<?php

// This is the template used to generate the suricata.yaml
// configuration file for the interface.  The contents of
// this file are written to the suricata.yaml file for
// the interface.  Key parameters are provided by the
// included string variables.

	$suricata_conf_text = <<<EOD
%YAML 1.1
---

max-pending-packets: {$max_pend_pkts}

# Runmode the engine should use.
runmode: autofp

# If set to auto, the variable is internally switched to 'router' in IPS 
# mode and 'sniffer-only' in IDS mode.
host-mode: auto

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: active-packets

# Daemon working directory
daemon-directory: {$suricatacfgdir}

default-packet-size: 1514

# The default logging directory.
default-log-dir: {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}

# Configure the type of alert (and other) logging.
outputs:

  # alert-pf blocking plugin
  - alert-pf:
      enabled: {$suri_blockoffenders}
      kill-state: {$suri_killstates}
      pass-list: {$suri_passlist}
      block-ip: {$suri_blockip}
      pf-table: {$suri_pf_table}

  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alerts.log
      append: yes
      filetype: regular

  # alert output for use with Barnyard2
  - unified2-alert:
      enabled: {$barnyard2_enabled}
      filename: unified2.alert
      limit: {$unified2_log_limit}
      sensor-id: {$unified2_sensor_id}

  - http-log:
      enabled: {$http_log_enabled}
      filename: http.log
      append: {$http_log_append}
      extended: {$http_log_extended}
      filetype: regular

  - pcap-log:
      enabled: {$pcap_log_enabled}
      filename: log.pcap
      limit: {$pcap_log_limit_size}mb
      max-files: {$pcap_log_max_files}
      mode: normal

  - tls-log:
      enabled: {$tls_log_enabled}
      filename: tls.log
      extended: {$tls_log_extended}
      certs-log-dir: certs

  - stats:
      enabled: {$stats_log_enabled}
      filename: stats.log
      interval: {$stats_upd_interval}
      append: {$stats_log_append}

  - syslog:
      enabled: {$alert_syslog}
      identity: suricata
      facility: {$alert_syslog_facility}
      level: {$alert_syslog_priority}

  - drop:
      enabled: no
      filename: drop.log
      append: yes
      filetype: regular

  - file-store:
      enabled: {$file_store_enabled}
      log-dir: files
      force-magic: {$json_log_magic}
      force-md5: {$json_log_md5}
      waldo: file.waldo

  - file-log:
      enabled: {$json_log_enabled}
      filename: files-json.log
      append: {$json_log_append}
      filetype: regular
      force-magic: {$json_log_magic}
      force-md5: {$json_log_md5}

  - dns-log:
      enabled: {$dns_log_enabled}
      filename: dns.log
      append: {$dns_log_append}
      filetype: regular

  - eve-log:
      enabled: {$enable_eve_log}
      type: {$eve_output_type}
      filename: eve.json
      identity: "suricata"
      facility: {$eve_systemlog_facility}
      level: {$eve_systemlog_priority}
      types: {$eve_out_types}

# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/share/misc/magic

# Specify a threshold config file
threshold-file: {$suricatacfgdir}/threshold.config

detect-engine:
  - profile: {$detect_eng_profile}
  - sgh-mpm-context: {$sgh_mpm_ctx}
  - inspection-recursion-limit: {$inspection_recursion_limit}
  - rule-reload: true
  - delayed-detect: {$delayed_detect}

# Suricata is multi-threaded. Here the threading can be influenced.
threading:
  set-cpu-affinity: no
  detect-thread-ratio: 1.5

mpm-algo: ac

pattern-matcher:
  - b2gc:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2gm:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b2g:
      search-algo: B2gSearchBNDMq
      hash-size: low
      bf-size: medium
  - b3g:
      search-algo: B3gSearchBNDMq
      hash-size: low
      bf-size: medium
  - wumanber:
      hash-size: low
      bf-size: medium

# Defrag settings:
defrag:
  memcap: {$frag_memcap}
  hash-size: {$frag_hash_size}
  trackers: {$ip_max_trackers}
  max-frags: {$ip_max_frags}
  prealloc: yes
  timeout: {$ip_frag_timeout}

# Flow settings:
flow:
  memcap: {$flow_memcap}
  hash-size: {$flow_hash_size}
  prealloc: {$flow_prealloc}
  emergency-recovery: {$flow_emerg_recovery}
  prune-flows: {$flow_prune}

# Specific timeouts for flows.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: {$flow_tcp_new_timeout}
    established: {$flow_tcp_established_timeout}
    closed: {$flow_tcp_closed_timeout}
    emergency-new: {$flow_tcp_emerg_new_timeout}
    emergency-established: {$flow_tcp_emerg_established_timeout}
    emergency-closed: {$flow_tcp_emerg_closed_timeout}
  udp:
    new: {$flow_udp_new_timeout}
    established: {$flow_udp_established_timeout}
    emergency-new: {$flow_udp_emerg_new_timeout}
    emergency-established: {$flow_udp_emerg_established_timeout}
  icmp:
    new: {$flow_icmp_new_timeout}
    established: {$flow_icmp_established_timeout}
    emergency-new: {$flow_icmp_emerg_new_timeout}
    emergency-established: {$flow_icmp_emerg_established_timeout}

stream:
  memcap: {$stream_memcap}
  checksum-validation: no
  inline: auto
  max-sessions: {$stream_max_sessions}
  prealloc-sessions: {$stream_prealloc_sessions}
  midstream: {$stream_enable_midstream}
  async-oneside: {$stream_enable_async}

reassembly:
  memcap: {$reassembly_memcap}
  depth: {$reassembly_depth}
  toserver-chunk-size: {$reassembly_to_server_chunk}
  toclient-chunk-size: {$reassembly_to_client_chunk}

# Host table is used by tagging and per host thresholding subsystems.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 16777216

# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
  {$host_os_policy}

# Logging configuration.  This is not about logging IDS alerts, but
# IDS output about what its doing, errors, etc.
logging:

  # This value is overriden by the SC_LOG_LEVEL env var.
  default-log-level: info
  default-log-format: "%t - <%d> -- "

  # Define your logging outputs.
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/suricata.log
  - syslog:
      enabled: {$suricata_use_syslog}
      facility: {$suricata_use_syslog_facility}
      format: "[%i] <%d> -- "

pcap:
  - interface: {$if_real}
    checksum-checks: auto

# For FreeBSD ipfw(8) divert(4) support.
#   ipfw add 100 divert 8000 ip from any to any
#
# The 8000 above should be the same number you passed on the command
# line, i.e. -d 8000
#
#ipfw:

default-rule-path: {$suricatacfgdir}/rules
rule-files:
 - {$rules_files}

classification-file: {$suricatacfgdir}/classification.config
reference-config-file: {$suricatacfgdir}/reference.config

# Holds variables that would be used by the engine.
vars:

  # Holds the address group vars that would be passed in a Signature.
  address-groups:
    HOME_NET: "[{$home_net}]"
    EXTERNAL_NET: "{$external_net}"
    {$addr_vars}

  # Holds the port group vars that would be passed in a Signature.
  port-groups:
    {$port_vars}

# Set the order of alerts bassed on actions
action-order:
  - pass
  - drop
  - reject
  - alert

# IP Reputation
#reputation-categories-file: {$iprep_path}/categories.txt
#default-reputation-path: {$iprep_path}
#reputation-files:
# - reputation.list

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: {$asn1_max_frames}

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

#recursion and match limits for PCRE where supported
pcre:
  match-limit: 3500
  match-limit-recursion: 1500

# Holds details on the app-layer. The protocols section details each protocol.
app-layer:
  protocols:
    tls:
      enabled: {$tls_parser}
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: {$dcerpc_parser}
    ftp:
      enabled: {$ftp_parser}
    ssh:
      enabled: {$ssh_parser}
    smtp:
      enabled: {$smtp_parser}
    imap:
      enabled: {$imap_parser}
    msn:
      enabled: {$msn_parser}
    smb:
      enabled: {$smb_parser}
      detection-ports:
        dp: 139
    dns:
      global-memcap: {$dns_global_memcap}
      state-memcap: {$dns_state_memcap}
      request-flood: {$dns_request_flood_limit}

      tcp:
        enabled: {$dns_parser_tcp}
        detection-ports:
          dp: 53
      udp:
        enabled: {$dns_parser_udp}
        detection-ports:
          dp: 53
    http:
      enabled: {$http_parser}
      memcap: {$http_parser_memcap}

###########################################################################
# Configure libhtp.
libhtp:
   default-config:
     {$http_hosts_default_policy}

   {$http_hosts_policy}

coredump:
  max-dump: unlimited

EOD;

?>