Commit Graph

215 Commits (fc35a78ba14c04c528adf198f8f10b97521e8012)

Author SHA1 Message Date
Victor Julien 2997d086be eve-drop: allow logging all drops
- drop:
    alerts: yes      # log alerts that caused drops
    flows: all       # start or all: 'start' logs only a single drop
                     # per flow direction. All logs each dropped pkt.
9 years ago
Tom DeCanio 0f6c8806a0 output-json-dns: dns output filtering. 9 years ago
Jason Ish 1691c10681 eve: make logging of tagged packets optional
But it is enabled in the default configuration.
9 years ago
Victor Julien f7124b1149 afpacket: disable tpacket-v3 by default
It's still considered experimental at this point.
9 years ago
Victor Julien 5ec885e451 http: set of response body decompress limit
This is a per personality setting.
10 years ago
Victor Julien 0b6171854d yaml: improve affinity defaults 10 years ago
Victor Julien 723e90a174 affinity: rename detect-cpu-set to worker-cpu-set
Add fallback for existing configs.
10 years ago
Victor Julien 45b72d61c9 affinity: improve suricata.yaml doc 10 years ago
Victor Julien 570b9d06e0 affinity: remove unused settings
These were never referenced to in the code so they can be removed.

Add bypass to config parser in case the settings are still in old
yamls.
10 years ago
Victor Julien 1c0f20f0e5 yaml: profiling 'json' depend on jansson availability 10 years ago
Victor Julien d58d02fed5 netmap: handle missing config with better defaults
Default to 'threads: auto' which uses RSS RX count when no config
has been created for a interface.
10 years ago
Victor Julien be9cd0fd84 yaml: replace ac-tile by ac-ks 10 years ago
Victor Julien f55dbca57b yaml: make eve log in yaml depend on libjansson 10 years ago
Victor Julien df6f9269ec yaml: improve capture comments 10 years ago
Victor Julien 766bc95e3c yaml: move classification etc below the rules 10 years ago
Victor Julien 1b4e1ea389 yaml: new defaults for outputs
Enable eve.flow, disable plain http.log.
10 years ago
Victor Julien 4d056912d3 yaml: file logging at info level 10 years ago
Victor Julien cb47c2f682 yaml: improved defaults and misc cleanups 10 years ago
Victor Julien ea7923cc81 yaml: add performance tuning section 10 years ago
Victor Julien 6d7b4c81e3 yaml: more reshuffling 10 years ago
Victor Julien a6a69f0099 yaml: create advancted sections
Sections for advancted detection settings and traffic tracking and
reconstruction.
10 years ago
Victor Julien d79c95dded yaml: add hw accel section, move cuda there 10 years ago
Victor Julien 8fae138d3b yaml: add netfilter section 10 years ago
Victor Julien 056f88b458 yaml: move outputs to the logging step 10 years ago
Victor Julien 11e6809d55 yaml: introduce 'advanced settings' 10 years ago
Victor Julien c5ca642a28 yaml: move app layer up 10 years ago
Victor Julien c160f78758 yaml: move afpacket, pcap, pcap-file up 10 years ago
Victor Julien d48098f189 yaml: move logging up 10 years ago
Victor Julien c949668863 yaml: move rules up in the file
Also disable decoder and stream events by default, as they are too noisy
in a untuned environment.
10 years ago
Victor Julien a9cea53e62 yaml: move vars to the top 10 years ago
Justin Viiret c9d0d6f698 mpm: add "auto" default for mpm-algo
Setting mpm-algo to "auto" will use "hs" if Suricata was built against
Hyperscan, and "ac" otherwise (or "ac-tile" on Tilera platforms).
10 years ago
Eric Leblond ff05fb760b af-packet: fix some typos in yaml 10 years ago
Eric Leblond 876b356bbe af-packet: use mmap capture by default
Update the code to use mmap capture by default even in unset in
configuration file. mmap capture is now be turned off by using
explicitely 'use-mmap: no' in configuration.
10 years ago
Eric Leblond f5c2019167 af-packet: add option to use memory locked mmap 10 years ago
Eric Leblond 234aefdff9 af-packet: configurable tpacket_v3 block timeout
Block timeout defines the maximum filling duration of a block.
10 years ago
Eric Leblond fa902abedf af-packet: configurable tpacket_v3 block size
It is used to set the block size in tpacket_v3. It will allow user
to tune the capture depending on his bandwidth.

Default block size value has been updated to a bigger value to
allow more efficient wlak on block.
10 years ago
Eric Leblond bae1b03cf5 af-packet: tpacket_v3 implementation
This patch adds a basic implementation of AF_PACKET tpacket v3. It
is basic in the way it is only working for 'workers' runnning mode.
If not in 'workers' mode there is a fallback to tpacket_v2. Feature
is activated via tpacket-v3 option in the af-packet section of
Suricata YAML.
10 years ago
Justin Viiret 91011b30a6 spm: add "spm-algo: auto" setting
This will default to Hyperscan when Suricata is built with Hyperscan
support. Otherwise, Boyer-Moore is used by default.
10 years ago
Justin Viiret 7ba9dbe36a suricata.yaml: document spm-algo option 10 years ago
maxtors c6bbd89251 Added payload-buffer-size option to yaml configuration 10 years ago
Victor Julien 5f676167a3 detect grouping: make json dump configurable
Make the rule grouping dump to rule_group.json configurable.

detect:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false
10 years ago
Victor Julien d6ba01b1b7 detect: make port whitelisting configurable
Make the port grouping whitelisting configurable. A whitelisted port
ends up in it's own port group.

detect:
  grouping:
    tcp-whitelist: 80, 443
    udp-whitelist: 53, 5060

No portranges are allowed at this point.
10 years ago
Victor Julien 725d6c3739 yaml: convert detect-engine to just detect
Instead of detect-engine which used a list for no good reason, use a
simple map now.

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #delayed-detect: yes
10 years ago
Victor Julien caea596ce5 profiling: output post-prefilter matches
Dump a json record containing all sigs that need to be inspected after
prefilter. Part of profiling. Only dump if threshold is met, which is
currently set by:

 --set detect.profiling.inspect-logging-threshold=200

A file called packet_inspected_rules.json is created in the default
log dir.
10 years ago
Victor Julien 722e2dbf7c profiling: initial rulegroup tracking
Per rule group tracking of checks, use of lists, mpm matches,
post filter counts.

Logs SGH id so it can be compared with the rule_group.json output.

Implemented both in a human readable text format and a JSON format.
10 years ago
Victor Julien 4f8e1f59a6 mpm: remove obsolete mpm algos
Remove: ac-gfbs, wumanber, b2g, b3g.
10 years ago
Victor Julien 4526aed2b1 smtp: fix config parsing and config defaults 10 years ago
Travis Green 72c9debbd6 yaml: disable rules by default
Change to "disable by default" rulefiles
10 years ago
Tom DeCanio 559747e325 file-store: add force-filestore configuration option to enable writing all
extracted files to filesystem.
10 years ago
Andreas Herz 5cee70f9ae Fix the comment and explanation for random-chunk-size 10 years ago