No preamble, straight to the useful part!
The basic building blocks of Suricata. Suricata is made up of so-called threads, thread modules and queues. Suricata is a multi-threaded program, so at any given moment several threads are working. Thread modules are divided by function: for example, one module parses packets and another runs detection on them. A single packet may be handled by several different threads, and queues are what pass a packet from one thread to the next. At the same time, a thread can own several thread modules, but only one module runs at any given moment (the original text is "If they have more modules, they can only be active on a a time." I don't fully understand it; I think this is what it means).
Suricata supports several runmodes. The runmode determines how the different threads are used for the IDS.
The following command lists all available runmodes.
[root@suricata ~]# sudo /usr/local/bin/suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type      | Custom Mode       | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV          | single            | Single threaded pcap live mode
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
|                   ---------------------------------------------------------------------
|                   | workers           | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE         | single            | Single threaded pcap file mode
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp            | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
|                   ---------------------------------------------------------------------
|                   | single            | Single threaded pfring mode
|                   ---------------------------------------------------------------------
|                   | workers           | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ               | autofp            | Multi threaded NFQ IPS mode with respect to flow
|                   ---------------------------------------------------------------------
|                   | workers           | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG             | autofp            | Multi threaded nflog mode
|                   ---------------------------------------------------------------------
|                   | single            | Single threaded nflog mode
|                   ---------------------------------------------------------------------
|                   | workers           | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW              | autofp            | Multi threaded IPFW IPS mode with respect to flow
|                   ---------------------------------------------------------------------
|                   | workers           | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE          | single            | Single threaded ERF file mode
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG           | autofp            | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread
|                   ---------------------------------------------------------------------
|                   | single            | Singled threaded DAG mode
|                   ---------------------------------------------------------------------
|                   | workers           | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV     | single            | Single threaded af-packet mode
|                   ---------------------------------------------------------------------
|                   | workers           | Workers af-packet mode, each thread does all tasks from acquisition to logging
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED)  | single            | Single threaded netmap mode
|                   ---------------------------------------------------------------------
|                   | workers           | Workers netmap mode, each thread does all tasks from acquisition to logging
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| UNIX_SOCKET       | single            | Unix socket mode
|----------------------------------------------------------------------------------------
[root@suricata ~]#
Suricata's runmodes are simply different combinations of the three elements introduced above: threads, thread modules and queues.
The RunMode Type in the listing above is not the runmode option in the configuration file; it is the Custom Mode column that follows it (the custom mode) that can be set there. For example, the default runmode is autofp; in live traffic detection mode its structure is as follows: a single-threaded module acquires and decodes packets, and multi-threaded modules perform detection.
You can also read the following on the official wiki.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Runmodes
Example of the default runmode: (that is, this is Suricata's default runmode: autofp)
The default runmode Suricata uses is autofp (short for "auto flow pinned load balancing mode"). In this mode, packets from each flow are assigned to a single detect thread. A flow is assigned to the thread with the lowest number of unprocessed packets.
In the pfring mode, every flow follows its own fixed route in the runmode.
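To make the autofp description above concrete, here is an added simulation (written for this page, not Suricata's own code) of flow pinning: a direction-independent flow key ties each flow to one detect thread, and a new flow is pinned to the thread with the fewest unprocessed packets. The packet dict layout, the `AutofpScheduler` class and the sample traffic are constructed assumptions.

```python
from collections import deque

class AutofpScheduler:
    """autofp model: pin each flow to one detect thread, new flows to the least-loaded one."""

    def __init__(self, n_detect_threads):
        self.queues = [deque() for _ in range(n_detect_threads)]  # one queue per detect thread
        self.pin = {}  # flow key -> index of the pinned detect thread

    @staticmethod
    def flow_key(pkt):
        # Direction-independent 5-tuple so both halves of a flow land on one thread.
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], ends[0], ends[1])

    def enqueue(self, pkt):
        """Capture/decode side: pin the flow if it is new, then queue the packet."""
        key = self.flow_key(pkt)
        tid = self.pin.get(key)
        if tid is None:
            # Balance new flows onto the detect thread with the fewest queued packets.
            tid = min(range(len(self.queues)), key=lambda i: len(self.queues[i]))
            self.pin[key] = tid
        self.queues[tid].append(pkt)
        return tid

    def detect(self, tid, n=1):
        """Detect side: thread tid consumes up to n packets from its own queue."""
        taken = []
        while self.queues[tid] and len(taken) < n:
            taken.append(self.queues[tid].popleft())
        return taken

def pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Constructed sample traffic: three flows, with flow A seen in both directions.
SAMPLE = [
    pkt("10.0.0.1", 40000, "10.0.0.2", 80),   # flow A, client -> server
    pkt("10.0.0.3", 40001, "10.0.0.2", 80),   # flow B
    pkt("10.0.0.2", 80, "10.0.0.1", 40000),   # flow A, server -> client
    pkt("10.0.0.4", 40002, "10.0.0.2", 443),  # flow C
]

def assign(packets, n_threads=2):
    """Return the detect thread chosen for each packet, in arrival order."""
    sched = AutofpScheduler(n_threads)
    return [sched.enqueue(p) for p in packets]
```

Running `assign(SAMPLE)` shows both directions of flow A landing on the same detect thread while flows B and C are spread to the less-loaded one.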