From: Michael Tremer Date: Tue, 5 Aug 2025 10:34:13 +0000 (+0100) Subject: suricata: Sync configuration with upstream X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f388dc6d28383f9a5ac230f0dcea23b68b30f7d;p=ipfire-2.x.git suricata: Sync configuration with upstream There are not many big changes except that any new engines have been enabled and new defaults have beep carried over from upstream. Signed-off-by: Michael Tremer
---
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 443b8e19e..6a4f31eac 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -43,6 +43,7 @@ vars: GENEVE_PORTS: 6081 VXLAN_PORTS: 4789 TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" ## ## Ruleset specific options.
@@ -63,7 +64,7 @@ default-log-dir: /var/log/suricata/ # Global stats configuration stats: - enabled: no + enabled: yes # The interval field (in seconds) controls the interval at # which stats are updated in the log. interval: 8
@@ -74,6 +75,9 @@ stats: #decoder-events-prefix: "decoder.event" # Add stream events as stats. #stream-events: false + exception-policy: + #per-app-proto-errors: false # default: false. True will log errors for # each app-proto. Warning: VERY verbose # Plugins -- Experimental -- specify the filename for each plugin shared object plugins:
@@ -88,15 +92,6 @@ outputs: append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # Stats.log contains data from various counters of the suricata engine. - - stats: - enabled: no - filename: stats.log - append: no # append to file (yes) or overwrite it (no) - totals: yes # stats for all threads merged together - threads: no # per thread stats - #null-values: yes # print counters that have value 0 - # Extensible Event Format (nicknamed EVE) event log in JSON format - eve-log: enabled: no
@@ -105,6 +100,10 @@ outputs: # Enable for multi-threaded eve.json output; output files are amended with # an identifier, e.g., eve.9.json #threaded: false + # Specify the amount of buffering, in bytes, for + # this output type. The default value 0 means "no + # buffering". + #buffer-size: 0 #prefix: "@cee: " # prefix to prepend to each log entry # the following are valid when type: syslog above #identity: "suricata"
@@ -116,10 +115,18 @@ outputs: # server: 127.0.0.1 # port: 6379 # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream # ## lpush and rpush are using a Redis list. "list" is an alias for lpush # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) + # ## xadd is using a Redis stream. "stream" is an alias for xadd + # key: suricata ## string denoting the key/channel/stream to use (default to suricata) + # stream-maxlen: 100000 ## Automatically trims the stream length to at most ## this number of events. Set to 0 to disable trimming. ## Only used when mode is set to xadd/stream. + # stream-trim-exact: false ## Trim exactly to the maximum stream length above. ## Default: use inexact trimming (inexact by a few ## tens of items) ## Only used when mode is set to xadd/stream. # Redis pipelining set up. This will enable to only do a query every # 'batch-size' events. This should lower the latency induced by network # connection at the cost of some memory. There is no flushing implemented
@@ -130,6 +137,8 @@ outputs: # Include top level metadata. Default yes. #metadata: no + # Include suricata version. Default no. + #suricata-version: yes # include the name of the input pcap file in pcap file processing mode pcap-file: false
@@ -168,12 +177,28 @@ outputs: types: - alert: # payload: yes # enable dumping payload in Base64 - # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-buffer-size: 4 KiB # max size of payload buffer to output in eve-log # payload-printable: yes # enable dumping payload in printable (lossy) format + # payload-length: yes # enable dumping payload length, including the gaps # packet: yes # enable dumping of packet (without stream segments) # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # If you want metadata, use: + # metadata: + # Include the decoded application layer (ie. http, dns) + #app-layer: true + # Log the current state of the flow record. + #flow: true + #rule: + # Log the metadata field from the rule in a structured + # format. + #metadata: true + # Log the raw rule text. + #raw: false + #reference: false # include reference information from the rule # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64 + # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format # Enable the logging of tagged packets for rules using the # "tag" keyword.
@@ -186,6 +211,7 @@ outputs: - frame: # disabled by default as this is very verbose. enabled: no + # payload-buffer-size: 4 KiB # max size of frame payload buffer to output in eve-log - anomaly: # Anomaly log records describe unexpected conditions such # as truncated packets, packets with invalid IP/UDP/TCP
@@ -229,13 +255,10 @@ outputs: # to dump all HTTP headers for every HTTP request and/or response # dump-all-headers: none - dns: - # This configuration uses the new DNS logging format, - # the old configuration is still available: - # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format - - # As of Suricata 5.0, version 2 of the eve dns output - # format is the default. - #version: 2 + # Suricata 8.0 uses a new DNS logging format, to keep with + # the old format while you upgrade the version can be set + # to 2. See https://docs.suricata.io/en/latest/upgrade/8.0-dns-logging-changes.html + #version: 3 # Enable/disable this logger. Default: enabled. #enabled: yes
@@ -256,13 +279,15 @@ outputs: # DNS record types to log, based on the query type. # Default: all. #types: [a, aaaa, cname, mx, ns, ptr, txt] + - mdns: - tls: extended: yes # enable this for extended logging information # output TLS transaction where the session is resumed using a # session id #session-resumption: no # custom controls which TLS fields that are included in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + # WARNING: enabling custom disables extended logging. + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns, client_handshake, server_handshake] - files: force-magic: no # force logging magic on all logged files # force logging of checksums, available hash functions are md5,
@@ -289,10 +314,15 @@ outputs: #md5: [body, subject] #- dnp3 + - websocket + #- enip - ftp - rdp - nfs - - smb + - smb: + # restrict to only certain types in the following list + #types: [file, tree_connect, negotiate, dcerpc, create, + # session_setup, ioctl, rename, set_file_path_info, generic] - tftp - ike - dcerpc
@@ -302,6 +332,10 @@ outputs: - rfb - sip - quic + - ldap + - pop3 + - arp: + enabled: no # Many events can be logged. Disabled by default - dhcp: enabled: yes # When extended mode is on, all DHCP messages are logged
@@ -312,14 +346,27 @@ outputs: - ssh - mqtt: # passwords: yes # enable output of passwords + # string-log-limit: 1KiB # limit size of logged strings in bytes. + # Can be specified in KiB, MiB, GiB. Just a number + # is parsed as bytes. Default is 1 KiB. + # Use a value of 0 to disable limiting. + # Note that the size is also bounded by + # the maximum parsed message size (see + # app-layer configuration) - http2 + # dns over http2 + - doh2 - pgsql: enabled: no # passwords: yes # enable output of passwords. Disabled by default + # If a password message is seen but this setting + # is disabled, "password_redacted": true is logged - stats: totals: yes # stats for all threads merged together threads: no # per thread stats deltas: no # include delta values + # Don't log stats counters that are zero. Default: true + #null-values: false # False will NOT log stats counters: 0 # bi-directional flows - flow # uni-directional flows
@@ -340,13 +387,224 @@ outputs: # state-update: false # log packets triggering a TCP state update # spurious-retransmission: false # log spurious retransmission packets + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # Packet log... log packets in pcap format. 2 modes of operation: "normal" + # and "multi". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000 MiB files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000 MiB + + # If set to a value, ring buffer mode is enabled. Will keep maximum of + # "max-files" of size "limit" + max-files: 2000 + + # Compression algorithm for pcap files. Possible values: none, lz4. + # Note also that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. 
The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: no + #lz4-level: 0 + + mode: normal # normal or multi + + # Directory to place pcap files. If not provided the default log + # directory will be used. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. + # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag" + # to log only flow tagged via the "tag" keyword + #conditional: all + + # A BPF filter that will be applied to all packets being + # logged. If set, packets must match this filter otherwise they + # will not be logged. + #bpf-filter: + + # a full alert log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Stats.log contains data from various counters of the Suricata engine. + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0. Default: no + + # Output module for storing files on disk. Files are stored in + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the timestamps on the existing file + # are updated. 
+ # + # Unlike the older filestore, metadata is not written by default + # as each file should already have a "fileinfo" record in the + # eve-log. If write-fileinfo is set to yes, then each file will have + # one more associated .json files that consist of the fileinfo + # record. A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. + - file-store: + version: 2 + enabled: no + + # Set the directory for the filestore. Relative pathnames + # are contained within the "default-log-dir". + #dir: filestore + + # Write out a fileinfo record for each occurrence of a file. + # Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. + #write-fileinfo: yes + + # Force storing of all files. Default: no. + #force-filestore: yes + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited; otherwise, + # must be greater than the global stream-depth value to be used. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write to the file. + #max-open-files: 1000 + + # Force logging of checksums: available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. 
This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported. If more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # Log TCP data after stream normalization + # Two types: file or dir: + # - file logs into a single logfile. + # - dir creates 2 files per TCP session and stores the raw TCP + # data into them. + # Use 'both' to enable both file and dir modes. + # + # Note: limited by "stream.reassembly.depth" + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, de-chunking and unzipping. + # Two types: file or dir. + # - file logs into a single logfile. + # - dir creates 2 files per HTTP session and stores the + # normalized data into them. + # Use 'both' to enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://docs.suricata.io/en/latest/output/lua-output.html + - lua: + enabled: no + + # By default the Lua module search paths are empty. If you plan + # to use external modules these paths will need to be set. The + # examples below are likely suitable for finding modules + # installed with a package manager on a 64 bit Linux system, but + # may need tweaking. 
+ #path: "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua;./?.lua;./?/init.lua" + #cpath: "/usr/lib64/lua/5.4/?.so;/usr/lib64/lua/5.4/loadall.so;./?.so" + + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +heartbeat: + # The output-flush-interval value governs how often Suricata will instruct the + # detection threads to flush their EVE output. Specify the value in seconds [1-60] + # and Suricata will initiate EVE log output flushes at that interval. A value + # of 0 means no EVE log output flushes are initiated. When the EVE output + # buffer-size value is non-zero, some EVE output that was written may remain + # buffered. The output-flush-interval governs how much buffered data exists. + # + # The default value is: 0 (never instruct detection threads to flush output) + #output-flush-interval: 0 + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. logging: # The default log level: can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # # This value is overridden by the SC_LOG_LEVEL env var. - default-log-level: Info + default-log-level: info # The default output format. Optional parameter, should default to # something reasonable if not provided. Can be overridden in an 
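Review bot: The `- stats:` output re-added here under `outputs:` is `enabled: yes` with `append: yes`, replacing the instance with `enabled: no` that the `@@ -88,15 +92,6 @@` hunk removed, and the global `stats: enabled: yes` from the same commit makes the engine emit counters every `interval` seconds. Nothing in this file rotates or truncates `stats.log` in `default-log-dir`, so unless a logrotate rule exists elsewhere for it the file grows without bound on the appliance; either keep `enabled: no` as before or add rotation alongside this change. Everything else newly added in this hunk (`tls-store`, `pcap-log`, `alert-debug`, `file-store`, `tcp-data`, `http-body-data`, `lua`) stays `enabled: no`, so those additions are inert. The hunk ends inside `logging:`, which continues past it.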
@@ -378,39 +636,24 @@ logging: - file: enabled: no level: info - filename: /var/log/suricata/suricata.log + filename: suricata.log # format: "[%i - %m] %z %d: %S: %M" # type: json - syslog: enabled: yes facility: local5 - format: "" - #format: "[%i] <%d> -- " + format: "[%i] <%d> -- " # type: json -## -## Netfilter configuration -## - -nfq: - mode: repeat - repeat-mark: 2147483648 - repeat-mask: 2147483648 - bypass-mark: 1073741824 - bypass-mask: 1073741824 -# route-queue: 2 -# batchcount: 20 - fail-open: no - ## ## Step 5: App Layer Protocol Configuration ## # Configure the app-layer parsers. # -# The error-policy setting applies to all app-layer parsers. Values can be -# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or -# "ignore" (the default). +# The exception policy error-policy setting applies to all app-layer parsers. +# Values can be "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", +# "reject" or "ignore" (the default). # # The protocol's section details each protocol. #
@@ -428,7 +671,7 @@ app-layer: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 mqtt: enabled: yes - # max-msg-length: 1mb + # max-msg-length: 1 MiB # subscribe-topic-match-limit: 100 # unsubscribe-topic-match-limit: 100 # Maximum number of live MQTT transactions per flow
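Review bot: The `nfq:` block removed in this hunk (`mode: repeat`, the 2147483648 repeat mark/mask, the 1073741824 bypass mark/mask and `fail-open: no`) has no replacement on the new side, so NFQUEUE handling falls back to the engine's built-in defaults, which use `accept` mode instead of re-injecting packets carrying a mark. If IPFire's firewall rules rely on that mark to recognise packets Suricata has already verdicted, or the init script does not pass these values some other way, IPS packet flow changes with this sync; please confirm where the settings now live. Keeping an explicit `fail-open: no` would also document the intended failure mode even though it matches the engine default. The `logging:` section in which this hunk starts begins before it.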
@@ -444,16 +687,17 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,444,465,853,993,995]" + dp: 443 - # Generate JA3 fingerprint from client hello. If not specified it + # Generate JA3/JA4 fingerprints from client hello. If not specified it # will be disabled by default, but enabled if rules require it. - ja3-fingerprints: auto + #ja3-fingerprints: auto + #ja4-fingerprints: auto # What to do when the encrypted communications start: - # - default: keep tracking TLS session, check for protocol anomalies, + # - track-only: keep tracking TLS session, check for protocol anomalies, # inspect tls_* keywords. Disables inspection of unmodified - # 'content' signatures. + # 'content' signatures. (default) # - bypass: stop processing this flow as much as possible. No further # TLS parsing and inspection. Offload flow bypass to kernel # or hardware if possible.
@@ -476,12 +720,28 @@ app-layer: # max-tx: 1024 ftp: enabled: yes - # memcap: 64mb + # memcap: 64 MiB + websocket: + #enabled: yes + # Maximum used payload size, the rest is skipped + # Also applies as a maximum for uncompressed data + # max-payload-size: 64 KiB rdp: - enabled: yes + #enabled: yes ssh: enabled: yes - #hassh: yes + # hassh: no + + # What to do when the encrypted communications start: + # - track-only: keep tracking but stop inspection (default) + # - full: keep tracking and inspect as normal + # - bypass: stop processing this flow as much as possible. + # Offload flow bypass to kernel or hardware if possible. + # For the best performance, select 'bypass'. + # + # encryption-handling: track-only + doh2: + enabled: yes http2: enabled: yes # Maximum number of live HTTP2 streams in a flow
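Review bot: `dp: 443` narrows the TLS `detection-ports` from the previous `"[443,444,465,853,993,995]"`, dropping the IMAPS, POP3S, SMTPS and DNS-over-TLS ports IPFire had added locally. TLS is also identified by pattern matching on the handshake, so the practical effect may be limited to where the probing parser is tried, but if the wider list was deliberate for mail and DoT traffic on this platform it should survive the upstream sync; otherwise consider restoring `dp: "[443,444,465,853,993,995]"`. Commenting out `ja3-fingerprints: auto` in the same hunk matches what the surrounding comment describes as the unspecified default, so that part looks safe. The `app-layer:` section continues before and after the hunk.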
@@ -528,7 +788,15 @@ app-layer: content-inspect-min-size: 32768 content-inspect-window: 4096 imap: + enabled: detection-only + pop3: enabled: yes + detection-ports: + dp: 110 + # Stream reassembly size for POP3. By default, track it completely. + stream-depth: 0 + # Maximum number of live POP3 transactions per flow + # max-tx: 256 smb: enabled: yes detection-ports:
@@ -545,14 +813,6 @@ app-layer: tftp: enabled: yes dns: - # memcaps. Globally and per flow/state. - global-memcap: 32mb - state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 512 - tcp: enabled: yes detection-ports:
@@ -563,15 +823,14 @@ app-layer: dp: 53 http: enabled: yes - memcap: 256mb # Byte Range Containers default settings # byterange: - # memcap: 100mb + # memcap: 100 MiB # timeout: 60 # memcap: Maximum memory capacity for HTTP - # Default is unlimited, values can be 64mb, e.g. + # Default is unlimited, values can be 64 MiB, e.g. # default-config: Used when no server-config matches # personality: List of personalities used by default
@@ -596,16 +855,16 @@ app-layer: default-config: personality: IDS - # Can be specified in kb, mb, gb. Just a number indicates + # Can be specified in KiB, MiB, GiB. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb + request-body-limit: 100 KiB + response-body-limit: 100 KiB # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-minimal-inspect-size: 32 KiB + request-body-inspect-window: 4 KiB + response-body-minimal-inspect-size: 40 KiB + response-body-inspect-window: 16 KiB # response body decompression (0 disables) response-body-decompress-layer-limit: 2
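Review bot: In the `@@ -563,15 +823,14 @@` hunk the active `memcap: 256mb` under `http:` is removed with no replacement, and the comment kept a few lines below says the default is then unlimited, so HTTP parser memory is no longer capped on the new side. On a firewall appliance that is a resource-exhaustion consideration rather than part of the upstream sync; if the cap was deliberate, re-add it in the new unit style as `memcap: 256 MiB`, provided the option is still honoured by this Suricata version. The DNS `global-memcap`/`state-memcap`/`request-flood` keys dropped in the preceding hunk look like a genuine upstream removal and do not need the same treatment. The `app-layer:` section continues outside these hunks.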
@@ -624,8 +883,8 @@ app-layer: swf-decompression: enabled: no type: both - compress-depth: 100kb - decompress-depth: 100kb + compress-depth: 100 KiB + decompress-depth: 100 KiB # Use a random value for inspection sizes around the specified value. # This lowers the risk of some evasion techniques but could lead
@@ -645,21 +904,23 @@ app-layer: #lzma-enabled: false # Memory limit usage for LZMA decompression dictionary # Data is decompressed until dictionary reaches this size - #lzma-memlimit: 1mb + #lzma-memlimit: 1 MiB # Maximum decompressed size with a compression ratio # above 2048 (only LZMA can reach this ratio, deflate cannot) - #compression-bomb-limit: 1mb + #compression-bomb-limit: 1 MiB # Maximum time spent decompressing a single transaction in usec #decompression-time-limit: 100000 # Maximum number of live transactions per flow #max-tx: 512 + # Maximum used number of HTTP1 headers in one request or response + #headers-limit: 1024 server-config: #- apache: # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates + # # Can be specified in KiB, MiB, GiB. Just a number indicates # # it's in bytes. # request-body-limit: 4096 # response-body-limit: 4096
@@ -671,7 +932,7 @@ app-layer: # - 192.168.0.0/24 # - 192.168.10.0/24 # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates + # # Can be specified in KiB, MiB, GiB. Just a number indicates # # it's in bytes. # request-body-limit: 4096 # response-body-limit: 4096
@@ -725,6 +986,21 @@ app-layer: sip: #enabled: yes + ldap: + tcp: + enabled: yes + detection-ports: + dp: 389, 3268 + udp: + enabled: yes + detection-ports: + dp: 389, 3268 + # Maximum number of live LDAP transactions per flow + # max-tx: 1024 + + mdns: + enabled: yes + # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256
@@ -733,9 +1009,17 @@ datasets: # Default fallback memcap and hashsize values for datasets in case these # were not explicitly defined. defaults: - #memcap: 100mb + #memcap: 100 MiB #hashsize: 2048 + # Limits for per rule dataset instances to avoid rules using too many + # resources. + limits: + # Max value for per dataset `hashsize` setting + #single-hashsize: 65536 + # Max combined hashsize values for all datasets. + #total-hashsizes: 16777216 + rules: # Set to true to allow absolute filenames and filenames that use # ".." components to reference parent directories in rules that specify
@@ -782,8 +1066,8 @@ security: - /var/lib/suricata lua: - # Allow Lua rules. Disabled by default. - #allow-rules: false + # Allow Lua rules. Enabled by default. + #allow-rules: true # Some logging modules will use that name in event as identifier. The default # value is the hostname
@@ -856,11 +1140,15 @@ runmode: workers # activated in live capture mode. You can use the filename variable to set # the file name of the socket. unix-command: - enabled: no + enabled: auto #filename: custom.socket -# Magic file -magic-file: /usr/share/misc/magic.mgc +# Magic file. The extension .mgc is added to the value here. +magic-file: /usr/share/misc/magic + +# GeoIP2 database file. Specify path and filename of GeoIP2 database +# if using rules with "geoip" rule option. +#geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb legacy: uricontent: enabled
@@ -893,6 +1181,12 @@ legacy: # drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable). exception-policy: pass-packet +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir
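Review bot: In the `@@ -782,8 +1066,8 @@` hunk the comment becomes `# Allow Lua rules. Enabled by default.` while `#allow-rules: true` stays commented, so the shipped file no longer states a value and whether Lua rules run is left to the engine default, which the new comment says is now on. If rulesets on this platform are fetched from external providers, Lua code inside a downloaded rule file would then execute within Suricata; unless Lua rules are needed here, pinning `allow-rules: false` under `security: lua:` keeps the previous behaviour explicit instead of relying on the upstream default. The `security:` mapping starts before the hunk.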
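Review bot: In the `@@ -856,11 +1140,15 @@` hunk `enabled: auto` for `unix-command` turns on the runtime control socket that the previous `enabled: no` kept off, and per the context lines it is activated in live capture mode, which is how the appliance runs. Because that socket accepts engine control commands, confirm the directory it is created in is writable only by the service user, or keep `enabled: no` if nothing on IPFire uses the socket client. The switch to `magic-file: /usr/share/misc/magic` relies on libmagic appending `.mgc`, as the new comment states; worth checking that the file exists under that name in the IPFire build.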
@@ -934,10 +1228,10 @@ host-os-policy: # Defrag settings: -# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or -# "ignore" (which is the default). +# The exception policy memcap-policy value can be "drop-packet", "pass-packet", +# "reject" or "ignore" (which is the default). defrag: - memcap: 64mb + memcap: 64 MiB # memcap-policy: ignore hash-size: 65536 trackers: 65535 # number of defragmented flows to follow
@@ -945,8 +1239,22 @@ defrag: prealloc: yes timeout: 60 +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + # Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# By default, the reserved memory (memcap) for flows is 32 MiB. This is the limit # for flow allocation inside the engine. You can change this value to allow # more memory usage for flows. # The hash-size determines the size of the hash used to identify flows inside
@@ -962,19 +1270,24 @@ defrag: # the emergency bit and it will try again with more aggressive timeouts. # If that doesn't work, then it will try to kill the oldest flows using # last time seen flows. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# The memcap can be specified in KiB, MiB, GiB. Just a number indicates it's # in bytes. -# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore" -# (which is the default). +# The exception policy memcap-policy can be "drop-packet", "pass-packet", +# "reject" or "ignore" (which is the default). flow: - memcap: 256mb + memcap: 256 MiB #memcap-policy: ignore hash-size: 65536 prealloc: 10000 emergency-recovery: 30 #managers: 1 # default to one flow manager #recyclers: 1 # default to one flow recycler thread + # Track flows and count them as elephant flow if they exceed the rate defined + # by the byte count per interval configured below. + #rate-tracking: + # bytes: 1GiB + # interval: 10 # seconds is the only supported unit for interval so far # This option controls the use of VLAN ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken)
@@ -1046,11 +1359,11 @@ flow-timeouts: # engine is configured. # # stream: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a +# memcap: 64 MiB # Can be specified in KiB, MiB, GiB. Just a # # number indicates it's in bytes. -# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet", "reject" or -# # "ignore" default is "ignore" +# memcap-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", +# # "pass-packet", "reject" or "ignore" default is "ignore" # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as # # "yes", then packets with invalid csum values will not
@@ -1062,9 +1375,9 @@ flow-timeouts: # # option # prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread # midstream: false # don't allow midstream session pickups -# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet", "reject" or -# # "ignore" default is "ignore" +# midstream-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", +# # "pass-packet", "reject" or "ignore" default is "ignore" # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine 
@@ -1077,19 +1390,19 @@ flow-timeouts: # # means it's slightly more permissive. Enabled by default. # # reassembly: -# memcap: 256mb # Can be specified in kb, mb, gb. Just a number +# memcap: 256 MiB # Can be specified in KiB, MiB, GiB. Just a number # # indicates it's in bytes. -# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet", "reject" or -# # "ignore" default is "ignore" -# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# memcap-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", "pass-packet", +# # "reject" or "ignore" default is "ignore" +# depth: 1 MiB # Can be specified in KiB, MiB, GiB. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. +# # this size. Can be specified in KiB, MiB, GiB. +# # Just a number indicates it's in bytes. # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. +# # this size. Can be specified in KiB, MiB, GiB. +# # Just a number indicates it's in bytes. # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. # # This lowers the risk of some evasion techniques but could lead # # to detection change between runs. It is set to 'yes' by default. 
@@ -1113,26 +1426,30 @@ flow-timeouts: # # is used or when stream-event:reassembly_overlap_different_data; # # is used in a rule. # +# max-regions: 8 # maximum number of concurrent regions per streaming buffer +# # defaults to 8, if no configuration was provided. 0 means no limit. + stream: - memcap: 256mb - prealloc-sessions: 4096 + memcap: 256 MiB #memcap-policy: ignore checksum-validation: yes # reject incorrect csums midstream: true midstream-policy: pass-flow inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: - memcap: 256mb + urgent: + policy: oob # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap + oob-limit-policy: drop + memcap: 256 MiB #memcap-policy: ignore - depth: 1mb # reassemble 1mb into a stream + depth: 1 MiB # reassemble 1 MiB into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes #randomize-chunk-range: 10 - raw: yes - segment-prealloc: 2048 - check-overlap-different-data: true + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true # Host table: #
@@ -1141,7 +1458,7 @@ stream: host: hash-size: 4096 prealloc: 1000 - memcap: 32mb + memcap: 32 MiB # IP Pair table: #
@@ -1150,7 +1467,7 @@ host: #ippair: # hash-size: 4096 # prealloc: 1000 -# memcap: 32mb +# memcap: 32 MiB # Decoder settings
@@ -1178,6 +1495,13 @@ decoder: # maximum number of decoder layers for a packet # max-layers: 16 + # This option controls the use of packet recursion level in the flow + # (and defrag) hashing. This is enabled by default and should be + # disabled if packet pickup of tunneled packets occurs before the kernel + # has put the headers on, like when using netmap driver pickup. + recursion-level: + use-for-tracking: true + ## ## Performance tuning and profiling ##
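Review bot: Beyond the unit renames, this hunk drops three explicit IPFire settings without comment: `bypass: yes`, `prealloc-sessions: 4096`, and `check-overlap-different-data: true`, which is now commented out. Per the context lines at the top of the hunk, overlapping segments with different data are then only checked when a rule asks for it, which is weaker evasion detection than the previous explicit `true`; if that was deliberate hardening, keep `check-overlap-different-data: true`. Removing `bypass: yes` is consistent with the `nfq` bypass marks deleted earlier in this commit, but it means flows past `reassembly.depth` keep being processed rather than bypassed, so please confirm both are intended rather than side effects of the sync. The new `urgent:` block mirrors the upstream defaults and looks fine.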
@@ -1199,15 +1523,26 @@ decoder:
 # The option inspection-recursion-limit is used to limit the recursive calls
 # in the content inspection code. For certain payload-sig combinations, we
 # might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. When a value is not specified, there are no limits on the recursion.
+# If the argument specified is 0, there are no limits on the recursion.
+# When a value is not specified, the default is 3000
 detect:
 profile: medium
 custom-values:
 toclient-groups: 3
 toserver-groups: 25
 sgh-mpm-context: auto
- inspection-recursion-limit: 3000
+ # Cache MPM contexts to the disk to avoid rule compilation at the startup.
+ # Cache files are created in the standard library directory.
+ sgh-mpm-caching: yes
+ sgh-mpm-caching-path: /var/cache/suricata/sgh
+ # inspection-recursion-limit: 3000
+ # maximum number of times a tx will get logged for rules without app-layer keywords
+ # stream-tx-log-limit: 4
+ # Try to guess an app-layer transaction for rules without app-layer keywords,
+ # ONLY IF there is just one live transaction for the flow.
+ # This allows logging app-layer metadata in alert - the transaction may not
+ # be the relevant one for the alert.
+ # guess-applayer-tx: no
 # If set to yes, the loading of signatures will be made after the capture
 # is started. This will limit the downtime in IPS mode.
 delayed-detect: yes
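Review bot: `sgh-mpm-caching: yes` makes Suricata persist compiled detection state under `/var/cache/suricata/sgh` and read it back at start to skip rule compilation, so that directory has to exist, be owned by the account Suricata runs as, and not be writable by anyone else; nothing in this hunk creates it, so it presumably comes from the package's install step, which is worth confirming. The retained comment `# Cache files are created in the standard library directory.` no longer matches the path set two lines below it; change it to `# Cache files are created in sgh-mpm-caching-path (/var/cache/suricata/sgh on IPFire).` Since the cache is loaded as trusted engine state, treat its directory with the same permissions as the rules directory.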
@@ -1219,12 +1554,17 @@ detect:
 default: mpm
 
 # the grouping values above control how many groups are created per
- # direction. Port whitelisting forces that port to get its own group.
+ # direction. Port priority setting forces that port to get its own group.
 # Very common ports will benefit, as well as ports with many expensive
 # rules.
 grouping:
- #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
- #udp-whitelist: 53, 135, 5060
+ #tcp-priority-ports: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
+ #udp-priority-ports: 53, 135, 5060
+
+ # Thresholding hash table settings.
+ thresholds:
+ hash-size: 16384
+ memcap: 16 MiB
 
 profiling:
 # Log the rules that made it past the prefilter stage, per packet
@@ -1270,6 +1610,7 @@ spm-algo: auto
 # Suricata is multi-threaded. Here the threading can be influenced.
 threading:
 set-cpu-affinity: no
+ autopin: no
 # Tune cpu affinity of threads. Each family of threads can be bound
 # to specific CPUs.
 #
@@ -1282,25 +1623,39 @@ threading:
 # verdict-cpu-set is used for IPS verdict threads
 #
 cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these CPUs in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these CPUs in affinity settings
- - worker-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive"
- # Use explicitly 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- #- verdict-cpu-set:
- # cpu: [ 0 ]
- # prio:
- # default: "high"
+ management-cpu-set:
+ cpu: [ 0 ] # include only these CPUs in affinity settings
+ receive-cpu-set:
+ cpu: [ 0 ] # include only these CPUs in affinity settings
+ # interface-specific-cpu-set:
+ # - interface: "enp4s0f0"
+ # cpu: [ 1,3,5,7,9 ]
+ # mode: "exclusive"
+ # prio:
+ # high: [ "all" ]
+ # default: "medium"
+ worker-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive"
+ # Use explicitly 3 threads and don't compute number by using
+ # detect-thread-ratio variable:
+ # threads: 3
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "medium"
+ interface-specific-cpu-set:
+ - interface: "enp4s0f0" # 0000:3b:00.0 # net_bonding0 # ens1f0
+ cpu: [ 1,3,5,7,9 ]
+ mode: "exclusive"
+ prio:
+ high: [ "all" ]
+ default: "medium"
+ #verdict-cpu-set:
+ # cpu: [ 0 ]
+ # prio:
+ # default: "high"
 #
 # By default Suricata creates one "detect" thread per available CPU/CPU core.
 # This setting allows controlling this behaviour. A ratio setting of 2 will
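Review bot: The uncommented `interface-specific-cpu-set` entry pins an interface named `enp4s0f0` to CPUs 1,3,5,7,9 in exclusive mode, which is upstream's example (the trailing `# 0000:3b:00.0 # net_bonding0 # ens1f0` lists the example's alternatives) and is unlikely to match any IPFire installation. It is inert as long as `set-cpu-affinity: no` from the previous hunk holds, but it becomes a live misconfiguration the moment affinity is switched on, and it duplicates the commented-out example block a few lines above it. I would comment the active block out, i.e. `#interface-specific-cpu-set:` with its six child lines prefixed the same way, so only one copy of the example remains and it cannot take effect by accident.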
@@ -1318,4 +1673,63 @@ threading:
 # set to this value, a fatal error occurs.
 #
 # Generally, the per-thread stack-size should not exceed 8MB.
- #stack-size: 8mb
+ #stack-size: 8 MiB
+
+##
+## Netfilter integration
+##
+
+# When running in NFQ inline mode, it is possible to use a simulated
+# non-terminal NFQUEUE verdict.
+# This permits sending all needed packet to Suricata via this rule:
+# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
+# And below, you can have your standard filtering ruleset. To activate
+# this mode, you need to set mode to 'repeat'
+# If you want a packet to be sent to another queue after an ACCEPT decision
+# set the mode to 'route' and set next-queue value.
+# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance
+# by processing several packets before sending a verdict (worker runmode only).
+# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel
+# accept the packet if Suricata is not able to keep pace.
+# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
+# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
+# on packet of a flow that need to be bypassed. The Netfilter ruleset has to
+# directly accept all packets of a flow once a packet has been marked.
+nfq:
+ mode: repeat
+ repeat-mark: 2147483648
+ repeat-mask: 2147483648
+ bypass-mark: 1073741824
+ bypass-mask: 1073741824
+# route-queue: 2
+# batchcount: 20
+ fail-open: no
+
+##
+## Suricata as a Firewall options (experimental)
+##
+firewall:
+ # toggle to enable firewall mode
+ #enabled: no
+
+ # Firewall rule file are in their own path and are not managed
+ # by Suricata-Update.
+ #rule-path: /etc/suricata/firewall/
+
+ # List of files with firewall rules. Order matters, files are loaded
+ # in order and rules are applied in that order (per state, see docs)
+ #rule-files:
+ # - firewall.rules
+
+
+##
+## Include other configs
+##
+
+# Includes: Files included here will be handled as if they were in-lined
+# in this configuration file. Files with relative pathnames will be
+# searched for in the same directory as this configuration file. You may
+# use absolute pathnames too.
+#include:
+# - include1.yaml
+# - include2.yaml
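Review bot: The new `nfq` stanza activates NFQ bypass by setting `bypass-mark`/`bypass-mask`, and the comment directly above it states that the Netfilter ruleset must then accept every packet of a flow once it carries that mark; this diff does not show the matching iptables rule, so it has to exist in the firewall scripts, otherwise bypassed flows still take a queue round-trip and the bypass saves nothing. The mark values are easier to audit against the `--mark $MARK/$MASK` rule in the comment and against other mark users in the firewall if the hex form is noted, e.g. `repeat-mark: 2147483648 # 0x80000000` and `bypass-mark: 1073741824 # 0x40000000`. If an `nfq:` mapping already exists elsewhere in this file, most YAML parsers silently let the last one win, which I cannot check from this hunk. `fail-open: no` is the fail-closed setting and the right one for an IPS, but a comment saying so would stop a later "performance" change from flipping it casually.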