suricata:
  enabled:
    description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
    forcedType: bool
    helpLink: suricata
  thresholding:
    sids__yaml:
      description: Threshold SIDS list. This setting is read-only; use the Detections screen to modify rules.
      syntax: yaml
      file: True
      global: True
      multiline: True
      title: SIDS
      helpLink: suricata
      readonlyUi: True
      advanced: True
  classification:
    classification__config:
      description: Classifications config file.
      file: True
      global: True
      multiline: True
      title: Classifications
      helpLink: suricata
  pcap:
    enabled:
      description: Enables or disables the Suricata packet recording process.
      forcedType: bool
      helpLink: suricata
    filesize:
      description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of PCAP retrieval time.
      advanced: True
      helpLink: suricata
    maxsize:
      description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
      helpLink: suricata
    compression:
      description: Enable compression of Suricata PCAP files.
      advanced: True
      helpLink: suricata
    lz4-checksum:
      description: Enable PCAP lz4 checksum.
      forcedType: bool
      advanced: True
      helpLink: suricata
    lz4-level:
      description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
      advanced: True
      helpLink: suricata
    filename:
      description: Filename output for Suricata PCAP files.
      advanced: True
      readonly: True
      helpLink: suricata
    mode:
      description: Suricata PCAP mode. Currently only multi is supported.
      advanced: True
      readonly: True
      helpLink: suricata
    use-stream-depth:
      description: Set to false to ignore the stream depth and capture the entire flow. Set to true to truncate the flow based on the stream depth.
      forcedType: bool
      advanced: True
      helpLink: suricata
    conditional:
      description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
      options:
        - all
        - alerts
        - tag
      helpLink: suricata
    dir:
      description: Parent directory to store PCAP.
      advanced: True
      readonly: True
      helpLink: suricata
  config:
    af-packet:
      interface:
        description: The network interface that Suricata will monitor. This is set under sensor > interface.
        advanced: True
        readonly: True
        helpLink: suricata
      cluster-id:
        advanced: True
      cluster-type:
        advanced: True
        options:
          - cluster_flow
          - cluster_qm
      defrag:
        description: Enable defragmentation of IP packets before processing.
        forcedType: bool
        advanced: True
      use-mmap:
        advanced: True
        readonly: True
      mmap-locked:
        description: Prevent swapping by locking the memory map.
        forcedType: bool
        advanced: True
        helpLink: suricata
      threads:
        description: The number of worker threads.
        helpLink: suricata
        forcedType: int
      tpacket-v3:
        advanced: True
        readonly: True
      ring-size:
        description: Buffer size, in packets, for each worker thread.
        forcedType: int
        helpLink: suricata
      block-size:
        description: This must be set high enough to hold a significant number of packets, taking the byte size of packets and the interface MTU into account. The value must be a power of 2 and a multiple of the page size.
        advanced: True
        forcedType: int
        helpLink: suricata
      block-timeout:
        description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace anyway.
        advanced: True
        forcedType: int
        helpLink: suricata
      use-emergency-flush:
        description: In high-traffic environments, enabling this option helps recover from packet drops. However, some packets, possibly up to a full ring flush, may not be inspected.
        forcedType: bool
        advanced: True
        helpLink: suricata
      buffer-size:
        description: Increasing the size of the receive buffer may improve performance.
        advanced: True
        forcedType: int
        helpLink: suricata
      disable-promisc:
        description: Disable promiscuous mode on the capture interface.
        forcedType: bool
        advanced: True
        helpLink: suricata
      checksum-checks:
        description: "Select the checksum verification mode suitable for the interface. During capture, some packets may carry invalid checksums because the network card handles the checksum computation (offloading). Options: 'kernel': rely on the indication the kernel sends for each packet (default). 'yes': enforce checksum validation. 'no': disable checksum validation. 'auto': Suricata uses a statistical approach to detect checksum offloading."
        advanced: True
        options:
          - kernel
          - yes
          - no
          - auto
        helpLink: suricata
    threading:
      set-cpu-affinity:
        description: Bind or unbind management and worker threads to a core or range of cores.
        forcedType: bool
        helpLink: suricata
      cpu-affinity:
        management-cpu-set:
          cpu:
            description: Bind management threads to a core or range of cores. This can be a single core, a list of cores, or a list of core ranges. set-cpu-affinity must be set to true for this to take effect.
            forcedType: "[]string"
            helpLink: suricata
        worker-cpu-set:
          cpu:
            description: Bind worker threads to a core or range of cores. This can be a single core, a list of cores, or a list of core ranges. set-cpu-affinity must be set to true for this to take effect.
            forcedType: "[]string"
            helpLink: suricata
    vars:
      address-groups:
        HOME_NET:
          description: Assign a list of hosts or networks, using CIDR notation, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows a single adjustment to the variable to affect all rules referencing the variable.
          regex: ^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^!?((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$
          regexFailureMessage: You must enter a valid IP address or CIDR.
          forcedType: "[]string"
          duplicates: True
          helpLink: suricata
        EXTERNAL_NET: &suriaddressgroup
          description: Assign a list of hosts, networks, or other customization (such as a negated variable reference) to this Suricata variable. The variable can then be re-used within Suricata rules. This allows a single adjustment to the variable to affect all rules referencing the variable.
          forcedType: "[]string"
          duplicates: True
          helpLink: suricata
        HTTP_SERVERS: *suriaddressgroup
        SMTP_SERVERS: *suriaddressgroup
        SQL_SERVERS: *suriaddressgroup
        DNS_SERVERS: *suriaddressgroup
        TELNET_SERVERS: *suriaddressgroup
        AIM_SERVERS: *suriaddressgroup
        DC_SERVERS: *suriaddressgroup
        DNP3_SERVER: *suriaddressgroup
        DNP3_CLIENT: *suriaddressgroup
        MODBUS_CLIENT: *suriaddressgroup
        MODBUS_SERVER: *suriaddressgroup
        ENIP_CLIENT: *suriaddressgroup
        ENIP_SERVER: *suriaddressgroup
      port-groups:
        HTTP_PORTS: &suriportgroup
          description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows a single adjustment to the variable to affect all rules referencing the variable.
          forcedType: "[]string"
          duplicates: True
          helpLink: suricata
        SHELLCODE_PORTS: *suriportgroup
        ORACLE_PORTS: *suriportgroup
        SSH_PORTS: *suriportgroup
        DNP3_PORTS: *suriportgroup
        MODBUS_PORTS: *suriportgroup
        FILE_DATA_PORTS: *suriportgroup
        FTP_PORTS: *suriportgroup
        VXLAN_PORTS: *suriportgroup
        TEREDO_PORTS: *suriportgroup
        SIP_PORTS: *suriportgroup
        GENEVE_PORTS: *suriportgroup
    outputs:
      eve-log:
        pcap-file:
          description: Log the PCAP filename that a packet was read from when processing PCAP files.
          forcedType: bool
          advanced: True
          helpLink: suricata
        community-id:
          description: Enable Community ID flow hashing for consistent event correlation across tools.
          forcedType: bool
          advanced: True
          helpLink: suricata
        types:
          alert:
            metadata:
              app-layer:
                description: Include app-layer metadata in alert events.
                forcedType: bool
                advanced: True
                helpLink: suricata
              flow:
                description: Include flow metadata in alert events.
                forcedType: bool
                advanced: True
                helpLink: suricata
              rule:
                metadata:
                  description: Include rule metadata in alert events.
                  forcedType: bool
                  advanced: True
                  helpLink: suricata
                raw:
                  description: Include raw rule text in alert events.
                  forcedType: bool
                  advanced: True
                  helpLink: suricata
            xff:
              enabled:
                description: Enable X-Forwarded-For (XFF) support.
                forcedType: bool
                helpLink: suricata
              mode:
                description: Operation mode. This should always be extra-data if you use PCAP.
                helpLink: suricata
              deployment:
                description: Set to forward to use the first IP address in the header, or reverse to use the last.
                helpLink: suricata
              header:
                description: Name of the header in which the actual client IP address is reported.
                helpLink: suricata
    asn1-max-frames:
      description: Maximum number of ASN.1 frames to decode.
      helpLink: suricata
    max-pending-packets:
      description: Number of packets preallocated per thread.
      helpLink: suricata
    default-packet-size:
      description: Preallocated size for each packet.
      helpLink: suricata
    pcre:
      match-limit:
        description: Match limit for PCRE.
        helpLink: suricata
      match-limit-recursion:
        description: Recursion limit for PCRE.
        helpLink: suricata
    defrag:
      memcap:
        description: Max memory to use for defrag. You should only change this if you know what you are doing.
        helpLink: suricata
      hash-size:
        description: Number of hash buckets for the defrag tracker table.
        helpLink: suricata
      trackers:
        description: Number of defragmented flows to follow.
        helpLink: suricata
      max-frags:
        description: Max number of fragments to keep.
        helpLink: suricata
      prealloc:
        description: Preallocate memory.
        forcedType: bool
        helpLink: suricata
      timeout:
        description: Timeout, in seconds, for incomplete fragment sets.
        helpLink: suricata
    flow:
      memcap:
        description: Maximum memory reserved for flow tracking.
        helpLink: suricata
      hash-size:
        description: Determines the size of the hash table used to identify flows inside the engine.
        helpLink: suricata
      prealloc:
        description: Number of preallocated flows.
        helpLink: suricata
    stream:
      memcap:
        description: Max memory to use for the stream engine. Can be specified in kb, mb, gb.
        helpLink: suricata
      checksum-validation:
        description: Validate the checksum of packets.
        forcedType: bool
        helpLink: suricata
      reassembly:
        memcap:
          description: Max memory to use for stream reassembly. Can be specified in kb, mb, gb.
          helpLink: suricata
        depth:
          description: Controls how far into a stream reassembly is done.
          helpLink: suricata
    host:
      hash-size:
        description: Number of hash buckets for the host table.
        helpLink: suricata
      prealloc:
        description: Number of host table entries to preallocate.
        helpLink: suricata
      memcap:
        description: Max memory to use for the host table.
        helpLink: suricata
    decoder:
      teredo:
        enabled:
          description: Enable Teredo decoding.
          forcedType: bool
          helpLink: suricata
        ports:
          description: Ports on which to decode Teredo. This should reference a port-group variable such as $TEREDO_PORTS.
          helpLink: suricata
      vxlan:
        enabled:
          description: Enable VXLAN decoding.
          forcedType: bool
          helpLink: suricata
        ports:
          description: Ports on which to decode VXLAN. This should reference a port-group variable such as $VXLAN_PORTS.
          helpLink: suricata
      geneve:
        enabled:
          description: Enable GENEVE decoding.
          forcedType: bool
          helpLink: suricata
        ports:
          description: Ports on which to decode GENEVE. This should reference a port-group variable such as $GENEVE_PORTS.
          helpLink: suricata
      recursion-level:
        use-for-tracking:
          description: Controls whether the decoder recursion level (tunnel depth) is used for flow tracking.
          forcedType: bool
          advanced: True
          helpLink: suricata
      vlan:
        use-for-tracking:
          description: Enable VLAN tracking for flow identification. When enabled, VLAN tags are used to differentiate flows.
          forcedType: bool
          advanced: True
          helpLink: suricata
    detect:
      profiling:
        grouping:
          dump-to-disk:
            description: Dump detection engine grouping information to disk for analysis.
            forcedType: bool
            advanced: True
            helpLink: suricata
          include-rules:
            description: Include individual rule details in grouping profiling output.
            forcedType: bool
            advanced: True
            helpLink: suricata
          include-mpm-stats:
            description: Include multi-pattern matcher statistics in grouping profiling output.
            forcedType: bool
            advanced: True
            helpLink: suricata
    security:
      lua:
        allow-rules:
          description: Allow Lua rules in the Suricata ruleset. Enabling Lua rules may introduce security risks, since rule content then executes as code inside Suricata.
          forcedType: bool
          advanced: True
          helpLink: suricata
        allow-restricted-functions:
          description: Allow restricted Lua functions such as file I/O. Enabling this may introduce security risks.
          forcedType: bool
          advanced: True
          helpLink: suricata
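The HOME_NET annotation above is the only address-group entry that carries a validation regex, and it is applied per list item (forcedType "[]string"). The following is an added example, not part of the annotations file or of Security Onion's own code: it compiles that regex verbatim and runs a constructed list of candidate HOME_NET entries through it, so you can see which inputs the UI would accept and which it would bounce with the regexFailureMessage. The function names, the sample list, and the rendering of the accepted entries into Suricata's bracketed address-group syntax are assumptions made here for illustration.

```python
import re

# Regex copied verbatim from the HOME_NET annotation above. It validates one
# entry at a time; the annotation's forcedType of []string means each list item
# is checked on its own. Split across adjacent raw-string literals at branch
# boundaries only; the pattern text is unchanged.
HOME_NET_ENTRY_RE = re.compile(
    r"^!?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$"
    r"|^!?("
    r"(([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))"
    r"|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))"
    r"|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))"
    r"|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))"
    r"|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))"
    r"|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))"
    r"|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))"
    r"|(:((:[0-9A-Fa-f]{1,4}){1,7}|:))"
    r")(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$"
)

REGEX_FAILURE_MESSAGE = "You must enter a valid IP address or CIDR."


def is_valid_home_net_entry(entry: str) -> bool:
    """True if a single HOME_NET list item passes the annotation regex (whole-string match)."""
    return HOME_NET_ENTRY_RE.fullmatch(entry) is not None


def validate_home_net(entries):
    """Partition a candidate HOME_NET list into (accepted, rejected), preserving order."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_valid_home_net_entry(entry) else rejected).append(entry)
    return accepted, rejected


def render_address_group(name, entries):
    """Render a Suricata address-group line, e.g. HOME_NET: "[10.0.0.0/8,!10.0.99.0/24]".

    Duplicates are dropped (the annotation permits them in the UI, but they add
    nothing to the rule variable). Raises ValueError if any entry fails the regex,
    mirroring the UI refusing to save the setting."""
    accepted, rejected = validate_home_net(entries)
    if rejected:
        raise ValueError(f"{name}: {REGEX_FAILURE_MESSAGE} Rejected: {rejected}")
    unique = list(dict.fromkeys(accepted))
    return f'{name}: "[{",".join(unique)}]"'


# Constructed sample input for this example; not taken from any real deployment.
SAMPLE_HOME_NET = [
    "10.0.0.0/8",                 # IPv4 CIDR
    "!10.0.99.0/24",              # negated IPv4 CIDR (e.g. a guest VLAN carved out of HOME_NET)
    "192.168.1.10",               # single IPv4 host
    "2001:db8::/32",              # IPv6 CIDR
    "::1",                        # IPv6 loopback
    "10.0.0.256",                 # octet out of range
    "10.0.0.0/33",                # IPv4 prefix length out of range
    "$HOME_NET",                  # variable references are only allowed in groups without the regex (EXTERNAL_NET etc.)
    "::ffff:192.0.2.1",           # compressed IPv4-mapped IPv6 is rejected; only the uncompressed 6-hextet form passes
]

if __name__ == "__main__":
    ok, bad = validate_home_net(SAMPLE_HOME_NET)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_address_group("HOME_NET", ok))
```

Note that the regex checks syntax only: "0.0.0.0/0" passes, even though a HOME_NET that covers everything makes any rule scoped to "!$HOME_NET" match nothing, so review the semantic scope of the list separately from this format check.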