X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=config%2Fsuricata%2Fsuricata.yaml;h=e7e27c731e1b7c7b18fe4bc59d6f76fabc99bb00;hp=767f84074a3979a080f45d5ea0df77713eb87555;hb=64aed99df6ba3b057c35ebb6b9278a13ae5e575d;hpb=96495c9aa2a46896ebb5cbbdfa5fd4b961864215 diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 767f84074a..e7e27c731e 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -20,6 +20,7 @@ vars: DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" @@ -62,6 +63,14 @@ stats: # the loggers are invoked. interval: 8 + # Add decode events as stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + # Configure the type of alert (and other) logging you would like. outputs: # a line based alerts log similar to Snort's fast.log @@ -137,6 +146,10 @@ nfq: # "detection-only" enables protocol detection only (parser disabled). app-layer: protocols: + krb5: + enabled: no # Requires rust + ikev2: + enabled: yes tls: enabled: yes detection-ports: @@ -211,7 +224,7 @@ app-layer: dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb # default-config: Used when no server-config matches # personality: List of personalities used by default 
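Review bot: `krb5` is switched off with the note `# Requires rust`, but `ikev2` is switched on right next to it with no such note, although in the Suricata releases that ship a krb5 parser the IKEv2 parser is Rust-based as well; if this build lacks Rust the `enabled: yes` is probably inert, so either confirm the build has Rust support or mark both stanzas the same way. I would also give `ikev2` its own `detection-ports` as the `tls`/`dns` stanzas do, since the hunk does not show where it will be probed. Minor style point: yamllint expects two spaces before an inline comment, i.e. `enabled: no  # Requires rust`.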
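Review bot: The new `memcap: 256mb` under `http:` carries no rationale, and elsewhere in this commit the request/response body limits are set to 0, which makes this memcap the main bound on buffered HTTP body data. A one-line comment would let the next reader size it deliberately: `memcap: 256mb  # raised from 64mb; with body limits at 0 this is the cap on buffered HTTP bodies`. Once deployed it is worth checking the http memcap counters in the stats output to confirm the value is not being hit under normal load.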
@@ -225,32 +238,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 
@@ -260,14 +247,8 @@ app-layer: # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0 # response body decompression (0 disables) response-body-decompress-layer-limit: 2 
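Review bot: `request-body-limit: 0` and `response-body-limit: 0` disable the per-transaction limit on reassembled HTTP bodies, so a client or server streaming large bodies can push buffering up to the HTTP memcap (and, if I read the engine right, up to `stream.reassembly.depth`, which is outside this hunk); that is a deliberate coverage-versus-DoS trade-off and deserves to be written down next to the values. I would add `# 0 = no limit: whole bodies are buffered for inspection; memory is bounded only by the http memcap above, so size it for body floods` above the two lines. Dropping the four `*-minimal-inspect-size` / `*-inspect-window` lines falls back to the engine defaults, which appear to match the removed values, so that part looks behaviour-neutral, but it is worth confirming against the target Suricata version.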
@@ -278,75 +259,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. 
In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 @@ -358,6 +281,15 @@ asn1-max-frames: 256 ## ############################################################################## +## +## Run Options +## + +# Run suricata as user and group. +run-as: + user: suricata + group: suricata + # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On @@ -385,7 +317,7 @@ max-pending-packets: 1024 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned # load balancing). -#runmode: autofp +runmode: workers # Specifies the kind of flow load balancer used by the flow pinned autofp mode. # @@ -692,10 +624,10 @@ decoder: # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect: - profile: high + profile: custom custom-values: - toclient-groups: 3 - toserver-groups: 25 + toclient-groups: 200 + toserver-groups: 200 sgh-mpm-context: auto inspection-recursion-limit: 3000 
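Review bot: The `modbus`, `dnp3` and `enip` stanzas are deleted outright rather than left at `enabled: no`; as far as I recall, a protocol that is absent from `app-layer.protocols` is treated by Suricata as enabled for detection (falling back to built-in ports where it has them), so this may quietly turn the SCADA parsers on instead of keeping them off. Unless that is intended, keep the three blocks with their `enabled: no` lines, or verify the resulting state with `suricata --dump-config` on the target build. Uncommenting `randomize-inspection-sizes: yes` and `randomize-inspection-range: 10` is a no-op per the comments above them, which is fine but could be stated in the commit message.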
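Review bot: The new `run-as: suricata/suricata` stanza has two preconditions that nothing in this file checks: Suricata only performs the privilege drop when built with libcap-ng (otherwise it refuses to start as a non-root user, if I remember the startup check correctly), and with the `nfq` capture used here CAP_NET_ADMIN must be retained across the drop. The log, run and rules directories (`default-log-dir` and friends are outside this hunk) must also be writable by `suricata:suricata` before the first start or logging silently fails. I would add `# needs a libcap-ng build; log/run dirs must be owned by suricata:suricata` above `run-as:` so the packaging side knows what to provide.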
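Review bot: `toclient-groups: 200` and `toserver-groups: 200` replace the previous custom values of 3/25 and go well beyond what the built-in `high` profile uses, which increases signature-group memory and engine start-up time; the change carries no comment explaining the target rule-set size that justifies it. A short note such as `# tuned for the ET/ETPro rule-set size; raises memory and start-up time` (adjusted to the real reason) above `profile: custom` would help, and `sgh-mpm-context: auto` should be stated as intentional alongside it. If the reason is performance, a before/after of `--engine-analysis` or start-up time in the commit message would make the value reviewable.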
@@ -785,18 +717,15 @@ threading: - worker-cpu-set: cpu: [ "all" ] mode: "exclusive" - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 prio: low: [ 0 ] medium: [ "1-2" ] high: [ 3 ] default: "medium" - #- verdict-cpu-set: - # cpu: [ 0 ] - # prio: - # default: "high" + - verdict-cpu-set: + cpu: [ 0 ] + prio: + default: "high" # # By default Suricata creates one "detect" thread per available CPU/CPU core. # This setting allows controlling this behaviour. A ratio setting of 2 will
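Review bot: The newly enabled `verdict-cpu-set` is, as far as I can tell, only consulted by the NFQ autofp runmode, which creates dedicated verdict threads; with `runmode: workers` set earlier in this commit the worker threads issue the verdicts themselves, so this stanza is probably inert. If it is meant as a fallback for autofp, say so with `# only used by the autofp runmode; workers verdict in-thread` above `- verdict-cpu-set:`; otherwise drop it to avoid misleading the next tuner. Note also that `cpu: [ 0 ]` overlaps the `worker-cpu-set` `"all"`/`exclusive` set, so even in autofp a high-priority verdict thread would be competing with a worker on CPU 0.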