├── docs ├── images │ ├── index_pattern.PNG │ ├── overview_dash.PNG │ ├── quick_count.PNG │ ├── quick_filters.PNG │ ├── saved_alerts.png │ ├── discover_magnify.PNG │ ├── configure_index_pattern.PNG │ ├── toggle_column_in_table.PNG │ ├── visualization_event_count.PNG │ └── dashboard_alert_exploration.PNG ├── setup.md ├── hardware_and_os.md ├── kibana.md ├── elastic_stack.md ├── pulledpork_setup.md └── suricata_configuration.md ├── scripts ├── rule_tuner │ ├── requirements.txt │ └── rule_tuner.py └── update_rules.sh ├── docker ├── logstash │ ├── beats_to_elastic.conf │ └── Dockerfile └── suricata │ ├── Dockerfile │ ├── filebeat.yml │ └── suricata.yaml ├── LICENSE ├── kibana_exports ├── exported_searches.json ├── exported_dashboards.json └── all_exported_visualizations.json ├── .gitignore ├── README.md └── configs └── suricata.yaml /docs/images/index_pattern.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/index_pattern.PNG -------------------------------------------------------------------------------- /docs/images/overview_dash.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/overview_dash.PNG -------------------------------------------------------------------------------- /docs/images/quick_count.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/quick_count.PNG -------------------------------------------------------------------------------- /docs/images/quick_filters.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/quick_filters.PNG -------------------------------------------------------------------------------- /docs/images/saved_alerts.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/saved_alerts.png -------------------------------------------------------------------------------- /docs/images/discover_magnify.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/discover_magnify.PNG -------------------------------------------------------------------------------- /docs/images/configure_index_pattern.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/configure_index_pattern.PNG -------------------------------------------------------------------------------- /docs/images/toggle_column_in_table.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/toggle_column_in_table.PNG -------------------------------------------------------------------------------- /docs/images/visualization_event_count.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/visualization_event_count.PNG -------------------------------------------------------------------------------- /docs/images/dashboard_alert_exploration.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gradiuscypher/grIDS/HEAD/docs/images/dashboard_alert_exploration.PNG -------------------------------------------------------------------------------- /scripts/rule_tuner/requirements.txt: -------------------------------------------------------------------------------- 1 | decorator==4.1.2 2 | elasticsearch==5.4.0 3 | ipython==6.1.0 4 | ipython-genutils==0.2.0 5 | jedi==0.10.2 6 | 
pexpect==4.2.1 7 | pickleshare==0.7.4 8 | prompt-toolkit==1.0.15 9 | ptyprocess==0.5.2 10 | Pygments==2.2.0 11 | simplegeneric==0.8.1 12 | six==1.10.0 13 | traitlets==4.3.2 14 | urllib3==1.22 15 | wcwidth==0.1.7 16 | -------------------------------------------------------------------------------- /docker/logstash/beats_to_elastic.conf: -------------------------------------------------------------------------------- 1 | input { 2 | beats { 3 | port => 5044 4 | } 5 | } 6 | 7 | filter { 8 | json { 9 | source => "message" 10 | remove_field => ["message"] 11 | } 12 | } 13 | 14 | output { 15 | elasticsearch { 16 | hosts => "localhost:9200" 17 | manage_template => false 18 | index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" 19 | document_type => "%{[@metadata][type]}" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /docker/logstash/Dockerfile: -------------------------------------------------------------------------------- 1 | # Dockerfile to build a Logstash container with the proper configuration 2 | 3 | # Set the base image to Elastic's Logstash docker container 4 | FROM docker.elastic.co/logstash/logstash:6.4.1 5 | 6 | # File Author 7 | MAINTAINER gradiuscypher 8 | 9 | # Remove the old Logstash config 10 | # Reference: https://www.elastic.co/guide/en/logstash/current/_configuring_logstash_for_docker.html#_custom_images 11 | RUN rm -f /usr/share/logstash/pipeline/logstash.conf 12 | 13 | # Copy the config to its config location 14 | ADD beats_to_elastic.conf /usr/share/logstash/pipeline/beats_to_elastic.conf 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 gradius 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software 
without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /docs/setup.md: -------------------------------------------------------------------------------- 1 | # Configuration Steps - System, Data storage, IDS software 2 | Configuration will be completed by following each of these steps in order. Each sub-document is responsible for setting up the various parts of the system. 3 | 4 | ## Setup the Hardware and the OS 5 | This step is all about getting the system ready for the suite of tools we're going to be installing. 6 | 7 | [Hardware/OS configuration](hardware_and_os.md) 8 | 9 | ## Configuring the Elastic Stack 10 | This step is about configuring our Elastic stack to store the data that we're generating, and make it easily searchable. 11 | 12 | [Elastic Stack Configuration](elastic_stack.md) 13 | 14 | ## Suricata Configuration 15 | This step is about configuring the IDS/IPS software, Suricata. 
16 | 17 | [Suricata Configuration](suricata_configuration.md) 18 | 19 | ## PulledPork Configuration 20 | This step is about configuring the Suricata rule management tool, PulledPork 21 | 22 | [PulledPork Configuration](pulledpork_setup.md) 23 | 24 | ## Kibana Visualization and Saved Searches 25 | This step will help get Kibana configured with useful dashboards, visualizations, and saved searches 26 | 27 | [Kibana Visualization and Saved Searches](kibana.md) 28 | -------------------------------------------------------------------------------- /docker/suricata/Dockerfile: -------------------------------------------------------------------------------- 1 | # Dockerfile to build a Suricata docker container 2 | 3 | # Set the base image to Ubuntu 4 | FROM ubuntu 5 | 6 | # File Author 7 | MAINTAINER gradiuscypher 8 | 9 | # Update the repos 10 | RUN apt update 11 | 12 | # Allows us to add repositories 13 | RUN apt install -y software-properties-common wget apt-transport-https 14 | 15 | # Add the Elastic key for Filebeat and add repo 16 | RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add - 17 | RUN echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list 18 | 19 | # Add the Suricata repository 20 | RUN add-apt-repository -y ppa:oisf/suricata-stable 21 | 22 | # Update the repos and install Suricata 23 | RUN apt update && apt install -y suricata 24 | 25 | # Install Filebeat 26 | RUN apt install -y filebeat 27 | 28 | # Copy the suricata config to its config location 29 | ADD filebeat.yml /etc/filebeat 30 | RUN chown root /etc/filebeat/filebeat.yml 31 | RUN chmod 0644 /etc/filebeat/filebeat.yml 32 | 33 | # Copy the suricata config to its config location 34 | ADD suricata.yaml /etc/suricata/suricata.yaml 35 | 36 | # Start the Suricata/Filebeat service when the container is started 37 | CMD service suricata start && service filebeat start && tail -F /var/log/suricata/suricata.log 38 | 
-------------------------------------------------------------------------------- /scripts/update_rules.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script for updating Suricata rules via pulledpork.pl and restarting the Suricata service once complete. 3 | # Author: gradiuscypher | Last Modified: 2017-09-03 4 | # TODO: Include steps for downloading/updating local.rules from a remote source 5 | 6 | # Run pulledpork.pl to download newest rules, process disabled rules, and save new ruleset. 7 | update_rules () { 8 | # md5sum the current file to see if the rules change 9 | if [[ -f /etc/suricata/rules/downloaded.rules ]]; then 10 | old_md5=$(md5sum /etc/suricata/rules/downloaded.rules | cut -d' ' -f1) 11 | else 12 | old_md5="" 13 | fi 14 | 15 | # Get suricata version for pulledpork 16 | suri_version=$(suricata -V | cut -d' ' -f5) 17 | 18 | # run pulledpork.pl 19 | pulledpork.pl -c /etc/pulledpork/pulledpork.conf -T -S suricata-"${suri_version}" 20 | 21 | # get md5sum of new file 22 | new_md5=$(md5sum /etc/suricata/rules/downloaded.rules | cut -d' ' -f1) 23 | } 24 | 25 | restart_suricata () { 26 | if [[ "${old_md5}" != "${new_md5}" ]]; then 27 | echo "Restarting Suricata..." 
28 | if [[ -f /bin/systemctl || -f /usr/bin/systemctl ]]; then 29 | systemctl restart suricata 30 | else 31 | /etc/init.d/suricata restart 32 | fi 33 | fi 34 | } 35 | 36 | # Main 37 | main () { 38 | update_rules 39 | restart_suricata 40 | } 41 | 42 | # Execute main 43 | main 44 | -------------------------------------------------------------------------------- /kibana_exports/exported_searches.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "85998220-762f-11e7-a385-0f2eb986f8d0", 4 | "_type": "search", 5 | "_source": { 6 | "title": "Alert Search", 7 | "description": "", 8 | "hits": 0, 9 | "columns": [ 10 | "src_ip", 11 | "src_port", 12 | "dest_ip", 13 | "dest_port", 14 | "alert.category", 15 | "alert.signature" 16 | ], 17 | "sort": [ 18 | "@timestamp", 19 | "desc" 20 | ], 21 | "version": 1, 22 | "kibanaSavedObjectMeta": { 23 | "searchSourceJSON": "{\n \"index\": \"filebeat-*\",\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"query_string\": {\n \"query\": \"event_type:alert\",\n \"analyze_wildcard\": true\n }\n },\n \"filter\": []\n}" 24 | } 25 | } 26 | }, 27 | { 28 | "_id": "31522580-9139-11e7-a228-f5baa3b209de", 29 | "_type": "search", 30 | "_source": { 31 | "title": "Event Overview", 32 | "description": "", 33 | "hits": 0, 34 | "columns": [ 35 | "event_type", 36 | "src_ip", 37 | "src_port", 38 | "dest_ip", 39 | "dest_port" 40 | ], 41 | "sort": [ 42 | "@timestamp", 43 | "desc" 44 | ], 45 | "version": 1, 46 | "kibanaSavedObjectMeta": { 47 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}" 48 | } 49 | } 50 | } 51 | ] -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Gradius ignores 2 | .idea/ 3 | venv3/ 4 | 
scripts/rule_tuner/downloaded.rules 5 | 6 | # Byte-compiled / optimized / DLL files 7 | __pycache__/ 8 | *.py[cod] 9 | *$py.class 10 | 11 | # C extensions 12 | *.so 13 | 14 | # Distribution / packaging 15 | .Python 16 | env/ 17 | build/ 18 | develop-eggs/ 19 | dist/ 20 | downloads/ 21 | eggs/ 22 | .eggs/ 23 | lib/ 24 | lib64/ 25 | parts/ 26 | sdist/ 27 | var/ 28 | wheels/ 29 | *.egg-info/ 30 | .installed.cfg 31 | *.egg 32 | 33 | # PyInstaller 34 | # Usually these files are written by a python script from a template 35 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 36 | *.manifest 37 | *.spec 38 | 39 | # Installer logs 40 | pip-log.txt 41 | pip-delete-this-directory.txt 42 | 43 | # Unit test / coverage reports 44 | htmlcov/ 45 | .tox/ 46 | .coverage 47 | .coverage.* 48 | .cache 49 | nosetests.xml 50 | coverage.xml 51 | *.cover 52 | .hypothesis/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | 62 | # Flask stuff: 63 | instance/ 64 | .webassets-cache 65 | 66 | # Scrapy stuff: 67 | .scrapy 68 | 69 | # Sphinx documentation 70 | docs/_build/ 71 | 72 | # PyBuilder 73 | target/ 74 | 75 | # Jupyter Notebook 76 | .ipynb_checkpoints 77 | 78 | # pyenv 79 | .python-version 80 | 81 | # celery beat schedule file 82 | celerybeat-schedule 83 | 84 | # SageMath parsed files 85 | *.sage.py 86 | 87 | # dotenv 88 | .env 89 | 90 | # virtualenv 91 | .venv 92 | venv/ 93 | ENV/ 94 | 95 | # Spyder project settings 96 | .spyderproject 97 | .spyproject 98 | 99 | # Rope project settings 100 | .ropeproject 101 | 102 | # mkdocs documentation 103 | /site 104 | 105 | # mypy 106 | .mypy_cache/ 107 | -------------------------------------------------------------------------------- /scripts/rule_tuner/rule_tuner.py: -------------------------------------------------------------------------------- 1 | import elasticsearch 2 | import argparse 3 | import re 4 | 5 | 6 | def parse_rule_line(rule_line): 7 | """ 8 | 
Parse each rule line and return a dict representation of a rule 9 | :param rule_line: 10 | :return: rule dict 11 | """ 12 | rule_dict = {} 13 | rule_info = re.search("\((.*)\)", rule_line).group(1) 14 | msg_sections = rule_info.split(';') 15 | 16 | # Get the rule action 17 | rule_dict['action'] = rule_line.split()[0] 18 | 19 | # Get the rule headers 20 | rule_dict['headers'] = rule_line.split("(")[0].replace(rule_dict["action"], "").strip() 21 | 22 | # Get the rest of the rule options 23 | for section in msg_sections: 24 | if len(section) > 0: 25 | # print(repr(section)) 26 | split_section = section.split(':') 27 | section_key = split_section[0].strip() 28 | 29 | if len(split_section) > 1: 30 | section_value = split_section[1].strip() 31 | 32 | if "," in section_value: 33 | rule_dict[section_key] = [i.strip() for i in section_value.split(',')] 34 | else: 35 | rule_dict[section_key] = section_value 36 | else: 37 | rule_dict[section_key] = "" 38 | return rule_dict 39 | 40 | 41 | def parse_rules(filename="/etc/suricata/rules/downloaded.rules"): 42 | """ 43 | :param filename: the rule file to parse 44 | Parse the rule file to use in reporting 45 | :return: rule_dict: return a dict of rule_id:rule 46 | """ 47 | rules_dict = {} 48 | rule_file = open(filename, 'r') 49 | for line in rule_file: 50 | if not line.startswith("#") and line != "\n": 51 | rule = parse_rule_line(line.strip()) 52 | rules_dict[rule['sid']] = rule 53 | return rules_dict 54 | 55 | if __name__ == '__main__': 56 | pass 57 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # grIDS 2 | My network monitoring solution and tools that go along with it. This setup is designed to be contained in an all-in-one sort of system, but services can be separated into individual hosts if you have a higher load that requires more resources. 
3 | 4 | The goal for this project is to help people combine multiple open-source tools to have a useful network monitoring solution. Within this project, I'll also include custom scripts that help make this system even more useful. 5 | 6 | Feedback, corrections, and suggestions are welcomed and appreciated. Reach out to me on [Twitter](https://www.twitter.com/0xgradius) or here on Github as an [Issue](https://github.com/gradiuscypher/grIDS/issues). 7 | 8 | # Manual Configuration Steps 9 | 10 | [Wiki](https://github.com/gradiuscypher/grIDS/wiki) 11 | 12 | To get started with configuring the system, follow the steps found in the [Wiki](https://github.com/gradiuscypher/grIDS/wiki). Each of the [Configuration](https://github.com/gradiuscypher/grIDS/wiki/Configuration) sections walks you through the parts of building a working all-in-one IDS system. 13 | 14 | # Docker Configuration Steps 15 | 16 | To deploy the NSM via Docker containers, follow the instructions found under the [Docker Configuration](https://github.com/gradiuscypher/grIDS/wiki/Docker-Configuration) section of the Wiki. 17 | 18 | # Screenshots 19 | Screenshots of some Kibana Dashboards that have been created and powered using this setup 20 | 21 | ![DASH1](docs/images/overview_dash.PNG) 22 | ![DASH2](docs/images/dashboard_alert_exploration.PNG) 23 | 24 | # Future Additions + Modifications + Ideas 25 | This is a list of future tools that could be added to this toolset for even more features. Also includes modifications. 26 | 27 | #### Features 28 | * Sysmon logging 29 | * Bro logging 30 | * Centralized Logging 31 | * Webhook integration for alerts 32 | * FPC and usability tools 33 | * Pi-Hole DNS service 34 | * Include [EveBox](https://evebox.org/) for alerting 35 | * Include [Scirius](https://github.com/StamusNetworks/scirius) rule management. 
36 | 37 | #### Modifications 38 | * Performance tuning for Elastic Stack 39 | * Performance tuning of Suricata - spread load between CPU threads 40 | 41 | #### Ideas 42 | * IDS Sensor on a Raspberry Pi 43 | * Spreading services out among hosts, multiple sensor configuration and management 44 | * Setting up an iptables sensor 45 | * Setting up a hardware network tap 46 | * Process for upgrading/updating the OS 47 | -------------------------------------------------------------------------------- /kibana_exports/exported_dashboards.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "722afdc0-7654-11e7-8d29-cd9233d141f6", 4 | "_type": "dashboard", 5 | "_source": { 6 | "title": "IDS Monitoring Dashboard", 7 | "hits": 0, 8 | "description": "", 9 | "panelsJSON": "[{\"col\":9,\"id\":\"65cccae0-7654-11e7-85bf-75a8a64df4ed\",\"panelIndex\":1,\"row\":4,\"size_x\":4,\"size_y\":2,\"type\":\"visualization\"},{\"col\":9,\"id\":\"2c47f320-7655-11e7-85bf-75a8a64df4ed\",\"panelIndex\":2,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ca3dace0-9145-11e7-a470-2be0517a0eb2\",\"panelIndex\":3,\"row\":1,\"size_x\":8,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"id\":\"28b53800-9147-11e7-a470-2be0517a0eb2\",\"panelIndex\":4,\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"c2957610-9147-11e7-a470-2be0517a0eb2\",\"panelIndex\":5,\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"08f8b7c0-9148-11e7-a470-2be0517a0eb2\",\"panelIndex\":6,\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":3,\"size_y\":3,\"panelIndex\":7,\"type\":\"visualization\",\"id\":\"20704f30-914d-11e7-a470-2be0517a0eb2\",\"col\":10,\"row\":6}]", 10 | "optionsJSON": "{\"darkTheme\":true}", 11 | "uiStateJSON": 
"{\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", 12 | "version": 1, 13 | "timeRestore": true, 14 | "timeTo": "now", 15 | "timeFrom": "now-12h", 16 | "refreshInterval": { 17 | "display": "Off", 18 | "pause": false, 19 | "value": 0 20 | }, 21 | "kibanaSavedObjectMeta": { 22 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}],\"highlightAll\":true,\"version\":true}" 23 | } 24 | } 25 | }, 26 | { 27 | "_id": "a17845a0-914e-11e7-89e4-17092d42d2c9", 28 | "_type": "dashboard", 29 | "_source": { 30 | "title": "Alert Exploration Dashboard", 31 | "hits": 0, 32 | "description": "", 33 | "panelsJSON": "[{\"col\":3,\"id\":\"f2294630-914d-11e7-a470-2be0517a0eb2\",\"panelIndex\":1,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"d9c19020-914d-11e7-a470-2be0517a0eb2\",\"panelIndex\":2,\"row\":1,\"size_x\":2,\"size_y\":3,\"type\":\"visualization\"},{\"col\":5,\"id\":\"8551b2d0-914e-11e7-a470-2be0517a0eb2\",\"panelIndex\":3,\"row\":1,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"src_ip\",\"src_port\",\"dest_ip\",\"dest_port\",\"alert.category\",\"alert.signature\"],\"id\":\"85998220-762f-11e7-a385-0f2eb986f8d0\",\"panelIndex\":4,\"row\":4,\"size_x\":12,\"size_y\":5,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":10,\"id\":\"ec677810-914e-11e7-a470-2be0517a0eb2\",\"panelIndex\":5,\"row\":1,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"}]", 34 | "optionsJSON": "{\"darkTheme\":true}", 35 | "uiStateJSON": 
"{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", 36 | "version": 1, 37 | "timeRestore": true, 38 | "timeTo": "now", 39 | "timeFrom": "now-24h", 40 | "refreshInterval": { 41 | "display": "Off", 42 | "pause": false, 43 | "value": 0 44 | }, 45 | "kibanaSavedObjectMeta": { 46 | "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"query\":\"event_type:alert\",\"analyze_wildcard\":true}}}],\"highlightAll\":true,\"version\":true}" 47 | } 48 | } 49 | } 50 | ] -------------------------------------------------------------------------------- /docs/hardware_and_os.md: -------------------------------------------------------------------------------- 1 | # Network Hardware Configuration 2 | Essentially, you'll need the ability to get network traffic from the ports you want to monitor to the monitoring port on the IDS system. This can be done a few different ways, either with hardware or software (if your router has the ability). 3 | 4 | With hardware, you can use a switch to span/mirror the port going to your WAN. This way, you're capturing all traffic that comes into and leaves your network. One downside to spanning the WAN is that you miss traffic that never crosses the WAN, but we still see most traffic including malware callbacks, C&C, etc (the things you want to spot). 5 | 6 | With hardware, you can also build a network tap that goes between your LAN and WAN. I'm not using this method, so I don't have documentation for this approach. I personally don't like this approach, as it puts our system inbetween LAN and WAN traffic, and if it fails incorrectly, the network can be taken offline. 
I'll collect some network tap guides for a later update for those that want to try this approach. 7 | 8 | With software (if your router hardware supports it), you could use iptables to mirror all traffic to another device on the network. I haven't tried this method yet, but I know people have successfully used this approach in the past. Currently, I don't have any documentation for this approach, but I'll collect some guides for a later update. 9 | 10 | TL;DR - Get the traffic you want to see on the IDS to a network port on the IDS system. I'm currently using a Ubiquiti 8 port PoE switch, mirroring the WAN port to the second NIC of my IDS box. If your router supports iptables, you can also mirror the traffic using iptables rules. You can also use a hardware network tap. 11 | 12 | # PC Hardware Configuration 13 | You'll want a system that matches your network throughput. A key requirement is multiple NICs - one as the management interface, and one for traffic monitoring from your mirror port. 14 | 15 | For a rough baseline, on a 200Mbs down/20Mbs up Internet connection, I'm using a Shuttle Mini PC with a Core i5 and 8GB of RAM, along with a 128GB SSD. Even while running a full Elastic stack along with Suricata, it's not struggling to keep up. The only real limitation you'll have to pay attention to is how long you'll want to retain PCAP files, as that's all about storage. 16 | 17 | # OS Configuration 18 | 19 | ## OS Installation 20 | I'm using Ubuntu 16.04 LTS Server for compatability with most tools available. Other flavors of Linux can be used, but I'll be writing this guide with Ubuntu 16.04 in mind. 21 | 22 | ## NIC Configuration 23 | ### Management Interface 24 | Configure your management interface as you would any other server. Either leverage DHCP or static addresses, whichever your network calls for. 25 | 26 | ### Monitoring Port 27 | Now we'll configure the other port to monitor traffic from. 28 | 29 | #### What device? 
30 | Find the name of the device that you'll be monitoring from. In this example, we're concerned with enp8s0 (YAY SYSTEMD NAMING). 31 | 32 | `root@grIDS:~# ip a` 33 | 34 | ``` 35 | 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 36 | 37 | 2: enp4s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 38 | 39 | 3: enp7s0: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 40 | link/ether 00:0a:cd:21:47:23 brd ff:ff:ff:ff:ff:ff 41 | 4: enp8s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 42 | link/ether 00:0a:cd:21:47:24 brd ff:ff:ff:ff:ff:ff 43 | inet6 fe80::20a:cdff:fe21:4724/64 scope link 44 | valid_lft forever preferred_lft forever 45 | ``` 46 | 47 | #### Disable multicast 48 | ``` 49 | ip link set enp8s0 multicast off 50 | ``` 51 | 52 | #### Enable promiscuous mode 53 | ``` 54 | root@grIDS:~# ip link set enp8s0 promisc on 55 | ``` 56 | 57 | #### Turn on the link 58 | ``` 59 | root@grIDS:~# ip link set enp8s0 up 60 | ``` 61 | 62 | #### Validate traffic 63 | Validating traffic is difficult if you're not aware of what might be passing through the network. The best approach I've found to ensure you're not only seeing broadcast traffic is to use tcpdump to check that you're seeing common network traffic like HTTP/DNS/etc. Try navigating to a site that uses only HTTP (`ragu.com` is an option). 
64 | 65 | ``` 66 | root@grIDS:~# tcpdump -i $INTERFACE port 80 67 | ``` 68 | 69 | #### Promisc on boot 70 | Now that the configuration has been validated, save these settings to `/etc/network/interfaces` where `$INTERFACE` is the name of the interface you configured earlier: 71 | 72 | ``` 73 | up ip link set $INTERFACE multicast off 74 | up ip link set $INTERFACE up 75 | up ip link set $INTERFACE promisc on 76 | ``` 77 | -------------------------------------------------------------------------------- /docs/kibana.md: -------------------------------------------------------------------------------- 1 | # Kibana 2 | Kibana is the visualization tool that we'll be using to create dashboards and saved searches to navigate our data. Kibana uses [Lucene](https://www.elastic.co/guide/en/kibana/current/search.html) queries to search the data stored in Elasticsearch. 3 | 4 | ## Kibana Setup 5 | 6 | ### Accessing Kibana 7 | To access Kibana, log into the IDS server on port 5601 in your browser: 8 | 9 | `http://IDS_SERVER_IP:5601` 10 | 11 | ### Create Index Pattern 12 | On the left-hand side of Kibana, click the "gear" icon. Then click "Create Index Pattern" 13 | 14 | ![INDEX_PATTERN](images/index_pattern.PNG) 15 | 16 | For the section "Index name or pattern" enter: `filebeat-*`. This allows us to visualize all the information saved in the `filebeat` indexes, separated by date. Leave the "Time Filter field name" as `@timestamp` 17 | 18 | ![CONFIGURE_INDEX_PATTERN](images/configure_index_pattern.PNG) 19 | 20 | ### Kibana Overview 21 | Kibana has its functionality split into various pieces: Discover, Visualize, Dashboard, Timelion, Dev Tools, and Management. 22 | 23 | #### Discover 24 | Explore the data with searches. Each log entry is a row. 
By default no columns are selected; add one by clicking "Toggle column in table" on the field.
Afterwards, you'll end up with something like this: 54 | 55 | ![SAVED_ALERTS](images/saved_alerts.png) 56 | 57 | #### JSON Export of Example Search 58 | The exported JSON can be found [here](../kibana_exports/alert_search.json). For more information on how to use this JSON, check out [this section](#importing-exported-json). 59 | 60 | ## Example Visualization 61 | 62 | #### Heads up! 63 | Visualizations are difficult to get right, even the 100th time. It takes a lot of practice, tinkering, and Google searches. If you experience any trouble with coming up with a specific approach, reach out to me on [Twitter](https://twitter.com/0xGradius). I'm not an expert, but I like tinkering with Kibana. 64 | 65 | This example visualization will be a line graph to display the count of events being saved to Elasticsearch. 66 | 67 | #### Steps 68 | * Click "Visualize" on the left hand side, then click the "+" icon to create a new visualization. Click the "Line" visualization icon. 69 | * Click the left-hand column and the index name "filebeat-*" 70 | * For Y-Axis, we'll leave "Count" selected. In the future, this might be used for average value grouping, sums, percential, etc. 71 | * For X-Axis, select "X-Axis" bucket type, then for Aggregation select "Date Histogram" 72 | * Click the "Play" arrow in the top-right corner. This will create the visualization. 73 | 74 | ![VISUALIZATON_EVENT_COUNT](images/visualization_event_count.PNG) 75 | 76 | #### JSON Export of Example Visualization 77 | You can find the JSON export [here](../kibana_exports/visualization_event_count.json). 78 | 79 | ## Importing Exported JSON 80 | To import any of these JSON files, or to export any created objects, follow these instructions: 81 | 82 | * Click "Management" on the left-hand side bar. 83 | * Click "Saved Objects" on the upper tab bar. 84 | * To Export an object, check the object name, and press the "Export" button. 85 | * To Import an object, click the "Import" button in the top right. 
Then select the desired JSON file for imports. 86 | 87 | ## Saved Searches 88 | * [Alert Searches](../kibana_exports/exported_searches.json) 89 | 90 | ## Saved Visualizations 91 | * [Event Count](../kibana_exports/all_exported_visualizations.json) 92 | 93 | ## Saved Dashboards 94 | * [Dashboards](../kibana_exports/exported_dashboards.json) 95 | -------------------------------------------------------------------------------- /docker/suricata/filebeat.yml: -------------------------------------------------------------------------------- 1 | ###################### Filebeat Configuration Example ######################### 2 | 3 | # This file is an example configuration file highlighting only the most common 4 | # options. The filebeat.reference.yml file from the same directory contains all the 5 | # supported options with more comments. You can use it as a reference. 6 | # 7 | # You can find the full configuration reference here: 8 | # https://www.elastic.co/guide/en/beats/filebeat/index.html 9 | 10 | # For more available modules and options, please see the filebeat.reference.yml sample 11 | # configuration file. 12 | 13 | #=========================== Filebeat prospectors ============================= 14 | 15 | filebeat.prospectors: 16 | 17 | # Each - is a prospector. Most options can be set at the prospector level, so 18 | # you can use different prospectors for various configurations. 19 | # Below are the prospector specific configurations. 20 | 21 | - type: log 22 | 23 | # Change to true to enable this prospector configuration. 24 | enabled: true 25 | 26 | # Paths that should be crawled and fetched. Glob based paths. 27 | paths: 28 | - /var/log/suricata/eve.json 29 | #- c:\programdata\elasticsearch\logs\* 30 | 31 | # Exclude lines. A list of regular expressions to match. It drops the lines that are 32 | # matching any regular expression from the list. 33 | #exclude_lines: ['^DBG'] 34 | 35 | # Include lines. A list of regular expressions to match. 
It exports the lines that are 36 | # matching any regular expression from the list. 37 | #include_lines: ['^ERR', '^WARN'] 38 | 39 | # Exclude files. A list of regular expressions to match. Filebeat drops the files that 40 | # are matching any regular expression from the list. By default, no files are dropped. 41 | #exclude_files: ['.gz$'] 42 | 43 | # Optional additional fields. These fields can be freely picked 44 | # to add additional information to the crawled log files for filtering 45 | #fields: 46 | # level: debug 47 | # review: 1 48 | 49 | ### Multiline options 50 | 51 | # Multiline can be used for log messages spanning multiple lines. This is common 52 | # for Java Stack Traces or C-Line Continuation 53 | 54 | # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ 55 | #multiline.pattern: ^\[ 56 | 57 | # Defines if the pattern set under pattern should be negated or not. Default is false. 58 | #multiline.negate: false 59 | 60 | # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern 61 | # that was (not) matched before or after or as long as a pattern is not matched based on negate. 
62 | # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash 63 | #multiline.match: after 64 | 65 | 66 | #============================= Filebeat modules =============================== 67 | 68 | filebeat.config.modules: 69 | strict.perms: false 70 | # Glob pattern for configuration loading 71 | path: ${path.config}/modules.d/*.yml 72 | 73 | # Set to true to enable config reloading 74 | reload.enabled: false 75 | 76 | # Period on which files under path should be checked for changes 77 | #reload.period: 10s 78 | 79 | #==================== Elasticsearch template setting ========================== 80 | 81 | setup.template.settings: 82 | index.number_of_shards: 3 83 | #index.codec: best_compression 84 | #_source.enabled: false 85 | 86 | #================================ General ===================================== 87 | 88 | # The name of the shipper that publishes the network data. It can be used to group 89 | # all the transactions sent by a single shipper in the web interface. 90 | #name: 91 | 92 | # The tags of the shipper are included in their own field with each 93 | # transaction published. 94 | #tags: ["service-X", "web-tier"] 95 | 96 | # Optional fields that you can specify to add additional information to the 97 | # output. 98 | #fields: 99 | # env: staging 100 | 101 | 102 | #============================== Dashboards ===================================== 103 | # These settings control loading the sample dashboards to the Kibana index. Loading 104 | # the dashboards is disabled by default and can be enabled either by setting the 105 | # options here, or by using the `-setup` CLI flag or the `setup` command. 106 | #setup.dashboards.enabled: false 107 | 108 | # The URL from where to download the dashboards archive. By default this URL 109 | # has a value which is computed based on the Beat name and version. For released 110 | # versions, this URL points to the dashboard archive on the artifacts.elastic.co 111 | # website. 
112 | #setup.dashboards.url: 113 | 114 | #============================== Kibana ===================================== 115 | 116 | # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. 117 | # This requires a Kibana endpoint configuration. 118 | setup.kibana: 119 | 120 | # Kibana Host 121 | # Scheme and port can be left out and will be set to the default (http and 5601) 122 | # In case you specify an additional path, the scheme is required: http://localhost:5601/path 123 | # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 124 | #host: "localhost:5601" 125 | 126 | #============================= Elastic Cloud ================================== 127 | 128 | # These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). 129 | 130 | # The cloud.id setting overwrites the `output.elasticsearch.hosts` and 131 | # `setup.kibana.host` options. 132 | # You can find the `cloud.id` in the Elastic Cloud web UI. 133 | #cloud.id: 134 | 135 | # The cloud.auth setting overwrites the `output.elasticsearch.username` and 136 | # `output.elasticsearch.password` settings. The format is `<user>:<pass>`. 137 | #cloud.auth: 138 | 139 | #================================ Outputs ===================================== 140 | 141 | # Configure what output to use when sending the data collected by the beat. 142 | 143 | #-------------------------- Elasticsearch output ------------------------------ 144 | #output.elasticsearch: 145 | # Array of hosts to connect to. 146 | #hosts: ["elastic:9200"] 147 | 148 | # Optional protocol and basic auth credentials. 149 | #protocol: "https" 150 | #username: "elastic" 151 | #password: "changeme" 152 | 153 | #----------------------------- Logstash output -------------------------------- 154 | output.logstash: 155 | # The Logstash hosts 156 | hosts: ["localhost:5044"] 157 | 158 | # Optional SSL. By default is off. 
159 | # List of root certificates for HTTPS server verifications 160 | #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 161 | 162 | # Certificate for SSL client authentication 163 | #ssl.certificate: "/etc/pki/client/cert.pem" 164 | 165 | # Client Certificate Key 166 | #ssl.key: "/etc/pki/client/cert.key" 167 | 168 | #================================ Logging ===================================== 169 | 170 | # Sets log level. The default log level is info. 171 | # Available log levels are: critical, error, warning, info, debug 172 | #logging.level: debug 173 | 174 | # At debug level, you can selectively enable logging only for some components. 175 | # To enable all selectors use ["*"]. Examples of other selectors are "beat", 176 | # "publish", "service". 177 | #logging.selectors: ["*"] 178 | -------------------------------------------------------------------------------- /docs/elastic_stack.md: -------------------------------------------------------------------------------- 1 | # Elastic stack setup and configuration 2 | 3 | ## Pre-requisite - Java 4 | This is to install the default OpenJRE, but you can also install Oracle Java if you'd prefer. I'm unaware of performance impact between the two, but it may be something to consider. 
5 | 6 | ``` 7 | sudo apt-get install default-jre 8 | ``` 9 | 10 | ## Elasticsearch 11 | Reference documentation [HERE](https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html) 12 | 13 | ### Install the PGP key for the Elastic DEB repo 14 | ``` 15 | wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - 16 | ``` 17 | 18 | #### Configure the APT repo for Elastic products 19 | ``` 20 | echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list 21 | ``` 22 | 23 | #### Update APT and install ElasticSearch 24 | ``` 25 | sudo apt-get update && sudo apt-get install elasticsearch 26 | ``` 27 | #### Configure Elasticsearch to listen on 0.0.0.0 28 | Edit the file `/etc/elasticsearch/elasticsearch.yml` and find the lines below, change network.host to 0.0.0.0. Nothing on this page puts authentication in front of the Elasticsearch API, so binding to 0.0.0.0 exposes it to every host that can reach port 9200; restrict that port with a host firewall, or bind to the sensor's internal address instead. 29 | 30 | ``` 31 | # ---------------------------------- Network ----------------------------------- 32 | # 33 | # Set the bind address to a specific IP (IPv4 or IPv6): 34 | # 35 | network.host: 0.0.0.0 36 | ``` 37 | 38 | #### Configure the JVM settings 39 | Edit the file `/etc/elasticsearch/jvm.options` 40 | 41 | Change the heap size to something appropriate to how much RAM your system has. The inline configuration documentation is good. For example: 42 | ``` 43 | # Xms represents the initial size of total heap space 44 | # Xmx represents the maximum size of total heap space 45 | 46 | -Xms3g 47 | -Xmx3g 48 | ``` 49 | 50 | 51 | #### Enable Elasticsearch to start on boot 52 | ``` 53 | systemctl enable elasticsearch 54 | ``` 55 | 56 | #### Start Elasticsearch 57 | ``` 58 | systemctl start elasticsearch 59 | ``` 60 | 61 | #### Check the logs to ensure Elasticsearch is running 62 | ``` 63 | root@grIDS:~# journalctl -u elasticsearch 64 | -- Logs begin at Fri 2017-07-21 10:31:00 PDT, end at Fri 2017-07-21 12:06:17 PDT. -- 65 | Jul 21 12:06:17 grIDS systemd[1]: Starting Elasticsearch... 
66 | Jul 21 12:06:17 grIDS systemd[1]: Started Elasticsearch. 67 | ``` 68 | 69 | #### Use curl to check Elasticsearch's API 70 | ``` 71 | root@grIDS:~# curl localhost:9200 72 | { 73 | "name" : "9NabvE3", 74 | "cluster_name" : "elasticsearch", 75 | "cluster_uuid" : "mKQHCf_HTySXM0Ze96isWw", 76 | "version" : { 77 | "number" : "5.5.0", 78 | "build_hash" : "260387d", 79 | "build_date" : "2017-06-30T23:16:05.735Z", 80 | "build_snapshot" : false, 81 | "lucene_version" : "6.6.0" 82 | }, 83 | "tagline" : "You Know, for Search" 84 | } 85 | ``` 86 | 87 | ## Kibana 88 | 89 | #### Installation 90 | If you followed the previous instructions for setting up the Elastic APT repo, you can now just install Kibana via apt 91 | 92 | ``` 93 | apt-get install kibana 94 | ``` 95 | 96 | #### Configure Kibana to listen on 0.0.0.0 97 | Edit the file `/etc/kibana/kibana.yml` and find the lines below, change server.host to 0.0.0.0. As with Elasticsearch, nothing on this page puts authentication in front of Kibana, so limit which hosts can reach port 5601. 98 | 99 | ``` 100 | # Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. 101 | # The default is 'localhost', which usually means remote machines will not be able to connect. 102 | # To allow connections from remote users, set this parameter to a non-loopback address. 103 | server.host: 0.0.0.0 104 | ``` 105 | 106 | #### Enable Kibana to start at boot 107 | ``` 108 | systemctl enable kibana 109 | ``` 110 | 111 | #### Start Kibana 112 | ``` 113 | systemctl start kibana 114 | ``` 115 | 116 | #### Check the logs to ensure Kibana is running 117 | ``` 118 | root@grIDS:~# journalctl -u kibana 119 | -- Logs begin at Fri 2017-07-21 10:31:00 PDT, end at Fri 2017-07-21 12:17:06 PDT. -- 120 | Jul 21 12:16:58 grIDS systemd[1]: Started Kibana. 121 | ``` 122 | 123 | #### Connect to the Kibana web interface 124 | Navigate your browser to the IP you set up earlier on port 5601. 
You should be greeted with an index setup page, for example: 125 | ``` 126 | http://192.168.1.209:5601 127 | ``` 128 | 129 | ## Logstash 130 | Logstash will be the log aggregator for all of our log collection. 131 | 132 | #### Installation 133 | If you followed the previous instructions for setting up the Elastic apt repo, you can now just install Logstash via apt 134 | 135 | ``` 136 | apt-get install logstash 137 | ``` 138 | 139 | #### Configuration 140 | Logstash is made up of multiple configuration files that route information based on what's configured. Configs live in `/etc/logstash/conf.d`. Each configuration can have input, output, filtering, etc functions that each do different things. For more information see the [logstash documentation](https://www.elastic.co/guide/en/logstash/current/index.html). 141 | 142 | ##### Logstash config for Filebeat 143 | To collect data into Logstash from Filebeat, we have to set up a logstash configuration. 144 | 145 | Add this to `/etc/logstash/conf.d/beats_to_elastic.conf` 146 | ``` 147 | input { 148 | beats { 149 | port => 5044 150 | } 151 | } 152 | 153 | filter { 154 | json { 155 | source => "message" 156 | remove_field => ["message"] 157 | } 158 | } 159 | 160 | output { 161 | #file { path => "/var/log/logstash/output.log" } 162 | elasticsearch { 163 | hosts => "localhost:9200" 164 | manage_template => false 165 | index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" 166 | document_type => "%{[@metadata][type]}" 167 | } 168 | } 169 | ``` 170 | 171 | Once that's added to the configuration file, save and restart logstash: 172 | ``` 173 | systemctl restart logstash 174 | ``` 175 | 176 | Check that everything started happily: 177 | ``` 178 | journalctl -fu logstash 179 | ``` 180 | 181 | ## Filebeats 182 | Filebeat is a log shipper that can take many inputs and ship to many different places. It also has a lot of resiliance to failure, with a ton of store+forward and other features built in. 
183 | 184 | #### Installation 185 | If you followed the previous instructions for setting up the Elastic apt repo, you can now just install Filebeat via apt 186 | 187 | ``` 188 | apt-get install filebeat 189 | ``` 190 | 191 | #### Configuration 192 | First let's make sure Elasticsearch is ready for Filebeat type data: 193 | 194 | Upload the Filebeat template to Elasticsearch: 195 | ``` 196 | curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/filebeat' -d@/etc/filebeat/filebeat.template.json 197 | ``` 198 | 199 | Now, the configuration file for Filebeat can be found at `/etc/filebeat/filebeat.yml`. We're going to make a few changes to ensure our data is being shipped to Logstash. 200 | 201 | Under `input_type: log` in the `paths:` section, we're going to remove the default settings and add our `eve.json` log that we'll be configuring via Suricata later. 202 | 203 | `/var/log/suricata/eve.json` 204 | 205 | Under `Outputs` we're going to comment everything out in the `Elasticsearch output` section, and uncomment the `output.logstash` and `hosts: ["localhost:5044"]` lines. 206 | 207 | Once that's completed, restart filebeat. In a few steps, we'll check to make sure that the data is flowing from Suricata to Filebeat to Elastic, and accessible on Kibana. 208 | 209 | ``` 210 | systemctl restart filebeat 211 | ``` 212 | 213 | And check it with ... 214 | ``` 215 | journalctl -fu filebeat 216 | ``` 217 | -------------------------------------------------------------------------------- /docs/pulledpork_setup.md: -------------------------------------------------------------------------------- 1 | # PulledPork Configuration 2 | 3 | ## Summary 4 | PulledPork is a Perl script that's used to manage rules for Suricata and Snort. PulledPork bundles rule files into a single file. It can modify/disable which rules get included in the bundled file, and can pull from multiple sources. 
PulledPork has multiple configuration files that determine which rules to enable, disable or modify. 5 | 6 | ### enablesid.conf / disablesid.conf / modifysid.conf 7 | When PulledPork is creating a new bundled ruleset, it references these configuration files to determine which rules to enable, which to write out commented out (disabled), and which to modify. This is helpful when tuning your IDS, for example when disabling/modifying noisy or low-value rules. 8 | 9 | ### dropsid.conf 10 | Modifies a signature to drop traffic when a rule is triggered rather than alerting. In the grIDS setup, the sensor is not inline, so it cannot do any blocking. We won't be touching this file. 11 | 12 | ## Setup 13 | ### Download from Github 14 | Download PulledPork from their [Github](https://github.com/shirkdog/pulledpork) repo. 15 | 16 | ``` 17 | root@grIDS:~# git clone https://github.com/shirkdog/pulledpork.git 18 | ``` 19 | 20 | ### Install required Perl modules 21 | ``` 22 | root@grIDS:~/pulledpork# apt-get install libwww-perl libcrypt-ssleay-perl 23 | ``` 24 | 25 | ### Copy pulledpork.pl to /usr/bin and test execution 26 | ``` 27 | root@grIDS:~# cd pulledpork/ 28 | root@grIDS:~/pulledpork# cp pulledpork.pl /usr/bin/ 29 | root@grIDS:~/pulledpork# pulledpork.pl -V 30 | ``` 31 | 32 | Expected output: 33 | ``` 34 | PulledPork v0.7.3 - Making signature updates great again! 35 | ``` 36 | 37 | ### Copy config files 38 | ``` 39 | root@grIDS:~/pulledpork# cd etc/ 40 | root@grIDS:~/pulledpork/etc# mkdir /etc/pulledpork 41 | root@grIDS:~/pulledpork/etc# cp * /etc/pulledpork/ 42 | ``` 43 | 44 | ### Modify pulledpork.conf 45 | We'll prep the pulledpork.conf with the settings that we need. 46 | 47 | #### Remove rule_urls 48 | The EmergingThreats ruleset contains Suricata specific rules, which is what we'll be using. 
49 | 50 | We'll disable these rule sources by commenting them out: 51 | ``` 52 | rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz| 53 | rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community 54 | rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|open 55 | rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource 56 | ``` 57 | 58 | We'll enable this EmergingThreats URL by uncommenting its line: 59 | ``` 60 | rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl 61 | ``` 62 | 63 | #### Modify rule_paths 64 | This is where PulledPork stores the rules it's downloaded. We're going to change its location to where Suricata reads its rules: 65 | 66 | Modify this line: 67 | ``` 68 | rule_path=/usr/local/etc/snort/rules/snort.rules 69 | ``` 70 | 71 | To: 72 | ``` 73 | rule_path=/etc/suricata/rules/downloaded.rules 74 | ``` 75 | 76 | Secondly, we'll want to modify where PulledPork finds its `local.rules`. This file is where you can store custom written rules that will be incorporated into `downloaded.rules`. 77 | 78 | Modify this line: 79 | ``` 80 | local_rules=/usr/local/etc/snort/rules/local.rules 81 | ``` 82 | 83 | To: 84 | ``` 85 | local_rules=/etc/suricata/rules/local.rules 86 | ``` 87 | 88 | Lastly, modify the sid-msg.map path to point at a directory that exists. sid-msg is used for Snort and a process called unified2, for identifying alert IDs. It's not used in our process, but PulledPork needs a valid directory here or it won't run. 89 | 90 | From: 91 | ``` 92 | sid_msg=/usr/local/etc/snort/sid-msg.map 93 | ``` 94 | 95 | To: 96 | ``` 97 | sid_msg=/etc/suricata/rules/sid-msg.map 98 | ``` 99 | 100 | ## Doing a test-run of PulledPork 101 | If everything is configured properly, this command should grab the Suricata rules from Emerging Threats and save them to `/etc/suricata/rules/downloaded.rules`. This command should be run every time we want to update the ruleset. 
ET updates rules quite often, so we'll want to set up a script that updates these rules and restarts Suricata. 102 | 103 | **Note:** PulledPork saves the downloaded rules tarball to `/tmp/`. It will not process the rules or download them again if the MD5 matches the previous download. If you wish to test this command again, you may have to delete the downloaded rules from `/tmp/` 104 | 105 | ``` 106 | root@grIDS:~# pulledpork.pl -c /etc/pulledpork/pulledpork.conf -T -S suricata-4.0.0 107 | 108 | https://github.com/shirkdog/pulledpork 109 | _____ ____ 110 | `----,\ ) 111 | `--==\\ / PulledPork v0.7.3 - Making signature updates great again! 112 | `--==\\/ 113 | .-~~~~-.Y|\\_ Copyright (C) 2009-2016 JJ Cummings 114 | @_/ / 66\_ cummingsj@gmail.com 115 | | \ \ _(") 116 | \ /-| ||'--' Rules give me wings! 117 | \_\ \_\\ 118 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 119 | 120 | Checking latest MD5 for emerging.rules.tar.gz.... 121 | Rules tarball download of emerging.rules.tar.gz.... 122 | They Match 123 | Done! 124 | Prepping rules from emerging.rules.tar.gz for work.... 125 | Done! 126 | Reading rules... 127 | Reading rules... 128 | Setting Flowbit State.... 129 | Enabled 109 flowbits 130 | Done 131 | Writing /etc/suricata/rules/downloaded.rules.... 132 | Done 133 | Generating sid-msg.map.... 134 | Done 135 | Writing v1 /etc/suricata/rules/sid-msg.map.... 136 | Done 137 | Writing /var/log/sid_changes.log.... 138 | Done 139 | Rule Stats... 140 | New:-------0 141 | Deleted:---0 142 | Enabled Rules:----18053 143 | Dropped Rules:----0 144 | Disabled Rules:---4744 145 | Total Rules:------22797 146 | No IP Blacklist Changes 147 | 148 | Done 149 | Please review /var/log/sid_changes.log for additional details 150 | Fly Piggy Fly! 151 | ``` 152 | 153 | ## Automated scripts and cron setup 154 | Since the Emerging Threats ruleset can change as often as they push new rules, we'll want to download them as soon as they're out. 
We'll do that with our `update-rules.sh` script found [here](https://github.com/gradiuscypher/grIDS/blob/master/scripts/update_rules.sh). 155 | 156 | ### Download update-rules.sh and chmod 157 | 158 | Prep the file location: 159 | ``` 160 | gradius@grIDS:~$ sudo -i 161 | root@grIDS:~# mkdir scripts 162 | root@grIDS:~# cd scripts/ 163 | ``` 164 | 165 | Download the raw file via Github with wget: 166 | ``` 167 | root@grIDS:~/scripts# wget https://raw.githubusercontent.com/gradiuscypher/grIDS/master/scripts/update_rules.sh 168 | --2017-09-03 14:47:31-- https://raw.githubusercontent.com/gradiuscypher/grIDS/master/scripts/update_rules.sh 169 | Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ... 170 | Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected. 171 | HTTP request sent, awaiting response... 200 OK 172 | Length: 1127 (1.1K) [text/plain] 173 | Saving to: ‘update_rules.sh’ 174 | 175 | update_rules.sh 100%[========================================================================================================================================>] 1.10K --.-KB/s in 0s 176 | 177 | 2017-09-03 14:47:31 (250 MB/s) - ‘update_rules.sh’ saved [1127/1127] 178 | 179 | root@grIDS:~/scripts# ls 180 | update_rules.sh 181 | ``` 182 | 183 | chmod the file to make it executable: 184 | ``` 185 | root@grIDS:~/scripts# chmod +x update_rules.sh 186 | ``` 187 | 188 | ### Configure root crontab 189 | Now that we have a script to run, let's set it up in crontab to execute every 15 minutes, that way we can pick up the rules as soon as possible. 190 | 191 | ``` 192 | root@grIDS:~/scripts# crontab -e 193 | ``` 194 | 195 | Add this to the bottom: 196 | ``` 197 | */15 * * * * /root/scripts/update_rules.sh 198 | ``` 199 | 200 | ### Change rules in suricata.yaml 201 | Now that we've got our new rule file set up, we'll have to configure Suricata to use it. 
202 | 203 | Edit `/etc/suricata/suricata.yaml`, remove all of the entries under `rule-files`, and replace them with a single entry: 204 | 205 | ``` 206 | default-rule-path: /etc/suricata/rules 207 | rule-files: 208 | - downloaded.rules 209 | ``` 210 | 211 | Restart Suricata with `systemctl restart suricata` to start with the new rule set. 212 | -------------------------------------------------------------------------------- /docs/suricata_configuration.md: -------------------------------------------------------------------------------- 1 | # Suricata Configuration 2 | Suricata is an open source network intrusion detection/prevention system. You can learn more about it [here](https://suricata-ids.org/). We'll feed Suricata our network traffic, Suricata will run it through the ruleset we've configured and then will send alerts and logs to our Elastic stack for investigation. 3 | 4 | My example Suricata configuration file [can be found here](../configs/suricata.yaml). I highly suggest referencing this file if Suricata fails to start. 5 | 6 | ## Installing Suricata 7 | We're going to use the PPA provided by OISF to make our updating a little bit easier. More information about OISF can be found [HERE](https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)) 8 | 9 | When we install Suricata this way, it also downloads the latest EmergingThreats IDS ruleset. We'll talk more about rules and configuration a bit later. 10 | 11 | ``` 12 | sudo add-apt-repository ppa:oisf/suricata-stable 13 | sudo apt-get update 14 | sudo apt-get install suricata 15 | ``` 16 | 17 | ## Configuring Suricata 18 | 19 | Useful Reference: [Suricata Documentation](http://suricata.readthedocs.io/en/latest/) 20 | 21 | First we need to stop the process that started when we installed Suricata with the PPA, but enable the service to start on boot. 
22 | ``` 23 | systemctl stop suricata 24 | systemctl enable suricata 25 | ``` 26 | 27 | Next we'll work on getting through the important bits of the Suricata config file. There are hundreds of lines, and many tweaks you can do to improve performance and enable features, but we'll focus on the basics. As we make changes to the configuration, we'll be launching Suricata on the command line to ensure everything is working. 28 | 29 | The Suricata config can be found at : `/etc/suricata/suricata.yaml` 30 | 31 | ### Step 1: HOME_NET and EXTERNAL_NET address-groups 32 | Each rule written for Suricata has a direction of traffic flow that it's looking for. The setting list `HOME_NET` is considered the local network that you're monitoring. `EXTERNAL_NET` is the outside networks that you're monitoring traffic from. 33 | 34 | It is important to get these settings right, as it impacts how the rules are interpreted. Incorrect address-groups can lead to both false positives and false negatives. Other than `HOME_NET` and `EXTERNAL_NET` you also need to evaluate each of the other address groups (eg: `HTTP_SERVERS`). Address groups help Suricata determine if it needs to apply rules to traffic it's monitoring. 35 | 36 | For example settings, my `HOME_NET` is going to be configured as ` HOME_NET: "[192.168.1.0/24]"` since I have a small homelab network on that IP space. For `EXTERNAL_NET`, my network is configured as `EXTERNAL_NET: "!$HOME_NET"` which is shorthand for everything else that isn't inside `HOME_NET`. 37 | 38 | ### Step 2: Suricata Rules 39 | Again, rules are the lifeblood of Suricata. We're going to be leveraging a tool called `PulledPork` for our rule management, so we'll come back to this section in a later document. 40 | 41 | ### Step 3: Outputs 42 | Outputs are how we get data out of Suricata and into different systems. There will be a few different outputs that we'll concern ourselves with. 
43 | 44 | #### stats 45 | Statistics for the Suricata process with things like flow count, uptime, etc. Useful and doesn't take up much space, so leave it enabled. 46 | 47 | #### fast 48 | A line based log, sends output to the file `/var/log/suricata/fast.log` by default in our install. It's useful for debug purposes, but since we'll be shipping all of our data to Elastic, it's not needed so set `enabled: no` 49 | 50 | #### eve-log 51 | Extensible Event Format (nicknamed EVE) is a JSON format log that contains many different subsets of information. This is the log we'll be leveraging to ship off to Elastic. It's important to leave this enabled. 52 | 53 | First, add the `append: no` setting so the eve.json file is started fresh (overwritten rather than appended to) every time Suricata is restarted: 54 | ``` 55 | filename: eve.json 56 | append: no 57 | ``` 58 | 59 | Below are each of the output types that eve.json will ship. 60 | 61 | ##### alert 62 | These are the IDS alerts that are generated by Suricata when a rule is triggered. We want this in eve.json. 63 | 64 | We also want to enable the following fields in addition to the ones already enabled: 65 | * `payload: yes` - payload will give us a Base64 encoded payload of what triggered the alert, which can then be decoded via Kibana. 66 | * `http-body: yes` - the body of an http request, if applicable, encoded in Base64 67 | 68 | Both of these put raw traffic content into eve.json and therefore into Elasticsearch, so treat that index as sensitive data. 69 | 70 | ##### http 71 | Logging of all HTTP requests. Useful for data enrichment and historical analysis. Leave the fields configured as-is. 72 | 73 | ##### dns 74 | Logging of all DNS requests. Useful for data enrichment, as well as historical context around strange DNS queries. Will also allow for tracking the most and least commonly resolved DNS names. Leave the fields configured as-is. 75 | 76 | ##### tls 77 | TLS session tracking. Without breaking SSL, we can still obtain useful information about certificates passing over the wire. Leave the fields configured as-is. 78 | 79 | ##### files 80 | File tracking. 
Useful for historical context around file downloads, as well as searching for IoCs in file hashes. 79 | 80 | We also want to include additional hashes, for better visibility: 81 | * `force-hash: [md5, sha1, sha256]` 82 | 83 | ##### smtp 84 | Since I don't have an SMTP server on my network, I'll be disabling this setting by commenting out `-smtp`, but determine if this is something you might need on your network. 85 | 86 | ##### ssh 87 | SSH logging is quite verbose, and it's not something that I leverage that often, so I will be commenting out `-ssh`, but determine if this is something you might need on your network. 88 | 89 | ##### stats 90 | I don't think that pushing stats to our Elastic setup is valuable, so I will be commenting out `-stats` and the lines below it. 91 | 92 | ##### flow 93 | Netflow-style logging is quite helpful for many different segments of an investigation. Consider it network metadata of all connections on the network. Leave it enabled. 94 | 95 | #### Unified2-alert 96 | Since we're not leveraging Barnyard2, we don't need this. 97 | 98 | #### http-log, tls-log, tls-store, dns-log 99 | This data is already being shipped to Elastic via eve.json, so these aren't needed. Leave them set to `enabled: no` 100 | 101 | #### pcap-log 102 | Network traffic captures (PCAP files) are important to have, but they're a beast of their own, so we'll cover packet captures in another section. 103 | 104 | The remaining output settings can be left as is, but I recommend reading them to understand what might be applicable for your network. The inline documentation is quite verbose and useful. 105 | 106 | ### Step 4: configure common capture settings 107 | 108 | #### af-packet 109 | This is the standard capture library, and the one we'll be using. Set the `interface` setting to the network interface you set up as the monitoring interface earlier. 110 | 111 | #### pcap 112 | This is the standard pcap capture library, an alternative to af-packet; if you use it instead of af-packet, configure it the same way. 
Set the `interface` setting to the network interface you set up as the monitoring interface earlier. 113 | 114 | ### Remaining Configuration 115 | The remaining configuration for Suricata is focused mainly around performance tuning and monitoring tweaks, so the defaults are safe for most users. In the future, I believe a tuning guide might be of value for higher throughput networks. 116 | 117 | #### VLAN Configuration 118 | If you're only seeing partial traffic (seeing DNS and netflow, but not seeing HTTP and other traffic), you might have to disable vlan tagging. Search for `vlan` and change the setting `use-for-tracking: false` 119 | 120 | ### Testing Suricata Configuration 121 | Now that configuration is complete, we'll want to test our install from the command line, with more verbose options, to see where anything has failed. 122 | 123 | First, double check that the service for Suricata is not running: 124 | ``` 125 | systemctl status suricata 126 | ``` 127 | 128 | Then, run Suricata from the command line with this command, and check for errors, as well as large percentages of packet drops: 129 | ``` 130 | suricata -vvvc /etc/suricata/suricata.yaml -i enp8s0 131 | ``` 132 | 133 | You should see output, and then a line ending with something like: 134 | ``` 135 | 30/7/2017 -- 15:52:17 - - all 4 packet processing threads, 4 management threads initialized, engine started. 136 | 30/7/2017 -- 15:52:17 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 137 | 30/7/2017 -- 15:52:17 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 138 | 30/7/2017 -- 15:52:17 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 139 | 30/7/2017 -- 15:52:17 - - AF_PACKET RX Ring params: block_size=32768 block_nr=26 frame_size=1600 frame_nr=520 140 | 30/7/2017 -- 15:52:17 - - All AFP capture threads are running. 
141 | ``` 142 | 143 | Let this run for about a minute, then ctrl-c the command to see what the reported packet drop was. 144 | 145 | ### Starting Suricata 146 | Now that we know our Suricata configuration is working, we can start it as a service: 147 | 148 | ``` 149 | systemctl start suricata 150 | ``` 151 | -------------------------------------------------------------------------------- /kibana_exports/all_exported_visualizations.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "_id": "ca3dace0-9145-11e7-a470-2be0517a0eb2", 4 | "_type": "visualization", 5 | "_source": { 6 | "title": "Line Graph - Event Types over time", 7 | "visState": "{\"title\":\"Line Graph - Event Types over time\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\",\"interpolate\":\"cardinal\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 8 | "uiStateJSON": "{}", 9 | "description": "", 10 | "version": 1, 11 | "kibanaSavedObjectMeta": { 12 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 13 | } 14 | } 15 | }, 16 | { 17 | "_id": "438daeb0-9141-11e7-bbce-71259f2f16af", 18 | "_type": "visualization", 19 | "_source": { 20 | "title": "Event Count", 21 | "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customInterval\":\"2h\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 minutes\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Event Count\",\"type\":\"line\"}", 22 | "uiStateJSON": "{}", 23 | "description": "", 24 | "version": 1, 25 | "kibanaSavedObjectMeta": { 26 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}" 27 | } 28 | } 29 | }, 30 | { 31 | "_id": "28b53800-9147-11e7-a470-2be0517a0eb2", 32 | "_type": "visualization", 33 | "_source": { 34 | "title": "Chart - Top 10 DNS Lookups", 35 | "visState": "{\"title\":\"Chart - Top 10 DNS 
Lookups\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.rrname\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 36 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 37 | "description": "", 38 | "version": 1, 39 | "kibanaSavedObjectMeta": { 40 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"event_type:dns\",\"analyze_wildcard\":true}},\"filter\":[]}" 41 | } 42 | } 43 | }, 44 | { 45 | "_id": "2c47f320-7655-11e7-85bf-75a8a64df4ed", 46 | "_type": "visualization", 47 | "_source": { 48 | "title": "Pie Chart - Internal Traffic Breakdown", 49 | "visState": "{\"title\":\"Pie Chart - Internal Traffic Breakdown\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"src_ip\",\"size\":256,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dest_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 50 | "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", 51 | "description": "", 52 | "version": 1, 53 | "kibanaSavedObjectMeta": { 54 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"src_ip:192.168.1.*\",\"analyze_wildcard\":true}},\"filter\":[]}" 55 | } 56 | } 57 | }, 58 | { 59 | "_id": "65cccae0-7654-11e7-85bf-75a8a64df4ed", 60 | 
"_type": "visualization", 61 | "_source": { 62 | "title": "Pie Chart - Event Types", 63 | "visState": "{\"title\":\"Pie Chart - Event Types\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 64 | "uiStateJSON": "{}", 65 | "description": "", 66 | "version": 1, 67 | "kibanaSavedObjectMeta": { 68 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 69 | } 70 | } 71 | }, 72 | { 73 | "_id": "6a9f62c0-9149-11e7-a470-2be0517a0eb2", 74 | "_type": "visualization", 75 | "_source": { 76 | "title": "Metric - Total Bytes", 77 | "visState": "{\"title\":\"Metric - Total Bytes\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":true,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":100,\"to\":200}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":60,\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow.bytes_toclient\",\"customLabel\":\"Total Bytes In\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"flow.bytes_toserver\",\"customLabel\":\"Total Bytes 
Out\"}}],\"listeners\":{}}", 78 | "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"100 - 200\":\"rgb(0,104,55)\"}}}", 79 | "description": "", 80 | "version": 1, 81 | "kibanaSavedObjectMeta": { 82 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 83 | } 84 | } 85 | }, 86 | { 87 | "_id": "20704f30-914d-11e7-a470-2be0517a0eb2", 88 | "_type": "visualization", 89 | "_source": { 90 | "title": "Events Per Second", 91 | "visState": "{\"title\":\"Events Per Second\",\"type\":\"metrics\",\"params\":{\"id\":\"7f94ea90-914b-11e7-a470-2be0517a0eb2\",\"type\":\"metric\",\"series\":[{\"id\":\"7f94ea91-914b-11e7-a470-2be0517a0eb2\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"metrics\":[{\"id\":\"7f94ea92-914b-11e7-a470-2be0517a0eb2\",\"type\":\"count\",\"field\":\"flow.bytes_toclient\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"offset_time\":\"\",\"value_template\":\"{{value}} events/sec\",\"label\":\" \",\"split_filters\":[{\"filter\":\"\",\"label\":\"\",\"color\":\"#68BC00\",\"id\":\"dcb87e70-914c-11e7-a470-2be0517a0eb2\"}]}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"gauge_color_rules\":[{\"id\":\"80db4d40-914b-11e7-a470-2be0517a0eb2\"}],\"gauge_width\":\"10\",\"gauge_inner_width\":\"10\",\"gauge_style\":\"half\",\"gauge_max\":\"200000000\",\"background_color_rules\":[{\"id\":\"c35662d0-914c-11e7-a470-2be0517a0eb2\"}]},\"aggs\":[],\"listeners\":{}}", 92 | "uiStateJSON": "{}", 93 | "description": "", 94 | "version": 1, 95 | "kibanaSavedObjectMeta": { 96 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\"}},\"filter\":[]}" 97 | } 98 | } 99 | }, 100 | { 101 | "_id": "ee9e95a0-9149-11e7-a470-2be0517a0eb2", 102 | "_type": "visualization", 
103 | "_source": { 104 | "title": "Metric - Bytes", 105 | "visState": "{\"title\":\"Metric - Bytes\",\"type\":\"metrics\",\"params\":{\"id\":\"a4181010-9149-11e7-a470-2be0517a0eb2\",\"type\":\"metric\",\"series\":[{\"id\":\"413d18e0-914a-11e7-a470-2be0517a0eb2\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"metrics\":[{\"id\":\"413d18e1-914a-11e7-a470-2be0517a0eb2\",\"type\":\"sum\",\"field\":\"flow.bytes_toclient\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"bytes\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"label\":\"Bytes Ingress\"},{\"id\":\"a4181011-9149-11e7-a470-2be0517a0eb2\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"metrics\":[{\"id\":\"a4181012-9149-11e7-a470-2be0517a0eb2\",\"type\":\"sum\",\"field\":\"flow.bytes_toserver\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"bytes\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"flow.bytes_toserver\",\"label\":\"Bytes Egress\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"background_color_rules\":[{\"id\":\"a6c2bdb0-9149-11e7-a470-2be0517a0eb2\"}],\"gauge_color_rules\":[{\"id\":\"ffec8420-9149-11e7-a470-2be0517a0eb2\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\"},\"aggs\":[],\"listeners\":{}}", 106 | "uiStateJSON": "{}", 107 | "description": "", 108 | "version": 1, 109 | "kibanaSavedObjectMeta": { 110 | "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\"}},\"filter\":[]}" 111 | } 112 | } 113 | }, 114 | { 115 | "_id": "08f8b7c0-9148-11e7-a470-2be0517a0eb2", 116 | "_type": "visualization", 117 | "_source": { 118 | "title": "Chart - Top 10 HTTP Hostnames", 119 | "visState": "{\"title\":\"Chart - Top 10 HTTP 
Hostnames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.hostname\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 120 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 121 | "description": "", 122 | "version": 1, 123 | "kibanaSavedObjectMeta": { 124 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"event_type:http\",\"analyze_wildcard\":true}},\"filter\":[]}" 125 | } 126 | } 127 | }, 128 | { 129 | "_id": "c2957610-9147-11e7-a470-2be0517a0eb2", 130 | "_type": "visualization", 131 | "_source": { 132 | "title": "Chart - Top 10 SSL Subjects", 133 | "visState": "{\"title\":\"Chart - Top 10 SSL Subjects\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tls.sni\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 134 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 135 | "description": "", 136 | "version": 1, 137 | "kibanaSavedObjectMeta": { 138 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"event_type:tls\",\"analyze_wildcard\":true}},\"filter\":[]}" 139 | } 140 | } 141 | }, 142 | { 143 | "_id": "b7797870-914d-11e7-a470-2be0517a0eb2", 144 | "_type": "visualization", 145 | 
"_source": { 146 | "title": "Event Types", 147 | "visState": "{\"title\":\"Event Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 148 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 149 | "description": "", 150 | "version": 1, 151 | "kibanaSavedObjectMeta": { 152 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 153 | } 154 | } 155 | }, 156 | { 157 | "_id": "8551b2d0-914e-11e7-a470-2be0517a0eb2", 158 | "_type": "visualization", 159 | "_source": { 160 | "title": "Chart - Alert Signatures", 161 | "visState": "{\"title\":\"Chart - Alert Signatures\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.signature\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 162 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 163 | "description": "", 164 | "version": 1, 165 | "kibanaSavedObjectMeta": { 166 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"event_type:alert\",\"analyze_wildcard\":true}},\"filter\":[]}" 167 | } 168 | } 169 | }, 170 | { 171 | "_id": 
"ec677810-914e-11e7-a470-2be0517a0eb2", 172 | "_type": "visualization", 173 | "_source": { 174 | "title": "Chart - Alert Category", 175 | "visState": "{\"title\":\"Chart - Alert Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.category\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 176 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 177 | "description": "", 178 | "version": 1, 179 | "kibanaSavedObjectMeta": { 180 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"event_type:alert\",\"analyze_wildcard\":true}},\"filter\":[]}" 181 | } 182 | } 183 | }, 184 | { 185 | "_id": "d9c19020-914d-11e7-a470-2be0517a0eb2", 186 | "_type": "visualization", 187 | "_source": { 188 | "title": "Chart - Source IP", 189 | "visState": "{\"title\":\"Chart - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"src_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 190 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 191 | "description": "", 192 | "version": 1, 193 | "kibanaSavedObjectMeta": { 194 | "searchSourceJSON": 
"{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 195 | } 196 | } 197 | }, 198 | { 199 | "_id": "f2294630-914d-11e7-a470-2be0517a0eb2", 200 | "_type": "visualization", 201 | "_source": { 202 | "title": "Chart - Destination IP", 203 | "visState": "{\"title\":\"Chart - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dest_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", 204 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 205 | "description": "", 206 | "version": 1, 207 | "kibanaSavedObjectMeta": { 208 | "searchSourceJSON": "{\"index\":\"filebeat-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}" 209 | } 210 | } 211 | } 212 | ] -------------------------------------------------------------------------------- /configs/suricata.yaml: -------------------------------------------------------------------------------- 1 | %YAML 1.1 2 | --- 3 | 4 | # Suricata configuration file. 
In addition to the comments describing all 5 | # options in this file, full documentation can be found at: 6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml 7 | 8 | ## 9 | ## Step 1: inform Suricata about your network 10 | ## 11 | 12 | vars: 13 | # more specific is better for alert accuracy and performance 14 | address-groups: 15 | #HOME_NET: "[192.168.1.0/24]" 16 | HOME_NET: "[192.168.0.0/16]" 17 | #HOME_NET: "[10.0.0.0/8]" 18 | #HOME_NET: "[172.16.0.0/12]" 19 | #HOME_NET: "any" 20 | 21 | EXTERNAL_NET: "!$HOME_NET" 22 | #EXTERNAL_NET: "any" 23 | 24 | HTTP_SERVERS: "$HOME_NET" 25 | SMTP_SERVERS: "$HOME_NET" 26 | SQL_SERVERS: "$HOME_NET" 27 | DNS_SERVERS: "$HOME_NET" 28 | TELNET_SERVERS: "$HOME_NET" 29 | AIM_SERVERS: "$EXTERNAL_NET" 30 | DNP3_SERVER: "$HOME_NET" 31 | DNP3_CLIENT: "$HOME_NET" 32 | MODBUS_CLIENT: "$HOME_NET" 33 | MODBUS_SERVER: "$HOME_NET" 34 | ENIP_CLIENT: "$HOME_NET" 35 | ENIP_SERVER: "$HOME_NET" 36 | 37 | port-groups: 38 | HTTP_PORTS: "80" 39 | SHELLCODE_PORTS: "!80" 40 | ORACLE_PORTS: 1521 41 | SSH_PORTS: 22 42 | DNP3_PORTS: 20000 43 | MODBUS_PORTS: 502 44 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" 45 | FTP_PORTS: 21 46 | 47 | 48 | ## 49 | ## Step 2: select the rules to enable or disable 50 | ## 51 | 52 | default-rule-path: /etc/suricata/rules 53 | rule-files: 54 | - downloaded.rules 55 | 56 | classification-file: /etc/suricata/classification.config 57 | reference-config-file: /etc/suricata/reference.config 58 | # threshold-file: /etc/suricata/threshold.config 59 | 60 | 61 | ## 62 | ## Step 3: select outputs to enable 63 | ## 64 | 65 | # The default logging directory. Any log or output file will be 66 | # placed here if it's not specified with a full path name. This can be 67 | # overridden with the -l command line parameter. 
68 | default-log-dir: /var/log/suricata/ 69 | 70 | # global stats configuration 71 | stats: 72 | enabled: yes 73 | # The interval field (in seconds) controls at what interval 74 | # the loggers are invoked. 75 | interval: 8 76 | 77 | # Configure the type of alert (and other) logging you would like. 78 | outputs: 79 | # a line based alerts log similar to Snort's fast.log 80 | - fast: 81 | enabled: no 82 | filename: fast.log 83 | append: yes 84 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 85 | 86 | # Extensible Event Format (nicknamed EVE) event log in JSON format 87 | - eve-log: 88 | enabled: yes 89 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis 90 | filename: eve.json 91 | append: no 92 | #prefix: "@cee: " # prefix to prepend to each log entry 93 | # the following are valid when type: syslog above 94 | #identity: "suricata" 95 | #facility: local5 96 | #level: Info ## possible levels: Emergency, Alert, Critical, 97 | ## Error, Warning, Notice, Info, Debug 98 | #redis: 99 | # server: 127.0.0.1 100 | # port: 6379 101 | # async: true ## if redis replies are read asynchronously 102 | # mode: list ## possible values: list (default), channel 103 | # key: suricata ## key or channel to use (default to suricata) 104 | # Redis pipelining set up. This will enable to only do a query every 105 | # 'batch-size' events. This should lower the latency induced by network 106 | # connection at the cost of some memory. There is no flushing implemented 107 | # so this setting as to be reserved to high traffic suricata. 
108 | # pipelining: 109 | # enabled: yes ## set enable to yes to enable query pipelining 110 | # batch-size: 10 ## number of entry to keep in buffer 111 | types: 112 | - alert: 113 | payload: yes # enable dumping payload in Base64 114 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log 115 | # payload-printable: yes # enable dumping payload in printable (lossy) format 116 | # packet: yes # enable dumping of packet (without stream segments) 117 | http-body: yes # enable dumping of http body in Base64 118 | # http-body-printable: yes # enable dumping of http body in printable format 119 | metadata: yes # add L7/applayer fields, flowbit and other vars to the alert 120 | 121 | # Enable the logging of tagged packets for rules using the 122 | # "tag" keyword. 123 | tagged-packets: yes 124 | 125 | # HTTP X-Forwarded-For support by adding an extra field or overwriting 126 | # the source or destination IP address (depending on flow direction) 127 | # with the one reported in the X-Forwarded-For HTTP header. This is 128 | # helpful when reviewing alerts for traffic that is being reverse 129 | # or forward proxied. 130 | xff: 131 | enabled: no 132 | # Two operation modes are available, "extra-data" and "overwrite". 133 | mode: extra-data 134 | # Two proxy deployments are supported, "reverse" and "forward". In 135 | # a "reverse" deployment the IP address used is the last one, in a 136 | # "forward" deployment the first IP address is used. 137 | deployment: reverse 138 | # Header name where the actual IP address will be reported, if more 139 | # than one IP address is present, the last IP address will be the 140 | # one taken into consideration. 
141 | header: X-Forwarded-For 142 | - http: 143 | extended: yes # enable this for extended logging information 144 | # custom allows additional http fields to be included in eve-log 145 | # the example below adds three additional fields when uncommented 146 | #custom: [Accept-Encoding, Accept-Language, Authorization] 147 | - dns: 148 | # control logging of queries and answers 149 | # default yes, no to disable 150 | query: yes # enable logging of DNS queries 151 | answer: yes # enable logging of DNS answers 152 | # control which RR types are logged 153 | # all enabled if custom not specified 154 | #custom: [a, aaaa, cname, mx, ns, ptr, txt] 155 | - tls: 156 | extended: yes # enable this for extended logging information 157 | # output TLS transaction where the session is resumed using a 158 | # session id 159 | #session-resumption: no 160 | # custom allows to control which tls fields that are included 161 | # in eve-log 162 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] 163 | - files: 164 | force-magic: no # force logging magic on all logged files 165 | # force logging of checksums, available hash functions are md5, 166 | # sha1 and sha256 167 | force-hash: [md5, sha256] 168 | #- drop: 169 | # alerts: yes # log alerts that caused drops 170 | # flows: all # start or all: 'start' logs only a single drop 171 | # # per flow direction. All logs each dropped pkt. 
172 | #- smtp: 173 | #extended: yes # enable this for extended logging information 174 | # this includes: bcc, message-id, subject, x_mailer, user-agent 175 | # custom fields logging from the list: 176 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, 177 | # x-originating-ip, in-reply-to, references, importance, priority, 178 | # sensitivity, organization, content-md5, date 179 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] 180 | # output md5 of fields: body, subject 181 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 182 | # to yes 183 | #md5: [body, subject] 184 | 185 | #- dnp3 186 | #- nfs 187 | #- ssh 188 | #- stats: 189 | # totals: yes # stats for all threads merged together 190 | # threads: no # per thread stats 191 | # deltas: no # include delta values 192 | # bi-directional flows 193 | - flow 194 | # uni-directional flows 195 | #- netflow 196 | # Vars log flowbits and other packet and flow vars 197 | #- vars 198 | 199 | # alert output for use with Barnyard2 200 | - unified2-alert: 201 | enabled: no 202 | filename: unified2.alert 203 | 204 | # File size limit. Can be specified in kb, mb, gb. Just a number 205 | # is parsed as bytes. 206 | #limit: 32mb 207 | 208 | # By default unified2 log files have the file creation time (in 209 | # unix epoch format) appended to the filename. Set this to yes to 210 | # disable this behaviour. 211 | #nostamp: no 212 | 213 | # Sensor ID field of unified2 alerts. 214 | #sensor-id: 0 215 | 216 | # Include payload of packets related to alerts. Defaults to true, set to 217 | # false if payload is not required. 218 | #payload: yes 219 | 220 | # HTTP X-Forwarded-For support by adding the unified2 extra header or 221 | # overwriting the source or destination IP address (depending on flow 222 | # direction) with the one reported in the X-Forwarded-For HTTP header. 
223 | # This is helpful when reviewing alerts for traffic that is being reverse 224 | # or forward proxied. 225 | xff: 226 | enabled: no 227 | # Two operation modes are available, "extra-data" and "overwrite". Note 228 | # that in the "overwrite" mode, if the reported IP address in the HTTP 229 | # X-Forwarded-For header is of a different version of the packet 230 | # received, it will fall-back to "extra-data" mode. 231 | mode: extra-data 232 | # Two proxy deployments are supported, "reverse" and "forward". In 233 | # a "reverse" deployment the IP address used is the last one, in a 234 | # "forward" deployment the first IP address is used. 235 | deployment: reverse 236 | # Header name where the actual IP address will be reported, if more 237 | # than one IP address is present, the last IP address will be the 238 | # one taken into consideration. 239 | header: X-Forwarded-For 240 | 241 | # a line based log of HTTP requests (no alerts) 242 | - http-log: 243 | enabled: no 244 | filename: http.log 245 | append: yes 246 | #extended: yes # enable this for extended logging information 247 | #custom: yes # enabled the custom logging format (defined by customformat) 248 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" 249 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 250 | 251 | # a line based log of TLS handshake parameters (no alerts) 252 | - tls-log: 253 | enabled: no # Log TLS connections. 254 | filename: tls.log # File to store TLS logs. 
255 | append: yes 256 | #extended: yes # Log extended information like fingerprint 257 | #custom: yes # enabled the custom logging format (defined by customformat) 258 | #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" 259 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 260 | # output TLS transaction where the session is resumed using a 261 | # session id 262 | #session-resumption: no 263 | 264 | # output module to store certificates chain to disk 265 | - tls-store: 266 | enabled: no 267 | #certs-log-dir: certs # directory to store the certificates files 268 | 269 | # a line based log of DNS requests and/or replies (no alerts) 270 | - dns-log: 271 | enabled: no 272 | filename: dns.log 273 | append: yes 274 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 275 | 276 | # Packet log... log packets in pcap format. 3 modes of operation: "normal" 277 | # "multi" and "sguil". 278 | # 279 | # In normal mode a pcap file "filename" is created in the default-log-dir, 280 | # or are as specified by "dir". 281 | # In multi mode, a file is created per thread. This will perform much 282 | # better, but will create multiple files where 'normal' would create one. 283 | # In multi mode the filename takes a few special variables: 284 | # - %n -- thread number 285 | # - %i -- thread id 286 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format' 287 | # E.g. filename: pcap.%n.%t 288 | # 289 | # Note that it's possible to use directories, but the directories are not 290 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the 291 | # per thread directory. 292 | # 293 | # Also note that the limit and max-files settings are enforced per thread. 294 | # So the size limit when using 8 threads with 1000mb files and 2000 files 295 | # is: 8*1000*2000 ~ 16TiB. 296 | # 297 | # In Sguil mode "dir" indicates the base directory. 
In this base dir the 298 | # pcaps are created in the directory structure Sguil expects: 299 | # 300 | # $sguil-base-dir/YYYY-MM-DD/$filename. 301 | # 302 | # By default all packets are logged except: 303 | # - TCP streams beyond stream.reassembly.depth 304 | # - encrypted streams after the key exchange 305 | # 306 | - pcap-log: 307 | enabled: no 308 | filename: log.pcap 309 | 310 | # File size limit. Can be specified in kb, mb, gb. Just a number 311 | # is parsed as bytes. 312 | limit: 1000mb 313 | 314 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" 315 | max-files: 2000 316 | 317 | mode: normal # normal, multi or sguil. 318 | 319 | # Directory to place pcap files. If not provided the default log 320 | # directory will be used. Required for "sguil" mode. 321 | #dir: /nsm_data/ 322 | 323 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec 324 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets 325 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. 326 | 327 | # a full alerts log containing much information for signature writers 328 | # or for investigating suspected false positives. 329 | - alert-debug: 330 | enabled: no 331 | filename: alert-debug.log 332 | append: yes 333 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 334 | 335 | # alert output to prelude (http://www.prelude-technologies.com/) only 336 | # available if Suricata has been compiled with --enable-prelude 337 | - alert-prelude: 338 | enabled: no 339 | profile: suricata 340 | log-packet-content: no 341 | log-packet-header: yes 342 | 343 | # Stats.log contains data from various counters of the suricata engine. 
344 | - stats: 345 | enabled: yes 346 | filename: stats.log 347 | totals: yes # stats for all threads merged together 348 | threads: no # per thread stats 349 | #null-values: yes # print counters that have value 0 350 | 351 | # a line based alerts log similar to fast.log into syslog 352 | - syslog: 353 | enabled: no 354 | # reported identity to syslog. If omitted the program name (usually 355 | # suricata) will be used. 356 | #identity: "suricata" 357 | facility: local5 358 | #level: Info ## possible levels: Emergency, Alert, Critical, 359 | ## Error, Warning, Notice, Info, Debug 360 | 361 | # line-based information for dropped packets in IPS mode 362 | - drop: 363 | enabled: no 364 | filename: drop.log 365 | append: yes 366 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 367 | 368 | # output module to store extracted files to disk 369 | # 370 | # The files are stored to the log-dir in a format "file.<id>" where <id> is 371 | # an incrementing number starting at 1. For each file "file.<id>" a meta 372 | # file "file.<id>.meta" is created. 373 | # 374 | # File extraction depends on a lot of things to be fully done: 375 | # - file-store stream-depth. For optimal results, set this to 0 (unlimited) 376 | # - http request / response body sizes. Again set to 0 for optimal results. 377 | # - rules that contain the "filestore" keyword. 378 | - file-store: 379 | enabled: no # set to yes to enable 380 | log-dir: files # directory to store the files 381 | force-magic: no # force logging magic on all stored files 382 | # force logging of checksums, available hash functions are md5, 383 | # sha1 and sha256 384 | #force-hash: [md5] 385 | force-filestore: no # force storing of all files 386 | # override global stream-depth for sessions in which we want to 387 | # perform file extraction. Set to 0 for unlimited. 
388 | #stream-depth: 0 389 | #waldo: file.waldo # waldo file to store the file_id across runs 390 | # uncomment to disable meta file writing 391 | #write-meta: no 392 | # uncomment the following variable to define how many files can 393 | # remain open for filestore by Suricata. Default value is 0 which 394 | # means files get closed after each write 395 | #max-open-files: 1000 396 | 397 | # output module to log files tracked in a easily parsable json format 398 | - file-log: 399 | enabled: no 400 | filename: files-json.log 401 | append: yes 402 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 403 | 404 | force-magic: no # force logging magic on all logged files 405 | # force logging of checksums, available hash functions are md5, 406 | # sha1 and sha256 407 | #force-hash: [md5] 408 | 409 | # Log TCP data after stream normalization 410 | # 2 types: file or dir. File logs into a single logfile. Dir creates 411 | # 2 files per TCP session and stores the raw TCP data into them. 412 | # Using 'both' will enable both file and dir modes. 413 | # 414 | # Note: limited by stream.depth 415 | - tcp-data: 416 | enabled: no 417 | type: file 418 | filename: tcp-data.log 419 | 420 | # Log HTTP body data after normalization, dechunking and unzipping. 421 | # 2 types: file or dir. File logs into a single logfile. Dir creates 422 | # 2 files per HTTP session and stores the normalized data into them. 423 | # Using 'both' will enable both file and dir modes. 424 | # 425 | # Note: limited by the body limit settings 426 | - http-body-data: 427 | enabled: no 428 | type: file 429 | filename: http-data.log 430 | 431 | # Lua Output Support - execute lua script to generate alert and event 432 | # output. 433 | # Documented at: 434 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output 435 | - lua: 436 | enabled: no 437 | #scripts-dir: /etc/suricata/lua-output/ 438 | scripts: 439 | # - script1.lua 440 | 441 | # Logging configuration. 
This is not about logging IDS alerts/events, but 442 | # output about what Suricata is doing, like startup messages, errors, etc. 443 | logging: 444 | # The default log level, can be overridden in an output section. 445 | # Note that debug level logging will only be emitted if Suricata was 446 | # compiled with the --enable-debug configure option. 447 | # 448 | # This value is overridden by the SC_LOG_LEVEL env var. 449 | default-log-level: notice 450 | 451 | # The default output format. Optional parameter, should default to 452 | # something reasonable if not provided. Can be overridden in an 453 | # output section. You can leave this out to get the default. 454 | # 455 | # This value is overridden by the SC_LOG_FORMAT env var. 456 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " 457 | 458 | # A regex to filter output. Can be overridden in an output section. 459 | # Defaults to empty (no filter). 460 | # 461 | # This value is overridden by the SC_LOG_OP_FILTER env var. 462 | default-output-filter: 463 | 464 | # Define your logging outputs. If none are defined, or they are all 465 | # disabled you will get the default - console output. 466 | outputs: 467 | - console: 468 | enabled: yes 469 | # type: json 470 | - file: 471 | enabled: yes 472 | level: info 473 | filename: /var/log/suricata/suricata.log 474 | # type: json 475 | - syslog: 476 | enabled: no 477 | facility: local5 478 | format: "[%i] <%d> -- " 479 | # type: json 480 | 481 | 482 | ## 483 | ## Step 4: configure common capture settings 484 | ## 485 | ## See "Advanced Capture Options" below for more options, including NETMAP 486 | ## and PF_RING. 487 | ## 488 | 489 | # Linux high speed capture support 490 | af-packet: 491 | - interface: enp8s0 492 | # Number of receive threads. "auto" uses the number of cores 493 | #threads: auto 494 | # Default clusterid. AF_PACKET will load balance packets based on flow. 495 | cluster-id: 99 496 | # Default AF_PACKET cluster type. 
AF_PACKET can load balance per flow or per hash. 497 | # This is only supported for Linux kernel > 3.1 498 | # possible values are: 499 | # * cluster_round_robin: round robin load balancing 500 | # * cluster_flow: all packets of a given flow are sent to the same socket 501 | # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket 502 | # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same 503 | # socket. Requires at least Linux 3.14. 504 | # * cluster_random: packets are sent randomly to sockets but with an equipartition. 505 | # Requires at least Linux 3.14. 506 | # * cluster_rollover: kernel rotates between sockets filling each socket before moving 507 | # to the next. Requires at least Linux 3.10. 508 | # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on systems 509 | # with a capture card using RSS (requires cpu affinity tuning and system irq tuning) 510 | cluster-type: cluster_flow 511 | # In some fragmentation cases, the hash can not be computed. If "defrag" is set 512 | # to yes, the kernel will do the needed defragmentation before sending the packets. 513 | defrag: yes 514 | # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is 515 | # full then kernel will send the packet on the next socket with room available. This option 516 | # can minimize packet drop and increase the treated bandwidth on a single intensive flow. 517 | #rollover: yes 518 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes 519 | #use-mmap: yes 520 | # Lock memory map to avoid it being swapped out. Be careful that over-subscribing could lock 521 | # your system 522 | #mmap-locked: yes 523 | # Use tpacket_v3 capture mode, only active if use-mmap is true 524 | # Don't use it in IPS or TAP mode as it causes severe latency 525 | #tpacket-v3: yes 526 | # Ring size will be computed with respect to max_pending_packets and number 527 | # of threads. 
You can manually set the ring size in number of packets by setting 528 | # the following value. If you are using flow cluster-type and have a really network- 529 | # intensive single flow you could want to set the ring-size independently of the number 530 | # of threads: 531 | #ring-size: 2048 532 | # Block size is used by tpacket_v3 only. It should be set to a value high enough to contain 533 | # a decent number of packets. Size is in bytes so please consider your MTU. It should be 534 | # a power of 2 and it must be a multiple of the page size (usually 4096). 535 | #block-size: 32768 536 | # tpacket_v3 block timeout: an open block is passed to userspace if it is not 537 | # filled after block-timeout milliseconds. 538 | #block-timeout: 10 539 | # On a busy system, it could help to set this to yes to recover from a packet drop 540 | # phase. This will result in some packets (at most a ring flush) being left unprocessed. 541 | #use-emergency-flush: yes 542 | # recv buffer size, increasing the value could improve performance 543 | # buffer-size: 32768 544 | # Set to yes to disable promiscuous mode 545 | # disable-promisc: no 546 | # Choose checksum verification mode for the interface. At the moment 547 | # of the capture, some packets may be with an invalid checksum due to 548 | # offloading to the network card of the checksum computation. 549 | # Possible values are: 550 | # - kernel: use indication sent by kernel for each packet (default) 551 | # - yes: checksum validation is forced 552 | # - no: checksum validation is disabled 553 | # - auto: suricata uses a statistical approach to detect when 554 | # checksum off-loading is used. 555 | # Warning: 'checksum-validation' must be set to yes to have any validation 556 | #checksum-checks: kernel 557 | # BPF filter to apply to this interface. The pcap filter syntax applies here. 558 | #bpf-filter: port 80 or udp 559 | # You can use the following variables to activate AF_PACKET tap or IPS mode. 
560 | # If copy-mode is set to ips or tap, the traffic coming to the current 561 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 562 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action 563 | # will not be copied. 564 | #copy-mode: ips 565 | #copy-iface: eth1 566 | 567 | # Put default values here. These will be used for an interface that is not 568 | # in the list above. 569 | - interface: default 570 | #threads: auto 571 | #use-mmap: no 572 | #rollover: yes 573 | #tpacket-v3: yes 574 | 575 | # Cross platform libpcap capture support 576 | pcap: 577 | - interface: enp8s0 578 | # On Linux, pcap will try to use mmaped capture and will use buffer-size 579 | # as total of memory used by the ring. So set this to something bigger 580 | # than 1% of your bandwidth. 581 | #buffer-size: 16777216 582 | #bpf-filter: "tcp and port 25" 583 | # Choose checksum verification mode for the interface. At the moment 584 | # of the capture, some packets may be with an invalid checksum due to 585 | # offloading to the network card of the checksum computation. 586 | # Possible values are: 587 | # - yes: checksum validation is forced 588 | # - no: checksum validation is disabled 589 | # - auto: suricata uses a statistical approach to detect when 590 | # checksum off-loading is used. (default) 591 | # Warning: 'checksum-validation' must be set to yes to have any validation 592 | #checksum-checks: auto 593 | # With some accelerator cards using a modified libpcap (like myricom), you 594 | # may want to have the same number of capture threads as the number of capture 595 | # rings. In this case, set up the threads variable to N to start N threads 596 | # listening on the same interface. 597 | #threads: 16 598 | # set to no to disable promiscuous mode: 599 | #promisc: no 600 | # set snaplen, if not set it defaults to MTU if MTU can be known 601 | # via ioctl call and to full capture if not. 
602 | #snaplen: 1518 603 | # Put default values here 604 | - interface: default 605 | #checksum-checks: auto 606 | 607 | # Settings for reading pcap files 608 | pcap-file: 609 | # Possible values are: 610 | # - yes: checksum validation is forced 611 | # - no: checksum validation is disabled 612 | # - auto: suricata uses a statistical approach to detect when 613 | # checksum off-loading is used. (default) 614 | # Warning: 'checksum-validation' must be set to yes to have checksum tested 615 | checksum-checks: auto 616 | 617 | # See "Advanced Capture Options" below for more options, including NETMAP 618 | # and PF_RING. 619 | 620 | 621 | ## 622 | ## Step 5: App Layer Protocol Configuration 623 | ## 624 | 625 | # Configure the app-layer parsers. The protocols section details each 626 | # protocol. 627 | # 628 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". 629 | # "yes" enables both detection and the parser, "no" disables both, and 630 | # "detection-only" enables protocol detection only (parser disabled). 631 | app-layer: 632 | protocols: 633 | tls: 634 | enabled: yes 635 | detection-ports: 636 | dp: 443 637 | 638 | # Completely stop processing TLS/SSL session after the handshake 639 | # completed. If bypass is enabled this will also trigger flow 640 | # bypass. If disabled (the default), TLS/SSL session is still 641 | # tracked for Heartbleed and other anomalies. 642 | #no-reassemble: yes 643 | dcerpc: 644 | enabled: yes 645 | ftp: 646 | enabled: yes 647 | ssh: 648 | enabled: yes 649 | smtp: 650 | enabled: yes 651 | # Configure SMTP-MIME Decoder 652 | mime: 653 | # Decode MIME messages from SMTP transactions 654 | # (may be resource intensive) 655 | # This field supercedes all others because it turns the entire 656 | # process on or off 657 | decode-mime: yes 658 | 659 | # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) 
660 | decode-base64: yes 661 | decode-quoted-printable: yes 662 | 663 | # Maximum bytes per header data value stored in the data structure 664 | # (default is 2000) 665 | header-value-depth: 2000 666 | 667 | # Extract URLs and save in state data structure 668 | extract-urls: yes 669 | # Set to yes to compute the md5 of the mail body. You will then 670 | # be able to journalize it. 671 | body-md5: no 672 | # Configure inspected-tracker for file_data keyword 673 | inspected-tracker: 674 | content-limit: 100000 675 | content-inspect-min-size: 32768 676 | content-inspect-window: 4096 677 | imap: 678 | enabled: detection-only 679 | msn: 680 | enabled: detection-only 681 | smb: 682 | enabled: yes 683 | detection-ports: 684 | dp: 139, 445 685 | # smb2 detection is disabled internally inside the engine. 686 | #smb2: 687 | # enabled: yes 688 | # Note: NFS parser depends on Rust support: pass --enable-rust 689 | # to configure. 690 | nfs: 691 | enabled: no 692 | dns: 693 | # memcaps. Globally and per flow/state. 694 | #global-memcap: 16mb 695 | #state-memcap: 512kb 696 | 697 | # How many unreplied DNS requests are considered a flood. 698 | # If the limit is reached, app-layer-event:dns.flooded; will match. 699 | #request-flood: 500 700 | 701 | tcp: 702 | enabled: yes 703 | detection-ports: 704 | dp: 53 705 | udp: 706 | enabled: yes 707 | detection-ports: 708 | dp: 53 709 | http: 710 | enabled: yes 711 | # memcap: 64mb 712 | 713 | # default-config: Used when no server-config matches 714 | # personality: List of personalities used by default 715 | # request-body-limit: Limit reassembly of request body for inspection 716 | # by http_client_body & pcre /P option. 717 | # response-body-limit: Limit reassembly of response body for inspection 718 | # by file_data, http_server_body & pcre /Q option. 
719 | # double-decode-path: Double decode path section of the URI 720 | # double-decode-query: Double decode query section of the URI 721 | # response-body-decompress-layer-limit: 722 | # Limit to how many layers of compression will be 723 | # decompressed. Defaults to 2. 724 | # 725 | # server-config: List of server configurations to use if address matches 726 | # address: List of ip addresses or networks for this block 727 | # personalitiy: List of personalities used by this block 728 | # request-body-limit: Limit reassembly of request body for inspection 729 | # by http_client_body & pcre /P option. 730 | # response-body-limit: Limit reassembly of response body for inspection 731 | # by file_data, http_server_body & pcre /Q option. 732 | # double-decode-path: Double decode path section of the URI 733 | # double-decode-query: Double decode query section of the URI 734 | # 735 | # uri-include-all: Include all parts of the URI. By default the 736 | # 'scheme', username/password, hostname and port 737 | # are excluded. Setting this option to true adds 738 | # all of them to the normalized uri as inspected 739 | # by http_uri, urilen, pcre with /U and the other 740 | # keywords that inspect the normalized uri. 741 | # Note that this does not affect http_raw_uri. 742 | # Also, note that including all was the default in 743 | # 1.4 and 2.0beta1. 744 | # 745 | # meta-field-limit: Hard size limit for request and response size 746 | # limits. Applies to request line and headers, 747 | # response line and headers. Does not apply to 748 | # request or response bodies. Default is 18k. 749 | # If this limit is reached an event is raised. 750 | # 751 | # Currently Available Personalities: 752 | # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, 753 | # IIS_7_0, IIS_7_5, Apache_2 754 | libhtp: 755 | default-config: 756 | personality: IDS 757 | 758 | # Can be specified in kb, mb, gb. Just a number indicates 759 | # it's in bytes. 
760 | request-body-limit: 100kb 761 | response-body-limit: 100kb 762 | 763 | # inspection limits 764 | request-body-minimal-inspect-size: 32kb 765 | request-body-inspect-window: 4kb 766 | response-body-minimal-inspect-size: 40kb 767 | response-body-inspect-window: 16kb 768 | 769 | # response body decompression (0 disables) 770 | response-body-decompress-layer-limit: 2 771 | 772 | # auto will use http-body-inline mode in IPS mode, yes or no set it statically 773 | http-body-inline: auto 774 | 775 | # Take a random value for inspection sizes around the specified value. 776 | # This lowers the risk of some evasion techniques but could lead to 777 | # detection changes between runs. It is set to 'yes' by default. 778 | #randomize-inspection-sizes: yes 779 | # If randomize-inspection-sizes is active, the value of the various 780 | # inspection sizes will be chosen in the [1 - range%, 1 + range%] 781 | # range 782 | # Default value of randomize-inspection-range is 10. 783 | #randomize-inspection-range: 10 784 | 785 | # decoding 786 | double-decode-path: no 787 | double-decode-query: no 788 | 789 | server-config: 790 | 791 | #- apache: 792 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] 793 | # personality: Apache_2 794 | # # Can be specified in kb, mb, gb. Just a number indicates 795 | # # it's in bytes. 796 | # request-body-limit: 4096 797 | # response-body-limit: 4096 798 | # double-decode-path: no 799 | # double-decode-query: no 800 | 801 | #- iis7: 802 | # address: 803 | # - 192.168.0.0/24 804 | # - 192.168.10.0/24 805 | # personality: IIS_7_0 806 | # # Can be specified in kb, mb, gb. Just a number indicates 807 | # # it's in bytes. 
808 | # request-body-limit: 4096 809 | # response-body-limit: 4096 810 | # double-decode-path: no 811 | # double-decode-query: no 812 | 813 | # Note: Modbus probe parser is minimalist due to the poor significant field 814 | # Only Modbus message length (greater than Modbus header length) 815 | # And Protocol ID (equal to 0) are checked in probing parser 816 | # It is important to enable detection port and define Modbus port 817 | # to avoid false positive 818 | modbus: 819 | # How many unreplied Modbus requests are considered a flood. 820 | # If the limit is reached, app-layer-event:modbus.flooded; will match. 821 | #request-flood: 500 822 | 823 | enabled: no 824 | detection-ports: 825 | dp: 502 826 | # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it 827 | # is recommended to keep the TCP connection opened with a remote device 828 | # and not to open and close it for each MODBUS/TCP transaction. In that 829 | # case, it is important to set the depth of the stream reassembling as 830 | # unlimited (stream.reassembly.depth: 0) 831 | 832 | # Stream reassembly size for modbus. By default track it completely. 833 | stream-depth: 0 834 | 835 | # DNP3 836 | dnp3: 837 | enabled: no 838 | detection-ports: 839 | dp: 20000 840 | 841 | # SCADA EtherNet/IP and CIP protocol support 842 | enip: 843 | enabled: no 844 | detection-ports: 845 | dp: 44818 846 | sp: 44818 847 | 848 | # Note: parser depends on experimental Rust support 849 | # with --enable-rust-experimental passed to configure 850 | ntp: 851 | enabled: no 852 | 853 | # Limit for the maximum number of asn1 frames to decode (default 256) 854 | asn1-max-frames: 256 855 | 856 | 857 | ############################################################################## 858 | ## 859 | ## Advanced settings below 860 | ## 861 | ############################################################################## 862 | 863 | ## 864 | ## Run Options 865 | ## 866 | 867 | # Run suricata as user and group. 
868 | #run-as: 869 | # user: suri 870 | # group: suri 871 | 872 | # Some logging modules will use this name as an identifier in events. The default 873 | # value is the hostname 874 | #sensor-name: suricata 875 | 876 | # Default location of the pid file. The pid file is only used in 877 | # daemon mode (start Suricata with -D). If not running in daemon mode 878 | # the --pidfile command line option must be used to create a pid file. 879 | #pid-file: /var/run/suricata.pid 880 | 881 | # Daemon working directory 882 | # Suricata will change directory to this one if provided 883 | # Default: "/" 884 | #daemon-directory: "/" 885 | 886 | # Suricata core dump configuration. Limits the size of the core dump file to 887 | # approximately max-dump. The actual core dump size will be a multiple of the 888 | # page size. Core dumps that would be larger than max-dump are truncated. On 889 | # Linux, the actual core dump size may be a few pages larger than max-dump. 890 | # Setting max-dump to 0 disables core dumping. 891 | # Setting max-dump to 'unlimited' will give the full core dump file. A full dump of a running sensor may contain buffered packet data, so restrict access to the dump location. 892 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size 893 | # to be 'unlimited'. 894 | 895 | coredump: 896 | max-dump: unlimited 897 | 898 | # If the suricata box is a router for the sniffed networks, set it to 'router'. If 899 | # it is a pure sniffing setup, set it to 'sniffer-only'. 900 | # If set to auto, the variable is internally switched to 'router' in IPS mode 901 | # and 'sniffer-only' in IDS mode. 902 | # This feature is currently only used by the reject* keywords. 903 | host-mode: auto 904 | 905 | # Number of packets preallocated per thread. The default is 1024. A higher number 906 | # will make sure each CPU will be more easily kept busy, but may negatively 907 | # impact caching. 908 | # 909 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules 910 | # apply. In that case try something like 60000 or more. 
This is because the CUDA 911 | # pattern matcher buffers and scans as many packets as possible in parallel. 912 | #max-pending-packets: 1024 913 | 914 | # Runmode the engine should use. Please check --list-runmodes to get the available 915 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned 916 | # load balancing). 917 | #runmode: autofp 918 | 919 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. 920 | # 921 | # Supported schedulers are: 922 | # 923 | # round-robin - Flows assigned to threads in a round robin fashion. 924 | # active-packets - Flows assigned to threads that have the lowest number of 925 | # unprocessed packets (default). 926 | # hash - Flow allotted using the address hash. More of a random 927 | # technique. Was the default in Suricata 1.2.1 and older. 928 | # 929 | #autofp-scheduler: active-packets 930 | 931 | # Preallocated size for a packet. Default is 1514 which is the classical 932 | # size for pcap on ethernet. You should adjust this value to the highest 933 | # packet size (MTU + hardware header) on your system. 934 | #default-packet-size: 1514 935 | 936 | # Unix command socket can be used to pass commands to suricata. 937 | # An external tool can then connect to get information from suricata 938 | # or trigger some modifications of the engine. Set enabled to yes 939 | # to activate the feature. In auto mode, the feature will only be 940 | # activated in live capture mode. You can use the filename variable to set 941 | # the file name of the socket. Because the socket accepts engine commands, keep its file permissions restricted to the operator account. 942 | unix-command: 943 | enabled: auto 944 | #filename: custom.socket 945 | 946 | # Magic file. The extension .mgc is added to the value here. 
947 | #magic-file: /usr/share/file/magic 948 | #magic-file: 949 | 950 | legacy: 951 | uricontent: enabled 952 | 953 | ## 954 | ## Detection settings 955 | ## 956 | 957 | # Set the order of alerts bassed on actions 958 | # The default order is pass, drop, reject, alert 959 | # action-order: 960 | # - pass 961 | # - drop 962 | # - reject 963 | # - alert 964 | 965 | # IP Reputation 966 | #reputation-categories-file: /etc/suricata/iprep/categories.txt 967 | #default-reputation-path: /etc/suricata/iprep 968 | #reputation-files: 969 | # - reputation.list 970 | 971 | # When run with the option --engine-analysis, the engine will read each of 972 | # the parameters below, and print reports for each of the enabled sections 973 | # and exit. The reports are printed to a file in the default log dir 974 | # given by the parameter "default-log-dir", with engine reporting 975 | # subsection below printing reports in its own report file. 976 | engine-analysis: 977 | # enables printing reports for fast-pattern for every rule. 978 | rules-fast-pattern: yes 979 | # enables printing reports for each rule 980 | rules: yes 981 | 982 | #recursion and match limits for PCRE where supported 983 | pcre: 984 | match-limit: 3500 985 | match-limit-recursion: 1500 986 | 987 | ## 988 | ## Advanced Traffic Tracking and Reconstruction Settings 989 | ## 990 | 991 | # Host specific policies for defragmentation and TCP stream 992 | # reassembly. The host OS lookup is done using a radix tree, just 993 | # like a routing table so the most specific entry matches. 994 | host-os-policy: 995 | # Make the default policy windows. 
996 | windows: [0.0.0.0/0] 997 | bsd: [] 998 | bsd-right: [] 999 | old-linux: [] 1000 | linux: [] 1001 | old-solaris: [] 1002 | solaris: [] 1003 | hpux10: [] 1004 | hpux11: [] 1005 | irix: [] 1006 | macos: [] 1007 | vista: [] 1008 | windows2k3: [] 1009 | 1010 | # Defrag settings: 1011 | 1012 | defrag: 1013 | memcap: 32mb 1014 | hash-size: 65536 1015 | trackers: 65535 # number of defragmented flows to follow 1016 | max-frags: 65535 # number of fragments to keep (higher than trackers) 1017 | prealloc: yes 1018 | timeout: 60 1019 | 1020 | # Enable defrag per host settings 1021 | # host-config: 1022 | # 1023 | # - dmz: 1024 | # timeout: 30 1025 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] 1026 | # 1027 | # - lan: 1028 | # timeout: 45 1029 | # address: 1030 | # - 192.168.0.0/24 1031 | # - 192.168.10.0/24 1032 | # - 172.16.14.0/24 1033 | 1034 | # Flow settings: 1035 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit 1036 | # for flow allocation inside the engine. You can change this value to allow 1037 | # more memory usage for flows. 1038 | # The hash-size determine the size of the hash used to identify flows inside 1039 | # the engine, and by default the value is 65536. 1040 | # At the startup, the engine can preallocate a number of flows, to get a better 1041 | # performance. The number of flows preallocated is 10000 by default. 1042 | # emergency-recovery is the percentage of flows that the engine need to 1043 | # prune before unsetting the emergency state. The emergency state is activated 1044 | # when the memcap limit is reached, allowing to create new flows, but 1045 | # prunning them with the emergency timeouts (they are defined below). 1046 | # If the memcap is reached, the engine will try to prune flows 1047 | # with the default timeouts. If it doens't find a flow to prune, it will set 1048 | # the emergency bit and it will try again with more agressive timeouts. 
1049 | # If that doesn't work, then it will try to kill the last time seen flows 1050 | # not in use. 1051 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's 1052 | # in bytes. 1053 | 1054 | flow: 1055 | memcap: 128mb 1056 | hash-size: 65536 1057 | prealloc: 10000 1058 | emergency-recovery: 30 1059 | #managers: 1 # default to one flow manager 1060 | #recyclers: 1 # default to one flow recycler thread 1061 | 1062 | # This option controls the use of vlan ids in the flow (and defrag) 1063 | # hashing. Normally this should be enabled, but in some (broken) 1064 | # setups where both sides of a flow are not tagged with the same vlan 1065 | # tag, we can ignore the vlan id's in the flow hashing. 1066 | vlan: 1067 | use-for-tracking: false 1068 | 1069 | # Specific timeouts for flows. Here you can specify the timeouts that the 1070 | # active flows will wait to transit from the current state to another, on each 1071 | # protocol. The value of "new" determines the seconds to wait after a handshake or 1072 | # stream startup before the engine frees the data of that flow if it doesn't 1073 | # change the state to established (usually if we don't receive more packets 1074 | # of that flow). The value of "established" is the amount of 1075 | # seconds that the engine will wait to free the flow if it spends that amount 1076 | # without receiving new packets or closing the connection. "closed" is the 1077 | # amount of time to wait after a flow is closed (usually zero). "bypassed" 1078 | # timeout controls locally bypassed flows. For these flows we don't do any other 1079 | # tracking. If no packets have been seen after this timeout, the flow is discarded. 1080 | # 1081 | # There's an emergency mode that will become active under attack circumstances, 1082 | # making the engine check flow status faster. These configuration variables 1083 | # use the prefix "emergency-" and work similarly to the normal ones. 
1084 | # Some timeouts don't apply to all the protocols, like "closed", for udp and 1085 | # icmp. 1086 | 1087 | flow-timeouts: 1088 | 1089 | default: 1090 | new: 30 1091 | established: 300 1092 | closed: 0 1093 | bypassed: 100 1094 | emergency-new: 10 1095 | emergency-established: 100 1096 | emergency-closed: 0 1097 | emergency-bypassed: 50 1098 | tcp: 1099 | new: 60 1100 | established: 600 1101 | closed: 60 1102 | bypassed: 100 1103 | emergency-new: 5 1104 | emergency-established: 100 1105 | emergency-closed: 10 1106 | emergency-bypassed: 50 1107 | udp: 1108 | new: 30 1109 | established: 300 1110 | bypassed: 100 1111 | emergency-new: 10 1112 | emergency-established: 100 1113 | emergency-bypassed: 50 1114 | icmp: 1115 | new: 30 1116 | established: 300 1117 | bypassed: 100 1118 | emergency-new: 10 1119 | emergency-established: 100 1120 | emergency-bypassed: 50 1121 | 1122 | # Stream engine settings. Here the TCP stream tracking and reassembly 1123 | # engine is configured. 1124 | # 1125 | # stream: 1126 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a 1127 | # # number indicates it's in bytes. 1128 | # checksum-validation: yes # To validate the checksum of received 1129 | # # packet. If csum validation is specified as 1130 | # # "yes", then packet with invalid csum will not 1131 | # # be processed by the engine stream/app layer. 1132 | # # Warning: locally generated traffic can be 1133 | # # generated without checksum due to hardware offload 1134 | # # of checksum. 
You can control the handling of checksum 1135 | # # on a per-interface basis via the 'checksum-checks' 1136 | # # option 1137 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread 1138 | # midstream: false # don't allow midstream session pickups 1139 | # async-oneside: false # don't enable async stream handling 1140 | # inline: no # stream inline mode 1141 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine 1142 | # max-synack-queued: 5 # Max different SYN/ACKs to queue 1143 | # bypass: no # Bypass packets when stream.depth is reached 1144 | # 1145 | # reassembly: 1146 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number 1147 | # # indicates it's in bytes. 1148 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number 1149 | # # indicates it's in bytes. 1150 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least 1151 | # # this size. Can be specified in kb, mb, 1152 | # # gb. Just a number indicates it's in bytes. 1153 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least 1154 | # # this size. Can be specified in kb, mb, 1155 | # # gb. Just a number indicates it's in bytes. 1156 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. 1157 | # # This lowers the risk of some evasion techniques but could lead to 1158 | # # detection changes between runs. It is set to 'yes' by default. 1159 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is 1160 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size 1161 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same 1162 | # # calculation for toclient-chunk-size. 1163 | # # Default value of randomize-chunk-range is 10. 1164 | # 1165 | # raw: yes # 'Raw' reassembly enabled or disabled. 1166 | # # raw is for content inspection by detection 1167 | # # engine. 
1168 | # 1169 | # segment-prealloc: 2048 # number of segments preallocated per thread 1170 | # 1171 | # check-overlap-different-data: true|false 1172 | # # check if a segment contains different data 1173 | # # than what we've already seen for that 1174 | # # position in the stream. 1175 | # # This is enabled automatically if inline mode 1176 | # # is used or when stream-event:reassembly_overlap_different_data; 1177 | # # is used in a rule. 1178 | # 1179 | stream: 1180 | memcap: 64mb 1181 | checksum-validation: yes # reject wrong csums 1182 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically 1183 | reassembly: 1184 | memcap: 256mb 1185 | depth: 1mb # reassemble 1mb into a stream 1186 | toserver-chunk-size: 2560 1187 | toclient-chunk-size: 2560 1188 | randomize-chunk-size: yes 1189 | #randomize-chunk-range: 10 1190 | #raw: yes 1191 | #segment-prealloc: 2048 1192 | #check-overlap-different-data: true 1193 | 1194 | # Host table: 1195 | # 1196 | # Host table is used by tagging and per host thresholding subsystems. 1197 | # 1198 | host: 1199 | hash-size: 4096 1200 | prealloc: 1000 1201 | memcap: 32mb 1202 | 1203 | # IP Pair table: 1204 | # 1205 | # Used by xbits 'ippair' tracking. 1206 | # 1207 | #ippair: 1208 | # hash-size: 4096 1209 | # prealloc: 1000 1210 | # memcap: 32mb 1211 | 1212 | # Decoder settings 1213 | 1214 | decoder: 1215 | # Teredo decoder is known to not be completely accurate 1216 | # it will sometimes detect non-teredo as teredo. 1217 | teredo: 1218 | enabled: true 1219 | 1220 | 1221 | ## 1222 | ## Performance tuning and profiling 1223 | ## 1224 | 1225 | # The detection engine builds internal groups of signatures. The engine 1226 | # allow us to specify the profile to use for them, to manage memory on an 1227 | # efficient way keeping a good performance. For the profile keyword you 1228 | # can use the words "low", "medium", "high" or "custom". 
If you use custom 1229 | # make sure to define the values at "- custom-values" at your convenience. 1230 | # Usually you would prefer medium/high/low. 1231 | # 1232 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for 1233 | # the signature groups. "single" indicates the use of a single context for 1234 | # all the signature group heads. "full" indicates a mpm-context for each 1235 | # group head. "auto" lets the engine decide the distribution of contexts 1236 | # based on the information the engine gathers on the patterns from each 1237 | # group head. 1238 | # 1239 | # The option inspection-recursion-limit is used to limit the recursive calls 1240 | # in the content inspection code. For certain payload-sig combinations, we 1241 | # might end up taking too much time in the content inspection code. 1242 | # If the argument specified is 0, the engine uses an internally defined 1243 | # default limit. On not specifying a value, we use no limits on the recursion. 1244 | detect: 1245 | profile: medium 1246 | custom-values: 1247 | toclient-groups: 3 1248 | toserver-groups: 25 1249 | sgh-mpm-context: auto 1250 | inspection-recursion-limit: 3000 1251 | # If set to yes, signatures will be loaded after the capture 1252 | # is started. This will limit the downtime in IPS mode. 1253 | #delayed-detect: yes 1254 | 1255 | prefilter: 1256 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern 1257 | # engines. "auto" also sets up prefilter engines for other keywords. 1258 | # Use --list-keywords=all to see which keywords support prefiltering. 1259 | default: mpm 1260 | 1261 | # the grouping values above control how many groups are created per 1262 | # direction. Port whitelisting forces that port to get its own group. 1263 | # Very common ports will benefit, as well as ports with many expensive 1264 | # rules. 
1265 | grouping: 1266 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 1267 | #udp-whitelist: 53, 135, 5060 1268 | 1269 | profiling: 1270 | # Log the rules that made it past the prefilter stage, per packet 1271 | # default is off. The threshold setting determines how many rules 1272 | # must have made it past pre-filter for that rule to trigger the 1273 | # logging. 1274 | #inspect-logging-threshold: 200 1275 | grouping: 1276 | dump-to-disk: false 1277 | include-rules: false # very verbose 1278 | include-mpm-stats: false 1279 | 1280 | # Select the multi pattern algorithm you want to run for scan/search the 1281 | # in the engine. 1282 | # 1283 | # The supported algorithms are: 1284 | # "ac" - Aho-Corasick, default implementation 1285 | # "ac-bs" - Aho-Corasick, reduced memory implementation 1286 | # "ac-cuda" - Aho-Corasick, CUDA implementation 1287 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant 1288 | # "hs" - Hyperscan, available when built with Hyperscan support 1289 | # 1290 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is 1291 | # available, "ac" otherwise. 1292 | # 1293 | # The mpm you choose also decides the distribution of mpm contexts for 1294 | # signature groups, specified by the conf - "detect.sgh-mpm-context". 1295 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" 1296 | # to be set to "single", because of ac's memory requirements, unless the 1297 | # ruleset is small enough to fit in one's memory, in which case one can 1298 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. 1299 | # 1300 | # There is also a CUDA pattern matcher (only available if Suricata was 1301 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your 1302 | # max-pending-packets setting above as well if you use b2g_cuda. 1303 | 1304 | mpm-algo: auto 1305 | 1306 | # Select the matching algorithm you want to use for single-pattern searches. 
1307 | # 1308 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only 1309 | # available if Suricata has been built with Hyperscan support). 1310 | # 1311 | # The default of "auto" will use "hs" if available, otherwise "bm". 1312 | 1313 | spm-algo: auto 1314 | 1315 | # Suricata is multi-threaded. Here the threading can be influenced. 1316 | threading: 1317 | set-cpu-affinity: no 1318 | # Tune cpu affinity of threads. Each family of threads can be bound 1319 | # to specific CPUs. 1320 | # 1321 | # These 2 apply to all runmodes: 1322 | # management-cpu-set is used for flow timeout handling, counters 1323 | # worker-cpu-set is used for 'worker' threads 1324 | # 1325 | # Additionally, for autofp these apply: 1326 | # receive-cpu-set is used for capture threads 1327 | # verdict-cpu-set is used for IPS verdict threads 1328 | # 1329 | cpu-affinity: 1330 | - management-cpu-set: 1331 | cpu: [ 0 ] # include only these cpus in affinity settings 1332 | - receive-cpu-set: 1333 | cpu: [ 0 ] # include only these cpus in affinity settings 1334 | - worker-cpu-set: 1335 | cpu: [ "all" ] 1336 | mode: "exclusive" 1337 | # Use explicitly 3 threads and don't compute the number by using the 1338 | # detect-thread-ratio variable: 1339 | # threads: 3 1340 | prio: 1341 | low: [ 0 ] 1342 | medium: [ "1-2" ] 1343 | high: [ 3 ] 1344 | default: "medium" 1345 | #- verdict-cpu-set: 1346 | # cpu: [ 0 ] 1347 | # prio: 1348 | # default: "high" 1349 | # 1350 | # By default Suricata creates one "detect" thread per available CPU/CPU core. 1351 | # This setting allows controlling this behaviour. A ratio setting of 2 will 1352 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this 1353 | # will result in 4 detect threads. If values below 1 are used, fewer threads 1354 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect 1355 | # thread being created. Regardless of the setting, at a minimum 1 detect 1356 | # thread will always be created. 
1357 | # 1358 | detect-thread-ratio: 1.0 1359 | 1360 | # Luajit has a strange memory requirement: its 'states' need to be in the 1361 | # first 2G of the process' memory. 1362 | # 1363 | # 'luajit.states' is used to control how many states are preallocated. 1364 | # State use: per detect script: 1 per detect thread. Per output script: 1 per 1365 | # script. 1366 | luajit: 1367 | states: 128 1368 | 1369 | # Profiling settings. Only effective if Suricata has been built with 1370 | # the --enable-profiling configure flag. 1371 | # 1372 | profiling: 1373 | # Run profiling for every xth packet. The default is 1, which means we 1374 | # profile every packet. If set to 1000, one packet is profiled for every 1375 | # 1000 received. 1376 | #sample-rate: 1000 1377 | 1378 | # rule profiling 1379 | rules: 1380 | 1381 | # Profiling can be disabled here, but it will still have a 1382 | # performance impact if compiled in. 1383 | enabled: yes 1384 | filename: rule_perf.log 1385 | append: yes 1386 | 1387 | # Sort options: ticks, avgticks, checks, matches, maxticks 1388 | # If commented out all the sort options will be used. 1389 | #sort: avgticks 1390 | 1391 | # Limit the number of sids for which stats are shown at exit (per sort). 1392 | limit: 10 1393 | 1394 | # output to json 1395 | json: yes 1396 | 1397 | # per keyword profiling 1398 | keywords: 1399 | enabled: yes 1400 | filename: keyword_perf.log 1401 | append: yes 1402 | 1403 | # per rulegroup profiling 1404 | rulegroups: 1405 | enabled: yes 1406 | filename: rule_group_perf.log 1407 | append: yes 1408 | 1409 | # packet profiling 1410 | packets: 1411 | 1412 | # Profiling can be disabled here, but it will still have a 1413 | # performance impact if compiled in. 1414 | enabled: yes 1415 | filename: packet_stats.log 1416 | append: yes 1417 | 1418 | # per packet csv output 1419 | csv: 1420 | 1421 | # Output can be disabled here, but it will still have a 1422 | # performance impact if compiled in. 
1423 | enabled: no 1424 | filename: packet_stats.csv 1425 | 1426 | # profiling of locking. Only available when Suricata was built with 1427 | # --enable-profiling-locks. 1428 | locks: 1429 | enabled: no 1430 | filename: lock_stats.log 1431 | append: yes 1432 | 1433 | pcap-log: 1434 | enabled: no 1435 | filename: pcaplog_stats.log 1436 | append: yes 1437 | 1438 | ## 1439 | ## Netfilter integration 1440 | ## 1441 | 1442 | # When running in NFQ inline mode, it is possible to use a simulated 1443 | # non-terminal NFQUEUE verdict. 1444 | # This permits sending all needed packets to Suricata via a rule such as: 1445 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE 1446 | # And below, you can have your standard filtering ruleset. To activate 1447 | # this mode, you need to set mode to 'repeat' 1448 | # If you want packets to be sent to another queue after an ACCEPT decision 1449 | # set mode to 'route' and set next-queue value. 1450 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance 1451 | # by processing several packets before sending a verdict (worker runmode only). 1452 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel 1453 | # accept the packet (i.e. let it through uninspected) if suricata is not able to keep pace. 1454 | # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is 1455 | # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask 1456 | # on packets of a flow that need to be bypassed. The Netfilter ruleset has to 1457 | # directly accept all packets of a flow once a packet has been marked. 
1458 | nfq: 1459 | # mode: accept 1460 | # repeat-mark: 1 1461 | # repeat-mask: 1 1462 | # bypass-mark: 1 1463 | # bypass-mask: 1 1464 | # route-queue: 2 1465 | # batchcount: 20 1466 | # fail-open: yes 1467 | 1468 | #nflog support 1469 | nflog: 1470 | # netlink multicast group 1471 | # (the same as the iptables --nflog-group param) 1472 | # Group 0 is used by the kernel, so you can't use it 1473 | - group: 2 1474 | # netlink buffer size 1475 | buffer-size: 18432 1476 | # put default value here 1477 | - group: default 1478 | # set number of packets to queue inside kernel 1479 | qthreshold: 1 1480 | # set the delay before flushing packets in the queue inside kernel 1481 | qtimeout: 100 1482 | # netlink max buffer size 1483 | max-size: 20000 1484 | 1485 | ## 1486 | ## Advanced Capture Options 1487 | ## 1488 | 1489 | # general settings affecting packet capture 1490 | capture: 1491 | # disable NIC offloading. It's restored when Suricata exits. 1492 | # Enabled by default 1493 | #disable-offloading: false 1494 | # 1495 | # disable checksum validation. Same as setting '-k none' on the 1496 | # commandline 1497 | #checksum-validation: none 1498 | 1499 | # Netmap support 1500 | # 1501 | # Netmap operates with NIC directly in driver, so you need FreeBSD which has 1502 | # built-in netmap support or compile and install netmap module and appropriate 1503 | # NIC driver on your Linux system. 1504 | # To reach maximum throughput disable all receive-, segmentation-, 1505 | # checksum- offloadings on NIC. 1506 | # Disabling Tx checksum offloading is *required* for connecting OS endpoint 1507 | # with NIC endpoint. 1508 | # You can find more information at https://github.com/luigirizzo/netmap 1509 | # 1510 | netmap: 1511 | # To specify OS endpoint add plus sign at the end (e.g. "eth0+") 1512 | - interface: eth2 1513 | # Number of receive threads. "auto" uses number of RSS queues on interface. 
1514 | #threads: auto 1515 | # You can use the following variables to activate netmap tap or IPS mode. 1516 | # If copy-mode is set to ips or tap, the traffic coming to the current 1517 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 1518 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action 1519 | # will not be copied. 1520 | # To specify the OS as the copy-iface (so the OS can route packets, or forward 1521 | # to a service running on the same machine) add a plus sign at the end 1522 | # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 1523 | # for return packets. Hardware checksumming must be *off* on the interface if 1524 | # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD 1525 | # or 'ethtool -K eth0 tx off rx off' for Linux). 1526 | #copy-mode: tap 1527 | #copy-iface: eth3 1528 | # Set to yes to disable promiscuous mode 1529 | # disable-promisc: no 1530 | # Choose checksum verification mode for the interface. At the moment 1531 | # of the capture, some packets may be with an invalid checksum due to 1532 | # offloading to the network card of the checksum computation. 1533 | # Possible values are: 1534 | # - yes: checksum validation is forced 1535 | # - no: checksum validation is disabled 1536 | # - auto: suricata uses a statistical approach to detect when 1537 | # checksum off-loading is used. 1538 | # Warning: 'checksum-validation' must be set to yes to have any validation 1539 | #checksum-checks: auto 1540 | # BPF filter to apply to this interface. The pcap filter syntax apply here. 1541 | #bpf-filter: port 80 or udp 1542 | #- interface: eth3 1543 | #threads: auto 1544 | #copy-mode: tap 1545 | #copy-iface: eth2 1546 | # Put default values here 1547 | - interface: default 1548 | 1549 | # PF_RING configuration. 
for use with native PF_RING support 1550 | # for more info see http://www.ntop.org/products/pf_ring/ 1551 | pfring: 1552 | - interface: eth0 1553 | # Number of receive threads (>1 will enable experimental flow pinned 1554 | # runmode) 1555 | threads: 1 1556 | 1557 | # Default clusterid. PF_RING will load balance packets based on flow. 1558 | # All threads/processes that will participate need to have the same 1559 | # clusterid. 1560 | cluster-id: 99 1561 | 1562 | # Default PF_RING cluster type. PF_RING can load balance per flow. 1563 | # Possible values are cluster_flow or cluster_round_robin. 1564 | cluster-type: cluster_flow 1565 | # bpf filter for this interface 1566 | #bpf-filter: tcp 1567 | # Choose checksum verification mode for the interface. At the moment 1568 | # of the capture, some packets may be with an invalid checksum due to 1569 | # offloading to the network card of the checksum computation. 1570 | # Possible values are: 1571 | # - rxonly: only compute checksum for packets received by network card. 1572 | # - yes: checksum validation is forced 1573 | # - no: checksum validation is disabled 1574 | # - auto: suricata uses a statistical approach to detect when 1575 | # checksum off-loading is used. (default) 1576 | # Warning: 'checksum-validation' must be set to yes to have any validation 1577 | #checksum-checks: auto 1578 | # Second interface 1579 | #- interface: eth1 1580 | # threads: 3 1581 | # cluster-id: 93 1582 | # cluster-type: cluster_flow 1583 | # Put default values here 1584 | - interface: default 1585 | #threads: 2 1586 | 1587 | # For FreeBSD ipfw(8) divert(4) support. 1588 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" 1589 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. 1590 | # Additionally, you need to have an ipfw rule for the engine to see 1591 | # the packets from ipfw. 
For Example: 1592 | # 1593 | # ipfw add 100 divert 8000 ip from any to any 1594 | # 1595 | # The 8000 above should be the same number you passed on the command 1596 | # line, i.e. -d 8000 1597 | # 1598 | ipfw: 1599 | 1600 | # Reinject packets at the specified ipfw rule number. This config 1601 | # option is the ipfw rule number AT WHICH rule processing continues 1602 | # in the ipfw processing system after the engine has finished 1603 | # inspecting the packet for acceptance. If no rule number is specified, 1604 | # accepted packets are reinjected at the divert rule which they entered 1605 | # and IPFW rule processing continues. No check is done to verify 1606 | # that this rule makes sense, so care must be taken to avoid loops in ipfw. 1607 | # 1608 | ## The following example tells the engine to reinject packets 1609 | # back into the ipfw firewall AT rule number 5500: 1610 | # 1611 | # ipfw-reinjection-rule-number: 5500 1612 | 1613 | 1614 | napatech: 1615 | # The Host Buffer Allowance for all streams 1616 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) 1617 | hba: -1 1618 | 1619 | # use_all_streams set to "yes" will query the Napatech service for all configured 1620 | # streams and listen on all of them. When set to "no" the streams config array 1621 | # will be used. 1622 | use-all-streams: yes 1623 | 1624 | # The streams to listen on 1625 | streams: [1, 2, 3] 1626 | 1627 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. 1628 | mpipe: 1629 | 1630 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". 1631 | load-balance: dynamic 1632 | 1633 | # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 1634 | iqueue-packets: 2048 1635 | 1636 | # List of interfaces we will listen on. 1637 | inputs: 1638 | - interface: xgbe2 1639 | - interface: xgbe3 1640 | - interface: xgbe4 1641 | 1642 | 1643 | # Relative weight of memory for packets of each mPipe buffer size. 
1644 | stack: 1645 | size128: 0 1646 | size256: 9 1647 | size512: 0 1648 | size1024: 0 1649 | size1664: 7 1650 | size4096: 0 1651 | size10386: 0 1652 | size16384: 0 1653 | 1654 | ## 1655 | ## Hardware acceleration 1656 | ## 1657 | 1658 | # Cuda configuration. 1659 | cuda: 1660 | # The "mpm" profile. On not specifying any of these parameters, the engine's 1661 | # internal default values are used, which are the same as the ones specified 1662 | # in the default conf file. 1663 | mpm: 1664 | # The minimum length required to buffer data to the gpu. 1665 | # Anything below this is MPM'ed on the CPU. 1666 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. 1667 | # A value of 0 indicates there's no limit. 1668 | data-buffer-size-min-limit: 0 1669 | # The maximum length for data that we would buffer to the gpu. 1670 | # Anything over this is MPM'ed on the CPU. 1671 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. 1672 | data-buffer-size-max-limit: 1500 1673 | # The ring buffer size used by the CudaBuffer API to buffer data. 1674 | cudabuffer-buffer-size: 500mb 1675 | # The max chunk size that can be sent to the gpu in a single go. 1676 | gpu-transfer-size: 50mb 1677 | # The timeout limit for batching of packets in microseconds. 1678 | batching-timeout: 2000 1679 | # The device to use for the mpm. Currently we don't support load balancing 1680 | # on multiple gpus. In case you have multiple devices on your system, you 1681 | # can specify the device to use, using this conf. By default we hold 0, to 1682 | # specify the first device cuda sees. To find out the device-id associated with 1683 | # the card(s) on the system run "suricata --list-cuda-cards". 1684 | device-id: 0 1685 | # Number of Cuda streams used for asynchronous processing. All values > 0 are valid. 1686 | # For this option you need a device with Compute Capability > 1.0. 
1687 | cuda-streams: 2 1688 | 1689 | ## 1690 | ## Include other configs 1691 | ## 1692 | 1693 | # Includes. Files included here will be handled as if they were 1694 | # inlined in this configuration file. 1695 | #include: include1.yaml 1696 | #include: include2.yaml 1697 | -------------------------------------------------------------------------------- /docker/suricata/suricata.yaml: -------------------------------------------------------------------------------- 1 | %YAML 1.1 2 | --- 3 | 4 | # Suricata configuration file. In addition to the comments describing all 5 | # options in this file, full documentation can be found at: 6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml 7 | 8 | ## 9 | ## Step 1: inform Suricata about your network 10 | ## 11 | 12 | vars: 13 | # a more specific HOME_NET is better for alert accuracy and performance 14 | address-groups: 15 | #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" 16 | HOME_NET: "[192.168.1.0/24]" 17 | #HOME_NET: "[10.0.0.0/8]" 18 | #HOME_NET: "[172.16.0.0/12]" 19 | #HOME_NET: "any" 20 | 21 | EXTERNAL_NET: "!$HOME_NET" 22 | #EXTERNAL_NET: "any" 23 | 24 | HTTP_SERVERS: "$HOME_NET" 25 | SMTP_SERVERS: "$HOME_NET" 26 | SQL_SERVERS: "$HOME_NET" 27 | DNS_SERVERS: "$HOME_NET" 28 | TELNET_SERVERS: "$HOME_NET" 29 | AIM_SERVERS: "$EXTERNAL_NET" 30 | DNP3_SERVER: "$HOME_NET" 31 | DNP3_CLIENT: "$HOME_NET" 32 | MODBUS_CLIENT: "$HOME_NET" 33 | MODBUS_SERVER: "$HOME_NET" 34 | ENIP_CLIENT: "$HOME_NET" 35 | ENIP_SERVER: "$HOME_NET" 36 | 37 | port-groups: 38 | HTTP_PORTS: "80" 39 | SHELLCODE_PORTS: "!80" 40 | ORACLE_PORTS: 1521 41 | SSH_PORTS: 22 42 | DNP3_PORTS: 20000 43 | MODBUS_PORTS: 502 44 | FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" 45 | FTP_PORTS: 21 46 | 47 | 48 | ## 49 | ## Step 2: select the rules to enable or disable 50 | ## 51 | 52 | default-rule-path: /etc/suricata/rules 53 | rule-files: 54 | - botcc.rules 55 | # - botcc.portgrouped.rules 56 | - ciarmy.rules 57 | - compromised.rules 58 | - 
drop.rules 59 | - dshield.rules 60 | # - emerging-activex.rules 61 | - emerging-attack_response.rules 62 | - emerging-chat.rules 63 | - emerging-current_events.rules 64 | - emerging-dns.rules 65 | - emerging-dos.rules 66 | - emerging-exploit.rules 67 | - emerging-ftp.rules 68 | # - emerging-games.rules 69 | # - emerging-icmp_info.rules 70 | # - emerging-icmp.rules 71 | - emerging-imap.rules 72 | # - emerging-inappropriate.rules 73 | # - emerging-info.rules 74 | - emerging-malware.rules 75 | - emerging-misc.rules 76 | - emerging-mobile_malware.rules 77 | - emerging-netbios.rules 78 | - emerging-p2p.rules 79 | - emerging-policy.rules 80 | - emerging-pop3.rules 81 | - emerging-rpc.rules 82 | # - emerging-scada.rules 83 | # - emerging-scada_special.rules 84 | - emerging-scan.rules 85 | # - emerging-shellcode.rules 86 | - emerging-smtp.rules 87 | - emerging-snmp.rules 88 | - emerging-sql.rules 89 | - emerging-telnet.rules 90 | - emerging-tftp.rules 91 | - emerging-trojan.rules 92 | - emerging-user_agents.rules 93 | - emerging-voip.rules 94 | - emerging-web_client.rules 95 | - emerging-web_server.rules 96 | # - emerging-web_specific_apps.rules 97 | - emerging-worm.rules 98 | - tor.rules 99 | # - decoder-events.rules # available in suricata sources under rules dir 100 | # - stream-events.rules # available in suricata sources under rules dir 101 | - http-events.rules # available in suricata sources under rules dir 102 | - smtp-events.rules # available in suricata sources under rules dir 103 | - dns-events.rules # available in suricata sources under rules dir 104 | - tls-events.rules # available in suricata sources under rules dir 105 | # - modbus-events.rules # available in suricata sources under rules dir 106 | # - app-layer-events.rules # available in suricata sources under rules dir 107 | # - dnp3-events.rules # available in suricata sources under rules dir 108 | # - ntp-events.rules # available in suricata sources under rules dir 109 | 110 | classification-file: 
/etc/suricata/classification.config 111 | reference-config-file: /etc/suricata/reference.config 112 | # threshold-file: /etc/suricata/threshold.config 113 | 114 | 115 | ## 116 | ## Step 3: select outputs to enable 117 | ## 118 | 119 | # The default logging directory. Any log or output file will be 120 | # placed here if its not specified with a full path name. This can be 121 | # overridden with the -l command line parameter. 122 | default-log-dir: /var/log/suricata/ 123 | 124 | # global stats configuration 125 | stats: 126 | enabled: yes 127 | # The interval field (in seconds) controls at what interval 128 | # the loggers are invoked. 129 | interval: 8 130 | 131 | # Configure the type of alert (and other) logging you would like. 132 | outputs: 133 | # a line based alerts log similar to Snort's fast.log 134 | - fast: 135 | enabled: yes 136 | filename: fast.log 137 | append: yes 138 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 139 | 140 | # Extensible Event Format (nicknamed EVE) event log in JSON format 141 | - eve-log: 142 | enabled: yes 143 | filetype: regular #regular|syslog|unix_dgram|unix_stream|redis 144 | filename: eve.json 145 | append: no 146 | #prefix: "@cee: " # prefix to prepend to each log entry 147 | # the following are valid when type: syslog above 148 | #identity: "suricata" 149 | #facility: local5 150 | #level: Info ## possible levels: Emergency, Alert, Critical, 151 | ## Error, Warning, Notice, Info, Debug 152 | #redis: 153 | # server: 127.0.0.1 154 | # port: 6379 155 | # async: true ## if redis replies are read asynchronously 156 | # mode: list ## possible values: list|lpush (default), rpush, channel|publish 157 | # ## lpush and rpush are using a Redis list. "list" is an alias for lpush 158 | # ## publish is using a Redis channel. "channel" is an alias for publish 159 | # key: suricata ## key or channel to use (default to suricata) 160 | # Redis pipelining set up. 
This will make Suricata issue only one query every 161 | # 'batch-size' events. This should lower the latency induced by the network 162 | # connection at the cost of some memory. There is no flushing implemented, 163 | # so this setting has to be reserved for high-traffic Suricata deployments. 164 | # pipelining: 165 | # enabled: yes ## set enable to yes to enable query pipelining 166 | # batch-size: 10 ## number of entries to keep in buffer 167 | types: 168 | - alert: 169 | # payload: yes # enable dumping payload in Base64 170 | # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log 171 | # payload-printable: yes # enable dumping payload in printable (lossy) format 172 | # packet: yes # enable dumping of packet (without stream segments) 173 | # http-body: yes # enable dumping of http body in Base64 174 | # http-body-printable: yes # enable dumping of http body in printable format 175 | metadata: yes # add L7/applayer fields, flowbit and other vars to the alert 176 | 177 | # Enable the logging of tagged packets for rules using the 178 | # "tag" keyword. 179 | tagged-packets: yes 180 | 181 | # HTTP X-Forwarded-For support by adding an extra field or overwriting 182 | # the source or destination IP address (depending on flow direction) 183 | # with the one reported in the X-Forwarded-For HTTP header. This is 184 | # helpful when reviewing alerts for traffic that is being reverse 185 | # or forward proxied. 186 | xff: 187 | enabled: no 188 | # Two operation modes are available, "extra-data" and "overwrite". 189 | mode: extra-data 190 | # Two proxy deployments are supported, "reverse" and "forward". In 191 | # a "reverse" deployment the IP address used is the last one, in a 192 | # "forward" deployment the first IP address is used. 193 | deployment: reverse 194 | # Header name where the actual IP address will be reported, if more 195 | # than one IP address is present, the last IP address will be the 196 | # one taken into consideration. 
197 | header: X-Forwarded-For 198 | - http: 199 | extended: yes # enable this for extended logging information 200 | # custom allows additional http fields to be included in eve-log 201 | # the example below adds three additional fields when uncommented 202 | #custom: [Accept-Encoding, Accept-Language, Authorization] 203 | - dns: 204 | # control logging of queries and answers 205 | # default yes, no to disable 206 | query: yes # enable logging of DNS queries 207 | answer: yes # enable logging of DNS answers 208 | # control which RR types are logged 209 | # all enabled if custom not specified 210 | #custom: [a, aaaa, cname, mx, ns, ptr, txt] 211 | - tls: 212 | extended: yes # enable this for extended logging information 213 | # output TLS transaction where the session is resumed using a 214 | # session id 215 | #session-resumption: no 216 | # custom allows to control which tls fields that are included 217 | # in eve-log 218 | #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] 219 | - files: 220 | force-magic: no # force logging magic on all logged files 221 | # force logging of checksums, available hash functions are md5, 222 | # sha1 and sha256 223 | force-hash: [md5, sha256] 224 | #- drop: 225 | # alerts: yes # log alerts that caused drops 226 | # flows: all # start or all: 'start' logs only a single drop 227 | # # per flow direction. All logs each dropped pkt. 
228 | #- smtp: 229 | #extended: yes # enable this for extended logging information 230 | # this includes: bcc, message-id, subject, x_mailer, user-agent 231 | # custom fields logging from the list: 232 | # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, 233 | # x-originating-ip, in-reply-to, references, importance, priority, 234 | # sensitivity, organization, content-md5, date 235 | #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] 236 | # output md5 of fields: body, subject 237 | # for the body you need to set app-layer.protocols.smtp.mime.body-md5 238 | # to yes 239 | #md5: [body, subject] 240 | 241 | #- dnp3 242 | #- nfs 243 | - ssh 244 | #- stats: 245 | # totals: yes # stats for all threads merged together 246 | # threads: no # per thread stats 247 | # deltas: no # include delta values 248 | # bi-directional flows 249 | - flow 250 | # uni-directional flows 251 | #- netflow 252 | # Vars log flowbits and other packet and flow vars 253 | #- vars 254 | 255 | # alert output for use with Barnyard2 256 | - unified2-alert: 257 | enabled: no 258 | filename: unified2.alert 259 | 260 | # File size limit. Can be specified in kb, mb, gb. Just a number 261 | # is parsed as bytes. 262 | #limit: 32mb 263 | 264 | # By default unified2 log files have the file creation time (in 265 | # unix epoch format) appended to the filename. Set this to yes to 266 | # disable this behaviour. 267 | #nostamp: no 268 | 269 | # Sensor ID field of unified2 alerts. 270 | #sensor-id: 0 271 | 272 | # Include payload of packets related to alerts. Defaults to true, set to 273 | # false if payload is not required. 274 | #payload: yes 275 | 276 | # HTTP X-Forwarded-For support by adding the unified2 extra header or 277 | # overwriting the source or destination IP address (depending on flow 278 | # direction) with the one reported in the X-Forwarded-For HTTP header. 
279 | # This is helpful when reviewing alerts for traffic that is being reverse 280 | # or forward proxied. 281 | xff: 282 | enabled: no 283 | # Two operation modes are available, "extra-data" and "overwrite". Note 284 | # that in the "overwrite" mode, if the reported IP address in the HTTP 285 | # X-Forwarded-For header is of a different version of the packet 286 | # received, it will fall-back to "extra-data" mode. 287 | mode: extra-data 288 | # Two proxy deployments are supported, "reverse" and "forward". In 289 | # a "reverse" deployment the IP address used is the last one, in a 290 | # "forward" deployment the first IP address is used. 291 | deployment: reverse 292 | # Header name where the actual IP address will be reported, if more 293 | # than one IP address is present, the last IP address will be the 294 | # one taken into consideration. 295 | header: X-Forwarded-For 296 | 297 | # a line based log of HTTP requests (no alerts) 298 | - http-log: 299 | enabled: no 300 | filename: http.log 301 | append: yes 302 | #extended: yes # enable this for extended logging information 303 | #custom: yes # enabled the custom logging format (defined by customformat) 304 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" 305 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 306 | 307 | # a line based log of TLS handshake parameters (no alerts) 308 | - tls-log: 309 | enabled: no # Log TLS connections. 310 | filename: tls.log # File to store TLS logs. 
311 | append: yes 312 | #extended: yes # Log extended information like fingerprint 313 | #custom: yes # enabled the custom logging format (defined by customformat) 314 | #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" 315 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 316 | # output TLS transaction where the session is resumed using a 317 | # session id 318 | #session-resumption: no 319 | 320 | # output module to store certificates chain to disk 321 | - tls-store: 322 | enabled: no 323 | #certs-log-dir: certs # directory to store the certificates files 324 | 325 | # a line based log of DNS requests and/or replies (no alerts) 326 | - dns-log: 327 | enabled: no 328 | filename: dns.log 329 | append: yes 330 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 331 | 332 | # Packet log... log packets in pcap format. 3 modes of operation: "normal" 333 | # "multi" and "sguil". 334 | # 335 | # In normal mode a pcap file "filename" is created in the default-log-dir, 336 | # or are as specified by "dir". 337 | # In multi mode, a file is created per thread. This will perform much 338 | # better, but will create multiple files where 'normal' would create one. 339 | # In multi mode the filename takes a few special variables: 340 | # - %n -- thread number 341 | # - %i -- thread id 342 | # - %t -- timestamp (secs or secs.usecs based on 'ts-format' 343 | # E.g. filename: pcap.%n.%t 344 | # 345 | # Note that it's possible to use directories, but the directories are not 346 | # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the 347 | # per thread directory. 348 | # 349 | # Also note that the limit and max-files settings are enforced per thread. 350 | # So the size limit when using 8 threads with 1000mb files and 2000 files 351 | # is: 8*1000*2000 ~ 16TiB. 352 | # 353 | # In Sguil mode "dir" indicates the base directory. 
In this base dir the 354 | # pcaps are created in th directory structure Sguil expects: 355 | # 356 | # $sguil-base-dir/YYYY-MM-DD/$filename. 357 | # 358 | # By default all packets are logged except: 359 | # - TCP streams beyond stream.reassembly.depth 360 | # - encrypted streams after the key exchange 361 | # 362 | - pcap-log: 363 | enabled: no 364 | filename: log.pcap 365 | 366 | # File size limit. Can be specified in kb, mb, gb. Just a number 367 | # is parsed as bytes. 368 | limit: 1000mb 369 | 370 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" 371 | max-files: 2000 372 | 373 | mode: normal # normal, multi or sguil. 374 | 375 | # Directory to place pcap files. If not provided the default log 376 | # directory will be used. Required for "sguil" mode. 377 | #dir: /nsm_data/ 378 | 379 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec 380 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets 381 | honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. 382 | 383 | # a full alerts log containing much information for signature writers 384 | # or for investigating suspected false positives. 385 | - alert-debug: 386 | enabled: no 387 | filename: alert-debug.log 388 | append: yes 389 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 390 | 391 | # alert output to prelude (http://www.prelude-technologies.com/) only 392 | # available if Suricata has been compiled with --enable-prelude 393 | - alert-prelude: 394 | enabled: no 395 | profile: suricata 396 | log-packet-content: no 397 | log-packet-header: yes 398 | 399 | # Stats.log contains data from various counters of the suricata engine. 
400 | - stats: 401 | enabled: yes 402 | filename: stats.log 403 | append: yes # append to file (yes) or overwrite it (no) 404 | totals: yes # stats for all threads merged together 405 | threads: no # per thread stats 406 | #null-values: yes # print counters that have value 0 407 | 408 | # a line based alerts log similar to fast.log into syslog 409 | - syslog: 410 | enabled: no 411 | # reported identity to syslog. If ommited the program name (usually 412 | # suricata) will be used. 413 | #identity: "suricata" 414 | facility: local5 415 | #level: Info ## possible levels: Emergency, Alert, Critical, 416 | ## Error, Warning, Notice, Info, Debug 417 | 418 | # a line based information for dropped packets in IPS mode 419 | - drop: 420 | enabled: no 421 | filename: drop.log 422 | append: yes 423 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 424 | 425 | # output module to store extracted files to disk 426 | # 427 | # The files are stored to the log-dir in a format "file." where is 428 | # an incrementing number starting at 1. For each file "file." a meta 429 | # file "file..meta" is created. 430 | # 431 | # File extraction depends on a lot of things to be fully done: 432 | # - file-store stream-depth. For optimal results, set this to 0 (unlimited) 433 | # - http request / response body sizes. Again set to 0 for optimal results. 434 | # - rules that contain the "filestore" keyword. 435 | - file-store: 436 | enabled: no # set to yes to enable 437 | log-dir: files # directory to store the files 438 | force-magic: no # force logging magic on all stored files 439 | # force logging of checksums, available hash functions are md5, 440 | # sha1 and sha256 441 | #force-hash: [md5] 442 | force-filestore: no # force storing of all files 443 | # override global stream-depth for sessions in which we want to 444 | # perform file extraction. Set to 0 for unlimited. 
445 | #stream-depth: 0 446 | #waldo: file.waldo # waldo file to store the file_id across runs 447 | # uncomment to disable meta file writing 448 | #write-meta: no 449 | # uncomment the following variable to define how many files can 450 | # remain open for filestore by Suricata. Default value is 0 which 451 | # means files get closed after each write 452 | #max-open-files: 1000 453 | 454 | # output module to log files tracked in a easily parsable json format 455 | - file-log: 456 | enabled: no 457 | filename: files-json.log 458 | append: yes 459 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' 460 | 461 | force-magic: no # force logging magic on all logged files 462 | # force logging of checksums, available hash functions are md5, 463 | # sha1 and sha256 464 | #force-hash: [md5] 465 | 466 | # Log TCP data after stream normalization 467 | # 2 types: file or dir. File logs into a single logfile. Dir creates 468 | # 2 files per TCP session and stores the raw TCP data into them. 469 | # Using 'both' will enable both file and dir modes. 470 | # 471 | # Note: limited by stream.depth 472 | - tcp-data: 473 | enabled: no 474 | type: file 475 | filename: tcp-data.log 476 | 477 | # Log HTTP body data after normalization, dechunking and unzipping. 478 | # 2 types: file or dir. File logs into a single logfile. Dir creates 479 | # 2 files per HTTP session and stores the normalized data into them. 480 | # Using 'both' will enable both file and dir modes. 481 | # 482 | # Note: limited by the body limit settings 483 | - http-body-data: 484 | enabled: no 485 | type: file 486 | filename: http-data.log 487 | 488 | # Lua Output Support - execute lua script to generate alert and event 489 | # output. 490 | # Documented at: 491 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output 492 | - lua: 493 | enabled: no 494 | #scripts-dir: /etc/suricata/lua-output/ 495 | scripts: 496 | # - script1.lua 497 | 498 | # Logging configuration. 
# This is not about logging IDS alerts/events, but
# output about what Suricata is doing, like startup messages, errors, etc.
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: notice

  # The default output format. Optional parameter, should default to
  # something reasonable if not provided. Can be overridden in an
  # output section. You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: yes
      # type: json
  - file:
      enabled: yes
      # NOTE(review): 'level' applies to this file output only; the console
      # output above still follows default-log-level (notice). This file is
      # the engine's own diagnostic log, not alert/event output.
      level: info
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      # type: json


##
## Step 4: configure common capture settings
##
## See "Advanced Capture Options" below for more options, including NETMAP
## and PF_RING.
##

# Linux high speed capture support
af-packet:
  # NOTE(review): enp8s0 is a host-specific interface name; an interface that
  # is not listed here is handled by the '- interface: default' entry that
  # closes this list.
  - interface: enp8s0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type.
# NOTE(review): continuation of the af-packet '- interface: enp8s0' entry above.
    # AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible values are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #    socket. Requires at least Linux 3.14.
    #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
    #    Requires at least Linux 3.14.
    #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
    #    to the next. Requires at least Linux 3.10.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on systems
    # with a capture card using RSS (requires cpu affinity tuning and system irq tuning)
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
    # full then the kernel will send the packet on the next socket with room available. This option
    # can minimize packet drop and increase the treated bandwidth on a single intensive flow.
    # NOTE(review): rollover sends packets to whichever socket has room, so it
    # presumably no longer guarantees the "all packets of a flow on one socket"
    # property that cluster_flow is chosen for above; keep it disabled unless
    # packet loss is measured and the trade-off is understood.
    #rollover: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    #use-mmap: yes
    # Lock the memory map to avoid it being swapped out. Be careful that oversubscribing could lock
    # your system
    #mmap-locked: yes
    # Use tpacket_v3 capture mode, only active if use-mmap is true
    # Don't use it in IPS or TAP mode as it causes severe latency
    #tpacket-v3: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads.
# NOTE(review): continuation of the af-packet '- interface: enp8s0' entry above.
    # You can set the ring size manually, in number of packets, by setting
    # the following value. If you are using the flow cluster-type and have a really network
    # intensive single flow you may want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # Block size is used by tpacket_v3 only. It should be set to a value high enough to contain
    # a decent number of packets. Size is in bytes so please consider your MTU. It should be
    # a power of 2 and it must be a multiple of the page size (usually 4096).
    #block-size: 32768
    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
    # filled after block-timeout milliseconds.
    #block-timeout: 10
    # On a busy system, setting this to yes could help to recover from a packet drop
    # phase. This will result in some packets (at most a ring flush) not being processed.
    #use-emergency-flush: yes
    # recv buffer size, increasing the value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #    checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    # NOTE(review): a capture filter discards packets before the stream engine
    # and the rules ever see them, so whatever is excluded here is invisible to
    # detection and to the pcap/eve outputs; keep any filter minimal and
    # document why the excluded traffic is out of scope.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
# NOTE(review): continuation of the af-packet '- interface: enp8s0' entry above.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packets matching a 'drop' action
    # will not be copied.
    # NOTE(review): enabling copy-mode turns this sensor into an inline
    # forwarder between the two interfaces; the tpacket-v3 comment above warns
    # against that mode in IPS/TAP deployments. Leave both settings commented
    # on a passive (sniffer-only) sensor.
    #copy-mode: ips
    #copy-iface: eth1

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    #use-mmap: no
    #rollover: yes
    #tpacket-v3: yes

# Cross platform libpcap capture support
pcap:
  - interface: enp8s0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as the total memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #    checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
# NOTE(review): continuation of the pcap '- interface: enp8s0' entry above.
    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto

# Settings for reading pcap files
pcap-file:
  # Possible values are:
  #  - yes: checksum validation is forced
  #  - no: checksum validation is disabled
  #  - auto: suricata uses a statistical approach to detect when
  #    checksum off-loading is used. (default)
  # Warning: 'checksum-validation' must be set to yes to have checksums tested
  checksum-checks: auto

# See "Advanced Capture Options" below for more options, including NETMAP
# and PF_RING.


##
## Step 5: App Layer Protocol Configuration
##

# Configure the app-layer parsers. The protocols section details each
# protocol.
#
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Completely stop processing TLS/SSL session after the handshake
      # completed. If bypass is enabled this will also trigger flow
      # bypass. If disabled (the default), TLS/SSL session is still
      # tracked for Heartbleed and other anomalies.
      # NOTE(review): leaving this disabled (as here) keeps post-handshake
      # anomaly tracking; enabling it trades that visibility for throughput.
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supersedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
# NOTE(review): continuation of app-layer.protocols.smtp.mime (see above).
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        # NOTE(review): the commented eve-log smtp 'md5: [body, subject]'
        # option in the outputs section requires this to be 'yes' before a
        # body hash can be logged.
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    # Note: NFS parser depends on Rust support: pass --enable-rust
    # to configure.
    nfs:
      enabled: no
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      # NOTE(review): memcaps and request-flood are left at engine defaults
      # here; they bound the state kept for unanswered queries, which is what
      # the dns.flooded event reports on.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
# NOTE(review): continuation of the app-layer.protocols.http option reference (see above).
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
        default-config:
          # NOTE(review): IDS is the generic personality; it is used for every
          # server because server-config below is empty.
          personality: IDS

          # Can be specified in kb, mb, gb.  Just a number indicates
          # it's in bytes.
# NOTE(review): continuation of app-layer.protocols.http.libhtp.default-config (see above).
          # NOTE(review): bodies are reassembled only up to these limits, so
          # http_client_body/file_data rules and file extraction see at most
          # the first 100kb of a body. The file-store comment in the outputs
          # section recommends 0 (unlimited) when complete extraction matters.
          request-body-limit: 100kb
          response-body-limit: 100kb

          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb

          # response body decompression (0 disables)
          # NOTE(review): this caps the work spent on nested compressed
          # responses; raise it only for a documented reason.
          response-body-decompress-layer-limit: 2

          # auto will use http-body-inline mode in IPS mode, yes or no set it statically
          http-body-inline: auto

          # Take a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead to
          # detection changes between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If randomize-inspection-sizes is active, the value of the various
          # inspection sizes will be chosen in the [1 - range%, 1 + range%]
          # range
          # Default value of randomize-inspection-range is 10.
          #randomize-inspection-range: 10

          # decoding
          double-decode-path: no
          double-decode-query: no

        # NOTE(review): with no server-config entries, every server is parsed
        # with the default-config personality (IDS). Listing the monitored
        # servers' address ranges with their real personality makes HTTP
        # normalization follow the behaviour of the actual endpoint.
        server-config:

          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb.  Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb.  Just a number indicates
          #    # it's in bytes.
# NOTE(review): continuation of the commented '#- iis7:' server-config example above.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no

    # Note: the Modbus probe parser is minimalist due to the few significant fields.
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in the probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positives
    modbus:
      # How many unreplied Modbus requests are considered a flood.
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
      #request-flood: 500

      enabled: no
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)

      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    # Note: parser depends on experimental Rust support
    # with --enable-rust-experimental passed to configure
    ntp:
      enabled: no

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256


##############################################################################
##
## Advanced settings below
##
##############################################################################

##
## Run Options
##

# Run suricata as user and group.
# NOTE(review): with run-as commented out, Suricata keeps the privileges of the
# user that started it (normally root, since packet capture needs them) for its
# whole lifetime. Enabling run-as lets the engine switch to an unprivileged
# user once capture is set up (needs a build with privilege-dropping support —
# TODO confirm for the installed build); it is the main least-privilege
# control in this file.
#run-as:
#  user: suricata
#  group: nsm

# Some logging modules will use that name in events as an identifier. The default
# value is the hostname
#sensor-name: suricata

# Default location of the pid file. The pid file is only used in
# daemon mode (start Suricata with -D). If not running in daemon mode
# the --pidfile command line option must be used to create a pid file.
#pid-file: /var/run/suricata.pid

# Daemon working directory
# Suricata will change directory to this one if provided
# Default: "/"
#daemon-directory: "/"

# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the
# page size. Core dumps that would be larger than max-dump are truncated. On
# Linux, the actual core dump size may be a few pages larger than max-dump.
# Setting max-dump to 0 disables core dumping.
# Setting max-dump to 'unlimited' will give the full core dump file.
# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
# to be 'unlimited'.

coredump:
  # NOTE(review): a full core dump of a capture process contains whatever was
  # in memory, including packet payloads and decoded application data from the
  # monitored network. Treat the dump location as sensitive, or set this to 0
  # on production sensors where crash analysis is not needed.
  max-dump: unlimited

# If the suricata box is a router for the sniffed networks, set it to 'router'. If
# it is a pure sniffing setup, set it to 'sniffer-only'.
# If set to auto, the variable is internally switched to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords.
host-mode: auto

# Number of packets preallocated per thread. The default is 1024. A higher number
# will make sure each CPU will be more easily kept busy, but may negatively
# impact caching.
#
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
# apply. In that case try something like 60000 or more.
# This is because the CUDA
# pattern matcher buffers and scans as many packets as possible in parallel.
#max-pending-packets: 1024

# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
#runmode: autofp

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
#
# Supported schedulers are:
#
# round-robin       - Flows assigned to threads in a round robin fashion.
# active-packets    - Flows assigned to threads that have the lowest number of
#                     unprocessed packets (default).
# hash              - Flow allotted using the address hash. More of a random
#                     technique. Was the default in Suricata 1.2.1 and older.
#
#autofp-scheduler: active-packets

# Preallocated size for packets. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

# The Unix command socket can be used to pass commands to suricata.
# An external tool can then connect to get information from suricata
# or trigger some modifications of the engine. Set enabled to yes
# to activate the feature. In auto mode, the feature will only be
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
  # NOTE(review): 'auto' activates the socket on a live-capture sensor, and
  # anything able to connect to it can change the running engine (see the
  # comment above). Make sure the socket path is reachable only by the account
  # that administers Suricata. 'filename' is left unset here, so the socket
  # lands at the build's default location — TODO confirm where that is on
  # this host and who can access it.
  enabled: auto
  #filename: custom.socket

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
#magic-file:

legacy:
  uricontent: enabled

##
## Detection settings
##

# Set the order of alerts based on actions
# The default order is pass, drop, reject, alert
# NOTE(review): with the default order a matching 'pass' rule wins over a
# 'drop' or 'alert' rule for the same packet; review any pass rules with that
# in mind before tuning.
# action-order:
#   - pass
#   - drop
#   - reject
#   - alert

# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

# When run with the option --engine-analysis, the engine will read each of
# the parameters below, and print reports for each of the enabled sections
# and exit. The reports are printed to a file in the default log dir
# given by the parameter "default-log-dir", with the engine reporting
# subsection below printing reports in its own report file.
engine-analysis:
  # enables printing reports for fast-pattern for every rule.
  rules-fast-pattern: yes
  # enables printing reports for each rule
  rules: yes

# recursion and match limits for PCRE where supported
# NOTE(review): these caps presumably bound how much work a single rule regex
# may do per match attempt, which keeps one pathological pcre rule from
# stalling a worker thread; raising them trades that protection for fewer
# limit-exceeded match failures.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

##
## Advanced Traffic Tracking and Reconstruction Settings
##

# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
  # Make the default policy windows.
# NOTE(review): continuation of host-os-policy (see above).
  # NOTE(review): every address not matched by a more specific entry below is
  # defragmented and reassembled with Windows semantics. List the real OS of
  # the monitored servers (e.g. under linux:) so that overlapping or
  # ambiguous segments are resolved the way the actual endpoint resolves
  # them; otherwise the sensor and the host can disagree about what data
  # was delivered.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

# Defrag settings:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determines the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At startup, the engine can preallocate a number of flows, to get better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine needs to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing new flows to be created, but
# pruning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doesn't find a flow to prune, it will set
# the emergency bit and it will try again with more aggressive timeouts.
1106 | # If that doesn't work, then it will try to kill the last time seen flows
1107 | # not in use.
1108 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's
1109 | # in bytes.
     | # Security note: a flow flood that exhausts the memcap pushes the engine
     | # into emergency mode with the aggressive emergency-* timeouts below,
     | # shortening the window in which slow or long-lived sessions stay
     | # tracked. Size the memcap for the expected concurrent-flow count and
     | # alert on the flow memcap counter in the stats output.
1110 | 
1111 | flow:
1112 |   memcap: 128mb
1113 |   hash-size: 65536
1114 |   prealloc: 10000
1115 |   emergency-recovery: 30
1116 |   #managers: 1 # default to one flow manager
1117 |   #recyclers: 1 # default to one flow recycler thread
1118 | 
1119 | # This option controls the use of vlan ids in the flow (and defrag)
1120 | # hashing. Normally this should be enabled, but in some (broken)
1121 | # setups where both sides of a flow are not tagged with the same vlan
1122 | # tag, we can ignore the vlan ids in the flow hashing.
     | # Security note: with vlan ids ignored, conversations on different VLANs
     | # that share the same 5-tuple (e.g. overlapping RFC 1918 ranges behind
     | # separate segments) collapse into one tracked flow, which can corrupt
     | # stream reassembly and let one segment's traffic mask another's. Keep
     | # "false" only if the capture genuinely sees asymmetric tagging;
     | # otherwise set it to true.
1123 | vlan:
1124 |   use-for-tracking: false
1125 | 
1126 | # Specific timeouts for flows. Here you can specify the timeouts that the
1127 | # active flows will wait to transit from the current state to another, on each
1128 | # protocol. The value of "new" determines the seconds to wait after a handshake or
1129 | # stream startup before the engine frees the data of that flow if it doesn't
1130 | # change the state to established (usually if we don't receive more packets
1131 | # of that flow). The value of "established" is the amount of
1132 | # seconds that the engine will wait to free the flow if it spends that amount
1133 | # without receiving new packets or closing the connection. "closed" is the
1134 | # amount of time to wait after a flow is closed (usually zero). "bypassed"
1135 | # timeout controls locally bypassed flows. For these flows we don't do any other
1136 | # tracking. If no packets have been seen after this timeout, the flow is discarded.
1137 | #
1138 | # There's an emergency mode that will become active under attack circumstances,
1139 | # making the engine check flow status faster. These configuration variables
1140 | # use the prefix "emergency-" and work similarly to the normal ones.
1141 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and 1142 | # icmp. 1143 | 1144 | flow-timeouts: 1145 | 1146 | default: 1147 | new: 30 1148 | established: 300 1149 | closed: 0 1150 | bypassed: 100 1151 | emergency-new: 10 1152 | emergency-established: 100 1153 | emergency-closed: 0 1154 | emergency-bypassed: 50 1155 | tcp: 1156 | new: 60 1157 | established: 600 1158 | closed: 60 1159 | bypassed: 100 1160 | emergency-new: 5 1161 | emergency-established: 100 1162 | emergency-closed: 10 1163 | emergency-bypassed: 50 1164 | udp: 1165 | new: 30 1166 | established: 300 1167 | bypassed: 100 1168 | emergency-new: 10 1169 | emergency-established: 100 1170 | emergency-bypassed: 50 1171 | icmp: 1172 | new: 30 1173 | established: 300 1174 | bypassed: 100 1175 | emergency-new: 10 1176 | emergency-established: 100 1177 | emergency-bypassed: 50 1178 | 1179 | # Stream engine settings. Here the TCP stream tracking and reassembly 1180 | # engine is configured. 1181 | # 1182 | # stream: 1183 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a 1184 | # # number indicates it's in bytes. 1185 | # checksum-validation: yes # To validate the checksum of received 1186 | # # packet. If csum validation is specified as 1187 | # # "yes", then packet with invalid csum will not 1188 | # # be processed by the engine stream/app layer. 1189 | # # Warning: locally generated trafic can be 1190 | # # generated without checksum due to hardware offload 1191 | # # of checksum. 
You can control the handling of checksum 1192 | # # on a per-interface basis via the 'checksum-checks' 1193 | # # option 1194 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread 1195 | # midstream: false # don't allow midstream session pickups 1196 | # async-oneside: false # don't enable async stream handling 1197 | # inline: no # stream inline mode 1198 | # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine 1199 | # max-synack-queued: 5 # Max different SYN/ACKs to queue 1200 | # bypass: no # Bypass packets when stream.depth is reached 1201 | # 1202 | # reassembly: 1203 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number 1204 | # # indicates it's in bytes. 1205 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number 1206 | # # indicates it's in bytes. 1207 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least 1208 | # # this size. Can be specified in kb, mb, 1209 | # # gb. Just a number indicates it's in bytes. 1210 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least 1211 | # # this size. Can be specified in kb, mb, 1212 | # # gb. Just a number indicates it's in bytes. 1213 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. 1214 | # # This lower the risk of some evasion technics but could lead 1215 | # # detection change between runs. It is set to 'yes' by default. 1216 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is 1217 | # # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size 1218 | # # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same 1219 | # # calculation for toclient-chunk-size. 1220 | # # Default value of randomize-chunk-range is 10. 1221 | # 1222 | # raw: yes # 'Raw' reassembly enabled or disabled. 1223 | # # raw is for content inspection by detection 1224 | # # engine. 
1225 | #
1226 | #   segment-prealloc: 2048        # number of segments preallocated per thread
1227 | #
1228 | #   check-overlap-different-data: true|false
1229 | #                                 # check if a segment contains different data
1230 | #                                 # than what we've already seen for that
1231 | #                                 # position in the stream.
1232 | #                                 # This is enabled automatically if inline mode
1233 | #                                 # is used or when stream-event:reassembly_overlap_different_data;
1234 | #                                 # is used in a rule.
1235 | #
     | # Security notes on the active settings below:
     | # - checksum-validation: yes means packets with a bad checksum are not
     | #   handed to the stream/app-layer engines. With checksum offload on the
     | #   capture NIC, locally generated traffic can arrive without a finished
     | #   checksum and go uninspected; confirm with the per-interface
     | #   checksum-checks option or disable offloading.
     | # - reassembly.depth: 1mb inspects only the first 1mb of each direction
     | #   of a TCP stream. Payload after that (large transfers, long-lived C2
     | #   channels) is invisible to content matching, and an attacker can
     | #   front-load junk to push a payload past the depth. Raise it, or make
     | #   the bypass decision explicit, rather than relying on the default.
     | # - check-overlap-different-data is left at the default. For a passive
     | #   sensor facing hostile traffic consider enabling it (or adding a
     | #   stream-event:reassembly_overlap_different_data rule, which turns it
     | #   on automatically): overlapping segments carrying different data are
     | #   an evasion hallmark and are otherwise resolved silently by
     | #   host-os-policy.
1236 | stream:
1237 |   memcap: 64mb
1238 |   checksum-validation: yes      # reject wrong csums
1239 |   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
1240 |   reassembly:
1241 |     memcap: 256mb
1242 |     depth: 1mb                  # reassemble 1mb into a stream
1243 |     toserver-chunk-size: 2560
1244 |     toclient-chunk-size: 2560
1245 |     randomize-chunk-size: yes
1246 |     #randomize-chunk-range: 10
1247 |     #raw: yes
1248 |     #segment-prealloc: 2048
1249 |     #check-overlap-different-data: true
1250 | 
1251 | # Host table:
1252 | #
1253 | # Host table is used by tagging and per host thresholding subsystems.
1254 | #
1255 | host:
1256 |   hash-size: 4096
1257 |   prealloc: 1000
1258 |   memcap: 32mb
1259 | 
1260 | # IP Pair table:
1261 | #
1262 | # Used by xbits 'ippair' tracking.
1263 | #
1264 | #ippair:
1265 | #  hash-size: 4096
1266 | #  prealloc: 1000
1267 | #  memcap: 32mb
1268 | 
1269 | # Decoder settings
1270 | 
1271 | decoder:
1272 |   # The Teredo decoder is known not to be completely accurate:
1273 |   # it will sometimes detect non-teredo as teredo.
1274 |   teredo:
1275 |     enabled: true
1276 | 
1277 | 
1278 | ##
1279 | ## Performance tuning and profiling
1280 | ##
1281 | 
1282 | # The detection engine builds internal groups of signatures. The engine
1283 | # allows us to specify the profile to use for them, to manage memory in an
1284 | # efficient way while keeping good performance. For the profile keyword you
1285 | # can use the words "low", "medium", "high" or "custom".
If you use custom 1286 | # make sure to define the values at "- custom-values" as your convenience. 1287 | # Usually you would prefer medium/high/low. 1288 | # 1289 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for 1290 | # the signature groups. "single" indicates the use of a single context for 1291 | # all the signature group heads. "full" indicates a mpm-context for each 1292 | # group head. "auto" lets the engine decide the distribution of contexts 1293 | # based on the information the engine gathers on the patterns from each 1294 | # group head. 1295 | # 1296 | # The option inspection-recursion-limit is used to limit the recursive calls 1297 | # in the content inspection code. For certain payload-sig combinations, we 1298 | # might end up taking too much time in the content inspection code. 1299 | # If the argument specified is 0, the engine uses an internally defined 1300 | # default limit. On not specifying a value, we use no limits on the recursion. 1301 | detect: 1302 | profile: medium 1303 | custom-values: 1304 | toclient-groups: 3 1305 | toserver-groups: 25 1306 | sgh-mpm-context: auto 1307 | inspection-recursion-limit: 3000 1308 | # If set to yes, the loading of signatures will be made after the capture 1309 | # is started. This will limit the downtime in IPS mode. 1310 | #delayed-detect: yes 1311 | 1312 | prefilter: 1313 | # default prefiltering setting. "mpm" only creates MPM/fast_pattern 1314 | # engines. "auto" also sets up prefilter engines for other keywords. 1315 | # Use --list-keywords=all to see which keywords support prefiltering. 1316 | default: mpm 1317 | 1318 | # the grouping values above control how many groups are created per 1319 | # direction. Port whitelisting forces that port to get it's own group. 1320 | # Very common ports will benefit, as well as ports with many expensive 1321 | # rules. 
1322 | grouping: 1323 | #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 1324 | #udp-whitelist: 53, 135, 5060 1325 | 1326 | profiling: 1327 | # Log the rules that made it past the prefilter stage, per packet 1328 | # default is off. The threshold setting determines how many rules 1329 | # must have made it past pre-filter for that rule to trigger the 1330 | # logging. 1331 | #inspect-logging-threshold: 200 1332 | grouping: 1333 | dump-to-disk: false 1334 | include-rules: false # very verbose 1335 | include-mpm-stats: false 1336 | 1337 | # Select the multi pattern algorithm you want to run for scan/search the 1338 | # in the engine. 1339 | # 1340 | # The supported algorithms are: 1341 | # "ac" - Aho-Corasick, default implementation 1342 | # "ac-bs" - Aho-Corasick, reduced memory implementation 1343 | # "ac-cuda" - Aho-Corasick, CUDA implementation 1344 | # "ac-ks" - Aho-Corasick, "Ken Steele" variant 1345 | # "hs" - Hyperscan, available when built with Hyperscan support 1346 | # 1347 | # The default mpm-algo value of "auto" will use "hs" if Hyperscan is 1348 | # available, "ac" otherwise. 1349 | # 1350 | # The mpm you choose also decides the distribution of mpm contexts for 1351 | # signature groups, specified by the conf - "detect.sgh-mpm-context". 1352 | # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" 1353 | # to be set to "single", because of ac's memory requirements, unless the 1354 | # ruleset is small enough to fit in one's memory, in which case one can 1355 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. 1356 | # 1357 | # There is also a CUDA pattern matcher (only available if Suricata was 1358 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your 1359 | # max-pending-packets setting above as well if you use b2g_cuda. 1360 | 1361 | mpm-algo: auto 1362 | 1363 | # Select the matching algorithm you want to use for single-pattern searches. 
1364 | # 1365 | # Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only 1366 | # available if Suricata has been built with Hyperscan support). 1367 | # 1368 | # The default of "auto" will use "hs" if available, otherwise "bm". 1369 | 1370 | spm-algo: auto 1371 | 1372 | # Suricata is multi-threaded. Here the threading can be influenced. 1373 | threading: 1374 | set-cpu-affinity: no 1375 | # Tune cpu affinity of threads. Each family of threads can be bound 1376 | # on specific CPUs. 1377 | # 1378 | # These 2 apply to the all runmodes: 1379 | # management-cpu-set is used for flow timeout handling, counters 1380 | # worker-cpu-set is used for 'worker' threads 1381 | # 1382 | # Additionally, for autofp these apply: 1383 | # receive-cpu-set is used for capture threads 1384 | # verdict-cpu-set is used for IPS verdict threads 1385 | # 1386 | cpu-affinity: 1387 | - management-cpu-set: 1388 | cpu: [ 0 ] # include only these cpus in affinity settings 1389 | - receive-cpu-set: 1390 | cpu: [ 0 ] # include only these cpus in affinity settings 1391 | - worker-cpu-set: 1392 | cpu: [ "all" ] 1393 | mode: "exclusive" 1394 | # Use explicitely 3 threads and don't compute number by using 1395 | # detect-thread-ratio variable: 1396 | # threads: 3 1397 | prio: 1398 | low: [ 0 ] 1399 | medium: [ "1-2" ] 1400 | high: [ 3 ] 1401 | default: "medium" 1402 | #- verdict-cpu-set: 1403 | # cpu: [ 0 ] 1404 | # prio: 1405 | # default: "high" 1406 | # 1407 | # By default Suricata creates one "detect" thread per available CPU/CPU core. 1408 | # This setting allows controlling this behaviour. A ratio setting of 2 will 1409 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this 1410 | # will result in 4 detect threads. If values below 1 are used, less threads 1411 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect 1412 | # thread being created. Regardless of the setting at a minimum 1 detect 1413 | # thread will always be created. 
1414 | # 1415 | detect-thread-ratio: 1.0 1416 | 1417 | # Luajit has a strange memory requirement, it's 'states' need to be in the 1418 | # first 2G of the process' memory. 1419 | # 1420 | # 'luajit.states' is used to control how many states are preallocated. 1421 | # State use: per detect script: 1 per detect thread. Per output script: 1 per 1422 | # script. 1423 | luajit: 1424 | states: 128 1425 | 1426 | # Profiling settings. Only effective if Suricata has been built with the 1427 | # the --enable-profiling configure flag. 1428 | # 1429 | profiling: 1430 | # Run profiling for every xth packet. The default is 1, which means we 1431 | # profile every packet. If set to 1000, one packet is profiled for every 1432 | # 1000 received. 1433 | #sample-rate: 1000 1434 | 1435 | # rule profiling 1436 | rules: 1437 | 1438 | # Profiling can be disabled here, but it will still have a 1439 | # performance impact if compiled in. 1440 | enabled: yes 1441 | filename: rule_perf.log 1442 | append: yes 1443 | 1444 | # Sort options: ticks, avgticks, checks, matches, maxticks 1445 | # If commented out all the sort options will be used. 1446 | #sort: avgticks 1447 | 1448 | # Limit the number of sids for which stats are shown at exit (per sort). 1449 | limit: 10 1450 | 1451 | # output to json 1452 | json: yes 1453 | 1454 | # per keyword profiling 1455 | keywords: 1456 | enabled: yes 1457 | filename: keyword_perf.log 1458 | append: yes 1459 | 1460 | # per rulegroup profiling 1461 | rulegroups: 1462 | enabled: yes 1463 | filename: rule_group_perf.log 1464 | append: yes 1465 | 1466 | # packet profiling 1467 | packets: 1468 | 1469 | # Profiling can be disabled here, but it will still have a 1470 | # performance impact if compiled in. 1471 | enabled: yes 1472 | filename: packet_stats.log 1473 | append: yes 1474 | 1475 | # per packet csv output 1476 | csv: 1477 | 1478 | # Output can be disabled here, but it will still have a 1479 | # performance impact if compiled in. 
1480 | enabled: no 1481 | filename: packet_stats.csv 1482 | 1483 | # profiling of locking. Only available when Suricata was built with 1484 | # --enable-profiling-locks. 1485 | locks: 1486 | enabled: no 1487 | filename: lock_stats.log 1488 | append: yes 1489 | 1490 | pcap-log: 1491 | enabled: no 1492 | filename: pcaplog_stats.log 1493 | append: yes 1494 | 1495 | ## 1496 | ## Netfilter integration 1497 | ## 1498 | 1499 | # When running in NFQ inline mode, it is possible to use a simulated 1500 | # non-terminal NFQUEUE verdict. 1501 | # This permit to do send all needed packet to suricata via this a rule: 1502 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE 1503 | # And below, you can have your standard filtering ruleset. To activate 1504 | # this mode, you need to set mode to 'repeat' 1505 | # If you want packet to be sent to another queue after an ACCEPT decision 1506 | # set mode to 'route' and set next-queue value. 1507 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance 1508 | # by processing several packets before sending a verdict (worker runmode only). 1509 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel 1510 | # accept the packet if suricata is not able to keep pace. 1511 | # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is 1512 | # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask 1513 | # on packet of a flow that need to be bypassed. The Nefilter ruleset has to 1514 | # directly accept all packets of a flow once a packet has been marked. 
1515 | nfq:
     |   # Security note: fail-open trades inspection for availability. When
     |   # Suricata cannot keep pace, the kernel accepts queued packets that
     |   # were never inspected, so an attacker who can overload the sensor
     |   # pushes traffic past the IPS. Leave it off (fail closed) where
     |   # blocking matters more than uptime, and monitor drop counters if it
     |   # is turned on.
     |   # bypass-mark/mask: once a flow is marked, the Netfilter ruleset must
     |   # accept its remaining packets unconditionally, so a bypass is a
     |   # permanent allow-list entry for that flow.
1516 | #  mode: accept
1517 | #  repeat-mark: 1
1518 | #  repeat-mask: 1
1519 | #  bypass-mark: 1
1520 | #  bypass-mask: 1
1521 | #  route-queue: 2
1522 | #  batchcount: 20
1523 | #  fail-open: yes
1524 | 
1525 | #nflog support
1526 | nflog:
1527 |     # netlink multicast group
1528 |     # (the same as the iptables --nflog-group param)
1529 |     # Group 0 is used by the kernel, so you can't use it
1530 |   - group: 2
1531 |     # netlink buffer size
1532 |     buffer-size: 18432
1533 |     # put default value here
1534 |   - group: default
1535 |     # set number of packets to queue inside kernel
1536 |     qthreshold: 1
1537 |     # set the delay before flushing packets in the queue inside kernel
1538 |     qtimeout: 100
1539 |     # netlink max buffer size
1540 |     max-size: 20000
1541 | 
1542 | ##
1543 | ## Advanced Capture Options
1544 | ##
1545 | 
1546 | # general settings affecting packet capture
1547 | capture:
1548 |   # disable NIC offloading. It's restored when Suricata exits.
1549 |   # Enabled by default
1550 |   #disable-offloading: false
1551 |   #
1552 |   # disable checksum validation. Same as setting '-k none' on the
1553 |   # commandline.
     |   # Security note: this skips checksum verification on every interface,
     |   # so packets a receiving host would discard are still inspected and
     |   # can raise alerts for traffic that never reached a target. Prefer the
     |   # per-interface checksum-checks: auto setting and only use this when
     |   # offloading makes checksums unreliable.
1554 |   #checksum-validation: none
1555 | 
1556 | # Netmap support
1557 | #
1558 | # Netmap operates with the NIC directly in the driver, so you need FreeBSD, which has
1559 | # built-in netmap support, or compile and install the netmap module and appropriate
1560 | # NIC driver on your Linux system.
1561 | # To reach maximum throughput disable all receive-, segmentation-,
1562 | # checksum- offloadings on the NIC.
1563 | # Disabling Tx checksum offloading is *required* for connecting an OS endpoint
1564 | # with a NIC endpoint.
1565 | # You can find more information at https://github.com/luigirizzo/netmap
1566 | #
1567 | netmap:
1568 |   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
1569 |  - interface: eth2
1570 |    # Number of receive threads. "auto" uses number of RSS queues on interface.
1571 | #threads: auto 1572 | # You can use the following variables to activate netmap tap or IPS mode. 1573 | # If copy-mode is set to ips or tap, the traffic coming to the current 1574 | # interface will be copied to the copy-iface interface. If 'tap' is set, the 1575 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action 1576 | # will not be copied. 1577 | # To specify the OS as the copy-iface (so the OS can route packets, or forward 1578 | # to a service running on the same machine) add a plus sign at the end 1579 | # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 1580 | # for return packets. Hardware checksumming must be *off* on the interface if 1581 | # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD 1582 | # or 'ethtool -K eth0 tx off rx off' for Linux). 1583 | #copy-mode: tap 1584 | #copy-iface: eth3 1585 | # Set to yes to disable promiscuous mode 1586 | # disable-promisc: no 1587 | # Choose checksum verification mode for the interface. At the moment 1588 | # of the capture, some packets may be with an invalid checksum due to 1589 | # offloading to the network card of the checksum computation. 1590 | # Possible values are: 1591 | # - yes: checksum validation is forced 1592 | # - no: checksum validation is disabled 1593 | # - auto: suricata uses a statistical approach to detect when 1594 | # checksum off-loading is used. 1595 | # Warning: 'checksum-validation' must be set to yes to have any validation 1596 | #checksum-checks: auto 1597 | # BPF filter to apply to this interface. The pcap filter syntax apply here. 1598 | #bpf-filter: port 80 or udp 1599 | #- interface: eth3 1600 | #threads: auto 1601 | #copy-mode: tap 1602 | #copy-iface: eth2 1603 | # Put default values here 1604 | - interface: default 1605 | 1606 | # PF_RING configuration. 
for use with native PF_RING support 1607 | # for more info see http://www.ntop.org/products/pf_ring/ 1608 | pfring: 1609 | - interface: eth0 1610 | # Number of receive threads (>1 will enable experimental flow pinned 1611 | # runmode) 1612 | threads: 1 1613 | 1614 | # Default clusterid. PF_RING will load balance packets based on flow. 1615 | # All threads/processes that will participate need to have the same 1616 | # clusterid. 1617 | cluster-id: 99 1618 | 1619 | # Default PF_RING cluster type. PF_RING can load balance per flow. 1620 | # Possible values are cluster_flow or cluster_round_robin. 1621 | cluster-type: cluster_flow 1622 | # bpf filter for this interface 1623 | #bpf-filter: tcp 1624 | # Choose checksum verification mode for the interface. At the moment 1625 | # of the capture, some packets may be with an invalid checksum due to 1626 | # offloading to the network card of the checksum computation. 1627 | # Possible values are: 1628 | # - rxonly: only compute checksum for packets received by network card. 1629 | # - yes: checksum validation is forced 1630 | # - no: checksum validation is disabled 1631 | # - auto: suricata uses a statistical approach to detect when 1632 | # checksum off-loading is used. (default) 1633 | # Warning: 'checksum-validation' must be set to yes to have any validation 1634 | #checksum-checks: auto 1635 | # Second interface 1636 | #- interface: eth1 1637 | # threads: 3 1638 | # cluster-id: 93 1639 | # cluster-type: cluster_flow 1640 | # Put default values here 1641 | - interface: default 1642 | #threads: 2 1643 | 1644 | # For FreeBSD ipfw(8) divert(4) support. 1645 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" 1646 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. 1647 | # Additionally, you need to have an ipfw rule for the engine to see 1648 | # the packets from ipfw. 
For Example: 1649 | # 1650 | # ipfw add 100 divert 8000 ip from any to any 1651 | # 1652 | # The 8000 above should be the same number you passed on the command 1653 | # line, i.e. -d 8000 1654 | # 1655 | ipfw: 1656 | 1657 | # Reinject packets at the specified ipfw rule number. This config 1658 | # option is the ipfw rule number AT WHICH rule processing continues 1659 | # in the ipfw processing system after the engine has finished 1660 | # inspecting the packet for acceptance. If no rule number is specified, 1661 | # accepted packets are reinjected at the divert rule which they entered 1662 | # and IPFW rule processing continues. No check is done to verify 1663 | # this will rule makes sense so care must be taken to avoid loops in ipfw. 1664 | # 1665 | ## The following example tells the engine to reinject packets 1666 | # back into the ipfw firewall AT rule number 5500: 1667 | # 1668 | # ipfw-reinjection-rule-number: 5500 1669 | 1670 | 1671 | napatech: 1672 | # The Host Buffer Allowance for all streams 1673 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) 1674 | # This may be enabled when sharing streams with another application. 1675 | # Otherwise, it should be turned off. 1676 | hba: -1 1677 | 1678 | # use_all_streams set to "yes" will query the Napatech service for all configured 1679 | # streams and listen on all of them. When set to "no" the streams config array 1680 | # will be used. 1681 | use-all-streams: yes 1682 | 1683 | # The streams to listen on. This can be either: 1684 | # a list of individual streams (e.g. streams: [0,1,2,3]) 1685 | # or 1686 | # a range of streams (e.g. streams: ["0-3"]) 1687 | streams: ["0-3"] 1688 | 1689 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. 1690 | mpipe: 1691 | 1692 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". 1693 | load-balance: dynamic 1694 | 1695 | # Number of Packets in each ingress packet queue. 
Must be 128, 512, 2028 or 65536 1696 | iqueue-packets: 2048 1697 | 1698 | # List of interfaces we will listen on. 1699 | inputs: 1700 | - interface: xgbe2 1701 | - interface: xgbe3 1702 | - interface: xgbe4 1703 | 1704 | 1705 | # Relative weight of memory for packets of each mPipe buffer size. 1706 | stack: 1707 | size128: 0 1708 | size256: 9 1709 | size512: 0 1710 | size1024: 0 1711 | size1664: 7 1712 | size4096: 0 1713 | size10386: 0 1714 | size16384: 0 1715 | 1716 | ## 1717 | ## Hardware accelaration 1718 | ## 1719 | 1720 | # Cuda configuration. 1721 | cuda: 1722 | # The "mpm" profile. On not specifying any of these parameters, the engine's 1723 | # internal default values are used, which are same as the ones specified in 1724 | # in the default conf file. 1725 | mpm: 1726 | # The minimum length required to buffer data to the gpu. 1727 | # Anything below this is MPM'ed on the CPU. 1728 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. 1729 | # A value of 0 indicates there's no limit. 1730 | data-buffer-size-min-limit: 0 1731 | # The maximum length for data that we would buffer to the gpu. 1732 | # Anything over this is MPM'ed on the CPU. 1733 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. 1734 | data-buffer-size-max-limit: 1500 1735 | # The ring buffer size used by the CudaBuffer API to buffer data. 1736 | cudabuffer-buffer-size: 500mb 1737 | # The max chunk size that can be sent to the gpu in a single go. 1738 | gpu-transfer-size: 50mb 1739 | # The timeout limit for batching of packets in microseconds. 1740 | batching-timeout: 2000 1741 | # The device to use for the mpm. Currently we don't support load balancing 1742 | # on multiple gpus. In case you have multiple devices on your system, you 1743 | # can specify the device to use, using this conf. By default we hold 0, to 1744 | # specify the first device cuda sees. 
To find out device-id associated with 1745 | # the card(s) on the system run "suricata --list-cuda-cards". 1746 | device-id: 0 1747 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid. 1748 | # For this option you need a device with Compute Capability > 1.0. 1749 | cuda-streams: 2 1750 | 1751 | ## 1752 | ## Include other configs 1753 | ## 1754 | 1755 | # Includes. Files included here will be handled as if they were 1756 | # inlined in this configuration file. 1757 | #include: include1.yaml 1758 | #include: include2.yaml 1759 | --------------------------------------------------------------------------------