suricata版本為4.0.3
用于設置啟動suricata的用戶及其分組。
# Run suricata as user and group.
# run-as:
# user: suri
# group: suri
max-pending-packets
該選項設置了suricata能夠同時處理的數(shù)據(jù)包的數(shù)量,最少為1,最大值取決于內(nèi)存的大小,更大的內(nèi)存可以設置更大的值并擁有更好的性能,默認值是1024。但是官方文檔中并沒有指出其數(shù)量與內(nèi)存之間的具體關(guān)系。設置格式為:
# Number of packets preallocated per thread. The default is 1024. A higher number
# will make sure each CPU will be more easily kept busy, but may negatively
# impact caching.
#
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
# apply. In that case try something like 60000 or more. This is because the CUDA
# pattern matcher buffers and scans as many packets as possible in parallel.
# max-pending-packets: 1024
該選項設置了suricata的運行方式,使用命令./suricata --list-runmodes可以查看所有的運行方式,部分截圖如下:
在介紹運行方式(Runmodes)之前首先了解一下suricata的基本組成。Suricata是由所謂的線程(threads)、線程模塊 (thread-modules)和隊列(queues)組成。Suricata是一個多線程的程序,因此在同一時刻會有多個線程在工作。線程模塊是依據(jù) 功能來劃分的,比如一個模塊用于解析數(shù)據(jù)包,另一個模塊用于檢測數(shù)據(jù)包等。每個數(shù)據(jù)包可能會有多個不同的線程進行處理,隊列就是用于將數(shù)據(jù)包從一個線程傳 遞到另一個線程。與此同時,一個線程可以擁有多個線程模塊,但是在某一時刻只有一個模塊在運行(原文是If they have more modules, they can only be active on a a time.看不大懂,感覺是這個意思)。
Suricata的運行方式就是上面介紹的線程(threads)、線程模塊(thread-modules)和隊列(queues)三種元素的不 同組合方式。上圖中的RunMode Type并不是配置文件中的runmodes選項,而是后面的Custom Mode也就是自定義模式才可以在此處設置。比如默認的Runmodes是autofp,在線實時檢測流量的模式中其結(jié)構(gòu)如下,單線程模塊獲取數(shù)據(jù)包和解 碼,多線程模塊檢測,單模塊輸出:
而在pfring模式下的autofp則有所不同,可以看到它有多個模塊獲取及解碼數(shù)據(jù)包,通過流綁定隊列分配到多個檢測模塊中進行檢測,這應該是pfring模式獲取數(shù)據(jù)包效率更高的原因:
之前的max-pending-packets選項設置了最多同時處理的數(shù)據(jù)包數(shù)量,這些同時處理的數(shù)據(jù)包都是需要存儲在內(nèi)存中的,所以需要對每個 數(shù)據(jù)包的大小進行限制,而當前選項就是做這個事的。雖然有時候可能需要檢測較大的數(shù)據(jù)包,但是大部分情況下為了性能還是需要做出一定的限制。其配置方式如 下,默認值是1514,這也是TCP數(shù)據(jù)包的最大長度(當數(shù)據(jù)超過這個長度便會使用TCP報文重組技術(shù)):
# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514
action指的是每條規(guī)則匹配時需要執(zhí)行的操作,比如下面這條規(guī)則執(zhí)行alert警告操作:
而當前字段設置的是多條規(guī)則同時匹配的時候的執(zhí)行順序。action共有四種:pass、drop、reject、alert。
pass 指的是處理的數(shù)據(jù)包匹配當前規(guī)則時直接跳過后面的所有規(guī)則,也就是說不匹配后面的規(guī)則
drop 只能工作在 IPS 模式下,當數(shù)據(jù)包匹配到 drop 的規(guī)則時則會被丟棄并且產(chǎn)生一個警告
reject 會給數(shù)據(jù)包的發(fā)送和接收端都發(fā)生一個拒絕的數(shù)據(jù)包,如果原本的協(xié)議是TCP,則發(fā)生reset數(shù)據(jù)包,
否則發(fā)送 ICMP 錯誤的數(shù)據(jù)包,同時產(chǎn)生一個警告。在 IPS 模式下也會丟棄匹配到的數(shù)據(jù)包
alert 則對發(fā)送和接收者都沒有影響,只會生成一個警告
Suricata按照規(guī)則的出現(xiàn)順序依次加載,但是處理的順序則根據(jù)配置文件中設置的action重要程度來排列。默認的順序如下,
表示當一個數(shù)據(jù)包匹配多條規(guī)則時,優(yōu)先處理的是pass的規(guī)則,其次是drop,然后是reject,最后是alert:
action-order:
- pass
- drop
- reject
- alert
Suricata 默認的日志存儲目錄是 /var/log/suricata,在配置文件中可以通過當前選項指定,比如程序目錄下的log文件夾,也可以在運行時的-l參數(shù)指定:
# The default logging directory. Any log or output file will be
# placed here if its not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/
outputs選項下有很多可以輸出的配置選項,包括警告、檢測的數(shù)據(jù)包、產(chǎn)生的結(jié)果等。在配置的過程中并不需要開啟每一種輸出,根據(jù)自己的需求進行配置。
這個日志輸出由單行的警告信息組成,比如下面這個輸出例子由四個警告組成:
其配置如下:
# a line based alerts log similar to Snort's fast.log
- fast:
enabled: yes
filename: fast.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
Suricata可以在匹配一條規(guī)則后記錄一條信息,該條信息包括數(shù)據(jù)包的時間戳、五元組信息、對應的簽名信息等,默認存儲在日志目錄下的 eve.log文件中。下面是幾條典型的eve日志,這些日志是json格式的,因此很多其他的程序可以對其進行處理產(chǎn)生進一步的輸出:
可以對其進行如下配置,輸出的類型可以多種多樣,包括文件、系統(tǒng)日志、輸出到 socket 等,輸出的內(nèi)容可以包括匹配到有 alert、http、 dns 等規(guī)則的數(shù)據(jù)包信息。簡單的說比如一條規(guī)則的 action 是 alert,檢測到有一個數(shù)據(jù)包匹配這條規(guī)則,那數(shù)據(jù)包和規(guī)則的信息則會儲存到事件日志中:
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: "suricata"
#facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
#redis:
# server: 127.0.0.1
# port: 6379
# async: true ## if redis replies are read asynchronously
# mode: list ## possible values: list|lpush (default), rpush, channel|publish
# ## lpush and rpush are using a Redis list. "list" is an alias for lpush
# ## publish is using a Redis channel. "channel" is an alias for publish
# key: suricata ## key or channel to use (default to suricata)
# Redis pipelining set up. This will enable to only do a query every
# 'batch-size' events. This should lower the latency induced by network
# connection at the cost of some memory. There is no flushing implemented
# so this setting as to be reserved to high traffic suricata.
# pipelining:
# enabled: yes ## set enable to yes to enable query pipelining
# batch-size: 10 ## number of entry to keep in buffer
types:
- alert:
# payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
# packet: yes # enable dumping of packet (without stream segments)
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is
# helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite".
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization]
- dns:
# control logging of queries and answers
# default yes, no to disable
query: yes # enable logging of DNS queries
answer: yes # enable logging of DNS answers
# control which RR types are logged
# all enabled if custom not specified
#custom: [a, aaaa, cname, mx, ns, ptr, txt]
- tls:
extended: yes # enable this for extended logging information
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# custom allows to control which tls fields that are included
# in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
#- drop:
# alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt.
- smtp:
#extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
# custom fields logging from the list:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# x-originating-ip, in-reply-to, references, importance, priority,
# sensitivity, organization, content-md5, date
#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
# output md5 of fields: body, subject
# for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes
#md5: [body, subject]
#- dnp3
#- nfs
- ssh
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
# bi-directional flows
- flow
# uni-directional flows
#- netflow
# Vars log flowbits and other packet and flow vars
#- vars
當然也可以把不同類別的信息輸出到不同的日志文件中,如下配置表明 alert 和 drop 輸出到 eve-ips.json,http 等協(xié)議輸出到 eve-nsm.json:
outputs:
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve-ips.json
types:
- alert
- drop
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve-nsm.json
types:
- http
- dns
- tls
還有一些其他的輸出方法及格式可以參考EveJSONFormat。
當suricata檢測到一個可疑的數(shù)據(jù)包時便可以將整個數(shù)據(jù)包以二進制的方式存儲到文件中,目前已經(jīng)支持了IPv4和IPv6的數(shù)據(jù)包。其輸出的格式可以被Barnyard2 (參考網(wǎng)頁)程序處理,這是一個用于將suricata輸出的包存儲到數(shù)據(jù)庫中的程序,可以配合 Sguil(參考網(wǎng)頁)進行對網(wǎng)絡流量的實時監(jiān)控和輸出。一般上的配置格式如下,由于這里對每個文件的大小有32M的限制,所以在文件大于這個值時便會新建一個文件繼續(xù)存儲:
# alert output for use with Barnyard2
- unified2-alert: # The log-name.
enabled: yes # This log is enabled. Set 'no' to disable.
filename: unified2.alert # The name of the file in the default logging directory.
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
#limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts.
#sensor-id: 0
# Include payload of packets related to alerts. Defaults to true, set to
# false if payload is not required.
#payload: yes
在這個選項里還有一個X-Forwarded-For功能,這個功能是用來記錄經(jīng)過多個HTTP代理服務器之后真正的客戶端IP地址,而不是代理服 務器的IP地址,HTTP協(xié)議會在頭里面加入一個X-Forwarded-For字段以記錄原始IP以及經(jīng)過的每個代理服務器的IP,詳細可參考X-Forwarded-For-維基百科,無論是在客戶端的代理還是服務端的反向代理(百度百科)都非常有用,默認是關(guān)閉的:
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
# This is helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite". Note
# that in the "overwrite" mode, if the reported IP address in the HTTP
# X-Forwarded-For header is of a different version of the packet
# received, it will fall-back to "extra-data" mode.
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
HTTP日志會記錄所有的HTTP流量信息,包含了http請求、HOST字段、URI字段和User-Agent字段,這里是普通的輸出,除此之 外也可以在eve-log中指定http以便輸出json格式的內(nèi)容。另外也可以設置是否擴展以輸出更多的信息,未擴展時輸出的內(nèi)容:
關(guān)于此項的配置如下,擴展選項默認關(guān)閉,用戶還可以通過customformat來自定義輸出的格式,同時也可以配置輸出到socket文件:
# a line based log of HTTP requests (no alerts)
- http-log:
enabled: yes
filename: http.log
append: yes # If this option is set to yes, the last filled http.log-file will not be
# overwritten while restarting Suricata.
#extended: yes # enable this for extended logging information
#custom: yes # enabled the custom logging format (defined by customformat)
#customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
還有一個存儲 DNS 流量和 TLS 的配置,與 HTTP 的類似,詳見 -tls-log 與 -dns-log, 這里就不做過多解釋了。
通過pcap-log選項可以保存所有的數(shù)據(jù)包,這樣在檢測到問題數(shù)據(jù)包時就能更容易地找到之前的流量以便對整個事件進行確認和分析?;九渲萌?下,與之前的HTTP日志一樣,pcap文件也是可以限定大小和文件數(shù)的,當一個文件達到限制的大小時便會創(chuàng)建一個新文件,同時這里還有文件數(shù)量的限制:
# Packet log... log packets in pcap format. 3 modes of operation: "normal"
# "multi" and "sguil".
#
# In normal mode a pcap file "filename" is created in the default-log-dir,
# or are as specified by "dir".
# In multi mode, a file is created per thread. This will perform much
# better, but will create multiple files where 'normal' would create one.
# In multi mode the filename takes a few special variables:
# - %n -- thread number
# - %i -- thread id
# - %t -- timestamp (secs or secs.usecs based on 'ts-format'
# E.g. filename: pcap.%n.%t
#
# Note that it's possible to use directories, but the directories are not
# created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
# per thread directory.
#
# Also note that the limit and max-files settings are enforced per thread.
# So the size limit when using 8 threads with 1000mb files and 2000 files
# is: 8*1000*2000 ~ 16TiB.
#
# In Sguil mode "dir" indicates the base directory. In this base dir the
# pcaps are created in th directory structure Sguil expects:
#
# $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
#
# By default all packets are logged except:
# - TCP streams beyond stream.reassembly.depth
# - encrypted streams after the key exchange
#
- pcap-log:
enabled: yes
filename: log.pcap
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
limit: 1000mb
# If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
max-files: 2000
mode: normal # normal, multi or sguil.
# Directory to place pcap files. If not provided the default log
# directory will be used. Required for "sguil" mode.
#dir: /nsm_data/
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
配置中的mode有兩種情況,一個是普通的normal,會將文件存儲在之前指定的日志存儲目錄,而sguil模式則需要sguil_base_dir選項指定目錄,并且存儲的文件按照日期劃分目錄,并加上時間戳:
$sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
use-stream-depth選項,如果設為“yes”只會存儲不大于stream.reassembly.depth長度的數(shù)據(jù),后面的將會舍棄(在一個stream中),“no”則會存儲所有的數(shù)據(jù)包。
如果開啟這一選項,suricata會記錄每一個警告產(chǎn)生的詳細信息,包括數(shù)據(jù)包、規(guī)則等各種信息。一個典型的輸出如下所示,這些信息可以使得維護人員更快的排除誤報、檢查規(guī)則的問題等:
雖然這個功能非常有用,但是在生產(chǎn)環(huán)境中啟動并不是一個明智的行為,它會在檢測流時處理和輸出大量的信息,導致性能有很大的下降,因此默認的配置是不開啟的:
# a full alerts log containing much information for signature writers
# or for investigating suspected false positives.
- alert-debug:
enabled: no
filename: alert-debug.log
append: yes # If this option is set to yes, the last filled fast.log-file will not be
# overwritten while restarting Suricata.
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
這個選項決定了是否將suricata的警告輸出到syslog文件中,配置如下:
# a line based alerts log similar to fast.log into syslog
- syslog:
enabled: no
# reported identity to syslog. If ommited the program name (usually
# suricata) will be used.
#identity: "suricata"
facility: local5 ## In this option you can set a syslog facility
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
可以看到syslog選項默認是關(guān)閉的,如果開啟,facility字段表示產(chǎn)生日志的分類為local5。關(guān)于syslog日志處理系統(tǒng)的更多信息可以參考Syslog-維基百科。
當suricata工作在IPS模式下的時候,可以使用drop操作的規(guī)則,這些drop掉的數(shù)據(jù)包信息就會存儲在drop.log文件中,配置如下:
# a line based information for dropped packets in IPS mode
- drop:
enabled: no
filename: drop.log
append: yes # If this option is set to yes, the last filled drop.log-file will not be
# overwritten while restarting Suricata. If set to 'no' the last filled drop.log file will be overwritten.
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
Suricata在對流量檢測之前需要將所有的規(guī)則簽名加載到內(nèi)存,而數(shù)據(jù)包在匹配規(guī)則時并不需要匹配所有的規(guī)則,事實上大量的規(guī)則是完全沒必要匹 配的,比如當前數(shù)據(jù)包時基于UDP協(xié)議的,那TCP的所有規(guī)則都是沒有必要匹配的。因此需要根據(jù)一定的依據(jù)對所有的規(guī)則進行分組,這樣數(shù)據(jù)包只需要與符合 條件的分組內(nèi)的所有規(guī)則進行匹配即可。而需要如何分組則是一個關(guān)鍵的問題。
下面是detect-engine的一種配置。profile選項有high、low和medium三種。high表示分組較多,但是會占用更多的 內(nèi)存,性能也會更好;low則正好相反,占用更少的內(nèi)存,性能也相對較差;medium是默認配置,是性能和內(nèi)存使用的折中選擇。除此之外高級用戶可以在 custom-values字段自定義分組的配置,如下是根據(jù)數(shù)據(jù)包來源、源地址、目的地址、源端口、目的端口來進行分組,這些數(shù)字可以根據(jù)實際需要的性 能和需求進行調(diào)整:
# The detection engine builds internal groups of signatures. The engine
# allow us to specify the profile to use for them, to manage memory on an
# efficient way keeping a good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low.
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups. "single" indicates the use of a single context for
# all the signature group heads. "full" indicates a mpm-context for each
# group head. "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit. On not specifying a value, we use no limits on the recursion.
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
數(shù)據(jù)包檢測規(guī)則的分組圖可以看得更清楚:
接下來是sgh-mpm-context,這個字段指明MPM算法使用的content是否公用。當其值為auto時,是否公用取決于配置文件中指 定MPM的算法,若為ac或ac-gfbs,則使用single模式,表示所有的規(guī)則分組使用單個MPM-content,其余算法則使用full模式, 每個分組擁有自己的MPM-content。而當sgh-mpm-context字段的值為single或full時則不受MPM算法的影響。關(guān)于 suricata的MPM機制可以參考fast_parttern,后面的配置也會做進一步的說明。
最后的inspection-recursion-limit則是為了減少suricata的出錯次數(shù),因為網(wǎng)絡流量狀況非常復雜,suricata難免會遇上無限循環(huán)或是遞歸地處理數(shù)據(jù)包的情況,這時指定一個最大值,當循環(huán)或遞歸次數(shù)大于這個值則停止處理當前數(shù)據(jù)包。
之前已經(jīng)了解過,suricata在content的多模匹配支持很多算法,不同的算法有不同的優(yōu)缺點。設置如下,可選的算法包括ac, ac-bs, ac-cuda, ac-ks和hs:
# Select the multi pattern algorithm you want to run for scan/search the
# in the engine.
#
# The supported algorithms are:
# "ac" - Aho-Corasick, default implementation
# "ac-bs" - Aho-Corasick, reduced memory implementation
# "ac-cuda" - Aho-Corasick, CUDA implementation
# "ac-ks" - Aho-Corasick, "Ken Steele" variant
# "hs" - Hyperscan, available when built with Hyperscan support
#
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac". Rest of the mpms can be run in "full" mode.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda: b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.
mpm-algo: auto
PS:網(wǎng)上其他suricata的配置說明文檔記載的算法為:b2g, b2gc, b2gm, b3g, wumanber, ac和ac-gfbs,有待了解新舊算法的特點。
CUDA的翻譯是統(tǒng)一計算設備架構(gòu),為的是讓CPU和GPU在執(zhí)行運算的時候發(fā)揮自身的優(yōu)勢,協(xié)同處理,詳細可參考CUDA-維基百科。 由于這項技術(shù)是NVIDIA主導的,且出現(xiàn)時間并不長,因此suricata只是在MPM多模匹配中可以使用,并且只有在編譯前的configure時加 入–enable-cuda才具有這項功能,并且目前其他的GPU并不支持這項功能。因此這里就不做過多介紹,等后面這項技術(shù)推廣開來,便有更加實用的意義。
# Cuda configuration.
cuda:
# The "mpm" profile. On not specifying any of these parameters, the engine's
# internal default values are used, which are same as the ones specified in
# in the default conf file.
mpm:
# The minimum length required to buffer data to the gpu.
# Anything below this is MPM'ed on the CPU.
# Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
# A value of 0 indicates there's no limit.
data-buffer-size-min-limit: 0
# The maximum length for data that we would buffer to the gpu.
# Anything over this is MPM'ed on the CPU.
# Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
data-buffer-size-max-limit: 1500
# The ring buffer size used by the CudaBuffer API to buffer data.
cudabuffer-buffer-size: 500mb
# The max chunk size that can be sent to the gpu in a single go.
gpu-transfer-size: 50mb
# The timeout limit for batching of packets in microseconds.
batching-timeout: 2000
# The device to use for the mpm. Currently we don't support load balancing
# on multiple gpus. In case you have multiple devices on your system, you
# can specify the device to use, using this conf. By default we hold 0, to
# specify the first device cuda sees. To find out device-id associated with
# the card(s) on the system run "suricata --list-cuda-cards".
device-id: 0
# No of Cuda streams used for asynchronous processing. All values > 0 are valid.
# For this option you need a device with Compute Capability > 1.0.
cuda-streams: 2
更多建議: