DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
# the loggers are invoked.
interval: 8
+ # Add decode events as stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
# Configure the type of alert (and other) logging you would like.
outputs:
# a line based alerts log similar to Snort's fast.log
nfq:
mode: repeat
- repeat-mark: 16
- repeat-mask: 16
+ repeat-mark: 1879048192
+ repeat-mask: 1879048192
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
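Review bot: The new `repeat-mark`/`repeat-mask` values on the two added lines are the bare decimal 1879048192, which a reader cannot relate to an nfmark bit pattern without a calculator; the value is 0x70000000, i.e. bits 28-30 of the 32-bit mark. Because a repeat mark only works if no other netfilter user (policy routing, other NFQUEUE consumers) sets or tests the same bits, the choice of bits is a configuration contract worth stating next to the numbers, e.g. `repeat-mark: 1879048192  # 0x70000000 (bits 28-30); must not overlap marks used elsewhere in this netfilter setup` with the same comment on `repeat-mask`. If Suricata's integer parsing accepts a hex literal here, writing `0x70000000` directly would be clearer still, but I cannot confirm that from this page.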
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
protocols:
+ krb5:
+ enabled: no # Requires rust
+ ikev2:
+ enabled: yes
tls:
enabled: yes
detection-ports:
- dp: "[443,444,465,993,995]"
+ dp: "[443,444,465,853,993,995]"
# Completely stop processing TLS/SSL session after the handshake
# completed. If bypass is enabled this will also trigger flow
tcp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
udp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
http:
enabled: yes
- # memcap: 64mb
+ memcap: 256mb
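Review bot: Port 853 is moved from the DNS tcp/udp detection-ports to the TLS list, so on the new side DNS-over-TLS on tcp/853 is classified as TLS only and the DNS parser never sees it; that is the correct classification, but it means `dns.*`-keyword rules will not match that traffic and only TLS-level inspection (SNI, certificates, JA3 if enabled) applies. A one-line comment above the TLS `detection-ports` entry such as `# 853 = DNS-over-TLS; inspected as TLS, not by the DNS parser` would save the next maintainer from re-adding it to the DNS lists. The `# Requires rust` remark on the `krb5` line would also read better as a comment line above `enabled`, matching how the rest of this file comments options; note that `yes`/`no` here are the dialect this file uses throughout, so I would not change them.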
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
# IIS_7_0, IIS_7_5, Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-limit: 0
+ response-body-limit: 0
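Review bot: Setting `request-body-limit` and `response-body-limit` to 0 (the added lines at the end of this hunk) removes the per-transaction cap on buffered HTTP bodies, so a single large upload or download is now held in full, bounded only by the `memcap: 256mb` raised earlier in the diff; presumably this is for complete file extraction, but nothing on the page says so, and the removed comment block that explained these keys (the `request-body-limit:` / `response-body-limit:` descriptions in the deleted documentation) is gone with it. Keep at least that description, and state the intent and the trade-off next to the new values, e.g. `# 0 = no limit: bodies are buffered in full (needed for file extraction); memory is bounded only by memcap above`. The removed `request-body-minimal-inspect-size`, `request-body-inspect-window`, `response-body-minimal-inspect-size` and `response-body-inspect-window` lines fall back to Suricata's built-in defaults rather than the 32kb/4kb/40kb/16kb previously pinned here; if that is deliberate, a comment saying the defaults are intended would prevent someone from reading the deletion as an accident.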
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
+ randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
+ randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- # Note: Modbus probe parser is minimalist due to the poor significant field
- # Only Modbus message length (greater than Modbus header length)
- # And Protocol ID (equal to 0) are checked in probing parser
- # It is important to enable detection port and define Modbus port
- # to avoid false positive
- modbus:
- # How many unreplied Modbus requests are considered a flood.
- # If the limit is reached, app-layer-event:modbus.flooded; will match.
- #request-flood: 500
-
- enabled: no
- detection-ports:
- dp: 502
- # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
- # is recommended to keep the TCP connection opened with a remote device
- # and not to open and close it for each MODBUS/TCP transaction. In that
- # case, it is important to set the depth of the stream reassembling as
- # unlimited (stream.reassembly.depth: 0)
-
- # Stream reassembly size for modbus. By default track it completely.
- stream-depth: 0
-
- # DNP3
- dnp3:
- enabled: no
- detection-ports:
- dp: 20000
-
- # SCADA EtherNet/IP and CIP protocol support
- enip:
- enabled: no
- detection-ports:
- dp: 44818
- sp: 44818
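Review bot: The `modbus`, `dnp3` and `enip` sections are deleted rather than left at `enabled: no`, while `DNP3_SERVER`, `DNP3_CLIENT` and `MODBUS_CLIENT` are still defined in the vars at the top of the diff; whether an absent section leaves those parsers disabled depends on the defaults compiled into this Suricata version, which I cannot verify from the page. If they are meant to stay off, keeping the three stanzas with an explicit `enabled: no` documents that and guards against a default change on upgrade; if they are meant to be unused entirely, the corresponding vars could be dropped too, or a comment left where the sections were, e.g. `# modbus/dnp3/enip: not parsed in this deployment; see vars for the unused address groups`. The deleted `server-config:` key was a bare (null) mapping, so removing it is harmless.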
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
##
##############################################################################
+##
+## Run Options
+##
+
+# Run suricata as user and group.
+run-as:
+ user: suricata
+ group: suricata
+
# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
- worker-cpu-set:
cpu: [ "all" ]
mode: "exclusive"
- # Use explicitely 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- #- verdict-cpu-set:
- # cpu: [ 0 ]
- # prio:
- # default: "high"
+ - verdict-cpu-set:
+ cpu: [ 0 ]
+ prio:
+ default: "high"
#
# By default Suricata creates one "detect" thread per available CPU/CPU core.
# This setting allows controlling this behaviour. A ratio setting of 2 will