# or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
# In this base dir the pcaps are created in th directory structure Sguil expects:
#
- # $sguil_base_dir/YYYY-MM-DD/$filename.<timestamp>
+ # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
#
# By default all packets are logged except:
# - TCP streams beyond stream.reassembly.depth
# is parsed as bytes.
limit: 1000mb
- # If set to a value will enable ring buffer mode. Will keep Maximum of "max_files" of size "limit"
- max_files: 2000
+ # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
+ max-files: 2000
mode: normal # normal or sguil.
#sguil-base-dir: /nsm_data/
- #ts_format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use_stream_depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
# a full alerts log containing much information for signature writers
# or for investigating suspected false positives.
- alert-prelude:
enabled: no
profile: suricata
- log_packet_content: no
- log_packet_header: yes
+ log-packet-content: no
+ log-packet-header: yes
# Stats.log contains data from various counters of the suricata engine.
# The interval field (in seconds) tells after how long output will be written
# And below, you can have your standard filtering ruleset. To activate
# this mode, you need to set mode to 'repeat'
# If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next_queue value.
+# set mode to 'route' and set next-queue value.
nfq:
# mode: accept
-# repeat_mark: 1
-# repeat_mask: 1
-# route_queue: 2
+# repeat-mark: 1
+# repeat-mask: 1
+# route-queue: 2
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used.
- # Warning: 'checksum_validation' must be set to yes to have any validation
+ # Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: kernel
- interface: eth1
threads: 1
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups. "single" indicates the use of a single context for
-# all the signature group heads. "full" indicates a mpm_context for each
+# all the signature group heads. "full" indicates a mpm-context for each
# group head. "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
-# The option inspection_recursion_limit is used to limit the recursive calls
+# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
detect-engine:
- profile: medium
- custom-values:
- toclient_src_groups: 2
- toclient_dst_groups: 2
- toclient_sp_groups: 2
- toclient_dp_groups: 3
- toserver_src_groups: 2
- toserver_dst_groups: 4
- toserver_sp_groups: 2
- toserver_dp_groups: 25
+ toclient-src-groups: 2
+ toclient-dst-groups: 2
+ toclient-sp-groups: 2
+ toclient-dp-groups: 3
+ toserver-src-groups: 2
+ toserver-dst-groups: 4
+ toserver-sp-groups: 2
+ toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
#
# On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
#
- set_cpu_affinity: no
+ set-cpu-affinity: no
# Tune cpu affinity of suricata threads. Each family of threads can be bound
# on specific CPUs.
- cpu_affinity:
- - management_cpu_set:
+ cpu-affinity:
+ - management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- - receive_cpu_set:
+ - receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- - decode_cpu_set:
+ - decode-cpu-set:
cpu: [ 0, 1 ]
mode: "balanced"
- - stream_cpu_set:
+ - stream-cpu-set:
cpu: [ "0-1" ]
- - detect_cpu_set:
+ - detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
# Use explicitely 3 threads and don't compute number by using
- # detect_thread_ratio variable:
+ # detect-thread-ratio variable:
# threads: 3
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- - verdict_cpu_set:
+ - verdict-cpu-set:
cpu: [ 0 ]
prio:
default: "high"
- - reject_cpu_set:
+ - reject-cpu-set:
cpu: [ 0 ]
prio:
default: "low"
- - output_cpu_set:
+ - output-cpu-set:
cpu: [ "all" ]
prio:
default: "medium"
# thread being created. Regardless of the setting at a minimum 1 detect
# thread will always be created.
#
- detect_thread_ratio: 1.5
+ detect-thread-ratio: 1.5
# Cuda configuration.
cuda:
- mpm:
# Threshold limit for no of packets buffered to the GPU. Once we hit this
# limit, we pass the buffer to the gpu.
- packet_buffer_limit: 2400
+ packet-buffer-limit: 2400
# The maximum length for a packet that we would buffer to the gpu.
# Anything over this is MPM'ed on the CPU. All entries > 0 are valid.
# Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- packet_size_limit: 1500
+ packet-size-limit: 1500
# No of packet buffers we initialize. All entries > 0 are valid.
- packet_buffers: 10
+ packet-buffers: 10
# The timeout limit for batching of packets in secs. If we don't fill the
# buffer within this timeout limit, we pass the currently filled buffer to the gpu.
# All entries > 0 are valid.
- batching_timeout: 1
- # Specifies whether to use page_locked memory whereever possible. Accepted values
+ batching-timeout: 1
+ # Specifies whether to use page-locked memory whereever possible. Accepted values
# are "enabled" and "disabled".
- page_locked: enabled
+ page-locked: enabled
# The device to use for the mpm. Currently we don't support load balancing
# on multiple gpus. In case you have multiple devices on your system, you
# can specify the device to use, using this conf. By default we hold 0, to
- # specify the first device cuda sees. To find out device_id associated with
+ # specify the first device cuda sees. To find out device-id associated with
# the card(s) on the system run "suricata --list-cuda-cards".
- device_id: 0
+ device-id: 0
# No of Cuda streams used for asynchronous processing. All values > 0 are valid.
# For this option you need a device with Compute Capability > 1.0 and
- # page_locked enabled to have any effect.
- cuda_streams: 2
+ # page-locked enabled to have any effect.
+ cuda-streams: 2
# Select the multi pattern algorithm you want to run for scan/search the
# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
# ac and ac-gfbs.
#
# The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh_mpm_context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh_mpm_context"
+# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
+# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". Rest of the mpms can be run in "full" mode.
pattern-matcher:
- b2gc:
- search_algo: B2gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
- b2gm:
- search_algo: B2gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
- b2g:
- search_algo: B2gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
- b3g:
- search_algo: B3gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B3gSearchBNDMq
+ hash-size: low
+ bf-size: medium
- wumanber:
- hash_size: low
- bf_size: medium
+ hash-size: low
+ bf-size: medium
# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
-# The hash_size determine the size of the hash used to identify flows inside
+# The hash-size determine the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
-# emergency_recovery is the percentage of flows that the engine need to
+# emergency-recovery is the percentage of flows that the engine need to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune prune_flows
+# If the memcap is reached, the engine will try to prune prune-flows
# with the default timeouts. If it doens't find a flow to prune, it will set
# the emergency bit and it will try again with more agressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
flow:
memcap: 32mb
- hash_size: 65536
+ hash-size: 65536
prealloc: 10000
- emergency_recovery: 30
- prune_flows: 5
+ emergency-recovery: 30
+ prune-flows: 5
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency_" and work similar as the normal ones.
+# use the prefix "emergency-" and work similar as the normal ones.
# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
# icmp.
new: 30
established: 300
closed: 0
- emergency_new: 10
- emergency_established: 100
- emergency_closed: 0
+ emergency-new: 10
+ emergency-established: 100
+ emergency-closed: 0
tcp:
new: 60
established: 3600
closed: 120
- emergency_new: 10
- emergency_established: 300
- emergency_closed: 20
+ emergency-new: 10
+ emergency-established: 300
+ emergency-closed: 20
udp:
new: 30
established: 300
- emergency_new: 10
- emergency_established: 100
+ emergency-new: 10
+ emergency-established: 100
icmp:
new: 30
established: 300
- emergency_new: 10
- emergency_established: 100
+ emergency-new: 10
+ emergency-established: 100
# Stream engine settings. Here the TCP stream tracking and reaasembly
# engine is configured.
# stream:
# memcap: 32mb # Can be specified in kb, mb, gb. Just a
# # number indicates it's in bytes.
-# checksum_validation: yes # To validate the checksum of received
+# checksum-validation: yes # To validate the checksum of received
# # packet. If csum validation is specified as
# # "yes", then packet with invalid csum will not
# # be processed by the engine stream/app layer.
# # of checksum. You can control the handling of checksum
# # on a per-interface basis via the 'checksum-checks'
# # option
-# max_sessions: 262144 # 256k concurrent sessions
-# prealloc_sessions: 32768 # 32k sessions prealloc'd
+# max-sessions: 262144 # 256k concurrent sessions
+# prealloc-sessions: 32768 # 32k sessions prealloc'd
# midstream: false # don't allow midstream session pickups
-# async_oneside: false # don't enable async stream handling
+# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
#
# reassembly:
# # indicates it's in bytes.
# depth: 1mb # Can be specified in kb, mb, gb. Just a number
# # indicates it's in bytes.
-# toserver_chunk_size: 2560 # inspect raw stream in chunks of at least
+# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
# # this size. Can be specified in kb, mb,
# # gb. Just a number indicates it's in bytes.
-# toclient_chunk_size: 2560 # inspect raw stream in chunks of at least
+# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
# # this size. Can be specified in kb, mb,
# # gb. Just a number indicates it's in bytes.
stream:
memcap: 32mb
- checksum_validation: yes # reject wrong csums
+ checksum-validation: yes # reject wrong csums
inline: no # no inline mode
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
- toserver_chunk_size: 2560
- toclient_chunk_size: 2560
+ toserver-chunk-size: 2560
+ toclient-chunk_size: 2560
# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
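Review bot: The key rename on the last changed line of the stream hunk is incomplete — `toclient-chunk_size: 2560` keeps an underscore, so it no longer matches the `toclient-chunk-size` name given in the commented reference block above it nor the `toserver-chunk-size` line immediately before it. If the config loader ignores keys it does not recognise, this setting is silently dropped and the to-client reassembly chunk size falls back to the built-in default rather than the value the file appears to set; the line should read `toclient-chunk-size: 2560`. Since this commit renames underscore keys to dashes across the whole file, the result is worth checking for any other half-converted key (a search for key names that still contain `_` before the `:` would catch them). The `stream:`/`reassembly:` mapping may continue past the end of this hunk.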
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used. (default)
- # Warning: 'checksum_validation' must be set to yes to have any validation
+ # Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: auto
# Second interface
#- interface: eth1
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used. (default)
- # Warning: 'checksum_validation' must be set to yes to have any validation
+ # Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: auto
# For FreeBSD ipfw(8) divert(4) support.
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
- bsd_right: []
- old_linux: []
+ bsd-right: []
+ old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
- old_solaris: []
+ old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
# Limit for the maximum number of asn1 frames to decode (default 256)
-asn1_max_frames: 256
+asn1-max-frames: 256
###########################################################################
# Configure libhtp.
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request_body_limit: 3072
+ request-body-limit: 3072
response-body-limit: 3072
server-config:
personality: Apache_2_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request_body_limit: 4096
+ request-body-limit: 4096
response-body-limit: 4096
- iis7:
personality: IIS_7_0
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
- request_body_limit: 4096
+ request-body-limit: 4096
response-body-limit: 4096
# Profiling settings. Only effective if Suricata has been built with the
filename: packet_stats.csv
# Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max_dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max_dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max_dump.
-# Setting max_dump to 0 disables core dumping.
-# Setting max_dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max_dump value >= ULONG_MAX may cause the core dump size
+# approximately max-dump. The actual core dump size will be a multiple of the
+# page size. Core dumps that would be larger than max-dump are truncated. On
+# Linux, the actual core dump size may be a few pages larger than max-dump.
+# Setting max-dump to 0 disables core dumping.
+# Setting max-dump to 'unlimited' will give the full core dump file.
+# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.
coredump:
- max_dump: unlimited
+ max-dump: unlimited