Suricata discards the fragments (timeout). This occurs by default after 60
seconds.
+In IPS mode, it is possible to tell the engine what to do in case the memcap for
+the defrag engine is reached: "drop-flow", "pass-flow", "bypass", "drop-packet",
+"pass-packet", or "ignore" (default behavior).
+
::
defrag:
memcap: 32mb
+ memcap-policy: ignore # in IPS mode, what to do if memcap is reached
hash-size: 65536
- trackers: 65535 # number of defragmented flows to follow
- max-frags: 65535 # number of fragments do keep (higher than trackers)
+ trackers: 65535 # number of defragmented flows to follow
+ max-frags: 65535 # number of fragments do keep (higher than trackers)
prealloc: yes
timeout: 60
thread ensures that wherever possible and within the memcap. there
will be 10000 flows prepared.
+In IPS mode, a memcap-policy exception policy can be set, telling Suricata
+what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'.
+
::
flow:
memcap: 33554432 #The maximum amount of bytes the flow-engine will make use of.
+ memcap-policy: bypass #How to handle the flow if memcap is reached (IPS mode)
hash_size: 65536 #Flows will be organized in a hash-table. With this option you can set the
#size of the hash-table.
Prealloc: 10000 #The amount of flows Suricata has to keep ready in memory.
be recognized by Suricata.
The stream-engine has two memcaps that can be set. One for the
-stream-tracking-engine and one for the reassembly-engine.
+stream-tracking-engine and one for the reassembly-engine. For both cases,
+in IPS mode, an exception policy (memcap-policy) can be set, telling Suricata
+what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'.
The stream-tracking-engine keeps information of the flow in
memory. Information about the state, TCP-sequence-numbers and the TCP
stream:
memcap: 64mb # Max memory usage (in bytes) for TCP session tracking
+ memcap-policy: ignore # In IPS mode, call memcap policy if memcap is reached
checksum_validation: yes # Validate packet checksum, reject packets with invalid checksums.
To mitigate Suricata from being overloaded by fast session creation,
sessions. This setup always includes a lot of information. If you want
Suricata to check the stream from that time on, you can do so by
setting the option 'midstream' to 'true'. The default setting is
-'false'. Normally Suricata is able to see all packets of a
-connection. Some networks make it more complicated though. Some of the
-network-traffic follows a different route than the other part, in
-other words: the traffic goes asynchronous. To make sure Suricata will
-check the one part it does see, instead of getting confused, the
-option 'async-oneside' is brought to life. By default the option is
-set to 'false'.
+'false'. In IPS mode, it is possible to define a 'midstream-policy',
+indicating whether Suricata should drop, pass or bypass a midstream flow.
+Normally Suricata is able to see all packets of a connection. Some networks
+make it more complicated though. Some of the network-traffic follows a
+different route than the other part, in other words: the traffic goes
+asynchronous. To make sure Suricata will check the one part it does see,
+instead of getting confused, the option 'async-oneside' is brought to life. By
+default the option is set to 'false'.
Suricata inspects content in the normal/IDS mode in chunks. In the
inline/IPS mode it does that on the sliding window way (see example
prealloc_sessions: 32768 # 32k sessions prealloc'd
midstream: false # do not allow midstream session pickups
+ midstream-policy: drop-flow # in IPS mode, drop flows that start midstream
async_oneside: false # do not enable async stream handling
inline: no # stream inline mode
drop-invalid: yes # drop invalid packets
The reassembly-engine has to keep data segments in memory in order to
be able to reconstruct a stream. To avoid resource starvation a memcap
-is used to limit the memory used.
+is used to limit the memory used. In IPS mode, an exception policy
+(memcap-policy) can be set, telling Suricata what to do in case memcap
+is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'.
Reassembling a stream is an expensive operation. With the option depth
you can control how far into a stream reassembly is done. By default
reassembly:
memcap: 256mb # Memory reserved for stream data reconstruction (in bytes)
+ memcap-policy: ignore # What to do when a midstream session is seen
depth: 1mb # The depth of the reassembling.
toserver_chunk_size: 2560 # inspect raw stream in chunks of at least this size
toclient_chunk_size: 2560 # inspect raw stream in chunks of at least
Application Layer Parsers
-------------------------
+The ``app-layer`` section holds application layer specific configurations.
+
+A in IPS mode, a global exception policy accessed via the ``error-policy``
+setting can be defined to indicate what the engine should do in case if
+encounters an app-layer error. Possible values are "drop-flow", "pass-flow",
+"bypass", "drop-packet", "pass-packet" or "ignore" (which will mean keeping
+the default behavior).
+
+Each supported protocol will have a dedicated subsection under ``protocols``.
+
Asn1_max_frames (new in 1.0.3 and 1.1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
projects / thirdparty / suricata.git / commitdiff
