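# Suricata settings for this deployment: a service toggle, Suricata's own pcap
# writer, and under `config` the body that is rendered into suricata.yaml.
# Scalars that begin with a YAML indicator (`%`, `!`) or that are not meant to
# be typed are quoted; everything else is left plain on purpose.
suricata:
  # Service toggle. Written as a canonical lowercase boolean to match the rest
  # of the file; the original `False` also loads as a boolean under PyYAML but
  # trips yamllint's `truthy` rule and reads as a different style.
  enabled: false

  # Suricata-side pcap writer. Disabled here, so any full packet capture is
  # expected to come from another component of the deployment (TODO confirm).
  pcap:
    enabled: false
    filesize: 1000mb
    maxsize: 25
    compression: "none"
    lz4-checksum: false
    lz4-level: 8
    # Quoted because a plain scalar may not start with `%`.
    filename: "%n/so-pcap.%t"
    mode: "multi"
    use-stream-depth: false
    conditional: "all"
    dir: "/nsm/suripcap"

  # Everything below is the suricata.yaml body.
  config:
    threading:
      set-cpu-affinity: false
      cpu-affinity:
        management-cpu-set:
          cpu:
            - 1
        worker-cpu-set:
          cpu:
            # A CPU range; the embedded `-` keeps it a plain string.
            - 2-3
          mode: exclusive
          prio:
            default: high

    af-packet:
      interface: bond0
      cluster-id: 59
      cluster-type: cluster_flow
      defrag: true
      use-mmap: true
      mmap-locked: false
      threads: 1
      tpacket-v3: true
      ring-size: 5000
      block-size: 69632
      block-timeout: 10
      use-emergency-flush: true
      buffer-size: 32768
      disable-promisc: false
      # Checksum verification is left to the kernel at capture time; see also
      # `stream.checksum-validation` below.
      checksum-checks: kernel

    vars:
      address-groups:
        # The three RFC 1918 ranges; every other group is derived from this.
        HOME_NET:
          - 192.168.0.0/16
          - 10.0.0.0/8
          - 172.16.0.0/12
        # `any` rather than `!$HOME_NET`: rules keyed on $EXTERNAL_NET will
        # also fire on internal-to-internal traffic.
        EXTERNAL_NET:
          - any
        HTTP_SERVERS:
          - $HOME_NET
        SMTP_SERVERS:
          - $HOME_NET
        SQL_SERVERS:
          - $HOME_NET
        DNS_SERVERS:
          - $HOME_NET
        TELNET_SERVERS:
          - $HOME_NET
        AIM_SERVERS:
          - $EXTERNAL_NET
        DC_SERVERS:
          - $HOME_NET
        DNP3_SERVER:
          - $HOME_NET
        DNP3_CLIENT:
          - $HOME_NET
        MODBUS_CLIENT:
          - $HOME_NET
        MODBUS_SERVER:
          - $HOME_NET
        ENIP_CLIENT:
          - $HOME_NET
        ENIP_SERVER:
          - $HOME_NET
      port-groups:
        HTTP_PORTS:
          - 80
        # Quoted because a plain scalar may not start with `!`.
        SHELLCODE_PORTS:
          - "!80"
        ORACLE_PORTS:
          - 1521
        SSH_PORTS:
          - 22
        DNP3_PORTS:
          - 20000
        MODBUS_PORTS:
          - 502
        FILE_DATA_PORTS:
          - $HTTP_PORTS
          - 110
          - 143
        FTP_PORTS:
          - 21
        VXLAN_PORTS:
          - 4789
        TEREDO_PORTS:
          - 3544
        SIP_PORTS:
          - 5060
          - 5061
        GENEVE_PORTS:
          - 6081

    # Base directory for outputs that use a relative `filename` (stats.log,
    # suricata.log, the profiling logs). EVE goes to /nsm via an absolute path.
    default-log-dir: /var/log/suricata/

    stats:
      enabled: true
      interval: 30

    outputs:
      fast:
        enabled: false
        filename: fast.log
        append: true

      eve-log:
        enabled: true
        filetype: regular
        # strftime placeholders; the `:` is not followed by a space, so this
        # stays a single plain scalar.
        filename: /nsm/eve-%Y-%m-%d-%H:%M.json
        rotate-interval: hour
        pcap-file: false
        community-id: true
        # Any other tool that computes Community ID for correlation must use
        # the same seed.
        community-id-seed: 0
        types:
          alert:
            # No base64 payload, but the printable form of the alerting packet
            # payload is written into every alert record.
            payload: false
            payload-buffer-size: 4kb
            payload-printable: true
            packet: true
            metadata:
              app-layer: false
              flow: false
              rule:
                metadata: true
                # The raw rule text is embedded in each alert.
                raw: true
            tagged-packets: false
            xff:
              enabled: false
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For

      unified2-alert:
        enabled: false

      tls-store:
        enabled: false

      alert-debug:
        enabled: false

      alert-prelude:
        enabled: false

      stats:
        enabled: true
        filename: stats.log
        append: true
        totals: true
        threads: false
        null-values: true

      drop:
        enabled: false

      file-store:
        version: 2
        enabled: false
        xff:
          enabled: false
          mode: extra-data
          deployment: reverse
          header: X-Forwarded-For

      tcp-data:
        enabled: false
        type: file
        filename: tcp-data.log

      http-body-data:
        enabled: false
        type: file
        filename: http-data.log

      lua:
        enabled: false
        # Intentionally empty (loads as null); unused while `enabled` is false.
        scripts:

    logging:
      default-log-level: notice
      outputs:
        - console:
            enabled: true
        - file:
            enabled: true
            level: info
            filename: suricata.log
        - syslog:
            enabled: false
            facility: local5
            # Quoted because a plain scalar may not start with `[`.
            format: "[%i] <%d> -- "

    app-layer:
      protocols:
        krb5:
          enabled: true
        snmp:
          enabled: true
        ikev2:
          enabled: true
        tls:
          enabled: true
          detection-ports:
            dp: 443
          ja3-fingerprints: auto
          ja4-fingerprints: auto
          # Once the handshake is done the session is tracked but the
          # encrypted payload is not inspected.
          encryption-handling: track-only
        dcerpc:
          enabled: true
        ftp:
          enabled: true
        rdp:
          enabled: true
        ssh:
          enabled: true
        smtp:
          enabled: true
          raw-extraction: false
          mime:
            decode-mime: true
            decode-base64: true
            decode-quoted-printable: true
            header-value-depth: 2000
            extract-urls: true
            body-md5: false
          inspected-tracker:
            content-limit: 100000
            content-inspect-min-size: 32768
            content-inspect-window: 4096
        imap:
          enabled: detection-only
        smb:
          enabled: true
          detection-ports:
            # A comma-separated list is a single plain string for Suricata.
            dp: 139, 445
        nfs:
          enabled: true
        tftp:
          enabled: true
        dns:
          global-memcap: 16mb
          state-memcap: 512kb
          request-flood: 500
          tcp:
            enabled: true
            detection-ports:
              dp: 53
          udp:
            enabled: true
            detection-ports:
              dp: 53
        http:
          enabled: true
          libhtp:
            default-config:
              personality: IDS
              request-body-limit: 100 KiB
              response-body-limit: 100 KiB
              request-body-minimal-inspect-size: 32 KiB
              request-body-inspect-window: 4 KiB
              response-body-minimal-inspect-size: 40 KiB
              response-body-inspect-window: 16 KiB
              response-body-decompress-layer-limit: 2
              http-body-inline: auto
              swf-decompression:
                enabled: false
                type: both
                compress-depth: 100 KiB
                decompress-depth: 100 KiB
              randomize-inspection-sizes: true
              randomize-inspection-range: 10
              double-decode-path: false
              double-decode-query: false
            # Intentionally empty (loads as null): no per-server personalities.
            server-config:
        modbus:
          enabled: true
          detection-ports:
            dp: 502
          stream-depth: 0
        dnp3:
          enabled: true
          detection-ports:
            dp: 20000
        enip:
          enabled: true
          detection-ports:
            dp: 44818
            sp: 44818
        ntp:
          enabled: true
        dhcp:
          enabled: true
        sip:
          enabled: true
        rfb:
          enabled: true
          detection-ports:
            dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
        mqtt:
          enabled: false
        http2:
          enabled: true

    asn1-max-frames: 256

    # Drop privileges after capture setup.
    run-as:
      user: suricata
      group: suricata

    coredump:
      max-dump: unlimited

    host-mode: auto
    max-pending-packets: 5000
    runmode: workers
    # Sized for jumbo frames on the capture interface.
    default-packet-size: 9014

    # Control socket for suricatasc-style management.
    unix-command:
      enabled: auto

    legacy:
      uricontent: enabled

    engine-analysis:
      rules-fast-pattern: true
      rules: true

    pcre:
      match-limit: 3500
      match-limit-recursion: 1500

    # Every host is treated with the Windows policy when resolving
    # overlapping-segment ambiguity; the remaining policies are unused.
    host-os-policy:
      windows: [0.0.0.0/0]
      bsd: []
      bsd-right: []
      old-linux: []
      linux: []
      old-solaris: []
      solaris: []
      hpux10: []
      hpux11: []
      irix: []
      macos: []
      vista: []
      windows2k3: []

    defrag:
      memcap: 32mb
      hash-size: 65536
      trackers: 65535
      max-frags: 65535
      prealloc: true
      timeout: 60

    flow:
      memcap: 128mb
      hash-size: 65536
      prealloc: 10000
      emergency-recovery: 30

    vlan:
      use-for-tracking: true

    flow-timeouts:
      default:
        new: 30
        established: 300
        closed: 0
        bypassed: 100
        emergency-new: 10
        emergency-established: 100
        emergency-closed: 0
        emergency-bypassed: 50
      tcp:
        new: 60
        established: 600
        closed: 60
        bypassed: 100
        emergency-new: 5
        emergency-established: 100
        emergency-closed: 10
        emergency-bypassed: 50
      udp:
        new: 30
        established: 300
        bypassed: 100
        emergency-new: 10
        emergency-established: 100
        emergency-bypassed: 50
      icmp:
        new: 30
        established: 300
        bypassed: 100
        emergency-new: 10
        emergency-established: 100
        emergency-bypassed: 50

    stream:
      memcap: 64mb
      checksum-validation: true
      inline: auto
      reassembly:
        memcap: 256mb
        # Per-direction reassembly limit; content past it is not inspected.
        depth: 1mb
        toserver-chunk-size: 2560
        toclient-chunk-size: 2560
        randomize-chunk-size: true

    host:
      hash-size: 4096
      prealloc: 1000
      memcap: 32mb

    decoder:
      teredo:
        enabled: true
        ports: $TEREDO_PORTS
      vxlan:
        enabled: true
        ports: $VXLAN_PORTS
      geneve:
        enabled: true
        ports: $GENEVE_PORTS
      max-layers: 16
      recursion-level:
        use-for-tracking: true

    detect:
      profile: medium
      custom-values:
        toclient-groups: 3
        toserver-groups: 25
      sgh-mpm-context: auto
      inspection-recursion-limit: 3000
      prefilter:
        default: mpm
      # Intentionally empty (loads as null): no port whitelists.
      grouping:
      profiling:
        grouping:
          dump-to-disk: false
          include-rules: false
          include-mpm-stats: false

    mpm-algo: auto
    spm-algo: auto

    luajit:
      states: 128

    # Lua in rules is disallowed; the limits below only apply if that changes.
    security:
      lua:
        allow-rules: false
        max-bytes: 500000
        max-instructions: 500000
        allow-restricted-functions: false

    # Rule/keyword/prefilter/rulegroup/packet profiling is on; this costs
    # throughput and is usually a build-time option, so confirm it is wanted
    # on production sensors.
    profiling:
      rules:
        enabled: true
        filename: rule_perf.log
        append: true
        limit: 10
        json: true
      keywords:
        enabled: true
        filename: keyword_perf.log
        append: true
      prefilter:
        enabled: true
        filename: prefilter_perf.log
        append: true
      rulegroups:
        enabled: true
        filename: rule_group_perf.log
        append: true
      packets:
        enabled: true
        filename: packet_stats.log
        append: true
        csv:
          enabled: false
          filename: packet_stats.csv
      locks:
        enabled: false
        filename: lock_stats.log
        append: true
      pcap-log:
        enabled: false
        filename: pcaplog_stats.log
        append: true

    default-rule-path: /etc/suricata/rules
    rule-files:
      - all-rulesets.rules
    classification-file: /etc/suricata/classification.config
    reference-config-file: /etc/suricata/reference.config
    threshold-file: /etc/suricata/threshold.conf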