]>
Commit | Line | Data |
---|---|---|
4c6d6c1e SS |
1 | %YAML 1.1 |
2 | --- | |
3 | ||
4c6d6c1e | 4 | ## |
335114b2 SS |
5 | ## IPFire specific configuration file - an untouched example configuration |
6 | ## can be found in suricata-example.yaml. | |
4c6d6c1e SS |
7 | ## |
8 | ||
9 | vars: | |
4c6d6c1e | 10 | address-groups: |
42303055 | 11 | # Include HOME_NET declaration from external file. |
13d077fd | 12 | include: /var/ipfire/suricata/suricata-homenet.yaml |
4c6d6c1e | 13 | |
961a27b5 SS |
14 | # Include DNS_SERVERS declaration from external file. |
15 | include: /var/ipfire/suricata/suricata-dns-servers.yaml | |
16 | ||
50612920 | 17 | EXTERNAL_NET: "any" |
4c6d6c1e SS |
18 | |
19 | HTTP_SERVERS: "$HOME_NET" | |
20 | SMTP_SERVERS: "$HOME_NET" | |
21 | SQL_SERVERS: "$HOME_NET" | |
4c6d6c1e SS |
22 | TELNET_SERVERS: "$HOME_NET" |
23 | AIM_SERVERS: "$EXTERNAL_NET" | |
2bec60c3 | 24 | DC_SERVERS: "$HOME_NET" |
4c6d6c1e SS |
25 | DNP3_SERVER: "$HOME_NET" |
26 | DNP3_CLIENT: "$HOME_NET" | |
27 | MODBUS_CLIENT: "$HOME_NET" | |
28 | MODBUS_SERVER: "$HOME_NET" | |
29 | ENIP_CLIENT: "$HOME_NET" | |
30 | ENIP_SERVER: "$HOME_NET" | |
31 | ||
32 | port-groups: | |
e698090e SS |
33 | # Incluse HTTP_PORTS declaration from external file. |
34 | include: /var/ipfire/suricata/suricata-http-ports.yaml | |
35 | ||
4c6d6c1e SS |
36 | SHELLCODE_PORTS: "!80" |
37 | ORACLE_PORTS: 1521 | |
067e1847 | 38 | SSH_PORTS: "[22,222]" |
4c6d6c1e SS |
39 | DNP3_PORTS: 20000 |
40 | MODBUS_PORTS: 502 | |
41 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" | |
42 | FTP_PORTS: 21 | |
a4ade63e SS |
43 | GENEVE_PORTS: 6081 |
44 | VXLAN_PORTS: 4789 | |
45 | TEREDO_PORTS: 3544 | |
4c6d6c1e | 46 | |
4c6d6c1e | 47 | ## |
335114b2 | 48 | ## Ruleset specific options. |
4c6d6c1e | 49 | ## |
21cab141 | 50 | default-rule-path: /var/lib/suricata |
cc60d3df | 51 | rule-files: |
ddaf8ae1 | 52 | # Include enabled ruleset files from external file. |
8d6714ed | 53 | include: /var/ipfire/suricata/suricata-used-rulesfiles.yaml |
4c6d6c1e | 54 | |
5a3e97b8 MT |
55 | classification-file: /usr/share/suricata/classification.config |
56 | reference-config-file: /usr/share/suricata/reference.config | |
57 | threshold-file: /usr/share/suricata/threshold.config | |
4c6d6c1e SS |
58 | |
59 | ## | |
335114b2 | 60 | ## Logging options. |
4c6d6c1e | 61 | ## |
4c6d6c1e SS |
62 | default-log-dir: /var/log/suricata/ |
63 | ||
a4ade63e | 64 | # Global stats configuration |
4c6d6c1e | 65 | stats: |
636a7965 | 66 | enabled: no |
a4ade63e SS |
67 | # The interval field (in seconds) controls the interval at |
68 | # which stats are updated in the log. | |
4c6d6c1e | 69 | interval: 8 |
a4ade63e | 70 | # Add decode events to stats. |
2bec60c3 SS |
71 | #decoder-events: true |
72 | # Decoder event prefix in stats. Has been 'decoder' before, but that leads | |
73 | # to missing events in the eve.stats records. See issue #2225. | |
a4ade63e | 74 | #decoder-events-prefix: "decoder.event" |
2bec60c3 SS |
75 | # Add stream events as stats. |
76 | #stream-events: false | |
77 | ||
a4ade63e SS |
78 | # Plugins -- Experimental -- specify the filename for each plugin shared object |
79 | plugins: | |
80 | # - /path/to/plugin.so | |
81 | ||
4c6d6c1e SS |
82 | # Configure the type of alert (and other) logging you would like. |
83 | outputs: | |
84 | # a line based alerts log similar to Snort's fast.log | |
85 | - fast: | |
86 | enabled: yes | |
87 | filename: fast.log | |
88 | append: yes | |
89 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
90 | ||
4c6d6c1e SS |
91 | # Stats.log contains data from various counters of the suricata engine. |
92 | - stats: | |
6e7c8a33 | 93 | enabled: no |
4c6d6c1e | 94 | filename: stats.log |
335114b2 | 95 | append: no # append to file (yes) or overwrite it (no) |
4c6d6c1e SS |
96 | totals: yes # stats for all threads merged together |
97 | threads: no # per thread stats | |
98 | #null-values: yes # print counters that have value 0 | |
99 | ||
6084e66e SS |
100 | # Extensible Event Format (nicknamed EVE) event log in JSON format |
101 | - eve-log: | |
102 | enabled: no | |
103 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | |
104 | filename: eve.json | |
a4ade63e SS |
105 | # Enable for multi-threaded eve.json output; output files are amended with |
106 | # an identifier, e.g., eve.9.json | |
107 | #threaded: false | |
6084e66e SS |
108 | #prefix: "@cee: " # prefix to prepend to each log entry |
109 | # the following are valid when type: syslog above | |
110 | #identity: "suricata" | |
111 | #facility: local5 | |
112 | #level: Info ## possible levels: Emergency, Alert, Critical, | |
113 | ## Error, Warning, Notice, Info, Debug | |
a4ade63e | 114 | #ethernet: no # log ethernet header in events when available |
6084e66e SS |
115 | #redis: |
116 | # server: 127.0.0.1 | |
117 | # port: 6379 | |
118 | # async: true ## if redis replies are read asynchronously | |
119 | # mode: list ## possible values: list|lpush (default), rpush, channel|publish | |
120 | # ## lpush and rpush are using a Redis list. "list" is an alias for lpush | |
121 | # ## publish is using a Redis channel. "channel" is an alias for publish | |
122 | # key: suricata ## key or channel to use (default to suricata) | |
123 | # Redis pipelining set up. This will enable to only do a query every | |
124 | # 'batch-size' events. This should lower the latency induced by network | |
125 | # connection at the cost of some memory. There is no flushing implemented | |
a4ade63e | 126 | # so this setting should be reserved to high traffic Suricata deployments. |
6084e66e SS |
127 | # pipelining: |
128 | # enabled: yes ## set enable to yes to enable query pipelining | |
a4ade63e | 129 | # batch-size: 10 ## number of entries to keep in buffer |
6084e66e SS |
130 | |
131 | # Include top level metadata. Default yes. | |
132 | #metadata: no | |
133 | ||
134 | # include the name of the input pcap file in pcap file processing mode | |
135 | pcap-file: false | |
136 | ||
137 | # Community Flow ID | |
138 | # Adds a 'community_id' field to EVE records. These are meant to give | |
a4ade63e SS |
139 | # records a predictable flow ID that can be used to match records to |
140 | # output of other tools such as Zeek (Bro). | |
6084e66e SS |
141 | # |
142 | # Takes a 'seed' that needs to be same across sensors and tools | |
143 | # to make the id less predictable. | |
144 | ||
145 | # enable/disable the community id feature. | |
146 | community-id: false | |
147 | # Seed value for the ID output. Valid values are 0-65535. | |
148 | community-id-seed: 0 | |
149 | ||
150 | # HTTP X-Forwarded-For support by adding an extra field or overwriting | |
151 | # the source or destination IP address (depending on flow direction) | |
152 | # with the one reported in the X-Forwarded-For HTTP header. This is | |
153 | # helpful when reviewing alerts for traffic that is being reverse | |
154 | # or forward proxied. | |
155 | xff: | |
156 | enabled: no | |
a4ade63e | 157 | # Two operation modes are available: "extra-data" and "overwrite". |
6084e66e | 158 | mode: extra-data |
a4ade63e | 159 | # Two proxy deployments are supported: "reverse" and "forward". In |
6084e66e SS |
160 | # a "reverse" deployment the IP address used is the last one, in a |
161 | # "forward" deployment the first IP address is used. | |
162 | deployment: reverse | |
a4ade63e | 163 | # Header name where the actual IP address will be reported. If more |
6084e66e SS |
164 | # than one IP address is present, the last IP address will be the |
165 | # one taken into consideration. | |
166 | header: X-Forwarded-For | |
167 | ||
168 | types: | |
169 | - alert: | |
170 | # payload: yes # enable dumping payload in Base64 | |
171 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log | |
172 | # payload-printable: yes # enable dumping payload in printable (lossy) format | |
173 | # packet: yes # enable dumping of packet (without stream segments) | |
174 | # metadata: no # enable inclusion of app layer metadata with alert. Default yes | |
a4ade63e SS |
175 | # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 |
176 | # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format | |
6084e66e SS |
177 | |
178 | # Enable the logging of tagged packets for rules using the | |
179 | # "tag" keyword. | |
180 | tagged-packets: yes | |
a4ade63e SS |
181 | # Enable logging the final action taken on a packet by the engine |
182 | # (e.g: the alert may have action 'allowed' but the verdict be | |
183 | # 'drop' due to another alert. That's the engine's verdict) | |
184 | # verdict: yes | |
185 | # app layer frames | |
186 | - frame: | |
187 | # disabled by default as this is very verbose. | |
188 | enabled: no | |
6084e66e SS |
189 | - anomaly: |
190 | # Anomaly log records describe unexpected conditions such | |
191 | # as truncated packets, packets with invalid IP/UDP/TCP | |
192 | # length values, and other events that render the packet | |
193 | # invalid for further processing or describe unexpected | |
194 | # behavior on an established stream. Networks which | |
195 | # experience high occurrences of anomalies may experience | |
196 | # packet processing degradation. | |
197 | # | |
198 | # Anomalies are reported for the following: | |
199 | # 1. Decode: Values and conditions that are detected while | |
200 | # decoding individual packets. This includes invalid or | |
201 | # unexpected values for low-level protocol lengths as well | |
202 | # as stream related events (TCP 3-way handshake issues, | |
203 | # unexpected sequence number, etc). | |
204 | # 2. Stream: This includes stream related events (TCP | |
205 | # 3-way handshake issues, unexpected sequence number, | |
206 | # etc). | |
207 | # 3. Application layer: These denote application layer | |
208 | # specific conditions that are unexpected, invalid or are | |
209 | # unexpected given the application monitoring state. | |
210 | # | |
a4ade63e | 211 | # By default, anomaly logging is enabled. When anomaly |
6084e66e | 212 | # logging is enabled, applayer anomaly reporting is |
a4ade63e | 213 | # also enabled. |
6084e66e SS |
214 | enabled: yes |
215 | # | |
216 | # Choose one or more types of anomaly logging and whether to enable | |
217 | # logging of the packet header for packet anomalies. | |
218 | types: | |
219 | # decode: no | |
220 | # stream: no | |
221 | # applayer: yes | |
222 | #packethdr: no | |
223 | - http: | |
224 | extended: yes # enable this for extended logging information | |
a4ade63e | 225 | # custom allows additional HTTP fields to be included in eve-log. |
6084e66e SS |
226 | # the example below adds three additional fields when uncommented |
227 | #custom: [Accept-Encoding, Accept-Language, Authorization] | |
a4ade63e SS |
228 | # set this value to one and only one from {both, request, response} |
229 | # to dump all HTTP headers for every HTTP request and/or response | |
6084e66e SS |
230 | # dump-all-headers: none |
231 | - dns: | |
232 | # This configuration uses the new DNS logging format, | |
233 | # the old configuration is still available: | |
a4ade63e | 234 | # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format |
6084e66e SS |
235 | |
236 | # As of Suricata 5.0, version 2 of the eve dns output | |
237 | # format is the default. | |
238 | #version: 2 | |
239 | ||
240 | # Enable/disable this logger. Default: enabled. | |
241 | #enabled: yes | |
242 | ||
243 | # Control logging of requests and responses: | |
244 | # - requests: enable logging of DNS queries | |
245 | # - responses: enable logging of DNS answers | |
246 | # By default both requests and responses are logged. | |
247 | #requests: no | |
248 | #responses: no | |
249 | ||
250 | # Format of answer logging: | |
251 | # - detailed: array item per answer | |
252 | # - grouped: answers aggregated by type | |
253 | # Default: all | |
254 | #formats: [detailed, grouped] | |
255 | ||
a4ade63e | 256 | # DNS record types to log, based on the query type. |
6084e66e SS |
257 | # Default: all. |
258 | #types: [a, aaaa, cname, mx, ns, ptr, txt] | |
259 | - tls: | |
260 | extended: yes # enable this for extended logging information | |
261 | # output TLS transaction where the session is resumed using a | |
262 | # session id | |
263 | #session-resumption: no | |
a4ade63e | 264 | # custom controls which TLS fields that are included in eve-log |
6084e66e SS |
265 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] |
266 | - files: | |
267 | force-magic: no # force logging magic on all logged files | |
268 | # force logging of checksums, available hash functions are md5, | |
269 | # sha1 and sha256 | |
270 | #force-hash: [md5] | |
271 | #- drop: | |
272 | # alerts: yes # log alerts that caused drops | |
273 | # flows: all # start or all: 'start' logs only a single drop | |
274 | # # per flow direction. All logs each dropped pkt. | |
a4ade63e SS |
275 | # Enable logging the final action taken on a packet by the engine |
276 | # (will show more information in case of a drop caused by 'reject') | |
277 | # verdict: yes | |
6084e66e SS |
278 | - smtp: |
279 | #extended: yes # enable this for extended logging information | |
280 | # this includes: bcc, message-id, subject, x_mailer, user-agent | |
281 | # custom fields logging from the list: | |
282 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, | |
283 | # x-originating-ip, in-reply-to, references, importance, priority, | |
284 | # sensitivity, organization, content-md5, date | |
285 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] | |
286 | # output md5 of fields: body, subject | |
287 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 | |
288 | # to yes | |
289 | #md5: [body, subject] | |
290 | ||
291 | #- dnp3 | |
292 | - ftp | |
0cdb1518 | 293 | - rdp |
6084e66e SS |
294 | - nfs |
295 | - smb | |
296 | - tftp | |
a4ade63e | 297 | - ike |
0cdb1518 | 298 | - dcerpc |
6084e66e | 299 | - krb5 |
a4ade63e | 300 | - bittorrent-dht |
6084e66e | 301 | - snmp |
0cdb1518 SS |
302 | - rfb |
303 | - sip | |
a4ade63e | 304 | - quic |
6084e66e SS |
305 | - dhcp: |
306 | enabled: yes | |
307 | # When extended mode is on, all DHCP messages are logged | |
308 | # with full detail. When extended mode is off (the | |
309 | # default), just enough information to map a MAC address | |
310 | # to an IP address is logged. | |
311 | extended: no | |
312 | - ssh | |
0cdb1518 SS |
313 | - mqtt: |
314 | # passwords: yes # enable output of passwords | |
a4ade63e SS |
315 | - http2 |
316 | - pgsql: | |
317 | enabled: no | |
318 | # passwords: yes # enable output of passwords. Disabled by default | |
6084e66e SS |
319 | - stats: |
320 | totals: yes # stats for all threads merged together | |
321 | threads: no # per thread stats | |
322 | deltas: no # include delta values | |
323 | # bi-directional flows | |
324 | - flow | |
325 | # uni-directional flows | |
326 | #- netflow | |
327 | ||
328 | # Metadata event type. Triggered whenever a pktvar is saved | |
329 | # and will include the pktvars, flowvars, flowbits and | |
330 | # flowints. | |
331 | #- metadata | |
332 | ||
a4ade63e SS |
333 | # EXPERIMENTAL per packet output giving TCP state tracking details |
334 | # including internal state, flags, etc. | |
335 | # This output is experimental, meant for debugging and subject to | |
336 | # change in both config and output without any notice. | |
337 | #- stream: | |
338 | # all: false # log all TCP packets | |
339 | # event-set: false # log packets that have a decoder/stream event | |
340 | # state-update: false # log packets triggering a TCP state update | |
341 | # spurious-retransmission: false # log spurious retransmission packets | |
342 | ||
4c6d6c1e | 343 | logging: |
a4ade63e | 344 | # The default log level: can be overridden in an output section. |
4c6d6c1e SS |
345 | # Note that debug level logging will only be emitted if Suricata was |
346 | # compiled with the --enable-debug configure option. | |
347 | # | |
a4ade63e | 348 | # This value is overridden by the SC_LOG_LEVEL env var. |
ec03b64e | 349 | default-log-level: Info |
4c6d6c1e | 350 | |
a4ade63e SS |
351 | # The default output format. Optional parameter, should default to |
352 | # something reasonable if not provided. Can be overridden in an | |
353 | # output section. You can leave this out to get the default. | |
354 | # | |
355 | # This console log format value can be overridden by the SC_LOG_FORMAT env var. | |
356 | #default-log-format: "%D: %S: %M" | |
357 | # | |
358 | # For the pre-7.0 log format use: | |
359 | #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " | |
360 | ||
4c6d6c1e SS |
361 | # A regex to filter output. Can be overridden in an output section. |
362 | # Defaults to empty (no filter). | |
363 | # | |
a4ade63e | 364 | # This value is overridden by the SC_LOG_OP_FILTER env var. |
4c6d6c1e SS |
365 | default-output-filter: |
366 | ||
a4ade63e SS |
367 | # Requires libunwind to be available when Suricata is configured and built. |
368 | # If a signal unexpectedly terminates Suricata, displays a brief diagnostic | |
369 | # message with the offending stacktrace if enabled. | |
370 | #stacktrace-on-signal: on | |
371 | ||
4c6d6c1e | 372 | # Define your logging outputs. If none are defined, or they are all |
a4ade63e | 373 | # disabled you will get the default: console output. |
4c6d6c1e SS |
374 | outputs: |
375 | - console: | |
335114b2 | 376 | enabled: no |
4c6d6c1e SS |
377 | # type: json |
378 | - file: | |
335114b2 | 379 | enabled: no |
4c6d6c1e SS |
380 | level: info |
381 | filename: /var/log/suricata/suricata.log | |
a4ade63e | 382 | # format: "[%i - %m] %z %d: %S: %M" |
4c6d6c1e SS |
383 | # type: json |
384 | - syslog: | |
335114b2 | 385 | enabled: yes |
4c6d6c1e | 386 | facility: local5 |
ab1444b4 | 387 | format: "" |
a4ade63e | 388 | #format: "[%i] <%d> -- " |
4c6d6c1e SS |
389 | # type: json |
390 | ||
4c6d6c1e | 391 | ## |
335114b2 | 392 | ## Netfilter configuration |
4c6d6c1e | 393 | ## |
4c6d6c1e | 394 | |
335114b2 SS |
395 | nfq: |
396 | mode: repeat | |
761fadbd MT |
397 | repeat-mark: 2147483648 |
398 | repeat-mask: 2147483648 | |
11f7218f MT |
399 | bypass-mark: 1073741824 |
400 | bypass-mask: 1073741824 | |
335114b2 SS |
401 | # route-queue: 2 |
402 | # batchcount: 20 | |
69031f76 | 403 | fail-open: no |
4c6d6c1e SS |
404 | |
405 | ## | |
406 | ## Step 5: App Layer Protocol Configuration | |
407 | ## | |
408 | ||
a4ade63e SS |
409 | # Configure the app-layer parsers. |
410 | # | |
411 | # The error-policy setting applies to all app-layer parsers. Values can be | |
412 | # "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or | |
413 | # "ignore" (the default). | |
414 | # | |
415 | # The protocol's section details each protocol. | |
4c6d6c1e SS |
416 | # |
417 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | |
418 | # "yes" enables both detection and the parser, "no" disables both, and | |
419 | # "detection-only" enables protocol detection only (parser disabled). | |
420 | app-layer: | |
a4ade63e | 421 | # error-policy: ignore |
4c6d6c1e | 422 | protocols: |
a4ade63e SS |
423 | telnet: |
424 | enabled: yes | |
0cdb1518 SS |
425 | rfb: |
426 | enabled: yes | |
427 | detection-ports: | |
428 | dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 | |
0cdb1518 | 429 | mqtt: |
e79c4372 | 430 | enabled: yes |
0cdb1518 | 431 | # max-msg-length: 1mb |
a4ade63e SS |
432 | # subscribe-topic-match-limit: 100 |
433 | # unsubscribe-topic-match-limit: 100 | |
434 | # Maximum number of live MQTT transactions per flow | |
435 | # max-tx: 4096 | |
2bec60c3 | 436 | krb5: |
d6cc8710 | 437 | enabled: yes |
a4ade63e SS |
438 | bittorrent-dht: |
439 | enabled: yes | |
d6cc8710 SS |
440 | snmp: |
441 | enabled: yes | |
a4ade63e | 442 | ike: |
2bec60c3 | 443 | enabled: yes |
4c6d6c1e SS |
444 | tls: |
445 | enabled: yes | |
446 | detection-ports: | |
96495c9a | 447 | dp: "[443,444,465,853,993,995]" |
4c6d6c1e | 448 | |
d6cc8710 SS |
449 | # Generate JA3 fingerprint from client hello. If not specified it |
450 | # will be disabled by default, but enabled if rules require it. | |
0937bd9c | 451 | ja3-fingerprints: auto |
d6cc8710 | 452 | |
9deccd1c MT |
453 | # What to do when the encrypted communications start: |
454 | # - default: keep tracking TLS session, check for protocol anomalies, | |
455 | # inspect tls_* keywords. Disables inspection of unmodified | |
456 | # 'content' signatures. | |
457 | # - bypass: stop processing this flow as much as possible. No further | |
458 | # TLS parsing and inspection. Offload flow bypass to kernel | |
459 | # or hardware if possible. | |
460 | # - full: keep tracking and inspection as normal. Unmodified content | |
461 | # keyword signatures are inspected as well. | |
462 | # | |
463 | # For best performance, select 'bypass'. | |
464 | # | |
465 | encryption-handling: bypass | |
a4ade63e SS |
466 | |
467 | pgsql: | |
468 | enabled: no | |
469 | # Stream reassembly size for PostgreSQL. By default, track it completely. | |
470 | stream-depth: 0 | |
471 | # Maximum number of live PostgreSQL transactions per flow | |
472 | # max-tx: 1024 | |
4c6d6c1e SS |
473 | dcerpc: |
474 | enabled: yes | |
a4ade63e SS |
475 | # Maximum number of live DCERPC transactions per flow |
476 | # max-tx: 1024 | |
4c6d6c1e SS |
477 | ftp: |
478 | enabled: yes | |
a4ade63e | 479 | # memcap: 64mb |
d6cc8710 | 480 | rdp: |
2acc41c0 | 481 | enabled: yes |
4c6d6c1e SS |
482 | ssh: |
483 | enabled: yes | |
0cdb1518 | 484 | #hassh: yes |
0cdb1518 | 485 | http2: |
a4ade63e SS |
486 | enabled: yes |
487 | # Maximum number of live HTTP2 streams in a flow | |
488 | #max-streams: 4096 | |
489 | # Maximum headers table size | |
490 | #max-table-size: 65536 | |
491 | # Maximum reassembly size for header + continuation frames | |
492 | #max-reassembly-size: 102400 | |
4c6d6c1e SS |
493 | smtp: |
494 | enabled: yes | |
a4ade63e SS |
495 | raw-extraction: no |
496 | # Maximum number of live SMTP transactions per flow | |
497 | # max-tx: 256 | |
4c6d6c1e SS |
498 | # Configure SMTP-MIME Decoder |
499 | mime: | |
500 | # Decode MIME messages from SMTP transactions | |
501 | # (may be resource intensive) | |
a4ade63e | 502 | # This field supersedes all others because it turns the entire |
4c6d6c1e SS |
503 | # process on or off |
504 | decode-mime: yes | |
505 | ||
a4ade63e | 506 | # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) |
4c6d6c1e SS |
507 | decode-base64: yes |
508 | decode-quoted-printable: yes | |
509 | ||
510 | # Maximum bytes per header data value stored in the data structure | |
511 | # (default is 2000) | |
512 | header-value-depth: 2000 | |
513 | ||
514 | # Extract URLs and save in state data structure | |
515 | extract-urls: yes | |
a4ade63e SS |
516 | # Scheme of URLs to extract |
517 | # (default is [http]) | |
518 | #extract-urls-schemes: [http, https, ftp, mailto] | |
519 | # Log the scheme of URLs that are extracted | |
520 | # (default is no) | |
521 | #log-url-scheme: yes | |
4c6d6c1e SS |
522 | # Set to yes to compute the md5 of the mail body. You will then |
523 | # be able to journalize it. | |
524 | body-md5: no | |
525 | # Configure inspected-tracker for file_data keyword | |
526 | inspected-tracker: | |
527 | content-limit: 100000 | |
528 | content-inspect-min-size: 32768 | |
529 | content-inspect-window: 4096 | |
530 | imap: | |
8723bb91 | 531 | enabled: yes |
4c6d6c1e SS |
532 | smb: |
533 | enabled: yes | |
534 | detection-ports: | |
535 | dp: 139, 445 | |
a4ade63e SS |
536 | # Maximum number of live SMB transactions per flow |
537 | # max-tx: 1024 | |
538 | ||
539 | # Stream reassembly size for SMB streams. By default track it completely. | |
540 | #stream-depth: 0 | |
541 | ||
d6cc8710 SS |
542 | nfs: |
543 | enabled: yes | |
a4ade63e | 544 | # max-tx: 1024 |
d6cc8710 SS |
545 | tftp: |
546 | enabled: yes | |
4c6d6c1e SS |
547 | dns: |
548 | # memcaps. Globally and per flow/state. | |
cf976e93 MT |
549 | global-memcap: 32mb |
550 | state-memcap: 512kb | |
4c6d6c1e SS |
551 | |
552 | # How many unreplied DNS requests are considered a flood. | |
553 | # If the limit is reached, app-layer-event:dns.flooded; will match. | |
551bc489 | 554 | #request-flood: 512 |
4c6d6c1e SS |
555 | |
556 | tcp: | |
557 | enabled: yes | |
558 | detection-ports: | |
96495c9a | 559 | dp: 53 |
4c6d6c1e SS |
560 | udp: |
561 | enabled: yes | |
562 | detection-ports: | |
96495c9a | 563 | dp: 53 |
4c6d6c1e SS |
564 | http: |
565 | enabled: yes | |
8efbd71c | 566 | memcap: 256mb |
4c6d6c1e | 567 | |
a4ade63e SS |
568 | # Byte Range Containers default settings |
569 | # byterange: | |
570 | # memcap: 100mb | |
571 | # timeout: 60 | |
572 | ||
573 | # memcap: Maximum memory capacity for HTTP | |
574 | # Default is unlimited, values can be 64mb, e.g. | |
575 | ||
4c6d6c1e SS |
576 | # default-config: Used when no server-config matches |
577 | # personality: List of personalities used by default | |
578 | # request-body-limit: Limit reassembly of request body for inspection | |
579 | # by http_client_body & pcre /P option. | |
580 | # response-body-limit: Limit reassembly of response body for inspection | |
581 | # by file_data, http_server_body & pcre /Q option. | |
a4ade63e SS |
582 | # |
583 | # For advanced options, see the user guide | |
584 | ||
585 | ||
586 | # server-config: List of server configurations to use if address matches | |
587 | # address: List of IP addresses or networks for this block | |
588 | # personality: List of personalities used by this block | |
589 | # | |
590 | # Then, all the fields from default-config can be overloaded | |
4c6d6c1e | 591 | # |
4c6d6c1e SS |
592 | # Currently Available Personalities: |
593 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, | |
594 | # IIS_7_0, IIS_7_5, Apache_2 | |
595 | libhtp: | |
596 | default-config: | |
597 | personality: IDS | |
598 | ||
599 | # Can be specified in kb, mb, gb. Just a number indicates | |
600 | # it's in bytes. | |
a4ade63e SS |
601 | request-body-limit: 100kb |
602 | response-body-limit: 100kb | |
603 | ||
604 | # inspection limits | |
605 | request-body-minimal-inspect-size: 32kb | |
606 | request-body-inspect-window: 4kb | |
607 | response-body-minimal-inspect-size: 40kb | |
608 | response-body-inspect-window: 16kb | |
4c6d6c1e SS |
609 | |
610 | # response body decompression (0 disables) | |
611 | response-body-decompress-layer-limit: 2 | |
612 | ||
613 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically | |
614 | http-body-inline: auto | |
615 | ||
a4ade63e SS |
616 | # Decompress SWF files. Disabled by default. |
617 | # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma | |
618 | # compress-depth: | |
619 | # Specifies the maximum amount of data to decompress, | |
620 | # set 0 for unlimited. | |
621 | # decompress-depth: | |
622 | # Specifies the maximum amount of decompressed data to obtain, | |
623 | # set 0 for unlimited. | |
624 | swf-decompression: | |
625 | enabled: no | |
626 | type: both | |
627 | compress-depth: 100kb | |
628 | decompress-depth: 100kb | |
629 | ||
630 | # Use a random value for inspection sizes around the specified value. | |
631 | # This lowers the risk of some evasion techniques but could lead | |
632 | # to detection change between runs. It is set to 'yes' by default. | |
633 | #randomize-inspection-sizes: yes | |
634 | # If "randomize-inspection-sizes" is active, the value of various | |
635 | # inspection size will be chosen from the [1 - range%, 1 + range%] | |
4c6d6c1e | 636 | # range |
a4ade63e SS |
637 | # Default value of "randomize-inspection-range" is 10. |
638 | #randomize-inspection-range: 10 | |
4c6d6c1e SS |
639 | |
640 | # decoding | |
641 | double-decode-path: no | |
642 | double-decode-query: no | |
643 | ||
a4ade63e SS |
644 | # Can enable LZMA decompression |
645 | #lzma-enabled: false | |
646 | # Memory limit usage for LZMA decompression dictionary | |
647 | # Data is decompressed until dictionary reaches this size | |
648 | #lzma-memlimit: 1mb | |
649 | # Maximum decompressed size with a compression ratio | |
650 | # above 2048 (only LZMA can reach this ratio, deflate cannot) | |
651 | #compression-bomb-limit: 1mb | |
652 | # Maximum time spent decompressing a single transaction in usec | |
653 | #decompression-time-limit: 100000 | |
654 | # Maximum number of live transactions per flow | |
655 | #max-tx: 512 | |
656 | ||
657 | server-config: | |
658 | ||
659 | #- apache: | |
660 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] | |
661 | # personality: Apache_2 | |
662 | # # Can be specified in kb, mb, gb. Just a number indicates | |
663 | # # it's in bytes. | |
664 | # request-body-limit: 4096 | |
665 | # response-body-limit: 4096 | |
666 | # double-decode-path: no | |
667 | # double-decode-query: no | |
668 | ||
669 | #- iis7: | |
670 | # address: | |
671 | # - 192.168.0.0/24 | |
672 | # - 192.168.10.0/24 | |
673 | # personality: IIS_7_0 | |
674 | # # Can be specified in kb, mb, gb. Just a number indicates | |
675 | # # it's in bytes. | |
676 | # request-body-limit: 4096 | |
677 | # response-body-limit: 4096 | |
678 | # double-decode-path: no | |
679 | # double-decode-query: no | |
680 | ||
681 | # Note: Modbus probe parser is minimalist due to the limited usage in the field. | |
ee87c2e3 | 682 | # Only Modbus message length (greater than Modbus header length) |
a4ade63e | 683 | # and protocol ID (equal to 0) are checked in probing parser |
ee87c2e3 | 684 | # It is important to enable detection port and define Modbus port |
a4ade63e | 685 | # to avoid false positives |
ee87c2e3 | 686 | modbus: |
a4ade63e SS |
687 | # How many unanswered Modbus requests are considered a flood. |
688 | # If the limit is reached, the app-layer-event:modbus.flooded; will match. | |
ee87c2e3 SS |
689 | #request-flood: 500 |
690 | ||
691 | enabled: no | |
692 | detection-ports: | |
693 | dp: 502 | |
694 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it | |
695 | # is recommended to keep the TCP connection opened with a remote device | |
696 | # and not to open and close it for each MODBUS/TCP transaction. In that | |
697 | # case, it is important to set the depth of the stream reassembling as | |
698 | # unlimited (stream.reassembly.depth: 0) | |
699 | ||
700 | # Stream reassembly size for modbus. By default track it completely. | |
701 | stream-depth: 0 | |
702 | ||
703 | # DNP3 | |
704 | dnp3: | |
705 | enabled: no | |
706 | detection-ports: | |
707 | dp: 20000 | |
708 | ||
709 | # SCADA EtherNet/IP and CIP protocol support | |
710 | enip: | |
711 | enabled: no | |
712 | detection-ports: | |
713 | dp: 44818 | |
714 | sp: 44818 | |
715 | ||
d6cc8710 SS |
716 | ntp: |
717 | enabled: yes | |
a4ade63e SS |
718 | |
719 | quic: | |
720 | enabled: yes | |
721 | ||
d6cc8710 SS |
722 | dhcp: |
723 | enabled: yes | |
a4ade63e | 724 | |
d6cc8710 | 725 | sip: |
a4ade63e | 726 | #enabled: yes |
4c6d6c1e | 727 | |
4c6d6c1e SS |
728 | # Limit for the maximum number of asn1 frames to decode (default 256) |
729 | asn1-max-frames: 256 | |
730 | ||
a4ade63e SS |
731 | # Datasets default settings |
732 | datasets: | |
733 | # Default fallback memcap and hashsize values for datasets in case these | |
734 | # were not explicitly defined. | |
735 | defaults: | |
736 | #memcap: 100mb | |
737 | #hashsize: 2048 | |
738 | ||
739 | rules: | |
740 | # Set to true to allow absolute filenames and filenames that use | |
741 | # ".." components to reference parent directories in rules that specify | |
742 | # their filenames. | |
743 | #allow-absolute-filenames: false | |
744 | ||
745 | # Allow datasets in rules write access for "save" and | |
746 | # "state". This is enabled by default, however write access is | |
747 | # limited to the data directory. | |
748 | #allow-write: true | |
4c6d6c1e SS |
749 | |
750 | ############################################################################## | |
751 | ## | |
752 | ## Advanced settings below | |
753 | ## | |
754 | ############################################################################## | |
755 | ||
38081b8b MT |
756 | ## |
757 | ## Run Options | |
758 | ## | |
759 | ||
a4ade63e | 760 | # Run Suricata with a specific user-id and group-id: |
38081b8b MT |
761 | run-as: |
762 | user: suricata | |
763 | group: suricata | |
764 | ||
a4ade63e SS |
765 | security: |
766 | # if true, prevents process creation from Suricata by calling | |
767 | # setrlimit(RLIMIT_NPROC, 0) | |
768 | limit-noproc: true | |
769 | # Use landlock security module under Linux | |
770 | landlock: | |
b7da97fd | 771 | enabled: no |
a4ade63e | 772 | directories: |
64e057aa SS |
773 | write: |
774 | - /run | |
a4ade63e SS |
775 | # /usr and /etc folders are added to read list to allow |
776 | # file magic to be used. | |
777 | read: | |
64e057aa | 778 | - /usr/share/misc/magic.mgc |
b4847c38 MT |
779 | - /usr/share/suricata |
780 | - /var/ipfire/suricata | |
781 | - /var/lib/suricata | |
a4ade63e SS |
782 | |
783 | lua: | |
784 | # Allow Lua rules. Disabled by default. | |
785 | #allow-rules: false | |
786 | ||
787 | # Some logging modules will use that name in event as identifier. The default | |
788 | # value is the hostname | |
789 | #sensor-name: suricata | |
790 | ||
791 | # Default location of the pid file. The pid file is only used in | |
792 | # daemon mode (start Suricata with -D). If not running in daemon mode | |
793 | # the --pidfile command line option must be used to create a pid file. | |
794 | pid-file: /var/run/suricata.pid | |
795 | ||
796 | # Daemon working directory | |
797 | # Suricata will change directory to this one if provided | |
798 | # Default: "/" | |
799 | #daemon-directory: "/" | |
800 | ||
801 | # Umask. | |
802 | # Suricata will use this umask if it is provided. By default it will use the | |
803 | # umask passed on by the shell. | |
804 | #umask: 022 | |
805 | ||
4c6d6c1e SS |
806 | # Suricata core dump configuration. Limits the size of the core dump file to |
807 | # approximately max-dump. The actual core dump size will be a multiple of the | |
808 | # page size. Core dumps that would be larger than max-dump are truncated. On | |
809 | # Linux, the actual core dump size may be a few pages larger than max-dump. | |
810 | # Setting max-dump to 0 disables core dumping. | |
811 | # Setting max-dump to 'unlimited' will give the full core dump file. | |
812 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | |
813 | # to be 'unlimited'. | |
814 | ||
815 | coredump: | |
816 | max-dump: unlimited | |
817 | ||
a4ade63e | 818 | # If the Suricata box is a router for the sniffed networks, set it to 'router'. If |
4c6d6c1e | 819 | # it is a pure sniffing setup, set it to 'sniffer-only'. |
a4ade63e | 820 | # If set to auto, the variable is internally switched to 'router' in IPS mode |
4c6d6c1e SS |
821 | # and 'sniffer-only' in IDS mode. |
822 | # This feature is currently only used by the reject* keywords. | |
823 | host-mode: auto | |
824 | ||
825 | # Number of packets preallocated per thread. The default is 1024. A higher number | |
826 | # will make sure each CPU will be more easily kept busy, but may negatively | |
827 | # impact caching. | |
a4ade63e | 828 | #max-pending-packets: 1024 |
4c6d6c1e SS |
829 | |
830 | # Runmode the engine should use. Please check --list-runmodes to get the available | |
a4ade63e SS |
831 | # runmodes for each packet acquisition method. Default depends on selected capture |
832 | # method. 'workers' generally gives best performance. | |
64aed99d | 833 | runmode: workers |
4c6d6c1e SS |
834 | |
835 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. | |
836 | # | |
837 | # Supported schedulers are: | |
838 | # | |
a4ade63e SS |
839 | # hash - Flow assigned to threads using the 5-7 tuple hash. |
840 | # ippair - Flow assigned to threads using addresses only. | |
841 | # ftp-hash - Flow assigned to threads using the hash, except for FTP, so that | |
842 | # ftp-data flows will be handled by the same thread | |
4c6d6c1e | 843 | # |
a4ade63e | 844 | #autofp-scheduler: hash |
4c6d6c1e | 845 | |
a4ade63e SS |
846 | # Preallocated size for each packet. Default is 1514 which is the classical |
847 | # size for pcap on Ethernet. You should adjust this value to the highest | |
4c6d6c1e | 848 | # packet size (MTU + hardware header) on your system. |
a4ade63e | 849 | #default-packet-size: 1514 |
4c6d6c1e | 850 | |
a4ade63e SS |
851 | # Unix command socket that can be used to pass commands to Suricata. |
852 | # An external tool can then connect to get information from Suricata | |
4c6d6c1e SS |
853 | # or trigger some modifications of the engine. Set enabled to yes |
854 | # to activate the feature. In auto mode, the feature will only be | |
855 | # activated in live capture mode. You can use the filename variable to set | |
856 | # the file name of the socket. | |
857 | unix-command: | |
335114b2 | 858 | enabled: no |
4c6d6c1e SS |
859 | #filename: custom.socket |
860 | ||
83b576c8 MT |
861 | # Magic file |
862 | magic-file: /usr/share/misc/magic.mgc | |
4c6d6c1e SS |
863 | |
864 | legacy: | |
865 | uricontent: enabled | |
866 | ||
867 | ## | |
868 | ## Detection settings | |
869 | ## | |
870 | ||
a4ade63e | 871 | # Set the order of alerts based on actions |
4c6d6c1e SS |
872 | # The default order is pass, drop, reject, alert |
873 | # action-order: | |
874 | # - pass | |
875 | # - drop | |
876 | # - reject | |
877 | # - alert | |
878 | ||
a4ade63e SS |
879 | # Define maximum number of possible alerts that can be triggered for the same |
880 | # packet. Default is 15 | |
881 | #packet-alert-max: 15 | |
882 | ||
883 | # Exception Policies | |
884 | # | |
885 | # Define a common behavior for all exception policies. | |
886 | # In IPS mode, the default is drop-flow. For cases when that's not possible, the | |
887 | # engine will fall to drop-packet. To fallback to old behavior (setting each of | |
888 | # them individually, or ignoring all), set this to ignore. | |
889 | # All values available for exception policies can be used, and there is one | |
890 | # extra option: auto - which means drop-flow or drop-packet (as explained above) | |
891 | # in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet, | |
892 | # drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable). | |
4d24d994 | 893 | exception-policy: pass-packet |
a4ade63e | 894 | |
4c6d6c1e SS |
895 | # When run with the option --engine-analysis, the engine will read each of |
896 | # the parameters below, and print reports for each of the enabled sections | |
897 | # and exit. The reports are printed to a file in the default log dir | |
898 | # given by the parameter "default-log-dir", with engine reporting | |
899 | # subsection below printing reports in its own report file. | |
900 | engine-analysis: | |
901 | # enables printing reports for fast-pattern for every rule. | |
902 | rules-fast-pattern: yes | |
903 | # enables printing reports for each rule | |
904 | rules: yes | |
905 | ||
906 | #recursion and match limits for PCRE where supported | |
907 | pcre: | |
908 | match-limit: 3500 | |
909 | match-limit-recursion: 1500 | |
910 | ||
911 | ## | |
912 | ## Advanced Traffic Tracking and Reconstruction Settings | |
913 | ## | |
914 | ||
915 | # Host specific policies for defragmentation and TCP stream | |
916 | # reassembly. The host OS lookup is done using a radix tree, just | |
917 | # like a routing table so the most specific entry matches. | |
918 | host-os-policy: | |
919 | # Make the default policy windows. | |
920 | windows: [0.0.0.0/0] | |
921 | bsd: [] | |
922 | bsd-right: [] | |
923 | old-linux: [] | |
924 | linux: [] | |
925 | old-solaris: [] | |
926 | solaris: [] | |
927 | hpux10: [] | |
928 | hpux11: [] | |
929 | irix: [] | |
930 | macos: [] | |
931 | vista: [] | |
932 | windows2k3: [] | |
933 | ||
934 | # Defrag settings: | |
935 | ||
a4ade63e SS |
936 | # The memcap-policy value can be "drop-packet", "pass-packet", "reject" or |
937 | # "ignore" (which is the default). | |
4c6d6c1e | 938 | defrag: |
7eed864c | 939 | memcap: 64mb |
a4ade63e | 940 | # memcap-policy: ignore |
4c6d6c1e SS |
941 | hash-size: 65536 |
942 | trackers: 65535 # number of defragmented flows to follow | |
943 | max-frags: 65535 # number of fragments to keep (higher than trackers) | |
944 | prealloc: yes | |
945 | timeout: 60 | |
946 | ||
4c6d6c1e SS |
947 | # Flow settings: |
948 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | |
949 | # for flow allocation inside the engine. You can change this value to allow | |
950 | # more memory usage for flows. | |
a4ade63e | 951 | # The hash-size determines the size of the hash used to identify flows inside |
4c6d6c1e | 952 | # the engine, and by default the value is 65536. |
a4ade63e | 953 | # At startup, the engine can preallocate a number of flows, to get better |
4c6d6c1e | 954 | # performance. The number of flows preallocated is 10000 by default. |
a4ade63e SS |
955 | # emergency-recovery is the percentage of flows that the engine needs to |
956 | # prune before clearing the emergency state. The emergency state is activated | |
957 | # when the memcap limit is reached, allowing new flows to be created, but | |
958 | # pruning them with the emergency timeouts (they are defined below). | |
4c6d6c1e | 959 | # If the memcap is reached, the engine will try to prune flows |
a4ade63e SS |
960 | # with the default timeouts. If it doesn't find a flow to prune, it will set |
961 | # the emergency bit and it will try again with more aggressive timeouts. | |
962 | # If that doesn't work, then it will try to kill the oldest flows using | |
963 | # last time seen flows. | |
4c6d6c1e SS |
964 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's |
965 | # in bytes. | |
a4ade63e SS |
966 | # The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore" |
967 | # (which is the default). | |
4c6d6c1e SS |
968 | |
969 | flow: | |
47cb0571 | 970 | memcap: 256mb |
a4ade63e | 971 | #memcap-policy: ignore |
4c6d6c1e SS |
972 | hash-size: 65536 |
973 | prealloc: 10000 | |
974 | emergency-recovery: 30 | |
a4ade63e SS |
975 | #managers: 1 # default to one flow manager |
976 | #recyclers: 1 # default to one flow recycler thread | |
4c6d6c1e | 977 | |
a4ade63e | 978 | # This option controls the use of VLAN ids in the flow (and defrag) |
4c6d6c1e | 979 | # hashing. Normally this should be enabled, but in some (broken) |
a4ade63e SS |
980 | # setups where both sides of a flow are not tagged with the same VLAN |
981 | # tag, we can ignore the VLAN id's in the flow hashing. | |
4c6d6c1e SS |
982 | vlan: |
983 | use-for-tracking: true | |
984 | ||
a4ade63e SS |
985 | # This option controls the use of livedev ids in the flow (and defrag) |
986 | # hashing. This is enabled by default and should be disabled if | |
987 | # multiple live devices are used to capture traffic from the same network | |
988 | livedev: | |
989 | use-for-tracking: true | |
990 | ||
4c6d6c1e SS |
991 | # Specific timeouts for flows. Here you can specify the timeouts that the |
992 | # active flows will wait to transit from the current state to another, on each | |
a4ade63e SS |
993 | # protocol. The value of "new" determines the seconds to wait after a handshake or |
994 | # stream startup before the engine frees the data of that flow it doesn't | |
4c6d6c1e SS |
995 | # change the state to established (usually if we don't receive more packets |
996 | # of that flow). The value of "established" is the amount of | |
a4ade63e | 997 | # seconds that the engine will wait to free the flow if that time elapses |
4c6d6c1e SS |
998 | # without receiving new packets or closing the connection. "closed" is the |
999 | # amount of time to wait after a flow is closed (usually zero). "bypassed" | |
1000 | # timeout controls locally bypassed flows. For these flows we don't do any other | |
1001 | # tracking. If no packets have been seen after this timeout, the flow is discarded. | |
1002 | # | |
1003 | # There's an emergency mode that will become active under attack circumstances, | |
1004 | # making the engine to check flow status faster. This configuration variables | |
1005 | # use the prefix "emergency-" and work similar as the normal ones. | |
1006 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and | |
1007 | # icmp. | |
1008 | ||
1009 | flow-timeouts: | |
1010 | ||
1011 | default: | |
1012 | new: 30 | |
1013 | established: 300 | |
1014 | closed: 0 | |
1015 | bypassed: 100 | |
1016 | emergency-new: 10 | |
1017 | emergency-established: 100 | |
1018 | emergency-closed: 0 | |
1019 | emergency-bypassed: 50 | |
1020 | tcp: | |
1021 | new: 60 | |
1022 | established: 600 | |
1023 | closed: 60 | |
1024 | bypassed: 100 | |
1025 | emergency-new: 5 | |
1026 | emergency-established: 100 | |
1027 | emergency-closed: 10 | |
1028 | emergency-bypassed: 50 | |
1029 | udp: | |
1030 | new: 30 | |
1031 | established: 300 | |
1032 | bypassed: 100 | |
1033 | emergency-new: 10 | |
1034 | emergency-established: 100 | |
1035 | emergency-bypassed: 50 | |
1036 | icmp: | |
1037 | new: 30 | |
1038 | established: 300 | |
1039 | bypassed: 100 | |
1040 | emergency-new: 10 | |
1041 | emergency-established: 100 | |
1042 | emergency-bypassed: 50 | |
1043 | ||
1044 | # Stream engine settings. Here the TCP stream tracking and reassembly | |
1045 | # engine is configured. | |
1046 | # | |
1047 | # stream: | |
a4ade63e | 1048 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a |
4c6d6c1e | 1049 | # # number indicates it's in bytes. |
a4ade63e SS |
1050 | # memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", |
1051 | # # "drop-packet", "pass-packet", "reject" or | |
1052 | # # "ignore" default is "ignore" | |
4c6d6c1e SS |
1053 | # checksum-validation: yes # To validate the checksum of received |
1054 | # # packet. If csum validation is specified as | |
a4ade63e | 1055 | # # "yes", then packets with invalid csum values will not |
4c6d6c1e | 1056 | # # be processed by the engine stream/app layer. |
a4ade63e | 1057 | # # Warning: locally generated traffic can be |
4c6d6c1e SS |
1058 | # # generated without checksum due to hardware offload |
1059 | # # of checksum. You can control the handling of checksum | |
1060 | # # on a per-interface basis via the 'checksum-checks' | |
1061 | # # option | |
a4ade63e | 1062 | # prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread |
4c6d6c1e | 1063 | # midstream: false # don't allow midstream session pickups |
a4ade63e SS |
1064 | # midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", |
1065 | # # "drop-packet", "pass-packet", "reject" or | |
1066 | # # "ignore" default is "ignore" | |
4c6d6c1e SS |
1067 | # async-oneside: false # don't enable async stream handling |
1068 | # inline: no # stream inline mode | |
1069 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine | |
a4ade63e | 1070 | # max-syn-queued: 10 # Max different SYNs to queue |
4c6d6c1e | 1071 | # max-synack-queued: 5 # Max different SYN/ACKs to queue |
a4ade63e SS |
1072 | # bypass: no # Bypass packets when stream.reassembly.depth is reached. |
1073 | # # Warning: first side to reach this triggers | |
1074 | # # the bypass. | |
1075 | # liberal-timestamps: false # Treat all timestamps as if the Linux policy applies. This | |
1076 | # # means it's slightly more permissive. Enabled by default. | |
4c6d6c1e SS |
1077 | # |
1078 | # reassembly: | |
a4ade63e | 1079 | # memcap: 256mb # Can be specified in kb, mb, gb. Just a number |
4c6d6c1e | 1080 | # # indicates it's in bytes. |
a4ade63e SS |
1081 | # memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", |
1082 | # # "drop-packet", "pass-packet", "reject" or | |
1083 | # # "ignore" default is "ignore" | |
4c6d6c1e SS |
1084 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number |
1085 | # # indicates it's in bytes. | |
1086 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least | |
1087 | # # this size. Can be specified in kb, mb, | |
1088 | # # gb. Just a number indicates it's in bytes. | |
1089 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least | |
1090 | # # this size. Can be specified in kb, mb, | |
1091 | # # gb. Just a number indicates it's in bytes. | |
1092 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. | |
a4ade63e SS |
1093 | # # This lowers the risk of some evasion techniques but could lead |
1094 | # # to detection change between runs. It is set to 'yes' by default. | |
4c6d6c1e SS |
1095 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is |
1096 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size | |
1097 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same | |
1098 | # # calculation for toclient-chunk-size. | |
1099 | # # Default value of randomize-chunk-range is 10. | |
1100 | # | |
1101 | # raw: yes # 'Raw' reassembly enabled or disabled. | |
1102 | # # raw is for content inspection by detection | |
1103 | # # engine. | |
1104 | # | |
1105 | # segment-prealloc: 2048 # number of segments preallocated per thread | |
1106 | # | |
1107 | # check-overlap-different-data: true|false | |
1108 | # # check if a segment contains different data | |
1109 | # # than what we've already seen for that | |
1110 | # # position in the stream. | |
1111 | # # This is enabled automatically if inline mode | |
1112 | # # is used or when stream-event:reassembly_overlap_different_data; | |
1113 | # # is used in a rule. | |
1114 | # | |
1115 | stream: | |
0b340f09 | 1116 | memcap: 256mb |
c9ee3592 | 1117 | prealloc-sessions: 4096 |
a4ade63e SS |
1118 | #memcap-policy: ignore |
1119 | checksum-validation: yes # reject incorrect csums | |
763c7f67 | 1120 | midstream: true |
76ba16ae | 1121 | midstream-policy: pass-flow |
4c6d6c1e | 1122 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically |
9deccd1c | 1123 | bypass: yes # Bypass packets when stream.reassembly.depth is reached. |
4c6d6c1e SS |
1124 | reassembly: |
1125 | memcap: 256mb | |
a4ade63e | 1126 | #memcap-policy: ignore |
4c6d6c1e SS |
1127 | depth: 1mb # reassemble 1mb into a stream |
1128 | toserver-chunk-size: 2560 | |
1129 | toclient-chunk-size: 2560 | |
1130 | randomize-chunk-size: yes | |
a4ade63e | 1131 | #randomize-chunk-range: 10 |
0b340f09 MT |
1132 | raw: yes |
1133 | segment-prealloc: 2048 | |
1134 | check-overlap-different-data: true | |
4c6d6c1e SS |
1135 | |
1136 | # Host table: | |
1137 | # | |
a4ade63e | 1138 | # Host table is used by the tagging and per host thresholding subsystems. |
4c6d6c1e SS |
1139 | # |
1140 | host: | |
1141 | hash-size: 4096 | |
1142 | prealloc: 1000 | |
1143 | memcap: 32mb | |
1144 | ||
1145 | # IP Pair table: | |
1146 | # | |
1147 | # Used by xbits 'ippair' tracking. | |
1148 | # | |
1149 | #ippair: | |
1150 | # hash-size: 4096 | |
1151 | # prealloc: 1000 | |
1152 | # memcap: 32mb | |
1153 | ||
1154 | # Decoder settings | |
1155 | ||
1156 | decoder: | |
1157 | # Teredo decoder is known to not be completely accurate | |
a4ade63e | 1158 | # as it will sometimes detect non-teredo as teredo. |
4c6d6c1e | 1159 | teredo: |
890f1bf2 | 1160 | enabled: false |
a4ade63e SS |
1161 | # ports to look for Teredo. Max 4 ports. If no ports are given, or |
1162 | # the value is set to 'any', Teredo detection runs on _all_ UDP packets. | |
1163 | ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. | |
1164 | ||
1165 | # VXLAN decoder is assigned to up to 4 UDP ports. By default only the | |
1166 | # IANA assigned port 4789 is enabled. | |
1167 | vxlan: | |
1168 | enabled: true | |
1169 | ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'. | |
1170 | ||
1171 | # Geneve decoder is assigned to up to 4 UDP ports. By default only the | |
1172 | # IANA assigned port 6081 is enabled. | |
1173 | geneve: | |
1174 | enabled: true | |
1175 | ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'. | |
4c6d6c1e | 1176 | |
a4ade63e SS |
1177 | # maximum number of decoder layers for a packet |
1178 | # max-layers: 16 | |
4c6d6c1e SS |
1179 | |
1180 | ## | |
1181 | ## Performance tuning and profiling | |
1182 | ## | |
1183 | ||
1184 | # The detection engine builds internal groups of signatures. The engine | |
a4ade63e SS |
1185 | # allows us to specify the profile to use for them, to manage memory in an |
1186 | # efficient way keeping good performance. For the profile keyword you | |
1187 | # can use the words "low", "medium", "high" or "custom". If you use custom, | |
1188 | # make sure to define the values in the "custom-values" section. | |
4c6d6c1e SS |
1189 | # Usually you would prefer medium/high/low. |
1190 | # | |
1191 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | |
1192 | # the signature groups. "single" indicates the use of a single context for | |
1193 | # all the signature group heads. "full" indicates a mpm-context for each | |
1194 | # group head. "auto" lets the engine decide the distribution of contexts | |
1195 | # based on the information the engine gathers on the patterns from each | |
1196 | # group head. | |
1197 | # | |
1198 | # The option inspection-recursion-limit is used to limit the recursive calls | |
1199 | # in the content inspection code. For certain payload-sig combinations, we | |
1200 | # might end up taking too much time in the content inspection code. | |
1201 | # If the argument specified is 0, the engine uses an internally defined | |
a4ade63e | 1202 | # default limit. When a value is not specified, there are no limits on the recursion. |
4c6d6c1e | 1203 | detect: |
a4ade63e | 1204 | profile: medium |
4c6d6c1e | 1205 | custom-values: |
a4ade63e SS |
1206 | toclient-groups: 3 |
1207 | toserver-groups: 25 | |
4c6d6c1e SS |
1208 | sgh-mpm-context: auto |
1209 | inspection-recursion-limit: 3000 | |
1210 | # If set to yes, the loading of signatures will be made after the capture | |
1211 | # is started. This will limit the downtime in IPS mode. | |
99d75ac7 | 1212 | delayed-detect: yes |
4c6d6c1e SS |
1213 | |
1214 | prefilter: | |
1215 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern | |
1216 | # engines. "auto" also sets up prefilter engines for other keywords. | |
1217 | # Use --list-keywords=all to see which keywords support prefiltering. | |
1218 | default: mpm | |
1219 | ||
1220 | # the grouping values above control how many groups are created per | |
a4ade63e | 1221 | # direction. Port whitelisting forces that port to get its own group. |
4c6d6c1e SS |
1222 | # Very common ports will benefit, as well as ports with many expensive |
1223 | # rules. | |
1224 | grouping: | |
1225 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 | |
1226 | #udp-whitelist: 53, 135, 5060 | |
1227 | ||
1228 | profiling: | |
1229 | # Log the rules that made it past the prefilter stage, per packet | |
1230 | # default is off. The threshold setting determines how many rules | |
1231 | # must have made it past pre-filter for that rule to trigger the | |
1232 | # logging. | |
1233 | #inspect-logging-threshold: 200 | |
1234 | grouping: | |
1235 | dump-to-disk: false | |
1236 | include-rules: false # very verbose | |
1237 | include-mpm-stats: false | |
1238 | ||
1239 | # Select the multi pattern algorithm you want to run for scan/search the | |
1240 | # in the engine. | |
1241 | # | |
1242 | # The supported algorithms are: | |
1243 | # "ac" - Aho-Corasick, default implementation | |
1244 | # "ac-bs" - Aho-Corasick, reduced memory implementation | |
4c6d6c1e SS |
1245 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant |
1246 | # "hs" - Hyperscan, available when built with Hyperscan support | |
1247 | # | |
1248 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is | |
1249 | # available, "ac" otherwise. | |
1250 | # | |
1251 | # The mpm you choose also decides the distribution of mpm contexts for | |
1252 | # signature groups, specified by the conf - "detect.sgh-mpm-context". | |
1253 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" | |
1254 | # to be set to "single", because of ac's memory requirements, unless the | |
a4ade63e SS |
1255 | # ruleset is small enough to fit in memory, in which case one can |
1256 | # use "full" with "ac". The rest of the mpms can be run in "full" mode. | |
4c6d6c1e SS |
1257 | |
1258 | mpm-algo: auto | |
1259 | ||
1260 | # Select the matching algorithm you want to use for single-pattern searches. | |
1261 | # | |
1262 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only | |
1263 | # available if Suricata has been built with Hyperscan support). | |
1264 | # | |
1265 | # The default of "auto" will use "hs" if available, otherwise "bm". | |
1266 | ||
1267 | spm-algo: auto | |
1268 | ||
1269 | # Suricata is multi-threaded. Here the threading can be influenced. | |
1270 | threading: | |
f903d3a6 | 1271 | set-cpu-affinity: no |
4c6d6c1e | 1272 | # Tune cpu affinity of threads. Each family of threads can be bound |
a4ade63e | 1273 | # to specific CPUs. |
4c6d6c1e SS |
1274 | # |
1275 | # These 2 apply to the all runmodes: | |
1276 | # management-cpu-set is used for flow timeout handling, counters | |
1277 | # worker-cpu-set is used for 'worker' threads | |
1278 | # | |
1279 | # Additionally, for autofp these apply: | |
1280 | # receive-cpu-set is used for capture threads | |
1281 | # verdict-cpu-set is used for IPS verdict threads | |
1282 | # | |
1283 | cpu-affinity: | |
1284 | - management-cpu-set: | |
a4ade63e | 1285 | cpu: [ 0 ] # include only these CPUs in affinity settings |
4c6d6c1e | 1286 | - receive-cpu-set: |
a4ade63e | 1287 | cpu: [ 0 ] # include only these CPUs in affinity settings |
4c6d6c1e SS |
1288 | - worker-cpu-set: |
1289 | cpu: [ "all" ] | |
1290 | mode: "exclusive" | |
a4ade63e SS |
1291 | # Use explicitly 3 threads and don't compute number by using |
1292 | # detect-thread-ratio variable: | |
1293 | # threads: 3 | |
4c6d6c1e SS |
1294 | prio: |
1295 | low: [ 0 ] | |
1296 | medium: [ "1-2" ] | |
1297 | high: [ 3 ] | |
1298 | default: "medium" | |
a4ade63e SS |
1299 | #- verdict-cpu-set: |
1300 | # cpu: [ 0 ] | |
1301 | # prio: | |
1302 | # default: "high" | |
4c6d6c1e SS |
1303 | # |
1304 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | |
1305 | # This setting allows controlling this behaviour. A ratio setting of 2 will | |
1306 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | |
1307 | # will result in 4 detect threads. If values below 1 are used, less threads | |
1308 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | |
1309 | # thread being created. Regardless of the setting at a minimum 1 detect | |
1310 | # thread will always be created. | |
1311 | # | |
1312 | detect-thread-ratio: 1.0 | |
a4ade63e SS |
1313 | # |
1314 | # By default, the per-thread stack size is left to its default setting. If | |
1315 | # the default thread stack size is too small, use the following configuration | |
1316 | # setting to change the size. Note that if any thread's stack size cannot be | |
1317 | # set to this value, a fatal error occurs. | |
1318 | # | |
1319 | # Generally, the per-thread stack-size should not exceed 8MB. | |
1320 | #stack-size: 8mb |