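%YAML 1.1
---

# Suricata engine configuration.  The extraction that produced this copy
# dropped all indentation and interleaved "|" separator lines; the nesting
# below is restored from the key names and Suricata's documented layout.

# Packet capture via AF_PACKET.  The eno1 entry sets nothing beyond the
# interface name, so Suricata takes block-size, cluster-type and ring-size
# from the `default` entry (the fallback for any key an interface does not
# set itself).  `cluster_flow` keeps each flow on one capture thread.
af-packet:
  - interface: eno1
  - block-size: 104857600  # 100 MiB per ring block; presumably allocated per capture thread — confirm against host RAM
    cluster-type: cluster_flow
    interface: default
    ring-size: 699050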
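# Application-layer parsers.  `detection-ports` names the ports on which a
# protocol's probing parser is tried; pattern-based detection is configured
# separately (confirm against the docs for the Suricata version in use).
app-layer:
  protocols:
    dcerpc:
      enabled: true
    dns:
      tcp:
        detection-ports:
          dp: 53
        enabled: true
      udp:
        detection-ports:
          dp: 53
        enabled: true
    ftp:
      enabled: true
    http:
      enabled: true
      libhtp:
        default-config:
          double-decode-path: false
          double-decode-query: false
          http-body-inline: auto
          personality: IDS
          request-body-inspect-window: 4kb
          # NOTE(review): no unit suffix, so this is 100 *bytes*; the stock
          # suricata.yaml uses 100kb.  As written only the first 100 bytes of
          # each request body are inspected — confirm this is intended.
          request-body-limit: 100
          request-body-minimal-inspect-size: 32kb
          response-body-inspect-window: 16kb
          # NOTE(review): same unit question as request-body-limit above.
          response-body-limit: 100
          response-body-minimal-inspect-size: 40kb
          response-body-decompress-layer-limit: 2
    imap:
      enabled: detection-only
    modbus:
      detection-ports:
        dp: 502
      enabled: false
    smb:
      detection-ports:
        dp: "139, 445"  # quoted so the port list stays a string under every loader
      enabled: true
    smtp:
      enabled: true
      inspected-tracker:
        content-inspect-min-size: 32768
        content-inspect-window: 4096
        # NOTE(review): 1000 bytes is far below the stock value (100000);
        # presumably intentional, but it limits how much of a message body
        # rules can see — verify.
        content-limit: 1000
      mime:
        body-md5: false
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
    ssh:
      enabled: true
    tls:
      detection-ports:
        dp: 443
      enabled: true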
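asn1-max-frames: 256

classification-file: /etc/suricata/classification.config

coredump:
  # A core file is an image of process memory, so it can contain the traffic
  # that was being inspected; keep the dump location at least as restricted
  # as the log directory.
  max-dump: unlimited

default-log-dir: /var/log/suricata/

default-rule-path: /etc/suricata/rules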
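# IP defragmentation.  `memcap` bounds the memory held for pending fragments;
# `timeout` is in seconds.
defrag:
  hash-size: 65536
  max-frags: 65535
  memcap: 32mb
  prealloc: true
  timeout: 60
  trackers: 65535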
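detect:
  profile: medium
  # Per the Suricata docs these are only read when `profile: custom`, so with
  # `medium` above they are inert.
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  # Bounds recursion in content-match inspection so a pathological rule/payload
  # pair cannot run unbounded.
  inspection-recursion-limit: 3000

# Controls the report written by `suricata --engine-analysis`; it does not
# affect a normal run.
engine-analysis:
  rules: true
  rules-fast-pattern: true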
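# Flow engine.  No `memcap` is given here, so the engine's built-in default
# applies — confirm that is deliberate for this sensor's traffic volume.
flow:
  emergency-recovery: 30
  hash-size: 65536
  prealloc: 10000

# Timeouts in seconds.  The `emergency-*` values take over once the flow
# engine reaches its memcap, so they should stay well below the normal ones.
flow-timeouts:
  default:
    closed: 0
    emergency-closed: 0
    emergency-established: 100
    emergency-new: 10
    emergency-bypassed: 50
    established: 300
    new: 30
    bypassed: 100
  icmp:
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
    bypassed: 100
    emergency-bypassed: 50
  tcp:
    closed: 60
    emergency-closed: 10
    emergency-established: 100
    emergency-new: 5
    established: 600
    new: 60
  udp:
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30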
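host-mode: auto

# Target-OS policy for stream reassembly.  Every entry except `windows` is an
# explicit empty list (the original had bare `linux:` / `solaris:` which parse
# as null, not as an empty list).  Only the IPv4 any-net is listed under
# `windows`; hosts outside it — including all IPv6 — fall back to the engine
# default policy, and Linux/BSD servers reassembled with a Windows policy can
# be desynchronised from the sensor by overlapping segments.  Confirm the
# mapping matches the monitored hosts.
host-os-policy:
  bsd: []
  bsd-right: []
  hpux10: []
  hpux11: []
  irix: []
  linux: []
  macos: []
  old-linux: []
  old-solaris: []
  solaris: []
  vista: []
  windows:
    - 0.0.0.0/0
  windows2k3: []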
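legacy:
  uricontent: enabled

# Engine (diagnostic) logging, as opposed to event output under `outputs`.
logging:
  default-log-level: notice
  outputs:
    - console:
        enabled: true
    - file:
        enabled: false
        filename: /var/log/suricata/suricata.log
    - syslog:
        enabled: false
        facility: local5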
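luajit:
  states: 1024

magic-file: /usr/share/misc/magic.mgc

max-pending-packets: 1024

mpm-algo: ac

# Multi-tenancy keyed on capture device: traffic seen on eno1 is evaluated
# with tenant 1, whose rule set lives in the referenced per-tenant YAML.
multi-detect:
  enabled: true
  mappings:
    - device: eno1
      tenant-id: 1
  selector: device
  tenants:
    - id: 1
      yaml: /etc/suricata/multi-detect-eno1.yaml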
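# Napatech capture-card settings; only relevant when Suricata is started in
# napatech capture mode rather than af-packet.
napatech:
  hba: -1
  streams:
    - 1
    - 2
    - 3
  use-all-streams: false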
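# Event outputs.  Relative filenames resolve under `default-log-dir`.
outputs:
  - fast:
      append: true
      enabled: true
      filename: fast.log
  - eve-log:
      enabled: true
      filename: eve.json
      filetype: regular
      types:
        - alert:
            http: true
            http-body: false
            http-body-printable: false
            packet: true
            payload: true
            payload-buffer-size: 4kb
            payload-printable: true
            smtp: true
            ssh: true
            # NOTE(review): `stats` sits inside the alert record here; an EVE
            # stats feed would be its own `- stats:` entry in this list.
            stats: true
            tls: true
            # X-Forwarded-For is client-writable upstream of the trusted proxy.
            # `reverse` reads the last address in the header (the one the proxy
            # appended); treat the value as untrusted unless the proxy strips
            # inbound XFF.  `extra-data` only adds it to the record, it does not
            # replace the packet source address.
            xff:
              deployment: reverse
              enabled: true
              header: X-Forwarded-For
              mode: extra-data
        - drop:
            alerts: true
        - files:
            force-hash:
              - sha256
              - md5
            force-magic: false
  - unified2-alert:
      enabled: false
  - http-log:
      enabled: false
  - tls-log:
      enabled: false
  # Writes observed certificates to disk under the log directory; presumably
  # unbounded growth, so monitor the volume.
  - tls-store:
      enabled: true
  - dns-log:
      enabled: false
  - pcap-log:
      enabled: false
  - alert-debug:
      enabled: false
  - alert-prelude:
      enabled: false
  - stats:
      enabled: true
      filename: stats.log
      threads: false
      totals: true
  - file-store:
      dir: /var/log/suricata/files
      enabled: false
  - file-log:
      enabled: false
  - tcp-data:
      enabled: false
  - http-body-data:
      enabled: false
  - lua:
      enabled: false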
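# PCRE backtracking limits.  Keeping these bounded prevents a pathological
# pattern/payload pair from stalling a worker thread.
pcre:
  match-limit: 35000
  match-limit-recursion: 15000

pid-file: /var/run/suricata.pid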
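# Performance profiling; only active in a build compiled with profiling
# support.  Packet and rule profiling are enabled here, which presumably adds
# per-packet overhead and writes timing files into the log directory.
profiling:
  keywords:
    enabled: false
  locks:
    append: true
    enabled: false
    filename: lock_stats.log
  packets:
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
    enabled: true
    filename: packet_stats.log
  pcap-log:
    append: true
    enabled: false
    filename: pcaplog_stats.log
  rules:
    append: true
    enabled: true
    filename: rule_perf.log
    json: true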
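reference-config-file: /etc/suricata/reference.config

# Privileges are dropped to this account after capture is initialised
# (requires a build with libcap-ng); the log and dump directories must be
# writable by it.
run-as:
  group: suri
  user: suri

runmode: autofp

stats:
  enabled: true
  interval: 8  # seconds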
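# TCP stream tracking and reassembly.
stream:
  # Segments with bad checksums are not used for reassembly (a receiving host
  # would discard them too), which closes one class of desync evasion.
  checksum-validation: true
  inline: auto
  memcap: 256mb
  prealloc-sessions: 2000
  reassembly:
    # Bytes reassembled per stream direction before inspection stops
    # (0 would mean unlimited).
    depth: 1mb
    memcap: 64mb
    # Random chunk sizes make it harder to place content across a fixed
    # inspection boundary.
    randomize-chunk-size: true
    toclient-chunk-size: 2560
    toserver-chunk-size: 2560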
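threading:
  # The cpu-affinity sets below are only applied when set-cpu-affinity is true.
  cpu-affinity:
    - management-cpu-set:
        cpu: "all"
        prio:
          default: medium
    - detect-cpu-set:
        cpu: "all"
        mode: exclusive
  set-cpu-affinity: false

# Control socket used by suricatasc; `auto` enables it when the build supports
# it.  Whoever can write to the socket can reload rules and shut the engine
# down, so its file permissions matter as much as this config's.
unix-command:
  enabled: auto

vlan:
  use-for-tracking: true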
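# Only a single rule file is loaded; the path is absolute, so
# `default-rule-path` above is not consulted for it.
rule-files:
  - /etc/suricata/rules/crash.rules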