Article source: Suricata
Suricata is the OISF IDP engine, the open source Intrusion Detection and Prevention Engine.
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
With the max-pending-packets setting you can set the number of packets you allow Suricata to process simultaneously.
The way threads, modules and queues are arranged together is called the Runmode.
All signatures have different properties. One of those is the Action property. This one determines what will happen when a signature matches.
There are four types of Action. A summary of what will happen when a signature matches and contains one of those Actions:
1) Pass
If a signature matches and contains pass, Suricata stops scanning the packet and skips to the end of all rules (only for the current packet).
2) Drop
This only concerns the IPS/inline mode.
If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further.
Drawback: The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.
3) Reject
This is an active rejection of the packet. Both receiver and sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped like with the 'drop' action.
4) Alert
If a signature matches and contains alert, the packet will be treated like any other non-threatening packet, except for this one an alert will be generated by Suricata. Only the system administrator can notice this alert.
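The four actions above differ in two things: whether the packet keeps being matched against later rules, and what the engine does with it. The following Python model, added here as an illustration and not taken from Suricata's code, walks a packet through a small constructed rule set and applies exactly the semantics the text describes: pass stops scanning with no alert, alert logs and continues, drop and reject log and stop, and reject picks a TCP reset or an ICMP error depending on the protocol. The rule parser handles only the rule header plus the msg and sid options; the packet representation and the inline flag are assumptions of the example.

```python
"""Model of Suricata's pass/drop/reject/alert semantics (added example, not Suricata code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed, minimal subset of the rule syntax: header plus msg/sid options.
RULE_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str
    sid: int


@dataclass
class Verdict:
    action: str                                   # "forward" or "drop"
    alerts: list = field(default_factory=list)    # sids that raised an alert
    response: Optional[str] = None                # "tcp-rst" / "icmp-error" for reject


def parse_rule(text: str) -> Rule:
    """Parse one rule line; only the header and the msg/sid options are understood."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("dport"),
                opts.get("msg", ""), int(opts["sid"]))


def matches(rule: Rule, packet: dict) -> bool:
    """Match on protocol and destination port only (addresses are ignored here)."""
    proto_ok = rule.proto == "ip" or rule.proto == packet["proto"]
    port_ok = rule.dport == "any" or int(rule.dport) == packet["dport"]
    return proto_ok and port_ok


def evaluate(packet: dict, rules: list, inline: bool = True) -> Verdict:
    """Apply the rules in order with the action semantics described in the text."""
    verdict = Verdict("forward")
    for rule in rules:
        if not matches(rule, packet):
            continue
        if rule.action == "pass":
            break                        # stop scanning this packet, no alert
        verdict.alerts.append(rule.sid)  # drop, reject and alert all generate an alert
        if rule.action == "alert":
            continue                     # packet is otherwise treated as harmless
        if rule.action == "reject":
            # TCP gets a reset, every other protocol an ICMP error
            verdict.response = "tcp-rst" if packet["proto"] == "tcp" else "icmp-error"
        if inline:
            verdict.action = "drop"      # drop/reject discard the packet only in IPS mode
        break                            # drop and reject stop processing immediately
    return verdict


# Constructed sample rule set (sids are arbitrary example values).
SAMPLE_RULES = [
    'pass tcp any any -> any 22 (msg:"trusted ssh"; sid:1;)',
    'alert tcp any any -> any 22 (msg:"ssh seen"; sid:2;)',
    'drop tcp any any -> any 23 (msg:"telnet blocked"; sid:3;)',
    'reject udp any any -> any 69 (msg:"tftp rejected"; sid:4;)',
    'alert ip any any -> any any (msg:"any packet"; sid:5;)',
]


if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 23},
                {"proto": "udp", "dport": 69}, {"proto": "tcp", "dport": 80}):
        print(pkt, "->", evaluate(pkt, rules))
```

Note that the pass rule for port 22 shadows the alert rule behind it: once pass matches, sid 2 and the catch-all sid 5 are never reached for that packet, which is the point of pass and also the reason to keep pass rules narrow.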
The Suricata engine is an open-source next-generation intrusion detection and prevention engine. It is not intended to replace or imitate existing tools, but to bring new ideas and technologies to the field. The Suricata engine and the HTP library are available under the GPLv2.
Suricata is a rule-based IDS/IPS engine that uses externally developed rule sets to monitor network traffic and alerts the system administrator when suspicious events occur.
The initial release of Suricata ran on the Linux 2.6 platform, supported inline and passive traffic monitoring configurations, and was able to handle multi-gigabit network rates.
Multi-threading
Beyond hardware acceleration (subject to hardware and NIC limitations), the engine is written to use the ever-increasing processing power of the latest multi-core CPU chipsets.
The engine supports the following features: the latest Snort VRT rules and Snort logging; rule language options; multi-threading; hardware acceleration (hardware and NIC dependent/limited); unified output, so it can interact with external log management systems; IPv6; rule-based IP reputation; library pluggability, so it can interact with other applications; performance statistics output; and a simple yet effective getting-started user manual.
Thread Module: A thread module defines a packet processing unit, from packet acquisition to packet detection. One or more modules can run in a single thread.
Queue: If multiple threads are used to process packets serially, queues are used to transport packets between them. A thread has queue handler functions that determine how packets are obtained and/or discarded.
Queue Handler: A function called by a thread to fetch packets from, or remove and hand packets on to, the preceding or next thread.
Snort’s job is to listen to TCP/IP network traffic and look for signatures in the data flow that might indicate a security threat to an organization’s network and computer systems.
Snort's job is to listen to TCP/IP network traffic.
Original: http://www.cnblogs.com/jokerwoods/p/3518714.html