%YAML 1.1 --- max-pending-packets: 1024 # Runmode the engine should use. runmode: autofp # If set to auto, the variable is internally switched to 'router' in IPS # mode and 'sniffer-only' in IDS mode. host-mode: auto # Specifies the kind of flow load balancer used by the flow pinned autofp mode. autofp-scheduler: hash # Daemon working directory daemon-directory: /usr/local/etc/suricata/suricata_5045_vmx2 default-packet-size: 1514 # The default logging directory. default-log-dir: /var/log/suricata/suricata_vmx25045 # global stats configuration stats: enabled: yes interval: 10 decoder-events: true decoder-events-prefix: "decoder.event" stream-events: false # Configure the type of alert (and other) logging. outputs: # alert-pf custom blocking plugin for pfSense only - alert-pf: enabled: yes kill-state: yes block-drops-only: yes pass-list: /usr/local/etc/suricata/suricata_5045_vmx2/passlist block-ip: BOTH pf-table: snort2c passlist-debugging: no # Do not enable debugging on production systems! # a line based alerts log similar to Snort's fast.log - fast: enabled: yes filename: alerts.log append: yes filetype: regular - http-log: enabled: yes filename: http.log filetype: regular append: yes extended: yes filetype: regular # a PCAP format packet capture facility - pcap-log: enabled: no filename: log.pcap dir: / limit: 32mb max-files: 100 mode: normal compression: none ts-format: sec use-stream-depth: no honor-pass-rules: no conditional: alerts - tls-log: enabled: no filename: tls.log filetype: regular append: yes extended: yes session-resumption: no - tls-store: enabled: no certs-log-dir: - stats: enabled: no filename: stats.log append: no totals: yes threads: no null-values: yes - syslog: enabled: yes identity: suricata facility: local1 level: notice - file-store: version: 2 enabled: no length: 0 dir: filestore - eve-log: enabled: no filetype: regular filename: eve.json ethernet: no redis: server: 127.0.0.1 port: 6379 mode: list key: "suricata" identity: "suricata" facility: local1 level: notice xff: enabled: no mode: extra-data deployment: reverse header: X-Forwarded-For types: - alert: payload: yes # enable dumping payload in Base64 payload-buffer-size: 4kb # max size of payload buffer to output in eve-log payload-printable: yes # enable dumping payload in printable (lossy) format packet: yes # enable dumping of packet (without stream segments) http-body: yes # enable dumping of http body in Base64 http-body-printable: yes # enable dumping of http body in printable format metadata: yes # enable inclusion of app layer metadata with alert tagged-packets: no # enable logging of tagged packets for rules using the 'tag' keyword verdict: no # enable logging the final action taken on a packet by the engine - drop: alerts: yes verdict: no flows: all - http: extended: yes custom: [accept, accept-charset, accept-datetime, accept-encoding, accept-language, accept-range, age, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, dnt, etags, from, last-modified, link, location, max-forwards, origin, pragma, proxy-authenticate, proxy-authorization, range, referrer, refresh, retry-after, server, set-cookie, te, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate, x-authenticated-user, x-flash-version, x-forwarded-proto, x-requested-with] - dns: version: 2 requests: yes responses: yes - tls: extended: yes - files: force-magic: no - dhcp: enabled: yes extended: no - ftp - http2 - ike - krb5 - mqtt - nfs - quic - rfb - smb - smtp: extended: yes custom: [bcc, received, reply-to, x-mailer, x-originating-ip] md5: [subject] - snmp - ssh - tftp - eve-log: enabled: no filetype: unix_stream filename: types: - stats: threads: yes # Magic file. The extension .mgc is added to the value here. magic-file: /usr/share/misc/magic # GeoLite2 IP geo-location database file path and filename. geoip-database: /usr/local/share/suricata/GeoLite2/GeoLite2-Country.mmdb # Specify a threshold config file threshold-file: /usr/local/etc/suricata/suricata_5045_vmx2/threshold.config detect-engine: - profile: medium - sgh-mpm-context: auto - inspection-recursion-limit: 3000 - delayed-detect: no # Suricata is multi-threaded. Here the threading can be influenced. threading: set-cpu-affinity: no detect-thread-ratio: 1.0 # Luajit has a strange memory requirement, it's 'states' need to be in the # first 2G of the process' memory. # # 'luajit.states' is used to control how many states are preallocated. # State use: per detect script: 1 per detect thread. Per output script: 1 per # script. luajit: states: 128 # Multi pattern algorithm # The default mpm-algo value of "auto" will use "hs" if Hyperscan is # available, "ac" otherwise. mpm-algo: hs # Single pattern algorithm # The default of "auto" will use "hs" if available, otherwise "bm". spm-algo: auto # Defrag settings: defrag: memcap: 33554432 memcap-policy: ignore hash-size: 65536 trackers: 65535 max-frags: 65535 prealloc: yes timeout: 60 # Flow settings: flow: memcap: 134217728 memcap-policy: ignore hash-size: 65536 prealloc: 10000 emergency-recovery: 30 prune-flows: 5 # This option controls the use of vlan ids in the flow (and defrag) # hashing. vlan: use-for-tracking: true # Specific timeouts for flows. flow-timeouts: default: new: 30 established: 300 closed: 0 emergency-new: 10 emergency-established: 100 emergency-closed: 0 tcp: new: 60 established: 3600 closed: 120 emergency-new: 10 emergency-established: 300 emergency-closed: 20 udp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 icmp: new: 30 established: 300 emergency-new: 10 emergency-established: 100 stream: memcap: 268435456 memcap-policy: ignore checksum-validation: no inline: auto prealloc-sessions: 32768 midstream: false midstream-policy: ignore async-oneside: false max-synack-queued: 5 bypass: no drop-invalid: no reassembly: memcap: 131217728 memcap-policy: ignore depth: 1048576 toserver-chunk-size: 2560 toclient-chunk-size: 2560 # Host table is used by tagging and per host thresholding subsystems. host: hash-size: 4096 prealloc: 1000 memcap: 33554432 # Host specific policies for defragmentation and TCP stream reassembly. host-os-policy: bsd: [0.0.0.0/0] # Logging configuration. This is not about logging IDS alerts, but # IDS output about what its doing, errors, etc. logging: # This value is overriden by the SC_LOG_LEVEL env var. default-log-level: info default-log-format: "%t - <%d> -- " # Define your logging outputs. outputs: - console: enabled: yes - file: enabled: yes filename: /var/log/suricata/suricata_vmx25045/suricata.log - syslog: enabled: no facility: local1 level: notice format: "[%i] <%d> -- " # IPS Mode Configuration # PCAP pcap: - interface: vmx2 checksum-checks: auto promisc: yes snaplen: 1518 legacy: uricontent: enabled default-rule-path: /usr/local/etc/suricata/suricata_5045_vmx2/rules rule-files: - suricata.rules - flowbit-required.rules classification-file: /usr/local/etc/suricata/suricata_5045_vmx2/classification.config reference-config-file: /usr/local/etc/suricata/suricata_5045_vmx2/reference.config # Holds variables that would be used by the engine. vars: # Holds the address group vars that would be passed in a Signature. address-groups: HOME_NET: "[93.57.121.96/28, 93.57.121.97/32, 93.57.121.100/32, 127.0.0.1/32, 192.168.4.0/24, 192.168.8.0/22, 192.168.8.230/32, 192.168.8.234/32, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.15.0/24, 192.168.16.0/24, 192.168.17.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.93.0/24, 192.168.94.0/24, 192.168.95.0/24, 192.168.96.0/24, 192.168.110.0/24, 192.168.120.0/24, 192.168.130.0/24, ::1/128, fe80::20c:29ff:fe71:356a/128, fe80::20c:29ff:fe71:357e/128, fe80::20c:29ff:fe71:3560/128, fe80::20c:29ff:fe71:3574/128]" EXTERNAL_NET: "[!$HOME_NET]" DNS_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" HTTP_SERVERS: "$HOME_NET" SQL_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_SERVER: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" ENIP_SERVER: "$HOME_NET" ENIP_CLIENT: "$HOME_NET" FTP_SERVERS: "$HOME_NET" SSH_SERVERS: "$HOME_NET" AIM_SERVERS: "64.12.24.0/23, 64.12.28.0/23, 64.12.161.0/24, 64.12.163.0/24, 64.12.200.0/24, 205.188.3.0/24, 205.188.5.0/24, 205.188.7.0/24, 205.188.9.0/24, 205.188.153.0/24, 205.188.179.0/24, 205.188.248.0/24" SIP_SERVERS: "$HOME_NET" # Holds the port group vars that would be passed in a Signature. port-groups: FTP_PORTS: "21" HTTP_PORTS: "80" ORACLE_PORTS: "1521" SSH_PORTS: "22" SHELLCODE_PORTS: "!80" DNP3_PORTS: "20000" FILE_DATA_PORTS: "$HTTP_PORTS, 110, 143" SIP_PORTS: "5060, 5061, 5600" # Set the order of alerts based on actions action-order: - pass - drop - reject - alert # IP Reputation # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 engine-analysis: rules-fast-pattern: yes rules: yes #recursion and match limits for PCRE where supported pcre: match-limit: 3500 match-limit-recursion: 1500 # Holds details on the app-layer. The protocols section details each protocol. app-layer: error-policy: ignore protocols: bittorrent-dht: enabled: yes dcerpc: enabled: yes dhcp: enabled: yes dnp3: enabled: yes detection-ports: dp: 20000 dns: global-memcap: 16777216 state-memcap: 524288 request-flood: 500 tcp: enabled: yes detection-ports: dp: 53 udp: enabled: yes detection-ports: dp: 53 enip: enabled: yes ftp: enabled: yes ftp-data: enabled: yes http: enabled: yes memcap: 67108864 http2: enabled: yes ike: enabled: yes imap: enabled: detection-only krb5: enabled: yes modbus: enabled: yes request-flood: 500 detection-ports: dp: 502 stream-depth: 0 mqtt: enabled: yes msn: enabled: detection-only nfs: enabled: yes ntp: enabled: yes pgsql: enabled: no quic: enabled: yes rdp: enabled: yes rfb: enabled: yes detection-ports: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 sip: enabled: yes smb: enabled: yes detection-ports: dp: 139, 445 smtp: enabled: yes mime: decode-mime: no decode-base64: yes decode-quoted-printable: yes header-value-depth: 2000 extract-urls: yes body-md5: no inspected-tracker: content-limit: 100000 content-inspect-min-size: 32768 content-inspect-window: 4096 ssh: enabled: yes telnet: enabled: yes tftp: enabled: yes tls: enabled: yes detection-ports: dp: 443 ja3-fingerprints: off encrypt-handling: default ########################################################################### # Configure libhtp. libhtp: default-config: personality: IDS request-body-limit: 4096 response-body-limit: 4096 meta-field-limit: 18432 double-decode-path: no double-decode-query: no uri-include-all: no coredump: max-dump: unlimited # Suricata user pass through configuration