--- suricata-6.0.14/suricata.yaml.in 2023-09-13 16:27:17.000000000 +0200
+++ suricata-7.0.4/suricata.yaml.in 2024-03-19 12:50:47.000000000 +0100
@@ -3,7 +3,7 @@
# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
-# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
+# https://docs.suricata.io/en/latest/configuration/suricata-yaml.html
# This configuration file generated by Suricata @PACKAGE_VERSION@.
suricata-version: "@MAJOR_MINOR@"
@@ -74,6 +74,10 @@
# Add stream events as stats.
#stream-events: false
+# Plugins -- Experimental -- specify the filename for each plugin shared object
+plugins:
+# - /path/to/plugin.so
+
# Configure the type of alert (and other) logging you would like.
outputs:
# a line based alerts log similar to Snort's fast.log
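Review bot: `plugins:` is left without a value while its only entry stays commented, so a generic YAML parser reads the key as null rather than an empty list; Suricata's own loader may accept that, but `plugins: []` would make the intent explicit and keep yamllint's empty-values check quiet. The header comment also says nothing about trust: each listed shared object is loaded into the Suricata process and runs with its privileges, so a line such as `# Shared objects listed here run inside the Suricata process; list only trusted, root-owned files from directories not writable by other users` would be worth adding next to the example path.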
@@ -89,7 +93,7 @@
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
# Enable for multi-threaded eve.json output; output files are amended with
- # with an identifier, e.g., eve.9.json
+ # an identifier, e.g., eve.9.json
#threaded: false
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
@@ -168,6 +172,10 @@
# (e.g: the alert may have action 'allowed' but the verdict be
# 'drop' due to another alert. That's the engine's verdict)
# verdict: yes
+ # app layer frames
+ - frame:
+ # disabled by default as this is very verbose.
+ enabled: no
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
@@ -213,7 +221,7 @@
- dns:
# This configuration uses the new DNS logging format,
# the old configuration is still available:
- # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+ # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# As of Suricata 5.0, version 2 of the eve dns output
# format is the default.
@@ -254,9 +262,9 @@
# alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt.
- # verdict: yes # Enable logging the final action taken on a packet
- # by the engine (will show more information in case
- # of a drop caused by 'reject')
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
- smtp:
#extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
@@ -276,12 +284,14 @@
- nfs
- smb
- tftp
- - ikev2
+ - ike
- dcerpc
- krb5
+ - bittorrent-dht
- snmp
- rfb
- sip
+ - quic
- dhcp:
enabled: yes
# When extended mode is on, all DHCP messages are logged
@@ -292,10 +302,10 @@
- ssh
- mqtt:
# passwords: yes # enable output of passwords
- # HTTP2 logging. HTTP2 support is currently experimental and
- # disabled by default. To enable, uncomment the following line
- # and be sure to enable http2 in the app-layer section.
- #- http2
+ - http2
+ - pgsql:
+ enabled: no
+ # passwords: yes # enable output of passwords. Disabled by default
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
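Review bot: The commented `passwords: yes` line under the new `pgsql` output says only "enable output of passwords", which understates what it does: the credentials end up in cleartext in eve.json alongside every other event. A comment such as `# passwords: yes # log PostgreSQL passwords in cleartext to eve.json; keep off unless the log file's permissions and retention are acceptable` would give an operator the caveat before they uncomment it, and the same wording would suit the existing mqtt `passwords` line above. The `http2` entry is now uncommented, which presumably matches the app-layer `http2: enabled: yes` change later in this diff — worth confirming both defaults were meant to flip together.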
@@ -310,6 +320,16 @@
# flowints.
#- metadata
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
+
# a line based log of HTTP requests (no alerts)
- http-log:
enabled: no
@@ -400,6 +420,9 @@
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
+ # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag"
+ # to log only flow tagged via the "tag" keyword
+ #conditional: all
# a full alert log containing much information for signature writers
# or for investigating suspected false positives.
@@ -409,14 +432,6 @@
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- # alert output to prelude (https://www.prelude-siem.org/) only
- # available if Suricata has been compiled with --enable-prelude
- - alert-prelude:
- enabled: no
- profile: suricata
- log-packet-content: no
- log-packet-header: yes
-
# Stats.log contains data from various counters of the Suricata engine.
- stats:
enabled: yes
@@ -531,7 +546,7 @@
# Lua Output Support - execute lua script to generate alert and event
# output.
# Documented at:
- # https://suricata.readthedocs.io/en/latest/output/lua-output.html
+ # https://docs.suricata.io/en/latest/output/lua-output.html
- lua:
enabled: no
#scripts-dir: /etc/suricata/lua-output/
@@ -552,8 +567,11 @@
# something reasonable if not provided. Can be overridden in an
# output section. You can leave this out to get the default.
#
- # This value is overridden by the SC_LOG_FORMAT env var.
- #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
+ # This console log format value can be overridden by the SC_LOG_FORMAT env var.
+ #default-log-format: "%D: %S: %M"
+ #
+ # For the pre-7.0 log format use:
+ #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- "
# A regex to filter output. Can be overridden in an output section.
# Defaults to empty (no filter).
@@ -576,6 +594,7 @@
enabled: yes
level: info
filename: suricata.log
+ # format: "[%i - %m] %z %d: %S: %M"
# type: json
- syslog:
enabled: no
@@ -609,6 +628,7 @@
# more info.
# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
+ # cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow.
cluster-type: cluster_flow
# In some fragmentation cases, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
@@ -671,6 +691,117 @@
#use-mmap: no
#tpacket-v3: yes
+# Linux high speed af-xdp capture support
+af-xdp:
+ - interface: default
+ # Number of receive threads. "auto" uses least between the number
+ # of cores and RX queues
+ #threads: auto
+ #disable-promisc: false
+ # XDP_DRV mode can be chosen when the driver supports XDP
+ # XDP_SKB mode can be chosen when the driver does not support XDP
+ # Possible values are:
+ # - drv: enable XDP_DRV mode
+ # - skb: enable XDP_SKB mode
+ # - none: disable (kernel in charge of applying mode)
+ #force-xdp-mode: none
+ # During socket binding the kernel will attempt zero-copy, if this
+ # fails it will fallback to copy. If this fails, the bind fails.
+ # The bind can be explicitly configured using the option below.
+ # If configured, the bind will fail if not successful (no fallback).
+ # Possible values are:
+ # - zero: enable zero-copy mode
+ # - copy: enable copy mode
+ # - none: disable (kernel in charge of applying mode)
+ #force-bind-mode: none
+ # Memory alignment mode can vary between two modes, aligned and
+ # unaligned chunk modes. By default, aligned chunk mode is selected.
+ # select 'yes' to enable unaligned chunk mode.
+ # Note: unaligned chunk mode uses hugepages, so the required number
+ # of pages must be available.
+ #mem-unaligned: no
+ # The following options configure the prefer-busy-polling socket
+ # options. The polling time and budget can be edited here.
+ # Possible values are:
+ # - yes: enable (default)
+ # - no: disable
+ #enable-busy-poll: yes
+ # busy-poll-time sets the approximate time in microseconds to busy
+ # poll on a blocking receive when there is no data.
+ #busy-poll-time: 20
+ # busy-poll-budget is the budget allowed for packet batches
+ #busy-poll-budget: 64
+ # These two tunables are used to configure the Linux OS's NAPI
+ # context. Their purpose is to defer enabling of interrupts and
+ # instead schedule the NAPI context from a watchdog timer.
+ # The softirq NAPI will exit early, allowing busy polling to be
+ # performed. Successfully setting these tunables alongside busy-polling
+ # should improve performance.
+ # Defaults are:
+ #gro-flush-timeout: 2000000
+ #napi-defer-hard-irq: 2
+
+dpdk:
+ eal-params:
+ proc-type: primary
+
+ # DPDK capture support
+ # RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio
+ interfaces:
+ - interface: 0000:3b:00.0 # PCIe address of the NIC port
+ # Threading: possible values are either "auto" or number of threads
+ # - auto takes all cores
+ # in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match
+ threads: auto
+ promisc: true # promiscuous mode - capture all packets
+ multicast: true # enables also detection on multicast packets
+ checksum-checks: true # if Suricata should validate checksums
+ checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
+ mtu: 1500 # Set MTU of the device in bytes
+ # rss-hash-functions: 0x0 # advanced configuration option, use only if you use untested NIC card and experience RSS warnings,
+ # For `rss-hash-functions` use hexadecimal 0x01ab format to specify RSS hash function flags - DumpRssFlags can help (you can see output if you use -vvv option during Suri startup)
+ # setting auto to rss_hf sets the default RSS hash functions (based on IP addresses)
+
+ # To approximately calculate required amount of space (in bytes) for interface's mempool: mempool-size * mtu
+ # Make sure you have enough allocated hugepages.
+ # The optimum size for the packet memory pool (in terms of memory usage) is power of two minus one: n = (2^q - 1)
+ mempool-size: 65535 # The number of elements in the mbuf pool
+
+ # Mempool cache size must be lower or equal to:
+ # - RTE_MEMPOOL_CACHE_MAX_SIZE (by default 512) and
+ # - "mempool-size / 1.5"
+ # It is advised to choose cache_size to have "mempool-size modulo cache_size == 0".
+ # If this is not the case, some elements will always stay in the pool and will never be used.
+ # The cache can be disabled if the cache_size argument is set to 0, can be useful to avoid losing objects in cache
+ # If the value is empty or set to "auto", Suricata will attempt to set cache size of the mempool to a value
+ # that matches the previously mentioned recommendations
+ mempool-cache-size: 257
+ rx-descriptors: 1024
+ tx-descriptors: 1024
+ #
+ # IPS mode for Suricata works in 3 modes - none, tap, ips
+ # - none: IDS mode only - disables IPS functionality (does not further forward packets)
+ # - tap: forwards all packets and generates alerts (omits DROP action) This is not DPDK TAP
+ # - ips: the same as tap mode but it also drops packets that are flagged by rules to be dropped
+ copy-mode: none
+ copy-iface: none # or PCIe address of the second interface
+
+ - interface: default
+ threads: auto
+ promisc: true
+ multicast: true
+ checksum-checks: true
+ checksum-checks-offload: true
+ mtu: 1500
+ rss-hash-functions: auto
+ mempool-size: 65535
+ mempool-cache-size: 257
+ rx-descriptors: 1024
+ tx-descriptors: 1024
+ copy-mode: none
+ copy-iface: none
+
+
# Cross platform libpcap capture support
pcap:
- interface: eth0
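Review bot: The new `af-xdp` block mixes boolean spellings — `#disable-promisc: false` sits beside `#mem-unaligned: no` and `#enable-busy-poll: yes` — while the `dpdk` block directly below uses `true` throughout; since these commented lines are what users copy and uncomment, one spelling per section would avoid the yes/no-versus-true/false drift the rest of the file already has. In the `dpdk` section, `- interface: 0000:3b:00.0` is a concrete PCIe address that will not exist on most hosts, and the interfaces list is presumably what a `--dpdk` run consumes, so the inline comment should say it is a placeholder to replace, e.g. `- interface: 0000:3b:00.0 # example; replace with the PCIe address of a NIC bound to a DPDK-compatible driver`. The `# DPDK capture support` heading is also placed under `eal-params` rather than above the `dpdk:` key, which reads as if it described only the interfaces list.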
@@ -735,11 +866,12 @@
app-layer:
# error-policy: ignore
protocols:
+ telnet:
+ enabled: yes
rfb:
enabled: yes
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
- # MQTT, disabled by default.
mqtt:
enabled: yes
# max-msg-length: 1mb
@@ -749,9 +881,11 @@
# max-tx: 4096
krb5:
enabled: yes
+ bittorrent-dht:
+ enabled: yes
snmp:
enabled: yes
- ikev2:
+ ike:
enabled: yes
tls:
enabled: yes
@@ -776,24 +910,37 @@
#
#encryption-handling: default
+ pgsql:
+ enabled: no
+ # Stream reassembly size for PostgreSQL. By default, track it completely.
+ stream-depth: 0
+ # Maximum number of live PostgreSQL transactions per flow
+ # max-tx: 1024
dcerpc:
enabled: yes
+ # Maximum number of live DCERPC transactions per flow
+ # max-tx: 1024
ftp:
enabled: yes
# memcap: 64mb
rdp:
- enabled: yes
+ #enabled: yes
ssh:
enabled: yes
#hassh: yes
- # HTTP2: Experimental HTTP 2 support. Disabled by default.
http2:
- enabled: no
- # use http keywords on HTTP2 traffic
- http1-rules: no
+ enabled: yes
+ # Maximum number of live HTTP2 streams in a flow
+ #max-streams: 4096
+ # Maximum headers table size
+ #max-table-size: 65536
+ # Maximum reassembly size for header + continuation frames
+ #max-reassembly-size: 102400
smtp:
enabled: yes
raw-extraction: no
+ # Maximum number of live SMTP transactions per flow
+ # max-tx: 256
# Configure SMTP-MIME Decoder
mime:
# Decode MIME messages from SMTP transactions
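Review bot: Commenting out `enabled: yes` under `rdp` (and likewise under `sip` in the later hunk at `#enabled: yes`) leaves the effective default unstated in the file: a reader can no longer tell from this block whether the parser runs when the key is absent. Presumably the default is enabled, as the commented value suggests, in which case a one-line note such as `# enabled by default; set to no to disable` above each would remove the ambiguity. The `http2` block also drops `http1-rules: no` without a replacement or note; if that key is no longer honoured, saying so here (or in an upgrade note) would help users carrying it in an existing config.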
@@ -812,6 +959,12 @@
# Extract URLs and save in state data structure
extract-urls: yes
+ # Scheme of URLs to extract
+ # (default is [http])
+ #extract-urls-schemes: [http, https, ftp, mailto]
+ # Log the scheme of URLs that are extracted
+ # (default is no)
+ #log-url-scheme: yes
# Set to yes to compute the md5 of the mail body. You will then
# be able to journalize it.
body-md5: no
@@ -826,12 +979,15 @@
enabled: yes
detection-ports:
dp: 139, 445
+ # Maximum number of live SMB transactions per flow
+ # max-tx: 1024
# Stream reassembly size for SMB streams. By default track it completely.
#stream-depth: 0
nfs:
enabled: yes
+ # max-tx: 1024
tftp:
enabled: yes
dns:
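Review bot: The `# max-tx: 1024` line added under `nfs` has no description, unlike the parallel additions for `smb`, `dcerpc`, `pgsql` and `smtp` in this diff, which each carry a "Maximum number of live ... transactions per flow" comment. Adding `# Maximum number of live NFS transactions per flow` above it keeps the new per-protocol limits documented consistently.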
@@ -845,6 +1001,12 @@
dp: 53
http:
enabled: yes
+
+ # Byte Range Containers default settings
+ # byterange:
+ # memcap: 100mb
+ # timeout: 60
+
# memcap: Maximum memory capacity for HTTP
# Default is unlimited, values can be 64mb, e.g.
@@ -888,7 +1050,7 @@
# auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto
- # Decompress SWF files.
+ # Decompress SWF files. Disabled by default.
# Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
# compress-depth:
# Specifies the maximum amount of data to decompress,
@@ -897,7 +1059,7 @@
# Specifies the maximum amount of decompressed data to obtain,
# set 0 for unlimited.
swf-decompression:
- enabled: yes
+ enabled: no
type: both
compress-depth: 100kb
decompress-depth: 100kb
@@ -926,6 +1088,8 @@
#compression-bomb-limit: 1mb
# Maximum time spent decompressing a single transaction in usec
#decompression-time-limit: 100000
+ # Maximum number of live transactions per flow
+ #max-tx: 512
server-config:
@@ -989,11 +1153,14 @@
ntp:
enabled: yes
+ quic:
+ enabled: yes
+
dhcp:
enabled: yes
sip:
- enabled: yes
+ #enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
@@ -1033,6 +1200,22 @@
# group: suri
security:
+ # if true, prevents process creation from Suricata by calling
+ # setrlimit(RLIMIT_NPROC, 0)
+ limit-noproc: true
+ # Use landlock security module under Linux
+ landlock:
+ enabled: no
+ directories:
+ #write:
+ # - @e_rundir@
+ # /usr and /etc folders are added to read list to allow
+ # file magic to be used.
+ read:
+ - /usr/
+ - /etc/
+ - @e_sysconfdir@
+
lua:
# Allow Lua rules. Disabled by default.
#allow-rules: false
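Review bot: The landlock `read` list entry `- @e_sysconfdir@` is unquoted, whereas the top of this file quotes its substitution as `"@MAJOR_MINOR@"`; before configure substitution a bare `@` is a reserved YAML indicator, and after substitution the value is only safe if the expanded path contains no YAML specials, so `- "@e_sysconfdir@"` (and `# - "@e_rundir@"` in the commented write list) would match the file's own convention. The comment above the list explains why `/usr` and `/etc` are read-allowed but not what else Suricata needs when `landlock.enabled` is switched on — whether the log directory, rule paths and the like are added automatically or must be listed under `write`/`read` — and a sentence stating that would save an operator a failed start.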
@@ -1091,6 +1274,8 @@
#
# hash - Flow assigned to threads using the 5-7 tuple hash.
# ippair - Flow assigned to threads using addresses only.
+# ftp-hash - Flow assigned to threads using the hash, except for FTP, so that
+# ftp-data flows will be handled by the same thread
#
#autofp-scheduler: hash
@@ -1139,13 +1324,13 @@
# Exception Policies
#
# Define a common behavior for all exception policies.
-# Default is ignore.
+# In IPS mode, the default is drop-flow. For cases when that's not possible, the
+# engine will fall to drop-packet. To fallback to old behavior (setting each of
+# them individually, or ignoring all), set this to ignore.
# All values available for exception policies can be used, and there is one
-# extra option: auto - which means ignore (in Suricata 7.0 this changes to drop
-# in IPS mode).
-#
-# Exception policy values are: drop-packet, drop-flow, reject, bypass,
-# pass-packet, pass-flow, auto or ignore (disable).
+# extra option: auto - which means drop-flow or drop-packet (as explained above)
+# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet,
+# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
exception-policy: auto
# IP Reputation
@@ -1258,6 +1443,12 @@
vlan:
use-for-tracking: true
+# This option controls the use of livedev ids in the flow (and defrag)
+# hashing. This is enabled by default and should be disabled if
+# multiple live devices are used to capture traffic from the same network
+livedev:
+ use-for-tracking: true
+
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determines the seconds to wait after a handshake or
@@ -1329,7 +1520,7 @@
# # of checksum. You can control the handling of checksum
# # on a per-interface basis via the 'checksum-checks'
# # option
-# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
+# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread
# midstream: false # don't allow midstream session pickups
# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
# # "drop-packet", "pass-packet", "reject" or
@@ -1337,6 +1528,7 @@
# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
+# max-syn-queued: 10 # Max different SYNs to queue
# max-synack-queued: 5 # Max different SYN/ACKs to queue
# bypass: no # Bypass packets when stream.reassembly.depth is reached.
# # Warning: first side to reach this triggers
@@ -1435,10 +1627,6 @@
enabled: true
ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
- # VNTag decode support
- vntag:
- enabled: false
-
# Geneve decoder is assigned to up to 4 UDP ports. By default only the
# IANA assigned port 6081 is enabled.
geneve:
@@ -1604,9 +1792,9 @@
#
profiling:
# Run profiling for every X-th packet. The default is 1, which means we
- # profile every packet. If set to 1000, one packet is profiled for every
- # 1000 received.
- #sample-rate: 1000
+ # profile every packet. If set to 1024, one packet is profiled for every
+ # 1024 received. The sample rate must be a power of 2.
+ #sample-rate: 1024
# rule profiling
rules:
@@ -1691,7 +1879,7 @@
# accept the packet if Suricata is not able to keep pace.
# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
-# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
+# on packet of a flow that need to be bypassed. The Netfilter ruleset has to
# directly accept all packets of a flow once a packet has been marked.
nfq:
# mode: accept
@@ -1731,7 +1919,7 @@
#disable-offloading: false
#
# disable checksum validation. Same as setting '-k none' on the
- # commandline.
+ # command-line.
#checksum-validation: none
# Netmap support
@@ -1980,6 +2168,6 @@
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
-# You can specify more than 2 configuration files, if needed.
-#include: include1.yaml
-#include: include2.yaml
+#include:
+# - include1.yaml
+# - include2.yaml