%YAML 1.1 --- max-pending-packets: 1024 # Runmode the engine should use. runmode: autofp # If set to auto, the variable is internally switched to 'router' in IPS # mode and 'sniffer-only' in IDS mode. host-mode: auto # Specifies the kind of flow load balancer used by the flow pinned autofp mode. autofp-scheduler: active-packets # Daemon working directory daemon-directory: /usr/local/etc/suricata/suricata_39900_ix1 default-packet-size: 1514 # The default logging directory. default-log-dir: /var/log/suricata/suricata_ix139900 # global stats configuration stats: enabled: no interval: 10 #decoder-events: true decoder-events-prefix: "decoder.event" #stream-events: false # Configure the type of alert (and other) logging. outputs: # alert-pf blocking plugin - alert-pf: enabled: no kill-state: yes block-drops-only: no pass-list: /usr/local/etc/suricata/suricata_39900_ix1/passlist block-ip: BOTH pf-table: snort2c # a line based alerts log similar to Snort's fast.log - fast: enabled: yes filename: alerts.log append: yes filetype: regular # alert output for use with Barnyard2 - unified2-alert: enabled: no filename: unified2.alert limit: 32mb sensor-id: 0 xff: enabled: no - http-log: enabled: yes filename: http.log append: yes extended: yes filetype: regular - pcap-log: enabled: no filename: log.pcap limit: 32mb max-files: 1000 mode: normal - tls-log: enabled: no filename: tls.log extended: yes - tls-store: enabled: no certs-log-dir: certs - stats: enabled: yes filename: stats.log append: no totals: yes threads: no #null-values: yes - syslog: enabled: yes identity: suricata facility: local7 level: alert - drop: enabled: no filename: drop.log append: yes filetype: regular - file-store: version: 2 enabled: no dir: filestore force-magic: no #force-hash: [md5] #waldo: file.waldo - file-log: enabled: no filename: files-json.log append: yes filetype: regular force-magic: no #force-hash: [md5] - eve-log: enabled: no filetype: regular filename: eve.json redis: server: 127.0.0.1 port: 6379 mode: list key: "suricata" identity: "suricata" facility: local1 level: notice xff: enabled: no mode: extra-data deployment: reverse header: X-Forwarded-For types: - alert: payload: yes # enable dumping payload in Base64 payload-buffer-size: 4kb # max size of payload buffer to output in eve-log payload-printable: yes # enable dumping payload in printable (lossy) format packet: yes # enable dumping of packet (without stream segments) http-body: yes # enable dumping of http body in Base64 http-body-printable: yes # enable dumping of http body in printable format metadata: yes # enable inclusion of app layer metadata with alert tagged-packets: yes # enable logging of tagged packets for rules using the 'tag' keyword - http: extended: yes custom: [accept, accept-charset, accept-datetime, accept-encoding, accept-language, accept-range, age, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, dnt, etags, from, last-modified, link, location, max-forwards, origin, pragma, proxy-authenticate, proxy-authorization, range, referrer, refresh, retry-after, server, set-cookie, te, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate, x-authenticated-user, x-flash-version, x-forwarded-proto, x-requested-with] - dns: version: 2 query: yes answer: yes - tls: extended: yes - dhcp: extended: no - files: force-magic: no - ssh - nfs - smb - krb5 - ikev2 - tftp - smtp: extended: yes custom: [bcc, received, reply-to, x-mailer, x-originating-ip] md5: [subject] # Magic file. The extension .mgc is added to the value here. magic-file: /usr/share/misc/magic # GeoLite2 IP geo-location database file path and filename. geoip-database: /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb # Specify a threshold config file threshold-file: /usr/local/etc/suricata/suricata_39900_ix1/threshold.config detect-engine: - profile: medium - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - delayed-detect: no # Suricata is multi-threaded. Here the threading can be influenced. threading: set-cpu-affinity: no detect-thread-ratio: 1.0 # Luajit has a strange memory requirement, it's 'states' need to be in the # first 2G of the process' memory. # # 'luajit.states' is used to control how many states are preallocated. # State use: per detect script: 1 per detect thread. Per output script: 1 per # script. luajit: states: 128 # Multi pattern algorithm # The default mpm-algo value of "auto" will use "hs" if Hyperscan is # available, "ac" otherwise. mpm-algo: auto # Single pattern algorithm # The default of "auto" will use "hs" if available, otherwise "bm". spm-algo: auto # Defrag settings: defrag: memcap: 33554432 hash-size: 65536 trackers: 65535 max-frags: 65535 prealloc: yes timeout: 60 # Flow settings: flow: memcap: 33554432 hash-size: 65536 prealloc: 10000 emergency-recovery: 30 prune-flows: 5 # This option controls the use of vlan ids in the flow (and defrag) # hashing. vlan: use-for-tracking: true # Specific timeouts for flows. flow-timeouts: default: new: 30 established: 300 closed: 0 emergency-new: 10 emergency-established: 100 emergency-closed: 0 tcp: new: 60 established: 3600 closed: 120 emergency-new: 10 emergency-established: 300 emergency-closed: 20 udp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 icmp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 stream: memcap: 268435456 checksum-validation: no inline: auto prealloc-sessions: 32768 midstream: false async-oneside: false max-synack-queued: 5 reassembly: memcap: 67108864 depth: 1048576 toserver-chunk-size: 2560 toclient-chunk-size: 2560 # Host table is used by tagging and per host thresholding subsystems. host: hash-size: 4096 prealloc: 1000 memcap: 33554432 # Host specific policies for defragmentation and TCP stream reassembly. host-os-policy: bsd: [0.0.0.0/0] # Logging configuration. This is not about logging IDS alerts, but # IDS output about what its doing, errors, etc. logging: # This value is overriden by the SC_LOG_LEVEL env var. default-log-level: info default-log-format: "%t - <%d> -- " # Define your logging outputs. outputs: - console: enabled: yes - file: enabled: yes filename: /var/log/suricata/suricata_ix139900/suricata.log - syslog: enabled: no facility: off format: "[%i] <%d> -- " # IPS Mode Configuration # PCAP pcap: - interface: ix1 checksum-checks: auto promisc: yes snaplen: 1518 legacy: uricontent: enabled default-rule-path: /usr/local/etc/suricata/suricata_39900_ix1/rules rule-files: - suricata.rules - flowbit-required.rules classification-file: /usr/local/etc/suricata/suricata_39900_ix1/classification.config reference-config-file: /usr/local/etc/suricata/suricata_39900_ix1/reference.config # Holds variables that would be used by the engine. vars: # Holds the address group vars that would be passed in a Signature. address-groups: HOME_NET: "[10.40.1.1/16, 10.40.208.0/24, 38.142.20.8/29, 38.142.20.11/29, 66.28.0.45/32, 66.28.0.61/32, 68.105.28.16/32, 68.105.29.16/32, 127.0.0.1/32, 184.186.253.161/32, 184.186.253.162/27, 184.186.253.163/32, 192.168.2.0/24, ::1/128, fe80::ae1f:6bff:fea0:2e86/128, fe80::ae1f:6bff:fea0:2e87/128, fe80::ae1f:6bff:fea0:f1f0/128, fe80::ae1f:6bff:fea0:f1f1/128]" EXTERNAL_NET: "[!10.40.1.1/16, !10.40.208.0/24, !38.142.20.8/29, !38.142.20.11/29, !66.28.0.45/32, !66.28.0.61/32, !68.105.28.16/32, !68.105.29.16/32, !127.0.0.1/32, !184.186.253.161/32, !184.186.253.162/27, !184.186.253.163/32, !192.168.2.0/24, !::1/128, !fe80::ae1f:6bff:fea0:2e86/128, !fe80::ae1f:6bff:fea0:2e87/128, !fe80::ae1f:6bff:fea0:f1f0/128, !fe80::ae1f:6bff:fea0:f1f1/128]" DNS_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" HTTP_SERVERS: "$HOME_NET" SQL_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_SERVER: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" ENIP_SERVER: "$HOME_NET" ENIP_CLIENT: "$HOME_NET" FTP_SERVERS: "$HOME_NET" SSH_SERVERS: "$HOME_NET" AIM_SERVERS: "64.12.24.0/23, 64.12.28.0/23, 64.12.161.0/24, 64.12.163.0/24, 64.12.200.0/24, 205.188.3.0/24, 205.188.5.0/24, 205.188.7.0/24, 205.188.9.0/24, 205.188.153.0/24, 205.188.179.0/24, 205.188.248.0/24" SIP_SERVERS: "$HOME_NET" # Holds the port group vars that would be passed in a Signature. port-groups: FTP_PORTS: "21" HTTP_PORTS: "80" ORACLE_PORTS: "1521" SSH_PORTS: "22" SHELLCODE_PORTS: "!80" DNP3_PORTS: "20000" FILE_DATA_PORTS: "$HTTP_PORTS, 110, 143" SIP_PORTS: "5060, 5061, 5600" # Set the order of alerts based on actions action-order: - pass - drop - reject - alert # IP Reputation # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 engine-analysis: rules-fast-pattern: yes rules: yes #recursion and match limits for PCRE where supported pcre: match-limit: 3500 match-limit-recursion: 1500 # Holds details on the app-layer. The protocols section details each protocol. app-layer: protocols: dcerpc: enabled: yes dhcp: enabled: yes dnp3: enabled: yes detection-ports: dp: 20000 dns: global-memcap: 16777216 state-memcap: 524288 request-flood: 500 tcp: enabled: yes detection-ports: dp: 53 udp: enabled: yes detection-ports: dp: 53 ftp: enabled: yes http: enabled: yes memcap: 67108864 ikev2: enabled: yes imap: enabled: detection-only krb5: enabled: yes modbus: enabled: yes request-flood: 500 detection-ports: dp: 502 stream-depth: 0 msn: enabled: detection-only nfs: enabled: yes ntp: enabled: yes tls: enabled: yes detection-ports: dp: 443 ja3-fingerprints: off encrypt-handling: default smb: enabled: yes detection-ports: dp: 139, 445 smtp: enabled: yes mime: decode-mime: no decode-base64: yes decode-quoted-printable: yes header-value-depth: 2000 extract-urls: yes body-md5: no inspected-tracker: content-limit: 100000 content-inspect-min-size: 32768 content-inspect-window: 4096 ssh: enabled: yes tftp: enabled: yes ########################################################################### # Configure libhtp. libhtp: default-config: personality: IDS request-body-limit: 4096 response-body-limit: 4096 meta-field-limit: 18432 double-decode-path: no double-decode-query: no uri-include-all: no coredump: max-dump: unlimited # Suricata user pass through configuration