Diffstat (limited to 'framework/src/suricata/suricata.yaml.in')
-rw-r--r-- | framework/src/suricata/suricata.yaml.in | 49 |
1 files changed, 44 insertions, 5 deletions
diff --git a/framework/src/suricata/suricata.yaml.in b/framework/src/suricata/suricata.yaml.in
index 56d4d362..af54b527 100644
--- a/framework/src/suricata/suricata.yaml.in
+++ b/framework/src/suricata/suricata.yaml.in
@@ -44,9 +44,13 @@ host-mode: auto
 # user: suri
 # group: suri
 
+# Some logging module will use that name in event as identifier. The default
+# value is the hostname
+#sensor-name: suricata
+
 # Default pid file.
 # Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
+#pid-file: @e_rundir@suricata.pid
 
 # Daemon working directory
 # Suricata will change directory to this one if provided
@@ -92,7 +96,7 @@ outputs:
   # Extensible Event Format (nicknamed EVE) event log in JSON format
   - eve-log:
       enabled: yes
-      filetype: regular #regular|syslog|unix_dgram|unix_stream
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
       #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
@@ -100,6 +104,18 @@ outputs:
       #facility: local5
       #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
+      #redis:
+      #  server: 127.0.0.1
+      #  port: 6379
+      #  mode: list ## possible values: list (default), channel
+      #  key: suricata ## key or channel to use (default to suricata)
+      # Redis pipelining set up. This will enable to only do a query every
+      # 'batch-size' events. This should lower the latency induced by network
+      # connection at the cost of some memory. There is no flushing implemented
+      # so this setting as to be reserved to high traffic suricata.
+      #  pipelining:
+      #    enabled: yes ## set enable to yes to enable query pipelining
+      #    batch-size: 10 ## number of entry to keep in buffer
       types:
         - alert:
             # payload: yes           # enable dumping payload in Base64
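Review bot: The new redis output block documents only `server`, `port`, `mode` and `key`, so there is no visible way to configure authentication or transport protection for the connection, while the events it carries can include alert payloads and HTTP/TLS/SSH/SMTP fields once those eve options are enabled. Operators who follow the example and point `server` at a non-loopback host will be shipping that data in clear to an unauthenticated Redis list that any client with network reach can read or drain. I would add a warning next to `#  server: 127.0.0.1`: `# no authentication or TLS is available for this connection; keep the redis instance on the local host or on a network you trust, since event data is sent unprotected`. The pipelining comment also says there is no flushing, which presumably means up to `batch-size` buffered events are lost when suricata exits; it is worth stating that explicitly, e.g. `# events still in the buffer at shutdown are not delivered`. The sentence `so this setting as to be reserved` should read `so this setting has to be reserved`.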
@@ -108,6 +124,7 @@ outputs:
             # http: yes              # enable dumping of http fields
             # tls: yes               # enable dumping of tls fields
             # ssh: yes               # enable dumping of ssh fields
+            # smtp: yes              # enable dumping of smtp fields
 
             # HTTP X-Forwarded-For support by adding an extra field or overwriting
             # the source or destination IP address (depending on flow direction)
@@ -139,7 +156,19 @@ outputs:
             force-md5: no     # force logging of md5 checksums
         #- drop:
         #    alerts: no      # log alerts that caused drops
-        - smtp
+        - smtp:
+            #extended: yes # enable this for extended logging information
+            # this includes: bcc, message-id, subject, x_mailer, user-agent
+            # custom fields logging from the list:
+            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+            #  x-originating-ip, in-reply-to, references, importance, priority,
+            #  sensitivity, organization, content-md5, date
+            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+            # output md5 of fields: body, subject
+            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+            # to yes
+            #md5: [body, subject]
+
         - ssh
         - stats:
             totals: yes       # stats for all threads merged together
@@ -162,6 +191,10 @@ outputs:
       # Sensor ID field of unified2 alerts.
       #sensor-id: 0
 
+      # Include payload of packets related to alerts. Defaults to true, set to
+      # false if payload is not required.
+      #payload: yes
+
       # HTTP X-Forwarded-For support by adding the unified2 extra header or
       # overwriting the source or destination IP address (depending on flow
       # direction) with the one reported in the X-Forwarded-For HTTP header.
@@ -947,7 +980,7 @@ logging:
   #      type: json
   - file:
       enabled: no
-      filename: /var/log/suricata.log
+      filename: @e_logdir@suricata.log
   #      type: json
   - syslog:
       enabled: no
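Review bot: The example `#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]` lists `relays`, but `relays` does not appear in the enumerated list of allowed custom fields two lines above (reply-to, bcc, message-id, subject, x-mailer, user-agent, received, x-originating-ip, in-reply-to, references, importance, priority, sensitivity, organization, content-md5, date), so either the list is incomplete or the example will be rejected or silently ignored when uncommented. One of the two should be corrected; if `relays` is a valid field, add it to the list, otherwise drop it from the example. The same `extended` comment names `x_mailer` with an underscore while the field list uses `x-mailer`; pick one spelling. Since `bcc`, `subject` and `received` are personal data that will end up in eve.json, a short note such as `# note: bcc, subject and received headers may contain personal data; restrict access to the log file accordingly` would help operators enabling this in regulated environments.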
@@ -1291,6 +1324,9 @@ app-layer:
        # Extract URLs and save in state data structure
        extract-urls: yes
+       # Set to yes to compute the md5 of the mail body. You will then
+       # be able to journalize it.
+       body-md5: no
 
       # Configure inspected-tracker for file_data keyword
       inspected-tracker:
         content-limit: 1000
@@ -1475,9 +1511,12 @@ profiling:
     # Sort options: ticks, avgticks, checks, matches, maxticks
     sort: avgticks
 
-    # Limit the number of items printed at exit.
+    # Limit the number of items printed at exit (ignored for json).
     limit: 100
 
+    # output to json
+    json: true
+
   # per keyword profiling
   keywords:
     enabled: yes |
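Review bot: The new `json: true` under profiling uses `true` where every other boolean in this file, including the adjacent `enabled: yes` and `totals: yes` in the earlier hunk, uses `yes`/`no`; mixing the two spellings in one config invites confusion about which forms the loader accepts. I would write `json: yes` to match the file's convention, and make the comment say what it controls, e.g. `# write the rules profiling output as JSON instead of the text table (limit is ignored in that case)`. The `body-md5` comment in the first hunk could likewise be tied to its consumer: `# Set to yes to compute the md5 of the mail body; required for the "body" entry of the eve-log smtp md5 option.`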