Consistently use dashes instead of underscores in the sample config file.

Nikolay Denev 14 years ago committed by Victor Julien
parent fb05edeeee
commit a67d78eda6

@ -83,7 +83,7 @@ outputs:
# or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
# In this base dir the pcaps are created in th directory structure Sguil expects:
#
# $sguil_base_dir/YYYY-MM-DD/$filename.<timestamp>
# $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
#
# By default all packets are logged except:
# - TCP streams beyond stream.reassembly.depth
@ -97,13 +97,13 @@ outputs:
# is parsed as bytes.
limit: 1000mb
# If set to a value will enable ring buffer mode. Will keep Maximum of "max_files" of size "limit"
max_files: 2000
# If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
max-files: 2000
mode: normal # normal or sguil.
#sguil-base-dir: /nsm_data/
#ts_format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use_stream_depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
# a full alerts log containing much information for signature writers
# or for investigating suspected false positives.
@ -118,8 +118,8 @@ outputs:
- alert-prelude:
enabled: no
profile: suricata
log_packet_content: no
log_packet_header: yes
log-packet-content: no
log-packet-header: yes
# Stats.log contains data from various counters of the suricata engine.
# The interval field (in seconds) tells after how long output will be written
@ -184,12 +184,12 @@ magic-file: @e_magic_file@
# And below, you can have your standard filtering ruleset. To activate
# this mode, you need to set mode to 'repeat'
# If you want packet to be sent to another queue after an ACCEPT decision
# set mode to 'route' and set next_queue value.
# set mode to 'route' and set next-queue value.
nfq:
# mode: accept
# repeat_mark: 1
# repeat_mask: 1
# route_queue: 2
# repeat-mark: 1
# repeat-mask: 1
# route-queue: 2
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
@ -227,7 +227,7 @@ af-packet:
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used.
# Warning: 'checksum_validation' must be set to yes to have any validation
# Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: kernel
- interface: eth1
threads: 1
@ -269,12 +269,12 @@ pcre:
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups. "single" indicates the use of a single context for
# all the signature group heads. "full" indicates a mpm_context for each
# all the signature group heads. "full" indicates a mpm-context for each
# group head. "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
# The option inspection_recursion_limit is used to limit the recursive calls
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
@ -282,14 +282,14 @@ pcre:
detect-engine:
- profile: medium
- custom-values:
toclient_src_groups: 2
toclient_dst_groups: 2
toclient_sp_groups: 2
toclient_dp_groups: 3
toserver_src_groups: 2
toserver_dst_groups: 4
toserver_sp_groups: 2
toserver_dp_groups: 25
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
@ -301,39 +301,39 @@ threading:
#
# On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
#
set_cpu_affinity: no
set-cpu-affinity: no
# Tune cpu affinity of suricata threads. Each family of threads can be bound
# on specific CPUs.
cpu_affinity:
- management_cpu_set:
cpu-affinity:
- management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- receive_cpu_set:
- receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- decode_cpu_set:
- decode-cpu-set:
cpu: [ 0, 1 ]
mode: "balanced"
- stream_cpu_set:
- stream-cpu-set:
cpu: [ "0-1" ]
- detect_cpu_set:
- detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
# Use explicitely 3 threads and don't compute number by using
# detect_thread_ratio variable:
# detect-thread-ratio variable:
# threads: 3
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- verdict_cpu_set:
- verdict-cpu-set:
cpu: [ 0 ]
prio:
default: "high"
- reject_cpu_set:
- reject-cpu-set:
cpu: [ 0 ]
prio:
default: "low"
- output_cpu_set:
- output-cpu-set:
cpu: [ "all" ]
prio:
default: "medium"
@ -346,7 +346,7 @@ threading:
# thread being created. Regardless of the setting at a minimum 1 detect
# thread will always be created.
#
detect_thread_ratio: 1.5
detect-thread-ratio: 1.5
# Cuda configuration.
cuda:
@ -355,38 +355,38 @@ cuda:
- mpm:
# Threshold limit for no of packets buffered to the GPU. Once we hit this
# limit, we pass the buffer to the gpu.
packet_buffer_limit: 2400
packet-buffer-limit: 2400
# The maximum length for a packet that we would buffer to the gpu.
# Anything over this is MPM'ed on the CPU. All entries > 0 are valid.
# Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
packet_size_limit: 1500
packet-size-limit: 1500
# No of packet buffers we initialize. All entries > 0 are valid.
packet_buffers: 10
packet-buffers: 10
# The timeout limit for batching of packets in secs. If we don't fill the
# buffer within this timeout limit, we pass the currently filled buffer to the gpu.
# All entries > 0 are valid.
batching_timeout: 1
# Specifies whether to use page_locked memory whereever possible. Accepted values
batching-timeout: 1
# Specifies whether to use page-locked memory whereever possible. Accepted values
# are "enabled" and "disabled".
page_locked: enabled
page-locked: enabled
# The device to use for the mpm. Currently we don't support load balancing
# on multiple gpus. In case you have multiple devices on your system, you
# can specify the device to use, using this conf. By default we hold 0, to
# specify the first device cuda sees. To find out device_id associated with
# specify the first device cuda sees. To find out device-id associated with
# the card(s) on the system run "suricata --list-cuda-cards".
device_id: 0
device-id: 0
# No of Cuda streams used for asynchronous processing. All values > 0 are valid.
# For this option you need a device with Compute Capability > 1.0 and
# page_locked enabled to have any effect.
cuda_streams: 2
# page-locked enabled to have any effect.
cuda-streams: 2
# Select the multi pattern algorithm you want to run for scan/search the
# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
# ac and ac-gfbs.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect-engine.sgh_mpm_context".
# Selecting "ac" as the mpm would require "detect-engine.sgh_mpm_context"
# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". Rest of the mpms can be run in "full" mode.
@ -415,38 +415,38 @@ mpm-algo: ac
pattern-matcher:
- b2gc:
search_algo: B2gSearchBNDMq
hash_size: low
bf_size: medium
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2gm:
search_algo: B2gSearchBNDMq
hash_size: low
bf_size: medium
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2g:
search_algo: B2gSearchBNDMq
hash_size: low
bf_size: medium
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b3g:
search_algo: B3gSearchBNDMq
hash_size: low
bf_size: medium
search-algo: B3gSearchBNDMq
hash-size: low
bf-size: medium
- wumanber:
hash_size: low
bf_size: medium
hash-size: low
bf-size: medium
# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash_size determine the size of the hash used to identify flows inside
# The hash-size determine the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency_recovery is the percentage of flows that the engine need to
# emergency-recovery is the percentage of flows that the engine need to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# prunning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune prune_flows
# If the memcap is reached, the engine will try to prune prune-flows
# with the default timeouts. If it doens't find a flow to prune, it will set
# the emergency bit and it will try again with more agressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
@ -456,10 +456,10 @@ pattern-matcher:
flow:
memcap: 32mb
hash_size: 65536
hash-size: 65536
prealloc: 10000
emergency_recovery: 30
prune_flows: 5
emergency-recovery: 30
prune-flows: 5
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
@ -473,7 +473,7 @@ flow:
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine to check flow status faster. This configuration variables
# use the prefix "emergency_" and work similar as the normal ones.
# use the prefix "emergency-" and work similar as the normal ones.
# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
# icmp.
@ -483,26 +483,26 @@ flow-timeouts:
new: 30
established: 300
closed: 0
emergency_new: 10
emergency_established: 100
emergency_closed: 0
emergency-new: 10
emergency-established: 100
emergency-closed: 0
tcp:
new: 60
established: 3600
closed: 120
emergency_new: 10
emergency_established: 300
emergency_closed: 20
emergency-new: 10
emergency-established: 300
emergency-closed: 20
udp:
new: 30
established: 300
emergency_new: 10
emergency_established: 100
emergency-new: 10
emergency-established: 100
icmp:
new: 30
established: 300
emergency_new: 10
emergency_established: 100
emergency-new: 10
emergency-established: 100
# Stream engine settings. Here the TCP stream tracking and reaasembly
# engine is configured.
@ -510,7 +510,7 @@ flow-timeouts:
# stream:
# memcap: 32mb # Can be specified in kb, mb, gb. Just a
# # number indicates it's in bytes.
# checksum_validation: yes # To validate the checksum of received
# checksum-validation: yes # To validate the checksum of received
# # packet. If csum validation is specified as
# # "yes", then packet with invalid csum will not
# # be processed by the engine stream/app layer.
@ -519,10 +519,10 @@ flow-timeouts:
# # of checksum. You can control the handling of checksum
# # on a per-interface basis via the 'checksum-checks'
# # option
# max_sessions: 262144 # 256k concurrent sessions
# prealloc_sessions: 32768 # 32k sessions prealloc'd
# max-sessions: 262144 # 256k concurrent sessions
# prealloc-sessions: 32768 # 32k sessions prealloc'd
# midstream: false # don't allow midstream session pickups
# async_oneside: false # don't enable async stream handling
# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
#
# reassembly:
@ -530,22 +530,22 @@ flow-timeouts:
# # indicates it's in bytes.
# depth: 1mb # Can be specified in kb, mb, gb. Just a number
# # indicates it's in bytes.
# toserver_chunk_size: 2560 # inspect raw stream in chunks of at least
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
# # this size. Can be specified in kb, mb,
# # gb. Just a number indicates it's in bytes.
# toclient_chunk_size: 2560 # inspect raw stream in chunks of at least
# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
# # this size. Can be specified in kb, mb,
# # gb. Just a number indicates it's in bytes.
stream:
memcap: 32mb
checksum_validation: yes # reject wrong csums
checksum-validation: yes # reject wrong csums
inline: no # no inline mode
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
toserver_chunk_size: 2560
toclient_chunk_size: 2560
toserver-chunk-size: 2560
toclient-chunk_size: 2560
# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
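Review bot: `toclient-chunk_size: 2560` in the active `stream.reassembly` block still carries an underscore, so it does not match the dashed `toserver-chunk-size` directly above it nor the `toclient-chunk-size` shown in the commented example earlier in this hunk. Unless the config loader normalizes underscores to dashes (nothing on this page shows that it does), the engine will not recognize the key and will silently fall back to its built-in chunk size, which is exactly the kind of quiet misconfiguration a key rename should not introduce. Change it to `toclient-chunk-size: 2560`. A grep for `[a-z]_[a-z]` over the keys on the new side of the file would catch any other survivors before this lands.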
@ -614,7 +614,7 @@ pfring:
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used. (default)
# Warning: 'checksum_validation' must be set to yes to have any validation
# Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: auto
# Second interface
#- interface: eth1
@ -634,7 +634,7 @@ pcap:
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used. (default)
# Warning: 'checksum_validation' must be set to yes to have any validation
# Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: auto
# For FreeBSD ipfw(8) divert(4) support.
@ -762,10 +762,10 @@ host-os-policy:
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
bsd_right: []
old_linux: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old_solaris: []
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
@ -776,7 +776,7 @@ host-os-policy:
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1_max_frames: 256
asn1-max-frames: 256
###########################################################################
# Configure libhtp.
@ -812,7 +812,7 @@ libhtp:
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request_body_limit: 3072
request-body-limit: 3072
response-body-limit: 3072
server-config:
@ -822,7 +822,7 @@ libhtp:
personality: Apache_2_2
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request_body_limit: 4096
request-body-limit: 4096
response-body-limit: 4096
- iis7:
@ -832,7 +832,7 @@ libhtp:
personality: IIS_7_0
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request_body_limit: 4096
request-body-limit: 4096
response-body-limit: 4096
# Profiling settings. Only effective if Suricata has been built with the
@ -873,13 +873,13 @@ profiling:
filename: packet_stats.csv
# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max_dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max_dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max_dump.
# Setting max_dump to 0 disables core dumping.
# Setting max_dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max_dump value >= ULONG_MAX may cause the core dump size
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max-dump.
# Setting max-dump to 0 disables core dumping.
# Setting max-dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.
coredump:
max_dump: unlimited
max-dump: unlimited
