]>
Commit | Line | Data |
---|---|---|
4c6d6c1e SS |
1 | %YAML 1.1 |
2 | --- | |
3 | ||
4 | # Suricata configuration file. In addition to the comments describing all | |
5 | # options in this file, full documentation can be found at: | |
6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml | |
7 | ||
8 | ## | |
9 | ## Step 1: inform Suricata about your network | |
10 | ## | |
11 | ||
12 | vars: | |
13 | # more specifc is better for alert accuracy and performance | |
14 | address-groups: | |
15 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" | |
16 | #HOME_NET: "[192.168.0.0/16]" | |
17 | #HOME_NET: "[10.0.0.0/8]" | |
18 | #HOME_NET: "[172.16.0.0/12]" | |
19 | #HOME_NET: "any" | |
20 | ||
21 | EXTERNAL_NET: "!$HOME_NET" | |
22 | #EXTERNAL_NET: "any" | |
23 | ||
24 | HTTP_SERVERS: "$HOME_NET" | |
25 | SMTP_SERVERS: "$HOME_NET" | |
26 | SQL_SERVERS: "$HOME_NET" | |
27 | DNS_SERVERS: "$HOME_NET" | |
28 | TELNET_SERVERS: "$HOME_NET" | |
29 | AIM_SERVERS: "$EXTERNAL_NET" | |
30 | DNP3_SERVER: "$HOME_NET" | |
31 | DNP3_CLIENT: "$HOME_NET" | |
32 | MODBUS_CLIENT: "$HOME_NET" | |
33 | MODBUS_SERVER: "$HOME_NET" | |
34 | ENIP_CLIENT: "$HOME_NET" | |
35 | ENIP_SERVER: "$HOME_NET" | |
36 | ||
37 | port-groups: | |
38 | HTTP_PORTS: "80" | |
39 | SHELLCODE_PORTS: "!80" | |
40 | ORACLE_PORTS: 1521 | |
41 | SSH_PORTS: 22 | |
42 | DNP3_PORTS: 20000 | |
43 | MODBUS_PORTS: 502 | |
44 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" | |
45 | FTP_PORTS: 21 | |
46 | ||
47 | ||
48 | ## | |
49 | ## Step 2: select the rules to enable or disable | |
50 | ## | |
51 | ||
52 | default-rule-path: /etc/suricata/rules | |
53 | rule-files: !include /var/ipfire/suricata/suricata-used-rulefiles.yaml | |
54 | ||
55 | classification-file: /etc/suricata/classification.config | |
56 | reference-config-file: /etc/suricata/reference.config | |
57 | # threshold-file: /etc/suricata/threshold.config | |
58 | ||
59 | ||
60 | ## | |
61 | ## Step 3: select outputs to enable | |
62 | ## | |
63 | ||
64 | # The default logging directory. Any log or output file will be | |
65 | # placed here if its not specified with a full path name. This can be | |
66 | # overridden with the -l command line parameter. | |
67 | default-log-dir: /var/log/suricata/ | |
68 | ||
69 | # global stats configuration | |
70 | stats: | |
71 | enabled: yes | |
72 | # The interval field (in seconds) controls at what interval | |
73 | # the loggers are invoked. | |
74 | interval: 8 | |
75 | ||
76 | # Configure the type of alert (and other) logging you would like. | |
77 | outputs: | |
78 | # a line based alerts log similar to Snort's fast.log | |
79 | - fast: | |
80 | enabled: yes | |
81 | filename: fast.log | |
82 | append: yes | |
83 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
84 | ||
85 | # Extensible Event Format (nicknamed EVE) event log in JSON format | |
86 | - eve-log: | |
87 | enabled: yes | |
88 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | |
89 | filename: eve.json | |
90 | #prefix: "@cee: " # prefix to prepend to each log entry | |
91 | # the following are valid when type: syslog above | |
92 | #identity: "suricata" | |
93 | #facility: local5 | |
94 | #level: Info ## possible levels: Emergency, Alert, Critical, | |
95 | ## Error, Warning, Notice, Info, Debug | |
96 | #redis: | |
97 | # server: 127.0.0.1 | |
98 | # port: 6379 | |
99 | # async: true ## if redis replies are read asynchronously | |
100 | # mode: list ## possible values: list|lpush (default), rpush, channel|publish | |
101 | # ## lpush and rpush are using a Redis list. "list" is an alias for lpush | |
102 | # ## publish is using a Redis channel. "channel" is an alias for publish | |
103 | # key: suricata ## key or channel to use (default to suricata) | |
104 | # Redis pipelining set up. This will enable to only do a query every | |
105 | # 'batch-size' events. This should lower the latency induced by network | |
106 | # connection at the cost of some memory. There is no flushing implemented | |
107 | # so this setting as to be reserved to high traffic suricata. | |
108 | # pipelining: | |
109 | # enabled: yes ## set enable to yes to enable query pipelining | |
110 | # batch-size: 10 ## number of entry to keep in buffer | |
111 | types: | |
112 | - alert: | |
113 | # payload: yes # enable dumping payload in Base64 | |
114 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log | |
115 | # payload-printable: yes # enable dumping payload in printable (lossy) format | |
116 | # packet: yes # enable dumping of packet (without stream segments) | |
117 | # http-body: yes # enable dumping of http body in Base64 | |
118 | # http-body-printable: yes # enable dumping of http body in printable format | |
119 | metadata: yes # add L7/applayer fields, flowbit and other vars to the alert | |
120 | ||
121 | # Enable the logging of tagged packets for rules using the | |
122 | # "tag" keyword. | |
123 | tagged-packets: yes | |
124 | ||
125 | # HTTP X-Forwarded-For support by adding an extra field or overwriting | |
126 | # the source or destination IP address (depending on flow direction) | |
127 | # with the one reported in the X-Forwarded-For HTTP header. This is | |
128 | # helpful when reviewing alerts for traffic that is being reverse | |
129 | # or forward proxied. | |
130 | xff: | |
131 | enabled: no | |
132 | # Two operation modes are available, "extra-data" and "overwrite". | |
133 | mode: extra-data | |
134 | # Two proxy deployments are supported, "reverse" and "forward". In | |
135 | # a "reverse" deployment the IP address used is the last one, in a | |
136 | # "forward" deployment the first IP address is used. | |
137 | deployment: reverse | |
138 | # Header name where the actual IP address will be reported, if more | |
139 | # than one IP address is present, the last IP address will be the | |
140 | # one taken into consideration. | |
141 | header: X-Forwarded-For | |
142 | - http: | |
143 | extended: yes # enable this for extended logging information | |
144 | # custom allows additional http fields to be included in eve-log | |
145 | # the example below adds three additional fields when uncommented | |
146 | #custom: [Accept-Encoding, Accept-Language, Authorization] | |
147 | - dns: | |
148 | # control logging of queries and answers | |
149 | # default yes, no to disable | |
150 | query: yes # enable logging of DNS queries | |
151 | answer: yes # enable logging of DNS answers | |
152 | # control which RR types are logged | |
153 | # all enabled if custom not specified | |
154 | #custom: [a, aaaa, cname, mx, ns, ptr, txt] | |
155 | - tls: | |
156 | extended: yes # enable this for extended logging information | |
157 | # output TLS transaction where the session is resumed using a | |
158 | # session id | |
159 | #session-resumption: no | |
160 | # custom allows to control which tls fields that are included | |
161 | # in eve-log | |
162 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] | |
163 | - files: | |
164 | force-magic: no # force logging magic on all logged files | |
165 | # force logging of checksums, available hash functions are md5, | |
166 | # sha1 and sha256 | |
167 | #force-hash: [md5] | |
168 | #- drop: | |
169 | # alerts: yes # log alerts that caused drops | |
170 | # flows: all # start or all: 'start' logs only a single drop | |
171 | # # per flow direction. All logs each dropped pkt. | |
172 | - smtp: | |
173 | #extended: yes # enable this for extended logging information | |
174 | # this includes: bcc, message-id, subject, x_mailer, user-agent | |
175 | # custom fields logging from the list: | |
176 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, | |
177 | # x-originating-ip, in-reply-to, references, importance, priority, | |
178 | # sensitivity, organization, content-md5, date | |
179 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] | |
180 | # output md5 of fields: body, subject | |
181 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 | |
182 | # to yes | |
183 | #md5: [body, subject] | |
184 | ||
185 | #- dnp3 | |
186 | #- nfs | |
187 | - ssh | |
188 | - stats: | |
189 | totals: yes # stats for all threads merged together | |
190 | threads: no # per thread stats | |
191 | deltas: no # include delta values | |
192 | # bi-directional flows | |
193 | - flow | |
194 | # uni-directional flows | |
195 | #- netflow | |
196 | # Vars log flowbits and other packet and flow vars | |
197 | #- vars | |
198 | ||
199 | # alert output for use with Barnyard2 | |
200 | - unified2-alert: | |
201 | enabled: no | |
202 | filename: unified2.alert | |
203 | ||
204 | # File size limit. Can be specified in kb, mb, gb. Just a number | |
205 | # is parsed as bytes. | |
206 | #limit: 32mb | |
207 | ||
208 | # By default unified2 log files have the file creation time (in | |
209 | # unix epoch format) appended to the filename. Set this to yes to | |
210 | # disable this behaviour. | |
211 | #nostamp: no | |
212 | ||
213 | # Sensor ID field of unified2 alerts. | |
214 | #sensor-id: 0 | |
215 | ||
216 | # Include payload of packets related to alerts. Defaults to true, set to | |
217 | # false if payload is not required. | |
218 | #payload: yes | |
219 | ||
220 | # HTTP X-Forwarded-For support by adding the unified2 extra header or | |
221 | # overwriting the source or destination IP address (depending on flow | |
222 | # direction) with the one reported in the X-Forwarded-For HTTP header. | |
223 | # This is helpful when reviewing alerts for traffic that is being reverse | |
224 | # or forward proxied. | |
225 | xff: | |
226 | enabled: no | |
227 | # Two operation modes are available, "extra-data" and "overwrite". Note | |
228 | # that in the "overwrite" mode, if the reported IP address in the HTTP | |
229 | # X-Forwarded-For header is of a different version of the packet | |
230 | # received, it will fall-back to "extra-data" mode. | |
231 | mode: extra-data | |
232 | # Two proxy deployments are supported, "reverse" and "forward". In | |
233 | # a "reverse" deployment the IP address used is the last one, in a | |
234 | # "forward" deployment the first IP address is used. | |
235 | deployment: reverse | |
236 | # Header name where the actual IP address will be reported, if more | |
237 | # than one IP address is present, the last IP address will be the | |
238 | # one taken into consideration. | |
239 | header: X-Forwarded-For | |
240 | ||
241 | # a line based log of HTTP requests (no alerts) | |
242 | - http-log: | |
243 | enabled: no | |
244 | filename: http.log | |
245 | append: yes | |
246 | #extended: yes # enable this for extended logging information | |
247 | #custom: yes # enabled the custom logging format (defined by customformat) | |
248 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" | |
249 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
250 | ||
251 | # a line based log of TLS handshake parameters (no alerts) | |
252 | - tls-log: | |
253 | enabled: no # Log TLS connections. | |
254 | filename: tls.log # File to store TLS logs. | |
255 | append: yes | |
256 | #extended: yes # Log extended information like fingerprint | |
257 | #custom: yes # enabled the custom logging format (defined by customformat) | |
258 | #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" | |
259 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
260 | # output TLS transaction where the session is resumed using a | |
261 | # session id | |
262 | #session-resumption: no | |
263 | ||
264 | # output module to store certificates chain to disk | |
265 | - tls-store: | |
266 | enabled: no | |
267 | #certs-log-dir: certs # directory to store the certificates files | |
268 | ||
269 | # a line based log of DNS requests and/or replies (no alerts) | |
270 | - dns-log: | |
271 | enabled: no | |
272 | filename: dns.log | |
273 | append: yes | |
274 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
275 | ||
276 | # Packet log... log packets in pcap format. 3 modes of operation: "normal" | |
277 | # "multi" and "sguil". | |
278 | # | |
279 | # In normal mode a pcap file "filename" is created in the default-log-dir, | |
280 | # or are as specified by "dir". | |
281 | # In multi mode, a file is created per thread. This will perform much | |
282 | # better, but will create multiple files where 'normal' would create one. | |
283 | # In multi mode the filename takes a few special variables: | |
284 | # - %n -- thread number | |
285 | # - %i -- thread id | |
286 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format' | |
287 | # E.g. filename: pcap.%n.%t | |
288 | # | |
289 | # Note that it's possible to use directories, but the directories are not | |
290 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the | |
291 | # per thread directory. | |
292 | # | |
293 | # Also note that the limit and max-files settings are enforced per thread. | |
294 | # So the size limit when using 8 threads with 1000mb files and 2000 files | |
295 | # is: 8*1000*2000 ~ 16TiB. | |
296 | # | |
297 | # In Sguil mode "dir" indicates the base directory. In this base dir the | |
298 | # pcaps are created in th directory structure Sguil expects: | |
299 | # | |
300 | # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> | |
301 | # | |
302 | # By default all packets are logged except: | |
303 | # - TCP streams beyond stream.reassembly.depth | |
304 | # - encrypted streams after the key exchange | |
305 | # | |
306 | - pcap-log: | |
307 | enabled: no | |
308 | filename: log.pcap | |
309 | ||
310 | # File size limit. Can be specified in kb, mb, gb. Just a number | |
311 | # is parsed as bytes. | |
312 | limit: 1000mb | |
313 | ||
314 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" | |
315 | max-files: 2000 | |
316 | ||
317 | mode: normal # normal, multi or sguil. | |
318 | ||
319 | # Directory to place pcap files. If not provided the default log | |
320 | # directory will be used. Required for "sguil" mode. | |
321 | #dir: /nsm_data/ | |
322 | ||
323 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec | |
324 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets | |
325 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. | |
326 | ||
327 | # a full alerts log containing much information for signature writers | |
328 | # or for investigating suspected false positives. | |
329 | - alert-debug: | |
330 | enabled: no | |
331 | filename: alert-debug.log | |
332 | append: yes | |
333 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
334 | ||
335 | # alert output to prelude (http://www.prelude-technologies.com/) only | |
336 | # available if Suricata has been compiled with --enable-prelude | |
337 | - alert-prelude: | |
338 | enabled: no | |
339 | profile: suricata | |
340 | log-packet-content: no | |
341 | log-packet-header: yes | |
342 | ||
343 | # Stats.log contains data from various counters of the suricata engine. | |
344 | - stats: | |
345 | enabled: yes | |
346 | filename: stats.log | |
347 | append: yes # append to file (yes) or overwrite it (no) | |
348 | totals: yes # stats for all threads merged together | |
349 | threads: no # per thread stats | |
350 | #null-values: yes # print counters that have value 0 | |
351 | ||
352 | # a line based alerts log similar to fast.log into syslog | |
353 | - syslog: | |
354 | enabled: no | |
355 | # reported identity to syslog. If ommited the program name (usually | |
356 | # suricata) will be used. | |
357 | #identity: "suricata" | |
358 | facility: local5 | |
359 | #level: Info ## possible levels: Emergency, Alert, Critical, | |
360 | ## Error, Warning, Notice, Info, Debug | |
361 | ||
362 | # a line based information for dropped packets in IPS mode | |
363 | - drop: | |
364 | enabled: no | |
365 | filename: drop.log | |
366 | append: yes | |
367 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
368 | ||
369 | # output module to store extracted files to disk | |
370 | # | |
371 | # The files are stored to the log-dir in a format "file.<id>" where <id> is | |
372 | # an incrementing number starting at 1. For each file "file.<id>" a meta | |
373 | # file "file.<id>.meta" is created. | |
374 | # | |
375 | # File extraction depends on a lot of things to be fully done: | |
376 | # - file-store stream-depth. For optimal results, set this to 0 (unlimited) | |
377 | # - http request / response body sizes. Again set to 0 for optimal results. | |
378 | # - rules that contain the "filestore" keyword. | |
379 | - file-store: | |
380 | enabled: no # set to yes to enable | |
381 | log-dir: files # directory to store the files | |
382 | force-magic: no # force logging magic on all stored files | |
383 | # force logging of checksums, available hash functions are md5, | |
384 | # sha1 and sha256 | |
385 | #force-hash: [md5] | |
386 | force-filestore: no # force storing of all files | |
387 | # override global stream-depth for sessions in which we want to | |
388 | # perform file extraction. Set to 0 for unlimited. | |
389 | #stream-depth: 0 | |
390 | #waldo: file.waldo # waldo file to store the file_id across runs | |
391 | # uncomment to disable meta file writing | |
392 | #write-meta: no | |
393 | # uncomment the following variable to define how many files can | |
394 | # remain open for filestore by Suricata. Default value is 0 which | |
395 | # means files get closed after each write | |
396 | #max-open-files: 1000 | |
397 | ||
398 | # output module to log files tracked in a easily parsable json format | |
399 | - file-log: | |
400 | enabled: no | |
401 | filename: files-json.log | |
402 | append: yes | |
403 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | |
404 | ||
405 | force-magic: no # force logging magic on all logged files | |
406 | # force logging of checksums, available hash functions are md5, | |
407 | # sha1 and sha256 | |
408 | #force-hash: [md5] | |
409 | ||
410 | # Log TCP data after stream normalization | |
411 | # 2 types: file or dir. File logs into a single logfile. Dir creates | |
412 | # 2 files per TCP session and stores the raw TCP data into them. | |
413 | # Using 'both' will enable both file and dir modes. | |
414 | # | |
415 | # Note: limited by stream.depth | |
416 | - tcp-data: | |
417 | enabled: no | |
418 | type: file | |
419 | filename: tcp-data.log | |
420 | ||
421 | # Log HTTP body data after normalization, dechunking and unzipping. | |
422 | # 2 types: file or dir. File logs into a single logfile. Dir creates | |
423 | # 2 files per HTTP session and stores the normalized data into them. | |
424 | # Using 'both' will enable both file and dir modes. | |
425 | # | |
426 | # Note: limited by the body limit settings | |
427 | - http-body-data: | |
428 | enabled: no | |
429 | type: file | |
430 | filename: http-data.log | |
431 | ||
432 | # Lua Output Support - execute lua script to generate alert and event | |
433 | # output. | |
434 | # Documented at: | |
435 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output | |
436 | - lua: | |
437 | enabled: no | |
438 | #scripts-dir: /etc/suricata/lua-output/ | |
439 | scripts: | |
440 | # - script1.lua | |
441 | ||
442 | # Logging configuration. This is not about logging IDS alerts/events, but | |
443 | # output about what Suricata is doing, like startup messages, errors, etc. | |
444 | logging: | |
445 | # The default log level, can be overridden in an output section. | |
446 | # Note that debug level logging will only be emitted if Suricata was | |
447 | # compiled with the --enable-debug configure option. | |
448 | # | |
449 | # This value is overriden by the SC_LOG_LEVEL env var. | |
450 | default-log-level: notice | |
451 | ||
452 | # The default output format. Optional parameter, should default to | |
453 | # something reasonable if not provided. Can be overriden in an | |
454 | # output section. You can leave this out to get the default. | |
455 | # | |
456 | # This value is overriden by the SC_LOG_FORMAT env var. | |
457 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " | |
458 | ||
459 | # A regex to filter output. Can be overridden in an output section. | |
460 | # Defaults to empty (no filter). | |
461 | # | |
462 | # This value is overriden by the SC_LOG_OP_FILTER env var. | |
463 | default-output-filter: | |
464 | ||
465 | # Define your logging outputs. If none are defined, or they are all | |
466 | # disabled you will get the default - console output. | |
467 | outputs: | |
468 | - console: | |
469 | enabled: yes | |
470 | # type: json | |
471 | - file: | |
472 | enabled: yes | |
473 | level: info | |
474 | filename: /var/log/suricata/suricata.log | |
475 | # type: json | |
476 | - syslog: | |
477 | enabled: no | |
478 | facility: local5 | |
479 | format: "[%i] <%d> -- " | |
480 | # type: json | |
481 | ||
482 | ||
483 | ## | |
484 | ## Step 4: configure common capture settings | |
485 | ## | |
486 | ## See "Advanced Capture Options" below for more options, including NETMAP | |
487 | ## and PF_RING. | |
488 | ## | |
489 | ||
490 | # Linux high speed capture support | |
491 | af-packet: | |
492 | - interface: eth0 | |
493 | # Number of receive threads. "auto" uses the number of cores | |
494 | #threads: auto | |
495 | # Default clusterid. AF_PACKET will load balance packets based on flow. | |
496 | cluster-id: 99 | |
497 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. | |
498 | # This is only supported for Linux kernel > 3.1 | |
499 | # possible value are: | |
500 | # * cluster_round_robin: round robin load balancing | |
501 | # * cluster_flow: all packets of a given flow are send to the same socket | |
502 | # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket | |
503 | # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same | |
504 | # socket. Requires at least Linux 3.14. | |
505 | # * cluster_random: packets are sent randomly to sockets but with an equipartition. | |
506 | # Requires at least Linux 3.14. | |
507 | # * cluster_rollover: kernel rotates between sockets filling each socket before moving | |
508 | # to the next. Requires at least Linux 3.10. | |
509 | # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system | |
510 | # with capture card using RSS (require cpu affinity tuning and system irq tuning) | |
511 | cluster-type: cluster_flow | |
512 | # In some fragmentation case, the hash can not be computed. If "defrag" is set | |
513 | # to yes, the kernel will do the needed defragmentation before sending the packets. | |
514 | defrag: yes | |
515 | # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is | |
516 | # full then kernel will send the packet on the next socket with room available. This option | |
517 | # can minimize packet drop and increase the treated bandwidth on single intensive flow. | |
518 | #rollover: yes | |
519 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes | |
520 | #use-mmap: yes | |
521 | # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock | |
522 | # your system | |
523 | #mmap-locked: yes | |
524 | # Use tpacket_v3 capture mode, only active if use-mmap is true | |
525 | # Don't use it in IPS or TAP mode as it causes severe latency | |
526 | #tpacket-v3: yes | |
527 | # Ring size will be computed with respect to max_pending_packets and number | |
528 | # of threads. You can set manually the ring size in number of packets by setting | |
529 | # the following value. If you are using flow cluster-type and have really network | |
530 | # intensive single-flow you could want to set the ring-size independently of the number | |
531 | # of threads: | |
532 | #ring-size: 2048 | |
533 | # Block size is used by tpacket_v3 only. It should set to a value high enough to contain | |
534 | # a decent number of packets. Size is in bytes so please consider your MTU. It should be | |
535 | # a power of 2 and it must be multiple of page size (usually 4096). | |
536 | #block-size: 32768 | |
537 | # tpacket_v3 block timeout: an open block is passed to userspace if it is not | |
538 | # filled after block-timeout milliseconds. | |
539 | #block-timeout: 10 | |
540 | # On busy system, this could help to set it to yes to recover from a packet drop | |
541 | # phase. This will result in some packets (at max a ring flush) being non treated. | |
542 | #use-emergency-flush: yes | |
543 | # recv buffer size, increase value could improve performance | |
544 | # buffer-size: 32768 | |
545 | # Set to yes to disable promiscuous mode | |
546 | # disable-promisc: no | |
547 | # Choose checksum verification mode for the interface. At the moment | |
548 | # of the capture, some packets may be with an invalid checksum due to | |
549 | # offloading to the network card of the checksum computation. | |
550 | # Possible values are: | |
551 | # - kernel: use indication sent by kernel for each packet (default) | |
552 | # - yes: checksum validation is forced | |
553 | # - no: checksum validation is disabled | |
554 | # - auto: suricata uses a statistical approach to detect when | |
555 | # checksum off-loading is used. | |
556 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
557 | #checksum-checks: kernel | |
558 | # BPF filter to apply to this interface. The pcap filter syntax apply here. | |
559 | #bpf-filter: port 80 or udp | |
560 | # You can use the following variables to activate AF_PACKET tap or IPS mode. | |
561 | # If copy-mode is set to ips or tap, the traffic coming to the current | |
562 | # interface will be copied to the copy-iface interface. If 'tap' is set, the | |
563 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action | |
564 | # will not be copied. | |
565 | #copy-mode: ips | |
566 | #copy-iface: eth1 | |
567 | ||
568 | # Put default values here. These will be used for an interface that is not | |
569 | # in the list above. | |
570 | - interface: default | |
571 | #threads: auto | |
572 | #use-mmap: no | |
573 | #rollover: yes | |
574 | #tpacket-v3: yes | |
575 | ||
576 | # Cross platform libpcap capture support | |
577 | pcap: | |
578 | - interface: eth0 | |
579 | # On Linux, pcap will try to use mmaped capture and will use buffer-size | |
580 | # as total of memory used by the ring. So set this to something bigger | |
581 | # than 1% of your bandwidth. | |
582 | #buffer-size: 16777216 | |
583 | #bpf-filter: "tcp and port 25" | |
584 | # Choose checksum verification mode for the interface. At the moment | |
585 | # of the capture, some packets may be with an invalid checksum due to | |
586 | # offloading to the network card of the checksum computation. | |
587 | # Possible values are: | |
588 | # - yes: checksum validation is forced | |
589 | # - no: checksum validation is disabled | |
590 | # - auto: suricata uses a statistical approach to detect when | |
591 | # checksum off-loading is used. (default) | |
592 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
593 | #checksum-checks: auto | |
594 | # With some accelerator cards using a modified libpcap (like myricom), you | |
595 | # may want to have the same number of capture threads as the number of capture | |
596 | # rings. In this case, set up the threads variable to N to start N threads | |
597 | # listening on the same interface. | |
598 | #threads: 16 | |
599 | # set to no to disable promiscuous mode: | |
600 | #promisc: no | |
601 | # set snaplen, if not set it defaults to MTU if MTU can be known | |
602 | # via ioctl call and to full capture if not. | |
603 | #snaplen: 1518 | |
604 | # Put default values here | |
605 | - interface: default | |
606 | #checksum-checks: auto | |
607 | ||
608 | # Settings for reading pcap files | |
609 | pcap-file: | |
610 | # Possible values are: | |
611 | # - yes: checksum validation is forced | |
612 | # - no: checksum validation is disabled | |
613 | # - auto: suricata uses a statistical approach to detect when | |
614 | # checksum off-loading is used. (default) | |
615 | # Warning: 'checksum-validation' must be set to yes to have checksum tested | |
616 | checksum-checks: auto | |
617 | ||
618 | # See "Advanced Capture Options" below for more options, including NETMAP | |
619 | # and PF_RING. | |
620 | ||
621 | ||
622 | ## | |
623 | ## Step 5: App Layer Protocol Configuration | |
624 | ## | |
625 | ||
626 | # Configure the app-layer parsers. The protocols section details each | |
627 | # protocol. | |
628 | # | |
629 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | |
630 | # "yes" enables both detection and the parser, "no" disables both, and | |
631 | # "detection-only" enables protocol detection only (parser disabled). | |
632 | app-layer: | |
633 | protocols: | |
634 | tls: | |
635 | enabled: yes | |
636 | detection-ports: | |
637 | dp: 443 | |
638 | ||
639 | # Completely stop processing TLS/SSL session after the handshake | |
640 | # completed. If bypass is enabled this will also trigger flow | |
641 | # bypass. If disabled (the default), TLS/SSL session is still | |
642 | # tracked for Heartbleed and other anomalies. | |
643 | #no-reassemble: yes | |
644 | dcerpc: | |
645 | enabled: yes | |
646 | ftp: | |
647 | enabled: yes | |
648 | ssh: | |
649 | enabled: yes | |
650 | smtp: | |
651 | enabled: yes | |
652 | # Configure SMTP-MIME Decoder | |
653 | mime: | |
654 | # Decode MIME messages from SMTP transactions | |
655 | # (may be resource intensive) | |
656 | # This field supercedes all others because it turns the entire | |
657 | # process on or off | |
658 | decode-mime: yes | |
659 | ||
660 | # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) | |
661 | decode-base64: yes | |
662 | decode-quoted-printable: yes | |
663 | ||
664 | # Maximum bytes per header data value stored in the data structure | |
665 | # (default is 2000) | |
666 | header-value-depth: 2000 | |
667 | ||
668 | # Extract URLs and save in state data structure | |
669 | extract-urls: yes | |
670 | # Set to yes to compute the md5 of the mail body. You will then | |
671 | # be able to journalize it. | |
672 | body-md5: no | |
673 | # Configure inspected-tracker for file_data keyword | |
674 | inspected-tracker: | |
675 | content-limit: 100000 | |
676 | content-inspect-min-size: 32768 | |
677 | content-inspect-window: 4096 | |
678 | imap: | |
679 | enabled: detection-only | |
680 | msn: | |
681 | enabled: detection-only | |
682 | smb: | |
683 | enabled: yes | |
684 | detection-ports: | |
685 | dp: 139, 445 | |
686 | # smb2 detection is disabled internally inside the engine. | |
687 | #smb2: | |
688 | # enabled: yes | |
689 | # Note: NFS parser depends on Rust support: pass --enable-rust | |
690 | # to configure. | |
691 | nfs: | |
692 | enabled: no | |
693 | dns: | |
694 | # memcaps. Globally and per flow/state. | |
695 | #global-memcap: 16mb | |
696 | #state-memcap: 512kb | |
697 | ||
698 | # How many unreplied DNS requests are considered a flood. | |
699 | # If the limit is reached, app-layer-event:dns.flooded; will match. | |
700 | #request-flood: 500 | |
701 | ||
702 | tcp: | |
703 | enabled: yes | |
704 | detection-ports: | |
705 | dp: 53 | |
706 | udp: | |
707 | enabled: yes | |
708 | detection-ports: | |
709 | dp: 53 | |
710 | http: | |
711 | enabled: yes | |
712 | # memcap: 64mb | |
713 | ||
714 | # default-config: Used when no server-config matches | |
715 | # personality: List of personalities used by default | |
716 | # request-body-limit: Limit reassembly of request body for inspection | |
717 | # by http_client_body & pcre /P option. | |
718 | # response-body-limit: Limit reassembly of response body for inspection | |
719 | # by file_data, http_server_body & pcre /Q option. | |
720 | # double-decode-path: Double decode path section of the URI | |
721 | # double-decode-query: Double decode query section of the URI | |
722 | # response-body-decompress-layer-limit: | |
723 | # Limit to how many layers of compression will be | |
724 | # decompressed. Defaults to 2. | |
725 | # | |
726 | # server-config: List of server configurations to use if address matches | |
727 | # address: List of ip addresses or networks for this block | |
728 | # personalitiy: List of personalities used by this block | |
729 | # request-body-limit: Limit reassembly of request body for inspection | |
730 | # by http_client_body & pcre /P option. | |
731 | # response-body-limit: Limit reassembly of response body for inspection | |
732 | # by file_data, http_server_body & pcre /Q option. | |
733 | # double-decode-path: Double decode path section of the URI | |
734 | # double-decode-query: Double decode query section of the URI | |
735 | # | |
736 | # uri-include-all: Include all parts of the URI. By default the | |
737 | # 'scheme', username/password, hostname and port | |
738 | # are excluded. Setting this option to true adds | |
739 | # all of them to the normalized uri as inspected | |
740 | # by http_uri, urilen, pcre with /U and the other | |
741 | # keywords that inspect the normalized uri. | |
742 | # Note that this does not affect http_raw_uri. | |
743 | # Also, note that including all was the default in | |
744 | # 1.4 and 2.0beta1. | |
745 | # | |
746 | # meta-field-limit: Hard size limit for request and response size | |
747 | # limits. Applies to request line and headers, | |
748 | # response line and headers. Does not apply to | |
749 | # request or response bodies. Default is 18k. | |
750 | # If this limit is reached an event is raised. | |
751 | # | |
752 | # Currently Available Personalities: | |
753 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, | |
754 | # IIS_7_0, IIS_7_5, Apache_2 | |
755 | libhtp: | |
756 | default-config: | |
757 | personality: IDS | |
758 | ||
759 | # Can be specified in kb, mb, gb. Just a number indicates | |
760 | # it's in bytes. | |
761 | request-body-limit: 100kb | |
762 | response-body-limit: 100kb | |
763 | ||
764 | # inspection limits | |
765 | request-body-minimal-inspect-size: 32kb | |
766 | request-body-inspect-window: 4kb | |
767 | response-body-minimal-inspect-size: 40kb | |
768 | response-body-inspect-window: 16kb | |
769 | ||
770 | # response body decompression (0 disables) | |
771 | response-body-decompress-layer-limit: 2 | |
772 | ||
773 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically | |
774 | http-body-inline: auto | |
775 | ||
776 | # Take a random value for inspection sizes around the specified value. | |
777 | # This lower the risk of some evasion technics but could lead | |
778 | # detection change between runs. It is set to 'yes' by default. | |
779 | #randomize-inspection-sizes: yes | |
780 | # If randomize-inspection-sizes is active, the value of various | |
781 | # inspection size will be choosen in the [1 - range%, 1 + range%] | |
782 | # range | |
783 | # Default value of randomize-inspection-range is 10. | |
784 | #randomize-inspection-range: 10 | |
785 | ||
786 | # decoding | |
787 | double-decode-path: no | |
788 | double-decode-query: no | |
789 | ||
790 | server-config: | |
791 | ||
792 | #- apache: | |
793 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] | |
794 | # personality: Apache_2 | |
795 | # # Can be specified in kb, mb, gb. Just a number indicates | |
796 | # # it's in bytes. | |
797 | # request-body-limit: 4096 | |
798 | # response-body-limit: 4096 | |
799 | # double-decode-path: no | |
800 | # double-decode-query: no | |
801 | ||
802 | #- iis7: | |
803 | # address: | |
804 | # - 192.168.0.0/24 | |
805 | # - 192.168.10.0/24 | |
806 | # personality: IIS_7_0 | |
807 | # # Can be specified in kb, mb, gb. Just a number indicates | |
808 | # # it's in bytes. | |
809 | # request-body-limit: 4096 | |
810 | # response-body-limit: 4096 | |
811 | # double-decode-path: no | |
812 | # double-decode-query: no | |
813 | ||
814 | # Note: Modbus probe parser is minimalist due to the poor significant field | |
815 | # Only Modbus message length (greater than Modbus header length) | |
816 | # And Protocol ID (equal to 0) are checked in probing parser | |
817 | # It is important to enable detection port and define Modbus port | |
818 | # to avoid false positive | |
819 | modbus: | |
820 | # How many unreplied Modbus requests are considered a flood. | |
821 | # If the limit is reached, app-layer-event:modbus.flooded; will match. | |
822 | #request-flood: 500 | |
823 | ||
824 | enabled: no | |
825 | detection-ports: | |
826 | dp: 502 | |
827 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it | |
828 | # is recommended to keep the TCP connection opened with a remote device | |
829 | # and not to open and close it for each MODBUS/TCP transaction. In that | |
830 | # case, it is important to set the depth of the stream reassembling as | |
831 | # unlimited (stream.reassembly.depth: 0) | |
832 | ||
833 | # Stream reassembly size for modbus. By default track it completely. | |
834 | stream-depth: 0 | |
835 | ||
836 | # DNP3 | |
837 | dnp3: | |
838 | enabled: no | |
839 | detection-ports: | |
840 | dp: 20000 | |
841 | ||
842 | # SCADA EtherNet/IP and CIP protocol support | |
843 | enip: | |
844 | enabled: no | |
845 | detection-ports: | |
846 | dp: 44818 | |
847 | sp: 44818 | |
848 | ||
849 | # Note: parser depends on experimental Rust support | |
850 | # with --enable-rust-experimental passed to configure | |
851 | ntp: | |
852 | enabled: no | |
853 | ||
854 | # Limit for the maximum number of asn1 frames to decode (default 256) | |
855 | asn1-max-frames: 256 | |
856 | ||
857 | ||
858 | ############################################################################## | |
859 | ## | |
860 | ## Advanced settings below | |
861 | ## | |
862 | ############################################################################## | |
863 | ||
864 | ## | |
865 | ## Run Options | |
866 | ## | |
867 | ||
868 | # Run suricata as user and group. | |
869 | #run-as: | |
870 | # user: suri | |
871 | # group: suri | |
872 | ||
873 | # Some logging module will use that name in event as identifier. The default | |
874 | # value is the hostname | |
875 | #sensor-name: suricata | |
876 | ||
877 | # Default location of the pid file. The pid file is only used in | |
878 | # daemon mode (start Suricata with -D). If not running in daemon mode | |
879 | # the --pidfile command line option must be used to create a pid file. | |
880 | #pid-file: /var/run/suricata.pid | |
881 | ||
882 | # Daemon working directory | |
883 | # Suricata will change directory to this one if provided | |
884 | # Default: "/" | |
885 | #daemon-directory: "/" | |
886 | ||
887 | # Suricata core dump configuration. Limits the size of the core dump file to | |
888 | # approximately max-dump. The actual core dump size will be a multiple of the | |
889 | # page size. Core dumps that would be larger than max-dump are truncated. On | |
890 | # Linux, the actual core dump size may be a few pages larger than max-dump. | |
891 | # Setting max-dump to 0 disables core dumping. | |
892 | # Setting max-dump to 'unlimited' will give the full core dump file. | |
893 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | |
894 | # to be 'unlimited'. | |
895 | ||
896 | coredump: | |
897 | max-dump: unlimited | |
898 | ||
899 | # If suricata box is a router for the sniffed networks, set it to 'router'. If | |
900 | # it is a pure sniffing setup, set it to 'sniffer-only'. | |
901 | # If set to auto, the variable is internally switch to 'router' in IPS mode | |
902 | # and 'sniffer-only' in IDS mode. | |
903 | # This feature is currently only used by the reject* keywords. | |
904 | host-mode: auto | |
905 | ||
906 | # Number of packets preallocated per thread. The default is 1024. A higher number | |
907 | # will make sure each CPU will be more easily kept busy, but may negatively | |
908 | # impact caching. | |
909 | # | |
910 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules | |
911 | # apply. In that case try something like 60000 or more. This is because the CUDA | |
912 | # pattern matcher buffers and scans as many packets as possible in parallel. | |
913 | #max-pending-packets: 1024 | |
914 | ||
915 | # Runmode the engine should use. Please check --list-runmodes to get the available | |
916 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned | |
917 | # load balancing). | |
918 | #runmode: autofp | |
919 | ||
920 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. | |
921 | # | |
922 | # Supported schedulers are: | |
923 | # | |
924 | # round-robin - Flows assigned to threads in a round robin fashion. | |
925 | # active-packets - Flows assigned to threads that have the lowest number of | |
926 | # unprocessed packets (default). | |
927 | # hash - Flow alloted usihng the address hash. More of a random | |
928 | # technique. Was the default in Suricata 1.2.1 and older. | |
929 | # | |
930 | #autofp-scheduler: active-packets | |
931 | ||
932 | # Preallocated size for packet. Default is 1514 which is the classical | |
933 | # size for pcap on ethernet. You should adjust this value to the highest | |
934 | # packet size (MTU + hardware header) on your system. | |
935 | #default-packet-size: 1514 | |
936 | ||
937 | # Unix command socket can be used to pass commands to suricata. | |
938 | # An external tool can then connect to get information from suricata | |
939 | # or trigger some modifications of the engine. Set enabled to yes | |
940 | # to activate the feature. In auto mode, the feature will only be | |
941 | # activated in live capture mode. You can use the filename variable to set | |
942 | # the file name of the socket. | |
943 | unix-command: | |
944 | enabled: auto | |
945 | #filename: custom.socket | |
946 | ||
947 | # Magic file. The extension .mgc is added to the value here. | |
948 | #magic-file: /usr/share/file/magic | |
949 | #magic-file: | |
950 | ||
951 | legacy: | |
952 | uricontent: enabled | |
953 | ||
954 | ## | |
955 | ## Detection settings | |
956 | ## | |
957 | ||
958 | # Set the order of alerts bassed on actions | |
959 | # The default order is pass, drop, reject, alert | |
960 | # action-order: | |
961 | # - pass | |
962 | # - drop | |
963 | # - reject | |
964 | # - alert | |
965 | ||
966 | # IP Reputation | |
967 | #reputation-categories-file: /etc/suricata/iprep/categories.txt | |
968 | #default-reputation-path: /etc/suricata/iprep | |
969 | #reputation-files: | |
970 | # - reputation.list | |
971 | ||
972 | # When run with the option --engine-analysis, the engine will read each of | |
973 | # the parameters below, and print reports for each of the enabled sections | |
974 | # and exit. The reports are printed to a file in the default log dir | |
975 | # given by the parameter "default-log-dir", with engine reporting | |
976 | # subsection below printing reports in its own report file. | |
977 | engine-analysis: | |
978 | # enables printing reports for fast-pattern for every rule. | |
979 | rules-fast-pattern: yes | |
980 | # enables printing reports for each rule | |
981 | rules: yes | |
982 | ||
983 | #recursion and match limits for PCRE where supported | |
984 | pcre: | |
985 | match-limit: 3500 | |
986 | match-limit-recursion: 1500 | |
987 | ||
988 | ## | |
989 | ## Advanced Traffic Tracking and Reconstruction Settings | |
990 | ## | |
991 | ||
992 | # Host specific policies for defragmentation and TCP stream | |
993 | # reassembly. The host OS lookup is done using a radix tree, just | |
994 | # like a routing table so the most specific entry matches. | |
995 | host-os-policy: | |
996 | # Make the default policy windows. | |
997 | windows: [0.0.0.0/0] | |
998 | bsd: [] | |
999 | bsd-right: [] | |
1000 | old-linux: [] | |
1001 | linux: [] | |
1002 | old-solaris: [] | |
1003 | solaris: [] | |
1004 | hpux10: [] | |
1005 | hpux11: [] | |
1006 | irix: [] | |
1007 | macos: [] | |
1008 | vista: [] | |
1009 | windows2k3: [] | |
1010 | ||
1011 | # Defrag settings: | |
1012 | ||
1013 | defrag: | |
1014 | memcap: 32mb | |
1015 | hash-size: 65536 | |
1016 | trackers: 65535 # number of defragmented flows to follow | |
1017 | max-frags: 65535 # number of fragments to keep (higher than trackers) | |
1018 | prealloc: yes | |
1019 | timeout: 60 | |
1020 | ||
1021 | # Enable defrag per host settings | |
1022 | # host-config: | |
1023 | # | |
1024 | # - dmz: | |
1025 | # timeout: 30 | |
1026 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] | |
1027 | # | |
1028 | # - lan: | |
1029 | # timeout: 45 | |
1030 | # address: | |
1031 | # - 192.168.0.0/24 | |
1032 | # - 192.168.10.0/24 | |
1033 | # - 172.16.14.0/24 | |
1034 | ||
1035 | # Flow settings: | |
1036 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | |
1037 | # for flow allocation inside the engine. You can change this value to allow | |
1038 | # more memory usage for flows. | |
1039 | # The hash-size determine the size of the hash used to identify flows inside | |
1040 | # the engine, and by default the value is 65536. | |
1041 | # At the startup, the engine can preallocate a number of flows, to get a better | |
1042 | # performance. The number of flows preallocated is 10000 by default. | |
1043 | # emergency-recovery is the percentage of flows that the engine need to | |
1044 | # prune before unsetting the emergency state. The emergency state is activated | |
1045 | # when the memcap limit is reached, allowing to create new flows, but | |
1046 | # prunning them with the emergency timeouts (they are defined below). | |
1047 | # If the memcap is reached, the engine will try to prune flows | |
1048 | # with the default timeouts. If it doens't find a flow to prune, it will set | |
1049 | # the emergency bit and it will try again with more agressive timeouts. | |
1050 | # If that doesn't work, then it will try to kill the last time seen flows | |
1051 | # not in use. | |
1052 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's | |
1053 | # in bytes. | |
1054 | ||
1055 | flow: | |
1056 | memcap: 128mb | |
1057 | hash-size: 65536 | |
1058 | prealloc: 10000 | |
1059 | emergency-recovery: 30 | |
1060 | #managers: 1 # default to one flow manager | |
1061 | #recyclers: 1 # default to one flow recycler thread | |
1062 | ||
1063 | # This option controls the use of vlan ids in the flow (and defrag) | |
1064 | # hashing. Normally this should be enabled, but in some (broken) | |
1065 | # setups where both sides of a flow are not tagged with the same vlan | |
1066 | # tag, we can ignore the vlan id's in the flow hashing. | |
1067 | vlan: | |
1068 | use-for-tracking: true | |
1069 | ||
1070 | # Specific timeouts for flows. Here you can specify the timeouts that the | |
1071 | # active flows will wait to transit from the current state to another, on each | |
1072 | # protocol. The value of "new" determine the seconds to wait after a hanshake or | |
1073 | # stream startup before the engine free the data of that flow it doesn't | |
1074 | # change the state to established (usually if we don't receive more packets | |
1075 | # of that flow). The value of "established" is the amount of | |
1076 | # seconds that the engine will wait to free the flow if it spend that amount | |
1077 | # without receiving new packets or closing the connection. "closed" is the | |
1078 | # amount of time to wait after a flow is closed (usually zero). "bypassed" | |
1079 | # timeout controls locally bypassed flows. For these flows we don't do any other | |
1080 | # tracking. If no packets have been seen after this timeout, the flow is discarded. | |
1081 | # | |
1082 | # There's an emergency mode that will become active under attack circumstances, | |
1083 | # making the engine to check flow status faster. This configuration variables | |
1084 | # use the prefix "emergency-" and work similar as the normal ones. | |
1085 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and | |
1086 | # icmp. | |
1087 | ||
1088 | flow-timeouts: | |
1089 | ||
1090 | default: | |
1091 | new: 30 | |
1092 | established: 300 | |
1093 | closed: 0 | |
1094 | bypassed: 100 | |
1095 | emergency-new: 10 | |
1096 | emergency-established: 100 | |
1097 | emergency-closed: 0 | |
1098 | emergency-bypassed: 50 | |
1099 | tcp: | |
1100 | new: 60 | |
1101 | established: 600 | |
1102 | closed: 60 | |
1103 | bypassed: 100 | |
1104 | emergency-new: 5 | |
1105 | emergency-established: 100 | |
1106 | emergency-closed: 10 | |
1107 | emergency-bypassed: 50 | |
1108 | udp: | |
1109 | new: 30 | |
1110 | established: 300 | |
1111 | bypassed: 100 | |
1112 | emergency-new: 10 | |
1113 | emergency-established: 100 | |
1114 | emergency-bypassed: 50 | |
1115 | icmp: | |
1116 | new: 30 | |
1117 | established: 300 | |
1118 | bypassed: 100 | |
1119 | emergency-new: 10 | |
1120 | emergency-established: 100 | |
1121 | emergency-bypassed: 50 | |
1122 | ||
1123 | # Stream engine settings. Here the TCP stream tracking and reassembly | |
1124 | # engine is configured. | |
1125 | # | |
1126 | # stream: | |
1127 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a | |
1128 | # # number indicates it's in bytes. | |
1129 | # checksum-validation: yes # To validate the checksum of received | |
1130 | # # packet. If csum validation is specified as | |
1131 | # # "yes", then packet with invalid csum will not | |
1132 | # # be processed by the engine stream/app layer. | |
1133 | # # Warning: locally generated trafic can be | |
1134 | # # generated without checksum due to hardware offload | |
1135 | # # of checksum. You can control the handling of checksum | |
1136 | # # on a per-interface basis via the 'checksum-checks' | |
1137 | # # option | |
1138 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread | |
1139 | # midstream: false # don't allow midstream session pickups | |
1140 | # async-oneside: false # don't enable async stream handling | |
1141 | # inline: no # stream inline mode | |
1142 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine | |
1143 | # max-synack-queued: 5 # Max different SYN/ACKs to queue | |
1144 | # bypass: no # Bypass packets when stream.depth is reached | |
1145 | # | |
1146 | # reassembly: | |
1147 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number | |
1148 | # # indicates it's in bytes. | |
1149 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number | |
1150 | # # indicates it's in bytes. | |
1151 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least | |
1152 | # # this size. Can be specified in kb, mb, | |
1153 | # # gb. Just a number indicates it's in bytes. | |
1154 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least | |
1155 | # # this size. Can be specified in kb, mb, | |
1156 | # # gb. Just a number indicates it's in bytes. | |
1157 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. | |
1158 | # # This lower the risk of some evasion technics but could lead | |
1159 | # # detection change between runs. It is set to 'yes' by default. | |
1160 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is | |
1161 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size | |
1162 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same | |
1163 | # # calculation for toclient-chunk-size. | |
1164 | # # Default value of randomize-chunk-range is 10. | |
1165 | # | |
1166 | # raw: yes # 'Raw' reassembly enabled or disabled. | |
1167 | # # raw is for content inspection by detection | |
1168 | # # engine. | |
1169 | # | |
1170 | # segment-prealloc: 2048 # number of segments preallocated per thread | |
1171 | # | |
1172 | # check-overlap-different-data: true|false | |
1173 | # # check if a segment contains different data | |
1174 | # # than what we've already seen for that | |
1175 | # # position in the stream. | |
1176 | # # This is enabled automatically if inline mode | |
1177 | # # is used or when stream-event:reassembly_overlap_different_data; | |
1178 | # # is used in a rule. | |
1179 | # | |
1180 | stream: | |
1181 | memcap: 64mb | |
1182 | checksum-validation: yes # reject wrong csums | |
1183 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically | |
1184 | reassembly: | |
1185 | memcap: 256mb | |
1186 | depth: 1mb # reassemble 1mb into a stream | |
1187 | toserver-chunk-size: 2560 | |
1188 | toclient-chunk-size: 2560 | |
1189 | randomize-chunk-size: yes | |
1190 | #randomize-chunk-range: 10 | |
1191 | #raw: yes | |
1192 | #segment-prealloc: 2048 | |
1193 | #check-overlap-different-data: true | |
1194 | ||
1195 | # Host table: | |
1196 | # | |
1197 | # Host table is used by tagging and per host thresholding subsystems. | |
1198 | # | |
1199 | host: | |
1200 | hash-size: 4096 | |
1201 | prealloc: 1000 | |
1202 | memcap: 32mb | |
1203 | ||
1204 | # IP Pair table: | |
1205 | # | |
1206 | # Used by xbits 'ippair' tracking. | |
1207 | # | |
1208 | #ippair: | |
1209 | # hash-size: 4096 | |
1210 | # prealloc: 1000 | |
1211 | # memcap: 32mb | |
1212 | ||
1213 | # Decoder settings | |
1214 | ||
1215 | decoder: | |
1216 | # Teredo decoder is known to not be completely accurate | |
1217 | # it will sometimes detect non-teredo as teredo. | |
1218 | teredo: | |
1219 | enabled: true | |
1220 | ||
1221 | ||
1222 | ## | |
1223 | ## Performance tuning and profiling | |
1224 | ## | |
1225 | ||
1226 | # The detection engine builds internal groups of signatures. The engine | |
1227 | # allow us to specify the profile to use for them, to manage memory on an | |
1228 | # efficient way keeping a good performance. For the profile keyword you | |
1229 | # can use the words "low", "medium", "high" or "custom". If you use custom | |
1230 | # make sure to define the values at "- custom-values" as your convenience. | |
1231 | # Usually you would prefer medium/high/low. | |
1232 | # | |
1233 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | |
1234 | # the signature groups. "single" indicates the use of a single context for | |
1235 | # all the signature group heads. "full" indicates a mpm-context for each | |
1236 | # group head. "auto" lets the engine decide the distribution of contexts | |
1237 | # based on the information the engine gathers on the patterns from each | |
1238 | # group head. | |
1239 | # | |
1240 | # The option inspection-recursion-limit is used to limit the recursive calls | |
1241 | # in the content inspection code. For certain payload-sig combinations, we | |
1242 | # might end up taking too much time in the content inspection code. | |
1243 | # If the argument specified is 0, the engine uses an internally defined | |
1244 | # default limit. On not specifying a value, we use no limits on the recursion. | |
1245 | detect: | |
1246 | profile: medium | |
1247 | custom-values: | |
1248 | toclient-groups: 3 | |
1249 | toserver-groups: 25 | |
1250 | sgh-mpm-context: auto | |
1251 | inspection-recursion-limit: 3000 | |
1252 | # If set to yes, the loading of signatures will be made after the capture | |
1253 | # is started. This will limit the downtime in IPS mode. | |
1254 | #delayed-detect: yes | |
1255 | ||
1256 | prefilter: | |
1257 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern | |
1258 | # engines. "auto" also sets up prefilter engines for other keywords. | |
1259 | # Use --list-keywords=all to see which keywords support prefiltering. | |
1260 | default: mpm | |
1261 | ||
1262 | # the grouping values above control how many groups are created per | |
1263 | # direction. Port whitelisting forces that port to get it's own group. | |
1264 | # Very common ports will benefit, as well as ports with many expensive | |
1265 | # rules. | |
1266 | grouping: | |
1267 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 | |
1268 | #udp-whitelist: 53, 135, 5060 | |
1269 | ||
1270 | profiling: | |
1271 | # Log the rules that made it past the prefilter stage, per packet | |
1272 | # default is off. The threshold setting determines how many rules | |
1273 | # must have made it past pre-filter for that rule to trigger the | |
1274 | # logging. | |
1275 | #inspect-logging-threshold: 200 | |
1276 | grouping: | |
1277 | dump-to-disk: false | |
1278 | include-rules: false # very verbose | |
1279 | include-mpm-stats: false | |
1280 | ||
1281 | # Select the multi pattern algorithm you want to run for scan/search the | |
1282 | # in the engine. | |
1283 | # | |
1284 | # The supported algorithms are: | |
1285 | # "ac" - Aho-Corasick, default implementation | |
1286 | # "ac-bs" - Aho-Corasick, reduced memory implementation | |
1287 | # "ac-cuda" - Aho-Corasick, CUDA implementation | |
1288 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant | |
1289 | # "hs" - Hyperscan, available when built with Hyperscan support | |
1290 | # | |
1291 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is | |
1292 | # available, "ac" otherwise. | |
1293 | # | |
1294 | # The mpm you choose also decides the distribution of mpm contexts for | |
1295 | # signature groups, specified by the conf - "detect.sgh-mpm-context". | |
1296 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" | |
1297 | # to be set to "single", because of ac's memory requirements, unless the | |
1298 | # ruleset is small enough to fit in one's memory, in which case one can | |
1299 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. | |
1300 | # | |
1301 | # There is also a CUDA pattern matcher (only available if Suricata was | |
1302 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your | |
1303 | # max-pending-packets setting above as well if you use b2g_cuda. | |
1304 | ||
1305 | mpm-algo: auto | |
1306 | ||
1307 | # Select the matching algorithm you want to use for single-pattern searches. | |
1308 | # | |
1309 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only | |
1310 | # available if Suricata has been built with Hyperscan support). | |
1311 | # | |
1312 | # The default of "auto" will use "hs" if available, otherwise "bm". | |
1313 | ||
1314 | spm-algo: auto | |
1315 | ||
1316 | # Suricata is multi-threaded. Here the threading can be influenced. | |
1317 | threading: | |
1318 | set-cpu-affinity: no | |
1319 | # Tune cpu affinity of threads. Each family of threads can be bound | |
1320 | # on specific CPUs. | |
1321 | # | |
1322 | # These 2 apply to the all runmodes: | |
1323 | # management-cpu-set is used for flow timeout handling, counters | |
1324 | # worker-cpu-set is used for 'worker' threads | |
1325 | # | |
1326 | # Additionally, for autofp these apply: | |
1327 | # receive-cpu-set is used for capture threads | |
1328 | # verdict-cpu-set is used for IPS verdict threads | |
1329 | # | |
1330 | cpu-affinity: | |
1331 | - management-cpu-set: | |
1332 | cpu: [ 0 ] # include only these cpus in affinity settings | |
1333 | - receive-cpu-set: | |
1334 | cpu: [ 0 ] # include only these cpus in affinity settings | |
1335 | - worker-cpu-set: | |
1336 | cpu: [ "all" ] | |
1337 | mode: "exclusive" | |
1338 | # Use explicitely 3 threads and don't compute number by using | |
1339 | # detect-thread-ratio variable: | |
1340 | # threads: 3 | |
1341 | prio: | |
1342 | low: [ 0 ] | |
1343 | medium: [ "1-2" ] | |
1344 | high: [ 3 ] | |
1345 | default: "medium" | |
1346 | #- verdict-cpu-set: | |
1347 | # cpu: [ 0 ] | |
1348 | # prio: | |
1349 | # default: "high" | |
1350 | # | |
1351 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | |
1352 | # This setting allows controlling this behaviour. A ratio setting of 2 will | |
1353 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | |
1354 | # will result in 4 detect threads. If values below 1 are used, less threads | |
1355 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | |
1356 | # thread being created. Regardless of the setting at a minimum 1 detect | |
1357 | # thread will always be created. | |
1358 | # | |
1359 | detect-thread-ratio: 1.0 | |
1360 | ||
1361 | # Luajit has a strange memory requirement, it's 'states' need to be in the | |
1362 | # first 2G of the process' memory. | |
1363 | # | |
1364 | # 'luajit.states' is used to control how many states are preallocated. | |
1365 | # State use: per detect script: 1 per detect thread. Per output script: 1 per | |
1366 | # script. | |
1367 | luajit: | |
1368 | states: 128 | |
1369 | ||
1370 | # Profiling settings. Only effective if Suricata has been built with the | |
1371 | # the --enable-profiling configure flag. | |
1372 | # | |
1373 | profiling: | |
1374 | # Run profiling for every xth packet. The default is 1, which means we | |
1375 | # profile every packet. If set to 1000, one packet is profiled for every | |
1376 | # 1000 received. | |
1377 | #sample-rate: 1000 | |
1378 | ||
1379 | # rule profiling | |
1380 | rules: | |
1381 | ||
1382 | # Profiling can be disabled here, but it will still have a | |
1383 | # performance impact if compiled in. | |
1384 | enabled: yes | |
1385 | filename: rule_perf.log | |
1386 | append: yes | |
1387 | ||
1388 | # Sort options: ticks, avgticks, checks, matches, maxticks | |
1389 | # If commented out all the sort options will be used. | |
1390 | #sort: avgticks | |
1391 | ||
1392 | # Limit the number of sids for which stats are shown at exit (per sort). | |
1393 | limit: 10 | |
1394 | ||
1395 | # output to json | |
1396 | json: yes | |
1397 | ||
1398 | # per keyword profiling | |
1399 | keywords: | |
1400 | enabled: yes | |
1401 | filename: keyword_perf.log | |
1402 | append: yes | |
1403 | ||
1404 | # per rulegroup profiling | |
1405 | rulegroups: | |
1406 | enabled: yes | |
1407 | filename: rule_group_perf.log | |
1408 | append: yes | |
1409 | ||
1410 | # packet profiling | |
1411 | packets: | |
1412 | ||
1413 | # Profiling can be disabled here, but it will still have a | |
1414 | # performance impact if compiled in. | |
1415 | enabled: yes | |
1416 | filename: packet_stats.log | |
1417 | append: yes | |
1418 | ||
1419 | # per packet csv output | |
1420 | csv: | |
1421 | ||
1422 | # Output can be disabled here, but it will still have a | |
1423 | # performance impact if compiled in. | |
1424 | enabled: no | |
1425 | filename: packet_stats.csv | |
1426 | ||
1427 | # profiling of locking. Only available when Suricata was built with | |
1428 | # --enable-profiling-locks. | |
1429 | locks: | |
1430 | enabled: no | |
1431 | filename: lock_stats.log | |
1432 | append: yes | |
1433 | ||
1434 | pcap-log: | |
1435 | enabled: no | |
1436 | filename: pcaplog_stats.log | |
1437 | append: yes | |
1438 | ||
1439 | ## | |
1440 | ## Netfilter integration | |
1441 | ## | |
1442 | ||
1443 | # When running in NFQ inline mode, it is possible to use a simulated | |
1444 | # non-terminal NFQUEUE verdict. | |
1445 | # This permit to do send all needed packet to suricata via this a rule: | |
1446 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE | |
1447 | # And below, you can have your standard filtering ruleset. To activate | |
1448 | # this mode, you need to set mode to 'repeat' | |
1449 | # If you want packet to be sent to another queue after an ACCEPT decision | |
1450 | # set mode to 'route' and set next-queue value. | |
1451 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance | |
1452 | # by processing several packets before sending a verdict (worker runmode only). | |
1453 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel | |
1454 | # accept the packet if suricata is not able to keep pace. | |
1455 | # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is | |
1456 | # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask | |
1457 | # on packet of a flow that need to be bypassed. The Nefilter ruleset has to | |
1458 | # directly accept all packets of a flow once a packet has been marked. | |
1459 | nfq: | |
1460 | # mode: accept | |
1461 | # repeat-mark: 1 | |
1462 | # repeat-mask: 1 | |
1463 | # bypass-mark: 1 | |
1464 | # bypass-mask: 1 | |
1465 | # route-queue: 2 | |
1466 | # batchcount: 20 | |
1467 | # fail-open: yes | |
1468 | ||
1469 | #nflog support | |
1470 | nflog: | |
1471 | # netlink multicast group | |
1472 | # (the same as the iptables --nflog-group param) | |
1473 | # Group 0 is used by the kernel, so you can't use it | |
1474 | - group: 2 | |
1475 | # netlink buffer size | |
1476 | buffer-size: 18432 | |
1477 | # put default value here | |
1478 | - group: default | |
1479 | # set number of packet to queue inside kernel | |
1480 | qthreshold: 1 | |
1481 | # set the delay before flushing packet in the queue inside kernel | |
1482 | qtimeout: 100 | |
1483 | # netlink max buffer size | |
1484 | max-size: 20000 | |
1485 | ||
1486 | ## | |
1487 | ## Advanced Capture Options | |
1488 | ## | |
1489 | ||
1490 | # general settings affecting packet capture | |
1491 | capture: | |
1492 | # disable NIC offloading. It's restored when Suricata exists. | |
1493 | # Enabled by default | |
1494 | #disable-offloading: false | |
1495 | # | |
1496 | # disable checksum validation. Same as setting '-k none' on the | |
1497 | # commandline | |
1498 | #checksum-validation: none | |
1499 | ||
1500 | # Netmap support | |
1501 | # | |
1502 | # Netmap operates with NIC directly in driver, so you need FreeBSD wich have | |
1503 | # built-in netmap support or compile and install netmap module and appropriate | |
1504 | # NIC driver on your Linux system. | |
1505 | # To reach maximum throughput disable all receive-, segmentation-, | |
1506 | # checksum- offloadings on NIC. | |
1507 | # Disabling Tx checksum offloading is *required* for connecting OS endpoint | |
1508 | # with NIC endpoint. | |
1509 | # You can find more information at https://github.com/luigirizzo/netmap | |
1510 | # | |
1511 | netmap: | |
1512 | # To specify OS endpoint add plus sign at the end (e.g. "eth0+") | |
1513 | - interface: eth2 | |
1514 | # Number of receive threads. "auto" uses number of RSS queues on interface. | |
1515 | #threads: auto | |
1516 | # You can use the following variables to activate netmap tap or IPS mode. | |
1517 | # If copy-mode is set to ips or tap, the traffic coming to the current | |
1518 | # interface will be copied to the copy-iface interface. If 'tap' is set, the | |
1519 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action | |
1520 | # will not be copied. | |
1521 | # To specify the OS as the copy-iface (so the OS can route packets, or forward | |
1522 | # to a service running on the same machine) add a plus sign at the end | |
1523 | # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 | |
1524 | # for return packets. Hardware checksumming must be *off* on the interface if | |
1525 | # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD | |
1526 | # or 'ethtool -K eth0 tx off rx off' for Linux). | |
1527 | #copy-mode: tap | |
1528 | #copy-iface: eth3 | |
1529 | # Set to yes to disable promiscuous mode | |
1530 | # disable-promisc: no | |
1531 | # Choose checksum verification mode for the interface. At the moment | |
1532 | # of the capture, some packets may be with an invalid checksum due to | |
1533 | # offloading to the network card of the checksum computation. | |
1534 | # Possible values are: | |
1535 | # - yes: checksum validation is forced | |
1536 | # - no: checksum validation is disabled | |
1537 | # - auto: suricata uses a statistical approach to detect when | |
1538 | # checksum off-loading is used. | |
1539 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
1540 | #checksum-checks: auto | |
1541 | # BPF filter to apply to this interface. The pcap filter syntax apply here. | |
1542 | #bpf-filter: port 80 or udp | |
1543 | #- interface: eth3 | |
1544 | #threads: auto | |
1545 | #copy-mode: tap | |
1546 | #copy-iface: eth2 | |
1547 | # Put default values here | |
1548 | - interface: default | |
1549 | ||
1550 | # PF_RING configuration. for use with native PF_RING support | |
1551 | # for more info see http://www.ntop.org/products/pf_ring/ | |
1552 | pfring: | |
1553 | - interface: eth0 | |
1554 | # Number of receive threads (>1 will enable experimental flow pinned | |
1555 | # runmode) | |
1556 | threads: 1 | |
1557 | ||
1558 | # Default clusterid. PF_RING will load balance packets based on flow. | |
1559 | # All threads/processes that will participate need to have the same | |
1560 | # clusterid. | |
1561 | cluster-id: 99 | |
1562 | ||
1563 | # Default PF_RING cluster type. PF_RING can load balance per flow. | |
1564 | # Possible values are cluster_flow or cluster_round_robin. | |
1565 | cluster-type: cluster_flow | |
1566 | # bpf filter for this interface | |
1567 | #bpf-filter: tcp | |
1568 | # Choose checksum verification mode for the interface. At the moment | |
1569 | # of the capture, some packets may be with an invalid checksum due to | |
1570 | # offloading to the network card of the checksum computation. | |
1571 | # Possible values are: | |
1572 | # - rxonly: only compute checksum for packets received by network card. | |
1573 | # - yes: checksum validation is forced | |
1574 | # - no: checksum validation is disabled | |
1575 | # - auto: suricata uses a statistical approach to detect when | |
1576 | # checksum off-loading is used. (default) | |
1577 | # Warning: 'checksum-validation' must be set to yes to have any validation | |
1578 | #checksum-checks: auto | |
1579 | # Second interface | |
1580 | #- interface: eth1 | |
1581 | # threads: 3 | |
1582 | # cluster-id: 93 | |
1583 | # cluster-type: cluster_flow | |
1584 | # Put default values here | |
1585 | - interface: default | |
1586 | #threads: 2 | |
1587 | ||
1588 | # For FreeBSD ipfw(8) divert(4) support. | |
1589 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" | |
1590 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. | |
1591 | # Additionally, you need to have an ipfw rule for the engine to see | |
1592 | # the packets from ipfw. For Example: | |
1593 | # | |
1594 | # ipfw add 100 divert 8000 ip from any to any | |
1595 | # | |
1596 | # The 8000 above should be the same number you passed on the command | |
1597 | # line, i.e. -d 8000 | |
1598 | # | |
1599 | ipfw: | |
1600 | ||
1601 | # Reinject packets at the specified ipfw rule number. This config | |
1602 | # option is the ipfw rule number AT WHICH rule processing continues | |
1603 | # in the ipfw processing system after the engine has finished | |
1604 | # inspecting the packet for acceptance. If no rule number is specified, | |
1605 | # accepted packets are reinjected at the divert rule which they entered | |
1606 | # and IPFW rule processing continues. No check is done to verify | |
1607 | # this will rule makes sense so care must be taken to avoid loops in ipfw. | |
1608 | # | |
1609 | ## The following example tells the engine to reinject packets | |
1610 | # back into the ipfw firewall AT rule number 5500: | |
1611 | # | |
1612 | # ipfw-reinjection-rule-number: 5500 | |
1613 | ||
1614 | ||
1615 | napatech: | |
1616 | # The Host Buffer Allowance for all streams | |
1617 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) | |
1618 | # This may be enabled when sharing streams with another application. | |
1619 | # Otherwise, it should be turned off. | |
1620 | hba: -1 | |
1621 | ||
1622 | # use_all_streams set to "yes" will query the Napatech service for all configured | |
1623 | # streams and listen on all of them. When set to "no" the streams config array | |
1624 | # will be used. | |
1625 | use-all-streams: yes | |
1626 | ||
1627 | # The streams to listen on. This can be either: | |
1628 | # a list of individual streams (e.g. streams: [0,1,2,3]) | |
1629 | # or | |
1630 | # a range of streams (e.g. streams: ["0-3"]) | |
1631 | streams: ["0-3"] | |
1632 | ||
1633 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. | |
1634 | mpipe: | |
1635 | ||
1636 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". | |
1637 | load-balance: dynamic | |
1638 | ||
1639 | # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 | |
1640 | iqueue-packets: 2048 | |
1641 | ||
1642 | # List of interfaces we will listen on. | |
1643 | inputs: | |
1644 | - interface: xgbe2 | |
1645 | - interface: xgbe3 | |
1646 | - interface: xgbe4 | |
1647 | ||
1648 | ||
1649 | # Relative weight of memory for packets of each mPipe buffer size. | |
1650 | stack: | |
1651 | size128: 0 | |
1652 | size256: 9 | |
1653 | size512: 0 | |
1654 | size1024: 0 | |
1655 | size1664: 7 | |
1656 | size4096: 0 | |
1657 | size10386: 0 | |
1658 | size16384: 0 | |
1659 | ||
1660 | ## | |
1661 | ## Hardware accelaration | |
1662 | ## | |
1663 | ||
1664 | # Cuda configuration. | |
1665 | cuda: | |
1666 | # The "mpm" profile. On not specifying any of these parameters, the engine's | |
1667 | # internal default values are used, which are same as the ones specified in | |
1668 | # in the default conf file. | |
1669 | mpm: | |
1670 | # The minimum length required to buffer data to the gpu. | |
1671 | # Anything below this is MPM'ed on the CPU. | |
1672 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. | |
1673 | # A value of 0 indicates there's no limit. | |
1674 | data-buffer-size-min-limit: 0 | |
1675 | # The maximum length for data that we would buffer to the gpu. | |
1676 | # Anything over this is MPM'ed on the CPU. | |
1677 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. | |
1678 | data-buffer-size-max-limit: 1500 | |
1679 | # The ring buffer size used by the CudaBuffer API to buffer data. | |
1680 | cudabuffer-buffer-size: 500mb | |
1681 | # The max chunk size that can be sent to the gpu in a single go. | |
1682 | gpu-transfer-size: 50mb | |
1683 | # The timeout limit for batching of packets in microseconds. | |
1684 | batching-timeout: 2000 | |
1685 | # The device to use for the mpm. Currently we don't support load balancing | |
1686 | # on multiple gpus. In case you have multiple devices on your system, you | |
1687 | # can specify the device to use, using this conf. By default we hold 0, to | |
1688 | # specify the first device cuda sees. To find out device-id associated with | |
1689 | # the card(s) on the system run "suricata --list-cuda-cards". | |
1690 | device-id: 0 | |
1691 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid. | |
1692 | # For this option you need a device with Compute Capability > 1.0. | |
1693 | cuda-streams: 2 | |
1694 | ||
1695 | ## | |
1696 | ## Include other configs | |
1697 | ## | |
1698 | ||
1699 | # Includes. Files included here will be handled as if they were | |
1700 | # inlined in this configuration file. | |
1701 | #include: include1.yaml | |
1702 | #include: include2.yaml |