# Suricata configuration

## Please note the following:

* Different Sensor configurations (numbers of cpu cores, memory, etc) will have different thread and CPU settings in the `suricata.yaml` file.
  * Vectra works to maximize the performance potential for each Sensor type.
  * Please see the [Vectra Match Performance and Ruleset Optimization Guidance](https://docs.vectra.ai/deployment/match/performance-and-rulset-optimization) article for more details.
* Vectra automatically populates the `HOME_NET` variable from three sources:
  * Internal IP Addresses (CIDR) - "Internal subnet"
    * Viewable in your Vectra UI at *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
  * Excluded Subnet of Internal IP Addresses (CIDR) - "Excluded subnet"
    * Viewable in your Vectra UI at *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
  * Automatically discovered Southside Proxy IPs
    * Viewable at the CLI of your Brain with the `show proxy --southside` command.
  * For example:
    * If you have 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as your Internal subnets,
    * And 10.0.0.1, 10.0.0.2, 10.0.0.3 as Southside Proxy IPs,
    * And you've excluded 10.254.1.0/24 in the Excluded subnet,
    * The `HOME_NET` variable would look like:
      * `[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,!PROXY_IPs,!EXCLUDE_NET]`
    * With `PROXY_IPs` being `[10.0.0.1, 10.0.0.2, 10.0.0.3]`
    * And `EXCLUDE_NET` being `[10.254.1.0/24]`
    * In the generated `internal_networks.yaml` the negated entries are written out as literal netblocks (for example `!10.254.1.0/24`) rather than as variable references, and an empty `PROXY_IPs` list adds no negation at all.
* In addition to the `HOME_NET` Variable, Vectra supports the following variables:
  * `EXTERNAL_NET` is defined in `suricata.yaml` as `!$HOME_NET`. Because `HOME_NET` already negates the proxy and excluded ranges, this is equivalent to `[!HOME_NET, PROXY_IPs, EXCLUDE_NET]`: Southside proxy addresses and excluded subnets count as external even though they carry internal addresses.
  * `PROXY_IPs` is the list of Southside proxy IPs that Vectra's proxy detection discovers automatically.
    * Northside proxies are not included.
    * This variable was introduced in 9.0 and causes any traffic sent to these proxies to be treated as External even though they have an internal address.
    * You can view the list of Southside proxies on the Brain CLI with `show proxy --southside`.
  * `EXCLUDE_NET`
    * The `EXCLUDE_NET` variable is automatically populated from the Excluded Subnet configuration under *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*.
* Customers may use any of the supported variables (`HOME_NET`, `PROXY_IPs`, `EXCLUDE_NET`, and `EXTERNAL_NET`) in their own rules.
* If you need further custom variables, resolve them into the IP netblocks yourself and write those literally in the rules instead; textual substitution is all Suricata does with a variable defined in `suricata.yaml`, so a rule with the netblocks inlined behaves the same as one that references the variable.

## Example `internal_networks.yaml` file:

This example file is based on what *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification → Internal IP Addresses (CIDR)* contains. The contents of this file are regenerated every time that data changes or the system discovers new Southside proxies. The file is included in the underlying Suricata configuration (the `include:` entry under `vars.address-groups` in the `suricata.yaml` example below) so that the variables described in the prior section can be used in rules.

```yaml
%YAML 1.1
---
DROP_NET: '[192.168.7.0/24]'
EXCLUDE_NET: '[10.100.1.0/24]'
HOME_NET: '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,32.100.1.0/24,fd00::/8,!10.100.1.0/24]'
PROXY_IPs: '[]'
...
```
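The Python script below is an added example, not Vectra's or Suricata's own code. It re-implements the variable handling described in the previous section and in this file: `load_address_groups` reads a constructed copy of the `internal_networks.yaml` shown above (embedded so the script runs offline), `compose_home_net` assembles `HOME_NET` from Internal subnets, Southside proxies and Excluded subnets the way the worked example describes, `expand` performs the textual `$VAR` substitution Suricata does, and `matches` evaluates an address against an address group using Suricata's semantics (an address is in a group when it is inside at least one positive entry and inside no negated entry; a leading `!` negates the whole group). The function names and the sample addresses are this example's own assumptions.

```python
import ipaddress
import re

# Constructed copy of the internal_networks.yaml shown above (not read from a
# live Brain), embedded so the example runs offline.
INTERNAL_NETWORKS_YAML = """\
%YAML 1.1
---
DROP_NET: '[192.168.7.0/24]'
EXCLUDE_NET: '[10.100.1.0/24]'
HOME_NET: '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,32.100.1.0/24,fd00::/8,!10.100.1.0/24]'
PROXY_IPs: '[]'
...
"""


def load_address_groups(text):
    """Read the KEY: '[...]' lines of an internal_networks.yaml into a dict."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*'?(\[[^']*\])'?\s*$", line)
        if m:
            groups[m.group(1)] = m.group(2)
    # suricata.yaml on the Sensor defines EXTERNAL_NET as '!$HOME_NET'.
    groups.setdefault("EXTERNAL_NET", "!$HOME_NET")
    return groups


def compose_home_net(internal, proxies, excluded):
    """Assemble the variables as the text describes: internal subnets with the
    Southside proxies and excluded subnets negated. Empty lists add no
    negation, matching the file above where PROXY_IPs is '[]'."""
    groups = {"PROXY_IPs": "[" + ",".join(proxies) + "]",
              "EXCLUDE_NET": "[" + ",".join(excluded) + "]",
              "EXTERNAL_NET": "!$HOME_NET"}
    items = list(internal)
    if proxies:
        items.append("!$PROXY_IPs")
    if excluded:
        items.append("!$EXCLUDE_NET")
    groups["HOME_NET"] = "[" + ",".join(items) + "]"
    return groups


def expand(expr, groups):
    """Inline every $VAR reference until none remain; Suricata performs the
    same textual substitution before parsing the address group."""
    prev = None
    while prev != expr:
        prev = expr
        expr = re.sub(r"\$(\w+)", lambda m: groups[m.group(1)], expr)
    return expr


def _split_top_level(body):
    """Split on commas that are not inside a nested [...] group."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def matches(expr, ip, groups):
    """True if ip falls inside the address-group expression expr."""
    expr = expand(expr, groups).strip()
    if expr.startswith("!"):
        return not matches(expr[1:], ip, groups)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split_top_level(expr[1:-1])
        if not items:  # '[]' covers nothing
            return False
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        # A group of only negated entries means "anything except these".
        hit = not positives or any(matches(i, ip, groups) for i in positives)
        return hit and not any(matches(i, ip, groups) for i in negatives)
    if expr == "any":
        return True
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixed
    # families in HOME_NET (fd00::/8 next to 10.0.0.0/8) are handled.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def classify(ip, groups):
    """Which side a rule written with $HOME_NET / $EXTERNAL_NET puts ip on."""
    return "HOME_NET" if matches("$HOME_NET", ip, groups) else "EXTERNAL_NET"


if __name__ == "__main__":
    groups = load_address_groups(INTERNAL_NETWORKS_YAML)
    for ip in ("10.1.2.3", "10.100.1.5", "32.100.1.7", "fd00::1", "8.8.8.8"):
        print(ip, "->", classify(ip, groups))
    # Worked example from the text: the proxies sit inside 10.0.0.0/8 yet
    # land in EXTERNAL_NET because HOME_NET negates $PROXY_IPs.
    g2 = compose_home_net(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
                          ["10.0.0.1", "10.0.0.2", "10.0.0.3"], ["10.254.1.0/24"])
    print(g2["HOME_NET"])
    print("10.0.0.1 ->", classify("10.0.0.1", g2))
```

Running the script classifies `10.100.1.5` (inside the excluded /24) and `8.8.8.8` as `EXTERNAL_NET` while `10.1.2.3`, `32.100.1.7` and `fd00::1` fall in `HOME_NET`; with the worked-example inputs, the proxy `10.0.0.1` is reported as `EXTERNAL_NET`. The same `matches` check is a cheap way to confirm which side of a `$HOME_NET any -> $EXTERNAL_NET any` rule a given host will land on before the rule is deployed.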

## Example suricata.yaml configuration file (as of v9.1):

```yaml
%YAML 1.1
---
af-packet:
- cluster-id: 99
  cluster-type: cluster_flow
  defrag: true
  interface: eth0
- interface: default
app-layer:
  protocols:
    bittorrent-dht:
      enabled: true
    dcerpc:
      enabled: true
    dhcp:
      enabled: true
    dnp3:
      detection-ports:
        dp: 20000
      enabled: true
    dns:
      tcp:
        detection-ports:
          dp: 53
        enabled: true
      udp:
        detection-ports:
          dp: 53
        enabled: true
    enip:
      detection-ports:
        dp: 44818
        sp: 44818
      enabled: true
    ftp:
      enabled: true
    http:
      enabled: true
      libhtp:
        default-config:
          double-decode-path: false
          double-decode-query: false
          http-body-inline: auto
          personality: IDS
          request-body-inspect-window: 4kb
          request-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          response-body-decompress-layer-limit: 2
          response-body-inspect-window: 16kb
          response-body-limit: 100kb
          response-body-minimal-inspect-size: 40kb
          swf-decompression:
            compress-depth: 100kb
            decompress-depth: 100kb
            enabled: true
            type: both
        server-config: null
    http2:
      enabled: true
    ike:
      enabled: true
    imap:
      enabled: detection-only
    krb5:
      enabled: true
    modbus:
      detection-ports:
        dp: 502
      enabled: true
      stream-depth: 0
    mqtt:
      enabled: true
    nfs:
      enabled: true
    ntp:
      enabled: true
    pgsql:
      enabled: false
      stream-depth: 0
    quic:
      enabled: true
    rdp:
      enabled: true
    rfb:
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
      enabled: true
    sip:
      enabled: true
    smb:
      detection-ports:
        dp: 139, 445
      enabled: true
    smtp:
      enabled: true
      inspected-tracker:
        content-inspect-min-size: 32768
        content-inspect-window: 4096
        content-limit: 100000
      mime:
        body-md5: false
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
      raw-extraction: false
    snmp:
      enabled: true
    ssh:
      enabled: true
    telnet:
      enabled: true
    tftp:
      enabled: true
    tls:
      detection-ports:
        dp: 443
      enabled: true
      ja3-fingerprints: true
      ja4-fingerprints: true
asn1-max-frames: 256
capture: null
classification-file: /etc/suricata/classification.config
coredump:
  max-dump: unlimited
datasets:
  defaults: null
  rules: null
decoder:
  geneve:
    enabled: true
    ports: $GENEVE_PORTS
  teredo:
    enabled: true
    ports: $TEREDO_PORTS
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS
default-log-dir: /data/colossus/capture/suricata/
default-rule-path: /data/platform/suricata/rules
defrag:
  hash-size: 65536
  max-frags: 65535
  memcap: 32mb
  prealloc: true
  timeout: 60
  trackers: 65535
detect:
  custom-values:
    toclient-groups: 100
    toserver-groups: 100
  grouping: null
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  profile: high
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false
      include-rules: false
  sgh-mpm-context: single
dpdk:
  eal-params:
    file-prefix: suri
    proc-type: primary
    vdev: net_memif,role=client,rsize=14,bsize=10240
  interfaces:
  - checksum-checks: true
    checksum-checks-offload: true
    copy-iface: none
    copy-mode: none
    interface: net_memif
    mbuf-size: 10240
    mempool-cache-size: 257
    mempool-size: 8191
    mtu: 1500
    multicast: true
    promisc: true
    rss-hash-functions: auto
    rx-descriptors: 1024
    socket-id: 1
    threads: 16
    tx-descriptors: 1024
engine-analysis:
  rules: true
  rules-fast-pattern: true
exception-policy: auto
flow:
  emergency-recovery: 30
  hash-size: 65536
  memcap: 256mb
  prealloc: 10000
flow-timeouts:
  default:
    bypassed: 100
    closed: 0
    emergency-bypassed: 50
    emergency-closed: 0
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  icmp:
    bypassed: 100
    emergency-bypassed: 50
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  tcp:
    bypassed: 100
    closed: 60
    emergency-bypassed: 50
    emergency-closed: 10
    emergency-established: 100
    emergency-new: 5
    established: 600
    new: 60
  udp:
    bypassed: 100
    emergency-bypassed: 50
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
host:
  hash-size: 4096
  memcap: 32mb
  prealloc: 1000
host-mode: auto
host-os-policy:
  bsd: []
  bsd-right: []
  hpux10: []
  hpux11: []
  irix: []
  linux: []
  macos: []
  old-linux: []
  old-solaris: []
  solaris: []
  vista: []
  windows:
  - 0.0.0.0/0
  windows2k3: []
ipfw: null
legacy:
  uricontent: enabled
livedev:
  use-for-tracking: true
logging:
  default-log-level: notice
  default-output-filter: null
  outputs:
  - console:
      enabled: true
  - file:
      enabled: true
      filename: suricata.log
      level: info
  - syslog:
      enabled: false
      facility: local5
      format: '[%i] <%d> -- '
luajit:
  states: 128
mpm-algo: hs
napatech:
  auto-config: true
  enable-stream-stats: false
  hardware-bypass: true
  hashmode: hash5tuplesorted
  inline: false
  ports:
  - 0-1
  - 2-3
  streams:
  - 0-3
netmap:
- interface: eth2
- interface: default
nflog:
- buffer-size: 18432
  group: 2
- group: default
  max-size: 20000
  qthreshold: 1
  qtimeout: 100
nfq: null
outputs:
- fast:
    append: true
    enabled: true
    filename: fast.log
- eve-log:
    enabled: true
    filename: /var/run/colossus/eve.sock
    filetype: unix_stream
    include: /etc/suricata/community_id.yaml
    types:
    - alert:
        enabled: true
        packet: true
        payload: true
        payload-printable: true
        tagged-packets: true
- eve-log:
    enabled: true
    filename: eve-stats.json
    filetype: regular
    types:
    - stats:
        deltas: false
        enabled: true
        threads: false
        totals: true
- http-log:
    append: true
    enabled: false
    filename: http.log
- tls-log:
    append: true
    enabled: false
    filename: tls.log
- tls-store:
    enabled: false
- pcap-log:
    compression: none
    enabled: false
    filename: log.pcap
    honor-pass-rules: false
    limit: 1000mb
    max-files: 2000
    mode: normal
    use-stream-depth: false
- alert-debug:
    append: true
    enabled: false
    filename: alert-debug.log
- stats:
    append: true
    enabled: true
    filename: stats.log
    threads: false
    totals: true
- syslog:
    enabled: false
    facility: local5
- file-store:
    enabled: false
    version: 2
    xff:
      deployment: reverse
      enabled: false
      header: X-Forwarded-For
      mode: extra-data
- tcp-data:
    enabled: false
    filename: tcp-data.log
    type: file
- http-body-data:
    enabled: false
    filename: http-data.log
    type: file
- lua:
    enabled: false
    scripts: null
pcap:
- interface: eth0
- interface: default
pcap-file:
  checksum-checks: auto
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
pfring:
- cluster-id: 99
  cluster-type: cluster_flow
  interface: eth0
  threads: auto
- interface: default
plugins: null
profiling:
  keywords:
    append: true
    enabled: true
    filename: keyword_perf.log
  locks:
    append: true
    enabled: false
    filename: lock_stats.log
  packets:
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
    enabled: true
    filename: packet_stats.log
  pcap-log:
    append: true
    enabled: false
    filename: pcaplog_stats.log
  prefilter:
    append: true
    enabled: true
    filename: prefilter_perf.log
  rulegroups:
    append: true
    enabled: true
    filename: rule_group_perf.log
  rules:
    append: true
    enabled: true
    filename: rule_perf.log
    json: true
    limit: 10
reference-config-file: /etc/suricata/reference.config
rule-files:
- '*.rules'
runmode: workers
security:
  landlock:
    directories:
      read:
      - /usr/
      - /etc/
    enabled: false
  limit-noproc: true
  lua: null
spm-algo: hs
stats:
  enabled: true
  interval: 8
stream:
  bypass: true
  checksum-validation: false
  inline: auto
  memcap: 64mb
  reassembly:
    depth: 1mb
    memcap: 256mb
    randomize-chunk-size: true
    toclient-chunk-size: 2560
    toserver-chunk-size: 2560
suricata-version: 7.0.8
threading:
  cpu-affinity:
  - management-cpu-set:
      cpu:
      - 0
  - worker-cpu-set:
      cpu:
      - 0
      - 1
      - 2
      - 3
      - 4
      - 5
      - 6
      - 7
      - 8
      - 36
      - 37
      - 38
      - 39
      - 40
      - 41
      - 42
      mode: exclusive
      prio:
        default: high
  detect-thread-ratio: 1.0
  set-cpu-affinity: true
unix-command:
  enabled: true
vars:
  address-groups:
    AIM_SERVERS: $EXTERNAL_NET
    DC_SERVERS: $HOME_NET
    DNP3_CLIENT: $HOME_NET
    DNP3_SERVER: $HOME_NET
    DNS_SERVERS: $HOME_NET
    ENIP_CLIENT: $HOME_NET
    ENIP_SERVER: $HOME_NET
    EXTERNAL_NET: '!$HOME_NET'
    HTTP_SERVERS: $HOME_NET
    MODBUS_CLIENT: $HOME_NET
    MODBUS_SERVER: $HOME_NET
    SMTP_SERVERS: $HOME_NET
    SQL_SERVERS: $HOME_NET
    TELNET_SERVERS: $HOME_NET
    include: /data/platform/suricata/conf.d/internal_networks.yaml
  port-groups:
    DNP3_PORTS: 20000
    FILE_DATA_PORTS: '[$HTTP_PORTS,110,143]'
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    HTTP_PORTS: '80'
    MODBUS_PORTS: 502
    ORACLE_PORTS: 1521
    SHELLCODE_PORTS: '!80'
    SSH_PORTS: 22
    TEREDO_PORTS: 3544
    VXLAN_PORTS: 4789
vlan:
  use-for-tracking: true
...
```
