]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - config/suricata/suricata.yaml
projects / people / pmueller / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
suricata: Use HOME_NET declaration from external file
[people/pmueller/ipfire-2.x.git] / config / suricata / suricata.yaml
CommitLineData
4c6d6c1e
SS		 1%YAML 1.1
2---
3
4# Suricata configuration file. In addition to the comments describing all
5# options in this file, full documentation can be found at:
6# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7
8##
9## Step 1: inform Suricata about your network
10##
11
12vars:
13 # more specifc is better for alert accuracy and performance
14 address-groups:
42303055
SS		 15 # Include HOME_NET declaration from external file.
16 include /var/ipfire/suricata/suricata-homenet.yaml
4c6d6c1e
SS		 17
18 EXTERNAL_NET: "!$HOME_NET"
19 #EXTERNAL_NET: "any"
20
21 HTTP_SERVERS: "$HOME_NET"
22 SMTP_SERVERS: "$HOME_NET"
23 SQL_SERVERS: "$HOME_NET"
24 DNS_SERVERS: "$HOME_NET"
25 TELNET_SERVERS: "$HOME_NET"
26 AIM_SERVERS: "$EXTERNAL_NET"
27 DNP3_SERVER: "$HOME_NET"
28 DNP3_CLIENT: "$HOME_NET"
29 MODBUS_CLIENT: "$HOME_NET"
30 MODBUS_SERVER: "$HOME_NET"
31 ENIP_CLIENT: "$HOME_NET"
32 ENIP_SERVER: "$HOME_NET"
33
34 port-groups:
35 HTTP_PORTS: "80"
36 SHELLCODE_PORTS: "!80"
37 ORACLE_PORTS: 1521
38 SSH_PORTS: 22
39 DNP3_PORTS: 20000
40 MODBUS_PORTS: 502
41 FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
42 FTP_PORTS: 21
43
44
45##
46## Step 2: select the rules to enable or disable
47##
48
49default-rule-path: /etc/suricata/rules
50rule-files: !include /var/ipfire/suricata/suricata-used-rulefiles.yaml
51
52classification-file: /etc/suricata/classification.config
53reference-config-file: /etc/suricata/reference.config
54# threshold-file: /etc/suricata/threshold.config
55
56
57##
58## Step 3: select outputs to enable
59##
60
61# The default logging directory. Any log or output file will be
62# placed here if its not specified with a full path name. This can be
63# overridden with the -l command line parameter.
64default-log-dir: /var/log/suricata/
65
66# global stats configuration
67stats:
68 enabled: yes
69 # The interval field (in seconds) controls at what interval
70 # the loggers are invoked.
71 interval: 8
72
73# Configure the type of alert (and other) logging you would like.
74outputs:
75 # a line based alerts log similar to Snort's fast.log
76 - fast:
77 enabled: yes
78 filename: fast.log
79 append: yes
80 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
81
82 # Extensible Event Format (nicknamed EVE) event log in JSON format
83 - eve-log:
84 enabled: yes
85 filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
86 filename: eve.json
87 #prefix: "@cee: " # prefix to prepend to each log entry
88 # the following are valid when type: syslog above
89 #identity: "suricata"
90 #facility: local5
91 #level: Info ## possible levels: Emergency, Alert, Critical,
92 ## Error, Warning, Notice, Info, Debug
93 #redis:
94 # server: 127.0.0.1
95 # port: 6379
96 # async: true ## if redis replies are read asynchronously
97 # mode: list ## possible values: list|lpush (default), rpush, channel|publish
98 # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
99 # ## publish is using a Redis channel. "channel" is an alias for publish
100 # key: suricata ## key or channel to use (default to suricata)
101 # Redis pipelining set up. This will enable to only do a query every
102 # 'batch-size' events. This should lower the latency induced by network
103 # connection at the cost of some memory. There is no flushing implemented
104 # so this setting as to be reserved to high traffic suricata.
105 # pipelining:
106 # enabled: yes ## set enable to yes to enable query pipelining
107 # batch-size: 10 ## number of entry to keep in buffer
108 types:
109 - alert:
110 # payload: yes # enable dumping payload in Base64
111 # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
112 # payload-printable: yes # enable dumping payload in printable (lossy) format
113 # packet: yes # enable dumping of packet (without stream segments)
114 # http-body: yes # enable dumping of http body in Base64
115 # http-body-printable: yes # enable dumping of http body in printable format
116 metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
117
118 # Enable the logging of tagged packets for rules using the
119 # "tag" keyword.
120 tagged-packets: yes
121
122 # HTTP X-Forwarded-For support by adding an extra field or overwriting
123 # the source or destination IP address (depending on flow direction)
124 # with the one reported in the X-Forwarded-For HTTP header. This is
125 # helpful when reviewing alerts for traffic that is being reverse
126 # or forward proxied.
127 xff:
128 enabled: no
129 # Two operation modes are available, "extra-data" and "overwrite".
130 mode: extra-data
131 # Two proxy deployments are supported, "reverse" and "forward". In
132 # a "reverse" deployment the IP address used is the last one, in a
133 # "forward" deployment the first IP address is used.
134 deployment: reverse
135 # Header name where the actual IP address will be reported, if more
136 # than one IP address is present, the last IP address will be the
137 # one taken into consideration.
138 header: X-Forwarded-For
139 - http:
140 extended: yes # enable this for extended logging information
141 # custom allows additional http fields to be included in eve-log
142 # the example below adds three additional fields when uncommented
143 #custom: [Accept-Encoding, Accept-Language, Authorization]
144 - dns:
145 # control logging of queries and answers
146 # default yes, no to disable
147 query: yes # enable logging of DNS queries
148 answer: yes # enable logging of DNS answers
149 # control which RR types are logged
150 # all enabled if custom not specified
151 #custom: [a, aaaa, cname, mx, ns, ptr, txt]
152 - tls:
153 extended: yes # enable this for extended logging information
154 # output TLS transaction where the session is resumed using a
155 # session id
156 #session-resumption: no
157 # custom allows to control which tls fields that are included
158 # in eve-log
159 #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
160 - files:
161 force-magic: no # force logging magic on all logged files
162 # force logging of checksums, available hash functions are md5,
163 # sha1 and sha256
164 #force-hash: [md5]
165 #- drop:
166 # alerts: yes # log alerts that caused drops
167 # flows: all # start or all: 'start' logs only a single drop
168 # # per flow direction. All logs each dropped pkt.
169 - smtp:
170 #extended: yes # enable this for extended logging information
171 # this includes: bcc, message-id, subject, x_mailer, user-agent
172 # custom fields logging from the list:
173 # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
174 # x-originating-ip, in-reply-to, references, importance, priority,
175 # sensitivity, organization, content-md5, date
176 #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
177 # output md5 of fields: body, subject
178 # for the body you need to set app-layer.protocols.smtp.mime.body-md5
179 # to yes
180 #md5: [body, subject]
181
182 #- dnp3
183 #- nfs
184 - ssh
185 - stats:
186 totals: yes # stats for all threads merged together
187 threads: no # per thread stats
188 deltas: no # include delta values
189 # bi-directional flows
190 - flow
191 # uni-directional flows
192 #- netflow
193 # Vars log flowbits and other packet and flow vars
194 #- vars
195
196 # alert output for use with Barnyard2
197 - unified2-alert:
198 enabled: no
199 filename: unified2.alert
200
201 # File size limit. Can be specified in kb, mb, gb. Just a number
202 # is parsed as bytes.
203 #limit: 32mb
204
205 # By default unified2 log files have the file creation time (in
206 # unix epoch format) appended to the filename. Set this to yes to
207 # disable this behaviour.
208 #nostamp: no
209
210 # Sensor ID field of unified2 alerts.
211 #sensor-id: 0
212
213 # Include payload of packets related to alerts. Defaults to true, set to
214 # false if payload is not required.
215 #payload: yes
216
217 # HTTP X-Forwarded-For support by adding the unified2 extra header or
218 # overwriting the source or destination IP address (depending on flow
219 # direction) with the one reported in the X-Forwarded-For HTTP header.
220 # This is helpful when reviewing alerts for traffic that is being reverse
221 # or forward proxied.
222 xff:
223 enabled: no
224 # Two operation modes are available, "extra-data" and "overwrite". Note
225 # that in the "overwrite" mode, if the reported IP address in the HTTP
226 # X-Forwarded-For header is of a different version of the packet
227 # received, it will fall-back to "extra-data" mode.
228 mode: extra-data
229 # Two proxy deployments are supported, "reverse" and "forward". In
230 # a "reverse" deployment the IP address used is the last one, in a
231 # "forward" deployment the first IP address is used.
232 deployment: reverse
233 # Header name where the actual IP address will be reported, if more
234 # than one IP address is present, the last IP address will be the
235 # one taken into consideration.
236 header: X-Forwarded-For
237
238 # a line based log of HTTP requests (no alerts)
239 - http-log:
240 enabled: no
241 filename: http.log
242 append: yes
243 #extended: yes # enable this for extended logging information
244 #custom: yes # enabled the custom logging format (defined by customformat)
245 #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
246 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
247
248 # a line based log of TLS handshake parameters (no alerts)
249 - tls-log:
250 enabled: no # Log TLS connections.
251 filename: tls.log # File to store TLS logs.
252 append: yes
253 #extended: yes # Log extended information like fingerprint
254 #custom: yes # enabled the custom logging format (defined by customformat)
255 #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
256 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
257 # output TLS transaction where the session is resumed using a
258 # session id
259 #session-resumption: no
260
261 # output module to store certificates chain to disk
262 - tls-store:
263 enabled: no
264 #certs-log-dir: certs # directory to store the certificates files
265
266 # a line based log of DNS requests and/or replies (no alerts)
267 - dns-log:
268 enabled: no
269 filename: dns.log
270 append: yes
271 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
272
273 # Packet log... log packets in pcap format. 3 modes of operation: "normal"
274 # "multi" and "sguil".
275 #
276 # In normal mode a pcap file "filename" is created in the default-log-dir,
277 # or are as specified by "dir".
278 # In multi mode, a file is created per thread. This will perform much
279 # better, but will create multiple files where 'normal' would create one.
280 # In multi mode the filename takes a few special variables:
281 # - %n -- thread number
282 # - %i -- thread id
283 # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
284 # E.g. filename: pcap.%n.%t
285 #
286 # Note that it's possible to use directories, but the directories are not
287 # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
288 # per thread directory.
289 #
290 # Also note that the limit and max-files settings are enforced per thread.
291 # So the size limit when using 8 threads with 1000mb files and 2000 files
292 # is: 8*1000*2000 ~ 16TiB.
293 #
294 # In Sguil mode "dir" indicates the base directory. In this base dir the
295 # pcaps are created in th directory structure Sguil expects:
296 #
297 # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
298 #
299 # By default all packets are logged except:
300 # - TCP streams beyond stream.reassembly.depth
301 # - encrypted streams after the key exchange
302 #
303 - pcap-log:
304 enabled: no
305 filename: log.pcap
306
307 # File size limit. Can be specified in kb, mb, gb. Just a number
308 # is parsed as bytes.
309 limit: 1000mb
310
311 # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
312 max-files: 2000
313
314 mode: normal # normal, multi or sguil.
315
316 # Directory to place pcap files. If not provided the default log
317 # directory will be used. Required for "sguil" mode.
318 #dir: /nsm_data/
319
320 #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
321 use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
322 honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
323
324 # a full alerts log containing much information for signature writers
325 # or for investigating suspected false positives.
326 - alert-debug:
327 enabled: no
328 filename: alert-debug.log
329 append: yes
330 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
331
332 # alert output to prelude (http://www.prelude-technologies.com/) only
333 # available if Suricata has been compiled with --enable-prelude
334 - alert-prelude:
335 enabled: no
336 profile: suricata
337 log-packet-content: no
338 log-packet-header: yes
339
340 # Stats.log contains data from various counters of the suricata engine.
341 - stats:
342 enabled: yes
343 filename: stats.log
344 append: yes # append to file (yes) or overwrite it (no)
345 totals: yes # stats for all threads merged together
346 threads: no # per thread stats
347 #null-values: yes # print counters that have value 0
348
349 # a line based alerts log similar to fast.log into syslog
350 - syslog:
351 enabled: no
352 # reported identity to syslog. If ommited the program name (usually
353 # suricata) will be used.
354 #identity: "suricata"
355 facility: local5
356 #level: Info ## possible levels: Emergency, Alert, Critical,
357 ## Error, Warning, Notice, Info, Debug
358
359 # a line based information for dropped packets in IPS mode
360 - drop:
361 enabled: no
362 filename: drop.log
363 append: yes
364 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
365
366 # output module to store extracted files to disk
367 #
368 # The files are stored to the log-dir in a format "file.<id>" where <id> is
369 # an incrementing number starting at 1. For each file "file.<id>" a meta
370 # file "file.<id>.meta" is created.
371 #
372 # File extraction depends on a lot of things to be fully done:
373 # - file-store stream-depth. For optimal results, set this to 0 (unlimited)
374 # - http request / response body sizes. Again set to 0 for optimal results.
375 # - rules that contain the "filestore" keyword.
376 - file-store:
377 enabled: no # set to yes to enable
378 log-dir: files # directory to store the files
379 force-magic: no # force logging magic on all stored files
380 # force logging of checksums, available hash functions are md5,
381 # sha1 and sha256
382 #force-hash: [md5]
383 force-filestore: no # force storing of all files
384 # override global stream-depth for sessions in which we want to
385 # perform file extraction. Set to 0 for unlimited.
386 #stream-depth: 0
387 #waldo: file.waldo # waldo file to store the file_id across runs
388 # uncomment to disable meta file writing
389 #write-meta: no
390 # uncomment the following variable to define how many files can
391 # remain open for filestore by Suricata. Default value is 0 which
392 # means files get closed after each write
393 #max-open-files: 1000
394
395 # output module to log files tracked in a easily parsable json format
396 - file-log:
397 enabled: no
398 filename: files-json.log
399 append: yes
400 #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
401
402 force-magic: no # force logging magic on all logged files
403 # force logging of checksums, available hash functions are md5,
404 # sha1 and sha256
405 #force-hash: [md5]
406
407 # Log TCP data after stream normalization
408 # 2 types: file or dir. File logs into a single logfile. Dir creates
409 # 2 files per TCP session and stores the raw TCP data into them.
410 # Using 'both' will enable both file and dir modes.
411 #
412 # Note: limited by stream.depth
413 - tcp-data:
414 enabled: no
415 type: file
416 filename: tcp-data.log
417
418 # Log HTTP body data after normalization, dechunking and unzipping.
419 # 2 types: file or dir. File logs into a single logfile. Dir creates
420 # 2 files per HTTP session and stores the normalized data into them.
421 # Using 'both' will enable both file and dir modes.
422 #
423 # Note: limited by the body limit settings
424 - http-body-data:
425 enabled: no
426 type: file
427 filename: http-data.log
428
429 # Lua Output Support - execute lua script to generate alert and event
430 # output.
431 # Documented at:
432 # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
433 - lua:
434 enabled: no
435 #scripts-dir: /etc/suricata/lua-output/
436 scripts:
437 # - script1.lua
438
439# Logging configuration. This is not about logging IDS alerts/events, but
440# output about what Suricata is doing, like startup messages, errors, etc.
441logging:
442 # The default log level, can be overridden in an output section.
443 # Note that debug level logging will only be emitted if Suricata was
444 # compiled with the --enable-debug configure option.
445 #
446 # This value is overriden by the SC_LOG_LEVEL env var.
447 default-log-level: notice
448
449 # The default output format. Optional parameter, should default to
450 # something reasonable if not provided. Can be overriden in an
451 # output section. You can leave this out to get the default.
452 #
453 # This value is overriden by the SC_LOG_FORMAT env var.
454 #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
455
456 # A regex to filter output. Can be overridden in an output section.
457 # Defaults to empty (no filter).
458 #
459 # This value is overriden by the SC_LOG_OP_FILTER env var.
460 default-output-filter:
461
462 # Define your logging outputs. If none are defined, or they are all
463 # disabled you will get the default - console output.
464 outputs:
465 - console:
466 enabled: yes
467 # type: json
468 - file:
469 enabled: yes
470 level: info
471 filename: /var/log/suricata/suricata.log
472 # type: json
473 - syslog:
474 enabled: no
475 facility: local5
476 format: "[%i] <%d> -- "
477 # type: json
478
479
480##
481## Step 4: configure common capture settings
482##
483## See "Advanced Capture Options" below for more options, including NETMAP
484## and PF_RING.
485##
486
487# Linux high speed capture support
488af-packet:
489 - interface: eth0
490 # Number of receive threads. "auto" uses the number of cores
491 #threads: auto
492 # Default clusterid. AF_PACKET will load balance packets based on flow.
493 cluster-id: 99
494 # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
495 # This is only supported for Linux kernel > 3.1
496 # possible value are:
497 # * cluster_round_robin: round robin load balancing
498 # * cluster_flow: all packets of a given flow are send to the same socket
499 # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
500 # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
501 # socket. Requires at least Linux 3.14.
502 # * cluster_random: packets are sent randomly to sockets but with an equipartition.
503 # Requires at least Linux 3.14.
504 # * cluster_rollover: kernel rotates between sockets filling each socket before moving
505 # to the next. Requires at least Linux 3.10.
506 # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
507 # with capture card using RSS (require cpu affinity tuning and system irq tuning)
508 cluster-type: cluster_flow
509 # In some fragmentation case, the hash can not be computed. If "defrag" is set
510 # to yes, the kernel will do the needed defragmentation before sending the packets.
511 defrag: yes
512 # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
513 # full then kernel will send the packet on the next socket with room available. This option
514 # can minimize packet drop and increase the treated bandwidth on single intensive flow.
515 #rollover: yes
516 # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
517 #use-mmap: yes
518 # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
519 # your system
520 #mmap-locked: yes
521 # Use tpacket_v3 capture mode, only active if use-mmap is true
522 # Don't use it in IPS or TAP mode as it causes severe latency
523 #tpacket-v3: yes
524 # Ring size will be computed with respect to max_pending_packets and number
525 # of threads. You can set manually the ring size in number of packets by setting
526 # the following value. If you are using flow cluster-type and have really network
527 # intensive single-flow you could want to set the ring-size independently of the number
528 # of threads:
529 #ring-size: 2048
530 # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
531 # a decent number of packets. Size is in bytes so please consider your MTU. It should be
532 # a power of 2 and it must be multiple of page size (usually 4096).
533 #block-size: 32768
534 # tpacket_v3 block timeout: an open block is passed to userspace if it is not
535 # filled after block-timeout milliseconds.
536 #block-timeout: 10
537 # On busy system, this could help to set it to yes to recover from a packet drop
538 # phase. This will result in some packets (at max a ring flush) being non treated.
539 #use-emergency-flush: yes
540 # recv buffer size, increase value could improve performance
541 # buffer-size: 32768
542 # Set to yes to disable promiscuous mode
543 # disable-promisc: no
544 # Choose checksum verification mode for the interface. At the moment
545 # of the capture, some packets may be with an invalid checksum due to
546 # offloading to the network card of the checksum computation.
547 # Possible values are:
548 # - kernel: use indication sent by kernel for each packet (default)
549 # - yes: checksum validation is forced
550 # - no: checksum validation is disabled
551 # - auto: suricata uses a statistical approach to detect when
552 # checksum off-loading is used.
553 # Warning: 'checksum-validation' must be set to yes to have any validation
554 #checksum-checks: kernel
555 # BPF filter to apply to this interface. The pcap filter syntax apply here.
556 #bpf-filter: port 80 or udp
557 # You can use the following variables to activate AF_PACKET tap or IPS mode.
558 # If copy-mode is set to ips or tap, the traffic coming to the current
559 # interface will be copied to the copy-iface interface. If 'tap' is set, the
560 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
561 # will not be copied.
562 #copy-mode: ips
563 #copy-iface: eth1
564
565 # Put default values here. These will be used for an interface that is not
566 # in the list above.
567 - interface: default
568 #threads: auto
569 #use-mmap: no
570 #rollover: yes
571 #tpacket-v3: yes
572
573# Cross platform libpcap capture support
574pcap:
575 - interface: eth0
576 # On Linux, pcap will try to use mmaped capture and will use buffer-size
577 # as total of memory used by the ring. So set this to something bigger
578 # than 1% of your bandwidth.
579 #buffer-size: 16777216
580 #bpf-filter: "tcp and port 25"
581 # Choose checksum verification mode for the interface. At the moment
582 # of the capture, some packets may be with an invalid checksum due to
583 # offloading to the network card of the checksum computation.
584 # Possible values are:
585 # - yes: checksum validation is forced
586 # - no: checksum validation is disabled
587 # - auto: suricata uses a statistical approach to detect when
588 # checksum off-loading is used. (default)
589 # Warning: 'checksum-validation' must be set to yes to have any validation
590 #checksum-checks: auto
591 # With some accelerator cards using a modified libpcap (like myricom), you
592 # may want to have the same number of capture threads as the number of capture
593 # rings. In this case, set up the threads variable to N to start N threads
594 # listening on the same interface.
595 #threads: 16
596 # set to no to disable promiscuous mode:
597 #promisc: no
598 # set snaplen, if not set it defaults to MTU if MTU can be known
599 # via ioctl call and to full capture if not.
600 #snaplen: 1518
601 # Put default values here
602 - interface: default
603 #checksum-checks: auto
604
605# Settings for reading pcap files
606pcap-file:
607 # Possible values are:
608 # - yes: checksum validation is forced
609 # - no: checksum validation is disabled
610 # - auto: suricata uses a statistical approach to detect when
611 # checksum off-loading is used. (default)
612 # Warning: 'checksum-validation' must be set to yes to have checksum tested
613 checksum-checks: auto
614
615# See "Advanced Capture Options" below for more options, including NETMAP
616# and PF_RING.
617
618
619##
620## Step 5: App Layer Protocol Configuration
621##
622
623# Configure the app-layer parsers. The protocols section details each
624# protocol.
625#
626# The option "enabled" takes 3 values - "yes", "no", "detection-only".
627# "yes" enables both detection and the parser, "no" disables both, and
628# "detection-only" enables protocol detection only (parser disabled).
629app-layer:
630 protocols:
631 tls:
632 enabled: yes
633 detection-ports:
634 dp: 443
635
636 # Completely stop processing TLS/SSL session after the handshake
637 # completed. If bypass is enabled this will also trigger flow
638 # bypass. If disabled (the default), TLS/SSL session is still
639 # tracked for Heartbleed and other anomalies.
640 #no-reassemble: yes
641 dcerpc:
642 enabled: yes
643 ftp:
644 enabled: yes
645 ssh:
646 enabled: yes
647 smtp:
648 enabled: yes
649 # Configure SMTP-MIME Decoder
650 mime:
651 # Decode MIME messages from SMTP transactions
652 # (may be resource intensive)
653 # This field supercedes all others because it turns the entire
654 # process on or off
655 decode-mime: yes
656
657 # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
658 decode-base64: yes
659 decode-quoted-printable: yes
660
661 # Maximum bytes per header data value stored in the data structure
662 # (default is 2000)
663 header-value-depth: 2000
664
665 # Extract URLs and save in state data structure
666 extract-urls: yes
667 # Set to yes to compute the md5 of the mail body. You will then
668 # be able to journalize it.
669 body-md5: no
670 # Configure inspected-tracker for file_data keyword
671 inspected-tracker:
672 content-limit: 100000
673 content-inspect-min-size: 32768
674 content-inspect-window: 4096
675 imap:
676 enabled: detection-only
677 msn:
678 enabled: detection-only
679 smb:
680 enabled: yes
681 detection-ports:
682 dp: 139, 445
683 # smb2 detection is disabled internally inside the engine.
684 #smb2:
685 # enabled: yes
686 # Note: NFS parser depends on Rust support: pass --enable-rust
687 # to configure.
688 nfs:
689 enabled: no
690 dns:
691 # memcaps. Globally and per flow/state.
692 #global-memcap: 16mb
693 #state-memcap: 512kb
694
695 # How many unreplied DNS requests are considered a flood.
696 # If the limit is reached, app-layer-event:dns.flooded; will match.
697 #request-flood: 500
698
699 tcp:
700 enabled: yes
701 detection-ports:
702 dp: 53
703 udp:
704 enabled: yes
705 detection-ports:
706 dp: 53
707 http:
708 enabled: yes
709 # memcap: 64mb
710
711 # default-config: Used when no server-config matches
712 # personality: List of personalities used by default
713 # request-body-limit: Limit reassembly of request body for inspection
714 # by http_client_body & pcre /P option.
715 # response-body-limit: Limit reassembly of response body for inspection
716 # by file_data, http_server_body & pcre /Q option.
717 # double-decode-path: Double decode path section of the URI
718 # double-decode-query: Double decode query section of the URI
719 # response-body-decompress-layer-limit:
720 # Limit to how many layers of compression will be
721 # decompressed. Defaults to 2.
722 #
723 # server-config: List of server configurations to use if address matches
724 # address: List of ip addresses or networks for this block
725 # personalitiy: List of personalities used by this block
726 # request-body-limit: Limit reassembly of request body for inspection
727 # by http_client_body & pcre /P option.
728 # response-body-limit: Limit reassembly of response body for inspection
729 # by file_data, http_server_body & pcre /Q option.
730 # double-decode-path: Double decode path section of the URI
731 # double-decode-query: Double decode query section of the URI
732 #
733 # uri-include-all: Include all parts of the URI. By default the
734 # 'scheme', username/password, hostname and port
735 # are excluded. Setting this option to true adds
736 # all of them to the normalized uri as inspected
737 # by http_uri, urilen, pcre with /U and the other
738 # keywords that inspect the normalized uri.
739 # Note that this does not affect http_raw_uri.
740 # Also, note that including all was the default in
741 # 1.4 and 2.0beta1.
742 #
743 # meta-field-limit: Hard size limit for request and response size
744 # limits. Applies to request line and headers,
745 # response line and headers. Does not apply to
746 # request or response bodies. Default is 18k.
747 # If this limit is reached an event is raised.
748 #
749 # Currently Available Personalities:
750 # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
751 # IIS_7_0, IIS_7_5, Apache_2
752 libhtp:
753 default-config:
754 personality: IDS
755
756 # Can be specified in kb, mb, gb. Just a number indicates
757 # it's in bytes.
758 request-body-limit: 100kb
759 response-body-limit: 100kb
760
761 # inspection limits
762 request-body-minimal-inspect-size: 32kb
763 request-body-inspect-window: 4kb
764 response-body-minimal-inspect-size: 40kb
765 response-body-inspect-window: 16kb
766
767 # response body decompression (0 disables)
768 response-body-decompress-layer-limit: 2
769
770 # auto will use http-body-inline mode in IPS mode, yes or no set it statically
771 http-body-inline: auto
772
773 # Take a random value for inspection sizes around the specified value.
774 # This lower the risk of some evasion technics but could lead
775 # detection change between runs. It is set to 'yes' by default.
776 #randomize-inspection-sizes: yes
777 # If randomize-inspection-sizes is active, the value of various
778 # inspection size will be choosen in the [1 - range%, 1 + range%]
779 # range
780 # Default value of randomize-inspection-range is 10.
781 #randomize-inspection-range: 10
782
783 # decoding
784 double-decode-path: no
785 double-decode-query: no
786
787 server-config:
788
789 #- apache:
790 # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
791 # personality: Apache_2
792 # # Can be specified in kb, mb, gb. Just a number indicates
793 # # it's in bytes.
794 # request-body-limit: 4096
795 # response-body-limit: 4096
796 # double-decode-path: no
797 # double-decode-query: no
798
799 #- iis7:
800 # address:
801 # - 192.168.0.0/24
802 # - 192.168.10.0/24
803 # personality: IIS_7_0
804 # # Can be specified in kb, mb, gb. Just a number indicates
805 # # it's in bytes.
806 # request-body-limit: 4096
807 # response-body-limit: 4096
808 # double-decode-path: no
809 # double-decode-query: no
810
811 # Note: Modbus probe parser is minimalist due to the poor significant field
812 # Only Modbus message length (greater than Modbus header length)
813 # And Protocol ID (equal to 0) are checked in probing parser
814 # It is important to enable detection port and define Modbus port
815 # to avoid false positive
816 modbus:
817 # How many unreplied Modbus requests are considered a flood.
818 # If the limit is reached, app-layer-event:modbus.flooded; will match.
819 #request-flood: 500
820
821 enabled: no
822 detection-ports:
823 dp: 502
824 # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
825 # is recommended to keep the TCP connection opened with a remote device
826 # and not to open and close it for each MODBUS/TCP transaction. In that
827 # case, it is important to set the depth of the stream reassembling as
828 # unlimited (stream.reassembly.depth: 0)
829
830 # Stream reassembly size for modbus. By default track it completely.
831 stream-depth: 0
832
833 # DNP3
834 dnp3:
835 enabled: no
836 detection-ports:
837 dp: 20000
838
839 # SCADA EtherNet/IP and CIP protocol support
840 enip:
841 enabled: no
842 detection-ports:
843 dp: 44818
844 sp: 44818
845
846 # Note: parser depends on experimental Rust support
847 # with --enable-rust-experimental passed to configure
848 ntp:
849 enabled: no
850
851# Limit for the maximum number of asn1 frames to decode (default 256)
852asn1-max-frames: 256
853
854
855##############################################################################
856##
857## Advanced settings below
858##
859##############################################################################
860
861##
862## Run Options
863##
864
865# Run suricata as user and group.
866#run-as:
867# user: suri
868# group: suri
869
870# Some logging module will use that name in event as identifier. The default
871# value is the hostname
872#sensor-name: suricata
873
874# Default location of the pid file. The pid file is only used in
875# daemon mode (start Suricata with -D). If not running in daemon mode
876# the --pidfile command line option must be used to create a pid file.
877#pid-file: /var/run/suricata.pid
878
879# Daemon working directory
880# Suricata will change directory to this one if provided
881# Default: "/"
882#daemon-directory: "/"
883
884# Suricata core dump configuration. Limits the size of the core dump file to
885# approximately max-dump. The actual core dump size will be a multiple of the
886# page size. Core dumps that would be larger than max-dump are truncated. On
887# Linux, the actual core dump size may be a few pages larger than max-dump.
888# Setting max-dump to 0 disables core dumping.
889# Setting max-dump to 'unlimited' will give the full core dump file.
890# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
891# to be 'unlimited'.
892
893coredump:
894 max-dump: unlimited
895
896# If suricata box is a router for the sniffed networks, set it to 'router'. If
897# it is a pure sniffing setup, set it to 'sniffer-only'.
898# If set to auto, the variable is internally switch to 'router' in IPS mode
899# and 'sniffer-only' in IDS mode.
900# This feature is currently only used by the reject* keywords.
901host-mode: auto
902
903# Number of packets preallocated per thread. The default is 1024. A higher number
904# will make sure each CPU will be more easily kept busy, but may negatively
905# impact caching.
906#
907# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
908# apply. In that case try something like 60000 or more. This is because the CUDA
909# pattern matcher buffers and scans as many packets as possible in parallel.
910#max-pending-packets: 1024
911
912# Runmode the engine should use. Please check --list-runmodes to get the available
913# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
914# load balancing).
915#runmode: autofp
916
917# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
918#
919# Supported schedulers are:
920#
921# round-robin - Flows assigned to threads in a round robin fashion.
922# active-packets - Flows assigned to threads that have the lowest number of
923# unprocessed packets (default).
924# hash - Flow alloted usihng the address hash. More of a random
925# technique. Was the default in Suricata 1.2.1 and older.
926#
927#autofp-scheduler: active-packets
928
929# Preallocated size for packet. Default is 1514 which is the classical
930# size for pcap on ethernet. You should adjust this value to the highest
931# packet size (MTU + hardware header) on your system.
932#default-packet-size: 1514
933
934# Unix command socket can be used to pass commands to suricata.
935# An external tool can then connect to get information from suricata
936# or trigger some modifications of the engine. Set enabled to yes
937# to activate the feature. In auto mode, the feature will only be
938# activated in live capture mode. You can use the filename variable to set
939# the file name of the socket.
940unix-command:
941 enabled: auto
942 #filename: custom.socket
943
944# Magic file. The extension .mgc is added to the value here.
945#magic-file: /usr/share/file/magic
946#magic-file:
947
948legacy:
949 uricontent: enabled
950
951##
952## Detection settings
953##
954
955# Set the order of alerts bassed on actions
956# The default order is pass, drop, reject, alert
957# action-order:
958# - pass
959# - drop
960# - reject
961# - alert
962
963# IP Reputation
964#reputation-categories-file: /etc/suricata/iprep/categories.txt
965#default-reputation-path: /etc/suricata/iprep
966#reputation-files:
967# - reputation.list
968
969# When run with the option --engine-analysis, the engine will read each of
970# the parameters below, and print reports for each of the enabled sections
971# and exit. The reports are printed to a file in the default log dir
972# given by the parameter "default-log-dir", with engine reporting
973# subsection below printing reports in its own report file.
974engine-analysis:
975 # enables printing reports for fast-pattern for every rule.
976 rules-fast-pattern: yes
977 # enables printing reports for each rule
978 rules: yes
979
980#recursion and match limits for PCRE where supported
981pcre:
982 match-limit: 3500
983 match-limit-recursion: 1500
984
985##
986## Advanced Traffic Tracking and Reconstruction Settings
987##
988
989# Host specific policies for defragmentation and TCP stream
990# reassembly. The host OS lookup is done using a radix tree, just
991# like a routing table so the most specific entry matches.
992host-os-policy:
993 # Make the default policy windows.
994 windows: [0.0.0.0/0]
995 bsd: []
996 bsd-right: []
997 old-linux: []
998 linux: []
999 old-solaris: []
1000 solaris: []
1001 hpux10: []
1002 hpux11: []
1003 irix: []
1004 macos: []
1005 vista: []
1006 windows2k3: []
1007
1008# Defrag settings:
1009
1010defrag:
1011 memcap: 32mb
1012 hash-size: 65536
1013 trackers: 65535 # number of defragmented flows to follow
1014 max-frags: 65535 # number of fragments to keep (higher than trackers)
1015 prealloc: yes
1016 timeout: 60
1017
1018# Enable defrag per host settings
1019# host-config:
1020#
1021# - dmz:
1022# timeout: 30
1023# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
1024#
1025# - lan:
1026# timeout: 45
1027# address:
1028# - 192.168.0.0/24
1029# - 192.168.10.0/24
1030# - 172.16.14.0/24
1031
1032# Flow settings:
1033# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
1034# for flow allocation inside the engine. You can change this value to allow
1035# more memory usage for flows.
1036# The hash-size determine the size of the hash used to identify flows inside
1037# the engine, and by default the value is 65536.
1038# At the startup, the engine can preallocate a number of flows, to get a better
1039# performance. The number of flows preallocated is 10000 by default.
1040# emergency-recovery is the percentage of flows that the engine need to
1041# prune before unsetting the emergency state. The emergency state is activated
1042# when the memcap limit is reached, allowing to create new flows, but
1043# prunning them with the emergency timeouts (they are defined below).
1044# If the memcap is reached, the engine will try to prune flows
1045# with the default timeouts. If it doens't find a flow to prune, it will set
1046# the emergency bit and it will try again with more agressive timeouts.
1047# If that doesn't work, then it will try to kill the last time seen flows
1048# not in use.
1049# The memcap can be specified in kb, mb, gb. Just a number indicates it's
1050# in bytes.
1051
1052flow:
1053 memcap: 128mb
1054 hash-size: 65536
1055 prealloc: 10000
1056 emergency-recovery: 30
1057 #managers: 1 # default to one flow manager
1058 #recyclers: 1 # default to one flow recycler thread
1059
1060# This option controls the use of vlan ids in the flow (and defrag)
1061# hashing. Normally this should be enabled, but in some (broken)
1062# setups where both sides of a flow are not tagged with the same vlan
1063# tag, we can ignore the vlan id's in the flow hashing.
1064vlan:
1065 use-for-tracking: true
1066
1067# Specific timeouts for flows. Here you can specify the timeouts that the
1068# active flows will wait to transit from the current state to another, on each
1069# protocol. The value of "new" determine the seconds to wait after a hanshake or
1070# stream startup before the engine free the data of that flow it doesn't
1071# change the state to established (usually if we don't receive more packets
1072# of that flow). The value of "established" is the amount of
1073# seconds that the engine will wait to free the flow if it spend that amount
1074# without receiving new packets or closing the connection. "closed" is the
1075# amount of time to wait after a flow is closed (usually zero). "bypassed"
1076# timeout controls locally bypassed flows. For these flows we don't do any other
1077# tracking. If no packets have been seen after this timeout, the flow is discarded.
1078#
1079# There's an emergency mode that will become active under attack circumstances,
1080# making the engine to check flow status faster. This configuration variables
1081# use the prefix "emergency-" and work similar as the normal ones.
1082# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
1083# icmp.
1084
1085flow-timeouts:
1086
1087 default:
1088 new: 30
1089 established: 300
1090 closed: 0
1091 bypassed: 100
1092 emergency-new: 10
1093 emergency-established: 100
1094 emergency-closed: 0
1095 emergency-bypassed: 50
1096 tcp:
1097 new: 60
1098 established: 600
1099 closed: 60
1100 bypassed: 100
1101 emergency-new: 5
1102 emergency-established: 100
1103 emergency-closed: 10
1104 emergency-bypassed: 50
1105 udp:
1106 new: 30
1107 established: 300
1108 bypassed: 100
1109 emergency-new: 10
1110 emergency-established: 100
1111 emergency-bypassed: 50
1112 icmp:
1113 new: 30
1114 established: 300
1115 bypassed: 100
1116 emergency-new: 10
1117 emergency-established: 100
1118 emergency-bypassed: 50
1119
1120# Stream engine settings. Here the TCP stream tracking and reassembly
1121# engine is configured.
1122#
1123# stream:
1124# memcap: 32mb # Can be specified in kb, mb, gb. Just a
1125# # number indicates it's in bytes.
1126# checksum-validation: yes # To validate the checksum of received
1127# # packet. If csum validation is specified as
1128# # "yes", then packet with invalid csum will not
1129# # be processed by the engine stream/app layer.
1130# # Warning: locally generated trafic can be
1131# # generated without checksum due to hardware offload
1132# # of checksum. You can control the handling of checksum
1133# # on a per-interface basis via the 'checksum-checks'
1134# # option
1135# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
1136# midstream: false # don't allow midstream session pickups
1137# async-oneside: false # don't enable async stream handling
1138# inline: no # stream inline mode
1139# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
1140# max-synack-queued: 5 # Max different SYN/ACKs to queue
1141# bypass: no # Bypass packets when stream.depth is reached
1142#
1143# reassembly:
1144# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
1145# # indicates it's in bytes.
1146# depth: 1mb # Can be specified in kb, mb, gb. Just a number
1147# # indicates it's in bytes.
1148# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
1149# # this size. Can be specified in kb, mb,
1150# # gb. Just a number indicates it's in bytes.
1151# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
1152# # this size. Can be specified in kb, mb,
1153# # gb. Just a number indicates it's in bytes.
1154# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
1155# # This lower the risk of some evasion technics but could lead
1156# # detection change between runs. It is set to 'yes' by default.
1157# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
1158# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
1159# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
1160# # calculation for toclient-chunk-size.
1161# # Default value of randomize-chunk-range is 10.
1162#
1163# raw: yes # 'Raw' reassembly enabled or disabled.
1164# # raw is for content inspection by detection
1165# # engine.
1166#
1167# segment-prealloc: 2048 # number of segments preallocated per thread
1168#
1169# check-overlap-different-data: true|false
1170# # check if a segment contains different data
1171# # than what we've already seen for that
1172# # position in the stream.
1173# # This is enabled automatically if inline mode
1174# # is used or when stream-event:reassembly_overlap_different_data;
1175# # is used in a rule.
1176#
1177stream:
1178 memcap: 64mb
1179 checksum-validation: yes # reject wrong csums
1180 inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
1181 reassembly:
1182 memcap: 256mb
1183 depth: 1mb # reassemble 1mb into a stream
1184 toserver-chunk-size: 2560
1185 toclient-chunk-size: 2560
1186 randomize-chunk-size: yes
1187 #randomize-chunk-range: 10
1188 #raw: yes
1189 #segment-prealloc: 2048
1190 #check-overlap-different-data: true
1191
1192# Host table:
1193#
1194# Host table is used by tagging and per host thresholding subsystems.
1195#
1196host:
1197 hash-size: 4096
1198 prealloc: 1000
1199 memcap: 32mb
1200
1201# IP Pair table:
1202#
1203# Used by xbits 'ippair' tracking.
1204#
1205#ippair:
1206# hash-size: 4096
1207# prealloc: 1000
1208# memcap: 32mb
1209
1210# Decoder settings
1211
1212decoder:
1213 # Teredo decoder is known to not be completely accurate
1214 # it will sometimes detect non-teredo as teredo.
1215 teredo:
1216 enabled: true
1217
1218
1219##
1220## Performance tuning and profiling
1221##
1222
1223# The detection engine builds internal groups of signatures. The engine
1224# allow us to specify the profile to use for them, to manage memory on an
1225# efficient way keeping a good performance. For the profile keyword you
1226# can use the words "low", "medium", "high" or "custom". If you use custom
1227# make sure to define the values at "- custom-values" as your convenience.
1228# Usually you would prefer medium/high/low.
1229#
1230# "sgh mpm-context", indicates how the staging should allot mpm contexts for
1231# the signature groups. "single" indicates the use of a single context for
1232# all the signature group heads. "full" indicates a mpm-context for each
1233# group head. "auto" lets the engine decide the distribution of contexts
1234# based on the information the engine gathers on the patterns from each
1235# group head.
1236#
1237# The option inspection-recursion-limit is used to limit the recursive calls
1238# in the content inspection code. For certain payload-sig combinations, we
1239# might end up taking too much time in the content inspection code.
1240# If the argument specified is 0, the engine uses an internally defined
1241# default limit. On not specifying a value, we use no limits on the recursion.
1242detect:
1243 profile: medium
1244 custom-values:
1245 toclient-groups: 3
1246 toserver-groups: 25
1247 sgh-mpm-context: auto
1248 inspection-recursion-limit: 3000
1249 # If set to yes, the loading of signatures will be made after the capture
1250 # is started. This will limit the downtime in IPS mode.
1251 #delayed-detect: yes
1252
1253 prefilter:
1254 # default prefiltering setting. "mpm" only creates MPM/fast_pattern
1255 # engines. "auto" also sets up prefilter engines for other keywords.
1256 # Use --list-keywords=all to see which keywords support prefiltering.
1257 default: mpm
1258
1259 # the grouping values above control how many groups are created per
1260 # direction. Port whitelisting forces that port to get it's own group.
1261 # Very common ports will benefit, as well as ports with many expensive
1262 # rules.
1263 grouping:
1264 #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
1265 #udp-whitelist: 53, 135, 5060
1266
1267 profiling:
1268 # Log the rules that made it past the prefilter stage, per packet
1269 # default is off. The threshold setting determines how many rules
1270 # must have made it past pre-filter for that rule to trigger the
1271 # logging.
1272 #inspect-logging-threshold: 200
1273 grouping:
1274 dump-to-disk: false
1275 include-rules: false # very verbose
1276 include-mpm-stats: false
1277
1278# Select the multi pattern algorithm you want to run for scan/search the
1279# in the engine.
1280#
1281# The supported algorithms are:
1282# "ac" - Aho-Corasick, default implementation
1283# "ac-bs" - Aho-Corasick, reduced memory implementation
1284# "ac-cuda" - Aho-Corasick, CUDA implementation
1285# "ac-ks" - Aho-Corasick, "Ken Steele" variant
1286# "hs" - Hyperscan, available when built with Hyperscan support
1287#
1288# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
1289# available, "ac" otherwise.
1290#
1291# The mpm you choose also decides the distribution of mpm contexts for
1292# signature groups, specified by the conf - "detect.sgh-mpm-context".
1293# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
1294# to be set to "single", because of ac's memory requirements, unless the
1295# ruleset is small enough to fit in one's memory, in which case one can
1296# use "full" with "ac". Rest of the mpms can be run in "full" mode.
1297#
1298# There is also a CUDA pattern matcher (only available if Suricata was
1299# compiled with --enable-cuda: b2g_cuda. Make sure to update your
1300# max-pending-packets setting above as well if you use b2g_cuda.
1301
1302mpm-algo: auto
1303
1304# Select the matching algorithm you want to use for single-pattern searches.
1305#
1306# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
1307# available if Suricata has been built with Hyperscan support).
1308#
1309# The default of "auto" will use "hs" if available, otherwise "bm".
1310
1311spm-algo: auto
1312
1313# Suricata is multi-threaded. Here the threading can be influenced.
1314threading:
1315 set-cpu-affinity: no
1316 # Tune cpu affinity of threads. Each family of threads can be bound
1317 # on specific CPUs.
1318 #
1319 # These 2 apply to the all runmodes:
1320 # management-cpu-set is used for flow timeout handling, counters
1321 # worker-cpu-set is used for 'worker' threads
1322 #
1323 # Additionally, for autofp these apply:
1324 # receive-cpu-set is used for capture threads
1325 # verdict-cpu-set is used for IPS verdict threads
1326 #
1327 cpu-affinity:
1328 - management-cpu-set:
1329 cpu: [ 0 ] # include only these cpus in affinity settings
1330 - receive-cpu-set:
1331 cpu: [ 0 ] # include only these cpus in affinity settings
1332 - worker-cpu-set:
1333 cpu: [ "all" ]
1334 mode: "exclusive"
1335 # Use explicitely 3 threads and don't compute number by using
1336 # detect-thread-ratio variable:
1337 # threads: 3
1338 prio:
1339 low: [ 0 ]
1340 medium: [ "1-2" ]
1341 high: [ 3 ]
1342 default: "medium"
1343 #- verdict-cpu-set:
1344 # cpu: [ 0 ]
1345 # prio:
1346 # default: "high"
1347 #
1348 # By default Suricata creates one "detect" thread per available CPU/CPU core.
1349 # This setting allows controlling this behaviour. A ratio setting of 2 will
1350 # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
1351 # will result in 4 detect threads. If values below 1 are used, less threads
1352 # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
1353 # thread being created. Regardless of the setting at a minimum 1 detect
1354 # thread will always be created.
1355 #
1356 detect-thread-ratio: 1.0
1357
1358# Luajit has a strange memory requirement, it's 'states' need to be in the
1359# first 2G of the process' memory.
1360#
1361# 'luajit.states' is used to control how many states are preallocated.
1362# State use: per detect script: 1 per detect thread. Per output script: 1 per
1363# script.
1364luajit:
1365 states: 128
1366
1367# Profiling settings. Only effective if Suricata has been built with the
1368# the --enable-profiling configure flag.
1369#
1370profiling:
1371 # Run profiling for every xth packet. The default is 1, which means we
1372 # profile every packet. If set to 1000, one packet is profiled for every
1373 # 1000 received.
1374 #sample-rate: 1000
1375
1376 # rule profiling
1377 rules:
1378
1379 # Profiling can be disabled here, but it will still have a
1380 # performance impact if compiled in.
1381 enabled: yes
1382 filename: rule_perf.log
1383 append: yes
1384
1385 # Sort options: ticks, avgticks, checks, matches, maxticks
1386 # If commented out all the sort options will be used.
1387 #sort: avgticks
1388
1389 # Limit the number of sids for which stats are shown at exit (per sort).
1390 limit: 10
1391
1392 # output to json
1393 json: yes
1394
1395 # per keyword profiling
1396 keywords:
1397 enabled: yes
1398 filename: keyword_perf.log
1399 append: yes
1400
1401 # per rulegroup profiling
1402 rulegroups:
1403 enabled: yes
1404 filename: rule_group_perf.log
1405 append: yes
1406
1407 # packet profiling
1408 packets:
1409
1410 # Profiling can be disabled here, but it will still have a
1411 # performance impact if compiled in.
1412 enabled: yes
1413 filename: packet_stats.log
1414 append: yes
1415
1416 # per packet csv output
1417 csv:
1418
1419 # Output can be disabled here, but it will still have a
1420 # performance impact if compiled in.
1421 enabled: no
1422 filename: packet_stats.csv
1423
1424 # profiling of locking. Only available when Suricata was built with
1425 # --enable-profiling-locks.
1426 locks:
1427 enabled: no
1428 filename: lock_stats.log
1429 append: yes
1430
1431 pcap-log:
1432 enabled: no
1433 filename: pcaplog_stats.log
1434 append: yes
1435
1436##
1437## Netfilter integration
1438##
1439
1440# When running in NFQ inline mode, it is possible to use a simulated
1441# non-terminal NFQUEUE verdict.
1442# This permit to do send all needed packet to suricata via this a rule:
1443# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
1444# And below, you can have your standard filtering ruleset. To activate
1445# this mode, you need to set mode to 'repeat'
1446# If you want packet to be sent to another queue after an ACCEPT decision
1447# set mode to 'route' and set next-queue value.
1448# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
1449# by processing several packets before sending a verdict (worker runmode only).
1450# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
1451# accept the packet if suricata is not able to keep pace.
1452# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
1453# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
1454# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
1455# directly accept all packets of a flow once a packet has been marked.
1456nfq:
1457# mode: accept
1458# repeat-mark: 1
1459# repeat-mask: 1
1460# bypass-mark: 1
1461# bypass-mask: 1
1462# route-queue: 2
1463# batchcount: 20
1464# fail-open: yes
1465
1466#nflog support
1467nflog:
1468 # netlink multicast group
1469 # (the same as the iptables --nflog-group param)
1470 # Group 0 is used by the kernel, so you can't use it
1471 - group: 2
1472 # netlink buffer size
1473 buffer-size: 18432
1474 # put default value here
1475 - group: default
1476 # set number of packet to queue inside kernel
1477 qthreshold: 1
1478 # set the delay before flushing packet in the queue inside kernel
1479 qtimeout: 100
1480 # netlink max buffer size
1481 max-size: 20000
1482
1483##
1484## Advanced Capture Options
1485##
1486
1487# general settings affecting packet capture
1488capture:
1489 # disable NIC offloading. It's restored when Suricata exists.
1490 # Enabled by default
1491 #disable-offloading: false
1492 #
1493 # disable checksum validation. Same as setting '-k none' on the
1494 # commandline
1495 #checksum-validation: none
1496
1497# Netmap support
1498#
1499# Netmap operates with NIC directly in driver, so you need FreeBSD wich have
1500# built-in netmap support or compile and install netmap module and appropriate
1501# NIC driver on your Linux system.
1502# To reach maximum throughput disable all receive-, segmentation-,
1503# checksum- offloadings on NIC.
1504# Disabling Tx checksum offloading is *required* for connecting OS endpoint
1505# with NIC endpoint.
1506# You can find more information at https://github.com/luigirizzo/netmap
1507#
1508netmap:
1509 # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
1510 - interface: eth2
1511 # Number of receive threads. "auto" uses number of RSS queues on interface.
1512 #threads: auto
1513 # You can use the following variables to activate netmap tap or IPS mode.
1514 # If copy-mode is set to ips or tap, the traffic coming to the current
1515 # interface will be copied to the copy-iface interface. If 'tap' is set, the
1516 # copy is complete. If 'ips' is set, the packet matching a 'drop' action
1517 # will not be copied.
1518 # To specify the OS as the copy-iface (so the OS can route packets, or forward
1519 # to a service running on the same machine) add a plus sign at the end
1520 # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
1521 # for return packets. Hardware checksumming must be *off* on the interface if
1522 # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
1523 # or 'ethtool -K eth0 tx off rx off' for Linux).
1524 #copy-mode: tap
1525 #copy-iface: eth3
1526 # Set to yes to disable promiscuous mode
1527 # disable-promisc: no
1528 # Choose checksum verification mode for the interface. At the moment
1529 # of the capture, some packets may be with an invalid checksum due to
1530 # offloading to the network card of the checksum computation.
1531 # Possible values are:
1532 # - yes: checksum validation is forced
1533 # - no: checksum validation is disabled
1534 # - auto: suricata uses a statistical approach to detect when
1535 # checksum off-loading is used.
1536 # Warning: 'checksum-validation' must be set to yes to have any validation
1537 #checksum-checks: auto
1538 # BPF filter to apply to this interface. The pcap filter syntax apply here.
1539 #bpf-filter: port 80 or udp
1540 #- interface: eth3
1541 #threads: auto
1542 #copy-mode: tap
1543 #copy-iface: eth2
1544 # Put default values here
1545 - interface: default
1546
1547# PF_RING configuration. for use with native PF_RING support
1548# for more info see http://www.ntop.org/products/pf_ring/
1549pfring:
1550 - interface: eth0
1551 # Number of receive threads (>1 will enable experimental flow pinned
1552 # runmode)
1553 threads: 1
1554
1555 # Default clusterid. PF_RING will load balance packets based on flow.
1556 # All threads/processes that will participate need to have the same
1557 # clusterid.
1558 cluster-id: 99
1559
1560 # Default PF_RING cluster type. PF_RING can load balance per flow.
1561 # Possible values are cluster_flow or cluster_round_robin.
1562 cluster-type: cluster_flow
1563 # bpf filter for this interface
1564 #bpf-filter: tcp
1565 # Choose checksum verification mode for the interface. At the moment
1566 # of the capture, some packets may be with an invalid checksum due to
1567 # offloading to the network card of the checksum computation.
1568 # Possible values are:
1569 # - rxonly: only compute checksum for packets received by network card.
1570 # - yes: checksum validation is forced
1571 # - no: checksum validation is disabled
1572 # - auto: suricata uses a statistical approach to detect when
1573 # checksum off-loading is used. (default)
1574 # Warning: 'checksum-validation' must be set to yes to have any validation
1575 #checksum-checks: auto
1576 # Second interface
1577 #- interface: eth1
1578 # threads: 3
1579 # cluster-id: 93
1580 # cluster-type: cluster_flow
1581 # Put default values here
1582 - interface: default
1583 #threads: 2
1584
1585# For FreeBSD ipfw(8) divert(4) support.
1586# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
1587# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
1588# Additionally, you need to have an ipfw rule for the engine to see
1589# the packets from ipfw. For Example:
1590#
1591# ipfw add 100 divert 8000 ip from any to any
1592#
1593# The 8000 above should be the same number you passed on the command
1594# line, i.e. -d 8000
1595#
1596ipfw:
1597
1598 # Reinject packets at the specified ipfw rule number. This config
1599 # option is the ipfw rule number AT WHICH rule processing continues
1600 # in the ipfw processing system after the engine has finished
1601 # inspecting the packet for acceptance. If no rule number is specified,
1602 # accepted packets are reinjected at the divert rule which they entered
1603 # and IPFW rule processing continues. No check is done to verify
1604 # this will rule makes sense so care must be taken to avoid loops in ipfw.
1605 #
1606 ## The following example tells the engine to reinject packets
1607 # back into the ipfw firewall AT rule number 5500:
1608 #
1609 # ipfw-reinjection-rule-number: 5500
1610
1611
1612napatech:
1613 # The Host Buffer Allowance for all streams
1614 # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1615 # This may be enabled when sharing streams with another application.
1616 # Otherwise, it should be turned off.
1617 hba: -1
1618
1619 # use_all_streams set to "yes" will query the Napatech service for all configured
1620 # streams and listen on all of them. When set to "no" the streams config array
1621 # will be used.
1622 use-all-streams: yes
1623
1624 # The streams to listen on. This can be either:
1625 # a list of individual streams (e.g. streams: [0,1,2,3])
1626 # or
1627 # a range of streams (e.g. streams: ["0-3"])
1628 streams: ["0-3"]
1629
1630# Tilera mpipe configuration. for use on Tilera TILE-Gx.
1631mpipe:
1632
1633 # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
1634 load-balance: dynamic
1635
1636 # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
1637 iqueue-packets: 2048
1638
1639 # List of interfaces we will listen on.
1640 inputs:
1641 - interface: xgbe2
1642 - interface: xgbe3
1643 - interface: xgbe4
1644
1645
1646 # Relative weight of memory for packets of each mPipe buffer size.
1647 stack:
1648 size128: 0
1649 size256: 9
1650 size512: 0
1651 size1024: 0
1652 size1664: 7
1653 size4096: 0
1654 size10386: 0
1655 size16384: 0
1656
1657##
1658## Hardware accelaration
1659##
1660
1661# Cuda configuration.
1662cuda:
1663 # The "mpm" profile. On not specifying any of these parameters, the engine's
1664 # internal default values are used, which are same as the ones specified in
1665 # in the default conf file.
1666 mpm:
1667 # The minimum length required to buffer data to the gpu.
1668 # Anything below this is MPM'ed on the CPU.
1669 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
1670 # A value of 0 indicates there's no limit.
1671 data-buffer-size-min-limit: 0
1672 # The maximum length for data that we would buffer to the gpu.
1673 # Anything over this is MPM'ed on the CPU.
1674 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
1675 data-buffer-size-max-limit: 1500
1676 # The ring buffer size used by the CudaBuffer API to buffer data.
1677 cudabuffer-buffer-size: 500mb
1678 # The max chunk size that can be sent to the gpu in a single go.
1679 gpu-transfer-size: 50mb
1680 # The timeout limit for batching of packets in microseconds.
1681 batching-timeout: 2000
1682 # The device to use for the mpm. Currently we don't support load balancing
1683 # on multiple gpus. In case you have multiple devices on your system, you
1684 # can specify the device to use, using this conf. By default we hold 0, to
1685 # specify the first device cuda sees. To find out device-id associated with
1686 # the card(s) on the system run "suricata --list-cuda-cards".
1687 device-id: 0
1688 # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
1689 # For this option you need a device with Compute Capability > 1.0.
1690 cuda-streams: 2
1691
1692##
1693## Include other configs
1694##
1695
1696# Includes. Files included here will be handled as if they were
1697# inlined in this configuration file.
1698#include: include1.yaml
1699#include: include2.yaml
Peter's tree of IPFire 2.x