%YAML 1.1
---
# Suricata engine configuration for the pfSense-managed instance on interface ix1
# (working directory suricata_20934_ix1). Values are consumed by Suricata's own
# YAML loader, which reads scalars as strings, so the yes/no spellings used
# throughout are interpreted by Suricata rather than by generic YAML 1.1 typing.

max-pending-packets: 1024

# Runmode the engine should use.
runmode: autofp

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: active-packets

# Daemon working directory
daemon-directory: /usr/local/etc/suricata/suricata_20934_ix1

default-packet-size: 1514

# The default logging directory.
# NOTE(review): the log directory (suricata_ix120934) and the working
# directory (suricata_20934_ix1) use different naming — confirm both exist
# and are writable only by the Suricata user, since logs below contain payloads.
default-log-dir: /var/log/suricata/suricata_ix120934

# Configure the type of alert (and other) logging.
outputs:

  # alert-pf blocking plugin (disabled: this instance only alerts, it does not block)
  - alert-pf:
      enabled: no
      kill-state: yes
      pass-list: /usr/local/etc/suricata/suricata_20934_ix1/passlist
      block-ip: BOTH
      pf-table: snort2c

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alerts.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: no
      filename: unified2.alert
      limit: 32mb
      sensor-id: 0
      xff:
        enabled: no

  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes
      filetype: regular

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 32mb
      max-files: 1000
      mode: normal

  - tls-log:
      enabled: no
      filename: tls.log
      extended: yes

  - tls-store:
      enabled: no
      certs-log-dir: certs

  - stats:
      enabled: no
      filename: stats.log
      interval: 10
      append: no

  - syslog:
      enabled: no
      identity: suricata
      facility: local1
      level: notice

  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  - file-store:
      enabled: no
      log-dir: files
      force-magic: no
      force-md5: no
      waldo: file.waldo

  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      filetype: regular
      force-magic: no
      force-md5: no

  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      filetype: regular

  # JSON event log. With payload/packet dumping enabled below, eve.json will
  # contain raw traffic content (which may include credentials or personal
  # data); treat the log directory and any log shipping with that in mind.
  - eve-log:
      enabled: yes
      type: file
      filename: eve.json
      identity: "suricata"   # identity/facility/level only apply to the syslog type
      facility: local1
      level: info
      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            http: yes                # enable dumping of http fields
            tls: yes                 # enable dumping of tls fields
            ssh: yes                 # enable dumping of ssh fields
            smtp: yes                # enable dumping of smtp fields
        - http:
            extended: yes
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
            force-md5: no
        - ssh

# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic

# Specify a threshold config file
threshold-file: /usr/local/etc/suricata/suricata_20934_ix1/threshold.config

detect-engine:
  - profile: high
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  - delayed-detect: no

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5

mpm-algo: ac

# Per-algorithm tuning for the legacy pattern matchers; only the one selected
# by mpm-algo (ac) is in use, so these entries are presumably inert.
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

# Defrag settings:
defrag:
  memcap: 33554432
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Flow settings:
flow:
  memcap: 33554432
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  prune-flows: 5

# Specific timeouts for flows.
# Flow timeouts in seconds, per protocol; the emergency-* values apply once the
# flow memcap is hit and the engine enters emergency mode.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

# TCP stream tracking and reassembly.
stream:
  memcap: 83886080
  # NOTE(review): with checksum validation off, segments carrying bad checksums
  # are still tracked and reassembled — confirm this is intended for this
  # sensor (the pcap capture below uses checksum-checks: auto).
  checksum-validation: no
  inline: auto
  # NOTE(review): empty value, parsed as null; confirm the Suricata release in
  # use still accepts (or ignores) max-sessions — later releases dropped it.
  max-sessions:
  prealloc-sessions: 32768
  # midstream/async-oneside use false where the rest of the file uses no;
  # Suricata accepts both spellings, so the mix is cosmetic.
  midstream: false
  async-oneside: false
  max-synack-queued: 5
  reassembly:
    memcap: 67108864
    # Reassembly depth per stream in bytes (1 MiB); data beyond it in a stream
    # is not inspected by stream-based rules.
    depth: 1048576
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 33554432

# Host specific policies for defragmentation and TCP stream reassembly.
# NOTE(review): every address (0.0.0.0/0) is given the bsd policy; if the
# hosts protected behind ix1 run other operating systems, confirm this is
# intended, since a mismatched reassembly policy can resolve overlapping
# segments differently from the endpoint.
host-os-policy:
  bsd: [0.0.0.0/0]

# Logging configuration.  This is not about logging IDS alerts, but
# IDS output about what it is doing, errors, etc.
logging:
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info
  default-log-format: "%t - <%d> -- "

  # Define your logging outputs.
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        filename: /var/log/suricata/suricata_ix120934/suricata.log
    - syslog:
        enabled: no
        facility: off   # inert while enabled is no
        format: "[%i] <%d> -- "

# IPS Mode Configuration

# PCAP
pcap:
  - interface: ix1
    checksum-checks: auto
    promisc: yes

legacy:
  uricontent: enabled

default-rule-path: /usr/local/etc/suricata/suricata_20934_ix1/rules
rule-files:
  - suricata.rules
  - flowbit-required.rules

classification-file: /usr/local/etc/suricata/suricata_20934_ix1/classification.config
reference-config-file: /usr/local/etc/suricata/suricata_20934_ix1/reference.config

# Holds variables that would be used by the engine.
vars:
  # Holds the address group vars that would be passed in a Signature.
  # NOTE(review): HOME_NET includes publicly routable addresses (1.1.1.0/24,
  # 8.8.8.8/32) alongside the local ranges, and EXTERNAL_NET is its exact
  # negation, so rules keyed on $EXTERNAL_NET will not match traffic from
  # those hosts — confirm that is intended.
  address-groups:
    HOME_NET: "[1.1.1.0/24,8.8.8.8/32,10.10.10.0/24,10.10.10.14/32,127.0.0.1/32,192.168.1.1/32,192.168.1.3/32,::1/128,fe80::ec4:7aff:fe90:a28/128,fe80::ec4:7aff:fe90:aec/128,fe80::ec4:7aff:fe90:aed/128]"
    EXTERNAL_NET: "[!1.1.1.0/24,!8.8.8.8/32,!10.10.10.0/24,!10.10.10.14/32,!127.0.0.1/32,!192.168.1.1/32,!192.168.1.3/32,!::1/128,!fe80::ec4:7aff:fe90:a28/128,!fe80::ec4:7aff:fe90:aec/128,!fe80::ec4:7aff:fe90:aed/128]"
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    FTP_SERVERS: "$HOME_NET"
    SSH_SERVERS: "$HOME_NET"
    AIM_SERVERS: "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"

  # Holds the port group vars that would be passed in a Signature.
  # Port values are quoted so that "!80" and comma lists stay strings.
  port-groups:
    FTP_PORTS: "21"
    HTTP_PORTS: "80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    SHELLCODE_PORTS: "!80"
    DNP3_PORTS: "20000"
    FILE_DATA_PORTS: "$HTTP_PORTS,110,143"

# Set the order of alerts based on actions
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each protocol.
# Application-layer parsers and the ports on which protocol detection is
# attempted. detection-only means the protocol is recognised but not parsed.
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    dns:
      global-memcap: 16777216
      state-memcap: 524288
      # Per-flow cap on outstanding DNS requests before the parser stops
      # accepting new ones (a bound on parser state growth).
      request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 67108864

###########################################################################
# Configure libhtp.
libhtp:
  default-config:
    personality: IDS
    # NOTE(review): request and response bodies are only buffered up to 4096
    # bytes per direction; HTTP body content past that is not available to
    # body-matching rules or file extraction. Confirm this low limit is
    # deliberate rather than a carried-over default.
    request-body-limit: 4096
    response-body-limit: 4096
    double-decode-path: no
    double-decode-query: no
    uri-include-all: no

# NOTE(review): an unlimited core dump of the engine will include buffered
# packet and payload data; confirm the dump location has the same access
# restrictions as the log directory.
coredump:
  max-dump: unlimited