nfq:
mode: repeat
- repeat-mark: 16
- repeat-mask: 16
+ repeat-mark: 1879048192
+ repeat-mask: 1879048192
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
tls:
enabled: yes
detection-ports:
- dp: "[443,444,465,993,995]"
+ dp: "[443,444,465,853,993,995]"
# Completely stop processing TLS/SSL session after the handshake
# completed. If bypass is enabled this will also trigger flow
tcp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
udp:
enabled: yes
detection-ports:
- dp: "[53,853]"
+ dp: 53
http:
enabled: yes
- # memcap: 64mb
+ memcap: 256mb
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
# IIS_7_0, IIS_7_5, Apache_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request-body-limit: 100kb
- response-body-limit: 100kb
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 40kb
- response-body-inspect-window: 16kb
+ request-body-limit: 0
+ response-body-limit: 0
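Review bot: `request-body-limit: 0` and `response-body-limit: 0` on the added lines replace the 100kb reassembly caps with no cap at all if, as the neighbouring `(0 disables)` comment on the decompression-layer setting suggests, 0 means unlimited here, and the commit does not say why unbounded body reassembly is wanted. The only remaining bound is then the http `memcap: 256mb` raised a few lines above, so a few large transfers may consume the whole HTTP memcap and starve inspection of other flows. The same change also drops `request-body-minimal-inspect-size`, `request-body-inspect-window` and their response counterparts, and deletes the `server-config:` key further down without replacement, so per-server overrides can no longer be expressed. If full-body inspection is the intent, an explicit large bound such as `request-body-limit: 10mb` / `response-body-limit: 10mb` keeps the cap visible, and a comment above the two lines should state the decision, e.g. `# 0 = no limit; memory then bounded only by http.memcap above`.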
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
+ randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
+ randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- # Note: Modbus probe parser is minimalist due to the poor significant field
- # Only Modbus message length (greater than Modbus header length)
- # And Protocol ID (equal to 0) are checked in probing parser
- # It is important to enable detection port and define Modbus port
- # to avoid false positive
- modbus:
- # How many unreplied Modbus requests are considered a flood.
- # If the limit is reached, app-layer-event:modbus.flooded; will match.
- #request-flood: 500
-
- enabled: no
- detection-ports:
- dp: 502
- # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
- # is recommended to keep the TCP connection opened with a remote device
- # and not to open and close it for each MODBUS/TCP transaction. In that
- # case, it is important to set the depth of the stream reassembling as
- # unlimited (stream.reassembly.depth: 0)
-
- # Stream reassembly size for modbus. By default track it completely.
- stream-depth: 0
-
- # DNP3
- dnp3:
- enabled: no
- detection-ports:
- dp: 20000
-
- # SCADA EtherNet/IP and CIP protocol support
- enip:
- enabled: no
- detection-ports:
- dp: 44818
- sp: 44818
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
# # is used in a rule.
#
stream:
- memcap: 64mb
+ memcap: 256mb
+ prealloc-sessions: 4096
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #segment-prealloc: 2048
- #check-overlap-different-data: true
+ raw: yes
+ segment-prealloc: 2048
+ check-overlap-different-data: true
# Host table:
#
# Teredo decoder is known to not be completely accurate
# it will sometimes detect non-teredo as teredo.
teredo:
- enabled: true
+ enabled: false
##
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
+
# If set to yes, the loading of signatures will be made after the capture
# is started. This will limit the downtime in IPS mode.
- #delayed-detect: yes
+ delayed-detect: yes
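Review bot: `delayed-detect: yes` is turned on without documenting its trade-off: packets captured between engine start and the end of signature loading are presumably not inspected, and in inline mode (the `nfq` section at the top of this diff suggests IPS use) they would be passed rather than dropped. The existing comment on the two lines above mentions only the reduced downtime. Suggest extending it with `# Note: traffic seen before rule loading completes is not inspected (passed in IPS mode)` so the window of uninspected traffic is an explicit, acknowledged choice.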
prefilter:
# default prefiltering setting. "mpm" only creates MPM/fast_pattern