Diffstat (limited to 'recipes-ids/suricata')
-rw-r--r-- | recipes-ids/suricata/files/emerging.rules.tar.gz | bin | 0 -> 2252393 bytes | |||
-rw-r--r-- | recipes-ids/suricata/files/no_libhtp_build.patch | 38 | ||||
-rw-r--r-- | recipes-ids/suricata/files/run-ptest | 3 | ||||
-rw-r--r-- | recipes-ids/suricata/files/suricata.service | 20 | ||||
-rw-r--r-- | recipes-ids/suricata/files/suricata.yaml | 1326 | ||||
-rw-r--r-- | recipes-ids/suricata/files/volatiles.03_suricata | 2 | ||||
-rw-r--r-- | recipes-ids/suricata/libhtp_0.5.29.bb | 15 | ||||
-rw-r--r-- | recipes-ids/suricata/suricata.inc | 9 | ||||
-rw-r--r-- | recipes-ids/suricata/suricata_4.1.3.bb | 97 |
9 files changed, 1510 insertions, 0 deletions
diff --git a/recipes-ids/suricata/files/emerging.rules.tar.gz b/recipes-ids/suricata/files/emerging.rules.tar.gz new file mode 100644 index 0000000..aed3754 --- /dev/null +++ b/recipes-ids/suricata/files/emerging.rules.tar.gz | |||
Binary files differ | |||
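--- /dev/null
+++ b/recipes-ids/suricata/files/no_libhtp_build.patch
@@ -0,0 +1,38 @@
+Upstream-Status: Inappropriate [configuration]
+
+Signed-of_by: Armin Kuster <akuster808@gmail.com>
+
+Index: suricata-2.0.5/Makefile.am
+===================================================================
+--- suricata-2.0.5.orig/Makefile.am
++++ suricata-2.0.5/Makefile.am
+@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4
+EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
+classification.config threshold.config \
+reference.config
+-SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
++SUBDIRS = src qa rules doc contrib scripts
+
+CLEANFILES = stamp-h[0-9]*
+
+Index: suricata-2.0.5/Makefile.in
+===================================================================
+--- suricata-2.0.5.orig/Makefile.in
++++ suricata-2.0.5/Makefile.in
+@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@
+HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@
+HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@
+HAVE_WGET = @HAVE_WGET@
+-HTP_DIR = @HTP_DIR@
+HTP_LDADD = @HTP_LDADD@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
+classification.config threshold.config \
+reference.config
+
+-SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
++SUBDIRS = src qa rules doc contrib scripts
+CLEANFILES = stamp-h[0-9]*
+all: config.h
+$(MAKE) $(AM_MAKEFLAGS) all-recursive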
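Review bot: The trailer on line 3 of the new patch is misspelled as `Signed-of_by:`, so tooling that parses patch metadata will not recognise it; it should read `Signed-off-by: Armin Kuster <akuster808@gmail.com>`. The `Index:` headers name a suricata-2.0.5 tree while the diffstat adds suricata_4.1.3.bb, so the patch presumably applies only with fuzz against the 4.1.3 sources and is worth regenerating. The Makefile.in hunk is likely redundant if the recipe runs autoreconf, since Makefile.in is regenerated from the patched Makefile.am; confirm which build class the recipe inherits before keeping both hunks.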
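--- /dev/null
+++ b/recipes-ids/suricata/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+suricata -u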
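Review bot: The script reports the unit-test outcome only through the exit status of `suricata -u` on line 3, while ptest-runner collects results from `PASS:`/`FAIL:` lines on stdout, so a failing run is easy to miss in the ptest log. A one-line wrapper keeps the convention: `suricata -u && echo "PASS: suricata" || echo "FAIL: suricata"`. If the unit tests are expected to read the installed suricata.yaml, consider passing `-c /etc/suricata/suricata.yaml` explicitly so the result does not depend on the working directory.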
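--- /dev/null
+++ b/recipes-ids/suricata/files/suricata.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=
+ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=yes
+
+[Install]
+WantedBy=multi-user.target
+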
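Review bot: `RestrictAddressFamilies=` with an empty value on line 11 resets the list and imposes no restriction at all, so the directive is a no-op; either drop it or list the families the configured capture method needs, presumably `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET AF_NETLINK` for the af-packet setup in suricata.yaml (verify against the capture mode actually used). On line 12 the bare `eth0` after the options is parsed by Suricata as a BPF filter expression rather than as a capture interface, so the unit does not select a device; use `--af-packet=eth0`, or `--af-packet` alone to take the eth0/eth1 list already defined in suricata.yaml. No `User=` is set, so the daemon runs as root and `CapabilityBoundingSet` only trims root's capabilities; if the recipe creates a service account, `User=`/`Group=` with `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` would be the stronger least-privilege configuration.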
diff --git a/recipes-ids/suricata/files/suricata.yaml b/recipes-ids/suricata/files/suricata.yaml new file mode 100644 index 0000000..8d06a27 --- /dev/null +++ b/recipes-ids/suricata/files/suricata.yaml | |||
@@ -0,0 +1,1326 @@ | |||
1 | %YAML 1.1 | ||
2 | --- | ||
3 | |||
4 | # Suricata configuration file. In addition to the comments describing all | ||
5 | # options in this file, full documentation can be found at: | ||
6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml | ||
7 | |||
8 | |||
9 | # Number of packets allowed to be processed simultaneously. Default is a | ||
10 | # conservative 1024. A higher number will make sure CPU's/CPU cores will be | ||
11 | # more easily kept busy, but may negatively impact caching. | ||
12 | # | ||
13 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules | ||
14 | # apply. In that case try something like 60000 or more. This is because the CUDA | ||
15 | # pattern matcher buffers and scans as many packets as possible in parallel. | ||
16 | #max-pending-packets: 1024 | ||
17 | |||
18 | # Runmode the engine should use. Please check --list-runmodes to get the available | ||
19 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned | ||
20 | # load balancing). | ||
21 | #runmode: autofp | ||
22 | |||
23 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. | ||
24 | # | ||
25 | # Supported schedulers are: | ||
26 | # | ||
27 | # round-robin - Flows assigned to threads in a round robin fashion. | ||
28 | # active-packets - Flows assigned to threads that have the lowest number of | ||
29 | # unprocessed packets (default). | ||
30 | # hash - Flow alloted usihng the address hash. More of a random | ||
31 | # technique. Was the default in Suricata 1.2.1 and older. | ||
32 | # | ||
33 | #autofp-scheduler: active-packets | ||
34 | |||
35 | # If suricata box is a router for the sniffed networks, set it to 'router'. If | ||
36 | # it is a pure sniffing setup, set it to 'sniffer-only'. | ||
37 | # If set to auto, the variable is internally switch to 'router' in IPS mode | ||
38 | # and 'sniffer-only' in IDS mode. | ||
39 | # This feature is currently only used by the reject* keywords. | ||
40 | host-mode: auto | ||
41 | |||
42 | # Run suricata as user and group. | ||
43 | #run-as: | ||
44 | # user: suri | ||
45 | # group: suri | ||
46 | |||
47 | # Default pid file. | ||
48 | # Will use this file if no --pidfile in command options. | ||
49 | #pid-file: /var/run/suricata.pid | ||
50 | |||
51 | # Daemon working directory | ||
52 | # Suricata will change directory to this one if provided | ||
53 | # Default: "/" | ||
54 | #daemon-directory: "/" | ||
55 | |||
56 | # Preallocated size for packet. Default is 1514 which is the classical | ||
57 | # size for pcap on ethernet. You should adjust this value to the highest | ||
58 | # packet size (MTU + hardware header) on your system. | ||
59 | #default-packet-size: 1514 | ||
60 | |||
61 | # The default logging directory. Any log or output file will be | ||
62 | # placed here if its not specified with a full path name. This can be | ||
63 | # overridden with the -l command line parameter. | ||
64 | default-log-dir: /var/log/suricata/ | ||
65 | |||
66 | # Unix command socket can be used to pass commands to suricata. | ||
67 | # An external tool can then connect to get information from suricata | ||
68 | # or trigger some modifications of the engine. Set enabled to yes | ||
69 | # to activate the feature. You can use the filename variable to set | ||
70 | # the file name of the socket. | ||
71 | unix-command: | ||
72 | enabled: no | ||
73 | #filename: custom.socket | ||
74 | |||
75 | # Configure the type of alert (and other) logging you would like. | ||
76 | outputs: | ||
77 | |||
78 | # a line based alerts log similar to Snort's fast.log | ||
79 | - fast: | ||
80 | enabled: yes | ||
81 | filename: fast.log | ||
82 | append: yes | ||
83 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
84 | |||
85 | # Extensible Event Format (nicknamed EVE) event log in JSON format | ||
86 | - eve-log: | ||
87 | enabled: yes | ||
88 | type: file #file|syslog|unix_dgram|unix_stream | ||
89 | filename: eve.json | ||
90 | # the following are valid when type: syslog above | ||
91 | #identity: "suricata" | ||
92 | #facility: local5 | ||
93 | #level: Info ## possible levels: Emergency, Alert, Critical, | ||
94 | ## Error, Warning, Notice, Info, Debug | ||
95 | types: | ||
96 | - alert | ||
97 | - http: | ||
98 | extended: yes # enable this for extended logging information | ||
99 | # custom allows additional http fields to be included in eve-log | ||
100 | # the example below adds three additional fields when uncommented | ||
101 | #custom: [Accept-Encoding, Accept-Language, Authorization] | ||
102 | - dns | ||
103 | - tls: | ||
104 | extended: yes # enable this for extended logging information | ||
105 | - files: | ||
106 | force-magic: no # force logging magic on all logged files | ||
107 | force-md5: no # force logging of md5 checksums | ||
108 | #- drop | ||
109 | - ssh | ||
110 | |||
111 | # alert output for use with Barnyard2 | ||
112 | - unified2-alert: | ||
113 | enabled: yes | ||
114 | filename: unified2.alert | ||
115 | |||
116 | # File size limit. Can be specified in kb, mb, gb. Just a number | ||
117 | # is parsed as bytes. | ||
118 | #limit: 32mb | ||
119 | |||
120 | # Sensor ID field of unified2 alerts. | ||
121 | #sensor-id: 0 | ||
122 | |||
123 | # HTTP X-Forwarded-For support by adding the unified2 extra header that | ||
124 | # will contain the actual client IP address or by overwriting the source | ||
125 | # IP address (helpful when inspecting traffic that is being reversed | ||
126 | # proxied). | ||
127 | xff: | ||
128 | enabled: no | ||
129 | # Two operation modes are available, "extra-data" and "overwrite". Note | ||
130 | # that in the "overwrite" mode, if the reported IP address in the HTTP | ||
131 | # X-Forwarded-For header is of a different version of the packet | ||
132 | # received, it will fall-back to "extra-data" mode. | ||
133 | mode: extra-data | ||
134 | # Header name were the actual IP address will be reported, if more than | ||
135 | # one IP address is present, the last IP address will be the one taken | ||
136 | # into consideration. | ||
137 | header: X-Forwarded-For | ||
138 | |||
139 | # a line based log of HTTP requests (no alerts) | ||
140 | - http-log: | ||
141 | enabled: yes | ||
142 | filename: http.log | ||
143 | append: yes | ||
144 | #extended: yes # enable this for extended logging information | ||
145 | #custom: yes # enabled the custom logging format (defined by customformat) | ||
146 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" | ||
147 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
148 | |||
149 | # a line based log of TLS handshake parameters (no alerts) | ||
150 | - tls-log: | ||
151 | enabled: no # Log TLS connections. | ||
152 | filename: tls.log # File to store TLS logs. | ||
153 | append: yes | ||
154 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
155 | #extended: yes # Log extended information like fingerprint | ||
156 | certs-log-dir: certs # directory to store the certificates files | ||
157 | |||
158 | # a line based log of DNS requests and/or replies (no alerts) | ||
159 | - dns-log: | ||
160 | enabled: no | ||
161 | filename: dns.log | ||
162 | append: yes | ||
163 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
164 | |||
165 | # a line based log to used with pcap file study. | ||
166 | # this module is dedicated to offline pcap parsing (empty output | ||
167 | # if used with another kind of input). It can interoperate with | ||
168 | # pcap parser like wireshark via the suriwire plugin. | ||
169 | - pcap-info: | ||
170 | enabled: no | ||
171 | |||
172 | # Packet log... log packets in pcap format. 2 modes of operation: "normal" | ||
173 | # and "sguil". | ||
174 | # | ||
175 | # In normal mode a pcap file "filename" is created in the default-log-dir, | ||
176 | # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. | ||
177 | # In this base dir the pcaps are created in th directory structure Sguil expects: | ||
178 | # | ||
179 | # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> | ||
180 | # | ||
181 | # By default all packets are logged except: | ||
182 | # - TCP streams beyond stream.reassembly.depth | ||
183 | # - encrypted streams after the key exchange | ||
184 | # | ||
185 | - pcap-log: | ||
186 | enabled: no | ||
187 | filename: log.pcap | ||
188 | |||
189 | # File size limit. Can be specified in kb, mb, gb. Just a number | ||
190 | # is parsed as bytes. | ||
191 | limit: 1000mb | ||
192 | |||
193 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" | ||
194 | max-files: 2000 | ||
195 | |||
196 | mode: normal # normal or sguil. | ||
197 | #sguil-base-dir: /nsm_data/ | ||
198 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec | ||
199 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets | ||
200 | |||
201 | # a full alerts log containing much information for signature writers | ||
202 | # or for investigating suspected false positives. | ||
203 | - alert-debug: | ||
204 | enabled: no | ||
205 | filename: alert-debug.log | ||
206 | append: yes | ||
207 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
208 | |||
209 | # alert output to prelude (http://www.prelude-technologies.com/) only | ||
210 | # available if Suricata has been compiled with --enable-prelude | ||
211 | - alert-prelude: | ||
212 | enabled: no | ||
213 | profile: suricata | ||
214 | log-packet-content: no | ||
215 | log-packet-header: yes | ||
216 | |||
217 | # Stats.log contains data from various counters of the suricata engine. | ||
218 | # The interval field (in seconds) tells after how long output will be written | ||
219 | # on the log file. | ||
220 | - stats: | ||
221 | enabled: yes | ||
222 | filename: stats.log | ||
223 | interval: 8 | ||
224 | |||
225 | # a line based alerts log similar to fast.log into syslog | ||
226 | - syslog: | ||
227 | enabled: no | ||
228 | # reported identity to syslog. If ommited the program name (usually | ||
229 | # suricata) will be used. | ||
230 | #identity: "suricata" | ||
231 | facility: local5 | ||
232 | #level: Info ## possible levels: Emergency, Alert, Critical, | ||
233 | ## Error, Warning, Notice, Info, Debug | ||
234 | |||
235 | # a line based information for dropped packets in IPS mode | ||
236 | - drop: | ||
237 | enabled: no | ||
238 | filename: drop.log | ||
239 | append: yes | ||
240 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
241 | |||
242 | # output module to store extracted files to disk | ||
243 | # | ||
244 | # The files are stored to the log-dir in a format "file.<id>" where <id> is | ||
245 | # an incrementing number starting at 1. For each file "file.<id>" a meta | ||
246 | # file "file.<id>.meta" is created. | ||
247 | # | ||
248 | # File extraction depends on a lot of things to be fully done: | ||
249 | # - stream reassembly depth. For optimal results, set this to 0 (unlimited) | ||
250 | # - http request / response body sizes. Again set to 0 for optimal results. | ||
251 | # - rules that contain the "filestore" keyword. | ||
252 | - file-store: | ||
253 | enabled: no # set to yes to enable | ||
254 | log-dir: files # directory to store the files | ||
255 | force-magic: no # force logging magic on all stored files | ||
256 | force-md5: no # force logging of md5 checksums | ||
257 | #waldo: file.waldo # waldo file to store the file_id across runs | ||
258 | |||
259 | # output module to log files tracked in a easily parsable json format | ||
260 | - file-log: | ||
261 | enabled: no | ||
262 | filename: files-json.log | ||
263 | append: yes | ||
264 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
265 | |||
266 | force-magic: no # force logging magic on all logged files | ||
267 | force-md5: no # force logging of md5 checksums | ||
268 | |||
269 | # Magic file. The extension .mgc is added to the value here. | ||
270 | #magic-file: /usr/share/file/magic | ||
271 | magic-file: /usr/share/misc/magic.mgc | ||
272 | |||
273 | # When running in NFQ inline mode, it is possible to use a simulated | ||
274 | # non-terminal NFQUEUE verdict. | ||
275 | # This permit to do send all needed packet to suricata via this a rule: | ||
276 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE | ||
277 | # And below, you can have your standard filtering ruleset. To activate | ||
278 | # this mode, you need to set mode to 'repeat' | ||
279 | # If you want packet to be sent to another queue after an ACCEPT decision | ||
280 | # set mode to 'route' and set next-queue value. | ||
281 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance | ||
282 | # by processing several packets before sending a verdict (worker runmode only). | ||
283 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel | ||
284 | # accept the packet if suricata is not able to keep pace. | ||
285 | nfq: | ||
286 | # mode: accept | ||
287 | # repeat-mark: 1 | ||
288 | # repeat-mask: 1 | ||
289 | # route-queue: 2 | ||
290 | # batchcount: 20 | ||
291 | # fail-open: yes | ||
292 | |||
293 | #nflog support | ||
294 | nflog: | ||
295 | # netlink multicast group | ||
296 | # (the same as the iptables --nflog-group param) | ||
297 | # Group 0 is used by the kernel, so you can't use it | ||
298 | - group: 2 | ||
299 | # netlink buffer size | ||
300 | buffer-size: 18432 | ||
301 | # put default value here | ||
302 | - group: default | ||
303 | # set number of packet to queue inside kernel | ||
304 | qthreshold: 1 | ||
305 | # set the delay before flushing packet in the queue inside kernel | ||
306 | qtimeout: 100 | ||
307 | # netlink max buffer size | ||
308 | max-size: 20000 | ||
309 | |||
310 | # af-packet support | ||
311 | # Set threads to > 1 to use PACKET_FANOUT support | ||
312 | af-packet: | ||
313 | - interface: eth0 | ||
314 | # Number of receive threads (>1 will enable experimental flow pinned | ||
315 | # runmode) | ||
316 | threads: 1 | ||
317 | # Default clusterid. AF_PACKET will load balance packets based on flow. | ||
318 | # All threads/processes that will participate need to have the same | ||
319 | # clusterid. | ||
320 | cluster-id: 99 | ||
321 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. | ||
322 | # This is only supported for Linux kernel > 3.1 | ||
323 | # possible value are: | ||
324 | # * cluster_round_robin: round robin load balancing | ||
325 | # * cluster_flow: all packets of a given flow are send to the same socket | ||
326 | # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket | ||
327 | cluster-type: cluster_flow | ||
328 | # In some fragmentation case, the hash can not be computed. If "defrag" is set | ||
329 | # to yes, the kernel will do the needed defragmentation before sending the packets. | ||
330 | defrag: yes | ||
331 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes | ||
332 | use-mmap: yes | ||
333 | # Ring size will be computed with respect to max_pending_packets and number | ||
334 | # of threads. You can set manually the ring size in number of packets by setting | ||
335 | # the following value. If you are using flow cluster-type and have really network | ||
336 | # intensive single-flow you could want to set the ring-size independantly of the number | ||
337 | # of threads: | ||
338 | #ring-size: 2048 | ||
339 | # On busy system, this could help to set it to yes to recover from a packet drop | ||
340 | # phase. This will result in some packets (at max a ring flush) being non treated. | ||
341 | #use-emergency-flush: yes | ||
342 | # recv buffer size, increase value could improve performance | ||
343 | # buffer-size: 32768 | ||
344 | # Set to yes to disable promiscuous mode | ||
345 | # disable-promisc: no | ||
346 | # Choose checksum verification mode for the interface. At the moment | ||
347 | # of the capture, some packets may be with an invalid checksum due to | ||
348 | # offloading to the network card of the checksum computation. | ||
349 | # Possible values are: | ||
350 | # - kernel: use indication sent by kernel for each packet (default) | ||
351 | # - yes: checksum validation is forced | ||
352 | # - no: checksum validation is disabled | ||
353 | # - auto: suricata uses a statistical approach to detect when | ||
354 | # checksum off-loading is used. | ||
355 | # Warning: 'checksum-validation' must be set to yes to have any validation | ||
356 | #checksum-checks: kernel | ||
357 | # BPF filter to apply to this interface. The pcap filter syntax apply here. | ||
358 | #bpf-filter: port 80 or udp | ||
359 | # You can use the following variables to activate AF_PACKET tap od IPS mode. | ||
360 | # If copy-mode is set to ips or tap, the traffic coming to the current | ||
361 | # interface will be copied to the copy-iface interface. If 'tap' is set, the | ||
362 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action | ||
363 | # will not be copied. | ||
364 | #copy-mode: ips | ||
365 | #copy-iface: eth1 | ||
366 | - interface: eth1 | ||
367 | threads: 1 | ||
368 | cluster-id: 98 | ||
369 | cluster-type: cluster_flow | ||
370 | defrag: yes | ||
371 | # buffer-size: 32768 | ||
372 | # disable-promisc: no | ||
373 | # Put default values here | ||
374 | - interface: default | ||
375 | #threads: 2 | ||
376 | #use-mmap: yes | ||
377 | |||
378 | legacy: | ||
379 | uricontent: enabled | ||
380 | |||
381 | # You can specify a threshold config file by setting "threshold-file" | ||
382 | # to the path of the threshold config file: | ||
383 | # threshold-file: /etc/suricata/threshold.config | ||
384 | |||
385 | # The detection engine builds internal groups of signatures. The engine | ||
386 | # allow us to specify the profile to use for them, to manage memory on an | ||
387 | # efficient way keeping a good performance. For the profile keyword you | ||
388 | # can use the words "low", "medium", "high" or "custom". If you use custom | ||
389 | # make sure to define the values at "- custom-values" as your convenience. | ||
390 | # Usually you would prefer medium/high/low. | ||
391 | # | ||
392 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | ||
393 | # the signature groups. "single" indicates the use of a single context for | ||
394 | # all the signature group heads. "full" indicates a mpm-context for each | ||
395 | # group head. "auto" lets the engine decide the distribution of contexts | ||
396 | # based on the information the engine gathers on the patterns from each | ||
397 | # group head. | ||
398 | # | ||
399 | # The option inspection-recursion-limit is used to limit the recursive calls | ||
400 | # in the content inspection code. For certain payload-sig combinations, we | ||
401 | # might end up taking too much time in the content inspection code. | ||
402 | # If the argument specified is 0, the engine uses an internally defined | ||
403 | # default limit. On not specifying a value, we use no limits on the recursion. | ||
404 | detect-engine: | ||
405 | - profile: medium | ||
406 | - custom-values: | ||
407 | toclient-src-groups: 2 | ||
408 | toclient-dst-groups: 2 | ||
409 | toclient-sp-groups: 2 | ||
410 | toclient-dp-groups: 3 | ||
411 | toserver-src-groups: 2 | ||
412 | toserver-dst-groups: 4 | ||
413 | toserver-sp-groups: 2 | ||
414 | toserver-dp-groups: 25 | ||
415 | - sgh-mpm-context: auto | ||
416 | - inspection-recursion-limit: 3000 | ||
417 | # When rule-reload is enabled, sending a USR2 signal to the Suricata process | ||
418 | # will trigger a live rule reload. Experimental feature, use with care. | ||
419 | #- rule-reload: true | ||
420 | # If set to yes, the loading of signatures will be made after the capture | ||
421 | # is started. This will limit the downtime in IPS mode. | ||
422 | #- delayed-detect: yes | ||
423 | |||
424 | # Suricata is multi-threaded. Here the threading can be influenced. | ||
425 | threading: | ||
426 | # On some cpu's/architectures it is beneficial to tie individual threads | ||
427 | # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, | ||
428 | # and each extra CPU/core has one "detect" thread. | ||
429 | # | ||
430 | # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. | ||
431 | # | ||
432 | set-cpu-affinity: no | ||
433 | # Tune cpu affinity of suricata threads. Each family of threads can be bound | ||
434 | # on specific CPUs. | ||
435 | cpu-affinity: | ||
436 | - management-cpu-set: | ||
437 | cpu: [ 0 ] # include only these cpus in affinity settings | ||
438 | - receive-cpu-set: | ||
439 | cpu: [ 0 ] # include only these cpus in affinity settings | ||
440 | - decode-cpu-set: | ||
441 | cpu: [ 0, 1 ] | ||
442 | mode: "balanced" | ||
443 | - stream-cpu-set: | ||
444 | cpu: [ "0-1" ] | ||
445 | - detect-cpu-set: | ||
446 | cpu: [ "all" ] | ||
447 | mode: "exclusive" # run detect threads in these cpus | ||
448 | # Use explicitely 3 threads and don't compute number by using | ||
449 | # detect-thread-ratio variable: | ||
450 | # threads: 3 | ||
451 | prio: | ||
452 | low: [ 0 ] | ||
453 | medium: [ "1-2" ] | ||
454 | high: [ 3 ] | ||
455 | default: "medium" | ||
456 | - verdict-cpu-set: | ||
457 | cpu: [ 0 ] | ||
458 | prio: | ||
459 | default: "high" | ||
460 | - reject-cpu-set: | ||
461 | cpu: [ 0 ] | ||
462 | prio: | ||
463 | default: "low" | ||
464 | - output-cpu-set: | ||
465 | cpu: [ "all" ] | ||
466 | prio: | ||
467 | default: "medium" | ||
468 | # | ||
469 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | ||
470 | # This setting allows controlling this behaviour. A ratio setting of 2 will | ||
471 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | ||
472 | # will result in 4 detect threads. If values below 1 are used, less threads | ||
473 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | ||
474 | # thread being created. Regardless of the setting at a minimum 1 detect | ||
475 | # thread will always be created. | ||
476 | # | ||
477 | detect-thread-ratio: 1.5 | ||
478 | |||
479 | # Cuda configuration. | ||
480 | cuda: | ||
481 | # The "mpm" profile. On not specifying any of these parameters, the engine's | ||
482 | # internal default values are used, which are same as the ones specified in | ||
483 | # in the default conf file. | ||
484 | mpm: | ||
485 | # The minimum length required to buffer data to the gpu. | ||
486 | # Anything below this is MPM'ed on the CPU. | ||
487 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. | ||
488 | # A value of 0 indicates there's no limit. | ||
489 | data-buffer-size-min-limit: 0 | ||
490 | # The maximum length for data that we would buffer to the gpu. | ||
491 | # Anything over this is MPM'ed on the CPU. | ||
492 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. | ||
493 | data-buffer-size-max-limit: 1500 | ||
494 | # The ring buffer size used by the CudaBuffer API to buffer data. | ||
495 | cudabuffer-buffer-size: 500mb | ||
496 | # The max chunk size that can be sent to the gpu in a single go. | ||
497 | gpu-transfer-size: 50mb | ||
498 | # The timeout limit for batching of packets in microseconds. | ||
499 | batching-timeout: 2000 | ||
500 | # The device to use for the mpm. Currently we don't support load balancing | ||
501 | # on multiple gpus. In case you have multiple devices on your system, you | ||
502 | # can specify the device to use, using this conf. By default we hold 0, to | ||
503 | # specify the first device cuda sees. To find out device-id associated with | ||
504 | # the card(s) on the system run "suricata --list-cuda-cards". | ||
505 | device-id: 0 | ||
506 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid. | ||
507 | # For this option you need a device with Compute Capability > 1.0. | ||
508 | cuda-streams: 2 | ||
509 | |||
510 | # Select the multi pattern algorithm you want to run for scan/search the | ||
511 | # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, | ||
512 | # ac and ac-gfbs. | ||
513 | # | ||
514 | # The mpm you choose also decides the distribution of mpm contexts for | ||
515 | # signature groups, specified by the conf - "detect-engine.sgh-mpm-context". | ||
516 | # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" | ||
517 | # to be set to "single", because of ac's memory requirements, unless the | ||
518 | # ruleset is small enough to fit in one's memory, in which case one can | ||
519 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. | ||
520 | # | ||
521 | # There is also a CUDA pattern matcher (only available if Suricata was | ||
522 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your | ||
523 | # max-pending-packets setting above as well if you use b2g_cuda. | ||
524 | |||
525 | mpm-algo: ac | ||
526 | |||
527 | # The memory settings for hash size of these algorithms can vary from lowest | ||
528 | # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max | ||
529 | # (65536). The bloomfilter sizes of these algorithms can vary from low (512) - | ||
530 | # medium (1024) - high (2048). | ||
531 | # | ||
532 | # For B2g/B3g algorithms, there is a support for two different scan/search | ||
533 | # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and | ||
534 | # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms | ||
535 | # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & | ||
536 | # B3gSearchBNDMq. | ||
537 | # | ||
538 | # For B2g the different scan/search algorithms and, hash and bloom | ||
539 | # filter size settings. For B3g the different scan/search algorithms and, hash | ||
540 | # and bloom filter size settings. For wumanber the hash and bloom filter size | ||
541 | # settings. | ||
542 | |||
543 | pattern-matcher: | ||
544 | - b2gc: | ||
545 | search-algo: B2gSearchBNDMq | ||
546 | hash-size: low | ||
547 | bf-size: medium | ||
548 | - b2gm: | ||
549 | search-algo: B2gSearchBNDMq | ||
550 | hash-size: low | ||
551 | bf-size: medium | ||
552 | - b2g: | ||
553 | search-algo: B2gSearchBNDMq | ||
554 | hash-size: low | ||
555 | bf-size: medium | ||
556 | - b3g: | ||
557 | search-algo: B3gSearchBNDMq | ||
558 | hash-size: low | ||
559 | bf-size: medium | ||
560 | - wumanber: | ||
561 | hash-size: low | ||
562 | bf-size: medium | ||
563 | |||
564 | # Defrag settings: | ||
565 | |||
566 | defrag: | ||
567 | memcap: 32mb | ||
568 | hash-size: 65536 | ||
569 | trackers: 65535 # number of defragmented flows to follow | ||
570 | max-frags: 65535 # number of fragments to keep (higher than trackers) | ||
571 | prealloc: yes | ||
572 | timeout: 60 | ||
573 | |||
574 | # Enable defrag per host settings | ||
575 | # host-config: | ||
576 | # | ||
577 | # - dmz: | ||
578 | # timeout: 30 | ||
579 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] | ||
580 | # | ||
581 | # - lan: | ||
582 | # timeout: 45 | ||
583 | # address: | ||
584 | # - 192.168.0.0/24 | ||
585 | # - 192.168.10.0/24 | ||
586 | # - 172.16.14.0/24 | ||
587 | |||
588 | # Flow settings: | ||
589 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | ||
590 | # for flow allocation inside the engine. You can change this value to allow | ||
591 | # more memory usage for flows. | ||
592 | # The hash-size determine the size of the hash used to identify flows inside | ||
593 | # the engine, and by default the value is 65536. | ||
594 | # At the startup, the engine can preallocate a number of flows, to get a better | ||
595 | # performance. The number of flows preallocated is 10000 by default. | ||
596 | # emergency-recovery is the percentage of flows that the engine need to | ||
597 | # prune before unsetting the emergency state. The emergency state is activated | ||
598 | # when the memcap limit is reached, allowing to create new flows, but | ||
599 | # prunning them with the emergency timeouts (they are defined below). | ||
600 | # If the memcap is reached, the engine will try to prune flows | ||
601 | # with the default timeouts. If it doens't find a flow to prune, it will set | ||
602 | # the emergency bit and it will try again with more agressive timeouts. | ||
603 | # If that doesn't work, then it will try to kill the last time seen flows | ||
604 | # not in use. | ||
605 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's | ||
606 | # in bytes. | ||
607 | |||
608 | flow: | ||
609 | memcap: 64mb | ||
610 | hash-size: 65536 | ||
611 | prealloc: 10000 | ||
612 | emergency-recovery: 30 | ||
613 | |||
614 | # This option controls the use of vlan ids in the flow (and defrag) | ||
615 | # hashing. Normally this should be enabled, but in some (broken) | ||
616 | # setups where both sides of a flow are not tagged with the same vlan | ||
617 | # tag, we can ignore the vlan id's in the flow hashing. | ||
618 | vlan: | ||
619 | use-for-tracking: true | ||
620 | |||
621 | # Specific timeouts for flows. Here you can specify the timeouts that the | ||
622 | # active flows will wait to transit from the current state to another, on each | ||
623 | # protocol. The value of "new" determine the seconds to wait after a hanshake or | ||
624 | # stream startup before the engine free the data of that flow it doesn't | ||
625 | # change the state to established (usually if we don't receive more packets | ||
626 | # of that flow). The value of "established" is the amount of | ||
627 | # seconds that the engine will wait to free the flow if it spend that amount | ||
628 | # without receiving new packets or closing the connection. "closed" is the | ||
629 | # amount of time to wait after a flow is closed (usually zero). | ||
630 | # | ||
631 | # There's an emergency mode that will become active under attack circumstances, | ||
632 | # making the engine to check flow status faster. This configuration variables | ||
633 | # use the prefix "emergency-" and work similar as the normal ones. | ||
634 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and | ||
635 | # icmp. | ||
636 | |||
637 | flow-timeouts: | ||
638 | |||
639 | default: | ||
640 | new: 30 | ||
641 | established: 300 | ||
642 | closed: 0 | ||
643 | emergency-new: 10 | ||
644 | emergency-established: 100 | ||
645 | emergency-closed: 0 | ||
646 | tcp: | ||
647 | new: 60 | ||
648 | established: 3600 | ||
649 | closed: 120 | ||
650 | emergency-new: 10 | ||
651 | emergency-established: 300 | ||
652 | emergency-closed: 20 | ||
653 | udp: | ||
654 | new: 30 | ||
655 | established: 300 | ||
656 | emergency-new: 10 | ||
657 | emergency-established: 100 | ||
658 | icmp: | ||
659 | new: 30 | ||
660 | established: 300 | ||
661 | emergency-new: 10 | ||
662 | emergency-established: 100 | ||
663 | |||
664 | # Stream engine settings. Here the TCP stream tracking and reassembly | ||
665 | # engine is configured. | ||
666 | # | ||
667 | # stream: | ||
668 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a | ||
669 | # # number indicates it's in bytes. | ||
670 | # checksum-validation: yes # To validate the checksum of received | ||
671 | # # packet. If csum validation is specified as | ||
672 | # # "yes", then packet with invalid csum will not | ||
673 | # # be processed by the engine stream/app layer. | ||
674 | # # Warning: locally generated trafic can be | ||
675 | # # generated without checksum due to hardware offload | ||
676 | # # of checksum. You can control the handling of checksum | ||
677 | # # on a per-interface basis via the 'checksum-checks' | ||
678 | # # option | ||
679 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread | ||
680 | # midstream: false # don't allow midstream session pickups | ||
681 | # async-oneside: false # don't enable async stream handling | ||
682 | # inline: no # stream inline mode | ||
683 | # max-synack-queued: 5 # Max different SYN/ACKs to queue | ||
684 | # | ||
685 | # reassembly: | ||
686 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number | ||
687 | # # indicates it's in bytes. | ||
688 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number | ||
689 | # # indicates it's in bytes. | ||
690 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least | ||
691 | # # this size. Can be specified in kb, mb, | ||
692 | # # gb. Just a number indicates it's in bytes. | ||
693 | # # The max acceptable size is 4024 bytes. | ||
694 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least | ||
695 | # # this size. Can be specified in kb, mb, | ||
696 | # # gb. Just a number indicates it's in bytes. | ||
697 | # # The max acceptable size is 4024 bytes. | ||
698 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. | ||
699 | # # This lower the risk of some evasion technics but could lead | ||
700 | # # detection change between runs. It is set to 'yes' by default. | ||
701 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is | ||
702 | # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size | ||
703 | # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value | ||
704 | # # of randomize-chunk-range is 10. | ||
705 | # | ||
706 | # raw: yes # 'Raw' reassembly enabled or disabled. | ||
707 | # # raw is for content inspection by detection | ||
708 | # # engine. | ||
709 | # | ||
710 | # chunk-prealloc: 250 # Number of preallocated stream chunks. These | ||
711 | # # are used during stream inspection (raw). | ||
712 | # segments: # Settings for reassembly segment pool. | ||
713 | # - size: 4 # Size of the (data)segment for a pool | ||
714 | # prealloc: 256 # Number of segments to prealloc and keep | ||
715 | # # in the pool. | ||
716 | # | ||
717 | stream: | ||
718 | memcap: 32mb | ||
719 | checksum-validation: yes # reject wrong csums | ||
720 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically | ||
721 | reassembly: | ||
722 | memcap: 128mb | ||
723 | depth: 1mb # reassemble 1mb into a stream | ||
724 | toserver-chunk-size: 2560 | ||
725 | toclient-chunk-size: 2560 | ||
726 | randomize-chunk-size: yes | ||
727 | #randomize-chunk-range: 10 | ||
728 | #raw: yes | ||
729 | #chunk-prealloc: 250 | ||
730 | #segments: | ||
731 | # - size: 4 | ||
732 | # prealloc: 256 | ||
733 | # - size: 16 | ||
734 | # prealloc: 512 | ||
735 | # - size: 112 | ||
736 | # prealloc: 512 | ||
737 | # - size: 248 | ||
738 | # prealloc: 512 | ||
739 | # - size: 512 | ||
740 | # prealloc: 512 | ||
741 | # - size: 768 | ||
742 | # prealloc: 1024 | ||
743 | # - size: 1448 | ||
744 | # prealloc: 1024 | ||
745 | # - size: 65535 | ||
746 | # prealloc: 128 | ||
747 | |||
748 | # Host table: | ||
749 | # | ||
750 | # Host table is used by tagging and per host thresholding subsystems. | ||
751 | # | ||
752 | host: | ||
753 | hash-size: 4096 | ||
754 | prealloc: 1000 | ||
755 | memcap: 16777216 | ||
756 | |||
757 | # Logging configuration. This is not about logging IDS alerts, but | ||
758 | # IDS output about what its doing, errors, etc. | ||
759 | logging: | ||
760 | |||
761 | # The default log level, can be overridden in an output section. | ||
762 | # Note that debug level logging will only be emitted if Suricata was | ||
763 | # compiled with the --enable-debug configure option. | ||
764 | # | ||
765 | # This value is overriden by the SC_LOG_LEVEL env var. | ||
766 | default-log-level: notice | ||
767 | |||
768 | # The default output format. Optional parameter, should default to | ||
769 | # something reasonable if not provided. Can be overriden in an | ||
770 | # output section. You can leave this out to get the default. | ||
771 | # | ||
772 | # This value is overriden by the SC_LOG_FORMAT env var. | ||
773 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " | ||
774 | |||
775 | # A regex to filter output. Can be overridden in an output section. | ||
776 | # Defaults to empty (no filter). | ||
777 | # | ||
778 | # This value is overriden by the SC_LOG_OP_FILTER env var. | ||
779 | default-output-filter: | ||
780 | |||
781 | # Define your logging outputs. If none are defined, or they are all | ||
782 | # disabled you will get the default - console output. | ||
783 | outputs: | ||
784 | - console: | ||
785 | enabled: yes | ||
786 | - file: | ||
787 | enabled: no | ||
788 | filename: /var/log/suricata.log | ||
789 | - syslog: | ||
790 | enabled: yes | ||
791 | facility: local5 | ||
792 | format: "[%i] <%d> -- " | ||
793 | |||
794 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. | ||
795 | mpipe: | ||
796 | |||
797 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". | ||
798 | load-balance: dynamic | ||
799 | |||
800 | # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 | ||
801 | iqueue-packets: 2048 | ||
802 | |||
803 | # List of interfaces we will listen on. | ||
804 | inputs: | ||
805 | - interface: xgbe2 | ||
806 | - interface: xgbe3 | ||
807 | - interface: xgbe4 | ||
808 | |||
809 | |||
810 | # Relative weight of memory for packets of each mPipe buffer size. | ||
811 | stack: | ||
812 | size128: 0 | ||
813 | size256: 9 | ||
814 | size512: 0 | ||
815 | size1024: 0 | ||
816 | size1664: 7 | ||
817 | size4096: 0 | ||
818 | size10386: 0 | ||
819 | size16384: 0 | ||
820 | |||
821 | # PF_RING configuration. for use with native PF_RING support | ||
822 | # for more info see http://www.ntop.org/PF_RING.html | ||
823 | pfring: | ||
824 | - interface: eth0 | ||
825 | # Number of receive threads (>1 will enable experimental flow pinned | ||
826 | # runmode) | ||
827 | threads: 1 | ||
828 | |||
829 | # Default clusterid. PF_RING will load balance packets based on flow. | ||
830 | # All threads/processes that will participate need to have the same | ||
831 | # clusterid. | ||
832 | cluster-id: 99 | ||
833 | |||
834 | # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. | ||
835 | # This is only supported in versions of PF_RING > 4.1.1. | ||
836 | cluster-type: cluster_flow | ||
837 | # bpf filter for this interface | ||
838 | #bpf-filter: tcp | ||
839 | # Choose checksum verification mode for the interface. At the moment | ||
840 | # of the capture, some packets may be with an invalid checksum due to | ||
841 | # offloading to the network card of the checksum computation. | ||
842 | # Possible values are: | ||
843 | # - rxonly: only compute checksum for packets received by network card. | ||
844 | # - yes: checksum validation is forced | ||
845 | # - no: checksum validation is disabled | ||
846 | # - auto: suricata uses a statistical approach to detect when | ||
847 | # checksum off-loading is used. (default) | ||
848 | # Warning: 'checksum-validation' must be set to yes to have any validation | ||
849 | #checksum-checks: auto | ||
850 | # Second interface | ||
851 | #- interface: eth1 | ||
852 | # threads: 3 | ||
853 | # cluster-id: 93 | ||
854 | # cluster-type: cluster_flow | ||
855 | # Put default values here | ||
856 | - interface: default | ||
857 | #threads: 2 | ||
858 | |||
859 | pcap: | ||
860 | - interface: eth0 | ||
861 | # On Linux, pcap will try to use mmaped capture and will use buffer-size | ||
862 | # as total of memory used by the ring. So set this to something bigger | ||
863 | # than 1% of your bandwidth. | ||
864 | #buffer-size: 16777216 | ||
865 | #bpf-filter: "tcp and port 25" | ||
866 | # Choose checksum verification mode for the interface. At the moment | ||
867 | # of the capture, some packets may be with an invalid checksum due to | ||
868 | # offloading to the network card of the checksum computation. | ||
869 | # Possible values are: | ||
870 | # - yes: checksum validation is forced | ||
871 | # - no: checksum validation is disabled | ||
872 | # - auto: suricata uses a statistical approach to detect when | ||
873 | # checksum off-loading is used. (default) | ||
874 | # Warning: 'checksum-validation' must be set to yes to have any validation | ||
875 | #checksum-checks: auto | ||
876 | # With some accelerator cards using a modified libpcap (like myricom), you | ||
877 | # may want to have the same number of capture threads as the number of capture | ||
878 | # rings. In this case, set up the threads variable to N to start N threads | ||
879 | # listening on the same interface. | ||
880 | #threads: 16 | ||
881 | # set to no to disable promiscuous mode: | ||
882 | #promisc: no | ||
883 | # set snaplen, if not set it defaults to MTU if MTU can be known | ||
884 | # via ioctl call and to full capture if not. | ||
885 | #snaplen: 1518 | ||
886 | # Put default values here | ||
887 | - interface: default | ||
888 | #checksum-checks: auto | ||
889 | |||
890 | pcap-file: | ||
891 | # Possible values are: | ||
892 | # - yes: checksum validation is forced | ||
893 | # - no: checksum validation is disabled | ||
894 | # - auto: suricata uses a statistical approach to detect when | ||
895 | # checksum off-loading is used. (default) | ||
896 | # Warning: 'checksum-validation' must be set to yes to have checksum tested | ||
897 | checksum-checks: auto | ||
898 | |||
899 | # For FreeBSD ipfw(8) divert(4) support. | ||
900 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" | ||
901 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. | ||
902 | # Additionally, you need to have an ipfw rule for the engine to see | ||
903 | # the packets from ipfw. For Example: | ||
904 | # | ||
905 | # ipfw add 100 divert 8000 ip from any to any | ||
906 | # | ||
907 | # The 8000 above should be the same number you passed on the command | ||
908 | # line, i.e. -d 8000 | ||
909 | # | ||
910 | ipfw: | ||
911 | |||
912 | # Reinject packets at the specified ipfw rule number. This config | ||
913 | # option is the ipfw rule number AT WHICH rule processing continues | ||
914 | # in the ipfw processing system after the engine has finished | ||
915 | # inspecting the packet for acceptance. If no rule number is specified, | ||
916 | # accepted packets are reinjected at the divert rule which they entered | ||
917 | # and IPFW rule processing continues. No check is done to verify | ||
918 | # this will rule makes sense so care must be taken to avoid loops in ipfw. | ||
919 | # | ||
920 | ## The following example tells the engine to reinject packets | ||
921 | # back into the ipfw firewall AT rule number 5500: | ||
922 | # | ||
923 | # ipfw-reinjection-rule-number: 5500 | ||
924 | |||
925 | # Set the default rule path here to search for the files. | ||
926 | # if not set, it will look at the current working dir | ||
927 | default-rule-path: /etc/suricata/rules | ||
928 | rule-files: | ||
929 | - botcc.rules | ||
930 | - ciarmy.rules | ||
931 | - compromised.rules | ||
932 | - drop.rules | ||
933 | - dshield.rules | ||
934 | - emerging-activex.rules | ||
935 | - emerging-attack_response.rules | ||
936 | - emerging-chat.rules | ||
937 | - emerging-current_events.rules | ||
938 | - emerging-dns.rules | ||
939 | - emerging-dos.rules | ||
940 | - emerging-exploit.rules | ||
941 | - emerging-ftp.rules | ||
942 | - emerging-games.rules | ||
943 | - emerging-icmp_info.rules | ||
944 | # - emerging-icmp.rules | ||
945 | - emerging-imap.rules | ||
946 | - emerging-inappropriate.rules | ||
947 | - emerging-malware.rules | ||
948 | - emerging-misc.rules | ||
949 | - emerging-mobile_malware.rules | ||
950 | - emerging-netbios.rules | ||
951 | - emerging-p2p.rules | ||
952 | - emerging-policy.rules | ||
953 | - emerging-pop3.rules | ||
954 | - emerging-rpc.rules | ||
955 | - emerging-scada.rules | ||
956 | - emerging-scan.rules | ||
957 | - emerging-shellcode.rules | ||
958 | - emerging-smtp.rules | ||
959 | - emerging-snmp.rules | ||
960 | - emerging-sql.rules | ||
961 | - emerging-telnet.rules | ||
962 | - emerging-tftp.rules | ||
963 | - emerging-trojan.rules | ||
964 | - emerging-user_agents.rules | ||
965 | - emerging-voip.rules | ||
966 | - emerging-web_client.rules | ||
967 | - emerging-web_server.rules | ||
968 | - emerging-web_specific_apps.rules | ||
969 | - emerging-worm.rules | ||
970 | - tor.rules | ||
971 | - decoder-events.rules # available in suricata sources under rules dir | ||
972 | - stream-events.rules # available in suricata sources under rules dir | ||
973 | - http-events.rules # available in suricata sources under rules dir | ||
974 | - smtp-events.rules # available in suricata sources under rules dir | ||
975 | - dns-events.rules # available in suricata sources under rules dir | ||
976 | - tls-events.rules # available in suricata sources under rules dir | ||
977 | |||
978 | classification-file: /etc/suricata/classification.config | ||
979 | reference-config-file: /etc/suricata/reference.config | ||
980 | |||
981 | # Holds variables that would be used by the engine. | ||
982 | vars: | ||
983 | |||
984 | # Holds the address group vars that would be passed in a Signature. | ||
985 | # These would be retrieved during the Signature address parsing stage. | ||
986 | address-groups: | ||
987 | |||
988 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" | ||
989 | |||
990 | EXTERNAL_NET: "!$HOME_NET" | ||
991 | |||
992 | HTTP_SERVERS: "$HOME_NET" | ||
993 | |||
994 | SMTP_SERVERS: "$HOME_NET" | ||
995 | |||
996 | SQL_SERVERS: "$HOME_NET" | ||
997 | |||
998 | DNS_SERVERS: "$HOME_NET" | ||
999 | |||
1000 | TELNET_SERVERS: "$HOME_NET" | ||
1001 | |||
1002 | AIM_SERVERS: "$EXTERNAL_NET" | ||
1003 | |||
1004 | DNP3_SERVER: "$HOME_NET" | ||
1005 | |||
1006 | DNP3_CLIENT: "$HOME_NET" | ||
1007 | |||
1008 | MODBUS_CLIENT: "$HOME_NET" | ||
1009 | |||
1010 | MODBUS_SERVER: "$HOME_NET" | ||
1011 | |||
1012 | ENIP_CLIENT: "$HOME_NET" | ||
1013 | |||
1014 | ENIP_SERVER: "$HOME_NET" | ||
1015 | |||
1016 | # Holds the port group vars that would be passed in a Signature. | ||
1017 | # These would be retrieved during the Signature port parsing stage. | ||
1018 | port-groups: | ||
1019 | |||
1020 | HTTP_PORTS: "80" | ||
1021 | |||
1022 | SHELLCODE_PORTS: "!80" | ||
1023 | |||
1024 | ORACLE_PORTS: 1521 | ||
1025 | |||
1026 | SSH_PORTS: 22 | ||
1027 | |||
1028 | DNP3_PORTS: 20000 | ||
1029 | |||
1030 | # Set the order of alerts bassed on actions | ||
1031 | # The default order is pass, drop, reject, alert | ||
1032 | action-order: | ||
1033 | - pass | ||
1034 | - drop | ||
1035 | - reject | ||
1036 | - alert | ||
1037 | |||
1038 | # IP Reputation | ||
1039 | #reputation-categories-file: /etc/suricata/iprep/categories.txt | ||
1040 | #default-reputation-path: /etc/suricata/iprep | ||
1041 | #reputation-files: | ||
1042 | # - reputation.list | ||
1043 | |||
1044 | # Host specific policies for defragmentation and TCP stream | ||
1045 | # reassembly. The host OS lookup is done using a radix tree, just | ||
1046 | # like a routing table so the most specific entry matches. | ||
1047 | host-os-policy: | ||
1048 | # Make the default policy windows. | ||
1049 | windows: [0.0.0.0/0] | ||
1050 | bsd: [] | ||
1051 | bsd-right: [] | ||
1052 | old-linux: [] | ||
1053 | linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] | ||
1054 | old-solaris: [] | ||
1055 | solaris: ["::1"] | ||
1056 | hpux10: [] | ||
1057 | hpux11: [] | ||
1058 | irix: [] | ||
1059 | macos: [] | ||
1060 | vista: [] | ||
1061 | windows2k3: [] | ||
1062 | |||
1063 | |||
1064 | # Limit for the maximum number of asn1 frames to decode (default 256) | ||
1065 | asn1-max-frames: 256 | ||
1066 | |||
1067 | # When run with the option --engine-analysis, the engine will read each of | ||
1068 | # the parameters below, and print reports for each of the enabled sections | ||
1069 | # and exit. The reports are printed to a file in the default log dir | ||
1070 | # given by the parameter "default-log-dir", with engine reporting | ||
1071 | # subsection below printing reports in its own report file. | ||
1072 | engine-analysis: | ||
1073 | # enables printing reports for fast-pattern for every rule. | ||
1074 | rules-fast-pattern: yes | ||
1075 | # enables printing reports for each rule | ||
1076 | rules: yes | ||
1077 | |||
1078 | #recursion and match limits for PCRE where supported | ||
1079 | pcre: | ||
1080 | match-limit: 3500 | ||
1081 | match-limit-recursion: 1500 | ||
1082 | |||
1083 | # Holds details on the app-layer. The protocols section details each protocol. | ||
1084 | # Under each protocol, the default value for detection-enabled and " | ||
1085 | # parsed-enabled is yes, unless specified otherwise. | ||
1086 | # Each protocol covers enabling/disabling parsers for all ipprotos | ||
1087 | # the app-layer protocol runs on. For example "dcerpc" refers to the tcp | ||
1088 | # version of the protocol as well as the udp version of the protocol. | ||
1089 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | ||
1090 | # "yes" enables both detection and the parser, "no" disables both, and | ||
1091 | # "detection-only" enables detection only(parser disabled). | ||
1092 | app-layer: | ||
1093 | protocols: | ||
1094 | tls: | ||
1095 | enabled: yes | ||
1096 | detection-ports: | ||
1097 | dp: 443 | ||
1098 | |||
1099 | #no-reassemble: yes | ||
1100 | dcerpc: | ||
1101 | enabled: yes | ||
1102 | ftp: | ||
1103 | enabled: yes | ||
1104 | ssh: | ||
1105 | enabled: yes | ||
1106 | smtp: | ||
1107 | enabled: yes | ||
1108 | imap: | ||
1109 | enabled: detection-only | ||
1110 | msn: | ||
1111 | enabled: detection-only | ||
1112 | smb: | ||
1113 | enabled: yes | ||
1114 | detection-ports: | ||
1115 | dp: 139 | ||
1116 | # smb2 detection is disabled internally inside the engine. | ||
1117 | #smb2: | ||
1118 | # enabled: yes | ||
1119 | dns: | ||
1120 | # memcaps. Globally and per flow/state. | ||
1121 | #global-memcap: 16mb | ||
1122 | #state-memcap: 512kb | ||
1123 | |||
1124 | # How many unreplied DNS requests are considered a flood. | ||
1125 | # If the limit is reached, app-layer-event:dns.flooded; will match. | ||
1126 | #request-flood: 500 | ||
1127 | |||
1128 | tcp: | ||
1129 | enabled: yes | ||
1130 | detection-ports: | ||
1131 | dp: 53 | ||
1132 | udp: | ||
1133 | enabled: yes | ||
1134 | detection-ports: | ||
1135 | dp: 53 | ||
1136 | http: | ||
1137 | enabled: yes | ||
1138 | # memcap: 64mb | ||
1139 | |||
1140 | ########################################################################### | ||
1141 | # Configure libhtp. | ||
1142 | # | ||
1143 | # | ||
1144 | # default-config: Used when no server-config matches | ||
1145 | # personality: List of personalities used by default | ||
1146 | # request-body-limit: Limit reassembly of request body for inspection | ||
1147 | # by http_client_body & pcre /P option. | ||
1148 | # response-body-limit: Limit reassembly of response body for inspection | ||
1149 | # by file_data, http_server_body & pcre /Q option. | ||
1150 | # double-decode-path: Double decode path section of the URI | ||
1151 | # double-decode-query: Double decode query section of the URI | ||
1152 | # | ||
1153 | # server-config: List of server configurations to use if address matches | ||
1154 | # address: List of ip addresses or networks for this block | ||
1155 | # personalitiy: List of personalities used by this block | ||
1156 | # request-body-limit: Limit reassembly of request body for inspection | ||
1157 | # by http_client_body & pcre /P option. | ||
1158 | # response-body-limit: Limit reassembly of response body for inspection | ||
1159 | # by file_data, http_server_body & pcre /Q option. | ||
1160 | # double-decode-path: Double decode path section of the URI | ||
1161 | # double-decode-query: Double decode query section of the URI | ||
1162 | # | ||
1163 | # uri-include-all: Include all parts of the URI. By default the | ||
1164 | # 'scheme', username/password, hostname and port | ||
1165 | # are excluded. Setting this option to true adds | ||
1166 | # all of them to the normalized uri as inspected | ||
1167 | # by http_uri, urilen, pcre with /U and the other | ||
1168 | # keywords that inspect the normalized uri. | ||
1169 | # Note that this does not affect http_raw_uri. | ||
1170 | # Also, note that including all was the default in | ||
1171 | # 1.4 and 2.0beta1. | ||
1172 | # | ||
1173 | # meta-field-limit: Hard size limit for request and response size | ||
1174 | # limits. Applies to request line and headers, | ||
1175 | # response line and headers. Does not apply to | ||
1176 | # request or response bodies. Default is 18k. | ||
1177 | # If this limit is reached an event is raised. | ||
1178 | # | ||
1179 | # Currently Available Personalities: | ||
1180 | # Minimal | ||
1181 | # Generic | ||
1182 | # IDS (default) | ||
1183 | # IIS_4_0 | ||
1184 | # IIS_5_0 | ||
1185 | # IIS_5_1 | ||
1186 | # IIS_6_0 | ||
1187 | # IIS_7_0 | ||
1188 | # IIS_7_5 | ||
1189 | # Apache_2 | ||
1190 | ########################################################################### | ||
1191 | libhtp: | ||
1192 | |||
1193 | default-config: | ||
1194 | personality: IDS | ||
1195 | |||
1196 | # Can be specified in kb, mb, gb. Just a number indicates | ||
1197 | # it's in bytes. | ||
1198 | request-body-limit: 3072 | ||
1199 | response-body-limit: 3072 | ||
1200 | |||
1201 | # inspection limits | ||
1202 | request-body-minimal-inspect-size: 32kb | ||
1203 | request-body-inspect-window: 4kb | ||
1204 | response-body-minimal-inspect-size: 32kb | ||
1205 | response-body-inspect-window: 4kb | ||
1206 | # Take a random value for inspection sizes around the specified value. | ||
1207 | # This lower the risk of some evasion technics but could lead | ||
1208 | # detection change between runs. It is set to 'yes' by default. | ||
1209 | #randomize-inspection-sizes: yes | ||
1210 | # If randomize-inspection-sizes is active, the value of various | ||
1211 | # inspection size will be choosen in the [1 - range%, 1 + range%] | ||
1212 | # range | ||
1213 | # Default value of randomize-inspection-range is 10. | ||
1214 | #randomize-inspection-range: 10 | ||
1215 | |||
1216 | # decoding | ||
1217 | double-decode-path: no | ||
1218 | double-decode-query: no | ||
1219 | |||
1220 | server-config: | ||
1221 | |||
1222 | #- apache: | ||
1223 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] | ||
1224 | # personality: Apache_2 | ||
1225 | # # Can be specified in kb, mb, gb. Just a number indicates | ||
1226 | # # it's in bytes. | ||
1227 | # request-body-limit: 4096 | ||
1228 | # response-body-limit: 4096 | ||
1229 | # double-decode-path: no | ||
1230 | # double-decode-query: no | ||
1231 | |||
1232 | #- iis7: | ||
1233 | # address: | ||
1234 | # - 192.168.0.0/24 | ||
1235 | # - 192.168.10.0/24 | ||
1236 | # personality: IIS_7_0 | ||
1237 | # # Can be specified in kb, mb, gb. Just a number indicates | ||
1238 | # # it's in bytes. | ||
1239 | # request-body-limit: 4096 | ||
1240 | # response-body-limit: 4096 | ||
1241 | # double-decode-path: no | ||
1242 | # double-decode-query: no | ||
1243 | |||
1244 | # Profiling settings. Only effective if Suricata has been built with the | ||
1245 | # the --enable-profiling configure flag. | ||
1246 | # | ||
1247 | profiling: | ||
1248 | # Run profiling for every xth packet. The default is 1, which means we | ||
1249 | # profile every packet. If set to 1000, one packet is profiled for every | ||
1250 | # 1000 received. | ||
1251 | #sample-rate: 1000 | ||
1252 | |||
1253 | # rule profiling | ||
1254 | rules: | ||
1255 | |||
1256 | # Profiling can be disabled here, but it will still have a | ||
1257 | # performance impact if compiled in. | ||
1258 | enabled: yes | ||
1259 | filename: rule_perf.log | ||
1260 | append: yes | ||
1261 | |||
1262 | # Sort options: ticks, avgticks, checks, matches, maxticks | ||
1263 | sort: avgticks | ||
1264 | |||
1265 | # Limit the number of items printed at exit. | ||
1266 | limit: 100 | ||
1267 | |||
1268 | # per keyword profiling | ||
1269 | keywords: | ||
1270 | enabled: yes | ||
1271 | filename: keyword_perf.log | ||
1272 | append: yes | ||
1273 | |||
1274 | # packet profiling | ||
1275 | packets: | ||
1276 | |||
1277 | # Profiling can be disabled here, but it will still have a | ||
1278 | # performance impact if compiled in. | ||
1279 | enabled: yes | ||
1280 | filename: packet_stats.log | ||
1281 | append: yes | ||
1282 | |||
1283 | # per packet csv output | ||
1284 | csv: | ||
1285 | |||
1286 | # Output can be disabled here, but it will still have a | ||
1287 | # performance impact if compiled in. | ||
1288 | enabled: no | ||
1289 | filename: packet_stats.csv | ||
1290 | |||
1291 | # profiling of locking. Only available when Suricata was built with | ||
1292 | # --enable-profiling-locks. | ||
1293 | locks: | ||
1294 | enabled: no | ||
1295 | filename: lock_stats.log | ||
1296 | append: yes | ||
1297 | |||
1298 | # Suricata core dump configuration. Limits the size of the core dump file to | ||
1299 | # approximately max-dump. The actual core dump size will be a multiple of the | ||
1300 | # page size. Core dumps that would be larger than max-dump are truncated. On | ||
1301 | # Linux, the actual core dump size may be a few pages larger than max-dump. | ||
1302 | # Setting max-dump to 0 disables core dumping. | ||
1303 | # Setting max-dump to 'unlimited' will give the full core dump file. | ||
1304 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | ||
1305 | # to be 'unlimited'. | ||
1306 | |||
1307 | coredump: | ||
1308 | max-dump: unlimited | ||
1309 | |||
1310 | napatech: | ||
1311 | # The Host Buffer Allowance for all streams | ||
1312 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) | ||
1313 | hba: -1 | ||
1314 | |||
1315 | # use_all_streams set to "yes" will query the Napatech service for all configured | ||
1316 | # streams and listen on all of them. When set to "no" the streams config array | ||
1317 | # will be used. | ||
1318 | use-all-streams: yes | ||
1319 | |||
1320 | # The streams to listen on | ||
1321 | streams: [1, 2, 3] | ||
1322 | |||
1323 | # Includes. Files included here will be handled as if they were | ||
1324 | # inlined in this configuration file. | ||
1325 | #include: include1.yaml | ||
1326 | #include: include2.yaml | ||
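--- /dev/null
+++ b/recipes-ids/suricata/files/volatiles.03_suricata
@@ -0,0 +1,2 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d root root 0755 /var/log/suricata none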
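Review bot: The log directory is provisioned as root:root 0755, so only root can write into it; if the daemon drops privileges to a dedicated user (the yaml's run-as section and the unit file are not in view here) its logs will fail to open. The yaml's own file log output in this commit (`filename: /var/log/suricata.log`, currently disabled) also points outside this directory, so enabling it later would not land in the volatile path; `/var/log/suricata/suricata.log` keeps everything under the directory this entry creates. A comment such as `# suricata log dir; owner must match the run-as user in suricata.yaml` would make the coupling visible.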
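--- /dev/null
+++ b/recipes-ids/suricata/libhtp_0.5.29.bb
@@ -0,0 +1,15 @@
+SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+DEPENDS = "zlib"
+
+inherit autotools pkgconfig
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+S = "${WORKDIR}/suricata-${VER}/${BPN}"
+
+RDEPENDS_${PN} += "zlib"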
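Review bot: `LIC_FILES_CHKSUM` points at `../LICENSE`, which is suricata's license file (the md5 is identical to the one in suricata_4.1.3.bb), while `LICENSE` arrives as `GPLv2` via `require suricata.inc`; libhtp carries its own LICENSE file under a BSD-style license as far as I recall, so this recipe both declares and verifies the wrong license and should set `LICENSE` itself and point `LIC_FILES_CHKSUM` at `file://LICENSE` inside `${S}` with that file's checksum. The 0.5.29 in the recipe name is never tied to anything fetched — the tarball checksums in suricata.inc pin suricata 4.1.3, and `S` simply takes whatever libhtp copy that tarball bundles — so a comment like `# built from the libhtp copy bundled in suricata-${VER}; PV must track that bundled version` is needed to keep the version honest. `CFLAGS += "-D_DEFAULT_SOURCE"` is duplicated verbatim in suricata_4.1.3.bb and belongs in suricata.inc, and `RDEPENDS_${PN} += "zlib"` is redundant with the automatic shared-library dependency.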
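--- /dev/null
+++ b/recipes-ids/suricata/suricata.inc
@@ -0,0 +1,9 @@
+HOMEPAGE = "http://suricata-ids.org/"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPLv2"
+
+VER = "4.1.3"
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
+
+SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df"
+SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0"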
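Review bot: `SRC_URI` fetches the release tarball over plain `http://`; the md5/sha256 pinned on the two lines below mean a modified download is rejected rather than built, so integrity is covered, but an https URL would also remove the cleartext fetch if the host serves it, which is worth checking: `SRC_URI = "https://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"`. `VER` is shared with libhtp_0.5.29.bb through `require suricata.inc`, so a version bump here moves both recipes and both checksums at once; a one-line comment above `VER` saying so would save the next upgrader a surprise.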
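--- /dev/null
+++ b/recipes-ids/suricata/suricata_4.1.3.bb
@@ -0,0 +1,97 @@
+SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRC_URI += "file://emerging.rules.tar.gz;name=rules"
+
+SRC_URI += " \
+file://volatiles.03_suricata \
+file://suricata.yaml \
+file://suricata.service \
+file://run-ptest \
+"
+
+SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
+SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
+
+inherit autotools-brokensep pkgconfig python3-dir systemd ptest
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
+ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
+
+EXTRA_OECONF += " --disable-debug \
+--enable-non-bundled-htp \
+--disable-gccmarch-native \
+--disable-suricata-update \
+"
+
+PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
+PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
+PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
+PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
+PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
+PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
+PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
+
+PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
+PACKAGECONFIG[file] = ",,file, file"
+PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
+PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
+
+export logdir = "${localstatedir}/log"
+
+do_install_append () {
+
+install -d ${D}${sysconfdir}/suricata
+
+oe_runmake install-conf DESTDIR=${D}
+
+# mimic move of downloaded rules to e_sysconfrulesdir
+cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
+
+oe_runmake install-rules DESTDIR=${D}
+
+install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
+install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
+
+install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+
+install -d ${D}${systemd_unitdir}/system
+sed -e s:/etc:${sysconfdir}:g \
+-e s:/var/run:/run:g \
+-e s:/var:${localstatedir}:g \
+-e s:/usr/bin:${bindir}:g \
+-e s:/bin/kill:${base_bindir}/kill:g \
+-e s:/usr/lib:${libdir}:g \
+${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+
+# Remove /var/run as it is created on startup
+rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+${sysconfdir}/init.d/populate-volatile.sh update
+fi
+}
+
+SYSTEMD_PACKAGES = "${PN}"
+
+PACKAGES =+ "${PN}-socketcontrol"
+FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+
+RDEPENDS_${PN}-python = "python"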
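Review bot: `file://suricata.yaml` is fetched via SRC_URI (line 11) and the installed path is declared in `CONFFILES_${PN}` (line 95), but `do_install_append` never installs it — `oe_runmake install-conf` on line 57 appears to install the tarball's own suricata.yaml, so the 1326-line configuration carried in this layer is fetched and then ignored unless install-conf picks it up, which is not visible from here. If the layer copy is the intended configuration, install it explicitly after install-conf: `install -m 0644 ${WORKDIR}/suricata.yaml ${D}${sysconfdir}/suricata/suricata.yaml`. Separately, `${PN}-socketcontrol` packages `${bindir}/suricatasc` and `${PYTHON_SITEPACKAGES_DIR}` with no `RDEPENDS_${PN}-socketcontrol`, while `RDEPENDS_${PN}-python = "python"` on line 97 names a package this recipe never defines; `RDEPENDS_${PN}-socketcontrol = "python3-core"` is presumably what was meant. The bundled emerging.rules.tar.gz is a fixed snapshot and `--disable-suricata-update` (line 29) removes the updater, so the installed rule set only changes when this layer does — a comment on line 7 recording the snapshot date and source would let operators judge how stale the signatures are.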