]>
Commit | Line | Data |
---|---|---|
4e1acf5f JI |
1 | %YAML 1.1 |
2 | --- | |
3 | ||
0dd07df6 VJ |
4 | # Suricata configuration file. In addition to the comments describing all |
5 | # options in this file, full documentation can be found at: | |
2e8678a5 | 6 | # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html |
0dd07df6 | 7 | |
a9cea53e VJ |
8 | ## |
9 | ## Step 1: inform Suricata about your network | |
10 | ## | |
11 | ||
12 | vars: | |
66b37d86 | 13 | # more specific is better for alert accuracy and performance |
a9cea53e VJ |
14 | address-groups: |
15 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" | |
16 | #HOME_NET: "[192.168.0.0/16]" | |
17 | #HOME_NET: "[10.0.0.0/8]" | |
18 | #HOME_NET: "[172.16.0.0/12]" | |
19 | #HOME_NET: "any" | |
20 | ||
21 | EXTERNAL_NET: "!$HOME_NET" | |
22 | #EXTERNAL_NET: "any" | |
23 | ||
24 | HTTP_SERVERS: "$HOME_NET" | |
25 | SMTP_SERVERS: "$HOME_NET" | |
26 | SQL_SERVERS: "$HOME_NET" | |
27 | DNS_SERVERS: "$HOME_NET" | |
28 | TELNET_SERVERS: "$HOME_NET" | |
29 | AIM_SERVERS: "$EXTERNAL_NET" | |
2938f797 | 30 | DC_SERVERS: "$HOME_NET" |
a9cea53e VJ |
31 | DNP3_SERVER: "$HOME_NET" |
32 | DNP3_CLIENT: "$HOME_NET" | |
33 | MODBUS_CLIENT: "$HOME_NET" | |
34 | MODBUS_SERVER: "$HOME_NET" | |
35 | ENIP_CLIENT: "$HOME_NET" | |
36 | ENIP_SERVER: "$HOME_NET" | |
37 | ||
38 | port-groups: | |
39 | HTTP_PORTS: "80" | |
40 | SHELLCODE_PORTS: "!80" | |
41 | ORACLE_PORTS: 1521 | |
42 | SSH_PORTS: 22 | |
43 | DNP3_PORTS: 20000 | |
44 | MODBUS_PORTS: 502 | |
c3806ebd EL |
45 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" |
46 | FTP_PORTS: 21 | |
82de6e06 | 47 | VXLAN_PORTS: 4789 |
0dd07df6 | 48 | |
c9496688 | 49 | ## |
64b6ff73 | 50 | ## Step 2: select outputs to enable |
d48098f1 VJ |
51 | ## |
52 | ||
056f88b4 VJ |
53 | # The default logging directory. Any log or output file will be |
54 | # placed here if its not specified with a full path name. This can be | |
55 | # overridden with the -l command line parameter. | |
56 | default-log-dir: @e_logdir@ | |
d48098f1 | 57 | |
056f88b4 VJ |
58 | # global stats configuration |
59 | stats: | |
60 | enabled: yes | |
61 | # The interval field (in seconds) controls at what interval | |
62 | # the loggers are invoked. | |
63 | interval: 8 | |
4f84672d VJ |
64 | # Add decode events as stats. |
65 | #decoder-events: true | |
0d86263e VJ |
66 | # Decoder event prefix in stats. Has been 'decoder' before, but that leads |
67 | # to missing events in the eve.stats records. See issue #2225. | |
59da7ae3 | 68 | #decoder-events-prefix: "decoder.event" |
4f84672d VJ |
69 | # Add stream events as stats. |
70 | #stream-events: false | |
d48098f1 | 71 | |
056f88b4 VJ |
72 | # Configure the type of alert (and other) logging you would like. |
73 | outputs: | |
74 | # a line based alerts log similar to Snort's fast.log | |
75 | - fast: | |
d48098f1 | 76 | enabled: yes |
056f88b4 VJ |
77 | filename: fast.log |
78 | append: yes | |
79 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
c5ca642a | 80 | |
056f88b4 VJ |
81 | # Extensible Event Format (nicknamed EVE) event log in JSON format |
82 | - eve-log: | |
f55dbca5 | 83 | enabled: @e_enable_evelog@ |
056f88b4 VJ |
84 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis |
85 | filename: eve.json | |
86 | #prefix: "@cee: " # prefix to prepend to each log entry | |
87 | # the following are valid when type: syslog above | |
88 | #identity: "suricata" | |
89 | #facility: local5 | |
90 | #level: Info ## possible levels: Emergency, Alert, Critical, | |
91 | ## Error, Warning, Notice, Info, Debug | |
92 | #redis: | |
93 | # server: 127.0.0.1 | |
94 | # port: 6379 | |
a64e5e77 | 95 | # async: true ## if redis replies are read asynchronously |
f27b4fc8 J |
96 | # mode: list ## possible values: list|lpush (default), rpush, channel|publish |
97 | # ## lpush and rpush are using a Redis list. "list" is an alias for lpush | |
98 | # ## publish is using a Redis channel. "channel" is an alias for publish | |
056f88b4 VJ |
99 | # key: suricata ## key or channel to use (default to suricata) |
100 | # Redis pipelining set up. This will enable to only do a query every | |
101 | # 'batch-size' events. This should lower the latency induced by network | |
102 | # connection at the cost of some memory. There is no flushing implemented | |
103 | # so this setting as to be reserved to high traffic suricata. | |
104 | # pipelining: | |
105 | # enabled: yes ## set enable to yes to enable query pipelining | |
106 | # batch-size: 10 ## number of entry to keep in buffer | |
dd988d99 JI |
107 | |
108 | # Include top level metadata. Default yes. | |
109 | #metadata: no | |
110 | ||
1dd81f73 | 111 | # include the name of the input pcap file in pcap file processing mode |
75d7c9d6 VJ |
112 | pcap-file: false |
113 | ||
c4d8508f VJ |
114 | # Community Flow ID |
115 | # Adds a 'community_id' field to EVE records. These are meant to give | |
116 | # a records a predictable flow id that can be used to match records to | |
117 | # output of other tools such as Bro. | |
118 | # | |
119 | # Takes a 'seed' that needs to be same across sensors and tools | |
120 | # to make the id less predictable. | |
121 | ||
122 | # enable/disable the community id feature. | |
123 | community-id: false | |
124 | # Seed value for the ID output. Valid values are 0-65535. | |
125 | community-id-seed: 0 | |
126 | ||
57658415 JI |
127 | # HTTP X-Forwarded-For support by adding an extra field or overwriting |
128 | # the source or destination IP address (depending on flow direction) | |
129 | # with the one reported in the X-Forwarded-For HTTP header. This is | |
130 | # helpful when reviewing alerts for traffic that is being reverse | |
131 | # or forward proxied. | |
132 | xff: | |
133 | enabled: no | |
134 | # Two operation modes are available, "extra-data" and "overwrite". | |
135 | mode: extra-data | |
136 | # Two proxy deployments are supported, "reverse" and "forward". In | |
137 | # a "reverse" deployment the IP address used is the last one, in a | |
138 | # "forward" deployment the first IP address is used. | |
139 | deployment: reverse | |
140 | # Header name where the actual IP address will be reported, if more | |
141 | # than one IP address is present, the last IP address will be the | |
142 | # one taken into consideration. | |
143 | header: X-Forwarded-For | |
144 | ||
056f88b4 VJ |
145 | types: |
146 | - alert: | |
147 | # payload: yes # enable dumping payload in Base64 | |
148 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log | |
149 | # payload-printable: yes # enable dumping payload in printable (lossy) format | |
150 | # packet: yes # enable dumping of packet (without stream segments) | |
a2bc0080 | 151 | # metadata: no # enable inclusion of app layer metadata with alert. Default yes |
af615baa JL |
152 | # http-body: yes # Requires metadata; enable dumping of http body in Base64 |
153 | # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format | |
fe9cac58 | 154 | |
1691c106 JI |
155 | # Enable the logging of tagged packets for rules using the |
156 | # "tag" keyword. | |
157 | tagged-packets: yes | |
4111272c JI |
158 | - anomaly: |
159 | # Anomaly log records describe unexpected conditions such | |
160 | # as truncated packets, packets with invalid IP/UDP/TCP | |
161 | # length values, and other events that render the packet | |
162 | # invalid for further processing or describe unexpected | |
163 | # behavior on an established stream. Networks which | |
164 | # experience high occurrences of anomalies may experience | |
165 | # packet processing degradation. | |
aaacbf28 JL |
166 | # |
167 | # Anomalies are reported for the following: | |
4111272c JI |
168 | # 1. Decode: Values and conditions that are detected while |
169 | # decoding individual packets. This includes invalid or | |
170 | # unexpected values for low-level protocol lengths as well | |
171 | # as stream related events (TCP 3-way handshake issues, | |
172 | # unexpected sequence number, etc). | |
173 | # 2. Stream: This includes stream related events (TCP | |
174 | # 3-way handshake issues, unexpected sequence number, | |
175 | # etc). | |
176 | # 3. Application layer: These denote application layer | |
177 | # specific conditions that are unexpected, invalid or are | |
178 | # unexpected given the application monitoring state. | |
aaacbf28 | 179 | # |
4111272c JI |
180 | # By default, anomaly logging is disabled. When anomaly |
181 | # logging is enabled, applayer anomaly reporting is | |
182 | # enabled. | |
ebecaca7 | 183 | enabled: yes |
aaacbf28 | 184 | # |
883cad1a JL |
185 | # Choose one or more types of anomaly logging and whether to enable |
186 | # logging of the packet header for packet anomalies. | |
aaacbf28 JL |
187 | types: |
188 | # decode: no | |
189 | # stream: no | |
190 | # applayer: yes | |
191 | #packethdr: no | |
056f88b4 VJ |
192 | - http: |
193 | extended: yes # enable this for extended logging information | |
194 | # custom allows additional http fields to be included in eve-log | |
195 | # the example below adds three additional fields when uncommented | |
196 | #custom: [Accept-Encoding, Accept-Language, Authorization] | |
4a2918e6 PA |
197 | # set this value to one and only one among {both, request, response} |
198 | # to dump all http headers for every http request and/or response | |
199 | # dump-all-headers: none | |
0f6c8806 | 200 | - dns: |
869b7c0e GL |
201 | # This configuration uses the new DNS logging format, |
202 | # the old configuration is still available: | |
16221c0b JI |
203 | # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format |
204 | ||
205 | # As of Suricata 5.0, version 2 of the eve dns output | |
206 | # format is the default. | |
207 | #version: 2 | |
869b7c0e GL |
208 | |
209 | # Enable/disable this logger. Default: enabled. | |
16221c0b | 210 | #enabled: yes |
869b7c0e GL |
211 | |
212 | # Control logging of requests and responses: | |
213 | # - requests: enable logging of DNS queries | |
214 | # - responses: enable logging of DNS answers | |
215 | # By default both requests and responses are logged. | |
216 | #requests: no | |
217 | #responses: no | |
218 | ||
219 | # Format of answer logging: | |
220 | # - detailed: array item per answer | |
221 | # - grouped: answers aggregated by type | |
222 | # Default: all | |
223 | #formats: [detailed, grouped] | |
224 | ||
16221c0b JI |
225 | # Types to log, based on the query type. |
226 | # Default: all. | |
869b7c0e | 227 | #types: [a, aaaa, cname, mx, ns, ptr, txt] |
056f88b4 VJ |
228 | - tls: |
229 | extended: yes # enable this for extended logging information | |
75399731 RR |
230 | # output TLS transaction where the session is resumed using a |
231 | # session id | |
232 | #session-resumption: no | |
0716199a MK |
233 | # custom allows to control which tls fields that are included |
234 | # in eve-log | |
a4eaef25 | 235 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] |
056f88b4 VJ |
236 | - files: |
237 | force-magic: no # force logging magic on all logged files | |
53ebe4c5 DS |
238 | # force logging of checksums, available hash functions are md5, |
239 | # sha1 and sha256 | |
240 | #force-hash: [md5] | |
056f88b4 | 241 | #- drop: |
2997d086 VJ |
242 | # alerts: yes # log alerts that caused drops |
243 | # flows: all # start or all: 'start' logs only a single drop | |
244 | # # per flow direction. All logs each dropped pkt. | |
056f88b4 VJ |
245 | - smtp: |
246 | #extended: yes # enable this for extended logging information | |
247 | # this includes: bcc, message-id, subject, x_mailer, user-agent | |
248 | # custom fields logging from the list: | |
249 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, | |
250 | # x-originating-ip, in-reply-to, references, importance, priority, | |
251 | # sensitivity, organization, content-md5, date | |
252 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] | |
253 | # output md5 of fields: body, subject | |
254 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 | |
255 | # to yes | |
256 | #md5: [body, subject] | |
c5ca642a | 257 | |
d6592211 | 258 | #- dnp3 |
2149807b | 259 | - ftp |
c1b333c9 | 260 | #- rdp |
fc3191dc JI |
261 | - nfs |
262 | - smb | |
263 | - tftp | |
264 | - ikev2 | |
265 | - krb5 | |
6fc7fc74 | 266 | - snmp |
87658390 | 267 | #- sip |
9210d874 | 268 | - dhcp: |
fc3191dc | 269 | enabled: yes |
9210d874 JI |
270 | # When extended mode is on, all DHCP messages are logged |
271 | # with full detail. When extended mode is off (the | |
272 | # default), just enough information to map a MAC address | |
273 | # to an IP address is logged. | |
274 | extended: no | |
056f88b4 VJ |
275 | - ssh |
276 | - stats: | |
277 | totals: yes # stats for all threads merged together | |
278 | threads: no # per thread stats | |
279 | deltas: no # include delta values | |
280 | # bi-directional flows | |
1b4e1ea3 | 281 | - flow |
056f88b4 VJ |
282 | # uni-directional flows |
283 | #- netflow | |
34811cf6 JI |
284 | |
285 | # Metadata event type. Triggered whenever a pktvar is saved | |
286 | # and will include the pktvars, flowvars, flowbits and | |
287 | # flowints. | |
288 | #- metadata | |
c5ca642a | 289 | |
056f88b4 VJ |
290 | # a line based log of HTTP requests (no alerts) |
291 | - http-log: | |
1b4e1ea3 | 292 | enabled: no |
056f88b4 VJ |
293 | filename: http.log |
294 | append: yes | |
295 | #extended: yes # enable this for extended logging information | |
296 | #custom: yes # enabled the custom logging format (defined by customformat) | |
297 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" | |
298 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
c5ca642a | 299 | |
056f88b4 VJ |
300 | # a line based log of TLS handshake parameters (no alerts) |
301 | - tls-log: | |
302 | enabled: no # Log TLS connections. | |
303 | filename: tls.log # File to store TLS logs. | |
304 | append: yes | |
20d4d400 | 305 | #extended: yes # Log extended information like fingerprint |
306 | #custom: yes # enabled the custom logging format (defined by customformat) | |
307 | #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" | |
056f88b4 | 308 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' |
75399731 RR |
309 | # output TLS transaction where the session is resumed using a |
310 | # session id | |
311 | #session-resumption: no | |
c5ca642a | 312 | |
056f88b4 VJ |
313 | # output module to store certificates chain to disk |
314 | - tls-store: | |
315 | enabled: no | |
316 | #certs-log-dir: certs # directory to store the certificates files | |
c5ca642a | 317 | |
056f88b4 VJ |
318 | # Packet log... log packets in pcap format. 3 modes of operation: "normal" |
319 | # "multi" and "sguil". | |
320 | # | |
321 | # In normal mode a pcap file "filename" is created in the default-log-dir, | |
322 | # or are as specified by "dir". | |
323 | # In multi mode, a file is created per thread. This will perform much | |
324 | # better, but will create multiple files where 'normal' would create one. | |
325 | # In multi mode the filename takes a few special variables: | |
326 | # - %n -- thread number | |
327 | # - %i -- thread id | |
328 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format' | |
329 | # E.g. filename: pcap.%n.%t | |
330 | # | |
331 | # Note that it's possible to use directories, but the directories are not | |
332 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the | |
333 | # per thread directory. | |
334 | # | |
335 | # Also note that the limit and max-files settings are enforced per thread. | |
336 | # So the size limit when using 8 threads with 1000mb files and 2000 files | |
337 | # is: 8*1000*2000 ~ 16TiB. | |
338 | # | |
339 | # In Sguil mode "dir" indicates the base directory. In this base dir the | |
340 | # pcaps are created in th directory structure Sguil expects: | |
341 | # | |
342 | # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> | |
343 | # | |
344 | # By default all packets are logged except: | |
345 | # - TCP streams beyond stream.reassembly.depth | |
346 | # - encrypted streams after the key exchange | |
347 | # | |
348 | - pcap-log: | |
cb47c2f6 | 349 | enabled: no |
056f88b4 | 350 | filename: log.pcap |
c5ca642a | 351 | |
056f88b4 VJ |
352 | # File size limit. Can be specified in kb, mb, gb. Just a number |
353 | # is parsed as bytes. | |
354 | limit: 1000mb | |
c5ca642a | 355 | |
056f88b4 VJ |
356 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" |
357 | max-files: 2000 | |
c5ca642a | 358 | |
b85a0b18 MF |
359 | # Compression algorithm for pcap files. Possible values: none, lz4. |
360 | # Enabling compression is incompatible with the sguil mode. Note also | |
361 | # that on Windows, enabling compression will *increase* disk I/O. | |
362 | compression: none | |
363 | ||
364 | # Further options for lz4 compression. The compression level can be set | |
365 | # to a value between 0 and 16, where higher values result in higher | |
366 | # compression. | |
367 | #lz4-checksum: no | |
368 | #lz4-level: 0 | |
369 | ||
056f88b4 | 370 | mode: normal # normal, multi or sguil. |
a6854147 JI |
371 | |
372 | # Directory to place pcap files. If not provided the default log | |
373 | # directory will be used. Required for "sguil" mode. | |
374 | #dir: /nsm_data/ | |
375 | ||
056f88b4 VJ |
376 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec |
377 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets | |
378 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. | |
c5ca642a | 379 | |
056f88b4 VJ |
380 | # a full alerts log containing much information for signature writers |
381 | # or for investigating suspected false positives. | |
382 | - alert-debug: | |
383 | enabled: no | |
384 | filename: alert-debug.log | |
385 | append: yes | |
386 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
c5ca642a | 387 | |
3539ae30 | 388 | # alert output to prelude (https://www.prelude-siem.org/) only |
056f88b4 VJ |
389 | # available if Suricata has been compiled with --enable-prelude |
390 | - alert-prelude: | |
391 | enabled: no | |
392 | profile: suricata | |
393 | log-packet-content: no | |
394 | log-packet-header: yes | |
c5ca642a | 395 | |
66b37d86 | 396 | # Stats.log contains data from various counters of the Suricata engine. |
056f88b4 VJ |
397 | - stats: |
398 | enabled: yes | |
399 | filename: stats.log | |
3e868188 | 400 | append: yes # append to file (yes) or overwrite it (no) |
056f88b4 VJ |
401 | totals: yes # stats for all threads merged together |
402 | threads: no # per thread stats | |
403 | #null-values: yes # print counters that have value 0 | |
c5ca642a | 404 | |
056f88b4 VJ |
405 | # a line based alerts log similar to fast.log into syslog |
406 | - syslog: | |
407 | enabled: no | |
408 | # reported identity to syslog. If ommited the program name (usually | |
409 | # suricata) will be used. | |
410 | #identity: "suricata" | |
411 | facility: local5 | |
412 | #level: Info ## possible levels: Emergency, Alert, Critical, | |
413 | ## Error, Warning, Notice, Info, Debug | |
11e6809d | 414 | |
6c2e9ac2 | 415 | # deprecated a line based information for dropped packets in IPS mode |
056f88b4 VJ |
416 | - drop: |
417 | enabled: no | |
6c2e9ac2 JI |
418 | # further options documented at: |
419 | # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets | |
11e6809d | 420 | |
f7c3f301 | 421 | # Output module for storing files on disk. Files are stored in a |
66b37d86 | 422 | # directory names consisting of the first 2 characters of the |
f7c3f301 JI |
423 | # SHA256 of the file. Each file is given its SHA256 as a filename. |
424 | # | |
425 | # When a duplicate file is found, the existing file is touched to | |
426 | # have its timestamps updated. | |
427 | # | |
428 | # Unlike the older filestore, metadata is not written out by default | |
429 | # as each file should already have a "fileinfo" record in the | |
430 | # eve.log. If write-fileinfo is set to yes, the each file will have | |
431 | # one more associated .json files that consists of the fileinfo | |
432 | # record. A fileinfo file will be written for each occurrence of the | |
433 | # file seen using a filename suffix to ensure uniqueness. | |
434 | # | |
435 | # To prune the filestore directory see the "suricatactl filestore | |
436 | # prune" command which can delete files over a certain age. | |
437 | - file-store: | |
438 | version: 2 | |
439 | enabled: no | |
440 | ||
441 | # Set the directory for the filestore. If the path is not | |
442 | # absolute will be be relative to the default-log-dir. | |
443 | #dir: filestore | |
444 | ||
445 | # Write out a fileinfo record for each occurrence of a | |
446 | # file. Disabled by default as each occurrence is already logged | |
447 | # as a fileinfo record to the main eve-log. | |
448 | #write-fileinfo: yes | |
449 | ||
450 | # Force storing of all files. Default: no. | |
451 | #force-filestore: yes | |
452 | ||
453 | # Override the global stream-depth for sessions in which we want | |
454 | # to perform file extraction. Set to 0 for unlimited. | |
455 | #stream-depth: 0 | |
456 | ||
457 | # Uncomment the following variable to define how many files can | |
458 | # remain open for filestore by Suricata. Default value is 0 which | |
459 | # means files get closed after each write | |
460 | #max-open-files: 1000 | |
461 | ||
462 | # Force logging of checksums, available hash functions are md5, | |
463 | # sha1 and sha256. Note that SHA256 is automatically forced by | |
464 | # the use of this output module as it uses the SHA256 as the | |
465 | # file naming scheme. | |
466 | #force-hash: [sha1, md5] | |
2543930d MA |
467 | # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled |
468 | # HTTP X-Forwarded-For support by adding an extra field or overwriting | |
469 | # the source or destination IP address (depending on flow direction) | |
470 | # with the one reported in the X-Forwarded-For HTTP header. This is | |
471 | # helpful when reviewing alerts for traffic that is being reverse | |
472 | # or forward proxied. | |
473 | xff: | |
474 | enabled: no | |
475 | # Two operation modes are available, "extra-data" and "overwrite". | |
476 | mode: extra-data | |
477 | # Two proxy deployments are supported, "reverse" and "forward". In | |
478 | # a "reverse" deployment the IP address used is the last one, in a | |
479 | # "forward" deployment the first IP address is used. | |
480 | deployment: reverse | |
481 | # Header name where the actual IP address will be reported, if more | |
482 | # than one IP address is present, the last IP address will be the | |
483 | # one taken into consideration. | |
484 | header: X-Forwarded-For | |
f7c3f301 | 485 | |
d891a8cb | 486 | # deprecated - file-store v1 |
056f88b4 | 487 | - file-store: |
d891a8cb JI |
488 | enabled: no |
489 | # further options documented at: | |
490 | # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 | |
11e6809d | 491 | |
056f88b4 VJ |
492 | # Log TCP data after stream normalization |
493 | # 2 types: file or dir. File logs into a single logfile. Dir creates | |
494 | # 2 files per TCP session and stores the raw TCP data into them. | |
495 | # Using 'both' will enable both file and dir modes. | |
496 | # | |
be6cdd37 | 497 | # Note: limited by stream.reassembly.depth |
056f88b4 VJ |
498 | - tcp-data: |
499 | enabled: no | |
500 | type: file | |
501 | filename: tcp-data.log | |
502 | ||
503 | # Log HTTP body data after normalization, dechunking and unzipping. | |
504 | # 2 types: file or dir. File logs into a single logfile. Dir creates | |
505 | # 2 files per HTTP session and stores the normalized data into them. | |
506 | # Using 'both' will enable both file and dir modes. | |
507 | # | |
508 | # Note: limited by the body limit settings | |
509 | - http-body-data: | |
510 | enabled: no | |
511 | type: file | |
512 | filename: http-data.log | |
11e6809d | 513 | |
056f88b4 VJ |
514 | # Lua Output Support - execute lua script to generate alert and event |
515 | # output. | |
516 | # Documented at: | |
2e8678a5 | 517 | # https://suricata.readthedocs.io/en/latest/output/lua-output.html |
056f88b4 VJ |
518 | - lua: |
519 | enabled: no | |
520 | #scripts-dir: /etc/suricata/lua-output/ | |
521 | scripts: | |
522 | # - script1.lua | |
11e6809d | 523 | |
cb47c2f6 | 524 | # Logging configuration. This is not about logging IDS alerts/events, but |
056f88b4 VJ |
525 | # output about what Suricata is doing, like startup messages, errors, etc. |
526 | logging: | |
527 | # The default log level, can be overridden in an output section. | |
528 | # Note that debug level logging will only be emitted if Suricata was | |
529 | # compiled with the --enable-debug configure option. | |
530 | # | |
66b37d86 | 531 | # This value is overridden by the SC_LOG_LEVEL env var. |
056f88b4 | 532 | default-log-level: notice |
11e6809d | 533 | |
056f88b4 | 534 | # The default output format. Optional parameter, should default to |
66b37d86 | 535 | # something reasonable if not provided. Can be overridden in an |
056f88b4 VJ |
536 | # output section. You can leave this out to get the default. |
537 | # | |
66b37d86 | 538 | # This value is overridden by the SC_LOG_FORMAT env var. |
056f88b4 | 539 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " |
11e6809d | 540 | |
056f88b4 VJ |
541 | # A regex to filter output. Can be overridden in an output section. |
542 | # Defaults to empty (no filter). | |
543 | # | |
66b37d86 | 544 | # This value is overridden by the SC_LOG_OP_FILTER env var. |
056f88b4 | 545 | default-output-filter: |
11e6809d | 546 | |
056f88b4 VJ |
547 | # Define your logging outputs. If none are defined, or they are all |
548 | # disabled you will get the default - console output. | |
549 | outputs: | |
550 | - console: | |
551 | enabled: yes | |
552 | # type: json | |
553 | - file: | |
554 | enabled: yes | |
4d056912 | 555 | level: info |
d00950be | 556 | filename: suricata.log |
056f88b4 VJ |
557 | # type: json |
558 | - syslog: | |
559 | enabled: no | |
560 | facility: local5 | |
561 | format: "[%i] <%d> -- " | |
562 | # type: json | |
c5ca642a | 563 | |
ea7923cc | 564 | |
056f88b4 | 565 | ## |
df6f9269 VJ |
566 | ## Step 4: configure common capture settings |
567 | ## | |
568 | ## See "Advanced Capture Options" below for more options, including NETMAP | |
569 | ## and PF_RING. | |
056f88b4 | 570 | ## |
c9496688 | 571 | |
df6f9269 | 572 | # Linux high speed capture support |
056f88b4 VJ |
573 | af-packet: |
574 | - interface: eth0 | |
575 | # Number of receive threads. "auto" uses the number of cores | |
576 | #threads: auto | |
cb47c2f6 | 577 | # Default clusterid. AF_PACKET will load balance packets based on flow. |
056f88b4 VJ |
578 | cluster-id: 99 |
579 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. | |
580 | # This is only supported for Linux kernel > 3.1 | |
581 | # possible value are: | |
056f88b4 VJ |
582 | # * cluster_flow: all packets of a given flow are send to the same socket |
583 | # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket | |
584 | # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same | |
585 | # socket. Requires at least Linux 3.14. | |
24806c21 | 586 | # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for |
60265e02 | 587 | # more info. |
056f88b4 VJ |
588 | # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system |
589 | # with capture card using RSS (require cpu affinity tuning and system irq tuning) | |
590 | cluster-type: cluster_flow | |
591 | # In some fragmentation case, the hash can not be computed. If "defrag" is set | |
592 | # to yes, the kernel will do the needed defragmentation before sending the packets. | |
593 | defrag: yes | |
056f88b4 VJ |
594 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes |
595 | #use-mmap: yes | |
66b37d86 | 596 | # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock |
056f88b4 VJ |
597 | # your system |
598 | #mmap-locked: yes | |
050d8f78 EL |
599 | # Use tpacket_v3 capture mode, only active if use-mmap is true |
600 | # Don't use it in IPS or TAP mode as it causes severe latency | |
f7124b11 | 601 | #tpacket-v3: yes |
056f88b4 VJ |
602 | # Ring size will be computed with respect to max_pending_packets and number |
603 | # of threads. You can set manually the ring size in number of packets by setting | |
604 | # the following value. If you are using flow cluster-type and have really network | |
605 | # intensive single-flow you could want to set the ring-size independently of the number | |
606 | # of threads: | |
607 | #ring-size: 2048 | |
608 | # Block size is used by tpacket_v3 only. It should set to a value high enough to contain | |
609 | # a decent number of packets. Size is in bytes so please consider your MTU. It should be | |
610 | # a power of 2 and it must be multiple of page size (usually 4096). | |
611 | #block-size: 32768 | |
612 | # tpacket_v3 block timeout: an open block is passed to userspace if it is not | |
613 | # filled after block-timeout milliseconds. | |
614 | #block-timeout: 10 | |
615 | # On busy system, this could help to set it to yes to recover from a packet drop | |
616 | # phase. This will result in some packets (at max a ring flush) being non treated. | |
617 | #use-emergency-flush: yes | |
618 | # recv buffer size, increase value could improve performance | |
619 | # buffer-size: 32768 | |
620 | # Set to yes to disable promiscuous mode | |
621 | # disable-promisc: no | |
622 | # Choose checksum verification mode for the interface. At the moment | |
623 | # of the capture, some packets may be with an invalid checksum due to | |
624 | # offloading to the network card of the checksum computation. | |
625 | # Possible values are: | |
626 | # - kernel: use indication sent by kernel for each packet (default) | |
627 | # - yes: checksum validation is forced | |
628 | # - no: checksum validation is disabled | |
629 | # - auto: suricata uses a statistical approach to detect when | |
630 | # checksum off-loading is used. | |
631 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
632 | #checksum-checks: kernel | |
633 | # BPF filter to apply to this interface. The pcap filter syntax apply here. | |
634 | #bpf-filter: port 80 or udp | |
635 | # You can use the following variables to activate AF_PACKET tap or IPS mode. | |
636 | # If copy-mode is set to ips or tap, the traffic coming to the current | |
637 | # interface will be copied to the copy-iface interface. If 'tap' is set, the | |
638 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action | |
639 | # will not be copied. | |
640 | #copy-mode: ips | |
641 | #copy-iface: eth1 | |
60265e02 | 642 | # For eBPF and XDP setup including bypass, filter and load balancing, please |
4e94c2b8 | 643 | # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. |
7142fdb7 | 644 | |
056f88b4 VJ |
645 | # Put default values here. These will be used for an interface that is not |
646 | # in the list above. | |
647 | - interface: default | |
648 | #threads: auto | |
649 | #use-mmap: no | |
f7124b11 | 650 | #tpacket-v3: yes |
229f7281 | 651 | |
df6f9269 | 652 | # Cross platform libpcap capture support |
056f88b4 VJ |
653 | pcap: |
654 | - interface: eth0 | |
655 | # On Linux, pcap will try to use mmaped capture and will use buffer-size | |
656 | # as total of memory used by the ring. So set this to something bigger | |
657 | # than 1% of your bandwidth. | |
658 | #buffer-size: 16777216 | |
659 | #bpf-filter: "tcp and port 25" | |
660 | # Choose checksum verification mode for the interface. At the moment | |
661 | # of the capture, some packets may be with an invalid checksum due to | |
662 | # offloading to the network card of the checksum computation. | |
663 | # Possible values are: | |
664 | # - yes: checksum validation is forced | |
665 | # - no: checksum validation is disabled | |
66b37d86 | 666 | # - auto: Suricata uses a statistical approach to detect when |
056f88b4 VJ |
667 | # checksum off-loading is used. (default) |
668 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
669 | #checksum-checks: auto | |
670 | # With some accelerator cards using a modified libpcap (like myricom), you | |
671 | # may want to have the same number of capture threads as the number of capture | |
672 | # rings. In this case, set up the threads variable to N to start N threads | |
673 | # listening on the same interface. | |
674 | #threads: 16 | |
675 | # set to no to disable promiscuous mode: | |
676 | #promisc: no | |
677 | # set snaplen, if not set it defaults to MTU if MTU can be known | |
678 | # via ioctl call and to full capture if not. | |
679 | #snaplen: 1518 | |
680 | # Put default values here | |
681 | - interface: default | |
682 | #checksum-checks: auto | |
4e417b72 | 683 | |
df6f9269 | 684 | # Settings for reading pcap files |
056f88b4 VJ |
685 | pcap-file: |
686 | # Possible values are: | |
687 | # - yes: checksum validation is forced | |
688 | # - no: checksum validation is disabled | |
66b37d86 | 689 | # - auto: Suricata uses a statistical approach to detect when |
056f88b4 VJ |
690 | # checksum off-loading is used. (default) |
691 | # Warning: 'checksum-validation' must be set to yes to have checksum tested | |
692 | checksum-checks: auto | |
6cf7da30 | 693 | |
cb47c2f6 VJ |
694 | # See "Advanced Capture Options" below for more options, including NETMAP |
695 | # and PF_RING. | |
696 | ||
ea7923cc | 697 | |
056f88b4 VJ |
698 | ## |
699 | ## Step 5: App Layer Protocol Configuration | |
700 | ## | |
e802e1ed | 701 | |
056f88b4 VJ |
702 | # Configure the app-layer parsers. The protocols section details each |
703 | # protocol. | |
704 | # | |
705 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | |
706 | # "yes" enables both detection and the parser, "no" disables both, and | |
707 | # "detection-only" enables protocol detection only (parser disabled). | |
708 | app-layer: | |
709 | protocols: | |
77f0c11c | 710 | krb5: |
fc3191dc | 711 | enabled: yes |
2df840a8 PC |
712 | snmp: |
713 | enabled: yes | |
c99b9462 PC |
714 | ikev2: |
715 | enabled: yes | |
056f88b4 VJ |
716 | tls: |
717 | enabled: yes | |
718 | detection-ports: | |
719 | dp: 443 | |
c91a4baa | 720 | |
788c9f8f VJ |
721 | # Generate JA3 fingerprint from client hello. If not specified it |
722 | # will be disabled by default, but enabled if rules require it. | |
514c7c1a | 723 | #ja3-fingerprints: auto |
0c16cd01 | 724 | |
693a3df0 VJ |
725 | # What to do when the encrypted communications start: |
726 | # - default: keep tracking TLS session, check for protocol anomalies, | |
727 | # inspect tls_* keywords. Disables inspection of unmodified | |
728 | # 'content' signatures. | |
729 | # - bypass: stop processing this flow as much as possible. No further | |
730 | # TLS parsing and inspection. Offload flow bypass to kernel | |
731 | # or hardware if possible. | |
732 | # - full: keep tracking and inspection as normal. Unmodified content | |
733 | # keyword signatures are inspected as well. | |
734 | # | |
735 | # For best performance, select 'bypass'. | |
736 | # | |
abe2836c | 737 | #encryption-handling: default |
693a3df0 | 738 | |
056f88b4 VJ |
739 | dcerpc: |
740 | enabled: yes | |
741 | ftp: | |
742 | enabled: yes | |
711b6fb3 | 743 | # memcap: 64mb |
664605b5 | 744 | # RDP, disabled by default. |
caef8b5b | 745 | rdp: |
664605b5 | 746 | #enabled: no |
056f88b4 VJ |
747 | ssh: |
748 | enabled: yes | |
749 | smtp: | |
750 | enabled: yes | |
46973511 | 751 | raw-extraction: no |
056f88b4 VJ |
752 | # Configure SMTP-MIME Decoder |
753 | mime: | |
754 | # Decode MIME messages from SMTP transactions | |
755 | # (may be resource intensive) | |
756 | # This field supercedes all others because it turns the entire | |
757 | # process on or off | |
758 | decode-mime: yes | |
20a8b9db | 759 | |
056f88b4 VJ |
760 | # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) |
761 | decode-base64: yes | |
762 | decode-quoted-printable: yes | |
a95c95f7 | 763 | |
056f88b4 VJ |
764 | # Maximum bytes per header data value stored in the data structure |
765 | # (default is 2000) | |
766 | header-value-depth: 2000 | |
844c444a | 767 | |
056f88b4 VJ |
768 | # Extract URLs and save in state data structure |
769 | extract-urls: yes | |
770 | # Set to yes to compute the md5 of the mail body. You will then | |
771 | # be able to journalize it. | |
772 | body-md5: no | |
773 | # Configure inspected-tracker for file_data keyword | |
774 | inspected-tracker: | |
775 | content-limit: 100000 | |
776 | content-inspect-min-size: 32768 | |
777 | content-inspect-window: 4096 | |
778 | imap: | |
779 | enabled: detection-only | |
056f88b4 | 780 | smb: |
844c444a | 781 | enabled: yes |
056f88b4 | 782 | detection-ports: |
15f4144e | 783 | dp: 139, 445 |
0b46d027 VJ |
784 | |
785 | # Stream reassembly size for SMB streams. By default track it completely. | |
786 | #stream-depth: 0 | |
787 | ||
9dab3ec7 | 788 | nfs: |
fc3191dc | 789 | enabled: yes |
80f2fbac | 790 | tftp: |
fc3191dc | 791 | enabled: yes |
056f88b4 VJ |
792 | dns: |
793 | # memcaps. Globally and per flow/state. | |
794 | #global-memcap: 16mb | |
795 | #state-memcap: 512kb | |
4e04cd2d | 796 | |
056f88b4 VJ |
797 | # How many unreplied DNS requests are considered a flood. |
798 | # If the limit is reached, app-layer-event:dns.flooded; will match. | |
799 | #request-flood: 500 | |
d1b0a5aa | 800 | |
056f88b4 VJ |
801 | tcp: |
802 | enabled: yes | |
803 | detection-ports: | |
804 | dp: 53 | |
805 | udp: | |
806 | enabled: yes | |
807 | detection-ports: | |
808 | dp: 53 | |
809 | http: | |
810 | enabled: yes | |
69216086 PA |
811 | # memcap: Maximum memory capacity for http |
812 | # Default is unlimited, value can be such as 64mb | |
1dd6d7a1 | 813 | |
056f88b4 VJ |
814 | # default-config: Used when no server-config matches |
815 | # personality: List of personalities used by default | |
816 | # request-body-limit: Limit reassembly of request body for inspection | |
817 | # by http_client_body & pcre /P option. | |
818 | # response-body-limit: Limit reassembly of response body for inspection | |
819 | # by file_data, http_server_body & pcre /Q option. | |
056f88b4 | 820 | # |
69216086 PA |
821 | # For advanced options, see the user guide |
822 | ||
823 | ||
056f88b4 | 824 | # server-config: List of server configurations to use if address matches |
66b37d86 | 825 | # address: List of IP addresses or networks for this block |
056f88b4 | 826 | # personalitiy: List of personalities used by this block |
056f88b4 | 827 | # |
69216086 | 828 | # Then, all the fields from default-config can be overloaded |
056f88b4 VJ |
829 | # |
830 | # Currently Available Personalities: | |
831 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, | |
832 | # IIS_7_0, IIS_7_5, Apache_2 | |
833 | libhtp: | |
834 | default-config: | |
835 | personality: IDS | |
844c444a | 836 | |
056f88b4 VJ |
837 | # Can be specified in kb, mb, gb. Just a number indicates |
838 | # it's in bytes. | |
839 | request-body-limit: 100kb | |
840 | response-body-limit: 100kb | |
fbdf1baf | 841 | |
056f88b4 VJ |
842 | # inspection limits |
843 | request-body-minimal-inspect-size: 32kb | |
844 | request-body-inspect-window: 4kb | |
845 | response-body-minimal-inspect-size: 40kb | |
846 | response-body-inspect-window: 16kb | |
bf0ebcbe | 847 | |
5ec885e4 VJ |
848 | # response body decompression (0 disables) |
849 | response-body-decompress-layer-limit: 2 | |
850 | ||
056f88b4 VJ |
851 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically |
852 | http-body-inline: auto | |
dcbbda50 | 853 | |
d0f92e2a GL |
854 | # Decompress SWF files. |
855 | # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma | |
856 | # compress-depth: | |
857 | # Specifies the maximum amount of data to decompress, | |
858 | # set 0 for unlimited. | |
859 | # decompress-depth: | |
860 | # Specifies the maximum amount of decompressed data to obtain, | |
861 | # set 0 for unlimited. | |
862 | swf-decompression: | |
863 | enabled: yes | |
864 | type: both | |
865 | compress-depth: 0 | |
866 | decompress-depth: 0 | |
867 | ||
056f88b4 VJ |
868 | # Take a random value for inspection sizes around the specified value. |
869 | # This lower the risk of some evasion technics but could lead | |
870 | # detection change between runs. It is set to 'yes' by default. | |
871 | #randomize-inspection-sizes: yes | |
872 | # If randomize-inspection-sizes is active, the value of various | |
873 | # inspection size will be choosen in the [1 - range%, 1 + range%] | |
874 | # range | |
875 | # Default value of randomize-inspection-range is 10. | |
876 | #randomize-inspection-range: 10 | |
877 | ||
878 | # decoding | |
879 | double-decode-path: no | |
880 | double-decode-query: no | |
a28ec799 | 881 | |
69216086 | 882 | # Can disable LZMA decompression |
af4f8162 | 883 | #lzma-enabled: yes |
69216086 PA |
884 | # Memory limit usage for LZMA decompression dictionary |
885 | # Data is decompressed until dictionary reaches this size | |
e4156b2f | 886 | #lzma-memlimit: 1mb |
69216086 PA |
887 | # Maximum decompressed size with a compression ratio |
888 | # above 2048 (only LZMA can reach this ratio, deflate cannot) | |
e4156b2f | 889 | #compression-bomb-limit: 1mb |
61a6eaf3 | 890 | |
056f88b4 | 891 | server-config: |
844c444a | 892 | |
056f88b4 VJ |
893 | #- apache: |
894 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] | |
895 | # personality: Apache_2 | |
896 | # # Can be specified in kb, mb, gb. Just a number indicates | |
897 | # # it's in bytes. | |
898 | # request-body-limit: 4096 | |
899 | # response-body-limit: 4096 | |
900 | # double-decode-path: no | |
901 | # double-decode-query: no | |
4db0a35f | 902 | |
056f88b4 VJ |
903 | #- iis7: |
904 | # address: | |
905 | # - 192.168.0.0/24 | |
906 | # - 192.168.10.0/24 | |
907 | # personality: IIS_7_0 | |
908 | # # Can be specified in kb, mb, gb. Just a number indicates | |
909 | # # it's in bytes. | |
910 | # request-body-limit: 4096 | |
911 | # response-body-limit: 4096 | |
912 | # double-decode-path: no | |
913 | # double-decode-query: no | |
050f36ea | 914 | |
39733631 VJ |
915 | # Note: Modbus probe parser is minimalist due to the poor significant field |
916 | # Only Modbus message length (greater than Modbus header length) | |
917 | # And Protocol ID (equal to 0) are checked in probing parser | |
918 | # It is important to enable detection port and define Modbus port | |
919 | # to avoid false positive | |
920 | modbus: | |
921 | # How many unreplied Modbus requests are considered a flood. | |
922 | # If the limit is reached, app-layer-event:modbus.flooded; will match. | |
923 | #request-flood: 500 | |
924 | ||
925 | enabled: no | |
926 | detection-ports: | |
927 | dp: 502 | |
928 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it | |
929 | # is recommended to keep the TCP connection opened with a remote device | |
930 | # and not to open and close it for each MODBUS/TCP transaction. In that | |
931 | # case, it is important to set the depth of the stream reassembling as | |
932 | # unlimited (stream.reassembly.depth: 0) | |
933 | ||
934 | # Stream reassembly size for modbus. By default track it completely. | |
935 | stream-depth: 0 | |
936 | ||
937 | # DNP3 | |
938 | dnp3: | |
939 | enabled: no | |
940 | detection-ports: | |
941 | dp: 20000 | |
942 | ||
050f36ea | 943 | # SCADA EtherNet/IP and CIP protocol support |
a3ffebd8 | 944 | enip: |
945 | enabled: no | |
b2315589 VJ |
946 | detection-ports: |
947 | dp: 44818 | |
948 | sp: 44818 | |
efdf96cc | 949 | |
9dab3ec7 | 950 | ntp: |
fc3191dc | 951 | enabled: yes |
9dab3ec7 | 952 | |
9210d874 | 953 | dhcp: |
fc3191dc | 954 | enabled: yes |
9210d874 | 955 | |
a45a2fa1 | 956 | # SIP, disabled by default. |
2e975a04 | 957 | sip: |
a45a2fa1 | 958 | #enabled: no |
2e975a04 | 959 | |
6d7b4c81 VJ |
960 | # Limit for the maximum number of asn1 frames to decode (default 256) |
961 | asn1-max-frames: 256 | |
962 | ||
8e01cba8 | 963 | |
056f88b4 VJ |
964 | ############################################################################## |
965 | ## | |
966 | ## Advanced settings below | |
967 | ## | |
968 | ############################################################################## | |
f1e3d636 | 969 | |
056f88b4 VJ |
970 | ## |
971 | ## Run Options | |
972 | ## | |
3b3f5816 | 973 | |
056f88b4 VJ |
974 | # Run suricata as user and group. |
975 | #run-as: | |
976 | # user: suri | |
977 | # group: suri | |
f1e3d636 | 978 | |
056f88b4 VJ |
979 | # Some logging module will use that name in event as identifier. The default |
980 | # value is the hostname | |
981 | #sensor-name: suricata | |
bc7e21ae | 982 | |
95a781d4 JI |
983 | # Default location of the pid file. The pid file is only used in |
984 | # daemon mode (start Suricata with -D). If not running in daemon mode | |
985 | # the --pidfile command line option must be used to create a pid file. | |
056f88b4 | 986 | #pid-file: @e_rundir@suricata.pid |
844c444a | 987 | |
056f88b4 VJ |
988 | # Daemon working directory |
989 | # Suricata will change directory to this one if provided | |
990 | # Default: "/" | |
991 | #daemon-directory: "/" | |
4515ae13 | 992 | |
c130820b MK |
993 | # Umask. |
994 | # Suricata will use this umask if it is provided. By default it will use the | |
995 | # umask passed on by the shell. | |
996 | #umask: 022 | |
997 | ||
056f88b4 VJ |
998 | # Suricata core dump configuration. Limits the size of the core dump file to |
999 | # approximately max-dump. The actual core dump size will be a multiple of the | |
1000 | # page size. Core dumps that would be larger than max-dump are truncated. On | |
1001 | # Linux, the actual core dump size may be a few pages larger than max-dump. | |
1002 | # Setting max-dump to 0 disables core dumping. | |
1003 | # Setting max-dump to 'unlimited' will give the full core dump file. | |
1004 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | |
1005 | # to be 'unlimited'. | |
ba18110a | 1006 | |
056f88b4 VJ |
1007 | coredump: |
1008 | max-dump: unlimited | |
801f92f7 | 1009 | |
66b37d86 | 1010 | # If Suricata box is a router for the sniffed networks, set it to 'router'. If |
8fae138d VJ |
1011 | # it is a pure sniffing setup, set it to 'sniffer-only'. |
1012 | # If set to auto, the variable is internally switch to 'router' in IPS mode | |
1013 | # and 'sniffer-only' in IDS mode. | |
1014 | # This feature is currently only used by the reject* keywords. | |
1015 | host-mode: auto | |
2197f1a6 | 1016 | |
056f88b4 VJ |
1017 | # Number of packets preallocated per thread. The default is 1024. A higher number |
1018 | # will make sure each CPU will be more easily kept busy, but may negatively | |
1019 | # impact caching. | |
056f88b4 | 1020 | #max-pending-packets: 1024 |
cd78705e | 1021 | |
056f88b4 | 1022 | # Runmode the engine should use. Please check --list-runmodes to get the available |
514c7c1a VJ |
1023 | # runmodes for each packet acquisition method. Default depends on selected capture |
1024 | # method. 'workers' generally gives best performance. | |
056f88b4 | 1025 | #runmode: autofp |
cd78705e | 1026 | |
056f88b4 VJ |
1027 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. |
1028 | # | |
1029 | # Supported schedulers are: | |
1030 | # | |
cec80670 VJ |
1031 | # hash - Flow assigned to threads using the 5-7 tuple hash. |
1032 | # ippair - Flow assigned to threads using addresses only. | |
056f88b4 | 1033 | # |
cec80670 | 1034 | #autofp-scheduler: hash |
056f88b4 | 1035 | |
056f88b4 VJ |
1036 | # Preallocated size for packet. Default is 1514 which is the classical |
1037 | # size for pcap on ethernet. You should adjust this value to the highest | |
1038 | # packet size (MTU + hardware header) on your system. | |
1039 | #default-packet-size: 1514 | |
1040 | ||
66b37d86 EL |
1041 | # Unix command socket can be used to pass commands to Suricata. |
1042 | # An external tool can then connect to get information from Suricata | |
056f88b4 | 1043 | # or trigger some modifications of the engine. Set enabled to yes |
f2d1e93e EL |
1044 | # to activate the feature. In auto mode, the feature will only be |
1045 | # activated in live capture mode. You can use the filename variable to set | |
056f88b4 VJ |
1046 | # the file name of the socket. |
1047 | unix-command: | |
f2d1e93e | 1048 | enabled: auto |
056f88b4 | 1049 | #filename: custom.socket |
936db9c0 | 1050 | |
a5563389 VJ |
1051 | # Magic file. The extension .mgc is added to the value here. |
1052 | #magic-file: /usr/share/file/magic | |
15c98c60 | 1053 | @e_magic_file_comment@magic-file: @e_magic_file@ |
a5563389 | 1054 | |
a291209e BM |
1055 | # GeoIP2 database file. Specify path and filename of GeoIP2 database |
1056 | # if using rules with "geoip" rule option. | |
1057 | #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb | |
1058 | ||
45ff67a2 AS |
1059 | legacy: |
1060 | uricontent: enabled | |
1061 | ||
a6a69f00 VJ |
1062 | ## |
1063 | ## Detection settings | |
1064 | ## | |
1065 | ||
66b37d86 | 1066 | # Set the order of alerts based on actions |
a6a69f00 VJ |
1067 | # The default order is pass, drop, reject, alert |
1068 | # action-order: | |
1069 | # - pass | |
1070 | # - drop | |
1071 | # - reject | |
1072 | # - alert | |
1073 | ||
1074 | # IP Reputation | |
1075 | #reputation-categories-file: @e_sysconfdir@iprep/categories.txt | |
1076 | #default-reputation-path: @e_sysconfdir@iprep | |
1077 | #reputation-files: | |
1078 | # - reputation.list | |
1079 | ||
6d7b4c81 VJ |
1080 | # When run with the option --engine-analysis, the engine will read each of |
1081 | # the parameters below, and print reports for each of the enabled sections | |
1082 | # and exit. The reports are printed to a file in the default log dir | |
1083 | # given by the parameter "default-log-dir", with engine reporting | |
1084 | # subsection below printing reports in its own report file. | |
1085 | engine-analysis: | |
1086 | # enables printing reports for fast-pattern for every rule. | |
1087 | rules-fast-pattern: yes | |
1088 | # enables printing reports for each rule | |
1089 | rules: yes | |
1090 | ||
1091 | #recursion and match limits for PCRE where supported | |
1092 | pcre: | |
1093 | match-limit: 3500 | |
1094 | match-limit-recursion: 1500 | |
1095 | ||
a6a69f00 VJ |
1096 | ## |
1097 | ## Advanced Traffic Tracking and Reconstruction Settings | |
1098 | ## | |
7ba9dbe3 | 1099 | |
6d7b4c81 | 1100 | # Host specific policies for defragmentation and TCP stream |
cb47c2f6 | 1101 | # reassembly. The host OS lookup is done using a radix tree, just |
6d7b4c81 VJ |
1102 | # like a routing table so the most specific entry matches. |
1103 | host-os-policy: | |
1104 | # Make the default policy windows. | |
1105 | windows: [0.0.0.0/0] | |
1106 | bsd: [] | |
1107 | bsd-right: [] | |
1108 | old-linux: [] | |
cb47c2f6 | 1109 | linux: [] |
6d7b4c81 | 1110 | old-solaris: [] |
cb47c2f6 | 1111 | solaris: [] |
6d7b4c81 VJ |
1112 | hpux10: [] |
1113 | hpux11: [] | |
1114 | irix: [] | |
1115 | macos: [] | |
1116 | vista: [] | |
1117 | windows2k3: [] | |
1118 | ||
8d1fe9f2 VJ |
1119 | # Defrag settings: |
1120 | ||
1121 | defrag: | |
7a044a99 VJ |
1122 | memcap: 32mb |
1123 | hash-size: 65536 | |
b1b4cd27 | 1124 | trackers: 65535 # number of defragmented flows to follow |
6475f99b | 1125 | max-frags: 65535 # number of fragments to keep (higher than trackers) |
8d1fe9f2 VJ |
1126 | prealloc: yes |
1127 | timeout: 60 | |
1128 | ||
ae939398 GL |
1129 | # Enable defrag per host settings |
1130 | # host-config: | |
1131 | # | |
1132 | # - dmz: | |
1133 | # timeout: 30 | |
1134 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] | |
1135 | # | |
1136 | # - lan: | |
1137 | # timeout: 45 | |
1138 | # address: | |
1139 | # - 192.168.0.0/24 | |
1140 | # - 192.168.10.0/24 | |
1141 | # - 172.16.14.0/24 | |
1142 | ||
5592189c PR |
1143 | # Flow settings: |
1144 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | |
1145 | # for flow allocation inside the engine. You can change this value to allow | |
1146 | # more memory usage for flows. | |
a67d78ed | 1147 | # The hash-size determine the size of the hash used to identify flows inside |
5592189c PR |
1148 | # the engine, and by default the value is 65536. |
1149 | # At the startup, the engine can preallocate a number of flows, to get a better | |
1150 | # performance. The number of flows preallocated is 10000 by default. | |
a67d78ed | 1151 | # emergency-recovery is the percentage of flows that the engine need to |
4775f67b PR |
1152 | # prune before unsetting the emergency state. The emergency state is activated |
1153 | # when the memcap limit is reached, allowing to create new flows, but | |
66b37d86 | 1154 | # pruning them with the emergency timeouts (they are defined below). |
a5587fec | 1155 | # If the memcap is reached, the engine will try to prune flows |
66b37d86 EL |
1156 | # with the default timeouts. If it doesn't find a flow to prune, it will set |
1157 | # the emergency bit and it will try again with more aggressive timeouts. | |
4775f67b PR |
1158 | # If that doesn't work, then it will try to kill the last time seen flows |
1159 | # not in use. | |
52b37fef AS |
1160 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's |
1161 | # in bytes. | |
5592189c PR |
1162 | |
1163 | flow: | |
cb47c2f6 | 1164 | memcap: 128mb |
a67d78ed | 1165 | hash-size: 65536 |
5592189c | 1166 | prealloc: 10000 |
a67d78ed | 1167 | emergency-recovery: 30 |
e0841218 | 1168 | #managers: 1 # default to one flow manager |
0ac94ef7 | 1169 | #recyclers: 1 # default to one flow recycler thread |
5592189c | 1170 | |
2953b3f6 JI |
1171 | # This option controls the use of vlan ids in the flow (and defrag) |
1172 | # hashing. Normally this should be enabled, but in some (broken) | |
1173 | # setups where both sides of a flow are not tagged with the same vlan | |
1174 | # tag, we can ignore the vlan id's in the flow hashing. | |
16c34874 VJ |
1175 | vlan: |
1176 | use-for-tracking: true | |
1177 | ||
5592189c PR |
1178 | # Specific timeouts for flows. Here you can specify the timeouts that the |
1179 | # active flows will wait to transit from the current state to another, on each | |
66b37d86 | 1180 | # protocol. The value of "new" determine the seconds to wait after a handshake or |
5592189c PR |
1181 | # stream startup before the engine free the data of that flow it doesn't |
1182 | # change the state to established (usually if we don't receive more packets | |
1183 | # of that flow). The value of "established" is the amount of | |
1184 | # seconds that the engine will wait to free the flow if it spend that amount | |
1185 | # without receiving new packets or closing the connection. "closed" is the | |
e6bac998 GL |
1186 | # amount of time to wait after a flow is closed (usually zero). "bypassed" |
1187 | # timeout controls locally bypassed flows. For these flows we don't do any other | |
1188 | # tracking. If no packets have been seen after this timeout, the flow is discarded. | |
5592189c PR |
1189 | # |
1190 | # There's an emergency mode that will become active under attack circumstances, | |
1191 | # making the engine to check flow status faster. This configuration variables | |
a67d78ed | 1192 | # use the prefix "emergency-" and work similar as the normal ones. |
5592189c PR |
1193 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and |
1194 | # icmp. | |
1195 | ||
1196 | flow-timeouts: | |
1197 | ||
00974d15 JI |
1198 | default: |
1199 | new: 30 | |
1200 | established: 300 | |
1201 | closed: 0 | |
e6bac998 | 1202 | bypassed: 100 |
a67d78ed ND |
1203 | emergency-new: 10 |
1204 | emergency-established: 100 | |
1205 | emergency-closed: 0 | |
e6bac998 | 1206 | emergency-bypassed: 50 |
00974d15 JI |
1207 | tcp: |
1208 | new: 60 | |
cb47c2f6 VJ |
1209 | established: 600 |
1210 | closed: 60 | |
e6bac998 | 1211 | bypassed: 100 |
cb47c2f6 VJ |
1212 | emergency-new: 5 |
1213 | emergency-established: 100 | |
1214 | emergency-closed: 10 | |
e6bac998 | 1215 | emergency-bypassed: 50 |
00974d15 JI |
1216 | udp: |
1217 | new: 30 | |
1218 | established: 300 | |
e6bac998 | 1219 | bypassed: 100 |
a67d78ed ND |
1220 | emergency-new: 10 |
1221 | emergency-established: 100 | |
e6bac998 | 1222 | emergency-bypassed: 50 |
00974d15 JI |
1223 | icmp: |
1224 | new: 30 | |
1225 | established: 300 | |
e6bac998 | 1226 | bypassed: 100 |
a67d78ed ND |
1227 | emergency-new: 10 |
1228 | emergency-established: 100 | |
e6bac998 | 1229 | emergency-bypassed: 50 |
5592189c | 1230 | |
a9ffd821 | 1231 | # Stream engine settings. Here the TCP stream tracking and reassembly |
875184a4 VJ |
1232 | # engine is configured. |
1233 | # | |
6a53ab9c | 1234 | # stream: |
52b37fef AS |
1235 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a |
1236 | # # number indicates it's in bytes. | |
a67d78ed | 1237 | # checksum-validation: yes # To validate the checksum of received |
d00c6172 VJ |
1238 | # # packet. If csum validation is specified as |
1239 | # # "yes", then packet with invalid csum will not | |
1240 | # # be processed by the engine stream/app layer. | |
66b37d86 | 1241 | # # Warning: locally generated traffic can be |
d00c6172 | 1242 | # # generated without checksum due to hardware offload |
279b8b40 | 1243 | # # of checksum. You can control the handling of checksum |
4c6463f3 VJ |
1244 | # # on a per-interface basis via the 'checksum-checks' |
1245 | # # option | |
aa449d51 | 1246 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread |
875184a4 | 1247 | # midstream: false # don't allow midstream session pickups |
a67d78ed | 1248 | # async-oneside: false # don't enable async stream handling |
d00c6172 | 1249 | # inline: no # stream inline mode |
ea9b9b50 | 1250 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine |
4c6463f3 | 1251 | # max-synack-queued: 5 # Max different SYN/ACKs to queue |
be6cdd37 | 1252 | # bypass: no # Bypass packets when stream.reassembly.depth is reached. |
d5009c5d VJ |
1253 | # # Warning: first side to reach this triggers |
1254 | # # the bypass. | |
d00c6172 | 1255 | # |
8b0ca4f6 | 1256 | # reassembly: |
52b37fef AS |
1257 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number |
1258 | # # indicates it's in bytes. | |
1259 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number | |
1260 | # # indicates it's in bytes. | |
a67d78ed | 1261 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least |
52b37fef AS |
1262 | # # this size. Can be specified in kb, mb, |
1263 | # # gb. Just a number indicates it's in bytes. | |
a67d78ed | 1264 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least |
52b37fef AS |
1265 | # # this size. Can be specified in kb, mb, |
1266 | # # gb. Just a number indicates it's in bytes. | |
9b235b3d EL |
1267 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. |
1268 | # # This lower the risk of some evasion technics but could lead | |
1269 | # # detection change between runs. It is set to 'yes' by default. | |
1270 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is | |
5cee70f9 AH |
1271 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size |
1272 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same | |
1273 | # # calculation for toclient-chunk-size. | |
1274 | # # Default value of randomize-chunk-range is 10. | |
0032ad34 VJ |
1275 | # |
1276 | # raw: yes # 'Raw' reassembly enabled or disabled. | |
1277 | # # raw is for content inspection by detection | |
1278 | # # engine. | |
1279 | # | |
80731232 VJ |
1280 | # segment-prealloc: 2048 # number of segments preallocated per thread |
1281 | # | |
91f57200 VJ |
1282 | # check-overlap-different-data: true|false |
1283 | # # check if a segment contains different data | |
1284 | # # than what we've already seen for that | |
1285 | # # position in the stream. | |
1286 | # # This is enabled automatically if inline mode | |
1287 | # # is used or when stream-event:reassembly_overlap_different_data; | |
1288 | # # is used in a rule. | |
0032ad34 | 1289 | # |
6a53ab9c | 1290 | stream: |
cb47c2f6 | 1291 | memcap: 64mb |
a67d78ed | 1292 | checksum-validation: yes # reject wrong csums |
b1296753 | 1293 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically |
8b0ca4f6 | 1294 | reassembly: |
cb47c2f6 | 1295 | memcap: 256mb |
52b37fef | 1296 | depth: 1mb # reassemble 1mb into a stream |
a67d78ed | 1297 | toserver-chunk-size: 2560 |
0fc878b3 | 1298 | toclient-chunk-size: 2560 |
9b235b3d EL |
1299 | randomize-chunk-size: yes |
1300 | #randomize-chunk-range: 10 | |
0032ad34 | 1301 | #raw: yes |
80731232 | 1302 | #segment-prealloc: 2048 |
91f57200 | 1303 | #check-overlap-different-data: true |
6a53ab9c | 1304 | |
ba4613ae VJ |
1305 | # Host table: |
1306 | # | |
1307 | # Host table is used by tagging and per host thresholding subsystems. | |
1308 | # | |
1309 | host: | |
1310 | hash-size: 4096 | |
1311 | prealloc: 1000 | |
cb47c2f6 | 1312 | memcap: 32mb |
ba4613ae | 1313 | |
7281ae6e VJ |
1314 | # IP Pair table: |
1315 | # | |
1316 | # Used by xbits 'ippair' tracking. | |
1317 | # | |
1318 | #ippair: | |
1319 | # hash-size: 4096 | |
1320 | # prealloc: 1000 | |
cb47c2f6 VJ |
1321 | # memcap: 32mb |
1322 | ||
62b6f9fe VJ |
1323 | # Decoder settings |
1324 | ||
1325 | decoder: | |
1326 | # Teredo decoder is known to not be completely accurate | |
82de6e06 | 1327 | # as it will sometimes detect non-teredo as teredo. |
62b6f9fe VJ |
1328 | teredo: |
1329 | enabled: true | |
82de6e06 VJ |
1330 | # VXLAN decoder is assigned to up to 4 UDP ports. By default only the |
1331 | # IANA assigned port 4789 is enabled. | |
1332 | vxlan: | |
1333 | enabled: true | |
1334 | ports: $VXLAN_PORTS # syntax: '8472, 4789' | |
62b6f9fe | 1335 | |
7281ae6e | 1336 | |
ea7923cc VJ |
1337 | ## |
1338 | ## Performance tuning and profiling | |
1339 | ## | |
1340 | ||
1341 | # The detection engine builds internal groups of signatures. The engine | |
1342 | # allow us to specify the profile to use for them, to manage memory on an | |
1343 | # efficient way keeping a good performance. For the profile keyword you | |
1344 | # can use the words "low", "medium", "high" or "custom". If you use custom | |
1345 | # make sure to define the values at "- custom-values" as your convenience. | |
1346 | # Usually you would prefer medium/high/low. | |
1347 | # | |
1348 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | |
1349 | # the signature groups. "single" indicates the use of a single context for | |
1350 | # all the signature group heads. "full" indicates a mpm-context for each | |
1351 | # group head. "auto" lets the engine decide the distribution of contexts | |
1352 | # based on the information the engine gathers on the patterns from each | |
1353 | # group head. | |
1354 | # | |
1355 | # The option inspection-recursion-limit is used to limit the recursive calls | |
1356 | # in the content inspection code. For certain payload-sig combinations, we | |
1357 | # might end up taking too much time in the content inspection code. | |
1358 | # If the argument specified is 0, the engine uses an internally defined | |
1359 | # default limit. On not specifying a value, we use no limits on the recursion. | |
1360 | detect: | |
1361 | profile: medium | |
1362 | custom-values: | |
1363 | toclient-groups: 3 | |
1364 | toserver-groups: 25 | |
1365 | sgh-mpm-context: auto | |
1366 | inspection-recursion-limit: 3000 | |
1367 | # If set to yes, the loading of signatures will be made after the capture | |
1368 | # is started. This will limit the downtime in IPS mode. | |
1369 | #delayed-detect: yes | |
1370 | ||
12560387 VJ |
1371 | prefilter: |
1372 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern | |
1373 | # engines. "auto" also sets up prefilter engines for other keywords. | |
1374 | # Use --list-keywords=all to see which keywords support prefiltering. | |
1375 | default: mpm | |
1376 | ||
ea7923cc VJ |
1377 | # the grouping values above control how many groups are created per |
1378 | # direction. Port whitelisting forces that port to get it's own group. | |
1379 | # Very common ports will benefit, as well as ports with many expensive | |
1380 | # rules. | |
1381 | grouping: | |
1382 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 | |
1383 | #udp-whitelist: 53, 135, 5060 | |
1384 | ||
1385 | profiling: | |
1386 | # Log the rules that made it past the prefilter stage, per packet | |
1387 | # default is off. The threshold setting determines how many rules | |
1388 | # must have made it past pre-filter for that rule to trigger the | |
1389 | # logging. | |
1390 | #inspect-logging-threshold: 200 | |
1391 | grouping: | |
1392 | dump-to-disk: false | |
1393 | include-rules: false # very verbose | |
1394 | include-mpm-stats: false | |
8d1fe9f2 | 1395 | |
ea7923cc VJ |
1396 | # Select the multi pattern algorithm you want to run for scan/search the |
1397 | # in the engine. | |
1398 | # | |
1399 | # The supported algorithms are: | |
1400 | # "ac" - Aho-Corasick, default implementation | |
1401 | # "ac-bs" - Aho-Corasick, reduced memory implementation | |
be9cd0fd | 1402 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant |
ea7923cc VJ |
1403 | # "hs" - Hyperscan, available when built with Hyperscan support |
1404 | # | |
be9cd0fd VJ |
1405 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is |
1406 | # available, "ac" otherwise. | |
ea7923cc VJ |
1407 | # |
1408 | # The mpm you choose also decides the distribution of mpm contexts for | |
1409 | # signature groups, specified by the conf - "detect.sgh-mpm-context". | |
1410 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" | |
1411 | # to be set to "single", because of ac's memory requirements, unless the | |
1412 | # ruleset is small enough to fit in one's memory, in which case one can | |
1413 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. | |
ea7923cc VJ |
1414 | |
1415 | mpm-algo: auto | |
1416 | ||
1417 | # Select the matching algorithm you want to use for single-pattern searches. | |
1418 | # | |
1419 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only | |
1420 | # available if Suricata has been built with Hyperscan support). | |
1421 | # | |
1422 | # The default of "auto" will use "hs" if available, otherwise "bm". | |
1423 | ||
1424 | spm-algo: auto | |
1425 | ||
1426 | # Suricata is multi-threaded. Here the threading can be influenced. | |
1427 | threading: | |
ea7923cc | 1428 | set-cpu-affinity: no |
45b72d61 | 1429 | # Tune cpu affinity of threads. Each family of threads can be bound |
ea7923cc | 1430 | # on specific CPUs. |
45b72d61 VJ |
1431 | # |
1432 | # These 2 apply to the all runmodes: | |
1433 | # management-cpu-set is used for flow timeout handling, counters | |
723e90a1 | 1434 | # worker-cpu-set is used for 'worker' threads |
45b72d61 VJ |
1435 | # |
1436 | # Additionally, for autofp these apply: | |
1437 | # receive-cpu-set is used for capture threads | |
1438 | # verdict-cpu-set is used for IPS verdict threads | |
1439 | # | |
ea7923cc VJ |
1440 | cpu-affinity: |
1441 | - management-cpu-set: | |
66b37d86 | 1442 | cpu: [ 0 ] # include only these CPUs in affinity settings |
ea7923cc | 1443 | - receive-cpu-set: |
66b37d86 | 1444 | cpu: [ 0 ] # include only these CPUs in affinity settings |
723e90a1 | 1445 | - worker-cpu-set: |
ea7923cc | 1446 | cpu: [ "all" ] |
723e90a1 | 1447 | mode: "exclusive" |
ea7923cc VJ |
1448 | # Use explicitely 3 threads and don't compute number by using |
1449 | # detect-thread-ratio variable: | |
1450 | # threads: 3 | |
1451 | prio: | |
1452 | low: [ 0 ] | |
1453 | medium: [ "1-2" ] | |
1454 | high: [ 3 ] | |
1455 | default: "medium" | |
0b617185 VJ |
1456 | #- verdict-cpu-set: |
1457 | # cpu: [ 0 ] | |
1458 | # prio: | |
1459 | # default: "high" | |
ea7923cc VJ |
1460 | # |
1461 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | |
1462 | # This setting allows controlling this behaviour. A ratio setting of 2 will | |
1463 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | |
1464 | # will result in 4 detect threads. If values below 1 are used, less threads | |
1465 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | |
1466 | # thread being created. Regardless of the setting at a minimum 1 detect | |
1467 | # thread will always be created. | |
1468 | # | |
0b617185 | 1469 | detect-thread-ratio: 1.0 |
8d1fe9f2 | 1470 | |
3012edae VJ |
1471 | # Luajit has a strange memory requirement, it's 'states' need to be in the |
1472 | # first 2G of the process' memory. | |
1473 | # | |
1474 | # 'luajit.states' is used to control how many states are preallocated. | |
1475 | # State use: per detect script: 1 per detect thread. Per output script: 1 per | |
1476 | # script. | |
1477 | luajit: | |
1478 | states: 128 | |
1479 | ||
820b0ded | 1480 | # Profiling settings. Only effective if Suricata has been built with the |
2fd31a1a VJ |
1481 | # the --enable-profiling configure flag. |
1482 | # | |
18e5ac8c | 1483 | profiling: |
8a735a9b VJ |
1484 | # Run profiling for every xth packet. The default is 1, which means we |
1485 | # profile every packet. If set to 1000, one packet is profiled for every | |
1486 | # 1000 received. | |
1487 | #sample-rate: 1000 | |
18e5ac8c | 1488 | |
820b0ded | 1489 | # rule profiling |
18e5ac8c JI |
1490 | rules: |
1491 | ||
1492 | # Profiling can be disabled here, but it will still have a | |
1493 | # performance impact if compiled in. | |
1494 | enabled: yes | |
820b0ded | 1495 | filename: rule_perf.log |
85643fe7 | 1496 | append: yes |
18e5ac8c | 1497 | |
a4d19e41 | 1498 | # Sort options: ticks, avgticks, checks, matches, maxticks |
75907fce VJ |
1499 | # If commented out all the sort options will be used. |
1500 | #sort: avgticks | |
18e5ac8c | 1501 | |
75907fce VJ |
1502 | # Limit the number of sids for which stats are shown at exit (per sort). |
1503 | limit: 10 | |
2fd31a1a | 1504 | |
c1bf0e1b | 1505 | # output to json |
1c0f20f0 | 1506 | json: @e_enable_evelog@ |
c1bf0e1b | 1507 | |
97bfcac4 VJ |
1508 | # per keyword profiling |
1509 | keywords: | |
1510 | enabled: yes | |
1511 | filename: keyword_perf.log | |
1512 | append: yes | |
1513 | ||
cf2feeec VJ |
1514 | prefilter: |
1515 | enabled: yes | |
1516 | filename: prefilter_perf.log | |
1517 | append: yes | |
1518 | ||
722e2dbf VJ |
1519 | # per rulegroup profiling |
1520 | rulegroups: | |
1521 | enabled: yes | |
1522 | filename: rule_group_perf.log | |
1523 | append: yes | |
1524 | ||
820b0ded VJ |
1525 | # packet profiling |
1526 | packets: | |
1527 | ||
1528 | # Profiling can be disabled here, but it will still have a | |
1529 | # performance impact if compiled in. | |
1530 | enabled: yes | |
1531 | filename: packet_stats.log | |
1532 | append: yes | |
1533 | ||
1534 | # per packet csv output | |
1535 | csv: | |
1536 | ||
1537 | # Output can be disabled here, but it will still have a | |
1538 | # performance impact if compiled in. | |
1539 | enabled: no | |
1540 | filename: packet_stats.csv | |
53df3982 | 1541 | |
d908e707 VJ |
1542 | # profiling of locking. Only available when Suricata was built with |
1543 | # --enable-profiling-locks. | |
1544 | locks: | |
1545 | enabled: no | |
1546 | filename: lock_stats.log | |
1547 | append: yes | |
1548 | ||
adde58d2 VJ |
1549 | pcap-log: |
1550 | enabled: no | |
1551 | filename: pcaplog_stats.log | |
1552 | append: yes | |
1553 | ||
8fae138d VJ |
1554 | ## |
1555 | ## Netfilter integration | |
1556 | ## | |
1557 | ||
1558 | # When running in NFQ inline mode, it is possible to use a simulated | |
1559 | # non-terminal NFQUEUE verdict. | |
66b37d86 | 1560 | # This permit to do send all needed packet to Suricata via this a rule: |
8fae138d VJ |
1561 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE |
1562 | # And below, you can have your standard filtering ruleset. To activate | |
1563 | # this mode, you need to set mode to 'repeat' | |
1564 | # If you want packet to be sent to another queue after an ACCEPT decision | |
1565 | # set mode to 'route' and set next-queue value. | |
1566 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance | |
1567 | # by processing several packets before sending a verdict (worker runmode only). | |
1568 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel | |
66b37d86 | 1569 | # accept the packet if Suricata is not able to keep pace. |
97783f81 GL |
1570 | # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is |
1571 | # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask | |
1572 | # on packet of a flow that need to be bypassed. The Nefilter ruleset has to | |
1573 | # directly accept all packets of a flow once a packet has been marked. | |
8fae138d VJ |
1574 | nfq: |
1575 | # mode: accept | |
1576 | # repeat-mark: 1 | |
1577 | # repeat-mask: 1 | |
97783f81 GL |
1578 | # bypass-mark: 1 |
1579 | # bypass-mask: 1 | |
8fae138d VJ |
1580 | # route-queue: 2 |
1581 | # batchcount: 20 | |
1582 | # fail-open: yes | |
1583 | ||
1584 | #nflog support | |
1585 | nflog: | |
1586 | # netlink multicast group | |
1587 | # (the same as the iptables --nflog-group param) | |
1588 | # Group 0 is used by the kernel, so you can't use it | |
1589 | - group: 2 | |
1590 | # netlink buffer size | |
1591 | buffer-size: 18432 | |
1592 | # put default value here | |
1593 | - group: default | |
1594 | # set number of packet to queue inside kernel | |
1595 | qthreshold: 1 | |
1596 | # set the delay before flushing packet in the queue inside kernel | |
1597 | qtimeout: 100 | |
1598 | # netlink max buffer size | |
1599 | max-size: 20000 | |
1600 | ||
11e6809d VJ |
1601 | ## |
1602 | ## Advanced Capture Options | |
1603 | ## | |
1604 | ||
da8f3c98 VJ |
1605 | # general settings affecting packet capture |
1606 | capture: | |
8b213e9d VJ |
1607 | # disable NIC offloading. It's restored when Suricata exits. |
1608 | # Enabled by default. | |
da8f3c98 VJ |
1609 | #disable-offloading: false |
1610 | # | |
1611 | # disable checksum validation. Same as setting '-k none' on the | |
8b213e9d | 1612 | # commandline. |
da8f3c98 VJ |
1613 | #checksum-validation: none |
1614 | ||
11e6809d VJ |
1615 | # Netmap support |
1616 | # | |
517b45ea | 1617 | # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have |
11e6809d VJ |
1618 | # built-in netmap support or compile and install netmap module and appropriate |
1619 | # NIC driver on your Linux system. | |
1620 | # To reach maximum throughput disable all receive-, segmentation-, | |
1621 | # checksum- offloadings on NIC. | |
1622 | # Disabling Tx checksum offloading is *required* for connecting OS endpoint | |
1623 | # with NIC endpoint. | |
1624 | # You can find more information at https://github.com/luigirizzo/netmap | |
1625 | # | |
1626 | netmap: | |
1627 | # To specify OS endpoint add plus sign at the end (e.g. "eth0+") | |
1628 | - interface: eth2 | |
517b45ea VJ |
1629 | # Number of capture threads. "auto" uses number of RSS queues on interface. |
1630 | # Warning: unless the RSS hashing is symmetrical, this will lead to | |
1631 | # accuracy issues. | |
d58d02fe | 1632 | #threads: auto |
11e6809d VJ |
1633 | # You can use the following variables to activate netmap tap or IPS mode. |
1634 | # If copy-mode is set to ips or tap, the traffic coming to the current | |
1635 | # interface will be copied to the copy-iface interface. If 'tap' is set, the | |
1636 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action | |
1637 | # will not be copied. | |
1638 | # To specify the OS as the copy-iface (so the OS can route packets, or forward | |
1639 | # to a service running on the same machine) add a plus sign at the end | |
1640 | # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 | |
1641 | # for return packets. Hardware checksumming must be *off* on the interface if | |
1642 | # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD | |
1643 | # or 'ethtool -K eth0 tx off rx off' for Linux). | |
1644 | #copy-mode: tap | |
1645 | #copy-iface: eth3 | |
1646 | # Set to yes to disable promiscuous mode | |
1647 | # disable-promisc: no | |
1648 | # Choose checksum verification mode for the interface. At the moment | |
1649 | # of the capture, some packets may be with an invalid checksum due to | |
1650 | # offloading to the network card of the checksum computation. | |
1651 | # Possible values are: | |
1652 | # - yes: checksum validation is forced | |
1653 | # - no: checksum validation is disabled | |
66b37d86 | 1654 | # - auto: Suricata uses a statistical approach to detect when |
11e6809d VJ |
1655 | # checksum off-loading is used. |
1656 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
1657 | #checksum-checks: auto | |
1658 | # BPF filter to apply to this interface. The pcap filter syntax apply here. | |
1659 | #bpf-filter: port 80 or udp | |
1660 | #- interface: eth3 | |
1661 | #threads: auto | |
1662 | #copy-mode: tap | |
1663 | #copy-iface: eth2 | |
1664 | # Put default values here | |
1665 | - interface: default | |
1666 | ||
1667 | # PF_RING configuration. for use with native PF_RING support | |
1668 | # for more info see http://www.ntop.org/products/pf_ring/ | |
1669 | pfring: | |
1670 | - interface: eth0 | |
1467c308 VJ |
1671 | # Number of receive threads. If set to 'auto' Suricata will first try |
1672 | # to use CPU (core) count and otherwise RSS queue count. | |
1673 | threads: auto | |
11e6809d VJ |
1674 | |
1675 | # Default clusterid. PF_RING will load balance packets based on flow. | |
1676 | # All threads/processes that will participate need to have the same | |
1677 | # clusterid. | |
1678 | cluster-id: 99 | |
1679 | ||
1680 | # Default PF_RING cluster type. PF_RING can load balance per flow. | |
1681 | # Possible values are cluster_flow or cluster_round_robin. | |
1682 | cluster-type: cluster_flow | |
1467c308 | 1683 | |
11e6809d VJ |
1684 | # bpf filter for this interface |
1685 | #bpf-filter: tcp | |
b6baafb3 AC |
1686 | |
1687 | # If bypass is set then the PF_RING hw bypass is activated, when supported | |
1688 | # by the interface in use. Suricata will instruct the interface to bypass | |
1689 | # all future packets for a flow that need to be bypassed. | |
1690 | #bypass: yes | |
1691 | ||
11e6809d VJ |
1692 | # Choose checksum verification mode for the interface. At the moment |
1693 | # of the capture, some packets may be with an invalid checksum due to | |
1694 | # offloading to the network card of the checksum computation. | |
1695 | # Possible values are: | |
1696 | # - rxonly: only compute checksum for packets received by network card. | |
1697 | # - yes: checksum validation is forced | |
1698 | # - no: checksum validation is disabled | |
66b37d86 | 1699 | # - auto: Suricata uses a statistical approach to detect when |
11e6809d VJ |
1700 | # checksum off-loading is used. (default) |
1701 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
1702 | #checksum-checks: auto | |
1703 | # Second interface | |
1704 | #- interface: eth1 | |
1705 | # threads: 3 | |
1706 | # cluster-id: 93 | |
1707 | # cluster-type: cluster_flow | |
1708 | # Put default values here | |
1709 | - interface: default | |
1710 | #threads: 2 | |
1711 | ||
1712 | # For FreeBSD ipfw(8) divert(4) support. | |
1713 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" | |
1714 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. | |
1715 | # Additionally, you need to have an ipfw rule for the engine to see | |
1716 | # the packets from ipfw. For Example: | |
1717 | # | |
1718 | # ipfw add 100 divert 8000 ip from any to any | |
1719 | # | |
1720 | # The 8000 above should be the same number you passed on the command | |
1721 | # line, i.e. -d 8000 | |
1722 | # | |
1723 | ipfw: | |
1724 | ||
1725 | # Reinject packets at the specified ipfw rule number. This config | |
1726 | # option is the ipfw rule number AT WHICH rule processing continues | |
1727 | # in the ipfw processing system after the engine has finished | |
1728 | # inspecting the packet for acceptance. If no rule number is specified, | |
1729 | # accepted packets are reinjected at the divert rule which they entered | |
1730 | # and IPFW rule processing continues. No check is done to verify | |
1731 | # this will rule makes sense so care must be taken to avoid loops in ipfw. | |
1732 | # | |
1733 | ## The following example tells the engine to reinject packets | |
1734 | # back into the ipfw firewall AT rule number 5500: | |
1735 | # | |
1736 | # ipfw-reinjection-rule-number: 5500 | |
dbdf2d88 | 1737 | |
ebccb9ff MK |
1738 | |
1739 | napatech: | |
1740 | # The Host Buffer Allowance for all streams | |
1741 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) | |
01801c6d PY |
1742 | # This may be enabled when sharing streams with another application. |
1743 | # Otherwise, it should be turned off. | |
05271bfb PY |
1744 | #hba: -1 |
1745 | ||
1746 | # When use_all_streams is set to "yes" the initialization code will query | |
1747 | # the Napatech service for all configured streams and listen on all of them. | |
1748 | # When set to "no" the streams config array will be used. | |
1749 | # | |
1750 | # This option necessitates running the appropriate NTPL commands to create | |
1751 | # the desired streams prior to running suricata. | |
1752 | #use-all-streams: no | |
1753 | ||
1754 | # The streams to listen on when auto-config is disabled or when and threading | |
1755 | # cpu-affinity is disabled. This can be either: | |
1756 | # an individual stream (e.g. streams: [0]) | |
01801c6d PY |
1757 | # or |
1758 | # a range of streams (e.g. streams: ["0-3"]) | |
05271bfb | 1759 | # |
01801c6d | 1760 | streams: ["0-3"] |
8625c9eb | 1761 | |
1c995369 PY |
1762 | # Stream stats can be enabled to provide fine grain packet and byte counters |
1763 | # for each thread/stream that is configured. | |
1764 | # | |
1765 | enable-stream-stats: no | |
1766 | ||
05271bfb PY |
1767 | # When auto-config is enabled the streams will be created and assigned |
1768 | # automatically to the NUMA node where the thread resides. If cpu-affinity | |
1769 | # is enabled in the threading section. Then the streams will be created | |
1770 | # according to the number of worker threads specified in the worker cpu set. | |
1771 | # Otherwise, the streams array is used to define the streams. | |
1772 | # | |
1c995369 PY |
1773 | # This option is intended primarily to support legacy configurations. |
1774 | # | |
1775 | # This option cannot be used simultaneous with either "use-all-streams" | |
1776 | # or hardware-bypass. | |
05271bfb PY |
1777 | # |
1778 | auto-config: yes | |
1779 | ||
1c995369 PY |
1780 | # Enable hardware level flow bypass. |
1781 | # | |
1782 | hardware-bypass: yes | |
1783 | ||
1784 | # Enable inline operation. When enabled traffic arriving on a given port is | |
1785 | # automatically forwarded out it's peer port after analysis by suricata. | |
1786 | # | |
1787 | inline: no | |
1788 | ||
05271bfb PY |
1789 | # Ports indicates which napatech ports are to be used in auto-config mode. |
1790 | # these are the port ID's of the ports that will be merged prior to the | |
1791 | # traffic being distributed to the streams. | |
1792 | # | |
1c995369 PY |
1793 | # When hardware-bypass is enabled the ports must be configured as a segement |
1794 | # specify the port(s) on which upstream and downstream traffic will arrive. | |
1795 | # This information is necessary for the hardware to properly process flows. | |
1796 | # | |
1797 | # When using a tap configuration one of the ports will receive inbound traffic | |
1798 | # for the network and the other will receive outbound traffic. The two ports on a | |
1799 | # given segment must reside on the same network adapter. | |
1800 | # | |
1801 | # When using a SPAN-port configuration the upstream and downstream traffic | |
1802 | # arrives on a single port. This is configured by setting the two sides of the | |
1803 | # segment to reference the same port. (e.g. 0-0 to configure a SPAN port on | |
1804 | # port 0). | |
1805 | # | |
1806 | # port segments are specified in the form: | |
1807 | # ports: [0-1,2-3,4-5,6-6,7-7] | |
1808 | # | |
1809 | # For legecy systems when hardware-bypass is disabled this can be specified in any | |
1810 | # of the following ways: | |
05271bfb PY |
1811 | # |
1812 | # a list of individual ports (e.g. ports: [0,1,2,3]) | |
1813 | # | |
1814 | # a range of ports (e.g. ports: [0-3]) | |
1815 | # | |
1816 | # "all" to indicate that all ports are to be merged together | |
1817 | # (e.g. ports: [all]) | |
1818 | # | |
1c995369 | 1819 | # This parameter has no effect if auto-config is disabled. |
05271bfb | 1820 | # |
1c995369 | 1821 | ports: [0-1,2-3] |
05271bfb PY |
1822 | |
1823 | # When auto-config is enabled the hashmode specifies the algorithm for | |
1824 | # determining to which stream a given packet is to be delivered. | |
1825 | # This can be any valid Napatech NTPL hashmode command. | |
1826 | # | |
1827 | # The most common hashmode commands are: hash2tuple, hash2tuplesorted, | |
1828 | # hash5tuple, hash5tuplesorted and roundrobin. | |
1829 | # | |
1830 | # See Napatech NTPL documentation other hashmodes and details on their use. | |
1831 | # | |
1c995369 | 1832 | # This parameter has no effect if auto-config is disabled. |
05271bfb PY |
1833 | # |
1834 | hashmode: hash5tuplesorted | |
514c7c1a | 1835 | |
64b6ff73 JI |
1836 | ## |
1837 | ## Configure Suricata to load Suricata-Update managed rules. | |
1838 | ## | |
1839 | ## If this section is completely commented out move down to the "Advanced rule | |
1840 | ## file configuration". | |
1841 | ## | |
1842 | ||
55852d0d | 1843 | default-rule-path: @e_defaultruledir@ |
64b6ff73 | 1844 | |
55852d0d JI |
1845 | rule-files: |
1846 | - suricata.rules | |
64b6ff73 JI |
1847 | |
1848 | ## | |
1849 | ## Auxiliary configuration files. | |
1850 | ## | |
1851 | ||
1852 | classification-file: @e_sysconfdir@classification.config | |
1853 | reference-config-file: @e_sysconfdir@reference.config | |
1854 | # threshold-file: @e_sysconfdir@threshold.config | |
d79c95dd | 1855 | |
cb47c2f6 VJ |
1856 | ## |
1857 | ## Include other configs | |
1858 | ## | |
11e6809d | 1859 | |
8625c9eb JI |
1860 | # Includes. Files included here will be handled as if they were |
1861 | # inlined in this configuration file. | |
1862 | #include: include1.yaml | |
1863 | #include: include2.yaml |