Configuration: suricata.yaml (Part 1)

Updated 2019-01-17 11:39

Suricata version: 4.0.3

user and group

Sets the user and group that Suricata runs as after startup.

# Run suricata as user and group.
# run-as:
#  user: suri
#  group: suri

max-pending-packets

This option sets the number of packets Suricata can process at the same time. The minimum is 1; the maximum depends on the amount of memory, and more memory allows a larger value with better performance. The default is 1024. The official documentation, however, does not spell out the exact relationship between this number and memory. The setting looks like this:

# Number of packets preallocated per thread. The default is 1024. A higher number 
# will make sure each CPU will be more easily kept busy, but may negatively 
# impact caching.
#
# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
# apply. In that case try something like 60000 or more. This is because the CUDA
# pattern matcher buffers and scans as many packets as possible in parallel.

# max-pending-packets: 1024

runmodes

This option sets how Suricata runs. The command ./suricata --list-runmodes lists all available run modes; part of the output is shown below:

[Screenshot: partial output of ./suricata --list-runmodes]

Before introducing run modes, some background on Suricata's basic building blocks. Suricata is made up of threads, thread modules and queues. Suricata is a multi-threaded program, so several threads are working at any one time. Thread modules are divided by function: for example, one module parses packets and another inspects them. Each packet may be handled by several different threads, and queues pass packets from one thread to the next. A thread can hold several thread modules, but only one module runs at any one moment (the original text says "If they have more modules, they can only be active on a a time", which I do not fully understand, but I take it to mean this).

A run mode is simply a particular combination of the three elements introduced above: threads, thread modules and queues. The RunMode Type in the screenshot above is not the runmodes option in the configuration file; only the Custom Mode column, that is, the custom modes, can be set here. For example, the default run mode is autofp. In live traffic detection its structure is as follows: a single-threaded module acquires and decodes packets, multiple threads run detection, and a single module handles output:

[Diagram: autofp run mode structure for live traffic]

autofp in pfring mode is different: it has multiple modules acquiring and decoding packets, which are distributed through flow-bound queues to multiple detection modules. This should be why packet acquisition in pfring mode is more efficient:

[Diagram: autofp run mode structure with pfring]

default-packet-size

The earlier max-pending-packets option set the maximum number of packets processed at once. Those packets all have to be held in memory, so the size of each packet also needs a limit, and that is what this option does. Although larger packets sometimes need to be inspected, in most cases a limit is still needed for performance. The configuration is shown below; the default is 1514, which is also the maximum length of a TCP packet (when data exceeds this length TCP stream reassembly is used):

# Preallocated size for packet. Default is 1514 which is the classical
# size for pcap on ethernet. You should adjust this value to the highest
# packet size (MTU + hardware header) on your system.
#default-packet-size: 1514

action-order

The action is the operation carried out when a rule matches. For example, the following rule performs the alert action:

[Image: example rule with the alert action]

This setting determines the order of execution when several rules match at the same time. There are four actions: pass, drop, reject and alert.

pass   when a packet matches this rule, all subsequent rules are skipped, i.e. no later rules are matched
drop   only works in IPS mode; when a packet matches a drop rule it is discarded and an alert is generated
reject sends a rejection packet to both the sender and the receiver: a reset packet if the original protocol was TCP,
       otherwise an ICMP error packet, and generates an alert at the same time. In IPS mode the matching packet is also dropped
alert  has no effect on sender or receiver; it only generates an alert

Suricata loads rules in the order they appear, but processes them in the order of action importance set in the configuration file. The default order, shown below, means that when a packet matches several rules, pass rules are handled first, then drop, then reject and finally alert:

action-order: 
 - pass
 - drop
 - reject
 - alert
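The following is an added example, not code from the post or from Suricata, that models the precedence rule just described: it reads an action-order list out of a suricata.yaml fragment and, for a packet that matched several rules, picks the winning action the way the list orders them (a pass win logs nothing; drop and reject only stop the packet in IPS mode). The single-winner model is a simplification for illustration.

```python
from typing import Iterable, List, Tuple

# The four actions Suricata knows; any action-order list must contain exactly these.
ACTIONS = {"pass", "drop", "reject", "alert"}


def parse_action_order(yaml_fragment: str) -> List[str]:
    """Read the 'action-order:' list out of a suricata.yaml fragment (no PyYAML needed)."""
    order: List[str] = []
    in_block = False
    for raw in yaml_fragment.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("action-order:"):
            in_block = True
            continue
        if in_block and line.startswith("- "):
            order.append(line[2:].strip())
        elif in_block:
            break  # first non-list line ends the block
    if set(order) != ACTIONS or len(order) != 4:
        raise ValueError(f"action-order must list each of {sorted(ACTIONS)} once, got {order}")
    return order


def resolve_packet(matched_actions: Iterable[str], order: List[str], ips_mode: bool) -> Tuple[str, str, bool]:
    """Pick the winning action for a packet that matched several rules.

    Returns (winning_action, fate_of_packet, alert_logged). The action listed
    earliest in action-order wins. A winning pass logs nothing; drop and reject
    only stop the packet in IPS mode, in IDS mode they still produce an alert.
    """
    rank = {action: i for i, action in enumerate(order)}
    matched = list(matched_actions)
    if not matched:
        return "none", "forward", False
    winner = min(matched, key=lambda a: rank[a])
    if winner == "pass":
        return winner, "forward", False
    if winner in ("drop", "reject"):
        return winner, ("drop" if ips_mode else "forward"), True
    return winner, "forward", True


# The post's default order, and a constructed alternative that lets an alert rule
# win even when a pass rule also matched (for illustration, not a recommendation).
DEFAULT_ORDER = parse_action_order("action-order:\n - pass\n - drop\n - reject\n - alert\n")
ALERT_FIRST_ORDER = parse_action_order("action-order:\n - alert\n - pass\n - drop\n - reject\n")
```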

default-log-dir

Suricata's default log directory is /var/log/suricata. It can be set with this option in the configuration file (for example a log folder under the program directory) and can also be overridden at run time with the -l parameter:

# The default logging directory.  Any log or output file will be
# placed here if its not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/

outputs

The outputs option contains many output settings, covering alerts, inspected packets, generated results and so on. Not every output needs to be enabled; configure them according to your needs.

Alert output (fast.log)

This log consists of single-line alert messages; for example, the following output consists of four alerts:

Its configuration is as follows:

# a line based alerts log similar to Snort's fast.log
- fast:
    enabled: yes
    filename: fast.log
    append: yes
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
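As an added example (not from the post or from Suricata), here is a small parser for fast.log lines of the shape shown above. The sample lines are constructed for this example: the sids, messages and addresses are made up, and the regular expression assumes the single-line layout timestamp, optional [Drop] marker, [**] gid:sid:rev message [**], classification, priority, {proto} and src:port -> dst:port.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in fast.log's single-line format (made up for this
# example; the sids, messages and addresses are not from any real sensor).
SAMPLE_FAST_LOG = """\
01/17/2019-11:39:00.123456  [**] [1:1000001:2] LOCAL constructed web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.5:51342 -> 192.0.2.10:80
01/17/2019-11:39:01.000001  [Drop] [**] [1:1000002:1] LOCAL constructed dns block [**] [Classification: (null)] [Priority: 3] {UDP} 198.51.100.5:53412 -> 192.0.2.53:53
01/17/2019-11:39:02.500000  [**] [1:1000001:2] LOCAL constructed web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40022 -> 192.0.2.10:80
this line is not an alert and must be skipped
"""

# Field layout: timestamp, optional "[Drop]"/"[wDrop]" marker, "[**]", gid:sid:rev,
# message, "[**]", classification, priority, {proto}, src:port -> dst:port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass
class FastAlert:
    ts: str
    action: str          # "alert", "Drop" or "wDrop" (would-drop, seen in IDS mode)
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_log_line(line: str) -> Optional[FastAlert]:
    """Parse one fast.log line; return None for lines that do not match the format."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return FastAlert(
        ts=g["ts"], action=g["action"] or "alert",
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"], priority=int(g["priority"]),
        proto=g["proto"], src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
    )


def parse_fast_log(text: str) -> List[FastAlert]:
    """Parse a whole fast.log, skipping malformed lines instead of failing."""
    alerts = [parse_fast_log_line(line) for line in text.splitlines()]
    return [a for a in alerts if a is not None]


def count_by_sid(alerts: List[FastAlert]) -> dict:
    """Hits per signature id: a first triage step for spotting noisy rules."""
    counts: dict = {}
    for a in alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts
```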

Event output (eve.log)

Suricata can record an entry after a rule matches, containing the packet timestamp, the 5-tuple, the corresponding signature information and so on. By default it is stored in the eve.log file in the log directory. Below are a few typical EVE log entries. They are in JSON format, so many other programs can process them to produce further output:

It can be configured as shown below. There are many output types, including files, syslog and sockets, and the logged content can include packet information for rules matching alert, http, dns and so on. Put simply, if a rule's action is alert and a packet is detected matching that rule, the packet and rule information are stored in the event log:

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting as to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # enable dumping of http body in Base64
            # http-body-printable: yes # enable dumping of http body in printable format
            metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes

            # HTTP X-Forwarded-For support by adding an extra field or overwriting
            # the source or destination IP address (depending on flow direction)
            # with the one reported in the X-Forwarded-For HTTP header. This is
            # helpful when reviewing alerts for traffic that is being reverse
            # or forward proxied.
            xff:
              enabled: no
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: extra-data
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: reverse
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns:
            # control logging of queries and answers
            # default yes, no to disable
            query: yes     # enable logging of DNS queries
            answer: yes    # enable logging of DNS answers
            # control which RR types are logged
            # all enabled if custom not specified
            #custom: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: yes     # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            #session-resumption: no
            # custom allows to control which tls fields that are included
            # in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
        - files:
            force-magic: no   # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            #force-hash: [md5]
        #- drop:
        #    alerts: yes      # log alerts that caused drops
        #    flows: all       # start or all: 'start' logs only a single drop
        #                     # per flow direction. All logs each dropped pkt.
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]

        #- dnp3
        #- nfs
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netflow
        # Vars log flowbits and other packet and flow vars
        #- vars

Different categories of information can also be written to different log files. The following configuration sends alert and drop to eve-ips.json and protocols such as http to eve-nsm.json:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve-ips.json
      types:
        - alert
        - drop

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve-nsm.json
      types:
        - http
        - dns
        - tls

Other output methods and formats are described in EveJSONFormat.

Packet output (unified2.alert)

When Suricata detects a suspicious packet, it can store the whole packet in binary form to a file; IPv4 and IPv6 packets are currently supported. The output format can be processed by Barnyard2 (reference page), a program that stores Suricata's output packets in a database, and can be combined with Sguil (reference page) for real-time monitoring and output of network traffic. The usual configuration is shown below. Because each file is limited to 32M here, a new file is created when a file grows beyond this value:

  # alert output for use with Barnyard2
  - unified2-alert:             # The log-name.
      enabled: yes              # This log is enabled. Set 'no' to disable.
      filename: unified2.alert  # The name of the file in the default logging directory.

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      #limit: 32mb

      # By default unified2 log files have the file creation time (in
      # unix epoch format) appended to the filename. Set this to yes to
      # disable this behaviour.
      #nostamp: no

      # Sensor ID field of unified2 alerts.
      #sensor-id: 0

      # Include payload of packets related to alerts. Defaults to true, set to
      # false if payload is not required.
      #payload: yes

This option also has an X-Forwarded-For feature, which records the real client IP address after traffic has passed through several HTTP proxies, rather than the proxy's IP. HTTP adds an X-Forwarded-For field to the header to record the original IP and the IP of each proxy passed through; see X-Forwarded-For (Wikipedia) for details. It is very useful both for client-side proxies and for server-side reverse proxies (Baidu Baike). It is disabled by default:

      # HTTP X-Forwarded-For support by adding the unified2 extra header or
      # overwriting the source or destination IP address (depending on flow
      # direction) with the one reported in the X-Forwarded-For HTTP header.
      # This is helpful when reviewing alerts for traffic that is being reverse
      # or forward proxied.
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite". Note
        # that in the "overwrite" mode, if the reported IP address in the HTTP
        # X-Forwarded-For header is of a different version of the packet
        # received, it will fall-back to "extra-data" mode.
        mode: extra-data
        # Two proxy deployments are supported, "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported, if more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For
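The xff block above (and the identical one under eve-log's alert type) has two knobs whose interaction is easy to get wrong: deployment decides which address in a multi-hop header is taken, and overwrite mode silently falls back to extra-data when the header's address family differs from the packet's. The following is an added example, not code from the post or from Suricata, that models that logic on a plain alert record. The field names src_ip, dest_ip, direction and xff are assumptions for this example.

```python
import ipaddress
from typing import Dict, Optional

# Assumed record layout: "src_ip", "dest_ip" and "direction" ("to_server" for a
# request from the client, "to_client" for the response). In extra-data mode the
# chosen address is added under an assumed "xff" key.


def pick_xff_address(header_value: str, deployment: str) -> Optional[str]:
    """Choose one address from a comma-separated X-Forwarded-For value.

    reverse: the proxy sits in front of our servers, so the last address is the
    one the nearest proxy appended. forward: the first address is the client.
    """
    parts = [p.strip() for p in header_value.split(",") if p.strip()]
    if not parts:
        return None
    if deployment == "reverse":
        return parts[-1]
    if deployment == "forward":
        return parts[0]
    raise ValueError(f"unknown deployment {deployment!r}")


def apply_xff(alert: Dict[str, str], http_headers: Dict[str, str], xff_cfg: dict) -> Dict[str, str]:
    """Return a copy of the alert with the xff: settings applied (extra-data or overwrite)."""
    if not xff_cfg.get("enabled", False):
        return dict(alert)
    wanted = xff_cfg.get("header", "X-Forwarded-For").lower()
    value = next((v for k, v in http_headers.items() if k.lower() == wanted), None)
    if value is None:
        return dict(alert)
    chosen = pick_xff_address(value, xff_cfg.get("deployment", "reverse"))
    try:
        ip = ipaddress.ip_address(chosen)
    except ValueError:
        return dict(alert)  # header did not carry an address: leave the alert alone
    out = dict(alert)
    if xff_cfg.get("mode", "extra-data") == "overwrite":
        # The client is the source of a request and the destination of a response.
        # Overwrite only when the IP version matches the packet's; otherwise fall
        # back to extra-data, as the configuration comment describes.
        field = "src_ip" if alert["direction"] == "to_server" else "dest_ip"
        if ipaddress.ip_address(alert[field]).version == ip.version:
            out[field] = str(ip)
            return out
    out["xff"] = str(ip)
    return out
```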

HTTP log (http.log)

The HTTP log records all HTTP traffic, including the HTTP request, the Host field, the URI and the User-Agent. This is the plain-text output; http can also be specified in eve-log to output the same content in JSON format. Extended logging can also be enabled to output more information. The non-extended output looks like this:

The configuration for this item is as follows. The extended option is disabled by default, the output format can be customised with customformat, and output to a socket file can also be configured:

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes        # If this option is set to yes, the last filled http.log-file will not be
                         # overwritten while restarting Suricata.
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

There are also DNS and TLS logging settings similar to the HTTP one; see -tls-log and -dns-log, which are not explained further here.

Packet log (pcap-log)

The pcap-log option saves all packets, which makes it much easier to find the earlier traffic when a problem packet is detected, so that the whole event can be confirmed and analysed. The basic configuration is shown below. As with the earlier HTTP log, pcap files can be limited in size and number: when a file reaches the size limit a new one is created, and there is also a limit on the number of files:

  # Packet log... log packets in pcap format. 3 modes of operation: "normal"
  # "multi" and "sguil".
  #
  # In normal mode a pcap file "filename" is created in the default-log-dir,
  # or are as specified by "dir".
  # In multi mode, a file is created per thread. This will perform much
  # better, but will create multiple files where 'normal' would create one.
  # In multi mode the filename takes a few special variables:
  # - %n -- thread number
  # - %i -- thread id
  # - %t -- timestamp (secs or secs.usecs based on 'ts-format'
  # E.g. filename: pcap.%n.%t
  #
  # Note that it's possible to use directories, but the directories are not
  # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the
  # per thread directory.
  #
  # Also note that the limit and max-files settings are enforced per thread.
  # So the size limit when using 8 threads with 1000mb files and 2000 files
  # is: 8*1000*2000 ~ 16TiB.
  #
  # In Sguil mode "dir" indicates the base directory. In this base dir the
  # pcaps are created in th directory structure Sguil expects:
  #
  # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
  #
  # By default all packets are logged except:
  # - TCP streams beyond stream.reassembly.depth
  # - encrypted streams after the key exchange
  #
  - pcap-log:
      enabled: yes
      filename: log.pcap

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 1000mb

      # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
      max-files: 2000

      mode: normal # normal, multi or sguil.

      # Directory to place pcap files. If not provided the default log
      # directory will be used. Required for "sguil" mode.
      #dir: /nsm_data/

      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.

The mode setting has two cases: normal mode stores files in the log directory specified earlier, while sguil mode needs the directory given by the sguil_base_dir option and stores files in per-date directories with a timestamp appended:

$sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>

For the use-stream-depth option, if set to "yes" only data up to stream.reassembly.depth is stored and the rest (within a stream) is discarded; "no" stores all packets.

Detailed alert log (alert-debug.log)

If this option is enabled, Suricata records detailed information for every alert generated, including the packet, the rule and much more. A typical output is shown below; this information helps maintainers rule out false positives and check rule problems more quickly:

Although this feature is very useful, enabling it in a production environment is not wise: it processes and outputs a large amount of information while inspecting traffic, causing a large drop in performance, so it is disabled in the default configuration:

  # a full alerts log containing much information for signature writers
  # or for investigating suspected false positives.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes        # If this option is set to yes, the last filled fast.log-file will not be
                         # overwritten while restarting Suricata.
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

Syslog

This option decides whether Suricata's alerts are also written to syslog. The configuration is as follows:

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If ommited the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5  ## In this option you can set a syslog facility
      #level: Info      ## possible levels: Emergency, Alert, Critical,
                        ## Error, Warning, Notice, Info, Debug

The syslog option is disabled by default. If enabled, the facility field sets the category of the generated logs to local5. For more on the syslog logging system see Syslog (Wikipedia).

Drop.log

When Suricata works in IPS mode, rules with the drop action can be used, and information about the dropped packets is stored in drop.log. The configuration is as follows:

  # a line based information for dropped packets in IPS mode
  - drop:
      enabled: no
      filename: drop.log
      append: yes        # If this option is set to yes, the last filled drop.log-file will not be
                         # overwritten while restarting Suricata. If set to 'no' the last filled drop.log file will be overwritten.
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

Detection engine configuration

detect-engine

Before inspecting traffic, Suricata loads all rule signatures into memory, but a packet does not need to be matched against every rule; in fact a large number of rules never need matching. For example, if the current packet is UDP, none of the TCP rules need to be matched. So the rules are grouped by certain criteria, and a packet then only has to be matched against the rules in the groups that apply to it. How to group them is the key question.

Below is one detect-engine configuration. The profile option has three settings: high, low and medium. high means more groups, which uses more memory but gives better performance; low is the opposite, using less memory with relatively worse performance; medium is the default and a compromise between performance and memory use. Advanced users can also define their own grouping in the custom-values field. The example below groups by packet direction, source address, destination address, source port and destination port; the numbers can be adjusted to the performance and requirements at hand:

# The detection engine builds internal groups of signatures. The engine
# allow us to specify the profile to use for them, to manage memory on an
# efficient way keeping a good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low.
#
# "sgh mpm-context", indicates how the staging should allot mpm contexts for
# the signature groups.  "single" indicates the use of a single context for
# all the signature group heads.  "full" indicates a mpm-context for each
# group head.  "auto" lets the engine decide the distribution of contexts
# based on the information the engine gathers on the patterns from each
# group head.
#
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code.  For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit.  On not specifying a value, we use no limits on the recursion.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000

The grouping of packet inspection rules is clearer in the diagram:

[Diagram: signature grouping in the detection engine]

Next is sgh-mpm-context, which specifies whether the content used by the MPM algorithm is shared. When the value is auto, sharing depends on the MPM algorithm specified in the configuration file: for ac or ac-gfbs the single mode is used, meaning all signature groups share a single MPM-content, while other algorithms use full mode, where each group has its own MPM-content. When sgh-mpm-context is set to single or full explicitly, the MPM algorithm has no influence. For Suricata's MPM mechanism see fast_pattern; the later configuration sections explain it further.

Finally, inspection-recursion-limit reduces the number of errors in Suricata: network traffic is very complex and Suricata will inevitably run into infinite loops or recursive packet processing, so a maximum is specified, and when the loop or recursion count exceeds it, processing of the current packet stops.

mpm-algo

As seen earlier, Suricata supports many algorithms for multi-pattern matching of content, each with its own strengths and weaknesses. The setting is shown below; the available algorithms are ac, ac-bs, ac-cuda, ac-ks and hs:

# Select the multi pattern algorithm you want to run for scan/search the
# in the engine.
#
# The supported algorithms are:
# "ac"      - Aho-Corasick, default implementation
# "ac-bs"   - Aho-Corasick, reduced memory implementation
# "ac-cuda" - Aho-Corasick, CUDA implementation
# "ac-ks"   - Aho-Corasick, "Ken Steele" variant
# "hs"      - Hyperscan, available when built with Hyperscan support
#
# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
# available, "ac" otherwise.
#
# The mpm you choose also decides the distribution of mpm contexts for
# signature groups, specified by the conf - "detect.sgh-mpm-context".
# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
# to be set to "single", because of ac's memory requirements, unless the
# ruleset is small enough to fit in one's memory, in which case one can
# use "full" with "ac".  Rest of the mpms can be run in "full" mode.
#
# There is also a CUDA pattern matcher (only available if Suricata was
# compiled with --enable-cuda: b2g_cuda. Make sure to update your
# max-pending-packets setting above as well if you use b2g_cuda.

mpm-algo: auto
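To make concrete what mpm-algo selects, here is an added example (not code from the post or from Suricata) of the Aho-Corasick technique behind the "ac" family: a single pass over a payload finds every occurrence of every content pattern, which is how the MPM stage narrows a signature group down to the few candidates that full inspection then examines. The prefilter function and its constructed sids and patterns are assumptions for this example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple


class AhoCorasick:
    """Aho-Corasick automaton: one pass over a payload finds every occurrence of every pattern."""

    def __init__(self, patterns: List[bytes]):
        self.patterns = patterns
        self.goto: List[Dict[int, int]] = [{}]   # per state: byte -> next state
        self.fail: List[int] = [0]               # per state: longest proper suffix that is a prefix
        self.out: List[List[int]] = [[]]         # per state: indexes of patterns ending here
        for idx, pat in enumerate(patterns):
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(idx)
        # Breadth-first pass sets failure links and inherits the outputs of suffix states,
        # so a match of "he" is still reported inside a match of "she".
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data: bytes) -> List[Tuple[int, int]]:
        """Return (offset, pattern_index) for every match, in order of discovery."""
        state, hits = 0, []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                hits.append((i - len(self.patterns[idx]) + 1, idx))
        return hits


def prefilter(payload: bytes, signatures: Dict[int, bytes]) -> Set[int]:
    """Return the sids whose fast-pattern content occurs in the payload (assumed helper).

    This is the MPM stage: only these candidates go on to full rule inspection;
    every other signature in the group is skipped without being evaluated.
    """
    sids = list(signatures)
    automaton = AhoCorasick([signatures[s] for s in sids])
    return {sids[idx] for _, idx in automaton.search(payload)}
```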

PS: other Suricata configuration guides found online list the algorithms as b2g, b2gc, b2gm, b3g, wumanber, ac and ac-gfbs; the characteristics of the old and new algorithms remain to be looked into.

CUDA (Compute Unified Device Architecture)

CUDA translates as Compute Unified Device Architecture; the aim is to let the CPU and GPU each play to their strengths and work together when performing computations. See CUDA (Wikipedia) for details. Since this technology is led by NVIDIA and has not been around for long, Suricata only uses it for MPM multi-pattern matching, and only when --enable-cuda is passed to configure before compilation; other GPUs do not currently support it. So it is not covered further here; once the technology becomes widespread it will be of more practical significance.

# Cuda configuration.
cuda:
  # The "mpm" profile.  On not specifying any of these parameters, the engine's
  # internal default values are used, which are same as the ones specified in
  # in the default conf file.
  mpm:
    # The minimum length required to buffer data to the gpu.
    # Anything below this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
    # A value of 0 indicates there's no limit.
    data-buffer-size-min-limit: 0
    # The maximum length for data that we would buffer to the gpu.
    # Anything over this is MPM'ed on the CPU.
    # Can be specified in kb, mb, gb.  Just a number indicates it's in bytes.
    data-buffer-size-max-limit: 1500
    # The ring buffer size used by the CudaBuffer API to buffer data.
    cudabuffer-buffer-size: 500mb
    # The max chunk size that can be sent to the gpu in a single go.
    gpu-transfer-size: 50mb
    # The timeout limit for batching of packets in microseconds.
    batching-timeout: 2000
    # The device to use for the mpm.  Currently we don't support load balancing
    # on multiple gpus.  In case you have multiple devices on your system, you
    # can specify the device to use, using this conf.  By default we hold 0, to
    # specify the first device cuda sees.  To find out device-id associated with
    # the card(s) on the system run "suricata --list-cuda-cards".
    device-id: 0
    # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
    # For this option you need a device with Compute Capability > 1.0.
    cuda-streams: 2
以上內(nèi)容是否對您有幫助:
在線筆記
App下載
App下載

掃描二維碼

下載編程獅App

公眾號
微信公眾號

編程獅公眾號