--- /dev/null
+accept:packet arp:all any any -> any any (sid:1;)
+
+accept:hook tcp:all any any <> any any (sid:10;)
+accept:hook http1:request_started any any -> any any (sid:500;)
+accept:hook http1:request_line any any -> any any (sid:501;)
+accept:flow http1:request_headers any any -> any any (http.host; content:"testmyids.com"; sid:502;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
projects / thirdparty / suricata-verify.git / commitdiff
