{"id":2568,"date":"2025-02-21T10:36:52","date_gmt":"2025-02-21T09:36:52","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=2568"},"modified":"2025-02-21T10:36:52","modified_gmt":"2025-02-21T09:36:52","slug":"suricata-yaml-su-devuan-5","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=2568","title":{"rendered":"suricata.yaml su Devuan 5"},"content":{"rendered":"

%YAML 1.1
\n—<\/p>\n

# Suricata configuration file. In addition to the comments describing all
\n# options in this file, full documentation can be found at:
\n# https:\/\/suricata.readthedocs.io\/en\/latest\/configuration\/suricata-yaml.html<\/p>\n

##
\n## Step 1: Inform Suricata about your network
\n##<\/p>\n

vars:
\n# more specific is better for alert accuracy and performance
\naddress-groups:
\n#HOME_NET: “[192.168.0.0\/16,10.0.0.0\/8,172.16.0.0\/12]”
\nHOME_NET: “[192.168.2.0\/23]”
\n#HOME_NET: “[10.0.0.0\/8]”
\n#HOME_NET: “[172.16.0.0\/12]”
\n#HOME_NET: “any”<\/p>\n

EXTERNAL_NET: “!$HOME_NET”
\n#EXTERNAL_NET: “any”<\/p>\n

HTTP_SERVERS: “$HOME_NET”
\nSMTP_SERVERS: “$HOME_NET”
\nSQL_SERVERS: “$HOME_NET”
\nDNS_SERVERS: “$HOME_NET”
\nTELNET_SERVERS: “$HOME_NET”
\nAIM_SERVERS: “$EXTERNAL_NET”
\nDC_SERVERS: “$HOME_NET”
\nDNP3_SERVER: “$HOME_NET”
\nDNP3_CLIENT: “$HOME_NET”
\nMODBUS_CLIENT: “$HOME_NET”
\nMODBUS_SERVER: “$HOME_NET”
\nENIP_CLIENT: “$HOME_NET”
\nENIP_SERVER: “$HOME_NET”<\/p>\n

port-groups:
\nHTTP_PORTS: “80”
\nSHELLCODE_PORTS: “!80”
\nORACLE_PORTS: 1521
\nSSH_PORTS: 22
\nDNP3_PORTS: 20000
\nMODBUS_PORTS: 502
\nFILE_DATA_PORTS: “[$HTTP_PORTS,110,143]”
\nFTP_PORTS: 21
\nGENEVE_PORTS: 6081
\nVXLAN_PORTS: 4789
\nTEREDO_PORTS: 3544<\/p>\n

##
\n## Step 2: Select outputs to enable
\n##<\/p>\n

# The default logging directory. Any log or output file will be
\n# placed here if it’s not specified with a full path name. This can be
\n# overridden with the -l command line parameter.
\ndefault-log-dir: \/var\/log\/suricata\/<\/p>\n

# Global stats configuration
\nstats:
\nenabled: yes
\n# The interval field (in seconds) controls the interval at
\n# which stats are updated in the log.
\ninterval: 8
\n# Add decode events to stats.
\n#decoder-events: true
\n# Decoder event prefix in stats. Has been ‘decoder’ before, but that leads
\n# to missing events in the eve.stats records. See issue #2225.
\n#decoder-events-prefix: “decoder.event”
\n# Add stream events as stats.
\n#stream-events: false<\/p>\n

# Configure the type of alert (and other) logging you would like.
\noutputs:
\n# a line based alerts log similar to Snort’s fast.log
\n– fast:
\nenabled: yes
\nfilename: fast.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# Extensible Event Format (nicknamed EVE) event log in JSON format
\n– eve-log:
\nenabled: yes
\nfiletype: regular #regular|syslog|unix_dgram|unix_stream|redis
\nfilename: eve.json
\n# Enable for multi-threaded eve.json output; output files are amended with
\n# with an identifier, e.g., eve.9.json
\nthreaded: false
\n#prefix: “@cee: ” # prefix to prepend to each log entry
\n# the following are valid when type: syslog above
\n#identity: “suricata”
\n#facility: local5
\n#level: Info ## possible levels: Emergency, Alert, Critical,
\n## Error, Warning, Notice, Info, Debug
\n#ethernet: no # log ethernet header in events when available
\n#redis:
\n# server: 127.0.0.1
\n# port: 6379
\n# async: true ## if redis replies are read asynchronously
\n# mode: list ## possible values: list|lpush (default), rpush, channel|publish
\n# ## lpush and rpush are using a Redis list. “list” is an alias for lpush
\n# ## publish is using a Redis channel. “channel” is an alias for publish
\n# key: suricata ## key or channel to use (default to suricata)
\n# Redis pipelining set up. This will enable to only do a query every
\n# ‘batch-size’ events. This should lower the latency induced by network
\n# connection at the cost of some memory. There is no flushing implemented
\n# so this setting should be reserved to high traffic Suricata deployments.
\n# pipelining:
\n# enabled: yes ## set enable to yes to enable query pipelining
\n# batch-size: 10 ## number of entries to keep in buffer<\/p>\n

# Include top level metadata. Default yes.
\n#metadata: no<\/p>\n

# include the name of the input pcap file in pcap file processing mode
\npcap-file: false<\/p>\n

# Community Flow ID
\n# Adds a ‘community_id’ field to EVE records. These are meant to give
\n# records a predictable flow ID that can be used to match records to
\n# output of other tools such as Zeek (Bro).
\n#
\n# Takes a ‘seed’ that needs to be same across sensors and tools
\n# to make the id less predictable.<\/p>\n

# enable\/disable the community id feature.
\n#community-id: false
\ncommunity-id: true
\n# Seed value for the ID output. Valid values are 0-65535.
\ncommunity-id-seed: 0<\/p>\n

# HTTP X-Forwarded-For support by adding an extra field or overwriting
\n# the source or destination IP address (depending on flow direction)
\n# with the one reported in the X-Forwarded-For HTTP header. This is
\n# helpful when reviewing alerts for traffic that is being reverse
\n# or forward proxied.
\nxff:
\nenabled: no
\n# Two operation modes are available: “extra-data” and “overwrite”.
\nmode: extra-data
\n# Two proxy deployments are supported: “reverse” and “forward”. In
\n# a “reverse” deployment the IP address used is the last one, in a
\n# “forward” deployment the first IP address is used.
\ndeployment: reverse
\n# Header name where the actual IP address will be reported. If more
\n# than one IP address is present, the last IP address will be the
\n# one taken into consideration.
\nheader: X-Forwarded-For<\/p>\n

types:
\n– alert:
\n# payload: yes # enable dumping payload in Base64
\n# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
\n# payload-printable: yes # enable dumping payload in printable (lossy) format
\n# packet: yes # enable dumping of packet (without stream segments)
\n# metadata: no # enable inclusion of app layer metadata with alert. Default yes
\n# http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
\n# http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format<\/p>\n

# Enable the logging of tagged packets for rules using the
\n# “tag” keyword.
\ntagged-packets: yes
\n– anomaly:
\n# Anomaly log records describe unexpected conditions such
\n# as truncated packets, packets with invalid IP\/UDP\/TCP
\n# length values, and other events that render the packet
\n# invalid for further processing or describe unexpected
\n# behavior on an established stream. Networks which
\n# experience high occurrences of anomalies may experience
\n# packet processing degradation.
\n#
\n# Anomalies are reported for the following:
\n# 1. Decode: Values and conditions that are detected while
\n# decoding individual packets. This includes invalid or
\n# unexpected values for low-level protocol lengths as well
\n# as stream related events (TCP 3-way handshake issues,
\n# unexpected sequence number, etc).
\n# 2. Stream: This includes stream related events (TCP
\n# 3-way handshake issues, unexpected sequence number,
\n# etc).
\n# 3. Application layer: These denote application layer
\n# specific conditions that are unexpected, invalid or are
\n# unexpected given the application monitoring state.
\n#
\n# By default, anomaly logging is enabled. When anomaly
\n# logging is enabled, applayer anomaly reporting is
\n# also enabled.
\nenabled: yes
\n#
\n# Choose one or more types of anomaly logging and whether to enable
\n# logging of the packet header for packet anomalies.
\ntypes:
\n# decode: no
\n# stream: no
\n# applayer: yes
\n#packethdr: no
\n– http:
\nextended: yes # enable this for extended logging information
\n# custom allows additional HTTP fields to be included in eve-log.
\n# the example below adds three additional fields when uncommented
\n#custom: [Accept-Encoding, Accept-Language, Authorization]
\n# set this value to one and only one from {both, request, response}
\n# to dump all HTTP headers for every HTTP request and\/or response
\n# dump-all-headers: none
\n– dns:
\n# This configuration uses the new DNS logging format,
\n# the old configuration is still available:
\n# https:\/\/suricata.readthedocs.io\/en\/latest\/output\/eve\/eve-json-output.html#dns-v1-format<\/p>\n

# As of Suricata 5.0, version 2 of the eve dns output
\n# format is the default.
\n#version: 2<\/p>\n

# Enable\/disable this logger. Default: enabled.
\n#enabled: yes<\/p>\n

# Control logging of requests and responses:
\n# – requests: enable logging of DNS queries
\n# – responses: enable logging of DNS answers
\n# By default both requests and responses are logged.
\n#requests: no
\n#responses: no<\/p>\n

# Format of answer logging:
\n# – detailed: array item per answer
\n# – grouped: answers aggregated by type
\n# Default: all
\n#formats: [detailed, grouped]<\/p>\n

# DNS record types to log, based on the query type.
\n# Default: all.
\n#types: [a, aaaa, cname, mx, ns, ptr, txt]
\n– tls:
\nextended: yes # enable this for extended logging information
\n# output TLS transaction where the session is resumed using a
\n# session id
\n#session-resumption: no
\n# custom controls which TLS fields that are included in eve-log
\n#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
\n– files:
\nforce-magic: no # force logging magic on all logged files
\n# force logging of checksums, available hash functions are md5,
\n# sha1 and sha256
\n#force-hash: [md5]
\n#- drop:
\n# alerts: yes # log alerts that caused drops
\n# flows: all # start or all: ‘start’ logs only a single drop
\n# # per flow direction. All logs each dropped pkt.
\n– smtp:
\n#extended: yes # enable this for extended logging information
\n# this includes: bcc, message-id, subject, x_mailer, user-agent
\n# custom fields logging from the list:
\n# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
\n# x-originating-ip, in-reply-to, references, importance, priority,
\n# sensitivity, organization, content-md5, date
\n#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
\n# output md5 of fields: body, subject
\n# for the body you need to set app-layer.protocols.smtp.mime.body-md5
\n# to yes
\n#md5: [body, subject]<\/p>\n

#- dnp3
\n– ftp
\n– rdp
\n– nfs
\n– smb
\n– tftp
\n– ikev2
\n– dcerpc
\n– krb5
\n– snmp
\n– rfb
\n– sip
\n– dhcp:
\nenabled: yes
\n# When extended mode is on, all DHCP messages are logged
\n# with full detail. When extended mode is off (the
\n# default), just enough information to map a MAC address
\n# to an IP address is logged.
\nextended: no
\n– ssh
\n– mqtt:
\n# passwords: yes # enable output of passwords
\n# HTTP2 logging. HTTP2 support is currently experimental and
\n# disabled by default. To enable, uncomment the following line
\n# and be sure to enable http2 in the app-layer section.
\n#- http2
\n– stats:
\ntotals: yes # stats for all threads merged together
\nthreads: no # per thread stats
\ndeltas: no # include delta values
\n# bi-directional flows
\n– flow
\n# uni-directional flows
\n#- netflow<\/p>\n

# Metadata event type. Triggered whenever a pktvar is saved
\n# and will include the pktvars, flowvars, flowbits and
\n# flowints.
\n#- metadata<\/p>\n

# a line based log of HTTP requests (no alerts)
\n– http-log:
\nenabled: no
\nfilename: http.log
\nappend: yes
\n#extended: yes # enable this for extended logging information
\n#custom: yes # enable the custom logging format (defined by customformat)
\n#customformat: “%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P”
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# a line based log of TLS handshake parameters (no alerts)
\n– tls-log:
\nenabled: no # Log TLS connections.
\nfilename: tls.log # File to store TLS logs.
\nappend: yes
\n#extended: yes # Log extended information like fingerprint
\n#custom: yes # enabled the custom logging format (defined by customformat)
\n#customformat: “%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D”
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’
\n# output TLS transaction where the session is resumed using a
\n# session id
\n#session-resumption: no<\/p>\n

# output module to store certificates chain to disk
\n– tls-store:
\nenabled: no
\n#certs-log-dir: certs # directory to store the certificates files<\/p>\n

# Packet log… log packets in pcap format. 3 modes of operation: “normal”
\n# “multi” and “sguil”.
\n#
\n# In normal mode a pcap file “filename” is created in the default-log-dir,
\n# or as specified by “dir”.
\n# In multi mode, a file is created per thread. This will perform much
\n# better, but will create multiple files where ‘normal’ would create one.
\n# In multi mode the filename takes a few special variables:
\n# – %n — thread number
\n# – %i — thread id
\n# – %t — timestamp (secs or secs.usecs based on ‘ts-format’
\n# E.g. filename: pcap.%n.%t
\n#
\n# Note that it’s possible to use directories, but the directories are not
\n# created by Suricata. E.g. filename: pcaps\/%n\/log.%s will log into the
\n# per thread directory.
\n#
\n# Also note that the limit and max-files settings are enforced per thread.
\n# So the size limit when using 8 threads with 1000mb files and 2000 files
\n# is: 8*1000*2000 ~ 16TiB.
\n#
\n# In Sguil mode “dir” indicates the base directory. In this base dir the
\n# pcaps are created in the directory structure Sguil expects:
\n#
\n# $sguil-base-dir\/YYYY-MM-DD\/$filename.<timestamp>
\n#
\n# By default all packets are logged except:
\n# – TCP streams beyond stream.reassembly.depth
\n# – encrypted streams after the key exchange
\n#
\n– pcap-log:
\nenabled: no
\nfilename: log.pcap<\/p>\n

# File size limit. Can be specified in kb, mb, gb. Just a number
\n# is parsed as bytes.
\nlimit: 1000mb<\/p>\n

# If set to a value, ring buffer mode is enabled. Will keep maximum of
\n# “max-files” of size “limit”
\nmax-files: 2000<\/p>\n

# Compression algorithm for pcap files. Possible values: none, lz4.
\n# Enabling compression is incompatible with the sguil mode. Note also
\n# that on Windows, enabling compression will *increase* disk I\/O.
\ncompression: none<\/p>\n

# Further options for lz4 compression. The compression level can be set
\n# to a value between 0 and 16, where higher values result in higher
\n# compression.
\n#lz4-checksum: no
\n#lz4-level: 0<\/p>\n

mode: normal # normal, multi or sguil.<\/p>\n

# Directory to place pcap files. If not provided the default log
\n# directory will be used. Required for “sguil” mode.
\n#dir: \/nsm_data\/<\/p>\n

#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
\nuse-stream-depth: no #If set to “yes” packets seen after reaching stream inspection depth are ignored. “no” logs all packets
\nhonor-pass-rules: no # If set to “yes”, flows in which a pass rule matched will stop being logged.<\/p>\n

# a full alert log containing much information for signature writers
\n# or for investigating suspected false positives.
\n– alert-debug:
\nenabled: no
\nfilename: alert-debug.log
\nappend: yes
\n#filetype: regular # ‘regular’, ‘unix_stream’ or ‘unix_dgram’<\/p>\n

# alert output to prelude (https:\/\/www.prelude-siem.org\/) only
\n# available if Suricata has been compiled with –enable-prelude
\n– alert-prelude:
\nenabled: no
\nprofile: suricata
\nlog-packet-content: no
\nlog-packet-header: yes<\/p>\n

# Stats.log contains data from various counters of the Suricata engine.
\n– stats:
\nenabled: yes
\nfilename: stats.log
\nappend: yes # append to file (yes) or overwrite it (no)
\ntotals: yes # stats for all threads merged together
\nthreads: no # per thread stats
\n#null-values: yes # print counters that have value 0. Default: no<\/p>\n

# a line based alerts log similar to fast.log into syslog
\n– syslog:
\nenabled: no
\n# reported identity to syslog. If omitted the program name (usually
\n# suricata) will be used.
\n#identity: “suricata”
\nfacility: local5
\n#level: Info ## possible levels: Emergency, Alert, Critical,
\n## Error, Warning, Notice, Info, Debug<\/p>\n

# Output module for storing files on disk. Files are stored in
\n# directory names consisting of the first 2 characters of the
\n# SHA256 of the file. Each file is given its SHA256 as a filename.
\n#
\n# When a duplicate file is found, the timestamps on the existing file
\n# are updated.
\n#
\n# Unlike the older filestore, metadata is not written by default
\n# as each file should already have a “fileinfo” record in the
\n# eve-log. If write-fileinfo is set to yes, then each file will have
\n# one more associated .json files that consist of the fileinfo
\n# record. A fileinfo file will be written for each occurrence of the
\n# file seen using a filename suffix to ensure uniqueness.
\n#
\n# To prune the filestore directory see the “suricatactl filestore
\n# prune” command which can delete files over a certain age.
\n– file-store:
\nversion: 2
\nenabled: no<\/p>\n

# Set the directory for the filestore. Relative pathnames
\n# are contained within the “default-log-dir”.
\n#dir: filestore<\/p>\n

# Write out a fileinfo record for each occurrence of a file.
\n# Disabled by default as each occurrence is already logged
\n# as a fileinfo record to the main eve-log.
\n#write-fileinfo: yes<\/p>\n

# Force storing of all files. Default: no.
\n#force-filestore: yes<\/p>\n

# Override the global stream-depth for sessions in which we want
\n# to perform file extraction. Set to 0 for unlimited; otherwise,
\n# must be greater than the global stream-depth value to be used.
\n#stream-depth: 0<\/p>\n

# Uncomment the following variable to define how many files can
\n# remain open for filestore by Suricata. Default value is 0 which
\n# means files get closed after each write to the file.
\n#max-open-files: 1000<\/p>\n

# Force logging of checksums: available hash functions are md5,
\n# sha1 and sha256. Note that SHA256 is automatically forced by
\n# the use of this output module as it uses the SHA256 as the
\n# file naming scheme.
\n#force-hash: [sha1, md5]
\n# NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled
\n# HTTP X-Forwarded-For support by adding an extra field or overwriting
\n# the source or destination IP address (depending on flow direction)
\n# with the one reported in the X-Forwarded-For HTTP header. This is
\n# helpful when reviewing alerts for traffic that is being reverse
\n# or forward proxied.
\nxff:
\nenabled: no
\n# Two operation modes are available, “extra-data” and “overwrite”.
\nmode: extra-data
\n# Two proxy deployments are supported, “reverse” and “forward”. In
\n# a “reverse” deployment the IP address used is the last one, in a
\n# “forward” deployment the first IP address is used.
\ndeployment: reverse
\n# Header name where the actual IP address will be reported. If more
\n# than one IP address is present, the last IP address will be the
\n# one taken into consideration.
\nheader: X-Forwarded-For<\/p>\n

# Log TCP data after stream normalization
\n# Two types: file or dir:
\n# – file logs into a single logfile.
\n# – dir creates 2 files per TCP session and stores the raw TCP
\n# data into them.
\n# Use ‘both’ to enable both file and dir modes.
\n#
\n# Note: limited by “stream.reassembly.depth”
\n– tcp-data:
\nenabled: no
\ntype: file
\nfilename: tcp-data.log<\/p>\n

# Log HTTP body data after normalization, de-chunking and unzipping.
\n# Two types: file or dir.
\n# – file logs into a single logfile.
\n# – dir creates 2 files per HTTP session and stores the
\n# normalized data into them.
\n# Use ‘both’ to enable both file and dir modes.
\n#
\n# Note: limited by the body limit settings
\n– http-body-data:
\nenabled: no
\ntype: file
\nfilename: http-data.log<\/p>\n

# Lua Output Support – execute lua script to generate alert and event
\n# output.
\n# Documented at:
\n# https:\/\/suricata.readthedocs.io\/en\/latest\/output\/lua-output.html
\n– lua:
\nenabled: no
\n#scripts-dir: \/etc\/suricata\/lua-output\/
\nscripts:
\n# – script1.lua<\/p>\n

# Logging configuration. This is not about logging IDS alerts\/events, but
\n# output about what Suricata is doing, like startup messages, errors, etc.
\nlogging:
\n# The default log level: can be overridden in an output section.
\n# Note that debug level logging will only be emitted if Suricata was
\n# compiled with the –enable-debug configure option.
\n#
\n# This value is overridden by the SC_LOG_LEVEL env var.
\ndefault-log-level: notice<\/p>\n

# The default output format. Optional parameter, should default to
\n# something reasonable if not provided. Can be overridden in an
\n# output section. You can leave this out to get the default.
\n#
\n# This value is overridden by the SC_LOG_FORMAT env var.
\n#default-log-format: “[%i] %t – (%f:%l) <%d> (%n) — ”<\/p>\n

# A regex to filter output. Can be overridden in an output section.
\n# Defaults to empty (no filter).
\n#
\n# This value is overridden by the SC_LOG_OP_FILTER env var.
\ndefault-output-filter:<\/p>\n

# Define your logging outputs. If none are defined, or they are all
\n# disabled you will get the default: console output.
\noutputs:
\n– console:
\nenabled: yes
\n# type: json
\n– file:
\nenabled: yes
\nlevel: info
\nfilename: suricata.log
\n# type: json
\n– syslog:
\nenabled: no
\nfacility: local5
\nformat: “[%i] <%d> — ”
\n# type: json<\/p>\n

##
\n## Step 3: Configure common capture settings
\n##
\n## See “Advanced Capture Options” below for more options, including Netmap
\n## and PF_RING.
\n##<\/p>\n

# Linux high speed capture support
\naf-packet:
\n– interface: eth0
\n# Number of receive threads. “auto” uses the number of cores
\n#threads: auto
\n# Default clusterid. AF_PACKET will load balance packets based on flow.
\ncluster-id: 99
\n# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
\n# This is only supported for Linux kernel > 3.1
\n# possible value are:
\n# * cluster_flow: all packets of a given flow are sent to the same socket
\n# * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
\n# * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
\n# socket. Requires at least Linux 3.14.
\n# * cluster_ebpf: eBPF file load balancing. See doc\/userguide\/capture-hardware\/ebpf-xdp.rst for
\n# more info.
\n# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
\n# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
\ncluster-type: cluster_flow
\n# In some fragmentation cases, the hash can not be computed. If “defrag” is set
\n# to yes, the kernel will do the needed defragmentation before sending the packets.
\ndefrag: yes
\n# To use the ring feature of AF_PACKET, set ‘use-mmap’ to yes
\n#use-mmap: yes
\n# Lock memory map to avoid it being swapped. Be careful that over
\n# subscribing could lock your system
\n#mmap-locked: yes
\n# Use tpacket_v3 capture mode, only active if use-mmap is true
\n# Don’t use it in IPS or TAP mode as it causes severe latency
\n#tpacket-v3: yes
\n# Ring size will be computed with respect to “max-pending-packets” and number
\n# of threads. You can set manually the ring size in number of packets by setting
\n# the following value. If you are using flow “cluster-type” and have really network
\n# intensive single-flow you may want to set the “ring-size” independently of the number
\n# of threads:
\n#ring-size: 2048
\n# Block size is used by tpacket_v3 only. It should set to a value high enough to contain
\n# a decent number of packets. Size is in bytes so please consider your MTU. It should be
\n# a power of 2 and it must be multiple of page size (usually 4096).
\n#block-size: 32768
\n# tpacket_v3 block timeout: an open block is passed to userspace if it is not
\n# filled after block-timeout milliseconds.
\n#block-timeout: 10
\n# On busy systems, set it to yes to help recover from a packet drop
\n# phase. This will result in some packets (at max a ring flush) not being inspected.
\n#use-emergency-flush: yes
\n# recv buffer size, increased value could improve performance
\n# buffer-size: 32768
\n# Set to yes to disable promiscuous mode
\n# disable-promisc: no
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may have an invalid checksum due to
\n# the checksum computation being offloaded to the network card.
\n# Possible values are:
\n# – kernel: use indication sent by kernel for each packet (default)
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: Suricata uses a statistical approach to detect when
\n# checksum off-loading is used.
\n# Warning: ‘capture.checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: kernel
\n# BPF filter to apply to this interface. The pcap filter syntax applies here.
\n#bpf-filter: port 80 or udp
\n# You can use the following variables to activate AF_PACKET tap or IPS mode.
\n# If copy-mode is set to ips or tap, the traffic coming to the current
\n# interface will be copied to the copy-iface interface. If ‘tap’ is set, the
\n# copy is complete. If ‘ips’ is set, the packet matching a ‘drop’ action
\n# will not be copied.
\n#copy-mode: ips
\n#copy-iface: eth1
\n# For eBPF and XDP setup including bypass, filter and load balancing, please
\n# see doc\/userguide\/capture-hardware\/ebpf-xdp.rst for more info.<\/p>\n

# Put default values here. These will be used for an interface that is not
\n# in the list above.
\n– interface: default
\n#threads: auto
\n#use-mmap: no
\n#tpacket-v3: yes
\n### le due righe sotto sono state aggiunte in data 21\/02\/25
\ndetect-engine:
\n-rule-reload:true
\n# Cross platform libpcap capture support
\npcap:
\n– interface: eth0
\n# On Linux, pcap will try to use mmap’ed capture and will use “buffer-size”
\n# as total memory used by the ring. So set this to something bigger
\n# than 1% of your bandwidth.
\n#buffer-size: 16777216
\n#bpf-filter: “tcp and port 25”
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may have an invalid checksum due to
\n# the checksum computation being offloaded to the network card.
\n# Possible values are:
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: Suricata uses a statistical approach to detect when
\n# checksum off-loading is used. (default)
\n# Warning: ‘capture.checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: auto
\n# With some accelerator cards using a modified libpcap (like Myricom), you
\n# may want to have the same number of capture threads as the number of capture
\n# rings. In this case, set up the threads variable to N to start N threads
\n# listening on the same interface.
\n#threads: 16
\n# set to no to disable promiscuous mode:
\n#promisc: no
\n# set snaplen, if not set it defaults to MTU if MTU can be known
\n# via ioctl call and to full capture if not.
\n#snaplen: 1518
\n# Put default values here
\n– interface: default
\n#checksum-checks: auto<\/p>\n

# Settings for reading pcap files
\npcap-file:
\n# Possible values are:
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: Suricata uses a statistical approach to detect when
\n# checksum off-loading is used. (default)
\n# Warning: ‘checksum-validation’ must be set to yes to have checksum tested
\nchecksum-checks: auto<\/p>\n

# See “Advanced Capture Options” below for more options, including Netmap
\n# and PF_RING.<\/p>\n

##
\n## Step 4: App Layer Protocol configuration
\n##<\/p>\n

# Configure the app-layer parsers. The protocol’s section details each
\n# protocol.
\n#
\n# The option “enabled” takes 3 values – “yes”, “no”, “detection-only”.
\n# “yes” enables both detection and the parser, “no” disables both, and
\n# “detection-only” enables protocol detection only (parser disabled).
\napp-layer:
\nprotocols:
\nrfb:
\nenabled: yes
\ndetection-ports:
\ndp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
\n# MQTT, disabled by default.
\nmqtt:
\n# enabled: no
\n# max-msg-length: 1mb
\nenabled: yes
\nmax-msg-length: 1mb
\nkrb5:
\nenabled: yes
\nsnmp:
\nenabled: yes
\nikev2:
\nenabled: yes
\ntls:
\nenabled: yes
\ndetection-ports:
\ndp: 443<\/p>\n

# Generate JA3 fingerprint from client hello. If not specified it
\n# will be disabled by default, but enabled if rules require it.
\n#ja3-fingerprints: auto<\/p>\n

# What to do when the encrypted communications start:
\n# – default: keep tracking TLS session, check for protocol anomalies,
\n# inspect tls_* keywords. Disables inspection of unmodified
\n# ‘content’ signatures.
\n# – bypass: stop processing this flow as much as possible. No further
\n# TLS parsing and inspection. Offload flow bypass to kernel
\n# or hardware if possible.
\n# – full: keep tracking and inspection as normal. Unmodified content
\n# keyword signatures are inspected as well.
\n#
\n# For best performance, select ‘bypass’.
\n#
\n#encryption-handling: default<\/p>\n

dcerpc:
\nenabled: yes
\nftp:
\nenabled: yes
\n# memcap: 64mb
\nrdp:
\n#enabled: yes
\nenabled: yes
\nssh:
\nenabled: yes
\n#hassh: yes
\n# HTTP2: Experimental HTTP 2 support. Disabled by default.
\nhttp2:
\nenabled: no
\nsmtp:
\nenabled: yes
\nraw-extraction: no
\n# Configure SMTP-MIME Decoder
\nmime:
\n# Decode MIME messages from SMTP transactions
\n# (may be resource intensive)
\n# This field supersedes all others because it turns the entire
\n# process on or off
\ndecode-mime: yes<\/p>\n

# Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)
\ndecode-base64: yes
\ndecode-quoted-printable: yes<\/p>\n

# Maximum bytes per header data value stored in the data structure
\n# (default is 2000)
\nheader-value-depth: 2000<\/p>\n

# Extract URLs and save in state data structure
\nextract-urls: yes
\n# Set to yes to compute the md5 of the mail body. You will then
\n# be able to journalize it.
\nbody-md5: no
\n# Configure inspected-tracker for file_data keyword
\ninspected-tracker:
\ncontent-limit: 100000
\ncontent-inspect-min-size: 32768
\ncontent-inspect-window: 4096
\nimap:
\nenabled: detection-only
\nsmb:
\nenabled: yes
\ndetection-ports:
\ndp: 139, 445<\/p>\n

# Stream reassembly size for SMB streams. By default track it completely.
\n#stream-depth: 0<\/p>\n

nfs:
\nenabled: yes
\ntftp:
\nenabled: yes
\ndns:
\ntcp:
\nenabled: yes
\ndetection-ports:
\ndp: 53
\nudp:
\nenabled: yes
\ndetection-ports:
\ndp: 53
\nhttp:
\nenabled: yes
\n# memcap: Maximum memory capacity for HTTP
\n# Default is unlimited, values can be 64mb, e.g.<\/p>\n

# default-config: Used when no server-config matches
\n# personality: List of personalities used by default
\n# request-body-limit: Limit reassembly of request body for inspection
\n# by http_client_body & pcre \/P option.
\n# response-body-limit: Limit reassembly of response body for inspection
\n# by file_data, http_server_body & pcre \/Q option.
\n#
\n# For advanced options, see the user guide<\/p>\n

# server-config: List of server configurations to use if address matches
\n# address: List of IP addresses or networks for this block
\n# personality: List of personalities used by this block
\n#
\n# Then, all the fields from default-config can be overloaded
\n#
\n# Currently Available Personalities:
\n# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
\n# IIS_7_0, IIS_7_5, Apache_2
\nlibhtp:
\ndefault-config:
\npersonality: IDS<\/p>\n

# Can be specified in kb, mb, gb. Just a number indicates
\n# it’s in bytes.
\nrequest-body-limit: 100kb
\nresponse-body-limit: 100kb<\/p>\n

# inspection limits
\nrequest-body-minimal-inspect-size: 32kb
\nrequest-body-inspect-window: 4kb
\nresponse-body-minimal-inspect-size: 40kb
\nresponse-body-inspect-window: 16kb<\/p>\n

# response body decompression (0 disables)
\nresponse-body-decompress-layer-limit: 2<\/p>\n

# auto will use http-body-inline mode in IPS mode, yes or no set it statically
\nhttp-body-inline: auto<\/p>\n

# Decompress SWF files.
\n# Two types: ‘deflate’, ‘lzma’, ‘both’ will decompress deflate and lzma
\n# compress-depth:
\n# Specifies the maximum amount of data to decompress,
\n# set 0 for unlimited.
\n# decompress-depth:
\n# Specifies the maximum amount of decompressed data to obtain,
\n# set 0 for unlimited.
\nswf-decompression:
\nenabled: yes
\ntype: both
\ncompress-depth: 0
\ndecompress-depth: 0<\/p>\n

# Use a random value for inspection sizes around the specified value.
\n# This lowers the risk of some evasion techniques but could lead
\n# to detection change between runs. It is set to ‘yes’ by default.
\n#randomize-inspection-sizes: yes
\n# If “randomize-inspection-sizes” is active, the value of various
\n# inspection size will be chosen from the [1 – range%, 1 + range%]
\n# range
\n# Default value of “randomize-inspection-range” is 10.
\n#randomize-inspection-range: 10<\/p>\n

# decoding
\ndouble-decode-path: no
\ndouble-decode-query: no<\/p>\n

# Can enable LZMA decompression
\n#lzma-enabled: false
\n# Memory limit usage for LZMA decompression dictionary
\n# Data is decompressed until dictionary reaches this size
\n#lzma-memlimit: 1mb
\n# Maximum decompressed size with a compression ratio
\n# above 2048 (only LZMA can reach this ratio, deflate cannot)
\n#compression-bomb-limit: 1mb<\/p>\n

server-config:<\/p>\n

#- apache:
\n# address: [192.168.1.0\/24, 127.0.0.0\/8, “::1”]
\n# personality: Apache_2
\n# # Can be specified in kb, mb, gb. Just a number indicates
\n# # it’s in bytes.
\n# request-body-limit: 4096
\n# response-body-limit: 4096
\n# double-decode-path: no
\n# double-decode-query: no<\/p>\n

#- iis7:
\n# address:
\n# – 192.168.0.0\/24
\n# – 192.168.10.0\/24
\n# personality: IIS_7_0
\n# # Can be specified in kb, mb, gb. Just a number indicates
\n# # it’s in bytes.
\n# request-body-limit: 4096
\n# response-body-limit: 4096
\n# double-decode-path: no
\n# double-decode-query: no<\/p>\n

# Note: Modbus probe parser is minimalist due to the limited usage in the field.
\n# Only Modbus message length (greater than Modbus header length)
\n# and protocol ID (equal to 0) are checked in probing parser
\n# It is important to enable detection port and define Modbus port
\n# to avoid false positives
\nmodbus:
\n# How many unanswered Modbus requests are considered a flood.
\n# If the limit is reached, the app-layer-event:modbus.flooded; will match.
\n#request-flood: 500<\/p>\n

enabled: no
\ndetection-ports:
\ndp: 502
\n# According to MODBUS Messaging on TCP\/IP Implementation Guide V1.0b, it
\n# is recommended to keep the TCP connection opened with a remote device
\n# and not to open and close it for each MODBUS\/TCP transaction. In that
\n# case, it is important to set the depth of the stream reassembling as
\n# unlimited (stream.reassembly.depth: 0)<\/p>\n

# Stream reassembly size for modbus. By default track it completely.
\nstream-depth: 0<\/p>\n

# DNP3
\ndnp3:
\nenabled: no
\ndetection-ports:
\ndp: 20000<\/p>\n

# SCADA EtherNet\/IP and CIP protocol support
\nenip:
\nenabled: no
\ndetection-ports:
\ndp: 44818
\nsp: 44818<\/p>\n

ntp:
\nenabled: yes<\/p>\n

dhcp:
\nenabled: yes<\/p>\n

sip:
\n#enabled: no
\nenabled: yes
\n# Limit for the maximum number of asn1 frames to decode (default 256)
\nasn1-max-frames: 256<\/p>\n

# Datasets default settings
\n# datasets:
\n# # Default fallback memcap and hashsize values for datasets in case these
\n# # were not explicitly defined.
\n# defaults:
\n# memcap: 100mb
\n# hashsize: 2048<\/p>\n

##############################################################################
\n##
\n## Advanced settings below
\n##
\n##############################################################################<\/p>\n

##
\n## Run Options
\n##<\/p>\n

# Run Suricata with a specific user-id and group-id:
\n#run-as:
\n# user: suri
\n# group: suri<\/p>\n

# Some logging modules will use that name in event as identifier. The default
\n# value is the hostname
\n#sensor-name: suricata<\/p>\n

# Default location of the pid file. The pid file is only used in
\n# daemon mode (start Suricata with -D). If not running in daemon mode
\n# the –pidfile command line option must be used to create a pid file.
\n#pid-file: \/var\/run\/suricata.pid<\/p>\n

# Daemon working directory
\n# Suricata will change directory to this one if provided
\n# Default: “\/”
\n#daemon-directory: “\/”<\/p>\n

# Umask.
\n# Suricata will use this umask if it is provided. By default it will use the
\n# umask passed on by the shell.
\n#umask: 022<\/p>\n

# Suricata core dump configuration. Limits the size of the core dump file to
\n# approximately max-dump. The actual core dump size will be a multiple of the
\n# page size. Core dumps that would be larger than max-dump are truncated. On
\n# Linux, the actual core dump size may be a few pages larger than max-dump.
\n# Setting max-dump to 0 disables core dumping.
\n# Setting max-dump to ‘unlimited’ will give the full core dump file.
\n# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
\n# to be ‘unlimited’.<\/p>\n

coredump:
\nmax-dump: unlimited<\/p>\n

# If the Suricata box is a router for the sniffed networks, set it to ‘router’. If
\n# it is a pure sniffing setup, set it to ‘sniffer-only’.
\n# If set to auto, the variable is internally switched to ‘router’ in IPS mode
\n# and ‘sniffer-only’ in IDS mode.
\n# This feature is currently only used by the reject* keywords.
\nhost-mode: auto<\/p>\n

# Number of packets preallocated per thread. The default is 1024. A higher number
\n# will make sure each CPU will be more easily kept busy, but may negatively
\n# impact caching.
\n#max-pending-packets: 1024<\/p>\n

# Runmode the engine should use. Please check –list-runmodes to get the available
\n# runmodes for each packet acquisition method. Default depends on selected capture
\n# method. ‘workers’ generally gives best performance.
\n#runmode: autofp<\/p>\n

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
\n#
\n# Supported schedulers are:
\n#
\n# hash – Flow assigned to threads using the 5-7 tuple hash.
\n# ippair – Flow assigned to threads using addresses only.
\n#
\n#autofp-scheduler: hash<\/p>\n

# Preallocated size for each packet. Default is 1514 which is the classical
\n# size for pcap on Ethernet. You should adjust this value to the highest
\n# packet size (MTU + hardware header) on your system.
\n#default-packet-size: 1514<\/p>\n

# Unix command socket that can be used to pass commands to Suricata.
\n# An external tool can then connect to get information from Suricata
\n# or trigger some modifications of the engine. Set enabled to yes
\n# to activate the feature. In auto mode, the feature will only be
\n# activated in live capture mode. You can use the filename variable to set
\n# the file name of the socket.
\nunix-command:
\nenabled: yes
\nfilename: \/var\/run\/suricata\/suricata-command.socket<\/p>\n

# Magic file. The extension .mgc is added to the value here.
\n#magic-file: \/usr\/share\/file\/magic
\n#magic-file:<\/p>\n

# GeoIP2 database file. Specify path and filename of GeoIP2 database
\n# if using rules with “geoip” rule option.
\n#geoip-database: \/usr\/local\/share\/GeoLite2\/GeoLite2-Country.mmdb<\/p>\n

legacy:
\nuricontent: enabled<\/p>\n

##
\n## Detection settings
\n##<\/p>\n

# Set the order of alerts based on actions
\n# The default order is pass, drop, reject, alert
\n# action-order:
\n# – pass
\n# – drop
\n# – reject
\n# – alert<\/p>\n

# IP Reputation
\n#reputation-categories-file: \/etc\/suricata\/iprep\/categories.txt
\n#default-reputation-path: \/etc\/suricata\/iprep
\n#reputation-files:
\n# – reputation.list<\/p>\n

# When run with the option –engine-analysis, the engine will read each of
\n# the parameters below, and print reports for each of the enabled sections
\n# and exit. The reports are printed to a file in the default log dir
\n# given by the parameter “default-log-dir”, with engine reporting
\n# subsection below printing reports in its own report file.
\nengine-analysis:
\n# enables printing reports for fast-pattern for every rule.
\nrules-fast-pattern: yes
\n# enables printing reports for each rule
\nrules: yes<\/p>\n

#recursion and match limits for PCRE where supported
\npcre:
\nmatch-limit: 3500
\nmatch-limit-recursion: 1500<\/p>\n

##
\n## Advanced Traffic Tracking and Reconstruction Settings
\n##<\/p>\n

# Host specific policies for defragmentation and TCP stream
\n# reassembly. The host OS lookup is done using a radix tree, just
\n# like a routing table so the most specific entry matches.
\nhost-os-policy:
\n# Make the default policy windows.
\nwindows: [0.0.0.0\/0]
\nbsd: []
\nbsd-right: []
\nold-linux: []
\nlinux: []
\nold-solaris: []
\nsolaris: []
\nhpux10: []
\nhpux11: []
\nirix: []
\nmacos: []
\nvista: []
\nwindows2k3: []<\/p>\n

# Defrag settings:<\/p>\n

defrag:
\nmemcap: 32mb
\nhash-size: 65536
\ntrackers: 65535 # number of defragmented flows to follow
\nmax-frags: 65535 # number of fragments to keep (higher than trackers)
\nprealloc: yes
\ntimeout: 60<\/p>\n

# Enable defrag per host settings
\n# host-config:
\n#
\n# – dmz:
\n# timeout: 30
\n# address: [192.168.1.0\/24, 127.0.0.0\/8, 1.1.1.0\/24, 2.2.2.0\/24, “1.1.1.1”, “2.2.2.2”, “::1”]
\n#
\n# – lan:
\n# timeout: 45
\n# address:
\n# – 192.168.0.0\/24
\n# – 192.168.10.0\/24
\n# – 172.16.14.0\/24<\/p>\n

# Flow settings:
\n# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
\n# for flow allocation inside the engine. You can change this value to allow
\n# more memory usage for flows.
\n# The hash-size determines the size of the hash used to identify flows inside
\n# the engine, and by default the value is 65536.
\n# At startup, the engine can preallocate a number of flows, to get better
\n# performance. The number of flows preallocated is 10000 by default.
\n# emergency-recovery is the percentage of flows that the engine needs to
\n# prune before clearing the emergency state. The emergency state is activated
\n# when the memcap limit is reached, allowing new flows to be created, but
\n# pruning them with the emergency timeouts (they are defined below).
\n# If the memcap is reached, the engine will try to prune flows
\n# with the default timeouts. If it doesn’t find a flow to prune, it will set
\n# the emergency bit and it will try again with more aggressive timeouts.
\n# If that doesn’t work, then it will try to kill the oldest flows using
\n# last time seen flows.
\n# The memcap can be specified in kb, mb, gb. Just a number indicates it’s
\n# in bytes.<\/p>\n

flow:
\nmemcap: 128mb
\nhash-size: 65536
\nprealloc: 10000
\nemergency-recovery: 30
\n#managers: 1 # default to one flow manager
\n#recyclers: 1 # default to one flow recycler thread<\/p>\n

# This option controls the use of VLAN ids in the flow (and defrag)
\n# hashing. Normally this should be enabled, but in some (broken)
\n# setups where both sides of a flow are not tagged with the same VLAN
\n# tag, we can ignore the VLAN id’s in the flow hashing.
\nvlan:
\nuse-for-tracking: true<\/p>\n

# Specific timeouts for flows. Here you can specify the timeouts that the
\n# active flows will wait to transit from the current state to another, on each
\n# protocol. The value of “new” determines the seconds to wait after a handshake or
\n# stream startup before the engine frees the data of that flow it doesn’t
\n# change the state to established (usually if we don’t receive more packets
\n# of that flow). The value of “established” is the amount of
\n# seconds that the engine will wait to free the flow if that time elapses
\n# without receiving new packets or closing the connection. “closed” is the
\n# amount of time to wait after a flow is closed (usually zero). “bypassed”
\n# timeout controls locally bypassed flows. For these flows we don’t do any other
\n# tracking. If no packets have been seen after this timeout, the flow is discarded.
\n#
\n# There’s an emergency mode that will become active under attack circumstances,
\n# making the engine to check flow status faster. This configuration variables
\n# use the prefix “emergency-” and work similar as the normal ones.
\n# Some timeouts doesn’t apply to all the protocols, like “closed”, for udp and
\n# icmp.<\/p>\n

flow-timeouts:<\/p>\n

default:
\nnew: 30
\nestablished: 300
\nclosed: 0
\nbypassed: 100
\nemergency-new: 10
\nemergency-established: 100
\nemergency-closed: 0
\nemergency-bypassed: 50
\ntcp:
\nnew: 60
\nestablished: 600
\nclosed: 60
\nbypassed: 100
\nemergency-new: 5
\nemergency-established: 100
\nemergency-closed: 10
\nemergency-bypassed: 50
\nudp:
\nnew: 30
\nestablished: 300
\nbypassed: 100
\nemergency-new: 10
\nemergency-established: 100
\nemergency-bypassed: 50
\nicmp:
\nnew: 30
\nestablished: 300
\nbypassed: 100
\nemergency-new: 10
\nemergency-established: 100
\nemergency-bypassed: 50<\/p>\n

# Stream engine settings. Here the TCP stream tracking and reassembly
\n# engine is configured.
\n#
\n# stream:
\n# memcap: 32mb # Can be specified in kb, mb, gb. Just a
\n# # number indicates it’s in bytes.
\n# checksum-validation: yes # To validate the checksum of received
\n# # packet. If csum validation is specified as
\n# # “yes”, then packets with invalid csum values will not
\n# # be processed by the engine stream\/app layer.
\n# # Warning: locally generated traffic can be
\n# # generated without checksum due to hardware offload
\n# # of checksum. You can control the handling of checksum
\n# # on a per-interface basis via the ‘checksum-checks’
\n# # option
\n# prealloc-sessions: 2k # 2k sessions prealloc’d per stream thread
\n# midstream: false # don’t allow midstream session pickups
\n# async-oneside: false # don’t enable async stream handling
\n# inline: no # stream inline mode
\n# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
\n# max-synack-queued: 5 # Max different SYN\/ACKs to queue
\n# bypass: no # Bypass packets when stream.reassembly.depth is reached.
\n# # Warning: first side to reach this triggers
\n# # the bypass.
\n#
\n# reassembly:
\n# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
\n# # indicates it’s in bytes.
\n# depth: 1mb # Can be specified in kb, mb, gb. Just a number
\n# # indicates it’s in bytes.
\n# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
\n# # this size. Can be specified in kb, mb,
\n# # gb. Just a number indicates it’s in bytes.
\n# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
\n# # this size. Can be specified in kb, mb,
\n# # gb. Just a number indicates it’s in bytes.
\n# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
\n# # This lowers the risk of some evasion techniques but could lead
\n# # to detection change between runs. It is set to ‘yes’ by default.
\n# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
\n# # a random value between (1 – randomize-chunk-range\/100)*toserver-chunk-size
\n# # and (1 + randomize-chunk-range\/100)*toserver-chunk-size and the same
\n# # calculation for toclient-chunk-size.
\n# # Default value of randomize-chunk-range is 10.
\n#
\n# raw: yes # ‘Raw’ reassembly enabled or disabled.
\n# # raw is for content inspection by detection
\n# # engine.
\n#
\n# segment-prealloc: 2048 # number of segments preallocated per thread
\n#
\n# check-overlap-different-data: true|false
\n# # check if a segment contains different data
\n# # than what we’ve already seen for that
\n# # position in the stream.
\n# # This is enabled automatically if inline mode
\n# # is used or when stream-event:reassembly_overlap_different_data;
\n# # is used in a rule.
\n#
\nstream:
\nmemcap: 64mb
\nchecksum-validation: yes # reject incorrect csums
\ninline: auto # auto will use inline mode in IPS mode, yes or no set it statically
\nreassembly:
\nmemcap: 256mb
\ndepth: 1mb # reassemble 1mb into a stream
\ntoserver-chunk-size: 2560
\ntoclient-chunk-size: 2560
\nrandomize-chunk-size: yes
\n#randomize-chunk-range: 10
\n#raw: yes
\n#segment-prealloc: 2048
\n#check-overlap-different-data: true<\/p>\n

# Host table:
\n#
\n# Host table is used by the tagging and per host thresholding subsystems.
\n#
\nhost:
\nhash-size: 4096
\nprealloc: 1000
\nmemcap: 32mb<\/p>\n

# IP Pair table:
\n#
\n# Used by xbits ‘ippair’ tracking.
\n#
\n#ippair:
\n# hash-size: 4096
\n# prealloc: 1000
\n# memcap: 32mb<\/p>\n

# Decoder settings<\/p>\n

decoder:
\n# Teredo decoder is known to not be completely accurate
\n# as it will sometimes detect non-teredo as teredo.
\nteredo:
\nenabled: true
\n# ports to look for Teredo. Max 4 ports. If no ports are given, or
\n# the value is set to ‘any’, Teredo detection runs on _all_ UDP packets.
\nports: $TEREDO_PORTS # syntax: ‘[3544, 1234]’ or ‘3533’ or ‘any’.<\/p>\n

# VXLAN decoder is assigned to up to 4 UDP ports. By default only the
\n# IANA assigned port 4789 is enabled.
\nvxlan:
\nenabled: true
\nports: $VXLAN_PORTS # syntax: ‘[8472, 4789]’ or ‘4789’.<\/p>\n

# Geneve decoder is assigned to up to 4 UDP ports. By default only the
\n# IANA assigned port 6081 is enabled.
\ngeneve:
\nenabled: true
\nports: $GENEVE_PORTS # syntax: ‘[6081, 1234]’ or ‘6081’.<\/p>\n

##
\n## Performance tuning and profiling
\n##<\/p>\n

# The detection engine builds internal groups of signatures. The engine
\n# allows us to specify the profile to use for them, to manage memory in an
\n# efficient way keeping good performance. For the profile keyword you
\n# can use the words “low”, “medium”, “high” or “custom”. If you use custom,
\n# make sure to define the values in the “custom-values” section.
\n# Usually you would prefer medium\/high\/low.
\n#
\n# “sgh mpm-context”, indicates how the staging should allot mpm contexts for
\n# the signature groups. “single” indicates the use of a single context for
\n# all the signature group heads. “full” indicates a mpm-context for each
\n# group head. “auto” lets the engine decide the distribution of contexts
\n# based on the information the engine gathers on the patterns from each
\n# group head.
\n#
\n# The option inspection-recursion-limit is used to limit the recursive calls
\n# in the content inspection code. For certain payload-sig combinations, we
\n# might end up taking too much time in the content inspection code.
\n# If the argument specified is 0, the engine uses an internally defined
\n# default limit. When a value is not specified, there are no limits on the recursion.
\ndetect:
\nprofile: medium
\ncustom-values:
\ntoclient-groups: 3
\ntoserver-groups: 25
\nsgh-mpm-context: auto
\ninspection-recursion-limit: 3000
\n# If set to yes, the loading of signatures will be made after the capture
\n# is started. This will limit the downtime in IPS mode.
\n#delayed-detect: yes<\/p>\n

prefilter:
\n# default prefiltering setting. “mpm” only creates MPM\/fast_pattern
\n# engines. “auto” also sets up prefilter engines for other keywords.
\n# Use –list-keywords=all to see which keywords support prefiltering.
\ndefault: mpm<\/p>\n

# the grouping values above control how many groups are created per
\n# direction. Port whitelisting forces that port to get its own group.
\n# Very common ports will benefit, as well as ports with many expensive
\n# rules.
\ngrouping:
\n#tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
\n#udp-whitelist: 53, 135, 5060<\/p>\n

profiling:
\n# Log the rules that made it past the prefilter stage, per packet
\n# default is off. The threshold setting determines how many rules
\n# must have made it past pre-filter for that rule to trigger the
\n# logging.
\n#inspect-logging-threshold: 200
\ngrouping:
\ndump-to-disk: false
\ninclude-rules: false # very verbose
\ninclude-mpm-stats: false<\/p>\n

# Select the multi pattern algorithm you want to run for scan\/search the
\n# in the engine.
\n#
\n# The supported algorithms are:
\n# “ac” – Aho-Corasick, default implementation
\n# “ac-bs” – Aho-Corasick, reduced memory implementation
\n# “ac-ks” – Aho-Corasick, “Ken Steele” variant
\n# “hs” – Hyperscan, available when built with Hyperscan support
\n#
\n# The default mpm-algo value of “auto” will use “hs” if Hyperscan is
\n# available, “ac” otherwise.
\n#
\n# The mpm you choose also decides the distribution of mpm contexts for
\n# signature groups, specified by the conf – “detect.sgh-mpm-context”.
\n# Selecting “ac” as the mpm would require “detect.sgh-mpm-context”
\n# to be set to “single”, because of ac’s memory requirements, unless the
\n# ruleset is small enough to fit in memory, in which case one can
\n# use “full” with “ac”. The rest of the mpms can be run in “full” mode.<\/p>\n

mpm-algo: auto<\/p>\n

# Select the matching algorithm you want to use for single-pattern searches.
\n#
\n# Supported algorithms are “bm” (Boyer-Moore) and “hs” (Hyperscan, only
\n# available if Suricata has been built with Hyperscan support).
\n#
\n# The default of “auto” will use “hs” if available, otherwise “bm”.<\/p>\n

spm-algo: auto<\/p>\n

# Suricata is multi-threaded. Here the threading can be influenced.
\nthreading:
\nset-cpu-affinity: no
\n# Tune cpu affinity of threads. Each family of threads can be bound
\n# to specific CPUs.
\n#
\n# These 2 apply to the all runmodes:
\n# management-cpu-set is used for flow timeout handling, counters
\n# worker-cpu-set is used for ‘worker’ threads
\n#
\n# Additionally, for autofp these apply:
\n# receive-cpu-set is used for capture threads
\n# verdict-cpu-set is used for IPS verdict threads
\n#
\ncpu-affinity:
\n– management-cpu-set:
\ncpu: [ 0 ] # include only these CPUs in affinity settings
\n– receive-cpu-set:
\ncpu: [ 0 ] # include only these CPUs in affinity settings
\n– worker-cpu-set:
\ncpu: [ “all” ]
\nmode: “exclusive”
\n# Use explicitly 3 threads and don’t compute number by using
\n# detect-thread-ratio variable:
\n# threads: 3
\nprio:
\nlow: [ 0 ]
\nmedium: [ “1-2” ]
\nhigh: [ 3 ]
\ndefault: “medium”
\n#- verdict-cpu-set:
\n# cpu: [ 0 ]
\n# prio:
\n# default: “high”
\n#
\n# By default Suricata creates one “detect” thread per available CPU\/CPU core.
\n# This setting allows controlling this behaviour. A ratio setting of 2 will
\n# create 2 detect threads for each CPU\/CPU core. So for a dual core CPU this
\n# will result in 4 detect threads. If values below 1 are used, less threads
\n# are created. So on a dual core CPU a setting of 0.5 results in 1 detect
\n# thread being created. Regardless of the setting at a minimum 1 detect
\n# thread will always be created.
\n#
\ndetect-thread-ratio: 1.0<\/p>\n

# Luajit has a strange memory requirement, its ‘states’ need to be in the
\n# first 2G of the process’ memory.
\n#
\n# ‘luajit.states’ is used to control how many states are preallocated.
\n# State use: per detect script: 1 per detect thread. Per output script: 1 per
\n# script.
\nluajit:
\nstates: 128<\/p>\n

# Profiling settings. Only effective if Suricata has been built with
\n# the –enable-profiling configure flag.
\n#
\nprofiling:
\n# Run profiling for every X-th packet. The default is 1, which means we
\n# profile every packet. If set to 1000, one packet is profiled for every
\n# 1000 received.
\n#sample-rate: 1000<\/p>\n

# rule profiling
\nrules:<\/p>\n

# Profiling can be disabled here, but it will still have a
\n# performance impact if compiled in.
\nenabled: yes
\nfilename: rule_perf.log
\nappend: yes<\/p>\n

# Sort options: ticks, avgticks, checks, matches, maxticks
\n# If commented out all the sort options will be used.
\n#sort: avgticks<\/p>\n

# Limit the number of sids for which stats are shown at exit (per sort).
\nlimit: 10<\/p>\n

# output to json
\njson: yes<\/p>\n

# per keyword profiling
\nkeywords:
\nenabled: yes
\nfilename: keyword_perf.log
\nappend: yes<\/p>\n

prefilter:
\nenabled: yes
\nfilename: prefilter_perf.log
\nappend: yes<\/p>\n

# per rulegroup profiling
\nrulegroups:
\nenabled: yes
\nfilename: rule_group_perf.log
\nappend: yes<\/p>\n

# packet profiling
\npackets:<\/p>\n

# Profiling can be disabled here, but it will still have a
\n# performance impact if compiled in.
\nenabled: yes
\nfilename: packet_stats.log
\nappend: yes<\/p>\n

# per packet csv output
\ncsv:<\/p>\n

# Output can be disabled here, but it will still have a
\n# performance impact if compiled in.
\nenabled: no
\nfilename: packet_stats.csv<\/p>\n

# profiling of locking. Only available when Suricata was built with
\n# –enable-profiling-locks.
\nlocks:
\nenabled: no
\nfilename: lock_stats.log
\nappend: yes<\/p>\n

pcap-log:
\nenabled: no
\nfilename: pcaplog_stats.log
\nappend: yes<\/p>\n

##
\n## Netfilter integration
\n##<\/p>\n

# When running in NFQ inline mode, it is possible to use a simulated
\n# non-terminal NFQUEUE verdict.
\n# This permits sending all needed packet to Suricata via this rule:
\n# iptables -I FORWARD -m mark ! –mark $MARK\/$MASK -j NFQUEUE
\n# And below, you can have your standard filtering ruleset. To activate
\n# this mode, you need to set mode to ‘repeat’
\n# If you want a packet to be sent to another queue after an ACCEPT decision
\n# set the mode to ‘route’ and set next-queue value.
\n# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance
\n# by processing several packets before sending a verdict (worker runmode only).
\n# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel
\n# accept the packet if Suricata is not able to keep pace.
\n# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
\n# set then the NFQ bypass is activated. Suricata will set the bypass mark\/mask
\n# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
\n# directly accept all packets of a flow once a packet has been marked.
\nnfq:
\nmode: accept
\n# repeat-mark: 1
\n# repeat-mask: 1
\n# bypass-mark: 1
\n# bypass-mask: 1
\n# route-queue: 2
\n# batchcount: 20
\n# fail-open: yes<\/p>\n

#nflog support
\nnflog:
\n# netlink multicast group
\n# (the same as the iptables –nflog-group param)
\n# Group 0 is used by the kernel, so you can’t use it
\n– group: 2
\n# netlink buffer size
\nbuffer-size: 18432
\n# put default value here
\n– group: default
\n# set number of packets to queue inside kernel
\nqthreshold: 1
\n# set the delay before flushing packet in the kernel’s queue
\nqtimeout: 100
\n# netlink max buffer size
\nmax-size: 20000<\/p>\n

##
\n## Advanced Capture Options
\n##<\/p>\n

# General settings affecting packet capture
\ncapture:
\n# disable NIC offloading. It’s restored when Suricata exits.
\n# Enabled by default.
\n#disable-offloading: false
\n#
\n# disable checksum validation. Same as setting ‘-k none’ on the
\n# commandline.
\n#checksum-validation: none<\/p>\n

# Netmap support
\n#
\n# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has
\n# built-in Netmap support or compile and install the Netmap module and appropriate
\n# NIC driver for your Linux system.
\n# To reach maximum throughput disable all receive-, segmentation-,
\n# checksum- offloading on your NIC (using ethtool or similar).
\n# Disabling TX checksum offloading is *required* for connecting OS endpoint
\n# with NIC endpoint.
\n# You can find more information at https:\/\/github.com\/luigirizzo\/netmap
\n#
\nnetmap:
\n# To specify OS endpoint add plus sign at the end (e.g. “eth0+”)
\n– interface: eth2
\n# Number of capture threads. “auto” uses number of RSS queues on interface.
\n# Warning: unless the RSS hashing is symmetrical, this will lead to
\n# accuracy issues.
\n#threads: auto
\n# You can use the following variables to activate netmap tap or IPS mode.
\n# If copy-mode is set to ips or tap, the traffic coming to the current
\n# interface will be copied to the copy-iface interface. If ‘tap’ is set, the
\n# copy is complete. If ‘ips’ is set, the packet matching a ‘drop’ action
\n# will not be copied.
\n# To specify the OS as the copy-iface (so the OS can route packets, or forward
\n# to a service running on the same machine) add a plus sign at the end
\n# (e.g. “copy-iface: eth0+”). Don’t forget to set up a symmetrical eth0+ -> eth0
\n# for return packets. Hardware checksumming must be *off* on the interface if
\n# using an OS endpoint (e.g. ‘ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6’ for FreeBSD
\n# or ‘ethtool -K eth0 tx off rx off’ for Linux).
\n#copy-mode: tap
\n#copy-iface: eth3
\n# Set to yes to disable promiscuous mode
\n# disable-promisc: no
\n# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may have an invalid checksum due to
\n# the checksum computation being offloaded to the network card.
\n# Possible values are:
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: Suricata uses a statistical approach to detect when
\n# checksum off-loading is used.
\n# Warning: ‘checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: auto
\n# BPF filter to apply to this interface. The pcap filter syntax apply here.
\n#bpf-filter: port 80 or udp
\n#- interface: eth3
\n#threads: auto
\n#copy-mode: tap
\n#copy-iface: eth2
\n# Put default values here
\n– interface: default<\/p>\n

# PF_RING configuration: for use with native PF_RING support
\n# for more info see http:\/\/www.ntop.org\/products\/pf_ring\/
\npfring:
\n– interface: eth0
\n# Number of receive threads. If set to ‘auto’ Suricata will first try
\n# to use CPU (core) count and otherwise RSS queue count.
\nthreads: auto<\/p>\n

# Default clusterid. PF_RING will load balance packets based on flow.
\n# All threads\/processes that will participate need to have the same
\n# clusterid.
\ncluster-id: 99<\/p>\n

# Default PF_RING cluster type. PF_RING can load balance per flow.
\n# Possible values are cluster_flow or cluster_round_robin.
\ncluster-type: cluster_flow<\/p>\n

# bpf filter for this interface
\n#bpf-filter: tcp<\/p>\n

# If bypass is set then the PF_RING hw bypass is activated, when supported
\n# by the network interface. Suricata will instruct the interface to bypass
\n# all future packets for a flow that need to be bypassed.
\n#bypass: yes<\/p>\n

# Choose checksum verification mode for the interface. At the moment
\n# of the capture, some packets may have an invalid checksum due to
\n# the checksum computation being offloaded to the network card.
\n# Possible values are:
\n# – rxonly: only compute checksum for packets received by network card.
\n# – yes: checksum validation is forced
\n# – no: checksum validation is disabled
\n# – auto: Suricata uses a statistical approach to detect when
\n# checksum off-loading is used. (default)
\n# Warning: ‘checksum-validation’ must be set to yes to have any validation
\n#checksum-checks: auto
\n# Second interface
\n#- interface: eth1
\n# threads: 3
\n# cluster-id: 93
\n# cluster-type: cluster_flow
\n# Put default values here
\n– interface: default
\n#threads: 2<\/p>\n

# For FreeBSD ipfw(8) divert(4) support.
\n# Please make sure you have ipfw_load=”YES” and ipdivert_load=”YES”
\n# in \/etc\/loader.conf or kldload’ing the appropriate kernel modules.
\n# Additionally, you need to have an ipfw rule for the engine to see
\n# the packets from ipfw. For Example:
\n#
\n# ipfw add 100 divert 8000 ip from any to any
\n#
\n# N.B. This example uses “8000” — this number must mach the values
\n# you passed on the command line, i.e., -d 8000
\n#
\nipfw:<\/p>\n

# Reinject packets at the specified ipfw rule number. This config
\n# option is the ipfw rule number AT WHICH rule processing continues
\n# in the ipfw processing system after the engine has finished
\n# inspecting the packet for acceptance. If no rule number is specified,
\n# accepted packets are reinjected at the divert rule which they entered
\n# and IPFW rule processing continues. No check is done to verify
\n# this will rule makes sense so care must be taken to avoid loops in ipfw.
\n#
\n## The following example tells the engine to reinject packets
\n# back into the ipfw firewall AT rule number 5500:
\n#
\n# ipfw-reinjection-rule-number: 5500<\/p>\n

napatech:
\n# When use_all_streams is set to “yes” the initialization code will query
\n# the Napatech service for all configured streams and listen on all of them.
\n# When set to “no” the streams config array will be used.
\n#
\n# This option necessitates running the appropriate NTPL commands to create
\n# the desired streams prior to running Suricata.
\n#use-all-streams: no<\/p>\n

# The streams to listen on when auto-config is disabled or when and threading
\n# cpu-affinity is disabled. This can be either:
\n# an individual stream (e.g. streams: [0])
\n# or
\n# a range of streams (e.g. streams: [“0-3”])
\n#
\nstreams: [“0-3”]<\/p>\n

# Stream stats can be enabled to provide fine grain packet and byte counters
\n# for each thread\/stream that is configured.
\n#
\nenable-stream-stats: no<\/p>\n

# When auto-config is enabled the streams will be created and assigned
\n# automatically to the NUMA node where the thread resides. If cpu-affinity
\n# is enabled in the threading section. Then the streams will be created
\n# according to the number of worker threads specified in the worker-cpu-set.
\n# Otherwise, the streams array is used to define the streams.
\n#
\n# This option is intended primarily to support legacy configurations.
\n#
\n# This option cannot be used simultaneously with either “use-all-streams”
\n# or “hardware-bypass”.
\n#
\nauto-config: yes<\/p>\n

# Enable hardware level flow bypass.
\n#
\nhardware-bypass: yes<\/p>\n

# Enable inline operation. When enabled traffic arriving on a given port is
\n# automatically forwarded out its peer port after analysis by Suricata.
\n#
\ninline: no<\/p>\n

# Ports indicates which Napatech ports are to be used in auto-config mode.
\n# these are the port IDs of the ports that will be merged prior to the
\n# traffic being distributed to the streams.
\n#
\n# When hardware-bypass is enabled the ports must be configured as a segment.
\n# specify the port(s) on which upstream and downstream traffic will arrive.
\n# This information is necessary for the hardware to properly process flows.
\n#
\n# When using a tap configuration one of the ports will receive inbound traffic
\n# for the network and the other will receive outbound traffic. The two ports on a
\n# given segment must reside on the same network adapter.
\n#
\n# When using a SPAN-port configuration the upstream and downstream traffic
\n# arrives on a single port. This is configured by setting the two sides of the
\n# segment to reference the same port. (e.g. 0-0 to configure a SPAN port on
\n# port 0).
\n#
\n# port segments are specified in the form:
\n# ports: [0-1,2-3,4-5,6-6,7-7]
\n#
\n# For legacy systems when hardware-bypass is disabled this can be specified in any
\n# of the following ways:
\n#
\n# a list of individual ports (e.g. ports: [0,1,2,3])
\n#
\n# a range of ports (e.g. ports: [0-3])
\n#
\n# “all” to indicate that all ports are to be merged together
\n# (e.g. ports: [all])
\n#
\n# This parameter has no effect if auto-config is disabled.
\n#
\nports: [0-1,2-3]<\/p>\n

# When auto-config is enabled the hashmode specifies the algorithm for
\n# determining to which stream a given packet is to be delivered.
\n# This can be any valid Napatech NTPL hashmode command.
\n#
\n# The most common hashmode commands are: hash2tuple, hash2tuplesorted,
\n# hash5tuple, hash5tuplesorted and roundrobin.
\n#
\n# See Napatech NTPL documentation other hashmodes and details on their use.
\n#
\n# This parameter has no effect if auto-config is disabled.
\n#
\nhashmode: hash5tuplesorted<\/p>\n

##
\n## Configure Suricata to load Suricata-Update managed rules.
\n##<\/p>\n

#default-rule-path: \/etc\/suricata\/rules
\ndefaul-rule-path: \/var\/lib\/suricata\/rules
\nrule-files:
\n– suricata.rules<\/p>\n

##
\n## Auxiliary configuration files.
\n##<\/p>\n

classification-file: \/etc\/suricata\/classification.config
\nreference-config-file: \/etc\/suricata\/reference.config
\n# threshold-file: \/etc\/suricata\/threshold.config<\/p>\n

##
\n## Include other configs
\n##<\/p>\n

# Includes: Files included here will be handled as if they were in-lined
\n# in this configuration file. Files with relative pathnames will be
\n# searched for in the same directory as this configuration file. You may
\n# use absolute pathnames too.
\n# You can specify more than 2 configuration files, if needed.
\n#include: include1.yaml
\n#include: include2.yaml<\/p>\n","protected":false},"excerpt":{"rendered":"

%YAML 1.1 — # Suricata configuration file. In addition to the comments describing all # options in this file, full documentation can be found at: # https:\/\/suricata.readthedocs.io\/en\/latest\/configuration\/suricata-yaml.html ## ## Step 1: Inform Suricata about your network ## vars: # more specific is better for alert accuracy and performance address-groups: #HOME_NET: “[192.168.0.0\/16,10.0.0.0\/8,172.16.0.0\/12]” HOME_NET: “[192.168.2.0\/23]” #HOME_NET: “[10.0.0.0\/8]” […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[222],"tags":[135,134],"class_list":["post-2568","post","type-post","status-publish","format-standard","hentry","category-ips","tag-ips","tag-suricata"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2568"}],"version-history":[{"count":1,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2568\/revisions"}],"predecessor-version":[{"id":2569,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2568\/revisions\/2569"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2568"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}