18b0bb46
Commit
18b0bb46
authored
Jun 23, 2015
by
Ad Schellevis
(ids) update config template
parent
487a9a69
Changes
1
Showing
1 changed file
with
21 additions
and
236 deletions
+21
-236
suricata.yaml
src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
+21
-236
src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
...
...
@@ -37,7 +37,7 @@
# If set to auto, the variable is internally switch to 'router' in IPS mode
# and 'sniffer-only' in IDS mode.
# This feature is currently only used by the reject* keywords.
host-mode
:
auto
host-mode
:
sniffer-only
# Run suricata as user and group.
#run-as:
...
...
@@ -77,7 +77,7 @@ outputs:
# a line based alerts log similar to Snort's fast.log
-
fast
:
enabled
:
yes
enabled
:
no
filename
:
fast.log
append
:
yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
...
...
@@ -94,23 +94,23 @@ outputs:
## Error, Warning, Notice, Info, Debug
types
:
-
alert
-
http
:
extended
:
yes
# enable this for extended logging information
# custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization]
-
dns
-
tls
:
extended
:
yes
# enable this for extended logging information
-
files
:
force-magic
:
no
# force logging magic on all logged files
force-md5
:
no
# force logging of md5 checksums
#- drop
-
ssh
#
- http:
#
extended: yes # enable this for extended logging information
#
# custom allows additional http fields to be included in eve-log
#
# the example below adds three additional fields when uncommented
#
#custom: [Accept-Encoding, Accept-Language, Authorization]
#
- dns
#
- tls:
#
extended: yes # enable this for extended logging information
#
- files:
#
force-magic: no # force logging magic on all logged files
#
force-md5: no # force logging of md5 checksums
#
#- drop
#
- ssh
# alert output for use with Barnyard2
-
unified2-alert
:
enabled
:
yes
enabled
:
no
filename
:
unified2.alert
# File size limit. Can be specified in kb, mb, gb. Just a number
...
...
@@ -138,7 +138,7 @@ outputs:
# a line based log of HTTP requests (no alerts)
-
http-log
:
enabled
:
yes
enabled
:
no
filename
:
http.log
append
:
yes
#extended: yes # enable this for extended logging information
...
...
@@ -307,76 +307,8 @@ nflog:
# netlink max buffer size
max-size
:
20000
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet
:
-
interface
:
eth0
# Number of receive threads (>1 will enable experimental flow pinned
# runmode)
threads
:
1
# Default clusterid. AF_PACKET will load balance packets based on flow.
# All threads/processes that will participate need to have the same
# clusterid.
cluster-id
:
99
# Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
# This is only supported for Linux kernel > 3.1
# possible value are:
# * cluster_round_robin: round robin load balancing
# * cluster_flow: all packets of a given flow are send to the same socket
# * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
cluster-type
:
cluster_flow
# In some fragmentation case, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag
:
yes
# To use the ring feature of AF_PACKET, set 'use-mmap' to yes
use-mmap
:
yes
# Ring size will be computed with respect to max_pending_packets and number
# of threads. You can set manually the ring size in number of packets by setting
# the following value. If you are using flow cluster-type and have really network
# intensive single-flow you could want to set the ring-size independantly of the number
# of threads:
#ring-size: 2048
# On busy system, this could help to set it to yes to recover from a packet drop
# phase. This will result in some packets (at max a ring flush) being non treated.
#use-emergency-flush: yes
# recv buffer size, increase value could improve performance
# buffer-size: 32768
# Set to yes to disable promiscuous mode
# disable-promisc: no
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may be with an invalid checksum due to
# offloading to the network card of the checksum computation.
# Possible values are:
# - kernel: use indication sent by kernel for each packet (default)
# - yes: checksum validation is forced
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used.
# Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: kernel
# BPF filter to apply to this interface. The pcap filter syntax apply here.
#bpf-filter: port 80 or udp
# You can use the following variables to activate AF_PACKET tap od IPS mode.
# If copy-mode is set to ips or tap, the traffic coming to the current
# interface will be copied to the copy-iface interface. If 'tap' is set, the
# copy is complete. If 'ips' is set, the packet matching a 'drop' action
# will not be copied.
#copy-mode: ips
#copy-iface: eth1
-
interface
:
eth1
threads
:
1
cluster-id
:
98
cluster-type
:
cluster_flow
defrag
:
yes
# buffer-size: 32768
# disable-promisc: no
# Put default values here
-
interface
:
default
#threads: 2
#use-mmap: yes
legacy
:
uricontent
:
en
abled
uricontent
:
dis
abled
# You can specify a threshold config file by setting "threshold-file"
# to the path of the threshold config file:
...
...
@@ -782,7 +714,7 @@ logging:
# disabled you will get the default - console output.
outputs
:
-
console
:
enabled
:
yes
enabled
:
no
-
file
:
enabled
:
yes
filename
:
/var/log/suricata.log
...
...
@@ -791,101 +723,6 @@ logging:
facility
:
local5
format
:
"
[%i]
<%d>
--
"
# Tilera mpipe configuration. for use on Tilera TILE-Gx.
mpipe
:
# Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
load-balance
:
dynamic
# Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
iqueue-packets
:
2048
# List of interfaces we will listen on.
inputs
:
-
interface
:
xgbe2
-
interface
:
xgbe3
-
interface
:
xgbe4
# Relative weight of memory for packets of each mPipe buffer size.
stack
:
size128
:
0
size256
:
9
size512
:
0
size1024
:
0
size1664
:
7
size4096
:
0
size10386
:
0
size16384
:
0
# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/PF_RING.html
pfring
:
-
interface
:
eth0
# Number of receive threads (>1 will enable experimental flow pinned
# runmode)
threads
:
1
# Default clusterid. PF_RING will load balance packets based on flow.
# All threads/processes that will participate need to have the same
# clusterid.
cluster-id
:
99
# Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
# This is only supported in versions of PF_RING > 4.1.1.
cluster-type
:
cluster_flow
# bpf filter for this interface
#bpf-filter: tcp
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may be with an invalid checksum due to
# offloading to the network card of the checksum computation.
# Possible values are:
# - rxonly: only compute checksum for packets received by network card.
# - yes: checksum validation is forced
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used. (default)
# Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: auto
# Second interface
#- interface: eth1
# threads: 3
# cluster-id: 93
# cluster-type: cluster_flow
# Put default values here
-
interface
:
default
#threads: 2
pcap
:
-
interface
:
eth0
# On Linux, pcap will try to use mmaped capture and will use buffer-size
# as total of memory used by the ring. So set this to something bigger
# than 1% of your bandwidth.
#buffer-size: 16777216
#bpf-filter: "tcp and port 25"
# Choose checksum verification mode for the interface. At the moment
# of the capture, some packets may be with an invalid checksum due to
# offloading to the network card of the checksum computation.
# Possible values are:
# - yes: checksum validation is forced
# - no: checksum validation is disabled
# - auto: suricata uses a statistical approach to detect when
# checksum off-loading is used. (default)
# Warning: 'checksum-validation' must be set to yes to have any validation
#checksum-checks: auto
# With some accelerator cards using a modified libpcap (like myricom), you
# may want to have the same number of capture threads as the number of capture
# rings. In this case, set up the threads variable to N to start N threads
# listening on the same interface.
#threads: 16
# set to no to disable promiscuous mode:
#promisc: no
# set snaplen, if not set it defaults to MTU if MTU can be known
# via ioctl call and to full capture if not.
#snaplen: 1518
# Put default values here
-
interface
:
default
#checksum-checks: auto
pcap-file
:
# Possible values are:
...
...
@@ -925,56 +762,6 @@ ipfw:
# Set the default rule path here to search for the files.
# if not set, it will look at the current working dir
default-rule-path
:
/usr/local/etc/suricata/opnsense.rules
rule-files
:
-
botcc.rules
-
ciarmy.rules
-
compromised.rules
-
drop.rules
-
dshield.rules
-
emerging-activex.rules
-
emerging-attack_response.rules
-
emerging-chat.rules
-
emerging-current_events.rules
-
emerging-dns.rules
-
emerging-dos.rules
-
emerging-exploit.rules
-
emerging-ftp.rules
-
emerging-games.rules
-
emerging-icmp_info.rules
# - emerging-icmp.rules
-
emerging-imap.rules
-
emerging-inappropriate.rules
-
emerging-malware.rules
-
emerging-misc.rules
-
emerging-mobile_malware.rules
-
emerging-netbios.rules
-
emerging-p2p.rules
-
emerging-policy.rules
-
emerging-pop3.rules
-
emerging-rpc.rules
-
emerging-scada.rules
-
emerging-scan.rules
-
emerging-shellcode.rules
-
emerging-smtp.rules
-
emerging-snmp.rules
-
emerging-sql.rules
-
emerging-telnet.rules
-
emerging-tftp.rules
-
emerging-trojan.rules
-
emerging-user_agents.rules
-
emerging-voip.rules
-
emerging-web_client.rules
-
emerging-web_server.rules
-
emerging-web_specific_apps.rules
-
emerging-worm.rules
-
tor.rules
-
decoder-events.rules
# available in suricata sources under rules dir
-
stream-events.rules
# available in suricata sources under rules dir
-
http-events.rules
# available in suricata sources under rules dir
-
smtp-events.rules
# available in suricata sources under rules dir
-
dns-events.rules
# available in suricata sources under rules dir
-
tls-events.rules
# available in suricata sources under rules dir
classification-file
:
/usr/local/etc/suricata/classification.config
reference-config-file
:
/usr/local/etc/suricata/reference.config
...
...
@@ -1320,7 +1107,5 @@ napatech:
# The streams to listen on
streams
:
[
1
,
2
,
3
]
# Includes. Files included here will be handled as if they were
# inlined in this configuration file.
#include: include1.yaml
#include: include2.yaml
# include installed rules list (generated by OPNsense install rules script)
include
:
installed_rules.yaml
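Review bot: The first hunk hard-codes `host-mode: sniffer-only`, while the comment directly above it says `auto` switches to `router` in IPS mode and to `sniffer-only` only in IDS mode, and that the value is what the reject* keywords act on; if this template is ever rendered for an inline (IPS) deployment, reject actions will be computed as if Suricata were a passive sniffer. I cannot see from this diff whether the OPNsense IDS service has an IPS mode at this point, so if it is IDS-only the change is harmless today but leaves a trap for whoever adds inline mode later. Prefer keeping `host-mode: auto` so Suricata derives it from its own run mode, or drive the value from the IDS/IPS setting in the template engine and say so in a comment, e.g. `# host-mode must be 'router' when running inline (IPS); 'auto' derives it from the run mode`. Unrelated to the change but worth a caveat next to the surviving `#custom: [Accept-Encoding, Accept-Language, Authorization]` example in eve-log: uncommenting it as-is writes client credentials from the Authorization header into the log file.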