[Oisf-users] Questions on suricata configuration
unite
unite at openmailbox.org
Wed Jan 21 09:16:28 UTC 2015
On 2015-01-20 18:14, Andreas Herz wrote:
> On 20/01/15 at 18:08, unite wrote:
>> Andreas,
>>
>> I have checked it one more time. Both in daemon/non-daemon mode the
>> packet gets passed to the second iptables rule. To be honest, the
>> behaviour I observe satisfies me :) I'm just a bit worried that it
>> could be a symptom of something going wrong...
>
> Well, it's still strange that we both see different behaviour. Maybe
> someone else might check on that :)
Guys, can anyone help on other questions?
1. Suricata runmodes. I didn't manage to find detailed explanations of the
runmodes (I don't count the output of the "--list-runmodes" option) - I mean
some basic recommendations on when to use each one. So, there are three
runmodes for NFQ mode - auto, autofp and workers, with the default being
"autofp". Is it ok to just leave it at "autofp", or should I consider
choosing a different one? How can I work out which of these runmodes is the
most suitable for me?
4. Multi-pattern matcher. Am I right that it takes all the patterns from the
signatures and searches for them simultaneously, and looks for the
exact signature (and its action) only after some pattern has matched?
It's just for my understanding of how it works.
5. Stream-engine/flow settings. I have my nf_conntrack module settings
set to 327680 concurrent sessions max. I looked through the examples in the
suricata.yaml guide (stream-engine and flow stanzas) and found that,
besides the memory allocated for different tasks, there is a "max_sessions"
parameter in the stream-engine settings, which defaults to 262144. I guess I
need nf_conntrack and this max_sessions parameter to match, so that both
nf_conntrack and suricata can handle the same number of sessions? And
I also guess I should multiply all the other allocated memory by 1.25
(262144*1.25=327680) so the settings fit each other inside suricata
itself?
6. Also a question regarding the startup script. I'm using Debian Wheezy and
Suricata 2.0.5. I've found a startup script for Ubuntu on the openinfosec
site and have also found various sysvinit scripts for Debian written by
different people on the net. Is there some kind of "official" init
script for Debian, or should I just write it myself?
Thanks in advance.
--
With kind regards,
Alex