|
|
|
@ -162,7 +162,7 @@ outputs:
|
|
|
|
types:
|
|
|
|
types:
|
|
|
|
- alert:
|
|
|
|
- alert:
|
|
|
|
# payload: yes # enable dumping payload in Base64
|
|
|
|
# payload: yes # enable dumping payload in Base64
|
|
|
|
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
|
|
|
|
# payload-buffer-size: 4 KiB # max size of payload buffer to output in eve-log
|
|
|
|
# payload-printable: yes # enable dumping payload in printable (lossy) format
|
|
|
|
# payload-printable: yes # enable dumping payload in printable (lossy) format
|
|
|
|
# payload-length: yes # enable dumping payload length, including the gaps
|
|
|
|
# payload-length: yes # enable dumping payload length, including the gaps
|
|
|
|
# packet: yes # enable dumping of packet (without stream segments)
|
|
|
|
# packet: yes # enable dumping of packet (without stream segments)
|
|
|
|
@ -183,7 +183,7 @@ outputs:
|
|
|
|
- frame:
|
|
|
|
- frame:
|
|
|
|
# disabled by default as this is very verbose.
|
|
|
|
# disabled by default as this is very verbose.
|
|
|
|
enabled: no
|
|
|
|
enabled: no
|
|
|
|
# payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
|
|
|
|
# payload-buffer-size: 4 KiB # max size of frame payload buffer to output in eve-log
|
|
|
|
- anomaly:
|
|
|
|
- anomaly:
|
|
|
|
# Anomaly log records describe unexpected conditions such
|
|
|
|
# Anomaly log records describe unexpected conditions such
|
|
|
|
# as truncated packets, packets with invalid IP/UDP/TCP
|
|
|
|
# as truncated packets, packets with invalid IP/UDP/TCP
|
|
|
|
@ -311,9 +311,9 @@ outputs:
|
|
|
|
- ssh
|
|
|
|
- ssh
|
|
|
|
- mqtt:
|
|
|
|
- mqtt:
|
|
|
|
# passwords: yes # enable output of passwords
|
|
|
|
# passwords: yes # enable output of passwords
|
|
|
|
# string-log-limit: 1kb # limit size of logged strings in bytes.
|
|
|
|
# string-log-limit: 1KiB # limit size of logged strings in bytes.
|
|
|
|
# Can be specified in kb, mb, gb. Just a number
|
|
|
|
# Can be specified in KiB, MiB, GiB. Just a number
|
|
|
|
# is parsed as bytes. Default is 1KB.
|
|
|
|
# is parsed as bytes. Default is 1 KiB.
|
|
|
|
# Use a value of 0 to disable limiting.
|
|
|
|
# Use a value of 0 to disable limiting.
|
|
|
|
# Note that the size is also bounded by
|
|
|
|
# Note that the size is also bounded by
|
|
|
|
# the maximum parsed message size (see
|
|
|
|
# the maximum parsed message size (see
|
|
|
|
@ -394,7 +394,7 @@ outputs:
|
|
|
|
# per thread directory.
|
|
|
|
# per thread directory.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Also note that the limit and max-files settings are enforced per thread.
|
|
|
|
# Also note that the limit and max-files settings are enforced per thread.
|
|
|
|
# So the size limit when using 8 threads with 1000mb files and 2000 files
|
|
|
|
# So the size limit when using 8 threads with 1000 MiB files and 2000 files
|
|
|
|
# is: 8*1000*2000 ~ 16TiB.
|
|
|
|
# is: 8*1000*2000 ~ 16TiB.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# By default all packets are logged except:
|
|
|
|
# By default all packets are logged except:
|
|
|
|
@ -407,7 +407,7 @@ outputs:
|
|
|
|
|
|
|
|
|
|
|
|
# File size limit. Can be specified in kb, mb, gb. Just a number
|
|
|
|
# File size limit. Can be specified in kb, mb, gb. Just a number
|
|
|
|
# is parsed as bytes.
|
|
|
|
# is parsed as bytes.
|
|
|
|
limit: 1000mb
|
|
|
|
limit: 1000 MiB
|
|
|
|
|
|
|
|
|
|
|
|
# If set to a value, ring buffer mode is enabled. Will keep maximum of
|
|
|
|
# If set to a value, ring buffer mode is enabled. Will keep maximum of
|
|
|
|
# "max-files" of size "limit"
|
|
|
|
# "max-files" of size "limit"
|
|
|
|
@ -887,7 +887,7 @@ app-layer:
|
|
|
|
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
|
|
|
|
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
|
|
|
|
mqtt:
|
|
|
|
mqtt:
|
|
|
|
enabled: yes
|
|
|
|
enabled: yes
|
|
|
|
# max-msg-length: 1mb
|
|
|
|
# max-msg-length: 1 MiB
|
|
|
|
# subscribe-topic-match-limit: 100
|
|
|
|
# subscribe-topic-match-limit: 100
|
|
|
|
# unsubscribe-topic-match-limit: 100
|
|
|
|
# unsubscribe-topic-match-limit: 100
|
|
|
|
# Maximum number of live MQTT transactions per flow
|
|
|
|
# Maximum number of live MQTT transactions per flow
|
|
|
|
@ -936,11 +936,11 @@ app-layer:
|
|
|
|
# max-tx: 1024
|
|
|
|
# max-tx: 1024
|
|
|
|
ftp:
|
|
|
|
ftp:
|
|
|
|
enabled: yes
|
|
|
|
enabled: yes
|
|
|
|
# memcap: 64mb
|
|
|
|
# memcap: 64 MiB
|
|
|
|
websocket:
|
|
|
|
websocket:
|
|
|
|
#enabled: yes
|
|
|
|
#enabled: yes
|
|
|
|
# Maximum used payload size, the rest is skipped
|
|
|
|
# Maximum used payload size, the rest is skipped
|
|
|
|
# max-payload-size: 65535
|
|
|
|
# max-payload-size: 64 KiB
|
|
|
|
rdp:
|
|
|
|
rdp:
|
|
|
|
#enabled: yes
|
|
|
|
#enabled: yes
|
|
|
|
ssh:
|
|
|
|
ssh:
|
|
|
|
@ -1024,11 +1024,11 @@ app-layer:
|
|
|
|
|
|
|
|
|
|
|
|
# Byte Range Containers default settings
|
|
|
|
# Byte Range Containers default settings
|
|
|
|
# byterange:
|
|
|
|
# byterange:
|
|
|
|
# memcap: 100mb
|
|
|
|
# memcap: 100 MiB
|
|
|
|
# timeout: 60
|
|
|
|
# timeout: 60
|
|
|
|
|
|
|
|
|
|
|
|
# memcap: Maximum memory capacity for HTTP
|
|
|
|
# memcap: Maximum memory capacity for HTTP
|
|
|
|
# Default is unlimited, values can be 64mb, e.g.
|
|
|
|
# Default is unlimited, values can be 64 MiB, e.g.
|
|
|
|
|
|
|
|
|
|
|
|
# default-config: Used when no server-config matches
|
|
|
|
# default-config: Used when no server-config matches
|
|
|
|
# personality: List of personalities used by default
|
|
|
|
# personality: List of personalities used by default
|
|
|
|
@ -1053,16 +1053,16 @@ app-layer:
|
|
|
|
default-config:
|
|
|
|
default-config:
|
|
|
|
personality: IDS
|
|
|
|
personality: IDS
|
|
|
|
|
|
|
|
|
|
|
|
# Can be specified in kb, mb, gb. Just a number indicates
|
|
|
|
# Can be specified in KiB, MiB, GiB. Just a number indicates
|
|
|
|
# it's in bytes.
|
|
|
|
# it's in bytes.
|
|
|
|
request-body-limit: 100kb
|
|
|
|
request-body-limit: 100 KiB
|
|
|
|
response-body-limit: 100kb
|
|
|
|
response-body-limit: 100 KiB
|
|
|
|
|
|
|
|
|
|
|
|
# inspection limits
|
|
|
|
# inspection limits
|
|
|
|
request-body-minimal-inspect-size: 32kb
|
|
|
|
request-body-minimal-inspect-size: 32 KiB
|
|
|
|
request-body-inspect-window: 4kb
|
|
|
|
request-body-inspect-window: 4 KiB
|
|
|
|
response-body-minimal-inspect-size: 40kb
|
|
|
|
response-body-minimal-inspect-size: 40 KiB
|
|
|
|
response-body-inspect-window: 16kb
|
|
|
|
response-body-inspect-window: 16 KiB
|
|
|
|
|
|
|
|
|
|
|
|
# response body decompression (0 disables)
|
|
|
|
# response body decompression (0 disables)
|
|
|
|
response-body-decompress-layer-limit: 2
|
|
|
|
response-body-decompress-layer-limit: 2
|
|
|
|
@ -1081,8 +1081,8 @@ app-layer:
|
|
|
|
swf-decompression:
|
|
|
|
swf-decompression:
|
|
|
|
enabled: no
|
|
|
|
enabled: no
|
|
|
|
type: both
|
|
|
|
type: both
|
|
|
|
compress-depth: 100kb
|
|
|
|
compress-depth: 100 KiB
|
|
|
|
decompress-depth: 100kb
|
|
|
|
decompress-depth: 100 KiB
|
|
|
|
|
|
|
|
|
|
|
|
# Use a random value for inspection sizes around the specified value.
|
|
|
|
# Use a random value for inspection sizes around the specified value.
|
|
|
|
# This lowers the risk of some evasion techniques but could lead
|
|
|
|
# This lowers the risk of some evasion techniques but could lead
|
|
|
|
@ -1102,10 +1102,10 @@ app-layer:
|
|
|
|
#lzma-enabled: false
|
|
|
|
#lzma-enabled: false
|
|
|
|
# Memory limit usage for LZMA decompression dictionary
|
|
|
|
# Memory limit usage for LZMA decompression dictionary
|
|
|
|
# Data is decompressed until dictionary reaches this size
|
|
|
|
# Data is decompressed until dictionary reaches this size
|
|
|
|
#lzma-memlimit: 1mb
|
|
|
|
#lzma-memlimit: 1 MiB
|
|
|
|
# Maximum decompressed size with a compression ratio
|
|
|
|
# Maximum decompressed size with a compression ratio
|
|
|
|
# above 2048 (only LZMA can reach this ratio, deflate cannot)
|
|
|
|
# above 2048 (only LZMA can reach this ratio, deflate cannot)
|
|
|
|
#compression-bomb-limit: 1mb
|
|
|
|
#compression-bomb-limit: 1 MiB
|
|
|
|
# Maximum time spent decompressing a single transaction in usec
|
|
|
|
# Maximum time spent decompressing a single transaction in usec
|
|
|
|
#decompression-time-limit: 100000
|
|
|
|
#decompression-time-limit: 100000
|
|
|
|
# Maximum number of live transactions per flow
|
|
|
|
# Maximum number of live transactions per flow
|
|
|
|
@ -1116,7 +1116,7 @@ app-layer:
|
|
|
|
#- apache:
|
|
|
|
#- apache:
|
|
|
|
# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
|
|
|
|
# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
|
|
|
|
# personality: Apache_2
|
|
|
|
# personality: Apache_2
|
|
|
|
# # Can be specified in kb, mb, gb. Just a number indicates
|
|
|
|
# # Can be specified in KiB, MiB, GiB. Just a number indicates
|
|
|
|
# # it's in bytes.
|
|
|
|
# # it's in bytes.
|
|
|
|
# request-body-limit: 4096
|
|
|
|
# request-body-limit: 4096
|
|
|
|
# response-body-limit: 4096
|
|
|
|
# response-body-limit: 4096
|
|
|
|
@ -1128,7 +1128,7 @@ app-layer:
|
|
|
|
# - 192.168.0.0/24
|
|
|
|
# - 192.168.0.0/24
|
|
|
|
# - 192.168.10.0/24
|
|
|
|
# - 192.168.10.0/24
|
|
|
|
# personality: IIS_7_0
|
|
|
|
# personality: IIS_7_0
|
|
|
|
# # Can be specified in kb, mb, gb. Just a number indicates
|
|
|
|
# # Can be specified in KiB, MiB, GiB. Just a number indicates
|
|
|
|
# # it's in bytes.
|
|
|
|
# # it's in bytes.
|
|
|
|
# request-body-limit: 4096
|
|
|
|
# request-body-limit: 4096
|
|
|
|
# response-body-limit: 4096
|
|
|
|
# response-body-limit: 4096
|
|
|
|
@ -1190,7 +1190,7 @@ datasets:
|
|
|
|
# Default fallback memcap and hashsize values for datasets in case these
|
|
|
|
# Default fallback memcap and hashsize values for datasets in case these
|
|
|
|
# were not explicitly defined.
|
|
|
|
# were not explicitly defined.
|
|
|
|
defaults:
|
|
|
|
defaults:
|
|
|
|
#memcap: 100mb
|
|
|
|
#memcap: 100 MiB
|
|
|
|
#hashsize: 2048
|
|
|
|
#hashsize: 2048
|
|
|
|
|
|
|
|
|
|
|
|
rules:
|
|
|
|
rules:
|
|
|
|
@ -1403,7 +1403,7 @@ host-os-policy:
|
|
|
|
# The exception policy memcap-policy value can be "drop-packet", "pass-packet",
|
|
|
|
# The exception policy memcap-policy value can be "drop-packet", "pass-packet",
|
|
|
|
# "reject" or "ignore" (which is the default).
|
|
|
|
# "reject" or "ignore" (which is the default).
|
|
|
|
defrag:
|
|
|
|
defrag:
|
|
|
|
memcap: 32mb
|
|
|
|
memcap: 32 MiB
|
|
|
|
# memcap-policy: ignore
|
|
|
|
# memcap-policy: ignore
|
|
|
|
hash-size: 65536
|
|
|
|
hash-size: 65536
|
|
|
|
trackers: 65535 # number of defragmented flows to follow
|
|
|
|
trackers: 65535 # number of defragmented flows to follow
|
|
|
|
@ -1426,7 +1426,7 @@ defrag:
|
|
|
|
# - 172.16.14.0/24
|
|
|
|
# - 172.16.14.0/24
|
|
|
|
|
|
|
|
|
|
|
|
# Flow settings:
|
|
|
|
# Flow settings:
|
|
|
|
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
|
|
|
|
# By default, the reserved memory (memcap) for flows is 32 MiB. This is the limit
|
|
|
|
# for flow allocation inside the engine. You can change this value to allow
|
|
|
|
# for flow allocation inside the engine. You can change this value to allow
|
|
|
|
# more memory usage for flows.
|
|
|
|
# more memory usage for flows.
|
|
|
|
# The hash-size determines the size of the hash used to identify flows inside
|
|
|
|
# The hash-size determines the size of the hash used to identify flows inside
|
|
|
|
@ -1442,13 +1442,13 @@ defrag:
|
|
|
|
# the emergency bit and it will try again with more aggressive timeouts.
|
|
|
|
# the emergency bit and it will try again with more aggressive timeouts.
|
|
|
|
# If that doesn't work, then it will try to kill the oldest flows using
|
|
|
|
# If that doesn't work, then it will try to kill the oldest flows using
|
|
|
|
# last time seen flows.
|
|
|
|
# last time seen flows.
|
|
|
|
# The memcap can be specified in kb, mb, gb. Just a number indicates it's
|
|
|
|
# The memcap can be specified in KiB, MiB, GiB. Just a number indicates it's
|
|
|
|
# in bytes.
|
|
|
|
# in bytes.
|
|
|
|
# The exception policy memcap-policy can be "drop-packet", "pass-packet",
|
|
|
|
# The exception policy memcap-policy can be "drop-packet", "pass-packet",
|
|
|
|
# "reject" or "ignore" (which is the default).
|
|
|
|
# "reject" or "ignore" (which is the default).
|
|
|
|
|
|
|
|
|
|
|
|
flow:
|
|
|
|
flow:
|
|
|
|
memcap: 128mb
|
|
|
|
memcap: 128 MiB
|
|
|
|
#memcap-policy: ignore
|
|
|
|
#memcap-policy: ignore
|
|
|
|
hash-size: 65536
|
|
|
|
hash-size: 65536
|
|
|
|
prealloc: 10000
|
|
|
|
prealloc: 10000
|
|
|
|
@ -1526,7 +1526,7 @@ flow-timeouts:
|
|
|
|
# engine is configured.
|
|
|
|
# engine is configured.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# stream:
|
|
|
|
# stream:
|
|
|
|
# memcap: 64mb # Can be specified in kb, mb, gb. Just a
|
|
|
|
# memcap: 64 MiB # Can be specified in KiB, MiB, GiB. Just a
|
|
|
|
# # number indicates it's in bytes.
|
|
|
|
# # number indicates it's in bytes.
|
|
|
|
# memcap-policy: ignore # The exception policy value can be "drop-flow",
|
|
|
|
# memcap-policy: ignore # The exception policy value can be "drop-flow",
|
|
|
|
# # "pass-flow", "bypass", "drop-packet",
|
|
|
|
# # "pass-flow", "bypass", "drop-packet",
|
|
|
|
@ -1557,19 +1557,19 @@ flow-timeouts:
|
|
|
|
# # means it's slightly more permissive. Enabled by default.
|
|
|
|
# # means it's slightly more permissive. Enabled by default.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# reassembly:
|
|
|
|
# reassembly:
|
|
|
|
# memcap: 256mb # Can be specified in kb, mb, gb. Just a number
|
|
|
|
# memcap: 256 MiB # Can be specified in KiB, MiB, GiB. Just a number
|
|
|
|
# # indicates it's in bytes.
|
|
|
|
# # indicates it's in bytes.
|
|
|
|
# memcap-policy: ignore # The exception policy value can be "drop-flow",
|
|
|
|
# memcap-policy: ignore # The exception policy value can be "drop-flow",
|
|
|
|
# # "pass-flow", "bypass", "drop-packet", "pass-packet",
|
|
|
|
# # "pass-flow", "bypass", "drop-packet", "pass-packet",
|
|
|
|
# # "reject" or "ignore" default is "ignore"
|
|
|
|
# # "reject" or "ignore" default is "ignore"
|
|
|
|
# depth: 1mb # Can be specified in kb, mb, gb. Just a number
|
|
|
|
# depth: 1 MiB # Can be specified in KiB, MiB, GiB. Just a number
|
|
|
|
# # indicates it's in bytes.
|
|
|
|
# # indicates it's in bytes.
|
|
|
|
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
|
|
|
|
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
|
|
|
|
# # this size. Can be specified in kb, mb,
|
|
|
|
# # this size. Can be specified in KiB, MiB, GiB.
|
|
|
|
# # gb. Just a number indicates it's in bytes.
|
|
|
|
# # Just a number indicates it's in bytes.
|
|
|
|
# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
|
|
|
|
# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
|
|
|
|
# # this size. Can be specified in kb, mb,
|
|
|
|
# # this size. Can be specified in KiB, MiB, GiB.
|
|
|
|
# # gb. Just a number indicates it's in bytes.
|
|
|
|
# # Just a number indicates it's in bytes.
|
|
|
|
# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
|
|
|
|
# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
|
|
|
|
# # This lowers the risk of some evasion techniques but could lead
|
|
|
|
# # This lowers the risk of some evasion techniques but could lead
|
|
|
|
# # to detection change between runs. It is set to 'yes' by default.
|
|
|
|
# # to detection change between runs. It is set to 'yes' by default.
|
|
|
|
@ -1594,16 +1594,16 @@ flow-timeouts:
|
|
|
|
# # is used in a rule.
|
|
|
|
# # is used in a rule.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
stream:
|
|
|
|
stream:
|
|
|
|
memcap: 64mb
|
|
|
|
memcap: 64 MiB
|
|
|
|
#memcap-policy: ignore
|
|
|
|
#memcap-policy: ignore
|
|
|
|
checksum-validation: yes # reject incorrect csums
|
|
|
|
checksum-validation: yes # reject incorrect csums
|
|
|
|
#midstream: false
|
|
|
|
#midstream: false
|
|
|
|
#midstream-policy: ignore
|
|
|
|
#midstream-policy: ignore
|
|
|
|
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
|
|
|
|
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
|
|
|
|
reassembly:
|
|
|
|
reassembly:
|
|
|
|
memcap: 256mb
|
|
|
|
memcap: 256 MiB
|
|
|
|
#memcap-policy: ignore
|
|
|
|
#memcap-policy: ignore
|
|
|
|
depth: 1mb # reassemble 1mb into a stream
|
|
|
|
depth: 1 MiB # reassemble 1 MiB into a stream
|
|
|
|
toserver-chunk-size: 2560
|
|
|
|
toserver-chunk-size: 2560
|
|
|
|
toclient-chunk-size: 2560
|
|
|
|
toclient-chunk-size: 2560
|
|
|
|
randomize-chunk-size: yes
|
|
|
|
randomize-chunk-size: yes
|
|
|
|
@ -1619,7 +1619,7 @@ stream:
|
|
|
|
host:
|
|
|
|
host:
|
|
|
|
hash-size: 4096
|
|
|
|
hash-size: 4096
|
|
|
|
prealloc: 1000
|
|
|
|
prealloc: 1000
|
|
|
|
memcap: 32mb
|
|
|
|
memcap: 32 MiB
|
|
|
|
|
|
|
|
|
|
|
|
# IP Pair table:
|
|
|
|
# IP Pair table:
|
|
|
|
#
|
|
|
|
#
|
|
|
|
@ -1628,7 +1628,7 @@ host:
|
|
|
|
#ippair:
|
|
|
|
#ippair:
|
|
|
|
# hash-size: 4096
|
|
|
|
# hash-size: 4096
|
|
|
|
# prealloc: 1000
|
|
|
|
# prealloc: 1000
|
|
|
|
# memcap: 32mb
|
|
|
|
# memcap: 32 MiB
|
|
|
|
|
|
|
|
|
|
|
|
# Decoder settings
|
|
|
|
# Decoder settings
|
|
|
|
|
|
|
|
|
|
|
|
@ -1707,7 +1707,7 @@ detect:
|
|
|
|
# Thresholding hash table settings.
|
|
|
|
# Thresholding hash table settings.
|
|
|
|
thresholds:
|
|
|
|
thresholds:
|
|
|
|
hash-size: 16384
|
|
|
|
hash-size: 16384
|
|
|
|
memcap: 16mb
|
|
|
|
memcap: 16 MiB
|
|
|
|
|
|
|
|
|
|
|
|
profiling:
|
|
|
|
profiling:
|
|
|
|
# Log the rules that made it past the prefilter stage, per packet
|
|
|
|
# Log the rules that made it past the prefilter stage, per packet
|
|
|
|
@ -1801,7 +1801,7 @@ threading:
|
|
|
|
# set to this value, a fatal error occurs.
|
|
|
|
# set to this value, a fatal error occurs.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Generally, the per-thread stack-size should not exceed 8MB.
|
|
|
|
# Generally, the per-thread stack-size should not exceed 8MB.
|
|
|
|
#stack-size: 8mb
|
|
|
|
#stack-size: 8 MiB
|
|
|
|
|
|
|
|
|
|
|
|
# Profiling settings. Only effective if Suricata has been built with
|
|
|
|
# Profiling settings. Only effective if Suricata has been built with
|
|
|
|
# the --enable-profiling configure flag.
|
|
|
|
# the --enable-profiling configure flag.
|
|
|
|
|
Victor Julien
1 year ago
committed by
Victor Julien