%YAML 1.1
---
# Suricata Emergingthreats Pro Open Rulesets Recommended

# Reference-name to URL-prefix mapping used by the "reference:" keyword in
# rules. The path must exist and be readable by the Suricata user at startup.
reference-config-file: /etc/suricata/rules/reference.config

# Number of packets allowed to be processed simultaneously. Default is a
# conservative 50. A higher number will make sure CPUs/CPU cores will be
# more easily kept busy, but will negatively impact caching.
#
# If you are using the CUDA pattern matcher (b2g_cuda below), different rules
# apply. In that case try something like 4000 or more. This is because the CUDA
# pattern matcher scans many packets in parallel.
#
# Left commented out here, so the engine's built-in default applies.
#max-pending-packets: 50

# Set the order of alerts based on actions.
# The default order is pass, drop, reject, alert.
# The order decides which action wins when several rules match the same
# packet: with "pass" first, a matching pass rule suppresses any drop/reject/
# alert for that packet, so keep pass rules tightly scoped.
action-order:
  - pass
  - drop
  - reject
  - alert


# The default logging directory. Any log or output file will be
# placed here if it is not specified with a full path name. This can be
# overridden with the -l command line parameter.
# Alert and HTTP logs written here may contain sensitive request data;
# restrict directory permissions to the Suricata user and log readers.
default-log-dir: /var/log/suricata

# Configure the type of alert (and other) logging you would like.
# Relative filenames below are created under default-log-dir.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log

  # log output for use with Barnyard
  - unified-log:
      enabled: no
      filename: unified.log

      #limit: 32mb

  # alert output for use with Barnyard
  - unified-alert:
      enabled: no
      filename: unified.alert

      #limit: 32mb

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert

      #limit: 32mb

  # a line based log of HTTP requests (no alerts)
  # NOTE(review): this records every HTTP request, not only alerts, so the
  # file can grow quickly and will contain hosts/URLs — plan log rotation
  # and file permissions accordingly.
  - http-log:
      enabled: yes
      filename: http.log

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log

  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata

# IP defragmentation settings. Fragment trackers are bounded so that a flood
# of incomplete fragment sets cannot exhaust memory.
defrag:
  max-frags: 65535   # maximum number of fragments tracked at once
  prealloc: yes      # allocate the trackers at startup
  timeout: 60        # seconds before an incomplete fragment set is discarded

# You can specify a threshold config file by setting "threshold-file"
# to the path of the threshold config file (used to rate-limit or suppress
# noisy signatures). Not set here.
# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" to your convenience.
# Usually you would prefer medium/high/low.
detect-engine:
  - profile: medium
  # The custom-values below only take effect when profile is "custom";
  # with "medium" selected they are inert.
  - custom-values:
      toclient_src_groups: 2
      toclient_dst_groups: 2
      toclient_sp_groups: 2
      toclient_dp_groups: 3
      toserver_src_groups: 2
      toserver_dst_groups: 4
      toserver_sp_groups: 2
      toserver_dp_groups: 25

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  # On some CPUs/architectures it is beneficial to tie individual threads
  # to specific CPUs/CPU cores. In this case all threads are tied to CPU0,
  # and each extra CPU/core has one "detect" thread.
  #
  # On Intel Core2 and Nehalem CPUs enabling this will degrade performance.
  #
  set_cpu_affinity: no
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, fewer threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting at a minimum 1 detect
  # thread will always be created.
  #
  detect_thread_ratio: 1.5

# Select the cuda device to use. The device_id identifies the device to be used
# if one has multiple devices on the system. To find out the device_id associated
# with the card(s) on the system run "suricata --list-cuda-cards".
# Only relevant when mpm-algo is b2g_cuda (see below); ignored otherwise.
cuda:
  device_id: 0

# Select the multi pattern algorithm you want to run for scan/search
# in the engine. The supported algorithms are b2g, b3g and wumanber.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda): b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.
#
# Only the algorithm named here is used; the per-algorithm tuning lives in
# the pattern-matcher section below.

mpm-algo: b2g

# The memory settings for hash size of these algorithms can vary from lowest
# (2048) - low (4096) - medium (8192) - high (16384) - highest (32768) - max
# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
# medium (1024) - high (2048).
#
# For B2g/B3g algorithms, there is support for two different scan/search
# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
# B3gSearchBNDMq.
#
# For B2g: the different scan/search algorithms and the hash and bloom
# filter size settings. For B3g: the different scan/search algorithms and the
# hash and bloom filter size settings. For wumanber: the hash and bloom filter
# size settings.
#
# Only the entry matching mpm-algo (b2g above) is in effect; the b3g and
# wumanber entries are kept so switching algorithms needs no further edits.

pattern-matcher:
  - b2g:
      scan_algo: B2gScanBNDMq
      search_algo: B2gSearchBNDMq
      hash_size: low
      bf_size: medium
  - b3g:
      scan_algo: B3gScanBNDMq
      search_algo: B3gSearchBNDMq
      hash_size: low
      bf_size: medium
  - wumanber:
      hash_size: low
      bf_size: medium

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash_size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At startup, the engine can preallocate a number of flows, to get better
# performance. The number of flows preallocated is 10000 by default.
# emergency_recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, still allowing new flows to be created, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune prune_flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the last-time-seen flows
# not in use.
#
# Security note: a flow flood (e.g. a SYN scan) is what drives the engine to
# the memcap and into emergency mode; size memcap for the expected peak
# concurrent flows so emergency pruning is the exception, not the norm.

flow:
  memcap: 33554432          # 32 MB
  hash_size: 65536
  prealloc: 10000
  emergency_recovery: 30    # percent of flows pruned before leaving emergency
  prune_flows: 5            # flows pruned per attempt at memcap

# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determines the seconds to wait after a handshake or
# stream startup before the engine frees the data of that flow if it doesn't
# change the state to established (usually if we don't receive more packets
# of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spends that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero).
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine check flow status faster. These configuration variables
# use the prefix "emergency_" and work similarly to the normal ones; they are
# the "more aggressive timeouts" referred to in the flow section above.
# Some timeouts don't apply to all the protocols, like "closed", for udp and
# icmp.
#
# All values are in seconds.

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency_new: 10
    emergency_established: 100
    emergency_closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency_new: 10
    emergency_established: 300
    emergency_closed: 20
  udp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100
  icmp:
    new: 30
    established: 300
    emergency_new: 10
    emergency_established: 100

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# Reference of the available settings (the active values follow below):
# stream:
#   memcap: 33554432             # 32mb tcp session memcap
#   checksum_validation: yes     # To validate the checksum of received
#                                # packets. If csum validation is specified as
#                                # "yes", then packets with invalid csum will not
#                                # be processed by the engine stream/app layer.
#   max_sessions: 262144         # 256k concurrent sessions
#   prealloc_sessions: 32768     # 32k sessions prealloc'd
#   midstream: false             # don't allow midstream session pickups
#   async_oneside: false         # don't enable async stream handling
#   reassembly:
#     memcap: 67108864           # 64mb tcp reassembly memcap
#     depth: 1048576             # 1 MB reassembly depth
stream:
  memcap: 33554432
  # NOTE(review): with validation on, packets whose checksum is invalid skip
  # stream/app-layer inspection (see the reference above). On a capture
  # interface with checksum offload enabled, many legitimate packets can look
  # invalid — confirm offload is disabled on the sensor interface, or that
  # skipping those packets is acceptable for this inline deployment.
  checksum_validation: yes
  # Inline (IPS) mode for the stream engine; not listed in the reference above.
  inline: yes
  reassembly:
    memcap: 67108864
    # 1 MB reassembly depth per stream; presumably data past this depth is not
    # inspected, so keep it in mind when reasoning about large transfers.
    depth: 1048576

# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what it is doing, errors, etc.
logging:

  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info

  # The default output format. Optional parameter, should default to
  # something reasonable if not provided. Can be overridden in an
  # output section. You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter). Left empty here.
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: yes
  # Absolute path, so it is not affected by default-log-dir or -l.
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
  # NOTE(review): "drop" with a drop.log filename reads like a packet/alert
  # output rather than an engine-log output; in Suricata's shipped config it
  # lives under the top-level "outputs:" section. Confirm the intended
  # placement, since here it is parsed as a logging output.
  - drop:
      enabled: yes
      filename: drop.log
      append: yes

# NFQUEUE (Linux inline) settings. In "repeat" mode packets are re-injected
# into netfilter carrying repeat_mark/repeat_mask; the iptables rule that
# queues traffic should exclude packets already carrying this mark, otherwise
# they can re-enter the queue — confirm the firewall rules match this setup.
nfq:
  mode: repeat
  repeat_mark: 1
  repeat_mask: 1

# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/PF_RING.html
pfring:

  # Default interface we will listen on.
  interface: eth0

  # Default clusterid. PF_RING will load balance packets based on flow.
  # All threads/processes that will participate need to have the same
  # clusterid.
  cluster-id: 99

  # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
  # This is only supported in versions of PF_RING > 4.1.1.
  # NOTE(review): round robin can spread one flow's packets across threads,
  # which undermines flow/stream tracking; a per-flow type such as
  # cluster_flow keeps a flow on one thread. Confirm this is intended.
  cluster-type: cluster_round_robin

# For FreeBSD ipfw(8) divert(4) support.
# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
# in /etc/loader.conf or kldload the appropriate kernel modules.
# Additionally, you need to have an ipfw rule for the engine to see
# the packets from ipfw. For example:
#
#   ipfw add 100 divert 8000 ip from any to any
#
# The 8000 above should be the same number you passed on the command
# line, i.e. -d 8000
#
ipfw:

  # Reinject packets at the specified ipfw rule number. This config
  # option is the ipfw rule number AT WHICH rule processing continues
  # in the ipfw processing system after the engine has finished
  # inspecting the packet for acceptance. If no rule number is specified,
  # accepted packets are reinjected at the divert rule which they entered
  # and IPFW rule processing continues. No check is done to verify that
  # this rule number makes sense, so care must be taken to avoid loops in ipfw.
  # Not set here, so re-injection happens at the divert rule.
  #
  ## The following example tells the engine to reinject packets
  # back into the ipfw firewall AT rule number 5500:
  #
  # ipfw-reinjection-rule-number: 5500

# Set the default rule path here to search for the files.
# If not set, it will look in the current working directory.
default-rule-path: /etc/suricata/rules/
# NOTE(review): every rule file below is commented out, so as written this
# list is empty and the engine loads no signatures — despite the "Recommended"
# ruleset header at the top of the file. Uncomment the categories to enable
# before relying on this sensor for detection.
rule-files:
# - emerging-ftp.rules
# - emerging-policy.rules
# - emerging-trojan.rules
# - emerging-games.rules
# - emerging-pop3.rules
# - emerging-user_agents.rules
# - emerging-activex.rules
# - emerging-rpc.rules
# - emerging-virus.rules
# - emerging-attack_response.rules
# - emerging-icmp.rules
# - emerging-scan.rules
# - emerging-scada.rules
# - emerging-voip.rules
# - emerging-chat.rules
# - emerging-icmp_info.rules
# - emerging-shellcode.rules
# - emerging-web_client.rules
# - emerging-imap.rules
# - emerging-web_server.rules
# - emerging-current_events.rules
# - emerging-inappropriate.rules
# - emerging-smtp.rules
# - emerging-web_specific_apps.rules
# - emerging-deleted.rules
# - emerging-malware.rules
# - emerging-snmp.rules
# - emerging-worm.rules
# - emerging-dns.rules
# - emerging-misc.rules
# - emerging-sql.rules
# - emerging-dos.rules
# - emerging-netbios.rules
# - emerging-telnet.rules
# - emerging-exploit.rules
# - emerging-p2p.rules
# - emerging-tftp.rules
# - emerging-botcc.rules
# - emerging-compromised.rules
# - emerging-drop.rules
# - emerging-dshield.rules
# - emerging-rbn.rules
# - emerging-rbn-malvertisers.rules
# - emerging-tor.rules
# - emerging-mobile_malware.rules

# Maps rule classtypes to priorities/descriptions; must match the ruleset.
classification-file: /etc/suricata/rules/classification.config

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    # RFC 1918 ranges; adjust to the networks this sensor actually protects.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    # NOTE(review): "any" also includes HOME_NET, so rules written as
    # $EXTERNAL_NET -> $HOME_NET will also match internal-to-internal traffic.
    # If that is not wanted, "!$HOME_NET" is the usual choice.
    EXTERNAL_NET: any

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: any

    # These vars are required if you're using the Digitalbond Scada signatures
    # in the scada.rules category; enable them together with that rule file.
    # DNP3_SERVER: "$HOME_NET"
    # DNP3_CLIENT: "$HOME_NET"
    # MODBUS_CLIENT: "$HOME_NET"
    # MODBUS_SERVER: "$HOME_NET"
    # ENIP_CLIENT: "$HOME_NET"
    # ENIP_SERVER: "$HOME_NET"


  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:

    # Only port 80; HTTP on other ports is not matched by $HTTP_PORTS rules.
    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    ORACLE_PORTS: 1521

    SSH_PORTS: 22

    # DNP3_PORTS: 20000

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
# The policy chosen decides how overlapping fragments/segments are resolved,
# so a wrong mapping can let the sensor and the real host see different data.
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd_right: []
  old_linux: []
  # NOTE(review): 192.168.1.100 and the IPv6 address look like sample
  # entries — confirm they reflect real Linux hosts on this network.
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old_solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

###########################################################################
# Configure libhtp.
#
#
# default-config: Used when no server-config matches
#   personality: List of personalities used by default
#
# server-config: List of server configurations to use if address matches
#   address: List of ip addresses or networks for this block
#   personality: List of personalities used by this block
#
# The personality should match the real server software for the listed
# addresses, since it governs how libhtp parses HTTP for that block.
#
# Currently Available Personalities:
#   Minimal
#   Generic
#   IDS (default)
#   IIS_4_0
#   IIS_5_0
#   IIS_5_1
#   IIS_6_0
#   IIS_7_0
#   IIS_7_5
#   Apache
#   Apache_2_2
###########################################################################
libhtp:

  default-config:
    personality: IDS

  # NOTE(review): the address lists below look like sample networks —
  # confirm they match the deployment before relying on the per-server
  # personalities.
  server-config:

    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2

    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0

# rule profiling settings. Only effective if Suricata has been built with the
# --enable-profiling configure flag.
#
profiling:

  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    # NOTE(review): enabled here; for a production sensor consider "no"
    # unless rule performance data is actively being collected.
    enabled: yes

    # Sort options: ticks, avgticks, checks, matches
    sort: avgticks

    # Limit the number of items printed at exit.
    limit: 100

523 |