Package: suricata
Version: 2.0.7-2
Severity: important
Hi,
I have a problem with suricata after upgrading to jessie. It seems that http
rules no longer work after the upgrade to jessie.
I have created 2 rules to make a test in a file /etc/suricata/rules/local.rules:
alert http any any -> any any (msg:"User-Agent Gecko http_user_agent"; content:"Gecko"; http_user_agent; sid:2; rev:1;)
alert ip any any -> any any (msg:"ICMP detected"; sid:3; rev:1;)
In the log file (/var/log/fast.log) I can see the rule based on the ip test
(and other alerts but no http alert):
04/28/2015-21:44:10.119672 [**] [1:3:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.119:4996 -> 168.61.34.65:80
I use the rules from Emerging Threats
(https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz).
There is no error when suricata starts:
root@ids:/var/log/suricata# suricata -c /etc/suricata/suricata-debian.yaml -i eth1 --init-errors-fatal
28/4/2015 -- 22:09:19 - <Notice> - This is Suricata version 2.0.7 RELEASE
28/4/2015 -- 22:09:19 - <Info> - CPUs/cores online: 4
28/4/2015 -- 22:09:19 - <Info> - 'default' server has
'request-body-minimal-inspect-size' set to 33882 and
'request-body-inspect-window' set to 4053 after randomization.
28/4/2015 -- 22:09:19 - <Info> - 'default' server has
'response-body-minimal-inspect-size' set to 33695 and
'response-body-inspect-window' set to 4218 after randomization.
28/4/2015 -- 22:09:19 - <Info> - DNS request flood protection level: 500
28/4/2015 -- 22:09:19 - <Info> - DNS per flow memcap (state-memcap): 524288
28/4/2015 -- 22:09:19 - <Info> - DNS global memcap: 16777216
28/4/2015 -- 22:09:19 - <Info> - Found an MTU of 1500 for 'eth1'
28/4/2015 -- 22:09:19 - <Info> - allocated 2097152 bytes of memory for the
defrag hash... 65536 buckets of size 32
28/4/2015 -- 22:09:19 - <Info> - preallocated 65535 defrag trackers of size 116
28/4/2015 -- 22:09:19 - <Info> - defrag memory usage: 9699212 bytes, maximum:
33554432
28/4/2015 -- 22:09:19 - <Info> - AutoFP mode using default "Active Packets"
flow load balancer
28/4/2015 -- 22:09:19 - <Info> - preallocated 1024 packets. Total memory 2797568
28/4/2015 -- 22:09:19 - <Info> - allocated 262144 bytes of memory for the host
hash... 4096 buckets of size 64
28/4/2015 -- 22:09:19 - <Info> - preallocated 1000 hosts of size 72
28/4/2015 -- 22:09:19 - <Info> - host memory usage: 342144 bytes, maximum:
16777216
28/4/2015 -- 22:09:19 - <Info> - allocated 4194304 bytes of memory for the flow
hash... 65536 buckets of size 64
28/4/2015 -- 22:09:19 - <Info> - preallocated 10000 flows of size 188
28/4/2015 -- 22:09:19 - <Info> - flow memory usage: 6114304 bytes, maximum:
67108864
28/4/2015 -- 22:09:19 - <Info> - stream "prealloc-sessions": 2048 (per thread)
28/4/2015 -- 22:09:19 - <Info> - stream "memcap": 33554432
28/4/2015 -- 22:09:19 - <Info> - stream "midstream" session pickups: disabled
28/4/2015 -- 22:09:19 - <Info> - stream "async-oneside": disabled
28/4/2015 -- 22:09:19 - <Info> - stream "checksum-validation": enabled
28/4/2015 -- 22:09:19 - <Info> - stream."inline": disabled
28/4/2015 -- 22:09:19 - <Info> - stream "max-synack-queued": 5
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "memcap": 134217728
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "depth": 1048576
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "toserver-chunk-size": 2517
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "toclient-chunk-size": 2514
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly.raw: enabled
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 4, prealloc 256
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 16, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 112, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 248, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 512, prealloc 512
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 768, prealloc 1024
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 1448, prealloc 1024
28/4/2015 -- 22:09:19 - <Info> - segment pool: pktsize 65535, prealloc 128
28/4/2015 -- 22:09:19 - <Info> - stream.reassembly "chunk-prealloc": 250
28/4/2015 -- 22:09:19 - <Info> - IP reputation disabled
28/4/2015 -- 22:09:19 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:19 - <Info> - Delayed detect disabled
28/4/2015 -- 22:09:26 - <Info> - 50 rule files processed. 16837 rules
successfully loaded, 0 rules failed
28/4/2015 -- 22:09:26 - <Info> - 16845 signatures processed. 948 are IP-only
rules, 5186 are inspecting packet payload, 12575 inspect application layer, 75
are decoder event only
28/4/2015 -- 22:09:26 - <Info> - building signature grouping structure, stage
1: preprocessing rules... complete
28/4/2015 -- 22:09:26 - <Info> - building signature grouping structure, stage
2: building source address list... complete
28/4/2015 -- 22:09:28 - <Info> - building signature grouping structure, stage
3: building destination address lists... complete
28/4/2015 -- 22:09:30 - <Info> - Threshold config parsed: 0 rule(s) found
28/4/2015 -- 22:09:30 - <Info> - Core dump size set to unlimited.
28/4/2015 -- 22:09:30 - <Info> - fast output device (regular) initialized:
fast.log
28/4/2015 -- 22:09:30 - <Info> - eve-log output device (regular) initialized:
eve.json
28/4/2015 -- 22:09:30 - <Info> - returning output_ctx 0xba180c40
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'alert'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'http'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'dns'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'tls'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'files'
28/4/2015 -- 22:09:30 - <Info> - enabling 'eve-log' module 'ssh'
28/4/2015 -- 22:09:30 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 32 MB
28/4/2015 -- 22:09:30 - <Info> - http-log output device (regular) initialized:
http.log
28/4/2015 -- 22:09:30 - <Info> - Using 1 live device(s).
28/4/2015 -- 22:09:30 - <Info> - using interface eth1
28/4/2015 -- 22:09:30 - <Info> - Running in 'auto' checksum mode. Detection of
interface state will require 1000 packets.
28/4/2015 -- 22:09:30 - <Info> - Found an MTU of 1500 for 'eth1'
28/4/2015 -- 22:09:30 - <Info> - Set snaplen to 1516 for 'eth1'
28/4/2015 -- 22:09:30 - <Info> - Generic Receive Offload is unset on eth1
28/4/2015 -- 22:09:30 - <Info> - Large Receive Offload is unset on eth1
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - using magic-file /usr/share/file/magic
28/4/2015 -- 22:09:30 - <Info> - RunModeIdsPcapAutoFp initialised
28/4/2015 -- 22:09:30 - <Notice> - all 7 packet processing threads, 3
management threads initialized, engine started.
28/4/2015 -- 22:10:47 - <Info> - No packets with invalid checksum, assuming
checksum offloading is NOT used
Thanks for your help.
Best Regards,
--
Olivier LARRIGAUDIERE
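An added helper, not part of the bug report or the suricata package: it parses fast.log lines in the format quoted above and reports which of a set of test signatures never fired, so whether sid 2 stays silent on the same flows that trigger sid 3 can be read off the log instead of by eye. The second sample line and its sid 1000001 are constructed.

```python
"""Tally Suricata fast.log alerts by signature id (constructed helper)."""
import re
from collections import Counter

# One fast.log alert line, e.g.
#   04/28/2015-21:44:10.119672 [**] [1:3:1] ICMP detected [**] [Classification: (null)]
#   [Priority: 3] {TCP} 192.168.0.119:4996 -> 168.61.34.65:80
# Whitespace between fields is matched loosely because mail clients and copy/paste
# often collapse or wrap it; an optional [Drop] marker (IPS mode) is tolerated.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[Drop\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>.*?)\]\s+\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)


def parse_fast_log_line(line):
    """Return a dict of the alert's fields, or None if the line is not a fast.log alert."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def tally_by_sid(lines):
    """Count alerts per (gid, sid); lines that do not parse are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is not None:
            counts[(rec["gid"], rec["sid"])] += 1
    return counts


def missing_sids(lines, expected_sids, gid=1):
    """Return the expected sids (sorted) that never appear in the log."""
    counts = tally_by_sid(lines)
    return sorted(sid for sid in expected_sids if counts[(gid, sid)] == 0)


# Constructed sample: the first line is the one quoted in the report, re-joined
# onto one line; the second is a made-up alert (sid 1000001) on the same flow;
# the third is there to show that non-alert lines are skipped.
SAMPLE_FAST_LOG = [
    "04/28/2015-21:44:10.119672 [**] [1:3:1] ICMP detected [**] [Classification: (null)] "
    "[Priority: 3] {TCP} 192.168.0.119:4996 -> 168.61.34.65:80",
    "04/28/2015-21:44:10.201337 [**] [1:1000001:1] CONSTRUCTED sample alert [**] "
    "[Classification: (null)] [Priority: 3] {TCP} 192.168.0.119:4996 -> 168.61.34.65:80",
    "not an alert line",
]


def main():
    counts = tally_by_sid(SAMPLE_FAST_LOG)
    for (gid, sid), n in sorted(counts.items()):
        print(f"{gid}:{sid} fired {n} time(s)")
    # For the report's two test rules this prints [2]: the ip rule fired, the http one did not.
    print("test sids that never fired:", missing_sids(SAMPLE_FAST_LOG, [2, 3]))


if __name__ == "__main__":
    main()
```

Run it against the real file with `tally_by_sid(open("/var/log/suricata/fast.log"))` to get counts for every sid, not just the two test ones.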
-- System Information:
Debian Release: 8.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages suricata depends on:
ii libc6 2.19-18
ii libcap-ng0 0.7.4-2
ii libgcrypt20 1.6.3-2
ii libgnutls-deb0-28 3.3.8-6
ii libjansson4 2.7-1
ii libluajit-5.1-2 2.0.3+dfsg-3
ii libmagic1 1:5.22+15-2
ii libnet1 1.1.6+dfsg-3
ii libnetfilter-queue1 1.0.2-2
ii libnfnetlink0 1.0.1-3
ii libnspr4 2:4.10.7-1
ii libnss3 2:3.17.2-1.1
ii libpcap0.8 1.6.2-2
ii libpcre3 2:8.35-3.3
ii libprelude2 1.0.0-11.4
ii libyaml-0-2 0.1.6-3
ii python 2.7.9-1
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages suricata recommends:
ii oinkmaster 2.0-4
ii snort-rules-default 2.9.2.2-3
suricata suggests no packages.
-- Configuration Files:
/etc/default/suricata changed:
RUN=yes
SURCONF=/etc/suricata/suricata-debian.yaml
LISTENMODE=pcap
IFACE=eth1
NFQUEUE=0
TCMALLOC="YES"
PIDFILE=/var/run/suricata.pid
/etc/suricata/rules/decoder-events.rules changed:
alert pkthdr any any -> any any (msg:"SURICATA IPv4 packet too small";
decode-event:ipv4.pkt_too_small; sid:2200000; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 header size too small";
decode-event:ipv4.hlen_too_small; sid:2200001; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 total length smaller than
header size"; decode-event:ipv4.iplen_smaller_than_hlen; sid:2200002; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option";
decode-event:ipv4.opt_invalid; sid:2200004; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length";
decode-event:ipv4.opt_invalid_len; sid:2200005; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 malformed option";
decode-event:ipv4.opt_malformed; sid:2200006; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 option end of list
required"; decode-event:ipv4.opt_eol_required; sid:2200008; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 duplicated IP option";
decode-event:ipv4.opt_duplicate; sid:2200009; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 unknown IP option";
decode-event:ipv4.opt_unknown; sid:2200010; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 wrong IP version";
decode-event:ipv4.wrong_ip_version; sid:2200011; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 packet too small";
decode-event:ipv6.pkt_too_small; sid:2200012; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension
header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment
extension header"; decode-event:ipv6.exthdr_dupl_fh; sid:2200015; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension
header"; decode-event:ipv6.exthdr_useless_fh; sid:2200080; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Routing
extension header"; decode-event:ipv6.exthdr_dupl_rh; sid:2200016; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop
Options extension header"; decode-event:ipv6.exthdr_dupl_hh; sid:2200017;
rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination
Options extension header"; decode-event:ipv6.exthdr_dupl_dh; sid:2200018;
rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Authentication
Header extension header"; decode-event:ipv6.exthdr_dupl_ah; sid:2200019; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicate ESP extension
header"; decode-event:ipv6.exthdr_dupl_eh; sid:2200020; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 invalid option length in
header"; decode-event:ipv6.exthdr_invalid_optlen; sid:2200021; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 wrong IP version";
decode-event:ipv6.wrong_ip_version; sid:2200022; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 AH reserved field not 0";
decode-event:ipv6.exthdr_ah_res_not_null; sid:2200081; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 packet too small";
decode-event:icmpv4.pkt_too_small; sid:2200023; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown type";
decode-event:icmpv4.unknown_type; sid:2200024; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code";
decode-event:icmpv4.unknown_code; sid:2200025; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 truncated packet";
decode-event:icmpv4.ipv4_trunc_pkt; sid:2200026; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown version";
decode-event:icmpv4.ipv4_unknown_ver; sid:2200027; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 packet too small";
decode-event:icmpv6.pkt_too_small; sid:2200028; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown type";
decode-event:icmpv6.unknown_type; sid:2200029; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown code";
decode-event:icmpv6.unknown_code; sid:2200030; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 truncated packet";
decode-event:icmpv6.ipv6_trunc_pkt; sid:2200031; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA ICMPv6 unknown version";
decode-event:icmpv6.ipv6_unknown_version; sid:2200032; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP packet too small";
decode-event:tcp.pkt_too_small; sid:2200033; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP header length too small";
decode-event:tcp.hlen_too_small; sid:2200034; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP invalid option length";
decode-event:tcp.invalid_optlen; sid:2200035; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP option invalid length";
decode-event:tcp.opt_invalid_len; sid:2200036; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option";
decode-event:tcp.opt_duplicate; sid:2200037; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDP packet too small";
decode-event:udp.pkt_too_small; sid:2200038; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDP header length too small";
decode-event:udp.hlen_too_small; sid:2200039; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length";
decode-event:udp.hlen_invalid; sid:2200040; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA SLL packet too small";
decode-event:sll.pkt_too_small; sid:2200041; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA Ethernet packet too small";
decode-event:ethernet.pkt_too_small; sid:2200042; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small";
decode-event:ppp.pkt_too_small; sid:2200043; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP VJU packet too small";
decode-event:ppp.vju_pkt_too_small; sid:2200044; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP IPv4 packet too small";
decode-event:ppp.ip4_pkt_too_small; sid:2200045; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP IPv6 too small";
decode-event:ppp.ip6_pkt_too_small; sid:2200046; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP wrong type";
decode-event:ppp.wrong_type; sid:2200047; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol";
decode-event:ppp.unsup_proto; sid:2200048; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small";
decode-event:pppoe.pkt_too_small; sid:2200049; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPPOE wrong code";
decode-event:pppoe.wrong_code; sid:2200050; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA PPPOE malformed tags";
decode-event:pppoe.malformed_tags; sid:2200051; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE packet too small";
decode-event:gre.pkt_too_small; sid:2200052; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE wrong version";
decode-event:gre.wrong_version; sid:2200053; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v0 recursion control";
decode-event:gre.version0_recur; sid:2200054; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v0 flags";
decode-event:gre.version0_flags; sid:2200055; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v0 header too big";
decode-event:gre.version0_hdr_too_big; sid:2200056; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 checksum present";
decode-event:gre.version1_chksum; sid:2200057; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 routing present";
decode-event:gre.version1_route; sid:2200058; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 strict source route";
decode-event:gre.version1_ssr; sid:2200059; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 recursion control";
decode-event:gre.version1_recur; sid:2200060; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 flags";
decode-event:gre.version1_flags; sid:2200061; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 no key present";
decode-event:gre.version1_no_key; sid:2200062; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 wrong protocol";
decode-event:gre.version1_wrong_protocol; sid:2200063; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 malformed Source Route
Entry header"; decode-event:gre.version1_malformed_sre_hdr; sid:2200064; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA GRE v1 header too big";
decode-event:gre.version1_hdr_too_big; sid:2200065; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA VLAN header too small ";
decode-event:vlan.header_too_small; sid:2200066; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IP raw invalid IP version ";
decode-event:ipraw.invalid_ip_version; sid:2200068; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too
large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation
overlap"; decode-event:ipv4.frag_overlap; sid:2200070; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too
large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation
overlap"; decode-event:ipv6.frag_overlap; sid:2200072; rev:1;)
alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum";
ipv4-csum:invalid; sid:2200073; rev:1;)
alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum";
tcpv4-csum:invalid; sid:2200074; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum";
udpv4-csum:invalid; sid:2200075; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum";
icmpv4-csum:invalid; sid:2200076; rev:1;)
alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum";
tcpv6-csum:invalid; sid:2200077; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum";
udpv6-csum:invalid; sid:2200078; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum";
icmpv6-csum:invalid; sid:2200079; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 packet too short";
decode-event:ipv6.ipv4_in_ipv6_too_small; sid:2200082; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol";
decode-event:ipv6.ipv4_in_ipv6_wrong_version; sid:2200083; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short";
decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol";
decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)
/etc/suricata/rules/dns-events.rules [Errno 2] No such file or directory:
u'/etc/suricata/rules/dns-events.rules'
/etc/suricata/rules/files.rules changed:
alert http any any -> any any (msg:"FILE magic -- windows";
flow:established,to_client; filemagic:"executable for MS Windows"; filestore;
sid:18; rev:1;)
/etc/suricata/rules/http-events.rules changed:
alert http any any -> any any (msg:"SURICATA HTTP unknown error";
flow:established; app-layer-event:http.unknown_error;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221000;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request field missing colon";
flow:established,to_server; app-layer-event:http.request_field_missing_colon;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221002;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response field missing
colon"; flow:established,to_client;
app-layer-event:http.response_field_missing_colon;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221020;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding
value in request"; flow:established,to_server;
app-layer-event:http.invalid_transfer_encoding_value_in_request;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221005;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid transfer encoding
value in response"; flow:established,to_client;
app-layer-event:http.invalid_transfer_encoding_value_in_response;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221006;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid content length field
in request"; flow:established,to_server;
app-layer-event:http.invalid_content_length_field_in_request;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221007;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid content length field
in response"; flow:established,to_client;
app-layer-event:http.invalid_content_length_field_in_response;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221008;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid server port in
request"; flow:established,to_server;
app-layer-event:http.invalid_server_port_in_request;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221011;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid authority port";
flow:established; app-layer-event:http.invalid_authority_port;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221012;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request header invalid";
flow:established,to_server; app-layer-event:http.request_header_invalid;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221013;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response header invalid";
flow:established,to_client; app-layer-event:http.response_header_invalid;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221021;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP Host header ambiguous";
flow:established,to_server; app-layer-event:http.host_header_ambiguous;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221015;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid request field
folding"; flow:established,to_server;
app-layer-event:http.invalid_request_field_folding;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221016;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP invalid response field
folding"; flow:established,to_client;
app-layer-event:http.invalid_response_field_folding;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221017;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request field too long";
flow:established,to_server; app-layer-event:http.request_field_too_long;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221018;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP response field too long";
flow:established,to_client; app-layer-event:http.response_field_too_long;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221019;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata";
flow:established,to_server; app-layer-event:http.multipart_no_filedata;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221023;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP multipart invalid header";
flow:established,to_server; app-layer-event:http.multipart_invalid_header;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221024;
rev:1;)
alert http any any -> any any (msg:"SURICATA HTTP request server port doesn't
match TCP port"; flow:established,to_server;
app-layer-event:http.request_server_port_tcp_port_mismatch;
flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221026;
rev:1;)
/etc/suricata/rules/smtp-events.rules changed:
alert smtp any any -> any any (msg:"SURICATA SMTP max command line len
exceeded"; flow:established;
app-layer-event:smtp.max_command_line_len_exceeded;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220002;
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP max reply line len exceeded";
flow:established,to_client; app-layer-event:smtp.max_reply_line_len_exceeded;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220003;
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP invalid pipelined sequence";
flow:established,to_server; app-layer-event:smtp.invalid_pipelined_sequence;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220004;
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP bdat chunk len exceeded";
flow:established; app-layer-event:smtp.bdat_chunk_len_exceeded;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220005;
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP no server welcome message";
flow:established,to_client; app-layer-event:smtp.no_server_welcome_message;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220006;
rev:1;)
alert smtp any any -> any any (msg:"SURICATA SMTP data command rejected";
flow:established,to_client; app-layer-event:smtp.data_command_rejected;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220008;
rev:1;)
/etc/suricata/rules/stream-events.rules changed:
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake with ack in
wrong dir"; stream-event:3whs_ack_in_wrong_dir; sid:2210000; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake async wrong
sequence"; stream-event:3whs_async_wrong_seq; sid:2210001; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake right seq
wrong ack evasion"; stream-event:3whs_right_seq_wrong_ack_evasion; sid:2210002;
rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK in
wrong direction"; stream-event:3whs_synack_in_wrong_direction; sid:2210003;
rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend
with different ack"; stream-event:3whs_synack_resend_with_different_ack;
sid:2210004; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK resend
with different seq"; stream-event:3whs_synack_resend_with_diff_seq;
sid:2210005; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK to
server on SYN recv"; stream-event:3whs_synack_toserver_on_syn_recv;
sid:2210006; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYNACK with
wrong ack"; stream-event:3whs_synack_with_wrong_ack; sid:2210007; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend
different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv;
sid:2210008; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client
on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; sid:2210009; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq
wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; sid:2210010; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with
wrong ACK"; stream-event:4whs_synack_with_wrong_ack; sid:2210011; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with
wrong SYN"; stream-event:4whs_synack_with_wrong_syn; sid:2210012; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq";
stream-event:4whs_wrong_seq; sid:2210013; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake invalid ack";
stream-event:4whs_invalid_ack; sid:2210014; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT ACK out of
window"; stream-event:closewait_ack_out_of_window; sid:2210015; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT FIN out of
window"; stream-event:closewait_fin_out_of_window; sid:2210016; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSEWAIT invalid ACK";
stream-event:closewait_invalid_ack; sid:2210017; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING ACK wrong seq";
stream-event:closing_ack_wrong_seq; sid:2210018; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM CLOSING invalid ACK";
stream-event:closing_invalid_ack; sid:2210019; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of
window"; stream-event:est_packet_out_of_window; sid:2210020; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED retransmission
packet before last ack"; stream-event:est_pkt_before_last_ack; sid:2210021;
rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend";
stream-event:est_synack_resend; sid:2210022; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend
with different ACK"; stream-event:est_synack_resend_with_different_ack;
sid:2210023; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend
with different seq"; stream-event:est_synack_resend_with_diff_seq; sid:2210024;
rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK to
server"; stream-event:est_synack_toserver; sid:2210025; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend";
stream-event:est_syn_resend; sid:2210026; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN resend with
different seq"; stream-event:est_syn_resend_diff_seq; sid:2210027; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYN to client";
stream-event:est_syn_toclient; sid:2210028; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED invalid ack";
stream-event:est_invalid_ack; sid:2210029; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN invalid ack";
stream-event:fin_invalid_ack; sid:2210030; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 ack with wrong seq";
stream-event:fin1_ack_wrong_seq; sid:2210031; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 FIN with wrong seq";
stream-event:fin1_fin_wrong_seq; sid:2210032; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN1 invalid ack";
stream-event:fin1_invalid_ack; sid:2210033; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 ack with wrong seq";
stream-event:fin2_ack_wrong_seq; sid:2210034; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 FIN with wrong seq";
stream-event:fin2_fin_wrong_seq; sid:2210035; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN2 invalid ack";
stream-event:fin2_invalid_ack; sid:2210036; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM FIN out of window";
stream-event:fin_out_of_window; sid:2210038; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK with wrong seq";
stream-event:lastack_ack_wrong_seq; sid:2210039; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Last ACK invalid ACK";
stream-event:lastack_invalid_ack; sid:2210040; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong
seq"; stream-event:timewait_ack_wrong_seq; sid:2210042; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT invalid ack";
stream-event:timewait_invalid_ack; sid:2210043; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid
timestamp"; stream-event:pkt_invalid_timestamp; sid:2210044; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM SHUTDOWN RST invalid ack";
stream-event:rst_invalid_ack; sid:2210046; rev:1;)
/etc/suricata/rules/tls-events.rules changed:
alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; flow:established; app-layer-event:tls.certificate_missing_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230005; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; flow:established; app-layer-event:tls.certificate_unknown_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230006; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;)
/etc/suricata/suricata-debian.yaml changed:
%YAML 1.1
---
host-mode: auto
default-log-dir: /var/log/suricata/
unix-command:
  enabled: no
  #filename: custom.socket
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes # enable this for extended logging information
        - files:
            force-magic: no # force logging magic on all logged files
            force-md5: no # force logging of md5 checksums
        #- drop
        - ssh
  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      #limit: 32mb
      # Sensor ID field of unified2 alerts.
      #sensor-id: 0
      # HTTP X-Forwarded-For support by adding the unified2 extra header that
      # will contain the actual client IP address or by overwriting the source
      # IP address (helpful when inspecting traffic that is being reverse
      # proxied).
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version than the packet
        # received, it will fall back to "extra-data" mode.
        mode: extra-data
        # Header name where the actual IP address will be reported. If more than
        # one IP address is present, the last IP address will be the one taken
        # into consideration.
        header: X-Forwarded-For
  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes # enable this for extended logging information
      #custom: yes # enables the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: no # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files
  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: no
      filename: dns.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # a line based log to be used with pcap file study.
  # this module is dedicated to offline pcap parsing (empty output
  # if used with another kind of input). It can interoperate with
  # pcap parsers like wireshark via the suriwire plugin.
  - pcap-info:
      enabled: no
  # Packet log... log packets in pcap format. 2 modes of operation: "normal"
  # and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or as specified by "dir". In Sguil mode "dir" indicates the base directory.
  # In this base dir the pcaps are created in the directory structure Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled: no
      filename: log.pcap
      # File size limit. Can be specified in kb, mb, gb. Just a number
      # is parsed as bytes.
      limit: 1000mb
      # If set to a value, enables ring buffer mode. Will keep a maximum of
      # "max-files" files of size "limit".
      max-files: 2000
      mode: normal # normal or sguil.
      #sguil-base-dir: /nsm_data/
      #ts-format: usec # sec or usec; second format (default) is filename.sec, usec is filename.sec.usec
      use-stream-depth: no # If set to "yes", packets seen after reaching stream inspection depth are ignored. "no" logs all packets
  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: no
      profile: suricata
      log-packet-content: no
      log-packet-header: yes
  # Stats.log contains data from various counters of the suricata engine.
  # The interval field (in seconds) tells after how long output will be written
  # on the log file.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8
  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # output module to store extracted files to disk
  #
  # The files are stored to the log-dir in a format "file.<id>" where <id> is
  # an incrementing number starting at 1. For each file "file.<id>" a meta
  # file "file.<id>.meta" is created.
  #
  # File extraction depends on a lot of things to be fully done:
  # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
  # - http request / response body sizes. Again set to 0 for optimal results.
  # - rules that contain the "filestore" keyword.
  - file-store:
      enabled: no # set to yes to enable
      log-dir: files # directory to store the files
      force-magic: no # force logging magic on all stored files
      force-md5: no # force logging of md5 checksums
      #waldo: file.waldo # waldo file to store the file_id across runs
  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: no
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      force-magic: no # force logging magic on all logged files
      force-md5: no # force logging of md5 checksums
magic-file: /usr/share/file/magic
nfq:
nflog:
    # netlink multicast group
    # (the same as the iptables --nflog-group param)
    # Group 0 is used by the kernel, so you can't use it
  - group: 2
    # netlink buffer size
    buffer-size: 18432
    # put default value here
  - group: default
    # set number of packet to queue inside kernel
    qthreshold: 1
    # set the delay before flushing packet in the queue inside kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # possible values are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can set manually the ring size in number of packets by setting
    # the following value. If you are using flow cluster-type and have a really network
    # intensive single flow you could want to set the ring-size independently of the number
    # of threads:
    #ring-size: 2048
    # On a busy system, setting this to yes could help to recover from a packet drop
    # phase. This will result in some packets (at max a ring flush) not being treated.
    #use-emergency-flush: yes
    # recv buffer size, increasing the value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    #bpf-filter: port 80 or udp
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packet matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: 2
    #use-mmap: yes
legacy:
  uricontent: enabled
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  # will trigger a live rule reload. Experimental feature, use with care.
  #- rule-reload: true
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #- delayed-detect: yes
threading:
  # On some cpu's/architectures it is beneficial to tie individual threads
  # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
  # and each extra CPU/core has one "detect" thread.
  #
  # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
  #
  set-cpu-affinity: no
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ] # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ] # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 0, 1 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "0-1" ]
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute the number by using the
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"
  #
  # By default Suricata creates one "detect" thread per available CPU/CPU core.
  # This setting allows controlling this behaviour. A ratio setting of 2 will
  # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
  # will result in 4 detect threads. If values below 1 are used, fewer threads
  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
  # thread being created. Regardless of the setting, at a minimum 1 detect
  # thread will always be created.
  #
  detect-thread-ratio: 1.5
cuda:
  # The "mpm" profile. On not specifying any of these parameters, the engine's
  # internal default values are used, which are the same as the ones specified
  # in the default conf file.
  mpm:
    # The minimum length required to buffer data to the gpu.
    # Anything below this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
    # A value of 0 indicates there's no limit.
    data-buffer-size-min-limit: 0
    # The maximum length for data that we would buffer to the gpu.
    # Anything over this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
    data-buffer-size-max-limit: 1500
    # The ring buffer size used by the CudaBuffer API to buffer data.
    cudabuffer-buffer-size: 500mb
    # The max chunk size that can be sent to the gpu in a single go.
    gpu-transfer-size: 50mb
    # The timeout limit for batching of packets in microseconds.
    batching-timeout: 2000
    # The device to use for the mpm. Currently we don't support load balancing
    # on multiple gpus. In case you have multiple devices on your system, you
    # can specify the device to use, using this conf. By default we hold 0, to
    # specify the first device cuda sees. To find out the device-id associated with
    # the card(s) on the system run "suricata --list-cuda-cards".
    device-id: 0
    # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
    # For this option you need a device with Compute Capability > 1.0.
    cuda-streams: 2
mpm-algo: ac
pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
flow:
  memcap: 64mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
stream:
  memcap: 32mb
  checksum-validation: yes # reject wrong csums
  inline: auto # auto will use inline mode in IPS mode; yes or no sets it statically
  reassembly:
    memcap: 128mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #chunk-prealloc: 250
    #segments:
    #  - size: 4
    #    prealloc: 256
    #  - size: 16
    #    prealloc: 512
    #  - size: 112
    #    prealloc: 512
    #  - size: 248
    #    prealloc: 512
    #  - size: 512
    #    prealloc: 512
    #  - size: 768
    #    prealloc: 1024
    #  - size: 1448
    #    prealloc: 1024
    #  - size: 65535
    #    prealloc: 128
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: info
  # The default output format. Optional parameter, should default to
  # something reasonable if not provided. Can be overridden in an
  # output section. You can leave this out to get the default.
  #
  # This value is overridden by the SC_LOG_FORMAT env var.
  #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:
  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: no
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
mpipe:
  # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
  load-balance: dynamic
  # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
  iqueue-packets: 2048
  # List of interfaces we will listen on.
  inputs:
  - interface: xgbe2
  - interface: xgbe3
  - interface: xgbe4
  # Relative weight of memory for packets of each mPipe buffer size.
  stack:
    size128: 0
    size256: 9
    size512: 0
    size1024: 0
    size1664: 7
    size4096: 0
    size10386: 0
    size16384: 0
pfring:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid. PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  - interface: default
    #threads: 2
pcap:
  - interface: eth0
    # On Linux, pcap will try to use mmaped capture and will use buffer-size
    # as total of memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
    # With some accelerator cards using a modified libpcap (like myricom), you
    # may want to have the same number of capture threads as the number of capture
    # rings. In this case, set up the threads variable to N to start N threads
    # listening on the same interface.
    #threads: 16
    # set to no to disable promiscuous mode:
    #promisc: no
    # set snaplen, if not set it defaults to MTU if MTU can be known
    # via ioctl call and to full capture if not.
    #snaplen: 1518
  # Put default values here
  - interface: default
    #checksum-checks: auto
pcap-file:
  # Possible values are:
  #  - yes: checksum validation is forced
  #  - no: checksum validation is disabled
  #  - auto: suricata uses a statistical approach to detect when
  #  checksum off-loading is used. (default)
  # Warning: 'checksum-validation' must be set to yes to have checksum tested
  checksum-checks: auto
ipfw:
  # Reinject packets at the specified ipfw rule number. This config
  # option is the ipfw rule number AT WHICH rule processing continues
  # in the ipfw processing system after the engine has finished
  # inspecting the packet for acceptance. If no rule number is specified,
  # accepted packets are reinjected at the divert rule which they entered
  # and IPFW rule processing continues. No check is done to verify
  # this rule makes sense, so care must be taken to avoid loops in ipfw.
  #
  ## The following example tells the engine to reinject packets
  # back into the ipfw firewall AT rule number 5500:
  #
  # ipfw-reinjection-rule-number: 5500
default-rule-path: /etc/suricata/rules
rule-files:
 - local.rules
 - botcc.portgrouped.rules
 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - decoder-events.rules
 - drop.rules
 - dshield.rules
 - emerging-activex.rules
 - emerging-attack_response.rules
 - emerging-chat.rules
 - emerging-current_events.rules
 - emerging-dns.rules
 - emerging-dos.rules
 - emerging-exploit.rules
 - emerging-ftp.rules
 - emerging-games.rules
 - emerging-icmp_info.rules
 - emerging-imap.rules
 - emerging-inappropriate.rules
 - emerging-info.rules
 - emerging-malware.rules
 - emerging-misc.rules
 - emerging-mobile_malware.rules
 - emerging-netbios.rules
 - emerging-p2p.rules
 - emerging-policy.rules
 - emerging-pop3.rules
 - emerging-rpc.rules
 - emerging-scada.rules
 - emerging-scan.rules
 - emerging-shellcode.rules
 - emerging-smtp.rules
 - emerging-snmp.rules
 - emerging-sql.rules
 - emerging-telnet.rules
 - emerging-tftp.rules
 - emerging-trojan.rules
 - emerging-user_agents.rules
 - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
 - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - files.rules
 - http-events.rules
 - smtp-events.rules
 - stream-events.rules
 - tls-events.rules
 - tor.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
vars:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
action-order:
  - pass
  - drop
  - reject
  - alert
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [192.168.0.1, 192.168.0.4]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
asn1-max-frames: 256
engine-analysis:
  # enables printing reports for fast-pattern for every rule.
  rules-fast-pattern: yes
  # enables printing reports for each rule
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb
      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb
      ###########################################################################
      # Configure libhtp.
      #
      #
      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personality:            List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal
      #   Generic
      #   IDS (default)
      #   IIS_4_0
      #   IIS_5_0
      #   IIS_5_1
      #   IIS_6_0
      #   IIS_7_0
      #   IIS_7_5
      #   Apache_2
      ###########################################################################
      libhtp:
        default-config:
          personality: IDS
          # Can be specified in kb, mb, gb. Just a number indicates
          # it's in bytes.
          request-body-limit: 3072
          response-body-limit: 3072
          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 32kb
          response-body-inspect-window: 4kb
          # Take a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead to
          # detection changes between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If randomize-inspection-sizes is active, the value of various
          # inspection sizes will be chosen in the [1 - range%, 1 + range%]
          # range
          # Default value of randomize-inspection-range is 10.
          #randomize-inspection-range: 10
          # decoding
          double-decode-path: no
          double-decode-query: no
        server-config:
          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no
          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000
  # rule profiling
  rules:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule_perf.log
    append: yes
    # Sort options: ticks, avgticks, checks, matches, maxticks
    sort: avgticks
    # Limit the number of items printed at exit.
    limit: 100
  # per keyword profiling
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  # packet profiling
  packets:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes
    # per packet csv output
    csv:
      # Output can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: no
      filename: packet_stats.csv
  # profiling of locking. Only available when Suricata was built with
  # --enable-profiling-locks.
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
coredump:
  max-dump: unlimited
napatech:
  # The Host Buffer Allowance for all streams
  # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
  hba: -1
  # use_all_streams set to "yes" will query the Napatech service for all configured
  # streams and listen on all of them. When set to "no" the streams config array
  # will be used.
  use-all-streams: yes
  # The streams to listen on
  streams: [1, 2, 3]
-- no debconf information