command line: suricata --af-packet --runmode workers
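# AF_PACKET inline (IPS) pair: eth0 and eth1 each copy accepted packets to the
# other, so Suricata sits in the traffic path as a bridge between them.
# Operational caveats for this layout:
#   * forwarding only happens while Suricata is running; if it stops, traffic
#     between the two interfaces stops as well (fail-closed)
#   * a rule must use the drop action to block traffic; alert rules only log
#   * both interfaces should use the same MTU and have GRO/LRO offloading
#     disabled, otherwise large packets may not be copied across
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode). Use the same thread count on both interfaces of the pair.
    threads: 1
    # Cluster id. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # cluster-id. The two interfaces of an inline pair use different ids
    # (99 here, 98 for eth1).
    cluster-id: 99
    # AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1.
    # Possible values are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the
    #    same socket
    cluster-type: cluster_flow
    # In some fragmentation cases the hash cannot be computed. If "defrag" is
    # set to yes, the kernel does the needed defragmentation before sending
    # the packets. It is left off here, as is usual for inline (copy-mode)
    # interfaces.
    defrag: no
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes.
    use-mmap: yes
    # ips: packets matched by a drop rule are not forwarded; everything else
    # is copied to copy-iface.
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  # - interface: default
  #   threads: 2
  #   use-mmap: yes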
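# NOTE(review): this af-packet section repeats the one that precedes it on the
# page. A real suricata.yaml should contain the af-packet key only once; a
# duplicated top-level key is ambiguous to YAML parsers.
#
# Inline (IPS) bridge between eth0 and eth1. Each entry names the other
# interface as its copy-iface, so both directions of a connection are
# inspected. Nothing is forwarded unless Suricata is running.
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode). Keep this equal to the thread count of the peer interface.
    threads: 1
    # AF_PACKET load balances packets based on flow; every thread/process
    # taking part in the same capture needs the same cluster-id. The peer
    # interface below uses its own id (98).
    cluster-id: 99
    # Load-balancing mode (only supported for Linux kernel > 3.1):
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the
    #    same socket
    cluster-type: cluster_flow
    # With "defrag: yes" the kernel defragments before handing packets over,
    # which helps when the flow hash cannot be computed on fragments. Inline
    # setups normally leave it off, as here.
    defrag: no
    # 'use-mmap: yes' enables the ring feature of AF_PACKET.
    use-mmap: yes
    # ips honours drop rules (matching packets are not copied to the peer).
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  # - interface: default
  #   threads: 2
  #   use-mmap: yes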