%YAML 1.1
---
# Suricata engine configuration. The file was collapsed onto a handful of
# very long lines; this is the same configuration laid out in block style so
# the nesting is visible. Values are unchanged. Suricata reads yes/no and
# true/false scalars itself, so the YAML 1.1 directive is kept as-is.
suricata-version: "7.0"

# Variables referenced from rules ($HOME_NET, $HTTP_PORTS, ...). Every rule
# that keys on these groups is only as precise as the definitions below, so
# HOME_NET should be narrowed to the networks actually being monitored rather
# than left at the full RFC1918 space.
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"  # everything that is not HOME_NET
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544

# Base directory for every relative log filename below.
default-log-dir: /var/log/suricata/

# Periodic engine counters (also feed the eve "stats" record type).
stats:
  enabled: yes
  interval: 8

plugins:

# Output modules. Only fast.log, eve.json and stats.log are active here;
# every other sink is present but disabled.
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Primary structured log consumed by SIEM / detection pipelines.
  - eve-log:
      enabled: yes
      filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      pcap-file: false
      community-id: false  # per-flow hash for cross-tool correlation; off here
      community-id-seed: 0
      # X-Forwarded-For handling; disabled, so alerts behind a reverse proxy
      # carry the proxy address, not the original client.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            tagged-packets: yes
        - frame:
            enabled: no  # very verbose when on
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes  # enable this for extended logging information
        - dns:
        - tls:
            extended: yes  # enable this for extended logging information
        - files:
            force-magic: no  # force logging magic on all logged files
        - smtp:
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic:
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - pgsql:
            enabled: no
        - stats:
            totals: yes  # stats for all threads merged together
            threads: no  # per thread stats
            deltas: no  # include delta values
        - flow

  - http-log:
      enabled: no
      filename: http.log
      append: yes

  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log  # File to store TLS logs.
      append: yes

  - tls-store:
      enabled: no

  # Full packet capture to disk; disabled. If enabled, the limit/max-files
  # pair bounds disk use (here 2000 files of 1000mb).
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      compression: none
      mode: normal  # normal, multi or sguil.
      use-stream-depth: no  # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no  # If set to "yes", flows in which a pass rule matched will stop being logged.

  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - stats:
      enabled: yes
      filename: stats.log
      append: yes  # append to file (yes) or overwrite it (no)
      totals: yes  # stats for all threads merged together
      threads: no  # per thread stats

  - syslog:
      enabled: no
      facility: local5

  # Extracted-file storage; disabled.
  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  - lua:
      enabled: no
      scripts:

# Engine (not traffic) logging.
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        level: info
        filename: suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "

# Capture methods. Which one is used is selected on the command line; the
# "default" entries apply to interfaces not listed explicitly.
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default

af-xdp:
  - interface: default

dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0  # PCIe address of the NIC port
      threads: auto
      promisc: true  # promiscuous mode - capture all packets
      multicast: true  # enables also detection on multicast packets
      checksum-checks: true  # if Suricata should validate checksums
      checksum-checks-offload: true  # if possible offload checksum validation to the NIC (saves Suricata resources)
      mtu: 1500  # Set MTU of the device in bytes
      mempool-size: 65535  # The number of elements in the mbuf pool
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none  # or PCIe address of the second interface
    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      rss-hash-functions: auto
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none

pcap:
  - interface: eth0
  - interface: default

pcap-file:
  checksum-checks: auto

# Application-layer parsers. A parser that is off is invisible to both
# protocol-specific rules and eve logging for that protocol.
app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          # Body inspection limits: bytes beyond these are not inspected,
          # which is a trade-off between coverage and memory/CPU.
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: no
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          double-decode-path: no
          double-decode-query: no
        server-config:
    # ICS/SCADA parsers are off; enable only where that traffic is expected.
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    quic:
      enabled: yes
    dhcp:
      enabled: yes
    sip:

asn1-max-frames: 256

datasets:
  defaults:
  rules:

# Process hardening.
security:
  limit-noproc: true  # engine is blocked from spawning child processes
  # Landlock filesystem sandbox; currently off. When enabled, the engine's
  # file access is limited to the listed directories.
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
  lua:

coredump:
  max-dump: unlimited

host-mode: auto

# Control socket (suricatasc); "auto" leaves the decision to the engine.
unix-command:
  enabled: auto

legacy:
  uricontent: enabled

exception-policy: auto

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# PCRE backtracking caps; guard against pathological rule regexes.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Target-based reassembly policy. With windows: [0.0.0.0/0] every host is
# reassembled with Windows semantics unless listed elsewhere.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535  # number of defragmented flows to follow
  max-frags: 65535  # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

vlan:
  use-for-tracking: true

livedev:
  use-for-tracking: true

# Seconds before an idle flow is expired; "emergency-*" values apply once
# the flow memcap is under pressure.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

stream:
  memcap: 64mb
  checksum-validation: yes  # reject incorrect csums
  inline: auto  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb

# Tunnel decoders; port lists come from the port-groups above.
decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS  # syntax: '[3544, 1234]' or '3533' or 'any'.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS  # syntax: '[8472, 4789]' or '4789'.
  geneve:
    enabled: true
    ports: $GENEVE_PORTS  # syntax: '[6081, 1234]' or '6081'.

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false  # very verbose
      include-mpm-stats: false

mpm-algo: auto
spm-algo: auto

threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these CPUs in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0

luajit:
  states: 128

# Rule/keyword profiling output; only has an effect in a build compiled with
# profiling support.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes

nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

capture:

netmap:
  - interface: eth2
  - interface: default

pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default

ipfw:

napatech:
  streams: ["0-3"]
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1,2-3]
  hashmode: hash5tuplesorted

# Rule set and supporting files.
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config