]>
Commit | Line | Data |
---|---|---|
4c6d6c1e SS |
1 | %YAML 1.1 |
2 | --- | |
3 | ||
4c6d6c1e | 4 | ## |
335114b2 SS |
5 | ## IPFire specific configuration file - an untouched example configuration |
6 | ## can be found in suricata-example.yaml. | |
4c6d6c1e SS |
7 | ## |
8 | ||
9 | vars: | |
4c6d6c1e | 10 | address-groups: |
42303055 | 11 | # Include HOME_NET declaration from external file. |
13d077fd | 12 | include: /var/ipfire/suricata/suricata-homenet.yaml |
4c6d6c1e SS |
13 | |
14 | EXTERNAL_NET: "!$HOME_NET" | |
15 | #EXTERNAL_NET: "any" | |
16 | ||
17 | HTTP_SERVERS: "$HOME_NET" | |
18 | SMTP_SERVERS: "$HOME_NET" | |
19 | SQL_SERVERS: "$HOME_NET" | |
20 | DNS_SERVERS: "$HOME_NET" | |
21 | TELNET_SERVERS: "$HOME_NET" | |
22 | AIM_SERVERS: "$EXTERNAL_NET" | |
23 | DNP3_SERVER: "$HOME_NET" | |
24 | DNP3_CLIENT: "$HOME_NET" | |
25 | MODBUS_CLIENT: "$HOME_NET" | |
26 | MODBUS_SERVER: "$HOME_NET" | |
27 | ENIP_CLIENT: "$HOME_NET" | |
28 | ENIP_SERVER: "$HOME_NET" | |
29 | ||
30 | port-groups: | |
31 | HTTP_PORTS: "80" | |
32 | SHELLCODE_PORTS: "!80" | |
33 | ORACLE_PORTS: 1521 | |
067e1847 | 34 | SSH_PORTS: "[22,222]" |
4c6d6c1e SS |
35 | DNP3_PORTS: 20000 |
36 | MODBUS_PORTS: 502 | |
37 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" | |
38 | FTP_PORTS: 21 | |
39 | ||
4c6d6c1e | 40 | ## |
335114b2 | 41 | ## Ruleset specific options. |
4c6d6c1e | 42 | ## |
21cab141 | 43 | default-rule-path: /var/lib/suricata |
cc60d3df | 44 | rule-files: |
335114b2 | 45 | # Include enabled ruleset files from external file. |
cc60d3df | 46 | include: /var/ipfire/suricata/suricata-used-rulefiles.yaml |
4c6d6c1e | 47 | |
21cab141 SS |
48 | classification-file: /var/lib/suricata/classification.config |
49 | reference-config-file: /var/lib/suricata/reference.config | |
fd72c85e | 50 | threshold-file: /var/lib/suricata/threshold.config |
4c6d6c1e SS |
51 | |
52 | ||
53 | ## | |
335114b2 | 54 | ## Logging options. |
4c6d6c1e | 55 | ## |
4c6d6c1e SS |
56 | default-log-dir: /var/log/suricata/ |
57 | ||
58 | # global stats configuration | |
59 | stats: | |
60 | enabled: yes | |
61 | # The interval field (in seconds) controls at what interval | |
62 | # the loggers are invoked. | |
63 | interval: 8 | |
64 | ||
65 | # Configure the type of alert (and other) logging you would like. | |
66 | outputs: | |
67 | # a line based alerts log similar to Snort's fast.log | |
68 | - fast: | |
69 | enabled: yes | |
70 | filename: fast.log | |
71 | append: yes | |
72 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
73 | ||
4c6d6c1e SS |
74 | # Stats.log contains data from various counters of the suricata engine. |
75 | - stats: | |
76 | enabled: yes | |
77 | filename: stats.log | |
335114b2 | 78 | append: no # append to file (yes) or overwrite it (no) |
4c6d6c1e SS |
79 | totals: yes # stats for all threads merged together |
80 | threads: no # per thread stats | |
81 | #null-values: yes # print counters that have value 0 | |
82 | ||
4c6d6c1e SS |
83 | logging: |
84 | # The default log level, can be overridden in an output section. | |
85 | # Note that debug level logging will only be emitted if Suricata was | |
86 | # compiled with the --enable-debug configure option. | |
87 | # | |
88 | # This value is overriden by the SC_LOG_LEVEL env var. | |
89 | default-log-level: notice | |
90 | ||
4c6d6c1e SS |
91 | # A regex to filter output. Can be overridden in an output section. |
92 | # Defaults to empty (no filter). | |
93 | # | |
94 | # This value is overriden by the SC_LOG_OP_FILTER env var. | |
95 | default-output-filter: | |
96 | ||
97 | # Define your logging outputs. If none are defined, or they are all | |
98 | # disabled you will get the default - console output. | |
99 | outputs: | |
100 | - console: | |
335114b2 | 101 | enabled: no |
4c6d6c1e SS |
102 | # type: json |
103 | - file: | |
335114b2 | 104 | enabled: no |
4c6d6c1e SS |
105 | level: info |
106 | filename: /var/log/suricata/suricata.log | |
107 | # type: json | |
108 | - syslog: | |
335114b2 | 109 | enabled: yes |
4c6d6c1e SS |
110 | facility: local5 |
111 | format: "[%i] <%d> -- " | |
112 | # type: json | |
113 | ||
4c6d6c1e | 114 | ## |
335114b2 | 115 | ## Netfilter configuration |
4c6d6c1e | 116 | ## |
4c6d6c1e | 117 | |
335114b2 SS |
118 | nfq: |
119 | mode: repeat | |
20b4c4d8 SS |
120 | repeat-mark: 16 |
121 | repeat-mask: 16 | |
f5ad510e SS |
122 | # bypass-mark: 1 |
123 | # bypass-mask: 1 | |
335114b2 SS |
124 | # route-queue: 2 |
125 | # batchcount: 20 | |
126 | fail-open: yes | |
4c6d6c1e SS |
127 | |
128 | ## | |
129 | ## Step 5: App Layer Protocol Configuration | |
130 | ## | |
131 | ||
132 | # Configure the app-layer parsers. The protocols section details each | |
133 | # protocol. | |
134 | # | |
135 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | |
136 | # "yes" enables both detection and the parser, "no" disables both, and | |
137 | # "detection-only" enables protocol detection only (parser disabled). | |
138 | app-layer: | |
139 | protocols: | |
140 | tls: | |
141 | enabled: yes | |
142 | detection-ports: | |
1f3c61b6 | 143 | dp: "[443,444,465,993,995]" |
4c6d6c1e SS |
144 | |
145 | # Completely stop processing TLS/SSL session after the handshake | |
146 | # completed. If bypass is enabled this will also trigger flow | |
147 | # bypass. If disabled (the default), TLS/SSL session is still | |
148 | # tracked for Heartbleed and other anomalies. | |
149 | #no-reassemble: yes | |
150 | dcerpc: | |
151 | enabled: yes | |
152 | ftp: | |
153 | enabled: yes | |
154 | ssh: | |
155 | enabled: yes | |
156 | smtp: | |
157 | enabled: yes | |
158 | # Configure SMTP-MIME Decoder | |
159 | mime: | |
160 | # Decode MIME messages from SMTP transactions | |
161 | # (may be resource intensive) | |
162 | # This field supercedes all others because it turns the entire | |
163 | # process on or off | |
164 | decode-mime: yes | |
165 | ||
166 | # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) | |
167 | decode-base64: yes | |
168 | decode-quoted-printable: yes | |
169 | ||
170 | # Maximum bytes per header data value stored in the data structure | |
171 | # (default is 2000) | |
172 | header-value-depth: 2000 | |
173 | ||
174 | # Extract URLs and save in state data structure | |
175 | extract-urls: yes | |
176 | # Set to yes to compute the md5 of the mail body. You will then | |
177 | # be able to journalize it. | |
178 | body-md5: no | |
179 | # Configure inspected-tracker for file_data keyword | |
180 | inspected-tracker: | |
181 | content-limit: 100000 | |
182 | content-inspect-min-size: 32768 | |
183 | content-inspect-window: 4096 | |
184 | imap: | |
8723bb91 | 185 | enabled: yes |
4c6d6c1e | 186 | msn: |
8723bb91 | 187 | enabled: yes |
4c6d6c1e SS |
188 | smb: |
189 | enabled: yes | |
190 | detection-ports: | |
191 | dp: 139, 445 | |
192 | # smb2 detection is disabled internally inside the engine. | |
193 | #smb2: | |
194 | # enabled: yes | |
4c6d6c1e SS |
195 | dns: |
196 | # memcaps. Globally and per flow/state. | |
cf976e93 MT |
197 | global-memcap: 32mb |
198 | state-memcap: 512kb | |
4c6d6c1e SS |
199 | |
200 | # How many unreplied DNS requests are considered a flood. | |
201 | # If the limit is reached, app-layer-event:dns.flooded; will match. | |
cf976e93 | 202 | request-flood: 512 |
4c6d6c1e SS |
203 | |
204 | tcp: | |
205 | enabled: yes | |
206 | detection-ports: | |
ad99f959 | 207 | dp: "[53,853]" |
4c6d6c1e SS |
208 | udp: |
209 | enabled: yes | |
210 | detection-ports: | |
ad99f959 | 211 | dp: "[53,853]" |
4c6d6c1e SS |
212 | http: |
213 | enabled: yes | |
214 | # memcap: 64mb | |
215 | ||
216 | # default-config: Used when no server-config matches | |
217 | # personality: List of personalities used by default | |
218 | # request-body-limit: Limit reassembly of request body for inspection | |
219 | # by http_client_body & pcre /P option. | |
220 | # response-body-limit: Limit reassembly of response body for inspection | |
221 | # by file_data, http_server_body & pcre /Q option. | |
222 | # double-decode-path: Double decode path section of the URI | |
223 | # double-decode-query: Double decode query section of the URI | |
224 | # response-body-decompress-layer-limit: | |
225 | # Limit to how many layers of compression will be | |
226 | # decompressed. Defaults to 2. | |
227 | # | |
228 | # server-config: List of server configurations to use if address matches | |
229 | # address: List of ip addresses or networks for this block | |
230 | # personalitiy: List of personalities used by this block | |
231 | # request-body-limit: Limit reassembly of request body for inspection | |
232 | # by http_client_body & pcre /P option. | |
233 | # response-body-limit: Limit reassembly of response body for inspection | |
234 | # by file_data, http_server_body & pcre /Q option. | |
235 | # double-decode-path: Double decode path section of the URI | |
236 | # double-decode-query: Double decode query section of the URI | |
237 | # | |
238 | # uri-include-all: Include all parts of the URI. By default the | |
239 | # 'scheme', username/password, hostname and port | |
240 | # are excluded. Setting this option to true adds | |
241 | # all of them to the normalized uri as inspected | |
242 | # by http_uri, urilen, pcre with /U and the other | |
243 | # keywords that inspect the normalized uri. | |
244 | # Note that this does not affect http_raw_uri. | |
245 | # Also, note that including all was the default in | |
246 | # 1.4 and 2.0beta1. | |
247 | # | |
248 | # meta-field-limit: Hard size limit for request and response size | |
249 | # limits. Applies to request line and headers, | |
250 | # response line and headers. Does not apply to | |
251 | # request or response bodies. Default is 18k. | |
252 | # If this limit is reached an event is raised. | |
253 | # | |
254 | # Currently Available Personalities: | |
255 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, | |
256 | # IIS_7_0, IIS_7_5, Apache_2 | |
257 | libhtp: | |
258 | default-config: | |
259 | personality: IDS | |
260 | ||
261 | # Can be specified in kb, mb, gb. Just a number indicates | |
262 | # it's in bytes. | |
263 | request-body-limit: 100kb | |
264 | response-body-limit: 100kb | |
265 | ||
266 | # inspection limits | |
267 | request-body-minimal-inspect-size: 32kb | |
268 | request-body-inspect-window: 4kb | |
269 | response-body-minimal-inspect-size: 40kb | |
270 | response-body-inspect-window: 16kb | |
271 | ||
272 | # response body decompression (0 disables) | |
273 | response-body-decompress-layer-limit: 2 | |
274 | ||
275 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically | |
276 | http-body-inline: auto | |
277 | ||
278 | # Take a random value for inspection sizes around the specified value. | |
279 | # This lower the risk of some evasion technics but could lead | |
280 | # detection change between runs. It is set to 'yes' by default. | |
281 | #randomize-inspection-sizes: yes | |
282 | # If randomize-inspection-sizes is active, the value of various | |
283 | # inspection size will be choosen in the [1 - range%, 1 + range%] | |
284 | # range | |
285 | # Default value of randomize-inspection-range is 10. | |
286 | #randomize-inspection-range: 10 | |
287 | ||
288 | # decoding | |
289 | double-decode-path: no | |
290 | double-decode-query: no | |
291 | ||
292 | server-config: | |
293 | ||
294 | #- apache: | |
295 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] | |
296 | # personality: Apache_2 | |
297 | # # Can be specified in kb, mb, gb. Just a number indicates | |
298 | # # it's in bytes. | |
299 | # request-body-limit: 4096 | |
300 | # response-body-limit: 4096 | |
301 | # double-decode-path: no | |
302 | # double-decode-query: no | |
303 | ||
304 | #- iis7: | |
305 | # address: | |
306 | # - 192.168.0.0/24 | |
307 | # - 192.168.10.0/24 | |
308 | # personality: IIS_7_0 | |
309 | # # Can be specified in kb, mb, gb. Just a number indicates | |
310 | # # it's in bytes. | |
311 | # request-body-limit: 4096 | |
312 | # response-body-limit: 4096 | |
313 | # double-decode-path: no | |
314 | # double-decode-query: no | |
315 | ||
316 | # Note: Modbus probe parser is minimalist due to the poor significant field | |
317 | # Only Modbus message length (greater than Modbus header length) | |
318 | # And Protocol ID (equal to 0) are checked in probing parser | |
319 | # It is important to enable detection port and define Modbus port | |
320 | # to avoid false positive | |
321 | modbus: | |
322 | # How many unreplied Modbus requests are considered a flood. | |
323 | # If the limit is reached, app-layer-event:modbus.flooded; will match. | |
324 | #request-flood: 500 | |
325 | ||
326 | enabled: no | |
327 | detection-ports: | |
328 | dp: 502 | |
329 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it | |
330 | # is recommended to keep the TCP connection opened with a remote device | |
331 | # and not to open and close it for each MODBUS/TCP transaction. In that | |
332 | # case, it is important to set the depth of the stream reassembling as | |
333 | # unlimited (stream.reassembly.depth: 0) | |
334 | ||
335 | # Stream reassembly size for modbus. By default track it completely. | |
336 | stream-depth: 0 | |
337 | ||
338 | # DNP3 | |
339 | dnp3: | |
340 | enabled: no | |
341 | detection-ports: | |
342 | dp: 20000 | |
343 | ||
344 | # SCADA EtherNet/IP and CIP protocol support | |
345 | enip: | |
346 | enabled: no | |
347 | detection-ports: | |
348 | dp: 44818 | |
349 | sp: 44818 | |
350 | ||
4c6d6c1e SS |
351 | # Limit for the maximum number of asn1 frames to decode (default 256) |
352 | asn1-max-frames: 256 | |
353 | ||
354 | ||
355 | ############################################################################## | |
356 | ## | |
357 | ## Advanced settings below | |
358 | ## | |
359 | ############################################################################## | |
360 | ||
4c6d6c1e SS |
361 | # Suricata core dump configuration. Limits the size of the core dump file to |
362 | # approximately max-dump. The actual core dump size will be a multiple of the | |
363 | # page size. Core dumps that would be larger than max-dump are truncated. On | |
364 | # Linux, the actual core dump size may be a few pages larger than max-dump. | |
365 | # Setting max-dump to 0 disables core dumping. | |
366 | # Setting max-dump to 'unlimited' will give the full core dump file. | |
367 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | |
368 | # to be 'unlimited'. | |
369 | ||
370 | coredump: | |
371 | max-dump: unlimited | |
372 | ||
373 | # If suricata box is a router for the sniffed networks, set it to 'router'. If | |
374 | # it is a pure sniffing setup, set it to 'sniffer-only'. | |
375 | # If set to auto, the variable is internally switch to 'router' in IPS mode | |
376 | # and 'sniffer-only' in IDS mode. | |
377 | # This feature is currently only used by the reject* keywords. | |
378 | host-mode: auto | |
379 | ||
380 | # Number of packets preallocated per thread. The default is 1024. A higher number | |
381 | # will make sure each CPU will be more easily kept busy, but may negatively | |
382 | # impact caching. | |
16446608 | 383 | max-pending-packets: 1024 |
4c6d6c1e SS |
384 | |
385 | # Runmode the engine should use. Please check --list-runmodes to get the available | |
386 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned | |
387 | # load balancing). | |
388 | #runmode: autofp | |
389 | ||
390 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. | |
391 | # | |
392 | # Supported schedulers are: | |
393 | # | |
394 | # round-robin - Flows assigned to threads in a round robin fashion. | |
395 | # active-packets - Flows assigned to threads that have the lowest number of | |
396 | # unprocessed packets (default). | |
397 | # hash - Flow alloted usihng the address hash. More of a random | |
398 | # technique. Was the default in Suricata 1.2.1 and older. | |
399 | # | |
400 | #autofp-scheduler: active-packets | |
401 | ||
402 | # Preallocated size for packet. Default is 1514 which is the classical | |
403 | # size for pcap on ethernet. You should adjust this value to the highest | |
404 | # packet size (MTU + hardware header) on your system. | |
9f726f8f | 405 | default-packet-size: 1514 |
4c6d6c1e SS |
406 | |
407 | # Unix command socket can be used to pass commands to suricata. | |
408 | # An external tool can then connect to get information from suricata | |
409 | # or trigger some modifications of the engine. Set enabled to yes | |
410 | # to activate the feature. In auto mode, the feature will only be | |
411 | # activated in live capture mode. You can use the filename variable to set | |
412 | # the file name of the socket. | |
413 | unix-command: | |
335114b2 | 414 | enabled: no |
4c6d6c1e SS |
415 | #filename: custom.socket |
416 | ||
417 | # Magic file. The extension .mgc is added to the value here. | |
418 | #magic-file: /usr/share/file/magic | |
419 | #magic-file: | |
420 | ||
421 | legacy: | |
422 | uricontent: enabled | |
423 | ||
424 | ## | |
425 | ## Detection settings | |
426 | ## | |
427 | ||
428 | # Set the order of alerts bassed on actions | |
429 | # The default order is pass, drop, reject, alert | |
430 | # action-order: | |
431 | # - pass | |
432 | # - drop | |
433 | # - reject | |
434 | # - alert | |
435 | ||
4c6d6c1e SS |
436 | # When run with the option --engine-analysis, the engine will read each of |
437 | # the parameters below, and print reports for each of the enabled sections | |
438 | # and exit. The reports are printed to a file in the default log dir | |
439 | # given by the parameter "default-log-dir", with engine reporting | |
440 | # subsection below printing reports in its own report file. | |
441 | engine-analysis: | |
442 | # enables printing reports for fast-pattern for every rule. | |
443 | rules-fast-pattern: yes | |
444 | # enables printing reports for each rule | |
445 | rules: yes | |
446 | ||
447 | #recursion and match limits for PCRE where supported | |
448 | pcre: | |
449 | match-limit: 3500 | |
450 | match-limit-recursion: 1500 | |
451 | ||
452 | ## | |
453 | ## Advanced Traffic Tracking and Reconstruction Settings | |
454 | ## | |
455 | ||
456 | # Host specific policies for defragmentation and TCP stream | |
457 | # reassembly. The host OS lookup is done using a radix tree, just | |
458 | # like a routing table so the most specific entry matches. | |
459 | host-os-policy: | |
460 | # Make the default policy windows. | |
461 | windows: [0.0.0.0/0] | |
462 | bsd: [] | |
463 | bsd-right: [] | |
464 | old-linux: [] | |
465 | linux: [] | |
466 | old-solaris: [] | |
467 | solaris: [] | |
468 | hpux10: [] | |
469 | hpux11: [] | |
470 | irix: [] | |
471 | macos: [] | |
472 | vista: [] | |
473 | windows2k3: [] | |
474 | ||
475 | # Defrag settings: | |
476 | ||
477 | defrag: | |
478 | memcap: 32mb | |
479 | hash-size: 65536 | |
480 | trackers: 65535 # number of defragmented flows to follow | |
481 | max-frags: 65535 # number of fragments to keep (higher than trackers) | |
482 | prealloc: yes | |
483 | timeout: 60 | |
484 | ||
485 | # Enable defrag per host settings | |
486 | # host-config: | |
487 | # | |
488 | # - dmz: | |
489 | # timeout: 30 | |
490 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] | |
491 | # | |
492 | # - lan: | |
493 | # timeout: 45 | |
494 | # address: | |
495 | # - 192.168.0.0/24 | |
496 | # - 192.168.10.0/24 | |
497 | # - 172.16.14.0/24 | |
498 | ||
499 | # Flow settings: | |
500 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | |
501 | # for flow allocation inside the engine. You can change this value to allow | |
502 | # more memory usage for flows. | |
503 | # The hash-size determine the size of the hash used to identify flows inside | |
504 | # the engine, and by default the value is 65536. | |
505 | # At the startup, the engine can preallocate a number of flows, to get a better | |
506 | # performance. The number of flows preallocated is 10000 by default. | |
507 | # emergency-recovery is the percentage of flows that the engine need to | |
508 | # prune before unsetting the emergency state. The emergency state is activated | |
509 | # when the memcap limit is reached, allowing to create new flows, but | |
510 | # prunning them with the emergency timeouts (they are defined below). | |
511 | # If the memcap is reached, the engine will try to prune flows | |
512 | # with the default timeouts. If it doens't find a flow to prune, it will set | |
513 | # the emergency bit and it will try again with more agressive timeouts. | |
514 | # If that doesn't work, then it will try to kill the last time seen flows | |
515 | # not in use. | |
516 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's | |
517 | # in bytes. | |
518 | ||
519 | flow: | |
520 | memcap: 128mb | |
521 | hash-size: 65536 | |
522 | prealloc: 10000 | |
523 | emergency-recovery: 30 | |
524 | #managers: 1 # default to one flow manager | |
525 | #recyclers: 1 # default to one flow recycler thread | |
526 | ||
527 | # This option controls the use of vlan ids in the flow (and defrag) | |
528 | # hashing. Normally this should be enabled, but in some (broken) | |
529 | # setups where both sides of a flow are not tagged with the same vlan | |
530 | # tag, we can ignore the vlan id's in the flow hashing. | |
531 | vlan: | |
532 | use-for-tracking: true | |
533 | ||
534 | # Specific timeouts for flows. Here you can specify the timeouts that the | |
535 | # active flows will wait to transit from the current state to another, on each | |
536 | # protocol. The value of "new" determine the seconds to wait after a hanshake or | |
537 | # stream startup before the engine free the data of that flow it doesn't | |
538 | # change the state to established (usually if we don't receive more packets | |
539 | # of that flow). The value of "established" is the amount of | |
540 | # seconds that the engine will wait to free the flow if it spend that amount | |
541 | # without receiving new packets or closing the connection. "closed" is the | |
542 | # amount of time to wait after a flow is closed (usually zero). "bypassed" | |
543 | # timeout controls locally bypassed flows. For these flows we don't do any other | |
544 | # tracking. If no packets have been seen after this timeout, the flow is discarded. | |
545 | # | |
546 | # There's an emergency mode that will become active under attack circumstances, | |
547 | # making the engine to check flow status faster. This configuration variables | |
548 | # use the prefix "emergency-" and work similar as the normal ones. | |
549 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and | |
550 | # icmp. | |
551 | ||
552 | flow-timeouts: | |
553 | ||
554 | default: | |
555 | new: 30 | |
556 | established: 300 | |
557 | closed: 0 | |
558 | bypassed: 100 | |
559 | emergency-new: 10 | |
560 | emergency-established: 100 | |
561 | emergency-closed: 0 | |
562 | emergency-bypassed: 50 | |
563 | tcp: | |
564 | new: 60 | |
565 | established: 600 | |
566 | closed: 60 | |
567 | bypassed: 100 | |
568 | emergency-new: 5 | |
569 | emergency-established: 100 | |
570 | emergency-closed: 10 | |
571 | emergency-bypassed: 50 | |
572 | udp: | |
573 | new: 30 | |
574 | established: 300 | |
575 | bypassed: 100 | |
576 | emergency-new: 10 | |
577 | emergency-established: 100 | |
578 | emergency-bypassed: 50 | |
579 | icmp: | |
580 | new: 30 | |
581 | established: 300 | |
582 | bypassed: 100 | |
583 | emergency-new: 10 | |
584 | emergency-established: 100 | |
585 | emergency-bypassed: 50 | |
586 | ||
587 | # Stream engine settings. Here the TCP stream tracking and reassembly | |
588 | # engine is configured. | |
589 | # | |
590 | # stream: | |
591 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a | |
592 | # # number indicates it's in bytes. | |
593 | # checksum-validation: yes # To validate the checksum of received | |
594 | # # packet. If csum validation is specified as | |
595 | # # "yes", then packet with invalid csum will not | |
596 | # # be processed by the engine stream/app layer. | |
597 | # # Warning: locally generated trafic can be | |
598 | # # generated without checksum due to hardware offload | |
599 | # # of checksum. You can control the handling of checksum | |
600 | # # on a per-interface basis via the 'checksum-checks' | |
601 | # # option | |
602 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread | |
603 | # midstream: false # don't allow midstream session pickups | |
604 | # async-oneside: false # don't enable async stream handling | |
605 | # inline: no # stream inline mode | |
606 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine | |
607 | # max-synack-queued: 5 # Max different SYN/ACKs to queue | |
608 | # bypass: no # Bypass packets when stream.depth is reached | |
609 | # | |
610 | # reassembly: | |
611 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number | |
612 | # # indicates it's in bytes. | |
613 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number | |
614 | # # indicates it's in bytes. | |
615 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least | |
616 | # # this size. Can be specified in kb, mb, | |
617 | # # gb. Just a number indicates it's in bytes. | |
618 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least | |
619 | # # this size. Can be specified in kb, mb, | |
620 | # # gb. Just a number indicates it's in bytes. | |
621 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. | |
622 | # # This lower the risk of some evasion technics but could lead | |
623 | # # detection change between runs. It is set to 'yes' by default. | |
624 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is | |
625 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size | |
626 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same | |
627 | # # calculation for toclient-chunk-size. | |
628 | # # Default value of randomize-chunk-range is 10. | |
629 | # | |
630 | # raw: yes # 'Raw' reassembly enabled or disabled. | |
631 | # # raw is for content inspection by detection | |
632 | # # engine. | |
633 | # | |
634 | # segment-prealloc: 2048 # number of segments preallocated per thread | |
635 | # | |
636 | # check-overlap-different-data: true|false | |
637 | # # check if a segment contains different data | |
638 | # # than what we've already seen for that | |
639 | # # position in the stream. | |
640 | # # This is enabled automatically if inline mode | |
641 | # # is used or when stream-event:reassembly_overlap_different_data; | |
642 | # # is used in a rule. | |
643 | # | |
644 | stream: | |
645 | memcap: 64mb | |
646 | checksum-validation: yes # reject wrong csums | |
647 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically | |
648 | reassembly: | |
649 | memcap: 256mb | |
650 | depth: 1mb # reassemble 1mb into a stream | |
651 | toserver-chunk-size: 2560 | |
652 | toclient-chunk-size: 2560 | |
653 | randomize-chunk-size: yes | |
654 | #randomize-chunk-range: 10 | |
655 | #raw: yes | |
656 | #segment-prealloc: 2048 | |
657 | #check-overlap-different-data: true | |
658 | ||
659 | # Host table: | |
660 | # | |
661 | # Host table is used by tagging and per host thresholding subsystems. | |
662 | # | |
663 | host: | |
664 | hash-size: 4096 | |
665 | prealloc: 1000 | |
666 | memcap: 32mb | |
667 | ||
668 | # IP Pair table: | |
669 | # | |
670 | # Used by xbits 'ippair' tracking. | |
671 | # | |
672 | #ippair: | |
673 | # hash-size: 4096 | |
674 | # prealloc: 1000 | |
675 | # memcap: 32mb | |
676 | ||
677 | # Decoder settings | |
678 | ||
679 | decoder: | |
680 | # Teredo decoder is known to not be completely accurate | |
681 | # it will sometimes detect non-teredo as teredo. | |
682 | teredo: | |
683 | enabled: true | |
684 | ||
685 | ||
686 | ## | |
687 | ## Performance tuning and profiling | |
688 | ## | |
689 | ||
690 | # The detection engine builds internal groups of signatures. The engine | |
691 | # allow us to specify the profile to use for them, to manage memory on an | |
692 | # efficient way keeping a good performance. For the profile keyword you | |
693 | # can use the words "low", "medium", "high" or "custom". If you use custom | |
694 | # make sure to define the values at "- custom-values" as your convenience. | |
695 | # Usually you would prefer medium/high/low. | |
696 | # | |
697 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | |
698 | # the signature groups. "single" indicates the use of a single context for | |
699 | # all the signature group heads. "full" indicates a mpm-context for each | |
700 | # group head. "auto" lets the engine decide the distribution of contexts | |
701 | # based on the information the engine gathers on the patterns from each | |
702 | # group head. | |
703 | # | |
704 | # The option inspection-recursion-limit is used to limit the recursive calls | |
705 | # in the content inspection code. For certain payload-sig combinations, we | |
706 | # might end up taking too much time in the content inspection code. | |
707 | # If the argument specified is 0, the engine uses an internally defined | |
708 | # default limit. On not specifying a value, we use no limits on the recursion. | |
709 | detect: | |
5196d8dd | 710 | profile: high |
4c6d6c1e SS |
711 | custom-values: |
712 | toclient-groups: 3 | |
713 | toserver-groups: 25 | |
714 | sgh-mpm-context: auto | |
715 | inspection-recursion-limit: 3000 | |
716 | # If set to yes, the loading of signatures will be made after the capture | |
717 | # is started. This will limit the downtime in IPS mode. | |
718 | #delayed-detect: yes | |
719 | ||
720 | prefilter: | |
721 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern | |
722 | # engines. "auto" also sets up prefilter engines for other keywords. | |
723 | # Use --list-keywords=all to see which keywords support prefiltering. | |
724 | default: mpm | |
725 | ||
726 | # the grouping values above control how many groups are created per | |
727 | # direction. Port whitelisting forces that port to get it's own group. | |
728 | # Very common ports will benefit, as well as ports with many expensive | |
729 | # rules. | |
730 | grouping: | |
731 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 | |
732 | #udp-whitelist: 53, 135, 5060 | |
733 | ||
734 | profiling: | |
735 | # Log the rules that made it past the prefilter stage, per packet | |
736 | # default is off. The threshold setting determines how many rules | |
737 | # must have made it past pre-filter for that rule to trigger the | |
738 | # logging. | |
739 | #inspect-logging-threshold: 200 | |
740 | grouping: | |
741 | dump-to-disk: false | |
742 | include-rules: false # very verbose | |
743 | include-mpm-stats: false | |
744 | ||
745 | # Select the multi pattern algorithm you want to run for scan/search the | |
746 | # in the engine. | |
747 | # | |
748 | # The supported algorithms are: | |
749 | # "ac" - Aho-Corasick, default implementation | |
750 | # "ac-bs" - Aho-Corasick, reduced memory implementation | |
751 | # "ac-cuda" - Aho-Corasick, CUDA implementation | |
752 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant | |
753 | # "hs" - Hyperscan, available when built with Hyperscan support | |
754 | # | |
755 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is | |
756 | # available, "ac" otherwise. | |
757 | # | |
758 | # The mpm you choose also decides the distribution of mpm contexts for | |
759 | # signature groups, specified by the conf - "detect.sgh-mpm-context". | |
760 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" | |
761 | # to be set to "single", because of ac's memory requirements, unless the | |
762 | # ruleset is small enough to fit in one's memory, in which case one can | |
763 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. | |
764 | # | |
765 | # There is also a CUDA pattern matcher (only available if Suricata was | |
766 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your | |
767 | # max-pending-packets setting above as well if you use b2g_cuda. | |
768 | ||
769 | mpm-algo: auto | |
770 | ||
771 | # Select the matching algorithm you want to use for single-pattern searches. | |
772 | # | |
773 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only | |
774 | # available if Suricata has been built with Hyperscan support). | |
775 | # | |
776 | # The default of "auto" will use "hs" if available, otherwise "bm". | |
777 | ||
778 | spm-algo: auto | |
779 | ||
780 | # Suricata is multi-threaded. Here the threading can be influenced. | |
781 | threading: | |
782 | set-cpu-affinity: no | |
783 | # Tune cpu affinity of threads. Each family of threads can be bound | |
784 | # on specific CPUs. | |
785 | # | |
786 | # These 2 apply to the all runmodes: | |
787 | # management-cpu-set is used for flow timeout handling, counters | |
788 | # worker-cpu-set is used for 'worker' threads | |
789 | # | |
790 | # Additionally, for autofp these apply: | |
791 | # receive-cpu-set is used for capture threads | |
792 | # verdict-cpu-set is used for IPS verdict threads | |
793 | # | |
794 | cpu-affinity: | |
795 | - management-cpu-set: | |
796 | cpu: [ 0 ] # include only these cpus in affinity settings | |
797 | - receive-cpu-set: | |
798 | cpu: [ 0 ] # include only these cpus in affinity settings | |
799 | - worker-cpu-set: | |
800 | cpu: [ "all" ] | |
801 | mode: "exclusive" | |
802 | # Use explicitely 3 threads and don't compute number by using | |
803 | # detect-thread-ratio variable: | |
804 | # threads: 3 | |
805 | prio: | |
806 | low: [ 0 ] | |
807 | medium: [ "1-2" ] | |
808 | high: [ 3 ] | |
809 | default: "medium" | |
810 | #- verdict-cpu-set: | |
811 | # cpu: [ 0 ] | |
812 | # prio: | |
813 | # default: "high" | |
814 | # | |
815 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | |
816 | # This setting allows controlling this behaviour. A ratio setting of 2 will | |
817 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | |
818 | # will result in 4 detect threads. If values below 1 are used, less threads | |
819 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | |
820 | # thread being created. Regardless of the setting at a minimum 1 detect | |
821 | # thread will always be created. | |
822 | # | |
823 | detect-thread-ratio: 1.0 |