%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
#
# Booleans in this file are written as yes/no; the %YAML 1.1 directive above is
# what makes that spelling a real boolean for the parser.


# Number of packets allowed to be processed simultaneously. Default is a
# conservative 1024. A higher number will make sure CPU's/CPU cores will be
# more easily kept busy, but may negatively impact caching.
#
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
# apply. In that case try something like 60000 or more. This is because the CUDA
# pattern matcher buffers and scans as many packets as possible in parallel.
#max-pending-packets: 1024

# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
#runmode: autofp

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
#
# Supported schedulers are:
#
# round-robin       - Flows assigned to threads in a round robin fashion.
# active-packets    - Flows assigned to threads that have the lowest number of
#                     unprocessed packets (default).
# hash              - Flow allotted using the address hash. More of a random
#                     technique. Was the default in Suricata 1.2.1 and older.
#
#autofp-scheduler: active-packets

# If suricata box is a router for the sniffed networks, set it to 'router'. If
# it is a pure sniffing setup, set it to 'sniffer-only'.
# If set to auto, the variable is internally switched to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords.
host-mode: auto

# Run suricata as user and group.
# NOTE(review): while this stays commented the engine keeps the privileges of
# the user that started it (commonly root, since capture needs it); set a
# dedicated user/group here so those privileges are dropped once running.
#run-as:
#  user: suri
#  group: suri

# Default pid file.
# Will use this file if no --pidfile in command options.
#pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

# The default logging directory. Any log or output file will be
# placed here if it is not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/

# Unix command socket can be used to pass commands to suricata.
# An external tool can then connect to get information from suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. You can use the filename variable to set
# the file name of the socket.
# NOTE(review): any local process able to open this socket can query and
# steer the engine; if enabling it, check the socket's owner and mode.
unix-command:
  enabled: no
  #filename: custom.socket

# Configure the type of alert (and other) logging you would like.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            # NOTE(review): 'Authorization' carries credentials; logging it
            # writes them in clear to eve.json, so treat the log as sensitive
            # if that field is enabled.
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop
        - ssh

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      #limit: 32mb

      # Sensor ID field of unified2 alerts.
      #sensor-id: 0

      # HTTP X-Forwarded-For support by adding the unified2 extra header that
      # will contain the actual client IP address or by overwriting the source
      # IP address (helpful when inspecting traffic that is being reverse
      # proxied).
      # NOTE(review): X-Forwarded-For is set by whoever sends the request;
      # only rely on it for traffic that reaches the sensor through your own
      # proxies, otherwise the reported client address can be forged.
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version of the packet
        # received, it will fall-back to "extra-data" mode.
        mode: extra-data
        # Header name where the actual IP address will be reported, if more than
        # one IP address is present, the last IP address will be the one taken
        # into consideration.
        header: X-Forwarded-For

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enables the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files

  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log to be used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output
  # if used with another kind of input). It can interoperate with
  # pcap parser like wireshark via the suriwire plugin.
  - pcap-info:
      enabled: no

  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  # and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or as specified by "dir". In Sguil mode "dir" indicates the base directory.
  # In this base dir the pcaps are created in the directory structure Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled: no
      filename: log.pcap

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 1000mb

      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
      max-files: 2000

      mode: normal # normal or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  # - http request / response body sizes. Again set to 0 for optimal results.
  # - rules that contain the "filestore" keyword.
  #
  # NOTE(review): extracted files are whatever crossed the wire, including
  # malicious content; keep log-dir out of any path that is served, shared or
  # executed from, and restrict who can read it.
  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      force-md5: no     # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

      force-magic: no   # force logging magic on all logged files
      force-md5: no     # force logging of md5 checksums

# Magic file. The extension .mgc is added to the value here.
# NOTE(review): the active value below already ends in .mgc while the line
# above says the extension is appended — confirm which form the installed
# libmagic expects before relying on file identification.
#magic-file: /usr/share/file/magic
magic-file: /usr/share/misc/magic.mgc

# When running in NFQ inline mode, it is possible to use a simulated
# non-terminal NFQUEUE verdict.
# This permits sending all needed packets to suricata via a rule like:
#        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
# And below, you can have your standard filtering ruleset. To activate
# this mode, you need to set mode to 'repeat'
# If you want packet to be sent to another queue after an ACCEPT decision
# set mode to 'route' and set next-queue value.
# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
# by processing several packets before sending a verdict (worker runmode only).
# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
# accept the packet if suricata is not able to keep pace.
# NOTE(review): fail-open trades inspection for availability — packets the
# kernel accepts this way are never inspected, so watch the drop/queue
# counters if you enable it.
nfq:
#  mode: accept
#  repeat-mark: 1
#  repeat-mask: 1
#  route-queue: 2
#  batchcount: 20
#  fail-open: yes

# nflog support
nflog:
  # netlink multicast group
  # (the same as the iptables --nflog-group param)
  # Group 0 is used by the kernel, so you can't use it
  - group: 2
    # netlink buffer size
    buffer-size: 18432
  # put default value here
  - group: default
    # set number of packet to queue inside kernel
    qthreshold: 1
    # set the delay before flushing packet in the queue inside kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000

# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    cluster-type: cluster_flow
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have really network
    # intensive single-flow you could want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # On busy system, this could help to set it to yes to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) being not treated.
    #use-emergency-flush: yes
    # recv buffer size, increase value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #    checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: 2
    #use-mmap: yes

legacy:
  uricontent: enabled

# You can specify a threshold config file by setting "threshold-file"
# to the path of the threshold config file:
# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping a good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low.
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups. "single" indicates the use of a single context for
# all the signature group heads. "full" indicates a mpm-context for each
# group head. "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion.
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  # will trigger a live rule reload. Experimental feature, use with care.
  #- rule-reload: true
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #- delayed-detect: yes

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  # On some cpu's/architectures it is beneficial to tie individual threads
  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
  # and each extra CPU/core has one "detect" thread.
  #
  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
  #
  set-cpu-affinity: no
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, less threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting at a minimum 1 detect
  # thread will always be created.
  #
  detect-thread-ratio: 1.5

# Cuda configuration.
cuda:
  # The "mpm" profile. On not specifying any of these parameters, the engine's
  # internal default values are used, which are same as the ones specified in
  # the default conf file.
  mpm:
    # The minimum length required to buffer data to the gpu.
    # Anything below this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
    # A value of 0 indicates there's no limit.
    data-buffer-size-min-limit: 0
    # The maximum length for data that we would buffer to the gpu.
    # Anything over this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
    data-buffer-size-max-limit: 1500
    # The ring buffer size used by the CudaBuffer API to buffer data.
    cudabuffer-buffer-size: 500mb
    # The max chunk size that can be sent to the gpu in a single go.
    gpu-transfer-size: 50mb
    # The timeout limit for batching of packets in microseconds.
    batching-timeout: 2000
    # The device to use for the mpm. Currently we don't support load balancing
    # on multiple gpus. In case you have multiple devices on your system, you
    # can specify the device to use, using this conf. By default we hold 0, to
    # specify the first device cuda sees. To find out device-id associated with
    # the card(s) on the system run "suricata --list-cuda-cards".
    device-id: 0
    # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
    # For this option you need a device with Compute Capability > 1.0.
    cuda-streams: 2

# Select the multi pattern algorithm you want to run for scan/search
# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
# ac and ac-gfbs.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". Rest of the mpms can be run in "full" mode.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda): b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.

mpm-algo: ac

# The memory settings for hash size of these algorithms can vary from lowest
# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
# medium (1024) - high (2048).
#
# For B2g/B3g algorithms, there is a support for two different scan/search
# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
# B3gSearchBNDMq.
#
# For B2g the different scan/search algorithms and, hash and bloom
# filter size settings. For B3g the different scan/search algorithms and, hash
# and bloom filter size settings. For wumanber the hash and bloom filter size
# settings.

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

# Defrag settings:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb. Just a number indicates it's
# in bytes.

flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# setups where both sides of a flow are not tagged with the same vlan
# tag, we can ignore the vlan id's in the flow hashing.
vlan:
  use-for-tracking: true

# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determines the seconds to wait after a handshake or
# stream startup before the engine frees the data of that flow if it doesn't
# change the state to established (usually if we don't receive more packets
# of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spends that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero).
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine check flow status faster. These configuration variables
# use the prefix "emergency-" and work similar to the normal ones.
# Some timeouts don't apply to all the protocols, like "closed", for udp and
# icmp.

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 32mb                # Can be specified in kb, mb, gb. Just a
#                               # number indicates it's in bytes.
#   checksum-validation: yes    # To validate the checksum of received
#                               # packet. If csum validation is specified as
#                               # "yes", then packet with invalid csum will not
#                               # be processed by the engine stream/app layer.
#                               # Warning: locally generated traffic can be
#                               # generated without checksum due to hardware offload
#                               # of checksum. You can control the handling of checksum
#                               # on a per-interface basis via the 'checksum-checks'
#                               # option
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
#   midstream: false            # don't allow midstream session pickups
#   async-oneside: false        # don't enable async stream handling
#   inline: no                  # stream inline mode
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
#
#   reassembly:
#     memcap: 64mb              # Can be specified in kb, mb, gb. Just a number
#                               # indicates it's in bytes.
#     depth: 1mb                # Can be specified in kb, mb, gb. Just a number
#                               # indicates it's in bytes.
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size. Can be specified in kb, mb,
#                               # gb. Just a number indicates it's in bytes.
#                               # The max acceptable size is 4024 bytes.
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size. Can be specified in kb, mb,
#                               # gb. Just a number indicates it's in bytes.
#                               # The max acceptable size is 4024 bytes.
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
#                               # This lowers the risk of some evasion techniques but could lead
#                               # to detection changes between runs. It is set to 'yes' by default.
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
#                               # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
#                               # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
#                               # of randomize-chunk-range is 10.
#
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
#                               # raw is for content inspection by detection
#                               # engine.
#
#     chunk-prealloc: 250       # Number of preallocated stream chunks. These
#                               # are used during stream inspection (raw).
#     segments:                 # Settings for reassembly segment pool.
#       - size: 4               # Size of the (data)segment for a pool
#         prealloc: 256         # Number of segments to prealloc and keep
#                               # in the pool.
#
stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 128mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #chunk-prealloc: 250
    #segments:
    #  - size: 4
    #    prealloc: 256
    #  - size: 16
    #    prealloc: 512
    #  - size: 112
    #    prealloc: 512
    #  - size: 248
    #    prealloc: 512
    #  - size: 512
    #    prealloc: 512
    #  - size: 768
    #    prealloc: 1024
    #  - size: 1448
    #    prealloc: 1024
    #  - size: 65535
    #    prealloc: 128

# Host table:
#
# Host table is used by tagging and per host thresholding subsystems.
#
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216

# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what it is doing, errors, etc.
logging:

  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: notice

  # The default output format. Optional parameter, should default to
  # something reasonable if not provided. Can be overridden in an
  # output section. You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: no
        filename: /var/log/suricata.log
    - syslog:
        enabled: yes
        facility: local5
        format: "[%i] <%d> -- "

# Tilera mpipe configuration. for use on Tilera TILE-Gx.
mpipe:

  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
  load-balance: dynamic

  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
  iqueue-packets: 2048

  # List of interfaces we will listen on.
  inputs:
    - interface: xgbe2
    - interface: xgbe3
    - interface: xgbe4

  # Relative weight of memory for packets of each mPipe buffer size.
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0

# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/PF_RING.html
pfring:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1

    # Default clusterid. PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99

    # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #    checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  - interface: default
    #threads: 2

pcap:
  - interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #    checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto

pcap-file:
  # Possible values are:
  #  - yes: checksum validation is forced
  #  - no: checksum validation is disabled
  #  - auto: suricata uses a statistical approach to detect when
  #    checksum off-loading is used. (default)
  # Warning: 'checksum-validation' must be set to yes to have checksum tested
  checksum-checks: auto

# For FreeBSD ipfw(8) divert(4) support.
# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
# Additionally, you need to have an ipfw rule for the engine to see
# the packets from ipfw. For Example:
#
#   ipfw add 100 divert 8000 ip from any to any
#
# The 8000 above should be the same number you passed on the command
# line, i.e. -d 8000
#
ipfw:

  # Reinject packets at the specified ipfw rule number. This config
  # option is the ipfw rule number AT WHICH rule processing continues
  # in the ipfw processing system after the engine has finished
  # inspecting the packet for acceptance. If no rule number is specified,
  # accepted packets are reinjected at the divert rule which they entered
  # and IPFW rule processing continues. No check is done to verify
  # this rule makes sense so care must be taken to avoid loops in ipfw.
  #
  ## The following example tells the engine to reinject packets
  # back into the ipfw firewall AT rule number 5500:
  #
  # ipfw-reinjection-rule-number: 5500

# Set the default rule path here to search for the files.
# If not set, the current working directory is used.
default-rule-path: /etc/suricata/rules
# Rule files to load; entries without a full path are looked up under
# default-rule-path.
rule-files:
  - botcc.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - emerging-activex.rules
  - emerging-attack_response.rules
  - emerging-chat.rules
  - emerging-current_events.rules
  - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
  - emerging-ftp.rules
  - emerging-games.rules
  - emerging-icmp_info.rules
  # - emerging-icmp.rules
  - emerging-imap.rules
  - emerging-inappropriate.rules
  - emerging-malware.rules
  - emerging-misc.rules
  - emerging-mobile_malware.rules
  - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  - emerging-scada.rules
  - emerging-scan.rules
  - emerging-shellcode.rules
  - emerging-smtp.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-telnet.rules
  - emerging-tftp.rules
  - emerging-trojan.rules
  - emerging-user_agents.rules
  - emerging-voip.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  - emerging-web_specific_apps.rules
  - emerging-worm.rules
  - tor.rules
  - decoder-events.rules # available in suricata sources under rules dir
  - stream-events.rules # available in suricata sources under rules dir
  - http-events.rules # available in suricata sources under rules dir
  - smtp-events.rules # available in suricata sources under rules dir
  - dns-events.rules # available in suricata sources under rules dir
  - tls-events.rules # available in suricata sources under rules dir

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

# Variables used by the engine when parsing signatures.
vars:

  # Address group vars that can be referenced in a Signature. They are
  # resolved during the Signature address parsing stage.
  address-groups:

    # NOTE(review): this covers all three RFC 1918 private ranges. Narrow
    # it to the networks this sensor actually protects: EXTERNAL_NET is
    # defined below as everything that is not HOME_NET, and rules
    # typically key on the HOME_NET/EXTERNAL_NET direction.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

    DNP3_SERVER: "$HOME_NET"

    DNP3_CLIENT: "$HOME_NET"

    MODBUS_CLIENT: "$HOME_NET"

    MODBUS_SERVER: "$HOME_NET"

    ENIP_CLIENT: "$HOME_NET"

    ENIP_SERVER: "$HOME_NET"

  # Port group vars that can be referenced in a Signature. They are
  # resolved during the Signature port parsing stage.
  port-groups:

    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    # NOTE(review): the three entries below are unquoted integers while
    # the entries above are quoted strings; quoting them would keep the
    # group consistent -- confirm the loader accepts either form.
    ORACLE_PORTS: 1521

    SSH_PORTS: 22

    DNP3_PORTS: 20000

# Precedence of signature actions. The default order is pass, drop,
# reject, alert. NOTE(review): presumably the action listed first wins
# when several signatures match -- confirm against the docs.
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table, so the most specific entry matches.
# NOTE(review): the non-default entries below (10.0.0.0/8,
# 192.168.1.100, the IPv6 address) look like sample values; map them to
# the real OS of the monitored hosts, since the policy decides how
# ambiguous overlapping segments/fragments are resolved on their behalf.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []


# Limit for the maximum number of asn1 frames to decode (default 256).
asn1-max-frames: 256

# When run with the option --engine-analysis, the engine reads each of
# the parameters below, prints reports for each enabled section and
# exits. The reports are written to a file in the default log dir given
# by "default-log-dir"; each subsection below gets its own report file.
engine-analysis:
  # Enables printing fast-pattern reports for every rule.
  rules-fast-pattern: yes
  # Enables printing reports for each rule.
  rules: yes

# Recursion and match limits for PCRE where supported. NOTE(review):
# these presumably cap backtracking work per match attempt; lowering
# them trades rule coverage on long inputs for CPU protection -- confirm.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each
# protocol. Under each protocol, the default value for detection-enabled
# and parsed-enabled is yes, unless specified otherwise.
# Each protocol covers enabling/disabling parsers for all ipprotos the
# app-layer protocol runs on. For example "dcerpc" refers to the tcp
# version of the protocol as well as the udp version of the protocol.
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables detection only (parser disabled).
# Application-layer protocol detection and parsing; see the comment block
# above for the meaning of the "enabled" values.
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    # Detection only: the protocol is recognised but not parsed.
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    dns:
      # Memcaps, globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb

      ###########################################################################
      # Configure libhtp.
      #
      #
      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal
      #   Generic
      #   IDS (default)
      #   IIS_4_0
      #   IIS_5_0
      #   IIS_5_1
      #   IIS_6_0
      #   IIS_7_0
      #   IIS_7_5
      #   Apache_2
      ###########################################################################
      libhtp:

        default-config:
          personality: IDS

          # Can be specified in kb, mb, gb. Just a number indicates
          # it's in bytes.
          # NOTE(review): 3072 bytes is smaller than the 32kb minimal
          # inspect sizes set just below, so only the first 3072 bytes of
          # a body can ever be reassembled for http_client_body /
          # file_data inspection -- confirm this is intended.
          request-body-limit: 3072
          response-body-limit: 3072

          # Inspection limits.
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 32kb
          response-body-inspect-window: 4kb
          # Take a random value for inspection sizes around the specified
          # value. This lowers the risk of some evasion techniques but may
          # make detection vary between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If randomize-inspection-sizes is active, the inspection sizes
          # are chosen in the [1 - range%, 1 + range%] range.
          # Default value of randomize-inspection-range is 10.
          #randomize-inspection-range: 10

          # Decoding: whether the path and query parts of the URI are
          # percent-decoded a second time before normalization.
          double-decode-path: no
          double-decode-query: no

        # Per-server overrides, selected by the address list; both
        # examples are disabled.
        server-config:

          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

# Profiling settings. Only effective if Suricata has been built with the
# --enable-profiling configure flag. Note that rule, keyword and packet
# profiling are all enabled below; per the comments in each subsection
# that has a performance cost whenever profiling is compiled in.
#
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # Rule profiling. Filenames without a full path are placed under
  # default-log-dir.
  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule_perf.log
    append: yes

    # Sort options: ticks, avgticks, checks, matches, maxticks
    sort: avgticks

    # Limit the number of items printed at exit.
    limit: 100

  # Per keyword profiling.
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

  # Packet profiling.
  packets:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes

    # Per packet csv output.
    csv:

      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv

  # Profiling of locking. Only available when Suricata was built with
  # --enable-profiling-locks.
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max-dump.
# Setting max-dump to 0 disables core dumping.
# Setting max-dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.
# NOTE(review): a full core of a running sensor presumably includes
# buffered packet and stream data; keep the dump location access-restricted
# or set a smaller limit on production sensors.

coredump:
  max-dump: unlimited

# Napatech capture card configuration.
napatech:
  # The Host Buffer Allowance for all streams
  # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
  hba: -1

  # use-all-streams set to "yes" will query the Napatech service for all
  # configured streams and listen on all of them. When set to "no" the
  # streams config array below is used.
  use-all-streams: yes

  # The streams to listen on (only used when use-all-streams is "no").
  streams: [1, 2, 3]

# Includes. Files included here will be handled as if they were
# inlined in this configuration file.
#include: include1.yaml
#include: include2.yaml