From 4cf6870b03533098b52a8bc561d67f3eee0ea5b2 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Sun, 25 Feb 2024 15:07:13 +0100 Subject: [PATCH] Services: Intrusion Detection - bring suricata.yaml inline with https://github.com/OISF/suricata/blob/suricata-7.0.3/suricata.yaml.in and add our modifications. Most of the changes are changed comments, disabled the log settings that will add a lot of extra noise. --- .../templates/OPNsense/IDS/suricata.yaml | 1045 +++++++++++------ 1 file changed, 676 insertions(+), 369 deletions(-) diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml index 117b2e128..6e7caa13b 100644 --- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml +++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml @@ -3,10 +3,10 @@ # Suricata configuration file. In addition to the comments describing all # options in this file, full documentation can be found at: -# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html +# https://docs.suricata.io/en/latest/configuration/suricata-yaml.html ## -## Step 1: inform Suricata about your network +## Step 1: Inform Suricata about your network ## vars: @@ -37,27 +37,28 @@ vars: MODBUS_PORTS: 502 FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" FTP_PORTS: 21 + GENEVE_PORTS: 6081 VXLAN_PORTS: 4789 - + TEREDO_PORTS: 3544 ## -## Step 2: select outputs to enable +## Step 2: Select outputs to enable ## # The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be +# placed here if it's not specified with a full path name. This can be # overridden with the -l command line parameter. default-log-dir: /var/log/suricata/ -# global stats configuration +# Global stats configuration stats: enabled: yes - # The interval field (in seconds) controls at what interval - # the loggers are invoked. + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. interval: 8 - # Add decode events as stats. + # Add decode events to stats. #decoder-events: true # Decoder event prefix in stats. Has been 'decoder' before, but that leads # to missing events in the eve.stats records. See issue #2225. @@ -65,6 +66,9 @@ stats: # Add stream events as stats. #stream-events: false +# Plugins -- Experimental -- specify the filename for each plugin shared object +plugins: +# - /path/to/plugin.so # Configure the type of alert (and other) logging you would like. outputs: @@ -81,12 +85,16 @@ outputs: enabled: yes filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filename: eve.json + # Enable for multi-threaded eve.json output; output files are amended with + # an identifier, e.g., eve.9.json + #threaded: false #prefix: "@cee: " # prefix to prepend to each log entry # the following are valid when type: syslog above #identity: "suricata" #facility: local5 #level: Info ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug + #ethernet: no # log ethernet header in events when available #redis: # server: 127.0.0.1 # port: 6379 @@ -98,10 +106,10 @@ outputs: # Redis pipelining set up. This will enable to only do a query every # 'batch-size' events. This should lower the latency induced by network # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. + # so this setting should be reserved to high traffic Suricata deployments. # pipelining: # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer + # batch-size: 10 ## number of entries to keep in buffer # Include top level metadata. Default yes. #metadata: no @@ -109,11 +117,10 @@ outputs: # include the name of the input pcap file in pcap file processing mode pcap-file: false - # Community Flow ID # Adds a 'community_id' field to EVE records. These are meant to give - # a records a predictable flow id that can be used to match records to - # output of other tools such as Bro. + # records a predictable flow ID that can be used to match records to + # output of other tools such as Zeek (Bro). # # Takes a 'seed' that needs to be same across sensors and tools # to make the id less predictable. @@ -123,7 +130,6 @@ outputs: # Seed value for the ID output. Valid values are 0-65535. community-id-seed: 0 - # HTTP X-Forwarded-For support by adding an extra field or overwriting # the source or destination IP address (depending on flow direction) # with the one reported in the X-Forwarded-For HTTP header. This is @@ -131,13 +137,13 @@ outputs: # or forward proxied. xff: enabled: no - # Two operation modes are available, "extra-data" and "overwrite". + # Two operation modes are available: "extra-data" and "overwrite". mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In + # Two proxy deployments are supported: "reverse" and "forward". In # a "reverse" deployment the IP address used is the last one, in a # "forward" deployment the first IP address is used. deployment: reverse - # Header name where the actual IP address will be reported, if more + # Header name where the actual IP address will be reported. If more # than one IP address is present, the last IP address will be the # one taken into consideration. header: X-Forwarded-For @@ -155,13 +161,17 @@ outputs: # http-body: yes # Requires metadata; enable dumping of http body in Base64 # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: yes - - http: yes - tls: yes - + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + # app layer frames + - frame: + # disabled by default as this is very verbose. + enabled: no - anomaly: # Anomaly log records describe unexpected conditions such # as truncated packets, packets with invalid IP/UDP/TCP @@ -184,10 +194,10 @@ outputs: # specific conditions that are unexpected, invalid or are # unexpected given the application monitoring state. # - # By default, anomaly logging is disabled. When anomaly + # By default, anomaly logging is enabled. When anomaly # logging is enabled, applayer anomaly reporting is - # enabled. - # enabled: yes + # also enabled. + enabled: yes # # Choose one or more types of anomaly logging and whether to enable # logging of the packet header for packet anomalies. @@ -200,104 +210,125 @@ outputs: # - http: # #extended: yes # enable this for extended logging information -# # custom allows additional http fields to be included in eve-log -# # the example below adds three additional fields when uncommented -# #custom: [Accept-Encoding, Accept-Language, Authorization] -# # set this value to one and only one among {both, request, response} -# # to dump all http headers for every http request and/or response -# # dump-all-headers: none + # custom allows additional HTTP fields to be included in eve-log. + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + # set this value to one and only one from {both, request, response} + # to dump all HTTP headers for every HTTP request and/or response + # dump-all-headers: none # - dns: -# # This configuration uses the new DNS logging format, -# # the old configuration is still available: -# # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format -# -# # As of Suricata 5.0, version 2 of the eve dns output -# # format is the default. -# #version: 2 -# -# # Enable/disable this logger. Default: enabled. -# #enabled: yes -# -# # Control logging of requests and responses: -# # - requests: enable logging of DNS queries -# # - responses: enable logging of DNS answers -# # By default both requests and responses are logged. -# #requests: no -# #responses: no -# -# # Format of answer logging: -# # - detailed: array item per answer -# # - grouped: answers aggregated by type -# # Default: all -# #formats: [detailed, grouped] -# -# # Types to log, based on the query type. -# # Default: all. -# #types: [a, aaaa, cname, mx, ns, ptr, txt] -# - tls: -# extended: yes # enable this for extended logging information -# # output TLS transaction where the session is resumed using a -# # session id -# #session-resumption: no -# # custom allows to control which tls fields that are included -# # in eve-log -# #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] -# - files: -# force-magic: no # force logging magic on all logged files -# # force logging of checksums, available hash functions are md5, -# # sha1 and sha256 -# #force-hash: [md5] + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format + + # As of Suricata 5.0, version 2 of the eve dns output + # format is the default. + #version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: yes + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # DNS record types to log, based on the query type. + # Default: all. + #types: [a, aaaa, cname, mx, ns, ptr, txt] + #- tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s] + #- files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] - drop: alerts: yes # log alerts that caused drops flows: start # start or all: 'start' logs only a single drop # per flow direction. All logs each dropped pkt. -# - smtp: -# #extended: yes # enable this for extended logging information -# # this includes: bcc, message-id, subject, x_mailer, user-agent -# # custom fields logging from the list: -# # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, -# # x-originating-ip, in-reply-to, references, importance, priority, -# # sensitivity, organization, content-md5, date -# #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] -# # output md5 of fields: body, subject -# # for the body you need to set app-layer.protocols.smtp.mime.body-md5 -# # to yes -# #md5: [body, subject] + #- smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] #- dnp3 -# - ftp + #- ftp #- rdp -# - nfs -# - smb -# - tftp -# - ikev2 -# - krb5 -# - snmp + #- nfs + #- smb + #- tftp + #- ike + #- dcerpc + #- krb5 + #- bittorrent-dht + #- snmp + #- rfb #- sip -# - dhcp: -# enabled: yes -# # When extended mode is on, all DHCP messages are logged -# # with full detail. When extended mode is off (the -# # default), just enough information to map a MAC address -# # to an IP address is logged. -# extended: no -# - ssh -# # - stats: -# # totals: yes # stats for all threads merged together -# # threads: no # per thread stats -# # deltas: no # include delta values -# # bi-directional flows -# - flow -# # uni-directional flows -# #- netflow + #- quic + #- dhcp: + #enabled: yes + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + #extended: no + - ssh + #- mqtt: + # passwords: yes # enable output of passwords + #- http2 + #- pgsql: + #enabled: no + # passwords: yes # enable output of passwords. Disabled by default + #- stats: + #totals: yes # stats for all threads merged together + #threads: no # per thread stats + #deltas: no # include delta values + # bi-directional flows + #- flow + # uni-directional flows + #- netflow # Metadata event type. Triggered whenever a pktvar is saved # and will include the pktvars, flowvars, flowbits and # flowints. #- metadata + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. + # This output is experimental, meant for debugging and subject to + # change in both config and output without any notice. + + #- stream: + # all: false # log all TCP packets + # event-set: false # log packets that have a decoder/stream event + + # state-update: false # log packets triggering a TCP state update + # spurious-retransmission: false # log spurious retransmission packets + {% if not helpers.empty('OPNsense.IDS.general.syslog_eve') %} # Extensible Event Format (nicknamed EVE) to syslog - eve-log: @@ -329,8 +360,8 @@ outputs: filename: http.log append: yes #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%%D-%H:%M:%St.%z %X-Forwarded-Fori %H %m %h %u %s %B %a:%p -> %A:%P" + #custom: yes # enable the custom logging format (defined by customformat) + #customformat: "%[%D-%H:%M:%S]t.%z %[X-Forwarded-For]i %H %m %h %u %s %B %a:%p -> %A:%P" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # a line based log of TLS handshake parameters (no alerts) @@ -340,7 +371,7 @@ outputs: append: yes #extended: yes # Log extended information like fingerprint #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%%D-%H:%M:%St.%z %a:%p -> %A:%P %v %n %d %D" + #customformat: "%[%D-%H:%M:%S]t.%z %a:%p -> %A:%P %v %n %d %D" #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' # output TLS transaction where the session is resumed using a # session id @@ -351,11 +382,11 @@ outputs: enabled: no #certs-log-dir: certs # directory to store the certificates files - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". + # Packet log... log packets in pcap format. 2 modes of operation: "normal" + # and "multi". # # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". + # or as specified by "dir". # In multi mode, a file is created per thread. This will perform much # better, but will create multiple files where 'normal' would create one. # In multi mode the filename takes a few special variables: @@ -372,11 +403,6 @@ outputs: # So the size limit when using 8 threads with 1000mb files and 2000 files # is: 8*1000*2000 ~ 16TiB. # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # # By default all packets are logged except: # - TCP streams beyond stream.reassembly.depth # - encrypted streams after the key exchange @@ -389,12 +415,12 @@ outputs: # is parsed as bytes. limit: 1000mb - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + # If set to a value, ring buffer mode is enabled. Will keep maximum of + # "max-files" of size "limit" max-files: 2000 # Compression algorithm for pcap files. Possible values: none, lz4. - # Enabling compression is incompatible with the sguil mode. Note also - # that on Windows, enabling compression will *increase* disk I/O. + # Note also that on Windows, enabling compression will *increase* disk I/O. compression: none # Further options for lz4 compression. The compression level can be set @@ -403,17 +429,20 @@ outputs: #lz4-checksum: no #lz4-level: 0 - mode: normal # normal, multi or sguil. + mode: normal # normal or multi # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. + # directory will be used. #dir: /nsm_data/ #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. + # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag" + # to log only flow tagged via the "tag" keyword + #conditional: all - # a full alerts log containing much information for signature writers + # a full alert log containing much information for signature writers # or for investigating suspected false positives. - alert-debug: enabled: no @@ -421,22 +450,14 @@ outputs: append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # alert output to prelude (https://www.prelude-siem.org/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the suricata engine. + # Stats.log contains data from various counters of the Suricata engine. - stats: enabled: yes filename: stats.log append: yes # append to file (yes) or overwrite it (no) totals: yes # stats for all threads merged together threads: no # per thread stats - #null-values: yes # print counters that have value 0 + #null-values: yes # print counters that have value 0. Default: no # a line based alerts log similar to fast.log into syslog - syslog: @@ -449,23 +470,17 @@ outputs: level: Notice ## possible levels: Emergency, Alert, Critical, ## Error, Warning, Notice, Info, Debug - # deprecated a line based information for dropped packets in IPS mode - - drop: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets - - # Output module for storing files on disk. Files are stored in a + # Output module for storing files on disk. Files are stored in # directory names consisting of the first 2 characters of the # SHA256 of the file. Each file is given its SHA256 as a filename. # - # When a duplicate file is found, the existing file is touched to - # have its timestamps updated. + # When a duplicate file is found, the timestamps on the existing file + # are updated. # - # Unlike the older filestore, metadata is not written out by default + # Unlike the older filestore, metadata is not written by default # as each file should already have a "fileinfo" record in the - # eve.log. If write-fileinfo is set to yes, the each file will have - # one more associated .json files that consists of the fileinfo + # eve-log. If write-fileinfo is set to yes, then each file will have + # one more associated .json files that consist of the fileinfo # record. A fileinfo file will be written for each occurrence of the # file seen using a filename suffix to ensure uniqueness. # @@ -475,12 +490,12 @@ outputs: version: 2 enabled: no - # Set the directory for the filestore. If the path is not - # absolute will be be relative to the default-log-dir. + # Set the directory for the filestore. Relative pathnames + # are contained within the "default-log-dir". #dir: filestore - # Write out a fileinfo record for each occurrence of a - # file. Disabled by default as each occurrence is already logged + # Write out a fileinfo record for each occurrence of a file. + # Disabled by default as each occurrence is already logged # as a fileinfo record to the main eve-log. #write-fileinfo: yes @@ -488,15 +503,16 @@ outputs: #force-filestore: yes # Override the global stream-depth for sessions in which we want - # to perform file extraction. Set to 0 for unlimited. + # to perform file extraction. Set to 0 for unlimited; otherwise, + # must be greater than the global stream-depth value to be used. #stream-depth: 0 # Uncomment the following variable to define how many files can # remain open for filestore by Suricata. Default value is 0 which - # means files get closed after each write + # means files get closed after each write to the file. #max-open-files: 1000 - # Force logging of checksums, available hash functions are md5, + # Force logging of checksums: available hash functions are md5, # sha1 and sha256. Note that SHA256 is automatically forced by # the use of this output module as it uses the SHA256 as the # file naming scheme. @@ -515,33 +531,30 @@ outputs: # a "reverse" deployment the IP address used is the last one, in a # "forward" deployment the first IP address is used. deployment: reverse - # Header name where the actual IP address will be reported, if more + # Header name where the actual IP address will be reported. If more # than one IP address is present, the last IP address will be the # one taken into consideration. header: X-Forwarded-For - # deprecated - file-store v1 - - file-store: - enabled: no - # further options documented at: - # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1 - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. + # Two types: file or dir: + # - file logs into a single logfile. + # - dir creates 2 files per TCP session and stores the raw TCP + # data into them. + # Use 'both' to enable both file and dir modes. # - # Note: limited by stream.reassembly.depth + # Note: limited by "stream.reassembly.depth" - tcp-data: enabled: no type: file filename: tcp-data.log - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. + # Log HTTP body data after normalization, de-chunking and unzipping. + # Two types: file or dir. + # - file logs into a single logfile. + # - dir creates 2 files per HTTP session and stores the + # normalized data into them. + # Use 'both' to enable both file and dir modes. # # Note: limited by the body limit settings - http-body-data: @@ -552,20 +565,17 @@ outputs: # Lua Output Support - execute lua script to generate alert and event # output. # Documented at: - # https://suricata.readthedocs.io/en/latest/output/lua-output.html + # https://docs.suricata.io/en/latest/output/lua-output.html - lua: enabled: no #scripts-dir: /etc/suricata/lua-output/ scripts: # - script1.lua - - # Logging configuration. This is not about logging IDS alerts/events, but # output about what Suricata is doing, like startup messages, errors, etc. logging: - - # The default log level, can be overridden in an output section. + # The default log level: can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was # compiled with the --enable-debug configure option. # @@ -576,8 +586,11 @@ logging: # something reasonable if not provided. Can be overridden in an # output section. You can leave this out to get the default. # - # This value is overridden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + # This console log format value can be overridden by the SC_LOG_FORMAT env var. + #default-log-format: "%D: %S: %M" + # + # For the pre-7.0 log format use: + #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " # A regex to filter output. Can be overridden in an output section. # Defaults to empty (no filter). @@ -585,20 +598,33 @@ logging: # This value is overridden by the SC_LOG_OP_FILTER env var. default-output-filter: + # Requires libunwind to be available when Suricata is configured and built. + # If a signal unexpectedly terminates Suricata, displays a brief diagnostic + # message with the offending stacktrace if enabled. + #stacktrace-on-signal: on + # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. + # disabled you will get the default: console output. outputs: - console: enabled: no + # type: json + #- file: + #enabled: yes + #level: info + #filename: suricata.log + # format: "[%i - %m] %z %d: %S: %M" + # type: json - syslog: enabled: yes facility: local5 format: "[%i] <%d> -- " + # type: json ## -## Step 4: configure common capture settings +## Step 3: Configure common capture settings ## -## See "Advanced Capture Options" below for more options, including NETMAP +## See "Advanced Capture Options" below for more options, including Netmap ## and PF_RING. ## @@ -612,30 +638,31 @@ af-packet: # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. # This is only supported for Linux kernel > 3.1 # possible value are: - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + # * cluster_flow: all packets of a given flow are sent to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same # socket. Requires at least Linux 3.14. # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for # more info. # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) + # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning) + # cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow. cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set + # In some fragmentation cases, the hash can not be computed. If "defrag" is set # to yes, the kernel will do the needed defragmentation before sending the packets. defrag: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes #use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over subscribing could lock - # your system + # Lock memory map to avoid it being swapped. Be careful that over + # subscribing could lock your system #mmap-locked: yes # Use tpacket_v3 capture mode, only active if use-mmap is true # Don't use it in IPS or TAP mode as it causes severe latency #tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number + # Ring size will be computed with respect to "max-pending-packets" and number # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number + # the following value. If you are using flow "cluster-type" and have really network + # intensive single-flow you may want to set the "ring-size" independently of the number # of threads: #ring-size: 2048 # Block size is used by tpacket_v3 only. It should set to a value high enough to contain @@ -645,25 +672,25 @@ af-packet: # tpacket_v3 block timeout: an open block is passed to userspace if it is not # filled after block-timeout milliseconds. #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. + # On busy systems, set it to yes to help recover from a packet drop + # phase. This will result in some packets (at max a ring flush) not being inspected. #use-emergency-flush: yes - # recv buffer size, increase value could improve performance + # recv buffer size, increased value could improve performance # buffer-size: 32768 # Set to yes to disable promiscuous mode # disable-promisc: no # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. # Possible values are: # - kernel: use indication sent by kernel for each packet (default) # - yes: checksum validation is forced # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when + # - auto: Suricata uses a statistical approach to detect when # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation + # Warning: 'capture.checksum-validation' must be set to yes to have any validation #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. + # BPF filter to apply to this interface. The pcap filter syntax applies here. #bpf-filter: port 80 or udp # You can use the following variables to activate AF_PACKET tap or IPS mode. # If copy-mode is set to ips or tap, the traffic coming to the current @@ -682,25 +709,137 @@ af-packet: #use-mmap: no #tpacket-v3: yes +# Linux high speed af-xdp capture support +af-xdp: + - interface: default + # Number of receive threads. "auto" uses least between the number + # of cores and RX queues + #threads: auto + #disable-promisc: false + # XDP_DRV mode can be chosen when the driver supports XDP + # XDP_SKB mode can be chosen when the driver does not support XDP + # Possible values are: + # - drv: enable XDP_DRV mode + # - skb: enable XDP_SKB mode + # - none: disable (kernel in charge of applying mode) + #force-xdp-mode: none + # During socket binding the kernel will attempt zero-copy, if this + # fails it will fallback to copy. If this fails, the bind fails. + # The bind can be explicitly configured using the option below. + # If configured, the bind will fail if not successful (no fallback). + # Possible values are: + # - zero: enable zero-copy mode + # - copy: enable copy mode + # - none: disable (kernel in charge of applying mode) + #force-bind-mode: none + # Memory alignment mode can vary between two modes, aligned and + # unaligned chunk modes. By default, aligned chunk mode is selected. + # select 'yes' to enable unaligned chunk mode. + # Note: unaligned chunk mode uses hugepages, so the required number + # of pages must be available. + #mem-unaligned: no + # The following options configure the prefer-busy-polling socket + # options. The polling time and budget can be edited here. + # Possible values are: + # - yes: enable (default) + # - no: disable + #enable-busy-poll: yes + # busy-poll-time sets the approximate time in microseconds to busy + # poll on a blocking receive when there is no data. + #busy-poll-time: 20 + # busy-poll-budget is the budget allowed for packet batches + #busy-poll-budget: 64 + # These two tunables are used to configure the Linux OS's NAPI + # context. Their purpose is to defer enabling of interrupts and + # instead schedule the NAPI context from a watchdog timer. + # The softirq NAPI will exit early, allowing busy polling to be + # performed. Successfully setting these tunables alongside busy-polling + # should improve performance. + # Defaults are: + #gro-flush-timeout: 2000000 + #napi-defer-hard-irq: 2 + +dpdk: + eal-params: + proc-type: primary + + # DPDK capture support + # RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio + interfaces: + - interface: 0000:3b:00.0 # PCIe address of the NIC port + # Threading: possible values are either "auto" or number of threads + # - auto takes all cores + # in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match + threads: auto + # interrupt-mode: false # true to switch to interrupt mode + promisc: true # promiscuous mode - capture all packets + multicast: true # enables also detection on multicast packets + checksum-checks: true # if Suricata should validate checksums + checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources) + mtu: 1500 # Set MTU of the device in bytes + # rss-hash-functions: 0x0 # advanced configuration option, use only if you use untested NIC card and experience RSS warnings, + # For `rss-hash-functions` use hexadecimal 0x01ab format to specify RSS hash function flags - DumpRssFlags can help (you can see output if you use -vvv option during Suri startup) + # setting auto to rss_hf sets the default RSS hash functions (based on IP addresses) + + # To approximately calculate required amount of space (in bytes) for interface's mempool: mempool-size * mtu + # Make sure you have enough allocated hugepages. + # The optimum size for the packet memory pool (in terms of memory usage) is power of two minus one: n = (2^q - 1) + mempool-size: 65535 # The number of elements in the mbuf pool + + # Mempool cache size must be lower or equal to: + # - RTE_MEMPOOL_CACHE_MAX_SIZE (by default 512) and + # - "mempool-size / 1.5" + # It is advised to choose cache_size to have "mempool-size modulo cache_size == 0". + # If this is not the case, some elements will always stay in the pool and will never be used. + # The cache can be disabled if the cache_size argument is set to 0, can be useful to avoid losing objects in cache + # If the value is empty or set to "auto", Suricata will attempt to set cache size of the mempool to a value + # that matches the previously mentioned recommendations + mempool-cache-size: 257 + rx-descriptors: 1024 + tx-descriptors: 1024 + # + # IPS mode for Suricata works in 3 modes - none, tap, ips + # - none: IDS mode only - disables IPS functionality (does not further forward packets) + # - tap: forwards all packets and generates alerts (omits DROP action) This is not DPDK TAP + # - ips: the same as tap mode but it also drops packets that are flagged by rules to be dropped + copy-mode: none + copy-iface: none # or PCIe address of the second interface + + - interface: default + threads: auto + promisc: true + multicast: true + checksum-checks: true + checksum-checks-offload: true + mtu: 1500 + rss-hash-functions: auto + mempool-size: 65535 + mempool-cache-size: 257 + rx-descriptors: 1024 + tx-descriptors: 1024 + copy-mode: none + copy-iface: none + + # Cross platform libpcap capture support pcap: - interface: default - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger + # On Linux, pcap will try to use mmap'ed capture and will use "buffer-size" + # as total memory used by the ring. So set this to something bigger # than 1% of your bandwidth. #buffer-size: 16777216 #bpf-filter: "tcp and port 25" # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. # Possible values are: # - yes: checksum validation is forced # - no: checksum validation is disabled # - auto: Suricata uses a statistical approach to detect when # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation + # Warning: 'capture.checksum-validation' must be set to yes to have any validation #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you + # With some accelerator cards using a modified libpcap (like Myricom), you # may want to have the same number of capture threads as the number of capture # rings. In this case, set up the threads variable to N to start N threads # listening on the same interface. @@ -711,6 +850,7 @@ pcap: # via ioctl call and to full capture if not. #snaplen: 1518 +# Settings for reading pcap files pcap-file: # Possible values are: # - yes: checksum validation is forced @@ -720,16 +860,21 @@ pcap-file: # Warning: 'checksum-validation' must be set to yes to have checksum tested checksum-checks: auto -# See "Advanced Capture Options" below for more options, including NETMAP +# See "Advanced Capture Options" below for more options, including Netmap # and PF_RING. ## -## Step 5: App Layer Protocol Configuration +## Step 4: App Layer Protocol configuration ## -# Configure the app-layer parsers. The protocols section details each -# protocol. +# Configure the app-layer parsers. +# +# The error-policy setting applies to all app-layer parsers. Values can be +# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or +# "ignore" (the default). +# +# The protocol's section details each protocol. # # The option "enabled" takes 3 values - "yes", "no", "detection-only". # "yes" enables both detection and the parser, "no" disables both, and @@ -737,11 +882,26 @@ pcap-file: app-layer: error-policy: ignore protocols: + telnet: + enabled: yes + rfb: + enabled: yes + detection-ports: + dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 + mqtt: + enabled: yes + # max-msg-length: 1mb + # subscribe-topic-match-limit: 100 + # unsubscribe-topic-match-limit: 100 + # Maximum number of live MQTT transactions per flow + # max-tx: 4096 krb5: enabled: yes + bittorrent-dht: + enabled: yes snmp: enabled: yes - ikev2: + ike: enabled: yes tls: enabled: yes @@ -766,19 +926,37 @@ app-layer: # #encryption-handling: default + pgsql: + enabled: no + # Stream reassembly size for PostgreSQL. By default, track it completely. + stream-depth: 0 + # Maximum number of live PostgreSQL transactions per flow + # max-tx: 1024 dcerpc: enabled: yes + # Maximum number of live DCERPC transactions per flow + # max-tx: 1024 ftp: enabled: yes # memcap: 64mb - # RDP, disabled by default. rdp: - #enabled: no + #enabled: yes ssh: enabled: yes + #hassh: yes + http2: + enabled: yes + # Maximum number of live HTTP2 streams in a flow + #max-streams: 4096 + # Maximum headers table size + #max-table-size: 65536 + # Maximum reassembly size for header + continuation frames + #max-reassembly-size: 102400 smtp: enabled: yes raw-extraction: no + # Maximum number of live SMTP transactions per flow + # max-tx: 256 # Configure SMTP-MIME Decoder mime: # Decode MIME messages from SMTP transactions @@ -787,7 +965,7 @@ app-layer: # process on or off decode-mime: yes - # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) decode-base64: yes decode-quoted-printable: yes @@ -797,6 +975,12 @@ app-layer: # Extract URLs and save in state data structure extract-urls: yes + # Scheme of URLs to extract + # (default is [http]) + #extract-urls-schemes: [http, https, ftp, mailto] + # Log the scheme of URLs that are extracted + # (default is no) + #log-url-scheme: yes # Set to yes to compute the md5 of the mail body. You will then # be able to journalize it. body-md5: no @@ -811,23 +995,18 @@ app-layer: enabled: yes detection-ports: dp: 139, 445 + # Maximum number of live SMB transactions per flow + # max-tx: 1024 # Stream reassembly size for SMB streams. By default track it completely. #stream-depth: 0 nfs: enabled: yes + # max-tx: 1024 tftp: enabled: yes dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - tcp: enabled: yes detection-ports: @@ -839,8 +1018,14 @@ app-layer: http: enabled: yes - # memcap: Maximum memory capacity for http - # Default is unlimited, value can be such as 64mb + + # Byte Range Containers default settings + # byterange: + # memcap: 100mb + # timeout: 60 + + # memcap: Maximum memory capacity for HTTP + # Default is unlimited, values can be 64mb, e.g. # default-config: Used when no server-config matches # personality: List of personalities used by default @@ -862,7 +1047,6 @@ app-layer: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 libhtp: - default-config: personality: IDS @@ -883,8 +1067,8 @@ app-layer: # auto will use http-body-inline mode in IPS mode, yes or no set it statically http-body-inline: auto - # Decompress SWF files. - # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # Decompress SWF files. Disabled by default. + # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma # compress-depth: # Specifies the maximum amount of data to decompress, # set 0 for unlimited. @@ -892,33 +1076,37 @@ app-layer: # Specifies the maximum amount of decompressed data to obtain, # set 0 for unlimited. swf-decompression: - enabled: yes + enabled: no type: both - compress-depth: 0 - decompress-depth: 0 + compress-depth: 100kb + decompress-depth: 100kb - # Take a random value for inspection sizes around the specified value. + # Use a random value for inspection sizes around the specified value. # This lowers the risk of some evasion techniques but could lead # to detection change between runs. It is set to 'yes' by default. #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be chosen in the [1 - range%, 1 + range%] + # If "randomize-inspection-sizes" is active, the value of various + # inspection size will be chosen from the [1 - range%, 1 + range%] # range - # Default value of randomize-inspection-range is 10. + # Default value of "randomize-inspection-range" is 10. #randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - # Can disable LZMA decompression - #lzma-enabled: yes + # Can enable LZMA decompression + #lzma-enabled: false # Memory limit usage for LZMA decompression dictionary # Data is decompressed until dictionary reaches this size #lzma-memlimit: 1mb # Maximum decompressed size with a compression ratio # above 2048 (only LZMA can reach this ratio, deflate cannot) #compression-bomb-limit: 1mb + # Maximum time spent decompressing a single transaction in usec + #decompression-time-limit: 100000 + # Maximum number of live transactions per flow + #max-tx: 512 server-config: @@ -944,15 +1132,14 @@ app-layer: # double-decode-path: no # double-decode-query: no - - # Note: Modbus probe parser is minimalist due to the poor significant field + # Note: Modbus probe parser is minimalist due to the limited usage in the field. # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser + # and protocol ID (equal to 0) are checked in probing parser # It is important to enable detection port and define Modbus port - # to avoid false positive + # to avoid false positives modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. + # How many unanswered Modbus requests are considered a flood. + # If the limit is reached, the app-layer-event:modbus.flooded; will match. #request-flood: 500 enabled: yes @@ -983,17 +1170,37 @@ app-layer: ntp: enabled: yes + quic: + enabled: yes + dhcp: enabled: yes - # SIP, disabled by default. sip: - #enabled: no - + #enabled: yes # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 +# Datasets default settings +datasets: + # Default fallback memcap and hashsize values for datasets in case these + # were not explicitly defined. + defaults: + #memcap: 100mb + #hashsize: 2048 + + rules: + # Set to true to allow absolute filenames and filenames that use + # ".." components to reference parent directories in rules that specify + # their filenames. + #allow-absolute-filenames: false + + # Allow datasets in rules write access for "save" and + # "state". This is enabled by default, however write access is + # limited to the data directory. + #allow-write: true + ############################################################################## ## ## Advanced settings below @@ -1004,12 +1211,33 @@ asn1-max-frames: 256 ## Run Options ## -# Run suricata as user and group. +# Run Suricata with a specific user-id and group-id: #run-as: # user: suri # group: suri -# Some logging module will use that name in event as identifier. The default +security: + # if true, prevents process creation from Suricata by calling + # setrlimit(RLIMIT_NPROC, 0) + #limit-noproc: true + # Use landlock security module under Linux + #landlock: + #enabled: no + #directories: + #write: + # - @e_rundir@ + # /usr and /etc folders are added to read list to allow + # file magic to be used. + #read: + # - /usr/ + # - /etc/ + # - @e_sysconfdir@ + + lua: + # Allow Lua rules. Disabled by default. + #allow-rules: false + +# Some logging modules will use that name in event as identifier. The default # value is the hostname #sensor-name: suricata @@ -1023,7 +1251,6 @@ asn1-max-frames: 256 # Default: "/" #daemon-directory: "/" - # Umask. # Suricata will use this umask if it is provided. By default it will use the # umask passed on by the shell. @@ -1041,9 +1268,9 @@ asn1-max-frames: 256 coredump: max-dump: unlimited -# If Suricata box is a router for the sniffed networks, set it to 'router'. If +# If the Suricata box is a router for the sniffed networks, set it to 'router'. If # it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode +# If set to auto, the variable is internally switched to 'router' in IPS mode # and 'sniffer-only' in IDS mode. # This feature is currently only used by the reject* keywords. host-mode: auto @@ -1065,12 +1292,14 @@ runmode: workers # # hash - Flow assigned to threads using the 5-7 tuple hash. # ippair - Flow assigned to threads using addresses only. +# ftp-hash - Flow assigned to threads using the hash, except for FTP, so that +# ftp-data flows will be handled by the same thread # #autofp-scheduler: hash -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest +# Preallocated size for each packet. Default is 1514 which is the classical +# size for pcap on Ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. {% if helpers.exists('OPNsense.IDS.general.defaultPacketSize') %} default-packet-size: {{OPNsense.IDS.general.defaultPacketSize|default('1514')}} @@ -1112,6 +1341,22 @@ legacy: # - reject # - alert +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +#packet-alert-max: 15 + +# Exception Policies +# +# Define a common behavior for all exception policies. +# In IPS mode, the default is drop-flow. For cases when that's not possible, the +# engine will fall to drop-packet. To fallback to old behavior (setting each of +# them individually, or ignoring all), set this to ignore. +# All values available for exception policies can be used, and there is one +# extra option: auto - which means drop-flow or drop-packet (as explained above) +# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet, +# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable). +exception-policy: auto + # IP Reputation #reputation-categories-file: /usr/local/etc/suricata/iprep/categories.txt #default-reputation-path: /usr/local/etc/suricata/iprep @@ -1134,13 +1379,12 @@ pcre: match-limit: 3500 match-limit-recursion: 1500 - ## ## Advanced Traffic Tracking and Reconstruction Settings ## # Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just +# reassembly. The host OS lookup is done using a radix tree, just # like a routing table so the most specific entry matches. host-os-policy: # Make the default policy windows. @@ -1160,8 +1404,11 @@ host-os-policy: # Defrag settings: +# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or +# "ignore" (which is the default). defrag: memcap: 32mb + # memcap-policy: ignore hash-size: 65536 trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) @@ -1186,21 +1433,23 @@ defrag: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow # more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside +# The hash-size determines the size of the hash used to identify flows inside # the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better +# At startup, the engine can preallocate a number of flows, to get better # performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but +# emergency-recovery is the percentage of flows that the engine needs to +# prune before clearing the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing new flows to be created, but # pruning them with the emergency timeouts (they are defined below). # If the memcap is reached, the engine will try to prune flows # with the default timeouts. If it doesn't find a flow to prune, it will set # the emergency bit and it will try again with more aggressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. +# If that doesn't work, then it will try to kill the oldest flows using +# last time seen flows. # The memcap can be specified in kb, mb, gb. Just a number indicates it's # in bytes. +# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore" +# (which is the default). flow: memcap: 128mb @@ -1210,10 +1459,10 @@ flow: #managers: 1 # default to one flow manager #recyclers: 1 # default to one flow recycler thread -# This option controls the use of vlan ids in the flow (and defrag) +# This option controls the use of VLAN ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. +# setups where both sides of a flow are not tagged with the same VLAN +# tag, we can ignore the VLAN id's in the flow hashing. vlan: use-for-tracking: true @@ -1225,11 +1474,11 @@ livedev: # Specific timeouts for flows. Here you can specify the timeouts that the # active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a handshake or -# stream startup before the engine free the data of that flow it doesn't +# protocol. The value of "new" determines the seconds to wait after a handshake or +# stream startup before the engine frees the data of that flow it doesn't # change the state to established (usually if we don't receive more packets # of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount +# seconds that the engine will wait to free the flow if that time elapses # without receiving new packets or closing the connection. "closed" is the # amount of time to wait after a flow is closed (usually zero). "bypassed" # timeout controls locally bypassed flows. For these flows we don't do any other @@ -1280,30 +1529,42 @@ flow-timeouts: # engine is configured. # # stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# memcap: 64mb # Can be specified in kb, mb, gb. Just a # # number indicates it's in bytes. +# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not +# # "yes", then packets with invalid csum values will not # # be processed by the engine stream/app layer. # # Warning: locally generated traffic can be # # generated without checksum due to hardware offload # # of checksum. You can control the handling of checksum # # on a per-interface basis via the 'checksum-checks' # # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread # midstream: false # don't allow midstream session pickups +# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-syn-queued: 10 # Max different SYNs to queue # max-synack-queued: 5 # Max different SYN/ACKs to queue # bypass: no # Bypass packets when stream.reassembly.depth is reached. # # Warning: first side to reach this triggers # # the bypass. +# liberal-timestamps: false # Treat all timestamps as if the Linux policy applies. This +# # means it's slightly more permissive. Enabled by default. # # reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# memcap: 256mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. +# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # depth: 1mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least @@ -1337,25 +1598,26 @@ flow-timeouts: # stream: memcap: 64mb - checksum-validation: yes # reject wrong csums + #memcap-policy: ignore + checksum-validation: yes # reject incorrect csums inline: {% if OPNsense.IDS.general.ips|default("0") == "1" %}true{% else %}auto{% endif %} midstream-policy: ignore reassembly: memcap: 256mb + #memcap-policy: ignore depth: 1mb # reassemble 1mb into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes #randomize-chunk-range: 10 #raw: yes - #chunk-prealloc: 2048 + #segment-prealloc: 2048 #check-overlap-different-data: true - # Host table: # -# Host table is used by tagging and per host thresholding subsystems. +# Host table is used by the tagging and per host thresholding subsystems. # host: hash-size: 4096 @@ -1377,21 +1639,34 @@ decoder: # as it will sometimes detect non-teredo as teredo. teredo: enabled: true + # ports to look for Teredo. Max 4 ports. If no ports are given, or + # the value is set to 'any', Teredo detection runs on _all_ UDP packets. + ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. + # VXLAN decoder is assigned to up to 4 UDP ports. By default only the # IANA assigned port 4789 is enabled. vxlan: enabled: true - ports: $VXLAN_PORTS # syntax: '8472, 4789' + ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'. + + # Geneve decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 6081 is enabled. + geneve: + enabled: true + ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'. + + # maximum number of decoder layers for a packet + # max-layers: 16 ## ## Performance tuning and profiling ## # The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. +# allows us to specify the profile to use for them, to manage memory in an +# efficient way keeping good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom, +# make sure to define the values in the "custom-values" section. # Usually you would prefer medium/high/low. # # "sgh mpm-context", indicates how the staging should allot mpm contexts for @@ -1405,7 +1680,7 @@ decoder: # in the content inspection code. For certain payload-sig combinations, we # might end up taking too much time in the content inspection code. # If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. +# default limit. When a value is not specified, there are no limits on the recursion. detect: profile: {% if helpers.exists('OPNsense.IDS.general.detect') %} {{ OPNsense.IDS.general.detect.Profile|default("medium")}} {% else %}medium{% endif %} @@ -1427,7 +1702,7 @@ detect: default: mpm # the grouping values above control how many groups are created per - # direction. Port whitelisting forces that port to get it's own group. + # direction. Port whitelisting forces that port to get its own group. # Very common ports will benefit, as well as ports with many expensive # rules. grouping: @@ -1461,8 +1736,8 @@ detect: # signature groups, specified by the conf - "detect.sgh-mpm-context". # Selecting "ac" as the mpm would require "detect.sgh-mpm-context" # to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# ruleset is small enough to fit in memory, in which case one can +# use "full" with "ac". The rest of the mpms can be run in "full" mode. mpm-algo: {% if helpers.exists('OPNsense.IDS.general') %} {{ OPNsense.IDS.general.MPMAlgo|default("ac")}} {% else %}ac{% endif %} @@ -1479,7 +1754,7 @@ spm-algo: auto threading: set-cpu-affinity: no # Tune cpu affinity of threads. Each family of threads can be bound - # on specific CPUs. + # to specific CPUs. # # These 2 apply to the all runmodes: # management-cpu-set is used for flow timeout handling, counters @@ -1519,9 +1794,16 @@ threading: # thread will always be created. # detect-thread-ratio: 1.0 + # + # By default, the per-thread stack size is left to its default setting. If + # the default thread stack size is too small, use the following configuration + # setting to change the size. Note that if any thread's stack size cannot be + # set to this value, a fatal error occurs. + # + # Generally, the per-thread stack-size should not exceed 8MB. + #stack-size: 8mb - -# Luajit has a strange memory requirement, it's 'states' need to be in the +# Luajit has a strange memory requirement, its 'states' need to be in the # first 2G of the process' memory. # # 'luajit.states' is used to control how many states are preallocated. @@ -1530,14 +1812,14 @@ threading: luajit: states: 128 -# Profiling settings. Only effective if Suricata has been built with the +# Profiling settings. Only effective if Suricata has been built with # the --enable-profiling configure flag. # profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 + # Run profiling for every X-th packet. The default is 1, which means we + # profile every packet. If set to 1024, one packet is profiled for every + # 1024 received. The sample rate must be a power of 2. + #sample-rate: 1024 # rule profiling rules: @@ -1604,23 +1886,21 @@ profiling: filename: pcaplog_stats.log append: yes - ## ## Netfilter integration ## - # When running in NFQ inline mode, it is possible to use a simulated # non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to Suricata via this a rule: +# This permits sending all needed packet to Suricata via this rule: # iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE # And below, you can have your standard filtering ruleset. To activate # this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# If you want a packet to be sent to another queue after an ACCEPT decision +# set the mode to 'route' and set next-queue value. +# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance # by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel # accept the packet if Suricata is not able to keep pace. # bypass mark and mask can be used to implement NFQ bypass. If bypass mark is # set then the NFQ bypass is activated. Suricata will set the bypass mark/mask @@ -1646,81 +1926,81 @@ nflog: buffer-size: 18432 # put default value here - group: default - # set number of packet to queue inside kernel + # set number of packets to queue inside kernel qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel + # set the delay before flushing packet in the kernel's queue qtimeout: 100 # netlink max buffer size max-size: 20000 - ## ## Advanced Capture Options ## -# general settings affecting packet capture +# General settings affecting packet capture capture: # disable NIC offloading. It's restored when Suricata exits. # Enabled by default. #disable-offloading: false # # disable checksum validation. Same as setting '-k none' on the - # commandline. + # command-line. #checksum-validation: none # Netmap support # -# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which have -# built-in netmap support or compile and install netmap module and appropriate -# NIC driver on your Linux system. +# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has +# built-in Netmap support or compile and install the Netmap module and appropriate +# NIC driver for your Linux system. # To reach maximum throughput disable all receive-, segmentation-, -# checksum- offloadings on NIC. -# Disabling Tx checksum offloading is *required* for connecting OS endpoint +# checksum- offloading on your NIC (using ethtool or similar). +# Disabling TX checksum offloading is *required* for connecting OS endpoint # with NIC endpoint. # You can find more information at https://github.com/luigirizzo/netmap # netmap: - - interface: default - # Number of capture threads. "auto" uses number of RSS queues on interface. - # Warning: unless the RSS hashing is symmetrical, this will lead to - # accuracy issues. - threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - copy-mode: ips - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - disable-promisc: {% if helpers.empty('OPNsense.IDS.general.promisc') %}yes{% else %}no{% endif %} # promiscuous mode - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: Suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: default + # Number of capture threads. "auto" uses number of RSS queues on interface. + # Warning: unless the RSS hashing is symmetrical, this will lead to + # accuracy issues. + threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + copy-mode: ips + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + disable-promisc: {% if helpers.empty('OPNsense.IDS.general.promisc') %}yes{% else %}no{% endif %} # promiscuous mode + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp {% if helpers.exists('OPNsense.IDS.general.interfaces') %} {% for intfName in OPNsense.IDS.general.interfaces.split(',') %} - - interface: {{helpers.physical_interface(intfName)}} - copy-iface: {{helpers.physical_interface(intfName)}}^ + - interface: {{helpers.physical_interface(intfName)}} + copy-iface: {{helpers.physical_interface(intfName)}}^ - - interface: {{helpers.physical_interface(intfName)}}^ - copy-iface: {{helpers.physical_interface(intfName)}} + - interface: {{helpers.physical_interface(intfName)}}^ + copy-iface: {{helpers.physical_interface(intfName)}} {% endfor %} {% endif %} @@ -1733,8 +2013,8 @@ netmap: # # ipfw add 100 divert 8000 ip from any to any # -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 +# N.B. This example uses "8000" -- this number must mach the values +# you passed on the command line, i.e., -d 8000 # ipfw: @@ -1753,18 +2033,12 @@ ipfw: napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - #hba: -1 - # When use_all_streams is set to "yes" the initialization code will query # the Napatech service for all configured streams and listen on all of them. # When set to "no" the streams config array will be used. # # This option necessitates running the appropriate NTPL commands to create - # the desired streams prior to running suricata. + # the desired streams prior to running Suricata. #use-all-streams: no # The streams to listen on when auto-config is disabled or when and threading @@ -1775,21 +2049,55 @@ napatech: # streams: ["0-3"] + # Stream stats can be enabled to provide fine grain packet and byte counters + # for each thread/stream that is configured. + # + enable-stream-stats: no + # When auto-config is enabled the streams will be created and assigned # automatically to the NUMA node where the thread resides. If cpu-affinity # is enabled in the threading section. Then the streams will be created - # according to the number of worker threads specified in the worker cpu set. + # according to the number of worker threads specified in the worker-cpu-set. # Otherwise, the streams array is used to define the streams. # - # This option cannot be used simultaneous with "use-all-streams". + # This option is intended primarily to support legacy configurations. + # + # This option cannot be used simultaneously with either "use-all-streams" + # or "hardware-bypass". # auto-config: yes - # Ports indicates which napatech ports are to be used in auto-config mode. - # these are the port ID's of the ports that will be merged prior to the + # Enable hardware level flow bypass. + # + hardware-bypass: yes + + # Enable inline operation. When enabled traffic arriving on a given port is + # automatically forwarded out its peer port after analysis by Suricata. + # + inline: no + + # Ports indicates which Napatech ports are to be used in auto-config mode. + # these are the port IDs of the ports that will be merged prior to the # traffic being distributed to the streams. # - # This can be specified in any of the following ways: + # When hardware-bypass is enabled the ports must be configured as a segment. + # specify the port(s) on which upstream and downstream traffic will arrive. + # This information is necessary for the hardware to properly process flows. + # + # When using a tap configuration one of the ports will receive inbound traffic + # for the network and the other will receive outbound traffic. The two ports on a + # given segment must reside on the same network adapter. + # + # When using a SPAN-port configuration the upstream and downstream traffic + # arrives on a single port. This is configured by setting the two sides of the + # segment to reference the same port. (e.g. 0-0 to configure a SPAN port on + # port 0). + # + # port segments are specified in the form: + # ports: [0-1,2-3,4-5,6-6,7-7] + # + # For legacy systems when hardware-bypass is disabled this can be specified in any + # of the following ways: # # a list of individual ports (e.g. ports: [0,1,2,3]) # @@ -1798,9 +2106,9 @@ napatech: # "all" to indicate that all ports are to be merged together # (e.g. ports: [all]) # - # This has no effect if auto-config is disabled. + # This parameter has no effect if auto-config is disabled. # - ports: [all] + ports: [0-1,2-3] # When auto-config is enabled the hashmode specifies the algorithm for # determining to which stream a given packet is to be delivered. @@ -1811,16 +2119,13 @@ napatech: # # See Napatech NTPL documentation other hashmodes and details on their use. # - # This has no effect if auto-config is disabled. + # This parameter has no effect if auto-config is disabled. # hashmode: hash5tuplesorted ## ## Configure Suricata to load Suricata-Update managed rules. ## -## If this section is completely commented out move down to the "Advanced rule -## file configuration". -## default-rule-path: /usr/local/etc/suricata/opnsense.rules @@ -1839,11 +2144,13 @@ reference-config-file: /usr/local/etc/suricata/reference.config ## Include other configs ## -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. +# Includes: Files included here will be handled as if they were in-lined +# in this configuration file. Files with relative pathnames will be +# searched for in the same directory as this configuration file. You may +# use absolute pathnames too. # include installed rules list (generated by OPNsense install rules script) -include: installed_rules.yaml - # include custom file (may be persistently modified) -include: custom.yaml +include: + - installed_rules.yaml + - custom.yaml