suricata: Start capture first and then load rules

[ipfire-2.x.git] / config / suricata / suricata.yaml

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 1a10613af7c9605191aea4df18819453e81fc335..083fc54117c12fd24afe4eef390191dbee4ef629 100644 (file)
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -108,7 +108,7 @@ logging:
   - syslog:
       enabled: yes
       facility: local5
-      format: "[%i] <%d> -- "
+      format: ""
       # type: json
 
 ##
@@ -474,27 +474,13 @@ host-os-policy:
 # Defrag settings:
 
 defrag:
-  memcap: 32mb
+  memcap: 64mb
   hash-size: 65536
   trackers: 65535 # number of defragmented flows to follow
   max-frags: 65535 # number of fragments to keep (higher than trackers)
   prealloc: yes
   timeout: 60
 
-# Enable defrag per host settings
-#  host-config:
-#
-#    - dmz:
-#        timeout: 30
-#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-#    - lan:
-#        timeout: 45
-#        address:
-#          - 192.168.0.0/24
-#          - 192.168.10.0/24
-#          - 172.16.14.0/24
-
 # Flow settings:
 # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 # for flow allocation inside the engine. You can change this value to allow
@@ -516,12 +502,12 @@ defrag:
 # in bytes.
 
 flow:
-  memcap: 128mb
+  memcap: 256mb
   hash-size: 65536
   prealloc: 10000
   emergency-recovery: 30
-  #managers: 1 # default to one flow manager
-  #recyclers: 1 # default to one flow recycler thread
+  managers: 1
+  recyclers: 1
 
 # This option controls the use of vlan ids in the flow (and defrag)
 # hashing. Normally this should be enabled, but in some (broken)
@@ -641,7 +627,8 @@ flow-timeouts:
 #                               # is used in a rule.
 #
 stream:
-  memcap: 64mb
+  memcap: 256mb
+  prealloc-sessions: 4k
   checksum-validation: yes      # reject wrong csums
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
   reassembly:
@@ -650,10 +637,9 @@ stream:
     toserver-chunk-size: 2560
     toclient-chunk-size: 2560
     randomize-chunk-size: yes
-    #randomize-chunk-range: 10
-    #raw: yes
-    #segment-prealloc: 2048
-    #check-overlap-different-data: true
+    raw: yes
+    segment-prealloc: 2048
+    check-overlap-different-data: true
 
 # Host table:
 #
@@ -679,7 +665,7 @@ decoder:
   # Teredo decoder is known to not be completely accurate
   # it will sometimes detect non-teredo as teredo.
   teredo:
-    enabled: true
+    enabled: false
 
 
 ##
@@ -712,9 +698,10 @@ detect:
     toserver-groups: 25
   sgh-mpm-context: auto
   inspection-recursion-limit: 3000
+
   # If set to yes, the loading of signatures will be made after the capture
   # is started. This will limit the downtime in IPS mode.
-  #delayed-detect: yes
+  delayed-detect: yes
 
   prefilter:
     # default prefiltering setting. "mpm" only creates MPM/fast_pattern