4 # Suricata configuration file. In addition to the comments describing all
5 # options in this file, full documentation can be found at:
6 # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
9 ## Step 1: inform Suricata about your network
13 # more specific is better for alert accuracy and performance
15 HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
16 #HOME_NET: "[192.168.0.0/16]"
17 #HOME_NET: "[10.0.0.0/8]"
18 #HOME_NET: "[172.16.0.0/12]"
21 EXTERNAL_NET: "!$HOME_NET"
24 HTTP_SERVERS: "$HOME_NET"
25 SMTP_SERVERS: "$HOME_NET"
26 SQL_SERVERS: "$HOME_NET"
27 DNS_SERVERS: "$HOME_NET"
28 TELNET_SERVERS: "$HOME_NET"
29 AIM_SERVERS: "$EXTERNAL_NET"
30 DC_SERVERS: "$HOME_NET"
31 DNP3_SERVER: "$HOME_NET"
32 DNP3_CLIENT: "$HOME_NET"
33 MODBUS_CLIENT: "$HOME_NET"
34 MODBUS_SERVER: "$HOME_NET"
35 ENIP_CLIENT: "$HOME_NET"
36 ENIP_SERVER: "$HOME_NET"
40 SHELLCODE_PORTS: "!80"
45 FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
49 ## Step 2: select outputs to enable
52 # The default logging directory. Any log or output file will be
53 # placed here if its not specified with a full path name. This can be
54 # overridden with the -l command line parameter.
55 default-log-dir: @e_logdir@
57 # global stats configuration
60 # The interval field (in seconds) controls at what interval
61 # the loggers are invoked.
63 # Add decode events as stats.
65 # Decoder event prefix in stats. Has been 'decoder' before, but that leads
66 # to missing events in the eve.stats records. See issue #2225.
67 decoder-events-prefix: "decoder.event"
68 # Add stream events as stats.
71 # Configure the type of alert (and other) logging you would like.
73 # a line based alerts log similar to Snort's fast.log
78 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
80 # Extensible Event Format (nicknamed EVE) event log in JSON format
82 enabled: @e_enable_evelog@
83 filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
85 #prefix: "@cee: " # prefix to prepend to each log entry
86 # the following are valid when type: syslog above
89 #level: Info ## possible levels: Emergency, Alert, Critical,
90 ## Error, Warning, Notice, Info, Debug
94 # async: true ## if redis replies are read asynchronously
95 # mode: list ## possible values: list|lpush (default), rpush, channel|publish
96 # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
97 # ## publish is using a Redis channel. "channel" is an alias for publish
98 # key: suricata ## key or channel to use (default to suricata)
99 # Redis pipelining set up. This will enable to only do a query every
100 # 'batch-size' events. This should lower the latency induced by network
101 # connection at the cost of some memory. There is no flushing implemented
102 # so this setting as to be reserved to high traffic suricata.
104 # enabled: yes ## set enable to yes to enable query pipelining
105 # batch-size: 10 ## number of entry to keep in buffer
107 # Include top level metadata. Default yes.
110 # include the name of the input pcap file in pcap file processing mode
114 # Adds a 'community_id' field to EVE records. These are meant to give
115 # a records a predictable flow id that can be used to match records to
116 # output of other tools such as Bro.
118 # Takes a 'seed' that needs to be same across sensors and tools
119 # to make the id less predictable.
121 # enable/disable the community id feature.
123 # Seed value for the ID output. Valid values are 0-65535.
126 # HTTP X-Forwarded-For support by adding an extra field or overwriting
127 # the source or destination IP address (depending on flow direction)
128 # with the one reported in the X-Forwarded-For HTTP header. This is
129 # helpful when reviewing alerts for traffic that is being reverse
130 # or forward proxied.
133 # Two operation modes are available, "extra-data" and "overwrite".
135 # Two proxy deployments are supported, "reverse" and "forward". In
136 # a "reverse" deployment the IP address used is the last one, in a
137 # "forward" deployment the first IP address is used.
139 # Header name where the actual IP address will be reported, if more
140 # than one IP address is present, the last IP address will be the
141 # one taken into consideration.
142 header: X-Forwarded-For
146 # payload: yes # enable dumping payload in Base64
147 # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
148 # payload-printable: yes # enable dumping payload in printable (lossy) format
149 # packet: yes # enable dumping of packet (without stream segments)
150 # http-body: yes # enable dumping of http body in Base64
151 # http-body-printable: yes # enable dumping of http body in printable format
152 # metadata: no # enable inclusion of app layer metadata with alert. Default yes
154 # Enable the logging of tagged packets for rules using the
158 # Anomaly log records describe unexpected conditions such as truncated packets, packets with invalid
159 # IP/UDP/TCP length values, and other events that render the packet invalid for further processing
160 # or describe unexpected behavior on an established stream. Networks which experience high
161 # occurrences of anomalies may experience packet processing degradation.
163 # Enable dumping of packet header
164 # packethdr: no # enable dumping of packet header
166 extended: yes # enable this for extended logging information
167 # custom allows additional http fields to be included in eve-log
168 # the example below adds three additional fields when uncommented
169 #custom: [Accept-Encoding, Accept-Language, Authorization]
170 # set this value to one among {both, request, response} to dump all
171 # http headers for every http request and/or response
172 # dump-all-headers: [both, request, response]
174 # This configuration uses the new DNS logging format,
175 # the old configuration is still available:
176 # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
177 # Use version 2 logging with the new format:
178 # DNS answers will be logged in one single event
179 # rather than an event for each of it.
180 # Without setting a version the version
181 # will fallback to 1 for backwards compatibility.
184 # Enable/disable this logger. Default: enabled.
187 # Control logging of requests and responses:
188 # - requests: enable logging of DNS queries
189 # - responses: enable logging of DNS answers
190 # By default both requests and responses are logged.
194 # Format of answer logging:
195 # - detailed: array item per answer
196 # - grouped: answers aggregated by type
198 #formats: [detailed, grouped]
200 # Answer types to log.
202 #types: [a, aaaa, cname, mx, ns, ptr, txt]
204 extended: yes # enable this for extended logging information
205 # output TLS transaction where the session is resumed using a
207 #session-resumption: no
208 # custom allows to control which tls fields that are included
210 #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
212 force-magic: no # force logging magic on all logged files
213 # force logging of checksums, available hash functions are md5,
217 # alerts: yes # log alerts that caused drops
218 # flows: all # start or all: 'start' logs only a single drop
219 # # per flow direction. All logs each dropped pkt.
221 #extended: yes # enable this for extended logging information
222 # this includes: bcc, message-id, subject, x_mailer, user-agent
223 # custom fields logging from the list:
224 # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
225 # x-originating-ip, in-reply-to, references, importance, priority,
226 # sensitivity, organization, content-md5, date
227 #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
228 # output md5 of fields: body, subject
229 # for the body you need to set app-layer.protocols.smtp.mime.body-md5
231 #md5: [body, subject]
241 # When extended mode is on, all DHCP messages are logged
242 # with full detail. When extended mode is off (the
243 # default), just enough information to map a MAC address
244 # to an IP address is logged.
248 totals: yes # stats for all threads merged together
249 threads: no # per thread stats
250 deltas: no # include delta values
251 # bi-directional flows
253 # uni-directional flows
256 # Metadata event type. Triggered whenever a pktvar is saved
257 # and will include the pktvars, flowvars, flowbits and
261 # alert output for use with Barnyard2
264 filename: unified2.alert
266 # File size limit. Can be specified in kb, mb, gb. Just a number
267 # is parsed as bytes.
270 # By default unified2 log files have the file creation time (in
271 # unix epoch format) appended to the filename. Set this to yes to
272 # disable this behaviour.
275 # Sensor ID field of unified2 alerts.
278 # Include payload of packets related to alerts. Defaults to true, set to
279 # false if payload is not required.
282 # HTTP X-Forwarded-For support by adding the unified2 extra header or
283 # overwriting the source or destination IP address (depending on flow
284 # direction) with the one reported in the X-Forwarded-For HTTP header.
285 # This is helpful when reviewing alerts for traffic that is being reverse
286 # or forward proxied.
289 # Two operation modes are available, "extra-data" and "overwrite". Note
290 # that in the "overwrite" mode, if the reported IP address in the HTTP
291 # X-Forwarded-For header is of a different version of the packet
292 # received, it will fall-back to "extra-data" mode.
294 # Two proxy deployments are supported, "reverse" and "forward". In
295 # a "reverse" deployment the IP address used is the last one, in a
296 # "forward" deployment the first IP address is used.
298 # Header name where the actual IP address will be reported, if more
299 # than one IP address is present, the last IP address will be the
300 # one taken into consideration.
301 header: X-Forwarded-For
303 # a line based log of HTTP requests (no alerts)
308 #extended: yes # enable this for extended logging information
309 #custom: yes # enabled the custom logging format (defined by customformat)
310 #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
311 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
313 # a line based log of TLS handshake parameters (no alerts)
315 enabled: no # Log TLS connections.
316 filename: tls.log # File to store TLS logs.
318 #extended: yes # Log extended information like fingerprint
319 #custom: yes # enabled the custom logging format (defined by customformat)
320 #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
321 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
322 # output TLS transaction where the session is resumed using a
324 #session-resumption: no
326 # output module to store certificates chain to disk
329 #certs-log-dir: certs # directory to store the certificates files
331 # a line based log of DNS requests and/or replies (no alerts)
332 # Note: not available when Rust is enabled (--enable-rust).
337 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
339 # Packet log... log packets in pcap format. 3 modes of operation: "normal"
340 # "multi" and "sguil".
342 # In normal mode a pcap file "filename" is created in the default-log-dir,
343 # or are as specified by "dir".
344 # In multi mode, a file is created per thread. This will perform much
345 # better, but will create multiple files where 'normal' would create one.
346 # In multi mode the filename takes a few special variables:
347 # - %n -- thread number
349 # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
350 # E.g. filename: pcap.%n.%t
352 # Note that it's possible to use directories, but the directories are not
353 # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
354 # per thread directory.
356 # Also note that the limit and max-files settings are enforced per thread.
357 # So the size limit when using 8 threads with 1000mb files and 2000 files
358 # is: 8*1000*2000 ~ 16TiB.
360 # In Sguil mode "dir" indicates the base directory. In this base dir the
361 # pcaps are created in th directory structure Sguil expects:
363 # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
365 # By default all packets are logged except:
366 # - TCP streams beyond stream.reassembly.depth
367 # - encrypted streams after the key exchange
373 # File size limit. Can be specified in kb, mb, gb. Just a number
374 # is parsed as bytes.
377 # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
380 # Compression algorithm for pcap files. Possible values: none, lz4.
381 # Enabling compression is incompatible with the sguil mode. Note also
382 # that on Windows, enabling compression will *increase* disk I/O.
385 # Further options for lz4 compression. The compression level can be set
386 # to a value between 0 and 16, where higher values result in higher
391 mode: normal # normal, multi or sguil.
393 # Directory to place pcap files. If not provided the default log
394 # directory will be used. Required for "sguil" mode.
397 #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
398 use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
399 honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
401 # a full alerts log containing much information for signature writers
402 # or for investigating suspected false positives.
405 filename: alert-debug.log
407 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
409 # alert output to prelude (https://www.prelude-siem.org/) only
410 # available if Suricata has been compiled with --enable-prelude
414 log-packet-content: no
415 log-packet-header: yes
417 # Stats.log contains data from various counters of the Suricata engine.
421 append: yes # append to file (yes) or overwrite it (no)
422 totals: yes # stats for all threads merged together
423 threads: no # per thread stats
424 #null-values: yes # print counters that have value 0
426 # a line based alerts log similar to fast.log into syslog
429 # reported identity to syslog. If ommited the program name (usually
430 # suricata) will be used.
431 #identity: "suricata"
433 #level: Info ## possible levels: Emergency, Alert, Critical,
434 ## Error, Warning, Notice, Info, Debug
436 # a line based information for dropped packets in IPS mode
441 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
443 # Output module for storing files on disk. Files are stored in a
444 # directory names consisting of the first 2 characters of the
445 # SHA256 of the file. Each file is given its SHA256 as a filename.
447 # When a duplicate file is found, the existing file is touched to
448 # have its timestamps updated.
450 # Unlike the older filestore, metadata is not written out by default
451 # as each file should already have a "fileinfo" record in the
452 # eve.log. If write-fileinfo is set to yes, the each file will have
453 # one more associated .json files that consists of the fileinfo
454 # record. A fileinfo file will be written for each occurrence of the
455 # file seen using a filename suffix to ensure uniqueness.
457 # To prune the filestore directory see the "suricatactl filestore
458 # prune" command which can delete files over a certain age.
463 # Set the directory for the filestore. If the path is not
464 # absolute will be be relative to the default-log-dir.
467 # Write out a fileinfo record for each occurrence of a
468 # file. Disabled by default as each occurrence is already logged
469 # as a fileinfo record to the main eve-log.
472 # Force storing of all files. Default: no.
473 #force-filestore: yes
475 # Override the global stream-depth for sessions in which we want
476 # to perform file extraction. Set to 0 for unlimited.
479 # Uncomment the following variable to define how many files can
480 # remain open for filestore by Suricata. Default value is 0 which
481 # means files get closed after each write
482 #max-open-files: 1000
484 # Force logging of checksums, available hash functions are md5,
485 # sha1 and sha256. Note that SHA256 is automatically forced by
486 # the use of this output module as it uses the SHA256 as the
487 # file naming scheme.
488 #force-hash: [sha1, md5]
489 # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled
490 # HTTP X-Forwarded-For support by adding an extra field or overwriting
491 # the source or destination IP address (depending on flow direction)
492 # with the one reported in the X-Forwarded-For HTTP header. This is
493 # helpful when reviewing alerts for traffic that is being reverse
494 # or forward proxied.
497 # Two operation modes are available, "extra-data" and "overwrite".
499 # Two proxy deployments are supported, "reverse" and "forward". In
500 # a "reverse" deployment the IP address used is the last one, in a
501 # "forward" deployment the first IP address is used.
503 # Header name where the actual IP address will be reported, if more
504 # than one IP address is present, the last IP address will be the
505 # one taken into consideration.
506 header: X-Forwarded-For
508 # output module to store extracted files to disk (old style, deprecated)
510 # The files are stored to the log-dir in a format "file.<id>" where <id> is
511 # an incrementing number starting at 1. For each file "file.<id>" a meta
512 # file "file.<id>.meta" is created. Before they are finalized, they will
513 # have a ".tmp" suffix to indicate that they are still being processed.
515 # If include-pid is yes, then the files are instead "file.<pid>.<id>", with
516 # meta files named as "file.<pid>.<id>.meta"
518 # File extraction depends on a lot of things to be fully done:
519 # - file-store stream-depth. For optimal results, set this to 0 (unlimited)
520 # - http request / response body sizes. Again set to 0 for optimal results.
521 # - rules that contain the "filestore" keyword.
523 enabled: no # set to yes to enable
524 log-dir: files # directory to store the files
525 force-magic: no # force logging magic on all stored files
526 # force logging of checksums, available hash functions are md5,
529 force-filestore: no # force storing of all files
530 # override global stream-depth for sessions in which we want to
531 # perform file extraction. Set to 0 for unlimited.
533 #waldo: file.waldo # waldo file to store the file_id across runs
534 # uncomment to disable meta file writing
536 # uncomment the following variable to define how many files can
537 # remain open for filestore by Suricata. Default value is 0 which
538 # means files get closed after each write
539 #max-open-files: 1000
540 include-pid: no # set to yes to include pid in file names
542 # Log TCP data after stream normalization
543 # 2 types: file or dir. File logs into a single logfile. Dir creates
544 # 2 files per TCP session and stores the raw TCP data into them.
545 # Using 'both' will enable both file and dir modes.
547 # Note: limited by stream.depth
551 filename: tcp-data.log
553 # Log HTTP body data after normalization, dechunking and unzipping.
554 # 2 types: file or dir. File logs into a single logfile. Dir creates
555 # 2 files per HTTP session and stores the normalized data into them.
556 # Using 'both' will enable both file and dir modes.
558 # Note: limited by the body limit settings
562 filename: http-data.log
564 # Lua Output Support - execute lua script to generate alert and event
567 # https://suricata.readthedocs.io/en/latest/output/lua-output.html
570 #scripts-dir: /etc/suricata/lua-output/
574 # Logging configuration. This is not about logging IDS alerts/events, but
575 # output about what Suricata is doing, like startup messages, errors, etc.
577 # The default log level, can be overridden in an output section.
578 # Note that debug level logging will only be emitted if Suricata was
579 # compiled with the --enable-debug configure option.
581 # This value is overridden by the SC_LOG_LEVEL env var.
582 default-log-level: notice
584 # The default output format. Optional parameter, should default to
585 # something reasonable if not provided. Can be overridden in an
586 # output section. You can leave this out to get the default.
588 # This value is overridden by the SC_LOG_FORMAT env var.
589 #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
591 # A regex to filter output. Can be overridden in an output section.
592 # Defaults to empty (no filter).
594 # This value is overridden by the SC_LOG_OP_FILTER env var.
595 default-output-filter:
597 # Define your logging outputs. If none are defined, or they are all
598 # disabled you will get the default - console output.
606 filename: suricata.log
611 format: "[%i] <%d> -- "
616 ## Step 4: configure common capture settings
618 ## See "Advanced Capture Options" below for more options, including NETMAP
622 # Linux high speed capture support
625 # Number of receive threads. "auto" uses the number of cores
627 # Default clusterid. AF_PACKET will load balance packets based on flow.
629 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
630 # This is only supported for Linux kernel > 3.1
631 # possible value are:
632 # * cluster_flow: all packets of a given flow are send to the same socket
633 # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
634 # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
635 # socket. Requires at least Linux 3.14.
636 # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
638 # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
639 # with capture card using RSS (require cpu affinity tuning and system irq tuning)
640 cluster-type: cluster_flow
641 # In some fragmentation case, the hash can not be computed. If "defrag" is set
642 # to yes, the kernel will do the needed defragmentation before sending the packets.
644 # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
646 # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock
649 # Use tpacket_v3 capture mode, only active if use-mmap is true
650 # Don't use it in IPS or TAP mode as it causes severe latency
652 # Ring size will be computed with respect to max_pending_packets and number
653 # of threads. You can set manually the ring size in number of packets by setting
654 # the following value. If you are using flow cluster-type and have really network
655 # intensive single-flow you could want to set the ring-size independently of the number
658 # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
659 # a decent number of packets. Size is in bytes so please consider your MTU. It should be
660 # a power of 2 and it must be multiple of page size (usually 4096).
662 # tpacket_v3 block timeout: an open block is passed to userspace if it is not
663 # filled after block-timeout milliseconds.
665 # On busy system, this could help to set it to yes to recover from a packet drop
666 # phase. This will result in some packets (at max a ring flush) being non treated.
667 #use-emergency-flush: yes
668 # recv buffer size, increase value could improve performance
670 # Set to yes to disable promiscuous mode
671 # disable-promisc: no
672 # Choose checksum verification mode for the interface. At the moment
673 # of the capture, some packets may be with an invalid checksum due to
674 # offloading to the network card of the checksum computation.
675 # Possible values are:
676 # - kernel: use indication sent by kernel for each packet (default)
677 # - yes: checksum validation is forced
678 # - no: checksum validation is disabled
679 # - auto: suricata uses a statistical approach to detect when
680 # checksum off-loading is used.
681 # Warning: 'checksum-validation' must be set to yes to have any validation
682 #checksum-checks: kernel
683 # BPF filter to apply to this interface. The pcap filter syntax apply here.
684 #bpf-filter: port 80 or udp
685 # You can use the following variables to activate AF_PACKET tap or IPS mode.
686 # If copy-mode is set to ips or tap, the traffic coming to the current
687 # interface will be copied to the copy-iface interface. If 'tap' is set, the
688 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
689 # will not be copied.
692 # For eBPF and XDP setup including bypass, filter and load balancing, please
693 # see doc/userguide/capture/ebpf-xdt.rst for more info.
695 # Put default values here. These will be used for an interface that is not
702 # Cross platform libpcap capture support
705 # On Linux, pcap will try to use mmaped capture and will use buffer-size
706 # as total of memory used by the ring. So set this to something bigger
707 # than 1% of your bandwidth.
708 #buffer-size: 16777216
709 #bpf-filter: "tcp and port 25"
710 # Choose checksum verification mode for the interface. At the moment
711 # of the capture, some packets may be with an invalid checksum due to
712 # offloading to the network card of the checksum computation.
713 # Possible values are:
714 # - yes: checksum validation is forced
715 # - no: checksum validation is disabled
716 # - auto: Suricata uses a statistical approach to detect when
717 # checksum off-loading is used. (default)
718 # Warning: 'checksum-validation' must be set to yes to have any validation
719 #checksum-checks: auto
720 # With some accelerator cards using a modified libpcap (like myricom), you
721 # may want to have the same number of capture threads as the number of capture
722 # rings. In this case, set up the threads variable to N to start N threads
723 # listening on the same interface.
725 # set to no to disable promiscuous mode:
727 # set snaplen, if not set it defaults to MTU if MTU can be known
728 # via ioctl call and to full capture if not.
730 # Put default values here
732 #checksum-checks: auto
734 # Settings for reading pcap files
736 # Possible values are:
737 # - yes: checksum validation is forced
738 # - no: checksum validation is disabled
739 # - auto: Suricata uses a statistical approach to detect when
740 # checksum off-loading is used. (default)
741 # Warning: 'checksum-validation' must be set to yes to have checksum tested
742 checksum-checks: auto
744 # See "Advanced Capture Options" below for more options, including NETMAP
749 ## Step 5: App Layer Protocol Configuration
752 # Configure the app-layer parsers. The protocols section details each
755 # The option "enabled" takes 3 values - "yes", "no", "detection-only".
756 # "yes" enables both detection and the parser, "no" disables both, and
757 # "detection-only" enables protocol detection only (parser disabled).
771 # Generate JA3 fingerprint from client hello
774 # What to do when the encrypted communications start:
775 # - default: keep tracking TLS session, check for protocol anomalies,
776 # inspect tls_* keywords. Disables inspection of unmodified
777 # 'content' signatures.
778 # - bypass: stop processing this flow as much as possible. No further
779 # TLS parsing and inspection. Offload flow bypass to kernel
780 # or hardware if possible.
781 # - full: keep tracking and inspection as normal. Unmodified content
782 # keyword signatures are inspected as well.
784 # For best performance, select 'bypass'.
786 #encryption-handling: default
798 # Configure SMTP-MIME Decoder
800 # Decode MIME messages from SMTP transactions
801 # (may be resource intensive)
802 # This field supercedes all others because it turns the entire
806 # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
808 decode-quoted-printable: yes
810 # Maximum bytes per header data value stored in the data structure
812 header-value-depth: 2000
814 # Extract URLs and save in state data structure
816 # Set to yes to compute the md5 of the mail body. You will then
817 # be able to journalize it.
819 # Configure inspected-tracker for file_data keyword
821 content-limit: 100000
822 content-inspect-min-size: 32768
823 content-inspect-window: 4096
825 enabled: detection-only
827 enabled: detection-only
833 # Stream reassembly size for SMB streams. By default track it completely.
841 # memcaps. Globally and per flow/state.
845 # How many unreplied DNS requests are considered a flood.
846 # If the limit is reached, app-layer-event:dns.flooded; will match.
861 # default-config: Used when no server-config matches
862 # personality: List of personalities used by default
863 # request-body-limit: Limit reassembly of request body for inspection
864 # by http_client_body & pcre /P option.
865 # response-body-limit: Limit reassembly of response body for inspection
866 # by file_data, http_server_body & pcre /Q option.
867 # double-decode-path: Double decode path section of the URI
868 # double-decode-query: Double decode query section of the URI
869 # response-body-decompress-layer-limit:
870 # Limit to how many layers of compression will be
871 # decompressed. Defaults to 2.
873 # server-config: List of server configurations to use if address matches
874 # address: List of IP addresses or networks for this block
875 # personalitiy: List of personalities used by this block
876 # request-body-limit: Limit reassembly of request body for inspection
877 # by http_client_body & pcre /P option.
878 # response-body-limit: Limit reassembly of response body for inspection
879 # by file_data, http_server_body & pcre /Q option.
880 # double-decode-path: Double decode path section of the URI
881 # double-decode-query: Double decode query section of the URI
883 # uri-include-all: Include all parts of the URI. By default the
884 # 'scheme', username/password, hostname and port
885 # are excluded. Setting this option to true adds
886 # all of them to the normalized uri as inspected
887 # by http_uri, urilen, pcre with /U and the other
888 # keywords that inspect the normalized uri.
889 # Note that this does not affect http_raw_uri.
890 # Also, note that including all was the default in
893 # meta-field-limit: Hard size limit for request and response size
894 # limits. Applies to request line and headers,
895 # response line and headers. Does not apply to
896 # request or response bodies. Default is 18k.
897 # If this limit is reached an event is raised.
899 # Currently Available Personalities:
900 # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
901 # IIS_7_0, IIS_7_5, Apache_2
906 # Can be specified in kb, mb, gb. Just a number indicates
908 request-body-limit: 100kb
909 response-body-limit: 100kb
912 request-body-minimal-inspect-size: 32kb
913 request-body-inspect-window: 4kb
914 response-body-minimal-inspect-size: 40kb
915 response-body-inspect-window: 16kb
917 # response body decompression (0 disables)
918 response-body-decompress-layer-limit: 2
920 # auto will use http-body-inline mode in IPS mode, yes or no set it statically
921 http-body-inline: auto
923 # Decompress SWF files.
924 # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
926 # Specifies the maximum amount of data to decompress,
927 # set 0 for unlimited.
929 # Specifies the maximum amount of decompressed data to obtain,
930 # set 0 for unlimited.
937 # Take a random value for inspection sizes around the specified value.
938 # This lower the risk of some evasion technics but could lead
939 # detection change between runs. It is set to 'yes' by default.
940 #randomize-inspection-sizes: yes
941 # If randomize-inspection-sizes is active, the value of various
942 # inspection size will be choosen in the [1 - range%, 1 + range%]
944 # Default value of randomize-inspection-range is 10.
945 #randomize-inspection-range: 10
948 double-decode-path: no
949 double-decode-query: no
954 # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
955 # personality: Apache_2
956 # # Can be specified in kb, mb, gb. Just a number indicates
958 # request-body-limit: 4096
959 # response-body-limit: 4096
960 # double-decode-path: no
961 # double-decode-query: no
967 # personality: IIS_7_0
968 # # Can be specified in kb, mb, gb. Just a number indicates
970 # request-body-limit: 4096
971 # response-body-limit: 4096
972 # double-decode-path: no
973 # double-decode-query: no
975 # Note: Modbus probe parser is minimalist due to the poor significant field
976 # Only Modbus message length (greater than Modbus header length)
977 # And Protocol ID (equal to 0) are checked in probing parser
978 # It is important to enable detection port and define Modbus port
979 # to avoid false positive
981 # How many unreplied Modbus requests are considered a flood.
982 # If the limit is reached, app-layer-event:modbus.flooded; will match.
988 # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
989 # is recommended to keep the TCP connection opened with a remote device
990 # and not to open and close it for each MODBUS/TCP transaction. In that
991 # case, it is important to set the depth of the stream reassembling as
992 # unlimited (stream.reassembly.depth: 0)
994 # Stream reassembly size for modbus. By default track it completely.
1003 # SCADA EtherNet/IP and CIP protocol support
1016 # Limit for the maximum number of asn1 frames to decode (default 256)
1017 asn1-max-frames: 256
1020 ##############################################################################
1022 ## Advanced settings below
1024 ##############################################################################
1030 # Run suricata as user and group.
1035 # Some logging module will use that name in event as identifier. The default
1036 # value is the hostname
1037 #sensor-name: suricata
1039 # Default location of the pid file. The pid file is only used in
1040 # daemon mode (start Suricata with -D). If not running in daemon mode
1041 # the --pidfile command line option must be used to create a pid file.
1042 #pid-file: @e_rundir@suricata.pid
1044 # Daemon working directory
1045 # Suricata will change directory to this one if provided
1047 #daemon-directory: "/"
1050 # Suricata will use this umask if it is provided. By default it will use the
1051 # umask passed on by the shell.
1054 # Suricata core dump configuration. Limits the size of the core dump file to
1055 # approximately max-dump. The actual core dump size will be a multiple of the
1056 # page size. Core dumps that would be larger than max-dump are truncated. On
1057 # Linux, the actual core dump size may be a few pages larger than max-dump.
1058 # Setting max-dump to 0 disables core dumping.
1059 # Setting max-dump to 'unlimited' will give the full core dump file.
1060 # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1061 # to be 'unlimited'.
1066 # If Suricata box is a router for the sniffed networks, set it to 'router'. If
1067 # it is a pure sniffing setup, set it to 'sniffer-only'.
1068 # If set to auto, the variable is internally switch to 'router' in IPS mode
1069 # and 'sniffer-only' in IDS mode.
1070 # This feature is currently only used by the reject* keywords.
1073 # Number of packets preallocated per thread. The default is 1024. A higher number
1074 # will make sure each CPU will be more easily kept busy, but may negatively
1076 #max-pending-packets: 1024
1078 # Runmode the engine should use. Please check --list-runmodes to get the available
1079 # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
1083 # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
1085 # Supported schedulers are:
1087 # round-robin - Flows assigned to threads in a round robin fashion.
1088 # active-packets - Flows assigned to threads that have the lowest number of
1089 # unprocessed packets (default).
1090 # hash - Flow allocated using the address hash. More of a random
1091 # technique. Was the default in Suricata 1.2.1 and older.
1093 #autofp-scheduler: active-packets
1095 # Preallocated size for packet. Default is 1514 which is the classical
1096 # size for pcap on ethernet. You should adjust this value to the highest
1097 # packet size (MTU + hardware header) on your system.
1098 #default-packet-size: 1514
1100 # Unix command socket can be used to pass commands to Suricata.
1101 # An external tool can then connect to get information from Suricata
1102 # or trigger some modifications of the engine. Set enabled to yes
1103 # to activate the feature. In auto mode, the feature will only be
1104 # activated in live capture mode. You can use the filename variable to set
1105 # the file name of the socket.
1108 #filename: custom.socket
1110 # Magic file. The extension .mgc is added to the value here.
1111 #magic-file: /usr/share/file/magic
1112 @e_magic_file_comment@magic-file: @e_magic_file@
1118 ## Detection settings
1121 # Set the order of alerts based on actions
1122 # The default order is pass, drop, reject, alert
1130 #reputation-categories-file: @e_sysconfdir@iprep/categories.txt
1131 #default-reputation-path: @e_sysconfdir@iprep
1135 # When run with the option --engine-analysis, the engine will read each of
1136 # the parameters below, and print reports for each of the enabled sections
1137 # and exit. The reports are printed to a file in the default log dir
1138 # given by the parameter "default-log-dir", with engine reporting
1139 # subsection below printing reports in its own report file.
1141 # enables printing reports for fast-pattern for every rule.
1142 rules-fast-pattern: yes
1143 # enables printing reports for each rule
1146 #recursion and match limits for PCRE where supported
1149 match-limit-recursion: 1500
1152 ## Advanced Traffic Tracking and Reconstruction Settings
1155 # Host specific policies for defragmentation and TCP stream
1156 # reassembly. The host OS lookup is done using a radix tree, just
1157 # like a routing table so the most specific entry matches.
1159 # Make the default policy windows.
1160 windows: [0.0.0.0/0]
1179 trackers: 65535 # number of defragmented flows to follow
1180 max-frags: 65535 # number of fragments to keep (higher than trackers)
1184 # Enable defrag per host settings
1189 # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
1199 # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
1200 # for flow allocation inside the engine. You can change this value to allow
1201 # more memory usage for flows.
1202 # The hash-size determine the size of the hash used to identify flows inside
1203 # the engine, and by default the value is 65536.
1204 # At the startup, the engine can preallocate a number of flows, to get a better
1205 # performance. The number of flows preallocated is 10000 by default.
1206 # emergency-recovery is the percentage of flows that the engine need to
1207 # prune before unsetting the emergency state. The emergency state is activated
1208 # when the memcap limit is reached, allowing to create new flows, but
1209 # pruning them with the emergency timeouts (they are defined below).
1210 # If the memcap is reached, the engine will try to prune flows
1211 # with the default timeouts. If it doesn't find a flow to prune, it will set
1212 # the emergency bit and it will try again with more aggressive timeouts.
1213 # If that doesn't work, then it will try to kill the last time seen flows
1215 # The memcap can be specified in kb, mb, gb. Just a number indicates it's
1222 emergency-recovery: 30
1223 #managers: 1 # default to one flow manager
1224 #recyclers: 1 # default to one flow recycler thread
1226 # This option controls the use of vlan ids in the flow (and defrag)
1227 # hashing. Normally this should be enabled, but in some (broken)
1228 # setups where both sides of a flow are not tagged with the same vlan
1229 # tag, we can ignore the vlan id's in the flow hashing.
1231 use-for-tracking: true
1233 # Specific timeouts for flows. Here you can specify the timeouts that the
1234 # active flows will wait to transit from the current state to another, on each
1235 # protocol. The value of "new" determine the seconds to wait after a handshake or
1236 # stream startup before the engine free the data of that flow it doesn't
1237 # change the state to established (usually if we don't receive more packets
1238 # of that flow). The value of "established" is the amount of
1239 # seconds that the engine will wait to free the flow if it spend that amount
1240 # without receiving new packets or closing the connection. "closed" is the
1241 # amount of time to wait after a flow is closed (usually zero). "bypassed"
1242 # timeout controls locally bypassed flows. For these flows we don't do any other
1243 # tracking. If no packets have been seen after this timeout, the flow is discarded.
1245 # There's an emergency mode that will become active under attack circumstances,
1246 # making the engine to check flow status faster. This configuration variables
1247 # use the prefix "emergency-" and work similar as the normal ones.
1248 # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
1259 emergency-established: 100
1261 emergency-bypassed: 50
1268 emergency-established: 100
1269 emergency-closed: 10
1270 emergency-bypassed: 50
1276 emergency-established: 100
1277 emergency-bypassed: 50
1283 emergency-established: 100
1284 emergency-bypassed: 50
1286 # Stream engine settings. Here the TCP stream tracking and reassembly
1287 # engine is configured.
1290 # memcap: 32mb # Can be specified in kb, mb, gb. Just a
1291 # # number indicates it's in bytes.
1292 # checksum-validation: yes # To validate the checksum of received
1293 # # packet. If csum validation is specified as
1294 # # "yes", then packet with invalid csum will not
1295 # # be processed by the engine stream/app layer.
1296 # # Warning: locally generated traffic can be
1297 # # generated without checksum due to hardware offload
1298 # # of checksum. You can control the handling of checksum
1299 # # on a per-interface basis via the 'checksum-checks'
1301 # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
1302 # midstream: false # don't allow midstream session pickups
1303 # async-oneside: false # don't enable async stream handling
1304 # inline: no # stream inline mode
1305 # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
1306 # max-synack-queued: 5 # Max different SYN/ACKs to queue
1307 # bypass: no # Bypass packets when stream.depth is reached
1310 # memcap: 64mb # Can be specified in kb, mb, gb. Just a number
1311 # # indicates it's in bytes.
1312 # depth: 1mb # Can be specified in kb, mb, gb. Just a number
1313 # # indicates it's in bytes.
1314 # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
1315 # # this size. Can be specified in kb, mb,
1316 # # gb. Just a number indicates it's in bytes.
1317 # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
1318 # # this size. Can be specified in kb, mb,
1319 # # gb. Just a number indicates it's in bytes.
1320 # randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
1321 # # This lower the risk of some evasion technics but could lead
1322 # # detection change between runs. It is set to 'yes' by default.
1323 # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
1324 # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
1325 # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
1326 # # calculation for toclient-chunk-size.
1327 # # Default value of randomize-chunk-range is 10.
1329 # raw: yes # 'Raw' reassembly enabled or disabled.
1330 # # raw is for content inspection by detection
1333 # segment-prealloc: 2048 # number of segments preallocated per thread
1335 # check-overlap-different-data: true|false
1336 # # check if a segment contains different data
1337 # # than what we've already seen for that
1338 # # position in the stream.
1339 # # This is enabled automatically if inline mode
1340 # # is used or when stream-event:reassembly_overlap_different_data;
1341 # # is used in a rule.
1345 checksum-validation: yes # reject wrong csums
1346 inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
1349 depth: 1mb # reassemble 1mb into a stream
1350 toserver-chunk-size: 2560
1351 toclient-chunk-size: 2560
1352 randomize-chunk-size: yes
1353 #randomize-chunk-range: 10
1355 #segment-prealloc: 2048
1356 #check-overlap-different-data: true
1360 # Host table is used by tagging and per host thresholding subsystems.
1369 # Used by xbits 'ippair' tracking.
1379 # Teredo decoder is known to not be completely accurate
1380 # it will sometimes detect non-teredo as teredo.
1386 ## Performance tuning and profiling
1389 # The detection engine builds internal groups of signatures. The engine
1390 # allow us to specify the profile to use for them, to manage memory on an
1391 # efficient way keeping a good performance. For the profile keyword you
1392 # can use the words "low", "medium", "high" or "custom". If you use custom
1393 # make sure to define the values at "- custom-values" as your convenience.
1394 # Usually you would prefer medium/high/low.
1396 # "sgh mpm-context", indicates how the staging should allot mpm contexts for
1397 # the signature groups. "single" indicates the use of a single context for
1398 # all the signature group heads. "full" indicates a mpm-context for each
1399 # group head. "auto" lets the engine decide the distribution of contexts
1400 # based on the information the engine gathers on the patterns from each
1403 # The option inspection-recursion-limit is used to limit the recursive calls
1404 # in the content inspection code. For certain payload-sig combinations, we
1405 # might end up taking too much time in the content inspection code.
1406 # If the argument specified is 0, the engine uses an internally defined
1407 # default limit. On not specifying a value, we use no limits on the recursion.
1413 sgh-mpm-context: auto
1414 inspection-recursion-limit: 3000
1415 # If set to yes, the loading of signatures will be made after the capture
1416 # is started. This will limit the downtime in IPS mode.
1417 #delayed-detect: yes
1420 # default prefiltering setting. "mpm" only creates MPM/fast_pattern
1421 # engines. "auto" also sets up prefilter engines for other keywords.
1422 # Use --list-keywords=all to see which keywords support prefiltering.
1425 # the grouping values above control how many groups are created per
1426 # direction. Port whitelisting forces that port to get it's own group.
1427 # Very common ports will benefit, as well as ports with many expensive
1430 #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
1431 #udp-whitelist: 53, 135, 5060
1434 # Log the rules that made it past the prefilter stage, per packet
1435 # default is off. The threshold setting determines how many rules
1436 # must have made it past pre-filter for that rule to trigger the
1438 #inspect-logging-threshold: 200
1441 include-rules: false # very verbose
1442 include-mpm-stats: false
1444 # Select the multi pattern algorithm you want to run for scan/search the
1447 # The supported algorithms are:
1448 # "ac" - Aho-Corasick, default implementation
1449 # "ac-bs" - Aho-Corasick, reduced memory implementation
1450 # "ac-ks" - Aho-Corasick, "Ken Steele" variant
1451 # "hs" - Hyperscan, available when built with Hyperscan support
1453 # The default mpm-algo value of "auto" will use "hs" if Hyperscan is
1454 # available, "ac" otherwise.
1456 # The mpm you choose also decides the distribution of mpm contexts for
1457 # signature groups, specified by the conf - "detect.sgh-mpm-context".
1458 # Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
1459 # to be set to "single", because of ac's memory requirements, unless the
1460 # ruleset is small enough to fit in one's memory, in which case one can
1461 # use "full" with "ac". Rest of the mpms can be run in "full" mode.
1465 # Select the matching algorithm you want to use for single-pattern searches.
1467 # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
1468 # available if Suricata has been built with Hyperscan support).
1470 # The default of "auto" will use "hs" if available, otherwise "bm".
1474 # Suricata is multi-threaded. Here the threading can be influenced.
1476 set-cpu-affinity: no
1477 # Tune cpu affinity of threads. Each family of threads can be bound
1480 # These 2 apply to the all runmodes:
1481 # management-cpu-set is used for flow timeout handling, counters
1482 # worker-cpu-set is used for 'worker' threads
1484 # Additionally, for autofp these apply:
1485 # receive-cpu-set is used for capture threads
1486 # verdict-cpu-set is used for IPS verdict threads
1489 - management-cpu-set:
1490 cpu: [ 0 ] # include only these CPUs in affinity settings
1492 cpu: [ 0 ] # include only these CPUs in affinity settings
1496 # Use explicitely 3 threads and don't compute number by using
1497 # detect-thread-ratio variable:
1509 # By default Suricata creates one "detect" thread per available CPU/CPU core.
1510 # This setting allows controlling this behaviour. A ratio setting of 2 will
1511 # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
1512 # will result in 4 detect threads. If values below 1 are used, less threads
1513 # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
1514 # thread being created. Regardless of the setting at a minimum 1 detect
1515 # thread will always be created.
1517 detect-thread-ratio: 1.0
1519 # Luajit has a strange memory requirement, it's 'states' need to be in the
1520 # first 2G of the process' memory.
1522 # 'luajit.states' is used to control how many states are preallocated.
1523 # State use: per detect script: 1 per detect thread. Per output script: 1 per
1528 # Profiling settings. Only effective if Suricata has been built with the
1529 # the --enable-profiling configure flag.
1532 # Run profiling for every xth packet. The default is 1, which means we
1533 # profile every packet. If set to 1000, one packet is profiled for every
1540 # Profiling can be disabled here, but it will still have a
1541 # performance impact if compiled in.
1543 filename: rule_perf.log
1546 # Sort options: ticks, avgticks, checks, matches, maxticks
1547 # If commented out all the sort options will be used.
1550 # Limit the number of sids for which stats are shown at exit (per sort).
1554 json: @e_enable_evelog@
1556 # per keyword profiling
1559 filename: keyword_perf.log
1564 filename: prefilter_perf.log
1567 # per rulegroup profiling
1570 filename: rule_group_perf.log
1576 # Profiling can be disabled here, but it will still have a
1577 # performance impact if compiled in.
1579 filename: packet_stats.log
1582 # per packet csv output
1585 # Output can be disabled here, but it will still have a
1586 # performance impact if compiled in.
1588 filename: packet_stats.csv
1590 # profiling of locking. Only available when Suricata was built with
1591 # --enable-profiling-locks.
1594 filename: lock_stats.log
1599 filename: pcaplog_stats.log
1603 ## Netfilter integration
1606 # When running in NFQ inline mode, it is possible to use a simulated
1607 # non-terminal NFQUEUE verdict.
1608 # This permit to do send all needed packet to Suricata via this a rule:
1609 # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
1610 # And below, you can have your standard filtering ruleset. To activate
1611 # this mode, you need to set mode to 'repeat'
1612 # If you want packet to be sent to another queue after an ACCEPT decision
1613 # set mode to 'route' and set next-queue value.
1614 # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
1615 # by processing several packets before sending a verdict (worker runmode only).
1616 # On linux >= 3.6, you can set the fail-open option to yes to have the kernel
1617 # accept the packet if Suricata is not able to keep pace.
1618 # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
1619 # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
1620 # on packet of a flow that need to be bypassed. The Nefilter ruleset has to
1621 # directly accept all packets of a flow once a packet has been marked.
1634 # netlink multicast group
1635 # (the same as the iptables --nflog-group param)
1636 # Group 0 is used by the kernel, so you can't use it
1638 # netlink buffer size
1640 # put default value here
1642 # set number of packet to queue inside kernel
1644 # set the delay before flushing packet in the queue inside kernel
1646 # netlink max buffer size
1650 ## Advanced Capture Options
1653 # general settings affecting packet capture
1655 # disable NIC offloading. It's restored when Suricata exits.
1656 # Enabled by default.
1657 #disable-offloading: false
1659 # disable checksum validation. Same as setting '-k none' on the
1661 #checksum-validation: none
1665 # Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have
1666 # built-in netmap support or compile and install netmap module and appropriate
1667 # NIC driver on your Linux system.
1668 # To reach maximum throughput disable all receive-, segmentation-,
1669 # checksum- offloadings on NIC.
1670 # Disabling Tx checksum offloading is *required* for connecting OS endpoint
1671 # with NIC endpoint.
1672 # You can find more information at https://github.com/luigirizzo/netmap
1675 # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
1677 # Number of capture threads. "auto" uses number of RSS queues on interface.
1678 # Warning: unless the RSS hashing is symmetrical, this will lead to
1681 # You can use the following variables to activate netmap tap or IPS mode.
1682 # If copy-mode is set to ips or tap, the traffic coming to the current
1683 # interface will be copied to the copy-iface interface. If 'tap' is set, the
1684 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
1685 # will not be copied.
1686 # To specify the OS as the copy-iface (so the OS can route packets, or forward
1687 # to a service running on the same machine) add a plus sign at the end
1688 # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
1689 # for return packets. Hardware checksumming must be *off* on the interface if
1690 # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
1691 # or 'ethtool -K eth0 tx off rx off' for Linux).
1694 # Set to yes to disable promiscuous mode
1695 # disable-promisc: no
1696 # Choose checksum verification mode for the interface. At the moment
1697 # of the capture, some packets may be with an invalid checksum due to
1698 # offloading to the network card of the checksum computation.
1699 # Possible values are:
1700 # - yes: checksum validation is forced
1701 # - no: checksum validation is disabled
1702 # - auto: Suricata uses a statistical approach to detect when
1703 # checksum off-loading is used.
1704 # Warning: 'checksum-validation' must be set to yes to have any validation
1705 #checksum-checks: auto
1706 # BPF filter to apply to this interface. The pcap filter syntax apply here.
1707 #bpf-filter: port 80 or udp
1712 # Put default values here
1713 - interface: default
1715 # PF_RING configuration. for use with native PF_RING support
1716 # for more info see http://www.ntop.org/products/pf_ring/
1719 # Number of receive threads. If set to 'auto' Suricata will first try
1720 # to use CPU (core) count and otherwise RSS queue count.
1723 # Default clusterid. PF_RING will load balance packets based on flow.
1724 # All threads/processes that will participate need to have the same
1728 # Default PF_RING cluster type. PF_RING can load balance per flow.
1729 # Possible values are cluster_flow or cluster_round_robin.
1730 cluster-type: cluster_flow
1732 # bpf filter for this interface
1735 # If bypass is set then the PF_RING hw bypass is activated, when supported
1736 # by the interface in use. Suricata will instruct the interface to bypass
1737 # all future packets for a flow that need to be bypassed.
1740 # Choose checksum verification mode for the interface. At the moment
1741 # of the capture, some packets may be with an invalid checksum due to
1742 # offloading to the network card of the checksum computation.
1743 # Possible values are:
1744 # - rxonly: only compute checksum for packets received by network card.
1745 # - yes: checksum validation is forced
1746 # - no: checksum validation is disabled
1747 # - auto: Suricata uses a statistical approach to detect when
1748 # checksum off-loading is used. (default)
1749 # Warning: 'checksum-validation' must be set to yes to have any validation
1750 #checksum-checks: auto
1755 # cluster-type: cluster_flow
1756 # Put default values here
1757 - interface: default
1760 # For FreeBSD ipfw(8) divert(4) support.
1761 # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
1762 # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
1763 # Additionally, you need to have an ipfw rule for the engine to see
1764 # the packets from ipfw. For Example:
1766 # ipfw add 100 divert 8000 ip from any to any
1768 # The 8000 above should be the same number you passed on the command
1769 # line, i.e. -d 8000
1773 # Reinject packets at the specified ipfw rule number. This config
1774 # option is the ipfw rule number AT WHICH rule processing continues
1775 # in the ipfw processing system after the engine has finished
1776 # inspecting the packet for acceptance. If no rule number is specified,
1777 # accepted packets are reinjected at the divert rule which they entered
1778 # and IPFW rule processing continues. No check is done to verify
1779 # this will rule makes sense so care must be taken to avoid loops in ipfw.
1781 ## The following example tells the engine to reinject packets
1782 # back into the ipfw firewall AT rule number 5500:
1784 # ipfw-reinjection-rule-number: 5500
1788 # The Host Buffer Allowance for all streams
1789 # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1790 # This may be enabled when sharing streams with another application.
1791 # Otherwise, it should be turned off.
1794 # When use_all_streams is set to "yes" the initialization code will query
1795 # the Napatech service for all configured streams and listen on all of them.
1796 # When set to "no" the streams config array will be used.
1798 # This option necessitates running the appropriate NTPL commands to create
1799 # the desired streams prior to running suricata.
1800 #use-all-streams: no
1802 # The streams to listen on when auto-config is disabled or when and threading
1803 # cpu-affinity is disabled. This can be either:
1804 # an individual stream (e.g. streams: [0])
1806 # a range of streams (e.g. streams: ["0-3"])
1810 # When auto-config is enabled the streams will be created and assigned
1811 # automatically to the NUMA node where the thread resides. If cpu-affinity
1812 # is enabled in the threading section. Then the streams will be created
1813 # according to the number of worker threads specified in the worker cpu set.
1814 # Otherwise, the streams array is used to define the streams.
1816 # This option cannot be used simultaneous with "use-all-streams".
1820 # Ports indicates which napatech ports are to be used in auto-config mode.
1821 # these are the port ID's of the ports that will be merged prior to the
1822 # traffic being distributed to the streams.
1824 # This can be specified in any of the following ways:
1826 # a list of individual ports (e.g. ports: [0,1,2,3])
1828 # a range of ports (e.g. ports: [0-3])
1830 # "all" to indicate that all ports are to be merged together
1831 # (e.g. ports: [all])
1833 # This has no effect if auto-config is disabled.
1837 # When auto-config is enabled the hashmode specifies the algorithm for
1838 # determining to which stream a given packet is to be delivered.
1839 # This can be any valid Napatech NTPL hashmode command.
1841 # The most common hashmode commands are: hash2tuple, hash2tuplesorted,
1842 # hash5tuple, hash5tuplesorted and roundrobin.
1844 # See Napatech NTPL documentation other hashmodes and details on their use.
1846 # This has no effect if auto-config is disabled.
1848 hashmode: hash5tuplesorted
1850 ## Configure Suricata to load Suricata-Update managed rules.
1852 ## If this section is completely commented out move down to the "Advanced rule
1853 ## file configuration".
1856 @no_suricata_update_comment@default-rule-path: @e_defaultruledir@
1857 @no_suricata_update_comment@rule-files:
1858 @no_suricata_update_comment@ - suricata.rules
1861 ## Advanced rule file configuration.
1863 ## If this section is completely commented out then your configuration
1864 ## is setup for suricata-update as it was most likely bundled and
1865 ## installed with Suricata.
1868 @has_suricata_update_comment@default-rule-path: @e_defaultruledir@
1870 @has_suricata_update_comment@rule-files:
1871 @has_suricata_update_comment@ - botcc.rules
1872 @has_suricata_update_comment@ # - botcc.portgrouped.rules
1873 @has_suricata_update_comment@ - ciarmy.rules
1874 @has_suricata_update_comment@ - compromised.rules
1875 @has_suricata_update_comment@ - drop.rules
1876 @has_suricata_update_comment@ - dshield.rules
1877 @has_suricata_update_comment@# - emerging-activex.rules
1878 @has_suricata_update_comment@ - emerging-attack_response.rules
1879 @has_suricata_update_comment@ - emerging-chat.rules
1880 @has_suricata_update_comment@ - emerging-current_events.rules
1881 @has_suricata_update_comment@ - emerging-dns.rules
1882 @has_suricata_update_comment@ - emerging-dos.rules
1883 @has_suricata_update_comment@ - emerging-exploit.rules
1884 @has_suricata_update_comment@ - emerging-ftp.rules
1885 @has_suricata_update_comment@# - emerging-games.rules
1886 @has_suricata_update_comment@# - emerging-icmp_info.rules
1887 @has_suricata_update_comment@# - emerging-icmp.rules
1888 @has_suricata_update_comment@ - emerging-imap.rules
1889 @has_suricata_update_comment@# - emerging-inappropriate.rules
1890 @has_suricata_update_comment@# - emerging-info.rules
1891 @has_suricata_update_comment@ - emerging-malware.rules
1892 @has_suricata_update_comment@ - emerging-misc.rules
1893 @has_suricata_update_comment@ - emerging-mobile_malware.rules
1894 @has_suricata_update_comment@ - emerging-netbios.rules
1895 @has_suricata_update_comment@ - emerging-p2p.rules
1896 @has_suricata_update_comment@ - emerging-policy.rules
1897 @has_suricata_update_comment@ - emerging-pop3.rules
1898 @has_suricata_update_comment@ - emerging-rpc.rules
1899 @has_suricata_update_comment@# - emerging-scada.rules
1900 @has_suricata_update_comment@# - emerging-scada_special.rules
1901 @has_suricata_update_comment@ - emerging-scan.rules
1902 @has_suricata_update_comment@# - emerging-shellcode.rules
1903 @has_suricata_update_comment@ - emerging-smtp.rules
1904 @has_suricata_update_comment@ - emerging-snmp.rules
1905 @has_suricata_update_comment@ - emerging-sql.rules
1906 @has_suricata_update_comment@ - emerging-telnet.rules
1907 @has_suricata_update_comment@ - emerging-tftp.rules
1908 @has_suricata_update_comment@ - emerging-trojan.rules
1909 @has_suricata_update_comment@ - emerging-user_agents.rules
1910 @has_suricata_update_comment@ - emerging-voip.rules
1911 @has_suricata_update_comment@ - emerging-web_client.rules
1912 @has_suricata_update_comment@ - emerging-web_server.rules
1913 @has_suricata_update_comment@# - emerging-web_specific_apps.rules
1914 @has_suricata_update_comment@ - emerging-worm.rules
1915 @has_suricata_update_comment@ - tor.rules
1916 @has_suricata_update_comment@# - decoder-events.rules # available in suricata sources under rules dir
1917 @has_suricata_update_comment@# - stream-events.rules # available in suricata sources under rules dir
1918 @has_suricata_update_comment@ - http-events.rules # available in suricata sources under rules dir
1919 @has_suricata_update_comment@ - smtp-events.rules # available in suricata sources under rules dir
1920 @has_suricata_update_comment@ - dns-events.rules # available in suricata sources under rules dir
1921 @has_suricata_update_comment@ - tls-events.rules # available in suricata sources under rules dir
1922 @has_suricata_update_comment@# - modbus-events.rules # available in suricata sources under rules dir
1923 @has_suricata_update_comment@# - app-layer-events.rules # available in suricata sources under rules dir
1924 @has_suricata_update_comment@# - dnp3-events.rules # available in suricata sources under rules dir
1925 @has_suricata_update_comment@# - ntp-events.rules # available in suricata sources under rules dir
1926 @has_suricata_update_comment@# - ipsec-events.rules # available in suricata sources under rules dir
1927 @has_suricata_update_comment@# - kerberos-events.rules # available in suricata sources under rules dir
1930 ## Auxiliary configuration files.
1933 classification-file: @e_sysconfdir@classification.config
1934 reference-config-file: @e_sysconfdir@reference.config
1935 # threshold-file: @e_sysconfdir@threshold.config
1938 ## Include other configs
1941 # Includes. Files included here will be handled as if they were
1942 # inlined in this configuration file.
1943 #include: include1.yaml
1944 #include: include2.yaml