@ -1062,7 +1062,7 @@ what to do in case memcap is hit: 'drop-packet', 'pass-packet', 'reject', or
flow:
flow:
memcap: 33554432 #The maximum amount of bytes the flow-engine will make use of.
memcap: 33554432 #The maximum amount of bytes the flow-engine will make use of.
memcap-policy: bypass #How to handle the flow if memcap is reached (IPS mode)
memcap-policy: bypass #How to handle the flow if memcap is reached (IPS mode)
hash_ size: 65536 #Flows will be organized in a hash-table. With this option you can set the
hash- size: 65536 #Flows will be organized in a hash-table. With this option you can set the
#size of the hash-table.
#size of the hash-table.
Prealloc: 10000 #The amount of flows Suricata has to keep ready in memory.
Prealloc: 10000 #The amount of flows Suricata has to keep ready in memory.
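Review bot: the renamed key on the `hash- size: 65536` line is rendered with a space after the hyphen, which a YAML loader would take as a key literally named `hash- size` rather than `hash-size`; confirm the committed line is `hash-size: 65536`. While this block is being rewritten, `Prealloc: 10000` is the only capitalised key in the example and does not match the lowercase `prealloc-sessions` used in the stream section; lowercase it to `prealloc: 10000`.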
@ -1120,27 +1120,27 @@ UDP, ICMP and default (all other protocols).
new: 30 #Time-out in seconds after the last activity in this flow in a New state.
new: 30 #Time-out in seconds after the last activity in this flow in a New state.
established: 300 #Time-out in seconds after the last activity in this flow in a Established
established: 300 #Time-out in seconds after the last activity in this flow in a Established
#state.
#state.
emergency_ new: 10 #Time-out in seconds after the last activity in this flow in a New state
emergency- new: 10 #Time-out in seconds after the last activity in this flow in a New state
#during the emergency mode.
#during the emergency mode.
emergency_ established: 100 #Time-out in seconds after the last activity in this flow in a Established
emergency- established: 100 #Time-out in seconds after the last activity in this flow in a Established
#state in the emergency mode.
#state in the emergency mode.
tcp:
tcp:
new: 60
new: 60
established: 3600
established: 3600
closed: 120
closed: 120
emergency_ new: 10
emergency- new: 10
emergency_ established: 300
emergency- established: 300
emergency_ closed: 20
emergency- closed: 20
udp:
udp:
new: 30
new: 30
established: 300
established: 300
emergency_ new: 10
emergency- new: 10
emergency_ established: 100
emergency- established: 100
icmp:
icmp:
new: 30
new: 30
established: 300
established: 300
emergency_ new: 10
emergency- new: 10
emergency_ established: 100
emergency- established: 100
Stream-engine
Stream-engine
~~~~~~~~~~~~~
~~~~~~~~~~~~~
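Review bot: the renamed keys are shown as `emergency- new`, `emergency- established` and `emergency- closed` with a space after the hyphen in the default, tcp, udp and icmp blocks alike; the committed text must be `emergency-new` etc. with no space, otherwise the example no longer shows the key Suricata reads. Since the `established: 300` and `emergency- established: 100` lines are touched anyway, also fix the article in their comments from "in a Established state" to "in an Established state".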
@ -1173,10 +1173,10 @@ option can be set off by entering 'no' instead of 'yes'.
stream:
stream:
memcap: 64mb # Max memory usage (in bytes) for TCP session tracking
memcap: 64mb # Max memory usage (in bytes) for TCP session tracking
memcap-policy: ignore # In IPS mode, call memcap policy if memcap is reached
memcap-policy: ignore # In IPS mode, call memcap policy if memcap is reached
checksum_ validation: yes # Validate packet checksum, reject packets with invalid checksums.
checksum- validation: yes # Validate packet checksum, reject packets with invalid checksums.
To mitigate Suricata from being overloaded by fast session creation,
To mitigate Suricata from being overloaded by fast session creation,
the option prealloc_ sessions instructs Suricata to keep a number of
the option prealloc- sessions instructs Suricata to keep a number of
sessions ready in memory.
sessions ready in memory.
A TCP-session starts with the three-way-handshake. After that, data
A TCP-session starts with the three-way-handshake. After that, data
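Review bot: `memcap: 64mb # Max memory usage (in bytes) for TCP session tracking` contradicts itself: the value carries an `mb` suffix while the comment says bytes. Change the comment to something like `# Max memory usage for TCP session tracking (e.g. 64mb)` so a reader does not write a bare number expecting megabytes. The prose line `the option prealloc- sessions instructs Suricata` also has a space inside the key; make it the RST literal ``prealloc-sessions`` so it matches the config example that follows.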
@ -1207,10 +1207,10 @@ anomalies in streams. See :ref:`host-os-policy`.
::
::
prealloc_ sessions: 32768 # 32k sessions prealloc'd
prealloc- sessions: 32768 # 32k sessions prealloc'd
midstream: false # do not allow midstream session pickups
midstream: false # do not allow midstream session pickups
midstream-policy: drop-flow # in IPS mode, drop flows that start midstream
midstream-policy: drop-flow # in IPS mode, drop flows that start midstream
async_ oneside: false # do not enable async stream handling
async- oneside: false # do not enable async stream handling
inline: no # stream inline mode
inline: no # stream inline mode
drop-invalid: yes # drop invalid packets
drop-invalid: yes # drop invalid packets
bypass: no
bypass: no
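Review bot: `bypass: no` is the only line in this example without a trailing comment; add one in the style of the other lines (what stream bypass does and when it applies) so the block stays self-describing. `async- oneside: false` is rendered with a space after the hyphen; confirm the committed line is `async-oneside: false`.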
@ -1257,7 +1257,7 @@ this is 1MB. This setting can be overridden per stream by the protocol
parsers that do file extraction.
parsers that do file extraction.
Inspection of reassembled data is done in chunks. The size of these
Inspection of reassembled data is done in chunks. The size of these
chunks is set with `` toserver _chunk_size`` and `` toclient_chunk_ size`` .
chunks is set with `` toserver -chunk-size`` and `` toclient-chunk- size`` .
To avoid making the borders predictable, the sizes can be varied by
To avoid making the borders predictable, the sizes can be varied by
adding in a random factor.
adding in a random factor.
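Review bot: the RST inline literals on the changed line are malformed: `` toserver -chunk-size`` has whitespace directly after the opening double backtick and a space before the hyphen, and `` toclient-chunk- size`` has a space before `size`; docutils does not recognise a start-string followed by whitespace, so these render as literal backticks. Rewrite the line as "chunks is set with ``toserver-chunk-size`` and ``toclient-chunk-size``." (which also closes the stray gap before the final period).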
@ -1267,8 +1267,8 @@ adding in a random factor.
memcap: 256mb # Memory reserved for stream data reconstruction (in bytes)
memcap: 256mb # Memory reserved for stream data reconstruction (in bytes)
memcap-policy: ignore # What to do when memcap for reassembly is hit
memcap-policy: ignore # What to do when memcap for reassembly is hit
depth: 1mb # The depth of the reassembling.
depth: 1mb # The depth of the reassembling.
toserver_chunk_ size: 2560 # inspect raw stream in chunks of at least this size
toserver-chunk- size: 2560 # inspect raw stream in chunks of at least this size
toclient_chunk_ size: 2560 # inspect raw stream in chunks of at least
toclient-chunk- size: 2560 # inspect raw stream in chunks of at least
randomize-chunk-size: yes
randomize-chunk-size: yes
#randomize-chunk-range: 10
#randomize-chunk-range: 10
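Review bot: the comment on `toclient-chunk- size: 2560` stops at "in chunks of at least", while the `toserver-chunk- size` line above ends "at least this size"; complete it so the two lines match. Both chunk-size keys are also rendered with a space after the hyphen and should be committed as `toserver-chunk-size` / `toclient-chunk-size`. The `memcap: 256mb # ... (in bytes)` line has the same unit mismatch as the stream memcap line: drop "(in bytes)" or show the suffix form in the comment.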
@ -1355,7 +1355,7 @@ Asn1 (`Abstract Syntax One
<http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One> `_) is a
<http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One> `_) is a
standard notation to structure and describe data.
standard notation to structure and describe data.
Within Asn1_max_ frames there are several frames. To protect itself,
Within Asn1-max- frames there are several frames. To protect itself,
Suricata will inspect a maximum of 256. You can set this amount
Suricata will inspect a maximum of 256. You can set this amount
differently if wanted.
differently if wanted.
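Review bot: the prose now says "Within Asn1-max- frames there are several frames", but the option shown in the config block further down is `asn1-max-frames`; use the exact lowercase key in RST literal markup, e.g. "Within ``asn1-max-frames`` ...", so a reader can grep for it and the name matches the example. The unchanged context line `<http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One> `_` has a space between `>` and `` `_``, which breaks the RST hyperlink; worth fixing while this paragraph is being edited.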
@ -1368,7 +1368,7 @@ Limit for the maximum number of asn1 frames to decode (default 256):
::
::
asn1_max_ frames: 256
asn1-max- frames: 256
.. _suricata-yaml-configure-ftp:
.. _suricata-yaml-configure-ftp:
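Review bot: `asn1-max- frames: 256` as shown has a space before `frames`; verify the committed line is `asn1-max-frames: 256`. Because this rename changes a key name that users may already have in their configs, the text should state whether the engine still accepts `asn1_max_frames` (or normalises underscores to hyphens) or whether an old config silently falls back to the default of 256 named in the context line.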
@ -2309,10 +2309,10 @@ Add the numbers of the options repeat_mark and route_queue to the NFQ-rule::
nfq:
nfq:
mode: accept #By default the packet will be accepted or dropped by Suricata
mode: accept #By default the packet will be accepted or dropped by Suricata
repeat_ mark: 1 #If the mode is set to 'repeat', the packets will be marked after being
repeat- mark: 1 #If the mode is set to 'repeat', the packets will be marked after being
#processed by Suricata.
#processed by Suricata.
repeat_ mask: 1
repeat- mask: 1
route_ queue: 2 #Here you can assign the queue-number of the tool that Suricata has to
route- queue: 2 #Here you can assign the queue-number of the tool that Suricata has to
#send the packets to after processing them.
#send the packets to after processing them.
*Example 1 NFQ1*
*Example 1 NFQ1*
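Review bot: the hunk's own context line "Add the numbers of the options repeat_mark and route_queue to the NFQ-rule::" still uses the underscore names while the block below now shows `repeat- mark` and `route- queue`; update that sentence to ``repeat-mark`` and ``route-queue`` in the same change so prose and example agree. `repeat- mask: 1` is the only key here without a comment; add one explaining how the mask relates to `repeat-mark`. As in the other hunks, the hyphenated keys are rendered with a space after the hyphen and should be committed without it.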
@ -2523,10 +2523,10 @@ use of.
host-os-policy:
host-os-policy:
windows: [0.0.0.0/0]
windows: [0.0.0.0/0]
bsd: []
bsd: []
bsd_ right: []
bsd- right: []
old_ linux: []
old- linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old_ solaris: []
old- solaris: []
solaris: ["::1"]
solaris: ["::1"]
hpux10: []
hpux10: []
hpux11: []
hpux11: []
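Review bot: `bsd- right`, `old- linux` and `old- solaris` are rendered with a space after the hyphen; make sure the committed lines are `bsd-right`, `old-linux` and `old-solaris`, since these policy names must match exactly what the engine expects. A trailing comment on `windows: [0.0.0.0/0]` saying how its overlap with the `linux` entries (`10.0.0.0/8`, `192.168.1.100`) is resolved would also make the example clearer, as it currently reads as two policies claiming the same addresses.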