# option only when using DPDK to capture packets or to forwarding packets dpdk-option = "--syslog=syslog --log-level=5 -c 0x55555555555" #root stack of network protocol # for Ethernet: 1 # for ieee802154: 800 # for Linux cooked capture: 624 stack-type = 1 input { # in case for PCAP the input mode can be ONLINE or OFFLINE, however for DPDK it's only ONLINE mode = ONLINE # input source for PCAP online mode (interface name) and for offline mode (pcap name), # however for DPDK its interface port number # in DPDK mode, MMT supports also multi-port inputs, # - e.g., source="0,1" will tell MMT to capture packets on port 0 and 1 # - MMT will aggregate traffic on these 2 ports, thus 2 packets of one flow can be received on 2 different ports source = "lo" # maximal size of a packet snap-len = 65535 # } output { enable = true output-dir = "./" # Location where files are written: sample-interval = 5 #a new sample file is created each x seconds given by output.cache-period report-description = true # true to include rule's description into the alert reports, # otherwise it will be excluded (thus rules's descriptions will be an empty string in the reports) # Excluding rules's descriptions will reduce the size of reports. } engine { thread-nb = 0 # the number of security threads per one probe thread , e .g . , if we have 16 probe threads and thread-nb = x , # then x*16 security threads will be used . # If set to zero this means that the security analysis will be done by the threads of the probe . exclude-rules = "0-89,91-200" # Range of rules to be excluded from the verification rules-mask = "" # Mapping of rules to the security threads: # Format: rules-mask = (thread-index:rule-range); # thread-index = a number greater than 0 # rule-range = number greater than 0, or a range of numbers greater than 0. # Example: If we have thread-nb = 3 and "(1:1,2,4-6)(2:3)" , # this means that: # thread 1 verifies rules 1 ,2 ,4 ,5 ,6; # thread 2 verifies only rule 3; and # thread 3 verifies the rest # Note: if we have thread-nb = 2 and "(1:1)(2:3)", then only rules 1 and 3 are verified (the others are not) ip-encapsulation-index = LAST # If traffic is ip-in-ip, this option selects which IP will be analysed. # - FIRST: first ip in the protocol hierarchy # - LAST: last ip in the protocol hierarchy # - i: i-th ip in ther protocol hierarchy. # For example, given ETH.IP.UDP.GTP.IP.TCP.VPN.IP.SSL, # - FIRST, or 1, indicates IP after ETH # - LAST, or any number >= 3, indicates IP after VPN # - 2 indicates IP after GTP # NOTE: this option will be ignored in non ip-in-ip traffic # number of fsm instances of one rule max-instances = 100000 } # A mem_pool contains several pools. Each pool stores several blocks of memory # having the same size. # This parameter set the maximum elements of a pool. mempool { # This parameter set the Maximum bytes of a pool: 2 GBytes max-bytes = 2000000000 # Max number of elements in a pool max-elements = 1000 # maximum size, in bytes, of a report received from mmt-probe max-message-size = 3000 # Number of reports can be stored in a ring buffer smp-ring-size = 1000 } forward { enable = true output-nic = "ens38" nb-copies = 2 #number of copies of a packet to be sent snap-len = 0 #specifies the snapshot length to be set on the handle. promisc = 1 #specifies whether the interface is to be put into promiscuous mode. If promisc is non-zero, promiscuous mode will be set, otherwise it will not be set. default = FORWARD #default action when packets are not selected/satisfied by any rule # either FORWARD to forward the packets or DROP to drop the packets #forward packets to a target using SCTP protocol: MMT will be a SCTP client, # - it connects to the given "sctp-host" at "sctp-port" # - the SCTP packets' payload will be sent to the target using this SCTP connection target-protocols = { UDP} target-hosts = { "192.168.49.7" } target-ports = { 2152 } }