merge files from the blockchain infra repo (#59)

code/chef/templates/centos/suricata.yaml.erb

@@ -0,0 +1,317 @@
+%YAML 1.1
+---
+default-log-dir: /var/log/suricata/
+unix-command:
+  enabled: no
+run-as:
+  user: suricata
+  group: suricata
+outputs:
+  - fast:
+      enabled: yes
+      filename: fast.log
+      append: yes
+  - unified2-alert:
+      enabled: no
+      filename: unified2.alert
+  - http-log:
+      enabled: no
+      filename: http.log
+      append: yes
+  - tls-log:
+      enabled: no  # Log TLS connections.
+      filename: tls.log # File to store TLS logs.
+      certs-log-dir: certs # directory to store the certificates files
+  - pcap-info:
+      enabled: no
+  - pcap-log:
+      enabled:  no
+      filename: log.pcap
+      limit: 1000mb
+      max-files: 2000
+      mode: normal # normal or sguil.
+      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+  - alert-debug:
+      enabled: no
+      filename: alert-debug.log
+      append: yes
+  - alert-prelude:
+      enabled: no
+      profile: suricata
+      log-packet-content: no
+      log-packet-header: yes
+  - stats:
+      enabled: no
+      filename: stats.log
+      interval: 8
+  - syslog:
+      enabled: no
+      facility: local5
+  - drop:
+      enabled: no
+      filename: drop.log
+      append: yes
+  - file-store:
+      enabled: no       # set to yes to enable
+      log-dir: files    # directory to store the files
+      force-magic: no   # force logging magic on all stored files
+      force-md5: no     # force logging of md5 checksums
+  - file-log:
+      enabled: no
+      filename: files-json.log
+      append: yes
+      force-magic: no   # force logging magic on all logged files
+      force-md5: no     # force logging of md5 checksums
+magic-file: /usr/share/file/magic
+nfq:
+af-packet:
+threshold-file: /etc/suricata/threshold.config
+detect-engine:
+  - profile: medium
+  - custom-values:
+      toclient-src-groups: 2
+      toclient-dst-groups: 2
+      toclient-sp-groups: 2
+      toclient-dp-groups: 3
+      toserver-src-groups: 2
+      toserver-dst-groups: 4
+      toserver-sp-groups: 2
+      toserver-dp-groups: 25
+  - sgh-mpm-context: auto
+  - inspection-recursion-limit: 3000
+threading:
+  set-cpu-affinity: no
+  cpu-affinity:
+    - management-cpu-set:
+        cpu: [ 0 ]  # include only these cpus in affinity settings
+    - receive-cpu-set:
+        cpu: [ 0 ]  # include only these cpus in affinity settings
+    - decode-cpu-set:
+        cpu: [ 0, 1 ]
+        mode: "balanced"
+    - stream-cpu-set:
+        cpu: [ "0-1" ]
+    - detect-cpu-set:
+        cpu: [ "all" ]
+        mode: "exclusive" # run detect threads in these cpus
+        prio:
+          low: [ 0 ]
+          medium: [ "1-2" ]
+          high: [ 3 ]
+          default: "medium"
+    - verdict-cpu-set:
+        cpu: [ 0 ]
+        prio:
+          default: "high"
+    - reject-cpu-set:
+        cpu: [ 0 ]
+        prio:
+          default: "low"
+    - output-cpu-set:
+        cpu: [ "all" ]
+        prio:
+           default: "medium"
+  detect-thread-ratio: 1.5
+cuda:
+  - mpm:
+      packet-buffer-limit: 2400
+      packet-size-limit: 1500
+      packet-buffers: 10
+      batching-timeout: 1
+      page-locked: enabled
+      device-id: 0
+      cuda-streams: 2
+mpm-algo: ac
+pattern-matcher:
+  - b2gc:
+      search-algo: B2gSearchBNDMq
+      hash-size: low
+      bf-size: medium
+  - b2gm:
+      search-algo: B2gSearchBNDMq
+      hash-size: low
+      bf-size: medium
+  - b2g:
+      search-algo: B2gSearchBNDMq
+      hash-size: low
+      bf-size: medium
+  - b3g:
+      search-algo: B3gSearchBNDMq
+      hash-size: low
+      bf-size: medium
+  - wumanber:
+      hash-size: low
+      bf-size: medium
+defrag:
+  memcap: 32mb
+  hash-size: 65536
+  trackers: 65535 # number of defragmented flows to follow
+  max-frags: 65535 # number of fragments to keep (higher than trackers)
+  prealloc: yes
+  timeout: 60
+flow:
+  memcap: 32mb
+  hash-size: 65536
+  prealloc: 10000
+  emergency-recovery: 30
+flow-timeouts:
+  default:
+    new: 30
+    established: 300
+    closed: 0
+    emergency-new: 10
+    emergency-established: 100
+    emergency-closed: 0
+  tcp:
+    new: 60
+    established: 3600
+    closed: 120
+    emergency-new: 10
+    emergency-established: 300
+    emergency-closed: 20
+  udp:
+    new: 30
+    established: 300
+    emergency-new: 10
+    emergency-established: 100
+  icmp:
+    new: 30
+    established: 300
+    emergency-new: 10
+    emergency-established: 100
+stream:
+  memcap: 32mb
+  checksum-validation: yes      # reject wrong csums
+  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
+  reassembly:
+    memcap: 64mb
+    depth: 1mb                  # reassemble 1mb into a stream
+    toserver-chunk-size: 2560
+    toclient-chunk-size: 2560
+host:
+  hash-size: 4096
+  prealloc: 1000
+  memcap: 16777216
+logging:
+  default-log-level: info
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+  - file:
+      enabled: no
+      filename: /var/log/suricata.log
+  - syslog:
+      enabled: no
+      facility: local5
+pfring:
+  - interface: <%= @pcapinterface %>
+    threads: 1
+    cluster-id: 99
+    cluster-type: cluster_flow
+  - interface: default
+pcap:
+  - interface: <%= @pcapinterface %>
+  - interface: default
+ipfw:
+default-rule-path: /etc/suricata/rules/
+rule-files:
+ - local.rules
+ - tor.rules
+ - emerging-shellcode.rules
+ - dshield.rules
+ - compromised.rules
+ - dshield.rules
+ - mobilemalware.rules
+ - nmap.rules
+ - shellcode.rules
+ - osxmalware.rules
+classification-file: /etc/suricata/classification.config
+reference-config-file: /etc/suricata/reference.config
+vars:
+  address-groups:
+
+port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+host-os-policy:
+  windows: [0.0.0.0/0]
+  bsd: []
+  bsd-right: []
+  old-linux: []
+  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
+  old-solaris: []
+  solaris: ["::1"]
+  hpux10: []
+  hpux11: []
+  irix: []
+  macos: []
+  vista: []
+  windows2k3: []
+asn1-max-frames: 256
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+pcre:
+  match-limit: 3500
+  match-limit-recursion: 1500
+libhtp:
+   default-config:
+     personality: IDS
+     request-body-limit: 3072
+     response-body-limit: 3072
+     request-body-minimal-inspect-size: 32kb
+     request-body-inspect-window: 4kb
+     response-body-minimal-inspect-size: 32kb
+     response-body-inspect-window: 4kb
+     double-decode-path: no
+     double-decode-query: no
+   server-config:
+     - apache:
+         address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+         personality: Apache_2_2
+         request-body-limit: 4096
+         response-body-limit: 4096
+         double-decode-path: no
+         double-decode-query: no
+     - iis7:
+         address:
+           - 192.168.0.0/24
+           - 192.168.10.0/24
+         personality: IIS_7_0
+         request-body-limit: 4096
+         response-body-limit: 4096
+         double-decode-path: no
+         double-decode-query: no
+profiling:
+  rules:
+    enabled: yes
+    filename: rule_perf.log
+    append: yes
+    sort: avgticks
+    limit: 100
+  packets:
+    enabled: yes
+    filename: packet_stats.log
+    append: yes
+    csv:
+      enabled: no
+      filename: packet_stats.csv
+  locks:
+    enabled: no
+    filename: lock_stats.log
+    append: yes
+coredump:
+  max-dump: unlimited
+napatech:
+    hba: -1
+    use-all-streams: yes
+    streams: [1, 2, 3]