updating .env, env.example and compose files regarding sentrypeer ENVs
make glutton image aware of payloads feature
bump glutton to latest master, alpine 3.19, multi-stage build
bump ipphoney to alpine 3.19
bump mailoney to alpine 3.19, adjust for py3
revert medpot to previous master, use multi stage build and alpine 3.19
bump cyberchef to latest master
bump nginx to alpine 3.19
bump p0f to alpine 3.19, use multi stage build
bump redishoneypot to alpine 3.19, use multi stage build
bump sentrypeer to latest master, fix bug for open ports in compose files, now all tcp/5060, udp/5060 traffic will be seen
bump spiderfoot to latest master
bump spiderfoot to alpine 3.19
bump suricata to 7.0.2, fix performance issue with capture-filter-bpf by reducing the rules
update clean.sh to include glutton payloads folder
This commit is contained in:
t3chn0m4g3
2024-03-09 12:11:14 +01:00
parent c45870594b
commit 97adcbeb1b
43 changed files with 5039 additions and 315 deletions


@ -5,13 +5,13 @@ COPY dist/ /root/dist/
#
# Install packages
RUN apk -U --no-cache add \
ca-certificates \
curl \
file \
hiredis \
libcap \
wget \
suricata && \
ca-certificates \
curl \
file \
hiredis \
libcap \
wget \
suricata && \
#
# Setup user, groups and configs
addgroup -g 2000 suri && \


@ -1,6 +1,3 @@
not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
not (host rules.emergingthreats.net or rules.emergingthreatspro.com) and
not (host deb.debian.org) and
not (host ghcr.io) and
not (host index.docker.io or docker.io) and
not (tcp port 64294) and
not (tcp port 64305)
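Review bot: Whichever `host` clauses survive the reduction are resolved to IP addresses once, when Suricata compiles this filter at startup, so a name such as `rules.emergingthreats.net` or `ghcr.io` that sits behind a CDN with changing addresses will later either stop matching (management traffic leaks into capture) or exclude unrelated traffic that happens to land on the same address (a detection blind spot). The rendered hunk does not show which of the six old lines are kept, so this applies to every remaining `host` term; prefer exclusions by fixed local port or by address ranges under your control, as the `tcp port 64294` / `tcp port 64305` terms already do, and keep hostname exclusions to a minimum. Also confirm the new final line carries no trailing `and`, since a dangling connector makes the whole filter fail to compile and Suricata then captures nothing.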


@ -3,7 +3,10 @@
# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
# https://docs.suricata.io/en/latest/configuration/suricata-yaml.html
# This configuration file generated by Suricata 7.0.2.
suricata-version: "7.0"
##
## Step 1: Inform Suricata about your network
@ -18,8 +21,8 @@ vars:
#HOME_NET: "[172.16.0.0/12]"
#HOME_NET: "any"
#EXTERNAL_NET: "!$HOME_NET"
EXTERNAL_NET: "any"
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
@ -67,10 +70,14 @@ stats:
#decoder-events: true
# Decoder event prefix in stats. Has been 'decoder' before, but that leads
# to missing events in the eve.stats records. See issue #2225.
decoder-events-prefix: "decoder.event"
#decoder-events-prefix: "decoder.event"
# Add stream events as stats.
#stream-events: false
# Plugins -- Experimental -- specify the filename for each plugin shared object
plugins:
# - /path/to/plugin.so
# Configure the type of alert (and other) logging you would like.
outputs:
# a line based alerts log similar to Snort's fast.log
@ -86,7 +93,7 @@ outputs:
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
# Enable for multi-threaded eve.json output; output files are amended with
# with an identifier, e.g., eve.9.json
# an identifier, e.g., eve.9.json
#threaded: false
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
@ -161,6 +168,14 @@ outputs:
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# Enable logging the final action taken on a packet by the engine
# (e.g: the alert may have action 'allowed' but the verdict be
# 'drop' due to another alert. That's the engine's verdict)
# verdict: yes
# app layer frames
- frame:
# disabled by default as this is very verbose.
enabled: no
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
@ -206,7 +221,7 @@ outputs:
- dns:
# This configuration uses the new DNS logging format,
# the old configuration is still available:
# https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# As of Suricata 5.0, version 2 of the eve dns output
# format is the default.
@ -247,6 +262,9 @@ outputs:
# alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt.
# Enable logging the final action taken on a packet by the engine
# (will show more information in case of a drop caused by 'reject')
# verdict: yes
- smtp:
extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
@ -254,7 +272,7 @@ outputs:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# x-originating-ip, in-reply-to, references, importance, priority,
# sensitivity, organization, content-md5, date
custom: [reply-to, bcc, message-id, subject, x-mailer, user-agent, received, x-originating-ip, in-reply-to, references, organization, date]
custom: [bcc, message-id, subject, x_mailer, user-agent, reply-to, received, x-originating-ip, in-reply-to, references, importance, priority, sensitivity, organization, content-md5, date, relays]
# output md5 of fields: body, subject
# for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes
@ -266,12 +284,14 @@ outputs:
- nfs
- smb
- tftp
- ikev2
- ike
- dcerpc
- krb5
- bittorrent-dht
- snmp
- rfb
- sip
- quic
- dhcp:
enabled: no
# When extended mode is on, all DHCP messages are logged
@ -282,16 +302,16 @@ outputs:
- ssh
- mqtt:
passwords: yes # enable output of passwords
# HTTP2 logging. HTTP2 support is currently experimental and
# disabled by default. To enable, uncomment the following line
# and be sure to enable http2 in the app-layer section.
#- http2
- http2
- pgsql:
enabled: yes
passwords: yes # enable output of passwords. Disabled by default
#- stats:
#totals: yes # stats for all threads merged together
#threads: no # per thread stats
#deltas: no # include delta values
# totals: no # stats for all threads merged together
# threads: no # per thread stats
# deltas: no # include delta values
# bi-directional flows
#- flow
- flow
# uni-directional flows
#- netflow
@ -300,6 +320,16 @@ outputs:
# flowints.
#- metadata
# EXPERIMENTAL per packet output giving TCP state tracking details
# including internal state, flags, etc.
# This output is experimental, meant for debugging and subject to
# change in both config and output without any notice.
#- stream:
# all: false # log all TCP packets
# event-set: false # log packets that have a decoder/stream event
# state-update: false # log packets triggering a TCP state update
# spurious-retransmission: false # log spurious retransmission packets
# a line based log of HTTP requests (no alerts)
- http-log:
enabled: no
@ -390,6 +420,9 @@ outputs:
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
# Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag"
# to log only flow tagged via the "tag" keyword
#conditional: all
# a full alert log containing much information for signature writers
# or for investigating suspected false positives.
@ -399,14 +432,6 @@ outputs:
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# alert output to prelude (https://www.prelude-siem.org/) only
# available if Suricata has been compiled with --enable-prelude
- alert-prelude:
enabled: no
profile: suricata
log-packet-content: no
log-packet-header: yes
# Stats.log contains data from various counters of the Suricata engine.
- stats:
enabled: no
@ -521,7 +546,7 @@ outputs:
# Lua Output Support - execute lua script to generate alert and event
# output.
# Documented at:
# https://suricata.readthedocs.io/en/latest/output/lua-output.html
# https://docs.suricata.io/en/latest/output/lua-output.html
- lua:
enabled: no
#scripts-dir: /etc/suricata/lua-output/
@ -542,8 +567,11 @@ logging:
# something reasonable if not provided. Can be overridden in an
# output section. You can leave this out to get the default.
#
# This value is overridden by the SC_LOG_FORMAT env var.
#default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
# This console log format value can be overridden by the SC_LOG_FORMAT env var.
#default-log-format: "%D: %S: %M"
#
# For the pre-7.0 log format use:
#default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- "
# A regex to filter output. Can be overridden in an output section.
# Defaults to empty (no filter).
@ -551,6 +579,11 @@ logging:
# This value is overridden by the SC_LOG_OP_FILTER env var.
default-output-filter:
# Requires libunwind to be available when Suricata is configured and built.
# If a signal unexpectedly terminates Suricata, displays a brief diagnostic
# message with the offending stacktrace if enabled.
#stacktrace-on-signal: on
# Define your logging outputs. If none are defined, or they are all
# disabled you will get the default: console output.
outputs:
@ -561,6 +594,7 @@ logging:
enabled: yes
level: info
filename: /var/log/suricata/suricata.log
# format: "[%i - %m] %z %d: %S: %M"
# type: json
- syslog:
enabled: no
@ -594,6 +628,7 @@ af-packet:
# more info.
# Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system
# with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)
# cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow.
cluster-type: cluster_flow
# In some fragmentation cases, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
@ -656,6 +691,117 @@ af-packet:
#use-mmap: no
#tpacket-v3: yes
# Linux high speed af-xdp capture support
af-xdp:
- interface: default
# Number of receive threads. "auto" uses least between the number
# of cores and RX queues
#threads: auto
#disable-promisc: false
# XDP_DRV mode can be chosen when the driver supports XDP
# XDP_SKB mode can be chosen when the driver does not support XDP
# Possible values are:
# - drv: enable XDP_DRV mode
# - skb: enable XDP_SKB mode
# - none: disable (kernel in charge of applying mode)
#force-xdp-mode: none
# During socket binding the kernel will attempt zero-copy, if this
# fails it will fallback to copy. If this fails, the bind fails.
# The bind can be explicitly configured using the option below.
# If configured, the bind will fail if not successful (no fallback).
# Possible values are:
# - zero: enable zero-copy mode
# - copy: enable copy mode
# - none: disable (kernel in charge of applying mode)
#force-bind-mode: none
# Memory alignment mode can vary between two modes, aligned and
# unaligned chunk modes. By default, aligned chunk mode is selected.
# select 'yes' to enable unaligned chunk mode.
# Note: unaligned chunk mode uses hugepages, so the required number
# of pages must be available.
#mem-unaligned: no
# The following options configure the prefer-busy-polling socket
# options. The polling time and budget can be edited here.
# Possible values are:
# - yes: enable (default)
# - no: disable
#enable-busy-poll: yes
# busy-poll-time sets the approximate time in microseconds to busy
# poll on a blocking receive when there is no data.
#busy-poll-time: 20
# busy-poll-budget is the budget allowed for packet batches
#busy-poll-budget: 64
# These two tunables are used to configure the Linux OS's NAPI
# context. Their purpose is to defer enabling of interrupts and
# instead schedule the NAPI context from a watchdog timer.
# The softirq NAPI will exit early, allowing busy polling to be
# performed. Successfully setting these tunables alongside busy-polling
# should improve performance.
# Defaults are:
#gro-flush-timeout: 2000000
#napi-defer-hard-irq: 2
dpdk:
eal-params:
proc-type: primary
# DPDK capture support
# RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio
interfaces:
- interface: 0000:3b:00.0 # PCIe address of the NIC port
# Threading: possible values are either "auto" or number of threads
# - auto takes all cores
# in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match
threads: auto
promisc: true # promiscuous mode - capture all packets
multicast: true # enables also detection on multicast packets
checksum-checks: true # if Suricata should validate checksums
checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
mtu: 1500 # Set MTU of the device in bytes
# rss-hash-functions: 0x0 # advanced configuration option, use only if you use untested NIC card and experience RSS warnings,
# For `rss-hash-functions` use hexadecimal 0x01ab format to specify RSS hash function flags - DumpRssFlags can help (you can see output if you use -vvv option during Suri startup)
# setting auto to rss_hf sets the default RSS hash functions (based on IP addresses)
# To approximately calculate required amount of space (in bytes) for interface's mempool: mempool-size * mtu
# Make sure you have enough allocated hugepages.
# The optimum size for the packet memory pool (in terms of memory usage) is power of two minus one: n = (2^q - 1)
mempool-size: 65535 # The number of elements in the mbuf pool
# Mempool cache size must be lower or equal to:
# - RTE_MEMPOOL_CACHE_MAX_SIZE (by default 512) and
# - "mempool-size / 1.5"
# It is advised to choose cache_size to have "mempool-size modulo cache_size == 0".
# If this is not the case, some elements will always stay in the pool and will never be used.
# The cache can be disabled if the cache_size argument is set to 0, can be useful to avoid losing objects in cache
# If the value is empty or set to "auto", Suricata will attempt to set cache size of the mempool to a value
# that matches the previously mentioned recommendations
mempool-cache-size: 257
rx-descriptors: 1024
tx-descriptors: 1024
#
# IPS mode for Suricata works in 3 modes - none, tap, ips
# - none: IDS mode only - disables IPS functionality (does not further forward packets)
# - tap: forwards all packets and generates alerts (omits DROP action) This is not DPDK TAP
# - ips: the same as tap mode but it also drops packets that are flagged by rules to be dropped
copy-mode: none
copy-iface: none # or PCIe address of the second interface
- interface: default
threads: auto
promisc: true
multicast: true
checksum-checks: true
checksum-checks-offload: true
mtu: 1500
rss-hash-functions: auto
mempool-size: 65535
mempool-cache-size: 257
rx-descriptors: 1024
tx-descriptors: 1024
copy-mode: none
copy-iface: none
# Cross platform libpcap capture support
pcap:
- interface: eth0
@ -706,27 +852,40 @@ pcap-file:
## Step 4: App Layer Protocol configuration
##
# Configure the app-layer parsers. The protocol's section details each
# protocol.
# Configure the app-layer parsers.
#
# The error-policy setting applies to all app-layer parsers. Values can be
# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or
# "ignore" (the default).
#
# The protocol's section details each protocol.
#
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
# error-policy: ignore
protocols:
telnet:
enabled: yes
rfb:
enabled: yes
detection-ports:
dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
# MQTT, disabled by default.
mqtt:
enabled: yes
max-msg-length: 1mb
# max-msg-length: 1mb
# subscribe-topic-match-limit: 100
# unsubscribe-topic-match-limit: 100
# Maximum number of live MQTT transactions per flow
# max-tx: 4096
krb5:
enabled: yes
bittorrent-dht:
enabled: yes
snmp:
enabled: yes
ikev2:
ike:
enabled: yes
tls:
enabled: yes
@ -751,8 +910,16 @@ app-layer:
#
#encryption-handling: default
pgsql:
enabled: yes
# Stream reassembly size for PostgreSQL. By default, track it completely.
stream-depth: 0
# Maximum number of live PostgreSQL transactions per flow
# max-tx: 1024
dcerpc:
enabled: yes
# Maximum number of live DCERPC transactions per flow
# max-tx: 1024
ftp:
enabled: yes
# memcap: 64mb
@ -761,9 +928,12 @@ app-layer:
ssh:
enabled: yes
hassh: yes
# HTTP2: Experimental HTTP 2 support. Disabled by default.
http2:
enabled: no
enabled: yes
# Maximum number of live HTTP2 streams in a flow
#max-streams: 4096
# Maximum headers table size
#max-table-size: 65536
smtp:
enabled: yes
raw-extraction: no
@ -785,6 +955,12 @@ app-layer:
# Extract URLs and save in state data structure
extract-urls: yes
# Scheme of URLs to extract
# (default is [http])
extract-urls-schemes: [http, https, ftp, mailto]
# Log the scheme of URLs that are extracted
# (default is no)
log-url-scheme: yes
# Set to yes to compute the md5 of the mail body. You will then
# be able to journalize it.
body-md5: yes
@ -799,12 +975,15 @@ app-layer:
enabled: yes
detection-ports:
dp: 139, 445
# Maximum number of live SMB transactions per flow
# max-tx: 1024
# Stream reassembly size for SMB streams. By default track it completely.
#stream-depth: 0
nfs:
enabled: yes
# max-tx: 1024
tftp:
enabled: yes
dns:
@ -818,6 +997,12 @@ app-layer:
dp: 53
http:
enabled: yes
# Byte Range Containers default settings
# byterange:
# memcap: 100mb
# timeout: 60
# memcap: Maximum memory capacity for HTTP
# Default is unlimited, values can be 64mb, e.g.
@ -861,7 +1046,7 @@ app-layer:
# auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto
# Decompress SWF files.
# Decompress SWF files. Disabled by default.
# Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
# compress-depth:
# Specifies the maximum amount of data to decompress,
@ -870,10 +1055,10 @@ app-layer:
# Specifies the maximum amount of decompressed data to obtain,
# set 0 for unlimited.
swf-decompression:
enabled: yes
enabled: no
type: both
compress-depth: 0
decompress-depth: 0
compress-depth: 100kb
decompress-depth: 100kb
# Use a random value for inspection sizes around the specified value.
# This lowers the risk of some evasion techniques but could lead
@ -897,6 +1082,8 @@ app-layer:
# Maximum decompressed size with a compression ratio
# above 2048 (only LZMA can reach this ratio, deflate cannot)
#compression-bomb-limit: 1mb
# Maximum time spent decompressing a single transaction in usec
#decompression-time-limit: 100000
server-config:
@ -952,7 +1139,7 @@ app-layer:
# SCADA EtherNet/IP and CIP protocol support
enip:
enabled: no
enabled: yes
detection-ports:
dp: 44818
sp: 44818
@ -960,6 +1147,9 @@ app-layer:
ntp:
enabled: yes
quic:
enabled: yes
dhcp:
enabled: no
@ -970,12 +1160,23 @@ app-layer:
asn1-max-frames: 256
# Datasets default settings
# datasets:
# # Default fallback memcap and hashsize values for datasets in case these
# # were not explicitly defined.
# defaults:
# memcap: 100mb
# hashsize: 2048
datasets:
# Default fallback memcap and hashsize values for datasets in case these
# were not explicitly defined.
defaults:
#memcap: 100mb
#hashsize: 2048
rules:
# Set to true to allow absolute filenames and filenames that use
# ".." components to reference parent directories in rules that specify
# their filenames.
#allow-absolute-filenames: false
# Allow datasets in rules write access for "save" and
# "state". This is enabled by default, however write access is
# limited to the data directory.
#allow-write: true
##############################################################################
##
@ -992,6 +1193,27 @@ run-as:
user: suri
group: suri
security:
# if true, prevents process creation from Suricata by calling
# setrlimit(RLIMIT_NPROC, 0)
limit-noproc: true
# Use landlock security module under Linux
landlock:
enabled: no
directories:
#write:
# - /var/run/
# /usr and /etc folders are added to read list to allow
# file magic to be used.
read:
- /usr/
- /etc/
- /etc/suricata/
lua:
# Allow Lua rules. Disabled by default.
#allow-rules: false
# Some logging modules will use that name in event as identifier. The default
# value is the hostname
#sensor-name: suricata
@ -1046,6 +1268,8 @@ host-mode: auto
#
# hash - Flow assigned to threads using the 5-7 tuple hash.
# ippair - Flow assigned to threads using addresses only.
# ftp-hash - Flow assigned to threads using the hash, except for FTP, so that
# ftp-data flows will be handled by the same thread
#
#autofp-scheduler: hash
@ -1061,12 +1285,12 @@ host-mode: auto
# activated in live capture mode. You can use the filename variable to set
# the file name of the socket.
unix-command:
enabled: yes
enabled: auto
#filename: custom.socket
# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
magic-file: /usr/share/misc/magic.mgc
magic-file: /usr/share/misc/magic.mgc
#magic-file:
# GeoIP2 database file. Specify path and filename of GeoIP2 database
# if using rules with "geoip" rule option.
@ -1087,6 +1311,22 @@ legacy:
# - reject
# - alert
# Define maximum number of possible alerts that can be triggered for the same
# packet. Default is 15
#packet-alert-max: 15
# Exception Policies
#
# Define a common behavior for all exception policies.
# In IPS mode, the default is drop-flow. For cases when that's not possible, the
# engine will fall to drop-packet. To fallback to old behavior (setting each of
# them individually, or ignoring all), set this to ignore.
# All values available for exception policies can be used, and there is one
# extra option: auto - which means drop-flow or drop-packet (as explained above)
# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet,
# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
exception-policy: auto
# IP Reputation
#reputation-categories-file: /etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
@ -1134,8 +1374,11 @@ host-os-policy:
# Defrag settings:
# The memcap-policy value can be "drop-packet", "pass-packet", "reject" or
# "ignore" (which is the default).
defrag:
memcap: 32mb
# memcap-policy: ignore
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
@ -1175,9 +1418,12 @@ defrag:
# last time seen flows.
# The memcap can be specified in kb, mb, gb. Just a number indicates it's
# in bytes.
# The memcap-policy can be "drop-packet", "pass-packet", "reject" or "ignore"
# (which is the default).
flow:
memcap: 128mb
#memcap-policy: ignore
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
@ -1191,6 +1437,12 @@ flow:
vlan:
use-for-tracking: true
# This option controls the use of livedev ids in the flow (and defrag)
# hashing. This is enabled by default and should be disabled if
# multiple live devices are used to capture traffic from the same network
livedev:
use-for-tracking: true
# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determines the seconds to wait after a handshake or
@ -1248,8 +1500,11 @@ flow-timeouts:
# engine is configured.
#
# stream:
# memcap: 32mb # Can be specified in kb, mb, gb. Just a
# memcap: 64mb # Can be specified in kb, mb, gb. Just a
# # number indicates it's in bytes.
# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
# # "drop-packet", "pass-packet", "reject" or
# # "ignore" default is "ignore"
# checksum-validation: yes # To validate the checksum of received
# # packet. If csum validation is specified as
# # "yes", then packets with invalid csum values will not
@ -1259,19 +1514,28 @@ flow-timeouts:
# # of checksum. You can control the handling of checksum
# # on a per-interface basis via the 'checksum-checks'
# # option
# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread
# midstream: false # don't allow midstream session pickups
# midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
# # "drop-packet", "pass-packet", "reject" or
# # "ignore" default is "ignore"
# async-oneside: false # don't enable async stream handling
# inline: no # stream inline mode
# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
# max-syn-queued: 10 # Max different SYNs to queue
# max-synack-queued: 5 # Max different SYN/ACKs to queue
# bypass: no # Bypass packets when stream.reassembly.depth is reached.
# # Warning: first side to reach this triggers
# # the bypass.
# liberal-timestamps: false # Treat all timestamps as if the Linux policy applies. This
# # means it's slightly more permissive. Enabled by default.
#
# reassembly:
# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
# memcap: 256mb # Can be specified in kb, mb, gb. Just a number
# # indicates it's in bytes.
# memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass",
# # "drop-packet", "pass-packet", "reject" or
# # "ignore" default is "ignore"
# depth: 1mb # Can be specified in kb, mb, gb. Just a number
# # indicates it's in bytes.
# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
@ -1305,10 +1569,14 @@ flow-timeouts:
#
stream:
memcap: 64mb
#memcap-policy: ignore
checksum-validation: yes # reject incorrect csums
#midstream: false
#midstream-policy: ignore
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 256mb
#memcap-policy: ignore
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
@ -1359,6 +1627,9 @@ decoder:
enabled: true
ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
# maximum number of decoder layers for a packet
# max-layers: 16
##
## Performance tuning and profiling
##
@ -1492,6 +1763,14 @@ threading:
# thread will always be created.
#
detect-thread-ratio: 1.0
#
# By default, the per-thread stack size is left to its default setting. If
# the default thread stack size is too small, use the following configuration
# setting to change the size. Note that if any thread's stack size cannot be
# set to this value, a fatal error occurs.
#
# Generally, the per-thread stack-size should not exceed 8MB.
#stack-size: 8mb
# Luajit has a strange memory requirement, its 'states' need to be in the
# first 2G of the process' memory.
@ -1507,9 +1786,9 @@ luajit:
#
profiling:
# Run profiling for every X-th packet. The default is 1, which means we
# profile every packet. If set to 1000, one packet is profiled for every
# 1000 received.
#sample-rate: 1000
# profile every packet. If set to 1024, one packet is profiled for every
# 1024 received. The sample rate must be a power of 2.
#sample-rate: 1024
# rule profiling
rules:
@ -1594,7 +1873,7 @@ profiling:
# accept the packet if Suricata is not able to keep pace.
# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is
# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask
# on packet of a flow that need to be bypassed. The Nefilter ruleset has to
# on packet of a flow that need to be bypassed. The Netfilter ruleset has to
# directly accept all packets of a flow once a packet has been marked.
nfq:
# mode: accept
@ -1634,7 +1913,7 @@ capture:
#disable-offloading: false
#
# disable checksum validation. Same as setting '-k none' on the
# commandline.
# command-line.
#checksum-validation: none
# Netmap support
@ -1703,7 +1982,13 @@ pfring:
cluster-id: 99
# Default PF_RING cluster type. PF_RING can load balance per flow.
# Possible values are cluster_flow or cluster_round_robin.
# Possible values are:
# - cluster_flow: 6-tuple: <src ip, src_port, dst ip, dst port, proto, vlan>
# - cluster_inner_flow: 6-tuple: <src ip, src port, dst ip, dst port, proto, vlan>
# - cluster_inner_flow_2_tuple: 2-tuple: <src ip, dst ip >
# - cluster_inner_flow_4_tuple: 4-tuple: <src ip, src port, dst ip, dst port >
# - cluster_inner_flow_5_tuple: 5-tuple: <src ip, src port, dst ip, dst port, proto >
# - cluster_round_robin (NOT RECOMMENDED)
cluster-type: cluster_flow
# bpf filter for this interface
@ -1762,12 +2047,6 @@ ipfw:
napatech:
# The Host Buffer Allowance for all streams
# (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
# This may be enabled when sharing streams with another application.
# Otherwise, it should be turned off.
#hba: -1
# When use_all_streams is set to "yes" the initialization code will query
# the Napatech service for all configured streams and listen on all of them.
# When set to "no" the streams config array will be used.
@ -1863,14 +2142,15 @@ napatech:
##
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
- suricata.rules
##
## Auxiliary configuration files.
##
classification-file: /var/lib/suricata/rules/classification.config
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config
@ -1882,6 +2162,6 @@ reference-config-file: /etc/suricata/reference.config
# in this configuration file. Files with relative pathnames will be
# searched for in the same directory as this configuration file. You may
# use absolute pathnames too.
# You can specify more than 2 configuration files, if needed.
#include: include1.yaml
#include: include2.yaml
#include:
# - include1.yaml
# - include2.yaml
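Review bot: `EXTERNAL_NET` changes from `"any"` to `"!$HOME_NET"` in the hunk at `@ -18,8 +21,8 @@ vars:` (old value printed first), which reads like the upstream 7.0.2 default carried over by the regeneration rather than a deliberate choice; every `$EXTERNAL_NET -> $HOME_NET` rule now ignores sources inside HOME_NET, and if HOME_NET (defined just above the hunk) is `"any"` the negation matches nothing and those rules go silent. Unless the narrowing is intended, restore `EXTERNAL_NET: "any"` and add a comment such as `# honeypot: alert on every source, do not exclude HOME_NET` so the next regeneration does not revert it again. The same regeneration moves `classification-file` from `/var/lib/suricata/rules/classification.config` to `/etc/suricata/classification.config` in the hunk at `@ -1863,14 +2142,15 @@`; if the rules under `default-rule-path: /var/lib/suricata/rules` are produced by suricata-update, the classification file it writes alongside them is the one that matches the rule set, so confirm the `/etc/suricata` copy exists in the image and is kept in step.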

2167
docker/suricata/dist/suricata_new.yaml vendored Normal file


1887
docker/suricata/dist/suricata_old.yaml vendored Normal file



@ -19,4 +19,4 @@ services:
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
- $HOME/tpotce/data/suricata/log:/var/log/suricata
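Review bot: The new bind mount `$HOME/tpotce/data/suricata/log:/var/log/suricata` depends on `HOME` in the environment of whoever runs `docker compose`; under `sudo`, a systemd unit or a cron job it may point at a different user's home or be unset, and on an unset variable Compose only warns and substitutes an empty string, so the host directory `/tpotce/data/suricata/log` is silently created and mounted instead. Fail fast with `- ${HOME:?HOME must be set}/tpotce/data/suricata/log:/var/log/suricata`, or better, use one data-path variable declared in the `.env` this commit already updates so every compose file resolves the same directory. The enclosing `services:` block starts outside the hunk.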