X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=config%2Fsuricata%2Fsuricata.yaml;h=e7e27c731e1b7c7b18fe4bc59d6f76fabc99bb00;hp=494d59aad6bcb1edc8848f8aca30fc55af3e54e8;hb=64aed99df6ba3b057c35ebb6b9278a13ae5e575d;hpb=7eed864c93d143ef943b9f3f8bdf7b40a440cb71 diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 494d59aad6..e7e27c731e 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -20,6 +20,7 @@ vars: DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" @@ -62,6 +63,14 @@ stats: # the loggers are invoked. interval: 8 + # Add decode events as stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + # Configure the type of alert (and other) logging you would like. outputs: # a line based alerts log similar to Snort's fast.log @@ -108,7 +117,7 @@ logging: - syslog: enabled: yes facility: local5 - format: "[%i] <%d> -- " + format: "" # type: json ## @@ -117,8 +126,8 @@ logging: nfq: mode: repeat - repeat-mark: 16 - repeat-mask: 16 + repeat-mark: 1879048192 + repeat-mask: 1879048192 # bypass-mark: 1 # bypass-mask: 1 # route-queue: 2 @@ -137,10 +146,14 @@ nfq: # "detection-only" enables protocol detection only (parser disabled). app-layer: protocols: + krb5: + enabled: no # Requires rust + ikev2: + enabled: yes tls: enabled: yes detection-ports: - dp: "[443,444,465,993,995]" + dp: "[443,444,465,853,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow @@ -204,14 +217,14 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb # default-config: Used when no server-config matches # personality: List of personalities used by default @@ -225,32 +238,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 @@ -260,14 +247,8 @@ app-layer: # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0 # response body decompression (0 disables) response-body-decompress-layer-limit: 2 @@ -278,75 +259,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 @@ -358,6 +281,15 @@ asn1-max-frames: 256 ## ############################################################################## +## +## Run Options +## + +# Run suricata as user and group. +run-as: + user: suricata + group: suricata + # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On @@ -385,7 +317,7 @@ max-pending-packets: 1024 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned # load balancing). -#runmode: autofp +runmode: workers # Specifies the kind of flow load balancer used by the flow pinned autofp mode. # @@ -502,12 +434,12 @@ defrag: # in bytes. flow: - memcap: 128mb + memcap: 256mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread + managers: 1 + recyclers: 1 # This option controls the use of vlan ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken) @@ -627,7 +559,8 @@ flow-timeouts: # # is used in a rule. # stream: - memcap: 64mb + memcap: 256mb + prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: @@ -636,10 +569,9 @@ stream: toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true + raw: yes + segment-prealloc: 2048 + check-overlap-different-data: true # Host table: # @@ -665,7 +597,7 @@ decoder: # Teredo decoder is known to not be completely accurate # it will sometimes detect non-teredo as teredo. teredo: - enabled: true + enabled: false ## @@ -692,15 +624,16 @@ decoder: # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect: - profile: high + profile: custom custom-values: - toclient-groups: 3 - toserver-groups: 25 + toclient-groups: 200 + toserver-groups: 200 sgh-mpm-context: auto inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes + delayed-detect: yes prefilter: # default prefiltering setting. "mpm" only creates MPM/fast_pattern @@ -784,18 +717,15 @@ threading: - worker-cpu-set: cpu: [ "all" ] mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 prio: low: [ 0 ] medium: [ "1-2" ] high: [ 3 ] default: "medium" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" + - verdict-cpu-set: + cpu: [ 0 ] + prio: + default: "high" # # By default Suricata creates one "detect" thread per available CPU/CPU core. # This setting allows controlling this behaviour. A ratio setting of 2 will