<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><br><div><br>On 24 Jun 2018, at 00:52, Darren S. <<a href="mailto:phatbuckett@gmail.com">phatbuckett@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On Sat, Jun 23, 2018 at 8:49 AM, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:</span><br><blockquote type="cite"><span>On Sat, Jun 23, 2018 at 12:04 PM, Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>> wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>On 23-06-18 02:41, Darren S. wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Suricata version 4.0.4 RELEASE</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>outputs.13.file-store = (null)</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>outputs.13.file-store.enabled = yes</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>outputs.13.file-store.log-dir = files</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>outputs.13.file-store.force-magic = yes</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>outputs.13.file-store.force-md5 = yes</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>outputs.13.file-store.force-filestore = no</span><br></blockquote></blockquote></blockquote><blockquote 
type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>I'd like to find out what is the meaning of the force-* options in</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>these types of settings - understanding that they force the given data</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>output, but not what that means by example.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>For example, would outputs.file-store.force-filestore result in Suri</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>storing all files regardless of any filestore rules active (as a</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>convenience factor)?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Yes.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>What cases do force-magic and force-md5 output those values where they</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>wouldn't normally be output when file-store.enabled = 
yes?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Since md5 and magic are expensive operations they are normally only</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>performed on-demand, for example if there are rules matching on those</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>properties. The force-* options enable them unconditionally.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I sometimes find it very useful when running investigation on smaller pcaps.</span><br></blockquote><span></span><br><span>That's what I'm finding it very useful for right now. :)  Suricata has</span><br><span>developed into an incredibly useful packet capture dissection and</span><br><span>analysis tool.</span><br><span></span><br><span>One thing I'm hung up on is getting file hashes to be stored/logged.</span><br><span>Including the build info and config dump below, but the following</span><br><span>blocks I assumed would get the hash stored in both the file-log JSON</span><br><span>data and the metadata file written out with the stored file. 
I've</span><br><span>tried setting the force-hash value to any of these and still no sign</span><br><span>of logged hashes:</span><br><span></span><br><span>  [md5]</span><br><span>  [md5,sha1]</span><br><span>  [md5,sha1,sha256]</span><br><span></span><br><span>outputs.13 = file-store</span><br><span>outputs.13.file-store = (null)</span><br><span>outputs.13.file-store.enabled = yes</span><br><span>outputs.13.file-store.log-dir = files</span><br><span>outputs.13.file-store.stream-depth = 0</span><br><span>outputs.13.file-store.force-magic = yes</span><br><span>outputs.13.file-store.force-hash = [md5]</span><br><span>outputs.13.file-store.force-filestore = yes</span><br><span>outputs.14 = file-log</span><br><span>outputs.14.file-log = (null)</span><br><span>outputs.14.file-log.enabled = yes</span><br><span>outputs.14.file-log.filename = files-json.log</span><br><span>outputs.14.file-log.force-magic = yes</span><br><span>outputs.14.file-log.force-hash = [md5]</span><br><span>outputs.14.file-log.append = no</span><br><span></span><br><span>This is on Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8</span><br><span>15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64 x86_64.</span><br><span></span><br><span>Suricata installed from Homebrew. 
At this time just running in pcap</span><br><span>offline mode (-r).</span><br><span></span><br><span>Any clue?</span><br><span></span><br><span></span><br></div></blockquote><div><br></div><div>I think it is worth it if you try filestore version 2 from 4.1beta/latest git (that would become stable soon anyway) - <a href="https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#output">https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#output</a></div><div><br></div><div><br></div><br><blockquote type="cite"><div><span></span><br><span>This is Suricata version 4.0.4 RELEASE</span><br><span>Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT LIBNET1.1</span><br><span>HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON</span><br><span>TLS MAGIC</span><br><span>SIMD support: SSE_4_2 SSE_4_1 SSE_3</span><br><span>Atomic intrisics: 1 2 4 8 16 byte(s)</span><br><span>64-bits, Little-endian architecture</span><br><span>GCC version 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2), C</span><br><span>version 199901</span><br><span>compiled with -fstack-protector</span><br><span>compiled with _FORTIFY_SOURCE=2</span><br><span>L1 cache line size (CLS)=64</span><br><span>thread local storage method: __thread</span><br><span>compiled with LibHTP v0.5.26, linked against LibHTP v0.5.26</span><br><span></span><br><span>Suricata Configuration:</span><br><span>  AF_PACKET support:                       no</span><br><span>  PF_RING support:                         no</span><br><span>  NFQueue support:                         no</span><br><span>  NFLOG support:                           no</span><br><span>  IPFW support:                            no</span><br><span>  Netmap support:                          no</span><br><span>  DAG enabled:                             no</span><br><span>  Napatech enabled:                        no</span><br><span></span><br><span>  Unix socket enabled:                     
yes</span><br><span>  Detection enabled:                       yes</span><br><span></span><br><span>  Libmagic support:                        yes</span><br><span>  libnss support:                          yes</span><br><span>  libnspr support:                         yes</span><br><span>  libjansson support:                      yes</span><br><span>  hiredis support:                         no</span><br><span>  hiredis async with libevent:             no</span><br><span>  Prelude support:                         no</span><br><span>  PCRE jit:                                yes</span><br><span>  LUA support:                             yes</span><br><span>  libluajit:                               no</span><br><span>  libgeoip:                                no</span><br><span>  Non-bundled htp:                         no</span><br><span>  Old barnyard2 support:                   no</span><br><span>  CUDA enabled:                            no</span><br><span>  Hyperscan support:                       no</span><br><span>  Libnet support:                          yes</span><br><span></span><br><span>  Rust support (experimental):             no</span><br><span>  Experimental Rust parsers:               no</span><br><span>  Rust strict mode:                        no</span><br><span></span><br><span>  Suricatasc install:                      yes</span><br><span></span><br><span>  Profiling enabled:                       no</span><br><span>  Profiling locks enabled:                 no</span><br><span></span><br><span>Development settings:</span><br><span>  Coccinelle / spatch:                     no</span><br><span>  Unit tests enabled:                      no</span><br><span>  Debug output enabled:                    no</span><br><span>  Debug validation enabled:                no</span><br><span></span><br><span>Generic build parameters:</span><br><span>  Installation prefix:                     /usr/local/Cellar/suricata/4.0.4</span><br><span>  Configuration 
directory:                 /usr/local/etc/suricata/</span><br><span>  Log directory:                           /usr/local/var/log/suricata/</span><br><span></span><br><span>  --prefix                                 /usr/local/Cellar/suricata/4.0.4</span><br><span>  --sysconfdir                             /usr/local/etc</span><br><span>  --localstatedir                          /usr/local/var</span><br><span></span><br><span>  Host:                                    x86_64-apple-darwin17.4.0</span><br><span>  Compiler:                                clang (exec name) / clang (real)</span><br><span>  GCC Protect enabled:                     no</span><br><span>  GCC march native enabled:                yes</span><br><span>  GCC Profile enabled:                     no</span><br><span>  Position Independent Executable enabled: no</span><br><span>  CFLAGS                                   -g -O2 -DOS_DARWIN -march=native</span><br><span>  PCAP_CFLAGS                               -I/usr/local/include</span><br><span>  SECCFLAGS</span><br><span></span><br><span></span><br><span>default-log-dir = tmp.suricata.d</span><br><span>vars = (null)</span><br><span>vars.address-groups = (null)</span><br><span>vars.address-groups.HOME_NET = 10.0.0.3</span><br><span>vars.address-groups.EXTERNAL_NET = !$HOME_NET</span><br><span>vars.address-groups.HTTP_SERVERS = $HOME_NET</span><br><span>vars.address-groups.SMTP_SERVERS = $HOME_NET</span><br><span>vars.address-groups.SQL_SERVERS = $HOME_NET</span><br><span>vars.address-groups.DNS_SERVERS = $HOME_NET</span><br><span>vars.address-groups.TELNET_SERVERS = $HOME_NET</span><br><span>vars.address-groups.AIM_SERVERS = $EXTERNAL_NET</span><br><span>vars.address-groups.DNP3_SERVER = $HOME_NET</span><br><span>vars.address-groups.DNP3_CLIENT = $HOME_NET</span><br><span>vars.address-groups.MODBUS_CLIENT = $HOME_NET</span><br><span>vars.address-groups.MODBUS_SERVER = $HOME_NET</span><br><span>vars.address-groups.ENIP_CLIENT = 
$HOME_NET</span><br><span>vars.address-groups.ENIP_SERVER = $HOME_NET</span><br><span>vars.port-groups = (null)</span><br><span>vars.port-groups.HTTP_PORTS = 80</span><br><span>vars.port-groups.SHELLCODE_PORTS = !80</span><br><span>vars.port-groups.ORACLE_PORTS = 1521</span><br><span>vars.port-groups.SSH_PORTS = 22</span><br><span>vars.port-groups.DNP3_PORTS = 20000</span><br><span>vars.port-groups.MODBUS_PORTS = 502</span><br><span>vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]</span><br><span>vars.port-groups.FTP_PORTS = 21</span><br><span>logging = (null)</span><br><span>logging.outputs = (null)</span><br><span>logging.outputs.0 = console</span><br><span>logging.outputs.0.console = (null)</span><br><span>logging.outputs.0.console.enabled = yes</span><br><span>logging.outputs.1 = file</span><br><span>logging.outputs.1.file = (null)</span><br><span>logging.outputs.1.file.filename = tmp.suricata.d/suricata.log</span><br><span>logging.outputs.1.file.append = no</span><br><span>logging.outputs.1.file.enabled = yes</span><br><span>logging.outputs.1.file.level = info</span><br><span>logging.outputs.2 = syslog</span><br><span>logging.outputs.2.syslog = (null)</span><br><span>logging.outputs.2.syslog.enabled = no</span><br><span>logging.outputs.2.syslog.facility = local5</span><br><span>logging.outputs.2.syslog.format = [%i] <%d> --</span><br><span>logging.default-log-level = notice</span><br><span>logging.default-output-filter =</span><br><span>outputs = (null)</span><br><span>outputs.0 = fast</span><br><span>outputs.0.fast = (null)</span><br><span>outputs.0.fast.enabled = yes</span><br><span>outputs.0.fast.append = no</span><br><span>outputs.0.fast.filename = fast.log</span><br><span>outputs.1 = eve-log</span><br><span>outputs.1.eve-log = (null)</span><br><span>outputs.1.eve-log.enabled = yes</span><br><span>outputs.1.eve-log.append = no</span><br><span>outputs.1.eve-log.filetype = regular</span><br><span>outputs.1.eve-log.filename = 
eve.json</span><br><span>outputs.1.eve-log.types = (null)</span><br><span>outputs.1.eve-log.types.0 = alert</span><br><span>outputs.1.eve-log.types.0.alert = (null)</span><br><span>outputs.1.eve-log.types.0.alert.metadata = yes</span><br><span>outputs.1.eve-log.types.0.alert.tagged-packets = yes</span><br><span>outputs.1.eve-log.types.0.alert.xff = (null)</span><br><span>outputs.1.eve-log.types.0.alert.xff.enabled = no</span><br><span>outputs.1.eve-log.types.0.alert.xff.mode = extra-data</span><br><span>outputs.1.eve-log.types.0.alert.xff.deployment = reverse</span><br><span>outputs.1.eve-log.types.0.alert.xff.header = X-Forwarded-For</span><br><span>outputs.1.eve-log.types.1 = http</span><br><span>outputs.1.eve-log.types.1.http = (null)</span><br><span>outputs.1.eve-log.types.1.http.extended = yes</span><br><span>outputs.1.eve-log.types.2 = dns</span><br><span>outputs.1.eve-log.types.2.dns = (null)</span><br><span>outputs.1.eve-log.types.2.dns.query = yes</span><br><span>outputs.1.eve-log.types.2.dns.answer = yes</span><br><span>outputs.1.eve-log.types.3 = tls</span><br><span>outputs.1.eve-log.types.3.tls = (null)</span><br><span>outputs.1.eve-log.types.3.tls.extended = yes</span><br><span>outputs.1.eve-log.types.4 = files</span><br><span>outputs.1.eve-log.types.4.files = (null)</span><br><span>outputs.1.eve-log.types.4.files.force-magic = no</span><br><span>outputs.1.eve-log.types.5 = ssh</span><br><span>outputs.1.eve-log.types.6 = stats</span><br><span>outputs.1.eve-log.types.6.stats = (null)</span><br><span>outputs.1.eve-log.types.6.stats.totals = yes</span><br><span>outputs.1.eve-log.types.6.stats.threads = no</span><br><span>outputs.1.eve-log.types.6.stats.deltas = no</span><br><span>outputs.2 = unified2-alert</span><br><span>outputs.2.unified2-alert = (null)</span><br><span>outputs.2.unified2-alert.enabled = no</span><br><span>outputs.2.unified2-alert.filename = unified2.alert</span><br><span>outputs.2.unified2-alert.xff = 
(null)</span><br><span>outputs.2.unified2-alert.xff.enabled = no</span><br><span>outputs.2.unified2-alert.xff.mode = extra-data</span><br><span>outputs.2.unified2-alert.xff.deployment = reverse</span><br><span>outputs.2.unified2-alert.xff.header = X-Forwarded-For</span><br><span>outputs.3 = http-log</span><br><span>outputs.3.http-log = (null)</span><br><span>outputs.3.http-log.enabled = yes</span><br><span>outputs.3.http-log.filename = http.log</span><br><span>outputs.3.http-log.append = no</span><br><span>outputs.4 = tls-log</span><br><span>outputs.4.tls-log = (null)</span><br><span>outputs.4.tls-log.enabled = yes</span><br><span>outputs.4.tls-log.filename = tls.log</span><br><span>outputs.4.tls-log.append = no</span><br><span>outputs.5 = tls-store</span><br><span>outputs.5.tls-store = (null)</span><br><span>outputs.5.tls-store.enabled = yes</span><br><span>outputs.5.tls-store.certs-log-dir = certs</span><br><span>outputs.6 = dns-log</span><br><span>outputs.6.dns-log = (null)</span><br><span>outputs.6.dns-log.enabled = yes</span><br><span>outputs.6.dns-log.filename = dns.log</span><br><span>outputs.6.dns-log.append = no</span><br><span>outputs.7 = pcap-log</span><br><span>outputs.7.pcap-log = (null)</span><br><span>outputs.7.pcap-log.enabled = no</span><br><span>outputs.7.pcap-log.filename = log.pcap</span><br><span>outputs.7.pcap-log.limit = 1000mb</span><br><span>outputs.7.pcap-log.max-files = 2000</span><br><span>outputs.7.pcap-log.mode = normal</span><br><span>outputs.7.pcap-log.use-stream-depth = no</span><br><span>outputs.7.pcap-log.honor-pass-rules = no</span><br><span>outputs.8 = alert-debug</span><br><span>outputs.8.alert-debug = (null)</span><br><span>outputs.8.alert-debug.enabled = no</span><br><span>outputs.8.alert-debug.filename = alert-debug.log</span><br><span>outputs.8.alert-debug.append = yes</span><br><span>outputs.9 = alert-prelude</span><br><span>outputs.9.alert-prelude = (null)</span><br><span>outputs.9.alert-prelude.enabled = 
no</span><br><span>outputs.9.alert-prelude.profile = suricata</span><br><span>outputs.9.alert-prelude.log-packet-content = no</span><br><span>outputs.9.alert-prelude.log-packet-header = yes</span><br><span>outputs.10 = stats</span><br><span>outputs.10.stats = (null)</span><br><span>outputs.10.stats.enabled = no</span><br><span>outputs.10.stats.filename = stats.log</span><br><span>outputs.10.stats.totals = yes</span><br><span>outputs.10.stats.threads = no</span><br><span>outputs.11 = syslog</span><br><span>outputs.11.syslog = (null)</span><br><span>outputs.11.syslog.enabled = no</span><br><span>outputs.11.syslog.facility = local5</span><br><span>outputs.12 = drop</span><br><span>outputs.12.drop = (null)</span><br><span>outputs.12.drop.enabled = no</span><br><span>outputs.12.drop.filename = drop.log</span><br><span>outputs.12.drop.append = yes</span><br><span>outputs.13 = file-store</span><br><span>outputs.13.file-store = (null)</span><br><span>outputs.13.file-store.enabled = yes</span><br><span>outputs.13.file-store.log-dir = files</span><br><span>outputs.13.file-store.stream-depth = 0</span><br><span>outputs.13.file-store.force-magic = yes</span><br><span>outputs.13.file-store.force-hash = [md5]</span><br><span>outputs.13.file-store.force-filestore = yes</span><br><span>outputs.14 = file-log</span><br><span>outputs.14.file-log = (null)</span><br><span>outputs.14.file-log.enabled = yes</span><br><span>outputs.14.file-log.filename = files-json.log</span><br><span>outputs.14.file-log.force-magic = yes</span><br><span>outputs.14.file-log.force-hash = [md5]</span><br><span>outputs.14.file-log.append = no</span><br><span>outputs.15 = tcp-data</span><br><span>outputs.15.tcp-data = (null)</span><br><span>outputs.15.tcp-data.enabled = yes</span><br><span>outputs.15.tcp-data.type = dir</span><br><span>outputs.15.tcp-data.filename = tcp-data.log</span><br><span>outputs.16 = http-body-data</span><br><span>outputs.16.http-body-data = 
(null)</span><br><span>outputs.16.http-body-data.enabled = yes</span><br><span>outputs.16.http-body-data.type = dir</span><br><span>outputs.16.http-body-data.filename = http-data.log</span><br><span>outputs.17 = lua</span><br><span>outputs.17.lua = (null)</span><br><span>outputs.17.lua.enabled = no</span><br><span>outputs.17.lua.scripts =</span><br><span>stream = (null)</span><br><span>stream.inline = no</span><br><span>stream.reassembly = (null)</span><br><span>stream.reassembly.depth = 0</span><br><span>stream.reassembly.memcap = 256mb</span><br><span>stream.reassembly.toserver-chunk-size = 2560</span><br><span>stream.reassembly.toclient-chunk-size = 2560</span><br><span>stream.reassembly.randomize-chunk-size = yes</span><br><span>stream.memcap = 64mb</span><br><span>stream.checksum-validation = yes</span><br><span>libhtp = (null)</span><br><span>libhtp.default-config = (null)</span><br><span>libhtp.default-config.request-body-limit = 0</span><br><span>libhtp.default-config.response-body-limit = 0</span><br><span>default-rule-path = /var/lib/suricata/rules/</span><br><span>rule-files = (null)</span><br><span>rule-files.0 = suricata.rules</span><br><span>classification-file = /usr/local/etc/suricata/classification.config</span><br><span>reference-config-file = /usr/local/etc/suricata/reference.config</span><br><span>stats = (null)</span><br><span>stats.enabled = yes</span><br><span>stats.interval = 8</span><br><span>af-packet = (null)</span><br><span>af-packet.0 = interface</span><br><span>af-packet.0.interface = eth0</span><br><span>af-packet.0.cluster-id = 99</span><br><span>af-packet.0.cluster-type = cluster_flow</span><br><span>af-packet.0.defrag = yes</span><br><span>af-packet.1 = interface</span><br><span>af-packet.1.interface = default</span><br><span>pcap = (null)</span><br><span>pcap.0 = interface</span><br><span>pcap.0.interface = eth0</span><br><span>pcap.1 = interface</span><br><span>pcap.1.interface = default</span><br><span>pcap-file = 
(null)</span><br><span>pcap-file.checksum-checks = auto</span><br><span>app-layer = (null)</span><br><span>app-layer.protocols = (null)</span><br><span>app-layer.protocols.tls = (null)</span><br><span>app-layer.protocols.tls.enabled = yes</span><br><span>app-layer.protocols.tls.detection-ports = (null)</span><br><span>app-layer.protocols.tls.detection-ports.dp = 443</span><br><span>app-layer.protocols.dcerpc = (null)</span><br><span>app-layer.protocols.dcerpc.enabled = yes</span><br><span>app-layer.protocols.ftp = (null)</span><br><span>app-layer.protocols.ftp.enabled = yes</span><br><span>app-layer.protocols.ssh = (null)</span><br><span>app-layer.protocols.ssh.enabled = yes</span><br><span>app-layer.protocols.smtp = (null)</span><br><span>app-layer.protocols.smtp.enabled = yes</span><br><span>app-layer.protocols.smtp.mime = (null)</span><br><span>app-layer.protocols.smtp.mime.decode-mime = yes</span><br><span>app-layer.protocols.smtp.mime.decode-base64 = yes</span><br><span>app-layer.protocols.smtp.mime.decode-quoted-printable = yes</span><br><span>app-layer.protocols.smtp.mime.header-value-depth = 2000</span><br><span>app-layer.protocols.smtp.mime.extract-urls = yes</span><br><span>app-layer.protocols.smtp.mime.body-md5 = no</span><br><span>app-layer.protocols.smtp.inspected-tracker = (null)</span><br><span>app-layer.protocols.smtp.inspected-tracker.content-limit = 100000</span><br><span>app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768</span><br><span>app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096</span><br><span>app-layer.protocols.imap = (null)</span><br><span>app-layer.protocols.imap.enabled = detection-only</span><br><span>app-layer.protocols.msn = (null)</span><br><span>app-layer.protocols.msn.enabled = detection-only</span><br><span>app-layer.protocols.smb = (null)</span><br><span>app-layer.protocols.smb.enabled = yes</span><br><span>app-layer.protocols.smb.detection-ports = 
(null)</span><br><span>app-layer.protocols.smb.detection-ports.dp = 139, 445</span><br><span>app-layer.protocols.nfs = (null)</span><br><span>app-layer.protocols.nfs.enabled = no</span><br><span>app-layer.protocols.dns = (null)</span><br><span>app-layer.protocols.dns.tcp = (null)</span><br><span>app-layer.protocols.dns.tcp.enabled = yes</span><br><span>app-layer.protocols.dns.tcp.detection-ports = (null)</span><br><span>app-layer.protocols.dns.tcp.detection-ports.dp = 53</span><br><span>app-layer.protocols.dns.udp = (null)</span><br><span>app-layer.protocols.dns.udp.enabled = yes</span><br><span>app-layer.protocols.dns.udp.detection-ports = (null)</span><br><span>app-layer.protocols.dns.udp.detection-ports.dp = 53</span><br><span>app-layer.protocols.http = (null)</span><br><span>app-layer.protocols.http.enabled = yes</span><br><span>app-layer.protocols.http.libhtp = (null)</span><br><span>app-layer.protocols.http.libhtp.default-config = (null)</span><br><span>app-layer.protocols.http.libhtp.default-config.personality = IDS</span><br><span>app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb</span><br><span>app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb</span><br><span>app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size</span><br><span>= 32kb</span><br><span>app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb</span><br><span>app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size</span><br><span>= 40kb</span><br><span>app-layer.protocols.http.libhtp.default-config.response-body-inspect-window</span><br><span>= 16kb</span><br><span>app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit</span><br><span>= 2</span><br><span>app-layer.protocols.http.libhtp.default-config.http-body-inline = auto</span><br><span>app-layer.protocols.http.libhtp.default-config.double-decode-path = 
no</span><br><span>app-layer.protocols.http.libhtp.default-config.double-decode-query = no</span><br><span>app-layer.protocols.http.libhtp.server-config =</span><br><span>app-layer.protocols.modbus = (null)</span><br><span>app-layer.protocols.modbus.enabled = no</span><br><span>app-layer.protocols.modbus.detection-ports = (null)</span><br><span>app-layer.protocols.modbus.detection-ports.dp = 502</span><br><span>app-layer.protocols.modbus.stream-depth = 0</span><br><span>app-layer.protocols.dnp3 = (null)</span><br><span>app-layer.protocols.dnp3.enabled = no</span><br><span>app-layer.protocols.dnp3.detection-ports = (null)</span><br><span>app-layer.protocols.dnp3.detection-ports.dp = 20000</span><br><span>app-layer.protocols.enip = (null)</span><br><span>app-layer.protocols.enip.enabled = no</span><br><span>app-layer.protocols.enip.detection-ports = (null)</span><br><span>app-layer.protocols.enip.detection-ports.dp = 44818</span><br><span>app-layer.protocols.enip.detection-ports.sp = 44818</span><br><span>app-layer.protocols.ntp = (null)</span><br><span>app-layer.protocols.ntp.enabled = no</span><br><span>asn1-max-frames = 256</span><br><span>coredump = (null)</span><br><span>coredump.max-dump = unlimited</span><br><span>host-mode = auto</span><br><span>unix-command = (null)</span><br><span>unix-command.enabled = auto</span><br><span>legacy = (null)</span><br><span>legacy.uricontent = enabled</span><br><span>engine-analysis = (null)</span><br><span>engine-analysis.rules-fast-pattern = yes</span><br><span>engine-analysis.rules = yes</span><br><span>pcre = (null)</span><br><span>pcre.match-limit = 3500</span><br><span>pcre.match-limit-recursion = 1500</span><br><span>host-os-policy = (null)</span><br><span>host-os-policy.windows = (null)</span><br><span>host-os-policy.windows.0 = 0.0.0.0/0</span><br><span>host-os-policy.bsd = (null)</span><br><span>host-os-policy.bsd-right = (null)</span><br><span>host-os-policy.old-linux = (null)</span><br><span>host-os-policy.linux = 
(null)</span><br><span>host-os-policy.old-solaris = (null)</span><br><span>host-os-policy.solaris = (null)</span><br><span>host-os-policy.hpux10 = (null)</span><br><span>host-os-policy.hpux11 = (null)</span><br><span>host-os-policy.irix = (null)</span><br><span>host-os-policy.macos = (null)</span><br><span>host-os-policy.vista = (null)</span><br><span>host-os-policy.windows2k3 = (null)</span><br><span>defrag = (null)</span><br><span>defrag.memcap = 32mb</span><br><span>defrag.hash-size = 65536</span><br><span>defrag.trackers = 65535</span><br><span>defrag.max-frags = 65535</span><br><span>defrag.prealloc = yes</span><br><span>defrag.timeout = 60</span><br><span>flow = (null)</span><br><span>flow.memcap = 128mb</span><br><span>flow.hash-size = 65536</span><br><span>flow.prealloc = 10000</span><br><span>flow.emergency-recovery = 30</span><br><span>vlan = (null)</span><br><span>vlan.use-for-tracking = true</span><br><span>flow-timeouts = (null)</span><br><span>flow-timeouts.default = (null)</span><br><span>flow-timeouts.default.new = 30</span><br><span>flow-timeouts.default.established = 300</span><br><span>flow-timeouts.default.closed = 0</span><br><span>flow-timeouts.default.bypassed = 100</span><br><span>flow-timeouts.default.emergency-new = 10</span><br><span>flow-timeouts.default.emergency-established = 100</span><br><span>flow-timeouts.default.emergency-closed = 0</span><br><span>flow-timeouts.default.emergency-bypassed = 50</span><br><span>flow-timeouts.tcp = (null)</span><br><span>flow-timeouts.tcp.new = 60</span><br><span>flow-timeouts.tcp.established = 600</span><br><span>flow-timeouts.tcp.closed = 60</span><br><span>flow-timeouts.tcp.bypassed = 100</span><br><span>flow-timeouts.tcp.emergency-new = 5</span><br><span>flow-timeouts.tcp.emergency-established = 100</span><br><span>flow-timeouts.tcp.emergency-closed = 10</span><br><span>flow-timeouts.tcp.emergency-bypassed = 50</span><br><span>flow-timeouts.udp = (null)</span><br><span>flow-timeouts.udp.new = 
30</span><br><span>flow-timeouts.udp.established = 300</span><br><span>flow-timeouts.udp.bypassed = 100</span><br><span>flow-timeouts.udp.emergency-new = 10</span><br><span>flow-timeouts.udp.emergency-established = 100</span><br><span>flow-timeouts.udp.emergency-bypassed = 50</span><br><span>flow-timeouts.icmp = (null)</span><br><span>flow-timeouts.icmp.new = 30</span><br><span>flow-timeouts.icmp.established = 300</span><br><span>flow-timeouts.icmp.bypassed = 100</span><br><span>flow-timeouts.icmp.emergency-new = 10</span><br><span>flow-timeouts.icmp.emergency-established = 100</span><br><span>flow-timeouts.icmp.emergency-bypassed = 50</span><br><span>host = (null)</span><br><span>host.hash-size = 4096</span><br><span>host.prealloc = 1000</span><br><span>host.memcap = 32mb</span><br><span>decoder = (null)</span><br><span>decoder.teredo = (null)</span><br><span>decoder.teredo.enabled = true</span><br><span>detect = (null)</span><br><span>detect.profile = medium</span><br><span>detect.custom-values = (null)</span><br><span>detect.custom-values.toclient-groups = 3</span><br><span>detect.custom-values.toserver-groups = 25</span><br><span>detect.sgh-mpm-context = auto</span><br><span>detect.inspection-recursion-limit = 3000</span><br><span>detect.prefilter = (null)</span><br><span>detect.prefilter.default = mpm</span><br><span>detect.grouping =</span><br><span>detect.profiling = (null)</span><br><span>detect.profiling.grouping = (null)</span><br><span>detect.profiling.grouping.dump-to-disk = false</span><br><span>detect.profiling.grouping.include-rules = false</span><br><span>detect.profiling.grouping.include-mpm-stats = false</span><br><span>mpm-algo = auto</span><br><span>spm-algo = auto</span><br><span>threading = (null)</span><br><span>threading.set-cpu-affinity = no</span><br><span>threading.cpu-affinity = (null)</span><br><span>threading.cpu-affinity.0 = management-cpu-set</span><br><span>threading.cpu-affinity.0.management-cpu-set = 
(null)</span><br><span>threading.cpu-affinity.0.management-cpu-set.cpu = (null)</span><br><span>threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0</span><br><span>threading.cpu-affinity.1 = receive-cpu-set</span><br><span>threading.cpu-affinity.1.receive-cpu-set = (null)</span><br><span>threading.cpu-affinity.1.receive-cpu-set.cpu = (null)</span><br><span>threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0</span><br><span>threading.cpu-affinity.2 = worker-cpu-set</span><br><span>threading.cpu-affinity.2.worker-cpu-set = (null)</span><br><span>threading.cpu-affinity.2.worker-cpu-set.cpu = (null)</span><br><span>threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all</span><br><span>threading.cpu-affinity.2.worker-cpu-set.mode = exclusive</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio = (null)</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3</span><br><span>threading.cpu-affinity.2.worker-cpu-set.prio.default = medium</span><br><span>threading.detect-thread-ratio = 1.0</span><br><span>luajit = (null)</span><br><span>luajit.states = 128</span><br><span>profiling = (null)</span><br><span>profiling.rules = (null)</span><br><span>profiling.rules.enabled = yes</span><br><span>profiling.rules.filename = rule_perf.log</span><br><span>profiling.rules.append = yes</span><br><span>profiling.rules.limit = 10</span><br><span>profiling.rules.json = yes</span><br><span>profiling.keywords = (null)</span><br><span>profiling.keywords.enabled = yes</span><br><span>profiling.keywords.filename = keyword_perf.log</span><br><span>profiling.keywords.append = 
yes</span><br><span>profiling.rulegroups = (null)</span><br><span>profiling.rulegroups.enabled = yes</span><br><span>profiling.rulegroups.filename = rule_group_perf.log</span><br><span>profiling.rulegroups.append = yes</span><br><span>profiling.packets = (null)</span><br><span>profiling.packets.enabled = yes</span><br><span>profiling.packets.filename = packet_stats.log</span><br><span>profiling.packets.append = yes</span><br><span>profiling.packets.csv = (null)</span><br><span>profiling.packets.csv.enabled = no</span><br><span>profiling.packets.csv.filename = packet_stats.csv</span><br><span>profiling.locks = (null)</span><br><span>profiling.locks.enabled = no</span><br><span>profiling.locks.filename = lock_stats.log</span><br><span>profiling.locks.append = yes</span><br><span>profiling.pcap-log = (null)</span><br><span>profiling.pcap-log.enabled = no</span><br><span>profiling.pcap-log.filename = pcaplog_stats.log</span><br><span>profiling.pcap-log.append = yes</span><br><span>nfq =</span><br><span>nflog = (null)</span><br><span>nflog.0 = group</span><br><span>nflog.0.group = 2</span><br><span>nflog.0.buffer-size = 18432</span><br><span>nflog.1 = group</span><br><span>nflog.1.group = default</span><br><span>nflog.1.qthreshold = 1</span><br><span>nflog.1.qtimeout = 100</span><br><span>nflog.1.max-size = 20000</span><br><span>capture =</span><br><span>netmap = (null)</span><br><span>netmap.0 = interface</span><br><span>netmap.0.interface = eth2</span><br><span>netmap.1 = interface</span><br><span>netmap.1.interface = default</span><br><span>pfring = (null)</span><br><span>pfring.0 = interface</span><br><span>pfring.0.interface = eth0</span><br><span>pfring.0.threads = 1</span><br><span>pfring.0.cluster-id = 99</span><br><span>pfring.0.cluster-type = cluster_flow</span><br><span>pfring.1 = interface</span><br><span>pfring.1.interface = default</span><br><span>ipfw =</span><br><span>napatech = (null)</span><br><span>napatech.hba = 
-1</span><br><span>napatech.use-all-streams = yes</span><br><span>napatech.streams = (null)</span><br><span>napatech.streams.0 = 0-3</span><br><span>mpipe = (null)</span><br><span>mpipe.load-balance = dynamic</span><br><span>mpipe.iqueue-packets = 2048</span><br><span>mpipe.inputs = (null)</span><br><span>mpipe.inputs.0 = interface</span><br><span>mpipe.inputs.0.interface = xgbe2</span><br><span>mpipe.inputs.1 = interface</span><br><span>mpipe.inputs.1.interface = xgbe3</span><br><span>mpipe.inputs.2 = interface</span><br><span>mpipe.inputs.2.interface = xgbe4</span><br><span>mpipe.stack = (null)</span><br><span>mpipe.stack.size128 = 0</span><br><span>mpipe.stack.size256 = 9</span><br><span>mpipe.stack.size512 = 0</span><br><span>mpipe.stack.size1024 = 0</span><br><span>mpipe.stack.size1664 = 7</span><br><span>mpipe.stack.size4096 = 0</span><br><span>mpipe.stack.size10386 = 0</span><br><span>mpipe.stack.size16384 = 0</span><br><span>cuda = (null)</span><br><span>cuda.mpm = (null)</span><br><span>cuda.mpm.data-buffer-size-min-limit = 0</span><br><span>cuda.mpm.data-buffer-size-max-limit = 1500</span><br><span>cuda.mpm.cudabuffer-buffer-size = 500mb</span><br><span>cuda.mpm.gpu-transfer-size = 50mb</span><br><span>cuda.mpm.batching-timeout = 2000</span><br><span>cuda.mpm.device-id = 0</span><br><span>cuda.mpm.cuda-streams = 2</span><br><span></span><br><span>-- </span><br><span>Darren Spruell</span><br><span><a href="mailto:phatbuckett@gmail.com">phatbuckett@gmail.com</a></span><br></div></blockquote></body></html>