<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Freestyle Script";
panose-1:3 8 4 2 3 2 5 11 4 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hey guys, my suricata doesn’t seem to be logging. I am
running in non-daemon mode, so I can see the output and I tried using idswakeup,
nessus, nmap, and a few metasploit modules against the box with no avail. I was
running iptables prior, I disabled them during the test to see if my firewall
rules were causing any issues. I ran tcpdump with “tcp dst port 80”
and ran a Paros scan against the host, the IDS did not log or output anything
to stdout. I am using the emerging-all.rules file from emergingthreats. I have
pasted my config below:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>%YAML 1.1<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>---<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Number of packets allowed to be processed
simultaneously. Default is a<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># conservative 50. a higher number will make sure
CPU's/CPU cores will be<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># more easily kept busy, but will negatively impact
caching.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># If you are using the CUDA pattern matcher
(b2g_cuda below), different rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># apply. In that case try something like 4000 or
more. This is because the CUDA<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># pattern matcher scans many packets in parallel.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#max-pending-packets: 50<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Set the order of alerts bassed on actions<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># The default order is pass, drop, reject, alert<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>action-order:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - pass<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - drop<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - reject<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - alert<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># The default logging directory. Any log or
output file will be<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># placed here if its not specified with a full path
name. This can be<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># overridden with the -l command line parameter.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>default-log-dir: /var/log/suricata<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Configure the type of alert (and other) logging
you would like.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>outputs:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # a line based alerts log similar to Snort's
fast.log<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - fast:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: yes<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename: fast.log<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # log output for use with Barnyard<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - unified-log:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename: unified.log<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Limit in MB.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #limit: 32<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # alert output for use with Barnyard<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - unified-alert:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename:
unified.alert<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Limit in MB.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #limit: 32<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # alert output for use with Barnyard2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - unified2-alert:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: yes<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename:
unified2.alert<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Limit in MB.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #limit: 32<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # a line based log of HTTP requests (no
alerts)<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - http-log:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: yes<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename: http.log<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # a full alerts log containing much
information for signature writers<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # or for investigating suspected false
positives.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - alert-debug:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename:
alert-debug.log<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # alert output to prelude
(http://www.prelude-technologies.com/) only<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # available if Suricata has been compiled
with --enable-prelude<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - alert-prelude:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> profile: suricata<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>defrag:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> max-frags: 65535<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> prealloc: yes<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> timeout: 60<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># You can specify a threshold config file by setting
"threshold-file"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># to the path of the threshold config file:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># threshold-file: /etc/suricata/threshold.config<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># The detection engine builds internal groups of
signatures. The engine<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># allow us to specify the profile to use for them,
to manage memory on an<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># efficient way keeping a good performance. For the
profile keyword you<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#Â can use the words "low",
"medium", "high" or "custom". If you use custom<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># make sure to define the values at "-
custom-values" as your convenience.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Usually you would prefer medium/high/low<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>detect-engine:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - profile: medium<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - custom-values:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toclient_src_groups:
2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toclient_dst_groups:
2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toclient_sp_groups: 2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toclient_dp_groups: 3<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toserver_src_groups:
2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toserver_dst_groups:
4<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toserver_sp_groups: 2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> toserver_dp_groups:
25<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Suricata is multi-threaded. Here the threading can
be influenced.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>threading:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # On some cpu's/architectures it is
beneficial to tie individual threads<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # to specific CPU's/CPU cores. In this case
all threads are tied to CPU0,<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # and each extra CPU/core has one
"detect" thread.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # On Intel Core2 and Nehalem CPU's enabling
this will degrade performance.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> set_cpu_affinity: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # By default Suricata creates one
"detect" thread per available CPU/CPU core.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # This setting allows controlling this
behaviour. A ratio setting of 2 will<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # create 2 detect threads for each CPU/CPU
core. So for a dual core CPU this<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # will result in 4 detect threads. If values
below 1 are used, less threads<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # are created. So on a dual core CPU a
setting of 0.5 results in 1 detect<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # thread being created. Regardless of the
setting at a minimum 1 detect<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # thread will always be created.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> detect_thread_ratio: 1.5<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Select the cuda device to use. The device_id
identifies the device to be used<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># if one has multiple devices on the system.
To find out device_id associated<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># with the card(s) on the system run
"suricata --list-cuda-cards".<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>cuda:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> device_id: 0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Select the multi pattern algorithm you want to run
for scan/search the<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># in the engine. The supported algorithms are b2g,
b3g and wumanber.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># There is also a CUDA pattern matcher (only
available if Suricata was<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># compiled with --enable-cuda: b2g_cuda. Make sure
to update your<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># max-pending-packets setting above as well if you
use b2g_cuda.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>mpm-algo: b2g<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># The memory settings for hash size of these
algorithms can vary from lowest<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># (2048) - low (4096) - medium (8192) - high (16384)
- highest (32768) - max<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># (65536). The bloomfilter sizes of these algorithms
can vary from low (512) -<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># medium (1024) - high (2048).<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># For B2g/B3g algorithms, there is a support for two
different scan/search<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># algorithms. For B2g the scan algorithms are
B2gScan & B2gScanBNDMq, and<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># search algorithms are B2gSearch &
B2gSearchBNDMq. For B3g scan algorithms<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># are B3gScan & B3gScanBNDMq, and search
algorithms are B3gSearch &<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># B3gSearchBNDMq.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># For B2g the different scan/search algorithms and,
hash and bloom<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># filter size settings. For B3g the different
scan/search algorithms and, hash<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># and bloom filter size settings. For wumanber the
hash and bloom filter size<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># settings.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>pattern-matcher:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - b2g:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> scan_algo:
B2gScanBNDMq<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> search_algo:
B2gSearchBNDMq<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> hash_size: low<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> bf_size: medium<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - b3g:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> scan_algo:
B3gScanBNDMq<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> search_algo:
B3gSearchBNDMq<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> hash_size: low<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> bf_size: medium<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - wumanber:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> hash_size: low<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> bf_size: medium<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Flow settings:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># By default, the reserved memory (memcap) for flows
is 32MB. This is the limit<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># for flow allocation inside the engine. You can
change this value to allow<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># more memory usage for flows.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># The hash_size determine the size of the hash used
to identify flows inside<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># the engine, and by default the value is 65536.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># At the startup, the engine can preallocate a
number of flows, to get a better<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># performance. The number of flows preallocated is
10000 by default.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># emergency_recovery is the percentage of flows that
the engine need to<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># prune before unsetting the emergency state. The
emergency state is activated<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># when the memcap limit is reached, allowing to
create new flows, but<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># prunning them with the emergency timeouts (they
are defined below).<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># If the memcap is reached, the engine will try to
prune prune_flows<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># with the default timeouts. If it doens't find a
flow to prune, it will set<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># the emergency bit and it will try again with more
agressive timeouts.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># If that doesn't work, then it will try to kill the
last time seen flows<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># not in use.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>flow:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> memcap: 33554432<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> hash_size: 65536<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> prealloc: 10000<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_recovery: 30<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> prune_flows: 5<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Specific timeouts for flows. Here you can specify
the timeouts that the<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># active flows will wait to transit from the current
state to another, on each<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># protocol. The value of "new" determine
the seconds to wait after a hanshake or<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># stream startup before the engine free the data of
that flow it doesn't<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># change the state to established (usually if we
don't receive more packets<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># of that flow). The value of
"established" is the amount of<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># seconds that the engine will wait to free the flow
if it spend that amount<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># without receiving new packets or closing the
connection. "closed" is the<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># amount of time to wait after a flow is closed
(usually zero).<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># There's an emergency mode that will become active
under attack circumstances,<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># making the engine to check flow status faster.
This configuration variables<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># use the prefix "emergency_" and work
similar as the normal ones.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Some timeouts doesn't apply to all the protocols,
like "closed", for udp and<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># icmp.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>flow-timeouts:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> default:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> new: 30<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> established: 300<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> closed: 0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_new: 10<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_established: 100<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_closed: 0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> tcp:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> new: 60<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> established: 3600<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> closed: 120<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_new: 10<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_established: 300<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_closed: 20<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> udp:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> new: 30<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> established: 300<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_new: 10<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_established: 100<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> icmp:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> new: 30<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> established: 300<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_new: 10<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> emergency_established: 100<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Stream engine settings. Here the TCP stream
tracking and reaasembly<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># engine is configured.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># stream:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># memcap:
33554432 #
32mb tcp session memcap<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># max_sessions:
262144 # 256k concurrent sessions<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># prealloc_sessions:
32768 # 32k sessions prealloc'd<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># midstream:
false # don't
allow midstream session pickups<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># async_oneside:
false # don't enable async stream
handling<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># reassembly:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># memcap:
67108864 # 64mb tcp
reassembly memcap<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># depth: 1048576
# 1 MB reassembly depth<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>stream:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> memcap: 33554432<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> reassembly:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> memcap: 67108864<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> depth: 1048576<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Logging configuration. This is not about
logging IDS alerts, but<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IDS output about what its doing, errors, etc.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>logging:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # The default log level, can be overridden in
an output section.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Note that debug level logging will only be
emitted if Suricata was<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # compiled with the --enable-debug configure
option.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # This value is overriden by the SC_LOG_LEVEL
env var.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> default-log-level: info<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # The default output format. Optional
parameter, should default to<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # something reasonable if not provided.
Can be overriden in an<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # output section. You can leave this
out to get the default.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # This value is overriden by the
SC_LOG_FORMAT env var.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #default-log-format: "[%i] %t - (%f:%l)
<%d> (%n) -- "<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # A regex to filter output. Can be
overridden in an output section.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Defaults to empty (no filter).<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # This value is overriden by the
SC_LOG_OP_FILTER env var.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> default-output-filter:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Define your logging outputs. If none
are defined, or they are all<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # disabled you will get the default - console
output.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> outputs:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - console:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: yes<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - file:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> filename:
/var/log/suricata.log<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - syslog:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: no<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> facility: local5<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> format: "[%i]
<%d> -- "<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># PF_RING configuration. for use with native PF_RING
support<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># for more info see http://www.ntop.org/PF_RING.html<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>pfring:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Default interface we will listen on.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> interface: eth0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Default clusterid. PF_RING will load
balance packets based on flow.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # All threads/processes that will participate
need to have the same<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # clusterid.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> cluster-id: 99<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Default PF_RING cluster type. PF_RING can
load balance per flow or per hash.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # This is only supported in versions of
PF_RING > 4.1.1.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> cluster-type: cluster_round_robin<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># For FreeBSD ipfw(8) divert(4) support.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Please make sure you have ipfw_load="YES"
and ipdivert_load="YES"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># in /etc/loader.conf or kldload'ing the appropriate
kernel modules.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Additionally, you need to have an ipfw rule for
the engine to see<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># the packets from ipfw. For Example:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># ipfw add 100 divert 8000 ip from any
to any<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># The 8000 above should be the same number you
passed on the command<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># line, i.e. -d 8000<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>ipfw:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Reinject packets at the specified ipfw rule
number. This config<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # option is the ipfw rule number AT WHICH
rule processing continues<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # in the ipfw processing system after the
engine has finished<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # inspecting the packet for acceptance.
If no rule number is specified,<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # accepted packets are reinjected at the
divert rule which they entered<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # and IPFW rule processing continues.
No check is done to verify<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # this will rule makes sense so care must be
taken to avoid loops in ipfw.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> ## The following example tells the engine to
reinject packets<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # back into the ipfw firewall AT rule number
5500:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> #<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # ipfw-reinjection-rule-number: 5500<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Set the default rule path here to search for the
files.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># if not set, it will look at the current working
dir<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>default-rule-path: /etc/suricata/rules/<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>rule-files:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - attack-responses.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - backdoor.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - bad-traffic.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - chat.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - ddos.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - deleted.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - dns.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - dos.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - experimental.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - exploit.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - finger.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - ftp.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - icmp-info.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - icmp.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - imap.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - info.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - local.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - misc.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - multimedia.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - mysql.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - netbios.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - nntp.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - oracle.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - other-ids.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - p2p.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - policy.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - pop2.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - pop3.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - porn.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - rpc.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - rservices.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - scada.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - scan.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - shellcode.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - smtp.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - snmp.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - specific-threats.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - spyware-put.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - sql.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - telnet.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - tftp.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - virus.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - voip.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-activex.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-attacks.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-cgi.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-client.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-coldfusion.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-frontpage.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-iis.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-misc.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - web-php.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - x11.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-attack_response.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-dos.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-exploit.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-game.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-inappropriate.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-malware.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-p2p.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-policy.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-scan.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-virus.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-voip.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-web.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-web_client.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-web_server.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-web_specific_apps.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-user_agents.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># - emerging-current_events.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - emerging-all.rules<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>classification-file:
/etc/rules/classification.config<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Holds variables that would be used by the engine.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>vars:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Holds the address group vars that would be
passed in a Signature.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # These would be retrieved during the
Signature address parsing stage.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> address-groups:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> HOME_NET:
"[66.249.5.158]"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> EXTERNAL_NET: any<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> HTTP_SERVERS:
"$HOME_NET"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> SMTP_SERVERS:
"$HOME_NET"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> SQL_SERVERS:
"$HOME_NET"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> DNS_SERVERS:
"$HOME_NET"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> TELNET_SERVERS:
"$HOME_NET"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> AIM_SERVERS: any<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Holds the port group vars that would be
passed in a Signature.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # These would be retrieved during the
Signature port parsing stage.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> port-groups:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> HTTP_PORTS: "80"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> SHELLCODE_PORTS: "!80"<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> ORACLE_PORTS: 1521<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> SSH_PORTS: 22<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Host specific policies for defragmentation and TCP
stream<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># reassembly. The host OS lookup is done using
a radix tree, just<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># like a routing table so the most specific entry
matches.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>host-os-policy:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Make the default policy windows.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> windows: [0.0.0.0/0]<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> bsd: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> bsd_right: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> old_linux: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> linux: [10.0.0.0/8, 192.168.1.100,
"8762:2352:6241:7245:E000:0000:0000:0000"]<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> old_solaris: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> solaris: ["::1"]<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> hpux10: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> hpux11: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> irix: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> macos: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> vista: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> windows2k3: []<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>###########################################################################<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Configure libhtp.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># default-config: Used when no server-config
matches<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># personality: List of
personalities used by default<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># server-config: List of server
configurations to use if address matches<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#
address: List of ip addresses or networks
for this block<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># personalitiy: List of
personalities used by this block<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Currently Available Personalities:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Minimal<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Generic<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IDS (default)<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IIS_4_0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IIS_5_0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IIS_5_1<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IIS_6_0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IIS_7_0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># IIS_7_5<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Apache<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># Apache_2_2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>###########################################################################<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>libhtp:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> default-config:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> personality: IDS<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> server-config:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - apache:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>
address: [66.249.5.158]<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>
personality: Apache_2_2<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> - iis7:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>
address:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>
- 192.168.0.0/24<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>
- 192.168.10.0/24<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>
personality: IIS_7_0<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># rule profiling settings. Only effective if
Suricata has been built with the<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'># the --enable-profiling configure flag.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>#<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'>profiling:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> rules:<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Profiling can be disabled here,
but it will still have a<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # performance impact if compiled
in.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> enabled: yes<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Sort options: ticks, avgticks,
checks, matches<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> sort: avgticks<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> # Limit the number of items
printed at exit.<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'> limit: 100<o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;
font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:16.0pt;font-family:"Freestyle Script"'>Thanks,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:18.0pt;font-family:"Freestyle Script"'>Matthew
Bergin<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:16.0pt;font-family:"Freestyle Script"'><o:p> </o:p></span></p>
<p class=MsoNormal><b><span style='font-size:18.0pt;font-family:"Freestyle Script"'>Matthew
Scott Bergin<o:p></o:p></span></b></p>
<p class=MsoNormal><img width=102 height=102 id="Picture_x0020_1"
src="cid:image003.jpg@01CB452A.84C50B00" alt="GPEN_small"><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>