Suricata configuration

This article provides a sample suricata.yaml file that is the configuration file used by Vectra Sensors that run Vectra Match.

Please note the following:

Different Sensor configurations (numbers of cpu cores, memory, etc) will have different thread and CPU settings in the suricata.yaml file.
- Vectra works to maximize the performance potential for each Sensor type.
- Please see the Vectra Match Performance and Ruleset Optimization Guidance article for more details.
Vectra automatically populates the HOME_NET variable based on the configuration defined in the:
- Internal IP Addresses (CIDR) - "Internal subnet"
  - Viewable in your Vectra UI at Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification
- Excluded Subnet of Internal IP Addresses (CIDR) - "Excluded subnet"
  - Viewable in your Vectra UI at Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification
- Automatically discovered Southside Proxy IPs
  - Viewable at the CLI of your Brain with show proxy --southside command.
- For Example:
  - If you have 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as your Internal subnets
  - And 10.0.0.1, 10.0.0.2, 10.0.0.3 as Southside Proxy IP's,
  - And you've excluded 10.254.1.0/24 in the Excluded subnet,
  - The HOME_NET variable would look like:
    [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,!PROXY_IPs,!EXCLUDE_NET]
  - With PROXY_IPs being [10.0.0.1, 10.0.0.2, 10.0.0.3]
  - And EXCLUDE_NET would be [10.254.1.0/24]
In addition to the HOME_NET Variable, Vectra supports the following variables:
- EXTERNAL_NET variable is [!HOME_NET, PROXY_IPs, EXCLUDE_NET]
- PROXY_IPs is a list of IP's that are automatically added to the PROXY_IPs variable if detected by Vectra's Southside proxy detection.
  - Northside proxies are not factored in here.
  - This variable was introduced in 9.0 and enables users to automatically treat any traffic sent to Proxies as External even if they have an internal address.
  - You can view the list of Southside proxies on the Brain CLI using show proxy --southside
- EXCLUDE_NET
  - The EXCLUDE_NET variable is automatically populated via the Excluded Subnet configuration under Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification
Customers may use any of the supported Variables (HOME_NET, PROXY_IPs, EXCLUDE_NET, and EXTERNAL_NET) in your own rules.
If you have further custom variables, you can always resolve them into the IP netblocks and use those in the rules instead, as this is all that Suricata does when a variable is in the Suricata.yaml file.

Example `internal_networks.yaml` file:

This example file is based on what the Configuration → COVERAGE → Data Sources → Network → Brain Setup > IP Address Classification > Internal IP Addresses (CIDR) contains. The contents of this file is updated every time the data changes or the system discovers new south-side proxies. This file in the included in the underlying Suricata configuration so the variables describe in the prior section can be used in rules.

%YAML 1.1
---
DROP_NET: '[192.168.7.0/24]'
EXCLUDE_NET: '[10.100.1.0/24]'
HOME_NET: '[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,32.100.1.0/24,fd00::/8,!10.100.1.0/24]'
PROXY_IPs: '[]'
...

Example suricata.yaml configuration file (as of v9.1):

%YAML 1.1
---
af-packet:
- cluster-id: 99
  cluster-type: cluster_flow
  defrag: true
  interface: eth0
- interface: default
app-layer:
  protocols:
    bittorrent-dht:
      enabled: true
    dcerpc:
      enabled: true
    dhcp:
      enabled: true
    dnp3:
      detection-ports:
        dp: 20000
      enabled: true
    dns:
      tcp:
        detection-ports:
          dp: 53
        enabled: true
      udp:
        detection-ports:
          dp: 53
        enabled: true
    enip:
      detection-ports:
        dp: 44818
        sp: 44818
      enabled: true
    ftp:
      enabled: true
    http:
      enabled: true
      libhtp:
        default-config:
          double-decode-path: false
          double-decode-query: false
          http-body-inline: auto
          personality: IDS
          request-body-inspect-window: 4kb
          request-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          response-body-decompress-layer-limit: 2
          response-body-inspect-window: 16kb
          response-body-limit: 100kb
          response-body-minimal-inspect-size: 40kb
          swf-decompression:
            compress-depth: 100kb
            decompress-depth: 100kb
            enabled: true
            type: both
        server-config: null
    http2:
      enabled: true
    ike:
      enabled: true
    imap:
      enabled: detection-only
    krb5:
      enabled: true
    modbus:
      detection-ports:
        dp: 502
      enabled: true
      stream-depth: 0
    mqtt:
      enabled: true
    nfs:
      enabled: true
    ntp:
      enabled: true
    pgsql:
      enabled: false
      stream-depth: 0
    quic:
      enabled: true
    rdp:
      enabled: true
    rfb:
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
      enabled: true
    sip:
      enabled: true
    smb:
      detection-ports:
        dp: 139, 445
      enabled: true
    smtp:
      enabled: true
      inspected-tracker:
        content-inspect-min-size: 32768
        content-inspect-window: 4096
        content-limit: 100000
      mime:
        body-md5: false
        decode-base64: true
        decode-mime: true
        decode-quoted-printable: true
        extract-urls: true
        header-value-depth: 2000
      raw-extraction: false
    snmp:
      enabled: true
    ssh:
      enabled: true
    telnet:
      enabled: true
    tftp:
      enabled: true
    tls:
      detection-ports:
        dp: 443
      enabled: true
      ja3-fingerprints: true
      ja4-fingerprints: true
asn1-max-frames: 256
capture: null
classification-file: /etc/suricata/classification.config
coredump:
  max-dump: unlimited
datasets:
  defaults: null
  rules: null
decoder:
  geneve:
    enabled: true
    ports: $GENEVE_PORTS
  teredo:
    enabled: true
    ports: $TEREDO_PORTS
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS
default-log-dir: /data/colossus/capture/suricata/
default-rule-path: /data/platform/suricata/rules
defrag:
  hash-size: 65536
  max-frags: 65535
  memcap: 32mb
  prealloc: true
  timeout: 60
  trackers: 65535
detect:
  custom-values:
    toclient-groups: 100
    toserver-groups: 100
  grouping: null
  inspection-recursion-limit: 3000
  prefilter:
    default: mpm
  profile: high
  profiling:
    grouping:
      dump-to-disk: false
      include-mpm-stats: false
      include-rules: false
  sgh-mpm-context: single
dpdk:
  eal-params:
    file-prefix: suri
    proc-type: primary
    vdev: net_memif,role=client,rsize=14,bsize=10240
  interfaces:
  - checksum-checks: true
    checksum-checks-offload: true
    copy-iface: none
    copy-mode: none
    interface: net_memif
    mbuf-size: 10240
    mempool-cache-size: 257
    mempool-size: 8191
    mtu: 1500
    multicast: true
    promisc: true
    rss-hash-functions: auto
    rx-descriptors: 1024
    socket-id: 1
    threads: 16
    tx-descriptors: 1024
engine-analysis:
  rules: true
  rules-fast-pattern: true
exception-policy: auto
flow:
  emergency-recovery: 30
  hash-size: 65536
  memcap: 256mb
  prealloc: 10000
flow-timeouts:
  default:
    bypassed: 100
    closed: 0
    emergency-bypassed: 50
    emergency-closed: 0
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  icmp:
    bypassed: 100
    emergency-bypassed: 50
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
  tcp:
    bypassed: 100
    closed: 60
    emergency-bypassed: 50
    emergency-closed: 10
    emergency-established: 100
    emergency-new: 5
    established: 600
    new: 60
  udp:
    bypassed: 100
    emergency-bypassed: 50
    emergency-established: 100
    emergency-new: 10
    established: 300
    new: 30
host:
  hash-size: 4096
  memcap: 32mb
  prealloc: 1000
host-mode: auto
host-os-policy:
  bsd: []
  bsd-right: []
  hpux10: []
  hpux11: []
  irix: []
  linux: []
  macos: []
  old-linux: []
  old-solaris: []
  solaris: []
  vista: []
  windows:
  - 0.0.0.0/0
  windows2k3: []
ipfw: null
legacy:
  uricontent: enabled
livedev:
  use-for-tracking: true
logging:
  default-log-level: notice
  default-output-filter: null
  outputs:
  - console:
      enabled: true
  - file:
      enabled: true
      filename: suricata.log
      level: info
  - syslog:
      enabled: false
      facility: local5
      format: '[%i] <%d> -- '
luajit:
  states: 128
mpm-algo: hs
napatech:
  auto-config: true
  enable-stream-stats: false
  hardware-bypass: true
  hashmode: hash5tuplesorted
  inline: false
  ports:
  - 0-1
  - 2-3
  streams:
  - 0-3
netmap:
- interface: eth2
- interface: default
nflog:
- buffer-size: 18432
  group: 2
- group: default
  max-size: 20000
  qthreshold: 1
  qtimeout: 100
nfq: null
outputs:
- fast:
    append: true
    enabled: true
    filename: fast.log
- eve-log:
    enabled: true
    filename: /var/run/colossus/eve.sock
    filetype: unix_stream
    include: /etc/suricata/community_id.yaml
    types:
    - alert:
        enabled: true
        packet: true
        payload: true
        payload-printable: true
        tagged-packets: true
- eve-log:
    enabled: true
    filename: eve-stats.json
    filetype: regular
    types:
    - stats:
        deltas: false
        enabled: true
        threads: false
        totals: true
- http-log:
    append: true
    enabled: false
    filename: http.log
- tls-log:
    append: true
    enabled: false
    filename: tls.log
- tls-store:
    enabled: false
- pcap-log:
    compression: none
    enabled: false
    filename: log.pcap
    honor-pass-rules: false
    limit: 1000mb
    max-files: 2000
    mode: normal
    use-stream-depth: false
- alert-debug:
    append: true
    enabled: false
    filename: alert-debug.log
- stats:
    append: true
    enabled: true
    filename: stats.log
    threads: false
    totals: true
- syslog:
    enabled: false
    facility: local5
- file-store:
    enabled: false
    version: 2
    xff:
      deployment: reverse
      enabled: false
      header: X-Forwarded-For
      mode: extra-data
- tcp-data:
    enabled: false
    filename: tcp-data.log
    type: file
- http-body-data:
    enabled: false
    filename: http-data.log
    type: file
- lua:
    enabled: false
    scripts: null
pcap:
- interface: eth0
- interface: default
pcap-file:
  checksum-checks: auto
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
pfring:
- cluster-id: 99
  cluster-type: cluster_flow
  interface: eth0
  threads: auto
- interface: default
plugins: null
profiling:
  keywords:
    append: true
    enabled: true
    filename: keyword_perf.log
  locks:
    append: true
    enabled: false
    filename: lock_stats.log
  packets:
    append: true
    csv:
      enabled: false
      filename: packet_stats.csv
    enabled: true
    filename: packet_stats.log
  pcap-log:
    append: true
    enabled: false
    filename: pcaplog_stats.log
  prefilter:
    append: true
    enabled: true
    filename: prefilter_perf.log
  rulegroups:
    append: true
    enabled: true
    filename: rule_group_perf.log
  rules:
    append: true
    enabled: true
    filename: rule_perf.log
    json: true
    limit: 10
reference-config-file: /etc/suricata/reference.config
rule-files:
- '*.rules'
runmode: workers
security:
  landlock:
    directories:
      read:
      - /usr/
      - /etc/
    enabled: false
  limit-noproc: true
  lua: null
spm-algo: hs
stats:
  enabled: true
  interval: 8
stream:
  bypass: true
  checksum-validation: false
  inline: auto
  memcap: 64mb
  reassembly:
    depth: 1mb
    memcap: 256mb
    randomize-chunk-size: true
    toclient-chunk-size: 2560
    toserver-chunk-size: 2560
suricata-version: 7.0.8
threading:
  cpu-affinity:
  - management-cpu-set:
      cpu:
      - 0
  - worker-cpu-set:
      cpu:
      - 0
      - 1
      - 2
      - 3
      - 4
      - 5
      - 6
      - 7
      - 8
      - 36
      - 37
      - 38
      - 39
      - 40
      - 41
      - 42
      mode: exclusive
      prio:
        default: high
  detect-thread-ratio: 1.0
  set-cpu-affinity: true
unix-command:
  enabled: true
vars:
  address-groups:
    AIM_SERVERS: $EXTERNAL_NET
    DC_SERVERS: $HOME_NET
    DNP3_CLIENT: $HOME_NET
    DNP3_SERVER: $HOME_NET
    DNS_SERVERS: $HOME_NET
    ENIP_CLIENT: $HOME_NET
    ENIP_SERVER: $HOME_NET
    EXTERNAL_NET: '!$HOME_NET'
    HTTP_SERVERS: $HOME_NET
    MODBUS_CLIENT: $HOME_NET
    MODBUS_SERVER: $HOME_NET
    SMTP_SERVERS: $HOME_NET
    SQL_SERVERS: $HOME_NET
    TELNET_SERVERS: $HOME_NET
    include: /data/platform/suricata/conf.d/internal_networks.yaml
  port-groups:
    DNP3_PORTS: 20000
    FILE_DATA_PORTS: '[$HTTP_PORTS,110,143]'
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    HTTP_PORTS: '80'
    MODBUS_PORTS: 502
    ORACLE_PORTS: 1521
    SHELLCODE_PORTS: '!80'
    SSH_PORTS: 22
    TEREDO_PORTS: 3544
    VXLAN_PORTS: 4789
vlan:
  use-for-tracking: true
...

PreviousPerformance and rulset optimization NextStream

Last updated 8 days ago

Was this helpful?

Good evening

hashtagPlease note the following:

hashtagExample internal_networks.yaml file:

hashtagExample suricata.yaml configuration file (as of v9.1):

Please note the following:

Example `internal_networks.yaml` file:

Example suricata.yaml configuration file (as of v9.1):