10. Configuration

• 10.1. Suricata.yaml
  • 10.1.1. Max-pending-packets
  • 10.1.2. Runmodes
  • 10.1.3. Default-packet-size
  • 10.1.4. User and group
  • 10.1.5. PID File
  • 10.1.6. Action-order
  • 10.1.7. Splitting configuration in multiple files
  • 10.1.8. Event output
    • 10.1.8.1. Default logging directory
    • 10.1.8.2. Stats
    • 10.1.8.3. Outputs
    • 10.1.8.4. Line based alerts log (fast.log)
    • 10.1.8.5. Eve (Extensible Event Format)
    • 10.1.8.6. A line based log of HTTP requests (http.log)
    • 10.1.8.7. Packet log (pcap-log)
    • 10.1.8.8. Verbose Alerts Log (alert-debug.log)
    • 10.1.8.9. Alert output to prelude (alert-prelude)
    • 10.1.8.10. Stats
    • 10.1.8.11. Syslog
    • 10.1.8.12. File-store (File Extraction)
  • 10.1.9. Detection engine
    • 10.1.9.1. Inspection configuration
    • 10.1.9.2. Prefilter Engines
    • 10.1.9.3. Pattern matcher settings
  • 10.1.10. Threading
    • 10.1.10.1. Relevant cpu-affinity settings for IDS/IPS modes
    • 10.1.10.2. IDS mode
    • 10.1.10.3. IPS mode
  • 10.1.11. IP Defrag
  • 10.1.12. Flow and Stream handling
    • 10.1.12.1. Flow Settings
    • 10.1.12.2. Flow Time-Outs
    • 10.1.12.3. Stream-engine
  • 10.1.13. Application Layer Parsers
    • 10.1.13.1. Asn1_max_frames (new in 1.0.3 and 1.1)
    • 10.1.13.2. Configure HTTP (libhtp)
  • 10.1.14. decompression-time-limit
  • 10.1.15. HTTP2
    • 10.1.15.1. Configure SMB (Rust)
  • 10.1.16. Engine Logging
    • 10.1.16.1. Default Configuration Example
    • 10.1.16.2. Default Log Level
    • 10.1.16.3. Default Log Format
    • 10.1.16.4. Output Filter
    • 10.1.16.5. Logging Outputs
  • 10.1.17. Packet Acquisition
    • 10.1.17.1. Pf-ring
    • 10.1.17.2. NFQ
    • 10.1.17.3. Ipfw
  • 10.1.18. Rules
    • 10.1.18.1. Rule-files
    • 10.1.18.2. Threshold-file
    • 10.1.18.3. Classifications
    • 10.1.18.4. Rule-vars
    • 10.1.18.5. Host-os-policy
  • 10.1.19. Engine analysis and profiling
    • 10.1.19.1. Engine-analysis
    • 10.1.19.2. Rule and Packet Profiling settings
    • 10.1.19.3. Packet Profiling
  • 10.1.20. Application layers
    • 10.1.20.1. SSL/TLS
      • 10.1.20.1.1. Encrypted traffic
    • 10.1.20.2. Modbus
    • 10.1.20.3. MQTT
    • 10.1.20.4. SMTP
  • 10.1.21. Decoder
    • 10.1.21.1. Teredo
  • 10.1.22. Advanced Options
    • 10.1.22.1. luajit
      • 10.1.22.1.1. states
• 10.2. Global-Thresholds
  • 10.2.1. Threshold Config
    • 10.2.1.1. threshold/event_filter
    • 10.2.1.2. rate_filter
      • 10.2.1.2.1. gen_id
      • 10.2.1.2.2. sig_id
      • 10.2.1.2.3. track
      • 10.2.1.2.4. count
      • 10.2.1.2.5. seconds
      • 10.2.1.2.6. new_action
      • 10.2.1.2.7. timeout
      • 10.2.1.2.8. Example
    • 10.2.1.3. suppress
  • 10.2.2. Global thresholds vs rule thresholds
    • 10.2.2.1. Suppress
    • 10.2.2.2. Threshold/event_filter
    • 10.2.2.3. Rate_filter
• 10.3. Snort.conf to Suricata.yaml
  • 10.3.1. Variables
  • 10.3.2. Decoder alerts
  • 10.3.3. Checksum handling
  • 10.3.4. Various configs
    • 10.3.4.1. Active response
    • 10.3.4.2. Dropping privileges
    • 10.3.4.3. Snaplen
    • 10.3.4.4. Bpf
  • 10.3.5. Log directory
  • 10.3.6. Packet acquisition
  • 10.3.7. Rules
• 10.4. Multi Tenancy
  • 10.4.1. Introduction
  • 10.4.2. YAML
    • 10.4.2.1. vlanid
    • 10.4.2.2. device
  • 10.4.3. Per tenant settings
  • 10.4.4. Unix Socket
    • 10.4.4.1. Registration
    • 10.4.4.2. Unix socket runmode (pcap processing)
    • 10.4.4.3. Live traffic mode
    • 10.4.4.4. Registration
• 10.5. Dropping Privileges After Startup