[Oisf-users] Questions on suricata configuration

unite unite at openmailbox.org
Wed Jan 21 09:16:28 UTC 2015

On 2015-01-20 18:14, Andreas Herz wrote:
> On 20/01/15 at 18:08, unite wrote:
>> Andreas,
>> I have checked it one more time. Both in daemon/non-daemon mode the 
>> packet
>> gets passed to the second iptables rule. To be honest, the behaviour I
>> observe satisfies me :) I'm just a bit worried that it could be a 
>> symptom of
>> something going wrong...
> Well still strange that we both have different behaviour. Maybe someone
> else might check on that :)

Guys, can anyone help on other questions?

1. Suricata runmodes. I didn't manage to find detail explanations of the 
runmodes (I don't count the output of "--list-runmodes" option) - I mean 
some basic recomendations when to use each one. So, there are three 
runmodes for NFQ mode - auto, autofp and workers with the default of 
"autofp". Is it ok just to leave it "autofp" or should I consider 
choosing different one? How can I derive which of this runmodes is the 
most suitable for me?

4. Multi-pattern matcher. Am I right: it takes all the patterns from 
signatures and searches for them simultaneously and it looks for the 
exact signature (and it's action) only after some pattern is matched? 
It's just for my understanding of how it works.

5. Stream-engine/flow settings. I have my nf_conntrack module settings 
set to 327680 concurrent sessions max. I looked through the examples in 
suricata.yaml guide (stream-engine and flow stanzas) and found that 
besides memory allocated for different tasks there is "max_sessions" 
parameter in stream-engine settings, which defaults to 262144. I guess I 
need the nf_conntrack and this max_sessions parameter to match so both 
nf_conntrack and suricata can handle the same number of sessions? And 
also I guess I should multiply all other allocated memory by 1,25 
(262144*1,25=327680) for settings to fit each other inside suricata 

6. Also a question regarding startup script. I'm using Debian Wheezy and 
Suricata 2.0.5. I've found a startup script for Ubuntu on openinfosec 
site and also have found various sysvinit scripts for debian written by 
different people on the net. Is there some kind of "official" init 
script for debian or I should just write it myself?

Thanks in advance.

With kind regards,

More information about the Oisf-users mailing list