|  |  | %YAML 1.1
 | 
						
						
						
							|  |  | ---
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Suricata configuration file. In addition to the comments describing all
 | 
						
						
						
							|  |  | # options in this file, full documentation can be found at:
 | 
						
						
						
							|  |  | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Number of packets allowed to be processed simultaneously.  Default is a
 | 
						
						
						
							|  |  | # conservative 50. a higher number will make sure CPU's/CPU cores will be
 | 
						
						
						
							|  |  | # more easily kept busy, but will negatively impact caching.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # If you are using the CUDA pattern matcher (b2g_cuda below), different rules
 | 
						
						
						
							|  |  | # apply. In that case try something like 4000 or more. This is because the CUDA
 | 
						
						
						
							|  |  | # pattern matcher scans many packets in parallel.
 | 
						
						
						
							|  |  | #max-pending-packets: 50
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Runmode custom mode the engine should run in.  Please check --list-runmodes
 | 
						
						
						
							|  |  | # to get the runmode custom modes that can be used here for a particular runmode.
 | 
						
						
						
							|  |  | #runmode: auto
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Default pid file.
 | 
						
						
						
							|  |  | # Will use this file if no --pidfile in command options.
 | 
						
						
						
							|  |  | #pid-file: /var/run/suricata.pid
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Preallocated size for packet. Default is 1514 which is the classical
 | 
						
						
						
							|  |  | # size for pcap on ethernet. You should adjust this value to the highest
 | 
						
						
						
							|  |  | # packet size (MTU + hardware header) on your system.
 | 
						
						
						
							|  |  | #default-packet-size: 1514
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Set the order of alerts bassed on actions
 | 
						
						
						
							|  |  | # The default order is pass, drop, reject, alert
 | 
						
						
						
							|  |  | action-order:
 | 
						
						
						
							|  |  |   - pass
 | 
						
						
						
							|  |  |   - drop
 | 
						
						
						
							|  |  |   - reject
 | 
						
						
						
							|  |  |   - alert
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # The default logging directory.  Any log or output file will be
 | 
						
						
						
							|  |  | # placed here if its not specified with a full path name.  This can be
 | 
						
						
						
							|  |  | # overridden with the -l command line parameter.
 | 
						
						
						
							|  |  | default-log-dir: /var/log/suricata
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Configure the type of alert (and other) logging you would like.
 | 
						
						
						
							|  |  | outputs:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # a line based alerts log similar to Snort's fast.log
 | 
						
						
						
							|  |  |   - fast:
 | 
						
						
						
							|  |  |       enabled: yes
 | 
						
						
						
							|  |  |       filename: fast.log
 | 
						
						
						
							|  |  |       append: yes
 | 
						
						
						
							|  |  |       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # alert output for use with Barnyard2
 | 
						
						
						
							|  |  |   - unified2-alert:
 | 
						
						
						
							|  |  |       enabled: yes
 | 
						
						
						
							|  |  |       filename: unified2.alert
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |       # File size limit.  Can be specified in kb, mb, gb.  Just a number
 | 
						
						
						
							|  |  |       # is parsed as bytes.
 | 
						
						
						
							|  |  |       #limit: 32mb
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # a line based log of HTTP requests (no alerts)
 | 
						
						
						
							|  |  |   - http-log:
 | 
						
						
						
							|  |  |       enabled: yes
 | 
						
						
						
							|  |  |       filename: http.log
 | 
						
						
						
							|  |  |       append: yes
 | 
						
						
						
							|  |  |       #extended: yes     # enable this for extended logging information
 | 
						
						
						
							|  |  |       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # a line based log to used with pcap file study.
 | 
						
						
						
							|  |  |   # this module is dedicated to offline pcap parsing (empty output
 | 
						
						
						
							|  |  |   # if used with an other kind of input). It can interoperate with
 | 
						
						
						
							|  |  |   # pcap parser like wireshark via the suriwire plugin.
 | 
						
						
						
							|  |  |   - pcap-info:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # Packet log... log packets in pcap format. 2 modes of operation: "normal"
 | 
						
						
						
							|  |  |   # and "sguil".
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # In normal mode a pcap file "filename" is created in the default-log-dir,
 | 
						
						
						
							|  |  |   # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
 | 
						
						
						
							|  |  |   # In this base dir the pcaps are created in th directory structure Sguil expects:
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # $sguil_base_dir/YYYY-MM-DD/$filename.<timestamp>
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # By default all packets are logged except:
 | 
						
						
						
							|  |  |   # - TCP streams beyond stream.reassembly.depth
 | 
						
						
						
							|  |  |   # - encrypted streams after the key exchange
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   - pcap-log:
 | 
						
						
						
							|  |  |       enabled:  no
 | 
						
						
						
							|  |  |       filename: log.pcap
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |       # File size limit.  Can be specified in kb, mb, gb.  Just a number
 | 
						
						
						
							|  |  |       # is parsed as bytes.
 | 
						
						
						
							|  |  |       limit: 1000mb
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |       # If set to a value will enable ring buffer mode. Will keep Maximum of "max_files" of size "limit"
 | 
						
						
						
							|  |  |       max_files: 2000
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |       mode: normal # normal or sguil.
 | 
						
						
						
							|  |  |       #sguil-base-dir: /nsm_data/
 | 
						
						
						
							|  |  |       #ts_format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
 | 
						
						
						
							|  |  |       use_stream_depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # a full alerts log containing much information for signature writers
 | 
						
						
						
							|  |  |   # or for investigating suspected false positives.
 | 
						
						
						
							|  |  |   - alert-debug:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       filename: alert-debug.log
 | 
						
						
						
							|  |  |       append: yes
 | 
						
						
						
							|  |  |       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # alert output to prelude (http://www.prelude-technologies.com/) only
 | 
						
						
						
							|  |  |   # available if Suricata has been compiled with --enable-prelude
 | 
						
						
						
							|  |  |   - alert-prelude:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       profile: suricata
 | 
						
						
						
							|  |  |       log_packet_content: no
 | 
						
						
						
							|  |  |       log_packet_header: yes
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # Stats.log contains data from various counters of the suricata engine.
 | 
						
						
						
							|  |  |   # The interval field (in seconds) tells after how long output will be written
 | 
						
						
						
							|  |  |   # on the log file.
 | 
						
						
						
							|  |  |   - stats:
 | 
						
						
						
							|  |  |       enabled: yes
 | 
						
						
						
							|  |  |       filename: stats.log
 | 
						
						
						
							|  |  |       interval: 8
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # a line based alerts log similar to fast.log into syslog
 | 
						
						
						
							|  |  |   - syslog:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       # reported identity to syslog. If ommited the program name (usually
 | 
						
						
						
							|  |  |       # suricata) will be used.
 | 
						
						
						
							|  |  |       #identity: "suricata"
 | 
						
						
						
							|  |  |       facility: local5
 | 
						
						
						
							|  |  |       #level: Info ## possible levels: Emergency, Alert, Critical,
 | 
						
						
						
							|  |  |                    ## Error, Warning, Notice, Info, Debug
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # a line based information for dropped packets in IPS mode
 | 
						
						
						
							|  |  |   - drop:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       filename: drop.log
 | 
						
						
						
							|  |  |       append: yes
 | 
						
						
						
							|  |  |       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # output module to store extracted files to disk
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # The files are stored to the log-dir in a format "file.<id>" where <id> is
 | 
						
						
						
							|  |  |   # an incrementing number starting at 1. For each file "file.<id>" a meta
 | 
						
						
						
							|  |  |   # file "file.<id>.meta" is created.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # File extraction depends on a lot of things to be fully done:
 | 
						
						
						
							|  |  |   # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
 | 
						
						
						
							|  |  |   # - http request / response body sizes. Again set to 0 for optimal results.
 | 
						
						
						
							|  |  |   # - rules that contain the "filestore" keyword.
 | 
						
						
						
							|  |  |   - file:
 | 
						
						
						
							|  |  |       enabled: no       # set to yes to enable
 | 
						
						
						
							|  |  |       log-dir: files    # directory to store the files
 | 
						
						
						
							|  |  |       force-magic: no   # force logging magic on all stored files
 | 
						
						
						
							|  |  |       #waldo: file.waldo # waldo file to store the file_id across runs
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Magic file. The extension .mgc is added to the value here.
 | 
						
						
						
							|  |  | #magic-file: /usr/share/file/magic
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # When running in NFQ inline mode, it is possible to use a simulated
 | 
						
						
						
							|  |  | # non-terminal NFQUEUE verdict.
 | 
						
						
						
							|  |  | # This permit to do send all needed packet to suricata via this a rule:
 | 
						
						
						
							|  |  | #        iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
 | 
						
						
						
							|  |  | # And below, you can have your standard filtering ruleset. To activate
 | 
						
						
						
							|  |  | # this mode, you need to set mode to 'repeat'
 | 
						
						
						
							|  |  | # If you want packet to be sent to another queue after an ACCEPT decision
 | 
						
						
						
							|  |  | # set mode to 'route' and set next_queue value.
 | 
						
						
						
							|  |  | nfq:
 | 
						
						
						
							|  |  | #  mode: accept
 | 
						
						
						
							|  |  | #  repeat_mark: 1
 | 
						
						
						
							|  |  | #  repeat_mask: 1
 | 
						
						
						
							|  |  | #  route_queue: 2
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # af-packet support
 | 
						
						
						
							|  |  | # Set threads to > 1 to use PACKET_FANOUT support
 | 
						
						
						
							|  |  | af-packet:
 | 
						
						
						
							|  |  |   - interface: eth0
 | 
						
						
						
							|  |  |     # Number of receive threads (>1 will enable experimental flow pinned
 | 
						
						
						
							|  |  |     # runmode)
 | 
						
						
						
							|  |  |     threads: 1
 | 
						
						
						
							|  |  |     # Default clusterid.  AF_PACKET will load balance packets based on flow.
 | 
						
						
						
							|  |  |     # All threads/processes that will participate need to have the same
 | 
						
						
						
							|  |  |     # clusterid.
 | 
						
						
						
							|  |  |     cluster-id: 99
 | 
						
						
						
							|  |  |     # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
 | 
						
						
						
							|  |  |     # This is only supported for Linux kernel > 3.1
 | 
						
						
						
							|  |  |     # possible value are:
 | 
						
						
						
							|  |  |     #  * cluster_round_robin: round robin load balancing
 | 
						
						
						
							|  |  |     #  * cluster_flow: all packets of a given flow are send to the same socket
 | 
						
						
						
							|  |  |     #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
 | 
						
						
						
							|  |  |     cluster-type: cluster_round_robin
 | 
						
						
						
							|  |  |     # In some fragmentation case, the hash can not be computed. If "defrag" is set
 | 
						
						
						
							|  |  |     # to yes, the kernel will do the needed defragmentation before sending the packets.
 | 
						
						
						
							|  |  |     defrag: yes
 | 
						
						
						
							|  |  |     # recv buffer size, increase value could improve performance
 | 
						
						
						
							|  |  |     # buffer-size: 32768
 | 
						
						
						
							|  |  |     # Set to yes to disable promiscuous mode
 | 
						
						
						
							|  |  |     # disable-promisc: no
 | 
						
						
						
							|  |  |     # Choose checksum verification mode for the interface. At the moment
 | 
						
						
						
							|  |  |     # of the capture, some packets may be with an invalid checksum due to
 | 
						
						
						
							|  |  |     # offloading to the network card of the checksum computation.
 | 
						
						
						
							|  |  |     # Possible values are:
 | 
						
						
						
							|  |  |     #  - kernel: use indication sent by kernel for each packet (default)
 | 
						
						
						
							|  |  |     #  - yes: checksum validation is forced
 | 
						
						
						
							|  |  |     #  - no: checksum validation is disabled
 | 
						
						
						
							|  |  |     #  - auto: suricata uses a statistical approach to detect when
 | 
						
						
						
							|  |  |     #  checksum off-loading is used.
 | 
						
						
						
							|  |  |     # Warning: 'checksum_validation' must be set to yes to have any validation
 | 
						
						
						
							|  |  |     #checksum-checks: kernel
 | 
						
						
						
							|  |  |   - interface: eth1
 | 
						
						
						
							|  |  |     threads: 1
 | 
						
						
						
							|  |  |     cluster-id: 98
 | 
						
						
						
							|  |  |     cluster-type: cluster_round_robin
 | 
						
						
						
							|  |  |     defrag: yes
 | 
						
						
						
							|  |  |     # buffer-size: 32768
 | 
						
						
						
							|  |  |     # disable-promisc: no
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | defrag:
 | 
						
						
						
							|  |  |   max-frags: 65535
 | 
						
						
						
							|  |  |   prealloc: yes
 | 
						
						
						
							|  |  |   timeout: 60
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # When run with the option --engine-analysis, the engine will read each of
 | 
						
						
						
							|  |  | # the parameters below, and print reports for each of the enabled sections
 | 
						
						
						
							|  |  | # and exit.  The reports are printed to a file in the default log dir
 | 
						
						
						
							|  |  | # given by the parameter "default-log-dir", with engine reporting
 | 
						
						
						
							|  |  | # subsection below printing reports in its own report file.
 | 
						
						
						
							|  |  | engine-analysis:
 | 
						
						
						
							|  |  |   # enables printing reports for fast-pattern for every rule.
 | 
						
						
						
							|  |  |   rules-fast-pattern: yes
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | #recursion and match limits for PCRE where supported
 | 
						
						
						
							|  |  | pcre:
 | 
						
						
						
							|  |  |   match-limit: 3500
 | 
						
						
						
							|  |  |   match-limit-recursion: 1500
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # You can specify a threshold config file by setting "threshold-file"
 | 
						
						
						
							|  |  | # to the path of the threshold config file:
 | 
						
						
						
							|  |  | # threshold-file: /etc/suricata/threshold.config
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # The detection engine builds internal groups of signatures. The engine
 | 
						
						
						
							|  |  | # allow us to specify the profile to use for them, to manage memory on an
 | 
						
						
						
							|  |  | # efficient way keeping a good performance. For the profile keyword you
 | 
						
						
						
							|  |  | # can use the words "low", "medium", "high" or "custom". If you use custom
 | 
						
						
						
							|  |  | # make sure to define the values at "- custom-values" as your convenience.
 | 
						
						
						
							|  |  | # Usually you would prefer medium/high/low.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # "sgh mpm-context", indicates how the staging should allot mpm contexts for
 | 
						
						
						
							|  |  | # the signature groups.  "single" indicates the use of a single context for
 | 
						
						
						
							|  |  | # all the signature group heads.  "full" indicates a mpm_context for each
 | 
						
						
						
							|  |  | # group head.  "auto" lets the engine decide the distribution of contexts
 | 
						
						
						
							|  |  | # based on the information the engine gathers on the patterns from each
 | 
						
						
						
							|  |  | # group head.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # The option inspection_recursion_limit is used to limit the recursive calls
 | 
						
						
						
							|  |  | # in the content inspection code.  For certain payload-sig combinations, we
 | 
						
						
						
							|  |  | # might end up taking too much time in the content inspection code.
 | 
						
						
						
							|  |  | # If the argument specified is 0, the engine uses an internally defined
 | 
						
						
						
							|  |  | # default limit.  On not specifying a value, we use no limits on the recursion.
 | 
						
						
						
							|  |  | detect-engine:
 | 
						
						
						
							|  |  |   - profile: medium
 | 
						
						
						
							|  |  |   - custom-values:
 | 
						
						
						
							|  |  |       toclient_src_groups: 2
 | 
						
						
						
							|  |  |       toclient_dst_groups: 2
 | 
						
						
						
							|  |  |       toclient_sp_groups: 2
 | 
						
						
						
							|  |  |       toclient_dp_groups: 3
 | 
						
						
						
							|  |  |       toserver_src_groups: 2
 | 
						
						
						
							|  |  |       toserver_dst_groups: 4
 | 
						
						
						
							|  |  |       toserver_sp_groups: 2
 | 
						
						
						
							|  |  |       toserver_dp_groups: 25
 | 
						
						
						
							|  |  |   - sgh-mpm-context: auto
 | 
						
						
						
							|  |  |   - inspection-recursion-limit: 3000
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Suricata is multi-threaded. Here the threading can be influenced.
 | 
						
						
						
							|  |  | threading:
 | 
						
						
						
							|  |  |   # On some cpu's/architectures it is beneficial to tie individual threads
 | 
						
						
						
							|  |  |   # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
 | 
						
						
						
							|  |  |   # and each extra CPU/core has one "detect" thread.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   set_cpu_affinity: no
 | 
						
						
						
							|  |  |   # Tune cpu affinity of suricata threads. Each family of threads can be bound
 | 
						
						
						
							|  |  |   # on specific CPUs.
 | 
						
						
						
							|  |  |   cpu_affinity:
 | 
						
						
						
							|  |  |     - management_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ 0 ]  # include only these cpus in affinity settings
 | 
						
						
						
							|  |  |     - receive_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ 0 ]  # include only these cpus in affinity settings
 | 
						
						
						
							|  |  |     - decode_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ 0, 1 ]
 | 
						
						
						
							|  |  |         mode: "balanced"
 | 
						
						
						
							|  |  |     - stream_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ "0-1" ]
 | 
						
						
						
							|  |  |     - detect_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ "all" ]
 | 
						
						
						
							|  |  |         mode: "exclusive" # run detect threads in these cpus
 | 
						
						
						
							|  |  |         # Use explicitely 3 threads and don't compute number by using
 | 
						
						
						
							|  |  |         # detect_thread_ratio variable:
 | 
						
						
						
							|  |  |         # threads: 3
 | 
						
						
						
							|  |  |         prio:
 | 
						
						
						
							|  |  |           low: [ 0 ]
 | 
						
						
						
							|  |  |           medium: [ "1-2" ]
 | 
						
						
						
							|  |  |           high: [ 3 ]
 | 
						
						
						
							|  |  |           default: "medium"
 | 
						
						
						
							|  |  |     - verdict_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ 0 ]
 | 
						
						
						
							|  |  |         prio:
 | 
						
						
						
							|  |  |           default: "high"
 | 
						
						
						
							|  |  |     - reject_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ 0 ]
 | 
						
						
						
							|  |  |         prio:
 | 
						
						
						
							|  |  |           default: "low"
 | 
						
						
						
							|  |  |     - output_cpu_set:
 | 
						
						
						
							|  |  |         cpu: [ "all" ]
 | 
						
						
						
							|  |  |         prio:
 | 
						
						
						
							|  |  |            default: "medium"
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # By default Suricata creates one "detect" thread per available CPU/CPU core.
 | 
						
						
						
							|  |  |   # This setting allows controlling this behaviour. A ratio setting of 2 will
 | 
						
						
						
							|  |  |   # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
 | 
						
						
						
							|  |  |   # will result in 4 detect threads. If values below 1 are used, less threads
 | 
						
						
						
							|  |  |   # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
 | 
						
						
						
							|  |  |   # thread being created. Regardless of the setting at a minimum 1 detect
 | 
						
						
						
							|  |  |   # thread will always be created.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   detect_thread_ratio: 1.5
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Cuda configuration.
 | 
						
						
						
							|  |  | cuda:
 | 
						
						
						
							|  |  |   # The "mpm" profile.  On not specifying any of these parameters, the engine's
 | 
						
						
						
							|  |  |   # internal default values are used, which are same as the ones specified here.
 | 
						
						
						
							|  |  |   - mpm:
 | 
						
						
						
							|  |  |       # Threshold limit for no of packets buffered to the GPU.  Once we hit this
 | 
						
						
						
							|  |  |       # limit, we pass the buffer to the gpu.
 | 
						
						
						
							|  |  |       packet_buffer_limit: 2400
 | 
						
						
						
							|  |  |       # The maximum length for a packet that we would buffer to the gpu.
 | 
						
						
						
							|  |  |       # Anything over this is MPM'ed on the CPU.  All entries > 0 are valid.
 | 
						
						
						
							|  |  |       # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
 | 
						
						
						
							|  |  |       packet_size_limit: 1500
 | 
						
						
						
							|  |  |       # No of packet buffers we initialize.  All entries > 0 are valid.
 | 
						
						
						
							|  |  |       packet_buffers: 10
 | 
						
						
						
							|  |  |       # The timeout limit for batching of packets in secs.  If we don't fill the
 | 
						
						
						
							|  |  |       # buffer within this timeout limit, we pass the currently filled buffer to the gpu.
 | 
						
						
						
							|  |  |       # All entries > 0 are valid.
 | 
						
						
						
							|  |  |       batching_timeout: 1
 | 
						
						
						
							|  |  |       # Specifies whether to use page_locked memory whereever possible.  Accepted values
 | 
						
						
						
							|  |  |       # are "enabled" and "disabled".
 | 
						
						
						
							|  |  |       page_locked: enabled
 | 
						
						
						
							|  |  |       # The device to use for the mpm.  Currently we don't support load balancing
 | 
						
						
						
							|  |  |       # on multiple gpus.  In case you have multiple devices on your system, you
 | 
						
						
						
							|  |  |       # can specify the device to use, using this conf.  By default we hold 0, to
 | 
						
						
						
							|  |  |       # specify the first device cuda sees.  To find out device_id associated with
 | 
						
						
						
							|  |  |       # the card(s) on the system run "suricata --list-cuda-cards".
 | 
						
						
						
							|  |  |       device_id: 0
 | 
						
						
						
							|  |  |       # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
 | 
						
						
						
							|  |  |       # For this option you need a device with Compute Capability > 1.0 and
 | 
						
						
						
							|  |  |       # page_locked enabled to have any effect.
 | 
						
						
						
							|  |  |       cuda_streams: 2
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Select the multi pattern algorithm you want to run for scan/search the
 | 
						
						
						
							|  |  | # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
 | 
						
						
						
							|  |  | # ac and ac-gfbs.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # The mpm you choose also decides the distribution of mpm contexts for
 | 
						
						
						
							|  |  | # signature groups, specified by the conf - "detect-engine.sgh_mpm_context".
 | 
						
						
						
							|  |  | # Selecting "ac" as the mpm would require "detect-engine.sgh_mpm_context"
 | 
						
						
						
							|  |  | # to be set to "single", because of ac's memory requirements, unless the
 | 
						
						
						
							|  |  | # ruleset is small enough to fit in one's memory, in which case one can
 | 
						
						
						
							|  |  | # use "full" with "ac".  Rest of the mpms can be run in "full" mode.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # There is also a CUDA pattern matcher (only available if Suricata was
 | 
						
						
						
							|  |  | # compiled with --enable-cuda: b2g_cuda. Make sure to update your
 | 
						
						
						
							|  |  | # max-pending-packets setting above as well if you use b2g_cuda.
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | mpm-algo: ac
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # The memory settings for hash size of these algorithms can vary from lowest
 | 
						
						
						
							|  |  | # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
 | 
						
						
						
							|  |  | # (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
 | 
						
						
						
							|  |  | # medium (1024) - high (2048).
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # For B2g/B3g algorithms, there is a support for two different scan/search
 | 
						
						
						
							|  |  | # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
 | 
						
						
						
							|  |  | # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
 | 
						
						
						
							|  |  | # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
 | 
						
						
						
							|  |  | # B3gSearchBNDMq.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # For B2g the different scan/search algorithms and, hash and bloom
 | 
						
						
						
							|  |  | # filter size settings. For B3g the different scan/search algorithms and, hash
 | 
						
						
						
							|  |  | # and bloom filter size settings. For wumanber the hash and bloom filter size
 | 
						
						
						
							|  |  | # settings.
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | pattern-matcher:
 | 
						
						
						
							|  |  |   - b2gc:
 | 
						
						
						
							|  |  |       search_algo: B2gSearchBNDMq
 | 
						
						
						
							|  |  |       hash_size: low
 | 
						
						
						
							|  |  |       bf_size: medium
 | 
						
						
						
							|  |  |   - b2gm:
 | 
						
						
						
							|  |  |       search_algo: B2gSearchBNDMq
 | 
						
						
						
							|  |  |       hash_size: low
 | 
						
						
						
							|  |  |       bf_size: medium
 | 
						
						
						
							|  |  |   - b2g:
 | 
						
						
						
							|  |  |       search_algo: B2gSearchBNDMq
 | 
						
						
						
							|  |  |       hash_size: low
 | 
						
						
						
							|  |  |       bf_size: medium
 | 
						
						
						
							|  |  |   - b3g:
 | 
						
						
						
							|  |  |       search_algo: B3gSearchBNDMq
 | 
						
						
						
							|  |  |       hash_size: low
 | 
						
						
						
							|  |  |       bf_size: medium
 | 
						
						
						
							|  |  |   - wumanber:
 | 
						
						
						
							|  |  |       hash_size: low
 | 
						
						
						
							|  |  |       bf_size: medium
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Flow settings:
 | 
						
						
						
							|  |  | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 | 
						
						
						
							|  |  | # for flow allocation inside the engine. You can change this value to allow
 | 
						
						
						
							|  |  | # more memory usage for flows.
 | 
						
						
						
							|  |  | # The hash_size determine the size of the hash used to identify flows inside
 | 
						
						
						
							|  |  | # the engine, and by default the value is 65536.
 | 
						
						
						
							|  |  | # At the startup, the engine can preallocate a number of flows, to get a better
 | 
						
						
						
							|  |  | # performance. The number of flows preallocated is 10000 by default.
 | 
						
						
						
							|  |  | # emergency_recovery is the percentage of flows that the engine need to
 | 
						
						
						
							|  |  | # prune before unsetting the emergency state. The emergency state is activated
 | 
						
						
						
							|  |  | # when the memcap limit is reached, allowing to create new flows, but
 | 
						
						
						
							|  |  | # prunning them with the emergency timeouts (they are defined below).
 | 
						
						
						
							|  |  | # If the memcap is reached, the engine will try to prune prune_flows
 | 
						
						
						
							|  |  | # with the default timeouts. If it doens't find a flow to prune, it will set
 | 
						
						
						
							|  |  | # the emergency bit and it will try again with more agressive timeouts.
 | 
						
						
						
							|  |  | # If that doesn't work, then it will try to kill the last time seen flows
 | 
						
						
						
							|  |  | # not in use.
 | 
						
						
						
							|  |  | # The memcap can be specified in kb, mb, gb.  Just a number indicates it's
 | 
						
						
						
							|  |  | # in bytes.
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | flow:
 | 
						
						
						
							|  |  |   memcap: 32mb
 | 
						
						
						
							|  |  |   hash_size: 65536
 | 
						
						
						
							|  |  |   prealloc: 10000
 | 
						
						
						
							|  |  |   emergency_recovery: 30
 | 
						
						
						
							|  |  |   prune_flows: 5
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Specific timeouts for flows. Here you can specify the timeouts that the
 | 
						
						
						
							|  |  | # active flows will wait to transit from the current state to another, on each
 | 
						
						
						
							|  |  | # protocol. The value of "new" determine the seconds to wait after a hanshake or
 | 
						
						
						
							|  |  | # stream startup before the engine free the data of that flow it doesn't
 | 
						
						
						
							|  |  | # change the state to established (usually if we don't receive more packets
 | 
						
						
						
							|  |  | # of that flow). The value of "established" is the amount of
 | 
						
						
						
							|  |  | # seconds that the engine will wait to free the flow if it spend that amount
 | 
						
						
						
							|  |  | # without receiving new packets or closing the connection. "closed" is the
 | 
						
						
						
							|  |  | # amount of time to wait after a flow is closed (usually zero).
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # There's an emergency mode that will become active under attack circumstances,
 | 
						
						
						
							|  |  | # making the engine to check flow status faster. This configuration variables
 | 
						
						
						
							|  |  | # use the prefix "emergency_" and work similar as the normal ones.
 | 
						
						
						
							|  |  | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
 | 
						
						
						
							|  |  | # icmp.
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | flow-timeouts:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   default:
 | 
						
						
						
							|  |  |     new: 30
 | 
						
						
						
							|  |  |     established: 300
 | 
						
						
						
							|  |  |     closed: 0
 | 
						
						
						
							|  |  |     emergency_new: 10
 | 
						
						
						
							|  |  |     emergency_established: 100
 | 
						
						
						
							|  |  |     emergency_closed: 0
 | 
						
						
						
							|  |  |   tcp:
 | 
						
						
						
							|  |  |     new: 60
 | 
						
						
						
							|  |  |     established: 3600
 | 
						
						
						
							|  |  |     closed: 120
 | 
						
						
						
							|  |  |     emergency_new: 10
 | 
						
						
						
							|  |  |     emergency_established: 300
 | 
						
						
						
							|  |  |     emergency_closed: 20
 | 
						
						
						
							|  |  |   udp:
 | 
						
						
						
							|  |  |     new: 30
 | 
						
						
						
							|  |  |     established: 300
 | 
						
						
						
							|  |  |     emergency_new: 10
 | 
						
						
						
							|  |  |     emergency_established: 100
 | 
						
						
						
							|  |  |   icmp:
 | 
						
						
						
							|  |  |     new: 30
 | 
						
						
						
							|  |  |     established: 300
 | 
						
						
						
							|  |  |     emergency_new: 10
 | 
						
						
						
							|  |  |     emergency_established: 100
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Stream engine settings. Here the TCP stream tracking and reaasembly
 | 
						
						
						
							|  |  | # engine is configured.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # stream:
 | 
						
						
						
							|  |  | #   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
 | 
						
						
						
							|  |  | #                               # number indicates it's in bytes.
 | 
						
						
						
							|  |  | #   checksum_validation: yes    # To validate the checksum of received
 | 
						
						
						
							|  |  | #                               # packet. If csum validation is specified as
 | 
						
						
						
							|  |  | #                               # "yes", then packet with invalid csum will not
 | 
						
						
						
							|  |  | #                               # be processed by the engine stream/app layer.
 | 
						
						
						
							|  |  | #                               # Warning: locally generated trafic can be
 | 
						
						
						
							|  |  | #                               # generated without checksum due to hardware offload
 | 
						
						
						
							|  |  | #                               # of checksum. You can control the handling of checksum
 | 
						
						
						
							|  |  | #				# on a per-interface basis via the 'checksum-checks'
 | 
						
						
						
							|  |  | #				# option
 | 
						
						
						
							|  |  | #   max_sessions: 262144        # 256k concurrent sessions
 | 
						
						
						
							|  |  | #   prealloc_sessions: 32768    # 32k sessions prealloc'd
 | 
						
						
						
							|  |  | #   midstream: false            # don't allow midstream session pickups
 | 
						
						
						
							|  |  | #   async_oneside: false        # don't enable async stream handling
 | 
						
						
						
							|  |  | #   inline: no                  # stream inline mode
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | #   reassembly:
 | 
						
						
						
							|  |  | #     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
 | 
						
						
						
							|  |  | #                               # indicates it's in bytes.
 | 
						
						
						
							|  |  | #     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
 | 
						
						
						
							|  |  | #                               # indicates it's in bytes.
 | 
						
						
						
							|  |  | #     toserver_chunk_size: 2560 # inspect raw stream in chunks of at least
 | 
						
						
						
							|  |  | #                               # this size.  Can be specified in kb, mb,
 | 
						
						
						
							|  |  | #                               # gb.  Just a number indicates it's in bytes.
 | 
						
						
						
							|  |  | #     toclient_chunk_size: 2560 # inspect raw stream in chunks of at least
 | 
						
						
						
							|  |  | #                               # this size.  Can be specified in kb, mb,
 | 
						
						
						
							|  |  | #                               # gb.  Just a number indicates it's in bytes.
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | stream:
 | 
						
						
						
							|  |  |   memcap: 32mb
 | 
						
						
						
							|  |  |   checksum_validation: yes      # reject wrong csums
 | 
						
						
						
							|  |  |   inline: no                    # no inline mode
 | 
						
						
						
							|  |  |   reassembly:
 | 
						
						
						
							|  |  |     memcap: 64mb
 | 
						
						
						
							|  |  |     depth: 1mb                  # reassemble 1mb into a stream
 | 
						
						
						
							|  |  |     toserver_chunk_size: 2560
 | 
						
						
						
							|  |  |     toclient_chunk_size: 2560
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Logging configuration.  This is not about logging IDS alerts, but
 | 
						
						
						
							|  |  | # IDS output about what its doing, errors, etc.
 | 
						
						
						
							|  |  | logging:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # The default log level, can be overridden in an output section.
 | 
						
						
						
							|  |  |   # Note that debug level logging will only be emitted if Suricata was
 | 
						
						
						
							|  |  |   # compiled with the --enable-debug configure option.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # This value is overriden by the SC_LOG_LEVEL env var.
 | 
						
						
						
							|  |  |   default-log-level: info
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # The default output format.  Optional parameter, should default to
 | 
						
						
						
							|  |  |   # something reasonable if not provided.  Can be overriden in an
 | 
						
						
						
							|  |  |   # output section.  You can leave this out to get the default.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # This value is overriden by the SC_LOG_FORMAT env var.
 | 
						
						
						
							|  |  |   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # A regex to filter output.  Can be overridden in an output section.
 | 
						
						
						
							|  |  |   # Defaults to empty (no filter).
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # This value is overriden by the SC_LOG_OP_FILTER env var.
 | 
						
						
						
							|  |  |   default-output-filter:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # Define your logging outputs.  If none are defined, or they are all
 | 
						
						
						
							|  |  |   # disabled you will get the default - console output.
 | 
						
						
						
							|  |  |   outputs:
 | 
						
						
						
							|  |  |   - console:
 | 
						
						
						
							|  |  |       enabled: yes
 | 
						
						
						
							|  |  |   - file:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       filename: /var/log/suricata.log
 | 
						
						
						
							|  |  |   - syslog:
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       facility: local5
 | 
						
						
						
							|  |  |       format: "[%i] <%d> -- "
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # PF_RING configuration. for use with native PF_RING support
 | 
						
						
						
							|  |  | # for more info see http://www.ntop.org/PF_RING.html
 | 
						
						
						
							|  |  | pfring:
 | 
						
						
						
							|  |  |   - interface: eth0
 | 
						
						
						
							|  |  |     # Number of receive threads (>1 will enable experimental flow pinned
 | 
						
						
						
							|  |  |     # runmode)
 | 
						
						
						
							|  |  |     threads: 1
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Default interface we will listen on.
 | 
						
						
						
							|  |  |     interface: eth0
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Default clusterid.  PF_RING will load balance packets based on flow.
 | 
						
						
						
							|  |  |     # All threads/processes that will participate need to have the same
 | 
						
						
						
							|  |  |     # clusterid.
 | 
						
						
						
							|  |  |     cluster-id: 99
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
 | 
						
						
						
							|  |  |     # This is only supported in versions of PF_RING > 4.1.1.
 | 
						
						
						
							|  |  |     cluster-type: cluster_round_robin
 | 
						
						
						
							|  |  |     # bpf filter for this interface
 | 
						
						
						
							|  |  |     #bpf-filter: tcp
 | 
						
						
						
							|  |  |     # Choose checksum verification mode for the interface. At the moment
 | 
						
						
						
							|  |  |     # of the capture, some packets may be with an invalid checksum due to
 | 
						
						
						
							|  |  |     # offloading to the network card of the checksum computation.
 | 
						
						
						
							|  |  |     # Possible values are:
 | 
						
						
						
							|  |  |     #  - rxonly: only compute checksum for packets received by network card.
 | 
						
						
						
							|  |  |     #  - yes: checksum validation is forced
 | 
						
						
						
							|  |  |     #  - no: checksum validation is disabled
 | 
						
						
						
							|  |  |     #  - auto: suricata uses a statistical approach to detect when
 | 
						
						
						
							|  |  |     #  checksum off-loading is used. (default)
 | 
						
						
						
							|  |  |     # Warning: 'checksum_validation' must be set to yes to have any validation
 | 
						
						
						
							|  |  |     #checksum-checks: auto
 | 
						
						
						
							|  |  |   # Second interface
 | 
						
						
						
							|  |  |   #- interface: eth1
 | 
						
						
						
							|  |  |   #  threads: 3
 | 
						
						
						
							|  |  |   #  cluster-id: 93
 | 
						
						
						
							|  |  |   #  cluster-type: cluster_flow
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | pcap:
 | 
						
						
						
							|  |  |   - interface: eth0
 | 
						
						
						
							|  |  |     #buffer-size: 32768
 | 
						
						
						
							|  |  |     #bpf-filter: "tcp and port 25"
 | 
						
						
						
							|  |  |     # Choose checksum verification mode for the interface. At the moment
 | 
						
						
						
							|  |  |     # of the capture, some packets may be with an invalid checksum due to
 | 
						
						
						
							|  |  |     # offloading to the network card of the checksum computation.
 | 
						
						
						
							|  |  |     # Possible values are:
 | 
						
						
						
							|  |  |     #  - yes: checksum validation is forced
 | 
						
						
						
							|  |  |     #  - no: checksum validation is disabled
 | 
						
						
						
							|  |  |     #  - auto: suricata uses a statistical approach to detect when
 | 
						
						
						
							|  |  |     #  checksum off-loading is used. (default)
 | 
						
						
						
							|  |  |     # Warning: 'checksum_validation' must be set to yes to have any validation
 | 
						
						
						
							|  |  |     #checksum-checks: auto
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # For FreeBSD ipfw(8) divert(4) support.
 | 
						
						
						
							|  |  | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
 | 
						
						
						
							|  |  | # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
 | 
						
						
						
							|  |  | # Additionally, you need to have an ipfw rule for the engine to see
 | 
						
						
						
							|  |  | # the packets from ipfw.  For Example:
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | #   ipfw add 100 divert 8000 ip from any to any
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # The 8000 above should be the same number you passed on the command
 | 
						
						
						
							|  |  | # line, i.e. -d 8000
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | ipfw:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # Reinject packets at the specified ipfw rule number.  This config
 | 
						
						
						
							|  |  |   # option is the ipfw rule number AT WHICH rule processing continues
 | 
						
						
						
							|  |  |   # in the ipfw processing system after the engine has finished
 | 
						
						
						
							|  |  |   # inspecting the packet for acceptance.  If no rule number is specified,
 | 
						
						
						
							|  |  |   # accepted packets are reinjected at the divert rule which they entered
 | 
						
						
						
							|  |  |   # and IPFW rule processing continues.  No check is done to verify
 | 
						
						
						
							|  |  |   # this will rule makes sense so care must be taken to avoid loops in ipfw.
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   ## The following example tells the engine to reinject packets
 | 
						
						
						
							|  |  |   # back into the ipfw firewall AT rule number 5500:
 | 
						
						
						
							|  |  |   #
 | 
						
						
						
							|  |  |   # ipfw-reinjection-rule-number: 5500
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Set the default rule path here to search for the files.
 | 
						
						
						
							|  |  | # if not set, it will look at the current working dir
 | 
						
						
						
							|  |  | default-rule-path: /etc/suricata/rules/
 | 
						
						
						
							|  |  | rule-files:
 | 
						
						
						
							|  |  |  - attack-responses.rules
 | 
						
						
						
							|  |  |  - backdoor.rules
 | 
						
						
						
							|  |  |  - bad-traffic.rules
 | 
						
						
						
							|  |  |  - chat.rules
 | 
						
						
						
							|  |  |  - ddos.rules
 | 
						
						
						
							|  |  |  - deleted.rules
 | 
						
						
						
							|  |  |  - dns.rules
 | 
						
						
						
							|  |  |  - dos.rules
 | 
						
						
						
							|  |  |  - experimental.rules
 | 
						
						
						
							|  |  |  - exploit.rules
 | 
						
						
						
							|  |  |  - finger.rules
 | 
						
						
						
							|  |  |  - ftp.rules
 | 
						
						
						
							|  |  |  - icmp-info.rules
 | 
						
						
						
							|  |  |  - icmp.rules
 | 
						
						
						
							|  |  |  - imap.rules
 | 
						
						
						
							|  |  |  - info.rules
 | 
						
						
						
							|  |  |  - local.rules
 | 
						
						
						
							|  |  |  - misc.rules
 | 
						
						
						
							|  |  |  - multimedia.rules
 | 
						
						
						
							|  |  |  - mysql.rules
 | 
						
						
						
							|  |  |  - netbios.rules
 | 
						
						
						
							|  |  |  - nntp.rules
 | 
						
						
						
							|  |  |  - oracle.rules
 | 
						
						
						
							|  |  |  - other-ids.rules
 | 
						
						
						
							|  |  |  - p2p.rules
 | 
						
						
						
							|  |  |  - policy.rules
 | 
						
						
						
							|  |  |  - pop2.rules
 | 
						
						
						
							|  |  |  - pop3.rules
 | 
						
						
						
							|  |  |  - porn.rules
 | 
						
						
						
							|  |  |  - rpc.rules
 | 
						
						
						
							|  |  |  - rservices.rules
 | 
						
						
						
							|  |  |  - scada.rules
 | 
						
						
						
							|  |  |  - scan.rules
 | 
						
						
						
							|  |  |  - shellcode.rules
 | 
						
						
						
							|  |  |  - smtp.rules
 | 
						
						
						
							|  |  |  - snmp.rules
 | 
						
						
						
							|  |  |  - specific-threats.rules
 | 
						
						
						
							|  |  |  - spyware-put.rules
 | 
						
						
						
							|  |  |  - sql.rules
 | 
						
						
						
							|  |  |  - telnet.rules
 | 
						
						
						
							|  |  |  - tftp.rules
 | 
						
						
						
							|  |  |  - virus.rules
 | 
						
						
						
							|  |  |  - voip.rules
 | 
						
						
						
							|  |  |  - web-activex.rules
 | 
						
						
						
							|  |  |  - web-attacks.rules
 | 
						
						
						
							|  |  |  - web-cgi.rules
 | 
						
						
						
							|  |  |  - web-client.rules
 | 
						
						
						
							|  |  |  - web-coldfusion.rules
 | 
						
						
						
							|  |  |  - web-frontpage.rules
 | 
						
						
						
							|  |  |  - web-iis.rules
 | 
						
						
						
							|  |  |  - web-misc.rules
 | 
						
						
						
							|  |  |  - web-php.rules
 | 
						
						
						
							|  |  |  - x11.rules
 | 
						
						
						
							|  |  |  - emerging-attack_response.rules
 | 
						
						
						
							|  |  |  - emerging-dos.rules
 | 
						
						
						
							|  |  |  - emerging-exploit.rules
 | 
						
						
						
							|  |  |  - emerging-game.rules
 | 
						
						
						
							|  |  |  - emerging-inappropriate.rules
 | 
						
						
						
							|  |  |  - emerging-malware.rules
 | 
						
						
						
							|  |  |  - emerging-p2p.rules
 | 
						
						
						
							|  |  |  - emerging-policy.rules
 | 
						
						
						
							|  |  |  - emerging-scan.rules
 | 
						
						
						
							|  |  |  - emerging-virus.rules
 | 
						
						
						
							|  |  |  - emerging-voip.rules
 | 
						
						
						
							|  |  |  - emerging-web.rules
 | 
						
						
						
							|  |  |  - emerging-web_client.rules
 | 
						
						
						
							|  |  |  - emerging-web_server.rules
 | 
						
						
						
							|  |  |  - emerging-web_specific_apps.rules
 | 
						
						
						
							|  |  |  - emerging-user_agents.rules
 | 
						
						
						
							|  |  |  - emerging-current_events.rules
 | 
						
						
						
							|  |  |  - decoder-events.rules # available in suricata sources under rules dir
 | 
						
						
						
							|  |  |  - stream-events.rules  # available in suricata sources under rules dir
 | 
						
						
						
							|  |  |  - http-events.rules    # available in suricata sources under rules dir
 | 
						
						
						
							|  |  |  - smtp-events.rules    # available in suricata sources under rules dir
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | classification-file: /etc/suricata/classification.config
 | 
						
						
						
							|  |  | reference-config-file: /etc/suricata/reference.config
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Holds variables that would be used by the engine.
 | 
						
						
						
							|  |  | vars:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # Holds the address group vars that would be passed in a Signature.
 | 
						
						
						
							|  |  |   # These would be retrieved during the Signature address parsing stage.
 | 
						
						
						
							|  |  |   address-groups:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     EXTERNAL_NET: "!$HOME_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     HTTP_SERVERS: "$HOME_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     SMTP_SERVERS: "$HOME_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     SQL_SERVERS: "$HOME_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     DNS_SERVERS: "$HOME_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     TELNET_SERVERS: "$HOME_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     AIM_SERVERS: "$EXTERNAL_NET"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # Holds the port group vars that would be passed in a Signature.
 | 
						
						
						
							|  |  |   # These would be retrieved during the Signature port parsing stage.
 | 
						
						
						
							|  |  |   port-groups:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     HTTP_PORTS: "80"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     SHELLCODE_PORTS: "!80"
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     ORACLE_PORTS: 1521
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     SSH_PORTS: 22
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Host specific policies for defragmentation and TCP stream
 | 
						
						
						
							|  |  | # reassembly.  The host OS lookup is done using a radix tree, just
 | 
						
						
						
							|  |  | # like a routing table so the most specific entry matches.
 | 
						
						
						
							|  |  | host-os-policy:
 | 
						
						
						
							|  |  |   # Make the default policy windows.
 | 
						
						
						
							|  |  |   windows: [0.0.0.0/0]
 | 
						
						
						
							|  |  |   bsd: []
 | 
						
						
						
							|  |  |   bsd_right: []
 | 
						
						
						
							|  |  |   old_linux: []
 | 
						
						
						
							|  |  |   linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
 | 
						
						
						
							|  |  |   old_solaris: []
 | 
						
						
						
							|  |  |   solaris: ["::1"]
 | 
						
						
						
							|  |  |   hpux10: []
 | 
						
						
						
							|  |  |   hpux11: []
 | 
						
						
						
							|  |  |   irix: []
 | 
						
						
						
							|  |  |   macos: []
 | 
						
						
						
							|  |  |   vista: []
 | 
						
						
						
							|  |  |   windows2k3: []
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Limit for the maximum number of asn1 frames to decode (default 256)
 | 
						
						
						
							|  |  | asn1_max_frames: 256
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | ###########################################################################
 | 
						
						
						
							|  |  | # Configure libhtp.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # default-config:       Used when no server-config matches
 | 
						
						
						
							|  |  | #   personality:        List of personalities used by default
 | 
						
						
						
							|  |  | #   request-body-limit: Limit reassembly of request body for inspection
 | 
						
						
						
							|  |  | #                       by http_client_body & pcre /P option.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # server-config:        List of server configurations to use if address matches
 | 
						
						
						
							|  |  | #   address:            List of ip addresses or networks for this block
 | 
						
						
						
							|  |  | #   personalitiy:       List of personalities used by this block
 | 
						
						
						
							|  |  | #   request-body-limit: Limit reassembly of request body for inspection
 | 
						
						
						
							|  |  | #                       by http_client_body & pcre /P option.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | # Currently Available Personalities:
 | 
						
						
						
							|  |  | #   Minimal
 | 
						
						
						
							|  |  | #   Generic
 | 
						
						
						
							|  |  | #   IDS (default)
 | 
						
						
						
							|  |  | #   IIS_4_0
 | 
						
						
						
							|  |  | #   IIS_5_0
 | 
						
						
						
							|  |  | #   IIS_5_1
 | 
						
						
						
							|  |  | #   IIS_6_0
 | 
						
						
						
							|  |  | #   IIS_7_0
 | 
						
						
						
							|  |  | #   IIS_7_5
 | 
						
						
						
							|  |  | #   Apache
 | 
						
						
						
							|  |  | #   Apache_2_2
 | 
						
						
						
							|  |  | ###########################################################################
 | 
						
						
						
							|  |  | libhtp:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |    default-config:
 | 
						
						
						
							|  |  |      personality: IDS
 | 
						
						
						
							|  |  |      # Can be specified in kb, mb, gb.  Just a number indicates
 | 
						
						
						
							|  |  |      # it's in bytes.
 | 
						
						
						
							|  |  |      request_body_limit: 3072
 | 
						
						
						
							|  |  |      response-body-limit: 3072
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |    server-config:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |      - apache:
 | 
						
						
						
							|  |  |          address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
 | 
						
						
						
							|  |  |          personality: Apache_2_2
 | 
						
						
						
							|  |  |          # Can be specified in kb, mb, gb.  Just a number indicates
 | 
						
						
						
							|  |  |          # it's in bytes.
 | 
						
						
						
							|  |  |          request_body_limit: 4096
 | 
						
						
						
							|  |  |          response-body-limit: 4096
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |      - iis7:
 | 
						
						
						
							|  |  |          address:
 | 
						
						
						
							|  |  |            - 192.168.0.0/24
 | 
						
						
						
							|  |  |            - 192.168.10.0/24
 | 
						
						
						
							|  |  |          personality: IIS_7_0
 | 
						
						
						
							|  |  |          # Can be specified in kb, mb, gb.  Just a number indicates
 | 
						
						
						
							|  |  |          # it's in bytes.
 | 
						
						
						
							|  |  |          request_body_limit: 4096
 | 
						
						
						
							|  |  |          response-body-limit: 4096
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Profiling settings. Only effective if Suricata has been built with the
 | 
						
						
						
							|  |  | # the --enable-profiling configure flag.
 | 
						
						
						
							|  |  | #
 | 
						
						
						
							|  |  | profiling:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # rule profiling
 | 
						
						
						
							|  |  |   rules:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Profiling can be disabled here, but it will still have a
 | 
						
						
						
							|  |  |     # performance impact if compiled in.
 | 
						
						
						
							|  |  |     enabled: yes
 | 
						
						
						
							|  |  |     filename: rule_perf.log
 | 
						
						
						
							|  |  |     append: yes
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Sort options: ticks, avgticks, checks, matches, maxticks
 | 
						
						
						
							|  |  |     sort: avgticks
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Limit the number of items printed at exit.
 | 
						
						
						
							|  |  |     limit: 100
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   # packet profiling
 | 
						
						
						
							|  |  |   packets:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # Profiling can be disabled here, but it will still have a
 | 
						
						
						
							|  |  |     # performance impact if compiled in.
 | 
						
						
						
							|  |  |     enabled: yes
 | 
						
						
						
							|  |  |     filename: packet_stats.log
 | 
						
						
						
							|  |  |     append: yes
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |     # per packet csv output
 | 
						
						
						
							|  |  |     csv:
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |       # Output can be disabled here, but it will still have a
 | 
						
						
						
							|  |  |       # performance impact if compiled in.
 | 
						
						
						
							|  |  |       enabled: no
 | 
						
						
						
							|  |  |       filename: packet_stats.csv
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | # Suricata core dump configuration. Limits the size of the core dump file to
 | 
						
						
						
							|  |  | # approximately max_dump. The actual core dump size will be a multiple of the
 | 
						
						
						
							|  |  | # page size. Core dumps that would be larger than max_dump are truncated. On
 | 
						
						
						
							|  |  | # Linux, the actual core dump size may be a few pages larger than max_dump.
 | 
						
						
						
							|  |  | # Setting max_dump to 0 disables core dumping.
 | 
						
						
						
							|  |  | # Setting max_dump to 'unlimited' will give the full core dump file.
 | 
						
						
						
							|  |  | # On 32-bit Linux, a max_dump value >= ULONG_MAX may cause the core dump size
 | 
						
						
						
							|  |  | # to be 'unlimited'.
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | coredump:
 | 
						
						
						
							|  |  |   max_dump: unlimited
 |