DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
# the loggers are invoked.
interval: 8
+ # Add decode events as stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
# Configure the type of alert (and other) logging you would like.
outputs:
# a line based alerts log similar to Snort's fast.log
nfq:
mode: repeat
- repeat-mark: 16
- repeat-mask: 16
+ repeat-mark: 1879048192
+ repeat-mask: 1879048192
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
protocols:
+ krb5:
+ enabled: no # Requires rust
+ ikev2:
+ enabled: yes
tls:
enabled: yes
detection-ports:
- dp: "[443,444,465,993,995]"
+ dp: "[443,444,465,853,993,995]"
# Completely stop processing TLS/SSL session after the handshake
# completed. If bypass is enabled this will also trigger flow
tcp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
udp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
http:
enabled: yes
- # memcap: 64mb
+ memcap: 256mb
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
# IIS_7_0, IIS_7_5, Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-limit: 0
+ response-body-limit: 0
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
+ randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
+ randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- # Note: Modbus probe parser is minimalist due to the poor significant field
- # Only Modbus message length (greater than Modbus header length)
- # And Protocol ID (equal to 0) are checked in probing parser
- # It is important to enable detection port and define Modbus port
- # to avoid false positive
- modbus:
- # How many unreplied Modbus requests are considered a flood.
- # If the limit is reached, app-layer-event:modbus.flooded; will match.
- #request-flood: 500
-
- enabled: no
- detection-ports:
- dp: 502
- # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
- # is recommended to keep the TCP connection opened with a remote device
- # and not to open and close it for each MODBUS/TCP transaction. In that
- # case, it is important to set the depth of the stream reassembling as
- # unlimited (stream.reassembly.depth: 0)
-
- # Stream reassembly size for modbus. By default track it completely.
- stream-depth: 0
-
- # DNP3
- dnp3:
- enabled: no
- detection-ports:
- dp: 20000
-
- # SCADA EtherNet/IP and CIP protocol support
- enip:
- enabled: no
- detection-ports:
- dp: 44818
- sp: 44818
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
##
##############################################################################
+##
+## Run Options
+##
+
+# Run suricata as user and group.
+run-as:
+ user: suricata
+ group: suricata
+
# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
-#runmode: autofp
+runmode: workers
# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
#
# # is used in a rule.
#
stream:
- memcap: 64mb
+ memcap: 256mb
+ prealloc-sessions: 4096
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #segment-prealloc: 2048
- #check-overlap-different-data: true
+ raw: yes
+ segment-prealloc: 2048
+ check-overlap-different-data: true
# Host table:
#
# Teredo decoder is known to not be completely accurate
# it will sometimes detect non-teredo as teredo.
teredo:
- enabled: true
+ enabled: false
##
# If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion.
detect:
- profile: high
+ profile: custom
custom-values:
- toclient-groups: 3
- toserver-groups: 25
+ toclient-groups: 200
+ toserver-groups: 200
sgh-mpm-context: auto
inspection-recursion-limit: 3000
+
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
- #delayed-detect: yes
+ delayed-detect: yes
prefilter:
# default prefiltering setting. "mpm" only creates MPM/fast_pattern
- worker-cpu-set:
cpu: [ "all" ]
mode: "exclusive"
- # Use explicitely 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- #- verdict-cpu-set:
- # cpu: [ 0 ]
- # prio:
- # default: "high"
+ - verdict-cpu-set:
+ cpu: [ 0 ]
+ prio:
+ default: "high"
#
# By default Suricata creates one "detect" thread per available CPU/CPU core.
# This setting allows controlling this behaviour. A ratio setting of 2 will
projects / ipfire-2.x.git / blobdiff