Help configuring Suricata

Hello Suricata experts,
I am a self-hoster deploying Suricata to monitor my network traffic. Not being a network expert, I have some difficulties figuring out how I should declare the ports in the dedicated variables in the suricata.yaml in order to fully benefit from the monitoring. My main concerns are about the following ports:

  • SMTP ports 25 and 465,
  • IMAP4 port 993,
  • TURN and STUN ports 3478 and 5349 (both TCP and UDP),
  • TURN range 49152-49272/UDP
  • VPN port 51820/UDP.

Any clue in which variable I should insert each of them?

Note that the rule variables are variables used during rule evaluation/loading.

If the rules don’t reference the rule variables, then the rule variables are unused.

If you’re not referring to rule variables, then the default values used by Suricata are a good place to start. Suricata will auto recognize many protocols, including smtp and imap.
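To make the answer concrete, here is an added example (not from the original thread) of how the ports from the question could be declared in the `vars` section of suricata.yaml, together with a rule line that actually references them. The home network address, the server addresses and the variable names other than `HOME_NET`, `EXTERNAL_NET` and `SMTP_SERVERS` (which exist in the default suricata.yaml) are constructed for this example.

```yaml
# Added example of a suricata.yaml 'vars' fragment; not the thread's own config.
# Assumes a single home network 192.168.1.0/24 and two server hosts (constructed
# values). Variable names are only meaningful if some rule references them as $NAME;
# unreferenced variables are loaded and then never used.
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    # Default suricata.yaml already defines SMTP_SERVERS as $HOME_NET; narrowing it
    # to the actual mail host (constructed address) reduces false positives.
    SMTP_SERVERS: "[192.168.1.10]"
    TURN_SERVERS: "[192.168.1.20]"   # constructed name and address
  port-groups:
    # Ports listed in the question. Ranges use a colon, lists use brackets.
    SMTP_PORTS: "[25,465]"
    IMAP_PORTS: "993"
    TURN_PORTS: "[3478,5349]"          # STUN/TURN signalling, TCP and UDP
    TURN_RELAY_PORTS: "[49152:49272]"  # TURN relay range, UDP
    VPN_PORTS: "51820"                 # VPN, UDP
# A rule that uses these variables goes in a .rules file, not in suricata.yaml, e.g.:
#   alert udp $EXTERNAL_NET any -> $TURN_SERVERS $TURN_RELAY_PORTS \
#     (msg:"TURN relay traffic from outside"; sid:1000001; rev:1;)
# Protocol detection for SMTP and IMAP does not depend on these variables; Suricata's
# app-layer parsers identify those protocols on their own.
```

Declaring a port variable changes nothing by itself; check which variables your active ruleset references (for example with `grep -o '\$[A-Z_]*' *.rules | sort -u`) before adding more.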
