Suricata

vars = (null)

vars.address-groups = (null)

vars.address-groups.HOME_NET = [127.0.0.1/8,<hidden>/16]

vars.address-groups.EXTERNAL_NET = any

vars.address-groups.HTTP_SERVERS = $HOME_NET

vars.address-groups.SMTP_SERVERS = $HOME_NET

vars.address-groups.SQL_SERVERS = $HOME_NET

vars.address-groups.DNS_SERVERS = $HOME_NET

vars.address-groups.TELNET_SERVERS = $HOME_NET

vars.address-groups.AIM_SERVERS = $EXTERNAL_NET

vars.address-groups.DC_SERVERS = $HOME_NET

vars.address-groups.DNP3_SERVER = $HOME_NET

vars.address-groups.DNP3_CLIENT = $HOME_NET

vars.address-groups.MODBUS_CLIENT = $HOME_NET

vars.address-groups.MODBUS_SERVER = $HOME_NET

vars.address-groups.ENIP_CLIENT = $HOME_NET

vars.address-groups.ENIP_SERVER = $HOME_NET

vars.port-groups = (null)

vars.port-groups.HTTP_PORTS = [<hidden>]

vars.port-groups.SHELLCODE_PORTS = !80

vars.port-groups.ORACLE_PORTS = 1521

vars.port-groups.SSH_PORTS = 22

vars.port-groups.DNP3_PORTS = 20000

vars.port-groups.MODBUS_PORTS = 502

vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]

vars.port-groups.FTP_PORTS = 21

vars.port-groups.GENEVE_PORTS = 6081

vars.port-groups.VXLAN_PORTS = 4789

vars.port-groups.TEREDO_PORTS = 3544

default-log-dir = /var/log/suricata/

stats = (null)

stats.enabled = yes

stats.interval = 8

outputs = (null)

outputs.0 = fast

outputs.0.fast = (null)

outputs.0.fast.enabled = yes

outputs.0.fast.filename = fast.log

outputs.0.fast.append = yes

outputs.1 = eve-log

outputs.1.eve-log = (null)

outputs.1.eve-log.enabled = yes

outputs.1.eve-log.filetype = regular

outputs.1.eve-log.filename = eve.json

outputs.1.eve-log.pcap-file = false

outputs.1.eve-log.community-id = false

outputs.1.eve-log.community-id-seed = 0

outputs.1.eve-log.xff = (null)

outputs.1.eve-log.xff.enabled = no

outputs.1.eve-log.xff.mode = extra-data

outputs.1.eve-log.xff.deployment = reverse

outputs.1.eve-log.xff.header = X-Forwarded-For

outputs.1.eve-log.types = (null)

outputs.1.eve-log.types.0 = alert

outputs.1.eve-log.types.0.alert = (null)

outputs.1.eve-log.types.0.alert.tagged-packets = yes

outputs.1.eve-log.types.1 = anomaly

outputs.1.eve-log.types.1.anomaly = (null)

outputs.1.eve-log.types.1.anomaly.enabled = yes

outputs.1.eve-log.types.1.anomaly.types =

outputs.1.eve-log.types.2 = http

outputs.1.eve-log.types.2.http = (null)

outputs.1.eve-log.types.2.http.extended = yes

outputs.1.eve-log.types.3 = dns

outputs.1.eve-log.types.3.dns =

outputs.1.eve-log.types.4 = tls

outputs.1.eve-log.types.4.tls = (null)

outputs.1.eve-log.types.4.tls.extended = yes

outputs.1.eve-log.types.5 = files

outputs.1.eve-log.types.5.files = (null)

outputs.1.eve-log.types.5.files.force-magic = no

outputs.1.eve-log.types.6 = smtp

outputs.1.eve-log.types.6.smtp =

outputs.1.eve-log.types.7 = ftp

outputs.1.eve-log.types.8 = rdp

outputs.1.eve-log.types.9 = nfs

outputs.1.eve-log.types.10 = smb

outputs.1.eve-log.types.11 = tftp

outputs.1.eve-log.types.12 = ikev2

outputs.1.eve-log.types.13 = dcerpc

outputs.1.eve-log.types.14 = krb5

outputs.1.eve-log.types.15 = snmp

outputs.1.eve-log.types.16 = rfb

outputs.1.eve-log.types.17 = sip

outputs.1.eve-log.types.18 = dhcp

outputs.1.eve-log.types.18.dhcp = (null)

outputs.1.eve-log.types.18.dhcp.enabled = yes

outputs.1.eve-log.types.18.dhcp.extended = no

outputs.1.eve-log.types.19 = ssh

outputs.1.eve-log.types.20 = mqtt

outputs.1.eve-log.types.20.mqtt =

outputs.1.eve-log.types.21 = stats

outputs.1.eve-log.types.21.stats = (null)

outputs.1.eve-log.types.21.stats.totals = yes

outputs.1.eve-log.types.21.stats.threads = no

outputs.1.eve-log.types.21.stats.deltas = no

outputs.1.eve-log.types.22 = flow

outputs.2 = http-log

outputs.2.http-log = (null)

outputs.2.http-log.enabled = no

outputs.2.http-log.filename = http.log

outputs.2.http-log.append = yes

outputs.3 = tls-log

outputs.3.tls-log = (null)

outputs.3.tls-log.enabled = no

outputs.3.tls-log.filename = tls.log

outputs.3.tls-log.append = yes

outputs.4 = tls-store

outputs.4.tls-store = (null)

outputs.4.tls-store.enabled = no

outputs.5 = pcap-log

outputs.5.pcap-log = (null)

outputs.5.pcap-log.enabled = no

outputs.5.pcap-log.filename = log.pcap

outputs.5.pcap-log.limit = 1000mb

outputs.5.pcap-log.max-files = 2000

outputs.5.pcap-log.compression = none

outputs.5.pcap-log.mode = normal

outputs.5.pcap-log.use-stream-depth = no

outputs.5.pcap-log.honor-pass-rules = no

outputs.6 = alert-debug

outputs.6.alert-debug = (null)

outputs.6.alert-debug.enabled = no

outputs.6.alert-debug.filename = alert-debug.log

outputs.6.alert-debug.append = yes

outputs.7 = alert-prelude

outputs.7.alert-prelude = (null)

outputs.7.alert-prelude.enabled = no

outputs.7.alert-prelude.profile = suricata

outputs.7.alert-prelude.log-packet-content = no

outputs.7.alert-prelude.log-packet-header = yes

outputs.8 = stats

outputs.8.stats = (null)

outputs.8.stats.enabled = yes

outputs.8.stats.filename = stats.log

outputs.8.stats.append = yes

outputs.8.stats.totals = yes

outputs.8.stats.threads = no

outputs.9 = syslog

outputs.9.syslog = (null)

outputs.9.syslog.enabled = yes

outputs.9.syslog.facility = local5

outputs.10 = file-store

outputs.10.file-store = (null)

outputs.10.file-store.version = 2

outputs.10.file-store.enabled = no

outputs.10.file-store.xff = (null)

outputs.10.file-store.xff.enabled = no

outputs.10.file-store.xff.mode = extra-data

outputs.10.file-store.xff.deployment = reverse

outputs.10.file-store.xff.header = X-Forwarded-For

outputs.11 = tcp-data

outputs.11.tcp-data = (null)

outputs.11.tcp-data.enabled = no

outputs.11.tcp-data.type = file

outputs.11.tcp-data.filename = tcp-data.log

outputs.12 = http-body-data

outputs.12.http-body-data = (null)

outputs.12.http-body-data.enabled = no

outputs.12.http-body-data.type = file

outputs.12.http-body-data.filename = http-data.log

outputs.13 = lua

outputs.13.lua = (null)

outputs.13.lua.enabled = no

outputs.13.lua.scripts =

logging = (null)

logging.default-log-level = notice

logging.default-output-filter =

logging.outputs = (null)

logging.outputs.0 = console

logging.outputs.0.console = (null)

logging.outputs.0.console.enabled = yes

logging.outputs.1 = file

logging.outputs.1.file = (null)

logging.outputs.1.file.enabled = yes

logging.outputs.1.file.level = info

logging.outputs.1.file.filename = suricata.log

logging.outputs.2 = syslog

logging.outputs.2.syslog = (null)

logging.outputs.2.syslog.enabled = no

logging.outputs.2.syslog.facility = local5

logging.outputs.2.syslog.format = [%i] <%d> --

af-packet = (null)

af-packet.0 = interface

af-packet.0.interface = eth0

af-packet.0.cluster-id = 99

af-packet.0.cluster-type = cluster_flow

af-packet.0.defrag = yes

af-packet.1 = interface

af-packet.1.interface = default

pcap = (null)

pcap.0 = interface

pcap.0.interface = eth0

pcap.1 = interface

pcap.1.interface = default

pcap-file = (null)

pcap-file.checksum-checks = auto

app-layer = (null)

app-layer.protocols = (null)

app-layer.protocols.rfb = (null)

app-layer.protocols.rfb.enabled = yes

app-layer.protocols.rfb.detection-ports = (null)

app-layer.protocols.rfb.detection-ports.dp = 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909

app-layer.protocols.mqtt = (null)

app-layer.protocols.mqtt.enabled = no

app-layer.protocols.krb5 = (null)

app-layer.protocols.krb5.enabled = yes

app-layer.protocols.snmp = (null)

app-layer.protocols.snmp.enabled = yes

app-layer.protocols.ikev2 = (null)

app-layer.protocols.ikev2.enabled = yes

app-layer.protocols.tls = (null)

app-layer.protocols.tls.enabled = yes

app-layer.protocols.tls.detection-ports = (null)

app-layer.protocols.tls.detection-ports.dp = 443

app-layer.protocols.dcerpc = (null)

app-layer.protocols.dcerpc.enabled = yes

app-layer.protocols.ftp = (null)

app-layer.protocols.ftp.enabled = yes

app-layer.protocols.rdp = (null)

app-layer.protocols.rdp.enabled = no

app-layer.protocols.ssh = (null)

app-layer.protocols.ssh.enabled = yes

app-layer.protocols.http2 = (null)

app-layer.protocols.http2.enabled = no

app-layer.protocols.http2.http1-rules = no

app-layer.protocols.smtp = (null)

app-layer.protocols.smtp.enabled = yes

app-layer.protocols.smtp.raw-extraction = no

app-layer.protocols.smtp.mime = (null)

app-layer.protocols.smtp.mime.decode-mime = yes

app-layer.protocols.smtp.mime.decode-base64 = yes

app-layer.protocols.smtp.mime.decode-quoted-printable = yes

app-layer.protocols.smtp.mime.header-value-depth = 2000

app-layer.protocols.smtp.mime.extract-urls = yes

app-layer.protocols.smtp.mime.body-md5 = no

app-layer.protocols.smtp.inspected-tracker = (null)

app-layer.protocols.smtp.inspected-tracker.content-limit = 100000

app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768

app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096

app-layer.protocols.imap = (null)

app-layer.protocols.imap.enabled = detection-only

app-layer.protocols.smb = (null)

app-layer.protocols.smb.enabled = yes

app-layer.protocols.smb.detection-ports = (null)

app-layer.protocols.smb.detection-ports.dp = 139, 445

app-layer.protocols.nfs = (null)

app-layer.protocols.nfs.enabled = yes

app-layer.protocols.tftp = (null)

app-layer.protocols.tftp.enabled = yes

app-layer.protocols.dns = (null)

app-layer.protocols.dns.tcp = (null)

app-layer.protocols.dns.tcp.enabled = yes

app-layer.protocols.dns.tcp.detection-ports = (null)

app-layer.protocols.dns.tcp.detection-ports.dp = 53

app-layer.protocols.dns.udp = (null)

app-layer.protocols.dns.udp.enabled = yes

app-layer.protocols.dns.udp.detection-ports = (null)

app-layer.protocols.dns.udp.detection-ports.dp = 53

app-layer.protocols.http = (null)

app-layer.protocols.http.enabled = yes

app-layer.protocols.http.libhtp = (null)

app-layer.protocols.http.libhtp.default-config = (null)

app-layer.protocols.http.libhtp.default-config.personality = IDS

app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb

app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb

app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb

app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb

app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb

app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb

app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2

app-layer.protocols.http.libhtp.default-config.http-body-inline = auto

app-layer.protocols.http.libhtp.default-config.swf-decompression = (null)

app-layer.protocols.http.libhtp.default-config.swf-decompression.enabled = yes

app-layer.protocols.http.libhtp.default-config.swf-decompression.type = both

app-layer.protocols.http.libhtp.default-config.swf-decompression.compress-depth = 100kb

app-layer.protocols.http.libhtp.default-config.swf-decompression.decompress-depth = 100kb

app-layer.protocols.http.libhtp.default-config.double-decode-path = no

app-layer.protocols.http.libhtp.default-config.double-decode-query = no

app-layer.protocols.http.libhtp.server-config =

app-layer.protocols.modbus = (null)

app-layer.protocols.modbus.enabled = no

app-layer.protocols.modbus.detection-ports = (null)

app-layer.protocols.modbus.detection-ports.dp = 502

app-layer.protocols.modbus.stream-depth = 0

app-layer.protocols.dnp3 = (null)

app-layer.protocols.dnp3.enabled = no

app-layer.protocols.dnp3.detection-ports = (null)

app-layer.protocols.dnp3.detection-ports.dp = 20000

app-layer.protocols.enip = (null)

app-layer.protocols.enip.enabled = no

app-layer.protocols.enip.detection-ports = (null)

app-layer.protocols.enip.detection-ports.dp = 44818

app-layer.protocols.enip.detection-ports.sp = 44818

app-layer.protocols.ntp = (null)

app-layer.protocols.ntp.enabled = yes

app-layer.protocols.dhcp = (null)

app-layer.protocols.dhcp.enabled = yes

app-layer.protocols.sip = (null)

app-layer.protocols.sip.enabled = no

asn1-max-frames = 256

coredump = (null)

coredump.max-dump = unlimited

host-mode = auto

unix-command = (null)

unix-command.enabled = auto

legacy = (null)

legacy.uricontent = enabled

engine-analysis = (null)

engine-analysis.rules-fast-pattern = yes

engine-analysis.rules = yes

pcre = (null)

pcre.match-limit = 3500

pcre.match-limit-recursion = 1500

host-os-policy = (null)

host-os-policy.windows = (null)

host-os-policy.windows.0 = 0.0.0.0/0

host-os-policy.bsd = (null)

host-os-policy.bsd-right = (null)

host-os-policy.old-linux = (null)

host-os-policy.linux = (null)

host-os-policy.linux.0 = 0.0.0.0/0

host-os-policy.old-solaris = (null)

host-os-policy.solaris = (null)

host-os-policy.hpux10 = (null)

host-os-policy.hpux11 = (null)

host-os-policy.irix = (null)

host-os-policy.macos = (null)

host-os-policy.macos.0 = 0.0.0.0/0

host-os-policy.vista = (null)

host-os-policy.windows2k3 = (null)

defrag = (null)

defrag.memcap = 32mb

defrag.hash-size = 65536

defrag.trackers = 65535

defrag.max-frags = 65535

defrag.prealloc = yes

defrag.timeout = 60

flow = (null)

flow.memcap = 128mb

flow.hash-size = 65536

flow.prealloc = 10000

flow.emergency-recovery = 30

vlan = (null)

vlan.use-for-tracking = true

flow-timeouts = (null)

flow-timeouts.default = (null)

flow-timeouts.default.new = 30

flow-timeouts.default.established = 300

flow-timeouts.default.closed = 0

flow-timeouts.default.bypassed = 100

flow-timeouts.default.emergency-new = 10

flow-timeouts.default.emergency-established = 100

flow-timeouts.default.emergency-closed = 0

flow-timeouts.default.emergency-bypassed = 50

flow-timeouts.tcp = (null)

flow-timeouts.tcp.new = 60

flow-timeouts.tcp.established = 600

flow-timeouts.tcp.closed = 60

flow-timeouts.tcp.bypassed = 100

flow-timeouts.tcp.emergency-new = 5

flow-timeouts.tcp.emergency-established = 100

flow-timeouts.tcp.emergency-closed = 10

flow-timeouts.tcp.emergency-bypassed = 50

flow-timeouts.udp = (null)

flow-timeouts.udp.new = 30

flow-timeouts.udp.established = 300

flow-timeouts.udp.bypassed = 100

flow-timeouts.udp.emergency-new = 10

flow-timeouts.udp.emergency-established = 100

flow-timeouts.udp.emergency-bypassed = 50

flow-timeouts.icmp = (null)

flow-timeouts.icmp.new = 30

flow-timeouts.icmp.established = 300

flow-timeouts.icmp.bypassed = 100

flow-timeouts.icmp.emergency-new = 10

flow-timeouts.icmp.emergency-established = 100

flow-timeouts.icmp.emergency-bypassed = 50

stream = (null)

stream.memcap = 64mb

stream.checksum-validation = yes

stream.inline = auto

stream.reassembly = (null)

stream.reassembly.memcap = 256mb

stream.reassembly.depth = 1mb

stream.reassembly.toserver-chunk-size = 2560

stream.reassembly.toclient-chunk-size = 2560

stream.reassembly.randomize-chunk-size = yes

host = (null)

host.hash-size = 4096

host.prealloc = 1000

host.memcap = 32mb

decoder = (null)

decoder.teredo = (null)

decoder.teredo.enabled = true

decoder.teredo.ports = $TEREDO_PORTS

decoder.vxlan = (null)

decoder.vxlan.enabled = true

decoder.vxlan.ports = $VXLAN_PORTS

decoder.vntag = (null)

decoder.vntag.enabled = false

decoder.geneve = (null)

decoder.geneve.enabled = true

decoder.geneve.ports = $GENEVE_PORTS

detect = (null)

detect.profile = low

detect.custom-values = (null)

detect.custom-values.toclient-groups = 3

detect.custom-values.toserver-groups = 25

detect.sgh-mpm-context = auto

detect.inspection-recursion-limit = 3000

detect.prefilter = (null)

detect.prefilter.default = mpm

detect.grouping =

detect.profiling = (null)

detect.profiling.grouping = (null)

detect.profiling.grouping.dump-to-disk = false

detect.profiling.grouping.include-rules = false

detect.profiling.grouping.include-mpm-stats = false

mpm-algo = auto

spm-algo = auto

threading = (null)

threading.set-cpu-affinity = no

threading.cpu-affinity = (null)

threading.cpu-affinity.0 = management-cpu-set

threading.cpu-affinity.0.management-cpu-set = (null)

threading.cpu-affinity.0.management-cpu-set.cpu = (null)

threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0

threading.cpu-affinity.1 = receive-cpu-set

threading.cpu-affinity.1.receive-cpu-set = (null)

threading.cpu-affinity.1.receive-cpu-set.cpu = (null)

threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0

threading.cpu-affinity.2 = worker-cpu-set

threading.cpu-affinity.2.worker-cpu-set = (null)

threading.cpu-affinity.2.worker-cpu-set.cpu = (null)

threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all

threading.cpu-affinity.2.worker-cpu-set.mode = exclusive

threading.cpu-affinity.2.worker-cpu-set.prio = (null)

threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)

threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0

threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)

threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2

threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)

threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3

threading.cpu-affinity.2.worker-cpu-set.prio.default = medium

threading.detect-thread-ratio = 1.0

luajit = (null)

luajit.states = 128

profiling = (null)

profiling.rules = (null)

profiling.rules.enabled = yes

profiling.rules.filename = rule_perf.log

profiling.rules.append = yes

profiling.rules.limit = 10

profiling.rules.json = yes

profiling.keywords = (null)

profiling.keywords.enabled = yes

profiling.keywords.filename = keyword_perf.log

profiling.keywords.append = yes

profiling.prefilter = (null)

profiling.prefilter.enabled = yes

profiling.prefilter.filename = prefilter_perf.log

profiling.prefilter.append = yes

profiling.rulegroups = (null)

profiling.rulegroups.enabled = yes

profiling.rulegroups.filename = rule_group_perf.log

profiling.rulegroups.append = yes

profiling.packets = (null)

profiling.packets.enabled = yes

profiling.packets.filename = packet_stats.log

profiling.packets.append = yes

profiling.packets.csv = (null)

profiling.packets.csv.enabled = no

profiling.packets.csv.filename = packet_stats.csv

profiling.locks = (null)

profiling.locks.enabled = no

profiling.locks.filename = lock_stats.log

profiling.locks.append = yes

profiling.pcap-log = (null)

profiling.pcap-log.enabled = no

profiling.pcap-log.filename = pcaplog_stats.log

profiling.pcap-log.append = yes

nfq = (null)

nfq.fail-open = yes

nflog = (null)

nflog.0 = group

nflog.0.group = 2

nflog.0.buffer-size = 18432

nflog.1 = group

nflog.1.group = default

nflog.1.qthreshold = 1

nflog.1.qtimeout = 100

nflog.1.max-size = 20000

capture =

netmap = (null)

netmap.0 = interface

netmap.0.interface = eth2

netmap.1 = interface

netmap.1.interface = default

pfring = (null)

pfring.0 = interface

pfring.0.interface = eth0

pfring.0.threads = auto

pfring.0.cluster-id = 99

pfring.0.cluster-type = cluster_flow

pfring.1 = interface

pfring.1.interface = default

ipfw =

napatech = (null)

napatech.streams = (null)

napatech.streams.0 = 0-3

napatech.enable-stream-stats = no

napatech.auto-config = yes

napatech.hardware-bypass = yes

napatech.inline = no

napatech.ports = (null)

napatech.ports.0 = 0-1

napatech.ports.1 = 2-3

napatech.hashmode = hash5tuplesorted

default-rule-path = /var/lib/suricata/rules

rule-files = (null)

rule-files.0 = suricata.rules

classification-file = /etc/suricata/classification.config

reference-config-file = /etc/suricata/reference.config

threshold-file = /opt/<hidden>/suricata/threshold.config