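%YAML 1.1
---

# Upper bound on packets held in the engine's packet pool at any moment.
max-pending-packets: 1024

# Runmode the engine should use.
runmode: autofp

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: active-packets

# Daemon working directory. The rule set, threshold config, classification
# data and the alert-pf pass-list referenced further down are all read from
# under this path, so write access here is write access to detection (and,
# if alert-pf is ever enabled, blocking) policy -- restrict it accordingly.
daemon-directory: /usr/local/etc/suricata/suricata_20934_ix1

# Preallocated per-packet buffer size: 1514 = 1500-byte MTU + 14-byte
# Ethernet header. Raise it if ix1 carries 802.1Q-tagged or jumbo frames.
default-packet-size: 1514

# The default logging directory. Every relative output filename below
# (alerts.log, http.log, eve.json, ...) resolves here.
default-log-dir: /var/log/suricata/suricata_ix120934
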
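# Configure the type of alert (and other) logging.
outputs:

  # alert-pf blocking plugin. Disabled, so this instance is detect-only.
  # If it is turned on: block-ip BOTH inserts *both* endpoints of an
  # alerting flow into the 'snort2c' pf table, so an inbound attack against
  # a HOME_NET host would also block that host unless the pass-list covers
  # it. kill-state additionally tears down existing pf state for the
  # blocked address. Review the pass-list before enabling.
  - alert-pf:
      enabled: no
      kill-state: yes
      pass-list: /usr/local/etc/suricata/suricata_20934_ix1/passlist
      block-ip: BOTH
      pf-table: snort2c

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alerts.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2 (off; X-Forwarded-For handling off)
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no

  # Per-transaction HTTP log; extended: yes adds further request/response
  # fields to each record.
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  # Full packet capture to disk (off). Rotates at 32mb, keeps up to 1000 files.
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  # Writes observed certificates to disk (off).
  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: no
      filename: stats.log
      interval: 10
      append: no

  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice

  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  # File extraction to disk (off).
  - file-store:
      enabled: no
      log-dir: files
      force-magic: no
      force-md5: no
      waldo: file.waldo

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      force-md5: no

  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      filetype: regular

  # Extensible Event Format (JSON) log. identity/facility/level are
  # presumably only consulted for type: syslog and inert with type: file.
  - eve-log:
      enabled: yes
      type: file
      filename: eve.json
      identity: "suricata"
      facility: local1
      level: info
      types:
        # NOTE(review): payload, payload-printable and packet are all on, so
        # every alert record carries the raw bytes that triggered it --
        # credentials, cookies/session tokens and any other cleartext in the
        # flow end up verbatim in eve.json. Treat the file (and anything
        # that ships it off-box) as sensitive and restrict default-log-dir.
        - alert:
            payload: yes  # enable dumping payload in Base64
            payload-printable: yes  # enable dumping payload in printable (lossy) format
            packet: yes  # enable dumping of packet (without stream segments)
            http: yes  # enable dumping of http fields
            tls: yes  # enable dumping of tls fields
            ssh: yes  # enable dumping of ssh fields
            smtp: yes  # enable dumping of smtp fields
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
            force-md5: no
        - ssh
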
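# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic

# Specify a threshold config file. Threshold/suppress entries in it silence
# or rate-limit alerts, so changes to it deserve the same review as rule
# changes.
threshold-file: /usr/local/etc/suricata/suricata_20934_ix1/threshold.config
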
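# Detection engine tuning.
detect-engine:
  # Signature-group profile; 'high' presumably trades memory for matching
  # speed -- confirm against this version's documentation.
  - profile: high
  - sgh-mpm-context: auto
  # Cap on nested content-inspection recursion per buffer; bounds the
  # worst-case cost of matching one packet against a pathological rule.
  - inspection-recursion-limit: 3000
  # Rules are loaded before capture starts, so there is no detection gap
  # during start-up (delayed-detect: yes would start capture first).
  - delayed-detect: no
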
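# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  # Number of detect threads relative to the CPU count (autofp runmode).
  detect-thread-ratio: 1.5

# Multi-pattern matcher used for rule fast-patterns: Aho-Corasick.
mpm-algo: ac

# Per-matcher parameters. Presumably only the matcher selected by mpm-algo
# reads its entry; with 'ac' the blocks below are inert unless that changes.
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
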
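# Defrag settings: IP fragment reassembly ahead of inspection.
defrag:
  memcap: 33554432  # 32 MiB ceiling for fragment tracking
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60  # seconds an incomplete datagram is kept before it is discarded
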
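# Flow settings:
flow:
  memcap: 33554432  # 32 MiB for the flow table
  hash-size: 65536
  prealloc: 10000
  # Emergency mode is presumably entered when memcap is reached;
  # emergency-recovery is the percentage of flows that must be freed before
  # leaving it and prune-flows how many flows are pruned per pass meanwhile.
  # TODO confirm against this version's flow engine.
  emergency-recovery: 30
  prune-flows: 5

# Specific timeouts for flows (seconds). The emergency-* values replace the
# normal ones while the flow engine is under memcap pressure, ageing flows out
# much faster -- so a peer that can fill the flow table can also shorten how
# long any session stays tracked. Size memcap with that in mind.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
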
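# TCP stream tracking and reassembly.
stream:
  memcap: 83886080  # 80 MiB
  # NOTE(review): with checksum validation off, segments whose TCP/IP
  # checksum is wrong -- which the receiving host will discard -- are still
  # fed into reassembly and inspected, so a sender can insert bogus segments
  # to desynchronise what the sensor sees from what the endpoint accepts.
  # The usual reason to disable it is NIC checksum offload making captured
  # checksums look bad; if offload is disabled on ix1, turn validation on.
  checksum-validation: no
  inline: auto
  # Left empty: the loader presumably falls back to its built-in session
  # limit (and may log an error at start-up) -- TODO confirm for this
  # version, or set an explicit value.
  max-sessions:
  prealloc-sessions: 32768
  # Only sessions whose handshake was observed are tracked: connections
  # already established when the engine starts, or seen one-sided, are
  # presumably not reassembled or inspected.
  midstream: false
  async-oneside: false
  max-synack-queued: 5

  reassembly:
    memcap: 67108864  # 64 MiB
    # Only the first 1 MiB of a stream (presumably per direction) is
    # reassembled for inspection; content beyond that is not examined.
    depth: 1048576
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
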
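# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 33554432  # 32 MiB

# Host specific policies for defragmentation and TCP stream reassembly.
# NOTE(review): every address (0.0.0.0/0) is handled with the BSD policy.
# Overlapping TCP segments and IP fragments are resolved differently by
# Windows, Linux and BSD stacks, so for any non-BSD host in HOME_NET the
# stream the sensor reconstructs can differ from the one that host actually
# accepts -- a classic IDS evasion. Add entries (windows: [...], linux: [...])
# for the real operating systems of the protected hosts.
host-os-policy:
  bsd: [0.0.0.0/0]
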
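# Logging configuration. This is not about logging IDS alerts, but
# IDS output about what it is doing, errors, etc.
logging:

  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info
  default-log-format: "%t - <%d> -- "

  # Define your logging outputs.
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        filename: /var/log/suricata/suricata_ix120934/suricata.log
    - syslog:
        enabled: no
        # 'off' is a YAML 1.1 boolean to generic parsers; the engine's loader
        # appears to keep scalars as text, and the output is disabled anyway.
        facility: off
        format: "[%i] <%d> -- "
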
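# IPS Mode Configuration
# PCAP
# Passive libpcap capture on ix1 in promiscuous mode. Nothing here puts the
# engine inline; blocking, if wanted, comes from the alert-pf output above
# (currently disabled), not from rule actions.
pcap:
  - interface: ix1
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

# Rule set. Both files are loaded from default-rule-path; whoever can write
# there controls what this sensor detects.
default-rule-path: /usr/local/etc/suricata/suricata_20934_ix1/rules
rule-files:
  - suricata.rules
  - flowbit-required.rules

classification-file: /usr/local/etc/suricata/suricata_20934_ix1/classification.config
reference-config-file: /usr/local/etc/suricata/suricata_20934_ix1/reference.config
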
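# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  # NOTE(review): HOME_NET contains publicly routable addresses
  # (1.1.1.0/24, 8.8.8.8/32) next to RFC 1918 space, loopback and link-local
  # IPv6. EXTERNAL_NET is literally the negation of that list, so traffic
  # to/from those public addresses is treated as internal: a rule written as
  # "$EXTERNAL_NET any -> $HOME_NET any" can never fire for it, and every
  # *_SERVERS group below (DNS_SERVERS, HTTP_SERVERS, ...) inherits them.
  # Confirm they are intended (e.g. configured upstream resolvers) and not a
  # leftover.
  address-groups:
    HOME_NET: "[1.1.1.0/24,8.8.8.8/32,10.10.10.0/24,10.10.10.14/32,127.0.0.1/32,192.168.1.1/32,192.168.1.3/32,::1/128,fe80::ec4:7aff:fe90:a28/128,fe80::ec4:7aff:fe90:aec/128,fe80::ec4:7aff:fe90:aed/128]"
    EXTERNAL_NET: "[!1.1.1.0/24,!8.8.8.8/32,!10.10.10.0/24,!10.10.10.14/32,!127.0.0.1/32,!192.168.1.1/32,!192.168.1.3/32,!::1/128,!fe80::ec4:7aff:fe90:a28/128,!fe80::ec4:7aff:fe90:aec/128,!fe80::ec4:7aff:fe90:aed/128]"
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    AIM_SERVERS: "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"

  # Holds the port group vars that would be passed in a Signature.
  # HTTP_PORTS is only 80: rules scoped to $HTTP_PORTS (and FILE_DATA_PORTS,
  # which expands it) will not match HTTP served on 8080/8000/8443 etc.
  # Extend it if HOME_NET hosts serve HTTP elsewhere; SHELLCODE_PORTS is
  # its complement and shrinks accordingly.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"
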
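# Set the order of alerts based on actions. 'pass' is evaluated first, so a
# matching pass rule suppresses any drop/reject/alert for that packet --
# pass rules are effectively allow-list entries and should be reviewed as
# such.
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation
# (not configured on this instance)

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Recursion and match limits for PCRE where supported. These bound regex
# backtracking, so a single pathological pcre (or input crafted to trigger
# it) cannot stall a detect thread (ReDoS). Keep them set.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
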
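# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    tls:
      enabled: yes
      # Port hint for TLS detection. TLS on other ports (8443, 993, 465,
      # 636, ...) presumably depends on the engine's pattern-based protocol
      # detection rather than this hint -- verify coverage if such services
      # sit in HOME_NET.
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    # detection-only: the protocol is identified for rule matching but not
    # parsed.
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      # NOTE(review): only TCP/139 is listed; SMB on TCP/445 is not covered
      # by this hint -- confirm that is intended for this segment.
      detection-ports:
        dp: 139
    dns:
      global-memcap: 16777216  # 16 MiB across all DNS state
      state-memcap: 524288  # 512 KiB per flow
      # Unanswered requests on a flow before it is presumably flagged as a
      # DNS flood (app-layer-event).
      request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 67108864  # 64 MiB

      ###########################################################################
      # Configure libhtp.
      libhtp:
        default-config:
          personality: IDS
          # Only the first 4 KiB of each request and response body is
          # buffered for inspection; rules on body content beyond that
          # offset will not match. Raise these if body inspection matters.
          request-body-limit: 4096
          response-body-limit: 4096
          # URI path/query are decoded once; double-encoded sequences are
          # left as-is for rule matching.
          double-decode-path: no
          double-decode-query: no
          uri-include-all: no
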
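# NOTE(review): core dumps are unlimited. A core of this process contains
# the packet pool, reassembled streams and whatever else is in memory --
# the same sensitive content as the eve payload logs -- and lands in the
# working directory (presumably daemon-directory). Restrict that
# directory, or cap this outside of active debugging.
coredump:
  max-dump: unlimited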