- syslog:
enabled: yes
facility: local5
- format: "[%i] <%d> -- "
+ format: ""
# type: json
##
# smb2 detection is disabled internally inside the engine.
#smb2:
# enabled: yes
- # Note: NFS parser depends on Rust support: pass --enable-rust
- # to configure.
- nfs:
- enabled: no
dns:
# memcaps. Globally and per flow/state.
- #global-memcap: 16mb
- #state-memcap: 512kb
+ global-memcap: 32mb
+ state-memcap: 512kb
# How many unreplied DNS requests are considered a flood.
# If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 500
+ request-flood: 512
tcp:
enabled: yes
dp: 44818
sp: 44818
- # Note: parser depends on experimental Rust support
- # with --enable-rust-experimental passed to configure
- ntp:
- enabled: no
-
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
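Review bot: Deleting the `nfs:` and `ntp:` stanzas outright is not the same as leaving them disabled: if the engine treats an absent protocol stanza as enabled by default — which the removed `enabled: no` lines suggest, since they would otherwise have been unnecessary — a build with Rust support will start parsing NFS and NTP traffic without any explicit opt-in, widening the parser attack surface and changing which app-layer events detection sees. Keep `nfs:` / `enabled: no` and `ntp:` / `enabled: no` in place, or replace them with `enabled: yes` if turning the parsers on is the intent, so the decision is explicit and greppable. The same change also uncomments the DNS memcaps and doubles `global-memcap` from the previously commented 16mb to 32mb; a one-line comment on the sizing rationale would help the next reviewer. The boundaries of this hunk are not visible in the excerpt.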
enabled: no
#filename: custom.socket
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-#magic-file:
+# Magic file
+magic-file: /usr/share/misc/magic.mgc
legacy:
uricontent: enabled
# - reject
# - alert
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit. The reports are printed to a file in the default log dir
# Defrag settings:
defrag:
- memcap: 32mb
+ memcap: 64mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
-# Enable defrag per host settings
-# host-config:
-#
-# - dmz:
-# timeout: 30
-# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-# - lan:
-# timeout: 45
-# address:
-# - 192.168.0.0/24
-# - 192.168.10.0/24
-# - 172.16.14.0/24
-
# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# in bytes.
flow:
- memcap: 128mb
+ memcap: 256mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
- #managers: 1 # default to one flow manager
- #recyclers: 1 # default to one flow recycler thread
+ managers: 1
+ recyclers: 1
# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# # is used in a rule.
#
stream:
- memcap: 64mb
+ memcap: 256mb
+ prealloc-sessions: 4k
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #segment-prealloc: 2048
- #check-overlap-different-data: true
+ raw: yes
+ segment-prealloc: 2048
+ check-overlap-different-data: true
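Review bot: `prealloc-sessions: 4k` is likely not read as the intended 4096: unless this key goes through the same size-suffix parser as `memcap`, a plain-integer parse of `4k` fails and the engine falls back to its built-in default, making the prealloc change a silent no-op; write it as `prealloc-sessions: 4096`. The newly uncommented lines also mix boolean spellings (`raw: yes` beside `check-overlap-different-data: true`); pick one form, with `true`/`false` the least ambiguous for generic YAML tooling. Raising stream `memcap` to 256mb on top of the flow (256mb) and defrag (64mb) increases in this same change deserves a comment stating the total memory budget it assumes, since memcap exhaustion under load is where sessions start being dropped. The hunk continues past the end of the excerpt.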
# Host table:
#