.<id>” where <id> is
\n# an incrementing number starting at 1. For each file “file.<id>” a meta
\n# file “file.<id>.meta” is created.
\n#
\n# File extraction depends on a lot of things to be fully done:
\n# – file-store stream-depth. For optimal results, set this to 0 (unlimited)
\n# – http request \/ response body sizes. Again set to 0 for optimal results.
\n# – rules that contain the “filestore” keyword.
\n– file-store:
\nenabled: no # set to yes to enable
\nlog-dir: files # directory to store the files
\nforce-magic: no # force logging magic on all stored files
\n# force logging of checksums, available hash functions are md5,
\n# sha1 and sha256
\n#force-hash: [md5]
\nforce-filestore: no # force storing of all files
\n# override global stream-depth for sessions in which we want to
\n# perform file extraction. Set to 0 for unlimited.
\n#stream-depth: 0
\n#waldo: file.waldo # waldo file to store the file_id across runs<\/p>\n

# output module to log files tracked in a easily parsable json format
\n– file-log:
\nenabled: no
\nfilename: files-json.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

force-magic: no # force logging magic on all logged files
\n# force logging of checksums, available hash functions are md5,
\n# sha1 and sha256
\n#force-hash: [md5]<\/p>\n

# Log TCP data after stream normalization
\n# 2 types: file or dir. File logs into a single logfile. Dir creates
\n# 2 files per TCP session and stores the raw TCP data into them.
\n# Using ‘both’ will enable both file and dir modes.
\n#
\n# Note: limited by stream.depth
\n– tcp-data:
\nenabled: no
\ntype: file
\nfilename: tcp-data.log<\/p>\n

# Log HTTP body data after normalization, dechunking and unzipping.
\n# 2 types: file or dir. File logs into a single logfile. Dir creates
\n# 2 files per HTTP session and stores the normalized data into them.
\n# Using ‘both’ will enable both file and dir modes.
\n#
\n# Note: limited by the body limit settings
\n– http-body-data:
\nenabled: no
\ntype: file
\nfilename: http-data.log<\/p>\n

# Lua Output Support – execute lua script to generate alert and event
\n# output.
\n# Documented at:
\n# https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Lua_Output
\n– lua:
\nenabled: no
\n#scripts-dir: \/etc\/suricata\/lua-output\/
\nscripts:
\n# – script1.lua<\/p>\n

# Logging configuration. This is not about logging IDS alerts\/events, but
\n# output about what Suricata is doing, like startup messages, errors, etc.
\nlogging:
\n# The default log level, can be overridden in an output section.
\n# Note that debug level logging will only be emitted if Suricata was
\n# compiled with the –enable-debug configure option.
\n#
\n# This value is overriden by the SC_LOG_LEVEL env var.
\ndefault-log-level: notice<\/p>\n

# The default output format. Optional parameter, should default to
\n# something reasonable if not provided. Can be overriden in an
\n# output section. You can leave this out to get the default.
\n#
\n# This value is overriden by the SC_LOG_FORMAT env var.
\n#default-log-format: “[%i] %t – (%f:%l) <%d> (%n) — ”<\/p>\n

# A regex to filter output. Can be overridden in an output section.
\n# Defaults to empty (no filter).
\n#
\n# This value is overriden by the SC_LOG_OP_FILTER env var.
\ndefault-output-filter:<\/p>\n

# Define your logging outputs. If none are defined, or they are all
\n# disabled you will get the default – console output.
\noutputs:
\n– console:
\nenabled: yes
\n# type: json
\n– file:
\nenabled: yes
\nlevel: info
\nfilename: \/var\/log\/suricata\/suricata.log
\n# type: json
\n– syslog:
\nenabled: no
\nfacility: local5
\nformat: “[%i] <%d> — ”
\n# type: json<\/p>\n

##
\n## Step 4: configure common capture settings
\n##
\n## See “Advanced Capture Options” below for more options, including NETMAP
\n## and PF_RING.
\n##<\/p>\n

# Linux high speed capture support
\naf-packet:
\n– interface: eth0
\n# Number of receive threads. “auto” uses the number of cores
\n#threads: auto
\n# Default clusterid. AF_PACKET will load balance packets based on flow.
\ncluster-id: 99
\n# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
\n# This is only supported for Linux kernel > 3.1
\n# possible value are:
\n# * cluster_round_robin: round robin load balancing
\n# * cluster_flow: all packets of a given flow are send to the same socket
\n# * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
\n# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
\n# socket. Requires at least Linux 3.14.
\n# * cluster_random: packets are sent randomly to sockets but with an equipartition.
\n# Requires at least Linux 3.14.
\n# * cluster_rollover: kernel rotates between sockets filling each socket before moving
\n# to the next. Requires at least Linux 3.10.
\n# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
\n# with capture card using RSS (require cpu affinity tuning and system irq tuning)
\ncluster-type: cluster_flow
\n# In some fragmentation case, the hash can not be computed. If “defrag” is set
\n# to yes, the kernel will do the needed defragmentation before sending the packets.
\ndefrag: yes
\n# After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
\n# full then kernel will send the packet on the next socket with room available. This option
\n# can minimize packet drop and increase the treated bandwidth on single intensive flow.
\n#rollover: yes
\n# To use the ring feature of AF_PACKET, set ‘use-mmap’ to yes
\n#use-mmap: yes
\n# Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
\n# your system
\n#mmap-locked: yes
\n# Use experimental tpacket_v3 capture mode, only active if use-mmap is true
\n#tpacket-v3: yes
\n# Ring size will be computed with respect to max_pending_packets and number
\n# of threads. You can set manually the ring size in number of packets by setting
\n# the following value. If you are using flow cluster-type and have really network
\n# intensive single-flow you could want to set the ring-size independently of the number
\n# of threads:
\n#ring-size: 2048
\n# Block size is used by tpacket_v3 only. It should set to a value high enough to contain
\n# a decent number of packets. Size is in bytes so please consider your MTU. It should be
\n# a power of 2 and it must be multiple of page size (usually 4096).
\n#block-size: 32768
\n# tpacket_v3 block timeout: an open block is passed to userspace if it is not
\n# filled after block-timeout milliseconds.
\n#block-timeout: 10
\n# On busy system, this could help to set it to yes to recover from a packet drop
\n# phase. This will result in some packets (at max a ring flush) being non treated.
\n#use-emergency-flush: yes
\n# recv buffer size, increase value could improve performance
\n# buffer-size: 32768
\n# Set to yes to disable promiscuous mode
\n# disable-promisc: no
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may be with an invalid checksum due to
\n# offloading to the network card of the checksum computation.
\n# Possible values are:
\n# – kernel: use indication sent by kernel for each packet (default)
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: suricata uses a statistical approach to detect when
\n# checksum off-loading is used.
\n# Warning: ‘checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: kernel
\n# BPF filter to apply to this interface. The pcap filter syntax apply here.
\n#bpf-filter: port 80 or udp
\n# You can use the following variables to activate AF_PACKET tap or IPS mode.
\n# If copy-mode is set to ips or tap, the traffic coming to the current
\n# interface will be copied to the copy-iface interface. If ‘tap’ is set, the
\n# copy is complete. If ‘ips’ is set, the packet matching a ‘drop’ action
\n# will not be copied.
\n#copy-mode: ips
\n#copy-iface: eth1<\/p>\n

# Put default values here. These will be used for an interface that is not
\n# in the list above.
\n– interface: default
\n#threads: auto
\n#use-mmap: no
\n#rollover: yes
\n#tpacket-v3: yes<\/p>\n

# Cross platform libpcap capture support
\npcap:
\n– interface: eth0
\n# On Linux, pcap will try to use mmaped capture and will use buffer-size
\n# as total of memory used by the ring. So set this to something bigger
\n# than 1% of your bandwidth.
\n#buffer-size: 16777216
\n#bpf-filter: “tcp and port 25”
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may be with an invalid checksum due to
\n# offloading to the network card of the checksum computation.
\n# Possible values are:
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: suricata uses a statistical approach to detect when
\n# checksum off-loading is used. (default)
\n# Warning: ‘checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: auto
\n# With some accelerator cards using a modified libpcap (like myricom), you
\n# may want to have the same number of capture threads as the number of capture
\n# rings. In this case, set up the threads variable to N to start N threads
\n# listening on the same interface.
\n#threads: 16
\n# set to no to disable promiscuous mode:
\n#promisc: no
\n# set snaplen, if not set it defaults to MTU if MTU can be known
\n# via ioctl call and to full capture if not.
\n#snaplen: 1518
\n# Put default values here
\n– interface: default
\n#checksum-checks: auto<\/p>\n

# Settings for reading pcap files
\npcap-file:
\n# Possible values are:
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: suricata uses a statistical approach to detect when
\n# checksum off-loading is used. (default)
\n# Warning: ‘checksum-validation’ must be set to yes to have checksum tested
\nchecksum-checks: auto<\/p>\n

# See “Advanced Capture Options” below for more options, including NETMAP
\n# and PF_RING.<\/p>\n

##
\n## Step 5: App Layer Protocol Configuration
\n##<\/p>\n

# Configure the app-layer parsers. The protocols section details each
\n# protocol.
\n#
\n# The option “enabled” takes 3 values – “yes”, “no”, “detection-only”.
\n# “yes” enables both detection and the parser, “no” disables both, and
\n# “detection-only” enables protocol detection only (parser disabled).
\napp-layer:
\nprotocols:
\ntls:
\nenabled: yes
\ndetection-ports:
\ndp: 443<\/p>\n

# Completely stop processing TLS\/SSL session after the handshake
\n# completed. If bypass is enabled this will also trigger flow
\n# bypass. If disabled (the default), TLS\/SSL session is still
\n# tracked for Heartbleed and other anomalies.
\n#no-reassemble: yes
\ndcerpc:
\nenabled: yes
\nftp:
\nenabled: yes
\nssh:
\nenabled: yes
\nsmtp:
\nenabled: yes
\n# Configure SMTP-MIME Decoder
\nmime:
\n# Decode MIME messages from SMTP transactions
\n# (may be resource intensive)
\n# This field supercedes all others because it turns the entire
\n# process on or off
\ndecode-mime: yes<\/p>\n

# Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
\ndecode-base64: yes
\ndecode-quoted-printable: yes<\/p>\n

# Maximum bytes per header data value stored in the data structure
\n# (default is 2000)
\nheader-value-depth: 2000<\/p>\n

# Extract URLs and save in state data structure
\nextract-urls: yes
\n# Set to yes to compute the md5 of the mail body. You will then
\n# be able to journalize it.
\nbody-md5: no
\n# Configure inspected-tracker for file_data keyword
\ninspected-tracker:
\ncontent-limit: 100000
\ncontent-inspect-min-size: 32768
\ncontent-inspect-window: 4096
\nimap:
\nenabled: detection-only
\nmsn:
\nenabled: detection-only
\nsmb:
\nenabled: yes
\ndetection-ports:
\ndp: 139, 445
\n# smb2 detection is disabled internally inside the engine.
\n#smb2:
\n# enabled: yes
\ndns:
\n# memcaps. Globally and per flow\/state.
\n#global-memcap: 16mb
\n#state-memcap: 512kb<\/p>\n

# How many unreplied DNS requests are considered a flood.
\n# If the limit is reached, app-layer-event:dns.flooded; will match.
\n#request-flood: 500<\/p>\n

tcp:
\nenabled: yes
\ndetection-ports:
\ndp: 53
\nudp:
\nenabled: yes
\ndetection-ports:
\ndp: 53
\nhttp:
\nenabled: yes
\n# memcap: 64mb<\/p>\n

# default-config: Used when no server-config matches
\n# personality: List of personalities used by default
\n# request-body-limit: Limit reassembly of request body for inspection
\n# by http_client_body & pcre \/P option.
\n# response-body-limit: Limit reassembly of response body for inspection
\n# by file_data, http_server_body & pcre \/Q option.
\n# double-decode-path: Double decode path section of the URI
\n# double-decode-query: Double decode query section of the URI
\n# response-body-decompress-layer-limit:
\n# Limit to how many layers of compression will be
\n# decompressed. Defaults to 2.
\n#
\n# server-config: List of server configurations to use if address matches
\n# address: List of ip addresses or networks for this block
\n# personalitiy: List of personalities used by this block
\n# request-body-limit: Limit reassembly of request body for inspection
\n# by http_client_body & pcre \/P option.
\n# response-body-limit: Limit reassembly of response body for inspection
\n# by file_data, http_server_body & pcre \/Q option.
\n# double-decode-path: Double decode path section of the URI
\n# double-decode-query: Double decode query section of the URI
\n#
\n# uri-include-all: Include all parts of the URI. By default the
\n# ‘scheme’, username\/password, hostname and port
\n# are excluded. Setting this option to true adds
\n# all of them to the normalized uri as inspected
\n# by http_uri, urilen, pcre with \/U and the other
\n# keywords that inspect the normalized uri.
\n# Note that this does not affect http_raw_uri.
\n# Also, note that including all was the default in
\n# 1.4 and 2.0beta1.
\n#
\n# meta-field-limit: Hard size limit for request and response size
\n# limits. Applies to request line and headers,
\n# response line and headers. Does not apply to
\n# request or response bodies. Default is 18k.
\n# If this limit is reached an event is raised.
\n#
\n# Currently Available Personalities:
\n# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
\n# IIS_7_0, IIS_7_5, Apache_2
\nlibhtp:
\ndefault-config:
\npersonality: IDS<\/p>\n

# Can be specified in kb, mb, gb. Just a number indicates
\n# it’s in bytes.
\nrequest-body-limit: 100kb
\nresponse-body-limit: 100kb<\/p>\n

# inspection limits
\nrequest-body-minimal-inspect-size: 32kb
\nrequest-body-inspect-window: 4kb
\nresponse-body-minimal-inspect-size: 40kb
\nresponse-body-inspect-window: 16kb<\/p>\n

# response body decompression (0 disables)
\nresponse-body-decompress-layer-limit: 2<\/p>\n

# auto will use http-body-inline mode in IPS mode, yes or no set it statically
\nhttp-body-inline: auto<\/p>\n

# Take a random value for inspection sizes around the specified value.
\n# This lower the risk of some evasion technics but could lead
\n# detection change between runs. It is set to ‘yes’ by default.
\n#randomize-inspection-sizes: yes
\n# If randomize-inspection-sizes is active, the value of various
\n# inspection size will be choosen in the [1 – range%, 1 + range%]
\n# range
\n# Default value of randomize-inspection-range is 10.
\n#randomize-inspection-range: 10<\/p>\n

# decoding
\ndouble-decode-path: no
\ndouble-decode-query: no<\/p>\n

server-config:<\/p>\n

#- apache:
\n# address: [192.168.1.0\/24, 127.0.0.0\/8, “::1”]
\n# personality: Apache_2
\n# # Can be specified in kb, mb, gb. Just a number indicates
\n# # it’s in bytes.
\n# request-body-limit: 4096
\n# response-body-limit: 4096
\n# double-decode-path: no
\n# double-decode-query: no<\/p>\n

#- iis7:
\n# address:
\n# – 192.168.0.0\/24
\n# – 192.168.10.0\/24
\n# personality: IIS_7_0
\n# # Can be specified in kb, mb, gb. Just a number indicates
\n# # it’s in bytes.
\n# request-body-limit: 4096
\n# response-body-limit: 4096
\n# double-decode-path: no
\n# double-decode-query: no<\/p>\n

# Note: Modbus probe parser is minimalist due to the poor significant field
\n# Only Modbus message length (greater than Modbus header length)
\n# And Protocol ID (equal to 0) are checked in probing parser
\n# It is important to enable detection port and define Modbus port
\n# to avoid false positive
\nmodbus:
\n# How many unreplied Modbus requests are considered a flood.
\n# If the limit is reached, app-layer-event:modbus.flooded; will match.
\n#request-flood: 500<\/p>\n

enabled: no
\ndetection-ports:
\ndp: 502
\n# According to MODBUS Messaging on TCP\/IP Implementation Guide V1.0b, it
\n# is recommended to keep the TCP connection opened with a remote device
\n# and not to open and close it for each MODBUS\/TCP transaction. In that
\n# case, it is important to set the depth of the stream reassembling as
\n# unlimited (stream.reassembly.depth: 0)<\/p>\n

# Stream reassembly size for modbus. By default track it completely.
\nstream-depth: 0<\/p>\n

# DNP3
\ndnp3:
\nenabled: no
\ndetection-ports:
\ndp: 20000<\/p>\n

# SCADA EtherNet\/IP and CIP protocol support
\nenip:
\nenabled: no
\ndetection-ports:
\ndp: 44818
\nsp: 44818<\/p>\n

# Limit for the maximum number of asn1 frames to decode (default 256)
\nasn1-max-frames: 256<\/p>\n

##############################################################################
\n##
\n## Advanced settings below
\n##
\n##############################################################################<\/p>\n

##
\n## Run Options
\n##<\/p>\n

# Run suricata as user and group.
\n#run-as:
\n# user: suri
\n# group: suri<\/p>\n

# Some logging module will use that name in event as identifier. The default
\n# value is the hostname
\n#sensor-name: suricata<\/p>\n

# Default pid file.
\n# Will use this file if no –pidfile in command options.
\n#pid-file: \/var\/run\/suricata.pid<\/p>\n

# Daemon working directory
\n# Suricata will change directory to this one if provided
\n# Default: “\/”
\n#daemon-directory: “\/”<\/p>\n

# Suricata core dump configuration. Limits the size of the core dump file to
\n# approximately max-dump. The actual core dump size will be a multiple of the
\n# page size. Core dumps that would be larger than max-dump are truncated. On
\n# Linux, the actual core dump size may be a few pages larger than max-dump.
\n# Setting max-dump to 0 disables core dumping.
\n# Setting max-dump to ‘unlimited’ will give the full core dump file.
\n# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
\n# to be ‘unlimited’.<\/p>\n

coredump:
\nmax-dump: unlimited<\/p>\n

# If suricata box is a router for the sniffed networks, set it to ‘router’. If
\n# it is a pure sniffing setup, set it to ‘sniffer-only’.
\n# If set to auto, the variable is internally switch to ‘router’ in IPS mode
\n# and ‘sniffer-only’ in IDS mode.
\n# This feature is currently only used by the reject* keywords.
\nhost-mode: auto<\/p>\n

# Number of packets preallocated per thread. The default is 1024. A higher number
\n# will make sure each CPU will be more easily kept busy, but may negatively
\n# impact caching.
\n#
\n# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
\n# apply. In that case try something like 60000 or more. This is because the CUDA
\n# pattern matcher buffers and scans as many packets as possible in parallel.
\nmax-pending-packets: 1024<\/p>\n

# Runmode the engine should use. Please check –list-runmodes to get the available
\n# runmodes for each packet acquisition method. Defaults to “autofp” (auto flow pinned
\n# load balancing).
\nrunmode: autofp<\/p>\n

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
\n#
\n# Supported schedulers are:
\n#
\n# round-robin – Flows assigned to threads in a round robin fashion.
\n# active-packets – Flows assigned to threads that have the lowest number of
\n# unprocessed packets (default).
\n# hash – Flow alloted usihng the address hash. More of a random
\n# technique. Was the default in Suricata 1.2.1 and older.
\n#
\nautofp-scheduler: active-packets<\/p>\n

# Preallocated size for packet. Default is 1514 which is the classical
\n# size for pcap on ethernet. You should adjust this value to the highest
\n# packet size (MTU + hardware header) on your system.
\ndefault-packet-size: 1514<\/p>\n

# Unix command socket can be used to pass commands to suricata.
\n# An external tool can then connect to get information from suricata
\n# or trigger some modifications of the engine. Set enabled to yes
\n# to activate the feature. In auto mode, the feature will only be
\n# activated in live capture mode. You can use the filename variable to set
\n# the file name of the socket.
\nunix-command:
\nenabled: no
\n# filename: \/var\/run\/suricata-command.socket<\/p>\n

# Magic file. The extension .mgc is added to the value here.
\n#magic-file: \/usr\/share\/file\/magic
\n#magic-file:<\/p>\n

legacy:
\nuricontent: enabled<\/p>\n

##
\n## Detection settings
\n##<\/p>\n

# Set the order of alerts bassed on actions
\n# The default order is pass, drop, reject, alert
\n# action-order:
\n# – pass
\n# – drop
\n# – reject
\n# – alert<\/p>\n

# IP Reputation
\n#reputation-categories-file: \/etc\/suricata\/iprep\/categories.txt
\n#default-reputation-path: \/etc\/suricata\/iprep
\n#reputation-files:
\n# – reputation.list<\/p>\n

# When run with the option –engine-analysis, the engine will read each of
\n# the parameters below, and print reports for each of the enabled sections
\n# and exit. The reports are printed to a file in the default log dir
\n# given by the parameter “default-log-dir”, with engine reporting
\n# subsection below printing reports in its own report file.
\nengine-analysis:
\n# enables printing reports for fast-pattern for every rule.
\nrules-fast-pattern: yes
\n# enables printing reports for each rule
\nrules: yes<\/p>\n

#recursion and match limits for PCRE where supported
\npcre:
\nmatch-limit: 3500
\nmatch-limit-recursion: 1500<\/p>\n

##
\n## Advanced Traffic Tracking and Reconstruction Settings
\n##<\/p>\n

# Host specific policies for defragmentation and TCP stream
\n# reassembly. The host OS lookup is done using a radix tree, just
\n# like a routing table so the most specific entry matches.
\nhost-os-policy:
\n# Make the default policy windows.
\nwindows: [0.0.0.0\/0]
\nbsd: []
\nbsd-right: []
\nold-linux: []
\nlinux: []
\nold-solaris: []
\nsolaris: []
\nhpux10: []
\nhpux11: []
\nirix: []
\nmacos: []
\nvista: []
\nwindows2k3: []<\/p>\n

# Defrag settings:<\/p>\n

defrag:
\nmemcap: 32mb
\nhash-size: 65536
\ntrackers: 65535 # number of defragmented flows to follow
\nmax-frags: 65535 # number of fragments to keep (higher than trackers)
\nprealloc: yes
\ntimeout: 60<\/p>\n

# Enable defrag per host settings
\n# host-config:
\n#
\n# – dmz:
\n# timeout: 30
\n# address: [192.168.1.0\/24, 127.0.0.0\/8, 1.1.1.0\/24, 2.2.2.0\/24, “1.1.1.1”, “2.2.2.2”, “::1”]
\n#
\n# – lan:
\n# timeout: 45
\n# address:
\n# – 192.168.0.0\/24
\n# – 192.168.10.0\/24
\n# – 172.16.14.0\/24<\/p>\n

# Flow settings:
\n# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
\n# for flow allocation inside the engine. You can change this value to allow
\n# more memory usage for flows.
\n# The hash-size determine the size of the hash used to identify flows inside
\n# the engine, and by default the value is 65536.
\n# At the startup, the engine can preallocate a number of flows, to get a better
\n# performance. The number of flows preallocated is 10000 by default.
\n# emergency-recovery is the percentage of flows that the engine need to
\n# prune before unsetting the emergency state. The emergency state is activated
\n# when the memcap limit is reached, allowing to create new flows, but
\n# prunning them with the emergency timeouts (they are defined below).
\n# If the memcap is reached, the engine will try to prune flows
\n# with the default timeouts. If it doens’t find a flow to prune, it will set
\n# the emergency bit and it will try again with more agressive timeouts.
\n# If that doesn’t work, then it will try to kill the last time seen flows
\n# not in use.
\n# The memcap can be specified in kb, mb, gb. Just a number indicates it’s
\n# in bytes.<\/p>\n

flow:
\nmemcap: 128mb
\nhash-size: 65536
\nprealloc: 10000
\nemergency-recovery: 30
\n#managers: 1 # default to one flow manager
\n#recyclers: 1 # default to one flow recycler thread<\/p>\n

# This option controls the use of vlan ids in the flow (and defrag)
\n# hashing. Normally this should be enabled, but in some (broken)
\n# setups where both sides of a flow are not tagged with the same vlan
\n# tag, we can ignore the vlan id’s in the flow hashing.
\nvlan:
\nuse-for-tracking: true<\/p>\n

# Specific timeouts for flows. Here you can specify the timeouts that the
\n# active flows will wait to transit from the current state to another, on each
\n# protocol. The value of “new” determine the seconds to wait after a hanshake or
\n# stream startup before the engine free the data of that flow it doesn’t
\n# change the state to established (usually if we don’t receive more packets
\n# of that flow). The value of “established” is the amount of
\n# seconds that the engine will wait to free the flow if it spend that amount
\n# without receiving new packets or closing the connection. “closed” is the
\n# amount of time to wait after a flow is closed (usually zero). “bypassed”
\n# timeout controls locally bypassed flows. For these flows we don’t do any other
\n# tracking. If no packets have been seen after this timeout, the flow is discarded.
\n#
\n# There’s an emergency mode that will become active under attack circumstances,
\n# making the engine to check flow status faster. This configuration variables
\n# use the prefix “emergency-” and work similar as the normal ones.
\n# Some timeouts doesn’t apply to all the protocols, like “closed”, for udp and
\n# icmp.<\/p>\n

flow-timeouts:<\/p>\n

default:
\nnew: 30
\nestablished: 300
\nclosed: 0
\nbypassed: 100
\nemergency-new: 10
\nemergency-established: 100
\nemergency-closed: 0
\nemergency-bypassed: 50
\ntcp:
\nnew: 60
\nestablished: 600
\nclosed: 60
\nbypassed: 100
\nemergency-new: 5
\nemergency-established: 100
\nemergency-closed: 10
\nemergency-bypassed: 50
\nudp:
\nnew: 30
\nestablished: 300
\nbypassed: 100
\nemergency-new: 10
\nemergency-established: 100
\nemergency-bypassed: 50
\nicmp:
\nnew: 30
\nestablished: 300
\nbypassed: 100
\nemergency-new: 10
\nemergency-established: 100
\nemergency-bypassed: 50<\/p>\n

# Stream engine settings. Here the TCP stream tracking and reassembly
\n# engine is configured.
\n#
\n# stream:
\n# memcap: 32mb # Can be specified in kb, mb, gb. Just a
\n# # number indicates it’s in bytes.
\n# checksum-validation: yes # To validate the checksum of received
\n# # packet. If csum validation is specified as
\n# # “yes”, then packet with invalid csum will not
\n# # be processed by the engine stream\/app layer.
\n# # Warning: locally generated trafic can be
\n# # generated without checksum due to hardware offload
\n# # of checksum. You can control the handling of checksum
\n# # on a per-interface basis via the ‘checksum-checks’
\n# # option
\n# prealloc-sessions: 2k # 2k sessions prealloc’d per stream thread
\n# midstream: false # don’t allow midstream session pickups
\n# async-oneside: false # don’t enable async stream handling
\n# inline: no # stream inline mode
\n# max-synack-queued: 5 # Max different SYN\/ACKs to queue
\n# bypass: no # Bypass packets when stream.depth is reached
\n#
\n# reassembly:
\n# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
\n# # indicates it’s in bytes.
\n# depth: 1mb # Can be specified in kb, mb, gb. Just a number
\n# # indicates it’s in bytes.
\n# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
\n# # this size. Can be specified in kb, mb,
\n# # gb. Just a number indicates it’s in bytes.
\n# # The max acceptable size is 4024 bytes.
\n# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
\n# # this size. Can be specified in kb, mb,
\n# # gb. Just a number indicates it’s in bytes.
\n# # The max acceptable size is 4024 bytes.
\n# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
\n# # This lower the risk of some evasion technics but could lead
\n# # detection change between runs. It is set to ‘yes’ by default.
\n# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
\n# # a random value between (1 – randomize-chunk-range\/100)*toserver-chunk-size
\n# # and (1 + randomize-chunk-range\/100)*toserver-chunk-size and the same
\n# # calculation for toclient-chunk-size.
\n# # Default value of randomize-chunk-range is 10.
\n#
\n# raw: yes # ‘Raw’ reassembly enabled or disabled.
\n# # raw is for content inspection by detection
\n# # engine.
\n#
\n# chunk-prealloc: 250 # Number of preallocated stream chunks. These
\n# # are used during stream inspection (raw).
\n# segments: # Settings for reassembly segment pool.
\n# – size: 4 # Size of the (data)segment for a pool
\n# prealloc: 256 # Number of segments to prealloc and keep
\n# # in the pool.
\n# zero-copy-size: 128 # This option sets in bytes the value at
\n# # which segment data is passed to the app
\n# # layer API directly. Data sizes equal to
\n# # and higher than the value set are passed
\n# # on directly.
\n#
\nstream:
\nmemcap: 64mb
\nchecksum-validation: yes # reject wrong csums
\ninline: auto # auto will use inline mode in IPS mode, yes or no set it statically
\nreassembly:
\nmemcap: 256mb
\ndepth: 1mb # reassemble 1mb into a stream
\ntoserver-chunk-size: 2560
\ntoclient-chunk-size: 2560
\nrandomize-chunk-size: yes
\n#randomize-chunk-range: 10
\n#raw: yes
\n#chunk-prealloc: 250
\n#segments:
\n# – size: 4
\n# prealloc: 256
\n# – size: 16
\n# prealloc: 512
\n# – size: 112
\n# prealloc: 512
\n# – size: 248
\n# prealloc: 512
\n# – size: 512
\n# prealloc: 512
\n# – size: 768
\n# prealloc: 1024
\n# ‘from_mtu’ means that the size is mtu – 40,
\n# or 1460 if mtu couldn’t be determined.
\n# – size: from_mtu
\n# prealloc: 1024
\n# – size: 65535
\n# prealloc: 128
\n#zero-copy-size: 128<\/p>\n

# Host table:
\n#
\n# Host table is used by tagging and per host thresholding subsystems.
\n#
\nhost:
\nhash-size: 4096
\nprealloc: 1000
\nmemcap: 32mb<\/p>\n

# IP Pair table:
\n#
\n# Used by xbits ‘ippair’ tracking.
\n#
\n#ippair:
\n# hash-size: 4096
\n# prealloc: 1000
\n# memcap: 32mb<\/p>\n

##
\n## Performance tuning and profiling
\n##<\/p>\n

# The detection engine builds internal groups of signatures. The engine
\n# allow us to specify the profile to use for them, to manage memory on an
\n# efficient way keeping a good performance. For the profile keyword you
\n# can use the words “low”, “medium”, “high” or “custom”. If you use custom
\n# make sure to define the values at “- custom-values” as your convenience.
\n# Usually you would prefer medium\/high\/low.
\n#
\n# “sgh mpm-context”, indicates how the staging should allot mpm contexts for
\n# the signature groups. “single” indicates the use of a single context for
\n# all the signature group heads. “full” indicates a mpm-context for each
\n# group head. “auto” lets the engine decide the distribution of contexts
\n# based on the information the engine gathers on the patterns from each
\n# group head.
\n#
\n# The option inspection-recursion-limit is used to limit the recursive calls
\n# in the content inspection code. For certain payload-sig combinations, we
\n# might end up taking too much time in the content inspection code.
\n# If the argument specified is 0, the engine uses an internally defined
\n# default limit. On not specifying a value, we use no limits on the recursion.
\ndetect:
\nprofile: medium
\ncustom-values:
\ntoclient-groups: 3
\ntoserver-groups: 25
\nsgh-mpm-context: auto
\ninspection-recursion-limit: 3000
\n# If set to yes, the loading of signatures will be made after the capture
\n# is started. This will limit the downtime in IPS mode.
\n#delayed-detect: yes<\/p>\n

prefilter:
\n# default prefiltering setting. “mpm” only creates MPM\/fast_pattern
\n# engines. “auto” also sets up prefilter engines for other keywords.
\n# Use –list-keywords=all to see which keywords support prefiltering.
\ndefault: mpm<\/p>\n

# the grouping values above control how many groups are created per
\n# direction. Port whitelisting forces that port to get it’s own group.
\n# Very common ports will benefit, as well as ports with many expensive
\n# rules.
\ngrouping:
\n#tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
\n#udp-whitelist: 53, 135, 5060<\/p>\n

profiling:
\n# Log the rules that made it past the prefilter stage, per packet
\n# default is off. The threshold setting determines how many rules
\n# must have made it past pre-filter for that rule to trigger the
\n# logging.
\n#inspect-logging-threshold: 200
\ngrouping:
\ndump-to-disk: false
\ninclude-rules: false # very verbose
\ninclude-mpm-stats: false<\/p>\n

# Select the multi pattern algorithm you want to run for scan\/search the
\n# in the engine.
\n#
\n# The supported algorithms are:
\n# “ac” – Aho-Corasick, default implementation
\n# “ac-bs” – Aho-Corasick, reduced memory implementation
\n# “ac-cuda” – Aho-Corasick, CUDA implementation
\n# “ac-ks” – Aho-Corasick, “Ken Steele” variant
\n# “hs” – Hyperscan, available when built with Hyperscan support
\n#
\n# The default mpm-algo value of “auto” will use “hs” if Hyperscan is
\n# available, “ac” otherwise.
\n#
\n# The mpm you choose also decides the distribution of mpm contexts for
\n# signature groups, specified by the conf – “detect.sgh-mpm-context”.
\n# Selecting “ac” as the mpm would require “detect.sgh-mpm-context”
\n# to be set to “single”, because of ac’s memory requirements, unless the
\n# ruleset is small enough to fit in one’s memory, in which case one can
\n# use “full” with “ac”. Rest of the mpms can be run in “full” mode.
\n#
\n# There is also a CUDA pattern matcher (only available if Suricata was
\n# compiled with –enable-cuda: b2g_cuda. Make sure to update your
\n# max-pending-packets setting above as well if you use b2g_cuda.<\/p>\n

mpm-algo: auto<\/p>\n

# Select the matching algorithm you want to use for single-pattern searches.
\n#
\n# Supported algorithms are “bm” (Boyer-Moore) and “hs” (Hyperscan, only
\n# available if Suricata has been built with Hyperscan support).
\n#
\n# The default of “auto” will use “hs” if available, otherwise “bm”.<\/p>\n

spm-algo: auto<\/p>\n

# Suricata is multi-threaded. Here the threading can be influenced.
\nthreading:
\nset-cpu-affinity: no
\n# Tune cpu affinity of threads. Each family of threads can be bound
\n# on specific CPUs.
\n#
\n# These 2 apply to the all runmodes:
\n# management-cpu-set is used for flow timeout handling, counters
\n# worker-cpu-set is used for ‘worker’ threads
\n#
\n# Additionally, for autofp these apply:
\n# receive-cpu-set is used for capture threads
\n# verdict-cpu-set is used for IPS verdict threads
\n#
\ncpu-affinity:
\n– management-cpu-set:
\ncpu: [ 0 ] # include only these cpus in affinity settings
\n– receive-cpu-set:
\ncpu: [ 0 ] # include only these cpus in affinity settings
\n– worker-cpu-set:
\ncpu: [ “all” ]
\nmode: “exclusive”
\n# Use explicitely 3 threads and don’t compute number by using
\n# detect-thread-ratio variable:
\n# threads: 3
\nprio:
\nlow: [ 0 ]
\nmedium: [ “1-2” ]
\nhigh: [ 3 ]
\ndefault: “medium”
\n#- verdict-cpu-set:
\n# cpu: [ 0 ]
\n# prio:
\n# default: “high”
\n#
\n# By default Suricata creates one “detect” thread per available CPU\/CPU core.
\n# This setting allows controlling this behaviour. A ratio setting of 2 will
\n# create 2 detect threads for each CPU\/CPU core. So for a dual core CPU this
\n# will result in 4 detect threads. If values below 1 are used, less threads
\n# are created. So on a dual core CPU a setting of 0.5 results in 1 detect
\n# thread being created. Regardless of the setting at a minimum 1 detect
\n# thread will always be created.
\n#
\ndetect-thread-ratio: 1.0<\/p>\n

# Luajit has a strange memory requirement, it’s ‘states’ need to be in the
\n# first 2G of the process’ memory.
\n#
\n# ‘luajit.states’ is used to control how many states are preallocated.
\n# State use: per detect script: 1 per detect thread. Per output script: 1 per
\n# script.
\nluajit:
\nstates: 128<\/p>\n

# Profiling settings. Only effective if Suricata has been built with the
\n# the –enable-profiling configure flag.
\n#
\nprofiling:
\n# Run profiling for every xth packet. The default is 1, which means we
\n# profile every packet. If set to 1000, one packet is profiled for every
\n# 1000 received.
\n#sample-rate: 1000<\/p>\n

# rule profiling
\nrules:<\/p>\n

# Profiling can be disabled here, but it will still have a
\n# performance impact if compiled in.
\nenabled: yes
\nfilename: rule_perf.log
\nappend: yes<\/p>\n

# Sort options: ticks, avgticks, checks, matches, maxticks
\nsort: avgticks<\/p>\n

# Limit the number of items printed at exit (ignored for json).
\nlimit: 100<\/p>\n

# output to json
\njson: yes<\/p>\n

# per keyword profiling
\nkeywords:
\nenabled: yes
\nfilename: keyword_perf.log
\nappend: yes<\/p>\n

# per rulegroup profiling
\nrulegroups:
\nenabled: yes
\nfilename: rule_group_perf.log
\nappend: yes<\/p>\n

# packet profiling
\npackets:<\/p>\n

# Profiling can be disabled here, but it will still have a
\n# performance impact if compiled in.
\nenabled: yes
\nfilename: packet_stats.log
\nappend: yes<\/p>\n

# per packet csv output
\ncsv:<\/p>\n

# Output can be disabled here, but it will still have a
\n# performance impact if compiled in.
\nenabled: no
\nfilename: packet_stats.csv<\/p>\n

# profiling of locking. Only available when Suricata was built with
\n# –enable-profiling-locks.
\nlocks:
\nenabled: no
\nfilename: lock_stats.log
\nappend: yes<\/p>\n

pcap-log:
\nenabled: no
\nfilename: pcaplog_stats.log
\nappend: yes<\/p>\n

##
\n## Netfilter integration
\n##<\/p>\n

# When running in NFQ inline mode, it is possible to use a simulated
\n# non-terminal NFQUEUE verdict.
\n# This permit to do send all needed packet to suricata via this a rule:
\n# iptables -I FORWARD -m mark ! –mark $MARK\/$MASK -j NFQUEUE
\n# And below, you can have your standard filtering ruleset. To activate
\n# this mode, you need to set mode to ‘repeat’
\n# If you want packet to be sent to another queue after an ACCEPT decision
\n# set mode to ‘route’ and set next-queue value.
\n# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
\n# by processing several packets before sending a verdict (worker runmode only).
\n# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
\n# accept the packet if suricata is not able to keep pace.
\n# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
\n# set then the NFQ bypass is activated. Suricata will set the bypass mark\/mask
\n# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
\n# directly accept all packets of a flow once a packet has been marked.
\nnfq:
\n# mode: accept
\nrepeat-mark: 1
\nrepeat-mask: 1
\n# bypass-mark: 1
\n# bypass-mask: 1
\n# route-queue: 2
\n# batchcount: 20
\nfail-open: yes<\/p>\n

#nflog support
\nnflog:
\n# netlink multicast group
\n# (the same as the iptables –nflog-group param)
\n# Group 0 is used by the kernel, so you can’t use it
\n– group: 2
\n# netlink buffer size
\nbuffer-size: 18432
\n# put default value here
\n– group: default
\n# set number of packet to queue inside kernel
\nqthreshold: 1
\n# set the delay before flushing packet in the queue inside kernel
\nqtimeout: 100
\n# netlink max buffer size
\nmax-size: 20000<\/p>\n

##
\n## Advanced Capture Options
\n##<\/p>\n

# general settings affecting packet capture
\ncapture:
\n# disable NIC offloading. It’s restored when Suricata exists.
\n# Enabled by default
\n#disable-offloading: false
\n#
\n# disable checksum validation. Same as setting ‘-k none’ on the
\n# commandline
\n#checksum-validation: none<\/p>\n

# Netmap support
\n#
\n# Netmap operates with NIC directly in driver, so you need FreeBSD wich have
\n# built-in netmap support or compile and install netmap module and appropriate
\n# NIC driver on your Linux system.
\n# To reach maximum throughput disable all receive-, segmentation-,
\n# checksum- offloadings on NIC.
\n# Disabling Tx checksum offloading is *required* for connecting OS endpoint
\n# with NIC endpoint.
\n# You can find more information at https:\/\/github.com\/luigirizzo\/netmap
\n#
\nnetmap:
\n# To specify OS endpoint add plus sign at the end (e.g. “eth0+”)
\n– interface: eth2
\n# Number of receive threads. “auto” uses number of RSS queues on interface.
\n#threads: auto
\n# You can use the following variables to activate netmap tap or IPS mode.
\n# If copy-mode is set to ips or tap, the traffic coming to the current
\n# interface will be copied to the copy-iface interface. If ‘tap’ is set, the
\n# copy is complete. If ‘ips’ is set, the packet matching a ‘drop’ action
\n# will not be copied.
\n# To specify the OS as the copy-iface (so the OS can route packets, or forward
\n# to a service running on the same machine) add a plus sign at the end
\n# (e.g. “copy-iface: eth0+”). Don’t forget to set up a symmetrical eth0+ -> eth0
\n# for return packets. Hardware checksumming must be *off* on the interface if
\n# using an OS endpoint (e.g. ‘ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6’ for FreeBSD
\n# or ‘ethtool -K eth0 tx off rx off’ for Linux).
\n#copy-mode: tap
\n#copy-iface: eth3
\n# Set to yes to disable promiscuous mode
\n# disable-promisc: no
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may be with an invalid checksum due to
\n# offloading to the network card of the checksum computation.
\n# Possible values are:
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: suricata uses a statistical approach to detect when
\n# checksum off-loading is used.
\n# Warning: ‘checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: auto
\n# BPF filter to apply to this interface. The pcap filter syntax apply here.
\n#bpf-filter: port 80 or udp
\n#- interface: eth3
\n#threads: auto
\n#copy-mode: tap
\n#copy-iface: eth2
\n# Put default values here
\n– interface: default<\/p>\n

# PF_RING configuration. for use with native PF_RING support
\n# for more info see http:\/\/www.ntop.org\/products\/pf_ring\/
\npfring:
\n– interface: eth0
\n# Number of receive threads (>1 will enable experimental flow pinned
\n# runmode)
\nthreads: 1<\/p>\n

# Default clusterid. PF_RING will load balance packets based on flow.
\n# All threads\/processes that will participate need to have the same
\n# clusterid.
\ncluster-id: 99<\/p>\n

# Default PF_RING cluster type. PF_RING can load balance per flow.
\n# Possible values are cluster_flow or cluster_round_robin.
\ncluster-type: cluster_flow
\n# bpf filter for this interface
\n#bpf-filter: tcp
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may be with an invalid checksum due to
\n# offloading to the network card of the checksum computation.
\n# Possible values are:
\n# – rxonly: only compute checksum for packets received by network card.
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: suricata uses a statistical approach to detect when
\n# checksum off-loading is used. (default)
\n# Warning: ‘checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: auto
\n# Second interface
\n#- interface: eth1
\n# threads: 3
\n# cluster-id: 93
\n# cluster-type: cluster_flow
\n# Put default values here
\n– interface: default
\n#threads: 2<\/p>\n

# For FreeBSD ipfw(8) divert(4) support.
\n# Please make sure you have ipfw_load=”YES” and ipdivert_load=”YES”
\n# in \/etc\/loader.conf or kldload’ing the appropriate kernel modules.
\n# Additionally, you need to have an ipfw rule for the engine to see
\n# the packets from ipfw. For Example:
\n#
\n# ipfw add 100 divert 8000 ip from any to any
\n#
\n# The 8000 above should be the same number you passed on the command
\n# line, i.e. -d 8000
\n#
\nipfw:<\/p>\n

# Reinject packets at the specified ipfw rule number. This config
\n# option is the ipfw rule number AT WHICH rule processing continues
\n# in the ipfw processing system after the engine has finished
\n# inspecting the packet for acceptance. If no rule number is specified,
\n# accepted packets are reinjected at the divert rule which they entered
\n# and IPFW rule processing continues. No check is done to verify
\n# this will rule makes sense so care must be taken to avoid loops in ipfw.
\n#
\n## The following example tells the engine to reinject packets
\n# back into the ipfw firewall AT rule number 5500:
\n#
\n# ipfw-reinjection-rule-number: 5500<\/p>\n

napatech:
\n# The Host Buffer Allowance for all streams
\n# (-1 = OFF, 1 – 100 = percentage of the host buffer that can be held back)
\nhba: -1<\/p>\n

# use_all_streams set to “yes” will query the Napatech service for all configured
\n# streams and listen on all of them. When set to “no” the streams config array
\n# will be used.
\nuse-all-streams: yes<\/p>\n

# The streams to listen on
\nstreams: [1, 2, 3]<\/p>\n

# Tilera mpipe configuration. for use on Tilera TILE-Gx.
\nmpipe:<\/p>\n

# Load balancing modes: “static”, “dynamic”, “sticky”, or “round-robin”.
\nload-balance: dynamic<\/p>\n

# Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
\niqueue-packets: 2048<\/p>\n

# List of interfaces we will listen on.
\ninputs:
\n– interface: xgbe2
\n– interface: xgbe3
\n– interface: xgbe4<\/p>\n

# Relative weight of memory for packets of each mPipe buffer size.
\nstack:
\nsize128: 0
\nsize256: 9
\nsize512: 0
\nsize1024: 0
\nsize1664: 7
\nsize4096: 0
\nsize10386: 0
\nsize16384: 0<\/p>\n

##
\n## Hardware accelaration
\n##<\/p>\n

# Cuda configuration.
\ncuda:
\n# The “mpm” profile. On not specifying any of these parameters, the engine’s
\n# internal default values are used, which are same as the ones specified in
\n# in the default conf file.
\nmpm:
\n# The minimum length required to buffer data to the gpu.
\n# Anything below this is MPM’ed on the CPU.
\n# Can be specified in kb, mb, gb. Just a number indicates it’s in bytes.
\n# A value of 0 indicates there’s no limit.
\ndata-buffer-size-min-limit: 0
\n# The maximum length for data that we would buffer to the gpu.
\n# Anything over this is MPM’ed on the CPU.
\n# Can be specified in kb, mb, gb. Just a number indicates it’s in bytes.
\ndata-buffer-size-max-limit: 1500
\n# The ring buffer size used by the CudaBuffer API to buffer data.
\ncudabuffer-buffer-size: 500mb
\n# The max chunk size that can be sent to the gpu in a single go.
\ngpu-transfer-size: 50mb
\n# The timeout limit for batching of packets in microseconds.
\nbatching-timeout: 2000
\n# The device to use for the mpm. Currently we don’t support load balancing
\n# on multiple gpus. In case you have multiple devices on your system, you
\n# can specify the device to use, using this conf. By default we hold 0, to
\n# specify the first device cuda sees. To find out device-id associated with
\n# the card(s) on the system run “suricata –list-cuda-cards”.
\ndevice-id: 0
\n# No of Cuda streams used for asynchronous processing. All values > 0 are valid.
\n# For this option you need a device with Compute Capability > 1.0.
\ncuda-streams: 2<\/p>\n

##
\n## Include other configs
\n##<\/p>\n

# Includes. Files included here will be handled as if they were
\n# inlined in this configuration file.
\n#include: include1.yaml
\n#include: include2.yaml<\/p>\n","protected":false},"excerpt":{"rendered":"

%YAML 1.1 — # Suricata configuration file. In addition to the comments describing all # options in this file, full documentation can be found at: # https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricatayaml ## ## Step 1: inform Suricata about your network ## vars: # more specifc is better for alert accuracy and performance address-groups: #HOME_NET: “[192.168.0.0\/16,10.0.0.0\/8,172.16.0.0\/12]” HOME_NET: “[192.168.2.0\/24]” #HOME_NET: “[10.0.0.0\/8]” […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110,8,14,6],"tags":[136,135,134],"class_list":["post-1491","post","type-post","status-publish","format-standard","hentry","category-ids","category-linux","category-networking","category-work","tag-devuan","tag-ips","tag-suricata"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1491"}],"version-history":[{"count":3,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1491\/revisions"}],"predecessor-version":[{"id":1523,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1491\/revisions\/1523"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1491"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}