<div dir="ltr">Hello,<div><br></div><div>Could you please help with the configuration of suricata.yaml for Suricata 2.0? I am using the default rules from emergingthreats. I made some tweaks in the configuration file, but I still have about 25% packet drops (capture.kernel_drops) at 340 Mbps network bandwidth. <br>
</div><div><br></div><div>This is the configuration file:</div>
<pre>
%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml</a>


# Number of packets allowed to be processed simultaneously. Default is a
# conservative 1024. A higher number will make sure CPU's/CPU cores will be
# more easily kept busy, but may negatively impact caching.
#
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
# apply. In that case try something like 60000 or more. This is because the CUDA
# pattern matcher buffers and scans as many packets as possible in parallel.
max-pending-packets: 65000

# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
runmode: autofp

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
#
# Supported schedulers are:
#
# round-robin       - Flows assigned to threads in a round robin fashion.
# active-packets    - Flows assigned to threads that have the lowest number of
#                     unprocessed packets (default).
# hash              - Flow allotted using the address hash. More of a random
#                     technique. Was the default in Suricata 1.2.1 and older.
#
#autofp-scheduler: active-packets

# If suricata box is a router for the sniffed networks, set it to 'router'. If
# it is a pure sniffing setup, set it to 'sniffer-only'.
# If set to auto, the variable is internally switched to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords.
host-mode: auto

# Run suricata as user and group.
#run-as:
#  user: suri
#  group: suri

# Default pid file.
# Will use this file if no --pidfile in command options.
#pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/

# Unix command socket can be used to pass commands to suricata.
# An external tool can then connect to get information from suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. You can use the filename variable to set
# the file name of the socket.
unix-command:
  enabled: no
  #filename: custom.socket

# Configure the type of alert (and other) logging you would like.
outputs:

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: no
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop
        - ssh

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      #limit: 32mb

      # Sensor ID field of unified2 alerts.
      #sensor-id: 0

      # HTTP X-Forwarded-For support by adding the unified2 extra header that
      # will contain the actual client IP address or by overwriting the source
      # IP address (helpful when inspecting traffic that is being reverse
      # proxied).
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version of the packet
        # received, it will fall-back to "extra-data" mode.
        mode: extra-data
        # Header name where the actual IP address will be reported, if more than
        # one IP address is present, the last IP address will be the one taken
        # into consideration.
        header: X-Forwarded-For

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: no
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files

  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log to be used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output
  # if used with another kind of input). It can interoperate with
  # pcap parser like wireshark via the suriwire plugin.
  - pcap-info:
      enabled: no

  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  # and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or as specified by "dir". In Sguil mode "dir" indicates the base directory.
  # In this base dir the pcaps are created in the directory structure Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.&lt;timestamp&gt;
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled: no
      filename: log.pcap

      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 1000mb

      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
      max-files: 2000

      mode: normal # normal or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # alert output to prelude (<a href="http://www.prelude-technologies.com/">http://www.prelude-technologies.com/</a>) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes

  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 10

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.&lt;id&gt;" where &lt;id&gt; is
  # an incrementing number starting at 1. For each file "file.&lt;id&gt;" a meta
  # file "file.&lt;id&gt;.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  # - http request / response body sizes. Again set to 0 for optimal results.
  # - rules that contain the "filestore" keyword.
  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      force-md5: no     # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

      force-magic: no   # force logging magic on all logged files
      force-md5: no     # force logging of md5 checksums

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
magic-file: /usr/share/file/magic

# When running in NFQ inline mode, it is possible to use a simulated
# non-terminal NFQUEUE verdict.
# This permits sending all needed packets to suricata via a rule like this:
# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
# And below, you can have your standard filtering ruleset. To activate
# this mode, you need to set mode to 'repeat'
# If you want packets to be sent to another queue after an ACCEPT decision
# set mode to 'route' and set next-queue value.
# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
# by processing several packets before sending a verdict (worker runmode only).
# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
# accept the packet if suricata is not able to keep pace.
nfq:
#  mode: accept
#  repeat-mark: 1
#  repeat-mask: 1
#  route-queue: 2
#  batchcount: 20
#  fail-open: yes

# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible values are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have really network
    # intensive single-flow you could want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # On busy systems, setting this to yes could help to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being treated.
    #use-emergency-flush: yes
    # recv buffer size, increasing the value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # offloading of the checksum computation to the network card.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #    checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packets matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: 2
    #use-mmap: yes

legacy:
  uricontent: enabled

# You can specify a threshold config file by setting "threshold-file"
# to the path of the threshold config file:
# threshold-file: /etc/suricata/threshold.config

# The detection engine builds internal groups of signatures. The engine
# allows us to specify the profile to use for them, to manage memory in an
# efficient way while keeping good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low.
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups. "single" indicates the use of a single context for
# all the signature group heads. "full" indicates a mpm-context for each
# group head. "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion.
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  # will trigger a live rule reload. Experimental feature, use with care.
  #- rule-reload: true
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #- delayed-detect: yes

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  # On some cpu's/architectures it is beneficial to tie individual threads
  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
  # and each extra CPU/core has one "detect" thread.
  #
  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
  #
  set-cpu-affinity: no
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, fewer threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting at a minimum 1 detect
  # thread will always be created.
  #
  detect-thread-ratio: 0.5

# Cuda configuration.
cuda:
  # The "mpm" profile. On not specifying any of these parameters, the engine's
  # internal default values are used, which are the same as the ones specified
  # in the default conf file.
  mpm:
    # The minimum length required to buffer data to the gpu.
    # Anything below this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
    # A value of 0 indicates there's no limit.
    data-buffer-size-min-limit: 0
    # The maximum length for data that we would buffer to the gpu.
    # Anything over this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
    data-buffer-size-max-limit: 1500
    # The ring buffer size used by the CudaBuffer API to buffer data.
    cudabuffer-buffer-size: 500mb
    # The max chunk size that can be sent to the gpu in a single go.
    gpu-transfer-size: 95mb
    # The timeout limit for batching of packets in microseconds.
    batching-timeout: 400
    # The device to use for the mpm. Currently we don't support load balancing
    # on multiple gpus. In case you have multiple devices on your system, you
    # can specify the device to use, using this conf. By default we hold 0, to
    # specify the first device cuda sees. To find out the device-id associated with
    # the card(s) on the system run "suricata --list-cuda-cards".
    device-id: 1
    # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
    # For this option you need a device with Compute Capability > 1.0.
    cuda-streams: 2

# Select the multi pattern algorithm you want to run for scan/search
# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
# ac and ac-gfbs.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". The rest of the mpms can be run in "full" mode.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda): b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.

mpm-algo: ac

# The memory settings for hash size of these algorithms can vary from lowest
# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
# medium (1024) - high (2048).
#
# For B2g/B3g algorithms, there is support for two different scan/search
# algorithms. For B2g the scan algorithms are B2gScan &amp; B2gScanBNDMq, and
# search algorithms are B2gSearch &amp; B2gSearchBNDMq. For B3g scan algorithms
# are B3gScan &amp; B3gScanBNDMq, and search algorithms are B3gSearch &amp;
# B3gSearchBNDMq.
#
# For B2g the different scan/search algorithms and, hash and bloom
# filter size settings. For B3g the different scan/search algorithms and, hash
# and bloom filter size settings. For wumanber the hash and bloom filter size
# settings.

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

# Defrag settings:

defrag:
  memcap: 2gb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At startup, the engine can preallocate a number of flows, to get better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing new flows to be created, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb. Just a number indicates it's
# in bytes.

flow:
  memcap: 2gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

# This option controls the use of vlan ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# setups where both sides of a flow are not tagged with the same vlan
# tag, we can ignore the vlan id's in the flow hashing.
vlan:
  use-for-tracking: true

# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determines the seconds to wait after a handshake or
# stream startup before the engine frees the data of that flow if it doesn't
# change the state to established (usually if we don't receive more packets
# of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spends that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero).
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine check flow status faster. These configuration variables
# use the prefix "emergency-" and work similarly to the normal ones.
# Some timeouts don't apply to all the protocols, like "closed", for udp and
# icmp.

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 32mb                # Can be specified in kb, mb, gb. Just a
#                               # number indicates it's in bytes.
#   checksum-validation: yes    # To validate the checksum of received
#                               # packet. If csum validation is specified as
#                               # "yes", then packet with invalid csum will not
#                               # be processed by the engine stream/app layer.
#                               # Warning: locally generated traffic can be
#                               # generated without checksum due to hardware offload
#                               # of checksum. You can control the handling of checksum
#                               # on a per-interface basis via the 'checksum-checks'
#                               # option
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
#   midstream: false            # don't allow midstream session pickups
#   async-oneside: false        # don't enable async stream handling
#   inline: no                  # stream inline mode
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
#
#   reassembly:
#     memcap: 64mb              # Can be specified in kb, mb, gb. Just a number
#                               # indicates it's in bytes.
#     depth: 1mb                # Can be specified in kb, mb, gb. Just a number
#                               # indicates it's in bytes.
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size. Can be specified in kb, mb,
#                               # gb. Just a number indicates it's in bytes.
#                               # The max acceptable size is 4024 bytes.
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size. Can be specified in kb, mb,
#                               # gb. Just a number indicates it's in bytes.
#                               # The max acceptable size is 4024 bytes.
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
#                               # This lowers the risk of some evasion techniques but could lead
#                               # to detection changes between runs. It is set to 'yes' by default.
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
#                               # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
#                               # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
#                               # of randomize-chunk-range is 10.
#
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
#                               # raw is for content inspection by detection
#                               # engine.
#
#     chunk-prealloc: 250       # Number of preallocated stream chunks. These
</pre>
<div># # are used during stream inspection (raw).</div><div># segments: # Settings for reassembly segment pool.</div><div># - size: 4 # Size of the (data)segment for a pool</div>
<div># prealloc: 256 # Number of segments to prealloc and keep</div><div># # in the pool.</div><div>#</div><div>stream:</div><div> memcap: 2gb</div><div> checksum-validation: yes # reject wrong csums</div>
<div> inline: auto # auto will use inline mode in IPS mode, yes or no set it statically</div><div> reassembly:</div><div> memcap: 2gb</div><div> depth: 5mb # reassemble 1mb into a stream</div>
<div> toserver-chunk-size: 2560</div><div> toclient-chunk-size: 2560</div><div> randomize-chunk-size: yes</div><div> #randomize-chunk-range: 10</div><div> #raw: yes</div><div> #chunk-prealloc: 250</div><div>
#segments:</div><div> # - size: 4</div><div> # prealloc: 256</div><div> # - size: 16</div><div> # prealloc: 512</div><div> # - size: 112</div><div> # prealloc: 512</div><div> # - size: 248</div>
<div> # prealloc: 512</div><div> # - size: 512</div><div> # prealloc: 512</div><div> # - size: 768</div><div> # prealloc: 1024</div><div> # - size: 1448</div><div> # prealloc: 1024</div>
<div> # - size: 65535</div><div> # prealloc: 128</div><div><br></div><div># Host table:</div><div>#</div><div># Host table is used by tagging and per host thresholding subsystems.</div><div>#</div><div>host:</div>
<div> hash-size: 4096</div><div> prealloc: 1000</div><div> memcap: 16777216</div><div><br></div><div># Logging configuration. This is not about logging IDS alerts, but</div><div># IDS output about what its doing, errors, etc.</div>
<div>logging:</div><div><br></div><div> # The default log level, can be overridden in an output section.</div><div> # Note that debug level logging will only be emitted if Suricata was</div><div> # compiled with the --enable-debug configure option.</div>
<div> #</div><div> # This value is overriden by the SC_LOG_LEVEL env var.</div><div> default-log-level: notice</div><div><br></div><div> # The default output format. Optional parameter, should default to</div><div> # something reasonable if not provided. Can be overriden in an</div>
<div> # output section. You can leave this out to get the default.</div><div> #</div><div> # This value is overriden by the SC_LOG_FORMAT env var.</div><div> #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "</div>
<div><br></div><div> # A regex to filter output. Can be overridden in an output section.</div><div> # Defaults to empty (no filter).</div><div> #</div><div> # This value is overriden by the SC_LOG_OP_FILTER env var.</div>
<div> default-output-filter:</div><div><br></div><div> # Define your logging outputs. If none are defined, or they are all</div><div> # disabled you will get the default - console output.</div><div> outputs:</div><div>
- console:</div><div> enabled: yes</div><div> - file:</div><div> enabled: no</div><div> filename: /var/log/suricata.log</div><div> - syslog:</div><div> enabled: no</div><div> facility: local5</div>
<div> format: "[%i] <%d> -- "</div><div><br></div><div># Tilera mpipe configuration. for use on Tilera TILE-Gx.</div><div>mpipe:</div><div><br></div><div> # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".</div>
<div> load-balance: dynamic</div><div><br></div><div> # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536</div><div> iqueue-packets: 2048</div><div><br></div><div> # List of interfaces we will listen on.</div>
<div> inputs:</div><div> - interface: xgbe2</div><div> - interface: xgbe3</div><div> - interface: xgbe4</div><div><br></div><div><br></div><div> # Relative weight of memory for packets of each mPipe buffer size.</div>
<div> stack:</div><div> size128: 0</div><div> size256: 9</div><div> size512: 0</div><div> size1024: 0</div><div> size1664: 7</div><div> size4096: 0</div><div> size10386: 0</div><div> size16384: 0</div>
<div><br></div><div># PF_RING configuration. for use with native PF_RING support</div><div># for more info see <a href="http://www.ntop.org/PF_RING.html">http://www.ntop.org/PF_RING.html</a></div><div>pfring:</div><div> - interface: eth0</div>
<div> # Number of receive threads (>1 will enable experimental flow pinned</div><div> # runmode)</div><div> threads: 1</div><div><br></div><div> # Default clusterid. PF_RING will load balance packets based on flow.</div>
<div> # All threads/processes that will participate need to have the same</div><div> # clusterid.</div><div> cluster-id: 99</div><div><br></div><div> # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.</div>
<div> # This is only supported in versions of PF_RING > 4.1.1.</div><div> cluster-type: cluster_flow</div><div> # bpf filter for this interface</div><div> #bpf-filter: tcp</div><div> # Choose checksum verification mode for the interface. At the moment</div>
<div> # of the capture, some packets may be with an invalid checksum due to</div><div> # offloading to the network card of the checksum computation.</div><div> # Possible values are:</div><div> # - rxonly: only compute checksum for packets received by network card.</div>
<div> # - yes: checksum validation is forced</div><div> # - no: checksum validation is disabled</div><div> # - auto: suricata uses a statistical approach to detect when</div><div> # checksum off-loading is used. (default)</div>
<div> # Warning: 'checksum-validation' must be set to yes to have any validation</div><div> #checksum-checks: auto</div><div> # Second interface</div><div> #- interface: eth1</div><div> # threads: 3</div>
<div> # cluster-id: 93</div><div> # cluster-type: cluster_flow</div><div> # Put default values here</div><div> - interface: default</div><div> #threads: 2</div><div><br></div><div>pcap:</div><div> - interface: eth0</div>
<div> # On Linux, pcap will try to use mmaped capture and will use buffer-size</div><div> # as total of memory used by the ring. So set this to something bigger</div><div> # than 1% of your bandwidth.</div><div> #buffer-size: 16777216</div>
<div> #bpf-filter: "tcp and port 25"</div><div> # Choose checksum verification mode for the interface. At the moment</div><div> # of the capture, some packets may be with an invalid checksum due to</div>
<div> # offloading to the network card of the checksum computation.</div><div> # Possible values are:</div><div> # - yes: checksum validation is forced</div><div> # - no: checksum validation is disabled</div>
<div> # - auto: suricata uses a statistical approach to detect when</div><div> # checksum off-loading is used. (default)</div><div> # Warning: 'checksum-validation' must be set to yes to have any validation</div>
<div> #checksum-checks: auto</div><div> # With some accelerator cards using a modified libpcap (like myricom), you</div><div> # may want to have the same number of capture threads as the number of capture</div><div>
# rings. In this case, set up the threads variable to N to start N threads</div><div> # listening on the same interface.</div><div> #threads: 16</div><div> # set to no to disable promiscuous mode:</div><div> #promisc: no</div>
<div> # set snaplen, if not set it defaults to MTU if MTU can be known</div><div> # via ioctl call and to full capture if not.</div><div> #snaplen: 1518</div><div> # Put default values here</div><div> - interface: default</div>
<div> #checksum-checks: auto</div><div><br></div><div>pcap-file:</div><div> # Possible values are:</div><div> # - yes: checksum validation is forced</div><div> # - no: checksum validation is disabled</div><div> # - auto: suricata uses a statistical approach to detect when</div>
<div> # checksum off-loading is used. (default)</div><div> # Warning: 'checksum-validation' must be set to yes to have checksum tested</div><div> checksum-checks: auto</div><div><br></div><div># For FreeBSD ipfw(8) divert(4) support.</div>
<div># Please make sure you have ipfw_load="YES" and ipdivert_load="YES"</div><div># in /etc/loader.conf or kldload'ing the appropriate kernel modules.</div><div># Additionally, you need to have an ipfw rule for the engine to see</div>
<div># the packets from ipfw. For Example:</div><div>#</div><div># ipfw add 100 divert 8000 ip from any to any</div><div>#</div><div># The 8000 above should be the same number you passed on the command</div><div># line, i.e. -d 8000</div>
<div>#</div><div>ipfw:</div><div><br></div><div> # Reinject packets at the specified ipfw rule number. This config</div><div> # option is the ipfw rule number AT WHICH rule processing continues</div><div> # in the ipfw processing system after the engine has finished</div>
<div> # inspecting the packet for acceptance. If no rule number is specified,</div><div> # accepted packets are reinjected at the divert rule which they entered</div><div> # and IPFW rule processing continues. No check is done to verify</div>
<div> # this will rule makes sense so care must be taken to avoid loops in ipfw.</div><div> #</div><div> ## The following example tells the engine to reinject packets</div><div> # back into the ipfw firewall AT rule number 5500:</div>
<div> #</div><div> # ipfw-reinjection-rule-number: 5500</div><div><br></div><div># Set the default rule path here to search for the files.</div><div># if not set, it will look at the current working dir</div><div>default-rule-path: /etc/suricata/rules</div>
<div>rule-files:</div><div> - snort.rules</div><div># - botcc.portgrouped.rules</div><div># - botcc.rules</div><div># - ciarmy.rules</div><div># - compromised.rules</div><div># - decoder-events.rules</div><div># - drop.rules</div>
<div># - dshield.rules</div><div># - emerging-activex.rules</div><div># - emerging-attack_response.rules</div><div># - emerging-chat.rules</div><div># - emerging-current_events.rules</div><div># #- emerging-deleted.rules</div>
<div># - emerging-dns.rules</div><div># - emerging-dos.rules</div><div># - emerging-exploit.rules</div><div># - emerging-ftp.rules</div><div># - emerging-games.rules</div><div># - emerging-icmp_info.rules</div><div># - emerging-icmp.rules</div>
<div># - emerging-imap.rules</div><div># - emerging-inappropriate.rules</div><div># - emerging-info.rules</div><div># - emerging-malware.rules</div><div># - emerging-misc.rules</div><div># - emerging-mobile_malware.rules</div>
<div># - emerging-netbios.rules</div><div># - emerging-p2p.rules</div><div># - emerging-policy.rules</div><div># - emerging-pop3.rules</div><div># - emerging-rpc.rules</div><div># - emerging-scada.rules</div><div># - emerging-scan.rules</div>
<div># - emerging-shellcode.rules</div><div># - emerging-smtp.rules</div><div># - emerging-snmp.rules</div><div># - emerging-sql.rules</div><div># - emerging-telnet.rules</div><div># - emerging-tftp.rules</div><div># - emerging-trojan.rules</div>
<div># - emerging-user_agents.rules</div><div># - emerging-voip.rules</div><div># - emerging-web_client.rules</div><div># - emerging-web_server.rules</div><div># - emerging-web_specific_apps.rules</div><div># - emerging-worm.rules</div>
<div># - files.rules</div><div># - http-events.rules</div><div># - rbn-malvertisers.rules</div><div># - rbn.rules</div><div># - smtp-events.rules</div><div># - stream-events.rules</div><div># - tls-events.rules</div><div>
# - tor.rules</div><div> # decoder-events.rules # available in suricata sources under rules dir</div><div> # stream-events.rules # available in suricata sources under rules dir</div><div> # http-events.rules # available in suricata sources under rules dir</div>
<div> # smtp-events.rules # available in suricata sources under rules dir</div><div> # dns-events.rules # available in suricata sources under rules dir</div><div> #- tls-events.rules # available in suricata sources under rules dir</div>
<div><br></div><div>classification-file: /etc/suricata/rules/classification.config</div><div>reference-config-file: /etc/suricata/rules/reference.config</div><div><br></div><div># Holds variables that would be used by the engine.</div>
<div>vars:</div><div><br></div><div> # Holds the address group vars that would be passed in a Signature.</div><div> # These would be retrieved during the Signature address parsing stage.</div><div> address-groups:</div>
<div><br></div><div> HOME_NET: "[<a href="http://192.168.1.3/32">192.168.1.3/32</a>]"</div><div><br></div><div> EXTERNAL_NET: "!$HOME_NET"</div><div><br></div><div> HTTP_SERVERS: "$HOME_NET"</div>
<div><br></div><div> SMTP_SERVERS: "$HOME_NET"</div><div><br></div><div> SQL_SERVERS: "$HOME_NET"</div><div><br></div><div> DNS_SERVERS: "$HOME_NET"</div><div><br></div><div> TELNET_SERVERS: "$HOME_NET"</div>
<div><br></div><div> AIM_SERVERS: "$EXTERNAL_NET"</div><div><br></div><div> DNP3_SERVER: "$HOME_NET"</div><div><br></div><div> DNP3_CLIENT: "$HOME_NET"</div><div><br></div><div> MODBUS_CLIENT: "$HOME_NET"</div>
<div><br></div><div> MODBUS_SERVER: "$HOME_NET"</div><div><br></div><div> ENIP_CLIENT: "$HOME_NET"</div><div><br></div><div> ENIP_SERVER: "$HOME_NET"</div><div><br></div><div> # Holds the port group vars that would be passed in a Signature.</div>
<div> # These would be retrieved during the Signature port parsing stage.</div><div> port-groups:</div><div><br></div><div> HTTP_PORTS: "80"</div><div><br></div><div> SHELLCODE_PORTS: "!80"</div>
<div><br></div><div> ORACLE_PORTS: 1521</div><div><br></div><div> SSH_PORTS: 22</div><div><br></div><div> DNP3_PORTS: 20000</div><div><br></div><div># Set the order of alerts bassed on actions</div><div># The default order is pass, drop, reject, alert</div>
<div>action-order:</div><div> - pass</div><div> - drop</div><div> - reject</div><div> - alert</div><div><br></div><div># IP Reputation</div><div>#reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt</div>
<div>#default-reputation-path: /usr/local/etc/suricata/iprep</div><div>#reputation-files:</div><div># - reputation.list</div><div><br></div><div># Host specific policies for defragmentation and TCP stream</div><div># reassembly. The host OS lookup is done using a radix tree, just</div>
<div># like a routing table so the most specific entry matches.</div><div>host-os-policy:</div><div> # Make the default policy windows.</div><div> windows: []</div><div> bsd: []</div><div> bsd-right: []</div><div> old-linux: []</div>
<div> linux: [<a href="http://192.168.1.0/24">192.168.1.0/24</a>, <a href="http://192.168.1.0/24">192.168.1.0/24</a>, "8762:2352:6241:7245:E000:0000:0000:0000"]</div><div> old-solaris: []</div><div> solaris: ["::1"]</div>
<div> hpux10: []</div><div> hpux11: []</div><div> irix: []</div><div> macos: []</div><div> vista: []</div><div> windows2k3: []</div><div><br></div><div><br></div><div># Limit for the maximum number of asn1 frames to decode (default 256)</div>
<div>asn1-max-frames: 256</div><div><br></div><div># When run with the option --engine-analysis, the engine will read each of</div><div># the parameters below, and print reports for each of the enabled sections</div><div>
# and exit. The reports are printed to a file in the default log dir</div><div># given by the parameter "default-log-dir", with engine reporting</div><div># subsection below printing reports in its own report file.</div>
<div>engine-analysis:</div><div> # enables printing reports for fast-pattern for every rule.</div><div> rules-fast-pattern: yes</div><div> # enables printing reports for each rule</div><div> rules: yes</div><div><br></div>
<div>#recursion and match limits for PCRE where supported</div><div>pcre:</div><div> match-limit: 3500</div><div> match-limit-recursion: 1500</div><div><br></div><div># Holds details on the app-layer. The protocols section details each protocol.</div>
<div># Under each protocol, the default value for detection-enabled and "</div><div># parsed-enabled is yes, unless specified otherwise.</div><div># Each protocol covers enabling/disabling parsers for all ipprotos</div>
<div># the app-layer protocol runs on. For example "dcerpc" refers to the tcp</div><div># version of the protocol as well as the udp version of the protocol.</div><div># The option "enabled" takes 3 values - "yes", "no", "detection-only".</div>
<div># "yes" enables both detection and the parser, "no" disables both, and</div><div># "detection-only" enables detection only(parser disabled).</div><div>app-layer:</div><div> protocols:</div>
<div> tls:</div><div> enabled: yes</div><div> detection-ports:</div><div> toserver: 443</div><div><br></div><div> #no-reassemble: yes</div><div> dcerpc:</div><div> enabled: yes</div><div> ftp:</div>
<div> enabled: yes</div><div> ssh:</div><div> enabled: yes</div><div> smtp:</div><div> enabled: yes</div><div> imap:</div><div> enabled: detection-only</div><div> msn:</div><div> enabled: detection-only</div>
<div> smb:</div><div> enabled: yes</div><div> detection-ports:</div><div> toserver: 139</div><div> # smb2 detection is disabled internally inside the engine.</div><div> #smb2:</div><div> # enabled: yes</div>
<div> dns:</div><div> # memcaps. Globally and per flow/state.</div><div> #global-memcap: 16mb</div><div> #state-memcap: 512kb</div><div><br></div><div> # How many unreplied DNS requests are considered a flood.</div>
<div> # If the limit is reached, app-layer-event:dns.flooded; will match.</div><div> #request-flood: 500</div><div><br></div><div> tcp:</div><div> enabled: yes</div><div> detection-ports:</div>
<div> toserver: 53</div><div> udp:</div><div> enabled: yes</div><div> detection-ports:</div><div> toserver: 53</div><div> http:</div><div> enabled: yes</div><div> # memcap: 64mb</div>
<div><br></div><div> ###########################################################################</div><div> # Configure libhtp.</div><div> #</div><div> #</div><div> # default-config: Used when no server-config matches</div>
<div> # personality: List of personalities used by default</div><div> # request-body-limit: Limit reassembly of request body for inspection</div><div> # by http_client_body & pcre /P option.</div>
<div> # response-body-limit: Limit reassembly of response body for inspection</div><div> # by file_data, http_server_body & pcre /Q option.</div><div> # double-decode-path: Double decode path section of the URI</div>
<div> # double-decode-query: Double decode query section of the URI</div><div> #</div><div> # server-config: List of server configurations to use if address matches</div><div> # address: List of ip addresses or networks for this block</div>
<div> # personalitiy: List of personalities used by this block</div><div> # request-body-limit: Limit reassembly of request body for inspection</div><div> # by http_client_body & pcre /P option.</div>
<div> # response-body-limit: Limit reassembly of response body for inspection</div><div> # by file_data, http_server_body & pcre /Q option.</div><div> # double-decode-path: Double decode path section of the URI</div>
<div> # double-decode-query: Double decode query section of the URI</div><div> #</div><div> # uri-include-all: Include all parts of the URI. By default the</div><div> # 'scheme', username/password, hostname and port</div>
<div> # are excluded. Setting this option to true adds</div><div> # all of them to the normalized uri as inspected</div><div> # by http_uri, urilen, pcre with /U and the other</div>
<div> # keywords that inspect the normalized uri.</div><div> # Note that this does not affect http_raw_uri.</div><div> # Also, note that including all was the default in</div>
<div> # 1.4 and 2.0beta1.</div><div> #</div><div> # meta-field-limit: Hard size limit for request and response size</div><div> # limits. Applies to request line and headers,</div>
<div> # response line and headers. Does not apply to</div><div> # request or response bodies. Default is 18k.</div><div> # If this limit is reached an event is raised.</div>
<div> #</div><div> # Currently Available Personalities:</div><div> # Minimal</div><div> # Generic</div><div> # IDS (default)</div><div> # IIS_4_0</div><div> # IIS_5_0</div><div>
# IIS_5_1</div><div> # IIS_6_0</div><div> # IIS_7_0</div><div> # IIS_7_5</div><div> # Apache_2</div><div> ###########################################################################</div>
<div> libhtp:</div><div><br></div><div> default-config:</div><div> personality: IDS</div><div><br></div><div> # Can be specified in kb, mb, gb. Just a number indicates</div><div> # it's in bytes.</div>
<div> request-body-limit: 3072</div><div> response-body-limit: 3072</div><div><br></div><div> # inspection limits</div><div> request-body-minimal-inspect-size: 32kb</div><div> request-body-inspect-window: 4kb</div>
<div> response-body-minimal-inspect-size: 32kb</div><div> response-body-inspect-window: 4kb</div><div> # Take a random value for inspection sizes around the specified value.</div><div> # This lower the risk of some evasion technics but could lead</div>
<div> # detection change between runs. It is set to 'yes' by default.</div><div> #randomize-inspection-sizes: yes</div><div> # If randomize-inspection-sizes is active, the value of various</div>
<div> # inspection size will be choosen in the [1 - range%, 1 + range%]</div><div> # range</div><div> # Default value of randomize-inspection-range is 10.</div><div> #randomize-inspection-range: 10</div>
<div><br></div><div> # decoding</div><div> double-decode-path: no</div><div> double-decode-query: no</div><div><br></div><div> server-config:</div><div><br></div><div> #- apache:</div>
<div> # address: [<a href="http://192.168.1.0/24">192.168.1.0/24</a>, <a href="http://127.0.0.0/8">127.0.0.0/8</a>, "::1"]</div><div> # personality: Apache_2</div><div> # # Can be specified in kb, mb, gb. Just a number indicates</div>
<div> # # it's in bytes.</div><div> # request-body-limit: 4096</div><div> # response-body-limit: 4096</div><div> # double-decode-path: no</div><div> # double-decode-query: no</div>
<div><br></div><div> #- iis7:</div><div> # address:</div><div> # - <a href="http://192.168.0.0/24">192.168.0.0/24</a></div><div> # - <a href="http://192.168.10.0/24">192.168.10.0/24</a></div>
<div> # personality: IIS_7_0</div><div> # # Can be specified in kb, mb, gb. Just a number indicates</div><div> # # it's in bytes.</div><div> # request-body-limit: 4096</div>
<div> # response-body-limit: 4096</div><div> # double-decode-path: no</div><div> # double-decode-query: no</div><div><br></div><div># Profiling settings. Only effective if Suricata has been built with the</div>
<div># the --enable-profiling configure flag.</div><div>#</div><div>profiling:</div><div> # Run profiling for every xth packet. The default is 1, which means we</div><div> # profile every packet. If set to 1000, one packet is profiled for every</div>
<div> # 1000 received.</div><div> #sample-rate: 1000</div><div><br></div><div> # rule profiling</div><div> rules:</div><div><br></div><div> # Profiling can be disabled here, but it will still have a</div><div> # performance impact if compiled in.</div>
<div> enabled: yes</div><div> filename: rule_perf.log</div><div> append: yes</div><div><br></div><div> # Sort options: ticks, avgticks, checks, matches, maxticks</div><div> sort: avgticks</div><div><br></div>
<div> # Limit the number of items printed at exit.</div><div> limit: 100</div><div><br></div><div> # per keyword profiling</div><div> keywords:</div><div> enabled: yes</div><div> filename: keyword_perf.log</div>
<div> append: yes</div><div><br></div><div> # packet profiling</div><div> packets:</div><div><br></div><div> # Profiling can be disabled here, but it will still have a</div><div> # performance impact if compiled in.</div>
<div> enabled: yes</div><div> filename: packet_stats.log</div><div> append: yes</div><div><br></div><div> # per packet csv output</div><div> csv:</div><div><br></div><div> # Output can be disabled here, but it will still have a</div>
<div> # performance impact if compiled in.</div><div> enabled: no</div><div> filename: packet_stats.csv</div><div><br></div><div> # profiling of locking. Only available when Suricata was built with</div><div>
# --enable-profiling-locks.</div><div> locks:</div><div> enabled: no</div><div> filename: lock_stats.log</div><div> append: yes</div><div><br></div><div># Suricata core dump configuration. Limits the size of the core dump file to</div>
<div># approximately max-dump. The actual core dump size will be a multiple of the</div><div># page size. Core dumps that would be larger than max-dump are truncated. On</div><div># Linux, the actual core dump size may be a few pages larger than max-dump.</div>
<div># Setting max-dump to 0 disables core dumping.</div><div># Setting max-dump to 'unlimited' will give the full core dump file.</div><div># On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size</div>
<div># to be 'unlimited'.</div><div><br></div><div>coredump:</div><div> max-dump: unlimited</div><div><br></div><div>napatech:</div><div> # The Host Buffer Allowance for all streams</div><div> # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)</div>
<div> hba: -1</div><div><br></div><div> # use_all_streams set to "yes" will query the Napatech service for all configured</div><div> # streams and listen on all of them. When set to "no" the streams config array</div>
<div> # will be used.</div><div> use-all-streams: yes</div><div><br></div><div> # The streams to listen on</div><div> streams: [1, 2, 3]</div><div><br></div><div># Includes. Files included here will be handled as if they were</div>
<div># inlined in this configuration file.</div><div>#include: include1.yaml</div><div>#include: include2.yaml </div>
</div>
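The pcap and pfring sections of the config above leave buffer-size and the capture thread count at their defaults, and the comment on buffer-size gives a rule of thumb ("bigger than 1% of your bandwidth"); before changing either it helps to know how much of the loss is happening in the kernel capture ring. This added example, which is not part of the original post or of Suricata, reads the per-thread capture counters that Suricata 2.0 writes to stats.log (the rows below are constructed, not from a real sensor) and applies the buffer-size rule to a configured value; the size parser follows the kb/mb/gb convention the config comments describe, and reading "1% of bandwidth" as 1% of one second of link traffic is an assumption.

```python
"""Added example (not Suricata code): compute per-thread kernel drop ratios from
a Suricata 2.0 stats.log excerpt and check a pcap buffer-size against the
"bigger than 1% of your bandwidth" comment from suricata.yaml."""
import re

# Constructed sample in the Suricata 2.0 stats.log layout: counter | TM name | value.
SAMPLE_STATS = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 1000000
capture.kernel_drops      | RxPcapeth01               | 250000
decoder.pkts              | RxPcapeth01               | 750000
capture.kernel_packets    | RxPcapeth02               | 800000
capture.kernel_drops      | RxPcapeth02               | 0
"""

# One counter row: counter name, thread-module name, integer value.
STATS_ROW = re.compile(
    r"^\s*(?P<counter>[\w.]+)\s*\|\s*(?P<tm>\S+)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Return {tm_name: {counter: value}}; rulers and the header row are skipped.
    When a file holds several dumps, later rows overwrite earlier ones, so the
    result reflects the last dump."""
    counters = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if m:
            counters.setdefault(m["tm"], {})[m["counter"]] = int(m["value"])
    return counters


def kernel_drop_ratio(counters):
    """Per capture thread: capture.kernel_drops / capture.kernel_packets.
    Threads without a kernel_packets counter (detect, output, ...) are skipped;
    a capture thread that saw no packets at all maps to None."""
    ratios = {}
    for tm, c in counters.items():
        if "capture.kernel_packets" not in c:
            continue
        pkts = c["capture.kernel_packets"]
        drops = c.get("capture.kernel_drops", 0)
        ratios[tm] = drops / pkts if pkts else None
    return ratios


# Size syntax used throughout suricata.yaml: a bare number is bytes, otherwise a
# kb/mb/gb suffix. Binary multiples, matching Suricata's size parser.
SIZE_UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(value):
    """'16777216' -> 16777216, '2gb' -> 2147483648, '32kb' -> 32768."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG][bB])?\s*", str(value))
    if not m:
        raise ValueError("not a Suricata size: %r" % (value,))
    return int(m.group(1)) * SIZE_UNITS[(m.group(2) or "").lower()]


def min_pcap_buffer_bytes(link_mbps):
    """Assumption: '1% of your bandwidth' means 1% of one second of traffic at
    the link rate, expressed in bytes (integer arithmetic, link_mbps is an int)."""
    return link_mbps * 1_000_000 // 8 // 100


def pcap_buffer_ok(buffer_size, link_mbps):
    """True when the configured pcap buffer-size clears the rule of thumb."""
    return parse_size(buffer_size) > min_pcap_buffer_bytes(link_mbps)


if __name__ == "__main__":
    for tm, ratio in kernel_drop_ratio(parse_stats(SAMPLE_STATS)).items():
        shown = "n/a" if ratio is None else "%.1f%%" % (100 * ratio)
        print("%-12s kernel drops: %s" % (tm, shown))
    print("buffer-size 16777216 at 1000 Mbps ok:", pcap_buffer_ok("16777216", 1000))
```

A drop ratio that is high on one capture thread while others are near zero points at that thread's ring or load-balancing rather than at the detection engine.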