不多说,直接上干货!

  suricata的基本组成。Suricata是由所谓的线程(threads)、线程模块 (thread-modules)和队列(queues)组成。Suricata是一个多线程的程序,因此在同一时刻会有多个线程在工作。线程模块是依据 功能来划分的,比如一个模块用于解析数据包,另一个模块用于检测数据包等。每个数据包可能会有多个不同的线程进行处理,队列就是用于将数据包从一个线程传 递到另一个线程。与此同时,一个线程可以拥有多个线程模块,但是在某一时刻只有一个模块在运行(原文是If they have more modules, they can only be active on a a time.看不大懂,感觉是这个意思)。

  Suricata支持多种运行模式。运行模式决定了不同的线程如何用于IDS。

  以下命令可以查看所有 可用的运行模式

[root@suricata ~]# sudo /usr/local/bin/suricata --list-runmodes

------------------------------------- Runmodes ------------------------------------------

| RunMode Type  | Custom Mode       | Description

|----------------------------------------------------------------------------------------

| PCAP_DEV          | single            | Single threaded pcap live mode

|                   ---------------------------------------------------------------------

|                   | autofp            | Multi threaded pcap live mode.  Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread

|                   ---------------------------------------------------------------------

|                   | workers           | Workers pcap live mode, each thread does all tasks from acquisition to logging

|----------------------------------------------------------------------------------------

| PCAP_FILE         | single            | Single threaded pcap file mode

|                   ---------------------------------------------------------------------

|                   | autofp            | Multi threaded pcap file mode.  Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread

|----------------------------------------------------------------------------------------

| PFRING(DISABLED)  | autofp            | Multi threaded pfring mode.  Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread

|                   ---------------------------------------------------------------------

|                   | single            | Single threaded pfring mode

|                   ---------------------------------------------------------------------

|                   | workers           | Workers pfring mode, each thread does all tasks from acquisition to logging

|----------------------------------------------------------------------------------------

| NFQ               | autofp            | Multi threaded NFQ IPS mode with respect to flow

|                   ---------------------------------------------------------------------

|                   | workers           | Multi queue NFQ IPS mode with one thread per queue

|----------------------------------------------------------------------------------------

| NFLOG             | autofp            | Multi threaded nflog mode

|                   ---------------------------------------------------------------------

|                   | single            | Single threaded nflog mode

|                   ---------------------------------------------------------------------

|                   | workers           | Workers nflog mode

|----------------------------------------------------------------------------------------

| IPFW              | autofp            | Multi threaded IPFW IPS mode with respect to flow

|                   ---------------------------------------------------------------------

|                   | workers           | Multi queue IPFW IPS mode with one thread per queue

|----------------------------------------------------------------------------------------

| ERF_FILE          | single            | Single threaded ERF file mode

|                   ---------------------------------------------------------------------

|                   | autofp            | Multi threaded ERF file mode.  Packets from each flow are assigned to a single detect thread

|----------------------------------------------------------------------------------------

| ERF_DAG           | autofp            | Multi threaded DAG mode.  Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread

|                   ---------------------------------------------------------------------

|                   | single            | Singled threaded DAG mode

|                   ---------------------------------------------------------------------

|                   | workers           | Workers DAG mode, each thread does all  tasks from acquisition to logging

|----------------------------------------------------------------------------------------

| AF_PACKET_DEV     | single            | Single threaded af-packet mode

|                   ---------------------------------------------------------------------

|                   | workers           | Workers af-packet mode, each thread does all tasks from acquisition to logging

|                   ---------------------------------------------------------------------

|                   | autofp            | Multi socket AF_PACKET mode.  Packets from each flow are assigned to a single detect thread.

|----------------------------------------------------------------------------------------

| NETMAP(DISABLED)  | single            | Single threaded netmap mode

|                   ---------------------------------------------------------------------

|                   | workers           | Workers netmap mode, each thread does all tasks from acquisition to logging

|                   ---------------------------------------------------------------------

|                   | autofp            | Multi threaded netmap mode.  Packets from each flow are assigned to a single detect thread.

|----------------------------------------------------------------------------------------

| UNIX_SOCKET       | single            | Unix socket mode

|----------------------------------------------------------------------------------------

[root@suricata ~]#

  Suricata的运行方式就是上面介绍的线程(threads)线程模块(thread-modules)队列(queues)三种元素的不 同组合方式。

  上图中的RunMode Type并不是配置文件中的runmodes选项,而是后面的Custom Mode也就是自定义模式才可以在此处设置。比如默认的Runmodes是autofp,在线实时检测流量的模式中其结构如下,单线程模块获取数据包和解码,多线程模块检测。

  以下大家也可以去官网看。

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Runmodes

Example of the default runmode:(即这是Suricata的的默认运行模式:autofp)

  Suricata使用的默认运行模式是autofp(代表“自动流绑定负载均衡模式”)。在这种模式下,来自每一路流的数据包被分配给单一的检测线程。流被分配给了未处理数据包数量最少的线程。

In the pfring mode, every flow follows its own fixed route in the runmode.

Suricata的所有运行方式模式(图文详解)的更多相关文章

  1. Activity启动模式图文详解

    转载自:http://jcodecraeer.com/a/anzhuokaifa/androidkaifa/2015/0520/2897.html  英文原文:Understand Android A ...

  2. Centos 7 进入单用户模式图文详解

    由于昨晚做了一个很傻X的事情,所以有幸进入了CentOS 7 的单用户模式. CentOS 7 在进入单用户的时候和6.x做了很多的改变, 下面让我们来看看如何进入单用户模式. 如何进入CentOS ...

  3. Stamus Networks的产品SELKS(Suricata IDPS、Elasticsearch 、Logstash 、Kibana 和 Scirius )的下载和安装(带桌面版和不带桌面版)(图文详解)

    不多说,直接上干货!  SELKS是什么? SELKS 是Stamus Networks的产品,它是基于Debian的自启动运行发行,面向网络安全管理.它基于自己的图形规则管理器提供一套完整的.易于使 ...

  4. Window下PHP三种运行方式图文详解,window下的php是不是单进程的?

    Window下PHP三种运行方式图文详解,window下的php是不是单进程的? PHP运行目前为止主要有三种方式: a.以模块加载的方式运行,初学者可能不容易理解,其实就是将PHP集成到Apache ...

  5. 基于CentOS6.5或Ubuntu14.04下Suricata里搭配安装 ELK (elasticsearch, logstash, kibana)(图文详解)

    前期博客 基于CentOS6.5下Suricata(一款高性能的网络IDS.IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐) 基于Ubuntu14.04下Suricata(一款高性能的网络ID ...

  6. suricata.yaml (一款高性能的网络IDS、IPS和网络安全监控引擎)默认配置文件(图文详解)

    不多说,直接上干货! 前期博客 基于CentOS6.5下Suricata(一款高性能的网络IDS.IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐) 或者 基于Ubuntu14.04下Suric ...

  7. 基于CentOS6.5下Suricata(一款高性能的网络IDS、IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐)

    不多说,直接上干货! 为什么,要写这篇论文? 是因为,目前科研的我,正值研三,致力于网络安全.大数据.机器学习研究领域! 论文方向的需要,同时不局限于真实物理环境机器实验室的攻防环境.也不局限于真实物 ...

  8. Cocos2d-x win7 + vs2010 配置图文详解

    Cocos2d-x win7 + vs2010 配置图文详解 下载最新版的cocos2d-x.打开浏览器,输入cocos2d-x.org,然后选择Download,本教程写作时最新版本为cocos2d ...

  9. Hadoop集群搭建安装过程(三)(图文详解---尽情点击!!!)

    Hadoop集群搭建安装过程(三)(图文详解---尽情点击!!!) 一.JDK的安装 安装位置都在同一位置(/usr/tools/jdk1.8.0_73) jdk的安装在克隆三台机器的时候可以提前安装 ...

  10. HTML标签----图文详解

    国庆节快乐,还在加班的童鞋,良辰必有重谢! 本文主要内容 头标签 排版标签:<p>     <br>     <hr>     <center>     ...

随机推荐

  1. flex集成IFrame,IFrame集成UnityWebPlayer直接通讯调用解决方式

    做Web开发一般是flex与JS交互,UnityWebPlayer与JS交互. 它们之间相互调用比較常见. /** * Flex调用Javascript函数 * @params functionNam ...

  2. 提高比特率 有损 无损 Video-and-Audio-file-format-conversion 视频声音转码

    3 Ways to Change Bitrate on MP3 Files https://www.online-tech-tips.com/software-reviews/change-bitra ...

  3. Common non-standard response fields

    https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#cite_note-52 Common non-standard response f ...

  4. DataTabless Add rows

    参考官网案例:https://datatables.net/examples/api/add_row.html JS: $(document).ready(function() {     var t ...

  5. EJB3.0

    由于EJB2.0的复杂性,在Spring和Hibernate[1]  等轻量级框架出现后,大量的用户转向应用轻量级框架.在大家的呼声中, EJB 期待已久的EJB3.0规范终于发布了.在本文中将对新的 ...

  6. (1)JDBC基础-java链接mysql数据库

    怎么操作数据库: 1,通过客户端(比如mac的终端,或者sql pro等专业工具)登陆数据库服务器(mysql -u root -p) 2,编写sql语句 3,发生sql语句到数据库服务器执行. JD ...

  7. Gradle 安装

    Gradle介绍 Gradle是一个基于JVM的构建工具,它提供了: 像Ant一样,通用灵活的构建工具 可以切换的,基于约定的构建框架 强大的多工程构建支持 基于Apache Ivy的强大的依赖管理 ...

  8. RK3288 make otapackage 出错的问题【转】

    本文转载自:http://blog.csdn.net/u010439962/article/details/51734631 Installed file list: out/target/produ ...

  9. YTU 2402: Common Subsequence

    2402: Common Subsequence 时间限制: 1 Sec  内存限制: 32 MB 提交: 63  解决: 33 题目描述 A subsequence of a given seque ...

  10. frameset 框架整体退出登录的问题

    1 设置其他的页面都验证session,如果session不存在就跳转到 Login 页: 2 Login中添加下面的js代码: <script language="JavaScrip ...