├── .gitignore
├── LICENSE
├── README.rst
├── TODO
├── amsterdam
├── scripts
└── systemd
│ └── amsterdam.service
├── setup.py
└── src
├── __init__.py
├── amsterdam.py
├── config
├── logstash
│ ├── conf.d
│ │ └── logstash.conf
│ └── elasticsearch-template.json
├── nginx
│ └── amsterdam.conf
├── scirius
│ └── local_settings.py
└── suricata
│ ├── suricata.yaml
│ └── threshold.config
├── docker
├── elasticsearch
│ └── Dockerfile
└── kibana
│ └── Dockerfile
└── templates
├── docker-compose.yml.j2
└── ethtool.conf.j2
/.gitignore:
--------------------------------------------------------------------------------
1 | data/*
2 | *.swp
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
1 | **This repository is archived as `SELKS `_ is now based on Docker**
2 |
3 | =========
4 | Amsterdam
5 | =========
6 |
7 | Introduction
8 | ============
9 |
10 | Amsterdam is SELKS and Docker using Compose. The result of Amsterdam is a set of containers
11 | providing a complete Suricata IDS/NSM ecosystem:
12 |
13 | - Suricata
14 | - Elasticsearch
15 | - Logstash
16 | - Kibana
17 | - Scirius
18 | - Evebox (https://github.com/jasonish/evebox)
19 |
20 | The ELK stack is created using the official docker images. Communication between
21 | logstash and suricata is done via a share directory (from the host). The same
22 | applies to scirius and suricata where the `/etc/suricata/rules` directory is shared.
23 |
24 | Installation
25 | ============
26 |
27 | Generic
28 | -------
29 |
30 | You can install amsterdam from the source directory by running ::
31 |
32 | sudo python setup.py install
33 |
34 | Or you can use pip to install latest released version ::
35 |
36 | sudo pip install amsterdam
37 |
38 | Debian
39 | ------
40 |
41 | You need to install Docker. On Debian ::
42 |
43 | sudo apt-get install docker.io docker-compose python-pip python-docker
44 | sudo pip install amsterdam
45 |
46 | Ubuntu
47 | ------
48 |
49 | On Ubuntu, you can run ::
50 |
51 | sudo apt-get install docker.io python-pip
52 | sudo pip install amsterdam
53 |
54 | Usage
55 | =====
56 |
57 | To sniff the `wlan0` interface and store data and config in the `ams` directory,
58 | you can run ::
59 |
60 | amsterdam -d ams -i wlan0 setup
61 | amsterdam -d ams start
62 |
63 | As of now the start command will take really long on first run as it will fetch from Docker hub
64 | all the necessary images and build some custom containers.
65 |
66 | Subsequent run should take less than 1 minute.
67 |
68 | You can then connect to:
69 |
70 | - https://localhost/ on scirius with scirius/scirius as login/password
71 | - https://localhost/kibana/ on kibana
72 | - https://localhost/evebox/ on evebox
73 |
74 | The HTTPS server is accessible from outside so you can connect to IP or hostname from
75 | there. So don't forget to change the default password.
76 |
77 | To stop the amsterdam instance, run ::
78 |
79 | amsterdam -d ams stop
80 |
81 | To remove an amsterdam instance in directory hacklu, run ::
82 |
83 | amsterdam -d ~/builds/amsterdam/hacklu/ rm
84 |
85 | and remove the data directory if you want to delete data.
86 |
87 | Updating
88 | ========
89 |
90 | Updating amsterdam
91 | ------------------
92 |
93 | For installation done via setup.py, you can just update the source code and
94 | rerun the installation procedure ::
95 |
96 | git pull
97 | sudo python setup.py install
98 |
99 | For installation done via pip, one can run ::
100 |
101 | pip install --upgrade --no-deps amsterdam
102 |
103 | Updating an instance
104 | --------------------
105 |
106 | When code is updated (new suricata package or new ELK versions), you can run (supposing your
107 | suricata listen on eth0) ::
108 |
109 | amsterdam -d ams -i eth0 update
110 |
111 | Then, you can restart the services ::
112 |
113 | amsterdam -d ams restart
114 |
115 | To do a complete update including Docker recipes and configuration files ::
116 |
117 | amsterdam -d ams -f -i eth0 update
118 |
119 | Tuning and coding
120 | =================
121 |
122 | The configuration are stored in the config directory. For now only
123 | scirius, logstash and suricata are configured that way.
124 |
125 | Running Scirius from latest git
126 | -------------------------------
127 |
128 | To do so, simply edit docker-compose.yml in the data directory and uncomment and
129 | set the path to the scirius source tree. You will also need to copy the local_settings.py
130 | in config/scirius directory to in scirius subdirectory of your scirius source.
131 |
132 | Once done, you can restart the services ::
133 |
134 | amsterdam -d ams restart
135 |
136 | Run a migration inside the container ::
137 |
138 | docker exec ams_scirius_1 python /opt/selks/scirius/manage.py migrate
139 |
140 | Backup
141 | ======
142 | Backups in the scirius container are shared with the host. `/var/backups` directory is shared in `$basepath/backups` on the host.
143 |
144 | To start a backup, run ::
145 |
146 | docker exec ams_scirius_1 python /opt/selks/scirius/manage.py scbackup
147 |
148 | To restore a backup and erase all your data, you can run ::
149 |
150 | docker exec ams_scirius_1 python /opt/selks/scirius/manage.py screstore
151 | docker exec ams_scirius_1 python /opt/selks/scirius/manage.py migrate
152 |
153 | This will restore the latest backup. To choose another backup, indicate a backup filename as first argument.
154 | To get list of available backup, use ::
155 |
156 | docker exec ams_scirius_1 python /opt/selks/scirius/manage.py listbackups
157 |
158 | You can not restore a backup to a scirius which is older than the one where the backup has been done.
159 |
--------------------------------------------------------------------------------
/TODO:
--------------------------------------------------------------------------------
1 | - switch scirius to fastcgi
2 |
--------------------------------------------------------------------------------
/amsterdam:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # Copyright (C) 2015,2016 Stamus Networks
3 | #
4 | # You can copy, redistribute or modify this Program under the terms of
5 | # the GNU General Public License version 3 as published by the Free
6 | # Software Foundation.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # version 3 along with this program; if not, write to the Free Software
15 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
16 | # 02110-1301, USA.
17 |
18 | import sys
19 | import argparse
20 | import os.path
21 | from amsterdam import Amsterdam, AmsterdamException, AMSTERDAM_VERSION
22 |
23 | parser = argparse.ArgumentParser(description='Amsterdam, SELKS on docker')
24 | parser.add_argument('-i', '--iface', default=None, help='Host iface to sniff')
25 | parser.add_argument('-v', '--verbose', default=False, action="count", help="Show verbose output, use multiple times increase verbosity")
26 | parser.add_argument('-d', '--data', default=None, help='Directory to store generated data into (default to ./data)')
27 | parser.add_argument('-n', '--name', default=None, help='Set project name')
28 | parser.add_argument('-f', '--full', default=False, const=True, action='store_const', help="Do a full update of instance. This will erase any modified version of config and Dockerfile")
29 | parser.add_argument('command', metavar='command', nargs=1, help='Amsterdam command [setup|start|stop|restart|update|rm])', default=None)
30 | parser.add_argument('-V', '--version', action='version', version='%(prog)s ' + AMSTERDAM_VERSION)
31 |
32 | args = parser.parse_args()
33 |
34 | if args.command[0] not in ['setup', 'start', 'stop', 'restart', 'update', 'rm']:
35 | sys.stderr.write("Invalid command: '%s'\n" % args.command)
36 | sys.exit(-1)
37 |
38 | basepath = './data'
39 | if args.data:
40 | basepath = args.data
41 |
42 | if not args.name:
43 | args.name = os.path.basename(args.data)
44 |
45 | try:
46 | ams = Amsterdam(args.name, args.iface, basepath)
47 | except AmsterdamException as err:
48 | sys.stderr.write("%s\n" % (err))
49 | sys.exit(-1)
50 |
51 | if args.command[0] == 'setup':
52 | if args.iface == None:
53 | sys.stderr.write("You need to specify an interface with -i to setup the system\n")
54 | sys.exit(-1)
55 | if ams.setup(args) != 0:
56 | sys.exit(-1)
57 | if args.command[0] == 'start':
58 | try:
59 | if ams.start(args) != 0:
60 | sys.exit(-1)
61 | except KeyboardInterrupt:
62 | ams.stop(args)
63 | elif args.command[0] == 'stop':
64 | if ams.stop(args) != 0:
65 | sys.exit(-1)
66 | elif args.command[0] == 'restart':
67 | if ams.restart(args) != 0:
68 | sys.exit(-1)
69 | elif args.command[0] == 'update':
70 | if args.iface == None:
71 | sys.stderr.write("You need to specify an interface with -i to update the system\n")
72 | sys.exit(-1)
73 | if ams.update(args) != 0:
74 | sys.exit(-1)
75 | elif args.command[0] == 'rm':
76 | sys.stdout.write("Please remove the data directory if you want to clean the system\n")
77 | if ams.rm(args) != 0:
78 | sys.exit(-1)
79 |
--------------------------------------------------------------------------------
/scripts/systemd/amsterdam.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Amsterdam
3 | After=docker.service
4 | Requires=docker.service
5 |
6 | [Service]
7 | Type=simple
8 | ExecStart=/usr/bin/amsterdam -d /opt/ams start
9 | ExecStop=/usr/bin/amsterdam -d /opt/ams stop
10 |
11 | [Install]
12 | WantedBy=multi-user.target
13 |
--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | from setuptools import setup
3 | from src.amsterdam import AMSTERDAM_VERSION
4 | import os
5 |
6 | data_files = []
7 | dir_list = ['docker', 'config', 'templates']
8 | os.chdir('src')
9 | for directory in dir_list:
10 | for (dir, _, files) in os.walk(directory):
11 | for f in files:
12 | if not f.startswith('.') and not f.endswith('pyc'):
13 | path = os.path.join(dir, f)
14 | data_files.append(path)
15 | os.chdir('..')
16 |
17 |
18 | setup(name='amsterdam',
19 | version=AMSTERDAM_VERSION,
20 | description='Suricata, ELK, Scirius on Docker',
21 | author='Stamus Networks',
22 | author_email='oss@stamus-networks.com',
23 | url='https://github.com/StamusNetworks/amsterdam',
24 | scripts=['amsterdam'],
25 | packages=['amsterdam'],
26 | package_dir={'amsterdam':'src'},
27 | package_data={'amsterdam': data_files},
28 | provides=['amsterdam'],
29 | install_requires=['argparse', "docker-compose", 'pyOpenSSL'],
30 | classifiers=[
31 | 'Development Status :: 5 - Production/Stable',
32 | 'Environment :: Console',
33 | 'Intended Audience :: System Administrators',
34 | 'License :: OSI Approved :: GNU General Public License v3 (GPLv3)',
35 | 'Operating System :: POSIX',
36 | 'Programming Language :: Python',
37 | 'Topic :: Security',
38 | ],
39 | )
40 |
--------------------------------------------------------------------------------
/src/__init__.py:
--------------------------------------------------------------------------------
1 |
2 | from .amsterdam import *
3 |
--------------------------------------------------------------------------------
/src/amsterdam.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # Copyright (C) 2015-2017 Stamus Networks
3 | #
4 | # You can copy, redistribute or modify this Program under the terms of
5 | # the GNU General Public License version 3 as published by the Free
6 | # Software Foundation.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # version 3 along with this program; if not, write to the Free Software
15 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
16 | # 02110-1301, USA.
17 |
18 | from __future__ import print_function
19 |
20 | import os
21 | import sys
22 | import subprocess
23 | import shutil
24 | import re
25 | import time
26 | from string import Template
27 | from OpenSSL import crypto
28 | from socket import gethostname
29 |
30 | try:
31 | from docker import APIClient as Client
32 | except ImportError:
33 | try:
34 | from docker import Client
35 | except ImportError:
36 | print("Unable to import docker-py Client module", file=sys.stderr)
37 | sys.exit(-1)
38 |
39 | import requests
40 |
41 | AMSTERDAM_VERSION = "1.2"
42 |
43 | class AmsterdamException(Exception):
44 | """
45 | Generic class for Amsterdam exception
46 | """
47 | def __init__(self, value):
48 | self.value = value
49 |
50 | def __str__(self):
51 | return self.value
52 |
53 | class Amsterdam:
54 | def __init__(self, name, iface, basepath):
55 | self.name = name
56 | self.iface = iface
57 | self.basepath = os.path.abspath(basepath)
58 | self.check_environment()
59 |
60 | def get_sys_data_dirs(self, component):
61 | this_dir, this_filename = os.path.split(__file__)
62 | datadir = os.path.join(this_dir, component)
63 | return datadir
64 |
65 | def create_data_dirs(self):
66 | for directory in ['scirius', 'suricata', 'elasticsearch', 'backups']:
67 | dir_path = os.path.join(self.basepath, directory)
68 | if not os.path.exists(dir_path):
69 | os.makedirs(dir_path)
70 |
71 | def update_files(self, source='docker'):
72 | sourcetree = os.path.join(self.basepath, source)
73 | if os.path.exists(sourcetree):
74 | shutil.rmtree(sourcetree)
75 | if os.path.exists(self.basepath):
76 | shutil.copytree(self.get_sys_data_dirs(source), sourcetree)
77 |
78 | def update_config(self):
79 | try:
80 | shutil.copytree(self.get_sys_data_dirs('config'), os.path.join(self.basepath, 'config'))
81 | shutil.copytree(self.get_sys_data_dirs('docker'), os.path.join(self.basepath, 'docker'))
82 | # FIXME
83 | except Exception as err:
84 | sys.stderr.write("Unable to copy config files: %s\n" % (err))
85 | pass
86 |
87 | def update_docker(self):
88 | return self.update_files('docker')
89 |
90 | def update_config_files(self):
91 | return self.update_files('config')
92 |
93 | def generate_template(self, options):
94 | template_path = os.path.join(self.get_sys_data_dirs('templates'), 'docker-compose.yml.j2')
95 | with open(template_path, 'r') as amsterdam_file:
96 | # get the string and build template
97 | amsterdam_tmpl = amsterdam_file.read()
98 | amsterdam_config_tmpl = Template(amsterdam_tmpl)
99 |
100 | amsterdam_config = amsterdam_config_tmpl.substitute(options)
101 |
102 | with open(os.path.join(self.basepath, 'docker-compose.yml'), 'w') as amsterdam_compose_file:
103 | if sys.version < '3':
104 | amsterdam_compose_file.write(amsterdam_config)
105 | else:
106 | amsterdam_compose_file.write(bytes(amsterdam_config, 'UTF-8'))
107 | template_path = os.path.join(self.get_sys_data_dirs('templates'), 'ethtool.conf.j2')
108 | with open(template_path, 'r') as ethtool_file:
109 | # get the string and build template
110 | ethtool_tmpl = ethtool_file.read()
111 | ethtool_config_tmpl = Template(ethtool_tmpl)
112 |
113 | ethtool_config = ethtool_config_tmpl.substitute(options)
114 |
115 | with open(os.path.join(self.basepath, 'config', 'suricata', 'ethtool.conf'), 'w') as ethtool_compose_file:
116 | if sys.version < '3':
117 | ethtool_compose_file.write(ethtool_config)
118 | else:
119 | ethtool_compose_file.write(bytes(ethtool_config, 'UTF-8'))
120 |
121 | def get_api_version(self, i = 0):
122 | try:
123 | self.api_version = Client().version()['ApiVersion']
124 | except requests.exceptions.ReadTimeout:
125 | if i < 4:
126 | i += 1
127 | self.get_api_version(i = i)
128 | else:
129 | raise AmsterdamException("Unable to get version from Docker")
130 |
131 | def check_environment(self):
132 | try:
133 | self.name.decode('ascii')
134 | except UnicodeDecodeError:
135 | pass
136 | raise AmsterdamException("Name or data directory can't contain/finish with non ascii character")
137 | if " " in self.name:
138 | raise AmsterdamException("Name or data directory can't contain/finish with space")
139 |
140 | self.get_api_version()
141 |
142 | self.env = os.environ.copy()
143 | self.env["COMPOSE_API_VERSION"] = self.api_version
144 | docker_cmd = ['docker-compose', '-v']
145 | try:
146 | out = subprocess.check_output(docker_cmd, env=self.env)
147 | except OSError as err:
148 | if err.errno == 2:
149 | pass
150 | raise AmsterdamException("No docker-compose binary in path")
151 | version = out.decode('UTF-8')
152 | if ':' in version:
153 | self.docker_compose_version = version.split(': ')[1]
154 | elif ',' in version:
155 | versionregexp = re.compile("([\d\.]+)")
156 | match = versionregexp.search(version)
157 | self.docker_compose_version = match.groups()[0]
158 | else:
159 | sys.stderr.write("docker-compose version number '%s' is not handled by code\n" % (version.rstrip()))
160 | self.docker_compose_version = version
161 |
162 | docker_compose_path = os.path.join(os.getcwd(), self.basepath)
163 |
164 | self.convertpath = False
165 | if os.environ.has_key('LANG'):
166 | if not 'utf8' in os.environ['LANG']:
167 | try:
168 | docker_compose_path.decode('ascii')
169 | except UnicodeDecodeError:
170 | self.convertpath = True
171 | if self.convertpath:
172 | self.env['LANG'] = "en_US.utf8"
173 |
174 | def run_docker_compose(self, cmd, options = None):
175 | docker_cmd = ['docker-compose', '-p', self.name, '-f',
176 | os.path.join(self.basepath, 'docker-compose.yml'), cmd]
177 | if options:
178 | docker_cmd.extend(options)
179 | return subprocess.call(docker_cmd, env = self.env)
180 |
181 | def setup_options(self, args):
182 | self.options = {}
183 | self.options['capture_option'] = "--af-packet=%s" % args.iface
184 | self.options['basepath'] = self.basepath
185 | self.options['iface'] = args.iface
186 |
187 | def setup(self, args):
188 | self.setup_options(args)
189 | if args.verbose:
190 | sys.stdout.write("Generating docker compose file\n")
191 | self.create_data_dirs()
192 | self.update_config()
193 | self.generate_template(self.options)
194 | self.create_self_signed_cert()
195 | return 0
196 |
197 | def start(self, args):
198 | if not os.path.exists(os.path.join(self.basepath, 'docker-compose.yml')):
199 | sys.stderr.write("'%s' directory does not exist or is empty, please run setup command\n" % (self.basepath))
200 | return False
201 | return self.run_docker_compose('up')
202 |
203 | def stop(self, args):
204 | return self.run_docker_compose('stop')
205 |
206 | def rm(self, args):
207 | self.stop(args)
208 | return self.run_docker_compose('rm')
209 |
210 | def restart(self, args):
211 | self.stop(None)
212 | self.start(None)
213 | return True
214 |
215 | def update(self, args):
216 | if args.full:
217 | self.setup_options(args)
218 | self.update_docker()
219 | self.update_config_files()
220 | self.create_self_signed_cert()
221 | self.generate_template(self.options)
222 | self.run_docker_compose('pull')
223 | self.run_docker_compose('build', options = ['--no-cache'])
224 | return True
225 |
226 | def create_self_signed_cert(self):
227 | k = crypto.PKey()
228 | k.generate_key(crypto.TYPE_RSA, 1024)
229 |
230 | # CREATE A SELF-SIGNED CERT
231 | cert = crypto.X509()
232 | cert.get_subject().C = "FR"
233 | cert.get_subject().ST = "Paris"
234 | cert.get_subject().L = "Paris"
235 | cert.get_subject().O = "Stamus Networks"
236 | cert.get_subject().OU = "Amsterdam"
237 | cert.get_subject().CN = gethostname()
238 | cert.set_serial_number(int(time.time() * 10))
239 | cert.gmtime_adj_notBefore(0)
240 | cert.gmtime_adj_notAfter(365*24*60*60)
241 | cert.set_issuer(cert.get_subject())
242 | cert.set_pubkey(k)
243 | cert.sign(k, 'sha256')
244 | # export
245 |
246 | dir_path = os.path.join(self.basepath, 'config', 'nginx', 'ssl')
247 | if not os.path.exists(dir_path):
248 | os.makedirs(dir_path)
249 | cert_file = os.path.join(dir_path, 'amsterdam.crt')
250 | key_file = os.path.join(dir_path, 'amsterdam.key')
251 | open(cert_file, "wt").write(
252 | crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
253 | open(key_file, "wt").write(
254 | crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
255 |
--------------------------------------------------------------------------------
/src/config/logstash/conf.d/logstash.conf:
--------------------------------------------------------------------------------
1 | input {
2 | file {
3 | path => ["/var/log/suricata/*.json"]
4 | #sincedb_path => ["/var/lib/logstash/"]
5 | codec => json
6 | type => "SELKS"
7 | }
8 |
9 | }
10 |
11 | filter {
12 | if [type] == "SELKS" {
13 | date {
14 | match => [ "timestamp", "ISO8601" ]
15 | }
16 | ruby {
17 | code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
18 | }
19 | ruby {
20 | code => "if event['event_type'] == 'alert'; sp = event['alert']['signature'].to_s.split(' group '); if (sp.length == 2) and /\A\d+\z/.match(sp[1]); event['alert']['signature'] = sp[0] ;end; end;"
21 | }
22 |
23 | metrics {
24 | meter => [ "eve_insert" ]
25 | add_tag => "metric"
26 | flush_interval => 30
27 | }
28 | }
29 |
30 | if [http] {
31 | useragent {
32 | source => "[http][http_user_agent]"
33 | target => "[http][user_agent]"
34 | }
35 | }
36 |
37 | if [src_ip] {
38 | if [src_ip] !~ ":" {
39 | mutate {
40 | add_field => [ "[src_ip4]", "%{src_ip}" ]
41 | }
42 | }
43 | geoip {
44 | source => "src_ip"
45 | target => "geoip"
46 | #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
47 | add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
48 | add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
49 | }
50 | mutate {
51 | convert => [ "[geoip][coordinates]", "float" ]
52 | }
53 | if ![geoip.ip] {
54 | if [dest_ip] {
55 | geoip {
56 | source => "dest_ip"
57 | target => "geoip"
58 | #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
59 | add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
60 | add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
61 | }
62 | mutate {
63 | convert => [ "[geoip][coordinates]", "float" ]
64 | }
65 | }
66 | }
67 | }
68 | if [dest_ip] {
69 | if [dest_ip] !~ ":" {
70 | mutate {
71 | add_field => [ "[dest_ip4]", "%{dest_ip}" ]
72 | }
73 | }
74 | }
75 | }
76 |
77 | output {
78 | if [event_type] and [event_type] not in ['stats', 'engine'] {
79 | elasticsearch {
80 | hosts => elasticsearch
81 | index => "logstash-%{event_type}-%{+YYYY.MM.dd}"
82 | template => "/etc/logstash/elasticsearch-template.json"
83 | }
84 | } else {
85 | elasticsearch {
86 | hosts => elasticsearch
87 | index => "logstash-%{+YYYY.MM.dd}"
88 | }
89 | }
90 | #stdout { codec => rubydebug }
91 | if "metric" in [tags] {
92 | stdout {
93 | codec => line {
94 | format => "EVE insert rate: %{[eve_insert][rate_1m]}"
95 | }
96 | }
97 | }
98 | }
99 |
--------------------------------------------------------------------------------
/src/config/logstash/elasticsearch-template.json:
--------------------------------------------------------------------------------
1 | {
2 | "template" : "logstash-*",
3 | "settings" : {
4 | "index.refresh_interval" : "5s"
5 | },
6 | "mappings" : {
7 | "_default_" : {
8 | "_all" : {"enabled" : true, "omit_norms" : true},
9 | "dynamic_templates" : [ {
10 | "message_field" : {
11 | "match" : "message",
12 | "match_mapping_type" : "string",
13 | "mapping" : {
14 | "type" : "string", "index" : "analyzed", "omit_norms" : true,
15 | "fielddata" : { "format" : "disabled" }
16 | }
17 | }
18 | }, {
19 | "string_fields" : {
20 | "match" : "*",
21 | "match_mapping_type" : "string",
22 | "mapping" : {
23 | "type" : "string", "index" : "analyzed", "omit_norms" : true,
24 | "fielddata" : { "format" : "disabled" },
25 | "fields" : {
26 | "raw" : {"type": "string", "index" : "not_analyzed", "doc_values" : true, "ignore_above" : 256}
27 | }
28 | }
29 | }
30 | }, {
31 | "float_fields" : {
32 | "match" : "*",
33 | "match_mapping_type" : "float",
34 | "mapping" : { "type" : "float", "doc_values" : true }
35 | }
36 | }, {
37 | "double_fields" : {
38 | "match" : "*",
39 | "match_mapping_type" : "double",
40 | "mapping" : { "type" : "double", "doc_values" : true }
41 | }
42 | }, {
43 | "byte_fields" : {
44 | "match" : "*",
45 | "match_mapping_type" : "byte",
46 | "mapping" : { "type" : "byte", "doc_values" : true }
47 | }
48 | }, {
49 | "short_fields" : {
50 | "match" : "*",
51 | "match_mapping_type" : "short",
52 | "mapping" : { "type" : "short", "doc_values" : true }
53 | }
54 | }, {
55 | "integer_fields" : {
56 | "match" : "*",
57 | "match_mapping_type" : "integer",
58 | "mapping" : { "type" : "integer", "doc_values" : true }
59 | }
60 | }, {
61 | "long_fields" : {
62 | "match" : "*",
63 | "match_mapping_type" : "long",
64 | "mapping" : { "type" : "long", "doc_values" : true }
65 | }
66 | }, {
67 | "date_fields" : {
68 | "match" : "*",
69 | "match_mapping_type" : "date",
70 | "mapping" : { "type" : "date", "doc_values" : true }
71 | }
72 | }, {
73 | "geo_point_fields" : {
74 | "match" : "*",
75 | "match_mapping_type" : "geo_point",
76 | "mapping" : { "type" : "geo_point", "doc_values" : true }
77 | }
78 | } ],
79 | "properties" : {
80 | "@timestamp": { "type": "date", "doc_values" : true },
81 | "@version": { "type": "string", "index": "not_analyzed", "doc_values" : true },
82 | "geoip" : {
83 | "type" : "object",
84 | "dynamic": true,
85 | "properties" : {
86 | "ip": { "type": "ip", "doc_values" : true },
87 | "location" : { "type" : "geo_point", "doc_values" : true },
88 | "latitude" : { "type" : "float", "doc_values" : true },
89 | "longitude" : { "type" : "float", "doc_values" : true }
90 | }
91 | },
92 | "alert" : {
93 | "type": "object",
94 | "dynamic": true,
95 | "properties" : {
96 | "payload" : { "type": "string", "index": "not_analyzed", "doc_values" : true },
97 | "packet" : { "type": "string", "index": "not_analyzed", "doc_values" : true }
98 | }
99 | },
100 | "src_ip4" : { "type": "ip", "doc_values" : true },
101 | "dest_ip4" : { "type": "ip", "doc_values" : true }
102 | }
103 | }
104 | }
105 | }
106 |
--------------------------------------------------------------------------------
/src/config/nginx/amsterdam.conf:
--------------------------------------------------------------------------------
1 | server {
2 | listen 443;
3 | ssl on;
4 | ssl_certificate /etc/nginx/ssl/amsterdam.crt;
5 | ssl_certificate_key /etc/nginx/ssl/amsterdam.key;
6 | server_name amsterdam;
7 | access_log /var/log/nginx/stamus.access.log;
8 | error_log /var/log/nginx/stamus.error.log;
9 | client_max_body_size 50M;
10 |
11 | location /static/ {
12 | alias /sciriusstatic/;
13 | }
14 |
15 | location /media/ {
16 | alias /sciriusstatic/;
17 | }
18 |
19 | location / {
20 | proxy_pass http://scirius:8000;
21 | proxy_read_timeout 600;
22 | proxy_set_header Host $http_host;
23 | proxy_set_header X-Forwarded-Proto https;
24 | proxy_redirect off;
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/src/config/scirius/local_settings.py:
--------------------------------------------------------------------------------
1 | import os
2 |
3 | ALLOWED_HOSTS = ['*']
4 |
5 | USE_ELASTICSEARCH = True
6 | ELASTICSEARCH_ADDRESS = "elasticsearch:9200"
7 | ELASTICSEARCH_2X = True
8 | KIBANA_VERSION=4
9 | KIBANA_INDEX = ".kibana"
10 | KIBANA_URL = "http://kibana:5601"
11 |
12 | SURICATA_UNIX_SOCKET = "/var/run/suricata/suricata-command.socket"
13 |
14 | USE_KIBANA = True
15 | KIBANA_PROXY = True
16 | KIBANA_DASHBOARDS_COUNT = 25
17 |
18 | USE_EVEBOX = True
19 | EVEBOX_ADDRESS = "evebox:5636"
20 |
21 | USE_SURICATA_STATS = True
22 | USE_LOGSTASH_STATS = True
23 | ELASTICSEARCH_LOGSTASH_ALERT_INDEX="logstash-alert-"
24 |
25 | DATA_DIR = "/sciriusdata/"
26 | STATIC_ROOT = "/sciriusstatic/"
27 |
28 | DATABASES = {
29 | 'default': {
30 | 'ENGINE': 'django.db.backends.sqlite3',
31 | 'NAME': os.path.join(DATA_DIR, 'scirius.sqlite3'),
32 | }
33 | }
34 |
35 | GIT_SOURCES_BASE_DIRECTORY = os.path.join(DATA_DIR, 'git-sources/')
36 |
37 | SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
38 |
39 | DBBACKUP_STORAGE = 'dbbackup.storage.filesystem_storage'
40 | DBBACKUP_STORAGE_OPTIONS = {'location': '/var/backups/'}
41 |
--------------------------------------------------------------------------------
/src/config/suricata/suricata.yaml:
--------------------------------------------------------------------------------
1 | %YAML 1.1
2 | ---
3 |
4 | # Suricata configuration file. In addition to the comments describing all
5 | # options in this file, full documentation can be found at:
6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
7 |
8 |
9 | # Number of packets preallocated per thread. The default is 1024. A higher number
10 | # will make sure each CPU will be more easily kept busy, but may negatively
11 | # impact caching.
12 | #
13 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
14 | # apply. In that case try something like 60000 or more. This is because the CUDA
15 | # pattern matcher buffers and scans as many packets as possible in parallel.
16 | #max-pending-packets: 1024
17 |
18 | # Runmode the engine should use. Please check --list-runmodes to get the available
19 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
20 | # load balancing).
21 | #runmode: autofp
22 |
23 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
24 | #
25 | # Supported schedulers are:
26 | #
27 | # round-robin - Flows assigned to threads in a round robin fashion.
28 | # active-packets - Flows assigned to threads that have the lowest number of
29 | # unprocessed packets (default).
30 | # hash - Flow alloted usihng the address hash. More of a random
31 | # technique. Was the default in Suricata 1.2.1 and older.
32 | #
33 | #autofp-scheduler: active-packets
34 |
35 | # If suricata box is a router for the sniffed networks, set it to 'router'. If
36 | # it is a pure sniffing setup, set it to 'sniffer-only'.
37 | # If set to auto, the variable is internally switch to 'router' in IPS mode
38 | # and 'sniffer-only' in IDS mode.
39 | # This feature is currently only used by the reject* keywords.
40 | host-mode: auto
41 |
42 | # Run suricata as user and group.
43 | #run-as:
44 | # user: suri
45 | # group: suri
46 |
47 | # Default pid file.
48 | # Will use this file if no --pidfile in command options.
49 | #pid-file: /var/run/suricata.pid
50 |
51 | # Daemon working directory
52 | # Suricata will change directory to this one if provided
53 | # Default: "/"
54 | #daemon-directory: "/"
55 |
56 | # Preallocated size for packet. Default is 1514 which is the classical
57 | # size for pcap on ethernet. You should adjust this value to the highest
58 | # packet size (MTU + hardware header) on your system.
59 | #default-packet-size: 1514
60 |
61 | # The default logging directory. Any log or output file will be
62 | # placed here if its not specified with a full path name. This can be
63 | # overridden with the -l command line parameter.
64 | default-log-dir: /var/log/suricata/
65 |
66 | # Unix command socket can be used to pass commands to suricata.
67 | # An external tool can then connect to get information from suricata
68 | # or trigger some modifications of the engine. Set enabled to yes
69 | # to activate the feature. You can use the filename variable to set
70 | # the file name of the socket.
71 | unix-command:
72 | enabled: yes
73 | #filename: custom.socket
74 |
75 | # global stats configuration
76 | stats:
77 | enabled: yes
78 | # The interval field (in seconds) controls at what interval
79 | # the loggers are invoked.
80 | interval: 15
81 |
82 | # Configure the type of alert (and other) logging you would like.
83 | outputs:
84 |
85 | # a line based alerts log similar to Snort's fast.log
86 | - fast:
87 | enabled: yes
88 | filename: fast.log
89 | append: yes
90 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
91 |
92 | # Extensible Event Format (nicknamed EVE) event log in JSON format
93 | - eve-log:
94 | enabled: yes
95 | filetype: regular #regular|syslog|unix_dgram|unix_stream
96 | filename: eve.json
97 | #prefix: "@cee: " # prefix to prepend to each log entry
98 | # the following are valid when type: syslog above
99 | #identity: "suricata"
100 | #facility: local5
101 | #level: Info ## possible levels: Emergency, Alert, Critical,
102 | ## Error, Warning, Notice, Info, Debug
103 | types:
104 | - alert:
105 | payload: yes # enable dumping payload in Base64
106 | payload-printable: yes # enable dumping payload in printable (lossy) format
107 | packet: yes # enable dumping of packet (without stream segments)
108 | http: yes # enable dumping of http fields
109 | tls: yes # enable dumping of tls fields
110 | ssh: yes # enable dumping of ssh fields
111 | modbus: yes
112 |
113 | # HTTP X-Forwarded-For support by adding an extra field or overwriting
114 | # the source or destination IP address (depending on flow direction)
115 | # with the one reported in the X-Forwarded-For HTTP header. This is
116 | # helpful when reviewing alerts for traffic that is being reverse
117 | # or forward proxied.
118 | xff:
119 | enabled: no
120 | # Two operation modes are available, "extra-data" and "overwrite".
121 | mode: extra-data
122 | # Two proxy deployments are supported, "reverse" and "forward". In
123 | # a "reverse" deployment the IP address used is the last one, in a
124 | # "forward" deployment the first IP address is used.
125 | deployment: reverse
126 | # Header name where the actual IP address will be reported, if more
127 | # than one IP address is present, the last IP address will be the
128 | # one taken into consideration.
129 | header: X-Forwarded-For
130 | - http:
131 | extended: yes # enable this for extended logging information
132 | # custom allows additional http fields to be included in eve-log
133 | # the example below adds three additional fields when uncommented
134 | #custom: [Accept-Encoding, Accept-Language, Authorization]
135 | custom: [accept, accept-charset, accept-encoding, accept-language,
136 | accept-datetime, authorization, cache-control, cookie, from,
137 | max-forwards, origin, pragma, proxy-authorization, range, te, via,
138 | x-requested-with, dnt, x-forwarded-proto, accept-range, age,
139 | allow, connection, content-encoding, content-language,
140 | content-length, content-location, content-md5, content-range,
141 | content-type, date, etags, last-modified, link, location,
142 | proxy-authenticate, referrer, refresh, retry-after, server,
143 | set-cookie, trailer, transfer-encoding, upgrade, vary, warning,
144 | www-authenticate]
145 | - dns
146 | - tls:
147 | extended: yes # enable this for extended logging information
148 | - files:
149 | force-magic: yes # force logging magic on all logged files
150 | force-hash: [md5, sha256] # force logging of md5 checksums
151 | #- drop:
152 | # alerts: no # log alerts that caused drops
153 | - smtp
154 | - ssh
155 | - stats:
156 | totals: yes # stats for all threads merged together
157 | threads: no # per thread stats
158 | deltas: yes # include delta values
159 | # bi-directional flows
160 | - flow
161 | # uni-directional flows
162 | #- netflow
163 |
164 | # alert output for use with Barnyard2
165 | - unified2-alert:
166 | enabled: no
167 | filename: unified2.alert
168 |
169 | # File size limit. Can be specified in kb, mb, gb. Just a number
170 | # is parsed as bytes.
171 | #limit: 32mb
172 |
173 | # Sensor ID field of unified2 alerts.
174 | #sensor-id: 0
175 |
176 | # HTTP X-Forwarded-For support by adding the unified2 extra header or
177 | # overwriting the source or destination IP address (depending on flow
178 | # direction) with the one reported in the X-Forwarded-For HTTP header.
179 | # This is helpful when reviewing alerts for traffic that is being reverse
180 | # or forward proxied.
181 | xff:
182 | enabled: no
183 | # Two operation modes are available, "extra-data" and "overwrite". Note
184 | # that in the "overwrite" mode, if the reported IP address in the HTTP
185 | # X-Forwarded-For header is of a different version of the packet
186 | # received, it will fall-back to "extra-data" mode.
187 | mode: extra-data
188 | # Two proxy deployments are supported, "reverse" and "forward". In
189 | # a "reverse" deployment the IP address used is the last one, in a
190 | # "forward" deployment the first IP address is used.
191 | deployment: reverse
192 | # Header name where the actual IP address will be reported, if more
193 | # than one IP address is present, the last IP address will be the
194 | # one taken into consideration.
195 | header: X-Forwarded-For
196 |
197 | # a line based log of HTTP requests (no alerts)
198 | - http-log:
199 | enabled: yes
200 | filename: http.log
201 | append: yes
202 | #extended: yes # enable this for extended logging information
203 | #custom: yes # enabled the custom logging format (defined by customformat)
204 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
205 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
206 |
207 | # a line based log of TLS handshake parameters (no alerts)
208 | - tls-log:
209 | enabled: no # Log TLS connections.
210 | filename: tls.log # File to store TLS logs.
211 | append: yes
212 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
213 | #extended: yes # Log extended information like fingerprint
214 |
215 | # output module to store certificates chain to disk
216 | - tls-store:
217 | enabled: no
218 | #certs-log-dir: certs # directory to store the certificates files
219 |
220 | # a line based log of DNS requests and/or replies (no alerts)
221 | - dns-log:
222 | enabled: no
223 | filename: dns.log
224 | append: yes
225 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
226 |
227 | # Packet log... log packets in pcap format. 3 modes of operation: "normal"
228 | # "multi" and "sguil".
229 | #
230 | # In normal mode a pcap file "filename" is created in the default-log-dir,
231 | # or are as specified by "dir".
232 | # In multi mode, a file is created per thread. This will perform much
233 | # better, but will create multiple files where 'normal' would create one.
234 | # In multi mode the filename takes a few special variables:
235 | # - %n -- thread number
236 | # - %i -- thread id
237 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
238 | # E.g. filename: pcap.%n.%t
239 | #
240 | # Note that it's possible to use directories, but the directories are not
241 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
242 | # per thread directory.
243 | #
244 | # Also note that the limit and max-files settings are enforced per thread.
245 | # So the size limit when using 8 threads with 1000mb files and 2000 files
246 | # is: 8*1000*2000 ~ 16TiB.
247 | #
248 | # In Sguil mode "dir" indicates the base directory. In this base dir the
249 | # pcaps are created in th directory structure Sguil expects:
250 | #
251 | # $sguil-base-dir/YYYY-MM-DD/$filename.
252 | #
253 | # By default all packets are logged except:
254 | # - TCP streams beyond stream.reassembly.depth
255 | # - encrypted streams after the key exchange
256 | #
257 | - pcap-log:
258 | enabled: no
259 | filename: log.pcap
260 |
261 | # File size limit. Can be specified in kb, mb, gb. Just a number
262 | # is parsed as bytes.
263 | limit: 1000mb
264 |
265 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
266 | max-files: 2000
267 |
268 | mode: normal # normal, multi or sguil.
269 | #sguil-base-dir: /nsm_data/
270 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
271 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
272 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
273 |
274 | # a full alerts log containing much information for signature writers
275 | # or for investigating suspected false positives.
276 | - alert-debug:
277 | enabled: no
278 | filename: alert-debug.log
279 | append: yes
280 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
281 |
282 | # alert output to prelude (http://www.prelude-technologies.com/) only
283 | # available if Suricata has been compiled with --enable-prelude
284 | - alert-prelude:
285 | enabled: no
286 | profile: suricata
287 | log-packet-content: no
288 | log-packet-header: yes
289 |
290 | # Stats.log contains data from various counters of the suricata engine.
291 | - stats:
292 | enabled: no
293 | filename: stats.log
294 | totals: yes # stats for all threads merged together
295 | threads: no # per thread stats
296 |
297 | # a line based alerts log similar to fast.log into syslog
298 | - syslog:
299 | enabled: no
300 | # reported identity to syslog. If ommited the program name (usually
301 | # suricata) will be used.
302 | #identity: "suricata"
303 | facility: local5
304 | #level: Info ## possible levels: Emergency, Alert, Critical,
305 | ## Error, Warning, Notice, Info, Debug
306 |
307 | # a line based information for dropped packets in IPS mode
308 | - drop:
309 | enabled: no
310 | filename: drop.log
311 | append: yes
312 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
313 |
314 | # output module to store extracted files to disk
315 | #
316 | # The files are stored to the log-dir in a format "file." where is
317 | # an incrementing number starting at 1. For each file "file." a meta
318 | # file "file..meta" is created.
319 | #
320 | # File extraction depends on a lot of things to be fully done:
321 | # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
322 | # - http request / response body sizes. Again set to 0 for optimal results.
323 | # - rules that contain the "filestore" keyword.
324 | - file-store:
325 | enabled: yes # set to yes to enable
326 | log-dir: files # directory to store the files
327 | force-magic: yes # force logging magic on all stored files
328 | force-md5: yes # force logging of md5 checksums
329 | waldo: file.waldo # waldo file to store the file_id across runs
330 |
331 | # output module to log files tracked in a easily parsable json format
332 | - file-log:
333 | enabled: no
334 | filename: files-json.log
335 | append: yes
336 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
337 |
338 | force-magic: no # force logging magic on all logged files
339 | force-md5: no # force logging of md5 checksums
340 |
341 | # Log TCP data after stream normalization
342 | # 2 types: file or dir. File logs into a single logfile. Dir creates
343 | # 2 files per TCP session and stores the raw TCP data into them.
344 | # Using 'both' will enable both file and dir modes.
345 | #
346 | # Note: limited by stream.depth
347 | - tcp-data:
348 | enabled: no
349 | type: file
350 | filename: tcp-data.log
351 |
352 | # Log HTTP body data after normalization, dechunking and unzipping.
353 | # 2 types: file or dir. File logs into a single logfile. Dir creates
354 | # 2 files per HTTP session and stores the normalized data into them.
355 | # Using 'both' will enable both file and dir modes.
356 | #
357 | # Note: limited by the body limit settings
358 | - http-body-data:
359 | enabled: no
360 | type: file
361 | filename: http-data.log
362 |
363 | # Lua Output Support - execute lua script to generate alert and event
364 | # output.
365 | # Documented at:
366 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output
367 | - lua:
368 | enabled: no
369 | #scripts-dir: /etc/suricata/lua-output/
370 | scripts:
371 | # - script1.lua
372 |
373 | # Magic file. The extension .mgc is added to the value here.
374 | #magic-file: /usr/share/file/magic
375 | magic-file: /usr/share/file/magic
376 |
377 | # When running in NFQ inline mode, it is possible to use a simulated
378 | # non-terminal NFQUEUE verdict.
379 | # This permit to do send all needed packet to suricata via this a rule:
380 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
381 | # And below, you can have your standard filtering ruleset. To activate
382 | # this mode, you need to set mode to 'repeat'
383 | # If you want packet to be sent to another queue after an ACCEPT decision
384 | # set mode to 'route' and set next-queue value.
385 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
386 | # by processing several packets before sending a verdict (worker runmode only).
387 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel
388 | # accept the packet if suricata is not able to keep pace.
389 | nfq:
390 | # mode: accept
391 | # repeat-mark: 1
392 | # repeat-mask: 1
393 | # route-queue: 2
394 | # batchcount: 20
395 | # fail-open: yes
396 |
397 | #nflog support
398 | nflog:
399 | # netlink multicast group
400 | # (the same as the iptables --nflog-group param)
401 | # Group 0 is used by the kernel, so you can't use it
402 | - group: 2
403 | # netlink buffer size
404 | buffer-size: 18432
405 | # put default value here
406 | - group: default
407 | # set number of packet to queue inside kernel
408 | qthreshold: 1
409 | # set the delay before flushing packet in the queue inside kernel
410 | qtimeout: 100
411 | # netlink max buffer size
412 | max-size: 20000
413 |
414 | # af-packet support
415 | # Set threads to > 1 to use PACKET_FANOUT support
416 | af-packet:
417 | - interface: eth0
418 | # Number of receive threads. "auto" uses the number of cores
419 | threads: auto
420 | # Default clusterid. AF_PACKET will load balance packets based on flow.
421 | # All threads/processes that will participate need to have the same
422 | # clusterid.
423 | cluster-id: 42
424 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
425 | # This is only supported for Linux kernel > 3.1
426 | # possible value are:
427 | # * cluster_round_robin: round robin load balancing
428 | # * cluster_flow: all packets of a given flow are send to the same socket
429 | # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
430 | # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
431 | # socket. Requires at least Linux 3.14.
432 | # * cluster_random: packets are sent randomly to sockets but with an equipartition.
433 | # Requires at least Linux 3.14.
434 | # * cluster_rollover: kernel rotates between sockets filling each socket before moving
435 | # to the next. Requires at least Linux 3.10.
436 | # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
437 | # with capture card using RSS (require cpu affinity tuning and system irq tuning)
438 | cluster-type: cluster_flow
439 | # In some fragmentation case, the hash can not be computed. If "defrag" is set
440 | # to yes, the kernel will do the needed defragmentation before sending the packets.
441 | defrag: yes
442 | # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
443 | # full then kernel will send the packet on the next socket with room available. This option
444 | # can minimize packet drop and increase the treated bandwith on single intensive flow.
445 | #rollover: yes
446 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
447 | use-mmap: yes
448 | # Ring size will be computed with respect to max_pending_packets and number
449 | # of threads. You can set manually the ring size in number of packets by setting
450 | # the following value. If you are using flow cluster-type and have really network
451 | # intensive single-flow you could want to set the ring-size independantly of the number
452 | # of threads:
453 | #ring-size: 2048
454 | # On busy system, this could help to set it to yes to recover from a packet drop
455 | # phase. This will result in some packets (at max a ring flush) being non treated.
456 | #use-emergency-flush: yes
457 | # recv buffer size, increase value could improve performance
458 | # buffer-size: 32768
459 | # Set to yes to disable promiscuous mode
460 | # disable-promisc: no
461 | # Choose checksum verification mode for the interface. At the moment
462 | # of the capture, some packets may be with an invalid checksum due to
463 | # offloading to the network card of the checksum computation.
464 | # Possible values are:
465 | # - kernel: use indication sent by kernel for each packet (default)
466 | # - yes: checksum validation is forced
467 | # - no: checksum validation is disabled
468 | # - auto: suricata uses a statistical approach to detect when
469 | # checksum off-loading is used.
470 | # Warning: 'checksum-validation' must be set to yes to have any validation
471 | #checksum-checks: kernel
472 | # BPF filter to apply to this interface. The pcap filter syntax apply here.
473 | #bpf-filter: port 80 or udp
474 | # You can use the following variables to activate AF_PACKET tap od IPS mode.
475 | # If copy-mode is set to ips or tap, the traffic coming to the current
476 | # interface will be copied to the copy-iface interface. If 'tap' is set, the
477 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action
478 | # will not be copied.
479 | #copy-mode: ips
480 | #copy-iface: eth1
481 | # Put default values here
482 | - interface: default
483 | threads: auto
484 | use-mmap: yes
485 | cluster-type: cluster_flow
486 | defrag: yes
487 | #rollover: yes
488 |
489 | # Netmap support
490 | #
491 | # Netmap operates with NIC directly in driver, so you need FreeBSD wich have
492 | # built-in netmap support or compile and install netmap module and appropriate
493 | # NIC driver on your Linux system.
494 | # To reach maximum throughput disable all receive-, segmentation-,
495 | # checksum- offloadings on NIC.
496 | # Disabling Tx checksum offloading is *required* for connecting OS endpoint
497 | # with NIC endpoint.
498 | # You can find more information at https://github.com/luigirizzo/netmap
499 | #
500 | netmap:
501 | # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
502 | - interface: eth2
503 | # Number of receive threads. "auto" uses number of RSS queues on interface.
504 | threads: auto
505 | # You can use the following variables to activate netmap tap or IPS mode.
506 | # If copy-mode is set to ips or tap, the traffic coming to the current
507 | # interface will be copied to the copy-iface interface. If 'tap' is set, the
508 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action
509 | # will not be copied.
510 | #copy-mode: tap
511 | #copy-iface: eth3
512 | # Set to yes to disable promiscuous mode
513 | # disable-promisc: no
514 | # Choose checksum verification mode for the interface. At the moment
515 | # of the capture, some packets may be with an invalid checksum due to
516 | # offloading to the network card of the checksum computation.
517 | # Possible values are:
518 | # - yes: checksum validation is forced
519 | # - no: checksum validation is disabled
520 | # - auto: suricata uses a statistical approach to detect when
521 | # checksum off-loading is used.
522 | # Warning: 'checksum-validation' must be set to yes to have any validation
523 | #checksum-checks: auto
524 | # BPF filter to apply to this interface. The pcap filter syntax apply here.
525 | #bpf-filter: port 80 or udp
526 | #- interface: eth3
527 | #threads: auto
528 | #copy-mode: tap
529 | #copy-iface: eth2
530 | # Put default values here
531 | - interface: default
532 |
533 | legacy:
534 | uricontent: enabled
535 |
536 | # You can specify a threshold config file by setting "threshold-file"
537 | # to the path of the threshold config file:
538 | threshold-file: /etc/suricata/rules/threshold.config
539 |
540 | # The detection engine builds internal groups of signatures. The engine
541 | # allow us to specify the profile to use for them, to manage memory on an
542 | # efficient way keeping a good performance. For the profile keyword you
543 | # can use the words "low", "medium", "high" or "custom". If you use custom
544 | # make sure to define the values at "- custom-values" as your convenience.
545 | # Usually you would prefer medium/high/low.
546 | #
547 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for
548 | # the signature groups. "single" indicates the use of a single context for
549 | # all the signature group heads. "full" indicates a mpm-context for each
550 | # group head. "auto" lets the engine decide the distribution of contexts
551 | # based on the information the engine gathers on the patterns from each
552 | # group head.
553 | #
554 | # The option inspection-recursion-limit is used to limit the recursive calls
555 | # in the content inspection code. For certain payload-sig combinations, we
556 | # might end up taking too much time in the content inspection code.
557 | # If the argument specified is 0, the engine uses an internally defined
558 | # default limit. On not specifying a value, we use no limits on the recursion.
559 | detect-engine:
560 | - profile: medium
561 | - custom-values:
562 | toclient-src-groups: 2
563 | toclient-dst-groups: 2
564 | toclient-sp-groups: 2
565 | toclient-dp-groups: 3
566 | toserver-src-groups: 2
567 | toserver-dst-groups: 4
568 | toserver-sp-groups: 2
569 | toserver-dp-groups: 25
570 | - sgh-mpm-context: auto
571 | - inspection-recursion-limit: 3000
572 | # If set to yes, the loading of signatures will be made after the capture
573 | # is started. This will limit the downtime in IPS mode.
574 | #- delayed-detect: yes
575 |
576 | # Suricata is multi-threaded. Here the threading can be influenced.
577 | threading:
578 | # On some cpu's/architectures it is beneficial to tie individual threads
579 | # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
580 | # and each extra CPU/core has one "detect" thread.
581 | #
582 | # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
583 | #
584 | set-cpu-affinity: no
585 | # Tune cpu affinity of suricata threads. Each family of threads can be bound
586 | # on specific CPUs.
587 | cpu-affinity:
588 | - management-cpu-set:
589 | cpu: [ 0 ] # include only these cpus in affinity settings
590 | - receive-cpu-set:
591 | cpu: [ 0 ] # include only these cpus in affinity settings
592 | - decode-cpu-set:
593 | cpu: [ 0, 1 ]
594 | mode: "balanced"
595 | - stream-cpu-set:
596 | cpu: [ "0-1" ]
597 | - detect-cpu-set:
598 | cpu: [ "all" ]
599 | mode: "exclusive" # run detect threads in these cpus
600 | # Use explicitely 3 threads and don't compute number by using
601 | # detect-thread-ratio variable:
602 | # threads: 3
603 | prio:
604 | low: [ 0 ]
605 | medium: [ "1-2" ]
606 | high: [ 3 ]
607 | default: "medium"
608 | - verdict-cpu-set:
609 | cpu: [ 0 ]
610 | prio:
611 | default: "high"
612 | - reject-cpu-set:
613 | cpu: [ 0 ]
614 | prio:
615 | default: "low"
616 | - output-cpu-set:
617 | cpu: [ "all" ]
618 | prio:
619 | default: "medium"
620 | #
621 | # By default Suricata creates one "detect" thread per available CPU/CPU core.
622 | # This setting allows controlling this behaviour. A ratio setting of 2 will
623 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
624 | # will result in 4 detect threads. If values below 1 are used, less threads
625 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
626 | # thread being created. Regardless of the setting at a minimum 1 detect
627 | # thread will always be created.
628 | #
629 | detect-thread-ratio: 1.5
630 |
631 | # Cuda configuration.
632 | cuda:
633 | # The "mpm" profile. On not specifying any of these parameters, the engine's
634 | # internal default values are used, which are same as the ones specified in
635 | # in the default conf file.
636 | mpm:
637 | # The minimum length required to buffer data to the gpu.
638 | # Anything below this is MPM'ed on the CPU.
639 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
640 | # A value of 0 indicates there's no limit.
641 | data-buffer-size-min-limit: 0
642 | # The maximum length for data that we would buffer to the gpu.
643 | # Anything over this is MPM'ed on the CPU.
644 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
645 | data-buffer-size-max-limit: 1500
646 | # The ring buffer size used by the CudaBuffer API to buffer data.
647 | cudabuffer-buffer-size: 500mb
648 | # The max chunk size that can be sent to the gpu in a single go.
649 | gpu-transfer-size: 50mb
650 | # The timeout limit for batching of packets in microseconds.
651 | batching-timeout: 2000
652 | # The device to use for the mpm. Currently we don't support load balancing
653 | # on multiple gpus. In case you have multiple devices on your system, you
654 | # can specify the device to use, using this conf. By default we hold 0, to
655 | # specify the first device cuda sees. To find out device-id associated with
656 | # the card(s) on the system run "suricata --list-cuda-cards".
657 | device-id: 0
658 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
659 | # For this option you need a device with Compute Capability > 1.0.
660 | cuda-streams: 2
661 |
662 | # Select the multi pattern algorithm you want to run for scan/search the
663 | # in the engine. The supported algorithms are b2g, b3g, wumanber,
664 | # ac, ac-bs and ac-gfbs.
665 | #
666 | # The mpm you choose also decides the distribution of mpm contexts for
667 | # signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
668 | # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
669 | # to be set to "single", because of ac's memory requirements, unless the
670 | # ruleset is small enough to fit in one's memory, in which case one can
671 | # use "full" with "ac". Rest of the mpms can be run in "full" mode.
672 | #
673 | # There is also a CUDA pattern matcher (only available if Suricata was
674 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your
675 | # max-pending-packets setting above as well if you use b2g_cuda.
676 |
677 | mpm-algo: ac
678 |
679 | # The memory settings for hash size of these algorithms can vary from lowest
680 | # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
681 | # (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
682 | # medium (1024) - high (2048).
683 | #
684 | # For B2g/B3g algorithms, there is a support for two different scan/search
685 | # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
686 | # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
687 | # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
688 | # B3gSearchBNDMq.
689 | #
690 | # For B2g the different scan/search algorithms and, hash and bloom
691 | # filter size settings. For B3g the different scan/search algorithms and, hash
692 | # and bloom filter size settings. For wumanber the hash and bloom filter size
693 | # settings.
694 |
695 | pattern-matcher:
696 | - b2g:
697 | search-algo: B2gSearchBNDMq
698 | hash-size: low
699 | bf-size: medium
700 | - b3g:
701 | search-algo: B3gSearchBNDMq
702 | hash-size: low
703 | bf-size: medium
704 | - wumanber:
705 | hash-size: low
706 | bf-size: medium
707 |
708 | # Defrag settings:
709 |
710 | defrag:
711 | memcap: 32mb
712 | hash-size: 65536
713 | trackers: 65535 # number of defragmented flows to follow
714 | max-frags: 65535 # number of fragments to keep (higher than trackers)
715 | prealloc: yes
716 | timeout: 60
717 |
718 | # Enable defrag per host settings
719 | # host-config:
720 | #
721 | # - dmz:
722 | # timeout: 30
723 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
724 | #
725 | # - lan:
726 | # timeout: 45
727 | # address:
728 | # - 192.168.0.0/24
729 | # - 192.168.10.0/24
730 | # - 172.16.14.0/24
731 |
732 | # Flow settings:
733 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
734 | # for flow allocation inside the engine. You can change this value to allow
735 | # more memory usage for flows.
736 | # The hash-size determine the size of the hash used to identify flows inside
737 | # the engine, and by default the value is 65536.
738 | # At the startup, the engine can preallocate a number of flows, to get a better
739 | # performance. The number of flows preallocated is 10000 by default.
740 | # emergency-recovery is the percentage of flows that the engine need to
741 | # prune before unsetting the emergency state. The emergency state is activated
742 | # when the memcap limit is reached, allowing to create new flows, but
743 | # prunning them with the emergency timeouts (they are defined below).
744 | # If the memcap is reached, the engine will try to prune flows
745 | # with the default timeouts. If it doens't find a flow to prune, it will set
746 | # the emergency bit and it will try again with more agressive timeouts.
747 | # If that doesn't work, then it will try to kill the last time seen flows
748 | # not in use.
749 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's
750 | # in bytes.
751 |
752 | flow:
753 | memcap: 64mb
754 | hash-size: 65536
755 | prealloc: 10000
756 | emergency-recovery: 30
757 | #managers: 1 # default to one flow manager
758 | #recyclers: 1 # default to one flow recycler thread
759 |
760 | # This option controls the use of vlan ids in the flow (and defrag)
761 | # hashing. Normally this should be enabled, but in some (broken)
762 | # setups where both sides of a flow are not tagged with the same vlan
763 | # tag, we can ignore the vlan id's in the flow hashing.
764 | vlan:
765 | use-for-tracking: true
766 |
767 | # Specific timeouts for flows. Here you can specify the timeouts that the
768 | # active flows will wait to transit from the current state to another, on each
769 | # protocol. The value of "new" determine the seconds to wait after a hanshake or
770 | # stream startup before the engine free the data of that flow it doesn't
771 | # change the state to established (usually if we don't receive more packets
772 | # of that flow). The value of "established" is the amount of
773 | # seconds that the engine will wait to free the flow if it spend that amount
774 | # without receiving new packets or closing the connection. "closed" is the
775 | # amount of time to wait after a flow is closed (usually zero).
776 | #
777 | # There's an emergency mode that will become active under attack circumstances,
778 | # making the engine to check flow status faster. This configuration variables
779 | # use the prefix "emergency-" and work similar as the normal ones.
780 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
781 | # icmp.
782 |
783 | flow-timeouts:
784 |
785 | default:
786 | new: 30
787 | established: 300
788 | closed: 0
789 | emergency-new: 10
790 | emergency-established: 100
791 | emergency-closed: 0
792 | tcp:
793 | new: 60
794 | established: 3600
795 | closed: 120
796 | emergency-new: 10
797 | emergency-established: 300
798 | emergency-closed: 20
799 | udp:
800 | new: 30
801 | established: 300
802 | emergency-new: 10
803 | emergency-established: 100
804 | icmp:
805 | new: 30
806 | established: 300
807 | emergency-new: 10
808 | emergency-established: 100
809 |
810 | # Stream engine settings. Here the TCP stream tracking and reassembly
811 | # engine is configured.
812 | #
813 | # stream:
814 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a
815 | # # number indicates it's in bytes.
816 | # checksum-validation: yes # To validate the checksum of received
817 | # # packet. If csum validation is specified as
818 | # # "yes", then packet with invalid csum will not
819 | # # be processed by the engine stream/app layer.
820 | # # Warning: locally generated trafic can be
821 | # # generated without checksum due to hardware offload
822 | # # of checksum. You can control the handling of checksum
823 | # # on a per-interface basis via the 'checksum-checks'
824 | # # option
825 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
826 | # midstream: false # don't allow midstream session pickups
827 | # async-oneside: false # don't enable async stream handling
828 | # inline: no # stream inline mode
829 | # max-synack-queued: 5 # Max different SYN/ACKs to queue
830 | #
831 | # reassembly:
832 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number
833 | # # indicates it's in bytes.
834 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number
835 | # # indicates it's in bytes.
836 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
837 | # # this size. Can be specified in kb, mb,
838 | # # gb. Just a number indicates it's in bytes.
839 | # # The max acceptable size is 4024 bytes.
840 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
841 | # # this size. Can be specified in kb, mb,
842 | # # gb. Just a number indicates it's in bytes.
843 | # # The max acceptable size is 4024 bytes.
844 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
845 | # # This lower the risk of some evasion technics but could lead
846 | # # detection change between runs. It is set to 'yes' by default.
847 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
848 | # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
849 | # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
850 | # # of randomize-chunk-range is 10.
851 | #
852 | # raw: yes # 'Raw' reassembly enabled or disabled.
853 | # # raw is for content inspection by detection
854 | # # engine.
855 | #
856 | # chunk-prealloc: 250 # Number of preallocated stream chunks. These
857 | # # are used during stream inspection (raw).
858 | # segments: # Settings for reassembly segment pool.
859 | # - size: 4 # Size of the (data)segment for a pool
860 | # prealloc: 256 # Number of segments to prealloc and keep
861 | # # in the pool.
862 | # zero-copy-size: 128 # This option sets in bytes the value at
863 | # # which segment data is passed to the app
864 | # # layer API directly. Data sizes equal to
865 | # # and higher than the value set are passed
866 | # # on directly.
867 | #
868 | stream:
869 | memcap: 32mb
870 | checksum-validation: yes # reject wrong csums
871 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
872 | reassembly:
873 | memcap: 128mb
874 | depth: 2mb # reassemble 1mb into a stream
875 | toserver-chunk-size: 2560
876 | toclient-chunk-size: 2560
877 | randomize-chunk-size: yes
878 | #randomize-chunk-range: 10
879 | #raw: yes
880 | #chunk-prealloc: 250
881 | #segments:
882 | # - size: 4
883 | # prealloc: 256
884 | # - size: 16
885 | # prealloc: 512
886 | # - size: 112
887 | # prealloc: 512
888 | # - size: 248
889 | # prealloc: 512
890 | # - size: 512
891 | # prealloc: 512
892 | # - size: 768
893 | # prealloc: 1024
894 | # - size: 1448
895 | # prealloc: 1024
896 | # - size: 65535
897 | # prealloc: 128
898 | #zero-copy-size: 128
899 |
900 | # Host table:
901 | #
902 | # Host table is used by tagging and per host thresholding subsystems.
903 | #
904 | host:
905 | hash-size: 4096
906 | prealloc: 1000
907 | memcap: 16777216
908 |
909 | # Logging configuration. This is not about logging IDS alerts, but
910 | # IDS output about what its doing, errors, etc.
911 | logging:
912 |
913 | # The default log level, can be overridden in an output section.
914 | # Note that debug level logging will only be emitted if Suricata was
915 | # compiled with the --enable-debug configure option.
916 | #
917 | # This value is overriden by the SC_LOG_LEVEL env var.
918 | default-log-level: notice
919 |
920 | # The default output format. Optional parameter, should default to
921 | # something reasonable if not provided. Can be overriden in an
922 | # output section. You can leave this out to get the default.
923 | #
924 | # This value is overriden by the SC_LOG_FORMAT env var.
925 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
926 |
927 | # A regex to filter output. Can be overridden in an output section.
928 | # Defaults to empty (no filter).
929 | #
930 | # This value is overriden by the SC_LOG_OP_FILTER env var.
931 | default-output-filter:
932 |
933 | # Define your logging outputs. If none are defined, or they are all
934 | # disabled you will get the default - console output.
935 | outputs:
936 | - console:
937 | enabled: yes
938 | # type: json
939 | - file:
940 | enabled: yes
941 | filename: /var/log/suricata/suricata.json
942 | type: json
943 | - syslog:
944 | enabled: no
945 | facility: local5
946 | format: "[%i] <%d> -- "
947 | # type: json
948 |
949 | # Tilera mpipe configuration. for use on Tilera TILE-Gx.
950 | mpipe:
951 |
952 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
953 | load-balance: dynamic
954 |
955 | # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
956 | iqueue-packets: 2048
957 |
958 | # List of interfaces we will listen on.
959 | inputs:
960 | - interface: xgbe2
961 | - interface: xgbe3
962 | - interface: xgbe4
963 |
964 |
965 | # Relative weight of memory for packets of each mPipe buffer size.
966 | stack:
967 | size128: 0
968 | size256: 9
969 | size512: 0
970 | size1024: 0
971 | size1664: 7
972 | size4096: 0
973 | size10386: 0
974 | size16384: 0
975 |
976 | # PF_RING configuration. for use with native PF_RING support
977 | # for more info see http://www.ntop.org/products/pf_ring/
978 | pfring:
979 | - interface: eth0
980 | # Number of receive threads (>1 will enable experimental flow pinned
981 | # runmode)
982 | threads: 1
983 |
984 | # Default clusterid. PF_RING will load balance packets based on flow.
985 | # All threads/processes that will participate need to have the same
986 | # clusterid.
987 | cluster-id: 99
988 |
989 | # Default PF_RING cluster type. PF_RING can load balance per flow.
990 | # Possible values are cluster_flow or cluster_round_robin.
991 | cluster-type: cluster_flow
992 | # bpf filter for this interface
993 | #bpf-filter: tcp
994 | # Choose checksum verification mode for the interface. At the moment
995 | # of the capture, some packets may be with an invalid checksum due to
996 | # offloading to the network card of the checksum computation.
997 | # Possible values are:
998 | # - rxonly: only compute checksum for packets received by network card.
999 | # - yes: checksum validation is forced
1000 | # - no: checksum validation is disabled
1001 | # - auto: suricata uses a statistical approach to detect when
1002 | # checksum off-loading is used. (default)
1003 | # Warning: 'checksum-validation' must be set to yes to have any validation
1004 | #checksum-checks: auto
1005 | # Second interface
1006 | #- interface: eth1
1007 | # threads: 3
1008 | # cluster-id: 93
1009 | # cluster-type: cluster_flow
1010 | # Put default values here
1011 | - interface: default
1012 | #threads: 2
1013 |
1014 | pcap:
1015 | - interface: eth0
1016 | # On Linux, pcap will try to use mmaped capture and will use buffer-size
1017 | # as total of memory used by the ring. So set this to something bigger
1018 | # than 1% of your bandwidth.
1019 | #buffer-size: 16777216
1020 | #bpf-filter: "tcp and port 25"
1021 | # Choose checksum verification mode for the interface. At the moment
1022 | # of the capture, some packets may be with an invalid checksum due to
1023 | # offloading to the network card of the checksum computation.
1024 | # Possible values are:
1025 | # - yes: checksum validation is forced
1026 | # - no: checksum validation is disabled
1027 | # - auto: suricata uses a statistical approach to detect when
1028 | # checksum off-loading is used. (default)
1029 | # Warning: 'checksum-validation' must be set to yes to have any validation
1030 | #checksum-checks: auto
1031 | # With some accelerator cards using a modified libpcap (like myricom), you
1032 | # may want to have the same number of capture threads as the number of capture
1033 | # rings. In this case, set up the threads variable to N to start N threads
1034 | # listening on the same interface.
1035 | #threads: 16
1036 | # set to no to disable promiscuous mode:
1037 | #promisc: no
1038 | # set snaplen, if not set it defaults to MTU if MTU can be known
1039 | # via ioctl call and to full capture if not.
1040 | #snaplen: 1518
1041 | # Put default values here
1042 | - interface: default
1043 | #checksum-checks: auto
1044 |
1045 | pcap-file:
1046 | # Possible values are:
1047 | # - yes: checksum validation is forced
1048 | # - no: checksum validation is disabled
1049 | # - auto: suricata uses a statistical approach to detect when
1050 | # checksum off-loading is used. (default)
1051 | # Warning: 'checksum-validation' must be set to yes to have checksum tested
1052 | checksum-checks: auto
1053 |
1054 | # For FreeBSD ipfw(8) divert(4) support.
1055 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
1056 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
1057 | # Additionally, you need to have an ipfw rule for the engine to see
1058 | # the packets from ipfw. For Example:
1059 | #
1060 | # ipfw add 100 divert 8000 ip from any to any
1061 | #
1062 | # The 8000 above should be the same number you passed on the command
1063 | # line, i.e. -d 8000
1064 | #
1065 | ipfw:
1066 |
1067 | # Reinject packets at the specified ipfw rule number. This config
1068 | # option is the ipfw rule number AT WHICH rule processing continues
1069 | # in the ipfw processing system after the engine has finished
1070 | # inspecting the packet for acceptance. If no rule number is specified,
1071 | # accepted packets are reinjected at the divert rule which they entered
1072 | # and IPFW rule processing continues. No check is done to verify
1073 | # this will rule makes sense so care must be taken to avoid loops in ipfw.
1074 | #
1075 | ## The following example tells the engine to reinject packets
1076 | # back into the ipfw firewall AT rule number 5500:
1077 | #
1078 | # ipfw-reinjection-rule-number: 5500
1079 |
1080 | # Set the default rule path here to search for the files.
1081 | # if not set, it will look at the current working dir
1082 | default-rule-path: /etc/suricata/rules
1083 | rule-files:
1084 | - scirius.rules
1085 |
1086 | classification-file: /etc/suricata/rules/classification.config
1087 | reference-config-file: /etc/suricata/rules/reference.config
1088 |
1089 | # Holds variables that would be used by the engine.
1090 | vars:
1091 |
1092 | # Holds the address group vars that would be passed in a Signature.
1093 | # These would be retrieved during the Signature address parsing stage.
1094 | address-groups:
1095 |
1096 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
1097 |
1098 | EXTERNAL_NET: "!$HOME_NET"
1099 |
1100 | HTTP_SERVERS: "$HOME_NET"
1101 |
1102 | SMTP_SERVERS: "$HOME_NET"
1103 |
1104 | SQL_SERVERS: "$HOME_NET"
1105 |
1106 | DNS_SERVERS: "$HOME_NET"
1107 |
1108 | TELNET_SERVERS: "$HOME_NET"
1109 |
1110 | AIM_SERVERS: "$EXTERNAL_NET"
1111 |
1112 | DNP3_SERVER: "$HOME_NET"
1113 |
1114 | DNP3_CLIENT: "$HOME_NET"
1115 |
1116 | MODBUS_CLIENT: "$HOME_NET"
1117 |
1118 | MODBUS_SERVER: "$HOME_NET"
1119 |
1120 | ENIP_CLIENT: "$HOME_NET"
1121 |
1122 | ENIP_SERVER: "$HOME_NET"
1123 |
1124 | # Holds the port group vars that would be passed in a Signature.
1125 | # These would be retrieved during the Signature port parsing stage.
1126 | port-groups:
1127 |
1128 | HTTP_PORTS: "80"
1129 |
1130 | SHELLCODE_PORTS: "!80"
1131 |
1132 | ORACLE_PORTS: 1521
1133 |
1134 | SSH_PORTS: 22
1135 |
1136 | DNP3_PORTS: 20000
1137 |
1138 | MODBUS_PORTS: 502
1139 |
1140 | # Set the order of alerts bassed on actions
1141 | # The default order is pass, drop, reject, alert
1142 | action-order:
1143 | - pass
1144 | - drop
1145 | - reject
1146 | - alert
1147 |
1148 | # IP Reputation
1149 | #reputation-categories-file: /etc/suricata/iprep/categories.txt
1150 | #default-reputation-path: /etc/suricata/iprep
1151 | #reputation-files:
1152 | # - reputation.list
1153 |
1154 | # Host specific policies for defragmentation and TCP stream
1155 | # reassembly. The host OS lookup is done using a radix tree, just
1156 | # like a routing table so the most specific entry matches.
1157 | host-os-policy:
1158 | # Make the default policy windows.
1159 | windows: [0.0.0.0/0]
1160 | bsd: []
1161 | bsd-right: []
1162 | old-linux: []
1163 | linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
1164 | old-solaris: []
1165 | solaris: ["::1"]
1166 | hpux10: []
1167 | hpux11: []
1168 | irix: []
1169 | macos: []
1170 | vista: []
1171 | windows2k3: []
1172 |
1173 |
1174 | # Limit for the maximum number of asn1 frames to decode (default 256)
1175 | asn1-max-frames: 256
1176 |
1177 | # When run with the option --engine-analysis, the engine will read each of
1178 | # the parameters below, and print reports for each of the enabled sections
1179 | # and exit. The reports are printed to a file in the default log dir
1180 | # given by the parameter "default-log-dir", with engine reporting
1181 | # subsection below printing reports in its own report file.
1182 | engine-analysis:
1183 | # enables printing reports for fast-pattern for every rule.
1184 | rules-fast-pattern: yes
1185 | # enables printing reports for each rule
1186 | rules: yes
1187 |
1188 | #recursion and match limits for PCRE where supported
1189 | pcre:
1190 | match-limit: 3500
1191 | match-limit-recursion: 1500
1192 |
1193 | # Holds details on the app-layer. The protocols section details each protocol.
1194 | # Under each protocol, the default value for detection-enabled and "
1195 | # parsed-enabled is yes, unless specified otherwise.
1196 | # Each protocol covers enabling/disabling parsers for all ipprotos
1197 | # the app-layer protocol runs on. For example "dcerpc" refers to the tcp
1198 | # version of the protocol as well as the udp version of the protocol.
1199 | # The option "enabled" takes 3 values - "yes", "no", "detection-only".
1200 | # "yes" enables both detection and the parser, "no" disables both, and
1201 | # "detection-only" enables detection only(parser disabled).
1202 | app-layer:
1203 | protocols:
1204 | tls:
1205 | enabled: yes
1206 | detection-ports:
1207 | dp: 443
1208 |
1209 | #no-reassemble: yes
1210 | dcerpc:
1211 | enabled: yes
1212 | ftp:
1213 | enabled: yes
1214 | ssh:
1215 | enabled: yes
1216 | smtp:
1217 | enabled: yes
1218 | # Configure SMTP-MIME Decoder
1219 | mime:
1220 | # Decode MIME messages from SMTP transactions
1221 | # (may be resource intensive)
1222 | # This field supercedes all others because it turns the entire
1223 | # process on or off
1224 | decode-mime: yes
1225 |
1226 | # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
1227 | decode-base64: yes
1228 | decode-quoted-printable: yes
1229 |
1230 | # Maximum bytes per header data value stored in the data structure
1231 | # (default is 2000)
1232 | header-value-depth: 2000
1233 |
1234 | # Extract URLs and save in state data structure
1235 | extract-urls: yes
1236 | # Configure inspected-tracker for file_data keyword
1237 | inspected-tracker:
1238 | content-limit: 1000
1239 | content-inspect-min-size: 1000
1240 | content-inspect-window: 1000
1241 | imap:
1242 | enabled: detection-only
1243 | msn:
1244 | enabled: detection-only
1245 | smb:
1246 | enabled: yes
1247 | detection-ports:
1248 | dp: 139
1249 | # Note: Modbus probe parser is minimalist due to the poor significant field
1250 | # Only Modbus message length (greater than Modbus header length)
1251 | # And Protocol ID (equal to 0) are checked in probing parser
1252 | # It is important to enable detection port and define Modbus port
1253 | # to avoid false positive
1254 | modbus:
1255 | # How many unreplied Modbus requests are considered a flood.
1256 | # If the limit is reached, app-layer-event:modbus.flooded; will match.
1257 | #request-flood: 500
1258 |
1259 | enabled: yes
1260 | detection-ports:
1261 | dp: 502
1262 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
1263 | # is recommended to keep the TCP connection opened with a remote device
1264 | # and not to open and close it for each MODBUS/TCP transaction. In that
1265 | # case, it is important to set the depth of the stream reassembling as
1266 | # unlimited (stream.reassembly.depth: 0)
1267 | # smb2 detection is disabled internally inside the engine.
1268 | #smb2:
1269 | # enabled: yes
1270 | dns:
1271 | # memcaps. Globally and per flow/state.
1272 | #global-memcap: 16mb
1273 | #state-memcap: 512kb
1274 |
1275 | # How many unreplied DNS requests are considered a flood.
1276 | # If the limit is reached, app-layer-event:dns.flooded; will match.
1277 | #request-flood: 500
1278 |
1279 | tcp:
1280 | enabled: yes
1281 | detection-ports:
1282 | dp: 53
1283 | udp:
1284 | enabled: yes
1285 | detection-ports:
1286 | dp: 53
1287 | http:
1288 | enabled: yes
1289 | # memcap: 64mb
1290 |
1291 | ###########################################################################
1292 | # Configure libhtp.
1293 | #
1294 | #
1295 | # default-config: Used when no server-config matches
1296 | # personality: List of personalities used by default
1297 | # request-body-limit: Limit reassembly of request body for inspection
1298 | # by http_client_body & pcre /P option.
1299 | # response-body-limit: Limit reassembly of response body for inspection
1300 | # by file_data, http_server_body & pcre /Q option.
1301 | # double-decode-path: Double decode path section of the URI
1302 | # double-decode-query: Double decode query section of the URI
1303 | #
1304 | # server-config: List of server configurations to use if address matches
1305 | # address: List of ip addresses or networks for this block
1306 | # personalitiy: List of personalities used by this block
1307 | # request-body-limit: Limit reassembly of request body for inspection
1308 | # by http_client_body & pcre /P option.
1309 | # response-body-limit: Limit reassembly of response body for inspection
1310 | # by file_data, http_server_body & pcre /Q option.
1311 | # double-decode-path: Double decode path section of the URI
1312 | # double-decode-query: Double decode query section of the URI
1313 | #
1314 | # uri-include-all: Include all parts of the URI. By default the
1315 | # 'scheme', username/password, hostname and port
1316 | # are excluded. Setting this option to true adds
1317 | # all of them to the normalized uri as inspected
1318 | # by http_uri, urilen, pcre with /U and the other
1319 | # keywords that inspect the normalized uri.
1320 | # Note that this does not affect http_raw_uri.
1321 | # Also, note that including all was the default in
1322 | # 1.4 and 2.0beta1.
1323 | #
1324 | # meta-field-limit: Hard size limit for request and response size
1325 | # limits. Applies to request line and headers,
1326 | # response line and headers. Does not apply to
1327 | # request or response bodies. Default is 18k.
1328 | # If this limit is reached an event is raised.
1329 | #
1330 | # Currently Available Personalities:
1331 | # Minimal
1332 | # Generic
1333 | # IDS (default)
1334 | # IIS_4_0
1335 | # IIS_5_0
1336 | # IIS_5_1
1337 | # IIS_6_0
1338 | # IIS_7_0
1339 | # IIS_7_5
1340 | # Apache_2
1341 | ###########################################################################
1342 | libhtp:
1343 |
1344 | default-config:
1345 | personality: IDS
1346 |
1347 | # Can be specified in kb, mb, gb. Just a number indicates
1348 | # it's in bytes.
1349 | request-body-limit: 2mb
1350 | response-body-limit: 2mb
1351 |
1352 | # inspection limits
1353 | request-body-minimal-inspect-size: 32kb
1354 | request-body-inspect-window: 4kb
1355 | response-body-minimal-inspect-size: 32kb
1356 | response-body-inspect-window: 4kb
1357 |
1358 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically
1359 | http-body-inline: auto
1360 |
1361 | # Take a random value for inspection sizes around the specified value.
1362 | # This lower the risk of some evasion technics but could lead
1363 | # detection change between runs. It is set to 'yes' by default.
1364 | #randomize-inspection-sizes: yes
1365 | # If randomize-inspection-sizes is active, the value of various
1366 | # inspection size will be choosen in the [1 - range%, 1 + range%]
1367 | # range
1368 | # Default value of randomize-inspection-range is 10.
1369 | #randomize-inspection-range: 10
1370 |
1371 | # decoding
1372 | double-decode-path: no
1373 | double-decode-query: no
1374 |
1375 | server-config:
1376 |
1377 | #- apache:
1378 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
1379 | # personality: Apache_2
1380 | # # Can be specified in kb, mb, gb. Just a number indicates
1381 | # # it's in bytes.
1382 | # request-body-limit: 4096
1383 | # response-body-limit: 4096
1384 | # double-decode-path: no
1385 | # double-decode-query: no
1386 |
1387 | #- iis7:
1388 | # address:
1389 | # - 192.168.0.0/24
1390 | # - 192.168.10.0/24
1391 | # personality: IIS_7_0
1392 | # # Can be specified in kb, mb, gb. Just a number indicates
1393 | # # it's in bytes.
1394 | # request-body-limit: 4096
1395 | # response-body-limit: 4096
1396 | # double-decode-path: no
1397 | # double-decode-query: no
1398 |
1399 | # Profiling settings. Only effective if Suricata has been built with the
1400 | # the --enable-profiling configure flag.
1401 | #
1402 | profiling:
1403 | # Run profiling for every xth packet. The default is 1, which means we
1404 | # profile every packet. If set to 1000, one packet is profiled for every
1405 | # 1000 received.
1406 | #sample-rate: 1000
1407 |
1408 | # rule profiling
1409 | rules:
1410 |
1411 | # Profiling can be disabled here, but it will still have a
1412 | # performance impact if compiled in.
1413 | enabled: yes
1414 | filename: rule_perf.log
1415 | append: yes
1416 |
1417 | # Sort options: ticks, avgticks, checks, matches, maxticks
1418 | sort: avgticks
1419 |
1420 | # Limit the number of items printed at exit.
1421 | limit: 100
1422 |
1423 | # per keyword profiling
1424 | keywords:
1425 | enabled: yes
1426 | filename: keyword_perf.log
1427 | append: yes
1428 |
1429 | # packet profiling
1430 | packets:
1431 |
1432 | # Profiling can be disabled here, but it will still have a
1433 | # performance impact if compiled in.
1434 | enabled: yes
1435 | filename: packet_stats.log
1436 | append: yes
1437 |
1438 | # per packet csv output
1439 | csv:
1440 |
1441 | # Output can be disabled here, but it will still have a
1442 | # performance impact if compiled in.
1443 | enabled: no
1444 | filename: packet_stats.csv
1445 |
1446 | # profiling of locking. Only available when Suricata was built with
1447 | # --enable-profiling-locks.
1448 | locks:
1449 | enabled: no
1450 | filename: lock_stats.log
1451 | append: yes
1452 |
1453 | pcap-log:
1454 | enabled: no
1455 | filename: pcaplog_stats.log
1456 | append: yes
1457 |
1458 | # Suricata core dump configuration. Limits the size of the core dump file to
1459 | # approximately max-dump. The actual core dump size will be a multiple of the
1460 | # page size. Core dumps that would be larger than max-dump are truncated. On
1461 | # Linux, the actual core dump size may be a few pages larger than max-dump.
1462 | # Setting max-dump to 0 disables core dumping.
1463 | # Setting max-dump to 'unlimited' will give the full core dump file.
1464 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1465 | # to be 'unlimited'.
1466 |
1467 | coredump:
1468 | max-dump: unlimited
1469 |
1470 | napatech:
1471 | # The Host Buffer Allowance for all streams
1472 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1473 | hba: -1
1474 |
1475 | # use_all_streams set to "yes" will query the Napatech service for all configured
1476 | # streams and listen on all of them. When set to "no" the streams config array
1477 | # will be used.
1478 | use-all-streams: yes
1479 |
1480 | # The streams to listen on
1481 | streams: [1, 2, 3]
1482 |
1483 | # Includes. Files included here will be handled as if they were
1484 | # inlined in this configuration file.
1485 | #include: include1.yaml
1486 | #include: include2.yaml
1487 |
--------------------------------------------------------------------------------
/src/config/suricata/threshold.config:
--------------------------------------------------------------------------------
1 | # Thresholding:
2 | #
3 | # This feature is used to reduce the number of logged alerts for noisy rules.
4 | # Thresholding commands limit the number of times a particular event is logged
5 | # during a specified time interval.
6 | #
7 | # The syntax is the following:
8 | #
9 | # threshold gen_id , sig_id , type , track , count , seconds
10 | #
11 | # event_filter gen_id , sig_id , type , track , count , seconds
12 | #
13 | # suppress gen_id , sig_id
14 | # suppress gen_id , sig_id , track , ip
15 | #
16 | # The options are documented at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
17 | #
18 | # Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
19 | # and global thresholds is documented here:
20 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds#Global-thresholds-vs-rule-thresholds
21 |
22 | # Limit to 10 alerts every 10 seconds for each source host
23 | #threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10
24 |
25 | # Limit to 1 alert every 10 seconds for signature with sid 2404000
26 | #threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 10
27 |
28 | # Avoid to alert on f-secure update
29 | # Example taken from http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
30 | #suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
31 | #suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
32 | #suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25
33 |
--------------------------------------------------------------------------------
/src/docker/elasticsearch/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM elasticsearch:2.4
2 |
3 | RUN /usr/share/elasticsearch/bin/plugin install delete-by-query
4 |
--------------------------------------------------------------------------------
/src/docker/kibana/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM kibana:4.6
2 |
3 | RUN /opt/kibana/bin/kibana plugin -i kibana/timelion
4 | RUN chown -R kibana.kibana /opt/kibana/optimize/
5 |
--------------------------------------------------------------------------------
/src/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
1 | suricata:
2 | image: stamus/suricata
3 | volumes:
4 | - $basepath/config/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
5 | - $basepath/suricata:/var/log/suricata:rw
6 | - $basepath/suricata/run/:/var/run/suricata:rw
7 | - $basepath/config/suricata/ethtool.conf:/etc/supervisor/conf.d/ethtool.conf:ro
8 | - $basepath/scirius/:/etc/suricata/rules:rw
9 | cap_add:
10 | - NET_ADMIN
11 | - NET_RAW
12 | net: host
13 | # TODO set your suricata iface here
14 | environment:
15 | - SURICATA_ARGS="$capture_option"
16 |
17 | elasticsearch:
18 | build: $basepath/docker/elasticsearch
19 | command: -Des.network.bind_host=0.0.0.0 -Des.index.number_of_replicas=0
20 | volumes:
21 | - $basepath/elasticsearch:/usr/share/elasticsearch/data:rw
22 |
23 | logstash:
24 | image: logstash:2
25 | links:
26 | - elasticsearch
27 | command: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/
28 | volumes:
29 | - $basepath/config/logstash:/etc/logstash:ro
30 | - $basepath/suricata:/var/log/suricata:ro
31 | hostname: suricata
32 |
33 | kibana:
34 | build: $basepath/docker/kibana
35 | links:
36 | - elasticsearch
37 |
38 | scirius:
39 | image: stamus/scirius
40 | volumes:
41 | - $basepath/config/scirius:/etc/scirius:ro
42 | - $basepath/config/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
43 | - $basepath/scirius:/etc/suricata/rules:rw
44 | - $basepath/suricata/run:/var/run/suricata:ro
45 | - $basepath/backups:/var/backups:rw
46 | # TODO uncomment correctly set path to scirius git tree on host below
47 | # to run a specific scirius version
48 | #- /path/to/git/stamus/scirius/:/opt/selks/scirius/:ro
49 | links:
50 | - elasticsearch
51 | - kibana
52 | - evebox
53 | volumes_from:
54 | - sciriusdata
55 | - sciriusstatic
56 |
57 | sciriusdata:
58 | image: busybox
59 | command: /bin/true
60 | volumes:
61 | - /sciriusdata
62 |
63 | sciriusstatic:
64 | image: busybox
65 | command: /bin/true
66 | volumes:
67 | - /sciriusstatic
68 |
69 | evebox:
70 | image: jasonish/evebox:latest
71 | links:
72 | - elasticsearch
73 |
74 | nginx:
75 | image: nginx
76 | ports:
77 | - 443:443
78 | volumes:
79 | - $basepath/config/nginx/amsterdam.conf:/etc/nginx/conf.d/default.conf:ro
80 | - $basepath/config/nginx/ssl/:/etc/nginx/ssl/:ro
81 | links:
82 | - scirius
83 | volumes_from:
84 | - sciriusstatic
85 |
--------------------------------------------------------------------------------
/src/templates/ethtool.conf.j2:
--------------------------------------------------------------------------------
1 | [program:ethtool]
2 | command=/sbin/ethtool -K $iface tx off sg off gro off gso off lro off tso off
3 | auto_restart=false
4 | startsecs=0
5 | exitcodes=0,1
6 |
--------------------------------------------------------------------------------