All of Suricata's runmodes (illustrated walkthrough)
2017-08-09 22:14
No long preamble, straight to the useful part!
Basic components of Suricata. [b]Suricata[/b] is built from so-called threads, thread-modules and queues. Suricata is a multi-threaded program, so several threads are working at any given moment. Thread modules are divided by function: one module acquires and parses packets, another runs detection on them, and so on. A single packet may be handled by several different threads, and queues are what pass a packet from one thread to the next. A thread can own more than one thread module, but only one of those modules is active at a time (the original wording is "If they have more modules, they can only be active on a a time"; I was not sure of it, but that seems to be the meaning).
Suricata supports several runmodes. The runmode decides how the different threads are put to use by the IDS.
The following command lists all available runmodes:
[root@suricata ~]# sudo /usr/local/bin/suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type      | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV          | single      | Single threaded pcap live mode
|                   | autofp      | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
|                   | workers     | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE         | single      | Single threaded pcap file mode
|                   | autofp      | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp      | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
|                   | single      | Single threaded pfring mode
|                   | workers     | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ               | autofp      | Multi threaded NFQ IPS mode with respect to flow
|                   | workers     | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG             | autofp      | Multi threaded nflog mode
|                   | single      | Single threaded nflog mode
|                   | workers     | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW              | autofp      | Multi threaded IPFW IPS mode with respect to flow
|                   | workers     | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE          | single      | Single threaded ERF file mode
|                   | autofp      | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG           | autofp      | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread
|                   | single      | Singled threaded DAG mode
|                   | workers     | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV     | single      | Single threaded af-packet mode
|                   | workers     | Workers af-packet mode, each thread does all tasks from acquisition to logging
|                   | autofp      | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED)  | single      | Single threaded netmap mode
|                   | workers     | Workers netmap mode, each thread does all tasks from acquisition to logging
|                   | autofp      | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| UNIX_SOCKET       | single      | Unix socket mode
|----------------------------------------------------------------------------------------
[root@suricata ~]#
[b]Suricata's runmodes[/b] are simply the different ways of combining the three elements introduced above: threads, thread-modules and [b]queues[/b].
The RunMode Type column in the listing above is the capture method (pcap, af-packet, NFQ and so on); it is not what the `runmode` option in suricata.yaml sets. That option, or `--runmode` on the command line, takes a value from the Custom Mode column: single, autofp or workers. Rows marked (DISABLED) are capture methods this particular build was compiled without, so none of their modes can be selected. The default runmode is autofp; for live traffic its structure is that packet acquisition and decoding run in a capture thread while detection is spread over several detect threads, with packets handed over through queues. In workers mode every thread does everything from acquisition to logging, so keeping both directions of a flow on one thread is up to the capture layer (for af-packet, the cluster_flow cluster type).
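As an added example (not the page's or Suricata's own code): a small Python pre-flight script that parses the `--list-runmodes` table and refuses a capture-method / runmode pair that the build does not offer, instead of finding out at start-up that `workers` is unavailable for pcap files or that PF_RING was compiled out. The listing embedded in it is a trimmed copy of the output above; the binary name `suricata` and the fallback to that sample when the binary is not installed are assumptions.

```python
"""Pre-flight a Suricata capture method / runmode pair against `--list-runmodes`."""
import re
import subprocess
import sys
from typing import Dict, Tuple

# Constructed sample: a trimmed copy of the listing shown in the post.
SAMPLE_LISTING = """\
------------------------------------- Runmodes ------------------------------------------
| RunMode Type      | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV          | single      | Single threaded pcap live mode
|                   | autofp      | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread
|                   | workers     | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE         | single      | Single threaded pcap file mode
|                   | autofp      | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp      | Multi threaded pfring mode
|                   | single      | Single threaded pfring mode
|                   | workers     | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ               | autofp      | Multi threaded NFQ IPS mode with respect to flow
|                   | workers     | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV     | single      | Single threaded af-packet mode
|                   | workers     | Workers af-packet mode, each thread does all tasks from acquisition to logging
|                   | autofp      | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| UNIX_SOCKET       | single      | Unix socket mode
|----------------------------------------------------------------------------------------
"""

# One table row: "| <type or blank> | <mode> | <description>"
ROW = re.compile(r"^\|\s*(?P<type>[^|]*?)\s*\|\s*(?P<mode>[^|]*?)\s*\|\s*(?P<desc>.*?)\s*$")


def parse_runmodes(listing: str) -> Dict[str, Dict[str, str]]:
    """Return {RunMode Type: {Custom Mode: description}} from the table text.

    Follow-on rows of one RunMode Type leave the first column blank, so the last
    non-blank type is carried forward; banner, header and separator lines are skipped.
    """
    table: Dict[str, Dict[str, str]] = {}
    current = None
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, "|----" separator, shell prompt, ...
        rtype, mode, desc = m.group("type"), m.group("mode"), m.group("desc")
        if rtype == "RunMode Type" or not mode or set(mode) <= {"-", " "}:
            continue
        if rtype:
            current = rtype
        if current is not None:
            table.setdefault(current, {})[mode] = desc
    return table


def check_pair(table: Dict[str, Dict[str, str]], capture: str, mode: str) -> Tuple[bool, str]:
    """Is `mode` selectable for capture method `capture` in the build that printed `table`?

    `capture` is matched case-insensitively against the RunMode Type column
    (e.g. "af_packet_dev", "pfring"). A "(DISABLED)" suffix is reported on its own
    so an operator does not mistake a compiled-out capture method for a typo.
    """
    want = capture.upper()
    for rtype, modes in table.items():
        disabled = "(DISABLED)" in rtype.upper()
        base = rtype.upper().replace("(DISABLED)", "")
        if base != want:
            continue
        if disabled:
            return False, f"{base}: capture method not compiled into this build"
        if mode not in modes:
            return False, f"{base}: no runmode {mode!r} (offered: {', '.join(sorted(modes))})"
        return True, f"{base}/{mode}: {modes[mode]}"
    return False, f"{want}: unknown capture method"


def live_listing(binary: str = "suricata") -> str:
    """Output of the real binary (assumed name), or the constructed sample if it is absent."""
    try:
        proc = subprocess.run([binary, "--list-runmodes"], capture_output=True, text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_LISTING


if __name__ == "__main__":
    cap, mode = sys.argv[1:3] if len(sys.argv) == 3 else ("af_packet_dev", "workers")
    ok, msg = check_pair(parse_runmodes(live_listing()), cap, mode)
    print(("OK   " if ok else "FAIL ") + msg)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_runmode.py pcap_file workers` in a deployment script and gate the service start on its exit status; on a sensor where the real binary is present it parses that build's own table rather than the sample.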
The following can also be read on the official site:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Runmodes
[b]Example of the default runmode:[/b] (that is, Suricata's default runmode, autofp)
The default runmode Suricata uses is autofp (short for "automatic flow pinned load balancing"). In this mode the packets of each flow are assigned to a single detect thread, and a new flow is assigned to the thread that has the lowest number of unprocessed packets.
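A toy model of the autofp dispatch rule just described, added here as an illustration; it is not Suricata's scheduler and ignores the real hash-based flow table. It shows the two properties that matter for detection: every packet of a flow, in either direction, lands on the thread the flow was first pinned to, and a new flow goes to the detect thread with the fewest queued packets. All packets and addresses are constructed.

```python
"""Toy model of autofp flow-pinned load balancing (illustration, not Suricata code)."""
from collections import deque
from typing import Deque, Dict, List, Tuple

Packet = Dict[str, object]
FlowKey = Tuple[str, int, str, int, str]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-insensitive 5-tuple, so both halves of a conversation share one key."""
    a = (str(pkt["src"]), int(pkt["sport"]))
    b = (str(pkt["dst"]), int(pkt["dport"]))
    lo, hi = sorted([a, b])
    return (lo[0], lo[1], hi[0], hi[1], str(pkt["proto"]))


class AutofpBalancer:
    """Capture side of autofp: pin each flow to one detect thread, least backlog first."""

    def __init__(self, n_detect: int) -> None:
        self.queues: List[Deque[Packet]] = [deque() for _ in range(n_detect)]
        self.pinned: Dict[FlowKey, int] = {}

    def dispatch(self, pkt: Packet) -> int:
        key = flow_key(pkt)
        if key not in self.pinned:
            # New flow: choose the detect thread with the fewest unprocessed packets.
            self.pinned[key] = min(range(len(self.queues)), key=lambda i: len(self.queues[i]))
        tid = self.pinned[key]
        self.queues[tid].append(pkt)  # later packets of the flow follow the pin
        return tid

    def consume(self, tid: int, n: int) -> None:
        """Simulate detect thread `tid` finishing `n` packets from its queue."""
        for _ in range(min(n, len(self.queues[tid]))):
            self.queues[tid].popleft()


def simulate() -> List[int]:
    """Replay a constructed packet sequence; return the thread chosen for each packet."""
    def pkt(src: str, sport: int, dst: str, dport: int) -> Packet:
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": "tcp"}

    a_c2s = pkt("10.0.0.5", 40001, "10.0.0.80", 80)   # flow A, client -> server
    a_s2c = pkt("10.0.0.80", 80, "10.0.0.5", 40001)   # flow A, server -> client
    b_c2s = pkt("10.0.0.6", 40002, "10.0.0.80", 443)  # flow B
    c_c2s = pkt("10.0.0.7", 40003, "10.0.0.80", 22)   # flow C

    bal = AutofpBalancer(n_detect=2)
    chosen = [bal.dispatch(p) for p in (a_c2s, a_s2c, b_c2s, a_c2s)]
    bal.consume(0, 3)  # thread 0 works off its backlog of flow A
    chosen += [bal.dispatch(p) for p in (c_c2s, b_c2s)]
    return chosen


if __name__ == "__main__":
    print(simulate())  # detect-thread index per packet, in arrival order
```

Flow A's reply packet is routed by the same key as its request, which is what lets a single detect thread see the whole stream; flow B is sent to the idle thread 1 while thread 0 is backed up, and flow C goes back to thread 0 once that backlog has been consumed.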
[b]In the pfring mode, every flow follows its own fixed route in the runmode.[/b]