suricata: enabled: description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture. helpLink: suricata.html thresholding: sids__yaml: description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules. syntax: yaml file: True global: True multiline: True title: SIDS helpLink: suricata.html readonlyUi: True advanced: True classification: classification__config: description: Classifications config file. file: True global: True multiline: True title: Classifications helpLink: suricata.html pcap: filesize: description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time. advanced: True helpLink: suricata.html maxsize: description: Maximum size in GB for total disk usage of all PCAP files written by Suricata. helpLink: suricata.html compression: description: Enable compression of Suricata PCAP files. advanced: True helpLink: suricata.html lz4-checksum: description: Enable PCAP lz4 checksum. advanced: True helpLink: suricata.html lz4-level: description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression. advanced: True helpLink: suricata.html filename: description: Filename output for Suricata PCAP files. advanced: True readonly: True helpLink: suricata.html mode: description: Suricata PCAP mode. Currently only multi is supported. advanced: True readonly: True helpLink: suricata.html use-stream-depth: description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth. advanced: True regex: ^(yes|no)$ regexFailureMessage: You must enter either yes or no. helpLink: suricata.html conditional: description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. regex: ^(all|alerts|tag)$ regexFailureMessage: You must enter either all, alert or tag. helpLink: suricata.html dir: description: Parent directory to store PCAP. advanced: True readonly: True helpLink: suricata.html config: af-packet: interface: description: The network interface that Suricata will monitor. This is set under sensor > interface. advanced: True readonly: True helpLink: suricata.html cluster-id: advanced: True cluster-type: advanced: True regex: ^(cluster_flow|cluster_qm)$ defrag: advanced: True regex: ^(yes|no)$ use-mmap: advanced: True readonly: True mmap-locked: description: Prevent swapping by locking the memory map. advanced: True regex: ^(yes|no)$ helpLink: suricata.html threads: description: The amount of worker threads. helpLink: suricata.html forcedType: int tpacket-v3: advanced: True readonly: True ring-size: description: Buffer size for packets per thread. forcedType: int helpLink: suricata.html block-size: description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size. advanced: True forcedType: int helpLink: suricata.html block-timeout: description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace. advanced: True forcedType: int helpLink: suricata.html use-emergency-flush: description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. advanced: True regex: ^(yes|no)$ helpLink: suricata.html buffer-size: description: Increasing the value of the receive buffer may improve performance. advanced: True forcedType: int helpLink: suricata.html disable-promisc: description: Promiscuous mode can be disabled by setting this to "yes". advanced: True regex: ^(yes|no)$ helpLink: suricata.html checksum-checks: description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." advanced: True regex: ^(kernel|yes|no|auto)$ helpLink: suricata.html threading: set-cpu-affinity: description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. regex: ^(yes|no)$ regexFailureMessage: You must enter either yes or no. helpLink: suricata.html cpu-affinity: management-cpu-set: cpu: description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. forcedType: "[]string" helpLink: suricata.html worker-cpu-set: cpu: description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. forcedType: "[]string" helpLink: suricata.html vars: address-groups: HOME_NET: description: Assign a list of hosts, or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$ regexFailureMessage: You must enter a valid IP address or CIDR. forcedType: "[]string" duplicates: True helpLink: suricata.html EXTERNAL_NET: &suriaddressgroup description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. forcedType: "[]string" duplicates: True helpLink: suricata.html HTTP_SERVERS: *suriaddressgroup SMTP_SERVERS: *suriaddressgroup SQL_SERVERS: *suriaddressgroup DNS_SERVERS: *suriaddressgroup TELNET_SERVERS: *suriaddressgroup AIM_SERVERS: *suriaddressgroup DC_SERVERS: *suriaddressgroup DNP3_SERVER: *suriaddressgroup DNP3_CLIENT: *suriaddressgroup MODBUS_CLIENT: *suriaddressgroup MODBUS_SERVER: *suriaddressgroup ENIP_CLIENT: *suriaddressgroup ENIP_SERVER: *suriaddressgroup port-groups: HTTP_PORTS: &suriportgroup description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. forcedType: "[]string" duplicates: True helpLink: suricata.html SHELLCODE_PORTS: *suriportgroup ORACLE_PORTS: *suriportgroup SSH_PORTS: *suriportgroup DNP3_PORTS: *suriportgroup MODBUS_PORTS: *suriportgroup FILE_DATA_PORTS: *suriportgroup FTP_PORTS: *suriportgroup VXLAN_PORTS: *suriportgroup TEREDO_PORTS: *suriportgroup outputs: eve-log: types: alert: xff: enabled: description: Enable X-Forward-For support. helpLink: suricata.html mode: description: Operation mode. This should always be extra-data if you use PCAP. helpLink: suricata.html deployment: description: forward would use the first IP address and reverse would use the last. helpLink: suricata.html header: description: Header name where the actual IP address will be reported. helpLink: suricata.html pcap-log: enabled: description: This value is ignored by SO. pcapengine in globals takes precidence. readonly: True helpLink: suricata.html advanced: True asn1-max-frames: description: Maximum nuber of asn1 frames to decode. helpLink: suricata.html max-pending-packets: description: Number of packets preallocated per thread. helpLink: suricata.html default-packet-size: description: Preallocated size for each packet. helpLink: suricata.html pcre: match-limit: description: Match limit for PCRE. helpLink: suricata.html match-limit-recursion: description: Recursion limit for PCRE. helpLink: suricata.html defrag: memcap: description: Max memory to use for defrag. You should only change this if you know what you are doing. helpLink: suricata.html hash-size: description: Hash size helpLink: suricata.html trackers: description: Number of defragmented flows to follow. helpLink: suricata.html max-frags: description: Max number of fragments to keep helpLink: suricata.html prealloc: description: Preallocate memory. helpLink: suricata.html timeout: description: Timeout value. helpLink: suricata.html flow: memcap: description: Reserverd memory for flows. helpLink: suricata.html hash-size: description: Determines the size of the hash used to identify flows inside the engine. helpLink: suricata.html prealloc: description: Number of preallocated flows. helpLink: suricata.html stream: memcap: description: Can be specified in kb,mb,gb. helpLink: suricata.html checksum-validation: description: Validate checksum of packets. helpLink: suricata.html reassembly: memcap: description: Can be specified in kb,mb,gb. helpLink: suricata.html depth: description: Controls how far into a stream that reassembly is done. helpLink: suricata.html host: hash-size: description: Hash size in bytes. helpLink: suricata.html prealloc: description: How many streams to preallocate. helpLink: suricata.html memcap: description: Memory settings for host. helpLink: suricata.html decoder: teredo: enabled: description: Enable TEREDO capabilities helpLink: suricata.html ports: description: Ports to listen for. This should be a variable. helpLink: suricata.html vxlan: enabled: description: Enable VXLAN capabilities. helpLink: suricata.html ports: description: Ports to listen for. This should be a variable. helpLink: suricata.html