GENEVE_PORTS: 6081
VXLAN_PORTS: 4789
TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
##
## Ruleset specific options.
# Global stats configuration
stats:
- enabled: no
+ enabled: yes
# The interval field (in seconds) controls the interval at
# which stats are updated in the log.
interval: 8
#decoder-events-prefix: "decoder.event"
# Add stream events as stats.
#stream-events: false
+ exception-policy:
+ #per-app-proto-errors: false # default: false. True will log errors for
+ # each app-proto. Warning: VERY verbose
# Plugins -- Experimental -- specify the filename for each plugin shared object
plugins:
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- # Stats.log contains data from various counters of the suricata engine.
- - stats:
- enabled: no
- filename: stats.log
- append: no # append to file (yes) or overwrite it (no)
- totals: yes # stats for all threads merged together
- threads: no # per thread stats
- #null-values: yes # print counters that have value 0
-
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: no
# Enable for multi-threaded eve.json output; output files are amended with
# an identifier, e.g., eve.9.json
#threaded: false
+ # Specify the amount of buffering, in bytes, for
+ # this output type. The default value 0 means "no
+ # buffering".
+ #buffer-size: 0
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: "suricata"
# server: 127.0.0.1
# port: 6379
# async: true ## if redis replies are read asynchronously
- # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream
# ## lpush and rpush are using a Redis list. "list" is an alias for lpush
# ## publish is using a Redis channel. "channel" is an alias for publish
- # key: suricata ## key or channel to use (default to suricata)
+ # ## xadd is using a Redis stream. "stream" is an alias for xadd
+ # key: suricata ## string denoting the key/channel/stream to use (default to suricata)
+ # stream-maxlen: 100000 ## Automatically trims the stream length to at most
+ ## this number of events. Set to 0 to disable trimming.
+ ## Only used when mode is set to xadd/stream.
+ # stream-trim-exact: false ## Trim exactly to the maximum stream length above.
+ ## Default: use inexact trimming (inexact by a few
+ ## tens of items)
+ ## Only used when mode is set to xadd/stream.
# Redis pipelining set up. This will enable to only do a query every
# 'batch-size' events. This should lower the latency induced by network
# connection at the cost of some memory. There is no flushing implemented
# Include top level metadata. Default yes.
#metadata: no
+ # Include suricata version. Default no.
+ #suricata-version: yes
# include the name of the input pcap file in pcap file processing mode
pcap-file: false
types:
- alert:
# payload: yes # enable dumping payload in Base64
- # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-buffer-size: 4 KiB # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
+ # payload-length: yes # enable dumping payload length, including the gaps
# packet: yes # enable dumping of packet (without stream segments)
# metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # If you want metadata, use:
+ # metadata:
+ # Include the decoded application layer (ie. http, dns)
+ #app-layer: true
+ # Log the current state of the flow record.
+ #flow: true
+ #rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ #metadata: true
+ # Log the raw rule text.
+ #raw: false
+ #reference: false # include reference information from the rule
# http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
# http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+ # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64
+ # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
- frame:
# disabled by default as this is very verbose.
enabled: no
+ # payload-buffer-size: 4 KiB # max size of frame payload buffer to output in eve-log
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
# to dump all HTTP headers for every HTTP request and/or response
# dump-all-headers: none
- dns:
- # This configuration uses the new DNS logging format,
- # the old configuration is still available:
- # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
-
- # As of Suricata 5.0, version 2 of the eve dns output
- # format is the default.
- #version: 2
+ # Suricata 8.0 uses a new DNS logging format, to keep with
+ # the old format while you upgrade the version can be set
+ # to 2. See https://docs.suricata.io/en/latest/upgrade/8.0-dns-logging-changes.html
+ #version: 3
# Enable/disable this logger. Default: enabled.
#enabled: yes
# DNS record types to log, based on the query type.
# Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - mdns:
- tls:
extended: yes # enable this for extended logging information
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# custom controls which TLS fields that are included in eve-log
- #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
+ # WARNING: enabling custom disables extended logging.
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns, client_handshake, server_handshake]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
#md5: [body, subject]
#- dnp3
+ - websocket
+ #- enip
- ftp
- rdp
- nfs
- - smb
+ - smb:
+ # restrict to only certain types in the following list
+ #types: [file, tree_connect, negotiate, dcerpc, create,
+ # session_setup, ioctl, rename, set_file_path_info, generic]
- tftp
- ike
- dcerpc
- rfb
- sip
- quic
+ - ldap
+ - pop3
+ - arp:
+ enabled: no # Many events can be logged. Disabled by default
- dhcp:
enabled: yes
# When extended mode is on, all DHCP messages are logged
- ssh
- mqtt:
# passwords: yes # enable output of passwords
+ # string-log-limit: 1KiB # limit size of logged strings in bytes.
+ # Can be specified in KiB, MiB, GiB. Just a number
+ # is parsed as bytes. Default is 1 KiB.
+ # Use a value of 0 to disable limiting.
+ # Note that the size is also bounded by
+ # the maximum parsed message size (see
+ # app-layer configuration)
- http2
+ # dns over http2
+ - doh2
- pgsql:
enabled: no
# passwords: yes # enable output of passwords. Disabled by default
+ # If a password message is seen but this setting
+ # is disabled, "password_redacted": true is logged
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
# bi-directional flows
- flow
# uni-directional flows
# state-update: false # log packets triggering a TCP state update
# spurious-retransmission: false # log spurious retransmission packets
+ # output module to store certificates chain to disk
+ - tls-store:
+ enabled: no
+ #certs-log-dir: certs # directory to store the certificates files
+
+ # Packet log... log packets in pcap format. 2 modes of operation: "normal"
+ # and "multi".
+ #
+ # In normal mode a pcap file "filename" is created in the default-log-dir,
+ # or as specified by "dir".
+ # In multi mode, a file is created per thread. This will perform much
+ # better, but will create multiple files where 'normal' would create one.
+ # In multi mode the filename takes a few special variables:
+ # - %n -- thread number
+ # - %i -- thread id
+ # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
+ # E.g. filename: pcap.%n.%t
+ #
+ # Note that it's possible to use directories, but the directories are not
+ # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
+ # per thread directory.
+ #
+ # Also note that the limit and max-files settings are enforced per thread.
+ # So the size limit when using 8 threads with 1000 MiB files and 2000 files
+ # is: 8*1000*2000 ~ 16TiB.
+ #
+ # By default all packets are logged except:
+ # - TCP streams beyond stream.reassembly.depth
+ # - encrypted streams after the key exchange
+ #
+ - pcap-log:
+ enabled: no
+ filename: log.pcap
+
+ # File size limit. Can be specified in kb, mb, gb. Just a number
+ # is parsed as bytes.
+ limit: 1000 MiB
+
+ # If set to a value, ring buffer mode is enabled. Will keep maximum of
+ # "max-files" of size "limit"
+ max-files: 2000
+
+ # Compression algorithm for pcap files. Possible values: none, lz4.
+ # Note also that on Windows, enabling compression will *increase* disk I/O.
+ compression: none
+
+ # Further options for lz4 compression. The compression level can be set
+ # to a value between 0 and 16, where higher values result in higher
+ # compression.
+ #lz4-checksum: no
+ #lz4-level: 0
+
+ mode: normal # normal or multi
+
+ # Directory to place pcap files. If not provided the default log
+ # directory will be used.
+ #dir: /nsm_data/
+
+ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
+ # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag"
+ # to log only flow tagged via the "tag" keyword
+ #conditional: all
+
+ # A BPF filter that will be applied to all packets being
+ # logged. If set, packets must match this filter otherwise they
+ # will not be logged.
+ #bpf-filter:
+
+ # a full alert log containing much information for signature writers
+ # or for investigating suspected false positives.
+ - alert-debug:
+ enabled: no
+ filename: alert-debug.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # Stats.log contains data from various counters of the Suricata engine.
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ #null-values: yes # print counters that have value 0. Default: no
+
+ # Output module for storing files on disk. Files are stored in
+ # directory names consisting of the first 2 characters of the
+ # SHA256 of the file. Each file is given its SHA256 as a filename.
+ #
+ # When a duplicate file is found, the timestamps on the existing file
+ # are updated.
+ #
+ # Unlike the older filestore, metadata is not written by default
+ # as each file should already have a "fileinfo" record in the
+ # eve-log. If write-fileinfo is set to yes, then each file will have
+ # one more associated .json files that consist of the fileinfo
+ # record. A fileinfo file will be written for each occurrence of the
+ # file seen using a filename suffix to ensure uniqueness.
+ #
+ # To prune the filestore directory see the "suricatactl filestore
+ # prune" command which can delete files over a certain age.
+ - file-store:
+ version: 2
+ enabled: no
+
+ # Set the directory for the filestore. Relative pathnames
+ # are contained within the "default-log-dir".
+ #dir: filestore
+
+ # Write out a fileinfo record for each occurrence of a file.
+ # Disabled by default as each occurrence is already logged
+ # as a fileinfo record to the main eve-log.
+ #write-fileinfo: yes
+
+ # Force storing of all files. Default: no.
+ #force-filestore: yes
+
+ # Override the global stream-depth for sessions in which we want
+ # to perform file extraction. Set to 0 for unlimited; otherwise,
+ # must be greater than the global stream-depth value to be used.
+ #stream-depth: 0
+
+ # Uncomment the following variable to define how many files can
+ # remain open for filestore by Suricata. Default value is 0 which
+ # means files get closed after each write to the file.
+ #max-open-files: 1000
+
+ # Force logging of checksums: available hash functions are md5,
+ # sha1 and sha256. Note that SHA256 is automatically forced by
+ # the use of this output module as it uses the SHA256 as the
+ # file naming scheme.
+ #force-hash: [sha1, md5]
+ # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported. If more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ # Log TCP data after stream normalization
+ # Two types: file or dir:
+ # - file logs into a single logfile.
+ # - dir creates 2 files per TCP session and stores the raw TCP
+ # data into them.
+ # Use 'both' to enable both file and dir modes.
+ #
+ # Note: limited by "stream.reassembly.depth"
+ - tcp-data:
+ enabled: no
+ type: file
+ filename: tcp-data.log
+
+ # Log HTTP body data after normalization, de-chunking and unzipping.
+ # Two types: file or dir.
+ # - file logs into a single logfile.
+ # - dir creates 2 files per HTTP session and stores the
+ # normalized data into them.
+ # Use 'both' to enable both file and dir modes.
+ #
+ # Note: limited by the body limit settings
+ - http-body-data:
+ enabled: no
+ type: file
+ filename: http-data.log
+
+ # Lua Output Support - execute lua script to generate alert and event
+ # output.
+ # Documented at:
+ # https://docs.suricata.io/en/latest/output/lua-output.html
+ - lua:
+ enabled: no
+
+ # By default the Lua module search paths are empty. If you plan
+ # to use external modules these paths will need to be set. The
+ # examples below are likely suitable for finding modules
+ # installed with a package manager on a 64 bit Linux system, but
+ # may need tweaking.
+ #path: "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua;./?.lua;./?/init.lua"
+ #cpath: "/usr/lib64/lua/5.4/?.so;/usr/lib64/lua/5.4/loadall.so;./?.so"
+
+ #scripts-dir: /etc/suricata/lua-output/
+ scripts:
+ # - script1.lua
+
+heartbeat:
+ # The output-flush-interval value governs how often Suricata will instruct the
+ # detection threads to flush their EVE output. Specify the value in seconds [1-60]
+ # and Suricata will initiate EVE log output flushes at that interval. A value
+ # of 0 means no EVE log output flushes are initiated. When the EVE output
+ # buffer-size value is non-zero, some EVE output that was written may remain
+ # buffered. The output-flush-interval governs how much buffered data exists.
+ #
+ # The default value is: 0 (never instruct detection threads to flush output)
+ #output-flush-interval: 0
+
+# Logging configuration. This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
logging:
# The default log level: can be overridden in an output section.
# Note that debug level logging will only be emitted if Suricata was
# compiled with the --enable-debug configure option.
#
# This value is overridden by the SC_LOG_LEVEL env var.
- default-log-level: Info
+ default-log-level: info
# The default output format. Optional parameter, should default to
# something reasonable if not provided. Can be overridden in an
- file:
enabled: no
level: info
- filename: /var/log/suricata/suricata.log
+ filename: suricata.log
# format: "[%i - %m] %z %d: %S: %M"
# type: json
- syslog:
enabled: yes
facility: local5
- format: ""
- #format: "[%i] <%d> -- "
+ format: "[%i] <%d> -- "
# type: json
-##
-## Netfilter configuration
-##
-
-nfq:
- mode: repeat
- repeat-mark: 2147483648
- repeat-mask: 2147483648
- bypass-mark: 1073741824
- bypass-mask: 1073741824
-# route-queue: 2
-# batchcount: 20
- fail-open: no
-
##
## Step 5: App Layer Protocol Configuration
##
# Configure the app-layer parsers.
#
-# The error-policy setting applies to all app-layer parsers. Values can be
-# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or
-# "ignore" (the default).
+# The exception policy error-policy setting applies to all app-layer parsers.
+# Values can be "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet",
+# "reject" or "ignore" (the default).
#
# The protocol's section details each protocol.
#
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
mqtt:
enabled: yes
- # max-msg-length: 1mb
+ # max-msg-length: 1 MiB
# subscribe-topic-match-limit: 100
# unsubscribe-topic-match-limit: 100
# Maximum number of live MQTT transactions per flow
tls:
enabled: yes
detection-ports:
- dp: "[443,444,465,853,993,995]"
+ dp: 443
- # Generate JA3 fingerprint from client hello. If not specified it
+ # Generate JA3/JA4 fingerprints from client hello. If not specified it
# will be disabled by default, but enabled if rules require it.
- ja3-fingerprints: auto
+ #ja3-fingerprints: auto
+ #ja4-fingerprints: auto
# What to do when the encrypted communications start:
- # - default: keep tracking TLS session, check for protocol anomalies,
+ # - track-only: keep tracking TLS session, check for protocol anomalies,
# inspect tls_* keywords. Disables inspection of unmodified
- # 'content' signatures.
+ # 'content' signatures. (default)
# - bypass: stop processing this flow as much as possible. No further
# TLS parsing and inspection. Offload flow bypass to kernel
# or hardware if possible.
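Review bot: `dp: 443` drops 444, 465, 853, 993 and 995 from the TLS `detection-ports` value the removed line carried, so port-based TLS protocol detection no longer covers SMTPS, DNS-over-TLS, IMAPS or POP3S; whether those sessions are still identified by pattern-based detection is not shown in this hunk. If the longer list was a deliberate local setting rather than an upstream default being restored, keep it: `dp: "[443, 444, 465, 853, 993, 995]"`. The `tls:` block continues past the end of the hunk.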
# max-tx: 1024
ftp:
enabled: yes
- # memcap: 64mb
+ # memcap: 64 MiB
+ websocket:
+ #enabled: yes
+ # Maximum used payload size, the rest is skipped
+ # Also applies as a maximum for uncompressed data
+ # max-payload-size: 64 KiB
rdp:
- enabled: yes
+ #enabled: yes
ssh:
enabled: yes
- #hassh: yes
+ # hassh: no
+
+ # What to do when the encrypted communications start:
+ # - track-only: keep tracking but stop inspection (default)
+ # - full: keep tracking and inspect as normal
+ # - bypass: stop processing this flow as much as possible.
+ # Offload flow bypass to kernel or hardware if possible.
+ # For the best performance, select 'bypass'.
+ #
+ # encryption-handling: track-only
+ doh2:
+ enabled: yes
http2:
enabled: yes
# Maximum number of live HTTP2 streams in a flow
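Review bot: Commenting out `enabled: yes` under `rdp:` makes the RDP parser depend on an engine default this hunk does not show, while the eve-log protocol list elsewhere in the diff still carries `- rdp`; if that default is off, RDP event logging and any rules using RDP app-layer keywords would presumably stop producing anything without any error. If disabling RDP parsing is intended, say so in a comment next to it; otherwise keep `enabled: yes` explicit. The `ftp:` through `doh2:` entries sit inside a protocols mapping whose start lies outside the hunk.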
content-inspect-min-size: 32768
content-inspect-window: 4096
imap:
+ enabled: detection-only
+ pop3:
enabled: yes
+ detection-ports:
+ dp: 110
+ # Stream reassembly size for POP3. By default, track it completely.
+ stream-depth: 0
+ # Maximum number of live POP3 transactions per flow
+ # max-tx: 256
smb:
enabled: yes
detection-ports:
tftp:
enabled: yes
dns:
- # memcaps. Globally and per flow/state.
- global-memcap: 32mb
- state-memcap: 512kb
-
- # How many unreplied DNS requests are considered a flood.
- # If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 512
-
tcp:
enabled: yes
detection-ports:
dp: 53
http:
enabled: yes
- memcap: 256mb
# Byte Range Containers default settings
# byterange:
- # memcap: 100mb
+ # memcap: 100 MiB
# timeout: 60
# memcap: Maximum memory capacity for HTTP
- # Default is unlimited, values can be 64mb, e.g.
+ # Default is unlimited, values can be 64 MiB, e.g.
# default-config: Used when no server-config matches
# personality: List of personalities used by default
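Review bot: Removing `memcap: 256mb` from the `http:` block leaves HTTP parsing without a memory cap, and the comment kept two lines below it says the default is unlimited; on a sensor fed untrusted traffic that removes a bound the old line provided against memory exhaustion. If the removal is only part of the unit migration the rest of the diff performs, carry the value forward as `memcap: 256 MiB`; if an unbounded HTTP memcap is intended, document why. The `http:` block continues past the end of the hunk.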
default-config:
personality: IDS
- # Can be specified in kb, mb, gb. Just a number indicates
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
+ request-body-limit: 100 KiB
+ response-body-limit: 100 KiB
# inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
swf-decompression:
enabled: no
type: both
- compress-depth: 100kb
- decompress-depth: 100kb
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
# Use a random value for inspection sizes around the specified value.
# This lowers the risk of some evasion techniques but could lead
#lzma-enabled: false
# Memory limit usage for LZMA decompression dictionary
# Data is decompressed until dictionary reaches this size
- #lzma-memlimit: 1mb
+ #lzma-memlimit: 1 MiB
# Maximum decompressed size with a compression ratio
# above 2048 (only LZMA can reach this ratio, deflate cannot)
- #compression-bomb-limit: 1mb
+ #compression-bomb-limit: 1 MiB
# Maximum time spent decompressing a single transaction in usec
#decompression-time-limit: 100000
# Maximum number of live transactions per flow
#max-tx: 512
+ # Maximum used number of HTTP1 headers in one request or response
+ #headers-limit: 1024
server-config:
#- apache:
# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
# personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
+ # # Can be specified in KiB, MiB, GiB. Just a number indicates
# # it's in bytes.
# request-body-limit: 4096
# response-body-limit: 4096
# - 192.168.0.0/24
# - 192.168.10.0/24
# personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
+ # # Can be specified in KiB, MiB, GiB. Just a number indicates
# # it's in bytes.
# request-body-limit: 4096
# response-body-limit: 4096
sip:
#enabled: yes
+ ldap:
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 389, 3268
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 389, 3268
+ # Maximum number of live LDAP transactions per flow
+ # max-tx: 1024
+
+ mdns:
+ enabled: yes
+
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
# Default fallback memcap and hashsize values for datasets in case these
# were not explicitly defined.
defaults:
- #memcap: 100mb
+ #memcap: 100 MiB
#hashsize: 2048
+ # Limits for per rule dataset instances to avoid rules using too many
+ # resources.
+ limits:
+ # Max value for per dataset `hashsize` setting
+ #single-hashsize: 65536
+ # Max combined hashsize values for all datasets.
+ #total-hashsizes: 16777216
+
rules:
# Set to true to allow absolute filenames and filenames that use
# ".." components to reference parent directories in rules that specify
- /var/lib/suricata
lua:
- # Allow Lua rules. Disabled by default.
- #allow-rules: false
+ # Allow Lua rules. Enabled by default.
+ #allow-rules: true
# Some logging modules will use that name in event as identifier. The default
# value is the hostname
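Review bot: The comment under `lua:` now reads "Enabled by default" while `allow-rules` stays commented out, so whether Lua rules may execute is decided entirely by the engine default rather than by this file; since a Lua rule runs script code when it is evaluated, that default matters on a sensor that loads rules from external sources. If Lua rule execution is not wanted, set `allow-rules: false` explicitly instead of relying on the commented example; if it is wanted, a short comment saying so would make the choice visible. If `lua:` is nested under `rules:` as the preceding lines suggest, the enclosing mapping starts outside the hunk.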
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
- enabled: no
+ enabled: auto
#filename: custom.socket
-# Magic file
-magic-file: /usr/share/misc/magic.mgc
+# Magic file. The extension .mgc is added to the value here.
+magic-file: /usr/share/misc/magic
+
+# GeoIP2 database file. Specify path and filename of GeoIP2 database
+# if using rules with "geoip" rule option.
+#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb
legacy:
uricontent: enabled
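Review bot: `enabled: auto` replaces an explicit `enabled: no` for `unix-command:`, and the comment fragment above says the feature is activated in live capture mode under auto, so a control socket that previously never existed will presumably now be created on live sensors; that socket accepts engine commands from any local process allowed to connect to it. If the old `no` was deliberate hardening, keep it; otherwise confirm the socket path (the commented `#filename: custom.socket` implies the default location is used) and that its directory is owned by and restricted to the user Suricata runs as. The `magic-file` change in the same hunk matches its new comment and needs no action.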
# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
exception-policy: pass-packet
+# IP Reputation
+#reputation-categories-file: /etc/suricata/iprep/categories.txt
+#default-reputation-path: /etc/suricata/iprep
+#reputation-files:
+# - reputation.list
+
# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit. The reports are printed to a file in the default log dir
# Defrag settings:
-# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or
-# "ignore" (which is the default).
+# The exception policy memcap-policy value can be "drop-packet", "pass-packet",
+# "reject" or "ignore" (which is the default).
defrag:
- memcap: 64mb
+ memcap: 64 MiB
# memcap-policy: ignore
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
prealloc: yes
timeout: 60
+# Enable defrag per host settings
+# host-config:
+#
+# - dmz:
+# timeout: 30
+# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
+#
+# - lan:
+# timeout: 45
+# address:
+# - 192.168.0.0/24
+# - 192.168.10.0/24
+# - 172.16.14.0/24
+
# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
+# By default, the reserved memory (memcap) for flows is 32 MiB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the oldest flows using
# last time seen flows.
-# The memcap can be specified in kb, mb, gb. Just a number indicates it's
+# The memcap can be specified in KiB, MiB, GiB. Just a number indicates it's
# in bytes.
-# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore"
-# (which is the default).
+# The exception policy memcap-policy can be "drop-packet", "pass-packet",
+# "reject" or "ignore" (which is the default).
flow:
- memcap: 256mb
+ memcap: 256 MiB
#memcap-policy: ignore
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
#managers: 1 # default to one flow manager
#recyclers: 1 # default to one flow recycler thread
+ # Track flows and count them as elephant flow if they exceed the rate defined
+ # by the byte count per interval configured below.
+ #rate-tracking:
+ # bytes: 1GiB
+ # interval: 10 # seconds is the only supported unit for interval so far
# This option controls the use of VLAN ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# engine is configured.
#
# stream:
-# memcap: 64mb # Can be specified in kb, mb, gb. Just a
+# memcap: 64 MiB # Can be specified in KiB, MiB, GiB. Just a
# # number indicates it's in bytes.
-# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet", "reject" or
-# # "ignore" default is "ignore"
+# memcap-policy: ignore # The exception policy value can be "drop-flow",
+# # "pass-flow", "bypass", "drop-packet",
+# # "pass-packet", "reject" or "ignore" default is "ignore"
# checksum-validation: yes # To validate the checksum of received
# # packet. If csum validation is specified as
# # "yes", then packets with invalid csum values will not
# # option
# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread
# midstream: false # don't allow midstream session pickups
-# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet", "reject" or
-# # "ignore" default is "ignore"
+# midstream-policy: ignore # The exception policy value can be "drop-flow",
+# # "pass-flow", "bypass", "drop-packet",
+# # "pass-packet", "reject" or "ignore" default is "ignore"
# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
# # means it's slightly more permissive. Enabled by default.
#
# reassembly:
-# memcap: 256mb # Can be specified in kb, mb, gb. Just a number
+# memcap: 256 MiB # Can be specified in KiB, MiB, GiB. Just a number
# # indicates it's in bytes.
-# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
-# # "drop-packet", "pass-packet", "reject" or
-# # "ignore" default is "ignore"
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number
+# memcap-policy: ignore # The exception policy value can be "drop-flow",
+# # "pass-flow", "bypass", "drop-packet", "pass-packet",
+# # "reject" or "ignore" default is "ignore"
+# depth: 1 MiB # Can be specified in KiB, MiB, GiB. Just a number
# # indicates it's in bytes.
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
+# # this size. Can be specified in KiB, MiB, GiB.
+# # Just a number indicates it's in bytes.
# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
+# # this size. Can be specified in KiB, MiB, GiB.
+# # Just a number indicates it's in bytes.
# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
# # This lowers the risk of some evasion techniques but could lead
# # to detection change between runs. It is set to 'yes' by default.
# # is used or when stream-event:reassembly_overlap_different_data;
# # is used in a rule.
#
+# max-regions: 8 # maximum number of concurrent regions per streaming buffer
+# # defaults to 8, if no configuration was provided. 0 means no limit.
+
stream:
- memcap: 256mb
- prealloc-sessions: 4096
+ memcap: 256 MiB
#memcap-policy: ignore
checksum-validation: yes # reject incorrect csums
midstream: true
midstream-policy: pass-flow
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- bypass: yes # Bypass packets when stream.reassembly.depth is reached.
reassembly:
- memcap: 256mb
+ urgent:
+ policy: oob # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap
+ oob-limit-policy: drop
+ memcap: 256 MiB
#memcap-policy: ignore
- depth: 1mb # reassemble 1mb into a stream
+ depth: 1 MiB # reassemble 1 MiB into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
#randomize-chunk-range: 10
- raw: yes
- segment-prealloc: 2048
- check-overlap-different-data: true
+ #raw: yes
+ #segment-prealloc: 2048
+ #check-overlap-different-data: true
# Host table:
#
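Review bot: `bypass: yes`, `prealloc-sessions: 4096`, `raw: yes`, `segment-prealloc: 2048` and `check-overlap-different-data: true` are dropped or commented out under `stream:` without replacement, so each now falls back to an engine default this hunk does not show; the removed bypass line's own comment says it controlled whether packets past `stream.reassembly.depth` were still processed, and the commented documentation kept earlier in the diff says the overlap check is also engaged when a rule uses `stream-event:reassembly_overlap_different_data`, which makes that behaviour ruleset-dependent after this change. If these were deliberate local settings, carry them forward explicitly; if the intent is to adopt upstream defaults, a one-line comment saying so would stop the next reader from re-adding them. The new `urgent:` sub-block and the rest of `stream:` are fully visible in the hunk.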
host:
hash-size: 4096
prealloc: 1000
- memcap: 32mb
+ memcap: 32 MiB
# IP Pair table:
#
#ippair:
# hash-size: 4096
# prealloc: 1000
-# memcap: 32mb
+# memcap: 32 MiB
# Decoder settings
# maximum number of decoder layers for a packet
# max-layers: 16
+ # This option controls the use of packet recursion level in the flow
+ # (and defrag) hashing. This is enabled by default and should be
+ # disabled if packet pickup of tunneled packets occurs before the kernel
+ # has put the headers on, like when using netmap driver pickup.
+ recursion-level:
+ use-for-tracking: true
+
##
## Performance tuning and profiling
##
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. When a value is not specified, there are no limits on the recursion.
+# If the argument specified is 0, there are no limits on the recursion.
+# When a value is not specified, the default is 3000
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
- inspection-recursion-limit: 3000
+ # Cache MPM contexts to the disk to avoid rule compilation at the startup.
+ # Cache files are created in the standard library directory.
+ sgh-mpm-caching: yes
+ sgh-mpm-caching-path: /var/cache/suricata/sgh
+ # inspection-recursion-limit: 3000
+ # maximum number of times a tx will get logged for rules without app-layer keywords
+ # stream-tx-log-limit: 4
+ # Try to guess an app-layer transaction for rules without app-layer keywords,
+ # ONLY IF there is just one live transaction for the flow.
+ # This allows logging app-layer metadata in alert - the transaction may not
+ # be the relevant one for the alert.
+ # guess-applayer-tx: no
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
delayed-detect: yes
default: mpm
# the grouping values above control how many groups are created per
- # direction. Port whitelisting forces that port to get its own group.
+ # direction. Port priority setting forces that port to get its own group.
# Very common ports will benefit, as well as ports with many expensive
# rules.
grouping:
- #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
- #udp-whitelist: 53, 135, 5060
+ #tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
+ #udp-priority-ports: 53, 135, 5060
+
+ # Thresholding hash table settings.
+ thresholds:
+ hash-size: 16384
+ memcap: 16 MiB
profiling:
# Log the rules that made it past the prefilter stage, per packet
# Suricata is multi-threaded. Here the threading can be influenced.
threading:
set-cpu-affinity: no
+ autopin: no
# Tune cpu affinity of threads. Each family of threads can be bound
# to specific CPUs.
#
# verdict-cpu-set is used for IPS verdict threads
#
cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these CPUs in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these CPUs in affinity settings
- - worker-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive"
- # Use explicitly 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- #- verdict-cpu-set:
- # cpu: [ 0 ]
- # prio:
- # default: "high"
+ management-cpu-set:
+ cpu: [ 0 ] # include only these CPUs in affinity settings
+ receive-cpu-set:
+ cpu: [ 0 ] # include only these CPUs in affinity settings
+ # interface-specific-cpu-set:
+ # - interface: "enp4s0f0"
+ # cpu: [ 1,3,5,7,9 ]
+ # mode: "exclusive"
+ # prio:
+ # high: [ "all" ]
+ # default: "medium"
+ worker-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive"
+ # Use explicitly 3 threads and don't compute number by using
+ # detect-thread-ratio variable:
+ # threads: 3
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "medium"
+ interface-specific-cpu-set:
+ - interface: "enp4s0f0" # 0000:3b:00.0 # net_bonding0 # ens1f0
+ cpu: [ 1,3,5,7,9 ]
+ mode: "exclusive"
+ prio:
+ high: [ "all" ]
+ default: "medium"
+ #verdict-cpu-set:
+ # cpu: [ 0 ]
+ # prio:
+ # default: "high"
#
# By default Suricata creates one "detect" thread per available CPU/CPU core.
# This setting allows controlling this behaviour. A ratio setting of 2 will
# set to this value, a fatal error occurs.
#
# Generally, the per-thread stack-size should not exceed 8MB.
- #stack-size: 8mb
+ #stack-size: 8 MiB
+
+##
+## Netfilter integration
+##
+
+# When running in NFQ inline mode, it is possible to use a simulated
+# non-terminal NFQUEUE verdict.
+# This permits sending all needed packet to Suricata via this rule:
+# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
+# And below, you can have your standard filtering ruleset. To activate
+# this mode, you need to set mode to 'repeat'
+# If you want a packet to be sent to another queue after an ACCEPT decision
+# set the mode to 'route' and set next-queue value.
+# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance
+# by processing several packets before sending a verdict (worker runmode only).
+# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel
+# accept the packet if Suricata is not able to keep pace.
+# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
+# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
+# on packet of a flow that need to be bypassed. The Netfilter ruleset has to
+# directly accept all packets of a flow once a packet has been marked.
+nfq:
+ mode: repeat
+ repeat-mark: 2147483648
+ repeat-mask: 2147483648
+ bypass-mark: 1073741824
+ bypass-mask: 1073741824
+# route-queue: 2
+# batchcount: 20
+ fail-open: no
+
+##
+## Suricata as a Firewall options (experimental)
+##
+firewall:
+ # toggle to enable firewall mode
+ #enabled: no
+
+ # Firewall rule file are in their own path and are not managed
+ # by Suricata-Update.
+ #rule-path: /etc/suricata/firewall/
+
+ # List of files with firewall rules. Order matters, files are loaded
+ # in order and rules are applied in that order (per state, see docs)
+ #rule-files:
+ # - firewall.rules
+
+
+##
+## Include other configs
+##
+
+# Includes: Files included here will be handled as if they were in-lined
+# in this configuration file. Files with relative pathnames will be
+# searched for in the same directory as this configuration file. You may
+# use absolute pathnames too.
+#include:
+# - include1.yaml
+# - include2.yaml