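%YAML 1.1
---
# Suricata IDS configuration, rendered from a Puppet ERB template
# (@pcapinterface is substituted at catalog compile time).
# Suricata's own config loader accepts "yes"/"no" as booleans, so the file
# keeps that convention rather than true/false.

# All relative output filenames below resolve under this directory. It must
# exist and be writable by the run-as user or those outputs fail to open.
default-log-dir: /var/log/suricata/

# Control socket for suricatasc. Kept disabled: anyone who can reach the
# socket path can reload rules, swap pcaps and shut the engine down.
unix-command:
  enabled: no

# Drop root privileges after the capture device has been opened.
run-as:
  user: suricata
  group: suricata

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - unified2-alert:
      enabled: no
      filename: unified2.alert
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - tls-log:
      enabled: no             # Log TLS connections.
      filename: tls.log       # File to store TLS logs.
      certs-log-dir: certs    # directory to store the certificates files
  - pcap-info:
      enabled: no
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal            # normal or sguil.
      # If set to "yes" packets seen after reaching stream inspection depth
      # are ignored. "no" logs all packets.
      use-stream-depth: no
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes
  # NOTE(review): with stats disabled there is no periodic record of
  # capture/kernel drops, so a sensor that is silently dropping traffic
  # looks healthy. Worth enabling on production sensors.
  - stats:
      enabled: no
      filename: stats.log
      interval: 8
  - syslog:
      enabled: no
      facility: local5
  - drop:
      enabled: no
      filename: drop.log
      append: yes
  - file-store:
      enabled: no             # set to yes to enable
      log-dir: files          # directory to store the files
      force-magic: no         # force logging magic on all stored files
      force-md5: no           # force logging of md5 checksums
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      force-magic: no         # force logging magic on all logged files
      force-md5: no           # force logging of md5 checksums

magic-file: /usr/share/file/magic

nfq:

af-packet:

threshold-file: /etc/suricata/threshold.config

detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]            # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]            # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"     # run detect threads in these cpus
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"
  detect-thread-ratio: 1.5

cuda:
  - mpm:
      packet-buffer-limit: 2400
      packet-size-limit: 1500
      packet-buffers: 10
      batching-timeout: 1
      page-locked: enabled
      device-id: 0
      cuda-streams: 2

mpm-algo: ac

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535             # number of defragmented flows to follow
  max-frags: 65535            # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 32mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100

stream:
  memcap: 32mb
  # reject wrong csums. NOTE(review): if the capture NIC has checksum
  # offload enabled, locally generated packets carry invalid checksums and
  # are excluded from reassembly, creating a blind spot; disable offload on
  # the sensor interface or set this to no.
  checksum-validation: yes
  inline: auto                # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 64mb
    # reassemble 1mb into a stream; payload beyond this depth is not
    # inspected, so long transfers are only partially covered by rules.
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216

logging:
  default-log-level: info
  default-output-filter:
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: no
        filename: /var/log/suricata.log
    - syslog:
        enabled: no
        facility: local5

# Capture interface is templated. Quoted so an empty expansion renders as
# an empty string rather than a YAML null.
pfring:
  - interface: "<%= @pcapinterface %>"
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default

pcap:
  - interface: "<%= @pcapinterface %>"
  - interface: default

ipfw:

default-rule-path: /etc/suricata/rules/
# Each file is listed once: loading a file twice makes every SID in it a
# duplicate signature, which floods the engine log with load errors and
# hides genuine rule-parse failures.
rule-files:
  - local.rules
  - tor.rules
  - emerging-shellcode.rules
  - dshield.rules
  - compromised.rules
  - mobilemalware.rules
  - nmap.rules
  - shellcode.rules
  - osxmalware.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

vars:
  address-groups:
    # NOTE(review): HOME_NET omits 192.168.0.0/16, yet the libhtp
    # server-config and host-os-policy entries below describe 192.168.x
    # hosts. Rules keyed on $HOME_NET will not fire for those hosts; extend
    # HOME_NET if they are in scope for this sensor.
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12]"
    # Standard variables the stock and Emerging Threats rule files
    # reference. A rule that uses an undefined variable fails to load,
    # so these must exist even when they just alias HOME_NET.
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
  port-groups:
    # Only port 80 is treated as HTTP by $HTTP_PORTS rules; HTTP on other
    # ports (8080, 8000, ...) is not matched by them.
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"

action-order:
  - pass
  - drop
  - reject
  - alert

host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

asn1-max-frames: 256

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

libhtp:
  default-config:
    personality: IDS
    # Only the first 3072 bytes of each HTTP body are buffered for
    # inspection; content placed beyond that offset is not seen by rules.
    request-body-limit: 3072
    response-body-limit: 3072
    request-body-minimal-inspect-size: 32kb
    request-body-inspect-window: 4kb
    response-body-minimal-inspect-size: 32kb
    response-body-inspect-window: 4kb
    double-decode-path: no
    double-decode-query: no
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
        request-body-limit: 4096
        response-body-limit: 4096
        double-decode-path: no
        double-decode-query: no
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0
        request-body-limit: 4096
        response-body-limit: 4096
        double-decode-path: no
        double-decode-query: no

# Rule and packet profiling only take effect in a build configured with
# profiling support; where active they add per-packet overhead, so keep an
# eye on them on busy production sensors.
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    sort: avgticks
    limit: 100
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

# NOTE(review): a core file of the engine contains buffered packet payload
# and reassembled streams. Make sure the dump location is readable only by
# the suricata user/root, or restrict this on sensors where that is not
# guaranteed.
coredump:
  max-dump: unlimited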
# Napatech capture card settings (only used when capturing via napatech).
napatech:
  # Host buffer allowance; -1 leaves the driver default in place.
  hba: -1
  # Attach to every stream the card exposes rather than only those listed.
  use-all-streams: yes
  # Stream ids used when use-all-streams does not apply.
  streams:
    - 1
    - 2
    - 3