
Bug #7278 » suricata.yaml

Suricata YML does not receive Advanced Configuration Pass-Through data - Michael Strasner, 02/18/2017 04:32 PM

 
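%YAML 1.1
---

# Generated Suricata configuration for the instance bound to interface ix1.
# The file keeps Suricata's yes/no convention for switches; only layout,
# comments and spacing were normalised, values are unchanged.

max-pending-packets: 1024

# Runmode the engine should use.
runmode: autofp

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: active-packets

# Daemon working directory
daemon-directory: /usr/local/etc/suricata/suricata_20934_ix1

default-packet-size: 1514

# The default logging directory.
default-log-dir: /var/log/suricata/suricata_ix120934

# Configure the type of alert (and other) logging.
outputs:

  # alert-pf blocking plugin
  # Blocking is disabled here, so this instance only alerts; nothing is
  # inserted into the snort2c pf table.
  - alert-pf:
      enabled: no
      kill-state: yes
      pass-list: /usr/local/etc/suricata/suricata_20934_ix1/passlist
      block-ip: BOTH
      pf-table: snort2c

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alerts.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no

  # Extended HTTP log, written to default-log-dir.
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: no
      filename: stats.log
      interval: 10
      append: no

  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice

  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  - file-store:
      enabled: no
      log-dir: files
      force-magic: no
      force-md5: no
      waldo: file.waldo

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      force-md5: no

  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      filetype: regular

  # JSON event log. Alert records carry the raw payload and packet, so
  # eve.json can contain credentials or other sensitive traffic content;
  # keep default-log-dir readable by administrators only.
  - eve-log:
      enabled: yes
      type: file
      filename: eve.json
      identity: "suricata"
      facility: local1
      level: info
      types:
        - alert:
            payload: yes  # enable dumping payload in Base64
            payload-printable: yes  # enable dumping payload in printable (lossy) format
            packet: yes  # enable dumping of packet (without stream segments)
            http: yes  # enable dumping of http fields
            tls: yes  # enable dumping of tls fields
            ssh: yes  # enable dumping of ssh fields
            smtp: yes  # enable dumping of smtp fields
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
            force-md5: no
        - ssh

# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic

# Specify a threshold config file
threshold-file: /usr/local/etc/suricata/suricata_20934_ix1/threshold.config

detect-engine:
  - profile: high
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  - delayed-detect: no

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5

mpm-algo: ac

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

# Defrag settings:
defrag:
  memcap: 33554432
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Flow settings:
flow:
  memcap: 33554432
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

# Specific timeouts for flows.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 83886080
  # Checksums are not validated, so packets with bad checksums are still
  # inspected rather than skipped.
  checksum-validation: no
  inline: auto
  # NOTE(review): empty value — confirm whether the generator meant to omit
  # this key or to set a session limit.
  max-sessions:
  prealloc-sessions: 32768
  midstream: false
  async-oneside: false
  max-synack-queued: 5

# NOTE(review): this key sits at the top level rather than under stream;
# confirm the Suricata version in use reads it here, otherwise these
# reassembly limits are silently ignored.
reassembly:
  memcap: 67108864
  depth: 1048576
  toserver-chunk-size: 2560
  toclient-chunk-size: 2560

# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 33554432

# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
  bsd: [0.0.0.0/0]

# Logging configuration.  This is not about logging IDS alerts, but
# IDS output about what it's doing, errors, etc.
logging:

  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info
  default-log-format: "%t - <%d> -- "

  # Define your logging outputs.
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        filename: /var/log/suricata/suricata_ix120934/suricata.log
    - syslog:
        enabled: no
        # NOTE(review): "off" is a boolean literal under the %YAML 1.1
        # directive; inert while this output is disabled, but quote it if a
        # generic YAML tool ever processes this file.
        facility: off
        format: "[%i] <%d> -- "

# IPS Mode Configuration
# PCAP
pcap:
  - interface: ix1
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

default-rule-path: /usr/local/etc/suricata/suricata_20934_ix1/rules
rule-files:
  - suricata.rules
  - flowbit-required.rules

classification-file: /usr/local/etc/suricata/suricata_20934_ix1/classification.config
reference-config-file: /usr/local/etc/suricata/suricata_20934_ix1/reference.config

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  # EXTERNAL_NET is the negation of every HOME_NET entry; the two lists
  # must be kept in step when HOME_NET changes.
  address-groups:
    HOME_NET: "[1.1.1.0/24,8.8.8.8/32,10.10.10.0/24,10.10.10.14/32,127.0.0.1/32,192.168.1.1/32,192.168.1.3/32,::1/128,fe80::ec4:7aff:fe90:a28/128,fe80::ec4:7aff:fe90:aec/128,fe80::ec4:7aff:fe90:aed/128]"
    EXTERNAL_NET: "[!1.1.1.0/24,!8.8.8.8/32,!10.10.10.0/24,!10.10.10.14/32,!127.0.0.1/32,!192.168.1.1/32,!192.168.1.3/32,!::1/128,!fe80::ec4:7aff:fe90:a28/128,!fe80::ec4:7aff:fe90:aec/128,!fe80::ec4:7aff:fe90:aed/128]"
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    AIM_SERVERS: "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"

# Set the order of alerts based on actions
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation (not configured for this instance)

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      # no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 67108864

###########################################################################
# Configure libhtp.
libhtp:
  default-config:
    personality: IDS
    request-body-limit: 4096
    response-body-limit: 4096
    double-decode-path: no
    double-decode-query: no
    uri-include-all: no

# NOTE(review): the advanced configuration pass-through block is presumably
# meant to be emitted here; this file contains none (see bug #7278).

coredump:
  max-dump: unlimited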