- syslog:
enabled: yes
facility: local5
- format: "[%i] <%d> -- "
+ format: ""
# type: json
##
nfq:
mode: repeat
- repeat-mark: 16
- repeat-mask: 16
+ repeat-mark: 1879048192
+ repeat-mask: 1879048192
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
tls:
enabled: yes
detection-ports:
- dp: "[443,465,993,995]"
+ dp: "[443,444,465,853,993,995]"
# Completely stop processing TLS/SSL session after the handshake
# completed. If bypass is enabled this will also trigger flow
# smb2 detection is disabled internally inside the engine.
#smb2:
# enabled: yes
- # Note: NFS parser depends on Rust support: pass --enable-rust
- # to configure.
- nfs:
- enabled: no
dns:
# memcaps. Globally and per flow/state.
- #global-memcap: 16mb
- #state-memcap: 512kb
+ global-memcap: 32mb
+ state-memcap: 512kb
# How many unreplied DNS requests are considered a flood.
# If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 500
+ request-flood: 512
tcp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
udp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
http:
enabled: yes
- # memcap: 64mb
+ memcap: 256mb
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
# IIS_7_0, IIS_7_5, Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-limit: 0
+ response-body-limit: 0
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
+ randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
+ randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- # Note: Modbus probe parser is minimalist due to the poor significant field
- # Only Modbus message length (greater than Modbus header length)
- # And Protocol ID (equal to 0) are checked in probing parser
- # It is important to enable detection port and define Modbus port
- # to avoid false positive
- modbus:
- # How many unreplied Modbus requests are considered a flood.
- # If the limit is reached, app-layer-event:modbus.flooded; will match.
- #request-flood: 500
-
- enabled: no
- detection-ports:
- dp: 502
- # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
- # is recommended to keep the TCP connection opened with a remote device
- # and not to open and close it for each MODBUS/TCP transaction. In that
- # case, it is important to set the depth of the stream reassembling as
- # unlimited (stream.reassembly.depth: 0)
-
- # Stream reassembly size for modbus. By default track it completely.
- stream-depth: 0
-
- # DNP3
- dnp3:
- enabled: no
- detection-ports:
- dp: 20000
-
- # SCADA EtherNet/IP and CIP protocol support
- enip:
- enabled: no
- detection-ports:
- dp: 44818
- sp: 44818
-
- # Note: parser depends on experimental Rust support
- # with --enable-rust-experimental passed to configure
- ntp:
- enabled: no
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
##
##############################################################################
-##
-## Run Options
-##
-
-# Run suricata as user and group.
-#run-as:
-# user: suri
-# group: suri
-
-# Some logging module will use that name in event as identifier. The default
-# value is the hostname
-#sensor-name: suricata
-
-# Default location of the pid file. The pid file is only used in
-# daemon mode (start Suricata with -D). If not running in daemon mode
-# the --pidfile command line option must be used to create a pid file.
-#pid-file: /var/run/suricata.pid
-
-# Daemon working directory
-# Suricata will change directory to this one if provided
-# Default: "/"
-#daemon-directory: "/"
-
# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Number of packets preallocated per thread. The default is 1024. A higher number
# will make sure each CPU will be more easily kept busy, but may negatively
# impact caching.
-#
-# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
-# apply. In that case try something like 60000 or more. This is because the CUDA
-# pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
+max-pending-packets: 1024
# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
+default-packet-size: 1514
# Unix command socket can be used to pass commands to suricata.
# An external tool can then connect to get information from suricata
enabled: no
#filename: custom.socket
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-#magic-file:
+# Magic file
+magic-file: /usr/share/misc/magic.mgc
legacy:
uricontent: enabled
# - reject
# - alert
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit. The reports are printed to a file in the default log dir
# Defrag settings:
defrag:
- memcap: 32mb
+ memcap: 64mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
-# Enable defrag per host settings
-# host-config:
-#
-# - dmz:
-# timeout: 30
-# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-# - lan:
-# timeout: 45
-# address:
-# - 192.168.0.0/24
-# - 192.168.10.0/24
-# - 172.16.14.0/24
-
# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# in bytes.
flow:
- memcap: 128mb
+ memcap: 256mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
- #managers: 1 # default to one flow manager
- #recyclers: 1 # default to one flow recycler thread
+ managers: 1
+ recyclers: 1
# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# # is used in a rule.
#
stream:
- memcap: 64mb
+ memcap: 256mb
+ prealloc-sessions: 4096
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #segment-prealloc: 2048
- #check-overlap-different-data: true
+ raw: yes
+ segment-prealloc: 2048
+ check-overlap-different-data: true
# Host table:
#
# Teredo decoder is known to not be completely accurate
# it will sometimes detect non-teredo as teredo.
teredo:
- enabled: true
+ enabled: false
##
# If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion.
detect:
- profile: medium
+ profile: high
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
+
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
- #delayed-detect: yes
+ delayed-detect: yes
prefilter:
# default prefiltering setting. "mpm" only creates MPM/fast_pattern
# thread will always be created.
#
detect-thread-ratio: 1.0
-
-# Profiling settings. Only effective if Suricata has been built with the
-# the --enable-profiling configure flag.
-#
-profiling:
- # Run profiling for every xth packet. The default is 1, which means we
- # profile every packet. If set to 1000, one packet is profiled for every
- # 1000 received.
- #sample-rate: 1000
-
- # rule profiling
- rules:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: rule_perf.log
- append: yes
-
- # Sort options: ticks, avgticks, checks, matches, maxticks
- # If commented out all the sort options will be used.
- #sort: avgticks
-
- # Limit the number of sids for which stats are shown at exit (per sort).
- limit: 10
-
- # output to json
- json: yes
-
- # per keyword profiling
- keywords:
- enabled: yes
- filename: keyword_perf.log
- append: yes
-
- # per rulegroup profiling
- rulegroups:
- enabled: yes
- filename: rule_group_perf.log
- append: yes
-
- # packet profiling
- packets:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: packet_stats.log
- append: yes
-
- # per packet csv output
- csv:
-
- # Output can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: no
- filename: packet_stats.csv
-
- # profiling of locking. Only available when Suricata was built with
- # --enable-profiling-locks.
- locks:
- enabled: no
- filename: lock_stats.log
- append: yes
-
- pcap-log:
- enabled: no
- filename: pcaplog_stats.log
- append: yes
-
-##
-## Include other configs
-##
-
-# Includes. Files included here will be handled as if they were
-# inlined in this configuration file.
-#include: include1.yaml
-#include: include2.yaml
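Review bot: Setting `request-body-limit: 0` and `response-body-limit: 0` in the http stanza, while also dropping the four `*-minimal-inspect-size` / `*-inspect-window` lines, leaves the new `memcap: 256mb` as the only cap on HTTP body buffering — presumably 0 disables the per-transaction limit here, as the neighbouring `response-body-decompress-layer-limit` comment says for its own key, so confirm that and record the intent with a comment such as `# 0 = no per-body limit; bounded only by http.memcap`. At the `magic-file` change the removed comment stated that the `.mgc` extension is appended to the configured value, yet the new value `/usr/share/misc/magic.mgc` already carries it; either the old comment was wrong or the path will not resolve as written, so verify which and keep a comment documenting the expected form. Deleting the commented `run-as` block and switching teredo to `enabled: false` both narrow the defensive posture — the file no longer carries a privilege-drop setting at all, and Teredo-encapsulated IPv6 will no longer be decoded — and each deserves a one-line comment recording why it was chosen. `enabled: false` under teredo is also the only `true`/`false` boolean in the file; every other flag uses `yes`/`no`, so `enabled: no` would match the surrounding style. No `@@` headers survive in this view, so the stanzas at both edges of the diff continue outside it.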