diff options
| author | Armin Kuster <akuster808@gmail.com> | 2021-04-07 03:38:38 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2021-04-12 07:06:29 -0700 |
| commit | aa6d847de4c2ca341cca4079396e723f4c84716f (patch) | |
| tree | 60524aa88ed0d420c47a0139699cbfdcf4948cbd /dynamic-layers | |
| parent | f93595863c268990253ed96353cdfe0c077264a6 (diff) | |
| download | meta-security-aa6d847de4c2ca341cca4079396e723f4c84716f.tar.gz | |
suricata: update to 6.0.2
needs rust
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'dynamic-layers')
9 files changed, 1613 insertions, 0 deletions
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch new file mode 100644 index 0000000..fc44ce6 --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | Skip pkg Makefile from using its own rust steps | ||
| 2 | |||
| 3 | Upstream-Status: OE Specific | ||
| 4 | |||
| 5 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
| 6 | |||
| 7 | Index: suricata-6.0.2/Makefile.am | ||
| 8 | =================================================================== | ||
| 9 | --- suricata-6.0.2.orig/Makefile.am | ||
| 10 | +++ suricata-6.0.2/Makefile.am | ||
| 11 | @@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s | ||
| 12 | $(SURICATA_UPDATE_DIR) \ | ||
| 13 | lua \ | ||
| 14 | acsite.m4 | ||
| 15 | -SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ | ||
| 16 | +SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ | ||
| 17 | $(SURICATA_UPDATE_DIR) | ||
| 18 | |||
| 19 | CLEANFILES = stamp-h[0-9]* | ||
| 20 | Index: suricata-6.0.2/Makefile.in | ||
| 21 | =================================================================== | ||
| 22 | --- suricata-6.0.2.orig/Makefile.in | ||
| 23 | +++ suricata-6.0.2/Makefile.in | ||
| 24 | @@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s | ||
| 25 | lua \ | ||
| 26 | acsite.m4 | ||
| 27 | |||
| 28 | -SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ | ||
| 29 | +SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ | ||
| 30 | $(SURICATA_UPDATE_DIR) | ||
| 31 | |||
| 32 | CLEANFILES = stamp-h[0-9]* | ||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest new file mode 100644 index 0000000..666ba9c --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest | |||
| @@ -0,0 +1,3 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | |||
| 3 | suricata -u | ||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service new file mode 100644 index 0000000..a99a76e --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service | |||
| @@ -0,0 +1,20 @@ | |||
| 1 | [Unit] | ||
| 2 | Description=Suricata IDS/IDP daemon | ||
| 3 | After=network.target | ||
| 4 | Requires=network.target | ||
| 5 | Documentation=man:suricata(8) man:suricatasc(8) | ||
| 6 | Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki | ||
| 7 | |||
| 8 | [Service] | ||
| 9 | Type=simple | ||
| 10 | CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW | ||
| 11 | RestrictAddressFamilies= | ||
| 12 | ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 | ||
| 13 | ExecReload=/bin/kill -HUP $MAINPID | ||
| 14 | PrivateTmp=yes | ||
| 15 | ProtectHome=yes | ||
| 16 | ProtectSystem=yes | ||
| 17 | |||
| 18 | [Install] | ||
| 19 | WantedBy=multi-user.target | ||
| 20 | |||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml new file mode 100644 index 0000000..8d06a27 --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml | |||
| @@ -0,0 +1,1326 @@ | |||
| 1 | %YAML 1.1 | ||
| 2 | --- | ||
| 3 | |||
| 4 | # Suricata configuration file. In addition to the comments describing all | ||
| 5 | # options in this file, full documentation can be found at: | ||
| 6 | # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml | ||
| 7 | |||
| 8 | |||
| 9 | # Number of packets allowed to be processed simultaneously. Default is a | ||
| 10 | # conservative 1024. A higher number will make sure CPU's/CPU cores will be | ||
| 11 | # more easily kept busy, but may negatively impact caching. | ||
| 12 | # | ||
| 13 | # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules | ||
| 14 | # apply. In that case try something like 60000 or more. This is because the CUDA | ||
| 15 | # pattern matcher buffers and scans as many packets as possible in parallel. | ||
| 16 | #max-pending-packets: 1024 | ||
| 17 | |||
| 18 | # Runmode the engine should use. Please check --list-runmodes to get the available | ||
| 19 | # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned | ||
| 20 | # load balancing). | ||
| 21 | #runmode: autofp | ||
| 22 | |||
| 23 | # Specifies the kind of flow load balancer used by the flow pinned autofp mode. | ||
| 24 | # | ||
| 25 | # Supported schedulers are: | ||
| 26 | # | ||
| 27 | # round-robin - Flows assigned to threads in a round robin fashion. | ||
| 28 | # active-packets - Flows assigned to threads that have the lowest number of | ||
| 29 | # unprocessed packets (default). | ||
| 30 | # hash - Flow alloted usihng the address hash. More of a random | ||
| 31 | # technique. Was the default in Suricata 1.2.1 and older. | ||
| 32 | # | ||
| 33 | #autofp-scheduler: active-packets | ||
| 34 | |||
| 35 | # If suricata box is a router for the sniffed networks, set it to 'router'. If | ||
| 36 | # it is a pure sniffing setup, set it to 'sniffer-only'. | ||
| 37 | # If set to auto, the variable is internally switch to 'router' in IPS mode | ||
| 38 | # and 'sniffer-only' in IDS mode. | ||
| 39 | # This feature is currently only used by the reject* keywords. | ||
| 40 | host-mode: auto | ||
| 41 | |||
| 42 | # Run suricata as user and group. | ||
| 43 | #run-as: | ||
| 44 | # user: suri | ||
| 45 | # group: suri | ||
| 46 | |||
| 47 | # Default pid file. | ||
| 48 | # Will use this file if no --pidfile in command options. | ||
| 49 | #pid-file: /var/run/suricata.pid | ||
| 50 | |||
| 51 | # Daemon working directory | ||
| 52 | # Suricata will change directory to this one if provided | ||
| 53 | # Default: "/" | ||
| 54 | #daemon-directory: "/" | ||
| 55 | |||
| 56 | # Preallocated size for packet. Default is 1514 which is the classical | ||
| 57 | # size for pcap on ethernet. You should adjust this value to the highest | ||
| 58 | # packet size (MTU + hardware header) on your system. | ||
| 59 | #default-packet-size: 1514 | ||
| 60 | |||
| 61 | # The default logging directory. Any log or output file will be | ||
| 62 | # placed here if its not specified with a full path name. This can be | ||
| 63 | # overridden with the -l command line parameter. | ||
| 64 | default-log-dir: /var/log/suricata/ | ||
| 65 | |||
| 66 | # Unix command socket can be used to pass commands to suricata. | ||
| 67 | # An external tool can then connect to get information from suricata | ||
| 68 | # or trigger some modifications of the engine. Set enabled to yes | ||
| 69 | # to activate the feature. You can use the filename variable to set | ||
| 70 | # the file name of the socket. | ||
| 71 | unix-command: | ||
| 72 | enabled: no | ||
| 73 | #filename: custom.socket | ||
| 74 | |||
| 75 | # Configure the type of alert (and other) logging you would like. | ||
| 76 | outputs: | ||
| 77 | |||
| 78 | # a line based alerts log similar to Snort's fast.log | ||
| 79 | - fast: | ||
| 80 | enabled: yes | ||
| 81 | filename: fast.log | ||
| 82 | append: yes | ||
| 83 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 84 | |||
| 85 | # Extensible Event Format (nicknamed EVE) event log in JSON format | ||
| 86 | - eve-log: | ||
| 87 | enabled: yes | ||
| 88 | type: file #file|syslog|unix_dgram|unix_stream | ||
| 89 | filename: eve.json | ||
| 90 | # the following are valid when type: syslog above | ||
| 91 | #identity: "suricata" | ||
| 92 | #facility: local5 | ||
| 93 | #level: Info ## possible levels: Emergency, Alert, Critical, | ||
| 94 | ## Error, Warning, Notice, Info, Debug | ||
| 95 | types: | ||
| 96 | - alert | ||
| 97 | - http: | ||
| 98 | extended: yes # enable this for extended logging information | ||
| 99 | # custom allows additional http fields to be included in eve-log | ||
| 100 | # the example below adds three additional fields when uncommented | ||
| 101 | #custom: [Accept-Encoding, Accept-Language, Authorization] | ||
| 102 | - dns | ||
| 103 | - tls: | ||
| 104 | extended: yes # enable this for extended logging information | ||
| 105 | - files: | ||
| 106 | force-magic: no # force logging magic on all logged files | ||
| 107 | force-md5: no # force logging of md5 checksums | ||
| 108 | #- drop | ||
| 109 | - ssh | ||
| 110 | |||
| 111 | # alert output for use with Barnyard2 | ||
| 112 | - unified2-alert: | ||
| 113 | enabled: yes | ||
| 114 | filename: unified2.alert | ||
| 115 | |||
| 116 | # File size limit. Can be specified in kb, mb, gb. Just a number | ||
| 117 | # is parsed as bytes. | ||
| 118 | #limit: 32mb | ||
| 119 | |||
| 120 | # Sensor ID field of unified2 alerts. | ||
| 121 | #sensor-id: 0 | ||
| 122 | |||
| 123 | # HTTP X-Forwarded-For support by adding the unified2 extra header that | ||
| 124 | # will contain the actual client IP address or by overwriting the source | ||
| 125 | # IP address (helpful when inspecting traffic that is being reversed | ||
| 126 | # proxied). | ||
| 127 | xff: | ||
| 128 | enabled: no | ||
| 129 | # Two operation modes are available, "extra-data" and "overwrite". Note | ||
| 130 | # that in the "overwrite" mode, if the reported IP address in the HTTP | ||
| 131 | # X-Forwarded-For header is of a different version of the packet | ||
| 132 | # received, it will fall-back to "extra-data" mode. | ||
| 133 | mode: extra-data | ||
| 134 | # Header name were the actual IP address will be reported, if more than | ||
| 135 | # one IP address is present, the last IP address will be the one taken | ||
| 136 | # into consideration. | ||
| 137 | header: X-Forwarded-For | ||
| 138 | |||
| 139 | # a line based log of HTTP requests (no alerts) | ||
| 140 | - http-log: | ||
| 141 | enabled: yes | ||
| 142 | filename: http.log | ||
| 143 | append: yes | ||
| 144 | #extended: yes # enable this for extended logging information | ||
| 145 | #custom: yes # enabled the custom logging format (defined by customformat) | ||
| 146 | #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" | ||
| 147 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 148 | |||
| 149 | # a line based log of TLS handshake parameters (no alerts) | ||
| 150 | - tls-log: | ||
| 151 | enabled: no # Log TLS connections. | ||
| 152 | filename: tls.log # File to store TLS logs. | ||
| 153 | append: yes | ||
| 154 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 155 | #extended: yes # Log extended information like fingerprint | ||
| 156 | certs-log-dir: certs # directory to store the certificates files | ||
| 157 | |||
| 158 | # a line based log of DNS requests and/or replies (no alerts) | ||
| 159 | - dns-log: | ||
| 160 | enabled: no | ||
| 161 | filename: dns.log | ||
| 162 | append: yes | ||
| 163 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 164 | |||
| 165 | # a line based log to used with pcap file study. | ||
| 166 | # this module is dedicated to offline pcap parsing (empty output | ||
| 167 | # if used with another kind of input). It can interoperate with | ||
| 168 | # pcap parser like wireshark via the suriwire plugin. | ||
| 169 | - pcap-info: | ||
| 170 | enabled: no | ||
| 171 | |||
| 172 | # Packet log... log packets in pcap format. 2 modes of operation: "normal" | ||
| 173 | # and "sguil". | ||
| 174 | # | ||
| 175 | # In normal mode a pcap file "filename" is created in the default-log-dir, | ||
| 176 | # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. | ||
| 177 | # In this base dir the pcaps are created in th directory structure Sguil expects: | ||
| 178 | # | ||
| 179 | # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> | ||
| 180 | # | ||
| 181 | # By default all packets are logged except: | ||
| 182 | # - TCP streams beyond stream.reassembly.depth | ||
| 183 | # - encrypted streams after the key exchange | ||
| 184 | # | ||
| 185 | - pcap-log: | ||
| 186 | enabled: no | ||
| 187 | filename: log.pcap | ||
| 188 | |||
| 189 | # File size limit. Can be specified in kb, mb, gb. Just a number | ||
| 190 | # is parsed as bytes. | ||
| 191 | limit: 1000mb | ||
| 192 | |||
| 193 | # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" | ||
| 194 | max-files: 2000 | ||
| 195 | |||
| 196 | mode: normal # normal or sguil. | ||
| 197 | #sguil-base-dir: /nsm_data/ | ||
| 198 | #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec | ||
| 199 | use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets | ||
| 200 | |||
| 201 | # a full alerts log containing much information for signature writers | ||
| 202 | # or for investigating suspected false positives. | ||
| 203 | - alert-debug: | ||
| 204 | enabled: no | ||
| 205 | filename: alert-debug.log | ||
| 206 | append: yes | ||
| 207 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 208 | |||
| 209 | # alert output to prelude (http://www.prelude-technologies.com/) only | ||
| 210 | # available if Suricata has been compiled with --enable-prelude | ||
| 211 | - alert-prelude: | ||
| 212 | enabled: no | ||
| 213 | profile: suricata | ||
| 214 | log-packet-content: no | ||
| 215 | log-packet-header: yes | ||
| 216 | |||
| 217 | # Stats.log contains data from various counters of the suricata engine. | ||
| 218 | # The interval field (in seconds) tells after how long output will be written | ||
| 219 | # on the log file. | ||
| 220 | - stats: | ||
| 221 | enabled: yes | ||
| 222 | filename: stats.log | ||
| 223 | interval: 8 | ||
| 224 | |||
| 225 | # a line based alerts log similar to fast.log into syslog | ||
| 226 | - syslog: | ||
| 227 | enabled: no | ||
| 228 | # reported identity to syslog. If ommited the program name (usually | ||
| 229 | # suricata) will be used. | ||
| 230 | #identity: "suricata" | ||
| 231 | facility: local5 | ||
| 232 | #level: Info ## possible levels: Emergency, Alert, Critical, | ||
| 233 | ## Error, Warning, Notice, Info, Debug | ||
| 234 | |||
| 235 | # a line based information for dropped packets in IPS mode | ||
| 236 | - drop: | ||
| 237 | enabled: no | ||
| 238 | filename: drop.log | ||
| 239 | append: yes | ||
| 240 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 241 | |||
| 242 | # output module to store extracted files to disk | ||
| 243 | # | ||
| 244 | # The files are stored to the log-dir in a format "file.<id>" where <id> is | ||
| 245 | # an incrementing number starting at 1. For each file "file.<id>" a meta | ||
| 246 | # file "file.<id>.meta" is created. | ||
| 247 | # | ||
| 248 | # File extraction depends on a lot of things to be fully done: | ||
| 249 | # - stream reassembly depth. For optimal results, set this to 0 (unlimited) | ||
| 250 | # - http request / response body sizes. Again set to 0 for optimal results. | ||
| 251 | # - rules that contain the "filestore" keyword. | ||
| 252 | - file-store: | ||
| 253 | enabled: no # set to yes to enable | ||
| 254 | log-dir: files # directory to store the files | ||
| 255 | force-magic: no # force logging magic on all stored files | ||
| 256 | force-md5: no # force logging of md5 checksums | ||
| 257 | #waldo: file.waldo # waldo file to store the file_id across runs | ||
| 258 | |||
| 259 | # output module to log files tracked in a easily parsable json format | ||
| 260 | - file-log: | ||
| 261 | enabled: no | ||
| 262 | filename: files-json.log | ||
| 263 | append: yes | ||
| 264 | #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' | ||
| 265 | |||
| 266 | force-magic: no # force logging magic on all logged files | ||
| 267 | force-md5: no # force logging of md5 checksums | ||
| 268 | |||
| 269 | # Magic file. The extension .mgc is added to the value here. | ||
| 270 | #magic-file: /usr/share/file/magic | ||
| 271 | magic-file: /usr/share/misc/magic.mgc | ||
| 272 | |||
| 273 | # When running in NFQ inline mode, it is possible to use a simulated | ||
| 274 | # non-terminal NFQUEUE verdict. | ||
| 275 | # This permit to do send all needed packet to suricata via this a rule: | ||
| 276 | # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE | ||
| 277 | # And below, you can have your standard filtering ruleset. To activate | ||
| 278 | # this mode, you need to set mode to 'repeat' | ||
| 279 | # If you want packet to be sent to another queue after an ACCEPT decision | ||
| 280 | # set mode to 'route' and set next-queue value. | ||
| 281 | # On linux >= 3.1, you can set batchcount to a value > 1 to improve performance | ||
| 282 | # by processing several packets before sending a verdict (worker runmode only). | ||
| 283 | # On linux >= 3.6, you can set the fail-open option to yes to have the kernel | ||
| 284 | # accept the packet if suricata is not able to keep pace. | ||
| 285 | nfq: | ||
| 286 | # mode: accept | ||
| 287 | # repeat-mark: 1 | ||
| 288 | # repeat-mask: 1 | ||
| 289 | # route-queue: 2 | ||
| 290 | # batchcount: 20 | ||
| 291 | # fail-open: yes | ||
| 292 | |||
| 293 | #nflog support | ||
| 294 | nflog: | ||
| 295 | # netlink multicast group | ||
| 296 | # (the same as the iptables --nflog-group param) | ||
| 297 | # Group 0 is used by the kernel, so you can't use it | ||
| 298 | - group: 2 | ||
| 299 | # netlink buffer size | ||
| 300 | buffer-size: 18432 | ||
| 301 | # put default value here | ||
| 302 | - group: default | ||
| 303 | # set number of packet to queue inside kernel | ||
| 304 | qthreshold: 1 | ||
| 305 | # set the delay before flushing packet in the queue inside kernel | ||
| 306 | qtimeout: 100 | ||
| 307 | # netlink max buffer size | ||
| 308 | max-size: 20000 | ||
| 309 | |||
| 310 | # af-packet support | ||
| 311 | # Set threads to > 1 to use PACKET_FANOUT support | ||
| 312 | af-packet: | ||
| 313 | - interface: eth0 | ||
| 314 | # Number of receive threads (>1 will enable experimental flow pinned | ||
| 315 | # runmode) | ||
| 316 | threads: 1 | ||
| 317 | # Default clusterid. AF_PACKET will load balance packets based on flow. | ||
| 318 | # All threads/processes that will participate need to have the same | ||
| 319 | # clusterid. | ||
| 320 | cluster-id: 99 | ||
| 321 | # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. | ||
| 322 | # This is only supported for Linux kernel > 3.1 | ||
| 323 | # possible value are: | ||
| 324 | # * cluster_round_robin: round robin load balancing | ||
| 325 | # * cluster_flow: all packets of a given flow are send to the same socket | ||
| 326 | # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket | ||
| 327 | cluster-type: cluster_flow | ||
| 328 | # In some fragmentation case, the hash can not be computed. If "defrag" is set | ||
| 329 | # to yes, the kernel will do the needed defragmentation before sending the packets. | ||
| 330 | defrag: yes | ||
| 331 | # To use the ring feature of AF_PACKET, set 'use-mmap' to yes | ||
| 332 | use-mmap: yes | ||
| 333 | # Ring size will be computed with respect to max_pending_packets and number | ||
| 334 | # of threads. You can set manually the ring size in number of packets by setting | ||
| 335 | # the following value. If you are using flow cluster-type and have really network | ||
| 336 | # intensive single-flow you could want to set the ring-size independantly of the number | ||
| 337 | # of threads: | ||
| 338 | #ring-size: 2048 | ||
| 339 | # On busy system, this could help to set it to yes to recover from a packet drop | ||
| 340 | # phase. This will result in some packets (at max a ring flush) being non treated. | ||
| 341 | #use-emergency-flush: yes | ||
| 342 | # recv buffer size, increase value could improve performance | ||
| 343 | # buffer-size: 32768 | ||
| 344 | # Set to yes to disable promiscuous mode | ||
| 345 | # disable-promisc: no | ||
| 346 | # Choose checksum verification mode for the interface. At the moment | ||
| 347 | # of the capture, some packets may be with an invalid checksum due to | ||
| 348 | # offloading to the network card of the checksum computation. | ||
| 349 | # Possible values are: | ||
| 350 | # - kernel: use indication sent by kernel for each packet (default) | ||
| 351 | # - yes: checksum validation is forced | ||
| 352 | # - no: checksum validation is disabled | ||
| 353 | # - auto: suricata uses a statistical approach to detect when | ||
| 354 | # checksum off-loading is used. | ||
| 355 | # Warning: 'checksum-validation' must be set to yes to have any validation | ||
| 356 | #checksum-checks: kernel | ||
| 357 | # BPF filter to apply to this interface. The pcap filter syntax apply here. | ||
| 358 | #bpf-filter: port 80 or udp | ||
| 359 | # You can use the following variables to activate AF_PACKET tap od IPS mode. | ||
| 360 | # If copy-mode is set to ips or tap, the traffic coming to the current | ||
| 361 | # interface will be copied to the copy-iface interface. If 'tap' is set, the | ||
| 362 | # copy is complete. If 'ips' is set, the packet matching a 'drop' action | ||
| 363 | # will not be copied. | ||
| 364 | #copy-mode: ips | ||
| 365 | #copy-iface: eth1 | ||
| 366 | - interface: eth1 | ||
| 367 | threads: 1 | ||
| 368 | cluster-id: 98 | ||
| 369 | cluster-type: cluster_flow | ||
| 370 | defrag: yes | ||
| 371 | # buffer-size: 32768 | ||
| 372 | # disable-promisc: no | ||
| 373 | # Put default values here | ||
| 374 | - interface: default | ||
| 375 | #threads: 2 | ||
| 376 | #use-mmap: yes | ||
| 377 | |||
| 378 | legacy: | ||
| 379 | uricontent: enabled | ||
| 380 | |||
| 381 | # You can specify a threshold config file by setting "threshold-file" | ||
| 382 | # to the path of the threshold config file: | ||
| 383 | # threshold-file: /etc/suricata/threshold.config | ||
| 384 | |||
| 385 | # The detection engine builds internal groups of signatures. The engine | ||
| 386 | # allow us to specify the profile to use for them, to manage memory on an | ||
| 387 | # efficient way keeping a good performance. For the profile keyword you | ||
| 388 | # can use the words "low", "medium", "high" or "custom". If you use custom | ||
| 389 | # make sure to define the values at "- custom-values" as your convenience. | ||
| 390 | # Usually you would prefer medium/high/low. | ||
| 391 | # | ||
| 392 | # "sgh mpm-context", indicates how the staging should allot mpm contexts for | ||
| 393 | # the signature groups. "single" indicates the use of a single context for | ||
| 394 | # all the signature group heads. "full" indicates a mpm-context for each | ||
| 395 | # group head. "auto" lets the engine decide the distribution of contexts | ||
| 396 | # based on the information the engine gathers on the patterns from each | ||
| 397 | # group head. | ||
| 398 | # | ||
| 399 | # The option inspection-recursion-limit is used to limit the recursive calls | ||
| 400 | # in the content inspection code. For certain payload-sig combinations, we | ||
| 401 | # might end up taking too much time in the content inspection code. | ||
| 402 | # If the argument specified is 0, the engine uses an internally defined | ||
| 403 | # default limit. On not specifying a value, we use no limits on the recursion. | ||
| 404 | detect-engine: | ||
| 405 | - profile: medium | ||
| 406 | - custom-values: | ||
| 407 | toclient-src-groups: 2 | ||
| 408 | toclient-dst-groups: 2 | ||
| 409 | toclient-sp-groups: 2 | ||
| 410 | toclient-dp-groups: 3 | ||
| 411 | toserver-src-groups: 2 | ||
| 412 | toserver-dst-groups: 4 | ||
| 413 | toserver-sp-groups: 2 | ||
| 414 | toserver-dp-groups: 25 | ||
| 415 | - sgh-mpm-context: auto | ||
| 416 | - inspection-recursion-limit: 3000 | ||
| 417 | # When rule-reload is enabled, sending a USR2 signal to the Suricata process | ||
| 418 | # will trigger a live rule reload. Experimental feature, use with care. | ||
| 419 | #- rule-reload: true | ||
| 420 | # If set to yes, the loading of signatures will be made after the capture | ||
| 421 | # is started. This will limit the downtime in IPS mode. | ||
| 422 | #- delayed-detect: yes | ||
| 423 | |||
| 424 | # Suricata is multi-threaded. Here the threading can be influenced. | ||
| 425 | threading: | ||
| 426 | # On some cpu's/architectures it is beneficial to tie individual threads | ||
| 427 | # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, | ||
| 428 | # and each extra CPU/core has one "detect" thread. | ||
| 429 | # | ||
| 430 | # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. | ||
| 431 | # | ||
| 432 | set-cpu-affinity: no | ||
| 433 | # Tune cpu affinity of suricata threads. Each family of threads can be bound | ||
| 434 | # on specific CPUs. | ||
| 435 | cpu-affinity: | ||
| 436 | - management-cpu-set: | ||
| 437 | cpu: [ 0 ] # include only these cpus in affinity settings | ||
| 438 | - receive-cpu-set: | ||
| 439 | cpu: [ 0 ] # include only these cpus in affinity settings | ||
| 440 | - decode-cpu-set: | ||
| 441 | cpu: [ 0, 1 ] | ||
| 442 | mode: "balanced" | ||
| 443 | - stream-cpu-set: | ||
| 444 | cpu: [ "0-1" ] | ||
| 445 | - detect-cpu-set: | ||
| 446 | cpu: [ "all" ] | ||
| 447 | mode: "exclusive" # run detect threads in these cpus | ||
| 448 | # Use explicitely 3 threads and don't compute number by using | ||
| 449 | # detect-thread-ratio variable: | ||
| 450 | # threads: 3 | ||
| 451 | prio: | ||
| 452 | low: [ 0 ] | ||
| 453 | medium: [ "1-2" ] | ||
| 454 | high: [ 3 ] | ||
| 455 | default: "medium" | ||
| 456 | - verdict-cpu-set: | ||
| 457 | cpu: [ 0 ] | ||
| 458 | prio: | ||
| 459 | default: "high" | ||
| 460 | - reject-cpu-set: | ||
| 461 | cpu: [ 0 ] | ||
| 462 | prio: | ||
| 463 | default: "low" | ||
| 464 | - output-cpu-set: | ||
| 465 | cpu: [ "all" ] | ||
| 466 | prio: | ||
| 467 | default: "medium" | ||
| 468 | # | ||
| 469 | # By default Suricata creates one "detect" thread per available CPU/CPU core. | ||
| 470 | # This setting allows controlling this behaviour. A ratio setting of 2 will | ||
| 471 | # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this | ||
| 472 | # will result in 4 detect threads. If values below 1 are used, less threads | ||
| 473 | # are created. So on a dual core CPU a setting of 0.5 results in 1 detect | ||
| 474 | # thread being created. Regardless of the setting at a minimum 1 detect | ||
| 475 | # thread will always be created. | ||
| 476 | # | ||
| 477 | detect-thread-ratio: 1.5 | ||
| 478 | |||
| 479 | # Cuda configuration. | ||
| 480 | cuda: | ||
| 481 | # The "mpm" profile. On not specifying any of these parameters, the engine's | ||
| 482 | # internal default values are used, which are same as the ones specified in | ||
| 483 | # in the default conf file. | ||
| 484 | mpm: | ||
| 485 | # The minimum length required to buffer data to the gpu. | ||
| 486 | # Anything below this is MPM'ed on the CPU. | ||
| 487 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. | ||
| 488 | # A value of 0 indicates there's no limit. | ||
| 489 | data-buffer-size-min-limit: 0 | ||
| 490 | # The maximum length for data that we would buffer to the gpu. | ||
| 491 | # Anything over this is MPM'ed on the CPU. | ||
| 492 | # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. | ||
| 493 | data-buffer-size-max-limit: 1500 | ||
| 494 | # The ring buffer size used by the CudaBuffer API to buffer data. | ||
| 495 | cudabuffer-buffer-size: 500mb | ||
| 496 | # The max chunk size that can be sent to the gpu in a single go. | ||
| 497 | gpu-transfer-size: 50mb | ||
| 498 | # The timeout limit for batching of packets in microseconds. | ||
| 499 | batching-timeout: 2000 | ||
| 500 | # The device to use for the mpm. Currently we don't support load balancing | ||
| 501 | # on multiple gpus. In case you have multiple devices on your system, you | ||
| 502 | # can specify the device to use, using this conf. By default we hold 0, to | ||
| 503 | # specify the first device cuda sees. To find out device-id associated with | ||
| 504 | # the card(s) on the system run "suricata --list-cuda-cards". | ||
| 505 | device-id: 0 | ||
| 506 | # No of Cuda streams used for asynchronous processing. All values > 0 are valid. | ||
| 507 | # For this option you need a device with Compute Capability > 1.0. | ||
| 508 | cuda-streams: 2 | ||
| 509 | |||
| 510 | # Select the multi pattern algorithm you want to run for scan/search the | ||
| 511 | # in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, | ||
| 512 | # ac and ac-gfbs. | ||
| 513 | # | ||
| 514 | # The mpm you choose also decides the distribution of mpm contexts for | ||
| 515 | # signature groups, specified by the conf - "detect-engine.sgh-mpm-context". | ||
| 516 | # Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" | ||
| 517 | # to be set to "single", because of ac's memory requirements, unless the | ||
| 518 | # ruleset is small enough to fit in one's memory, in which case one can | ||
| 519 | # use "full" with "ac". Rest of the mpms can be run in "full" mode. | ||
| 520 | # | ||
| 521 | # There is also a CUDA pattern matcher (only available if Suricata was | ||
| 522 | # compiled with --enable-cuda: b2g_cuda. Make sure to update your | ||
| 523 | # max-pending-packets setting above as well if you use b2g_cuda. | ||
| 524 | |||
| 525 | mpm-algo: ac | ||
| 526 | |||
| 527 | # The memory settings for hash size of these algorithms can vary from lowest | ||
| 528 | # (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max | ||
| 529 | # (65536). The bloomfilter sizes of these algorithms can vary from low (512) - | ||
| 530 | # medium (1024) - high (2048). | ||
| 531 | # | ||
| 532 | # For B2g/B3g algorithms, there is a support for two different scan/search | ||
| 533 | # algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and | ||
| 534 | # search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms | ||
| 535 | # are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & | ||
| 536 | # B3gSearchBNDMq. | ||
| 537 | # | ||
| 538 | # For B2g the different scan/search algorithms and, hash and bloom | ||
| 539 | # filter size settings. For B3g the different scan/search algorithms and, hash | ||
| 540 | # and bloom filter size settings. For wumanber the hash and bloom filter size | ||
| 541 | # settings. | ||
| 542 | |||
| 543 | pattern-matcher: | ||
| 544 | - b2gc: | ||
| 545 | search-algo: B2gSearchBNDMq | ||
| 546 | hash-size: low | ||
| 547 | bf-size: medium | ||
| 548 | - b2gm: | ||
| 549 | search-algo: B2gSearchBNDMq | ||
| 550 | hash-size: low | ||
| 551 | bf-size: medium | ||
| 552 | - b2g: | ||
| 553 | search-algo: B2gSearchBNDMq | ||
| 554 | hash-size: low | ||
| 555 | bf-size: medium | ||
| 556 | - b3g: | ||
| 557 | search-algo: B3gSearchBNDMq | ||
| 558 | hash-size: low | ||
| 559 | bf-size: medium | ||
| 560 | - wumanber: | ||
| 561 | hash-size: low | ||
| 562 | bf-size: medium | ||
| 563 | |||
| 564 | # Defrag settings: | ||
| 565 | |||
| 566 | defrag: | ||
| 567 | memcap: 32mb | ||
| 568 | hash-size: 65536 | ||
| 569 | trackers: 65535 # number of defragmented flows to follow | ||
| 570 | max-frags: 65535 # number of fragments to keep (higher than trackers) | ||
| 571 | prealloc: yes | ||
| 572 | timeout: 60 | ||
| 573 | |||
| 574 | # Enable defrag per host settings | ||
| 575 | # host-config: | ||
| 576 | # | ||
| 577 | # - dmz: | ||
| 578 | # timeout: 30 | ||
| 579 | # address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] | ||
| 580 | # | ||
| 581 | # - lan: | ||
| 582 | # timeout: 45 | ||
| 583 | # address: | ||
| 584 | # - 192.168.0.0/24 | ||
| 585 | # - 192.168.10.0/24 | ||
| 586 | # - 172.16.14.0/24 | ||
| 587 | |||
| 588 | # Flow settings: | ||
| 589 | # By default, the reserved memory (memcap) for flows is 32MB. This is the limit | ||
| 590 | # for flow allocation inside the engine. You can change this value to allow | ||
| 591 | # more memory usage for flows. | ||
| 592 | # The hash-size determine the size of the hash used to identify flows inside | ||
| 593 | # the engine, and by default the value is 65536. | ||
| 594 | # At the startup, the engine can preallocate a number of flows, to get a better | ||
| 595 | # performance. The number of flows preallocated is 10000 by default. | ||
| 596 | # emergency-recovery is the percentage of flows that the engine need to | ||
| 597 | # prune before unsetting the emergency state. The emergency state is activated | ||
| 598 | # when the memcap limit is reached, allowing to create new flows, but | ||
| 599 | # prunning them with the emergency timeouts (they are defined below). | ||
| 600 | # If the memcap is reached, the engine will try to prune flows | ||
| 601 | # with the default timeouts. If it doens't find a flow to prune, it will set | ||
| 602 | # the emergency bit and it will try again with more agressive timeouts. | ||
| 603 | # If that doesn't work, then it will try to kill the last time seen flows | ||
| 604 | # not in use. | ||
| 605 | # The memcap can be specified in kb, mb, gb. Just a number indicates it's | ||
| 606 | # in bytes. | ||
| 607 | |||
| 608 | flow: | ||
| 609 | memcap: 64mb | ||
| 610 | hash-size: 65536 | ||
| 611 | prealloc: 10000 | ||
| 612 | emergency-recovery: 30 | ||
| 613 | |||
| 614 | # This option controls the use of vlan ids in the flow (and defrag) | ||
| 615 | # hashing. Normally this should be enabled, but in some (broken) | ||
| 616 | # setups where both sides of a flow are not tagged with the same vlan | ||
| 617 | # tag, we can ignore the vlan id's in the flow hashing. | ||
| 618 | vlan: | ||
| 619 | use-for-tracking: true | ||
| 620 | |||
| 621 | # Specific timeouts for flows. Here you can specify the timeouts that the | ||
| 622 | # active flows will wait to transit from the current state to another, on each | ||
| 623 | # protocol. The value of "new" determine the seconds to wait after a hanshake or | ||
| 624 | # stream startup before the engine free the data of that flow it doesn't | ||
| 625 | # change the state to established (usually if we don't receive more packets | ||
| 626 | # of that flow). The value of "established" is the amount of | ||
| 627 | # seconds that the engine will wait to free the flow if it spend that amount | ||
| 628 | # without receiving new packets or closing the connection. "closed" is the | ||
| 629 | # amount of time to wait after a flow is closed (usually zero). | ||
| 630 | # | ||
| 631 | # There's an emergency mode that will become active under attack circumstances, | ||
| 632 | # making the engine to check flow status faster. This configuration variables | ||
| 633 | # use the prefix "emergency-" and work similar as the normal ones. | ||
| 634 | # Some timeouts doesn't apply to all the protocols, like "closed", for udp and | ||
| 635 | # icmp. | ||
| 636 | |||
| 637 | flow-timeouts: | ||
| 638 | |||
| 639 | default: | ||
| 640 | new: 30 | ||
| 641 | established: 300 | ||
| 642 | closed: 0 | ||
| 643 | emergency-new: 10 | ||
| 644 | emergency-established: 100 | ||
| 645 | emergency-closed: 0 | ||
| 646 | tcp: | ||
| 647 | new: 60 | ||
| 648 | established: 3600 | ||
| 649 | closed: 120 | ||
| 650 | emergency-new: 10 | ||
| 651 | emergency-established: 300 | ||
| 652 | emergency-closed: 20 | ||
| 653 | udp: | ||
| 654 | new: 30 | ||
| 655 | established: 300 | ||
| 656 | emergency-new: 10 | ||
| 657 | emergency-established: 100 | ||
| 658 | icmp: | ||
| 659 | new: 30 | ||
| 660 | established: 300 | ||
| 661 | emergency-new: 10 | ||
| 662 | emergency-established: 100 | ||
| 663 | |||
| 664 | # Stream engine settings. Here the TCP stream tracking and reassembly | ||
| 665 | # engine is configured. | ||
| 666 | # | ||
| 667 | # stream: | ||
| 668 | # memcap: 32mb # Can be specified in kb, mb, gb. Just a | ||
| 669 | # # number indicates it's in bytes. | ||
| 670 | # checksum-validation: yes # To validate the checksum of received | ||
| 671 | # # packet. If csum validation is specified as | ||
| 672 | # # "yes", then packet with invalid csum will not | ||
| 673 | # # be processed by the engine stream/app layer. | ||
| 674 | # # Warning: locally generated trafic can be | ||
| 675 | # # generated without checksum due to hardware offload | ||
| 676 | # # of checksum. You can control the handling of checksum | ||
| 677 | # # on a per-interface basis via the 'checksum-checks' | ||
| 678 | # # option | ||
| 679 | # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread | ||
| 680 | # midstream: false # don't allow midstream session pickups | ||
| 681 | # async-oneside: false # don't enable async stream handling | ||
| 682 | # inline: no # stream inline mode | ||
| 683 | # max-synack-queued: 5 # Max different SYN/ACKs to queue | ||
| 684 | # | ||
| 685 | # reassembly: | ||
| 686 | # memcap: 64mb # Can be specified in kb, mb, gb. Just a number | ||
| 687 | # # indicates it's in bytes. | ||
| 688 | # depth: 1mb # Can be specified in kb, mb, gb. Just a number | ||
| 689 | # # indicates it's in bytes. | ||
| 690 | # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least | ||
| 691 | # # this size. Can be specified in kb, mb, | ||
| 692 | # # gb. Just a number indicates it's in bytes. | ||
| 693 | # # The max acceptable size is 4024 bytes. | ||
| 694 | # toclient-chunk-size: 2560 # inspect raw stream in chunks of at least | ||
| 695 | # # this size. Can be specified in kb, mb, | ||
| 696 | # # gb. Just a number indicates it's in bytes. | ||
| 697 | # # The max acceptable size is 4024 bytes. | ||
| 698 | # randomize-chunk-size: yes # Take a random value for chunk size around the specified value. | ||
| 699 | # # This lower the risk of some evasion technics but could lead | ||
| 700 | # # detection change between runs. It is set to 'yes' by default. | ||
| 701 | # randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is | ||
| 702 | # # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size | ||
| 703 | # # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value | ||
| 704 | # # of randomize-chunk-range is 10. | ||
| 705 | # | ||
| 706 | # raw: yes # 'Raw' reassembly enabled or disabled. | ||
| 707 | # # raw is for content inspection by detection | ||
| 708 | # # engine. | ||
| 709 | # | ||
| 710 | # chunk-prealloc: 250 # Number of preallocated stream chunks. These | ||
| 711 | # # are used during stream inspection (raw). | ||
| 712 | # segments: # Settings for reassembly segment pool. | ||
| 713 | # - size: 4 # Size of the (data)segment for a pool | ||
| 714 | # prealloc: 256 # Number of segments to prealloc and keep | ||
| 715 | # # in the pool. | ||
| 716 | # | ||
| 717 | stream: | ||
| 718 | memcap: 32mb | ||
| 719 | checksum-validation: yes # reject wrong csums | ||
| 720 | inline: auto # auto will use inline mode in IPS mode, yes or no set it statically | ||
| 721 | reassembly: | ||
| 722 | memcap: 128mb | ||
| 723 | depth: 1mb # reassemble 1mb into a stream | ||
| 724 | toserver-chunk-size: 2560 | ||
| 725 | toclient-chunk-size: 2560 | ||
| 726 | randomize-chunk-size: yes | ||
| 727 | #randomize-chunk-range: 10 | ||
| 728 | #raw: yes | ||
| 729 | #chunk-prealloc: 250 | ||
| 730 | #segments: | ||
| 731 | # - size: 4 | ||
| 732 | # prealloc: 256 | ||
| 733 | # - size: 16 | ||
| 734 | # prealloc: 512 | ||
| 735 | # - size: 112 | ||
| 736 | # prealloc: 512 | ||
| 737 | # - size: 248 | ||
| 738 | # prealloc: 512 | ||
| 739 | # - size: 512 | ||
| 740 | # prealloc: 512 | ||
| 741 | # - size: 768 | ||
| 742 | # prealloc: 1024 | ||
| 743 | # - size: 1448 | ||
| 744 | # prealloc: 1024 | ||
| 745 | # - size: 65535 | ||
| 746 | # prealloc: 128 | ||
| 747 | |||
| 748 | # Host table: | ||
| 749 | # | ||
| 750 | # Host table is used by tagging and per host thresholding subsystems. | ||
| 751 | # | ||
| 752 | host: | ||
| 753 | hash-size: 4096 | ||
| 754 | prealloc: 1000 | ||
| 755 | memcap: 16777216 | ||
| 756 | |||
| 757 | # Logging configuration. This is not about logging IDS alerts, but | ||
| 758 | # IDS output about what its doing, errors, etc. | ||
| 759 | logging: | ||
| 760 | |||
| 761 | # The default log level, can be overridden in an output section. | ||
| 762 | # Note that debug level logging will only be emitted if Suricata was | ||
| 763 | # compiled with the --enable-debug configure option. | ||
| 764 | # | ||
| 765 | # This value is overriden by the SC_LOG_LEVEL env var. | ||
| 766 | default-log-level: notice | ||
| 767 | |||
| 768 | # The default output format. Optional parameter, should default to | ||
| 769 | # something reasonable if not provided. Can be overriden in an | ||
| 770 | # output section. You can leave this out to get the default. | ||
| 771 | # | ||
| 772 | # This value is overriden by the SC_LOG_FORMAT env var. | ||
| 773 | #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " | ||
| 774 | |||
| 775 | # A regex to filter output. Can be overridden in an output section. | ||
| 776 | # Defaults to empty (no filter). | ||
| 777 | # | ||
| 778 | # This value is overriden by the SC_LOG_OP_FILTER env var. | ||
| 779 | default-output-filter: | ||
| 780 | |||
| 781 | # Define your logging outputs. If none are defined, or they are all | ||
| 782 | # disabled you will get the default - console output. | ||
| 783 | outputs: | ||
| 784 | - console: | ||
| 785 | enabled: yes | ||
| 786 | - file: | ||
| 787 | enabled: no | ||
| 788 | filename: /var/log/suricata.log | ||
| 789 | - syslog: | ||
| 790 | enabled: yes | ||
| 791 | facility: local5 | ||
| 792 | format: "[%i] <%d> -- " | ||
| 793 | |||
| 794 | # Tilera mpipe configuration. for use on Tilera TILE-Gx. | ||
| 795 | mpipe: | ||
| 796 | |||
| 797 | # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". | ||
| 798 | load-balance: dynamic | ||
| 799 | |||
| 800 | # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 | ||
| 801 | iqueue-packets: 2048 | ||
| 802 | |||
| 803 | # List of interfaces we will listen on. | ||
| 804 | inputs: | ||
| 805 | - interface: xgbe2 | ||
| 806 | - interface: xgbe3 | ||
| 807 | - interface: xgbe4 | ||
| 808 | |||
| 809 | |||
| 810 | # Relative weight of memory for packets of each mPipe buffer size. | ||
| 811 | stack: | ||
| 812 | size128: 0 | ||
| 813 | size256: 9 | ||
| 814 | size512: 0 | ||
| 815 | size1024: 0 | ||
| 816 | size1664: 7 | ||
| 817 | size4096: 0 | ||
| 818 | size10386: 0 | ||
| 819 | size16384: 0 | ||
| 820 | |||
| 821 | # PF_RING configuration. for use with native PF_RING support | ||
| 822 | # for more info see http://www.ntop.org/PF_RING.html | ||
| 823 | pfring: | ||
| 824 | - interface: eth0 | ||
| 825 | # Number of receive threads (>1 will enable experimental flow pinned | ||
| 826 | # runmode) | ||
| 827 | threads: 1 | ||
| 828 | |||
| 829 | # Default clusterid. PF_RING will load balance packets based on flow. | ||
| 830 | # All threads/processes that will participate need to have the same | ||
| 831 | # clusterid. | ||
| 832 | cluster-id: 99 | ||
| 833 | |||
| 834 | # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. | ||
| 835 | # This is only supported in versions of PF_RING > 4.1.1. | ||
| 836 | cluster-type: cluster_flow | ||
| 837 | # bpf filter for this interface | ||
| 838 | #bpf-filter: tcp | ||
| 839 | # Choose checksum verification mode for the interface. At the moment | ||
| 840 | # of the capture, some packets may be with an invalid checksum due to | ||
| 841 | # offloading to the network card of the checksum computation. | ||
| 842 | # Possible values are: | ||
| 843 | # - rxonly: only compute checksum for packets received by network card. | ||
| 844 | # - yes: checksum validation is forced | ||
| 845 | # - no: checksum validation is disabled | ||
| 846 | # - auto: suricata uses a statistical approach to detect when | ||
| 847 | # checksum off-loading is used. (default) | ||
| 848 | # Warning: 'checksum-validation' must be set to yes to have any validation | ||
| 849 | #checksum-checks: auto | ||
| 850 | # Second interface | ||
| 851 | #- interface: eth1 | ||
| 852 | # threads: 3 | ||
| 853 | # cluster-id: 93 | ||
| 854 | # cluster-type: cluster_flow | ||
| 855 | # Put default values here | ||
| 856 | - interface: default | ||
| 857 | #threads: 2 | ||
| 858 | |||
| 859 | pcap: | ||
| 860 | - interface: eth0 | ||
| 861 | # On Linux, pcap will try to use mmaped capture and will use buffer-size | ||
| 862 | # as total of memory used by the ring. So set this to something bigger | ||
| 863 | # than 1% of your bandwidth. | ||
| 864 | #buffer-size: 16777216 | ||
| 865 | #bpf-filter: "tcp and port 25" | ||
| 866 | # Choose checksum verification mode for the interface. At the moment | ||
| 867 | # of the capture, some packets may be with an invalid checksum due to | ||
| 868 | # offloading to the network card of the checksum computation. | ||
| 869 | # Possible values are: | ||
| 870 | # - yes: checksum validation is forced | ||
| 871 | # - no: checksum validation is disabled | ||
| 872 | # - auto: suricata uses a statistical approach to detect when | ||
| 873 | # checksum off-loading is used. (default) | ||
| 874 | # Warning: 'checksum-validation' must be set to yes to have any validation | ||
| 875 | #checksum-checks: auto | ||
| 876 | # With some accelerator cards using a modified libpcap (like myricom), you | ||
| 877 | # may want to have the same number of capture threads as the number of capture | ||
| 878 | # rings. In this case, set up the threads variable to N to start N threads | ||
| 879 | # listening on the same interface. | ||
| 880 | #threads: 16 | ||
| 881 | # set to no to disable promiscuous mode: | ||
| 882 | #promisc: no | ||
| 883 | # set snaplen, if not set it defaults to MTU if MTU can be known | ||
| 884 | # via ioctl call and to full capture if not. | ||
| 885 | #snaplen: 1518 | ||
| 886 | # Put default values here | ||
| 887 | - interface: default | ||
| 888 | #checksum-checks: auto | ||
| 889 | |||
| 890 | pcap-file: | ||
| 891 | # Possible values are: | ||
| 892 | # - yes: checksum validation is forced | ||
| 893 | # - no: checksum validation is disabled | ||
| 894 | # - auto: suricata uses a statistical approach to detect when | ||
| 895 | # checksum off-loading is used. (default) | ||
| 896 | # Warning: 'checksum-validation' must be set to yes to have checksum tested | ||
| 897 | checksum-checks: auto | ||
| 898 | |||
| 899 | # For FreeBSD ipfw(8) divert(4) support. | ||
| 900 | # Please make sure you have ipfw_load="YES" and ipdivert_load="YES" | ||
| 901 | # in /etc/loader.conf or kldload'ing the appropriate kernel modules. | ||
| 902 | # Additionally, you need to have an ipfw rule for the engine to see | ||
| 903 | # the packets from ipfw. For Example: | ||
| 904 | # | ||
| 905 | # ipfw add 100 divert 8000 ip from any to any | ||
| 906 | # | ||
| 907 | # The 8000 above should be the same number you passed on the command | ||
| 908 | # line, i.e. -d 8000 | ||
| 909 | # | ||
| 910 | ipfw: | ||
| 911 | |||
| 912 | # Reinject packets at the specified ipfw rule number. This config | ||
| 913 | # option is the ipfw rule number AT WHICH rule processing continues | ||
| 914 | # in the ipfw processing system after the engine has finished | ||
| 915 | # inspecting the packet for acceptance. If no rule number is specified, | ||
| 916 | # accepted packets are reinjected at the divert rule which they entered | ||
| 917 | # and IPFW rule processing continues. No check is done to verify | ||
| 918 | # this will rule makes sense so care must be taken to avoid loops in ipfw. | ||
| 919 | # | ||
| 920 | ## The following example tells the engine to reinject packets | ||
| 921 | # back into the ipfw firewall AT rule number 5500: | ||
| 922 | # | ||
| 923 | # ipfw-reinjection-rule-number: 5500 | ||
| 924 | |||
| 925 | # Set the default rule path here to search for the files. | ||
| 926 | # if not set, it will look at the current working dir | ||
| 927 | default-rule-path: /etc/suricata/rules | ||
| 928 | rule-files: | ||
| 929 | - botcc.rules | ||
| 930 | - ciarmy.rules | ||
| 931 | - compromised.rules | ||
| 932 | - drop.rules | ||
| 933 | - dshield.rules | ||
| 934 | - emerging-activex.rules | ||
| 935 | - emerging-attack_response.rules | ||
| 936 | - emerging-chat.rules | ||
| 937 | - emerging-current_events.rules | ||
| 938 | - emerging-dns.rules | ||
| 939 | - emerging-dos.rules | ||
| 940 | - emerging-exploit.rules | ||
| 941 | - emerging-ftp.rules | ||
| 942 | - emerging-games.rules | ||
| 943 | - emerging-icmp_info.rules | ||
| 944 | # - emerging-icmp.rules | ||
| 945 | - emerging-imap.rules | ||
| 946 | - emerging-inappropriate.rules | ||
| 947 | - emerging-malware.rules | ||
| 948 | - emerging-misc.rules | ||
| 949 | - emerging-mobile_malware.rules | ||
| 950 | - emerging-netbios.rules | ||
| 951 | - emerging-p2p.rules | ||
| 952 | - emerging-policy.rules | ||
| 953 | - emerging-pop3.rules | ||
| 954 | - emerging-rpc.rules | ||
| 955 | - emerging-scada.rules | ||
| 956 | - emerging-scan.rules | ||
| 957 | - emerging-shellcode.rules | ||
| 958 | - emerging-smtp.rules | ||
| 959 | - emerging-snmp.rules | ||
| 960 | - emerging-sql.rules | ||
| 961 | - emerging-telnet.rules | ||
| 962 | - emerging-tftp.rules | ||
| 963 | - emerging-trojan.rules | ||
| 964 | - emerging-user_agents.rules | ||
| 965 | - emerging-voip.rules | ||
| 966 | - emerging-web_client.rules | ||
| 967 | - emerging-web_server.rules | ||
| 968 | - emerging-web_specific_apps.rules | ||
| 969 | - emerging-worm.rules | ||
| 970 | - tor.rules | ||
| 971 | - decoder-events.rules # available in suricata sources under rules dir | ||
| 972 | - stream-events.rules # available in suricata sources under rules dir | ||
| 973 | - http-events.rules # available in suricata sources under rules dir | ||
| 974 | - smtp-events.rules # available in suricata sources under rules dir | ||
| 975 | - dns-events.rules # available in suricata sources under rules dir | ||
| 976 | - tls-events.rules # available in suricata sources under rules dir | ||
| 977 | |||
| 978 | classification-file: /etc/suricata/classification.config | ||
| 979 | reference-config-file: /etc/suricata/reference.config | ||
| 980 | |||
| 981 | # Holds variables that would be used by the engine. | ||
| 982 | vars: | ||
| 983 | |||
| 984 | # Holds the address group vars that would be passed in a Signature. | ||
| 985 | # These would be retrieved during the Signature address parsing stage. | ||
| 986 | address-groups: | ||
| 987 | |||
| 988 | HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" | ||
| 989 | |||
| 990 | EXTERNAL_NET: "!$HOME_NET" | ||
| 991 | |||
| 992 | HTTP_SERVERS: "$HOME_NET" | ||
| 993 | |||
| 994 | SMTP_SERVERS: "$HOME_NET" | ||
| 995 | |||
| 996 | SQL_SERVERS: "$HOME_NET" | ||
| 997 | |||
| 998 | DNS_SERVERS: "$HOME_NET" | ||
| 999 | |||
| 1000 | TELNET_SERVERS: "$HOME_NET" | ||
| 1001 | |||
| 1002 | AIM_SERVERS: "$EXTERNAL_NET" | ||
| 1003 | |||
| 1004 | DNP3_SERVER: "$HOME_NET" | ||
| 1005 | |||
| 1006 | DNP3_CLIENT: "$HOME_NET" | ||
| 1007 | |||
| 1008 | MODBUS_CLIENT: "$HOME_NET" | ||
| 1009 | |||
| 1010 | MODBUS_SERVER: "$HOME_NET" | ||
| 1011 | |||
| 1012 | ENIP_CLIENT: "$HOME_NET" | ||
| 1013 | |||
| 1014 | ENIP_SERVER: "$HOME_NET" | ||
| 1015 | |||
| 1016 | # Holds the port group vars that would be passed in a Signature. | ||
| 1017 | # These would be retrieved during the Signature port parsing stage. | ||
| 1018 | port-groups: | ||
| 1019 | |||
| 1020 | HTTP_PORTS: "80" | ||
| 1021 | |||
| 1022 | SHELLCODE_PORTS: "!80" | ||
| 1023 | |||
| 1024 | ORACLE_PORTS: 1521 | ||
| 1025 | |||
| 1026 | SSH_PORTS: 22 | ||
| 1027 | |||
| 1028 | DNP3_PORTS: 20000 | ||
| 1029 | |||
| 1030 | # Set the order of alerts bassed on actions | ||
| 1031 | # The default order is pass, drop, reject, alert | ||
| 1032 | action-order: | ||
| 1033 | - pass | ||
| 1034 | - drop | ||
| 1035 | - reject | ||
| 1036 | - alert | ||
| 1037 | |||
| 1038 | # IP Reputation | ||
| 1039 | #reputation-categories-file: /etc/suricata/iprep/categories.txt | ||
| 1040 | #default-reputation-path: /etc/suricata/iprep | ||
| 1041 | #reputation-files: | ||
| 1042 | # - reputation.list | ||
| 1043 | |||
| 1044 | # Host specific policies for defragmentation and TCP stream | ||
| 1045 | # reassembly. The host OS lookup is done using a radix tree, just | ||
| 1046 | # like a routing table so the most specific entry matches. | ||
| 1047 | host-os-policy: | ||
| 1048 | # Make the default policy windows. | ||
| 1049 | windows: [0.0.0.0/0] | ||
| 1050 | bsd: [] | ||
| 1051 | bsd-right: [] | ||
| 1052 | old-linux: [] | ||
| 1053 | linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] | ||
| 1054 | old-solaris: [] | ||
| 1055 | solaris: ["::1"] | ||
| 1056 | hpux10: [] | ||
| 1057 | hpux11: [] | ||
| 1058 | irix: [] | ||
| 1059 | macos: [] | ||
| 1060 | vista: [] | ||
| 1061 | windows2k3: [] | ||
| 1062 | |||
| 1063 | |||
| 1064 | # Limit for the maximum number of asn1 frames to decode (default 256) | ||
| 1065 | asn1-max-frames: 256 | ||
| 1066 | |||
| 1067 | # When run with the option --engine-analysis, the engine will read each of | ||
| 1068 | # the parameters below, and print reports for each of the enabled sections | ||
| 1069 | # and exit. The reports are printed to a file in the default log dir | ||
| 1070 | # given by the parameter "default-log-dir", with engine reporting | ||
| 1071 | # subsection below printing reports in its own report file. | ||
| 1072 | engine-analysis: | ||
| 1073 | # enables printing reports for fast-pattern for every rule. | ||
| 1074 | rules-fast-pattern: yes | ||
| 1075 | # enables printing reports for each rule | ||
| 1076 | rules: yes | ||
| 1077 | |||
| 1078 | #recursion and match limits for PCRE where supported | ||
| 1079 | pcre: | ||
| 1080 | match-limit: 3500 | ||
| 1081 | match-limit-recursion: 1500 | ||
| 1082 | |||
| 1083 | # Holds details on the app-layer. The protocols section details each protocol. | ||
| 1084 | # Under each protocol, the default value for detection-enabled and " | ||
| 1085 | # parsed-enabled is yes, unless specified otherwise. | ||
| 1086 | # Each protocol covers enabling/disabling parsers for all ipprotos | ||
| 1087 | # the app-layer protocol runs on. For example "dcerpc" refers to the tcp | ||
| 1088 | # version of the protocol as well as the udp version of the protocol. | ||
| 1089 | # The option "enabled" takes 3 values - "yes", "no", "detection-only". | ||
| 1090 | # "yes" enables both detection and the parser, "no" disables both, and | ||
| 1091 | # "detection-only" enables detection only(parser disabled). | ||
| 1092 | app-layer: | ||
| 1093 | protocols: | ||
| 1094 | tls: | ||
| 1095 | enabled: yes | ||
| 1096 | detection-ports: | ||
| 1097 | dp: 443 | ||
| 1098 | |||
| 1099 | #no-reassemble: yes | ||
| 1100 | dcerpc: | ||
| 1101 | enabled: yes | ||
| 1102 | ftp: | ||
| 1103 | enabled: yes | ||
| 1104 | ssh: | ||
| 1105 | enabled: yes | ||
| 1106 | smtp: | ||
| 1107 | enabled: yes | ||
| 1108 | imap: | ||
| 1109 | enabled: detection-only | ||
| 1110 | msn: | ||
| 1111 | enabled: detection-only | ||
| 1112 | smb: | ||
| 1113 | enabled: yes | ||
| 1114 | detection-ports: | ||
| 1115 | dp: 139 | ||
| 1116 | # smb2 detection is disabled internally inside the engine. | ||
| 1117 | #smb2: | ||
| 1118 | # enabled: yes | ||
| 1119 | dns: | ||
| 1120 | # memcaps. Globally and per flow/state. | ||
| 1121 | #global-memcap: 16mb | ||
| 1122 | #state-memcap: 512kb | ||
| 1123 | |||
| 1124 | # How many unreplied DNS requests are considered a flood. | ||
| 1125 | # If the limit is reached, app-layer-event:dns.flooded; will match. | ||
| 1126 | #request-flood: 500 | ||
| 1127 | |||
| 1128 | tcp: | ||
| 1129 | enabled: yes | ||
| 1130 | detection-ports: | ||
| 1131 | dp: 53 | ||
| 1132 | udp: | ||
| 1133 | enabled: yes | ||
| 1134 | detection-ports: | ||
| 1135 | dp: 53 | ||
| 1136 | http: | ||
| 1137 | enabled: yes | ||
| 1138 | # memcap: 64mb | ||
| 1139 | |||
| 1140 | ########################################################################### | ||
| 1141 | # Configure libhtp. | ||
| 1142 | # | ||
| 1143 | # | ||
| 1144 | # default-config: Used when no server-config matches | ||
| 1145 | # personality: List of personalities used by default | ||
| 1146 | # request-body-limit: Limit reassembly of request body for inspection | ||
| 1147 | # by http_client_body & pcre /P option. | ||
| 1148 | # response-body-limit: Limit reassembly of response body for inspection | ||
| 1149 | # by file_data, http_server_body & pcre /Q option. | ||
| 1150 | # double-decode-path: Double decode path section of the URI | ||
| 1151 | # double-decode-query: Double decode query section of the URI | ||
| 1152 | # | ||
| 1153 | # server-config: List of server configurations to use if address matches | ||
| 1154 | # address: List of ip addresses or networks for this block | ||
| 1155 | # personalitiy: List of personalities used by this block | ||
| 1156 | # request-body-limit: Limit reassembly of request body for inspection | ||
| 1157 | # by http_client_body & pcre /P option. | ||
| 1158 | # response-body-limit: Limit reassembly of response body for inspection | ||
| 1159 | # by file_data, http_server_body & pcre /Q option. | ||
| 1160 | # double-decode-path: Double decode path section of the URI | ||
| 1161 | # double-decode-query: Double decode query section of the URI | ||
| 1162 | # | ||
| 1163 | # uri-include-all: Include all parts of the URI. By default the | ||
| 1164 | # 'scheme', username/password, hostname and port | ||
| 1165 | # are excluded. Setting this option to true adds | ||
| 1166 | # all of them to the normalized uri as inspected | ||
| 1167 | # by http_uri, urilen, pcre with /U and the other | ||
| 1168 | # keywords that inspect the normalized uri. | ||
| 1169 | # Note that this does not affect http_raw_uri. | ||
| 1170 | # Also, note that including all was the default in | ||
| 1171 | # 1.4 and 2.0beta1. | ||
| 1172 | # | ||
| 1173 | # meta-field-limit: Hard size limit for request and response size | ||
| 1174 | # limits. Applies to request line and headers, | ||
| 1175 | # response line and headers. Does not apply to | ||
| 1176 | # request or response bodies. Default is 18k. | ||
| 1177 | # If this limit is reached an event is raised. | ||
| 1178 | # | ||
| 1179 | # Currently Available Personalities: | ||
| 1180 | # Minimal | ||
| 1181 | # Generic | ||
| 1182 | # IDS (default) | ||
| 1183 | # IIS_4_0 | ||
| 1184 | # IIS_5_0 | ||
| 1185 | # IIS_5_1 | ||
| 1186 | # IIS_6_0 | ||
| 1187 | # IIS_7_0 | ||
| 1188 | # IIS_7_5 | ||
| 1189 | # Apache_2 | ||
| 1190 | ########################################################################### | ||
| 1191 | libhtp: | ||
| 1192 | |||
| 1193 | default-config: | ||
| 1194 | personality: IDS | ||
| 1195 | |||
| 1196 | # Can be specified in kb, mb, gb. Just a number indicates | ||
| 1197 | # it's in bytes. | ||
| 1198 | request-body-limit: 3072 | ||
| 1199 | response-body-limit: 3072 | ||
| 1200 | |||
| 1201 | # inspection limits | ||
| 1202 | request-body-minimal-inspect-size: 32kb | ||
| 1203 | request-body-inspect-window: 4kb | ||
| 1204 | response-body-minimal-inspect-size: 32kb | ||
| 1205 | response-body-inspect-window: 4kb | ||
| 1206 | # Take a random value for inspection sizes around the specified value. | ||
| 1207 | # This lower the risk of some evasion technics but could lead | ||
| 1208 | # detection change between runs. It is set to 'yes' by default. | ||
| 1209 | #randomize-inspection-sizes: yes | ||
| 1210 | # If randomize-inspection-sizes is active, the value of various | ||
| 1211 | # inspection size will be choosen in the [1 - range%, 1 + range%] | ||
| 1212 | # range | ||
| 1213 | # Default value of randomize-inspection-range is 10. | ||
| 1214 | #randomize-inspection-range: 10 | ||
| 1215 | |||
| 1216 | # decoding | ||
| 1217 | double-decode-path: no | ||
| 1218 | double-decode-query: no | ||
| 1219 | |||
| 1220 | server-config: | ||
| 1221 | |||
| 1222 | #- apache: | ||
| 1223 | # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] | ||
| 1224 | # personality: Apache_2 | ||
| 1225 | # # Can be specified in kb, mb, gb. Just a number indicates | ||
| 1226 | # # it's in bytes. | ||
| 1227 | # request-body-limit: 4096 | ||
| 1228 | # response-body-limit: 4096 | ||
| 1229 | # double-decode-path: no | ||
| 1230 | # double-decode-query: no | ||
| 1231 | |||
| 1232 | #- iis7: | ||
| 1233 | # address: | ||
| 1234 | # - 192.168.0.0/24 | ||
| 1235 | # - 192.168.10.0/24 | ||
| 1236 | # personality: IIS_7_0 | ||
| 1237 | # # Can be specified in kb, mb, gb. Just a number indicates | ||
| 1238 | # # it's in bytes. | ||
| 1239 | # request-body-limit: 4096 | ||
| 1240 | # response-body-limit: 4096 | ||
| 1241 | # double-decode-path: no | ||
| 1242 | # double-decode-query: no | ||
| 1243 | |||
| 1244 | # Profiling settings. Only effective if Suricata has been built with the | ||
| 1245 | # the --enable-profiling configure flag. | ||
| 1246 | # | ||
| 1247 | profiling: | ||
| 1248 | # Run profiling for every xth packet. The default is 1, which means we | ||
| 1249 | # profile every packet. If set to 1000, one packet is profiled for every | ||
| 1250 | # 1000 received. | ||
| 1251 | #sample-rate: 1000 | ||
| 1252 | |||
| 1253 | # rule profiling | ||
| 1254 | rules: | ||
| 1255 | |||
| 1256 | # Profiling can be disabled here, but it will still have a | ||
| 1257 | # performance impact if compiled in. | ||
| 1258 | enabled: yes | ||
| 1259 | filename: rule_perf.log | ||
| 1260 | append: yes | ||
| 1261 | |||
| 1262 | # Sort options: ticks, avgticks, checks, matches, maxticks | ||
| 1263 | sort: avgticks | ||
| 1264 | |||
| 1265 | # Limit the number of items printed at exit. | ||
| 1266 | limit: 100 | ||
| 1267 | |||
| 1268 | # per keyword profiling | ||
| 1269 | keywords: | ||
| 1270 | enabled: yes | ||
| 1271 | filename: keyword_perf.log | ||
| 1272 | append: yes | ||
| 1273 | |||
| 1274 | # packet profiling | ||
| 1275 | packets: | ||
| 1276 | |||
| 1277 | # Profiling can be disabled here, but it will still have a | ||
| 1278 | # performance impact if compiled in. | ||
| 1279 | enabled: yes | ||
| 1280 | filename: packet_stats.log | ||
| 1281 | append: yes | ||
| 1282 | |||
| 1283 | # per packet csv output | ||
| 1284 | csv: | ||
| 1285 | |||
| 1286 | # Output can be disabled here, but it will still have a | ||
| 1287 | # performance impact if compiled in. | ||
| 1288 | enabled: no | ||
| 1289 | filename: packet_stats.csv | ||
| 1290 | |||
| 1291 | # profiling of locking. Only available when Suricata was built with | ||
| 1292 | # --enable-profiling-locks. | ||
| 1293 | locks: | ||
| 1294 | enabled: no | ||
| 1295 | filename: lock_stats.log | ||
| 1296 | append: yes | ||
| 1297 | |||
| 1298 | # Suricata core dump configuration. Limits the size of the core dump file to | ||
| 1299 | # approximately max-dump. The actual core dump size will be a multiple of the | ||
| 1300 | # page size. Core dumps that would be larger than max-dump are truncated. On | ||
| 1301 | # Linux, the actual core dump size may be a few pages larger than max-dump. | ||
| 1302 | # Setting max-dump to 0 disables core dumping. | ||
| 1303 | # Setting max-dump to 'unlimited' will give the full core dump file. | ||
| 1304 | # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size | ||
| 1305 | # to be 'unlimited'. | ||
| 1306 | |||
| 1307 | coredump: | ||
| 1308 | max-dump: unlimited | ||
| 1309 | |||
| 1310 | napatech: | ||
| 1311 | # The Host Buffer Allowance for all streams | ||
| 1312 | # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) | ||
| 1313 | hba: -1 | ||
| 1314 | |||
| 1315 | # use_all_streams set to "yes" will query the Napatech service for all configured | ||
| 1316 | # streams and listen on all of them. When set to "no" the streams config array | ||
| 1317 | # will be used. | ||
| 1318 | use-all-streams: yes | ||
| 1319 | |||
| 1320 | # The streams to listen on | ||
| 1321 | streams: [1, 2, 3] | ||
| 1322 | |||
| 1323 | # Includes. Files included here will be handled as if they were | ||
| 1324 | # inlined in this configuration file. | ||
| 1325 | #include: include1.yaml | ||
| 1326 | #include: include2.yaml | ||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata new file mode 100644 index 0000000..fbf3784 --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | #Type Path Mode UID GID Age Argument | ||
| 2 | d /var/log/suricata 0755 root root | ||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata new file mode 100644 index 0000000..4627bd3 --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | # <type> <owner> <group> <mode> <path> <linksource> | ||
| 2 | d root root 0755 /var/log/suricata none | ||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb new file mode 100644 index 0000000..34e72e9 --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb | |||
| @@ -0,0 +1,27 @@ | |||
| 1 | SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." | ||
| 2 | |||
| 3 | require suricata.inc | ||
| 4 | |||
| 5 | LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" | ||
| 6 | |||
| 7 | SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" | ||
| 8 | SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1" | ||
| 9 | |||
| 10 | DEPENDS = "zlib" | ||
| 11 | |||
| 12 | inherit autotools-brokensep pkgconfig | ||
| 13 | |||
| 14 | CFLAGS += "-D_DEFAULT_SOURCE" | ||
| 15 | |||
| 16 | #S = "${WORKDIR}/suricata-${VER}/${BPN}" | ||
| 17 | |||
| 18 | S = "${WORKDIR}/git" | ||
| 19 | |||
| 20 | do_configure () { | ||
| 21 | cd ${S} | ||
| 22 | ./autogen.sh | ||
| 23 | oe_runconf | ||
| 24 | } | ||
| 25 | |||
| 26 | RDEPENDS_${PN} += "zlib" | ||
| 27 | |||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc new file mode 100644 index 0000000..85f419e --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc | |||
| @@ -0,0 +1,8 @@ | |||
| 1 | HOMEPAGE = "http://suricata-ids.org/" | ||
| 2 | SECTION = "security Monitor/Admin" | ||
| 3 | LICENSE = "GPLv2" | ||
| 4 | |||
| 5 | VER = "6.0.2" | ||
| 6 | SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" | ||
| 7 | |||
| 8 | SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52" | ||
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb new file mode 100644 index 0000000..a4255d2 --- /dev/null +++ b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb | |||
| @@ -0,0 +1,193 @@ | |||
| 1 | SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" | ||
| 2 | |||
| 3 | require suricata.inc | ||
| 4 | |||
| 5 | DEPENDS = "lz4 libhtp" | ||
| 6 | |||
| 7 | LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" | ||
| 8 | |||
| 9 | SRC_URI += " \ | ||
| 10 | file://volatiles.03_suricata \ | ||
| 11 | file://tmpfiles.suricata \ | ||
| 12 | file://suricata.yaml \ | ||
| 13 | file://suricata.service \ | ||
| 14 | file://run-ptest \ | ||
| 15 | file://fixup.patch \ | ||
| 16 | " | ||
| 17 | |||
| 18 | SRC_URI += " \ | ||
| 19 | crate://crates.io/autocfg/1.0.1 \ | ||
| 20 | crate://crates.io/semver-parser/0.7.0 \ | ||
| 21 | crate://crates.io/arrayvec/0.4.12 \ | ||
| 22 | crate://crates.io/ryu/1.0.5 \ | ||
| 23 | crate://crates.io/libc/0.2.86 \ | ||
| 24 | crate://crates.io/bitflags/1.2.1 \ | ||
| 25 | crate://crates.io/version_check/0.9.2 \ | ||
| 26 | crate://crates.io/memchr/2.3.4 \ | ||
| 27 | crate://crates.io/nodrop/0.1.14 \ | ||
| 28 | crate://crates.io/cfg-if/0.1.9 \ | ||
| 29 | crate://crates.io/static_assertions/0.3.4 \ | ||
| 30 | crate://crates.io/getrandom/0.1.16 \ | ||
| 31 | crate://crates.io/cfg-if/1.0.0 \ | ||
| 32 | crate://crates.io/siphasher/0.3.3 \ | ||
| 33 | crate://crates.io/ppv-lite86/0.2.10 \ | ||
| 34 | crate://crates.io/proc-macro-hack/0.5.19 \ | ||
| 35 | crate://crates.io/proc-macro2/0.4.30 \ | ||
| 36 | crate://crates.io/unicode-xid/0.1.0 \ | ||
| 37 | crate://crates.io/syn/0.15.44 \ | ||
| 38 | crate://crates.io/build_const/0.2.1 \ | ||
| 39 | crate://crates.io/num-derive/0.2.5 \ | ||
| 40 | crate://crates.io/base64/0.11.0 \ | ||
| 41 | crate://crates.io/widestring/0.4.3 \ | ||
| 42 | crate://crates.io/md5/0.7.0 \ | ||
| 43 | crate://crates.io/uuid/0.8.2 \ | ||
| 44 | crate://crates.io/byteorder/1.4.2 \ | ||
| 45 | crate://crates.io/semver/0.9.0 \ | ||
| 46 | crate://crates.io/nom/5.1.1 \ | ||
| 47 | crate://crates.io/num-traits/0.2.14 \ | ||
| 48 | crate://crates.io/num-integer/0.1.44 \ | ||
| 49 | crate://crates.io/num-bigint/0.2.6 \ | ||
| 50 | crate://crates.io/num-bigint/0.3.1 \ | ||
| 51 | crate://crates.io/num-rational/0.2.4 \ | ||
| 52 | crate://crates.io/num-complex/0.2.4 \ | ||
| 53 | crate://crates.io/num-iter/0.1.42 \ | ||
| 54 | crate://crates.io/phf_shared/0.8.0 \ | ||
| 55 | crate://crates.io/crc/1.8.1 \ | ||
| 56 | crate://crates.io/rustc_version/0.2.3 \ | ||
| 57 | crate://crates.io/phf/0.8.0 \ | ||
| 58 | crate://crates.io/lexical-core/0.6.7 \ | ||
| 59 | crate://crates.io/time/0.1.44 \ | ||
| 60 | crate://crates.io/quote/0.6.13 \ | ||
| 61 | crate://crates.io/rand_core/0.5.1 \ | ||
| 62 | crate://crates.io/rand_chacha/0.2.2 \ | ||
| 63 | crate://crates.io/rand_pcg/0.2.1 \ | ||
| 64 | crate://crates.io/num-traits/0.1.43 \ | ||
| 65 | crate://crates.io/rand/0.7.3 \ | ||
| 66 | crate://crates.io/enum_primitive/0.1.1 \ | ||
| 67 | crate://crates.io/phf_generator/0.8.0 \ | ||
| 68 | crate://crates.io/phf_codegen/0.8.0 \ | ||
| 69 | crate://crates.io/tls-parser/0.9.4 \ | ||
| 70 | crate://crates.io/num/0.2.1 \ | ||
| 71 | crate://crates.io/rusticata-macros/2.1.0 \ | ||
| 72 | crate://crates.io/ntp-parser/0.4.0 \ | ||
| 73 | crate://crates.io/der-oid-macro/0.2.0 \ | ||
| 74 | crate://crates.io/der-parser/3.0.4 \ | ||
| 75 | crate://crates.io/ipsec-parser/0.5.0 \ | ||
| 76 | crate://crates.io/x509-parser/0.6.5 \ | ||
| 77 | crate://crates.io/der-parser/4.1.0 \ | ||
| 78 | crate://crates.io/snmp-parser/0.6.0 \ | ||
| 79 | crate://crates.io/kerberos-parser/0.5.0 \ | ||
| 80 | crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ | ||
| 81 | crate://crates.io/winapi/0.3.9 \ | ||
| 82 | crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ | ||
| 83 | crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ | ||
| 84 | crate://crates.io/log/0.4.0 \ | ||
| 85 | crate://crates.io/rand_hc/0.2.0 \ | ||
| 86 | crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ | ||
| 87 | " | ||
| 88 | |||
| 89 | # test case support | ||
| 90 | SRC_URI += " \ | ||
| 91 | crate://crates.io/test-case/1.0.1 \ | ||
| 92 | crate://crates.io/proc-macro2/1.0.1 \ | ||
| 93 | crate://crates.io/quote/1.0.1 \ | ||
| 94 | crate://crates.io/syn/1.0.1 \ | ||
| 95 | crate://crates.io/unicode-xid/0.2.0 \ | ||
| 96 | " | ||
| 97 | |||
| 98 | inherit autotools pkgconfig python3native systemd ptest cargo | ||
| 99 | |||
| 100 | EXTRA_OECONF += " --disable-debug \ | ||
| 101 | --disable-gccmarch-native \ | ||
| 102 | --enable-non-bundled-htp \ | ||
| 103 | --disable-suricata-update \ | ||
| 104 | --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \ | ||
| 105 | " | ||
| 106 | |||
| 107 | CARGO_SRC_DIR = "rust" | ||
| 108 | |||
| 109 | B = "${S}" | ||
| 110 | |||
| 111 | PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr " | ||
| 112 | PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" | ||
| 113 | |||
| 114 | PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," | ||
| 115 | PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," | ||
| 116 | PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap" | ||
| 117 | PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " | ||
| 118 | PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," | ||
| 119 | PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," | ||
| 120 | PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," | ||
| 121 | |||
| 122 | PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" | ||
| 123 | PACKAGECONFIG[file] = ",,file, file" | ||
| 124 | PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," | ||
| 125 | PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," | ||
| 126 | PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" | ||
| 127 | PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," | ||
| 128 | |||
| 129 | export logdir = "${localstatedir}/log" | ||
| 130 | |||
| 131 | CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes" | ||
| 132 | |||
| 133 | do_configure_prepend () { | ||
| 134 | oe_runconf | ||
| 135 | } | ||
| 136 | |||
| 137 | do_compile () { | ||
| 138 | # we do this to bypass the make provided by this pkg | ||
| 139 | # patches Makefile to skip the subdir | ||
| 140 | cargo_do_compile | ||
| 141 | |||
| 142 | # Finish building | ||
| 143 | cd ${S} | ||
| 144 | make | ||
| 145 | } | ||
| 146 | |||
| 147 | do_install () { | ||
| 148 | install -d ${D}${sysconfdir}/suricata | ||
| 149 | |||
| 150 | oe_runmake install DESTDIR=${D} | ||
| 151 | |||
| 152 | install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles | ||
| 153 | install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata | ||
| 154 | |||
| 155 | install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata | ||
| 156 | install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata | ||
| 157 | |||
| 158 | if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then | ||
| 159 | install -d ${D}${sysconfdir}/tmpfiles.d | ||
| 160 | install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf | ||
| 161 | |||
| 162 | install -d ${D}${systemd_unitdir}/system | ||
| 163 | sed -e s:/etc:${sysconfdir}:g \ | ||
| 164 | -e s:/var/run:/run:g \ | ||
| 165 | -e s:/var:${localstatedir}:g \ | ||
| 166 | -e s:/usr/bin:${bindir}:g \ | ||
| 167 | -e s:/bin/kill:${base_bindir}/kill:g \ | ||
| 168 | -e s:/usr/lib:${libdir}:g \ | ||
| 169 | ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service | ||
| 170 | fi | ||
| 171 | |||
| 172 | # Remove /var/run as it is created on startup | ||
| 173 | rm -rf ${D}${localstatedir}/run | ||
| 174 | |||
| 175 | sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc | ||
| 176 | sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl | ||
| 177 | } | ||
| 178 | |||
| 179 | pkg_postinst_ontarget_${PN} () { | ||
| 180 | if command -v systemd-tmpfiles >/dev/null; then | ||
| 181 | systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf | ||
| 182 | elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then | ||
| 183 | ${sysconfdir}/init.d/populate-volatile.sh update | ||
| 184 | fi | ||
| 185 | } | ||
| 186 | |||
| 187 | SYSTEMD_PACKAGES = "${PN}" | ||
| 188 | |||
| 189 | PACKAGES =+ "${PN}-python" | ||
| 190 | FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" | ||
| 191 | FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" | ||
| 192 | |||
| 193 | CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" | ||
