├── .gitignore
├── README.md
├── Vagrantfile
├── bootstrap.sh
└── resources
    ├── disablesid.conf
    ├── pulledpork.conf
    └── suricata.yaml

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.vagrant
.DS_Store

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Vagrant-IDS

# Purpose
This Vagrant file will spin up an Ubuntu 16.04 box (Bento) and install and configure the following software:
* Suricata (3.2.8 - Latest stable build at time of writing)
* PulledPork
* Bro (Latest)
* Splunk (6.6.2 - Latest at time of writing)

## Setup
1. Install a provider (Virtualbox/VMWare/etc)
2. Install [Vagrant](https://www.vagrantup.com/)
3. `$ git clone https://github.com/Centurion89/vagrant-ids.git`
4. `$ cd vagrant-ids`
5. `$ vagrant up --provider=[vmware_fusion/virtualbox/etc]`

## Suricata
The suricata.yaml file that will be installed includes a few small changes, primarily:
* JSON logging (eve.json) is enabled and configured fairly verbosely
* The config assumes HOME_NET = 192.168.0.0/16
* The only rule file being imported is pulledpork.rules

Suricata is configured to start up using the sole "ens32" interface. Rules are stored in `/etc/suricata/rules`.

After installation, Suricata will perform two curl commands to ensure that the detection engine and logging are functioning properly. However, please note that the vagrant build will continue even if the tests fail.

## PulledPork
[PulledPork](https://github.com/shirkdog/pulledpork) is used to configure rule management and updates in Suricata. It is installed in /opt/pulledpork and is configured to pull down EmergingThreats rules.
You can manually run PulledPork via `/opt/pulledpork/pulledpork.pl -c etc/pulledpork.conf -S suricata-3.0`. Also consider adding that command to cron if you would like updates to run on a schedule automatically.

## Bro
Bro is cloned and installed into `/opt/bro`. Similar to Suricata, it assumes all RFC1918 ranges are private networks and uses "ens32" as the interface it monitors. JSON logging is enabled and it is configured to run in standalone mode.

## Splunk
Splunk will be installed with two indexes:
* suricata
* bro

Access Splunk at https://vagrant:8000. The default credentials are `admin:changeme` and can be changed via CLI or web interface.

By default, Splunk is configured to ingest `/var/log/suricata/eve.json` and all ".log" files in `/opt/bro/logs/current/`. To modify what logs are collected, edit `/opt/splunk/etc/system/local/inputs.conf`.

## Contributing
If you encounter any issues or would like to request any features, please feel free to submit a PR or create an issue.
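The two post-install checks described under Suricata above grep eve.json for the alert names. As an added example (not part of this repository), the following script reads eve.json as newline-delimited JSON and counts only `event_type: alert` records for those two signatures, so a match inside some other event type or a half-written trailing line cannot produce a false pass:

```python
"""Verify the two Suricata self-test alerts that bootstrap.sh provokes.

Added example, not part of vagrant-ids. bootstrap.sh uses `grep -c` on
eve.json; this reads the file as newline-delimited JSON and counts only
event_type == "alert" records, so a match inside some other event type
(or a half-written trailing line) cannot produce a false pass.
"""
import json
from collections import Counter

# Signature names of the two alerts that the curl commands in bootstrap.sh
# are expected to trigger (taken from the grep patterns in that script).
EXPECTED_SIGNATURES = (
    "ET USER_AGENTS Suspicious User Agent (BlackSun)",
    "GPL ATTACK_RESPONSE id check returned root",
)


def count_alerts(lines):
    """Return a Counter of alert signature -> number of alert events.

    Non-JSON lines (e.g. a partial line still being written by Suricata)
    and events that are not alerts are skipped.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") != "alert":
            continue
        signature = event.get("alert", {}).get("signature")
        if signature:
            counts[signature] += 1
    return counts


def check_self_test(lines, expected=EXPECTED_SIGNATURES):
    """Map each expected signature to True if at least one alert was logged."""
    counts = count_alerts(lines)
    return {sig: counts[sig] >= 1 for sig in expected}


# Constructed sample of eve.json lines (addresses from documentation ranges,
# fields trimmed to what the check needs): an http record for the BlackSun
# request, one alert per test, an unrelated alert whose printable payload
# merely contains the word BlackSun, a stats record and a truncated line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-08-13T12:00:00.000000+0000","event_type":"http",'
    '"src_ip":"192.168.56.10","dest_ip":"203.0.113.5",'
    '"http":{"hostname":"example.com","http_user_agent":"BlackSun","url":"/"}}',
    '{"timestamp":"2017-08-13T12:00:00.100000+0000","event_type":"alert",'
    '"src_ip":"192.168.56.10","dest_ip":"203.0.113.5","alert":{"action":"allowed",'
    '"signature":"ET USER_AGENTS Suspicious User Agent (BlackSun)",'
    '"category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2017-08-13T12:00:03.200000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.7","dest_ip":"192.168.56.10","alert":{"action":"allowed",'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2},'
    '"payload_printable":"uid=0(root) gid=0(root) groups=0(root)"}',
    '{"timestamp":"2017-08-13T12:00:05.000000+0000","event_type":"alert",'
    '"alert":{"signature":"EXAMPLE unrelated rule"},'
    '"payload_printable":"User-Agent: BlackSun"}',
    '{"timestamp":"2017-08-13T12:00:08.000000+0000","event_type":"stats",'
    '"stats":{"uptime":8}}',
    '{"timestamp":"2017-08-13T12:00:09.0',
]


def run(path="/var/log/suricata/eve.json"):
    """Check a real eve.json and return True only if both tests passed."""
    with open(path) as fh:
        results = check_self_test(fh)
    for signature, passed in results.items():
        print(("PASS  " if passed else "FAIL  ") + signature)
    return all(results.values())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sys.exit(0 if run(sys.argv[1]) else 1)
    print(check_self_test(SAMPLE_EVE_LINES))
```

Run it with the path to eve.json inside the box to check a real installation; with no argument it evaluates the constructed sample.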
## References
* [How to Install and Configure Bro on Ubuntu Linux](https://komunity.komand.com/learn/article/network-security/how-to-install-and-configure-bro-on-ubuntu-linux/)
* [How To Install Bro-IDS 2.2 on Ubuntu 12.04](https://www.digitalocean.com/community/tutorials/how-to-install-bro-ids-2-2-on-ubuntu-12-04)
* [How to install Suricata intrusion detection system on Linux](http://xmodulo.com/install-suricata-intrusion-detection-system-linux.html)
* [Install Perl module with assume yes for given options non-interactively](https://stackoverflow.com/questions/18458194/install-perl-modul-with-assume-yes-for-given-options-non-interactively)

--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |cfg|
  cfg.vm.box = "bento/ubuntu-16.04"
  cfg.vm.network :forwarded_port, guest: 8000, host: 8000
  cfg.vm.provision :shell, path: "bootstrap.sh"
  cfg.vm.provider "vmware_fusion" do |v, override|
    v.memory = 4096
    v.cpus = 2
    v.gui = true
  end
  cfg.vm.provider "virtualbox" do |v, override|
    v.memory = 4096
    v.cpus = 2
    v.gui = true
  end
end

--------------------------------------------------------------------------------
/bootstrap.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Author: Chris Long (@Centurion)
# Creation Date: 8/13/2017

apt-get update
export DEBIAN_FRONTEND=noninteractive
apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
## User defined packages
apt-get install -y build-essential whois jq git-core
## Suricata dependencies
apt-get install -y wget libpcre3-dev libpcre3-dbg automake autoconf libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libjansson-dev pkg-config
## Bro dependencies
apt-get install -y bison cmake flex g++ gdb make libmagic-dev libpcap-dev libgeoip-dev libssl-dev python-dev swig2.0 zlib1g-dev

## Download and install Suricata
wget "https://www.openinfosecfoundation.org/download/suricata-3.2.3.tar.gz"
tar -xvf suricata-3.2.3.tar.gz
cd suricata-3.2.3
./configure --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
mkdir -p /etc/suricata/rules
mkdir -p /var/log/suricata/certs
echo -e "\n\nYou will still have to configure your network and interfaces in /etc/suricata/suricata.yaml!!"
# Needed to find one of the libraries required by Suricata
echo 'include /usr/local/lib/' >> /etc/ld.so.conf
ldconfig
# Copy our config over the default
cp /vagrant/resources/suricata.yaml /etc/suricata/suricata.yaml

## Download and clone the pulledpork repo
cd /opt
git clone https://github.com/shirkdog/pulledpork.git
cd pulledpork
# Copy our configs over the default
cp /vagrant/resources/disablesid.conf /opt/pulledpork/etc/
cp /vagrant/resources/pulledpork.conf /opt/pulledpork/etc/
# Needed to run CPAN in noninteractive mode
export PERL_MM_USE_DEFAULT=1
perl -MCPAN -e 'install Bundle::LWP'
perl -MCPAN -e 'install Crypt::SSLeay'
# Run pulledpork and load the rules into /etc/suricata/rules
./pulledpork.pl -c etc/pulledpork.conf -S suricata-3.0

# Determine name of default network interface (first non-loopback interface listed by ifconfig)
DEFAULTIF=$(ifconfig | grep '^[a-z]' | grep -v '^lo' | cut -d ' ' -f 1 | head -n 1)
# Start suricata
# -D Daemon mode
# -c path to suricata.yaml
# -i interface
# -v verbose
suricata -D -c /etc/suricata/suricata.yaml -i "$DEFAULTIF" -v

# Give Suricata a few seconds to initialize, then trigger the two test alerts
sleep 5
echo -e "Running tests...\n"
curl -A "BlackSun" example.com
sleep 3
curl testmyids.com
sleep 3
BLACKSUNTEST=$(grep -c 'ET USER_AGENTS Suspicious User Agent (BlackSun)' /var/log/suricata/eve.json)
if [ "$BLACKSUNTEST" -ge 1 ]; then
  echo -e "Test 1/2 passed!\n"
else
  echo -e "Test 1/2 failed! Something might be misconfigured.\n"
fi
TESTMYIDS=$(grep -c 'GPL ATTACK_RESPONSE id check returned root' /var/log/suricata/eve.json)
if [ "$TESTMYIDS" -ge 1 ]; then
  echo -e "Test 2/2 passed!\n"
else
  echo -e "Test 2/2 failed! Something might be misconfigured.\n"
fi
echo -e "Suricata has attempted to start and run tests. If tests fail, further configuration may be required.\n"

# Download GeoIP DBs for Bro
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz -O /usr/share/GeoIP/GeoIPCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz -O /usr/share/GeoIP/GeoIPCityv6.dat.gz
gunzip /usr/share/GeoIP/GeoIPCity.dat.gz
gunzip /usr/share/GeoIP/GeoIPCityv6.dat.gz

## Download and install Bro IDS
cd /opt
git clone --recursive git://git.bro.org/bro
cd bro
./configure --prefix=/opt/bro
make
make install
echo 'export PATH=$PATH:/opt/bro/bin' >> ~/.bashrc
source ~/.bashrc
# Standalone node monitoring the same interface as Suricata
echo -e "[bro]
type=standalone
host=localhost
interface=$DEFAULTIF" > /opt/bro/etc/node.cfg
# Enable JSON logs
echo -e 'redef LogAscii::use_json = T;' >> /opt/bro/share/bro/base/frameworks/logging/writers/ascii.bro
# Start BroIDS
/opt/bro/bin/broctl deploy

## Download and install Splunk
cd /vagrant
wget --progress=bar:force -O splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.6.2&product=splunk&filename=splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb&wget=true'
dpkg -i splunk-6.6.2-4b804538c686-linux-2.6-amd64.deb
/opt/splunk/bin/splunk start --accept-license
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
/opt/splunk/bin/splunk add index bro -auth 'admin:changeme'
# Configure Splunk inputs
echo '[monitor:///var/log/suricata/eve.json]
index=suricata
sourcetype=suricata:json

[monitor:///opt/bro/logs/current/*.log]
index=bro
sourcetype=bro:json' >> /opt/splunk/etc/system/local/inputs.conf
# Fix broken extractions for some Bro log files
echo '[bro:json]
INDEXED_EXTRACTIONS=json
TIME_PREFIX=\"ts\"\:' > /opt/splunk/etc/system/local/props.conf
# Skip Splunk Tour and Change Password Dialog
touch /opt/splunk/etc/.ui_login
# Enable SSL login
cp /opt/splunk/etc/system/default/web.conf /opt/splunk/etc/system/local/web.conf
sed -i 's/enableSplunkWebSSL = false/enableSplunkWebSSL = true/g' /opt/splunk/etc/system/local/web.conf
# Restart Splunk to make changes take effect
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk enable boot-start

--------------------------------------------------------------------------------
/resources/disablesid.conf:
--------------------------------------------------------------------------------
# example disablesid.conf V3.1

# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
2016149,2016150,2018904,2018905,2018906,2018907,2018908

# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013

# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!

# Example of modifying state for MS and cve rules, note the use of the :
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids! These support regular expression
# matching only after you have specified what you are looking for, i.e.
# MS00- or cve:, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+

# Example of using the pcre: keyword to modify rulestate. the pcre keyword
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10
# pcre:MS(0[7-9]|10)-\d+

# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp

# Any of the above values can be on a single line or multiple lines, when
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your
# environment.

1:2016149
1:2016150
1:2018904
1:2018905
1:2018906
1:2018907
1:2018908
1:2404035
1:2020565
1:2018908
1:2018906
1:2404035
1:2003311
1:2012647
1:2012648
1:2014313
1:2014928
1:2017014
1:2017015
1:2020332
1:2020565
1:2021325
1:2022967
1:2024388
1:2024403
1:2013028

--------------------------------------------------------------------------------
/resources/pulledpork.conf:
--------------------------------------------------------------------------------
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######

# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
# NEW Community ruleset:
#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|
# This format MUST be followed to let pulledpork know that this is a blacklist
#rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|open
# URL for rule documentation! (slow to process)
#rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
# and open-nogpl, to avoid conflicts.
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

#######
####### The below section is for rule processing. This section is
####### required if you are not specifying the configuration using
####### runtime switches. Note that runtime switches do SUPERSEDE
####### any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/etc/suricata/rules/pulledpork.rules

# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K at runtime forces the -k option to also be set
# out_path=/usr/local/etc/snort/rules/

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
#local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/etc/suricata/sid-msg.map

# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1

# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional

#######
####### The below section is for so_rule processing only. If you don't
####### need to use them.. then comment this section out!
####### Alternately, if you are not using pulledpork to process
####### so_rules, you can specify -T at runtime to bypass this altogether
#######

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
#sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/bin/suricata

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/etc/suricata/suricata.conf

##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types:
# Debian-6-0, Ubuntu-10-4
# Ubuntu-12-04, Centos-5-4
# FC-12, FC-14, RHEL-5-5, RHEL-6-0
# FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0
# OpenBSD-5-2, OpenBSD-5-3
# OpenSUSE-11-4, OpenSUSE-12-1
# Slackware-13-1
distro=Ubuntu-12-04

####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!

# If you are using IP Reputation and getting some public lists, you will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
black_list=/etc/suricata/rules/iplists/default.blacklist

# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
# the IP list can be reloaded while snort is running through the use of a control
# socket. Please be sure that you built snort with the following options:
# -enable-shared-rep and --enable-control-socket. Be sure to read about how to
# configure these! The following option tells pulledpork where to place the version
# file for use with control socket ip list reloads!
# This should be the same path where your black_list lives!
#IPRVersion=/usr/local/etc/snort/rules/iplists

# The following option tells snort where the snort_control tool is located.
snort_control=/usr/local/bin/snort_control

# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
state_order=disable,drop,enable


# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# This value MUST contain all 4 minor version
# numbers. ET rules are now also dependent on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
#
# Suricata users - set this to 'suricata-3.x.x' to process rule files
# for suricata, this mimics the -S flag on the command line.
# snort_version=2.9.0.0

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
dropsid=/opt/pulledpork/etc/disablesid.conf
disablesid=/opt/pulledpork/etc/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.7.3

--------------------------------------------------------------------------------
/resources/suricata.yaml:
--------------------------------------------------------------------------------
%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

##
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502


##
## Step 2: select the rules to enable or disable
##

default-rule-path: /etc/suricata/rules
rule-files:
  - pulledpork.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config


##
## Step 3: select outputs to enable
##

# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/

# global stats configuration
stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8

# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  mode: list ## possible values: list (default), channel
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting has to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer
      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            http: yes                # enable dumping of http fields
            tls: yes                 # enable dumping of tls fields
            ssh: yes                 # enable dumping of ssh fields
            smtp: yes                # enable dumping of smtp fields
            dnp3: yes                # enable dumping of DNP3 fields

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes

            # HTTP X-Forwarded-For support by adding an extra field or overwriting
            # the source or destination IP address (depending on flow direction)
            # with the one reported in the X-Forwarded-For HTTP header. This is
            # helpful when reviewing alerts for traffic that is being reverse
            # or forward proxied.
            xff:
              enabled: no
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: extra-data
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: reverse
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For
        #- http:
            #extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        #- dns:
            # control logging of queries and answers
            # default yes, no to disable
            #query: yes     # enable logging of DNS queries
            #answer: yes    # enable logging of DNS answers
            # control which RR types are logged
            # all enabled if custom not specified
            #custom: [a, aaaa, cname, mx, ns, ptr, txt]
        #- tls:
            #extended: yes     # enable this for extended logging information
        #- files:
            #force-magic: yes   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            #force-hash: [md5]
        #- drop:
        #    alerts: yes      # log alerts that caused drops
        #    flows: all       # start or all: 'start' logs only a single drop
        #                     # per flow direction. All logs each dropped pkt.
164 | #- smtp: 165 | #extended: yes # enable this for extended logging information 166 | # this includes: bcc, message-id, subject, x_mailer, user-agent 167 | # custom fields logging from the list: 168 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, 169 | # x-originating-ip, in-reply-to, references, importance, priority, 170 | # sensitivity, organization, content-md5, date 171 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] 172 | # output md5 of fields: body, subject 173 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 174 | # to yes 175 | #md5: [body, subject] 176 | 177 | #- ssh 178 | #- stats: 179 | #totals: yes # stats for all threads merged together 180 | #threads: no # per thread stats 181 | #deltas: no # include delta values 182 | # bi-directional flows 183 | #- flow 184 | # uni-directional flows 185 | #- netflow 186 | #- dnp3 187 | 188 | # alert output for use with Barnyard2 189 | - unified2-alert: 190 | enabled: no 191 | filename: unified2.alert 192 | 193 | # File size limit. Can be specified in kb, mb, gb. Just a number 194 | # is parsed as bytes. 195 | #limit: 32mb 196 | 197 | # Sensor ID field of unified2 alerts. 198 | #sensor-id: 0 199 | 200 | # Include payload of packets related to alerts. Defaults to true, set to 201 | # false if payload is not required. 202 | #payload: yes 203 | 204 | # HTTP X-Forwarded-For support by adding the unified2 extra header or 205 | # overwriting the source or destination IP address (depending on flow 206 | # direction) with the one reported in the X-Forwarded-For HTTP header. 207 | # This is helpful when reviewing alerts for traffic that is being reverse 208 | # or forward proxied. 209 | xff: 210 | enabled: no 211 | # Two operation modes are available, "extra-data" and "overwrite". 
Note 212 | # that in the "overwrite" mode, if the reported IP address in the HTTP 213 | # X-Forwarded-For header is of a different IP version than the packet 214 | # received, it will fall back to "extra-data" mode. 215 | mode: extra-data 216 | # Two proxy deployments are supported, "reverse" and "forward". In 217 | # a "reverse" deployment the IP address used is the last one, in a 218 | # "forward" deployment the first IP address is used. 219 | deployment: reverse 220 | # Header name where the actual IP address will be reported, if more 221 | # than one IP address is present, the last IP address will be the 222 | # one taken into consideration. 223 | header: X-Forwarded-For 224 | 225 | # a line based log of HTTP requests (no alerts) 226 | - http-log: 227 | enabled: yes 228 | filename: http.log 229 | append: yes 230 | #extended: yes # enable this for extended logging information 231 | #custom: yes # enables the custom logging format (defined by customformat) 232 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" 233 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 234 | 235 | # a line based log of TLS handshake parameters (no alerts) 236 | - tls-log: 237 | enabled: no # Log TLS connections. 238 | filename: tls.log # File to store TLS logs. 239 | append: yes 240 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 241 | #extended: yes # Log extended information like fingerprint 242 | 243 | # output module to store certificate chains to disk 244 | - tls-store: 245 | enabled: yes 246 | certs-log-dir: /var/log/suricata/certs # directory to store the certificates files 247 | 248 | # a line based log of DNS requests and/or replies (no alerts) 249 | - dns-log: 250 | enabled: no 251 | filename: dns.log 252 | append: yes 253 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 254 | 255 | # Packet log... log packets in pcap format. 3 modes of operation: "normal" 256 | # "multi" and "sguil".
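The xff block above describes a selection rule (last address for a reverse proxy, first for a forward proxy; "overwrite" replaces the client-side packet address unless the IP version differs, in which case it falls back to "extra-data"). The following is an added example that re-implements that rule in Python so it can be checked against sample header values; it is not Suricata's code, the function names and the record layout (`src_ip`, `dest_ip`, `xff`) are this example's own, and the header values are constructed.

```python
import ipaddress
from typing import Dict, Optional


def pick_xff_ip(header_value: str, deployment: str) -> Optional[str]:
    """Choose the client address from an X-Forwarded-For header value.

    deployment "reverse": the sensor is behind your own reverse proxy, so the
    last address (the one that proxy appended) is the one to use.
    deployment "forward": traffic leaves through a forward proxy, so the first
    address is the original client.
    Returns None when the header is empty or the chosen hop is not an IP.
    """
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    if not hops:
        return None
    if deployment == "reverse":
        candidate = hops[-1]
    elif deployment == "forward":
        candidate = hops[0]
    else:
        raise ValueError(f"unknown deployment {deployment!r}")
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None  # junk in the header: keep the packet addresses
    return candidate


def apply_xff(pkt_src: str, pkt_dst: str, to_server: bool,
              xff_ip: Optional[str], mode: str) -> Dict[str, str]:
    """Build the address fields of an alert record (layout is this example's).

    mode "extra-data": keep the packet addresses and add an "xff" field.
    mode "overwrite": replace the client-side packet address (src_ip for a
    packet going to the server, dest_ip for one coming back) unless the XFF
    address is a different IP version than the packet, in which case fall
    back to "extra-data" as the config comment states.
    """
    rec = {"src_ip": pkt_src, "dest_ip": pkt_dst}
    if xff_ip is None:
        return rec
    if mode == "overwrite":
        same_version = (ipaddress.ip_address(xff_ip).version
                        == ipaddress.ip_address(pkt_src).version)
        if same_version:
            rec["src_ip" if to_server else "dest_ip"] = xff_ip
            return rec
        # version mismatch: fall through to extra-data behaviour
    rec["xff"] = xff_ip
    return rec


if __name__ == "__main__":
    # Constructed header as a reverse proxy would emit it: client, then proxy hop.
    hdr = "10.0.0.5, 203.0.113.9"
    ip = pick_xff_ip(hdr, "reverse")
    print(apply_xff("192.0.2.1", "192.168.1.10", True, ip, "overwrite"))
```

Nothing in the xff block checks which host inserted the header: any client can send its own X-Forwarded-For, so with `overwrite` an attacker chooses the address that ends up in your alerts. Enable it only on a sensor that sees traffic after a proxy you control, and keep `extra-data` when in doubt, since it preserves the real packet addresses alongside the claimed one.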
257 | # 258 | # In normal mode a pcap file "filename" is created in the default-log-dir, 259 | # or as specified by "dir". 260 | # In multi mode, a file is created per thread. This will perform much 261 | # better, but will create multiple files where 'normal' would create one. 262 | # In multi mode the filename takes a few special variables: 263 | # - %n -- thread number 264 | # - %i -- thread id 265 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format') 266 | # E.g. filename: pcap.%n.%t 267 | # 268 | # Note that it's possible to use directories, but the directories are not 269 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the 270 | # per thread directory. 271 | # 272 | # Also note that the limit and max-files settings are enforced per thread. 273 | # So the size limit when using 8 threads with 1000mb files and 2000 files 274 | # is: 8*1000*2000 ~ 16TiB. 275 | # 276 | # In Sguil mode "dir" indicates the base directory. In this base dir the 277 | # pcaps are created in the directory structure Sguil expects: 278 | # 279 | # $sguil-base-dir/YYYY-MM-DD/$filename. 280 | # 281 | # By default all packets are logged except: 282 | # - TCP streams beyond stream.reassembly.depth 283 | # - encrypted streams after the key exchange 284 | # 285 | - pcap-log: 286 | enabled: no 287 | filename: log.pcap 288 | 289 | # File size limit. Can be specified in kb, mb, gb. Just a number 290 | # is parsed as bytes. 291 | limit: 1000mb 292 | 293 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" 294 | max-files: 2000 295 | 296 | mode: normal # normal, multi or sguil. 297 | 298 | # Directory to place pcap files. If not provided the default log 299 | # directory will be used. Required for "sguil" mode.
300 | #dir: /nsm_data/ 301 | 302 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec 303 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets 304 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. 305 | 306 | # a full alerts log containing much information for signature writers 307 | # or for investigating suspected false positives. 308 | - alert-debug: 309 | enabled: no 310 | filename: alert-debug.log 311 | append: yes 312 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 313 | 314 | # alert output to prelude (http://www.prelude-technologies.com/) only 315 | # available if Suricata has been compiled with --enable-prelude 316 | - alert-prelude: 317 | enabled: no 318 | profile: suricata 319 | log-packet-content: no 320 | log-packet-header: yes 321 | 322 | # Stats.log contains data from various counters of the suricata engine. 323 | - stats: 324 | enabled: yes 325 | filename: stats.log 326 | totals: yes # stats for all threads merged together 327 | threads: no # per thread stats 328 | #null-values: yes # print counters that have value 0 329 | 330 | # a line based alerts log similar to fast.log into syslog 331 | - syslog: 332 | enabled: no 333 | # reported identity to syslog. If omitted the program name (usually 334 | # suricata) will be used. 335 | #identity: "suricata" 336 | facility: local5 337 | #level: Info ## possible levels: Emergency, Alert, Critical, 338 | ## Error, Warning, Notice, Info, Debug 339 | 340 | # line based information for dropped packets in IPS mode 341 | - drop: 342 | enabled: no 343 | filename: drop.log 344 | append: yes 345 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 346 | 347 | # output module to store extracted files to disk 348 | # 349 | # The files are stored to the log-dir in a format "file.<id>"
where <id> is 350 | # an incrementing number starting at 1. For each file "file.<id>" a meta 351 | # file "file.<id>.meta" is created. 352 | # 353 | # File extraction depends on a lot of things to be fully done: 354 | # - file-store stream-depth. For optimal results, set this to 0 (unlimited) 355 | # - http request / response body sizes. Again set to 0 for optimal results. 356 | # - rules that contain the "filestore" keyword. 357 | - file-store: 358 | enabled: no # set to yes to enable 359 | log-dir: files # directory to store the files 360 | force-magic: no # force logging magic on all stored files 361 | # force logging of checksums, available hash functions are md5, 362 | # sha1 and sha256 363 | #force-hash: [md5] 364 | force-filestore: no # force storing of all files 365 | # override global stream-depth for sessions in which we want to 366 | # perform file extraction. Set to 0 for unlimited. 367 | #stream-depth: 0 368 | #waldo: file.waldo # waldo file to store the file_id across runs 369 | 370 | # output module to log files tracked in an easily parsable json format 371 | - file-log: 372 | enabled: yes 373 | filename: files-json.log 374 | append: yes 375 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 376 | 377 | force-magic: yes # force logging magic on all logged files 378 | # force logging of checksums, available hash functions are md5, 379 | # sha1 and sha256 380 | #force-hash: [md5] 381 | 382 | # Log TCP data after stream normalization 383 | # 2 types: file or dir. File logs into a single logfile. Dir creates 384 | # 2 files per TCP session and stores the raw TCP data into them. 385 | # Using 'both' will enable both file and dir modes. 386 | # 387 | # Note: limited by stream.depth 388 | - tcp-data: 389 | enabled: no 390 | type: file 391 | filename: tcp-data.log 392 | 393 | # Log HTTP body data after normalization, dechunking and unzipping. 394 | # 2 types: file or dir. File logs into a single logfile.
Dir creates 395 | # 2 files per HTTP session and stores the normalized data into them. 396 | # Using 'both' will enable both file and dir modes. 397 | # 398 | # Note: limited by the body limit settings 399 | - http-body-data: 400 | enabled: no 401 | type: file 402 | filename: http-data.log 403 | 404 | # Lua Output Support - execute lua script to generate alert and event 405 | # output. 406 | # Documented at: 407 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output 408 | - lua: 409 | enabled: no 410 | #scripts-dir: /etc/suricata/lua-output/ 411 | scripts: 412 | # - script1.lua 413 | 414 | # Logging configuration. This is not about logging IDS alerts/events, but 415 | # output about what Suricata is doing, like startup messages, errors, etc. 416 | logging: 417 | # The default log level, can be overridden in an output section. 418 | # Note that debug level logging will only be emitted if Suricata was 419 | # compiled with the --enable-debug configure option. 420 | # 421 | # This value is overridden by the SC_LOG_LEVEL env var. 422 | default-log-level: notice 423 | 424 | # The default output format. Optional parameter, should default to 425 | # something reasonable if not provided. Can be overridden in an 426 | # output section. You can leave this out to get the default. 427 | # 428 | # This value is overridden by the SC_LOG_FORMAT env var. 429 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " 430 | 431 | # A regex to filter output. Can be overridden in an output section. 432 | # Defaults to empty (no filter). 433 | # 434 | # This value is overridden by the SC_LOG_OP_FILTER env var. 435 | default-output-filter: 436 | 437 | # Define your logging outputs. If none are defined, or they are all 438 | # disabled you will get the default - console output.
439 | outputs: 440 | - console: 441 | enabled: yes 442 | # type: json 443 | - file: 444 | enabled: yes 445 | level: info 446 | filename: /var/log/suricata/suricata.log 447 | # type: json 448 | - syslog: 449 | enabled: no 450 | facility: local5 451 | format: "[%i] <%d> -- " 452 | # type: json 453 | 454 | 455 | ## 456 | ## Step 4: configure common capture settings 457 | ## 458 | ## See "Advanced Capture Options" below for more options, including NETMAP 459 | ## and PF_RING. 460 | ## 461 | 462 | # Linux high speed capture support 463 | af-packet: 464 | - interface: eth0 465 | # Number of receive threads. "auto" uses the number of cores 466 | #threads: auto 467 | # Default clusterid. AF_PACKET will load balance packets based on flow. 468 | cluster-id: 99 469 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. 470 | # This is only supported for Linux kernel > 3.1 471 | # possible values are: 472 | # * cluster_round_robin: round robin load balancing 473 | # * cluster_flow: all packets of a given flow are sent to the same socket 474 | # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket 475 | # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same 476 | # socket. Requires at least Linux 3.14. 477 | # * cluster_random: packets are sent randomly to sockets but with an equipartition. 478 | # Requires at least Linux 3.14. 479 | # * cluster_rollover: kernel rotates between sockets filling each socket before moving 480 | # to the next. Requires at least Linux 3.10. 481 | # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on systems 482 | # with a capture card using RSS (requires cpu affinity tuning and system irq tuning) 483 | cluster-type: cluster_flow 484 | # In some fragmentation cases, the hash cannot be computed. If "defrag" is set 485 | # to yes, the kernel will do the needed defragmentation before sending the packets.
486 | defrag: yes 487 | # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is 488 | # full then the kernel will send the packet on the next socket with room available. This option 489 | # can minimize packet drop and increase the treated bandwidth on a single intensive flow. 490 | #rollover: yes 491 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes 492 | #use-mmap: yes 493 | # Lock memory map to avoid it going to swap. Be careful that oversubscribing could lock 494 | # your system 495 | #mmap-locked: yes 496 | # Use experimental tpacket_v3 capture mode, only active if use-mmap is true 497 | #tpacket-v3: yes 498 | # Ring size will be computed with respect to max_pending_packets and number 499 | # of threads. You can set manually the ring size in number of packets by setting 500 | # the following value. If you are using flow cluster-type and have a really network 501 | # intensive single flow you may want to set the ring-size independently of the number 502 | # of threads: 503 | #ring-size: 2048 504 | # Block size is used by tpacket_v3 only. It should be set to a value high enough to contain 505 | # a decent number of packets. Size is in bytes so please consider your MTU. It should be 506 | # a power of 2 and it must be a multiple of page size (usually 4096). 507 | #block-size: 32768 508 | # tpacket_v3 block timeout: an open block is passed to userspace if it is not 509 | # filled after block-timeout milliseconds. 510 | #block-timeout: 10 511 | # On a busy system, it could help to set this to yes to recover from a packet drop 512 | # phase. This will result in some packets (at max a ring flush) not being treated. 513 | #use-emergency-flush: yes 514 | # recv buffer size, increasing the value could improve performance 515 | # buffer-size: 32768 516 | # Set to yes to disable promiscuous mode 517 | # disable-promisc: no 518 | # Choose checksum verification mode for the interface.
At the moment 519 | # of the capture, some packets may have an invalid checksum due to 520 | # offloading to the network card of the checksum computation. 521 | # Possible values are: 522 | # - kernel: use indication sent by kernel for each packet (default) 523 | # - yes: checksum validation is forced 524 | # - no: checksum validation is disabled 525 | # - auto: suricata uses a statistical approach to detect when 526 | # checksum off-loading is used. 527 | # Warning: 'checksum-validation' must be set to yes to have any validation 528 | #checksum-checks: kernel 529 | # BPF filter to apply to this interface. The pcap filter syntax applies here. 530 | #bpf-filter: port 80 or udp 531 | # You can use the following variables to activate AF_PACKET tap or IPS mode. 532 | # If copy-mode is set to ips or tap, the traffic coming to the current 533 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 534 | # copy is complete. If 'ips' is set, packets matching a 'drop' action 535 | # will not be copied. 536 | #copy-mode: ips 537 | #copy-iface: eth1 538 | 539 | # Put default values here. These will be used for an interface that is not 540 | # in the list above. 541 | - interface: default 542 | #threads: auto 543 | #use-mmap: no 544 | #rollover: yes 545 | #tpacket-v3: yes 546 | 547 | # Cross platform libpcap capture support 548 | pcap: 549 | - interface: eth0 550 | # On Linux, pcap will try to use mmaped capture and will use buffer-size 551 | # as total of memory used by the ring. So set this to something bigger 552 | # than 1% of your bandwidth. 553 | #buffer-size: 16777216 554 | #bpf-filter: "tcp and port 25" 555 | # Choose checksum verification mode for the interface. At the moment 556 | # of the capture, some packets may have an invalid checksum due to 557 | # offloading to the network card of the checksum computation.
558 | # Possible values are: 559 | # - yes: checksum validation is forced 560 | # - no: checksum validation is disabled 561 | # - auto: suricata uses a statistical approach to detect when 562 | # checksum off-loading is used. (default) 563 | # Warning: 'checksum-validation' must be set to yes to have any validation 564 | #checksum-checks: auto 565 | # With some accelerator cards using a modified libpcap (like myricom), you 566 | # may want to have the same number of capture threads as the number of capture 567 | # rings. In this case, set up the threads variable to N to start N threads 568 | # listening on the same interface. 569 | #threads: 16 570 | # set to no to disable promiscuous mode: 571 | #promisc: no 572 | # set snaplen, if not set it defaults to MTU if MTU can be known 573 | # via ioctl call and to full capture if not. 574 | #snaplen: 1518 575 | # Put default values here 576 | - interface: default 577 | #checksum-checks: auto 578 | 579 | # Settings for reading pcap files 580 | pcap-file: 581 | # Possible values are: 582 | # - yes: checksum validation is forced 583 | # - no: checksum validation is disabled 584 | # - auto: suricata uses a statistical approach to detect when 585 | # checksum off-loading is used. (default) 586 | # Warning: 'checksum-validation' must be set to yes to have checksum tested 587 | checksum-checks: auto 588 | 589 | # See "Advanced Capture Options" below for more options, including NETMAP 590 | # and PF_RING. 591 | 592 | 593 | ## 594 | ## Step 5: App Layer Protocol Configuration 595 | ## 596 | 597 | # Configure the app-layer parsers. The protocols section details each 598 | # protocol. 599 | # 600 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". 601 | # "yes" enables both detection and the parser, "no" disables both, and 602 | # "detection-only" enables protocol detection only (parser disabled). 
603 | app-layer: 604 | protocols: 605 | tls: 606 | enabled: yes 607 | detection-ports: 608 | dp: 443 609 | 610 | # Completely stop processing TLS/SSL session after the handshake 611 | # completed. If bypass is enabled this will also trigger flow 612 | # bypass. If disabled (the default), TLS/SSL session is still 613 | # tracked for Heartbleed and other anomalies. 614 | #no-reassemble: yes 615 | dcerpc: 616 | enabled: yes 617 | ftp: 618 | enabled: yes 619 | ssh: 620 | enabled: yes 621 | smtp: 622 | enabled: yes 623 | # Configure SMTP-MIME Decoder 624 | mime: 625 | # Decode MIME messages from SMTP transactions 626 | # (may be resource intensive) 627 | # This field supersedes all others because it turns the entire 628 | # process on or off 629 | decode-mime: yes 630 | 631 | # Decode MIME entity bodies (i.e. base64, quoted-printable, etc.) 632 | decode-base64: yes 633 | decode-quoted-printable: yes 634 | 635 | # Maximum bytes per header data value stored in the data structure 636 | # (default is 2000) 637 | header-value-depth: 2000 638 | 639 | # Extract URLs and save in state data structure 640 | extract-urls: yes 641 | # Set to yes to compute the md5 of the mail body. You will then 642 | # be able to log it. 643 | body-md5: no 644 | # Configure inspected-tracker for file_data keyword 645 | inspected-tracker: 646 | content-limit: 100000 647 | content-inspect-min-size: 32768 648 | content-inspect-window: 4096 649 | imap: 650 | enabled: detection-only 651 | msn: 652 | enabled: detection-only 653 | smb: 654 | enabled: yes 655 | detection-ports: 656 | dp: 139, 445 657 | # smb2 detection is disabled internally inside the engine. 658 | #smb2: 659 | # enabled: yes 660 | dns: 661 | # memcaps. Globally and per flow/state. 662 | #global-memcap: 16mb 663 | #state-memcap: 512kb 664 | 665 | # How many unreplied DNS requests are considered a flood. 666 | # If the limit is reached, app-layer-event:dns.flooded; will match.
667 | #request-flood: 500 668 | 669 | tcp: 670 | enabled: yes 671 | detection-ports: 672 | dp: 53 673 | udp: 674 | enabled: yes 675 | detection-ports: 676 | dp: 53 677 | http: 678 | enabled: yes 679 | # memcap: 64mb 680 | 681 | # default-config: Used when no server-config matches 682 | # personality: List of personalities used by default 683 | # request-body-limit: Limit reassembly of request body for inspection 684 | # by http_client_body & pcre /P option. 685 | # response-body-limit: Limit reassembly of response body for inspection 686 | # by file_data, http_server_body & pcre /Q option. 687 | # double-decode-path: Double decode path section of the URI 688 | # double-decode-query: Double decode query section of the URI 689 | # response-body-decompress-layer-limit: 690 | # Limit to how many layers of compression will be 691 | # decompressed. Defaults to 2. 692 | # 693 | # server-config: List of server configurations to use if address matches 694 | # address: List of ip addresses or networks for this block 695 | # personality: List of personalities used by this block 696 | # request-body-limit: Limit reassembly of request body for inspection 697 | # by http_client_body & pcre /P option. 698 | # response-body-limit: Limit reassembly of response body for inspection 699 | # by file_data, http_server_body & pcre /Q option. 700 | # double-decode-path: Double decode path section of the URI 701 | # double-decode-query: Double decode query section of the URI 702 | # 703 | # uri-include-all: Include all parts of the URI. By default the 704 | # 'scheme', username/password, hostname and port 705 | # are excluded. Setting this option to true adds 706 | # all of them to the normalized uri as inspected 707 | # by http_uri, urilen, pcre with /U and the other 708 | # keywords that inspect the normalized uri. 709 | # Note that this does not affect http_raw_uri. 710 | # Also, note that including all was the default in 711 | # 1.4 and 2.0beta1.
712 | # 713 | # meta-field-limit: Hard size limit for request and response size 714 | # limits. Applies to request line and headers, 715 | # response line and headers. Does not apply to 716 | # request or response bodies. Default is 18k. 717 | # If this limit is reached an event is raised. 718 | # 719 | # Currently Available Personalities: 720 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, 721 | # IIS_7_0, IIS_7_5, Apache_2 722 | libhtp: 723 | default-config: 724 | personality: IDS 725 | 726 | # Can be specified in kb, mb, gb. Just a number indicates 727 | # it's in bytes. 728 | request-body-limit: 100kb 729 | response-body-limit: 100kb 730 | 731 | # inspection limits 732 | request-body-minimal-inspect-size: 32kb 733 | request-body-inspect-window: 4kb 734 | response-body-minimal-inspect-size: 40kb 735 | response-body-inspect-window: 16kb 736 | 737 | # response body decompression (0 disables) 738 | response-body-decompress-layer-limit: 2 739 | 740 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically 741 | http-body-inline: auto 742 | 743 | # Take a random value for inspection sizes around the specified value. 744 | # This lowers the risk of some evasion techniques but could lead to 745 | # detection changes between runs. It is set to 'yes' by default. 746 | #randomize-inspection-sizes: yes 747 | # If randomize-inspection-sizes is active, the value of various 748 | # inspection sizes will be chosen in the [1 - range%, 1 + range%] 749 | # range 750 | # Default value of randomize-inspection-range is 10. 751 | #randomize-inspection-range: 10 752 | 753 | # decoding 754 | double-decode-path: no 755 | double-decode-query: no 756 | 757 | server-config: 758 | 759 | #- apache: 760 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] 761 | # personality: Apache_2 762 | # # Can be specified in kb, mb, gb. Just a number indicates 763 | # # it's in bytes.
764 | # request-body-limit: 4096 765 | # response-body-limit: 4096 766 | # double-decode-path: no 767 | # double-decode-query: no 768 | 769 | #- iis7: 770 | # address: 771 | # - 192.168.0.0/24 772 | # - 192.168.10.0/24 773 | # personality: IIS_7_0 774 | # # Can be specified in kb, mb, gb. Just a number indicates 775 | # # it's in bytes. 776 | # request-body-limit: 4096 777 | # response-body-limit: 4096 778 | # double-decode-path: no 779 | # double-decode-query: no 780 | 781 | # Note: Modbus probe parser is minimalist due to the few significant fields 782 | # Only Modbus message length (greater than Modbus header length) 783 | # And Protocol ID (equal to 0) are checked in probing parser 784 | # It is important to enable detection port and define Modbus port 785 | # to avoid false positives 786 | modbus: 787 | # How many unreplied Modbus requests are considered a flood. 788 | # If the limit is reached, app-layer-event:modbus.flooded; will match. 789 | #request-flood: 500 790 | 791 | enabled: no 792 | detection-ports: 793 | dp: 502 794 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it 795 | # is recommended to keep the TCP connection open with a remote device 796 | # and not to open and close it for each MODBUS/TCP transaction. In that 797 | # case, it is important to set the depth of the stream reassembling as 798 | # unlimited (stream.reassembly.depth: 0) 799 | 800 | # Stream reassembly size for modbus. By default track it completely.
801 | stream-depth: 0 802 | 803 | # DNP3 804 | dnp3: 805 | enabled: no 806 | detection-ports: 807 | dp: 20000 808 | 809 | # SCADA EtherNet/IP and CIP protocol support 810 | enip: 811 | enabled: no 812 | detection-ports: 813 | dp: 44818 814 | sp: 44818 815 | 816 | # Limit for the maximum number of asn1 frames to decode (default 256) 817 | asn1-max-frames: 256 818 | 819 | 820 | ############################################################################## 821 | ## 822 | ## Advanced settings below 823 | ## 824 | ############################################################################## 825 | 826 | ## 827 | ## Run Options 828 | ## 829 | 830 | # Run suricata as user and group. 831 | #run-as: 832 | # user: suri 833 | # group: suri 834 | 835 | # Some logging modules will use this name in events as identifier. The default 836 | # value is the hostname 837 | #sensor-name: suricata 838 | 839 | # Default pid file. 840 | # Will use this file if no --pidfile in command options. 841 | #pid-file: /var/run/suricata.pid 842 | 843 | # Daemon working directory 844 | # Suricata will change directory to this one if provided 845 | # Default: "/" 846 | #daemon-directory: "/" 847 | 848 | # Suricata core dump configuration. Limits the size of the core dump file to 849 | # approximately max-dump. The actual core dump size will be a multiple of the 850 | # page size. Core dumps that would be larger than max-dump are truncated. On 851 | # Linux, the actual core dump size may be a few pages larger than max-dump. 852 | # Setting max-dump to 0 disables core dumping. 853 | # Setting max-dump to 'unlimited' will give the full core dump file. 854 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size 855 | # to be 'unlimited'. 856 | 857 | coredump: 858 | max-dump: unlimited 859 | 860 | # If the suricata box is a router for the sniffed networks, set it to 'router'. If 861 | # it is a pure sniffing setup, set it to 'sniffer-only'.
862 | # If set to auto, the variable is internally switched to 'router' in IPS mode 863 | # and 'sniffer-only' in IDS mode. 864 | # This feature is currently only used by the reject* keywords. 865 | host-mode: auto 866 | 867 | # Number of packets preallocated per thread. The default is 1024. A higher number 868 | # will make sure each CPU will be more easily kept busy, but may negatively 869 | # impact caching. 870 | # 871 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules 872 | # apply. In that case try something like 60000 or more. This is because the CUDA 873 | # pattern matcher buffers and scans as many packets as possible in parallel. 874 | #max-pending-packets: 1024 875 | 876 | # Runmode the engine should use. Please check --list-runmodes to get the available 877 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned 878 | # load balancing). 879 | #runmode: autofp 880 | 881 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. 882 | # 883 | # Supported schedulers are: 884 | # 885 | # round-robin - Flows assigned to threads in a round robin fashion. 886 | # active-packets - Flows assigned to threads that have the lowest number of 887 | # unprocessed packets (default). 888 | # hash - Flow allotted using the address hash. More of a random 889 | # technique. Was the default in Suricata 1.2.1 and older. 890 | # 891 | #autofp-scheduler: active-packets 892 | 893 | # Preallocated size for packet. Default is 1514 which is the classical 894 | # size for pcap on ethernet. You should adjust this value to the highest 895 | # packet size (MTU + hardware header) on your system. 896 | #default-packet-size: 1514 897 | 898 | # Unix command socket can be used to pass commands to suricata. 899 | # An external tool can then connect to get information from suricata 900 | # or trigger some modifications of the engine. Set enabled to yes 901 | # to activate the feature.
In auto mode, the feature will only be 902 | # activated in live capture mode. You can use the filename variable to set 903 | # the file name of the socket. 904 | unix-command: 905 | enabled: auto 906 | #filename: custom.socket 907 | 908 | # Magic file. The extension .mgc is added to the value here. 909 | #magic-file: /usr/share/file/magic 910 | #magic-file: 911 | 912 | legacy: 913 | uricontent: enabled 914 | 915 | ## 916 | ## Detection settings 917 | ## 918 | 919 | # Set the order of alerts based on actions 920 | # The default order is pass, drop, reject, alert 921 | # action-order: 922 | # - pass 923 | # - drop 924 | # - reject 925 | # - alert 926 | 927 | # IP Reputation 928 | #reputation-categories-file: /etc/suricata/iprep/categories.txt 929 | #default-reputation-path: /etc/suricata/iprep 930 | #reputation-files: 931 | # - reputation.list 932 | 933 | # When run with the option --engine-analysis, the engine will read each of 934 | # the parameters below, and print reports for each of the enabled sections 935 | # and exit. The reports are printed to a file in the default log dir 936 | # given by the parameter "default-log-dir", with engine reporting 937 | # subsection below printing reports in its own report file. 938 | engine-analysis: 939 | # enables printing reports for fast-pattern for every rule. 940 | rules-fast-pattern: yes 941 | # enables printing reports for each rule 942 | rules: yes 943 | 944 | #recursion and match limits for PCRE where supported 945 | pcre: 946 | match-limit: 3500 947 | match-limit-recursion: 1500 948 | 949 | ## 950 | ## Advanced Traffic Tracking and Reconstruction Settings 951 | ## 952 | 953 | # Host specific policies for defragmentation and TCP stream 954 | # reassembly. The host OS lookup is done using a radix tree, just 955 | # like a routing table so the most specific entry matches. 956 | host-os-policy: 957 | # Make the default policy windows.
958 | windows: [0.0.0.0/0] 959 | bsd: [] 960 | bsd-right: [] 961 | old-linux: [] 962 | linux: [] 963 | old-solaris: [] 964 | solaris: [] 965 | hpux10: [] 966 | hpux11: [] 967 | irix: [] 968 | macos: [] 969 | vista: [] 970 | windows2k3: [] 971 | 972 | # Defrag settings: 973 | 974 | defrag: 975 | memcap: 32mb 976 | hash-size: 65536 977 | trackers: 65535 # number of defragmented flows to follow 978 | max-frags: 65535 # number of fragments to keep (higher than trackers) 979 | prealloc: yes 980 | timeout: 60 981 | 982 | # Enable defrag per host settings 983 | # host-config: 984 | # 985 | # - dmz: 986 | # timeout: 30 987 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] 988 | # 989 | # - lan: 990 | # timeout: 45 991 | # address: 992 | # - 192.168.0.0/24 993 | # - 192.168.10.0/24 994 | # - 172.16.14.0/24 995 | 996 | # Flow settings: 997 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit 998 | # for flow allocation inside the engine. You can change this value to allow 999 | # more memory usage for flows. 1000 | # The hash-size determines the size of the hash used to identify flows inside 1001 | # the engine, and by default the value is 65536. 1002 | # At the startup, the engine can preallocate a number of flows, to get a better 1003 | # performance. The number of flows preallocated is 10000 by default. 1004 | # emergency-recovery is the percentage of flows that the engine needs to 1005 | # prune before unsetting the emergency state. The emergency state is activated 1006 | # when the memcap limit is reached, allowing new flows to be created, but 1007 | # pruning them with the emergency timeouts (they are defined below). 1008 | # If the memcap is reached, the engine will try to prune flows 1009 | # with the default timeouts. If it doesn't find a flow to prune, it will set 1010 | # the emergency bit and it will try again with more aggressive timeouts.
1011 | # If that doesn't work, then it will try to kill the last time seen flows 1012 | # not in use. 1013 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's 1014 | # in bytes. 1015 | 1016 | flow: 1017 | memcap: 128mb 1018 | hash-size: 65536 1019 | prealloc: 10000 1020 | emergency-recovery: 30 1021 | #managers: 1 # default to one flow manager 1022 | #recyclers: 1 # default to one flow recycler thread 1023 | 1024 | # This option controls the use of vlan ids in the flow (and defrag) 1025 | # hashing. Normally this should be enabled, but in some (broken) 1026 | # setups where both sides of a flow are not tagged with the same vlan 1027 | # tag, we can ignore the vlan id's in the flow hashing. 1028 | vlan: 1029 | use-for-tracking: true 1030 | 1031 | # Specific timeouts for flows. Here you can specify the timeouts that the 1032 | # active flows will wait to transit from the current state to another, on each 1033 | # protocol. The value of "new" determine the seconds to wait after a hanshake or 1034 | # stream startup before the engine free the data of that flow it doesn't 1035 | # change the state to established (usually if we don't receive more packets 1036 | # of that flow). The value of "established" is the amount of 1037 | # seconds that the engine will wait to free the flow if it spend that amount 1038 | # without receiving new packets or closing the connection. "closed" is the 1039 | # amount of time to wait after a flow is closed (usually zero). "bypassed" 1040 | # timeout controls locally bypassed flows. For these flows we don't do any other 1041 | # tracking. If no packets have been seen after this timeout, the flow is discarded. 1042 | # 1043 | # There's an emergency mode that will become active under attack circumstances, 1044 | # making the engine to check flow status faster. This configuration variables 1045 | # use the prefix "emergency-" and work similar as the normal ones. 
1046 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and 1047 | # icmp. 1048 | 1049 | flow-timeouts: 1050 | 1051 | default: 1052 | new: 30 1053 | established: 300 1054 | closed: 0 1055 | bypassed: 100 1056 | emergency-new: 10 1057 | emergency-established: 100 1058 | emergency-closed: 0 1059 | emergency-bypassed: 50 1060 | tcp: 1061 | new: 60 1062 | established: 600 1063 | closed: 60 1064 | bypassed: 100 1065 | emergency-new: 5 1066 | emergency-established: 100 1067 | emergency-closed: 10 1068 | emergency-bypassed: 50 1069 | udp: 1070 | new: 30 1071 | established: 300 1072 | bypassed: 100 1073 | emergency-new: 10 1074 | emergency-established: 100 1075 | emergency-bypassed: 50 1076 | icmp: 1077 | new: 30 1078 | established: 300 1079 | bypassed: 100 1080 | emergency-new: 10 1081 | emergency-established: 100 1082 | emergency-bypassed: 50 1083 | 1084 | # Stream engine settings. Here the TCP stream tracking and reassembly 1085 | # engine is configured. 1086 | # 1087 | # stream: 1088 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a 1089 | # # number indicates it's in bytes. 1090 | # checksum-validation: yes # To validate the checksum of received 1091 | # # packet. If csum validation is specified as 1092 | # # "yes", then packet with invalid csum will not 1093 | # # be processed by the engine stream/app layer. 1094 | # # Warning: locally generated trafic can be 1095 | # # generated without checksum due to hardware offload 1096 | # # of checksum. 
You can control the handling of checksum 1097 | # # on a per-interface basis via the 'checksum-checks' 1098 | # # option 1099 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread 1100 | # midstream: false # don't allow midstream session pickups 1101 | # async-oneside: false # don't enable async stream handling 1102 | # inline: no # stream inline mode 1103 | # max-synack-queued: 5 # Max different SYN/ACKs to queue 1104 | # bypass: no # Bypass packets when stream.depth is reached 1105 | # 1106 | # reassembly: 1107 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number 1108 | # # indicates it's in bytes. 1109 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number 1110 | # # indicates it's in bytes. 1111 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least 1112 | # # this size. Can be specified in kb, mb, 1113 | # # gb. Just a number indicates it's in bytes. 1114 | # # The max acceptable size is 4024 bytes. 1115 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least 1116 | # # this size. Can be specified in kb, mb, 1117 | # # gb. Just a number indicates it's in bytes. 1118 | # # The max acceptable size is 4024 bytes. 1119 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. 1120 | # # This lower the risk of some evasion technics but could lead 1121 | # # detection change between runs. It is set to 'yes' by default. 1122 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is 1123 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size 1124 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same 1125 | # # calculation for toclient-chunk-size. 1126 | # # Default value of randomize-chunk-range is 10. 1127 | # 1128 | # raw: yes # 'Raw' reassembly enabled or disabled. 1129 | # # raw is for content inspection by detection 1130 | # # engine. 
1131 | # 1132 | # chunk-prealloc: 250 # Number of preallocated stream chunks. These 1133 | # # are used during stream inspection (raw). 1134 | # segments: # Settings for reassembly segment pool. 1135 | # - size: 4 # Size of the (data)segment for a pool 1136 | # prealloc: 256 # Number of segments to prealloc and keep 1137 | # # in the pool. 1138 | # zero-copy-size: 128 # This option sets in bytes the value at 1139 | # # which segment data is passed to the app 1140 | # # layer API directly. Data sizes equal to 1141 | # # and higher than the value set are passed 1142 | # # on directly. 1143 | # 1144 | stream: 1145 | memcap: 64mb 1146 | checksum-validation: yes # reject wrong csums 1147 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically 1148 | reassembly: 1149 | memcap: 256mb 1150 | depth: 1mb # reassemble 1mb into a stream 1151 | toserver-chunk-size: 2560 1152 | toclient-chunk-size: 2560 1153 | randomize-chunk-size: yes 1154 | #randomize-chunk-range: 10 1155 | #raw: yes 1156 | #chunk-prealloc: 250 1157 | #segments: 1158 | # - size: 4 1159 | # prealloc: 256 1160 | # - size: 16 1161 | # prealloc: 512 1162 | # - size: 112 1163 | # prealloc: 512 1164 | # - size: 248 1165 | # prealloc: 512 1166 | # - size: 512 1167 | # prealloc: 512 1168 | # - size: 768 1169 | # prealloc: 1024 1170 | # 'from_mtu' means that the size is mtu - 40, 1171 | # or 1460 if mtu couldn't be determined. 1172 | # - size: from_mtu 1173 | # prealloc: 1024 1174 | # - size: 65535 1175 | # prealloc: 128 1176 | #zero-copy-size: 128 1177 | 1178 | # Host table: 1179 | # 1180 | # Host table is used by tagging and per host thresholding subsystems. 1181 | # 1182 | host: 1183 | hash-size: 4096 1184 | prealloc: 1000 1185 | memcap: 32mb 1186 | 1187 | # IP Pair table: 1188 | # 1189 | # Used by xbits 'ippair' tracking. 
1190 | # 1191 | #ippair: 1192 | # hash-size: 4096 1193 | # prealloc: 1000 1194 | # memcap: 32mb 1195 | 1196 | 1197 | ## 1198 | ## Performance tuning and profiling 1199 | ## 1200 | 1201 | # The detection engine builds internal groups of signatures. The engine 1202 | # allow us to specify the profile to use for them, to manage memory on an 1203 | # efficient way keeping a good performance. For the profile keyword you 1204 | # can use the words "low", "medium", "high" or "custom". If you use custom 1205 | # make sure to define the values at "- custom-values" as your convenience. 1206 | # Usually you would prefer medium/high/low. 1207 | # 1208 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for 1209 | # the signature groups. "single" indicates the use of a single context for 1210 | # all the signature group heads. "full" indicates a mpm-context for each 1211 | # group head. "auto" lets the engine decide the distribution of contexts 1212 | # based on the information the engine gathers on the patterns from each 1213 | # group head. 1214 | # 1215 | # The option inspection-recursion-limit is used to limit the recursive calls 1216 | # in the content inspection code. For certain payload-sig combinations, we 1217 | # might end up taking too much time in the content inspection code. 1218 | # If the argument specified is 0, the engine uses an internally defined 1219 | # default limit. On not specifying a value, we use no limits on the recursion. 1220 | detect: 1221 | profile: medium 1222 | custom-values: 1223 | toclient-groups: 3 1224 | toserver-groups: 25 1225 | sgh-mpm-context: auto 1226 | inspection-recursion-limit: 3000 1227 | # If set to yes, the loading of signatures will be made after the capture 1228 | # is started. This will limit the downtime in IPS mode. 1229 | #delayed-detect: yes 1230 | 1231 | prefilter: 1232 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern 1233 | # engines. 
"auto" also sets up prefilter engines for other keywords. 1234 | # Use --list-keywords=all to see which keywords support prefiltering. 1235 | default: mpm 1236 | 1237 | # the grouping values above control how many groups are created per 1238 | # direction. Port whitelisting forces that port to get it's own group. 1239 | # Very common ports will benefit, as well as ports with many expensive 1240 | # rules. 1241 | grouping: 1242 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 1243 | #udp-whitelist: 53, 135, 5060 1244 | 1245 | profiling: 1246 | # Log the rules that made it past the prefilter stage, per packet 1247 | # default is off. The threshold setting determines how many rules 1248 | # must have made it past pre-filter for that rule to trigger the 1249 | # logging. 1250 | #inspect-logging-threshold: 200 1251 | grouping: 1252 | dump-to-disk: false 1253 | include-rules: false # very verbose 1254 | include-mpm-stats: false 1255 | 1256 | # Select the multi pattern algorithm you want to run for scan/search the 1257 | # in the engine. 1258 | # 1259 | # The supported algorithms are: 1260 | # "ac" - Aho-Corasick, default implementation 1261 | # "ac-bs" - Aho-Corasick, reduced memory implementation 1262 | # "ac-cuda" - Aho-Corasick, CUDA implementation 1263 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant 1264 | # "hs" - Hyperscan, available when built with Hyperscan support 1265 | # 1266 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is 1267 | # available, "ac" otherwise. 1268 | # 1269 | # The mpm you choose also decides the distribution of mpm contexts for 1270 | # signature groups, specified by the conf - "detect.sgh-mpm-context". 1271 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" 1272 | # to be set to "single", because of ac's memory requirements, unless the 1273 | # ruleset is small enough to fit in one's memory, in which case one can 1274 | # use "full" with "ac". 
Rest of the mpms can be run in "full" mode. 1275 | # 1276 | # There is also a CUDA pattern matcher (only available if Suricata was 1277 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your 1278 | # max-pending-packets setting above as well if you use b2g_cuda. 1279 | 1280 | mpm-algo: auto 1281 | 1282 | # Select the matching algorithm you want to use for single-pattern searches. 1283 | # 1284 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only 1285 | # available if Suricata has been built with Hyperscan support). 1286 | # 1287 | # The default of "auto" will use "hs" if available, otherwise "bm". 1288 | 1289 | spm-algo: auto 1290 | 1291 | # Suricata is multi-threaded. Here the threading can be influenced. 1292 | threading: 1293 | set-cpu-affinity: no 1294 | # Tune cpu affinity of threads. Each family of threads can be bound 1295 | # on specific CPUs. 1296 | # 1297 | # These 2 apply to the all runmodes: 1298 | # management-cpu-set is used for flow timeout handling, counters 1299 | # worker-cpu-set is used for 'worker' threads 1300 | # 1301 | # Additionally, for autofp these apply: 1302 | # receive-cpu-set is used for capture threads 1303 | # verdict-cpu-set is used for IPS verdict threads 1304 | # 1305 | cpu-affinity: 1306 | - management-cpu-set: 1307 | cpu: [ 0 ] # include only these cpus in affinity settings 1308 | - receive-cpu-set: 1309 | cpu: [ 0 ] # include only these cpus in affinity settings 1310 | - worker-cpu-set: 1311 | cpu: [ "all" ] 1312 | mode: "exclusive" 1313 | # Use explicitely 3 threads and don't compute number by using 1314 | # detect-thread-ratio variable: 1315 | # threads: 3 1316 | prio: 1317 | low: [ 0 ] 1318 | medium: [ "1-2" ] 1319 | high: [ 3 ] 1320 | default: "medium" 1321 | #- verdict-cpu-set: 1322 | # cpu: [ 0 ] 1323 | # prio: 1324 | # default: "high" 1325 | # 1326 | # By default Suricata creates one "detect" thread per available CPU/CPU core. 1327 | # This setting allows controlling this behaviour. 
A ratio setting of 2 will 1328 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this 1329 | # will result in 4 detect threads. If values below 1 are used, less threads 1330 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect 1331 | # thread being created. Regardless of the setting at a minimum 1 detect 1332 | # thread will always be created. 1333 | # 1334 | detect-thread-ratio: 1.0 1335 | 1336 | # Luajit has a strange memory requirement, it's 'states' need to be in the 1337 | # first 2G of the process' memory. 1338 | # 1339 | # 'luajit.states' is used to control how many states are preallocated. 1340 | # State use: per detect script: 1 per detect thread. Per output script: 1 per 1341 | # script. 1342 | luajit: 1343 | states: 128 1344 | 1345 | # Profiling settings. Only effective if Suricata has been built with the 1346 | # the --enable-profiling configure flag. 1347 | # 1348 | profiling: 1349 | # Run profiling for every xth packet. The default is 1, which means we 1350 | # profile every packet. If set to 1000, one packet is profiled for every 1351 | # 1000 received. 1352 | #sample-rate: 1000 1353 | 1354 | # rule profiling 1355 | rules: 1356 | 1357 | # Profiling can be disabled here, but it will still have a 1358 | # performance impact if compiled in. 1359 | enabled: yes 1360 | filename: rule_perf.log 1361 | append: yes 1362 | 1363 | # Sort options: ticks, avgticks, checks, matches, maxticks 1364 | sort: avgticks 1365 | 1366 | # Limit the number of items printed at exit (ignored for json). 
1367 | limit: 100 1368 | 1369 | # output to json 1370 | json: yes 1371 | 1372 | # per keyword profiling 1373 | keywords: 1374 | enabled: yes 1375 | filename: keyword_perf.log 1376 | append: yes 1377 | 1378 | # per rulegroup profiling 1379 | rulegroups: 1380 | enabled: yes 1381 | filename: rule_group_perf.log 1382 | append: yes 1383 | 1384 | # packet profiling 1385 | packets: 1386 | 1387 | # Profiling can be disabled here, but it will still have a 1388 | # performance impact if compiled in. 1389 | enabled: yes 1390 | filename: packet_stats.log 1391 | append: yes 1392 | 1393 | # per packet csv output 1394 | csv: 1395 | 1396 | # Output can be disabled here, but it will still have a 1397 | # performance impact if compiled in. 1398 | enabled: no 1399 | filename: packet_stats.csv 1400 | 1401 | # profiling of locking. Only available when Suricata was built with 1402 | # --enable-profiling-locks. 1403 | locks: 1404 | enabled: no 1405 | filename: lock_stats.log 1406 | append: yes 1407 | 1408 | pcap-log: 1409 | enabled: no 1410 | filename: pcaplog_stats.log 1411 | append: yes 1412 | 1413 | ## 1414 | ## Netfilter integration 1415 | ## 1416 | 1417 | # When running in NFQ inline mode, it is possible to use a simulated 1418 | # non-terminal NFQUEUE verdict. 1419 | # This permit to do send all needed packet to suricata via this a rule: 1420 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE 1421 | # And below, you can have your standard filtering ruleset. To activate 1422 | # this mode, you need to set mode to 'repeat' 1423 | # If you want packet to be sent to another queue after an ACCEPT decision 1424 | # set mode to 'route' and set next-queue value. 1425 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance 1426 | # by processing several packets before sending a verdict (worker runmode only). 
1427 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel 1428 | # accept the packet if suricata is not able to keep pace. 1429 | # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is 1430 | # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask 1431 | # on packet of a flow that need to be bypassed. The Nefilter ruleset has to 1432 | # directly accept all packets of a flow once a packet has been marked. 1433 | nfq: 1434 | # mode: accept 1435 | # repeat-mark: 1 1436 | # repeat-mask: 1 1437 | # bypass-mark: 1 1438 | # bypass-mask: 1 1439 | # route-queue: 2 1440 | # batchcount: 20 1441 | # fail-open: yes 1442 | 1443 | #nflog support 1444 | nflog: 1445 | # netlink multicast group 1446 | # (the same as the iptables --nflog-group param) 1447 | # Group 0 is used by the kernel, so you can't use it 1448 | - group: 2 1449 | # netlink buffer size 1450 | buffer-size: 18432 1451 | # put default value here 1452 | - group: default 1453 | # set number of packet to queue inside kernel 1454 | qthreshold: 1 1455 | # set the delay before flushing packet in the queue inside kernel 1456 | qtimeout: 100 1457 | # netlink max buffer size 1458 | max-size: 20000 1459 | 1460 | ## 1461 | ## Advanced Capture Options 1462 | ## 1463 | 1464 | # general settings affecting packet capture 1465 | capture: 1466 | # disable NIC offloading. It's restored when Suricata exists. 1467 | # Enabled by default 1468 | #disable-offloading: false 1469 | # 1470 | # disable checksum validation. Same as setting '-k none' on the 1471 | # commandline 1472 | #checksum-validation: none 1473 | 1474 | # Netmap support 1475 | # 1476 | # Netmap operates with NIC directly in driver, so you need FreeBSD wich have 1477 | # built-in netmap support or compile and install netmap module and appropriate 1478 | # NIC driver on your Linux system. 1479 | # To reach maximum throughput disable all receive-, segmentation-, 1480 | # checksum- offloadings on NIC. 
1481 | # Disabling Tx checksum offloading is *required* for connecting OS endpoint 1482 | # with NIC endpoint. 1483 | # You can find more information at https://github.com/luigirizzo/netmap 1484 | # 1485 | netmap: 1486 | # To specify OS endpoint add plus sign at the end (e.g. "eth0+") 1487 | - interface: eth2 1488 | # Number of receive threads. "auto" uses number of RSS queues on interface. 1489 | #threads: auto 1490 | # You can use the following variables to activate netmap tap or IPS mode. 1491 | # If copy-mode is set to ips or tap, the traffic coming to the current 1492 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 1493 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action 1494 | # will not be copied. 1495 | # To specify the OS as the copy-iface (so the OS can route packets, or forward 1496 | # to a service running on the same machine) add a plus sign at the end 1497 | # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 1498 | # for return packets. Hardware checksumming must be *off* on the interface if 1499 | # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD 1500 | # or 'ethtool -K eth0 tx off rx off' for Linux). 1501 | #copy-mode: tap 1502 | #copy-iface: eth3 1503 | # Set to yes to disable promiscuous mode 1504 | # disable-promisc: no 1505 | # Choose checksum verification mode for the interface. At the moment 1506 | # of the capture, some packets may be with an invalid checksum due to 1507 | # offloading to the network card of the checksum computation. 1508 | # Possible values are: 1509 | # - yes: checksum validation is forced 1510 | # - no: checksum validation is disabled 1511 | # - auto: suricata uses a statistical approach to detect when 1512 | # checksum off-loading is used. 1513 | # Warning: 'checksum-validation' must be set to yes to have any validation 1514 | #checksum-checks: auto 1515 | # BPF filter to apply to this interface. 
The pcap filter syntax apply here. 1516 | #bpf-filter: port 80 or udp 1517 | #- interface: eth3 1518 | #threads: auto 1519 | #copy-mode: tap 1520 | #copy-iface: eth2 1521 | # Put default values here 1522 | - interface: default 1523 | 1524 | # PF_RING configuration. for use with native PF_RING support 1525 | # for more info see http://www.ntop.org/products/pf_ring/ 1526 | pfring: 1527 | - interface: eth0 1528 | # Number of receive threads (>1 will enable experimental flow pinned 1529 | # runmode) 1530 | threads: 1 1531 | 1532 | # Default clusterid. PF_RING will load balance packets based on flow. 1533 | # All threads/processes that will participate need to have the same 1534 | # clusterid. 1535 | cluster-id: 99 1536 | 1537 | # Default PF_RING cluster type. PF_RING can load balance per flow. 1538 | # Possible values are cluster_flow or cluster_round_robin. 1539 | cluster-type: cluster_flow 1540 | # bpf filter for this interface 1541 | #bpf-filter: tcp 1542 | # Choose checksum verification mode for the interface. At the moment 1543 | # of the capture, some packets may be with an invalid checksum due to 1544 | # offloading to the network card of the checksum computation. 1545 | # Possible values are: 1546 | # - rxonly: only compute checksum for packets received by network card. 1547 | # - yes: checksum validation is forced 1548 | # - no: checksum validation is disabled 1549 | # - auto: suricata uses a statistical approach to detect when 1550 | # checksum off-loading is used. (default) 1551 | # Warning: 'checksum-validation' must be set to yes to have any validation 1552 | #checksum-checks: auto 1553 | # Second interface 1554 | #- interface: eth1 1555 | # threads: 3 1556 | # cluster-id: 93 1557 | # cluster-type: cluster_flow 1558 | # Put default values here 1559 | - interface: default 1560 | #threads: 2 1561 | 1562 | # For FreeBSD ipfw(8) divert(4) support. 
1563 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" 1564 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. 1565 | # Additionally, you need to have an ipfw rule for the engine to see 1566 | # the packets from ipfw. For Example: 1567 | # 1568 | # ipfw add 100 divert 8000 ip from any to any 1569 | # 1570 | # The 8000 above should be the same number you passed on the command 1571 | # line, i.e. -d 8000 1572 | # 1573 | ipfw: 1574 | 1575 | # Reinject packets at the specified ipfw rule number. This config 1576 | # option is the ipfw rule number AT WHICH rule processing continues 1577 | # in the ipfw processing system after the engine has finished 1578 | # inspecting the packet for acceptance. If no rule number is specified, 1579 | # accepted packets are reinjected at the divert rule which they entered 1580 | # and IPFW rule processing continues. No check is done to verify 1581 | # this will rule makes sense so care must be taken to avoid loops in ipfw. 1582 | # 1583 | ## The following example tells the engine to reinject packets 1584 | # back into the ipfw firewall AT rule number 5500: 1585 | # 1586 | # ipfw-reinjection-rule-number: 5500 1587 | 1588 | 1589 | napatech: 1590 | # The Host Buffer Allowance for all streams 1591 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) 1592 | hba: -1 1593 | 1594 | # use_all_streams set to "yes" will query the Napatech service for all configured 1595 | # streams and listen on all of them. When set to "no" the streams config array 1596 | # will be used. 1597 | use-all-streams: yes 1598 | 1599 | # The streams to listen on 1600 | streams: [1, 2, 3] 1601 | 1602 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. 1603 | mpipe: 1604 | 1605 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". 1606 | load-balance: dynamic 1607 | 1608 | # Number of Packets in each ingress packet queue. 
Must be 128, 512, 2028 or 65536 1609 | iqueue-packets: 2048 1610 | 1611 | # List of interfaces we will listen on. 1612 | inputs: 1613 | - interface: xgbe2 1614 | - interface: xgbe3 1615 | - interface: xgbe4 1616 | 1617 | 1618 | # Relative weight of memory for packets of each mPipe buffer size. 1619 | stack: 1620 | size128: 0 1621 | size256: 9 1622 | size512: 0 1623 | size1024: 0 1624 | size1664: 7 1625 | size4096: 0 1626 | size10386: 0 1627 | size16384: 0 1628 | 1629 | ## 1630 | ## Hardware accelaration 1631 | ## 1632 | 1633 | # Cuda configuration. 1634 | cuda: 1635 | # The "mpm" profile. On not specifying any of these parameters, the engine's 1636 | # internal default values are used, which are same as the ones specified in 1637 | # in the default conf file. 1638 | mpm: 1639 | # The minimum length required to buffer data to the gpu. 1640 | # Anything below this is MPM'ed on the CPU. 1641 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. 1642 | # A value of 0 indicates there's no limit. 1643 | data-buffer-size-min-limit: 0 1644 | # The maximum length for data that we would buffer to the gpu. 1645 | # Anything over this is MPM'ed on the CPU. 1646 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. 1647 | data-buffer-size-max-limit: 1500 1648 | # The ring buffer size used by the CudaBuffer API to buffer data. 1649 | cudabuffer-buffer-size: 500mb 1650 | # The max chunk size that can be sent to the gpu in a single go. 1651 | gpu-transfer-size: 50mb 1652 | # The timeout limit for batching of packets in microseconds. 1653 | batching-timeout: 2000 1654 | # The device to use for the mpm. Currently we don't support load balancing 1655 | # on multiple gpus. In case you have multiple devices on your system, you 1656 | # can specify the device to use, using this conf. By default we hold 0, to 1657 | # specify the first device cuda sees. 
To find out device-id associated with 1658 | # the card(s) on the system run "suricata --list-cuda-cards". 1659 | device-id: 0 1660 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid. 1661 | # For this option you need a device with Compute Capability > 1.0. 1662 | cuda-streams: 2 1663 | 1664 | ## 1665 | ## Include other configs 1666 | ## 1667 | 1668 | # Includes. Files included here will be handled as if they were 1669 | # inlined in this configuration file. 1670 | #include: include1.yaml 1671 | #include: include2.yaml 1672 | --------------------------------------------------------------------------------
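As an added example (not code from the vagrant-ids repo or from Suricata itself), the following Python script audits the `stream` settings the file above configures for the evasion-relevant toggles its comments describe, and computes the chunk-size window from the `randomize-chunk-range` formula. It assumes PyYAML is not available, so it uses a small parser that handles only indentation-nested mappings of scalars, which is enough for the constructed fragment it reads.

```python
"""Audit Suricata stream settings for evasion-relevant toggles.

Added example, not code from the vagrant-ids repo or from Suricata.
A deliberately small YAML-subset parser (nested mappings of scalars,
no lists) is used so the script runs without PyYAML.
"""
import re

# Constructed fragment mirroring the repo's stream settings, with
# randomize-chunk-range spelled out so the window can be computed.
CONFIG = """\
stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    randomize-chunk-range: 10
"""

UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
MAX_CHUNK = 4024  # "The max acceptable size is 4024 bytes" (yaml comment)


def parse_yaml_subset(text):
    """Parse indentation-nested 'key: value' mappings into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close mappings nested deeper
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def to_bytes(value):
    """Convert Suricata size notation ('1mb', '64kb', '4096') to bytes."""
    m = re.fullmatch(r"(\d+)(kb|mb|gb)?", value.strip().lower())
    if not m:
        raise ValueError("bad size: %r" % value)
    return int(m.group(1)) * UNITS.get(m.group(2), 1)


def chunk_size_range(reassembly, direction="toserver"):
    """(low, high) raw-stream chunk size per the comment's formula:
    (1 -/+ randomize-chunk-range/100) * chunk size; fixed if not randomized."""
    size = int(reassembly[direction + "-chunk-size"])
    if reassembly.get("randomize-chunk-size", "yes") != "yes":
        return (size, size)
    pct = int(reassembly.get("randomize-chunk-range", "10"))
    return (size * (100 - pct) // 100, size * (100 + pct) // 100)


def audit(cfg):
    """Return (severity, message) findings; defaults follow the yaml comments."""
    findings = []
    stream = cfg.get("stream", {})
    reasm = stream.get("reassembly", {})
    if stream.get("checksum-validation", "yes") != "yes":
        findings.append(("high", "checksum-validation is off: packets with bad "
                         "checksums, which the endpoint discards, reach detection"))
    if stream.get("midstream", "false") in ("true", "yes"):
        findings.append(("medium", "midstream pickups enabled: sessions are "
                         "tracked without their handshake"))
    if 0 < to_bytes(reasm.get("depth", "1mb")) < to_bytes("1mb"):
        findings.append(("medium", "reassembly.depth below 1mb: later stream "
                         "data is not reassembled for inspection"))
    for d in ("toserver", "toclient"):
        if int(reasm.get(d + "-chunk-size", "2560")) > MAX_CHUNK:
            findings.append(("error", d + "-chunk-size exceeds %d" % MAX_CHUNK))
    if reasm.get("randomize-chunk-size", "yes") != "yes":
        findings.append(("low", "randomize-chunk-size is off: chunk boundaries "
                         "are predictable"))
    lo, hi = chunk_size_range(reasm)
    findings.append(("info", "toserver chunk size varies between %d and %d bytes"
                     % (lo, hi)))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_yaml_subset(CONFIG)):
        print("[%s] %s" % (severity, message))
```

Run it against the fragment as shipped and only the informational chunk-size window is reported; flipping `checksum-validation` or `randomize-chunk-size` to `no` in the text produces the corresponding findings.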