No preamble, straight to the useful part!

  The basic building blocks of Suricata. Suricata is made up of so-called threads, thread-modules and queues. Suricata is a multi-threaded program, so at any given moment several threads are working at the same time. Thread-modules are divided by function: for example, one module parses (decodes) packets, another module runs detection on packets, and so on. Each packet may be handled by several different threads, and queues are what pass a packet from one thread to the next. A single thread can own several thread-modules, but only one of them is running at any given moment. (The original reads "If they have more modules, they can only be active on a a time"; I don't fully understand it, but I take it to mean this.)

  Suricata supports several runmodes. The runmode determines how the different threads are used by the IDS.

  The following command lists all available runmodes:

[root@suricata ~]# sudo /usr/local/bin/suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV | single | Single threaded pcap live mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | workers | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE | single | Single threaded pcap file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED) | autofp | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Single threaded pfring mode
| ---------------------------------------------------------------------
| | workers | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ | autofp | Multi threaded NFQ IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG | autofp | Multi threaded nflog mode
| ---------------------------------------------------------------------
| | single | Single threaded nflog mode
| ---------------------------------------------------------------------
| | workers | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW | autofp | Multi threaded IPFW IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE | single | Single threaded ERF file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG | autofp | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Singled threaded DAG mode
| ---------------------------------------------------------------------
| | workers | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV | single | Single threaded af-packet mode
| ---------------------------------------------------------------------
| | workers | Workers af-packet mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED) | single | Single threaded netmap mode
| ---------------------------------------------------------------------
| | workers | Workers netmap mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| UNIX_SOCKET | single | Unix socket mode
|----------------------------------------------------------------------------------------
[root@suricata ~]#

  Suricata's runmodes are simply different ways of combining the three elements introduced above: threads, thread-modules and queues.

  The "RunMode Type" column in the listing above (PCAP_DEV, AF_PACKET_DEV, NFQ, ...) is not what goes into the runmode option of the configuration file; that column is the capture method, which is chosen by how Suricata is started (for example -i / --af-packet / -q). What the runmode option accepts is the "Custom Mode" column: single, autofp or workers. For example, the default runmode is autofp; in live capture its structure is that one thread handles packet acquisition and decoding, while several threads perform detection.

  The following can also be read on the official wiki:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Runmodes

Example of the default runmode: (i.e. this is Suricata's default runmode, autofp)

  The default runmode Suricata uses is autofp (short for "auto flow pinned load balancing"). In this mode, packets from each flow are assigned to a single detect thread, so that every packet of a given flow is always inspected by the same thread. A new flow is assigned to the detect thread that currently has the lowest number of unprocessed packets.

In the pfring mode, every flow follows its own fixed route through the runmode: the capture method itself (rather than Suricata's autofp scheduler) decides which thread receives a flow, and that choice then stays fixed for the life of the flow.
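The following suricata.yaml fragment is an added example of how the points above translate into configuration; it is not from the page or from the Suricata project's own files. It sets the runmode by its "Custom Mode" name, shows the autofp flow scheduler and CPU layout, and shows the af-packet setting that does the equivalent flow pinning in workers mode. The interface name eth0, the CPU numbers (a 4-core sensor) and the cluster-id are assumptions; the autofp-scheduler key exists only in newer releases, so check it against your own suricata.yaml.

```yaml
# suricata.yaml fragment (added example, not taken from the page or the project).
# eth0, the CPU sets and cluster-id 99 are assumptions for a 4-core sensor.

# 1) The runmode is chosen by its "Custom Mode" name (single, autofp, workers),
#    never by the "RunMode Type" (PCAP_DEV, AF_PACKET_DEV, ...) from --list-runmodes.
#    The same value can be given on the command line: suricata --runmode workers -i eth0
runmode: workers              # alternatives: autofp (the default), single

# 2) autofp only: policy for pinning a new flow to a detect thread.
#    "active-packets" = the least-unprocessed-packets policy described above;
#    "hash" pins by flow hash (default in newer releases; key is version dependent).
autofp-scheduler: hash

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]            # flow manager, stats and log flushing
    - receive-cpu-set:
        cpu: [ 0 ]            # autofp only: the capture/decode thread(s)
    - worker-cpu-set:
        cpu: [ "1-3" ]        # worker threads (workers) or detect threads (autofp)
        mode: "exclusive"
        prio:
          default: "high"
  detect-thread-ratio: 1.0    # autofp only: detect threads = ratio * usable CPUs

af-packet:
  - interface: eth0
    threads: 3                # one capture+detect worker per worker CPU above
    cluster-id: 99
    # 3) In workers mode there is no Suricata-side flow scheduler: the kernel's
    #    packet fanout decides which worker thread sees a packet. cluster_flow
    #    keeps every packet of a flow on one thread, which stream reassembly
    #    and detection rely on, so do not replace it with a round-robin type.
    cluster-type: cluster_flow
    defrag: yes
```

After editing, `suricata --dump-config` prints the effective `runmode` value, which is the quickest way to confirm that the configuration file (and not the built-in default of autofp) is what the engine picked up.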
