##
default-rule-path: /var/lib/suricata
rule-files:
- # Default rules
- - /usr/share/suricata/rules/app-layer-events.rules
- - /usr/share/suricata/rules/decoder-events.rules
- - /usr/share/suricata/rules/dhcp-events.rules
- - /usr/share/suricata/rules/dnp3-events.rules
- - /usr/share/suricata/rules/dns-events.rules
- - /usr/share/suricata/rules/files.rules
- - /usr/share/suricata/rules/http2-events.rules
- - /usr/share/suricata/rules/http-events.rules
- - /usr/share/suricata/rules/ipsec-events.rules
- - /usr/share/suricata/rules/kerberos-events.rules
- - /usr/share/suricata/rules/modbus-events.rules
- - /usr/share/suricata/rules/mqtt-events.rules
- - /usr/share/suricata/rules/nfs-events.rules
- - /usr/share/suricata/rules/ntp-events.rules
- - /usr/share/suricata/rules/smb-events.rules
- - /usr/share/suricata/rules/smtp-events.rules
- - /usr/share/suricata/rules/stream-events.rules
- - /usr/share/suricata/rules/tls-events.rules
-
- # Include enabled ruleset files from external file
- - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
-
-classification-file: /var/lib/suricata/classification.config
-reference-config-file: /var/lib/suricata/reference.config
-threshold-file: /var/lib/suricata/threshold.config
+ # Include enabled ruleset files from external file.
+ include: /var/ipfire/suricata/suricata-used-rulesfiles.yaml
+classification-file: /usr/share/suricata/classification.config
+reference-config-file: /usr/share/suricata/reference.config
+threshold-file: /usr/share/suricata/threshold.config
##
## Logging options.
# global stats configuration
stats:
- enabled: yes
+ enabled: no
# The interval field (in seconds) controls at what interval
# the loggers are invoked.
interval: 8
# compiled with the --enable-debug configure option.
#
# This value is overriden by the SC_LOG_LEVEL env var.
- default-log-level: notice
+ default-log-level: Info
# A regex to filter output. Can be overridden in an output section.
# Defaults to empty (no filter).
double-decode-path: no
double-decode-query: no
+ # Note: Modbus probe parser is minimalist due to the poor significant field
+ # Only Modbus message length (greater than Modbus header length)
+ # And Protocol ID (equal to 0) are checked in probing parser
+ # It is important to enable detection port and define Modbus port
+ # to avoid false positive
+ modbus:
+ # How many unreplied Modbus requests are considered a flood.
+ # If the limit is reached, app-layer-event:modbus.flooded; will match.
+ #request-flood: 500
+
+ enabled: no
+ detection-ports:
+ dp: 502
+ # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+ # is recommended to keep the TCP connection opened with a remote device
+ # and not to open and close it for each MODBUS/TCP transaction. In that
+ # case, it is important to set the depth of the stream reassembling as
+ # unlimited (stream.reassembly.depth: 0)
+
+ # Stream reassembly size for modbus. By default track it completely.
+ stream-depth: 0
+
+ # DNP3
+ dnp3:
+ enabled: no
+ detection-ports:
+ dp: 20000
+
+ # SCADA EtherNet/IP and CIP protocol support
+ enip:
+ enabled: no
+ detection-ports:
+ dp: 44818
+ sp: 44818
+
ntp:
enabled: yes
dhcp: