From: Victor Julien
Date: Thu, 22 Mar 2012 12:17:51 +0000 (+0100)
Subject: Make 'autofp' the default runmode. Increase default max-pending-packets to 1024....
X-Git-Tag: suricata-1.3beta1~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d1fe9f2fa40953cf8a46fb5f90a176a4a6fbb50;p=thirdparty%2Fsuricata.git

Make 'autofp' the default runmode. Increase default max-pending-packets to 1024. Move some advanced and uncommonly changed settings down in the stock suricata.yaml. Closes #433.
---
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 1eb9c2e925..d97ac33668 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -60,7 +60,7 @@ const char *RunModeAFPGetDefaultMode(void)
 void RunModeIdsAFPRegister(void)
 {
- default_mode_auto = "auto";
+ default_mode_auto = "autofp";
 RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "auto", "Multi threaded af-packet mode", RunModeIdsAFPAuto);
diff --git a/src/runmode-ipfw.c b/src/runmode-ipfw.c
index 787db2c4a2..cd021ac0ed 100644
--- a/src/runmode-ipfw.c
+++ b/src/runmode-ipfw.c
@@ -57,7 +57,7 @@ const char *RunModeIpsIPFWGetDefaultMode(void)
 void RunModeIpsIPFWRegister(void)
 {
- default_mode = "auto";
+ default_mode = "autofp";
 RunModeRegisterNewRunMode(RUNMODE_IPFW, "auto", "Multi threaded IPFW IPS mode", RunModeIpsIPFWAuto);
diff --git a/src/runmode-nfq.c b/src/runmode-nfq.c
index f481c4c471..9a69e0445d 100644
--- a/src/runmode-nfq.c
+++ b/src/runmode-nfq.c
@@ -55,7 +55,7 @@ const char *RunModeIpsNFQGetDefaultMode(void)
 void RunModeIpsNFQRegister(void)
 {
- default_mode = "auto";
+ default_mode = "autofp";
 RunModeRegisterNewRunMode(RUNMODE_NFQ, "auto", "Multi threaded NFQ IPS mode", RunModeIpsNFQAuto);
diff --git a/src/runmode-pcap-file.c b/src/runmode-pcap-file.c
index 0bfe01ec12..e34d079ed8 100644
--- a/src/runmode-pcap-file.c
+++ b/src/runmode-pcap-file.c
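Review bot: In the af-packet hunk `default_mode_auto = "autofp";` is set while the only registration visible is `RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "auto", ...)`, so whether an "autofp" mode is actually registered for RUNMODE_AFP_DEV depends on code below the hunk that I cannot see; if it is not, the new default presumably names a mode the runmode lookup cannot find. The ipfw, nfq and pfring hunks have the same shape (assignment followed only by an "auto" registration), whereas the pcap and pcap-file hunks show the matching `"autofp"` registration right after the assignment. Each Register function's body continues past its hunk. A one-line comment on the assignment, `/* must match a mode registered below for this runmode */`, would make that coupling visible to the next person changing the default.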
@@ -51,7 +51,7 @@ void RunModeFilePcapRegister(void)
 RunModeRegisterNewRunMode(RUNMODE_PCAP_FILE, "auto", "Multi threaded pcap file mode", RunModeFilePcapAuto);
- default_mode = "auto";
+ default_mode = "autofp";
 RunModeRegisterNewRunMode(RUNMODE_PCAP_FILE, "autofp", "Multi threaded pcap file mode. Packets from " "each flow are assigned to a single detect thread, "
diff --git a/src/runmode-pcap.c b/src/runmode-pcap.c
index c723279dd2..db4753f8e6 100644
--- a/src/runmode-pcap.c
+++ b/src/runmode-pcap.c
@@ -54,7 +54,7 @@ void RunModeIdsPcapRegister(void)
 RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "auto", "Multi threaded pcap live mode", RunModeIdsPcapAuto);
- default_mode = "auto";
+ default_mode = "autofp";
 RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp", "Multi threaded pcap live mode. Packets from " "each flow are assigned to a single detect thread, "
diff --git a/src/runmode-pfring.c b/src/runmode-pfring.c
index 567b539834..f907b849df 100644
--- a/src/runmode-pfring.c
+++ b/src/runmode-pfring.c
@@ -56,7 +56,7 @@ const char *RunModeIdsPfringGetDefaultMode(void)
 void RunModeIdsPfringRegister(void)
 {
- default_mode_auto = "auto";
+ default_mode_auto = "autofp";
 RunModeRegisterNewRunMode(RUNMODE_PFRING, "auto", "Multi threaded pfring mode", RunModeIdsPfringAuto);
diff --git a/src/suricata.c b/src/suricata.c
index 766951ce15..9459f376a5 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -197,7 +197,7 @@ volatile sig_atomic_t sigterm_count = 0;
 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
 /* Max packets processed simultaniously. */
-#define DEFAULT_MAX_PENDING_PACKETS 50
+#define DEFAULT_MAX_PENDING_PACKETS 1024
 /** suricata engine control flags */
 uint8_t suricata_ctl_flags = 0;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index e73dae3541..be7c7d865c 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
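Review bot: In the suricata.c hunk `DEFAULT_MAX_PENDING_PACKETS` goes from 50 to 1024, but the comment above it, `/* Max packets processed simultaniously. */`, says nothing about what the larger default costs; if the pending-packet count sizes a preallocated packet pool (not visible in this hunk), a 20x increase is also a baseline memory increase that a reader of this constant should be told about. Suggest `/* Max packets processed simultaneously; default for max-pending-packets in suricata.yaml. Raising it presumably raises baseline memory use - confirm against the packet pool setup. */`, which also fixes the spelling. The yaml comment in the next file repeats the value 1024, so the two should be kept in step.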
@@ -7,29 +7,30 @@
 # Number of packets allowed to be processed simultaneously. Default is a
-# conservative 50. a higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but will negatively impact caching.
+# conservative 1024. A higher number will make sure CPU's/CPU cores will be
+# more easily kept busy, but may negatively impact caching.
 #
 # If you are using the CUDA pattern matcher (b2g_cuda below), different rules
 # apply. In that case try something like 4000 or more. This is because the CUDA
 # pattern matcher scans many packets in parallel.
-#max-pending-packets: 50
+#max-pending-packets: 1024
-# Runmode custom mode the engine should run in. Please check --list-runmodes
-# to get the runmode custom modes that can be used here for a particular runmode.
-#runmode: auto
+# Runmode the engine should use. Please check --list-runmodes to get the available
+# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
+# load balancing).
+#runmode: autofp
-# Specifies the kind of q scheduler used by flow pinned autofp mode.
+# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
 #
 # Supported schedulers are:
 #
-# round-robin - Flows assigned to threads in a round robin fashion.
-# active-packets - Flows assigned to threads that have the lowest number of
-# unprocessed packets.
-# hash - Flow alloted usihng the address hash. More of a random technique. Was
-# the default in 1.2.1 and older.
+# round-robin - Flows assigned to threads in a round robin fashion.
+# active-packets - Flows assigned to threads that have the lowest number of
+# unprocessed packets (default).
+# hash - Flow alloted usihng the address hash. More of a random
+# technique. Was the default in Suricata 1.2.1 and older.
 #
-autofp-scheduler: active-packets
+#autofp-scheduler: active-packets
 # Default pid file.
 # Will use this file if no --pidfile in command options.
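Review bot: The rewritten comment at the top of the hunk now says `# conservative 1024`, yet the sentence that follows still warns that a higher number may hurt caching, so calling the new, 20x larger default "conservative" contradicts the paragraph; `# Number of packets allowed to be processed simultaneously. Default is 1024.` reads cleanly. The spelling error `alloted usihng` was carried over into the re-wrapped `hash` line and should become `allotted using`. Also, `autofp-scheduler` is now commented out while the `active-packets` entry is marked `(default)`; that is only accurate if the compiled-in default is active-packets, which this hunk cannot show, so it is worth confirming before the stock file promises it.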
@@ -40,15 +41,6 @@ autofp-scheduler: active-packets
 # packet size (MTU + hardware header) on your system.
 #default-packet-size: 1514
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
- - pass
- - drop
- - reject
- - alert
-
-
 # The default logging directory. Any log or output file will be
 # placed here if its not specified with a full path name. This can be
 # overridden with the -l command line parameter.
@@ -249,25 +241,6 @@ af-packet:
 # buffer-size: 32768
 # disable-promisc: no
-defrag:
- max-frags: 65535
- prealloc: yes
- timeout: 60
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit. The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
- # enables printing reports for fast-pattern for every rule.
- rules-fast-pattern: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
- match-limit: 3500
- match-limit-recursion: 1500
-
 # You can specify a threshold config file by setting "threshold-file"
 # to the path of the threshold config file:
 # threshold-file: /etc/suricata/threshold.config
@@ -446,6 +419,13 @@ pattern-matcher:
 hash-size: low
 bf-size: medium
+# Defrag settings:
+
+defrag:
+ max-frags: 65535
+ prealloc: yes
+ timeout: 60
+
 # Flow settings:
 # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 # for flow allocation inside the engine. You can change this value to allow
@@ -767,6 +747,16 @@ vars:
 SSH_PORTS: 22
+
+# Set the order of alerts bassed on actions
+# The default order is pass, drop, reject, alert
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+
 # Host specific policies for defragmentation and TCP stream
 # reassembly. The host OS lookup is done using a radix tree, just
 # like a routing table so the most specific entry matches.
@@ -790,6 +780,20 @@ host-os-policy:
 # Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256
+# When run with the option --engine-analysis, the engine will read each of
+# the parameters below, and print reports for each of the enabled sections
+# and exit. The reports are printed to a file in the default log dir
+# given by the parameter "default-log-dir", with engine reporting
+# subsection below printing reports in its own report file.
+engine-analysis:
+ # enables printing reports for fast-pattern for every rule.
+ rules-fast-pattern: yes
+
+#recursion and match limits for PCRE where supported
+pcre:
+ match-limit: 3500
+ match-limit-recursion: 1500
+
 ###########################################################################
 # Configure libhtp.
 #
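Review bot: The `action-order` block is moved verbatim, so the typo in the added line `+# Set the order of alerts bassed on actions` survives the move; the line should read `# Set the order of alerts based on actions`. Since the move is otherwise a copy of the removed text, that is the only change the new block needs. The engine-analysis/pcre hunk below is the same kind of move and carries nothing over that needs attention.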