# Suricata configuration

## Please note the following:

* Different Sensor configurations (numbers of cpu cores, memory, etc) will have different thread and CPU settings in the `suricata.yaml` file.
  * Vectra works to maximize the performance potential for each Sensor type.
  * Please see the [Vectra Match Performance and Ruleset Optimization Guidance](/deployment/match/performance-and-rulset-optimization.md) article for more details.
* Vectra automatically populates the `HOME_NET` variable based on the configuration defined in the:
  * Internal IP Addresses (CIDR) - "Internal subnet"
    * Viewable in your Vectra UI at *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
  * Excluded Subnet of Internal IP Addresses (CIDR) - "Excluded subnet"
    * Viewable in your Vectra UI at *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
  * Automatically discovered Southside Proxy IPs
    * Viewable at the CLI of your Brain with `show proxy --southside` command.
  * For example:
    * If you have 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as your Internal subnets,
    * And 10.0.0.1, 10.0.0.2, 10.0.0.3 as Southside Proxy IPs,
    * And you've excluded 10.254.1.0/24 in the Excluded subnet,
    * The `HOME_NET` variable would look like:
      * `[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,!PROXY_IPs,!EXCLUDE_NET]`
    * With `PROXY_IPs` being `[10.0.0.1, 10.0.0.2, 10.0.0.3]`
    * And `EXCLUDE_NET` being `[10.254.1.0/24]`
* In addition to the `HOME_NET` variable, Vectra supports the following variables:
  * `EXTERNAL_NET` is `[!HOME_NET, PROXY_IPs, EXCLUDE_NET]`
  * `PROXY_IPs` is a list of IPs that are automatically added to the `PROXY_IPs` variable when detected by Vectra's Southside proxy detection.
    * Northside proxies are not factored in here.
    * This variable was introduced in 9.0 and enables users to automatically treat any traffic sent to proxies as External, even if the proxies have an internal address.
    * You can view the list of Southside proxies on the Brain CLI using `show proxy --southside`.
  * `EXCLUDE_NET`
    * The `EXCLUDE_NET` variable is automatically populated from the Excluded Subnet configuration under *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*.
* Customers may use any of the supported variables (`HOME_NET`, `PROXY_IPs`, `EXCLUDE_NET`, and `EXTERNAL_NET`) in their own rules.
* If you need further custom variables, you can always resolve them into their IP netblocks and use those in the rules instead; this is all that Suricata does when it resolves a variable defined in the `suricata.yaml` file.

## Example `internal_networks.yaml` file:

This example file is based on what *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification → Internal IP Addresses (CIDR)* contains. The contents of this file are updated every time that data changes or the system discovers new Southside proxies. This file is included in the underlying Suricata configuration so that the variables described in the prior section can be used in rules.

```yaml
%YAML 1.1
---
DROP_NET: '[192.168.7.0/24]'
EXCLUDE_NET: '[10.100.1.0/24]'
HOME_NET: '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,32.100.1.0/24,fd00::/8,!10.100.1.0/24]'
PROXY_IPs: '[]'
...
```
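The following is an added example, not Vectra's code, that ties the two preceding sections together: it takes the three inputs the Brain uses (Internal subnets, Southside proxy IPs, Excluded subnets; the values below are the ones from the worked example above), expands them into the `HOME_NET`, `PROXY_IPs`, `EXCLUDE_NET` and `EXTERNAL_NET` strings, renders them in the layout of `internal_networks.yaml`, and then classifies sample addresses by evaluating those strings as address sets. `EXTERNAL_NET` is written as `!$HOME_NET`, the form the `suricata.yaml` on this page uses; it covers the proxies and excluded subnets because they are already negated out of `HOME_NET`. The evaluator is a set-based model of the definitions on this page (positive entries add netblocks, `!` entries subtract them, a group with only negated entries starts from "any"), not Suricata's own address parser; `suricata -T -c suricata.yaml` remains the way to validate a real configuration.

```python
"""Added example (not Vectra's code): expand Vectra Match's address variables
from the IP Address Classification inputs and evaluate them as address sets."""
import ipaddress
from typing import Dict, Iterable, List

# Inputs taken from the page's worked example (constructed as Python literals)
INTERNAL_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SOUTHSIDE_PROXIES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
EXCLUDED_SUBNETS = ["10.254.1.0/24"]


def _group(entries: Iterable[str]) -> str:
    """Render entries as a Suricata address group, e.g. '[10.0.0.0/8,!10.0.0.1]'."""
    return "[" + ",".join(entries) + "]"


def build_variables(internal: List[str], proxies: List[str],
                    excluded: List[str]) -> Dict[str, str]:
    """Expand the four variables documented above into netblock form.

    HOME_NET is the internal subnets with every proxy IP and excluded subnet
    negated out.  EXTERNAL_NET is written as '!$HOME_NET' (as in the page's
    suricata.yaml); since proxies and exclusions are already carved out of
    HOME_NET, its complement contains them, matching the page's
    '[!HOME_NET, PROXY_IPs, EXCLUDE_NET]' description.
    """
    home_net = list(internal) + ["!" + p for p in proxies] + ["!" + e for e in excluded]
    return {
        "HOME_NET": _group(home_net),
        "PROXY_IPs": _group(proxies),
        "EXCLUDE_NET": _group(excluded),
        "EXTERNAL_NET": "!$HOME_NET",
    }


def render_internal_networks_yaml(variables: Dict[str, str]) -> str:
    """Write the variables in the layout of the internal_networks.yaml example.
    EXTERNAL_NET lives in suricata.yaml's vars section, so it is left out."""
    lines = ["%YAML 1.1", "---"]
    for name in ("EXCLUDE_NET", "HOME_NET", "PROXY_IPs"):
        lines.append(f"{name}: '{variables[name]}'")
    lines.append("...")
    return "\n".join(lines) + "\n"


def _split_group(group: str) -> List[str]:
    """Turn '[a,b,!c]' (or a bare 'a') into its entries, whitespace stripped."""
    body = group.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return [e.strip() for e in body.split(",") if e.strip()]


def in_group(ip: str, group: str, variables: Dict[str, str]) -> bool:
    """Set-based evaluation of one address group against one IP.

    A positive entry adds its netblock (or referenced $VARIABLE); a '!' entry
    subtracts it.  A group with only negated entries starts from 'any', which
    is how '!$HOME_NET' becomes the complement of HOME_NET.
    """
    addr = ipaddress.ip_address(ip)
    positives: List[bool] = []
    negatives: List[bool] = []

    def entry_matches(entry: str) -> bool:
        if entry.startswith("$"):               # variable reference, expand recursively
            name = entry[1:]
            if name not in variables:
                raise KeyError(f"undefined address variable ${name}")
            return in_group(ip, variables[name], variables)
        net = ipaddress.ip_network(entry, strict=False)   # host or CIDR
        return addr.version == net.version and addr in net

    for entry in _split_group(group):
        if entry.startswith("!"):
            negatives.append(entry_matches(entry[1:]))
        else:
            positives.append(entry_matches(entry))

    included = any(positives) if positives else True
    return included and not any(negatives)


def classify(ip: str, variables: Dict[str, str]) -> str:
    """Report which side of the HOME_NET / EXTERNAL_NET split an address is on."""
    if in_group(ip, variables["HOME_NET"], variables):
        return "HOME_NET"
    if in_group(ip, variables["EXTERNAL_NET"], variables):
        return "EXTERNAL_NET"
    return "neither"


if __name__ == "__main__":
    VARS = build_variables(INTERNAL_SUBNETS, SOUTHSIDE_PROXIES, EXCLUDED_SUBNETS)
    print(render_internal_networks_yaml(VARS))
    # 10.0.0.2 is a Southside proxy and 10.254.1.77 is excluded: both resolve
    # to EXTERNAL_NET despite carrying RFC 1918 addresses.
    for sample in ("10.1.2.3", "10.0.0.2", "10.254.1.77", "8.8.8.8"):
        print(f"{sample:>12} -> {classify(sample, VARS)}")
```

Running the script prints the expanded `internal_networks.yaml` followed by one line per sample address; the proxy and excluded addresses land in `EXTERNAL_NET`, which is the behaviour the `PROXY_IPs` and `EXCLUDE_NET` sections above describe.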

## Example suricata.yaml configuration file (as of v9.1):

```yaml
%YAML 1.1
---
af-packet:
- cluster-id: 99
  cluster-type: cluster_flow
  defrag: true
  interface: eth0
- interface: default
app-layer:
  protocols:
    bittorrent-dht:
      enabled: true
    dcerpc:
      enabled: true
    dhcp:
      enabled: true
    dnp3:
      detection-ports:
        dp: 20000
      enabled: true
    dns:
      tcp:
        detection-ports:
          dp: 53
        enabled: true
      udp:
        detection-ports:
          dp: 53
        enabled: true
    enip:
      detection-ports:
        dp: 44818
        sp: 44818
      enabled: true
    ftp:
      enabled: true
    http:
      enabled: true
      libhtp:
        default-config:
          double-decode-path: false
          double-decode-query: false
          http-body-inline: auto
          personality: IDS
          request-body-inspect-window: 4kb
          request-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          response-body-decompress-layer-limit: 2
          response-body-inspect-window: 16kb
          response-body-limit: 100kb
          response-body-minimal-inspect-size: 40kb
          swf-decompression:
            compress-depth: 100kb
            decompress-depth: 100kb
            enabled: true
            type: both
        server-config: null
    http2:
      enabled: true
    ike:
      enabled: true
    imap:
      enabled: detection-only
    krb5:
      enabled: true
    modbus:
      detection-ports:
        dp: 502
      enabled: true
      stream-depth: 0
    mqtt:
      enabled: true
    nfs:
      enabled: true
    ntp:
      enabled: true
    pgsql:
      enabled: false
      stream-depth: 0
    quic:
      enabled: true
    rdp:
      enabled: true
    rfb:
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
      enabled: true
    sip:
      enabled: true
    smb:
      detection-ports:
        dp: 139, 445
      enabled: true
    smtp:
      enabled: true
      inspected-tracker:
        content-inspect-min-size: 32768
        content-inspect-window: 4096
        content-limit: 100000
      mime:
        body-md5: false
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
      raw-extraction: false
    snmp:
      enabled: true
    ssh:
      enabled: true
    telnet:
      enabled: true
    tftp:
      enabled: true
    tls:
      detection-ports:
        dp: 443
      enabled: true
      ja3-fingerprints: true
      ja4-fingerprints: true
asn1-max-frames: 256
capture: null
classification-file: /etc/suricata/classification.config
coredump:
  max-dump: unlimited
datasets:
  defaults: null
  rules: null
decoder:
  geneve:
    enabled: true
    ports: $GENEVE_PORTS
  teredo:
    enabled: true
    ports: $TEREDO_PORTS
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS
default-log-dir: /data/colossus/capture/suricata/
default-rule-path: /data/platform/suricata/rules
defrag:
  hash-size: 65536
  max-frags: 65535
  memcap: 32mb
  prealloc: true
  timeout: 60
  trackers: 65535
detect:
  custom-values:
    toclient-groups: 100
    toserver-groups: 100
  grouping: null
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  profile: high
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false
      include-rules: false
  sgh-mpm-context: single
dpdk:
  eal-params:
    file-prefix: suri
    proc-type: primary
    vdev: net_memif,role=client,rsize=14,bsize=10240
  interfaces:
  - checksum-checks: true
    checksum-checks-offload: true
    copy-iface: none
    copy-mode: none
    interface: net_memif
    mbuf-size: 10240
    mempool-cache-size: 257
    mempool-size: 8191
    mtu: 1500
    multicast: true
    promisc: true
    rss-hash-functions: auto
    rx-descriptors: 1024
    socket-id: 1
    threads: 16
    tx-descriptors: 1024
engine-analysis:
  rules: true
  rules-fast-pattern: true
exception-policy: auto
flow:
  emergency-recovery: 30
  hash-size: 65536
  memcap: 256mb
  prealloc: 10000
flow-timeouts:
  default:
    bypassed: 100
    closed: 0
    emergency-bypassed: 50
    emergency-closed: 0
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  icmp:
    bypassed: 100
    emergency-bypassed: 50
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  tcp:
    bypassed: 100
    closed: 60
    emergency-bypassed: 50
    emergency-closed: 10
    emergency-established: 100
    emergency-new: 5
    established: 600
    new: 60
  udp:
    bypassed: 100
    emergency-bypassed: 50
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
host:
  hash-size: 4096
  memcap: 32mb
  prealloc: 1000
host-mode: auto
host-os-policy:
  bsd: []
  bsd-right: []
  hpux10: []
  hpux11: []
  irix: []
  linux: []
  macos: []
  old-linux: []
  old-solaris: []
  solaris: []
  vista: []
  windows:
  - 0.0.0.0/0
  windows2k3: []
ipfw: null
legacy:
  uricontent: enabled
livedev:
  use-for-tracking: true
logging:
  default-log-level: notice
  default-output-filter: null
  outputs:
  - console:
      enabled: true
  - file:
      enabled: true
      filename: suricata.log
      level: info
  - syslog:
      enabled: false
      facility: local5
      format: '[%i] <%d> -- '
luajit:
  states: 128
mpm-algo: hs
napatech:
  auto-config: true
  enable-stream-stats: false
  hardware-bypass: true
  hashmode: hash5tuplesorted
  inline: false
  ports:
  - 0-1
  - 2-3
  streams:
  - 0-3
netmap:
- interface: eth2
- interface: default
nflog:
- buffer-size: 18432
  group: 2
- group: default
  max-size: 20000
  qthreshold: 1
  qtimeout: 100
nfq: null
outputs:
- fast:
    append: true
    enabled: true
    filename: fast.log
- eve-log:
    enabled: true
    filename: /var/run/colossus/eve.sock
    filetype: unix_stream
    include: /etc/suricata/community_id.yaml
    types:
    - alert:
        enabled: true
        packet: true
        payload: true
        payload-printable: true
        tagged-packets: true
- eve-log:
    enabled: true
    filename: eve-stats.json
    filetype: regular
    types:
    - stats:
        deltas: false
        enabled: true
        threads: false
        totals: true
- http-log:
    append: true
    enabled: false
    filename: http.log
- tls-log:
    append: true
    enabled: false
    filename: tls.log
- tls-store:
    enabled: false
- pcap-log:
    compression: none
    enabled: false
    filename: log.pcap
    honor-pass-rules: false
    limit: 1000mb
    max-files: 2000
    mode: normal
    use-stream-depth: false
- alert-debug:
    append: true
    enabled: false
    filename: alert-debug.log
- stats:
    append: true
    enabled: true
    filename: stats.log
    threads: false
    totals: true
- syslog:
    enabled: false
    facility: local5
- file-store:
    enabled: false
    version: 2
    xff:
      deployment: reverse
      enabled: false
      header: X-Forwarded-For
      mode: extra-data
- tcp-data:
    enabled: false
    filename: tcp-data.log
    type: file
- http-body-data:
    enabled: false
    filename: http-data.log
    type: file
- lua:
    enabled: false
    scripts: null
pcap:
- interface: eth0
- interface: default
pcap-file:
  checksum-checks: auto
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
pfring:
- cluster-id: 99
  cluster-type: cluster_flow
  interface: eth0
  threads: auto
- interface: default
plugins: null
profiling:
  keywords:
    append: true
    enabled: true
    filename: keyword_perf.log
  locks:
    append: true
    enabled: false
    filename: lock_stats.log
  packets:
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
    enabled: true
    filename: packet_stats.log
  pcap-log:
    append: true
    enabled: false
    filename: pcaplog_stats.log
  prefilter:
    append: true
    enabled: true
    filename: prefilter_perf.log
  rulegroups:
    append: true
    enabled: true
    filename: rule_group_perf.log
  rules:
    append: true
    enabled: true
    filename: rule_perf.log
    json: true
    limit: 10
reference-config-file: /etc/suricata/reference.config
rule-files:
- '*.rules'
runmode: workers
security:
  landlock:
    directories:
      read:
      - /usr/
      - /etc/
    enabled: false
  limit-noproc: true
  lua: null
spm-algo: hs
stats:
  enabled: true
  interval: 8
stream:
  bypass: true
  checksum-validation: false
  inline: auto
  memcap: 64mb
  reassembly:
    depth: 1mb
    memcap: 256mb
    randomize-chunk-size: true
    toclient-chunk-size: 2560
    toserver-chunk-size: 2560
suricata-version: 7.0.8
threading:
  cpu-affinity:
  - management-cpu-set:
      cpu:
      - 0
  - worker-cpu-set:
      cpu:
      - 0
      - 1
      - 2
      - 3
      - 4
      - 5
      - 6
      - 7
      - 8
      - 36
      - 37
      - 38
      - 39
      - 40
      - 41
      - 42
      mode: exclusive
      prio:
        default: high
  detect-thread-ratio: 1.0
  set-cpu-affinity: true
unix-command:
  enabled: true
vars:
  address-groups:
    AIM_SERVERS: $EXTERNAL_NET
    DC_SERVERS: $HOME_NET
    DNP3_CLIENT: $HOME_NET
    DNP3_SERVER: $HOME_NET
    DNS_SERVERS: $HOME_NET
    ENIP_CLIENT: $HOME_NET
    ENIP_SERVER: $HOME_NET
    EXTERNAL_NET: '!$HOME_NET'
    HTTP_SERVERS: $HOME_NET
    MODBUS_CLIENT: $HOME_NET
    MODBUS_SERVER: $HOME_NET
    SMTP_SERVERS: $HOME_NET
    SQL_SERVERS: $HOME_NET
    TELNET_SERVERS: $HOME_NET
    include: /data/platform/suricata/conf.d/internal_networks.yaml
  port-groups:
    DNP3_PORTS: 20000
    FILE_DATA_PORTS: '[$HTTP_PORTS,110,143]'
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    HTTP_PORTS: '80'
    MODBUS_PORTS: 502
    ORACLE_PORTS: 1521
    SHELLCODE_PORTS: '!80'
    SSH_PORTS: 22
    TEREDO_PORTS: 3544
    VXLAN_PORTS: 4789
vlan:
  use-for-tracking: true
...
```
