From: Nikolay Denev
Date: Sun, 26 Feb 2012 19:37:25 +0000 (+0200)
Subject: Consistently use dashes instead of underscores in the sample config file.
X-Git-Tag: suricata-1.3beta1~148
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a67d78eda6beaf8c0875c61274586b7939099a6b;p=thirdparty%2Fsuricata.git
Consistently use dashes instead of underscores in the sample config file.
---
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 2adf0c46ae..0f0fb04cbf 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -83,7 +83,7 @@ outputs:
 # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
 # In this base dir the pcaps are created in th directory structure Sguil expects:
 #
- # $sguil_base_dir/YYYY-MM-DD/$filename.
+ # $sguil-base-dir/YYYY-MM-DD/$filename.
 #
 # By default all packets are logged except:
 # - TCP streams beyond stream.reassembly.depth
@@ -97,13 +97,13 @@ outputs:
 # is parsed as bytes.
 limit: 1000mb
- # If set to a value will enable ring buffer mode. Will keep Maximum of "max_files" of size "limit"
- max_files: 2000
+ # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
+ max-files: 2000
 mode: normal # normal or sguil.
 #sguil-base-dir: /nsm_data/
- #ts_format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use_stream_depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
 # a full alerts log containing much information for signature writers
 # or for investigating suspected false positives.
@@ -118,8 +118,8 @@ outputs:
 - alert-prelude:
 enabled: no
 profile: suricata
- log_packet_content: no
- log_packet_header: yes
+ log-packet-content: no
+ log-packet-header: yes
 # Stats.log contains data from various counters of the suricata engine.
 # The interval field (in seconds) tells after how long output will be written
@@ -184,12 +184,12 @@ magic-file: @e_magic_file@
 # And below, you can have your standard filtering ruleset. To activate
 # this mode, you need to set mode to 'repeat'
 # If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next_queue value.
+# set mode to 'route' and set next-queue value.
 nfq:
 # mode: accept
-# repeat_mark: 1
-# repeat_mask: 1
-# route_queue: 2
+# repeat-mark: 1
+# repeat-mask: 1
+# route-queue: 2
 # af-packet support
 # Set threads to > 1 to use PACKET_FANOUT support
@@ -227,7 +227,7 @@ af-packet:
 # - no: checksum validation is disabled
 # - auto: suricata uses a statistical approach to detect when
 # checksum off-loading is used.
- # Warning: 'checksum_validation' must be set to yes to have any validation
+ # Warning: 'checksum-validation' must be set to yes to have any validation
 #checksum-checks: kernel
 - interface: eth1
 threads: 1
@@ -269,12 +269,12 @@ pcre:
 #
 # "sgh mpm-context", indicates how the staging should allot mpm contexts for
 # the signature groups. "single" indicates the use of a single context for
-# all the signature group heads. "full" indicates a mpm_context for each
+# all the signature group heads. "full" indicates a mpm-context for each
 # group head. "auto" lets the engine decide the distribution of contexts
 # based on the information the engine gathers on the patterns from each
 # group head.
 #
-# The option inspection_recursion_limit is used to limit the recursive calls
+# The option inspection-recursion-limit is used to limit the recursive calls
 # in the content inspection code. For certain payload-sig combinations, we
 # might end up taking too much time in the content inspection code.
 # If the argument specified is 0, the engine uses an internally defined
@@ -282,14 +282,14 @@ pcre:
 detect-engine:
 - profile: medium
 - custom-values:
- toclient_src_groups: 2
- toclient_dst_groups: 2
- toclient_sp_groups: 2
- toclient_dp_groups: 3
- toserver_src_groups: 2
- toserver_dst_groups: 4
- toserver_sp_groups: 2
- toserver_dp_groups: 25
+ toclient-src-groups: 2
+ toclient-dst-groups: 2
+ toclient-sp-groups: 2
+ toclient-dp-groups: 3
+ toserver-src-groups: 2
+ toserver-dst-groups: 4
+ toserver-sp-groups: 2
+ toserver-dp-groups: 25
 - sgh-mpm-context: auto
 - inspection-recursion-limit: 3000
@@ -301,39 +301,39 @@ threading:
 #
 # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
 #
- set_cpu_affinity: no
+ set-cpu-affinity: no
 # Tune cpu affinity of suricata threads. Each family of threads can be bound
 # on specific CPUs.
- cpu_affinity:
- - management_cpu_set:
+ cpu-affinity:
+ - management-cpu-set:
 cpu: [ 0 ] # include only these cpus in affinity settings
- - receive_cpu_set:
+ - receive-cpu-set:
 cpu: [ 0 ] # include only these cpus in affinity settings
- - decode_cpu_set:
+ - decode-cpu-set:
 cpu: [ 0, 1 ]
 mode: "balanced"
- - stream_cpu_set:
+ - stream-cpu-set:
 cpu: [ "0-1" ]
- - detect_cpu_set:
+ - detect-cpu-set:
 cpu: [ "all" ]
 mode: "exclusive" # run detect threads in these cpus
 # Use explicitely 3 threads and don't compute number by using
- # detect_thread_ratio variable:
+ # detect-thread-ratio variable:
 # threads: 3
 prio:
 low: [ 0 ]
 medium: [ "1-2" ]
 high: [ 3 ]
 default: "medium"
- - verdict_cpu_set:
+ - verdict-cpu-set:
 cpu: [ 0 ]
 prio:
 default: "high"
- - reject_cpu_set:
+ - reject-cpu-set:
 cpu: [ 0 ]
 prio:
 default: "low"
- - output_cpu_set:
+ - output-cpu-set:
 cpu: [ "all" ]
 prio:
 default: "medium"
@@ -346,7 +346,7 @@ threading:
 # thread being created. Regardless of the setting at a minimum 1 detect
 # thread will always be created.
 #
- detect_thread_ratio: 1.5
+ detect-thread-ratio: 1.5
 # Cuda configuration.
 cuda:
@@ -355,38 +355,38 @@ cuda:
 - mpm:
 # Threshold limit for no of packets buffered to the GPU. Once we hit this
 # limit, we pass the buffer to the gpu.
- packet_buffer_limit: 2400
+ packet-buffer-limit: 2400
 # The maximum length for a packet that we would buffer to the gpu.
 # Anything over this is MPM'ed on the CPU. All entries > 0 are valid.
 # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- packet_size_limit: 1500
+ packet-size-limit: 1500
 # No of packet buffers we initialize. All entries > 0 are valid.
- packet_buffers: 10
+ packet-buffers: 10
 # The timeout limit for batching of packets in secs. If we don't fill the
 # buffer within this timeout limit, we pass the currently filled buffer to the gpu.
 # All entries > 0 are valid.
- batching_timeout: 1
- # Specifies whether to use page_locked memory whereever possible. Accepted values
+ batching-timeout: 1
+ # Specifies whether to use page-locked memory whereever possible. Accepted values
 # are "enabled" and "disabled".
- page_locked: enabled
+ page-locked: enabled
 # The device to use for the mpm. Currently we don't support load balancing
 # on multiple gpus. In case you have multiple devices on your system, you
 # can specify the device to use, using this conf. By default we hold 0, to
- # specify the first device cuda sees. To find out device_id associated with
+ # specify the first device cuda sees. To find out device-id associated with
 # the card(s) on the system run "suricata --list-cuda-cards".
- device_id: 0
+ device-id: 0
 # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
 # For this option you need a device with Compute Capability > 1.0 and
- # page_locked enabled to have any effect.
- cuda_streams: 2
+ # page-locked enabled to have any effect.
+ cuda-streams: 2
 # Select the multi pattern algorithm you want to run for scan/search the
 # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
 # ac and ac-gfbs.
#
 # The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh_mpm_context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh_mpm_context"
+# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
+# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
 # to be set to "single", because of ac's memory requirements, unless the
 # ruleset is small enough to fit in one's memory, in which case one can
 # use "full" with "ac". Rest of the mpms can be run in "full" mode.
@@ -415,38 +415,38 @@ mpm-algo: ac
 pattern-matcher:
 - b2gc:
- search_algo: B2gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
 - b2gm:
- search_algo: B2gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
 - b2g:
- search_algo: B2gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
 - b3g:
- search_algo: B3gSearchBNDMq
- hash_size: low
- bf_size: medium
+ search-algo: B3gSearchBNDMq
+ hash-size: low
+ bf-size: medium
 - wumanber:
- hash_size: low
- bf_size: medium
+ hash-size: low
+ bf-size: medium
 # Flow settings:
 # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 # for flow allocation inside the engine. You can change this value to allow
 # more memory usage for flows.
-# The hash_size determine the size of the hash used to identify flows inside
+# The hash-size determine the size of the hash used to identify flows inside
 # the engine, and by default the value is 65536.
 # At the startup, the engine can preallocate a number of flows, to get a better
 # performance. The number of flows preallocated is 10000 by default.
-# emergency_recovery is the percentage of flows that the engine need to
+# emergency-recovery is the percentage of flows that the engine need to
 # prune before unsetting the emergency state. The emergency state is activated
 # when the memcap limit is reached, allowing to create new flows, but
 # prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune prune_flows
+# If the memcap is reached, the engine will try to prune prune-flows
 # with the default timeouts. If it doens't find a flow to prune, it will set
 # the emergency bit and it will try again with more agressive timeouts.
 # If that doesn't work, then it will try to kill the last time seen flows
@@ -456,10 +456,10 @@ pattern-matcher:
 flow:
 memcap: 32mb
- hash_size: 65536
+ hash-size: 65536
 prealloc: 10000
- emergency_recovery: 30
- prune_flows: 5
+ emergency-recovery: 30
+ prune-flows: 5
 # Specific timeouts for flows. Here you can specify the timeouts that the
 # active flows will wait to transit from the current state to another, on each
@@ -473,7 +473,7 @@ flow:
 #
 # There's an emergency mode that will become active under attack circumstances,
 # making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency_" and work similar as the normal ones.
+# use the prefix "emergency-" and work similar as the normal ones.
 # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
 # icmp.
@@ -483,26 +483,26 @@ flow-timeouts:
 new: 30
 established: 300
 closed: 0
- emergency_new: 10
- emergency_established: 100
- emergency_closed: 0
+ emergency-new: 10
+ emergency-established: 100
+ emergency-closed: 0
 tcp:
 new: 60
 established: 3600
 closed: 120
- emergency_new: 10
- emergency_established: 300
- emergency_closed: 20
+ emergency-new: 10
+ emergency-established: 300
+ emergency-closed: 20
 udp:
 new: 30
 established: 300
- emergency_new: 10
- emergency_established: 100
+ emergency-new: 10
+ emergency-established: 100
 icmp:
 new: 30
 established: 300
- emergency_new: 10
- emergency_established: 100
+ emergency-new: 10
+ emergency-established: 100
 # Stream engine settings. Here the TCP stream tracking and reaasembly
 # engine is configured.
@@ -510,7 +510,7 @@ flow-timeouts:
 # stream:
 # memcap: 32mb # Can be specified in kb, mb, gb. Just a
 # # number indicates it's in bytes.
-# checksum_validation: yes # To validate the checksum of received
+# checksum-validation: yes # To validate the checksum of received
 # # packet. If csum validation is specified as
 # # "yes", then packet with invalid csum will not
 # # be processed by the engine stream/app layer.
@@ -519,10 +519,10 @@ flow-timeouts:
 # # of checksum. You can control the handling of checksum
 # # on a per-interface basis via the 'checksum-checks'
 # # option
-# max_sessions: 262144 # 256k concurrent sessions
-# prealloc_sessions: 32768 # 32k sessions prealloc'd
+# max-sessions: 262144 # 256k concurrent sessions
+# prealloc-sessions: 32768 # 32k sessions prealloc'd
 # midstream: false # don't allow midstream session pickups
-# async_oneside: false # don't enable async stream handling
+# async-oneside: false # don't enable async stream handling
 # inline: no # stream inline mode
 #
 # reassembly:
@@ -530,22 +530,22 @@ flow-timeouts:
 # # indicates it's in bytes.
 # depth: 1mb # Can be specified in kb, mb, gb. Just a number
 # # indicates it's in bytes.
-# toserver_chunk_size: 2560 # inspect raw stream in chunks of at least
+# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
 # # this size. Can be specified in kb, mb,
 # # gb. Just a number indicates it's in bytes.
-# toclient_chunk_size: 2560 # inspect raw stream in chunks of at least
+# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
 # # this size. Can be specified in kb, mb,
 # # gb. Just a number indicates it's in bytes.
 stream:
 memcap: 32mb
- checksum_validation: yes # reject wrong csums
+ checksum-validation: yes # reject wrong csums
 inline: no # no inline mode
 reassembly:
 memcap: 64mb
 depth: 1mb # reassemble 1mb into a stream
- toserver_chunk_size: 2560
- toclient_chunk_size: 2560
+ toserver-chunk-size: 2560
+ toclient-chunk_size: 2560
 # Logging configuration. This is not about logging IDS alerts, but
 # IDS output about what its doing, errors, etc.
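Review bot: `toclient-chunk_size: 2560` under `stream.reassembly` still carries an underscore, so this key is renamed inconsistently with its sibling `toserver-chunk-size: 2560` on the line above and with the commented-out `# toclient-chunk-size: 2560` example earlier in the same hunk; the line should read `toclient-chunk-size: 2560`. If the engine looks this option up under the dashed name, the mis-spelt key is silently ignored and the to-client chunk size falls back to the engine default without any error at load time, which is easy to miss in a config-only change. Whether the loader tolerates the old underscore spelling is not visible from this diff, so the matching lookup in the stream reassembly code is worth checking alongside the fix.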
@@ -614,7 +614,7 @@ pfring:
 # - no: checksum validation is disabled
 # - auto: suricata uses a statistical approach to detect when
 # checksum off-loading is used. (default)
- # Warning: 'checksum_validation' must be set to yes to have any validation
+ # Warning: 'checksum-validation' must be set to yes to have any validation
 #checksum-checks: auto
 # Second interface
 #- interface: eth1
@@ -634,7 +634,7 @@ pcap:
 # - no: checksum validation is disabled
 # - auto: suricata uses a statistical approach to detect when
 # checksum off-loading is used. (default)
- # Warning: 'checksum_validation' must be set to yes to have any validation
+ # Warning: 'checksum-validation' must be set to yes to have any validation
 #checksum-checks: auto
 # For FreeBSD ipfw(8) divert(4) support.
@@ -762,10 +762,10 @@ host-os-policy:
 # Make the default policy windows.
 windows: [0.0.0.0/0]
 bsd: []
- bsd_right: []
- old_linux: []
+ bsd-right: []
+ old-linux: []
 linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
- old_solaris: []
+ old-solaris: []
 solaris: ["::1"]
 hpux10: []
 hpux11: []
@@ -776,7 +776,7 @@ host-os-policy:
 # Limit for the maximum number of asn1 frames to decode (default 256)
-asn1_max_frames: 256
+asn1-max-frames: 256
 ###########################################################################
 # Configure libhtp.
@@ -812,7 +812,7 @@ libhtp:
 personality: IDS
 # Can be specified in kb, mb, gb. Just a number indicates
 # it's in bytes.
- request_body_limit: 3072
+ request-body-limit: 3072
 response-body-limit: 3072
 server-config:
@@ -822,7 +822,7 @@ libhtp:
 personality: Apache_2_2
 # Can be specified in kb, mb, gb. Just a number indicates
 # it's in bytes.
- request_body_limit: 4096
+ request-body-limit: 4096
 response-body-limit: 4096
 - iis7:
@@ -832,7 +832,7 @@ libhtp:
 personality: IIS_7_0
 # Can be specified in kb, mb, gb. Just a number indicates
 # it's in bytes.
- request_body_limit: 4096
+ request-body-limit: 4096
 response-body-limit: 4096
 # Profiling settings. Only effective if Suricata has been built with the
@@ -873,13 +873,13 @@ profiling:
 filename: packet_stats.csv
 # Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max_dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max_dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max_dump.
-# Setting max_dump to 0 disables core dumping.
-# Setting max_dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max_dump value >= ULONG_MAX may cause the core dump size
+# approximately max-dump. The actual core dump size will be a multiple of the
+# page size. Core dumps that would be larger than max-dump are truncated. On
+# Linux, the actual core dump size may be a few pages larger than max-dump.
+# Setting max-dump to 0 disables core dumping.
+# Setting max-dump to 'unlimited' will give the full core dump file.
+# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
 # to be 'unlimited'.
 coredump:
- max_dump: unlimited
+ max-dump: unlimited