Suricata

Suricata is the OISF IDP engine, the open source Intrusion Detection and Prevention Engine.

IDS: Intrusion Detection System

IPS: Intrusion Prevention System

Suricata.yaml

Max-pending-packets

With the max-pending-packets setting you can set the number of packets you allow Suricata to process simultaneously.

Runmodes

The way threads, modules and queues are arranged together is called the Runmode.

Action-order

All signatures have different properties. One of those is the Action property, which determines what happens when a signature matches.
There are four types of Action. A summary of what happens when a matching signature carries each of them:

1) Pass
If a signature matches and contains pass, Suricata stops scanning the packet and skips to the end of all rules (only for the current packet).

2) Drop
This only concerns the IPS/inline mode.
If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further. 
Drawback: The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.

3) Reject
This is an active rejection of the packet. Both receiver and sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped like with the 'drop' action.

4) Alert
If a signature matches and contains alert, the packet will be treated like any other non-threatening packet, except for this one an alert will be generated by Suricata. Only the system administrator can notice this alert.
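The suricata.yaml settings above (max-pending-packets, runmode, action-order) and the four action semantics, as an added Python simulation written for this page; it is not Suricata's own code. The config fragment is constructed with the default action-order, parsed with a hand-rolled reader so PyYAML is not needed, and treated as a priority list: the highest-priority action among the signatures that matched a packet wins. It assumes that a drop rule in IDS (non-inline) mode still logs an alert but cannot block, since the text only says that drop concerns inline mode.

```python
"""Simulation of how Suricata's action-order picks the verdict for one packet.

Added illustration, not Suricata's code. Semantics modelled from the text:
pass ends evaluation with no alert; drop blocks only in IPS/inline mode and
alerts; reject answers TCP with a RST and anything else with an ICMP error,
alerts, and blocks only inline; alert lets the packet through and logs.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed suricata.yaml fragment using the default action-order.
CONFIG_YAML = """\
max-pending-packets: 1024
runmode: autofp
action-order:
  - pass
  - drop
  - reject
  - alert
"""


def parse_config(text):
    """Minimal reader for flat 'key: value' lines plus one '- item' list
    (hand-rolled so the example needs no PyYAML)."""
    cfg, current_list = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith("  - ") and current_list is not None:
            cfg[current_list].append(raw.strip()[2:])
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":               # a key introducing a list
            cfg[key] = []
            current_list = key
        else:
            cfg[key] = int(value) if value.isdigit() else value
            current_list = None
    return cfg


@dataclass
class Signature:
    sid: int
    action: str          # "pass", "drop", "reject" or "alert"


@dataclass
class Packet:
    proto: str           # "TCP", "UDP", "ICMP", ...
    matches: list = field(default_factory=list)   # signatures that matched


@dataclass
class Verdict:
    action: str
    blocked: bool
    alerted: bool
    response: Optional[str]   # "RST", "ICMP-error" or None


def resolve(packet, mode, order):
    """Apply the action-order priority list to a packet's matching signatures.

    mode is "ids" (passive) or "ips" (inline); order is the configured list,
    first entry = highest priority.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    ranked = [s for s in packet.matches if s.action in order]
    if not ranked:
        return Verdict("none", False, False, None)
    winner = min(ranked, key=lambda s: order.index(s.action))
    inline = mode == "ips"
    if winner.action == "pass":       # evaluation stops, nothing logged
        return Verdict("pass", False, False, None)
    if winner.action == "drop":       # assumption: in IDS mode only an alert
        return Verdict("drop", inline, True, None)
    if winner.action == "reject":     # active response in either mode
        response = "RST" if packet.proto == "TCP" else "ICMP-error"
        return Verdict("reject", inline, True, response)
    return Verdict("alert", False, True, None)


if __name__ == "__main__":
    order = parse_config(CONFIG_YAML)["action-order"]
    pkt = Packet("TCP", [Signature(1, "alert"), Signature(2, "drop"), Signature(3, "pass")])
    print(resolve(pkt, "ips", order))   # pass wins under the default order
```

Swapping the configured list (for example putting drop ahead of pass) changes which signature wins for the same packet, which is exactly what editing action-order in suricata.yaml does.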

The Suricata engine is an open source next-generation intrusion detection and prevention engine. It is not intended to replace or imitate existing tools, but to bring new ideas and new technologies to the field. The Suricata engine and the HTP library are available under the GPLv2.

Suricata is a rule-based IDS/IPS engine that uses externally developed rule sets to monitor network traffic and alerts the system administrator when a suspicious event occurs.

The initial Suricata release runs on the Linux 2.6 platform, supports inline and passive traffic monitoring configurations, and can handle multi-gigabit network traffic levels.

Multi-threading

Beyond hardware acceleration (subject to hardware and NIC limitations), the engine is built to use the ever-increasing processing power of the latest multi-core CPU chipsets.

The engine supports the following features: the latest Snort VRT rules and Snort logs; rule language options; multi-threading; hardware acceleration (hardware and NIC dependent/limited); unified output, so it can interact with external log management systems; IPv6; rule-based IP reputation; library plug-ability, so it can interact with other applications; performance statistics output; and a simple and effective getting-started user manual.

Multi Threading

Thread Module Description: a thread module defines one packet-processing unit, from packet acquisition to packet detection. One or more modules can run in a single thread.

Queue Description: if several threads are used to process packets in series, queues are used to pass the packets between them. A thread has a queue handler function that determines how packets are obtained and/or discarded.

Queue Handler Description: the queue handler function is called by a thread to obtain packets from the previous thread or to pass them on to the next thread.
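The three building blocks just described (thread modules, queues, queue handlers), as an added Python model written for this page; it is not Suricata's own code. A ThreadModule is one processing step, a Thread runs its modules in order on each packet read from its input queue, and the queue handler chosen for the thread decides which output queue a surviving packet goes to. The flow-hash handler is modelled on the idea behind flow-based load balancing between a capture thread and several detect threads (as in the autofp runmode): all packets of one flow, in both directions, land on the same detect thread. The packets and the decode rule (non TCP/UDP/ICMP packets are discarded) are constructed for the example.

```python
"""Toy model of Suricata-style thread modules, queues and queue handlers.
Added illustration, not Suricata's code."""
from collections import deque
import hashlib


class Packet:
    def __init__(self, pid, src, dst, sport, dport, proto):
        self.pid, self.src, self.dst = pid, src, dst
        self.sport, self.dport, self.proto = sport, dport, proto
        self.trace = []            # names of the modules that handled it
        self.detect_thread = None  # index of the detect thread that saw it


class ThreadModule:
    """One processing step; func returns the packet, or None to discard it."""
    def __init__(self, name, func):
        self.name, self.func = name, func

    def __call__(self, pkt):
        pkt.trace.append(self.name)
        return self.func(pkt)


class Thread:
    """Runs its modules in order on every packet from in_queue, then hands
    each survivor to the queue handler, which picks an output queue."""
    def __init__(self, name, modules, out_queues, handler):
        self.name, self.modules = name, modules
        self.out_queues, self.handler = out_queues, handler

    def run(self, in_queue):
        while in_queue:
            pkt = in_queue.popleft()
            for module in self.modules:
                pkt = module(pkt)
                if pkt is None:        # a module discarded the packet
                    break
            else:
                self.handler(pkt, self.out_queues)


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a flow hash alike."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (ends[0], ends[1], pkt.proto)


def flow_hash_handler(pkt, queues):
    """Queue handler: a stable hash of the flow key selects the output queue,
    so every packet of a flow is processed by the same downstream thread."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    idx = int.from_bytes(digest[:4], "big") % len(queues)
    queues[idx].append(pkt)


def single_queue_handler(pkt, queues):
    """Queue handler for threads with exactly one downstream queue."""
    queues[0].append(pkt)


def decode(pkt):
    # constructed rule: anything that is not TCP/UDP/ICMP is undecodable here
    return pkt if pkt.proto in ("TCP", "UDP", "ICMP") else None


def make_detect(thread_idx):
    def detect(pkt):
        pkt.detect_thread = thread_idx
        return pkt
    return detect


def run_pipeline(packets, n_detect=2):
    """capture/decode thread -> n_detect detect threads -> one output queue."""
    capture_in = deque(packets)
    detect_queues = [deque() for _ in range(n_detect)]
    output = deque()
    capture = Thread("capture", [ThreadModule("decode", decode)],
                     detect_queues, flow_hash_handler)
    detectors = [Thread("detect%d" % i, [ThreadModule("detect", make_detect(i))],
                        [output], single_queue_handler) for i in range(n_detect)]
    capture.run(capture_in)             # fills the detect queues
    for i, d in enumerate(detectors):   # each detect thread drains its queue
        d.run(detect_queues[i])
    return list(output)


if __name__ == "__main__":
    sample = [Packet(1, "10.0.0.1", "10.0.0.2", 40000, 80, "TCP"),
              Packet(2, "10.0.0.2", "10.0.0.1", 80, 40000, "TCP"),
              Packet(3, "10.0.0.1", "10.0.0.9", 0, 0, "GRE")]
    for p in run_pipeline(sample, n_detect=4):
        print(p.pid, p.trace, "detect thread", p.detect_thread)
```

The queue handler is where the runmode's policy lives: replacing flow_hash_handler with a round-robin handler would spread load evenly but could reorder packets within a flow, which is why flow-aware balancing matters for stateful detection.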


Snort's job is to listen to TCP/IP network traffic and look for signatures in the data flow that might indicate a security threat to an organization's network and computer systems.

Snort's job is to monitor TCP/IP network traffic.

posted @ 2014-01-14 11:46 jokerwoods