Merge pull request #809 from Security-Onion-Solutions/feature/metasuri

Suricata 5 Meta Data
2025-12-06 17:22:49 +01:00 · 2020-06-01 11:05:38 -04:00
parent 551c663046 03f34404b1
commit b091fe07c9
1 changed files with 259 additions and 307 deletions
--- a/salt/suricata/files/suricataMETA.yaml
+++ b/salt/suricata/files/suricataMETA.yaml
@@ -3,6 +3,8 @@
    {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
    {%- if grains['role'] == 'so-eval' %}
    {%- set MTU = 1500 %}
    {%- elif grains['role'] == 'so-helix' %}
    {%- set MTU = 9000 %}
    {%- else %}
    {%- set MTU = salt['pillar.get']('sensor:mtu', '1500') %}
    {%- endif %}
@@ -23,6 +25,11 @@ vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[{{ homenet }}]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"
@@ -49,6 +56,8 @@ vars:
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
 ##
 ## Step 2: select outputs to enable
@@ -64,9 +73,12 @@ stats:
  enabled: yes
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
-  interval: 8
+  interval: 30
  # Add decode events as stats.
  #decoder-events: true
  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
  # to missing events in the eve.stats records. See issue #2225.
  #decoder-events-prefix: "decoder.event"
  # Add stream events as stats.
  #stream-events: false
@@ -83,18 +95,35 @@ outputs:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
-      filename: eve.json
+      filename: /nsm/eve.json
      rotate-interval: hour
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting as to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer
      # Include top level metadata. Default yes.
      #metadata: no
      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false
      # Community Flow ID
@@ -106,7 +135,7 @@ outputs:
      # to make the id less predictable.
      # enable/disable the community id feature.
-      community-id: false
+      community-id: true
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0
@@ -130,36 +159,76 @@ outputs:
      types:
        - alert:
-            # payload: yes             # enable dumping payload in Base64
+            payload: no             # enable dumping payload in Base64
-            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
-            # payload-printable: yes   # enable dumping payload in printable (lossy) format
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
-            # packet: yes              # enable dumping of packet (without stream segments)
+            packet: yes              # enable dumping of packet (without stream segments)
-            # http-body: yes           # enable dumping of http body in Base64
+            metadata: 
-            # http-body-printable: yes # enable dumping of http body in printable format
+                app-layer: false
-            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
+                flow: false
                rule:
                  metadata: true
                  raw: true
            # http-body: yes           # Requires metadata; enable dumping of http body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: no
        - anomaly:
            # Anomaly log records describe unexpected conditions such
            # as truncated packets, packets with invalid IP/UDP/TCP
            # length values, and other events that render the packet
            # invalid for further processing or describe unexpected
            # behavior on an established stream. Networks which
            # experience high occurrences of anomalies may experience
            # packet processing degradation.
            #
            # Anomalies are reported for the following:
            # 1. Decode: Values and conditions that are detected while
            # decoding individual packets. This includes invalid or
            # unexpected values for low-level protocol lengths as well
            # as stream related events (TCP 3-way handshake issues,
            # unexpected sequence number, etc).
            # 2. Stream: This includes stream related events (TCP
            # 3-way handshake issues, unexpected sequence number,
            # etc).
            # 3. Application layer: These denote application layer
            # specific conditions that are unexpected, invalid or are
            # unexpected given the application monitoring state.
            #
            # By default, anomaly logging is disabled. When anomaly
            # logging is enabled, applayer anomaly reporting is
            # enabled.
            enabled: no
            #
            # Choose one or more types of anomaly logging and whether to enable
            # logging of the packet header for packet anomalies.
            types:
               decode: no
               stream: no
               applayer: yes
            packethdr: no
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
            # set this value to one and only one among {both, request, response}
            # to dump all http headers for every http request and/or response
            # dump-all-headers: none
        - dns:
            # This configuration uses the new DNS logging format,
            # the old configuration is still available:
-            # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+            # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
-            # Use version 2 logging with the new format:
+
-            # DNS answers will be logged in one single event
+            # As of Suricata 5.0, version 2 of the eve dns output
-            # rather than an event for each of it.
+            # format is the default.
            # Without setting a version the version
            # will fallback to 1 for backwards compatibility.
            # Note: version 1 is not available with rust enabled
            version: 2
            # Enable/disable this logger. Default: enabled.
-            #enabled: no
+            enabled: yes
            # Control logging of requests and responses:
            # - requests: enable logging of DNS queries
@@ -174,8 +243,8 @@ outputs:
            # Default: all
            #formats: [detailed, grouped]
-            # Answer types to log.
+            # Types to log, based on the query type.
-            # Default: all
+            # Default: all.
            #types: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: yes     # enable this for extended logging information
@@ -184,7 +253,7 @@ outputs:
            #session-resumption: no
            # custom allows to control which tls fields that are included
            # in eve-log
-            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
+            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
@@ -207,20 +276,23 @@ outputs:
            # to yes
            #md5: [body, subject]
-        #- dnp3
+        - dnp3
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - krb5
        - snmp
        - sip
        - dhcp:
            # DHCP logging requires Rust.
            enabled: yes
            # When extended mode is on, all DHCP messages are logged
            # with full detail. When extended mode is off (the
            # default), just enough information to map a MAC address
            # to an IP address is logged.
-            extended: no
+        #    extended: no
        - ssh
        #- stats:
        #    totals: yes       # stats for all threads merged together
@@ -236,47 +308,11 @@ outputs:
        # flowints.
        #- metadata
-  # alert output for use with Barnyard2
+  # deprecated - unified2 alert format for use with Barnyard2
  - unified2-alert:
      enabled: no
-      filename: unified2.alert
+      # for further options see:
-
+      # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert
      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      #limit: 32mb
      # By default unified2 log files have the file creation time (in
      # unix epoch format) appended to the filename. Set this to yes to
      # disable this behaviour.
      #nostamp: no
      # Sensor ID field of unified2 alerts.
      #sensor-id: 0
      # Include payload of packets related to alerts. Defaults to true, set to
      # false if payload is not required.
      #payload: yes
      # HTTP X-Forwarded-For support by adding the unified2 extra header or
      # overwriting the source or destination IP address (depending on flow
      # direction) with the one reported in the X-Forwarded-For HTTP header.
      # This is helpful when reviewing alerts for traffic that is being reverse
      # or forward proxied.
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version of the packet
        # received, it will fall-back to "extra-data" mode.
        mode: extra-data
        # Two proxy deployments are supported, "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported, if more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For
  # a line based log of HTTP requests (no alerts)
  - http-log:
@@ -285,6 +321,7 @@ outputs:
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: ""
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # a line based log of TLS handshake parameters (no alerts)
@@ -294,6 +331,7 @@ outputs:
      append: yes
      #extended: yes     # Log extended information like fingerprint
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: ""
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      # output TLS transaction where the session is resumed using a
      # session id
@@ -304,14 +342,6 @@ outputs:
      enabled: no
      #certs-log-dir: certs # directory to store the certificates files
  # a line based log of DNS requests and/or replies (no alerts)
  # Note: not available when Rust is enabled (--enable-rust).
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # Packet log... log packets in pcap format. 3 modes of operation: "normal"
  # "multi" and "sguil".
  #
@@ -382,7 +412,7 @@ outputs:
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-  # alert output to prelude (http://www.prelude-technologies.com/) only
+  # alert output to prelude (https://www.prelude-siem.org/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
@@ -397,7 +427,7 @@ outputs:
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
-      #null-values: yes  # print counters that have value 0
+      null-values: yes  # print counters that have value 0
  # a line based alerts log similar to fast.log into syslog
  - syslog:
@@ -409,12 +439,11 @@ outputs:
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
-  # a line based information for dropped packets in IPS mode
+  # deprecated a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
-      filename: drop.log
+      # further options documented at:
-      append: yes
+      # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # Output module for storing files on disk. Files are stored in a
  # directory names consisting of the first 2 characters of the
@@ -481,58 +510,18 @@ outputs:
        # one taken into consideration.
        header: X-Forwarded-For
-  # output module to store extracted files to disk (old style, deprecated)
+  # deprecated - file-store v1
  #
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created. Before they are finalized, they will
  # have a ".tmp" suffix to indicate that they are still being processed.
  #
  # If include-pid is yes, then the files are instead "file.<pid>.<id>", with
  # meta files named as "file.<pid>.<id>.meta"
  #
  # File extraction depends on a lot of things to be fully done:
  # - file-store stream-depth. For optimal results, set this to 0 (unlimited)
  # - http request / response body sizes. Again set to 0 for optimal results.
  # - rules that contain the "filestore" keyword.
  - file-store:
      enabled: no       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]
      force-filestore: no # force storing of all files
      # override global stream-depth for sessions in which we want to
      # perform file extraction. Set to 0 for unlimited.
      #stream-depth: 0
      #waldo: file.waldo # waldo file to store the file_id across runs
      # uncomment to disable meta file writing
      #write-meta: no
      # uncomment the following variable to define how many files can
      # remain open for filestore by Suricata. Default value is 0 which
      # means files get closed after each write
      #max-open-files: 1000
      include-pid: no # set to yes to include pid in file names
  # output module to log files tracked in a easily parsable JSON format
  - file-log:
      enabled: no
-      filename: files-json.log
+      # further options documented at:
-      append: yes
+      # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      force-magic: no   # force logging magic on all logged files
      # force logging of checksums, available hash functions are md5,
      # sha1 and sha256
      #force-hash: [md5]
  # Log TCP data after stream normalization
  # 2 types: file or dir. File logs into a single logfile. Dir creates
  # 2 files per TCP session and stores the raw TCP data into them.
  # Using 'both' will enable both file and dir modes.
  #
-  # Note: limited by stream.depth
+  # Note: limited by stream.reassembly.depth
  - tcp-data:
      enabled: no
      type: file
@@ -591,10 +580,14 @@ logging:
  - file:
      enabled: yes
      level: info
-      filename: /var/log/suricata/suricata.log
+      filename: suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      # type: json
 ##
 ## Step 4: configure common capture settings
@@ -613,16 +606,11 @@ af-packet:
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible value are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are send to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same
    #  socket. Requires at least Linux 3.14.
-    #  * cluster_random: packets are sent randomly to sockets but with an equipartition.
+    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for
    #  Requires at least Linux 3.14.
    #  * cluster_rollover: kernel rotates between sockets filling each socket before moving
    #  to the next. Requires at least Linux 3.10.
    #  * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture/ebpf-xdt.rst for
    #  more info.
    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
    # with capture card using RSS (require cpu affinity tuning and system irq tuning)
@@ -630,12 +618,8 @@ af-packet:
    # In some fragmentation case, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
    # full then kernel will send the packet on the next socket with room available. This option
    # can minimize packet drop and increase the treated bandwidth on single intensive flow.
    #rollover: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
-    #use-mmap: yes
+    use-mmap: yes
    # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock
    # your system
    #mmap-locked: yes
@@ -683,14 +667,13 @@ af-packet:
    #copy-mode: ips
    #copy-iface: eth1
    #  For eBPF and XDP setup including bypass, filter and load balancing, please
-    #  see doc/userguide/capture/ebpf-xdt.rst for more info.
+    #  see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.
  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    #use-mmap: no
    #rollover: yes
    #tpacket-v3: yes
 # Cross platform libpcap capture support
@@ -753,6 +736,8 @@ app-layer:
  protocols:
    krb5:
      enabled: yes
    snmp:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
@@ -760,8 +745,9 @@ app-layer:
      detection-ports:
        dp: 443
-      # Generate JA3 fingerprint from client hello
+      # Generate JA3 fingerprint from client hello. If not specified it
-      ja3-fingerprints: yes
+      # will be disabled by default, but enabled if rules require it.
      #ja3-fingerprints: auto
      # What to do when the encrypted communications start:
      # - default: keep tracking TLS session, check for protocol anomalies,
@@ -775,17 +761,21 @@ app-layer:
      #
      # For best performance, select 'bypass'.
      #
-      #encrypt-handling: default
+      #encryption-handling: default
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
      # memcap: 64mb
    # RDP, disabled by default.
    rdp:
      #enabled: no
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
@@ -814,10 +804,6 @@ app-layer:
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    # Note: --enable-rust is required for full SMB1/2 support. W/o rust
    # only minimal SMB1 support is available.
    smb:
      enabled: yes
      detection-ports:
@@ -826,8 +812,6 @@ app-layer:
      # Stream reassembly size for SMB streams. By default track it completely.
      #stream-depth: 0
    # Note: NFS parser depends on Rust support: pass --enable-rust
    # to configure.
    nfs:
      enabled: yes
    tftp:
@@ -851,7 +835,8 @@ app-layer:
          dp: 53
    http:
      enabled: yes
-      # memcap: 64mb
+      # memcap:                   Maximum memory capacity for http
      #                           Default is unlimited, value can be such as 64mb
      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
@@ -859,37 +844,15 @@ app-layer:
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      #   For advanced options, see the user guide
      # server-config:            List of server configurations to use if address matches
      #   address:                List of IP addresses or networks for this block
      #   personalitiy:           List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
-      #   uri-include-all:        Include all parts of the URI. By default the
+      #                           Then, all the fields from default-config can be overloaded
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
@@ -943,6 +906,15 @@ app-layer:
           double-decode-path: no
           double-decode-query: no
           # Can disable LZMA decompression
           #lzma-enabled: yes
           # Memory limit usage for LZMA decompression dictionary
           # Data is decompressed until dictionary reaches this size
           #lzma-memlimit: 1mb
           # Maximum decompressed size with a compression ratio
           # above 2048 (only LZMA can reach this ratio, deflate cannot)
           #compression-bomb-limit: 1mb
         server-config:
           #- apache:
@@ -1002,13 +974,16 @@ app-layer:
        dp: 44818
        sp: 44818
    # Note: parser depends on Rust support
    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    # SIP, disabled by default.
    sip:
      #enabled: no
 # Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256
@@ -1024,9 +999,9 @@ asn1-max-frames: 256
 ##
 # Run suricata as user and group.
-#run-as:
+run-as:
-#  user: suri
+  user: suricata
-#  group: suri
+  group: suricata
 # Some logging module will use that name in event as identifier. The default
 # value is the hostname
@@ -1069,29 +1044,26 @@ host-mode: auto
 # Number of packets preallocated per thread. The default is 1024. A higher number
 # will make sure each CPU will be more easily kept busy, but may negatively
 # impact caching.
-#max-pending-packets: 1024
+max-pending-packets: 5000
 # Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
+# runmodes for each packet acquisition method. Default depends on selected capture
-# load balancing).
+# method. 'workers' generally gives best performance.
 runmode: workers
 # Specifies the kind of flow load balancer used by the flow pinned autofp mode.
 #
 # Supported schedulers are:
 #
-# round-robin       - Flows assigned to threads in a round robin fashion.
+# hash     - Flow assigned to threads using the 5-7 tuple hash.
-# active-packets    - Flows assigned to threads that have the lowest number of
+# ippair   - Flow assigned to threads using addresses only.
 #                     unprocessed packets (default).
 # hash              - Flow allocated using the address hash. More of a random
 #                     technique. Was the default in Suricata 1.2.1 and older.
 #
-#autofp-scheduler: active-packets
+#autofp-scheduler: hash
 # Preallocated size for packet. Default is 1514 which is the classical
 # size for pcap on ethernet. You should adjust this value to the highest
 # packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
+default-packet-size: {{ MTU + 15 }}
 # Unix command socket can be used to pass commands to Suricata.
 # An external tool can then connect to get information from Suricata
@@ -1107,6 +1079,10 @@ unix-command:
 #magic-file: /usr/share/file/magic
 #magic-file:
 # GeoIP2 database file. Specify path and filename of GeoIP2 database
 # if using rules with "geoip" rule option.
 #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb
 legacy:
  uricontent: enabled
@@ -1300,7 +1276,9 @@ flow-timeouts:
 #   inline: no                  # stream inline mode
 #   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
 #   max-synack-queued: 5        # Max different SYN/ACKs to queue
-#   bypass: no                  # Bypass packets when stream.depth is reached
+#   bypass: no                  # Bypass packets when stream.reassembly.depth is reached.
 #                               # Warning: first side to reach this triggers
 #                               # the bypass.
 #
 #   reassembly:
 #     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
@@ -1373,9 +1351,22 @@ host:
 decoder:
  # Teredo decoder is known to not be completely accurate
-  # it will sometimes detect non-teredo as teredo.
+  # as it will sometimes detect non-teredo as teredo.
  teredo:
    enabled: true
    # ports to look for Teredo. Max 4 ports. If no ports are given, or
    # the value is set to 'any', Teredo detection runs on _all_ UDP packets.
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the
  # IANA assigned port 4789 is enabled.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '8472, 4789'
  # ERSPAN Type I decode support
  erspan:
    typeI:
      enabled: false
 ##
@@ -1484,19 +1475,26 @@ threading:
  {%- if salt['pillar.get']('sensor:suriprocs') %}
  cpu-affinity:
    - management-cpu-set:
-        cpu: [ all ]  # include only these cpus in affinity settings
+        cpu: [ all ]  # include only these CPUs in affinity settings
    - receive-cpu-set:
-        cpu: [ all ]  # include only these cpus in affinity settings
+        cpu: [ all ]  # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        # Use explicitely 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        threads: {{ salt['pillar.get']('sensor:suriprocs') }}
        prio:
-          default: "medium"
+          low: [ 0 ]
-  {% endif %}
+          medium: [ "1-2" ]
-
+          high: [ 3 ]
          default: "high"
    #- verdict-cpu-set:
    #    cpu: [ 0 ]
    #    prio:
    #      default: "high"
  {%- endif -%}
  {%- if salt['pillar.get']('sensor:suripins') %}
  cpu-affinity:
    - management-cpu-set:
@@ -1512,6 +1510,8 @@ threading:
        prio:
          default: "high"
  {% endif %}
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
@@ -1545,7 +1545,7 @@ profiling:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
-    enabled: no
+    enabled: yes
    filename: rule_perf.log
    append: yes
@@ -1668,7 +1668,7 @@ capture:
 # Netmap support
 #
-# Netmap operates with NIC directly in driver, so you need FreeBSD which have
+# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have
 # built-in netmap support or compile and install netmap module and appropriate
 # NIC driver on your Linux system.
 # To reach maximum throughput disable all receive-, segmentation-,
@@ -1680,7 +1680,9 @@ capture:
 netmap:
   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
 - interface: eth2
-   # Number of receive threads. "auto" uses number of RSS queues on interface.
+   # Number of capture threads. "auto" uses number of RSS queues on interface.
   # Warning: unless the RSS hashing is symmetrical, this will lead to
   # accuracy issues.
   #threads: auto
   # You can use the following variables to activate netmap tap or IPS mode.
   # If copy-mode is set to ips or tap, the traffic coming to the current
@@ -1793,45 +1795,63 @@ napatech:
    # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
    # This may be enabled when sharing streams with another application.
    # Otherwise, it should be turned off.
-    hba: -1
+    #hba: -1
-    # use_all_streams set to "yes" will query the Napatech service for all configured
+    # When use_all_streams is set to "yes" the initialization code will query
-    # streams and listen on all of them. When set to "no" the streams config array
+    # the Napatech service for all configured streams and listen on all of them.
-    # will be used.
+    # When set to "no" the streams config array will be used.
-    use-all-streams: yes
+    #
    # This option necessitates running the appropriate NTPL commands to create
    # the desired streams prior to running suricata.
    #use-all-streams: no
-    # The streams to listen on.  This can be either:
+    # The streams to listen on when auto-config is disabled or when and threading
-    #   a list of individual streams (e.g. streams: [0,1,2,3])
+    # cpu-affinity is disabled.  This can be either:
    #   an individual stream (e.g. streams: [0])
    # or
    #   a range of streams (e.g. streams: ["0-3"])
    #
    streams: ["0-3"]
-# Tilera mpipe configuration. for use on Tilera TILE-Gx.
+    # When auto-config is enabled the streams will be created and assigned
-mpipe:
+    # automatically to the NUMA node where the thread resides.  If cpu-affinity
    # is enabled in the threading section.  Then the streams will be created
    # according to the number of worker threads specified in the worker cpu set.
    # Otherwise, the streams array is used to define the streams.
    #
    # This option cannot be used simultaneous with "use-all-streams".
    #
    auto-config: yes
-  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
+    # Ports indicates which napatech ports are to be used in auto-config mode.
-  load-balance: dynamic
+    # these are the port ID's of the ports that will be merged prior to the
    # traffic being distributed to the streams.
    #
    # This can be specified in any of the following ways:
    #
    #   a list of individual ports (e.g. ports: [0,1,2,3])
    #
    #   a range of ports (e.g. ports: [0-3])
    #
    #   "all" to indicate that all ports are to be merged together
    #   (e.g. ports: [all])
    #
    # This has no effect if auto-config is disabled.
    #
    ports: [all]
-  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
+    # When auto-config is enabled the hashmode specifies the algorithm for
-  iqueue-packets: 2048
+    # determining to which stream a given packet is to be delivered.
-
+    # This can be any valid Napatech NTPL hashmode command.
-  # List of interfaces we will listen on.
+    #
-  inputs:
+    # The most common hashmode commands are:  hash2tuple, hash2tuplesorted,
-  - interface: xgbe2
+    # hash5tuple, hash5tuplesorted and roundrobin.
-  - interface: xgbe3
+    #
-  - interface: xgbe4
+    # See Napatech NTPL documentation other hashmodes and details on their use.
-
+    #
-
+    # This has no effect if auto-config is disabled.
-  # Relative weight of memory for packets of each mPipe buffer size.
+    #
-  stack:
+    hashmode: hash5tuplesorted
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0
 ##
 ## Configure Suricata to load Suricata-Update managed rules.
@@ -1841,78 +1861,10 @@ mpipe:
 ##
 default-rule-path: /etc/suricata/rules
 rule-files:
  - all.rules
 ##
 ## Advanced rule file configuration.
 ##
 ## If this section is completely commented out then your configuration
 ## is setup for suricata-update as it was most likely bundled and
 ## installed with Suricata.
 ##
 #default-rule-path: /var/lib/suricata/rules
 #rule-files:
 # - botcc.rules
 # # - botcc.portgrouped.rules
 # - ciarmy.rules
 # - compromised.rules
 # - drop.rules
 # - dshield.rules
 ## - emerging-activex.rules
 # - emerging-attack_response.rules
 # - emerging-chat.rules
 # - emerging-current_events.rules
 # - emerging-dns.rules
 # - emerging-dos.rules
 # - emerging-exploit.rules
 # - emerging-ftp.rules
 ## - emerging-games.rules
 ## - emerging-icmp_info.rules
 ## - emerging-icmp.rules
 # - emerging-imap.rules
 ## - emerging-inappropriate.rules
 ## - emerging-info.rules
 # - emerging-malware.rules
 # - emerging-misc.rules
 # - emerging-mobile_malware.rules
 # - emerging-netbios.rules
 # - emerging-p2p.rules
 # - emerging-policy.rules
 # - emerging-pop3.rules
 # - emerging-rpc.rules
 ## - emerging-scada.rules
 ## - emerging-scada_special.rules
 # - emerging-scan.rules
 ## - emerging-shellcode.rules
 # - emerging-smtp.rules
 # - emerging-snmp.rules
 # - emerging-sql.rules
 # - emerging-telnet.rules
 # - emerging-tftp.rules
 # - emerging-trojan.rules
 # - emerging-user_agents.rules
 # - emerging-voip.rules
 # - emerging-web_client.rules
 # - emerging-web_server.rules
 ## - emerging-web_specific_apps.rules
 # - emerging-worm.rules
 # - tor.rules
 ## - decoder-events.rules # available in suricata sources under rules dir
 ## - stream-events.rules  # available in suricata sources under rules dir
 # - http-events.rules    # available in suricata sources under rules dir
 # - smtp-events.rules    # available in suricata sources under rules dir
 # - dns-events.rules     # available in suricata sources under rules dir
 # - tls-events.rules     # available in suricata sources under rules dir
 ## - modbus-events.rules  # available in suricata sources under rules dir
 ## - app-layer-events.rules  # available in suricata sources under rules dir
 ## - dnp3-events.rules       # available in suricata sources under rules dir
 ## - ntp-events.rules       # available in suricata sources under rules dir
 ## - ipsec-events.rules       # available in suricata sources under rules dir
 ## - kerberos-events.rules       # available in suricata sources under rules dir
 ##
 ## Auxiliary configuration files.
 ##