├── kvm-configs
    ├── cuckoo_net.xml
    └── cuckooboot
├── virtualbox-configs
    └── cuckooboot
├── README.md
├── win-scripts
    ├── stealth.bat
    ├── ZombiesXP.reg
    ├── Office2010.reg
    ├── Office2013.reg
    └── Zombieswin7.reg
├── gen-configs
    ├── nginx_config
    ├── vsftpd.conf
    ├── torrc
    ├── inetsim.conf
    └── suricata-cuckoo.yaml
├── test-scripts
    └── kvm-qemu-patching.sh
└── cuckoo.sh


/kvm-configs/cuckoo_net.xml:
--------------------------------------------------------------------------------
 1 | <network>
 2 |   <name>cuckoo</name>
 3 |   <bridge name='virbr0' stp='on' delay='0'/>
 4 |   <domain name='cuckoo'/>
 5 |   <ip address='192.168.100.1' netmask='255.255.255.0'>
 6 |     <dhcp>
 7 |       <range start='192.168.100.128' end='192.168.100.254'/>
 8 |     </dhcp>
 9 |   </ip>
10 | </network>
11 | 


--------------------------------------------------------------------------------
/kvm-configs/cuckooboot:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | CUCKOO_USER="cuckoo"
 3 | CUCKOO_PATH="/opt/cuckoo"
 4 | VIRBR_IP="192.168.100.1"
 5 | INETSIM_DNS_PORT="5342"
 6 | VIRBR_DEV="virbr0"
 7 | 
 8 | su $CUCKOO_USER -c "pkill gunicorn" >/dev/null 2>&1
 9 | su $CUCKOO_USER -c "pkill python" > /dev/null 2>&1
10 | 
11 | /usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null
12 | 
13 | # Wait for the virtual bridge to become active before (re)starting services
14 | while [ $? -ne 0 ]
15 | do
16 | sleep 5
17 | /usr/sbin/service nginx restart
18 | /usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null
19 | done
20 | 
21 | # Restart services that bind to the bridge
22 | /usr/sbin/service tor restart
23 | /usr/sbin/service inetsim restart
24 | /usr/sbin/service vsftpd restart
25 | 
26 | # Start Cuckoo
27 | cd $CUCKOO_PATH
28 | su $CUCKOO_USER -c "./cuckoo.py &"
29 | 
30 | # Start the Cuckoo web UI
31 | cd web
32 | su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b 127.0.0.1:8000 web.wsgi"
33 | 
34 | # Start the legacy upstream API
35 | cd ../utils
36 | su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b 127.0.0.1:8001 api"
37 | 
38 | # Redirect libvirt VM DNS quires to inetsim's DNS port
39 | /sbin/iptables -t nat -C  PREROUTING -d $VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports $INETSIM_DNS_PORT >/dev/null 2>&1
40 | if [ $? -ne 0 ]; then
41 |     /sbin/iptables -t nat -I PREROUTING -d $VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports $INETSIM_DNS_PORT
42 | fi
43 | 
44 | # Allow inetsim to accept traffic for any IP address
45 | /sbin/iptables -t nat -C PREROUTING -i $VIRBR_DEV -j REDIRECT >/dev/null 2>&1
46 | if [ $? -ne 0 ]; then
47 |     /sbin/iptables -t nat -A PREROUTING -i $VIRBR_DEV -j REDIRECT
48 | fi


--------------------------------------------------------------------------------
/virtualbox-configs/cuckooboot:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | CUCKOO_USER="cuckoo"
 3 | CUCKOO_PATH="/opt/cuckoo"
 4 | VIRBR_IP="192.168.100.1"
 5 | INETSIM_DNS_PORT="5342"
 6 | VIRBR_DEV="vboxnet0"
 7 | 
 8 | su $CUCKOO_USER -c "pkill gunicorn" >/dev/null 2>&1
 9 | su $CUCKOO_USER -c "pkill python" > /dev/null 2>&1
10 | 
11 | /usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null
12 | 
13 | # Wait for the virtual bridge to become active before (re)starting services
14 | while [ $? -ne 0 ]
15 | do
16 | sleep 5
17 | /usr/sbin/service nginx restart
18 | /usr/bin/curl -s http://$VIRBR_IP:8080/ > /dev/null
19 | done
20 | 
21 | # Restart services that bind to the bridge
22 | /usr/sbin/service tor restart
23 | /usr/sbin/service inetsim restart
24 | /usr/sbin/service vsftpd restart
25 | 
26 | # Start Cuckoo
27 | cd $CUCKOO_PATH
28 | su $CUCKOO_USER -c "./cuckoo.py &"
29 | 
30 | # Start the Cuckoo web UI
31 | cd web
32 | su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b 127.0.0.1:8000 web.wsgi"
33 | 
34 | # Start the legacy upstream API
35 | cd ../utils
36 | su $CUCKOO_USER -c "gunicorn --reload -D -w 4 -b 127.0.0.1:8001 api"
37 | 
38 | # Redirect libvirt VM DNS quires to inetsim's DNS port
39 | /sbin/iptables -t nat -C  PREROUTING -d $VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports $INETSIM_DNS_PORT >/dev/null 2>&1
40 | if [ $? -ne 0 ]; then
41 |     /sbin/iptables -t nat -I PREROUTING -d $VIRBR_IP -p udp --dport 53 -j REDIRECT --to-ports $INETSIM_DNS_PORT
42 | fi
43 | 
44 | # Allow inetsim to accept traffic for any IP address
45 | /sbin/iptables -t nat -C PREROUTING -i $VIRBR_DEV -j REDIRECT >/dev/null 2>&1
46 | if [ $? -ne 0 ]; then
47 |     /sbin/iptables -t nat -A PREROUTING -i $VIRBR_DEV -j REDIRECT
48 | fi


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # cuckoo-autoinstall
 2 | The script "cuckoo.sh" intends to perform a full base install of the modified Cuckoo sandbox on Ubuntu 16.04 following the steps listed here: https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
 3 | 
 4 | This script is nearly complete, but still may have some bugs. I built it out of necessity after I re-installed Cuckoo a few times trying to get the setup correct. Each install used to take a few hours, whereas this script should complete in under 15 minutes on a reasonably powered machine.
 5 | 
 6 | One important thing to be aware of is that this script will generate a secure password for the database, but also will use that generated password for the "cuckoo" user account. The account should be reasonably secure, but be aware that the password will exist in a plaintext file. Please make sure to change that password if you want the account fully secured.
 7 | 
 8 | -Usage-
 9 | ```
10 | sudo ./cuckoo <cuckoo_path> <db_pass> <ip> <machinery>
11 | ```
12 | **NOTE: Alternate install options have not been completed. For now, run without arguments.**
13 | 
14 | If no arguments are provided, it will default to the following and auto-generated values will be displayed at runtime:
15 | 
16 | Cuckoo Path: /opt
17 | 
18 | DB Password: Pseudo-random generated by hashing date and then base64 encoding
19 | 
20 | Public IP: Attempts to discover public IP and use it during install
21 | 
22 | Machinery: kvm
23 | 
24 | **Steps that need to take place after running script:**
25 | 
26 | -Build sandbox VMs in KVM
27 | 
28 | -Modify Cuckoo conf files for new sandbox VMs
29 | 
30 | -Create user/pass for web portal
31 | 
32 | ```
33 | sudo htpasswd -c /etc/nginx/htpasswd $USER
34 | sudo chown root:www-data /etc/nginx/htpasswd
35 | sudo chmod u=rw,g=r,o= /etc/nginx/htpasswd
36 | sudo service nginx restart
37 | ```
38 | **To Do List**
39 | 
40 | -Finish alternate install option of Virtualbox
41 | 
42 | -Test alternate install of mainstream version of Cuckoo
43 | 
44 | Tested on Ubuntu Server 16.04.1 LTS
45 | 


--------------------------------------------------------------------------------
/win-scripts/stealth.bat:
--------------------------------------------------------------------------------
 1 | REM HELP
 2 | REM http://www.windows-commandline.com/start-stop-service-command-line/
 3 | REM disable UAC
 4 | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
 5 | REM disable Windows defender
 6 | sc config WinDefend start=disabled
 7 | REM disable windows update
 8 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
 9 | REM disable aero
10 | net stop uxsms
11 | REM disable the firewall
12 | netsh firewall set opmode mode=DISABLE
13 | REM disable IPv6
14 | netsh interface teredo set state disabled
15 | netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
16 | netsh interface ipv6 isatap set state state=disabled
17 | REM disable active probing
18 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v EnableActiveProbing /t REG_DWORD /d 0 /f
19 | REM disable SSDP
20 | sc config SSDPSRV start= disabled
21 | net stop SSDPSRV
22 | REM disable computer browsing
23 | sc stop Browser
24 | sc config Browser start= disabled
25 | REM disable WinHTTP Web Proxy Auto-Discovery
26 | reg add "HKLM\SYSTEM\CurrentControlSet\services\WinHttpAutoProxySvc" /v Start /t REG_DWORD /d 4 /f
27 | REM disable Function Discovery Resource Publication service
28 | reg add "HKLM\SYSTEM\CurrentControlSet\services\FDResPud" /v Start /t REG_DWORD /d 4 /f
29 | REM IE blank page
30 | reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "" /F
31 | REM disable IExplorer Proxy
32 | reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00000000 /f
33 | REM disable netbios in TCP/IP
34 | wmic nicconfig where index=8 call SetTcpipNetbios 2
35 | REM disable netbios service
36 | reg add "HKLM\SYSTEM\CurrentControlSet\services\Imhosts" /v Start /t REG_DWORD /d 4 /f
37 | REM disable LLMNR
38 | reg add "HKLM\Software\policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
39 | REMdisable SQM
40 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FlexGo\FGNotify\Prechecks" /v Sqm /t REG_DWORD /d 00000002 /f
41 | REM Disable cert check
42 | reg add "HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo" /v DefaultSslCertCheckMode /t REG_DWORD /d 1 /f


--------------------------------------------------------------------------------
/win-scripts/ZombiesXP.reg:
--------------------------------------------------------------------------------
 1 | Windows Registry Editor Version 5.00
 2 | 
 3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]
 4 | 
 5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery]
 6 | 
 7 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
 8 | "NoSearchBox"=dword:00000001
 9 | "NoUpdateCheck"=dword:00000001
10 | 
11 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter]
12 | "Enabled"=dword:00000000
13 | "EnabledV8"=dword:00000000
14 | 
15 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
16 | "ClearBrowsingHistoryOnExit"=dword:00000001
17 | 
18 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security]
19 | "DisableFixSecuritySettings"=dword:00000001
20 | "DisableSecuritySettingsCheck"=dword:00000001
21 | 
22 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
23 | "CertificateRevocation"=dword:00000000
24 | 
25 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
26 | 
27 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
28 | 
29 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
30 | "1001"=dword:00000000
31 | "1004"=dword:00000000
32 | "1609"=dword:00000000
33 | "1809"=dword:00000003
34 | "1803"=dword:00000000
35 | "1800"=dword:00000000
36 | "1804"=dword:00000000
37 | "1200"=dword:00000000
38 | "2301"=dword:00000003
39 | "1806"=dword:00000000
40 | 
41 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
42 | 
43 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
44 | "NoAutoUpdate"=dword:00000001
45 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
46 | 
47 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
48 | "EnableFirewall"=dword:00000000
49 | 
50 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
51 | "EnableFirewall"=dword:00000000
52 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
53 | "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000
54 | 
55 | [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Update]
56 | "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000
57 | 
58 | [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting]
59 | "Disabled"=dword:00000001
60 | 
61 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
62 | "Start"=dword:00000004
63 | 
64 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
65 | "Type"="NoSync"


--------------------------------------------------------------------------------
/win-scripts/Office2010.reg:
--------------------------------------------------------------------------------
 1 | Windows Registry Editor Version 5.00
 2 | 
 3 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common]
 4 | "UpdateReliabilityData"=dword:00000000
 5 | "QMSessionCount"=dword:00000002
 6 | 
 7 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\TrustCenter]
 8 | "TrustBar"=dword:00000001
 9 | 
10 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet]
11 | "UseOnlineContent"=dword:00000000
12 | "IDN_AlertOff"=dword:00000001
13 | "UseOnlineAppDetect"=dword:00000000
14 | 
15 | 
16 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Research\Options]
17 | "DiscoveryNeedOptIn"=dword:00000001
18 | 
19 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security]
20 | "AccessVBOM"=dword:00000001
21 | "VBAWarnings"=dword:00000001
22 | "EnableDEP"=dword:00000000
23 | 
24 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
25 | "Word95Files"=dword:00000000
26 | "Word60Files"=dword:00000000
27 | "Word2Files"=dword:00000000
28 | "OpenInProtectedView"=dword:00000002
29 | 
30 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\ProtectedView]
31 | "DisableInternetFilesInPV"=dword:00000001
32 | "DisableAttachmentsInPV"=dword:00000001
33 | "DisableUnsafeLocationsInPV"=dword:00000001
34 | 
35 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Locations]
36 | "AllowNetworkLocations"=dword:00000001
37 | 
38 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security]
39 | "AccessVBOM"=dword:00000001
40 | "VBAWarnings"=dword:00000001
41 | "EnableDEP"=dword:00000000
42 | "DataConnectionWarnings"=dword:00000000
43 | "WorkbookLinkWarnings"=dword:00000002
44 | "ExtensionHardening"=dword:00000000
45 | 
46 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\FileBlock]
47 | "XL4Workbooks"=dword:00000000
48 | "XL4Worksheets"=dword:00000000
49 | "XL3Worksheets"=dword:00000000
50 | "XL2Worksheets"=dword:00000000
51 | "XL4Macros"=dword:00000000
52 | "XL3Macros"=dword:00000000
53 | "XL2Macros"=dword:00000000
54 | "OpenInProtectedView"=dword:00000002
55 | 
56 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView]
57 | "DisableInternetFilesInPV"=dword:00000001
58 | "DisableAttachmentsInPV"=dword:00000001
59 | "DisableUnsafeLocationsInPV"=dword:00000001
60 | 
61 | 
62 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security]
63 | "AccessVBOM"=dword:00000001
64 | "VBAWarnings"=dword:00000001
65 | "EnableDEP"=dword:00000000
66 | 
67 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView]
68 | "DisableInternetFilesInPV"=dword:00000001
69 | "DisableAttachmentsInPV"=dword:00000001
70 | "DisableUnsafeLocationsInPV"=dword:00000001
71 | 
72 | [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Publisher\Security]
73 | "VBAWarnings"=dword:00000001
74 | "EnableDEP"=dword:00000000
75 | 


--------------------------------------------------------------------------------
/gen-configs/nginx_config:
--------------------------------------------------------------------------------
 1 | server {
 2 |     listen IP_Address:443 ssl http2;
 3 |     ssl_certificate /etc/nginx/ssl/cuckoo.crt;
 4 |     ssl_certificate_key /etc/nginx/ssl/cuckoo.key;
 5 |     ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 6 |     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 7 |     ssl_prefer_server_ciphers on;
 8 |     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 9 |     ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
10 |     ssl_session_cache shared:SSL:10m;
11 |     ssl_session_tickets off; # Requires nginx >= 1.5.9
12 |     # Uncomment this next line if you are using a signed, trusted cert
13 |     #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
14 |     add_header X-Frame-Options SAMEORIGIN;
15 |     add_header X-Content-Type-Options nosniff;
16 |     root /usr/share/nginx/html;
17 |     index index.html index.htm;
18 |     client_max_body_size 101M;
19 |     auth_basic "Login required";
20 |     auth_basic_user_file /etc/nginx/htpasswd;
21 | 
22 |     location / {
23 |         proxy_pass http://127.0.0.1:8000;
24 |         proxy_set_header Host $host;
25 |         proxy_set_header X-Real-IP $remote_addr;
26 |         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
27 |     }
28 | 
29 |     location /storage/analysis {
30 |        alias /opt/cuckoo/storage/analyses/;
31 |        autoindex on;
32 |        autoindex_exact_size off;
33 |        autoindex_localtime on;
34 |     }
35 | 
36 |     location /static {
37 |       alias /opt/cuckoo/web/static/;
38 |     }
39 | }
40 | 
41 | server {
42 |     listen IP_Address:80 http2;
43 |     return 301 https://$server_name$request_uri;
44 | }
45 | 
46 | 
47 | server {
48 |   listen 192.168.100.1:8080;
49 | 
50 |     root /home/cuckoo/vmshared;
51 | 
52 |      location / {
53 |            try_files $uri $uri/ =404;
54 |            autoindex on;
55 |            autoindex_exact_size off;
56 |            autoindex_localtime on;
57 |      }
58 | }
59 | 
60 | # Host the upstream legacy API 
61 | server {
62 |     listen IP_Address:4343 ssl http2;
63 |     ssl_certificate /etc/nginx/ssl/cuckoo.crt;
64 |     ssl_certificate_key /etc/nginx/ssl/cuckoo.key;
65 |     ssl_dhparam /etc/nginx/ssl/dhparam.pem;
66 |     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
67 |     ssl_prefer_server_ciphers on;
68 |     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
69 |     ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
70 |     ssl_session_cache shared:SSL:10m;
71 |     ssl_session_tickets off; # Requires nginx >= 1.5.9
72 |    # Uncomment this next line if you are using a signed, trusted cert
73 |     #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
74 |     add_header X-Frame-Options SAMEORIGIN;
75 |     add_header X-Content-Type-Options nosniff;
76 |     root /usr/share/nginx/html;
77 |     index index.html index.htm;
78 |     client_max_body_size 101M;
79 | 
80 |     location / {
81 |         proxy_pass http://127.0.0.1:8001;
82 |         proxy_set_header Host $host;
83 |         proxy_set_header X-Real-IP $remote_addr;
84 |         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
85 |         
86 |         # Restrict access
87 |        allow IP_Address;
88 |       #allow 192.168.1.0/24;
89 |       deny all;
90 |     }
91 | }


--------------------------------------------------------------------------------
/win-scripts/Office2013.reg:
--------------------------------------------------------------------------------
  1 | Windows Registry Editor Version 5.00
  2 | 
  3 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common]
  4 | "OverridePointerMode"=dword:00000001
  5 | "QMEnable"=dword:00000000
  6 | "UpdateReliabilityData"=dword:00000000
  7 | "QMNFN"=dword:00000002
  8 | "QMSessionCount"=dword:00000003
  9 | 
 10 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Feedback]
 11 | "Enabled"=dword:00000000
 12 | 
 13 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Internet]
 14 | "IDN_AlertOff"=dword:00000001
 15 | "UseOnlineContent"=dword:00000002
 16 | 
 17 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\PTWatson]
 18 | "PTWOptIn"=dword:00000000
 19 | "PTWReadyToSend"=dword:00000000
 20 | "PTWNextUpload"=dword:00000000
 21 | "PTWCount"=dword:00000000
 22 | "PTWExpire"=dword:00000000
 23 | 
 24 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Research\Options]
 25 | "DiscoveryNeedOptIn"=dword:00000001
 26 | 
 27 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Research\Translation]
 28 | "UseOnline"=dword:00000000
 29 | 
 30 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Security\FileValidation]
 31 | "DisableReporting"=dword:00000001
 32 | 
 33 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\TrustCenter]
 34 | "TrustBar"=dword:00000001
 35 | 
 36 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security]
 37 | "AccessVBOM"=dword:00000001
 38 | "VBAWarnings"=dword:00000001
 39 | 
 40 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
 41 | "Word95Files"=dword:00000000
 42 | "Word60Files"=dword:00000000
 43 | "Word2Files"=dword:00000000
 44 | 
 45 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\ProtectedView]
 46 | "DisableInternetFilesInPV"=dword:00000001
 47 | "DisableAttachmentsInPV"=dword:00000001
 48 | "DisableUnsafeLocationsInPV"=dword:00000001
 49 | 
 50 | [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security]
 51 | "UFIControls"=dword:00000001
 52 | 
 53 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
 54 | "AccessVBOM"=dword:00000001
 55 | "VBAWarnings"=dword:00000001
 56 | "DataConnectionWarnings"=dword:00000000
 57 | "WorkbookLinkWarnings"=dword:00000002
 58 | "ExtensionHardening"=dword:00000000
 59 | 
 60 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\FileBlock]
 61 | "XL4Workbooks"=dword:00000000
 62 | "XL4Worksheets"=dword:00000000
 63 | "XL3Worksheets"=dword:00000000
 64 | "XL2Worksheets"=dword:00000000
 65 | "XL4Macros"=dword:00000000
 66 | "XL3Macros"=dword:00000000
 67 | "XL2Macros"=dword:00000000
 68 | "OpenInProtectedView"=dword:00000002
 69 | 
 70 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView]
 71 | "DisableInternetFilesInPV"=dword:00000001
 72 | "DisableAttachmentsInPV"=dword:00000001
 73 | "DisableUnsafeLocationsInPV"=dword:00000001
 74 | 
 75 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations]
 76 | "AllowNetworkLocations"=dword:00000001
 77 | 
 78 | 
 79 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Internet]
 80 | "IDN_AlertOff"=dword:00000001
 81 | "UseOnlineContent"=dword:00000000
 82 | 
 83 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security]
 84 | "AccessVBOM"=dword:00000001
 85 | "VBAWarnings"=dword:00000001
 86 | 
 87 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\FileBlock]
 88 | "OpenInProtectedView"=dword:00000002
 89 | 
 90 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView]
 91 | "DisableInternetFilesInPV"=dword:00000001
 92 | "DisableAttachmentsInPV"=dword:00000001
 93 | "DisableUnsafeLocationsInPV"=dword:00000001
 94 | 
 95 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Access\Security]
 96 | "VBAWarnings"=dword:00000001
 97 | 
 98 | [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Publisher\Security]
 99 | "VBAWarnings"=dword:00000001
100 | 


--------------------------------------------------------------------------------
/win-scripts/Zombieswin7.reg:
--------------------------------------------------------------------------------
  1 | Windows Registry Editor Version 5.00
  2 | 
  3 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]
  4 | 
  5 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery]
  6 | 
  7 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
  8 | "NoSearchBox"=dword:00000001
  9 | "NoUpdateCheck"=dword:00000001
 10 | 
 11 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter]
 12 | "Enabled"=dword:00000000
 13 | "EnabledV8"=dword:00000000
 14 | 
 15 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy]
 16 | "ClearBrowsingHistoryOnExit"=dword:00000001
 17 | 
 18 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security]
 19 | "DisableFixSecuritySettings"=dword:00000001
 20 | "DisableSecuritySettingsCheck"=dword:00000001
 21 | 
 22 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
 23 | "WarnOnBadCertRecving"=dword:00000000
 24 | "WarnOnBadCert"=dword:00000000
 25 | 
 26 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria]
 27 | "CertificateRevocation"=dword:00000000
 28 | 
 29 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
 30 | 
 31 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
 32 | 
 33 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
 34 | "1001"=dword:00000000
 35 | "1004"=dword:00000000
 36 | "1609"=dword:00000000
 37 | "1809"=dword:00000003
 38 | "1803"=dword:00000000
 39 | "1800"=dword:00000000
 40 | "1804"=dword:00000000
 41 | "1200"=dword:00000000
 42 | "2301"=dword:00000003
 43 | "1806"=dword:00000000
 44 | 
 45 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
 46 | "EnableMulticast"=dword:00000000
 47 | 
 48 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet]
 49 | "PassivePollPeriod"=dword:00000005
 50 | "StaleThreshold"=dword:0000001e
 51 | "WebTimeout"=dword:00000023
 52 | "EnableActiveProbing"=dword:00000000
 53 | "ActiveWebProbeHost"="www.msftncsi.com"
 54 | "ActiveWebProbePath"="ncsi.txt"
 55 | "ActiveWebProbeContent"="Microsoft NCSI"
 56 | "ActiveDnsProbeHost"="dns.msftncsi.com"
 57 | "ActiveDnsProbeContent"="131.107.255.255"
 58 | 
 59 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies]
 60 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP]
 61 | 
 62 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
 63 | "Teredo_State"="Disabled"
 64 | 
 65 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
 66 | "EnableLUA"=dword:00000000
 67 | 
 68 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]
 69 | "DisableAddonLoadTimePerformanceNotifications"=dword:00000001
 70 | "IgnoreFrameApprovalCheck"=dword:00000001
 71 | "NoFirsttimeprompt"=dword:00000001
 72 | 
 73 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
 74 | 
 75 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
 76 | "NoAutoUpdate"=dword:00000001
 77 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 78 | 
 79 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 80 | "EnableFirewall"=dword:00000000
 81 | 
 82 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 83 | "EnableFirewall"=dword:00000000
 84 | 
 85 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows]
 86 | CEIPEnable=dword:00000000
 87 | 
 88 | [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
 89 | "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000
 90 | 
 91 | [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Update]
 92 | "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}"=dword:00000000
 93 | 
 94 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff]
 95 | 
 96 | [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting]
 97 | "Disabled"=dword:00000001
 98 | 
 99 | ; Disable action center icon
100 | [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
101 | "HideSCAHealth"=dword:00000001
102 | 
103 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
104 | "Start"=dword:00000004
105 | 
106 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
107 | "Start"=dword:00000004
108 | 
109 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
110 | "Type"="NoSync"


--------------------------------------------------------------------------------
/test-scripts/kvm-qemu-patching.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # https://doomedraven.github.io/2016/01/23/KVM-QEMU.html
  3 | 
  4 | function usage() 
  5 | {
  6 |     echo 'Usage: $0 <func_name>'
  7 |     echo
  8 |     echo 'Func:'
  9 |     echo '    All'
 10 |     echo '    KVM'
 11 |     echo '    QEMU'
 12 |     echo '    SeaBios'
 13 |     exit
 14 | }
 15 | 
 16 | function install_kvm() 
 17 | {
 18 |     apt-get install build-essential gcc pkg-config glib-2.0 libglib2.0-dev libsdl1.2-dev libaio-dev libcap-dev libattr1-dev libpixman-1-dev -y
 19 |     apt-get build-dep qemu
 20 |     apt-get install lvm2 ubuntu-virt-server python-vm-builder qemu-kvm qemu-system libvirt-bin ubuntu-vm-builder kvm-ipxe bridge-utils -y
 21 |     apt-get install virtinst python-libvirt virt-viewer virt-manager -y # Virtual Machine Manager
 22 | 	kvm-ok
 23 | }
 24 | 
 25 | function qemu_func() 
 26 | {
 27 |     #Download code
 28 |     echo '[+] Downloading QEMU source code'
 29 |     apt-get source qemu > /dev/null 2>&1
 30 |     if [ $? -eq 0 ]; then
 31 |         echo '[+] Patching QEMU clues'
 32 |         sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' qemu*/hw/ide/core.c
 33 |         if [ $? -ne 0 ]; then
 34 |             echo 'QEMU HARDDISK was not replaced in core.c'
 35 |         fi
 36 |         sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' qemu*/hw/scsi/scsi-disk.c > /dev/null 2>&1
 37 |             if [ $? -eq 0 ]; then
 38 |             echo 'QEMU HARDDISK was not replaced in scsi-disk.c'
 39 |         fi
 40 |         sed -i 's/QEMU DVD-ROM/DVD-ROM/g' qemu*/hw/ide/core.c > /dev/null 2>&1
 41 |             if [ $? -eq 0 ]; then
 42 |             echo 'QEMU DVD-ROM was not replaced in core.c'
 43 |         fi
 44 |         sed -i 's/QEMU DVD-ROM/DVD-ROM/g' qemu*/hw/ide/atapi.c > /dev/null 2>&1
 45 |             if [ $? -eq 0 ]; then
 46 |             echo 'QEMU DVD-ROM was not replaced in atapi.c'
 47 |         fi
 48 |         sed -i 's/s->vendor = g_strdup("QEMU");/s->vendor = g_strdup("DELL");/g' qemu*/hw/scsi/scsi-disk.c
 49 |             if [ $? -eq 0 ]; then
 50 |             echo 'Vendor string was not replaced in scsi-disk.c'
 51 |         fi
 52 |         sed -i 's/QEMU CD-ROM/CD-ROM/g' qemu*/hw/scsi/scsi-disk.c > /dev/null 2>&1
 53 |             if [ $? -eq 0 ]; then
 54 |             echo 'QEMU CD-ROM was not patched in scsi-disk.c'
 55 |         fi
 56 |         sed -i 's/padstr8(buf + 8, 8, "QEMU");/padstr8(buf + 8, 8, "DELL");/g' qemu*/hw/ide/atapi.c > /dev/null 2>&1
 57 |             if [ $? -eq 0 ]; then
 58 |             echo 'padstr was not replaced in atapi.c'
 59 |         fi
 60 |         sed -i 's/QEMU MICRODRIVE/DELL MICRODRIVE/g' qemu*/hw/ide/core.c > /dev/null 2>&1
 61 |             if [ $? -eq 0 ]; then
 62 |             echo 'QEMU MICRODRIVE was not replaced in core.c'
 63 |         fi
 64 | 
 65 |         echo '[+] Starting to compile code'
 66 |         # not make sense compile if was not patched
 67 |         apt-get source --compile qemu > /dev/null 2>&1
 68 |         if [ $? -eq 0 ]; then
 69 |             dpkg -i qemu*.deb
 70 |             if [ $? -eq 0 ]; then
 71 |                 echo '[+] Patched, compiled and installed'
 72 |             else
 73 |                 echo '[-] Install failed'
 74 |             fi
 75 |         else
 76 |             echo '[-] Compilling failed'
 77 |         fi
 78 |         echo '[+] Starting Installation'
 79 |         dpkg -i qemu*.deb
 80 | 
 81 |     else
 82 |         echo '[-] Download of QEMU source was not possible'
 83 |     fi
 84 | }
 85 | 
 86 | function seabios_func 
 87 | {
 88 |     echo '[+] Installing SeaBios dependencies'
 89 |     apt-get install git iasl > /dev/null 2>&1
 90 |     git clone git://git.seabios.org/seabios.git > /dev/null 2>&1
 91 |     if [ $? -eq 0 ]; then
 92 |         cd seabios
 93 |         sed -i 's/Bochs/DELL/g' src/config.h > /dev/null 2>&1
 94 |         sed -i 's/BOCHSCPU/DELLCPU/g' src/config.h > /dev/null 2>&1
 95 |         sed -i 's/BOCHS/DELL/g' src/config.h > /dev/null 2>&1
 96 |         sed -i 's/BXPC/DELLS/g' src/config.h > /dev/null 2>&1
 97 |         make
 98 |         if [ $? -eq 0 ]; then
 99 |             echo '[+] Compiled SeaBios, bios file located in -> out/bios.bin'
100 |             echo '[+] Replacing old bios.bin to new one, with backup'
101 |             cp /usr/share/qemu/bios.bin /usr/share/qemu/bios.bin_back
102 |             if [ $? == 0 ]; then
103 |                 echo '[+] Original bios.bin file backuped to /usr/share/qemu/bios.bin_back'
104 |                 cp out/bios.bin /usr/share/qemu/bios.bin
105 |                 if [ $? -eq 0 ]; then
106 |                     echo '[+] Patched bios.bin placed correctly'
107 |                 else:
108 |                     echo '[-] Bios patching failed'
109 |                 fi
110 |             else:
111 |                 echo '[-] Bios backup failed'
112 |             fi
113 | 
114 |         fi
115 |     else
116 |         echo '[-] Check if git installed or network connection is OK'
117 |     fi
118 | }
119 | 
120 | #check if start with root
121 | if [ $EUID -ne 0 ]; then
122 |    echo 'This script must be run as root'
123 |    exit 1
124 | fi
125 | 
126 | if [ $# -eq 0 ]; then
127 |     usage
128 | fi
129 | 
130 | if [ "$1" = '-h' ]; then
131 |     usage
132 | fi
133 | 
134 | 
135 | if [ "$1" = 'All' ]; then
136 |     install_kvm
137 |     qemu_func
138 |     seabios_func
139 | fi
140 | 
141 | if [ "$1" = 'QEMU' ]; then
142 |     qemu_func
143 | fi
144 | 
145 | if [ "$1" = 'SeaBios' ]; then
146 |     seabios_func
147 | fi
148 | 
149 | if [ "$1" = 'KVM' ]; then
150 |     install_kvm
151 | fi
152 | 


--------------------------------------------------------------------------------
/gen-configs/vsftpd.conf:
--------------------------------------------------------------------------------
  1 | # Example config file /etc/vsftpd.conf
  2 | #
  3 | # The default compiled in settings are fairly paranoid. This sample file
  4 | # loosens things up a bit, to make the ftp daemon more usable.
  5 | # Please see vsftpd.conf.5 for all compiled in defaults.
  6 | #
  7 | # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
  8 | # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
  9 | # capabilities.
 10 | #
 11 | #
 12 | # Run standalone?  vsftpd can run either from an inetd or as a standalone
 13 | # daemon started from an initscript.
 14 | listen=YES
 15 | #
 16 | # This directive enables listening on IPv6 sockets. By default, listening
 17 | # on the IPv6 "any" address (::) will accept connections from both IPv6
 18 | # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
 19 | # sockets. If you want that (perhaps because you want to listen on specific
 20 | # addresses) then you must run two copies of vsftpd with two configuration
 21 | # files.
 22 | listen_ipv6=NO
 23 | #
 24 | # Allow anonymous FTP? (Disabled by default).
 25 | anonymous_enable=YES
 26 | #
 27 | # Uncomment this to allow local users to log in.
 28 | local_enable=NO
 29 | #
 30 | # Uncomment this to enable any form of FTP write command.
 31 | write_enable=YES
 32 | #
 33 | # Default umask for local users is 077. You may wish to change this to 022,
 34 | # if your users expect that (022 is used by most other ftpd's)
 35 | #local_umask=022
 36 | #
 37 | # Uncomment this to allow the anonymous FTP user to upload files. This only
 38 | # has an effect if the above global write enable is activated. Also, you will
 39 | # obviously need to create a directory writable by the FTP user.
 40 | anon_upload_enable=YES
 41 | #
 42 | # Uncomment this if you want the anonymous FTP user to be able to create
 43 | # new directories.
 44 | anon_mkdir_write_enable=YES
 45 | #
 46 | # Activate directory messages - messages given to remote users when they
 47 | # go into a certain directory.
 48 | dirmessage_enable=YES
 49 | #
 50 | # If enabled, vsftpd will display directory listings with the time
 51 | # in  your  local  time  zone.  The default is to display GMT. The
 52 | # times returned by the MDTM FTP command are also affected by this
 53 | # option.
 54 | use_localtime=YES
 55 | #
 56 | # Activate logging of uploads/downloads.
 57 | xferlog_enable=YES
 58 | #
 59 | # Make sure PORT transfer connections originate from port 20 (ftp-data).
 60 | connect_from_port_20=YES
 61 | #
 62 | # If you want, you can arrange for uploaded anonymous files to be owned by
 63 | # a different user. Note! Using "root" for uploaded files is not
 64 | # recommended!
 65 | #chown_uploads=YES
 66 | #chown_username=whoever
 67 | #
 68 | # You may override where the log file goes if you like. The default is shown
 69 | # below.
 70 | #xferlog_file=/var/log/vsftpd.log
 71 | #
 72 | # If you want, you can have your log file in standard ftpd xferlog format.
 73 | # Note that the default log file location is /var/log/xferlog in this case.
 74 | #xferlog_std_format=YES
 75 | #
 76 | # You may change the default value for timing out an idle session.
 77 | #idle_session_timeout=600
 78 | #
 79 | # You may change the default value for timing out a data connection.
 80 | #data_connection_timeout=120
 81 | #
 82 | # It is recommended that you define on your system a unique user which the
 83 | # ftp server can use as a totally isolated and unprivileged user.
 84 | #nopriv_user=ftpsecure
 85 | #
 86 | # Enable this and the server will recognise asynchronous ABOR requests. Not
 87 | # recommended for security (the code is non-trivial). Not enabling it,
 88 | # however, may confuse older FTP clients.
 89 | #async_abor_enable=YES
 90 | #
 91 | # By default the server will pretend to allow ASCII mode but in fact ignore
 92 | # the request. Turn on the below options to have the server actually do ASCII
 93 | # mangling on files when in ASCII mode.
 94 | # Beware that on some FTP servers, ASCII support allows a denial of service
 95 | # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
 96 | # predicted this attack and has always been safe, reporting the size of the
 97 | # raw file.
 98 | # ASCII mangling is a horrible feature of the protocol.
 99 | #ascii_upload_enable=YES
100 | #ascii_download_enable=YES
101 | #
102 | # You may fully customise the login banner string:
103 | #ftpd_banner=Welcome to blah FTP service.
104 | #
105 | # You may specify a file of disallowed anonymous e-mail addresses. Apparently
106 | # useful for combatting certain DoS attacks.
107 | #deny_email_enable=YES
108 | # (default follows)
109 | #banned_email_file=/etc/vsftpd.banned_emails
110 | #
111 | # You may restrict local users to their home directories.  See the FAQ for
112 | # the possible risks in this before using chroot_local_user or
113 | # chroot_list_enable below.
114 | #chroot_local_user=YES
115 | #
116 | # You may specify an explicit list of local users to chroot() to their home
117 | # directory. If chroot_local_user is YES, then this list becomes a list of
118 | # users to NOT chroot().
119 | # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
120 | # the user does not have write access to the top level directory within the
121 | # chroot)
122 | #chroot_local_user=YES
123 | #chroot_list_enable=YES
124 | # (default follows)
125 | #chroot_list_file=/etc/vsftpd.chroot_list
126 | #
127 | # You may activate the "-R" option to the builtin ls. This is disabled by
128 | # default to avoid remote users being able to cause excessive I/O on large
129 | # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
130 | # the presence of the "-R" option, so there is a strong case for enabling it.
131 | #ls_recurse_enable=YES
132 | #
133 | # Customization
134 | #
135 | # Some of vsftpd's settings don't fit the filesystem layout by
136 | # default.
137 | #
138 | # This option should be the name of a directory which is empty.  Also, the
139 | # directory should not be writable by the ftp user. This directory is used
140 | # as a secure chroot() jail at times vsftpd does not require filesystem
141 | # access.
142 | secure_chroot_dir=/var/run/vsftpd/empty
143 | #
144 | # This string is the name of the PAM service vsftpd will use.
145 | pam_service_name=vsftpd
146 | #
147 | # This option specifies the location of the RSA certificate to use for SSL
148 | # encrypted connections.
149 | rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
150 | rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
151 | ssl_enable=NO
152 | 
153 | #
154 | # Uncomment this to indicate that vsftpd use a utf8 filesystem.
155 | #utf8_filesystem=YES
156 | 
157 | listen_address=192.168.100.1
158 | listen_port=2121
159 | anon_root=/home/cuckoo/vmshared
160 | anon_umask=000
161 | chown_upload_mode=0666
162 | pasv_enable=Yes
163 | pasv_min_port=10090
164 | pasv_max_port=10100


--------------------------------------------------------------------------------
/gen-configs/torrc:
--------------------------------------------------------------------------------
  1 | ## Configuration file for a typical Tor user
  2 | ## Last updated 22 September 2015 for Tor 0.2.7.3-alpha.
  3 | ## (may or may not work for much older or much newer versions of Tor.)
  4 | ##
  5 | ## Lines that begin with "## " try to explain what's going on. Lines
  6 | ## that begin with just "#" are disabled commands: you can enable them
  7 | ## by removing the "#" symbol.
  8 | ##
  9 | ## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
 10 | ## for more options you can use in this file.
 11 | ##
 12 | ## Tor will look for this file in various places based on your platform:
 13 | ## https://www.torproject.org/docs/faq#torrc
 14 | 
 15 | ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
 16 | ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
 17 | ## as a relay, and not make any local application connections yourself.
 18 | #SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
 19 | #SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
 20 | 
 21 | ## Entry policies to allow/deny SOCKS requests based on IP address.
 22 | ## First entry that matches wins. If no SOCKSPolicy is set, we accept
 23 | ## all (and only) requests that reach a SOCKSPort. Untrusted users who
 24 | ## can access your SOCKSPort may be able to learn about the connections
 25 | ## you make.
 26 | #SOCKSPolicy accept 192.168.0.0/16
 27 | #SOCKSPolicy accept6 FC00::/7
 28 | #SOCKSPolicy reject *
 29 | 
 30 | ## Logs go to stdout at level "notice" unless redirected by something
 31 | ## else, like one of the below lines. You can have as many Log lines as
 32 | ## you want.
 33 | ##
 34 | ## We advise using "notice" in most cases, since anything more verbose
 35 | ## may provide sensitive information to an attacker who obtains the logs.
 36 | ##
 37 | ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
 38 | #Log notice file /var/log/tor/notices.log
 39 | ## Send every possible message to /var/log/tor/debug.log
 40 | #Log debug file /var/log/tor/debug.log
 41 | ## Use the system log instead of Tor's logfiles
 42 | #Log notice syslog
 43 | ## To send all messages to stderr:
 44 | #Log debug stderr
 45 | 
 46 | ## Uncomment this to start the process in the background... or use
 47 | ## --runasdaemon 1 on the command line. This is ignored on Windows;
 48 | ## see the FAQ entry if you want Tor to run as an NT service.
 49 | #RunAsDaemon 1
 50 | 
 51 | ## The directory for keeping all the keys/etc. By default, we store
 52 | ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 53 | #DataDirectory /var/lib/tor
 54 | 
 55 | ## The port on which Tor will listen for local connections from Tor
 56 | ## controller applications, as documented in control-spec.txt.
 57 | #ControlPort 9051
 58 | ## If you enable the controlport, be sure to enable one of these
 59 | ## authentication methods, to prevent attackers from accessing it.
 60 | #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
 61 | #CookieAuthentication 1
 62 | 
 63 | ############### This section is just for location-hidden services ###
 64 | 
 65 | ## Once you have configured a hidden service, you can look at the
 66 | ## contents of the file ".../hidden_service/hostname" for the address
 67 | ## to tell people.
 68 | ##
 69 | ## HiddenServicePort x y:z says to redirect requests on port x to the
 70 | ## address y:z.
 71 | 
 72 | #HiddenServiceDir /var/lib/tor/hidden_service/
 73 | #HiddenServicePort 80 127.0.0.1:80
 74 | 
 75 | #HiddenServiceDir /var/lib/tor/other_hidden_service/
 76 | #HiddenServicePort 80 127.0.0.1:80
 77 | #HiddenServicePort 22 127.0.0.1:22
 78 | 
 79 | ################ This section is just for relays #####################
 80 | #
 81 | ## See https://www.torproject.org/docs/tor-doc-relay for details.
 82 | 
 83 | ## Required: what port to advertise for incoming Tor connections.
 84 | #ORPort 9001
 85 | ## If you want to listen on a port other than the one advertised in
 86 | ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
 87 | ## follows.  You'll need to do ipchains or other port forwarding
 88 | ## yourself to make this work.
 89 | #ORPort 443 NoListen
 90 | #ORPort 127.0.0.1:9090 NoAdvertise
 91 | 
 92 | ## The IP address or full DNS name for incoming connections to your
 93 | ## relay. Leave commented out and Tor will guess.
 94 | #Address noname.example.com
 95 | 
 96 | ## If you have multiple network interfaces, you can specify one for
 97 | ## outgoing traffic to use.
 98 | # OutboundBindAddress 10.0.0.5
 99 | 
100 | ## A handle for your relay, so people don't have to refer to it by key.
101 | #Nickname ididnteditheconfig
102 | 
103 | ## Define these to limit how much relayed traffic you will allow. Your
104 | ## own traffic is still unthrottled. Note that RelayBandwidthRate must
105 | ## be at least 20 kilobytes per second.
106 | ## Note that units for these config options are bytes (per second), not
107 | ## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
108 | ## 2^20, etc.
109 | #RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)
110 | #RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
111 | 
112 | ## Use these to restrict the maximum traffic per day, week, or month.
113 | ## Note that this threshold applies separately to sent and received bytes,
114 | ## not to their sum: setting "40 GB" may allow up to 80 GB total before
115 | ## hibernating.
116 | ##
117 | ## Set a maximum of 40 gigabytes each way per period.
118 | #AccountingMax 40 GBytes
119 | ## Each period starts daily at midnight (AccountingMax is per day)
120 | #AccountingStart day 00:00
121 | ## Each period starts on the 3rd of the month at 15:00 (AccountingMax
122 | ## is per month)
123 | #AccountingStart month 3 15:00
124 | 
125 | ## Administrative contact information for this relay or bridge. This line
126 | ## can be used to contact you if your relay or bridge is misconfigured or
127 | ## something else goes wrong. Note that we archive and publish all
128 | ## descriptors containing these lines and that Google indexes them, so
129 | ## spammers might also collect them. You may want to obscure the fact that
130 | ## it's an email address and/or generate a new address for this purpose.
131 | #ContactInfo Random Person <nobody AT example dot com>
132 | ## You might also include your PGP or GPG fingerprint if you have one:
133 | #ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
134 | 
135 | ## Uncomment this to mirror directory information for others. Please do
136 | ## if you have enough bandwidth.
137 | #DirPort 9030 # what port to advertise for directory connections
138 | ## If you want to listen on a port other than the one advertised in
139 | ## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
140 | ## follows.  below too. You'll need to do ipchains or other port
141 | ## forwarding yourself to make this work.
142 | #DirPort 80 NoListen
143 | #DirPort 127.0.0.1:9091 NoAdvertise
144 | ## Uncomment to return an arbitrary blob of html on your DirPort. Now you
145 | ## can explain what Tor is if anybody wonders why your IP address is
146 | ## contacting them. See contrib/tor-exit-notice.html in Tor's source
147 | ## distribution for a sample.
148 | #DirPortFrontPage /etc/tor/tor-exit-notice.html
149 | 
150 | ## Uncomment this if you run more than one Tor relay, and add the identity
151 | ## key fingerprint of each Tor relay you control, even if they're on
152 | ## different networks. You declare it here so Tor clients can avoid
153 | ## using more than one of your relays in a single circuit. See
154 | ## https://www.torproject.org/docs/faq#MultipleRelays
155 | ## However, you should never include a bridge's fingerprint here, as it would
156 | ## break its concealability and potentially reveal its IP/TCP address.
157 | #MyFamily $keyid,$keyid,...
158 | 
159 | ## A comma-separated list of exit policies. They're considered first
160 | ## to last, and the first match wins.
161 | ##
162 | ## If you want to allow the same ports on IPv4 and IPv6, write your rules
163 | ## using accept/reject *. If you want to allow different ports on IPv4 and
164 | ## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
165 | ## using accept/reject *4.
166 | ##
167 | ## If you want to _replace_ the default exit policy, end this with either a
168 | ## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
169 | ## the default exit policy. Leave commented to just use the default, which is
170 | ## described in the man page or at
171 | ## https://www.torproject.org/documentation.html
172 | ##
173 | ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
174 | ## for issues you might encounter if you use the default exit policy.
175 | ##
176 | ## If certain IPs and ports are blocked externally, e.g. by your firewall,
177 | ## you should update your exit policy to reflect this -- otherwise Tor
178 | ## users will be told that those destinations are down.
179 | ##
180 | ## For security, by default Tor rejects connections to private (local)
181 | ## networks, including to the configured primary public IPv4 and IPv6 addresses,
182 | ## and any public IPv4 and IPv6 addresses on any interface on the relay.
183 | ## See the man page entry for ExitPolicyRejectPrivate if you want to allow
184 | ## "exit enclaving".
185 | ##
186 | #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
187 | #ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
188 | #ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
189 | #ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
190 | #ExitPolicy reject *:* # no exits allowed
191 | 
192 | ## Bridge relays (or "bridges") are Tor relays that aren't listed in the
193 | ## main directory. Since there is no complete public list of them, even an
194 | ## ISP that filters connections to all the known Tor relays probably
195 | ## won't be able to block all the bridges. Also, websites won't treat you
196 | ## differently because they won't know you're running Tor. If you can
197 | ## be a real relay, please do; but if not, be a bridge!
198 | #BridgeRelay 1
199 | ## By default, Tor will advertise your bridge to users through various
200 | ## mechanisms like https://bridges.torproject.org/. If you want to run
201 | ## a private bridge, for example because you'll give out your bridge
202 | ## address manually to your friends, uncomment this line:
203 | #PublishServerDescriptor 0
204 | 
205 | TransListenAddress 192.168.100.1
206 | TransPort 9040
207 | DNSListenAddress 192.168.100.1
208 | DNSPort 5353


--------------------------------------------------------------------------------
/cuckoo.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Thanks to Sean Whalen for this amazing post:
  4 | # https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
  5 | 
  6 | #-------------------------------------------#
  7 | #      Install Cuckoo Sandbox Version       #
  8 | #          Tested on Ubuntu 16.04           #
  9 | #             -Daniel Gallagher             #
 10 | #-------------------------------------------#
 11 | 
 12 | function usage
 13 | {
 14 | 	echo "Usage: $0 <path> <password> <ip> <machinery>"
 15 | 	echo '---Optional Arguments---'
 16 | 	echo 'Cuckoo Install Path -> Example /opt' #option 1
 17 | 	echo 'Database Password -> PostgreSQL password' #option 2
 18 | 	echo 'Public IP -> For web console' #option 3
 19 | 	echo 'Machinery -> kvm | virtualbox' #option 4
 20 | 	exit
 21 | }
 22 | 
 23 | rand_passwd=$(date +%s | sha256sum | base64 | head -c 32 ; echo)
 24 | auto_ip=$(ip route | grep src | awk '{print $9}')
 25 | 
 26 | cuckoo_path=${1:-/opt} #Default path: /opt
 27 | passwd=${2:-$rand_passwd} #Default password is randomish
 28 | my_ip=${3:-$auto_ip} #Default IP is interface on install machine
 29 | machine=${4:-kvm} #Default machinery: kvm
 30 | 
 31 | cuckoo_passwd=$passwd
 32 | db_passwd=\'$passwd\'
 33 | 
 34 | function deps
 35 | {
 36 | 
 37 | echo -e "\e[96m[+] Cuckoo Path: $cuckoo_path \e[0m"
 38 | echo -e "\e[96m[+] DB Password: $passwd \e[0m"
 39 | echo -e "\e[96m[+] Web Portal IP: $my_ip \e[0m"
 40 | 
 41 | echo -e '\e[35m[+] APT Update \e[0m'
 42 | 	apt-get update -y >/dev/null 2>&1
 43 | 
 44 | echo -e '\e[35m[+] APT Upgrade \e[0m'
 45 | 	apt-get upgrade -y >/dev/null 2>&1
 46 | 
 47 | echo -e '\e[35m[+] APT Dist-Upgrade and Autoremove \e[0m'
 48 | 	apt-get dist-upgrade -y >/dev/null 2>&1
 49 | 	apt-get autoremove -y >/dev/null 2>&1
 50 | 
 51 | echo -e '\e[35m[+] Installing Dependencies \e[0m'
 52 | 
 53 | 	#Basic dependencies
 54 | 	echo -e '\e[93m    [+] Round 1 of 3 \e[0m'
 55 | 	apt-get install mongodb python python-dev python-pip python-m2crypto swig -y >/dev/null 2>&1
 56 | 	echo -e '\e[93m    [+] Round 2 of 3 \e[0m'
 57 | 	apt-get install libvirt-dev upx-ucl libssl-dev unzip p7zip-full libgeoip-dev libjpeg-dev -y >/dev/null 2>&1
 58 | 	echo -e '\e[93m    [+] Round 3 of 3 \e[0m'
 59 | 	apt-get install mono-utils ssdeep libfuzzy-dev libimage-exiftool-perl openjdk-8-jre-headless -y >/dev/null 2>&1
 60 | 
 61 | 	#Additional dependencies for malheur
 62 | 	apt-get install uthash-dev libtool libconfig-dev libarchive-dev autoconf automake checkinstall -y >/dev/null 2>&1
 63 | 
 64 | 	#Upgrade pip
 65 | 	pip install --upgrade pip >/dev/null 2>&1
 66 | 
 67 | 	#To generate PDF reports
 68 | 	apt-get install wkhtmltopdf xvfb xfonts-100dpi -y >/dev/null 2>&1
 69 | 
 70 | 	#Copy default configs
 71 | 	echo -e '\e[93m    [+] Copy Configuration Files \e[0m'
 72 | 	cp -r ./kvm-configs/ /tmp/
 73 | 	cp -r ./virtualbox-configs/ /tmp/
 74 | 	cp -r ./gen-configs/ /tmp/
 75 | 
 76 | echo -e '\e[35m[+] Installing Yara \e[0m'
 77 | 
 78 | 	#Yara Dependencies
 79 | 	echo -e '\e[93m    [+] Dependencies \e[0m'
 80 | 	apt-get install libjansson-dev libmagic-dev bison -y >/dev/null 2>&1
 81 | 
 82 | 	#Configure Yara for Cuckoo and Magic and then install
 83 | 	echo -e '\e[93m    [+] Git Clone \e[0m'
 84 | 	cd /opt
 85 | 	git clone https://github.com/VirusTotal/yara.git >/dev/null 2>&1
 86 | 	cd yara
 87 | 	./bootstrap.sh >/dev/null 2>&1
 88 | 	echo -e '\e[93m    [+] Configure with Cuckoo and Magic Enabled \e[0m'
 89 | 	./configure --enable-cuckoo --enable-magic >/dev/null 2>&1
 90 | 	make >/dev/null 2>&1
 91 | 	echo -e '\e[93m    [+] Installing... \e[0m'
 92 | 	make install >/dev/null 2>&1
 93 | 
 94 | 	#Install yara-python
 95 | 	echo -e '\e[93m    [+] Yara-Python \e[0m'
 96 | 	pip install yara-python >/dev/null 2>&1
 97 | 
 98 | echo -e '\e[35m[+] Installing ClamAV \e[0m'
 99 | 
100 | 	#Install ClamAV
101 | 	apt-get install clamav clamav-daemon clamav-freshclam -y >/dev/null 2>&1
102 | 
103 | echo -e '\e[35m[+] Installing Pydeep \e[0m'
104 | 
105 | 	#Install Pydeep
106 | 	pip install git+https://github.com/kbandla/pydeep.git >/dev/null 2>&1
107 | 
108 | echo -e '\e[35m[+] Installing Malheur \e[0m'
109 | 
110 | 	#Install malheur
111 | 	echo -e '\e[93m    [+] Git Clone \e[0m'
112 | 	cd /opt
113 | 	git clone https://github.com/rieck/malheur.git >/dev/null 2>&1
114 | 	cd malheur
115 | 	./bootstrap >/dev/null 2>&1
116 | 	echo -e '\e[93m    [+] Configure \e[0m'
117 | 	./configure --prefix=/usr >/dev/null 2>&1
118 | 	make >/dev/null 2>&1
119 | 	echo -e '\e[93m    [+] Installing... \e[0m'
120 | 	make install >/dev/null 2>&1
121 | 
122 | echo -e '\e[35m[+] Installing Volatility \e[0m'
123 | 
124 | 	#Install volatility
125 | 	echo -e '\e[93m    [+] Dependencies \e[0m'
126 | 	apt-get install python-pil -y >/dev/null 2>&1
127 | 	pip install distorm3 pycrypto openpyxl >/dev/null 2>&1
128 | 	echo -e '\e[93m    [+] Installing... \e[0m'
129 | 	apt-get install volatility -y >/dev/null 2>&1
130 | 
131 | echo -e '\e[35m[+] Installing PyV8 Javascript Engine (this will take some time) \e[0m'
132 | 
133 | 	#Additional dependencies for PyV8
134 | 	echo -e '\e[93m    [+] Dependencies \e[0m'
135 | 	apt-get install libboost-all-dev -y >/dev/null 2>&1
136 | 
137 | 	#Install PyV8
138 | 	echo -e '\e[93m    [+] Git Clone \e[0m'
139 | 	cd /opt
140 | 	git clone https://github.com/buffer/pyv8.git >/dev/null 2>&1
141 | 	cd pyv8
142 | 	echo -e '\e[93m    [+] Build (this is the long part...)\e[0m'
143 | 	python setup.py build >/dev/null 2>&1
144 | 	echo -e '\e[93m    [+] Installing... \e[0m'
145 | 	python setup.py install >/dev/null 2>&1
146 | 
147 | echo -e '\e[35m[+] Configuring TcpDump \e[0m'
148 | 
149 | 	#Configure tcpdump
150 | 	chmod +s /usr/sbin/tcpdump
151 | 
152 | echo -e '\e[35m[+] Installing Suricata \e[0m'
153 | 
154 | 	#Install Suricata
155 | 	apt-get install suricata -y >/dev/null 2>&1
156 | 	echo "alert http any any -> any any (msg:\"FILE store all\"; filestore; noalert; sid:15; rev:1;)"  | sudo tee /etc/suricata/rules/cuckoo.rules >/dev/null 2>&1
157 | 
158 | echo -e '\e[35m[+] Installing ETUpdate \e[0m'
159 | 
160 | 	#Install ETUpdate
161 | 	cd /opt
162 | 	git clone https://github.com/seanthegeek/etupdate.git >/dev/null 2>&1
163 | 	cp etupdate/etupdate /usr/sbin
164 | 
165 | 	#Download rules
166 | 	/usr/sbin/etupdate -V >/dev/null 2>&1
167 | 
168 | }
169 | 
170 | function postgres
171 | {
172 | 
173 | echo -e '\e[35m[+] Installing PostgreSQL \e[0m'
174 | 
175 | 	#Install PostgreSQL
176 | 	apt-get install postgresql-9.5 postgresql-contrib-9.5 libpq-dev -y >/dev/null 2>&1
177 | 	pip install psycopg2 >/dev/null 2>&1
178 | 
179 | echo -e '\e[35m[+] Configuring PostgreSQL DB \e[0m'
180 | 
181 | 	su - postgres <<EOF
182 | psql -c "CREATE USER cuckoo WITH PASSWORD $db_passwd;" >/dev/null 2>&1
183 | psql -c "CREATE DATABASE cuckoo;" >/dev/null 2>&1
184 | psql -c "GRANT ALL PRIVILEGES ON DATABASE cuckoo to cuckoo;" >/dev/null 2>&1
185 | EOF
186 | 
187 | }
188 | 
189 | function kvm
190 | {
191 | 
192 | echo -e '\e[35m[+] Installing KVM \e[0m'
193 | 
194 | 	#Install KVM and virt-manager
195 | 	apt-get install qemu-kvm libvirt-bin virt-manager libgl1-mesa-glx -y >/dev/null 2>&1
196 | 
197 | 	#Add current user to kvm and libvirt groups for admin
198 | 	usermod -a -G kvm $USER
199 | 	usermod -a -G libvirtd $USER
200 | 
201 | 	#Deactivate default network
202 | 	echo -e '\e[93m    [+] Remove Default Virtual Network \e[0m'
203 | 
204 | 	virsh net-destroy default >/dev/null 2>&1
205 | 
206 | 	#Remove default network from libvirt configuration
207 | 	virsh net-undefine default >/dev/null 2>&1
208 | 
209 | 	#Create cuckoo network configuration file
210 | 	echo -e '\e[93m    [+] Create Cuckoo Virtual Network \e[0m'
211 | 
212 | 	cat >/tmp/cuckoo_net.xml <<EOF
213 | <network>
214 | 	<name>cuckoo</name>
215 | 	<bridge name='virbr0' stp='on' delay='0'/>
216 | 	<domain name='cuckoo'/>
217 | 	<ip address='192.168.100.1' netmask='255.255.255.0'>
218 | <dhcp>
219 | 	<range start='192.168.100.128' end='192.168.100.254'/>
220 | </dhcp>
221 | </ip>
222 | </network>
223 | EOF
224 | 
225 | 	#Create new cuckoo network from xml configuration
226 | 	virsh net-define --file /tmp/cuckoo_net.xml >/dev/null 2>&1
227 | 
228 | 	#Set cuckoo network to autostart
229 | 	virsh net-autostart cuckoo >/dev/null 2>&1
230 | 
231 | 	#Start cuckoo network
232 | 	virsh net-start cuckoo >/dev/null 2>&1
233 | 
234 | }
235 | 
236 | function virtualbox
237 | {
238 | 
239 | 	#Add virtualbox repository
240 | 	apt-add-repository "deb http://download.virtualbox.org/virtualbox/debian xenial contrib"
241 | 
242 | 	#Add repository key
243 | 	wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | apt-key add -
244 | 	wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | apt-key add -
245 | 
246 | 	#Update apt packages
247 | 	apt-get update -y
248 | 
249 | 	#Install virtualbox
250 | 	apt-get install virtualbox-5.1 -y
251 | 
252 | 	#Install dkms package
253 | 	apt-get install dkms -y
254 | 
255 | }
256 | 
257 | function create_cuckoo_user
258 | {
259 | 
260 | echo -e '\e[35m[+] Creating Cuckoo User \e[0m'
261 | 
262 | 	#Creates cuckoo system user
263 | 	adduser --system cuckoo >/dev/null 2>&1
264 | 	usermod -L cuckoo
265 | 	usermod -a -G kvm cuckoo
266 | 	usermod -a -G libvirtd cuckoo
267 | 	usermod -a -G cuckoo $USER
268 | }
269 | 
270 | function cuckoo_mod
271 | {
272 | 
273 | echo -e '\e[35m[+] Installing Modified Version of Cuckoo \e[0m'
274 | 
275 | 	#Option to install modified cuckoo version
276 | 	su - cuckoo <<EOF
277 | cd
278 | wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.30.jar >/dev/null 2>&1
279 | git clone https://github.com/doomedraven/cuckoo-modified.git >/dev/null 2>&1
280 | mkdir vmshared
281 | cp cuckoo-modified/agent/agent.py vmshared/agent.pyw
282 | EOF
283 | 
284 | 	chmod ug=rwX,o=rX /home/cuckoo/vmshared
285 | 	mv /home/cuckoo/cuckoo-modified $cuckoo_path/cuckoo
286 | 	pip install -r $cuckoo_path/cuckoo/requirements.txt >/dev/null 2>&1
287 | 	cp /tmp/gen-configs/suricata-cuckoo.yaml /etc/suricata/suricata-cuckoo.yaml
288 | 
289 | echo -e '\e[93m    [+] Installing Signatures \e[0m'
290 | 
291 | 	su - cuckoo <<EOF
292 | cd $cuckoo_path/cuckoo/utils
293 | ./community.py -afw >/dev/null 2>&1
294 | EOF
295 | 
296 | echo -e '\e[93m    [+] Modifying Config \e[0m'
297 | 
298 | 	sed -i -e "s@connection =@connection = postgresql://cuckoo:$passwd\@localhost:5432/cuckoo@" $cuckoo_path/cuckoo/conf/cuckoo.conf
299 | 
300 | 	chown -R cuckoo:cuckoo $cuckoo_path/cuckoo
301 | }
302 | 
303 | function cuckoo_orig
304 | {
305 | 
306 | echo -e '\e[35m[+] Installing Mainstream Version of Cuckoo \e[0m'
307 | 
308 | 	#Option to install original cuckoo version
309 | 	su - cuckoo <<EOF
310 | cd
311 | wget https://bitbucket.org/mstrobel/procyon/downloads/procyon-decompiler-0.5.30.jar
312 | git clone https://github.com/cuckoosandbox/cuckoo.git
313 | mkdir vmshared
314 | cp cuckoo/agent/agent.py vmshared/agent.pyw
315 | EOF
316 | 
317 | 	chmod ug=rwX,o=rX /home/cuckoo/vmshared
318 | 	mv /home/cuckoo/cuckoo $cuckoo_path/cuckoo
319 | 	pip install -r $cuckoo_path/cuckoo/requirements.txt
320 | 	cp /tmp/gen-configs/suricata-cuckoo.yaml /etc/suricata/suricata-cuckoo.yaml
321 | 
322 | echo -e '\e[35m[+] Installing Cuckoo Signatures \e[0m'
323 | 
324 | 	su - cuckoo <<EOF
325 | cd $cuckoo_path/cuckoo/utils
326 | ./community.py -afw
327 | EOF
328 | 
329 | echo -e '\e[35m[+] Modifing Cuckoo Config \e[0m'
330 | 
331 | 	sed -i -e "s@connection =@connection = postgresql://cuckoo:$passwd\@localhost:5432/cuckoo@" $cuckoo_path/cuckoo/conf/cuckoo.conf
332 | 
333 | 	chown -R cuckoo:cuckoo $cuckoo_path/cuckoo
334 | }
335 | 
336 | function nginx
337 | {
338 | 
339 | echo -e '\e[35m[+] Installing Nginx \e[0m'
340 | 
341 | 	#Install nginx
342 | 	apt-get install nginx apache2-utils -y >/dev/null 2>&1
343 | 
344 | echo -e '\e[93m    [+] Configuring \e[0m'
345 | 
346 | 	#Remove default nginx configuration
347 | 	rm /etc/nginx/sites-enabled/default
348 | 
349 | 	#Create cuckoo web server config
350 | 	cp /tmp/gen-configs/nginx_config /etc/nginx/sites-available/cuckoo
351 | 
352 | 	#Modify nginx IP for web interface
353 | 	sed -i -e "s@listen IP_Address\:443@listen $my_ip\:443@" /etc/nginx/sites-available/cuckoo
354 | 	sed -i -e "s@listen IP_Address\:80@listen $my_ip\:80@" /etc/nginx/sites-available/cuckoo
355 | 	sed -i -e "s@listen IP_Address\:4343@listen $my_ip\:4343@" /etc/nginx/sites-available/cuckoo
356 | 	sed -i -e "s@allow IP_Address@allow $my_ip@" /etc/nginx/sites-available/cuckoo
357 | 
358 | 	#Enable cuckoo nginx config
359 | 	ln -s /etc/nginx/sites-available/cuckoo /etc/nginx/sites-enabled/cuckoo
360 | 
361 | }
362 | 
363 | function self_ssl
364 | {
365 | 
366 | echo -e '\e[93m    [+] Creating Self-Signed SSL Certificate \e[0m'
367 | 
368 | 	#Create ssl key folder
369 | 	mkdir /etc/nginx/ssl
370 | 
371 | 	#Generate self-signed certificate
372 | 	openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/cuckoo.key -out /etc/nginx/ssl/cuckoo.crt -subj "/C=XX/ST=XX/L=XX/O=IT/CN=$my_ip" >/dev/null 2>&1
373 | 
374 | echo -e '\e[93m    [+] Generating Diffie-Hellman (DH) Parameters (this will take some time) \e[0m'
375 | 
376 | 	#Generate Diffie-Hellman (DH) parameters. This takes a long time!
377 | 	openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 >/dev/null 2>&1
378 | 
379 | 	#Secure SSL keys
380 | 	chown -R root:www-data /etc/nginx/ssl
381 | 	chmod -R u=rX,g=rX,o= /etc/nginx/ssl
382 | 
383 | 	#Restart nginx
384 | 	service nginx restart
385 | 
386 | }
387 | 
388 | function misc_apps
389 | {
390 | 
391 | echo -e '\e[35m[+] Installing Inetsim \e[0m'
392 | 
393 | 	#Install inetsim
394 | 	cd /tmp
395 | 	wget http://www.inetsim.org/debian/binary/inetsim_1.2.5-1_all.deb >/dev/null 2>&1
396 | 
397 | 	#Install additional inetsim dependencies
398 | 	apt-get install libcgi-fast-perl libcgi-pm-perl libdigest-hmac-perl libfcgi-perl libio-multiplex-perl libio-socket-inet6-perl libipc-shareable-perl libnet-cidr-perl libnet-dns-perl libnet-ip-perl libnet-server-perl libsocket6-perl liblog-log4perl-perl -y >/dev/null 2>&1
399 | 	dpkg -i inetsim_1.2.5-1_all.deb >/dev/null 2>&1
400 | 
401 | 	#Copy default inetsim config
402 | 	cp /tmp/gen-configs/inetsim.conf /etc/inetsim/inetsim.conf
403 | 
404 | 	#Enable inetsim in default config
405 | 	sed -i -e 's@ENABLED=0@ENABLED=1@' /etc/default/inetsim
406 | 
407 | 	#Restart inetsim
408 | 	service inetsim restart
409 | 
410 | echo -e '\e[35m[+] Installing Tor Proxy \e[0m'
411 | 
412 | 	#Install tor
413 | 	apt-get install tor -y >/dev/null 2>&1
414 | 
415 | 	#Copy default tor config
416 | 	cp /tmp/gen-configs/torrc /etc/tor/torrc
417 | 
418 | 	#Restart tor
419 | 	service tor restart
420 | 
421 | echo -e '\e[35m[+] Installing Privoxy \e[0m'
422 | 
423 | 	#Install Privoxy
424 | 	apt-get install privoxy -y >/dev/null 2>&1
425 | 
426 | 	#Copy default privoxy config
427 | 	cp /tmp/gen-configs/privoxy_config /etc/privoxy/config
428 | 
429 | 	#Restart privoxy
430 | 	service privoxy restart
431 | 
432 | echo -e '\e[35m[+] Installing Routetor \e[0m'
433 | 
434 | 	#Install cuckoo scripts to utilize tor
435 | 	cd /opt
436 | 	git clone https://github.com/seanthegeek/routetor.git >/dev/null 2>&1
437 | 	cd routetor
438 | 	cp *tor* /usr/sbin
439 | 	/usr/sbin/routetor &
440 | 
441 | echo -e '\e[35m[+] Installing Vsftpd \e[0m'
442 | 
443 | 	#Create public accessible folder
444 | 	mkdir /home/cuckoo/vmshared/pub
445 | 	chown cuckoo:cuckoo /home/cuckoo/vmshared/pub
446 | 	chmod 777 /home/cuckoo/vmshared/pub
447 | 
448 | 	#Install vsftpd
449 | 	apt-get install vsftpd -y >/dev/null 2>&1
450 | 
451 | 	#Copy vsftpd config file
452 | 	cp /tmp/gen-configs/vsftpd.conf /etc/vsftpd.conf
453 | 
454 | 	#Restart vsftpd
455 | 	service vsftpd restart
456 | 
457 | }
458 | 
459 | function startup_script
460 | {
461 | 
462 | echo -e '\e[35m[+] Creating Startup Script for Cuckoo \e[0m'
463 | 
464 | 	#Install gunicorn
465 | 	pip install gunicorn >/dev/null 2>&1
466 | 
467 | 	#Copy default startup script
468 | 	if [ "$machine" = 'virtualbox' ]; then
469 | 		echo -e '\e[96m    [+] Startup Script Set for VirtualBox \e[0m'
470 | 		cp /tmp/virtualbox-configs/cuckooboot /usr/sbin/cuckooboot
471 | 	else
472 | 		echo -e '\e[93m    [+] Startup Script Set for KVM \e[0m'
473 | 		cp /tmp/kvm-configs/cuckooboot /usr/sbin/cuckooboot
474 | 	fi
475 | 
476 | 	chmod +x  /usr/sbin/cuckooboot
477 | 
478 | 	#Modify startup script to fit cuckoo install location
479 | 	sed -i -e "s@CUCKOO_PATH="/opt/cuckoo"@CUCKOO_PATH="$cuckoo_path/cuckoo"@" /usr/sbin/cuckooboot
480 | 
481 | 	#Add startup crontab entries
482 | 	(crontab -l -u cuckoo; echo "46 * * * * /usr/sbin/etupdate")| crontab -u cuckoo -
483 | 	(crontab -l -u cuckoo; echo "@reboot /usr/sbin/routetor")| crontab -u cuckoo -
484 | 	(crontab -l -u cuckoo; echo "@reboot /usr/sbin/cuckooboot")| crontab -u cuckoo -
485 | 
486 | 	#Run cuckoo
487 | 	#/usr/sbin/cuckooboot
488 | 
489 | echo -e '\e[35m[+] Installation Complete! \e[0m'
490 | 
491 | }
492 | 
493 | 
494 | if [ "$1" = '-h' ]; then
495 | 	usage
496 | fi
497 | 
498 | #Check if script was run as root
499 | if [ $EUID -ne 0 ]; then
500 | 	echo 'This script must be run as root'
501 | 	exit 1
502 | fi
503 | 
504 | if [ "$4" = 'virtualbox' ]; then
505 | 
506 | 	deps
507 | 	postgres
508 | 	virtualbox
509 | 	create_cuckoo_user
510 | 	cuckoo_mod
511 | 	nginx
512 | 	self_ssl
513 | 	misc_apps
514 | 	startup_script
515 | 
516 | else
517 | 
518 | 	deps
519 | 	postgres
520 | 	kvm
521 | 	create_cuckoo_user
522 | 	cuckoo_mod
523 | 	nginx
524 | 	self_ssl
525 | 	misc_apps
526 | 	startup_script
527 | fi
528 | 
529 | exit 0
530 | 


--------------------------------------------------------------------------------
/gen-configs/inetsim.conf:
--------------------------------------------------------------------------------
   1 | #############################################################
   2 | #
   3 | # INetSim configuration file
   4 | #
   5 | #############################################################
   6 | 
   7 | 
   8 | #############################################################
   9 | # Main configuration
  10 | #############################################################
  11 | 
  12 | #########################################
  13 | # start_service
  14 | #
  15 | # The services to start
  16 | #
  17 | # Syntax: start_service <service name>
  18 | #
  19 | # Default: none
  20 | #
  21 | # Available service names are:
  22 | # dns, http, smtp, pop3, tftp, ftp, ntp, time_tcp,
  23 | # time_udp, daytime_tcp, daytime_udp, echo_tcp,
  24 | # echo_udp, discard_tcp, discard_udp, quotd_tcp,
  25 | # quotd_udp, chargen_tcp, chargen_udp, finger,
  26 | # ident, syslog, dummy_tcp, dummy_udp, smtps, pop3s,
  27 | # ftps, irc, https
  28 | #
  29 | start_service dns
  30 | start_service http
  31 | start_service https
  32 | start_service smtp
  33 | start_service smtps
  34 | start_service pop3
  35 | start_service pop3s
  36 | start_service ftp
  37 | start_service ftps
  38 | start_service tftp
  39 | start_service irc
  40 | start_service ntp
  41 | start_service finger
  42 | start_service ident
  43 | start_service syslog
  44 | start_service time_tcp
  45 | start_service time_udp
  46 | start_service daytime_tcp
  47 | start_service daytime_udp
  48 | start_service echo_tcp
  49 | start_service echo_udp
  50 | start_service discard_tcp
  51 | start_service discard_udp
  52 | start_service quotd_tcp
  53 | start_service quotd_udp
  54 | start_service chargen_tcp
  55 | start_service chargen_udp
  56 | start_service dummy_tcp
  57 | start_service dummy_udp
  58 | 
  59 | 
  60 | #########################################
  61 | # service_bind_address
  62 | #
  63 | # IP address to bind services to
  64 | #
  65 | # Syntax: service_bind_address <IP address>
  66 | #
  67 | # Default: 127.0.0.1
  68 | #
  69 | service_bind_address	192.168.100.1
  70 | 
  71 | 
  72 | #########################################
  73 | # service_run_as_user
  74 | #
  75 | # User to run services
  76 | #
  77 | # Syntax: service_run_as_user <username>
  78 | #
  79 | # Default: inetsim
  80 | #
  81 | #service_run_as_user	nobody
  82 | 
  83 | 
  84 | #########################################
  85 | # service_max_childs
  86 | #
  87 | # Maximum number of child processes (parallel connections)
  88 | # for each service
  89 | #
  90 | # Syntax: service_max_childs [1..30]
  91 | #
  92 | # Default: 10
  93 | #
  94 | #service_max_childs	15
  95 | 
  96 | 
  97 | #########################################
  98 | # service_timeout
  99 | #
 100 | # If a client does not send any data for the number of seconds
 101 | # given here, the corresponding connection will be closed.
 102 | #
 103 | # Syntax: service_timeout [1..600]
 104 | #
 105 | # Default: 120
 106 | #
 107 | #service_timeout	60
 108 | 
 109 | 
 110 | #########################################
 111 | # create_reports
 112 | #
 113 | # Create report with a summary of connections
 114 | # for the session on shutdown
 115 | #
 116 | # Syntax: create_reports [yes|no]
 117 | #
 118 | # Default: yes
 119 | #
 120 | #create_reports		no
 121 | 
 122 | 
 123 | #########################################
 124 | # report_language
 125 | #
 126 | # Set language for reports
 127 | # Note: Currently only languages 'en' and 'de' are supported
 128 | #
 129 | # Syntax: report_language <language>
 130 | #
 131 | # Default: en
 132 | #
 133 | #report_language	de
 134 | 
 135 | 
 136 | #############################################################
 137 | # Faketime
 138 | #############################################################
 139 | 
 140 | #########################################
 141 | # faketime_init_delta
 142 | #
 143 | # Initial number of seconds (positive or negative)
 144 | # relative to current date/time for fake time used by all services 
 145 | #
 146 | # Syntax: faketime_init_delta <number of seconds>
 147 | #
 148 | # Default: 0  (use current date/time) 
 149 | #
 150 | #faketime_init_delta	1000
 151 | 
 152 | 
 153 | #########################################
 154 | # faketime_auto_delay
 155 | #
 156 | # Number of seconds to wait before incrementing fake time
 157 | # by value specified with 'faketime_auto_increment'.
 158 | # Setting to '0' disables this option.
 159 | #
 160 | # Syntax: faketime_auto_delay [0..86400]
 161 | #
 162 | # Default: 0  (disabled)
 163 | #
 164 | #faketime_auto_delay	1000
 165 | 
 166 | 
 167 | #########################################
 168 | # faketime_auto_increment
 169 | #
 170 | # Number of seconds by which fake time is incremented at
 171 | # regular intervals specified by 'faketime_auto_delay'.
 172 | # This option only takes effect if 'faketime_auto_delay'
 173 | # is enabled (not set to '0').
 174 | #
 175 | # Syntax: faketime_auto_increment [-31536000..31536000]
 176 | #
 177 | # Default: 3600
 178 | #
 179 | #faketime_auto_increment	86400
 180 | 
 181 | 
 182 | #############################################################
 183 | # Service DNS
 184 | #############################################################
 185 | 
 186 | #########################################
 187 | # dns_bind_port
 188 | #
 189 | # Port number to bind DNS service to
 190 | #
 191 | # Syntax: dns_bind_port <port number>
 192 | #
 193 | # Default: 53
 194 | #
 195 | dns_bind_port		5342
 196 | 
 197 | 
 198 | #########################################
 199 | # dns_default_ip
 200 | #
 201 | # Default IP address to return with DNS replies
 202 | #
 203 | # Syntax: dns_default_ip <IP address>
 204 | #
 205 | # Default: 127.0.0.1
 206 | #
 207 | dns_default_ip		192.168.100.1
 208 | 
 209 | 
 210 | #########################################
 211 | # dns_default_hostname
 212 | #
 213 | # Default hostname to return with DNS replies
 214 | #
 215 | # Syntax: dns_default_hostname <hostname>
 216 | #
 217 | # Default: www
 218 | #
 219 | #dns_default_hostname		somehost
 220 | 
 221 | 
 222 | #########################################
 223 | # dns_default_domainname
 224 | #
 225 | # Default domain name to return with DNS replies
 226 | #
 227 | # Syntax: dns_default_domainname <domain name>
 228 | #
 229 | # Default: inetsim.org
 230 | #
 231 | #dns_default_domainname		some.domain
 232 | 
 233 | 
 234 | #########################################
 235 | # dns_static
 236 | #
 237 | # Static mappings for DNS
 238 | #
 239 | # Syntax: dns_static <fqdn hostname> <IP address>
 240 | #
 241 | # Default: none
 242 | #
 243 | #dns_static	www.foo.com	10.10.10.10
 244 | #dns_static	ns1.foo.com	10.70.50.30
 245 | #dns_static	ftp.bar.net	10.10.20.30
 246 | 
 247 | 
 248 | #########################################
 249 | # dns_version
 250 | #
 251 | # DNS version
 252 | #
 253 | # Syntax: dns_version <version>
 254 | #
 255 | # Default: "INetSim DNS Server"
 256 | #
 257 | #dns_version "9.2.4"
 258 | 
 259 | 
 260 | #############################################################
 261 | # Service HTTP
 262 | #############################################################
 263 | 
 264 | #########################################
 265 | # http_bind_port
 266 | #
 267 | # Port number to bind HTTP service to
 268 | #
 269 | # Syntax: http_bind_port <port number>
 270 | #
 271 | # Default: 80
 272 | #
 273 | #http_bind_port		80
 274 | 
 275 | 
 276 | #########################################
 277 | # http_version
 278 | #
 279 | # Version string to return in HTTP replies
 280 | #
 281 | # Syntax: http_version <string>
 282 | #
 283 | # Default: "INetSim HTTP server"
 284 | #
 285 | #http_version		"Microsoft-IIS/4.0"
 286 | 
 287 | 
 288 | #########################################
 289 | # http_fakemode
 290 | #
 291 | # Turn HTTP fake mode on or off
 292 | #
 293 | # Syntax: http_fakemode [yes|no]
 294 | #
 295 | # Default: yes
 296 | #
 297 | #http_fakemode		no
 298 | 
 299 | 
 300 | #########################################
 301 | # http_fakefile
 302 | #
 303 | # Fake files returned in fake mode based on the file extension
 304 | # in the HTTP request.
 305 | # The fake files must be placed in <data-dir>/http/fakefiles
 306 | #
 307 | # Syntax: http_fakefile <extension> <filename> <mime-type>
 308 | #
 309 | # Default: none
 310 | #
 311 | http_fakefile		txt	sample.txt	text/plain
 312 | http_fakefile		htm	sample.html	text/html
 313 | http_fakefile		html	sample.html	text/html
 314 | http_fakefile		php	sample.html	text/html
 315 | http_fakefile		gif	sample.gif	image/gif
 316 | http_fakefile		jpg	sample.jpg	image/jpeg
 317 | http_fakefile		jpeg	sample.jpg	image/jpeg
 318 | http_fakefile		png	sample.png	image/png
 319 | http_fakefile		bmp	sample.bmp	image/x-ms-bmp
 320 | http_fakefile		ico	favicon.ico	image/x-icon
 321 | http_fakefile		exe	sample_gui.exe	x-msdos-program
 322 | http_fakefile		com	sample_gui.exe	x-msdos-program
 323 | 
 324 | 
 325 | #########################################
 326 | # http_default_fakefile
 327 | #
 328 | # The default fake file returned in fake mode if the file extension
 329 | # in the HTTP request does not match any of the extensions
 330 | # defined above.
 331 | #
 332 | # The default fake file must be placed in <data-dir>/http/fakefiles
 333 | #
 334 | # Syntax: http_default_fakefile <filename> <mime-type>
 335 | #
 336 | # Default: none
 337 | #
 338 | http_default_fakefile	sample.html	text/html
 339 | 
 340 | 
 341 | #########################################
 342 | # http_static_fakefile
 343 | #
 344 | # Fake files returned in fake mode based on static path.
 345 | # The fake files must be placed in <data-dir>/http/fakefiles
 346 | #
 347 | # Syntax: http_static_fakefile <path> <filename> <mime-type>
 348 | #
 349 | # Default: none
 350 | #
 351 | #http_static_fakefile	/path/			sample_gui.exe	x-msdos-program
 352 | #http_static_fakefile	/path/to/file.exe	sample_gui.exe	x-msdos-program
 353 | 
 354 | 
 355 | #############################################################
 356 | # Service HTTPS
 357 | #############################################################
 358 | 
 359 | #########################################
 360 | # https_bind_port
 361 | #
 362 | # Port number to bind HTTPS service to
 363 | #
 364 | # Syntax: https_bind_port <port number>
 365 | #
 366 | # Default: 443
 367 | #
 368 | #https_bind_port		443
 369 | 
 370 | 
 371 | #########################################
 372 | # https_version
 373 | #
 374 | # Version string to return in HTTPS replies
 375 | #
 376 | # Syntax: https_version <string>
 377 | #
 378 | # Default: "INetSim HTTPs server"
 379 | #
 380 | #https_version		"Microsoft-IIS/4.0"
 381 | 
 382 | 
 383 | #########################################
 384 | # https_fakemode
 385 | #
 386 | # Turn HTTPS fake mode on or off
 387 | #
 388 | # Syntax: https_fakemode [yes|no]
 389 | #
 390 | # Default: yes
 391 | #
 392 | #https_fakemode		no
 393 | 
 394 | 
 395 | #########################################
 396 | # https_fakefile
 397 | #
 398 | # Fake files returned in fake mode based on the file extension
 399 | # in the HTTPS request.
 400 | # The fake files must be placed in <data-dir>/http/fakefiles
 401 | #
 402 | # Syntax: https_fakefile <extension> <filename> <mime-type>
 403 | #
 404 | # Default: none
 405 | #
 406 | https_fakefile		txt	sample.txt	text/plain
 407 | https_fakefile		htm	sample.html	text/html
 408 | https_fakefile		html	sample.html	text/html
 409 | https_fakefile		php	sample.html	text/html
 410 | https_fakefile		gif	sample.gif	image/gif
 411 | https_fakefile		jpg	sample.jpg	image/jpeg
 412 | https_fakefile		jpeg	sample.jpg	image/jpeg
 413 | https_fakefile		png	sample.png	image/png
 414 | https_fakefile		bmp	sample.bmp	image/x-ms-bmp
 415 | https_fakefile		ico	favicon.ico	image/x-icon
 416 | https_fakefile		exe	sample_gui.exe	x-msdos-program
 417 | https_fakefile		com	sample_gui.exe	x-msdos-program
 418 | 
 419 | 
 420 | #########################################
 421 | # https_default_fakefile
 422 | #
 423 | # The default fake file returned in fake mode if the file extension
 424 | # in the HTTPS request does not match any of the extensions
 425 | # defined above.
 426 | #
 427 | # The default fake file must be placed in <data-dir>/http/fakefiles
 428 | #
 429 | # Syntax: https_default_fakefile <filename> <mime-type>
 430 | #
 431 | # Default: none
 432 | #
 433 | https_default_fakefile	sample.html	text/html
 434 | 
 435 | 
 436 | #########################################
 437 | # https_static_fakefile
 438 | #
 439 | # Fake files returned in fake mode based on static path.
 440 | # The fake files must be placed in <data-dir>/http/fakefiles
 441 | #
 442 | # Syntax: https_static_fakefile <path> <filename> <mime-type>
 443 | #
 444 | # Default: none
 445 | #
 446 | #https_static_fakefile	/path/			sample_gui.exe	x-msdos-program
 447 | #https_static_fakefile	/path/to/file.exe	sample_gui.exe	x-msdos-program
 448 | 
 449 | 
 450 | #########################################
 451 | # https_ssl_keyfile
 452 | #
 453 | # Name of the SSL private key PEM file.
 454 | # The key MUST NOT be encrypted!
 455 | #
 456 | # The file must be placed in <data-dir>/certs/
 457 | #
 458 | # Syntax: https_ssl_keyfile <filename>
 459 | #
 460 | # Default: default_key.pem
 461 | #
 462 | #https_ssl_keyfile	https_key.pem
 463 | 
 464 | 
 465 | #########################################
 466 | # https_ssl_certfile
 467 | #
 468 | # Name of the SSL certificate file.
 469 | #
 470 | # The file must be placed in <data-dir>/certs/
 471 | #
 472 | # Syntax: https_ssl_certfile <filename>
 473 | #
 474 | # Default: default_cert.pem
 475 | #
 476 | #https_ssl_certfile	https_cert.pem
 477 | 
 478 | 
 479 | #########################################
 480 | # https_ssl_dhfile
 481 | #
 482 | # Name of the Diffie-Hellman parameter PEM file.
 483 | #
 484 | # The file must be placed in <data-dir>/certs/
 485 | #
 486 | # Syntax: https_ssl_dhfile <filename>
 487 | #
 488 | # Default: none
 489 | #
 490 | #https_ssl_dhfile	https_dh1024.pem
 491 | 
 492 | 
 493 | #############################################################
 494 | # Service SMTP
 495 | #############################################################
 496 | 
 497 | #########################################
 498 | # smtp_bind_port
 499 | #
 500 | # Port number to bind SMTP service to
 501 | #
 502 | # Syntax: smtp_bind_port <port number>
 503 | #
 504 | # Default: 25
 505 | #
 506 | #smtp_bind_port		25
 507 | 
 508 | 
 509 | #########################################
 510 | # smtp_fqdn_hostname
 511 | #
 512 | # The FQDN hostname used for SMTP
 513 | #
 514 | # Syntax: smtp_fqdn_hostname <string>
 515 | #
 516 | # Default: mail.inetsim.org
 517 | #
 518 | #smtp_fqdn_hostname	foo.bar.org
 519 | 
 520 | 
 521 | #########################################
 522 | # smtp_banner
 523 | #
 524 | # The banner string used in SMTP greeting message
 525 | #
 526 | # Syntax: smtp_banner <string>
 527 | #
 528 | # Default: "INetSim Mail Service ready."
 529 | #
 530 | #smtp_banner		"SMTP Mailer ready."
 531 | 
 532 | 
 533 | #########################################
 534 | # smtp_helo_required
 535 | #
 536 | # Client has to send HELO/EHLO before any other command
 537 | #
 538 | # Syntax: smtp_helo_required [yes|no]
 539 | #
 540 | # Default: no
 541 | #
 542 | #smtp_helo_required	yes
 543 | 
 544 | 
 545 | #########################################
 546 | # smtp_extended_smtp
 547 | #
 548 | # Turn support for extended smtp (ESMTP) on or off
 549 | #
 550 | # Syntax: smtp_extended_smtp [yes|no]
 551 | #
 552 | # Default: yes
 553 | #
 554 | #smtp_extended_smtp	no
 555 | 
 556 | 
 557 | #########################################
 558 | # smtp_service_extension
 559 | #
 560 | # SMTP service extensions offered to client.
 561 | # For more information, see
 562 | # <http://www.iana.org/assignments/mail-parameters>
 563 | #
 564 | # Syntax: smtp_service_extension <extension [parameter(s)]>
 565 | #
 566 | # Supported extensions and parameters:
 567 | # VRFY
 568 | # EXPN
 569 | # HELP
 570 | # 8BITMIME
 571 | # SIZE			# one optional parameter
 572 | # ENHANCEDSTATUSCODES
 573 | # AUTH 			# one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
 574 | # DSN
 575 | # SEND
 576 | # SAML
 577 | # SOML
 578 | # TURN
 579 | # ETRN
 580 | # ATRN
 581 | # VERP
 582 | # MTRK
 583 | # CHUNKING
 584 | # STARTTLS
 585 | # DELIVERBY		# one optional parameter
 586 | # SUBMITTER
 587 | # CHECKPOINT
 588 | # BINARYMIME
 589 | # NO-SOLICITING		# one optional parameter
 590 | # FUTURERELEASE		# two required parameters
 591 | #
 592 | # Default: none
 593 | #
 594 | smtp_service_extension		VRFY
 595 | smtp_service_extension		EXPN
 596 | smtp_service_extension		HELP
 597 | smtp_service_extension		8BITMIME
 598 | smtp_service_extension		SIZE 102400000
 599 | smtp_service_extension		ENHANCEDSTATUSCODES
 600 | smtp_service_extension		AUTH PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
 601 | smtp_service_extension		DSN
 602 | smtp_service_extension		ETRN
 603 | smtp_service_extension		STARTTLS
 604 | #
 605 | 
 606 | 
 607 | #########################################
 608 | # smtp_auth_reversibleonly
 609 | #
 610 | # Only offer authentication mechanisms which allow reversing
 611 | # the authentication information sent by a client
 612 | # to clear text username/password.
 613 | # This option only takes effect if 'smtp_extended_smtp' is
 614 | # enabled and 'smtp_service_extension AUTH' is configured.
 615 | #
 616 | # Syntax: smtp_auth_reversibleonly [yes|no]
 617 | #
 618 | # Default: no
 619 | #
 620 | #smtp_auth_reversibleonly	yes
 621 | 
 622 | 
 623 | #########################################
 624 | # smtp_auth_required
 625 | #
 626 | # Force the client to authenticate.
 627 | # This option only takes effect if 'smtp_extended_smtp' is
 628 | # enabled and 'smtp_service_extension AUTH' is configured.
 629 | #
 630 | # Syntax: smtp_auth_required [yes|no]
 631 | #
 632 | # Default: no
 633 | #
 634 | #smtp_auth_required	yes
 635 | 
 636 | 
 637 | #########################################
 638 | # smtp_ssl_keyfile
 639 | #
 640 | # Name of the SSL private key PEM file.
 641 | # The key MUST NOT be encrypted!
 642 | #
 643 | # This option only takes effect if 'smtp_extended_smtp' is
 644 | # enabled and 'smtp_service_extension STARTTLS' is configured.
 645 | #
 646 | # The file must be placed in <data-dir>/certs/
 647 | #
 648 | # Note: If no key file is specified, the extension STARTTLS
 649 | # will be disabled.
 650 | #
 651 | # Syntax: smtp_ssl_keyfile <filename>
 652 | #
 653 | # Default: default_key.pem
 654 | #
 655 | #smtp_ssl_keyfile	smtp_key.pem
 656 | 
 657 | 
 658 | #########################################
 659 | # smtp_ssl_certfile
 660 | #
 661 | # Name of the SSL certificate PEM file.
 662 | #
 663 | # This option only takes effect if 'smtp_extended_smtp' is
 664 | # enabled and 'smtp_service_extension STARTTLS' is configured.
 665 | #
 666 | # The file must be placed in <data-dir>/certs/
 667 | #
 668 | # Note: If no cert file is specified, the extension STARTTLS
 669 | # will be disabled.
 670 | #
 671 | # Syntax: smtp_ssl_certfile <filename>
 672 | #
 673 | # Default: default_cert.pem
 674 | #
 675 | #smtp_ssl_certfile	smtp_cert.pem
 676 | 
 677 | 
 678 | #########################################
 679 | # smtp_ssl_dhfile
 680 | #
 681 | # Name of the Diffie-Hellman parameter PEM file.
 682 | #
 683 | # The file must be placed in <data-dir>/certs/
 684 | #
 685 | # Syntax: smtp_ssl_dhfile <filename>
 686 | #
 687 | # Default: none
 688 | #
 689 | #smtp_ssl_dhfile	smtp_dh1024.pem
 690 | 
 691 | 
 692 | 
 693 | #############################################################
 694 | # Service SMTPS
 695 | #############################################################
 696 | 
 697 | #########################################
 698 | # smtps_bind_port
 699 | #
 700 | # Port number to bind SMTPS service to
 701 | #
 702 | # Syntax: smtps_bind_port <port number>
 703 | #
 704 | # Default: 465
 705 | #
 706 | #smtps_bind_port	465
 707 | 
 708 | 
 709 | #########################################
 710 | # smtps_fqdn_hostname
 711 | #
 712 | # The FQDN hostname used for SMTPS
 713 | #
 714 | # Syntax: smtps_fqdn_hostname <string>
 715 | #
 716 | # Default: mail.inetsim.org
 717 | #
 718 | #smtps_fqdn_hostname	foo.bar.org
 719 | 
 720 | 
 721 | #########################################
 722 | # smtps_banner
 723 | #
 724 | # The banner string used in SMTPS greeting message
 725 | #
 726 | # Syntax: smtps_banner <string>
 727 | #
 728 | # Default: "INetSim Mail Service ready."
 729 | #
 730 | #smtps_banner		"SMTPS Mailer ready."
 731 | 
 732 | 
 733 | #########################################
 734 | # smtps_helo_required
 735 | #
 736 | # Client has to send HELO/EHLO before any other command
 737 | #
 738 | # Syntax: smtps_helo_required [yes|no]
 739 | #
 740 | # Default: no
 741 | #
 742 | #smtps_helo_required	yes
 743 | 
 744 | 
 745 | #########################################
 746 | # smtps_extended_smtp
 747 | #
 748 | # Turn support for extended smtp (ESMTP) on or off
 749 | #
 750 | # Syntax: smtps_extended_smtp [yes|no]
 751 | #
 752 | # Default: yes
 753 | #
 754 | #smtps_extended_smtp	no
 755 | 
 756 | 
 757 | #########################################
 758 | # smtps_service_extension
 759 | #
 760 | # SMTP service extensions offered to client.
 761 | # For more information, see
 762 | # <http://www.iana.org/assignments/mail-parameters>
 763 | #
 764 | # Syntax: smtp_service_extension <extension [parameter(s)]>
 765 | #
 766 | # Supported extensions and parameters:
 767 | # VRFY
 768 | # EXPN
 769 | # HELP
 770 | # 8BITMIME
 771 | # SIZE			# one optional parameter
 772 | # ENHANCEDSTATUSCODES
 773 | # AUTH 			# one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
 774 | # DSN
 775 | # SEND
 776 | # SAML
 777 | # SOML
 778 | # TURN
 779 | # ETRN
 780 | # ATRN
 781 | # VERP
 782 | # MTRK
 783 | # CHUNKING
 784 | # DELIVERBY		# one optional parameter
 785 | # SUBMITTER
 786 | # CHECKPOINT
 787 | # BINARYMIME
 788 | # NO-SOLICITING		# one optional parameter
 789 | # FUTURERELEASE		# two required parameters
 790 | #
 791 | # Default: none
 792 | #
 793 | smtps_service_extension		VRFY
 794 | smtps_service_extension		EXPN
 795 | smtps_service_extension		HELP
 796 | smtps_service_extension		8BITMIME
 797 | smtps_service_extension		SIZE 102400000
 798 | smtps_service_extension		ENHANCEDSTATUSCODES
 799 | smtps_service_extension		AUTH PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
 800 | smtps_service_extension		DSN
 801 | smtps_service_extension		ETRN
 802 | #
 803 | 
 804 | 
 805 | #########################################
 806 | # smtps_auth_reversibleonly
 807 | #
 808 | # Only offer authentication mechanisms which allow reversing
 809 | # the authentication information sent by a client
 810 | # to clear text username/password.
 811 | # This option only takes effect if 'smtps_extended_smtp' is
 812 | # enabled and 'smtps_service_extension AUTH' is configured.
 813 | #
 814 | # Syntax: smtps_auth_reversibleonly [yes|no]
 815 | #
 816 | # Default: no
 817 | #
 818 | #smtps_auth_reversibleonly	yes
 819 | 
 820 | 
 821 | #########################################
 822 | # smtps_auth_required
 823 | #
 824 | # Force the client to authenticate.
 825 | # This option only takes effect if 'smtps_extended_smtp' is
 826 | # enabled and 'smtp_service_extension AUTH' is configured.
 827 | #
 828 | # Syntax: smtps_auth_required [yes|no]
 829 | #
 830 | # Default: no
 831 | #
 832 | #smtps_auth_required	yes
 833 | 
 834 | 
 835 | #########################################
 836 | # smtps_ssl_keyfile
 837 | #
 838 | # Name of the SSL private key PEM file.
 839 | # The key MUST NOT be encrypted!
 840 | #
 841 | # The file must be placed in <data-dir>/certs/
 842 | #
 843 | # Syntax: smtps_ssl_keyfile <filename>
 844 | #
 845 | # Default: default_key.pem
 846 | #
 847 | #smtps_ssl_keyfile	smtps_key.pem
 848 | 
 849 | 
 850 | #########################################
 851 | # smtps_ssl_certfile
 852 | #
 853 | # Name of the SSL certificate PEM file.
 854 | #
 855 | # The file must be placed in <data-dir>/certs/
 856 | #
 857 | # Syntax: smtps_ssl_certfile <filename>
 858 | #
 859 | # Default: default_cert.pem
 860 | #
 861 | #smtps_ssl_certfile	smtps_cert.pem
 862 | 
 863 | 
 864 | #########################################
 865 | # smtps_ssl_dhfile
 866 | #
 867 | # Name of the Diffie-Hellman parameter PEM file.
 868 | #
 869 | # The file must be placed in <data-dir>/certs/
 870 | #
 871 | # Syntax: smtps_ssl_dhfile <filename>
 872 | #
 873 | # Default: none
 874 | #
 875 | #smtps_ssl_dhfile	smtps_dh1024.pem
 876 | 
 877 | 
 878 | #############################################################
 879 | # Service POP3
 880 | #############################################################
 881 | 
 882 | #########################################
 883 | # pop3_bind_port
 884 | #
 885 | # Port number to bind POP3 service to
 886 | #
 887 | # Syntax: pop3_bind_port <port number>
 888 | #
 889 | # Default: 110
 890 | #
 891 | #pop3_bind_port		110
 892 | 
 893 | 
 894 | #########################################
 895 | # pop3_banner
 896 | #
 897 | # The banner string used in POP3 greeting message
 898 | #
 899 | # Syntax: pop3_banner <string>
 900 | #
 901 | # Default: "INetSim POP3 Server ready"
 902 | #
 903 | #pop3_banner		"POP3 Server ready"
 904 | 
 905 | 
 906 | #########################################
 907 | # pop3_hostname
 908 | #
 909 | # The hostname used in POP3 greeting message
 910 | #
 911 | # Syntax: pop3_hostname <string>
 912 | #
 913 | # Default: pop3host
 914 | #
 915 | #pop3_hostname		pop3server
 916 | 
 917 | 
 918 | #########################################
 919 | # pop3_mbox_maxmails
 920 | #
 921 | # Maximum number of e-mails to select from supplied mbox files
 922 | # for creation of random POP3 mailbox
 923 | #
 924 | # Syntax: pop3_mbox_maxmails <number>
 925 | #
 926 | # Default: 10
 927 | #
 928 | #pop3_mbox_maxmails	20
 929 | 
 930 | 
 931 | #########################################
 932 | # pop3_mbox_reread
 933 | #
 934 | # Re-read supplied mbox files if POP3 service was inactive
 935 | # for <number> seconds
 936 | #
 937 | # Syntax: pop3_mbox_reread <number>
 938 | #
 939 | # Default: 180
 940 | #
 941 | #pop3_mbox_reread	300
 942 | 
 943 | 
 944 | #########################################
 945 | # pop3_mbox_rebuild
 946 | #
 947 | # Rebuild random POP3 mailbox if POP3 service was inactive
 948 | # for <number> seconds
 949 | #
 950 | # Syntax: pop3_mbox_rebuild <number>
 951 | #
 952 | # Default: 60
 953 | #
 954 | #pop3_mbox_rebuild	120
 955 | 
 956 | 
 957 | #########################################
 958 | # pop3_enable_apop
 959 | #
 960 | # Turn APOP on or off
 961 | #
 962 | # Syntax: pop3_enable_apop [yes|no]
 963 | #
 964 | # Default: yes
 965 | #
 966 | #pop3_enable_apop	no
 967 | 
 968 | 
 969 | #########################################
 970 | # pop3_auth_reversibleonly
 971 | #
 972 | # Only offer authentication mechanisms which allow reversing
 973 | # the authentication information sent by a client
 974 | # to clear text username/password
 975 | #
 976 | # Syntax: pop3_auth_reversibleonly [yes|no]
 977 | #
 978 | # Default: no
 979 | #
 980 | #pop3_auth_reversibleonly	yes
 981 | 
 982 | 
 983 | #########################################
 984 | # pop3_enable_capabilities
 985 | #
 986 | # Turn support for pop3 capabilities on or off
 987 | #
 988 | # Syntax: pop3_enable_capabilities [yes|no]
 989 | #
 990 | # Default: yes
 991 | #
 992 | #pop3_enable_capabilities	no
 993 | 
 994 | 
 995 | #########################################
 996 | # pop3_capability
 997 | #
 998 | # POP3 capabilities offered to client.
 999 | # For more information, see
1000 | # <http://www.iana.org/assignments/pop3-extension-mechanism>
1001 | #
1002 | # Syntax: pop3_capability <capability [parameter(s)]>
1003 | #
1004 | # Supported capabilities and parameters:
1005 | # TOP
1006 | # USER
1007 | # UIDL
1008 | # SASL			# one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
1009 | # RESP-CODES
1010 | # EXPIRE		# one required parameter and one optional parameter
1011 | # LOGIN-DELAY		# one required parameter and one optional parameter
1012 | # IMPLEMENTATION	# one required parameter
1013 | # AUTH-RESP-CODE
1014 | # STLS
1015 | #
1016 | # Default: none
1017 | #
1018 | pop3_capability		TOP
1019 | pop3_capability		USER
1020 | pop3_capability		SASL PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
1021 | pop3_capability		UIDL
1022 | pop3_capability		IMPLEMENTATION "INetSim POP3 server"
1023 | pop3_capability		STLS
1024 | #
1025 | 
1026 | 
1027 | #########################################
1028 | # pop3_ssl_keyfile
1029 | #
1030 | # Name of the SSL private key PEM file.
1031 | # The key MUST NOT be encrypted!
1032 | #
1033 | # This option only takes effect if 'pop3_enable_capabilities' is
1034 | # true and 'pop3_capability STLS' is configured.
1035 | #
1036 | # The file must be placed in <data-dir>/certs/
1037 | #
1038 | # Note: If no key file is specified, capability STLS will be disabled.
1039 | #
1040 | # Syntax: pop3_ssl_keyfile <filename>
1041 | #
1042 | # Default: default_key.pem
1043 | #
1044 | #pop3_ssl_keyfile	pop3_key.pem
1045 | 
1046 | 
1047 | #########################################
1048 | # pop3_ssl_certfile
1049 | #
1050 | # Name of the SSL certificate PEM file.
1051 | #
1052 | # This option only takes effect if 'pop3_enable_capabilities' is
1053 | # true and 'pop3_capability STLS' is configured.
1054 | #
1055 | # The file must be placed in <data-dir>/certs/
1056 | #
1057 | # Note: If no cert file is specified, capability STLS will be disabled.
1058 | #
1059 | # Syntax: pop3_ssl_certfile <filename>
1060 | #
1061 | # Default: default_cert.pem
1062 | #
1063 | #pop3_ssl_certfile	pop3_cert.pem
1064 | 
1065 | 
1066 | #########################################
1067 | # pop3_ssl_dhfile
1068 | #
1069 | # Name of the Diffie-Hellman parameter PEM file.
1070 | #
1071 | # The file must be placed in <data-dir>/certs/
1072 | #
1073 | # Syntax: pop3_ssl_dhfile <filename>
1074 | #
1075 | # Default: none
1076 | #
1077 | #pop3_ssl_dhfile	pop3_dh1024.pem
1078 | 
1079 | 
1080 | #############################################################
1081 | # Service POP3S
1082 | #############################################################
1083 | 
1084 | #########################################
1085 | # pop3s_bind_port
1086 | #
1087 | # Port number to bind POP3S service to
1088 | #
1089 | # Syntax: pop3s_bind_port <port number>
1090 | #
1091 | # Default: 995
1092 | #
1093 | #pop3s_bind_port		995
1094 | 
1095 | 
1096 | #########################################
1097 | # pop3s_banner
1098 | #
1099 | # The banner string used in POP3 greeting message
1100 | #
1101 | # Syntax: pop3s_banner <string>
1102 | #
1103 | # Default: "INetSim POP3 Server ready"
1104 | #
1105 | #pop3s_banner		"POP3 Server ready"
1106 | 
1107 | 
1108 | #########################################
1109 | # pop3s_hostname
1110 | #
1111 | # The hostname used in POP3 greeting message
1112 | #
1113 | # Syntax: pop3s_hostname <string>
1114 | #
1115 | # Default: pop3host
1116 | #
1117 | #pop3s_hostname		pop3server
1118 | 
1119 | 
1120 | #########################################
1121 | # pop3s_mbox_maxmails
1122 | #
1123 | # Maximum number of e-mails to select from supplied mbox files
1124 | # for creation of random POP3 mailbox
1125 | #
1126 | # Syntax: pop3s_mbox_maxmails <number>
1127 | #
1128 | # Default: 10
1129 | #
1130 | #pop3s_mbox_maxmails	20
1131 | 
1132 | 
1133 | #########################################
1134 | # pop3s_mbox_reread
1135 | #
1136 | # Re-read supplied mbox files if POP3S service was inactive
1137 | # for <number> seconds
1138 | #
1139 | # Syntax: pop3s_mbox_reread <number>
1140 | #
1141 | # Default: 180
1142 | #
1143 | #pop3s_mbox_reread	300
1144 | 
1145 | 
1146 | #########################################
1147 | # pop3s_mbox_rebuild
1148 | #
1149 | # Rebuild random POP3 mailbox if POP3S service was inactive
1150 | # for <number> seconds
1151 | #
1152 | # Syntax: pop3s_mbox_rebuild <number>
1153 | #
1154 | # Default: 60
1155 | #
1156 | #pop3s_mbox_rebuild	120
1157 | 
1158 | 
1159 | #########################################
1160 | # pop3s_enable_apop
1161 | #
1162 | # Turn APOP on or off
1163 | #
1164 | # Syntax: pop3s_enable_apop [yes|no]
1165 | #
1166 | # Default: yes
1167 | #
1168 | #pop3s_enable_apop	no
1169 | 
1170 | 
1171 | #########################################
1172 | # pop3s_auth_reversibleonly
1173 | #
1174 | # Only offer authentication mechanisms which allow reversing
1175 | # the authentication information sent by a client
1176 | # to clear text username/password
1177 | #
1178 | # Syntax: pop3s_auth_reversibleonly [yes|no]
1179 | #
1180 | # Default: no
1181 | #
1182 | #pop3s_auth_reversibleonly	yes
1183 | 
1184 | 
1185 | #########################################
1186 | # pop3s_enable_capabilities
1187 | #
1188 | # Turn support for pop3 capabilities on or off
1189 | #
1190 | # Syntax: pop3s_enable_capabilities [yes|no]
1191 | #
1192 | # Default: yes
1193 | #
1194 | #pop3s_enable_capabilities	no
1195 | 
1196 | 
1197 | #########################################
1198 | # pop3s_capability
1199 | #
1200 | # POP3 capabilities offered to client.
1201 | # For more information, see
1202 | # <http://www.iana.org/assignments/pop3-extension-mechanism>
1203 | #
1204 | # Syntax: pop3s_capability <capability [parameter(s)]>
1205 | #
1206 | # Supported capabilities and parameters:
1207 | # TOP
1208 | # USER
1209 | # UIDL
1210 | # SASL			# one or more of [PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1]
1211 | # RESP-CODES
1212 | # EXPIRE		# one required parameter and one optional parameter
1213 | # LOGIN-DELAY		# one required parameter and one optional parameter
1214 | # IMPLEMENTATION	# one required parameter
1215 | # AUTH-RESP-CODE
1216 | #
1217 | # Default: none
1218 | #
1219 | pop3s_capability	TOP
1220 | pop3s_capability	USER
1221 | pop3s_capability	SASL PLAIN LOGIN ANONYMOUS CRAM-MD5 CRAM-SHA1
1222 | pop3s_capability	UIDL
1223 | pop3s_capability	IMPLEMENTATION "INetSim POP3s server"
1224 | #
1225 | 
1226 | 
1227 | #########################################
1228 | # pop3s_ssl_keyfile
1229 | #
1230 | # Name of the SSL private key PEM file.
1231 | # The key MUST NOT be encrypted!
1232 | #
1233 | # The file must be placed in <data-dir>/certs/
1234 | #
1235 | # Syntax: pop3s_ssl_keyfile <filename>
1236 | #
1237 | # Default: default_key.pem
1238 | #
1239 | #pop3s_ssl_keyfile	pop3s_key.pem
1240 | 
1241 | 
1242 | #########################################
1243 | # pop3s_ssl_certfile
1244 | #
1245 | # Name of the SSL certificate PEM file.
1246 | #
1247 | # The file must be placed in <data-dir>/certs/
1248 | #
1249 | # Syntax: pop3s_ssl_certfile <filename>
1250 | #
1251 | # Default: default_cert.pem
1252 | #
1253 | #pop3s_ssl_certfile	pop3s_cert.pem
1254 | 
1255 | 
1256 | #########################################
1257 | # pop3s_ssl_dhfile
1258 | #
1259 | # Name of the Diffie-Hellman parameter PEM file.
1260 | #
1261 | # The file must be placed in <data-dir>/certs/
1262 | #
1263 | # Syntax: pop3s_ssl_dhfile <filename>
1264 | #
1265 | # Default: none
1266 | #
1267 | #pop3s_ssl_dhfile	pop3s_dh1024.pem
1268 | 
1269 | 
1270 | #############################################################
1271 | # Service TFTP
1272 | #############################################################
1273 | 
1274 | #########################################
1275 | # tftp_bind_port
1276 | #
1277 | # Port number to bind TFTP service to
1278 | #
1279 | # Syntax: tftp_bind_port <port number>
1280 | #
1281 | # Default: 69
1282 | #
1283 | #tftp_bind_port		69
1284 | 
1285 | 
1286 | #########################################
1287 | # tftp_allow_overwrite
1288 | #
1289 | # Allow overwriting of existing files
1290 | #
1291 | # Syntax: tftp_allow_overwrite [yes|no]
1292 | #
1293 | # Default: no
1294 | #
1295 | #tftp_allow_overwrite	yes
1296 | 
1297 | 
1298 | #########################################
1299 | # tftp_enable_options
1300 | #
1301 | # Turn support for tftp options on or off
1302 | #
1303 | # Syntax: tftp_enable_options [yes|no]
1304 | #
1305 | # Default: yes
1306 | #
1307 | #tftp_enable_options	no
1308 | 
1309 | 
1310 | #########################################
1311 | # tftp_option
1312 | #
1313 | # TFTP extensions offered to client.
1314 | # For more information, see RFC 2347
1315 | #
1316 | # Syntax: tftp_option <option [parameter(s)]>
1317 | #
1318 | # Supported extensions and parameters:
1319 | # BLKSIZE		# two optional parameters
1320 | # TIMEOUT		# two optional parameters
1321 | # TSIZE			# one optional parameter
1322 | #
1323 | # Default: none
1324 | #
1325 | tftp_option		BLKSIZE 512 65464
1326 | tftp_option		TIMEOUT 5 60
1327 | tftp_option		TSIZE 10485760
1328 | #
1329 | 
1330 | 
1331 | #############################################################
1332 | # Service FTP
1333 | #############################################################
1334 | 
1335 | #########################################
1336 | # ftp_bind_port
1337 | #
1338 | # Port number to bind FTP service to
1339 | #
1340 | # Syntax: ftp_bind_port <port number>
1341 | #
1342 | # Default: 21
1343 | #
1344 | #ftp_bind_port		21
1345 | 
1346 | 
1347 | #########################################
1348 | # ftp_version
1349 | #
1350 | # Version string to return in replies to the STAT command
1351 | #
1352 | # Syntax: ftp_version <string>
1353 | #
1354 | # Default: "INetSim FTP Server"
1355 | #
1356 | #ftp_version		"vsFTPd 2.0.4 - secure, fast, stable"
1357 | 
1358 | 
1359 | #########################################
1360 | # ftp_banner
1361 | #
1362 | # The banner string used in FTP greeting message
1363 | #
1364 | # Syntax: ftp_banner <string>
1365 | #
1366 | # Default: "INetSim FTP Service ready."
1367 | #
1368 | #ftp_banner		"FTP Server ready"
1369 | 
1370 | 
1371 | #########################################
1372 | # ftp_recursive_delete
1373 | #
1374 | # Allow recursive deletion of directories,
1375 | # even if they are not empty
1376 | #
1377 | # Syntax: ftp_recursive_delete [yes|no]
1378 | #
1379 | # Default: no
1380 | #
1381 | #ftp_recursive_delete	yes
1382 | 
1383 | 
1384 | #############################################################
1385 | # Service FTPS
1386 | #############################################################
1387 | 
1388 | #########################################
1389 | # ftps_bind_port
1390 | #
1391 | # Port number to bind FTP service to
1392 | #
1393 | # Syntax: ftp_bind_port <port number>
1394 | #
1395 | # Default: 990
1396 | #
1397 | #ftps_bind_port		990
1398 | 
1399 | 
1400 | #########################################
1401 | # ftps_version
1402 | #
1403 | # Version string to return in replies to the STAT command
1404 | #
1405 | # Syntax: ftps_version <string>
1406 | #
1407 | # Default: "INetSim FTPs Server"
1408 | #
1409 | #ftps_version		"vsFTPd 2.0.4 - secure, fast, stable"
1410 | 
1411 | 
1412 | #########################################
1413 | # ftps_banner
1414 | #
1415 | # The banner string used in FTP greeting message
1416 | #
1417 | # Syntax: ftps_banner <string>
1418 | #
1419 | # Default: "INetSim FTP Service ready."
1420 | #
1421 | #ftps_banner		"FTP Server ready"
1422 | 
1423 | 
1424 | #########################################
1425 | # ftps_recursive_delete
1426 | #
1427 | # Allow recursive deletion of directories,
1428 | # even if they are not empty
1429 | #
1430 | # Syntax: ftps_recursive_delete [yes|no]
1431 | #
1432 | # Default: no
1433 | #
1434 | #ftps_recursive_delete	yes
1435 | 
1436 | 
1437 | #########################################
1438 | # ftps_ssl_keyfile
1439 | #
1440 | # Name of the SSL private key PEM file.
1441 | # The key MUST NOT be encrypted!
1442 | #
1443 | # The file must be placed in <data-dir>/certs/
1444 | #
1445 | # Syntax: ftps_ssl_keyfile <filename>
1446 | #
1447 | # Default: default_key.pem
1448 | #
1449 | #ftps_ssl_keyfile	ftps_key.pem
1450 | 
1451 | 
1452 | #########################################
1453 | # ftps_ssl_certfile
1454 | #
1455 | # Name of the SSL certificate PEM file.
1456 | #
1457 | # The file must be placed in <data-dir>/certs/
1458 | #
1459 | # Syntax: ftps_ssl_certfile <filename>
1460 | #
1461 | # Default: default_cert.pem
1462 | #
1463 | #ftps_ssl_certfile	ftps_cert.pem
1464 | 
1465 | 
1466 | #########################################
1467 | # ftps_ssl_dhfile
1468 | #
1469 | # Name of the Diffie-Hellman parameter PEM file.
1470 | #
1471 | # The file must be placed in <data-dir>/certs/
1472 | #
1473 | # Syntax: ftps_ssl_dhfile <filename>
1474 | #
1475 | # Default: none
1476 | #
1477 | #ftps_ssl_dhfile	ftps_dh1024.pem
1478 | 
1479 | 
1480 | #############################################################
1481 | # Service NTP
1482 | #############################################################
1483 | 
1484 | #########################################
1485 | # ntp_bind_port
1486 | #
1487 | # Port number to bind NTP service to
1488 | #
1489 | # Syntax: ntp_bind_port <port number>
1490 | #
1491 | # Default: 123
1492 | #
1493 | #ntp_bind_port		123
1494 | 
1495 | 
1496 | #########################################
1497 | # ntp_server_ip
1498 | #
1499 | # The IP address to return in NTP replies
1500 | #
1501 | # Syntax: ntp_server_ip <IP address>
1502 | #
1503 | # Default: 127.0.0.1
1504 | #
1505 | #ntp_server_ip		10.15.20.30
1506 | 
1507 | 
1508 | #########################################
1509 | # ntp_strict_checks
1510 | #
1511 | # Turn strict checks for client packets on or off
1512 | #
1513 | # Syntax: ntp_strict_checks [yes|no]
1514 | #
1515 | # Default: yes
1516 | #
1517 | #ntp_strict_checks	no
1518 | 
1519 | 
1520 | #############################################################
1521 | # Service IRC
1522 | #############################################################
1523 | 
1524 | #########################################
1525 | # irc_bind_port
1526 | #
1527 | # Port number to bind IRC service to
1528 | #
1529 | # Syntax: irc_bind_port <port number>
1530 | #
1531 | # Default: 6667
1532 | #
1533 | #irc_bind_port		6667
1534 | 
1535 | 
1536 | #########################################
1537 | # irc_fqdn_hostname
1538 | #
1539 | # The FQDN hostname used for IRC
1540 | #
1541 | # Syntax: irc_fqdn_hostname <string>
1542 | #
1543 | # Default: irc.inetsim.org
1544 | #
1545 | #irc_fqdn_hostname	foo.bar.org
1546 | 
1547 | 
1548 | #########################################
1549 | # irc_version
1550 | #
1551 | # Version string to return
1552 | #
1553 | # Syntax: irc_version <string>
1554 | #
1555 | # Default: "INetSim IRC Server"
1556 | #
1557 | #irc_version		"Unreal3.2.7"
1558 | 
1559 | 
1560 | #############################################################
1561 | # Service Time
1562 | #############################################################
1563 | 
1564 | #########################################
1565 | # time_bind_port
1566 | #
1567 | # Port number to bind time service to
1568 | #
1569 | # Syntax: time_bind_port <port number>
1570 | #
1571 | # Default: 37
1572 | #
1573 | #time_bind_port		37
1574 | 
1575 | 
1576 | #############################################################
1577 | # Service Daytime
1578 | #############################################################
1579 | 
1580 | #########################################
1581 | # daytime_bind_port
1582 | #
1583 | # Port number to bind daytime service to
1584 | #
1585 | # Syntax: daytime_bind_port <port number>
1586 | #
1587 | # Default: 13
1588 | #
1589 | #daytime_bind_port	13
1590 | 
1591 | 
1592 | #############################################################
1593 | # Service Echo
1594 | #############################################################
1595 | 
1596 | #########################################
1597 | # echo_bind_port
1598 | #
1599 | # Port number to bind echo service to
1600 | #
1601 | # Syntax: echo_bind_port <port number>
1602 | #
1603 | # Default: 7
1604 | #
1605 | #echo_bind_port		7
1606 | 
1607 | 
1608 | #############################################################
1609 | # Service Discard
1610 | #############################################################
1611 | 
1612 | #########################################
1613 | # discard_bind_port
1614 | #
1615 | # Port number to bind discard service to
1616 | #
1617 | # Syntax: discard_bind_port <port number>
1618 | #
1619 | # Default: 9
1620 | #
1621 | #discard_bind_port	9
1622 | 
1623 | 
1624 | #############################################################
1625 | # Service Quotd
1626 | #############################################################
1627 | 
1628 | #########################################
1629 | # quotd_bind_port
1630 | #
1631 | # Port number to bind quotd service to
1632 | #
1633 | # Syntax: quotd_bind_port <port number>
1634 | #
1635 | # Default: 17
1636 | #
1637 | #quotd_bind_port	17
1638 | 
1639 | 
1640 | #############################################################
1641 | # Service Chargen
1642 | #############################################################
1643 | 
1644 | #########################################
1645 | # chargen_bind_port
1646 | #
1647 | # Port number to bind chargen service to
1648 | #
1649 | # Syntax: chargen_bind_port <port number>
1650 | #
1651 | # Default: 19
1652 | #
1653 | #chargen_bind_port	19
1654 | 
1655 | 
1656 | #############################################################
1657 | # Service Finger
1658 | #############################################################
1659 | 
1660 | #########################################
1661 | # finger_bind_port
1662 | #
1663 | # Port number to bind finger service to
1664 | #
1665 | # Syntax: finger_bind_port <port number>
1666 | #
1667 | # Default: 79
1668 | #
1669 | #finger_bind_port	79
1670 | 
1671 | 
1672 | #############################################################
1673 | # Service Ident
1674 | #############################################################
1675 | 
1676 | #########################################
1677 | # ident_bind_port
1678 | #
1679 | # Port number to bind ident service to
1680 | #
1681 | # Syntax: ident_bind_port <port number>
1682 | #
1683 | # Default: 113
1684 | #
1685 | #ident_bind_port	113
1686 | 
1687 | 
1688 | #############################################################
1689 | # Service Syslog
1690 | #############################################################
1691 | 
1692 | #########################################
1693 | # syslog_bind_port
1694 | #
1695 | # Port number to bind syslog service to
1696 | #
1697 | # Syntax: syslog_bind_port <port number>
1698 | #
1699 | # Default: 514
1700 | #
1701 | #syslog_bind_port	514
1702 | 
1703 | 
1704 | #########################################
1705 | # syslog_trim_maxlength
1706 | #
1707 | # Chop syslog messages at 1024 bytes.
1708 | #
1709 | # Syntax: syslog_trim_maxlength [yes|no]
1710 | #
1711 | # Default: no
1712 | #
1713 | #syslog_trim_maxlength		yes
1714 | 
1715 | 
1716 | #########################################
1717 | # syslog_accept_invalid
1718 | #
1719 | # Accept invalid syslog messages.
1720 | #
1721 | # Syntax: syslog_accept_invalid [yes|no]
1722 | #
1723 | # Default: no
1724 | #
1725 | #syslog_accept_invalid		yes
1726 | 
1727 | 
1728 | #############################################################
1729 | # Service Dummy
1730 | #############################################################
1731 | 
1732 | #########################################
1733 | # dummy_bind_port
1734 | #
1735 | # Port number to bind dummy service to
1736 | #
1737 | # Syntax: dummy_bind_port <port number>
1738 | #
1739 | # Default: 1
1740 | #
1741 | #dummy_bind_port	1
1742 | 
1743 | 
1744 | #########################################
1745 | # dummy_banner
1746 | #
1747 | # Banner string sent to client if no data has been
1748 | # received for 'dummy_banner_wait' seconds since
1749 | # the client has established the connection.
1750 | # If set to an empty string (""), only CRLF will be sent.
1751 | # This option only takes effect if 'dummy_banner_wait'
1752 | # is not set to '0'.
1753 | #
1754 | # Syntax: dummy_banner <string>
1755 | #
1756 | # Default: "220 ESMTP FTP +OK POP3 200 OK"
1757 | #
1758 | #dummy_banner		""
1759 | 
1760 | 
1761 | #########################################
1762 | # dummy_banner_wait
1763 | #
1764 | # Number of seconds to wait for client sending any data
1765 | # after establishing a new connection.
1766 | # If no data has been received within this amount of time,
1767 | # 'dummy_banner' will be sent to the client.
1768 | # Setting to '0' disables sending of a banner string.
1769 | #
1770 | # Syntax: dummy_banner_wait [0..600]
1771 | #
1772 | # Default: 5
1773 | #
1774 | #dummy_banner_wait	3
1775 | 
1776 | 
1777 | #############################################################
1778 | # Redirect
1779 | #############################################################
1780 | 
1781 | #########################################
1782 | # redirect_enabled
1783 | #
1784 | # Turn connection redirection on or off.
1785 | #
1786 | # Syntax: redirect_enabled [yes|no]
1787 | #
1788 | # Default: no
1789 | #
1790 | #redirect_enabled	yes
1791 | 
1792 | 
1793 | #########################################
1794 | # redirect_unknown_services
1795 | #
1796 | # Redirect connection attempts to unbound ports
1797 | # to dummy service
1798 | #
1799 | # Syntax: redirect_unknown_services [yes|no]
1800 | #
1801 | # Default: yes
1802 | #
1803 | #redirect_unknown_services	no
1804 | 
1805 | 
1806 | #########################################
1807 | # redirect_external_address
1808 | #
1809 | # IP address used as source address if INetSim
1810 | # acts as a router for redirecting packets to
1811 | # external networks.
1812 | # This option only takes effect if static rules
1813 | # for redirecting packets to external networks
1814 | # are defined (see 'redirect_static_rule' below).
1815 | #
1816 | # Syntax: redirect_external_address <IP address>
1817 | #
1818 | # Default: none
1819 | #
1820 | redirect_external_address	10.10.10.1
1821 | 
1822 | 
1823 | #########################################
1824 | # redirect_static_rule
1825 | #
1826 | # Static mappings for connection redirection.
1827 | # Note: Currently only protocols tcp, udp and icmp are supported.
1828 | #
1829 | # Syntax: redirect_static_rule tcp|udp <IP address:port>      <IP address:port>
1830 | #         redirect_static_rule tcp|udp <IP address:>          <IP address:>
1831 | #         redirect_static_rule tcp|udp <:port>                <IP address:>
1832 | #         redirect_static_rule tcp|udp <:port>                <:port>
1833 | #         redirect_static_rule icmp    <IP address:icmp-type> <IP address>
1834 | #         redirect_static_rule icmp    <IP address:>          <IP address>
1835 | #         redirect_static_rule icmp    <:icmp-type>           <IP address>
1836 | #
1837 | # Default: none 
1838 | #
1839 | # Examples:
1840 | #
1841 | # WWW caching service
1842 | #redirect_static_rule	tcp             :8080			:80
1843 | #
1844 | # Submission [RFC4409]
1845 | #redirect_static_rule	tcp             :587			:25
1846 | #
1847 | # Echo-Request [RFC792]
1848 | #redirect_static_rule	icmp 10.10.10.20:echo-request	10.1.0.25
1849 | #
1850 | # Redirection based on IP address and/or port:
1851 | #redirect_static_rule	tcp	10.10.10.55:88  	 10.10.10.1:80
1852 | #redirect_static_rule	tcp	           :99  	192.168.1.1:25
1853 | #redirect_static_rule	tcp	10.10.10.20:    	 172.16.1.2:
1854 | 
1855 | 
1856 | #########################################
1857 | # redirect_change_ttl
1858 | #
1859 | # Change the time-to-live header field to a random value
1860 | # in outgoing IP packets.
1861 | #
1862 | # Syntax: redirect_change_ttl [yes|no]
1863 | #
1864 | # Default: no
1865 | #
1866 | #redirect_change_ttl	yes
1867 | 
1868 | 
1869 | #########################################
1870 | # redirect_exclude_port
1871 | #
1872 | # Connections to <service_bind_address> on this port
1873 | # are not redirected
1874 | #
1875 | # Syntax: redirect_exclude_port <protocol:port>
1876 | #
1877 | # Default: none
1878 | #
1879 | redirect_exclude_port		tcp:22
1880 | #redirect_exclude_port		udp:111
1881 | 
1882 | 
1883 | #########################################
1884 | # redirect_ignore_bootp
1885 | #
1886 | # If set to 'yes', BOOTP (DHCP) broadcasts will not be redirected
1887 | # (UDP packets with source address 0.0.0.0, port 68 and
1888 | # destination address 255.255.255.255, port 67 or vice versa)
1889 | #
1890 | # Syntax: redirect_ignore_bootp [yes|no]
1891 | #
1892 | # Default: no
1893 | #
1894 | #redirect_ignore_bootp		yes
1895 | 
1896 | 
1897 | #########################################
1898 | # redirect_ignore_netbios
1899 | #
1900 | # If set to 'yes', NetBIOS broadcasts will not be redirected
1901 | # (UDP packets with source/destination port 137/138
1902 | # and destination address x.x.x.255 on the local network)
1903 | #
1904 | # Syntax: redirect_ignore_netbios [yes|no]
1905 | #
1906 | # Default: no
1907 | #
1908 | #redirect_ignore_netbios	yes
1909 | 
1910 | 
1911 | #########################################
1912 | # redirect_icmp_timestamp
1913 | #
1914 | # If set to 'ms', ICMP Timestamp requests will be answered
1915 | # with number of milliseconds since midnight UTC according
1916 | # to faketime.
1917 | # If set to 'sec', ICMP Timestamp requests will be answered
1918 | # with number of seconds since epoch (high order bit of the
1919 | # timestamp will be set to indicate non-standard value).
1920 | # Setting to 'no' disables manipulation of ICMP Timestamp
1921 | # requests.
1922 | #
1923 | # Syntax: redirect_icmp_timestamp [ms|sec|no]
1924 | #
1925 | # Default: ms
1926 | #
1927 | #redirect_icmp_timestamp	sec
1928 | 
1929 | 
1930 | #############################################################
1931 | # End of INetSim configuration file
1932 | #############################################################
1933 | 


--------------------------------------------------------------------------------
/gen-configs/suricata-cuckoo.yaml:
--------------------------------------------------------------------------------
   1 | %YAML 1.1
   2 | ---
   3 | 
   4 | 
   5 | host-mode: auto
   6 | 
   7 | default-log-dir: /var/log/suricata/
   8 | 
   9 | unix-command:
  10 |   enabled: no
  11 |   
  12 | stats:
  13 |   enabled: yes
  14 |   interval: 8
  15 | 
  16 | outputs:
  17 | 
  18 |   - fast:
  19 |       enabled: no
  20 |       filename: fast.log
  21 |       append: yes
  22 |       
  23 |   - eve-log:
  24 |       enabled: yes
  25 |       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
  26 |       filename: eve.json
  27 |       
  28 |       types:
  29 |         - alert:
  30 |             
  31 |             xff:
  32 |               enabled: no
  33 |               mode: extra-data
  34 |               deployment: reverse
  35 |               header: X-Forwarded-For
  36 |         - http:
  37 |             extended: yes     # enable this for extended logging information
  38 |         - tls:
  39 |             extended: yes     # enable this for extended logging information
  40 |         - files:
  41 |             force-magic: no   # force logging magic on all logged files
  42 |             force-md5: no     # force logging of md5 checksums
  43 |         - stats:
  44 |             totals: yes       # stats for all threads merged together
  45 |             threads: no       # per thread stats
  46 |             deltas: no        # include delta values
  47 | 
  48 |   - unified2-alert:
  49 |       enabled: no
  50 |       filename: unified2.alert
  51 |       xff:
  52 |         enabled: no
  53 |         mode: extra-data
  54 |         deployment: reverse
  55 |         header: X-Forwarded-For
  56 | 
  57 |   - http-log:
  58 |       enabled: yes
  59 |       filename: http.log
  60 |       append: yes
  61 | 
  62 |   - tls-log:
  63 |       enabled: no  # Log TLS connections.
  64 |       filename: tls.log # File to store TLS logs.
  65 |       append: yes
  66 | 
  67 |   - tls-store:
  68 |       enabled: no
  69 | 
  70 |   - dns-log:
  71 |       enabled: no
  72 |       filename: dns.log
  73 |       append: yes
  74 | 
  75 |   - pcap-log:
  76 |       enabled:  no
  77 |       filename: log.pcap
  78 | 
  79 |       limit: 1000mb
  80 | 
  81 |       max-files: 2000
  82 | 
  83 |       mode: normal # normal, multi or sguil.
  84 | 
  85 |       use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
  86 |       honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
  87 | 
  88 |   - alert-debug:
  89 |       enabled: no
  90 |       filename: alert-debug.log
  91 |       append: yes
  92 | 
  93 |   - alert-prelude:
  94 |       enabled: no
  95 |       profile: suricata
  96 |       log-packet-content: no
  97 |       log-packet-header: yes
  98 | 
  99 |   - stats:
 100 |       enabled: yes
 101 |       filename: stats.log
 102 |       totals: yes       # stats for all threads merged together
 103 |       threads: no       # per thread stats
 104 | 
 105 |   - syslog:
 106 |       enabled: no
 107 | 
 108 |       facility: local5
 109 | 
 110 |   - drop:
 111 |       enabled: no
 112 |       filename: drop.log
 113 |       append: yes
 114 | 
 115 |   - file-store:
 116 |       enabled: yes       # set to yes to enable
 117 |       log-dir: files     # directory to store the files
 118 |       force-magic: yes   # force logging magic on all stored files
 119 |       force-md5: yes     # force logging of md5 checksums
 120 | 
 121 |   - file-log:
 122 |       enabled: yes
 123 |       filename: files-json.log
 124 |       append: yes
 125 | 
 126 |       force-magic: no   # force logging magic on all logged files
 127 |       force-md5: no     # force logging of md5 checksums
 128 | 
 129 | 
 130 |   - tcp-data:
 131 |       enabled: no
 132 |       type: file
 133 |       filename: tcp-data.log
 134 | 
 135 | 
 136 |   - http-body-data:
 137 |       enabled: no
 138 |       type: file
 139 |       filename: http-data.log
 140 | 
 141 |   - lua:
 142 |       enabled: no
 143 |       #scripts-dir: /etc/suricata/lua-output/
 144 |       scripts:
 145 | 
 146 | magic-file: /usr/share/file/magic
 147 | 
 148 | 
 149 | nfq:
 150 | 
 151 | nflog:
 152 | 
 153 |   - group: 2
 154 |     # netlink buffer size
 155 |     buffer-size: 18432
 156 |     # put default value here
 157 |   - group: default
 158 |     # set number of packet to queue inside kernel
 159 |     qthreshold: 1
 160 |     # set the delay before flushing packet in the queue inside kernel
 161 |     qtimeout: 100
 162 |     # netlink max buffer size
 163 |     max-size: 20000
 164 | 
 165 | # af-packet support
 166 | # Set threads to > 1 to use PACKET_FANOUT support
 167 | af-packet:
 168 |   - interface: eth0
 169 |     # Number of receive threads. "auto" uses the number of cores
 170 |     threads: auto
 171 |     # Default clusterid.  AF_PACKET will load balance packets based on flow.
 172 |     # All threads/processes that will participate need to have the same
 173 |     # clusterid.
 174 |     cluster-id: 99
 175 |     # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
 176 |     # This is only supported for Linux kernel > 3.1
 177 |     # possible value are:
 178 |     #  * cluster_round_robin: round robin load balancing
 179 |     #  * cluster_flow: all packets of a given flow are send to the same socket
 180 |     #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
 181 |     #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
 182 |     #  socket. Requires at least Linux 3.14.
 183 |     #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
 184 |     #  Requires at least Linux 3.14.
 185 |     #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
 186 |     #  to the next. Requires at least Linux 3.10.
 187 |     # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
 188 |     # with capture card using RSS (require cpu affinity tuning and system irq tuning)
 189 |     cluster-type: cluster_flow
 190 |     # In some fragmentation case, the hash can not be computed. If "defrag" is set
 191 |     # to yes, the kernel will do the needed defragmentation before sending the packets.
 192 |     defrag: yes
 193 |     # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
 194 |     # full then kernel will send the packet on the next socket with room available. This option
 195 |     # can minimize packet drop and increase the treated bandwith on single intensive flow.
 196 |     #rollover: yes
 197 |     # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
 198 |     use-mmap: yes
 199 |     # Ring size will be computed with respect to max_pending_packets and number
 200 |     # of threads. You can set manually the ring size in number of packets by setting
 201 |     # the following value. If you are using flow cluster-type and have really network
 202 |     # intensive single-flow you could want to set the ring-size independantly of the number
 203 |     # of threads:
 204 |     #ring-size: 2048
 205 |     # On busy system, this could help to set it to yes to recover from a packet drop
 206 |     # phase. This will result in some packets (at max a ring flush) being non treated.
 207 |     #use-emergency-flush: yes
 208 |     # recv buffer size, increase value could improve performance
 209 |     # buffer-size: 32768
 210 |     # Set to yes to disable promiscuous mode
 211 |     # disable-promisc: no
 212 |     # Choose checksum verification mode for the interface. At the moment
 213 |     # of the capture, some packets may be with an invalid checksum due to
 214 |     # offloading to the network card of the checksum computation.
 215 |     # Possible values are:
 216 |     #  - kernel: use indication sent by kernel for each packet (default)
 217 |     #  - yes: checksum validation is forced
 218 |     #  - no: checksum validation is disabled
 219 |     #  - auto: suricata uses a statistical approach to detect when
 220 |     #  checksum off-loading is used.
 221 |     # Warning: 'checksum-validation' must be set to yes to have any validation
 222 |     #checksum-checks: kernel
 223 |     # BPF filter to apply to this interface. The pcap filter syntax apply here.
 224 |     #bpf-filter: port 80 or udp
 225 |     # You can use the following variables to activate AF_PACKET tap od IPS mode.
 226 |     # If copy-mode is set to ips or tap, the traffic coming to the current
 227 |     # interface will be copied to the copy-iface interface. If 'tap' is set, the
 228 |     # copy is complete. If 'ips' is set, the packet matching a 'drop' action
 229 |     # will not be copied.
 230 |     #copy-mode: ips
 231 |     #copy-iface: eth1
 232 |   - interface: eth1
 233 |     threads: auto
 234 |     cluster-id: 98
 235 |     cluster-type: cluster_flow
 236 |     defrag: yes
 237 |     # buffer-size: 32768
 238 |     # disable-promisc: no
 239 |   # Put default values here
 240 |   - interface: default
 241 |     #threads: auto
 242 |     #use-mmap: yes
 243 |     #rollover: yes
 244 | 
 245 | # Netmap support
 246 | #
 247 | # Netmap operates with NIC directly in driver, so you need FreeBSD wich have
 248 | # built-in netmap support or compile and install netmap module and appropriate
 249 | # NIC driver on your Linux system.
 250 | # To reach maximum throughput disable all receive-, segmentation-,
 251 | # checksum- offloadings on NIC.
 252 | # Disabling Tx checksum offloading is *required* for connecting OS endpoint
 253 | # with NIC endpoint.
 254 | # You can find more information at https://github.com/luigirizzo/netmap
 255 | #
 256 | netmap:
 257 |    # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
 258 |  - interface: eth2
 259 |    # Number of receive threads. "auto" uses number of RSS queues on interface.
 260 |    threads: auto
 261 |    # You can use the following variables to activate netmap tap or IPS mode.
 262 |    # If copy-mode is set to ips or tap, the traffic coming to the current
 263 |    # interface will be copied to the copy-iface interface. If 'tap' is set, the
 264 |    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
 265 |    # will not be copied.
 266 |    # To specify the OS as the copy-iface (so the OS can route packets, or forward
 267 |    # to a service running on the same machine) add a plus sign at the end
 268 |    # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
 269 |    # for return packets. Hardware checksumming must be *off* on the interface if
 270 |    # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD
 271 |    # or 'ethtool -K eth0 tx off rx off' for Linux).
 272 |    #copy-mode: tap
 273 |    #copy-iface: eth3
 274 |    # Set to yes to disable promiscuous mode
 275 |    # disable-promisc: no
 276 |    # Choose checksum verification mode for the interface. At the moment
 277 |    # of the capture, some packets may be with an invalid checksum due to
 278 |    # offloading to the network card of the checksum computation.
 279 |    # Possible values are:
 280 |    #  - yes: checksum validation is forced
 281 |    #  - no: checksum validation is disabled
 282 |    #  - auto: suricata uses a statistical approach to detect when
 283 |    #  checksum off-loading is used.
 284 |    # Warning: 'checksum-validation' must be set to yes to have any validation
 285 |    #checksum-checks: auto
 286 |    # BPF filter to apply to this interface. The pcap filter syntax apply here.
 287 |    #bpf-filter: port 80 or udp
 288 |  #- interface: eth3
 289 |    #threads: auto
 290 |    #copy-mode: tap
 291 |    #copy-iface: eth2
 292 |    # Put default values here
 293 |  - interface: default
 294 | 
 295 | legacy:
 296 |   uricontent: enabled
 297 | 
 298 | # You can specify a threshold config file by setting "threshold-file"
 299 | # to the path of the threshold config file:
 300 | # threshold-file: /etc/suricata/threshold.config
 301 | 
 302 | # The detection engine builds internal groups of signatures. The engine
 303 | # allow us to specify the profile to use for them, to manage memory on an
 304 | # efficient way keeping a good performance. For the profile keyword you
 305 | # can use the words "low", "medium", "high" or "custom". If you use custom
 306 | # make sure to define the values at "- custom-values" as your convenience.
 307 | # Usually you would prefer medium/high/low.
 308 | #
 309 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for
 310 | # the signature groups.  "single" indicates the use of a single context for
 311 | # all the signature group heads.  "full" indicates a mpm-context for each
 312 | # group head.  "auto" lets the engine decide the distribution of contexts
 313 | # based on the information the engine gathers on the patterns from each
 314 | # group head.
 315 | #
 316 | # The option inspection-recursion-limit is used to limit the recursive calls
 317 | # in the content inspection code.  For certain payload-sig combinations, we
 318 | # might end up taking too much time in the content inspection code.
 319 | # If the argument specified is 0, the engine uses an internally defined
 320 | # default limit.  On not specifying a value, we use no limits on the recursion.
 321 | detect-engine:
 322 |   - profile: medium
 323 |   - custom-values:
 324 |       toclient-src-groups: 2
 325 |       toclient-dst-groups: 2
 326 |       toclient-sp-groups: 2
 327 |       toclient-dp-groups: 3
 328 |       toserver-src-groups: 2
 329 |       toserver-dst-groups: 4
 330 |       toserver-sp-groups: 2
 331 |       toserver-dp-groups: 25
 332 |   - sgh-mpm-context: auto
 333 |   - inspection-recursion-limit: 3000
 334 |   # If set to yes, the loading of signatures will be made after the capture
 335 |   # is started. This will limit the downtime in IPS mode.
 336 |   #- delayed-detect: yes
 337 | 
 338 | # Suricata is multi-threaded. Here the threading can be influenced.
 339 | threading:
 340 |   # On some cpu's/architectures it is beneficial to tie individual threads
 341 |   # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
 342 |   # and each extra CPU/core has one "detect" thread.
 343 |   #
 344 |   # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
 345 |   #
 346 |   set-cpu-affinity: no
 347 |   # Tune cpu affinity of suricata threads. Each family of threads can be bound
 348 |   # on specific CPUs.
 349 |   cpu-affinity:
 350 |     - management-cpu-set:
 351 |         cpu: [ 0 ]  # include only these cpus in affinity settings
 352 |     - receive-cpu-set:
 353 |         cpu: [ 0 ]  # include only these cpus in affinity settings
 354 |     - decode-cpu-set:
 355 |         cpu: [ 0, 1 ]
 356 |         mode: "balanced"
 357 |     - stream-cpu-set:
 358 |         cpu: [ "0-1" ]
 359 |     - detect-cpu-set:
 360 |         cpu: [ "all" ]
 361 |         mode: "exclusive" # run detect threads in these cpus
 362 |         # Use explicitely 3 threads and don't compute number by using
 363 |         # detect-thread-ratio variable:
 364 |         # threads: 3
 365 |         prio:
 366 |           low: [ 0 ]
 367 |           medium: [ "1-2" ]
 368 |           high: [ 3 ]
 369 |           default: "medium"
 370 |     - verdict-cpu-set:
 371 |         cpu: [ 0 ]
 372 |         prio:
 373 |           default: "high"
 374 |     - reject-cpu-set:
 375 |         cpu: [ 0 ]
 376 |         prio:
 377 |           default: "low"
 378 |     - output-cpu-set:
 379 |         cpu: [ "all" ]
 380 |         prio:
 381 |            default: "medium"
 382 |   #
 383 |   # By default Suricata creates one "detect" thread per available CPU/CPU core.
 384 |   # This setting allows controlling this behaviour. A ratio setting of 2 will
 385 |   # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
 386 |   # will result in 4 detect threads. If values below 1 are used, less threads
 387 |   # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
 388 |   # thread being created. Regardless of the setting at a minimum 1 detect
 389 |   # thread will always be created.
 390 |   #
 391 |   detect-thread-ratio: 1.5
 392 | 
 393 | # Cuda configuration.
 394 | cuda:
 395 |   # The "mpm" profile.  On not specifying any of these parameters, the engine's
 396 |   # internal default values are used, which are same as the ones specified in
 397 |   # in the default conf file.
 398 |   mpm:
 399 |     # The minimum length required to buffer data to the gpu.
 400 |     # Anything below this is MPM'ed on the CPU.
 401 |     # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
 402 |     # A value of 0 indicates there's no limit.
 403 |     data-buffer-size-min-limit: 0
 404 |     # The maximum length for data that we would buffer to the gpu.
 405 |     # Anything over this is MPM'ed on the CPU.
 406 |     # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
 407 |     data-buffer-size-max-limit: 1500
 408 |     # The ring buffer size used by the CudaBuffer API to buffer data.
 409 |     cudabuffer-buffer-size: 500mb
 410 |     # The max chunk size that can be sent to the gpu in a single go.
 411 |     gpu-transfer-size: 50mb
 412 |     # The timeout limit for batching of packets in microseconds.
 413 |     batching-timeout: 2000
 414 |     # The device to use for the mpm.  Currently we don't support load balancing
 415 |     # on multiple gpus.  In case you have multiple devices on your system, you
 416 |     # can specify the device to use, using this conf.  By default we hold 0, to
 417 |     # specify the first device cuda sees.  To find out device-id associated with
 418 |     # the card(s) on the system run "suricata --list-cuda-cards".
 419 |     device-id: 0
 420 |     # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
 421 |     # For this option you need a device with Compute Capability > 1.0.
 422 |     cuda-streams: 2
 423 | 
 424 | # Select the multi pattern algorithm you want to run for scan/search the
 425 | # in the engine. The supported algorithms are b2g, b3g, wumanber,
 426 | # ac, ac-bs and ac-gfbs.
 427 | #
 428 | # The mpm you choose also decides the distribution of mpm contexts for
 429 | # signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
 430 | # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
 431 | # to be set to "single", because of ac's memory requirements, unless the
 432 | # ruleset is small enough to fit in one's memory, in which case one can
 433 | # use "full" with "ac".  Rest of the mpms can be run in "full" mode.
 434 | #
 435 | # There is also a CUDA pattern matcher (only available if Suricata was
 436 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your
 437 | # max-pending-packets setting above as well if you use b2g_cuda.
 438 | 
 439 | mpm-algo: ac
 440 | 
 441 | # The memory settings for hash size of these algorithms can vary from lowest
 442 | # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
 443 | # (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
 444 | # medium (1024) - high (2048).
 445 | #
 446 | # For B2g/B3g algorithms, there is a support for two different scan/search
 447 | # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
 448 | # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
 449 | # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
 450 | # B3gSearchBNDMq.
 451 | #
 452 | # For B2g the different scan/search algorithms and, hash and bloom
 453 | # filter size settings. For B3g the different scan/search algorithms and, hash
 454 | # and bloom filter size settings. For wumanber the hash and bloom filter size
 455 | # settings.
 456 | 
 457 | pattern-matcher:
 458 |   - b2g:
 459 |       search-algo: B2gSearchBNDMq
 460 |       hash-size: low
 461 |       bf-size: medium
 462 |   - b3g:
 463 |       search-algo: B3gSearchBNDMq
 464 |       hash-size: low
 465 |       bf-size: medium
 466 |   - wumanber:
 467 |       hash-size: low
 468 |       bf-size: medium
 469 | 
 470 | # Defrag settings:
 471 | 
 472 | defrag:
 473 |   memcap: 32mb
 474 |   hash-size: 65536
 475 |   trackers: 65535 # number of defragmented flows to follow
 476 |   max-frags: 65535 # number of fragments to keep (higher than trackers)
 477 |   prealloc: yes
 478 |   timeout: 60
 479 | 
 480 | # Enable defrag per host settings
 481 | #  host-config:
 482 | #
 483 | #    - dmz:
 484 | #        timeout: 30
 485 | #        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
 486 | #
 487 | #    - lan:
 488 | #        timeout: 45
 489 | #        address:
 490 | #          - 192.168.0.0/24
 491 | #          - 192.168.10.0/24
 492 | #          - 172.16.14.0/24
 493 | 
 494 | # Flow settings:
 495 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 496 | # for flow allocation inside the engine. You can change this value to allow
 497 | # more memory usage for flows.
 498 | # The hash-size determine the size of the hash used to identify flows inside
 499 | # the engine, and by default the value is 65536.
 500 | # At the startup, the engine can preallocate a number of flows, to get a better
 501 | # performance. The number of flows preallocated is 10000 by default.
 502 | # emergency-recovery is the percentage of flows that the engine need to
 503 | # prune before unsetting the emergency state. The emergency state is activated
 504 | # when the memcap limit is reached, allowing to create new flows, but
 505 | # prunning them with the emergency timeouts (they are defined below).
 506 | # If the memcap is reached, the engine will try to prune flows
 507 | # with the default timeouts. If it doens't find a flow to prune, it will set
 508 | # the emergency bit and it will try again with more agressive timeouts.
 509 | # If that doesn't work, then it will try to kill the last time seen flows
 510 | # not in use.
 511 | # The memcap can be specified in kb, mb, gb.  Just a number indicates it's
 512 | # in bytes.
 513 | 
 514 | flow:
 515 |   memcap: 64mb
 516 |   hash-size: 65536
 517 |   prealloc: 10000
 518 |   emergency-recovery: 30
 519 |   #managers: 1 # default to one flow manager
 520 |   #recyclers: 1 # default to one flow recycler thread
 521 | 
 522 | # This option controls the use of vlan ids in the flow (and defrag)
 523 | # hashing. Normally this should be enabled, but in some (broken)
 524 | # setups where both sides of a flow are not tagged with the same vlan
 525 | # tag, we can ignore the vlan id's in the flow hashing.
 526 | vlan:
 527 |   use-for-tracking: true
 528 | 
 529 | # Specific timeouts for flows. Here you can specify the timeouts that the
 530 | # active flows will wait to transit from the current state to another, on each
 531 | # protocol. The value of "new" determine the seconds to wait after a hanshake or
 532 | # stream startup before the engine free the data of that flow it doesn't
 533 | # change the state to established (usually if we don't receive more packets
 534 | # of that flow). The value of "established" is the amount of
 535 | # seconds that the engine will wait to free the flow if it spend that amount
 536 | # without receiving new packets or closing the connection. "closed" is the
 537 | # amount of time to wait after a flow is closed (usually zero).
 538 | #
 539 | # There's an emergency mode that will become active under attack circumstances,
 540 | # making the engine to check flow status faster. This configuration variables
 541 | # use the prefix "emergency-" and work similar as the normal ones.
 542 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and
 543 | # icmp.
 544 | 
 545 | flow-timeouts:
 546 | 
 547 |   default:
 548 |     new: 30
 549 |     established: 300
 550 |     closed: 0
 551 |     emergency-new: 10
 552 |     emergency-established: 100
 553 |     emergency-closed: 0
 554 |   tcp:
 555 |     new: 60
 556 |     established: 3600
 557 |     closed: 120
 558 |     emergency-new: 10
 559 |     emergency-established: 300
 560 |     emergency-closed: 20
 561 |   udp:
 562 |     new: 30
 563 |     established: 300
 564 |     emergency-new: 10
 565 |     emergency-established: 100
 566 |   icmp:
 567 |     new: 30
 568 |     established: 300
 569 |     emergency-new: 10
 570 |     emergency-established: 100
 571 | 
 572 | # Stream engine settings. Here the TCP stream tracking and reassembly
 573 | # engine is configured.
 574 | #
 575 | # stream:
 576 | #   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
 577 | #                               # number indicates it's in bytes.
 578 | #   checksum-validation: yes    # To validate the checksum of received
 579 | #                               # packet. If csum validation is specified as
 580 | #                               # "yes", then packet with invalid csum will not
 581 | #                               # be processed by the engine stream/app layer.
 582 | #                               # Warning: locally generated trafic can be
 583 | #                               # generated without checksum due to hardware offload
 584 | #                               # of checksum. You can control the handling of checksum
 585 | #                               # on a per-interface basis via the 'checksum-checks'
 586 | #                               # option
 587 | #   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
 588 | #   midstream: false            # don't allow midstream session pickups
 589 | #   async-oneside: false        # don't enable async stream handling
 590 | #   inline: no                  # stream inline mode
 591 | #   max-synack-queued: 5        # Max different SYN/ACKs to queue
 592 | #
 593 | #   reassembly:
 594 | #     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
 595 | #                               # indicates it's in bytes.
 596 | #     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
 597 | #                               # indicates it's in bytes.
 598 | #     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
 599 | #                               # this size.  Can be specified in kb, mb,
 600 | #                               # gb.  Just a number indicates it's in bytes.
 601 | #                               # The max acceptable size is 4024 bytes.
 602 | #     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
 603 | #                               # this size.  Can be specified in kb, mb,
 604 | #                               # gb.  Just a number indicates it's in bytes.
 605 | #                               # The max acceptable size is 4024 bytes.
 606 | #     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
 607 | #                               # This lower the risk of some evasion technics but could lead
 608 | #                               # detection change between runs. It is set to 'yes' by default.
 609 | #     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
 610 | #                               # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
 611 | #                               # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
 612 | #                               # of randomize-chunk-range is 10.
 613 | #
 614 | #     raw: yes                  # 'Raw' reassembly enabled or disabled.
 615 | #                               # raw is for content inspection by detection
 616 | #                               # engine.
 617 | #
 618 | #     chunk-prealloc: 250       # Number of preallocated stream chunks. These
 619 | #                               # are used during stream inspection (raw).
 620 | #     segments:                 # Settings for reassembly segment pool.
 621 | #       - size: 4               # Size of the (data)segment for a pool
 622 | #         prealloc: 256         # Number of segments to prealloc and keep
 623 | #                               # in the pool.
 624 | #     zero-copy-size: 128       # This option sets in bytes the value at
 625 | #                               # which segment data is passed to the app
 626 | #                               # layer API directly. Data sizes equal to
 627 | #                               # and higher than the value set are passed
 628 | #                               # on directly.
 629 | #
 630 | stream:
 631 |   memcap: 32mb
 632 |   checksum-validation: yes      # reject wrong csums
 633 |   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
 634 |   reassembly:
 635 |     memcap: 128mb
 636 |     depth: 0
 637 |     toserver-chunk-size: 2560
 638 |     toclient-chunk-size: 2560
 639 |     randomize-chunk-size: yes
 640 |     #randomize-chunk-range: 10
 641 |     #raw: yes
 642 |     #chunk-prealloc: 250
 643 |     #segments:
 644 |     #  - size: 4
 645 |     #    prealloc: 256
 646 |     #  - size: 16
 647 |     #    prealloc: 512
 648 |     #  - size: 112
 649 |     #    prealloc: 512
 650 |     #  - size: 248
 651 |     #    prealloc: 512
 652 |     #  - size: 512
 653 |     #    prealloc: 512
 654 |     #  - size: 768
 655 |     #    prealloc: 1024
 656 |     #  - size: 1448
 657 |     #    prealloc: 1024
 658 |     #  - size: 65535
 659 |     #    prealloc: 128
 660 |     #zero-copy-size: 128
 661 | 
 662 | # Host table:
 663 | #
 664 | # Host table is used by tagging and per host thresholding subsystems.
 665 | #
 666 | host:
 667 |   hash-size: 4096
 668 |   prealloc: 1000
 669 |   memcap: 16777216
 670 | 
 671 | # IP Pair table:
 672 | #
 673 | # Used by xbits 'ippair' tracking.
 674 | #
 675 | #ippair:
 676 | #  hash-size: 4096
 677 | #  prealloc: 1000
 678 | #  memcap: 16777216
 679 | 
 680 | # Logging configuration.  This is not about logging IDS alerts, but
 681 | # IDS output about what its doing, errors, etc.
 682 | logging:
 683 | 
 684 |   # The default log level, can be overridden in an output section.
 685 |   # Note that debug level logging will only be emitted if Suricata was
 686 |   # compiled with the --enable-debug configure option.
 687 |   #
 688 |   # This value is overriden by the SC_LOG_LEVEL env var.
 689 |   default-log-level: notice
 690 | 
 691 |   # The default output format.  Optional parameter, should default to
 692 |   # something reasonable if not provided.  Can be overriden in an
 693 |   # output section.  You can leave this out to get the default.
 694 |   #
 695 |   # This value is overriden by the SC_LOG_FORMAT env var.
 696 |   #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
 697 | 
 698 |   # A regex to filter output.  Can be overridden in an output section.
 699 |   # Defaults to empty (no filter).
 700 |   #
 701 |   # This value is overriden by the SC_LOG_OP_FILTER env var.
 702 |   default-output-filter:
 703 | 
 704 |   # Define your logging outputs.  If none are defined, or they are all
 705 |   # disabled you will get the default - console output.
 706 |   outputs:
 707 |   - console:
 708 |       enabled: yes
 709 |       # type: json
 710 |   - file:
 711 |       enabled: no
 712 |       filename: /var/log/suricata/suricata.log
 713 |       # type: json
 714 |   - syslog:
 715 |       enabled: no
 716 |       facility: local5
 717 |       format: "[%i] <%d> -- "
 718 |       # type: json
 719 | 
 720 | # Tilera mpipe configuration. for use on Tilera TILE-Gx.
 721 | mpipe:
 722 | 
 723 |   # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
 724 |   load-balance: dynamic
 725 | 
 726 |   # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
 727 |   iqueue-packets: 2048
 728 | 
 729 |   # List of interfaces we will listen on.
 730 |   inputs:
 731 |   - interface: xgbe2
 732 |   - interface: xgbe3
 733 |   - interface: xgbe4
 734 | 
 735 | 
 736 |   # Relative weight of memory for packets of each mPipe buffer size.
 737 |   stack:
 738 |     size128: 0
 739 |     size256: 9
 740 |     size512: 0
 741 |     size1024: 0
 742 |     size1664: 7
 743 |     size4096: 0
 744 |     size10386: 0
 745 |     size16384: 0
 746 | 
 747 | # PF_RING configuration. for use with native PF_RING support
 748 | # for more info see http://www.ntop.org/products/pf_ring/
 749 | pfring:
 750 |   - interface: eth0
 751 |     # Number of receive threads (>1 will enable experimental flow pinned
 752 |     # runmode)
 753 |     threads: 1
 754 | 
 755 |     # Default clusterid.  PF_RING will load balance packets based on flow.
 756 |     # All threads/processes that will participate need to have the same
 757 |     # clusterid.
 758 |     cluster-id: 99
 759 | 
 760 |     # Default PF_RING cluster type. PF_RING can load balance per flow.
 761 |     # Possible values are cluster_flow or cluster_round_robin.
 762 |     cluster-type: cluster_flow
 763 |     # bpf filter for this interface
 764 |     #bpf-filter: tcp
 765 |     # Choose checksum verification mode for the interface. At the moment
 766 |     # of the capture, some packets may be with an invalid checksum due to
 767 |     # offloading to the network card of the checksum computation.
 768 |     # Possible values are:
 769 |     #  - rxonly: only compute checksum for packets received by network card.
 770 |     #  - yes: checksum validation is forced
 771 |     #  - no: checksum validation is disabled
 772 |     #  - auto: suricata uses a statistical approach to detect when
 773 |     #  checksum off-loading is used. (default)
 774 |     # Warning: 'checksum-validation' must be set to yes to have any validation
 775 |     #checksum-checks: auto
 776 |   # Second interface
 777 |   #- interface: eth1
 778 |   #  threads: 3
 779 |   #  cluster-id: 93
 780 |   #  cluster-type: cluster_flow
 781 |   # Put default values here
 782 |   - interface: default
 783 |     #threads: 2
 784 | 
 785 | pcap:
 786 |   - interface: eth0
 787 |     # On Linux, pcap will try to use mmaped capture and will use buffer-size
 788 |     # as total of memory used by the ring. So set this to something bigger
 789 |     # than 1% of your bandwidth.
 790 |     #buffer-size: 16777216
 791 |     #bpf-filter: "tcp and port 25"
 792 |     # Choose checksum verification mode for the interface. At the moment
 793 |     # of the capture, some packets may be with an invalid checksum due to
 794 |     # offloading to the network card of the checksum computation.
 795 |     # Possible values are:
 796 |     #  - yes: checksum validation is forced
 797 |     #  - no: checksum validation is disabled
 798 |     #  - auto: suricata uses a statistical approach to detect when
 799 |     #  checksum off-loading is used. (default)
 800 |     # Warning: 'checksum-validation' must be set to yes to have any validation
 801 |     #checksum-checks: auto
 802 |     # With some accelerator cards using a modified libpcap (like myricom), you
 803 |     # may want to have the same number of capture threads as the number of capture
 804 |     # rings. In this case, set up the threads variable to N to start N threads
 805 |     # listening on the same interface.
 806 |     #threads: 16
 807 |     # set to no to disable promiscuous mode:
 808 |     #promisc: no
 809 |     # set snaplen, if not set it defaults to MTU if MTU can be known
 810 |     # via ioctl call and to full capture if not.
 811 |     #snaplen: 1518
 812 |   # Put default values here
 813 |   - interface: default
 814 |     #checksum-checks: auto
 815 | 
 816 | pcap-file:
 817 |   # Possible values are:
 818 |   #  - yes: checksum validation is forced
 819 |   #  - no: checksum validation is disabled
 820 |   #  - auto: suricata uses a statistical approach to detect when
 821 |   #  checksum off-loading is used. (default)
 822 |   # Warning: 'checksum-validation' must be set to yes to have checksum tested
 823 |   checksum-checks: auto
 824 | 
 825 | # For FreeBSD ipfw(8) divert(4) support.
 826 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
 827 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules.
 828 | # Additionally, you need to have an ipfw rule for the engine to see
 829 | # the packets from ipfw.  For Example:
 830 | #
 831 | #   ipfw add 100 divert 8000 ip from any to any
 832 | #
 833 | # The 8000 above should be the same number you passed on the command
 834 | # line, i.e. -d 8000
 835 | #
 836 | ipfw:
 837 | 
 838 |   # Reinject packets at the specified ipfw rule number.  This config
 839 |   # option is the ipfw rule number AT WHICH rule processing continues
 840 |   # in the ipfw processing system after the engine has finished
 841 |   # inspecting the packet for acceptance.  If no rule number is specified,
 842 |   # accepted packets are reinjected at the divert rule which they entered
 843 |   # and IPFW rule processing continues.  No check is done to verify
 844 |   # this will rule makes sense so care must be taken to avoid loops in ipfw.
 845 |   #
 846 |   ## The following example tells the engine to reinject packets
 847 |   # back into the ipfw firewall AT rule number 5500:
 848 |   #
 849 |   # ipfw-reinjection-rule-number: 5500
 850 | 
 851 | # Set the default rule path here to search for the files.
 852 | # if not set, it will look at the current working dir
 853 | default-rule-path: /etc/suricata/rules
 854 | rule-files:
 855 |  - botcc.rules
 856 |  - ciarmy.rules
 857 |  - compromised.rules
 858 |  - cuckoo.rules
 859 |  - drop.rules
 860 |  - dshield.rules
 861 |  - emerging-activex.rules
 862 |  - emerging-attack_response.rules
 863 |  - emerging-chat.rules
 864 |  - emerging-current_events.rules
 865 |  - emerging-dns.rules
 866 |  - emerging-dos.rules
 867 |  - emerging-exploit.rules
 868 |  - emerging-ftp.rules
 869 |  - emerging-games.rules
 870 |  - emerging-icmp_info.rules
 871 | # - emerging-icmp.rules
 872 |  - emerging-imap.rules
 873 |  - emerging-inappropriate.rules
 874 |  - emerging-malware.rules
 875 |  - emerging-misc.rules
 876 |  - emerging-mobile_malware.rules
 877 |  - emerging-netbios.rules
 878 |  - emerging-p2p.rules
 879 |  - emerging-policy.rules
 880 |  - emerging-pop3.rules
 881 |  - emerging-rpc.rules
 882 |  - emerging-scada.rules
 883 |  - emerging-scan.rules
 884 |  - emerging-shellcode.rules
 885 |  - emerging-smtp.rules
 886 |  - emerging-snmp.rules
 887 |  - emerging-sql.rules
 888 |  - emerging-telnet.rules
 889 |  - emerging-tftp.rules
 890 |  - emerging-trojan.rules
 891 |  - emerging-user_agents.rules
 892 |  - emerging-voip.rules
 893 |  - emerging-web_client.rules
 894 |  - emerging-web_server.rules
 895 |  - emerging-web_specific_apps.rules
 896 |  - emerging-worm.rules
 897 |  - tor.rules
 898 |  - decoder-events.rules # available in suricata sources under rules dir
 899 |  - stream-events.rules  # available in suricata sources under rules dir
 900 |  - http-events.rules    # available in suricata sources under rules dir
 901 |  - smtp-events.rules    # available in suricata sources under rules dir
 902 |  - dns-events.rules     # available in suricata sources under rules dir
 903 |  - tls-events.rules     # available in suricata sources under rules dir
 904 | # - modbus-events.rules  # available in suricata sources under rules dir
 905 |  - app-layer-events.rules  # available in suricata sources under rules dir
 906 | 
 907 | classification-file: /etc/suricata/classification.config
 908 | reference-config-file: /etc/suricata/reference.config
 909 | 
 910 | # Holds variables that would be used by the engine.
 911 | vars:
 912 | 
 913 |   # Holds the address group vars that would be passed in a Signature.
 914 |   # These would be retrieved during the Signature address parsing stage.
 915 |   address-groups:
 916 | 
 917 |     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
 918 | 
 919 |     EXTERNAL_NET: "any"
 920 | 
 921 |     HTTP_SERVERS: "$HOME_NET"
 922 | 
 923 |     SMTP_SERVERS: "$HOME_NET"
 924 | 
 925 |     SQL_SERVERS: "$HOME_NET"
 926 | 
 927 |     DNS_SERVERS: "$HOME_NET"
 928 | 
 929 |     TELNET_SERVERS: "$HOME_NET"
 930 | 
 931 |     AIM_SERVERS: "$EXTERNAL_NET"
 932 | 
 933 |     DNP3_SERVER: "$HOME_NET"
 934 | 
 935 |     DNP3_CLIENT: "$HOME_NET"
 936 | 
 937 |     MODBUS_CLIENT: "$HOME_NET"
 938 | 
 939 |     MODBUS_SERVER: "$HOME_NET"
 940 | 
 941 |     ENIP_CLIENT: "$HOME_NET"
 942 | 
 943 |     ENIP_SERVER: "$HOME_NET"
 944 | 
 945 |   # Holds the port group vars that would be passed in a Signature.
 946 |   # These would be retrieved during the Signature port parsing stage.
 947 |   port-groups:
 948 | 
 949 |     HTTP_PORTS: "80"
 950 | 
 951 |     SHELLCODE_PORTS: "!80"
 952 | 
 953 |     ORACLE_PORTS: 1521
 954 | 
 955 |     SSH_PORTS: 22
 956 | 
 957 |     DNP3_PORTS: 20000
 958 | 
 959 |     MODBUS_PORTS: 502
 960 | 
 961 | # Set the order of alerts bassed on actions
 962 | # The default order is pass, drop, reject, alert
 963 | # action-order:
 964 | #   - pass
 965 | #   - drop
 966 | #   - reject
 967 | #   - alert
 968 | 
 969 | # IP Reputation
 970 | #reputation-categories-file: /etc/suricata/iprep/categories.txt
 971 | #default-reputation-path: /etc/suricata/iprep
 972 | #reputation-files:
 973 | # - reputation.list
 974 | 
 975 | # Host specific policies for defragmentation and TCP stream
 976 | # reassembly.  The host OS lookup is done using a radix tree, just
 977 | # like a routing table so the most specific entry matches.
 978 | host-os-policy:
 979 |   # Make the default policy windows.
 980 |   windows: [0.0.0.0/0]
 981 |   bsd: []
 982 |   bsd-right: []
 983 |   old-linux: []
 984 |   linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
 985 |   old-solaris: []
 986 |   solaris: ["::1"]
 987 |   hpux10: []
 988 |   hpux11: []
 989 |   irix: []
 990 |   macos: []
 991 |   vista: []
 992 |   windows2k3: []
 993 | 
 994 | 
 995 | # Limit for the maximum number of asn1 frames to decode (default 256)
 996 | asn1-max-frames: 256
 997 | 
 998 | # When run with the option --engine-analysis, the engine will read each of
 999 | # the parameters below, and print reports for each of the enabled sections
1000 | # and exit.  The reports are printed to a file in the default log dir
1001 | # given by the parameter "default-log-dir", with engine reporting
1002 | # subsection below printing reports in its own report file.
1003 | engine-analysis:
1004 |   # enables printing reports for fast-pattern for every rule.
1005 |   rules-fast-pattern: yes
1006 |   # enables printing reports for each rule
1007 |   rules: yes
1008 | 
1009 | #recursion and match limits for PCRE where supported
1010 | pcre:
1011 |   match-limit: 3500
1012 |   match-limit-recursion: 1500
1013 | 
1014 | # Holds details on the app-layer. The protocols section details each protocol.
1015 | # Under each protocol, the default value for detection-enabled and "
1016 | # parsed-enabled is yes, unless specified otherwise.
1017 | # Each protocol covers enabling/disabling parsers for all ipprotos
1018 | # the app-layer protocol runs on.  For example "dcerpc" refers to the tcp
1019 | # version of the protocol as well as the udp version of the protocol.
1020 | # The option "enabled" takes 3 values - "yes", "no", "detection-only".
1021 | # "yes" enables both detection and the parser, "no" disables both, and
1022 | # "detection-only" enables detection only(parser disabled).
1023 | app-layer:
1024 |   protocols:
1025 |     tls:
1026 |       enabled: yes
1027 |       detection-ports:
1028 |         dp: 443
1029 | 
1030 |       #no-reassemble: yes
1031 |     dcerpc:
1032 |       enabled: yes
1033 |     ftp:
1034 |       enabled: yes
1035 |     ssh:
1036 |       enabled: yes
1037 |     smtp:
1038 |       enabled: yes
1039 |       # Configure SMTP-MIME Decoder
1040 |       mime:
1041 |         # Decode MIME messages from SMTP transactions
1042 |         # (may be resource intensive)
1043 |         # This field supercedes all others because it turns the entire
1044 |         # process on or off
1045 |         decode-mime: yes
1046 | 
1047 |         # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
1048 |         decode-base64: yes
1049 |         decode-quoted-printable: yes
1050 | 
1051 |         # Maximum bytes per header data value stored in the data structure
1052 |         # (default is 2000)
1053 |         header-value-depth: 2000
1054 | 
1055 |         # Extract URLs and save in state data structure
1056 |         extract-urls: yes
1057 |         # Set to yes to compute the md5 of the mail body. You will then
1058 |         # be able to journalize it.
1059 |         body-md5: no
1060 |       # Configure inspected-tracker for file_data keyword
1061 |       inspected-tracker:
1062 |         content-limit: 1000
1063 |         content-inspect-min-size: 1000
1064 |         content-inspect-window: 1000
1065 |     imap:
1066 |       enabled: detection-only
1067 |     msn:
1068 |       enabled: detection-only
1069 |     smb:
1070 |       enabled: yes
1071 |       detection-ports:
1072 |         dp: 139
1073 |     # Note: Modbus probe parser is minimalist due to the poor significant field
1074 |     # Only Modbus message length (greater than Modbus header length)
1075 |     # And Protocol ID (equal to 0) are checked in probing parser
1076 |     # It is important to enable detection port and define Modbus port
1077 |     # to avoid false positive
1078 |     modbus:
1079 |       # How many unreplied Modbus requests are considered a flood.
1080 |       # If the limit is reached, app-layer-event:modbus.flooded; will match.
1081 |       #request-flood: 500
1082 | 
1083 |       enabled: no
1084 |       detection-ports:
1085 |         dp: 502
1086 |       # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it 
1087 |       # is recommended to keep the TCP connection opened with a remote device 
1088 |       # and not to open and close it for each MODBUS/TCP transaction. In that 
1089 |       # case, it is important to set the depth of the stream reassembling as
1090 |       # unlimited (stream.reassembly.depth: 0)
1091 |     # smb2 detection is disabled internally inside the engine.
1092 |     #smb2:
1093 |     #  enabled: yes
1094 |     dns:
1095 |       # memcaps. Globally and per flow/state.
1096 |       #global-memcap: 16mb
1097 |       #state-memcap: 512kb
1098 | 
1099 |       # How many unreplied DNS requests are considered a flood.
1100 |       # If the limit is reached, app-layer-event:dns.flooded; will match.
1101 |       #request-flood: 500
1102 | 
1103 |       tcp:
1104 |         enabled: yes
1105 |         detection-ports:
1106 |           dp: 53
1107 |       udp:
1108 |         enabled: yes
1109 |         detection-ports:
1110 |           dp: 53
1111 |     http:
1112 |       enabled: yes
1113 |       # memcap: 64mb
1114 | 
1115 |       ###########################################################################
1116 |       # Configure libhtp.
1117 |       #
1118 |       #
1119 |       # default-config:           Used when no server-config matches
1120 |       #   personality:            List of personalities used by default
1121 |       #   request-body-limit:     Limit reassembly of request body for inspection
1122 |       #                           by http_client_body & pcre /P option.
1123 |       #   response-body-limit:    Limit reassembly of response body for inspection
1124 |       #                           by file_data, http_server_body & pcre /Q option.
1125 |       #   double-decode-path:     Double decode path section of the URI
1126 |       #   double-decode-query:    Double decode query section of the URI
1127 |       #
1128 |       # server-config:            List of server configurations to use if address matches
1129 |       #   address:                List of ip addresses or networks for this block
1130 |       #   personalitiy:           List of personalities used by this block
1131 |       #   request-body-limit:     Limit reassembly of request body for inspection
1132 |       #                           by http_client_body & pcre /P option.
1133 |       #   response-body-limit:    Limit reassembly of response body for inspection
1134 |       #                           by file_data, http_server_body & pcre /Q option.
1135 |       #   double-decode-path:     Double decode path section of the URI
1136 |       #   double-decode-query:    Double decode query section of the URI
1137 |       #
1138 |       #   uri-include-all:        Include all parts of the URI. By default the
1139 |       #                           'scheme', username/password, hostname and port
1140 |       #                           are excluded. Setting this option to true adds
1141 |       #                           all of them to the normalized uri as inspected
1142 |       #                           by http_uri, urilen, pcre with /U and the other
1143 |       #                           keywords that inspect the normalized uri.
1144 |       #                           Note that this does not affect http_raw_uri.
1145 |       #                           Also, note that including all was the default in
1146 |       #                           1.4 and 2.0beta1.
1147 |       #
1148 |       #   meta-field-limit:       Hard size limit for request and response size
1149 |       #                           limits. Applies to request line and headers,
1150 |       #                           response line and headers. Does not apply to
1151 |       #                           request or response bodies. Default is 18k.
1152 |       #                           If this limit is reached an event is raised.
1153 |       #
1154 |       # Currently Available Personalities:
1155 |       #   Minimal
1156 |       #   Generic
1157 |       #   IDS (default)
1158 |       #   IIS_4_0
1159 |       #   IIS_5_0
1160 |       #   IIS_5_1
1161 |       #   IIS_6_0
1162 |       #   IIS_7_0
1163 |       #   IIS_7_5
1164 |       #   Apache_2
1165 |       ###########################################################################
1166 |       libhtp:
1167 | 
1168 |          default-config:
1169 |            personality: IDS
1170 | 
1171 |            # Can be specified in kb, mb, gb.  Just a number indicates
1172 |            # it's in bytes.
1173 |            request-body-limit: 0
1174 |            response-body-limit: 0
1175 | 
1176 |            # inspection limits
1177 |            request-body-minimal-inspect-size: 32kb
1178 |            request-body-inspect-window: 4kb
1179 |            response-body-minimal-inspect-size: 40kb
1180 |            response-body-inspect-window: 16kb
1181 | 
1182 |            # auto will use http-body-inline mode in IPS mode, yes or no set it statically
1183 |            http-body-inline: auto
1184 | 
1185 |            # Take a random value for inspection sizes around the specified value.
1186 |            # This lower the risk of some evasion technics but could lead
1187 |            # detection change between runs. It is set to 'yes' by default.
1188 |            #randomize-inspection-sizes: yes
1189 |            # If randomize-inspection-sizes is active, the value of various
1190 |            # inspection size will be choosen in the [1 - range%, 1 + range%]
1191 |            # range
1192 |            # Default value of randomize-inspection-range is 10.
1193 |            #randomize-inspection-range: 10
1194 | 
1195 |            # decoding
1196 |            double-decode-path: no
1197 |            double-decode-query: no
1198 | 
1199 |          server-config:
1200 | 
1201 |            #- apache:
1202 |            #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
1203 |            #    personality: Apache_2
1204 |            #    # Can be specified in kb, mb, gb.  Just a number indicates
1205 |            #    # it's in bytes.
1206 |            #    request-body-limit: 4096
1207 |            #    response-body-limit: 4096
1208 |            #    double-decode-path: no
1209 |            #    double-decode-query: no
1210 | 
1211 |            #- iis7:
1212 |            #    address:
1213 |            #      - 192.168.0.0/24
1214 |            #      - 192.168.10.0/24
1215 |            #    personality: IIS_7_0
1216 |            #    # Can be specified in kb, mb, gb.  Just a number indicates
1217 |            #    # it's in bytes.
1218 |            #    request-body-limit: 4096
1219 |            #    response-body-limit: 4096
1220 |            #    double-decode-path: no
1221 |            #    double-decode-query: no
1222 | 
1223 | # Profiling settings. Only effective if Suricata has been built with the
1224 | # the --enable-profiling configure flag.
1225 | #
1226 | profiling:
1227 |   # Run profiling for every xth packet. The default is 1, which means we
1228 |   # profile every packet. If set to 1000, one packet is profiled for every
1229 |   # 1000 received.
1230 |   #sample-rate: 1000
1231 | 
1232 |   # rule profiling
1233 |   rules:
1234 | 
1235 |     # Profiling can be disabled here, but it will still have a
1236 |     # performance impact if compiled in.
1237 |     enabled: yes
1238 |     filename: rule_perf.log
1239 |     append: yes
1240 | 
1241 |     # Sort options: ticks, avgticks, checks, matches, maxticks
1242 |     sort: avgticks
1243 | 
1244 |     # Limit the number of items printed at exit (ignored for json).
1245 |     limit: 100
1246 | 
1247 |     # output to json
1248 |     json: true
1249 | 
1250 |   # per keyword profiling
1251 |   keywords:
1252 |     enabled: yes
1253 |     filename: keyword_perf.log
1254 |     append: yes
1255 | 
1256 |   # packet profiling
1257 |   packets:
1258 | 
1259 |     # Profiling can be disabled here, but it will still have a
1260 |     # performance impact if compiled in.
1261 |     enabled: yes
1262 |     filename: packet_stats.log
1263 |     append: yes
1264 | 
1265 |     # per packet csv output
1266 |     csv:
1267 | 
1268 |       # Output can be disabled here, but it will still have a
1269 |       # performance impact if compiled in.
1270 |       enabled: no
1271 |       filename: packet_stats.csv
1272 | 
1273 |   # profiling of locking. Only available when Suricata was built with
1274 |   # --enable-profiling-locks.
1275 |   locks:
1276 |     enabled: no
1277 |     filename: lock_stats.log
1278 |     append: yes
1279 | 
1280 |   pcap-log:
1281 |     enabled: no
1282 |     filename: pcaplog_stats.log
1283 |     append: yes
1284 | 
1285 | # Suricata core dump configuration. Limits the size of the core dump file to
1286 | # approximately max-dump. The actual core dump size will be a multiple of the
1287 | # page size. Core dumps that would be larger than max-dump are truncated. On
1288 | # Linux, the actual core dump size may be a few pages larger than max-dump.
1289 | # Setting max-dump to 0 disables core dumping.
1290 | # Setting max-dump to 'unlimited' will give the full core dump file.
1291 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
1292 | # to be 'unlimited'.
1293 | 
1294 | coredump:
1295 |   max-dump: unlimited
1296 | 
1297 | napatech:
1298 |     # The Host Buffer Allowance for all streams
1299 |     # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
1300 |     hba: -1
1301 | 
1302 |     # use_all_streams set to "yes" will query the Napatech service for all configured
1303 |     # streams and listen on all of them. When set to "no" the streams config array
1304 |     # will be used.
1305 |     use-all-streams: yes
1306 | 
1307 |     # The streams to listen on
1308 |     streams: [1, 2, 3]
1309 | 
1310 | # Includes.  Files included here will be handled as if they were
1311 | # inlined in this configuration file.
1312 | #include: include1.yaml
1313 | #include: include2.yaml
1314 | 


--------------------------------------------------------------------------------