]>
Commit | Line | Data |
---|---|---|
4c6d6c1e SS |
1 | %YAML 1.1 |
2 | --- | |
3 | ||
4c6d6c1e | 4 | ## |
335114b2 SS |
5 | ## IPFire specific configuration file - an untouched example configuration |
6 | ## can be found in suricata-example.yaml. | |
4c6d6c1e SS |
7 | ## |
8 | ||
9 | vars: | |
4c6d6c1e | 10 | address-groups: |
42303055 | 11 | # Include HOME_NET declaration from external file. |
13d077fd | 12 | include: /var/ipfire/suricata/suricata-homenet.yaml |
4c6d6c1e | 13 | |
961a27b5 SS |
14 | # Include DNS_SERVERS declaration from external file. |
15 | include: /var/ipfire/suricata/suricata-dns-servers.yaml | |
16 | ||
50612920 | 17 | EXTERNAL_NET: "any" |
4c6d6c1e SS |
18 | |
19 | HTTP_SERVERS: "$HOME_NET" | |
20 | SMTP_SERVERS: "$HOME_NET" | |
21 | SQL_SERVERS: "$HOME_NET" | |
4c6d6c1e SS |
22 | TELNET_SERVERS: "$HOME_NET" |
23 | AIM_SERVERS: "$EXTERNAL_NET" | |
2bec60c3 | 24 | DC_SERVERS: "$HOME_NET" |
4c6d6c1e SS |
25 | DNP3_SERVER: "$HOME_NET" |
26 | DNP3_CLIENT: "$HOME_NET" | |
27 | MODBUS_CLIENT: "$HOME_NET" | |
28 | MODBUS_SERVER: "$HOME_NET" | |
29 | ENIP_CLIENT: "$HOME_NET" | |
30 | ENIP_SERVER: "$HOME_NET" | |
31 | ||
32 | port-groups: | |
e698090e SS |
33 | # Incluse HTTP_PORTS declaration from external file. |
34 | include: /var/ipfire/suricata/suricata-http-ports.yaml | |
35 | ||
4c6d6c1e SS |
36 | SHELLCODE_PORTS: "!80" |
37 | ORACLE_PORTS: 1521 | |
067e1847 | 38 | SSH_PORTS: "[22,222]" |
4c6d6c1e SS |
39 | DNP3_PORTS: 20000 |
40 | MODBUS_PORTS: 502 | |
41 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" | |
42 | FTP_PORTS: 21 | |
43 | ||
4c6d6c1e | 44 | ## |
335114b2 | 45 | ## Ruleset specific options. |
4c6d6c1e | 46 | ## |
21cab141 | 47 | default-rule-path: /var/lib/suricata |
cc60d3df | 48 | rule-files: |
30f41169 MT |
49 | # Default rules |
50 | - /usr/share/suricata/rules/app-layer-events.rules | |
51 | - /usr/share/suricata/rules/decoder-events.rules | |
52 | - /usr/share/suricata/rules/dhcp-events.rules | |
53 | - /usr/share/suricata/rules/dnp3-events.rules | |
54 | - /usr/share/suricata/rules/dns-events.rules | |
55 | - /usr/share/suricata/rules/files.rules | |
56 | - /usr/share/suricata/rules/http2-events.rules | |
57 | - /usr/share/suricata/rules/http-events.rules | |
58 | - /usr/share/suricata/rules/ipsec-events.rules | |
59 | - /usr/share/suricata/rules/kerberos-events.rules | |
60 | - /usr/share/suricata/rules/modbus-events.rules | |
61 | - /usr/share/suricata/rules/mqtt-events.rules | |
62 | - /usr/share/suricata/rules/nfs-events.rules | |
63 | - /usr/share/suricata/rules/ntp-events.rules | |
64 | - /usr/share/suricata/rules/smb-events.rules | |
65 | - /usr/share/suricata/rules/smtp-events.rules | |
66 | - /usr/share/suricata/rules/stream-events.rules | |
67 | - /usr/share/suricata/rules/tls-events.rules | |
68 | ||
69 | # Include enabled ruleset files from external file | |
70 | - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml | |
4c6d6c1e | 71 | |
21cab141 SS |
72 | classification-file: /var/lib/suricata/classification.config |
73 | reference-config-file: /var/lib/suricata/reference.config | |
fd72c85e | 74 | threshold-file: /var/lib/suricata/threshold.config |
4c6d6c1e SS |
75 | |
76 | ||
77 | ## | |
335114b2 | 78 | ## Logging options. |
4c6d6c1e | 79 | ## |
4c6d6c1e SS |
80 | default-log-dir: /var/log/suricata/ |
81 | ||
82 | # global stats configuration | |
83 | stats: | |
84 | enabled: yes | |
85 | # The interval field (in seconds) controls at what interval | |
86 | # the loggers are invoked. | |
87 | interval: 8 | |
88 | ||
2bec60c3 SS |
89 | # Add decode events as stats. |
90 | #decoder-events: true | |
91 | # Decoder event prefix in stats. Has been 'decoder' before, but that leads | |
92 | # to missing events in the eve.stats records. See issue #2225. | |
93 | decoder-events-prefix: "decoder.event" | |
94 | # Add stream events as stats. | |
95 | #stream-events: false | |
96 | ||
4c6d6c1e SS |
97 | # Configure the type of alert (and other) logging you would like. |
98 | outputs: | |
99 | # a line based alerts log similar to Snort's fast.log | |
100 | - fast: | |
101 | enabled: yes | |
102 | filename: fast.log | |
103 | append: yes | |
104 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
105 | ||
4c6d6c1e SS |
106 | # Stats.log contains data from various counters of the suricata engine. |
107 | - stats: | |
6e7c8a33 | 108 | enabled: no |
4c6d6c1e | 109 | filename: stats.log |
335114b2 | 110 | append: no # append to file (yes) or overwrite it (no) |
4c6d6c1e SS |
111 | totals: yes # stats for all threads merged together |
112 | threads: no # per thread stats | |
113 | #null-values: yes # print counters that have value 0 | |
114 | ||
6084e66e SS |
115 | # Extensible Event Format (nicknamed EVE) event log in JSON format |
116 | - eve-log: | |
117 | enabled: no | |
118 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | |
119 | filename: eve.json | |
120 | #prefix: "@cee: " # prefix to prepend to each log entry | |
121 | # the following are valid when type: syslog above | |
122 | #identity: "suricata" | |
123 | #facility: local5 | |
124 | #level: Info ## possible levels: Emergency, Alert, Critical, | |
125 | ## Error, Warning, Notice, Info, Debug | |
126 | #redis: | |
127 | # server: 127.0.0.1 | |
128 | # port: 6379 | |
129 | # async: true ## if redis replies are read asynchronously | |
130 | # mode: list ## possible values: list|lpush (default), rpush, channel|publish | |
131 | # ## lpush and rpush are using a Redis list. "list" is an alias for lpush | |
132 | # ## publish is using a Redis channel. "channel" is an alias for publish | |
133 | # key: suricata ## key or channel to use (default to suricata) | |
134 | # Redis pipelining set up. This will enable to only do a query every | |
135 | # 'batch-size' events. This should lower the latency induced by network | |
136 | # connection at the cost of some memory. There is no flushing implemented | |
137 | # so this setting as to be reserved to high traffic suricata. | |
138 | # pipelining: | |
139 | # enabled: yes ## set enable to yes to enable query pipelining | |
140 | # batch-size: 10 ## number of entry to keep in buffer | |
141 | ||
142 | # Include top level metadata. Default yes. | |
143 | #metadata: no | |
144 | ||
145 | # include the name of the input pcap file in pcap file processing mode | |
146 | pcap-file: false | |
147 | ||
148 | # Community Flow ID | |
149 | # Adds a 'community_id' field to EVE records. These are meant to give | |
150 | # a records a predictable flow id that can be used to match records to | |
151 | # output of other tools such as Bro. | |
152 | # | |
153 | # Takes a 'seed' that needs to be same across sensors and tools | |
154 | # to make the id less predictable. | |
155 | ||
156 | # enable/disable the community id feature. | |
157 | community-id: false | |
158 | # Seed value for the ID output. Valid values are 0-65535. | |
159 | community-id-seed: 0 | |
160 | ||
161 | # HTTP X-Forwarded-For support by adding an extra field or overwriting | |
162 | # the source or destination IP address (depending on flow direction) | |
163 | # with the one reported in the X-Forwarded-For HTTP header. This is | |
164 | # helpful when reviewing alerts for traffic that is being reverse | |
165 | # or forward proxied. | |
166 | xff: | |
167 | enabled: no | |
168 | # Two operation modes are available, "extra-data" and "overwrite". | |
169 | mode: extra-data | |
170 | # Two proxy deployments are supported, "reverse" and "forward". In | |
171 | # a "reverse" deployment the IP address used is the last one, in a | |
172 | # "forward" deployment the first IP address is used. | |
173 | deployment: reverse | |
174 | # Header name where the actual IP address will be reported, if more | |
175 | # than one IP address is present, the last IP address will be the | |
176 | # one taken into consideration. | |
177 | header: X-Forwarded-For | |
178 | ||
179 | types: | |
180 | - alert: | |
181 | # payload: yes # enable dumping payload in Base64 | |
182 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log | |
183 | # payload-printable: yes # enable dumping payload in printable (lossy) format | |
184 | # packet: yes # enable dumping of packet (without stream segments) | |
185 | # metadata: no # enable inclusion of app layer metadata with alert. Default yes | |
186 | # http-body: yes # Requires metadata; enable dumping of http body in Base64 | |
187 | # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format | |
188 | ||
189 | # Enable the logging of tagged packets for rules using the | |
190 | # "tag" keyword. | |
191 | tagged-packets: yes | |
192 | - anomaly: | |
193 | # Anomaly log records describe unexpected conditions such | |
194 | # as truncated packets, packets with invalid IP/UDP/TCP | |
195 | # length values, and other events that render the packet | |
196 | # invalid for further processing or describe unexpected | |
197 | # behavior on an established stream. Networks which | |
198 | # experience high occurrences of anomalies may experience | |
199 | # packet processing degradation. | |
200 | # | |
201 | # Anomalies are reported for the following: | |
202 | # 1. Decode: Values and conditions that are detected while | |
203 | # decoding individual packets. This includes invalid or | |
204 | # unexpected values for low-level protocol lengths as well | |
205 | # as stream related events (TCP 3-way handshake issues, | |
206 | # unexpected sequence number, etc). | |
207 | # 2. Stream: This includes stream related events (TCP | |
208 | # 3-way handshake issues, unexpected sequence number, | |
209 | # etc). | |
210 | # 3. Application layer: These denote application layer | |
211 | # specific conditions that are unexpected, invalid or are | |
212 | # unexpected given the application monitoring state. | |
213 | # | |
214 | # By default, anomaly logging is disabled. When anomaly | |
215 | # logging is enabled, applayer anomaly reporting is | |
216 | # enabled. | |
217 | enabled: yes | |
218 | # | |
219 | # Choose one or more types of anomaly logging and whether to enable | |
220 | # logging of the packet header for packet anomalies. | |
221 | types: | |
222 | # decode: no | |
223 | # stream: no | |
224 | # applayer: yes | |
225 | #packethdr: no | |
226 | - http: | |
227 | extended: yes # enable this for extended logging information | |
228 | # custom allows additional http fields to be included in eve-log | |
229 | # the example below adds three additional fields when uncommented | |
230 | #custom: [Accept-Encoding, Accept-Language, Authorization] | |
231 | # set this value to one and only one among {both, request, response} | |
232 | # to dump all http headers for every http request and/or response | |
233 | # dump-all-headers: none | |
234 | - dns: | |
235 | # This configuration uses the new DNS logging format, | |
236 | # the old configuration is still available: | |
237 | # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format | |
238 | ||
239 | # As of Suricata 5.0, version 2 of the eve dns output | |
240 | # format is the default. | |
241 | #version: 2 | |
242 | ||
243 | # Enable/disable this logger. Default: enabled. | |
244 | #enabled: yes | |
245 | ||
246 | # Control logging of requests and responses: | |
247 | # - requests: enable logging of DNS queries | |
248 | # - responses: enable logging of DNS answers | |
249 | # By default both requests and responses are logged. | |
250 | #requests: no | |
251 | #responses: no | |
252 | ||
253 | # Format of answer logging: | |
254 | # - detailed: array item per answer | |
255 | # - grouped: answers aggregated by type | |
256 | # Default: all | |
257 | #formats: [detailed, grouped] | |
258 | ||
259 | # Types to log, based on the query type. | |
260 | # Default: all. | |
261 | #types: [a, aaaa, cname, mx, ns, ptr, txt] | |
262 | - tls: | |
263 | extended: yes # enable this for extended logging information | |
264 | # output TLS transaction where the session is resumed using a | |
265 | # session id | |
266 | #session-resumption: no | |
267 | # custom allows to control which tls fields that are included | |
268 | # in eve-log | |
269 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] | |
270 | - files: | |
271 | force-magic: no # force logging magic on all logged files | |
272 | # force logging of checksums, available hash functions are md5, | |
273 | # sha1 and sha256 | |
274 | #force-hash: [md5] | |
275 | #- drop: | |
276 | # alerts: yes # log alerts that caused drops | |
277 | # flows: all # start or all: 'start' logs only a single drop | |
278 | # # per flow direction. All logs each dropped pkt. | |
279 | - smtp: | |
280 | #extended: yes # enable this for extended logging information | |
281 | # this includes: bcc, message-id, subject, x_mailer, user-agent | |
282 | # custom fields logging from the list: | |
283 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, | |
284 | # x-originating-ip, in-reply-to, references, importance, priority, | |
285 | # sensitivity, organization, content-md5, date | |
286 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] | |
287 | # output md5 of fields: body, subject | |
288 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 | |
289 | # to yes | |
290 | #md5: [body, subject] | |
291 | ||
292 | #- dnp3 | |
293 | - ftp | |
0cdb1518 | 294 | - rdp |
6084e66e SS |
295 | - nfs |
296 | - smb | |
297 | - tftp | |
298 | - ikev2 | |
0cdb1518 | 299 | - dcerpc |
6084e66e SS |
300 | - krb5 |
301 | - snmp | |
0cdb1518 SS |
302 | - rfb |
303 | - sip | |
6084e66e SS |
304 | - dhcp: |
305 | enabled: yes | |
306 | # When extended mode is on, all DHCP messages are logged | |
307 | # with full detail. When extended mode is off (the | |
308 | # default), just enough information to map a MAC address | |
309 | # to an IP address is logged. | |
310 | extended: no | |
311 | - ssh | |
0cdb1518 SS |
312 | - mqtt: |
313 | # passwords: yes # enable output of passwords | |
314 | # HTTP2 logging. HTTP2 support is currently experimental and | |
315 | # disabled by default. To enable, uncomment the following line | |
316 | # and be sure to enable http2 in the app-layer section. | |
317 | #- http2 | |
6084e66e SS |
318 | - stats: |
319 | totals: yes # stats for all threads merged together | |
320 | threads: no # per thread stats | |
321 | deltas: no # include delta values | |
322 | # bi-directional flows | |
323 | - flow | |
324 | # uni-directional flows | |
325 | #- netflow | |
326 | ||
327 | # Metadata event type. Triggered whenever a pktvar is saved | |
328 | # and will include the pktvars, flowvars, flowbits and | |
329 | # flowints. | |
330 | #- metadata | |
331 | ||
4c6d6c1e SS |
332 | logging: |
333 | # The default log level, can be overridden in an output section. | |
334 | # Note that debug level logging will only be emitted if Suricata was | |
335 | # compiled with the --enable-debug configure option. | |
336 | # | |
337 | # This value is overriden by the SC_LOG_LEVEL env var. | |
338 | default-log-level: notice | |
339 | ||
4c6d6c1e SS |
340 | # A regex to filter output. Can be overridden in an output section. |
341 | # Defaults to empty (no filter). | |
342 | # | |
343 | # This value is overriden by the SC_LOG_OP_FILTER env var. | |
344 | default-output-filter: | |
345 | ||
346 | # Define your logging outputs. If none are defined, or they are all | |
347 | # disabled you will get the default - console output. | |
348 | outputs: | |
349 | - console: | |
335114b2 | 350 | enabled: no |
4c6d6c1e SS |
351 | # type: json |
352 | - file: | |
335114b2 | 353 | enabled: no |
4c6d6c1e SS |
354 | level: info |
355 | filename: /var/log/suricata/suricata.log | |
356 | # type: json | |
357 | - syslog: | |
335114b2 | 358 | enabled: yes |
4c6d6c1e | 359 | facility: local5 |
ab1444b4 | 360 | format: "" |
4c6d6c1e SS |
361 | # type: json |
362 | ||
4c6d6c1e | 363 | ## |
335114b2 | 364 | ## Netfilter configuration |
4c6d6c1e | 365 | ## |
4c6d6c1e | 366 | |
335114b2 SS |
367 | nfq: |
368 | mode: repeat | |
761fadbd MT |
369 | repeat-mark: 2147483648 |
370 | repeat-mask: 2147483648 | |
11f7218f MT |
371 | bypass-mark: 1073741824 |
372 | bypass-mask: 1073741824 | |
335114b2 SS |
373 | # route-queue: 2 |
374 | # batchcount: 20 | |
375 | fail-open: yes | |
4c6d6c1e SS |
376 | |
377 | ## | |
378 | ## Step 5: App Layer Protocol Configuration | |
379 | ## | |
380 | ||
381 | # Configure the app-layer parsers. The protocols section details each | |
382 | # protocol. | |
383 | # | |
384 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | |
385 | # "yes" enables both detection and the parser, "no" disables both, and | |
386 | # "detection-only" enables protocol detection only (parser disabled). | |
387 | app-layer: | |
388 | protocols: | |
0cdb1518 SS |
389 | rfb: |
390 | enabled: yes | |
391 | detection-ports: | |
392 | dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 | |
393 | # MQTT, disabled by default. | |
394 | mqtt: | |
395 | # enabled: no | |
396 | # max-msg-length: 1mb | |
2bec60c3 | 397 | krb5: |
d6cc8710 SS |
398 | enabled: yes |
399 | snmp: | |
400 | enabled: yes | |
2bec60c3 SS |
401 | ikev2: |
402 | enabled: yes | |
4c6d6c1e SS |
403 | tls: |
404 | enabled: yes | |
405 | detection-ports: | |
96495c9a | 406 | dp: "[443,444,465,853,993,995]" |
4c6d6c1e | 407 | |
d6cc8710 SS |
408 | # Generate JA3 fingerprint from client hello. If not specified it |
409 | # will be disabled by default, but enabled if rules require it. | |
0937bd9c | 410 | ja3-fingerprints: auto |
d6cc8710 | 411 | |
9deccd1c MT |
412 | # What to do when the encrypted communications start: |
413 | # - default: keep tracking TLS session, check for protocol anomalies, | |
414 | # inspect tls_* keywords. Disables inspection of unmodified | |
415 | # 'content' signatures. | |
416 | # - bypass: stop processing this flow as much as possible. No further | |
417 | # TLS parsing and inspection. Offload flow bypass to kernel | |
418 | # or hardware if possible. | |
419 | # - full: keep tracking and inspection as normal. Unmodified content | |
420 | # keyword signatures are inspected as well. | |
421 | # | |
422 | # For best performance, select 'bypass'. | |
423 | # | |
424 | encryption-handling: bypass | |
4c6d6c1e SS |
425 | dcerpc: |
426 | enabled: yes | |
427 | ftp: | |
428 | enabled: yes | |
d6cc8710 | 429 | rdp: |
2acc41c0 | 430 | enabled: yes |
4c6d6c1e SS |
431 | ssh: |
432 | enabled: yes | |
0cdb1518 SS |
433 | #hassh: yes |
434 | # HTTP2: Experimental HTTP 2 support. Disabled by default. | |
435 | http2: | |
436 | enabled: no | |
4c6d6c1e SS |
437 | smtp: |
438 | enabled: yes | |
439 | # Configure SMTP-MIME Decoder | |
440 | mime: | |
441 | # Decode MIME messages from SMTP transactions | |
442 | # (may be resource intensive) | |
443 | # This field supercedes all others because it turns the entire | |
444 | # process on or off | |
445 | decode-mime: yes | |
446 | ||
447 | # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) | |
448 | decode-base64: yes | |
449 | decode-quoted-printable: yes | |
450 | ||
451 | # Maximum bytes per header data value stored in the data structure | |
452 | # (default is 2000) | |
453 | header-value-depth: 2000 | |
454 | ||
455 | # Extract URLs and save in state data structure | |
456 | extract-urls: yes | |
457 | # Set to yes to compute the md5 of the mail body. You will then | |
458 | # be able to journalize it. | |
459 | body-md5: no | |
460 | # Configure inspected-tracker for file_data keyword | |
461 | inspected-tracker: | |
462 | content-limit: 100000 | |
463 | content-inspect-min-size: 32768 | |
464 | content-inspect-window: 4096 | |
465 | imap: | |
8723bb91 | 466 | enabled: yes |
4c6d6c1e | 467 | msn: |
8723bb91 | 468 | enabled: yes |
4c6d6c1e SS |
469 | smb: |
470 | enabled: yes | |
471 | detection-ports: | |
472 | dp: 139, 445 | |
d6cc8710 SS |
473 | nfs: |
474 | enabled: yes | |
475 | tftp: | |
476 | enabled: yes | |
4c6d6c1e SS |
477 | dns: |
478 | # memcaps. Globally and per flow/state. | |
cf976e93 MT |
479 | global-memcap: 32mb |
480 | state-memcap: 512kb | |
4c6d6c1e SS |
481 | |
482 | # How many unreplied DNS requests are considered a flood. | |
483 | # If the limit is reached, app-layer-event:dns.flooded; will match. | |
551bc489 | 484 | #request-flood: 512 |
4c6d6c1e SS |
485 | |
486 | tcp: | |
487 | enabled: yes | |
488 | detection-ports: | |
96495c9a | 489 | dp: 53 |
4c6d6c1e SS |
490 | udp: |
491 | enabled: yes | |
492 | detection-ports: | |
96495c9a | 493 | dp: 53 |
4c6d6c1e SS |
494 | http: |
495 | enabled: yes | |
8efbd71c | 496 | memcap: 256mb |
4c6d6c1e SS |
497 | |
498 | # default-config: Used when no server-config matches | |
499 | # personality: List of personalities used by default | |
500 | # request-body-limit: Limit reassembly of request body for inspection | |
501 | # by http_client_body & pcre /P option. | |
502 | # response-body-limit: Limit reassembly of response body for inspection | |
503 | # by file_data, http_server_body & pcre /Q option. | |
504 | # double-decode-path: Double decode path section of the URI | |
505 | # double-decode-query: Double decode query section of the URI | |
506 | # response-body-decompress-layer-limit: | |
507 | # Limit to how many layers of compression will be | |
508 | # decompressed. Defaults to 2. | |
509 | # | |
4c6d6c1e SS |
510 | # Currently Available Personalities: |
511 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, | |
512 | # IIS_7_0, IIS_7_5, Apache_2 | |
513 | libhtp: | |
514 | default-config: | |
515 | personality: IDS | |
516 | ||
517 | # Can be specified in kb, mb, gb. Just a number indicates | |
518 | # it's in bytes. | |
8efbd71c MT |
519 | request-body-limit: 0 |
520 | response-body-limit: 0 | |
4c6d6c1e SS |
521 | |
522 | # response body decompression (0 disables) | |
523 | response-body-decompress-layer-limit: 2 | |
524 | ||
525 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically | |
526 | http-body-inline: auto | |
527 | ||
528 | # Take a random value for inspection sizes around the specified value. | |
529 | # This lower the risk of some evasion technics but could lead | |
530 | # detection change between runs. It is set to 'yes' by default. | |
8efbd71c | 531 | randomize-inspection-sizes: yes |
4c6d6c1e SS |
532 | # If randomize-inspection-sizes is active, the value of various |
533 | # inspection size will be choosen in the [1 - range%, 1 + range%] | |
534 | # range | |
535 | # Default value of randomize-inspection-range is 10. | |
8efbd71c | 536 | randomize-inspection-range: 10 |
4c6d6c1e SS |
537 | |
538 | # decoding | |
539 | double-decode-path: no | |
540 | double-decode-query: no | |
541 | ||
d6cc8710 SS |
542 | ntp: |
543 | enabled: yes | |
544 | dhcp: | |
545 | enabled: yes | |
546 | sip: | |
547 | enabled: yes | |
4c6d6c1e | 548 | |
4c6d6c1e SS |
549 | # Limit for the maximum number of asn1 frames to decode (default 256) |
550 | asn1-max-frames: 256 | |
551 | ||
552 | ||
553 | ############################################################################## | |
554 | ## | |
555 | ## Advanced settings below | |
556 | ## | |
557 | ############################################################################## | |
558 | ||
38081b8b MT |
559 | ## |
560 | ## Run Options | |
561 | ## | |
562 | ||
563 | # Run suricata as user and group. | |
564 | run-as: | |
565 | user: suricata | |
566 | group: suricata | |
567 | ||
4c6d6c1e SS |
568 | # Suricata core dump configuration. Limits the size of the core dump file to |
569 | # approximately max-dump. The actual core dump size will be a multiple of the | |
570 | # page size. Core dumps that would be larger than max-dump are truncated. On | |
571 | # Linux, the actual core dump size may be a few pages larger than max-dump. | |
572 | # Setting max-dump to 0 disables core dumping. | |
573 | # Setting max-dump to 'unlimited' will give the full core dump file. | |
574 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | |
575 | # to be 'unlimited'. | |
576 | ||
577 | coredump: | |
578 | max-dump: unlimited | |
579 | ||
580 | # If suricata box is a router for the sniffed networks, set it to 'router'. If | |
581 | # it is a pure sniffing setup, set it to 'sniffer-only'. | |
582 | # If set to auto, the variable is internally switch to 'router' in IPS mode | |
583 | # and 'sniffer-only' in IDS mode. | |
584 | # This feature is currently only used by the reject* keywords. | |
585 | host-mode: auto | |
586 | ||
587 | # Number of packets preallocated per thread. The default is 1024. A higher number | |
588 | # will make sure each CPU will be more easily kept busy, but may negatively | |
589 | # impact caching. | |
16446608 | 590 | max-pending-packets: 1024 |
4c6d6c1e SS |
591 | |
592 | # Runmode the engine should use. Please check --list-runmodes to get the available | |
593 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned | |
594 | # load balancing). | |
64aed99d | 595 | runmode: workers |
4c6d6c1e SS |
596 | |
597 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. | |
598 | # | |
599 | # Supported schedulers are: | |
600 | # | |
601 | # round-robin - Flows assigned to threads in a round robin fashion. | |
602 | # active-packets - Flows assigned to threads that have the lowest number of | |
603 | # unprocessed packets (default). | |
604 | # hash - Flow alloted usihng the address hash. More of a random | |
605 | # technique. Was the default in Suricata 1.2.1 and older. | |
606 | # | |
607 | #autofp-scheduler: active-packets | |
608 | ||
609 | # Preallocated size for packet. Default is 1514 which is the classical | |
610 | # size for pcap on ethernet. You should adjust this value to the highest | |
611 | # packet size (MTU + hardware header) on your system. | |
9f726f8f | 612 | default-packet-size: 1514 |
4c6d6c1e SS |
613 | |
614 | # Unix command socket can be used to pass commands to suricata. | |
615 | # An external tool can then connect to get information from suricata | |
616 | # or trigger some modifications of the engine. Set enabled to yes | |
617 | # to activate the feature. In auto mode, the feature will only be | |
618 | # activated in live capture mode. You can use the filename variable to set | |
619 | # the file name of the socket. | |
620 | unix-command: | |
335114b2 | 621 | enabled: no |
4c6d6c1e SS |
622 | #filename: custom.socket |
623 | ||
83b576c8 MT |
624 | # Magic file |
625 | magic-file: /usr/share/misc/magic.mgc | |
4c6d6c1e SS |
626 | |
627 | legacy: | |
628 | uricontent: enabled | |
629 | ||
630 | ## | |
631 | ## Detection settings | |
632 | ## | |
633 | ||
634 | # Set the order of alerts bassed on actions | |
635 | # The default order is pass, drop, reject, alert | |
636 | # action-order: | |
637 | # - pass | |
638 | # - drop | |
639 | # - reject | |
640 | # - alert | |
641 | ||
4c6d6c1e SS |
642 | # When run with the option --engine-analysis, the engine will read each of |
643 | # the parameters below, and print reports for each of the enabled sections | |
644 | # and exit. The reports are printed to a file in the default log dir | |
645 | # given by the parameter "default-log-dir", with engine reporting | |
646 | # subsection below printing reports in its own report file. | |
647 | engine-analysis: | |
648 | # enables printing reports for fast-pattern for every rule. | |
649 | rules-fast-pattern: yes | |
650 | # enables printing reports for each rule | |
651 | rules: yes | |
652 | ||
653 | #recursion and match limits for PCRE where supported | |
654 | pcre: | |
655 | match-limit: 3500 | |
656 | match-limit-recursion: 1500 | |
657 | ||
658 | ## | |
659 | ## Advanced Traffic Tracking and Reconstruction Settings | |
660 | ## | |
661 | ||
662 | # Host specific policies for defragmentation and TCP stream | |
663 | # reassembly. The host OS lookup is done using a radix tree, just | |
664 | # like a routing table so the most specific entry matches. | |
665 | host-os-policy: | |
666 | # Make the default policy windows. | |
667 | windows: [0.0.0.0/0] | |
668 | bsd: [] | |
669 | bsd-right: [] | |
670 | old-linux: [] | |
671 | linux: [] | |
672 | old-solaris: [] | |
673 | solaris: [] | |
674 | hpux10: [] | |
675 | hpux11: [] | |
676 | irix: [] | |
677 | macos: [] | |
678 | vista: [] | |
679 | windows2k3: [] | |
680 | ||
681 | # Defrag settings: | |
682 | ||
683 | defrag: | |
7eed864c | 684 | memcap: 64mb |
4c6d6c1e SS |
685 | hash-size: 65536 |
686 | trackers: 65535 # number of defragmented flows to follow | |
687 | max-frags: 65535 # number of fragments to keep (higher than trackers) | |
688 | prealloc: yes | |
689 | timeout: 60 | |
690 | ||
4c6d6c1e SS |
691 | # Flow settings: |
692 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | |
693 | # for flow allocation inside the engine. You can change this value to allow | |
694 | # more memory usage for flows. | |
695 | # The hash-size determine the size of the hash used to identify flows inside | |
696 | # the engine, and by default the value is 65536. | |
697 | # At the startup, the engine can preallocate a number of flows, to get a better | |
698 | # performance. The number of flows preallocated is 10000 by default. | |
699 | # emergency-recovery is the percentage of flows that the engine need to | |
700 | # prune before unsetting the emergency state. The emergency state is activated | |
701 | # when the memcap limit is reached, allowing to create new flows, but | |
702 | # prunning them with the emergency timeouts (they are defined below). | |
703 | # If the memcap is reached, the engine will try to prune flows | |
704 | # with the default timeouts. If it doens't find a flow to prune, it will set | |
705 | # the emergency bit and it will try again with more agressive timeouts. | |
706 | # If that doesn't work, then it will try to kill the last time seen flows | |
707 | # not in use. | |
708 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's | |
709 | # in bytes. | |
710 | ||
711 | flow: | |
47cb0571 | 712 | memcap: 256mb |
4c6d6c1e SS |
713 | hash-size: 65536 |
714 | prealloc: 10000 | |
715 | emergency-recovery: 30 | |
47cb0571 MT |
716 | managers: 1 |
717 | recyclers: 1 | |
4c6d6c1e SS |
718 | |
719 | # This option controls the use of vlan ids in the flow (and defrag) | |
720 | # hashing. Normally this should be enabled, but in some (broken) | |
721 | # setups where both sides of a flow are not tagged with the same vlan | |
722 | # tag, we can ignore the vlan id's in the flow hashing. | |
723 | vlan: | |
724 | use-for-tracking: true | |
725 | ||
726 | # Specific timeouts for flows. Here you can specify the timeouts that the | |
727 | # active flows will wait to transit from the current state to another, on each | |
728 | # protocol. The value of "new" determine the seconds to wait after a hanshake or | |
729 | # stream startup before the engine free the data of that flow it doesn't | |
730 | # change the state to established (usually if we don't receive more packets | |
731 | # of that flow). The value of "established" is the amount of | |
732 | # seconds that the engine will wait to free the flow if it spend that amount | |
733 | # without receiving new packets or closing the connection. "closed" is the | |
734 | # amount of time to wait after a flow is closed (usually zero). "bypassed" | |
735 | # timeout controls locally bypassed flows. For these flows we don't do any other | |
736 | # tracking. If no packets have been seen after this timeout, the flow is discarded. | |
737 | # | |
738 | # There's an emergency mode that will become active under attack circumstances, | |
739 | # making the engine to check flow status faster. This configuration variables | |
740 | # use the prefix "emergency-" and work similar as the normal ones. | |
741 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and | |
742 | # icmp. | |
743 | ||
744 | flow-timeouts: | |
745 | ||
746 | default: | |
747 | new: 30 | |
748 | established: 300 | |
749 | closed: 0 | |
750 | bypassed: 100 | |
751 | emergency-new: 10 | |
752 | emergency-established: 100 | |
753 | emergency-closed: 0 | |
754 | emergency-bypassed: 50 | |
755 | tcp: | |
756 | new: 60 | |
757 | established: 600 | |
758 | closed: 60 | |
759 | bypassed: 100 | |
760 | emergency-new: 5 | |
761 | emergency-established: 100 | |
762 | emergency-closed: 10 | |
763 | emergency-bypassed: 50 | |
764 | udp: | |
765 | new: 30 | |
766 | established: 300 | |
767 | bypassed: 100 | |
768 | emergency-new: 10 | |
769 | emergency-established: 100 | |
770 | emergency-bypassed: 50 | |
771 | icmp: | |
772 | new: 30 | |
773 | established: 300 | |
774 | bypassed: 100 | |
775 | emergency-new: 10 | |
776 | emergency-established: 100 | |
777 | emergency-bypassed: 50 | |
778 | ||
779 | # Stream engine settings. Here the TCP stream tracking and reassembly | |
780 | # engine is configured. | |
781 | # | |
782 | # stream: | |
783 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a | |
784 | # # number indicates it's in bytes. | |
785 | # checksum-validation: yes # To validate the checksum of received | |
786 | # # packet. If csum validation is specified as | |
787 | # # "yes", then packet with invalid csum will not | |
788 | # # be processed by the engine stream/app layer. | |
789 | # # Warning: locally generated trafic can be | |
790 | # # generated without checksum due to hardware offload | |
791 | # # of checksum. You can control the handling of checksum | |
792 | # # on a per-interface basis via the 'checksum-checks' | |
793 | # # option | |
794 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread | |
795 | # midstream: false # don't allow midstream session pickups | |
796 | # async-oneside: false # don't enable async stream handling | |
797 | # inline: no # stream inline mode | |
798 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine | |
799 | # max-synack-queued: 5 # Max different SYN/ACKs to queue | |
800 | # bypass: no # Bypass packets when stream.depth is reached | |
801 | # | |
802 | # reassembly: | |
803 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number | |
804 | # # indicates it's in bytes. | |
805 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number | |
806 | # # indicates it's in bytes. | |
807 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least | |
808 | # # this size. Can be specified in kb, mb, | |
809 | # # gb. Just a number indicates it's in bytes. | |
810 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least | |
811 | # # this size. Can be specified in kb, mb, | |
812 | # # gb. Just a number indicates it's in bytes. | |
813 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. | |
814 | # # This lower the risk of some evasion technics but could lead | |
815 | # # detection change between runs. It is set to 'yes' by default. | |
816 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is | |
817 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size | |
818 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same | |
819 | # # calculation for toclient-chunk-size. | |
820 | # # Default value of randomize-chunk-range is 10. | |
821 | # | |
822 | # raw: yes # 'Raw' reassembly enabled or disabled. | |
823 | # # raw is for content inspection by detection | |
824 | # # engine. | |
825 | # | |
826 | # segment-prealloc: 2048 # number of segments preallocated per thread | |
827 | # | |
828 | # check-overlap-different-data: true|false | |
829 | # # check if a segment contains different data | |
830 | # # than what we've already seen for that | |
831 | # # position in the stream. | |
832 | # # This is enabled automatically if inline mode | |
833 | # # is used or when stream-event:reassembly_overlap_different_data; | |
834 | # # is used in a rule. | |
835 | # | |
836 | stream: | |
0b340f09 | 837 | memcap: 256mb |
c9ee3592 | 838 | prealloc-sessions: 4096 |
4c6d6c1e SS |
839 | checksum-validation: yes # reject wrong csums |
840 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically | |
9deccd1c | 841 | bypass: yes # Bypass packets when stream.reassembly.depth is reached. |
4c6d6c1e SS |
842 | reassembly: |
843 | memcap: 256mb | |
844 | depth: 1mb # reassemble 1mb into a stream | |
845 | toserver-chunk-size: 2560 | |
846 | toclient-chunk-size: 2560 | |
847 | randomize-chunk-size: yes | |
0b340f09 MT |
848 | raw: yes |
849 | segment-prealloc: 2048 | |
850 | check-overlap-different-data: true | |
4c6d6c1e SS |
851 | |
852 | # Host table: | |
853 | # | |
854 | # Host table is used by tagging and per host thresholding subsystems. | |
855 | # | |
856 | host: | |
857 | hash-size: 4096 | |
858 | prealloc: 1000 | |
859 | memcap: 32mb | |
860 | ||
861 | # IP Pair table: | |
862 | # | |
863 | # Used by xbits 'ippair' tracking. | |
864 | # | |
865 | #ippair: | |
866 | # hash-size: 4096 | |
867 | # prealloc: 1000 | |
868 | # memcap: 32mb | |
869 | ||
870 | # Decoder settings | |
871 | ||
872 | decoder: | |
873 | # Teredo decoder is known to not be completely accurate | |
874 | # it will sometimes detect non-teredo as teredo. | |
875 | teredo: | |
890f1bf2 | 876 | enabled: false |
4c6d6c1e SS |
877 | |
878 | ||
879 | ## | |
880 | ## Performance tuning and profiling | |
881 | ## | |
882 | ||
883 | # The detection engine builds internal groups of signatures. The engine | |
884 | # allow us to specify the profile to use for them, to manage memory on an | |
885 | # efficient way keeping a good performance. For the profile keyword you | |
886 | # can use the words "low", "medium", "high" or "custom". If you use custom | |
887 | # make sure to define the values at "- custom-values" as your convenience. | |
888 | # Usually you would prefer medium/high/low. | |
889 | # | |
890 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | |
891 | # the signature groups. "single" indicates the use of a single context for | |
892 | # all the signature group heads. "full" indicates a mpm-context for each | |
893 | # group head. "auto" lets the engine decide the distribution of contexts | |
894 | # based on the information the engine gathers on the patterns from each | |
895 | # group head. | |
896 | # | |
897 | # The option inspection-recursion-limit is used to limit the recursive calls | |
898 | # in the content inspection code. For certain payload-sig combinations, we | |
899 | # might end up taking too much time in the content inspection code. | |
900 | # If the argument specified is 0, the engine uses an internally defined | |
901 | # default limit. On not specifying a value, we use no limits on the recursion. | |
902 | detect: | |
dccbdf5b | 903 | profile: custom |
4c6d6c1e | 904 | custom-values: |
dccbdf5b MT |
905 | toclient-groups: 200 |
906 | toserver-groups: 200 | |
4c6d6c1e SS |
907 | sgh-mpm-context: auto |
908 | inspection-recursion-limit: 3000 | |
99d75ac7 | 909 | |
4c6d6c1e SS |
910 | # If set to yes, the loading of signatures will be made after the capture |
911 | # is started. This will limit the downtime in IPS mode. | |
99d75ac7 | 912 | delayed-detect: yes |
4c6d6c1e SS |
913 | |
914 | prefilter: | |
915 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern | |
916 | # engines. "auto" also sets up prefilter engines for other keywords. | |
917 | # Use --list-keywords=all to see which keywords support prefiltering. | |
918 | default: mpm | |
919 | ||
920 | # the grouping values above control how many groups are created per | |
921 | # direction. Port whitelisting forces that port to get it's own group. | |
922 | # Very common ports will benefit, as well as ports with many expensive | |
923 | # rules. | |
924 | grouping: | |
925 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 | |
926 | #udp-whitelist: 53, 135, 5060 | |
927 | ||
928 | profiling: | |
929 | # Log the rules that made it past the prefilter stage, per packet | |
930 | # default is off. The threshold setting determines how many rules | |
931 | # must have made it past pre-filter for that rule to trigger the | |
932 | # logging. | |
933 | #inspect-logging-threshold: 200 | |
934 | grouping: | |
935 | dump-to-disk: false | |
936 | include-rules: false # very verbose | |
937 | include-mpm-stats: false | |
938 | ||
939 | # Select the multi pattern algorithm you want to run for scan/search the | |
940 | # in the engine. | |
941 | # | |
942 | # The supported algorithms are: | |
943 | # "ac" - Aho-Corasick, default implementation | |
944 | # "ac-bs" - Aho-Corasick, reduced memory implementation | |
945 | # "ac-cuda" - Aho-Corasick, CUDA implementation | |
946 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant | |
947 | # "hs" - Hyperscan, available when built with Hyperscan support | |
948 | # | |
949 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is | |
950 | # available, "ac" otherwise. | |
951 | # | |
952 | # The mpm you choose also decides the distribution of mpm contexts for | |
953 | # signature groups, specified by the conf - "detect.sgh-mpm-context". | |
954 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" | |
955 | # to be set to "single", because of ac's memory requirements, unless the | |
956 | # ruleset is small enough to fit in one's memory, in which case one can | |
957 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. | |
958 | # | |
959 | # There is also a CUDA pattern matcher (only available if Suricata was | |
960 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your | |
961 | # max-pending-packets setting above as well if you use b2g_cuda. | |
962 | ||
963 | mpm-algo: auto | |
964 | ||
965 | # Select the matching algorithm you want to use for single-pattern searches. | |
966 | # | |
967 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only | |
968 | # available if Suricata has been built with Hyperscan support). | |
969 | # | |
970 | # The default of "auto" will use "hs" if available, otherwise "bm". | |
971 | ||
972 | spm-algo: auto | |
973 | ||
974 | # Suricata is multi-threaded. Here the threading can be influenced. | |
975 | threading: | |
f903d3a6 | 976 | set-cpu-affinity: no |
4c6d6c1e SS |
977 | # Tune cpu affinity of threads. Each family of threads can be bound |
978 | # on specific CPUs. | |
979 | # | |
980 | # These 2 apply to the all runmodes: | |
981 | # management-cpu-set is used for flow timeout handling, counters | |
982 | # worker-cpu-set is used for 'worker' threads | |
983 | # | |
984 | # Additionally, for autofp these apply: | |
985 | # receive-cpu-set is used for capture threads | |
986 | # verdict-cpu-set is used for IPS verdict threads | |
987 | # | |
988 | cpu-affinity: | |
989 | - management-cpu-set: | |
990 | cpu: [ 0 ] # include only these cpus in affinity settings | |
991 | - receive-cpu-set: | |
992 | cpu: [ 0 ] # include only these cpus in affinity settings | |
993 | - worker-cpu-set: | |
994 | cpu: [ "all" ] | |
995 | mode: "exclusive" | |
4c6d6c1e SS |
996 | prio: |
997 | low: [ 0 ] | |
998 | medium: [ "1-2" ] | |
999 | high: [ 3 ] | |
1000 | default: "medium" | |
35cdc506 MT |
1001 | - verdict-cpu-set: |
1002 | cpu: [ 0 ] | |
1003 | prio: | |
1004 | default: "high" | |
4c6d6c1e SS |
1005 | # |
1006 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | |
1007 | # This setting allows controlling this behaviour. A ratio setting of 2 will | |
1008 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | |
1009 | # will result in 4 detect threads. If values below 1 are used, less threads | |
1010 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | |
1011 | # thread being created. Regardless of the setting at a minimum 1 detect | |
1012 | # thread will always be created. | |
1013 | # | |
1014 | detect-thread-ratio: 1.0 |