%YAML 1.1
---
# Suricata sensor configuration: passive AF_PACKET capture on a single
# interface, alerts to fast.log, structured events to eve.json, plus full
# packet capture. Only the sections overridden here are listed; every other
# setting comes from Suricata's built-in defaults.

vars:
  address-groups:
    # NOTE(review): HOME_NET is a single /24 and EXTERNAL_NET is simply its
    # negation, so any other range (including other RFC1918 space) counts as
    # external. Confirm this matches the monitored network, otherwise
    # $EXTERNAL_NET -> $HOME_NET rules will misfire on internal traffic.
    HOME_NET: "[192.168.100.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    # ICS/SCADA groups default to the local network.
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    # NOTE(review): HTTP_PORTS is only 80; rules keyed on $HTTP_PORTS will not
    # fire on alternate web ports (e.g. 8080) unless the list is widened.
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
    SIP_PORTS: "[5060, 5061]"

# Non-default log location. Everything below (eve.json, fast.log, full pcaps)
# is written here, so restrict the directory to the Suricata service account:
# the pcaps and eve records carry raw payload-derived data.
default-log-dir: /home/logging/logs

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

# Rule files are resolved relative to default-rule-path, i.e.
# /etc/suricata/rules/suricata.rules.
# NOTE(review): if rules are maintained with suricata-update, its default
# output directory is /var/lib/suricata/rules — confirm the updater actually
# writes to this path, or the sensor will run a stale ruleset.
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules

stats:
  enabled: yes

# Passive capture: no copy-mode is set, so this is IDS only (no inline drop).
af-packet:
  - interface: enp6s18
    use-mmap: yes
    tpacket-v3: yes
    cluster-id: 99
    # Flow-based fanout keeps all packets of a flow on one worker thread;
    # defrag makes fragments of that flow follow the same path.
    cluster-type: cluster_flow
    defrag: yes

outputs:
  # One-line alert log, appended across restarts.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Structured JSON event log (one record per line).
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            # Also emit packets selected by the 'tag' rule keyword.
            tagged-packets: yes
        - http:
            extended: yes
        - http2
        - dns:
            enabled: yes
        - tls:
            extended: yes
        - flow
        - mqtt
        - ssh
        - dhcp:
            enabled: yes
        - arp:
            enabled: yes
        - ldap
        - quic
        - sip
        - rfb
        - snmp
        - bittorrent-dht
        - krb5
        - dcerpc
        - ike
        - tftp
        - smb
        - nfs
        - rdp
        - ftp
        - websocket
        - smtp

  # Full packet capture of all inspected traffic: rotates at 1gb and keeps
  # 20 files, so budget roughly 20 GB on disk. These files contain complete
  # payloads — treat them as sensitive and apply retention/access controls.
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1gb
      max-files: 20

  # Engine counters; totals only, no per-thread breakdown.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes
      totals: yes
      threads: no