[Oisf-users] Meaning of force-filestore option

Peter Manev petermanev at gmail.com
Sun Jun 24 05:37:36 UTC 2018



> On 24 Jun 2018, at 00:52, Darren S. <phatbuckett at gmail.com> wrote:
> 
>> On Sat, Jun 23, 2018 at 8:49 AM, Peter Manev <petermanev at gmail.com> wrote:
>>> On Sat, Jun 23, 2018 at 12:04 PM, Victor Julien <lists at inliniac.net> wrote:
>>>> On 23-06-18 02:41, Darren S. wrote:
>>>> Suricata version 4.0.4 RELEASE
>>>> 
>>>> outputs.13.file-store = (null)
>>>> outputs.13.file-store.enabled = yes
>>>> outputs.13.file-store.log-dir = files
>>>> outputs.13.file-store.force-magic = yes
>>>> outputs.13.file-store.force-md5 = yes
>>>> outputs.13.file-store.force-filestore = no
>>>> 
>>>> I'd like to find out what is the meaning of the force-* options in
>>>> these types of settings - understanding that they force the given data
>>>> output, but not what that means by example.
>>>> 
>>>> For example, would outputs.file-store.force-filestore result in Suri
>>>> storing all files regardless of any filestore rules active (as a
>>>> convenience factor)?
>>> 
>>> Yes.
>>> 
>>>> What cases do force-magic and force-md5 output those values where they
>>>> wouldn't normally be output when file-store.enabled = yes?
>>> 
>>> Since md5 and magic are expensive operations they are normally only
>>> performed on-demand, for example if there are rules matching on those
>>> properties. The force-* options enable them unconditionally.
>> 
>> I sometimes find it very useful when running investigation on smaller pcaps.
> 
> That's what I'm finding it very useful for right now. :)  Suricata has
> developed into an incredibly useful packet capture dissection and
> analysis tool.
> 
> One thing I'm hung up on is getting file hashes to be stored/logged.
> Including the build info and config dump below, but the following
> blocks I assumed would get the hash stored in both the file-log JSON
> data and the metadata file written out with the stored file. I've
> tried setting the force-hash value to any of these and still no sign
> of logged hashes:
> 
>  [md5]
>  [md5,sha1]
>  [md5,sha1,sha256]
> 
> outputs.13 = file-store
> outputs.13.file-store = (null)
> outputs.13.file-store.enabled = yes
> outputs.13.file-store.log-dir = files
> outputs.13.file-store.stream-depth = 0
> outputs.13.file-store.force-magic = yes
> outputs.13.file-store.force-hash = [md5]
> outputs.13.file-store.force-filestore = yes
> outputs.14 = file-log
> outputs.14.file-log = (null)
> outputs.14.file-log.enabled = yes
> outputs.14.file-log.filename = files-json.log
> outputs.14.file-log.force-magic = yes
> outputs.14.file-log.force-hash = [md5]
> outputs.14.file-log.append = no
> 
> This is on Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May  8
> 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64 x86_64.
> 
> Suricata installed from Homebrew. At this time just running in pcap
> offline mode (-r).
> 
> Any clue?
> 
> 

I think it is worth it if you try filestore version 2 from 4.1beta/latest git (that would become stable soon anyway) - https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#output



> 
> This is Suricata version 4.0.4 RELEASE
> Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT LIBNET1.1
> HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON
> TLS MAGIC
> SIMD support: SSE_4_2 SSE_4_1 SSE_3
> Atomic intrisics: 1 2 4 8 16 byte(s)
> 64-bits, Little-endian architecture
> GCC version 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2), C
> version 199901
> compiled with -fstack-protector
> compiled with _FORTIFY_SOURCE=2
> L1 cache line size (CLS)=64
> thread local storage method: __thread
> compiled with LibHTP v0.5.26, linked against LibHTP v0.5.26
> 
> Suricata Configuration:
>  AF_PACKET support:                       no
>  PF_RING support:                         no
>  NFQueue support:                         no
>  NFLOG support:                           no
>  IPFW support:                            no
>  Netmap support:                          no
>  DAG enabled:                             no
>  Napatech enabled:                        no
> 
>  Unix socket enabled:                     yes
>  Detection enabled:                       yes
> 
>  Libmagic support:                        yes
>  libnss support:                          yes
>  libnspr support:                         yes
>  libjansson support:                      yes
>  hiredis support:                         no
>  hiredis async with libevent:             no
>  Prelude support:                         no
>  PCRE jit:                                yes
>  LUA support:                             yes
>  libluajit:                               no
>  libgeoip:                                no
>  Non-bundled htp:                         no
>  Old barnyard2 support:                   no
>  CUDA enabled:                            no
>  Hyperscan support:                       no
>  Libnet support:                          yes
> 
>  Rust support (experimental):             no
>  Experimental Rust parsers:               no
>  Rust strict mode:                        no
> 
>  Suricatasc install:                      yes
> 
>  Profiling enabled:                       no
>  Profiling locks enabled:                 no
> 
> Development settings:
>  Coccinelle / spatch:                     no
>  Unit tests enabled:                      no
>  Debug output enabled:                    no
>  Debug validation enabled:                no
> 
> Generic build parameters:
>  Installation prefix:                     /usr/local/Cellar/suricata/4.0.4
>  Configuration directory:                 /usr/local/etc/suricata/
>  Log directory:                           /usr/local/var/log/suricata/
> 
>  --prefix                                 /usr/local/Cellar/suricata/4.0.4
>  --sysconfdir                             /usr/local/etc
>  --localstatedir                          /usr/local/var
> 
>  Host:                                    x86_64-apple-darwin17.4.0
>  Compiler:                                clang (exec name) / clang (real)
>  GCC Protect enabled:                     no
>  GCC march native enabled:                yes
>  GCC Profile enabled:                     no
>  Position Independent Executable enabled: no
>  CFLAGS                                   -g -O2 -DOS_DARWIN -march=native
>  PCAP_CFLAGS                               -I/usr/local/include
>  SECCFLAGS
> 
> 
> default-log-dir = tmp.suricata.d
> vars = (null)
> vars.address-groups = (null)
> vars.address-groups.HOME_NET = 10.0.0.3
> vars.address-groups.EXTERNAL_NET = !$HOME_NET
> vars.address-groups.HTTP_SERVERS = $HOME_NET
> vars.address-groups.SMTP_SERVERS = $HOME_NET
> vars.address-groups.SQL_SERVERS = $HOME_NET
> vars.address-groups.DNS_SERVERS = $HOME_NET
> vars.address-groups.TELNET_SERVERS = $HOME_NET
> vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
> vars.address-groups.DNP3_SERVER = $HOME_NET
> vars.address-groups.DNP3_CLIENT = $HOME_NET
> vars.address-groups.MODBUS_CLIENT = $HOME_NET
> vars.address-groups.MODBUS_SERVER = $HOME_NET
> vars.address-groups.ENIP_CLIENT = $HOME_NET
> vars.address-groups.ENIP_SERVER = $HOME_NET
> vars.port-groups = (null)
> vars.port-groups.HTTP_PORTS = 80
> vars.port-groups.SHELLCODE_PORTS = !80
> vars.port-groups.ORACLE_PORTS = 1521
> vars.port-groups.SSH_PORTS = 22
> vars.port-groups.DNP3_PORTS = 20000
> vars.port-groups.MODBUS_PORTS = 502
> vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
> vars.port-groups.FTP_PORTS = 21
> logging = (null)
> logging.outputs = (null)
> logging.outputs.0 = console
> logging.outputs.0.console = (null)
> logging.outputs.0.console.enabled = yes
> logging.outputs.1 = file
> logging.outputs.1.file = (null)
> logging.outputs.1.file.filename = tmp.suricata.d/suricata.log
> logging.outputs.1.file.append = no
> logging.outputs.1.file.enabled = yes
> logging.outputs.1.file.level = info
> logging.outputs.2 = syslog
> logging.outputs.2.syslog = (null)
> logging.outputs.2.syslog.enabled = no
> logging.outputs.2.syslog.facility = local5
> logging.outputs.2.syslog.format = [%i] <%d> --
> logging.default-log-level = notice
> logging.default-output-filter =
> outputs = (null)
> outputs.0 = fast
> outputs.0.fast = (null)
> outputs.0.fast.enabled = yes
> outputs.0.fast.append = no
> outputs.0.fast.filename = fast.log
> outputs.1 = eve-log
> outputs.1.eve-log = (null)
> outputs.1.eve-log.enabled = yes
> outputs.1.eve-log.append = no
> outputs.1.eve-log.filetype = regular
> outputs.1.eve-log.filename = eve.json
> outputs.1.eve-log.types = (null)
> outputs.1.eve-log.types.0 = alert
> outputs.1.eve-log.types.0.alert = (null)
> outputs.1.eve-log.types.0.alert.metadata = yes
> outputs.1.eve-log.types.0.alert.tagged-packets = yes
> outputs.1.eve-log.types.0.alert.xff = (null)
> outputs.1.eve-log.types.0.alert.xff.enabled = no
> outputs.1.eve-log.types.0.alert.xff.mode = extra-data
> outputs.1.eve-log.types.0.alert.xff.deployment = reverse
> outputs.1.eve-log.types.0.alert.xff.header = X-Forwarded-For
> outputs.1.eve-log.types.1 = http
> outputs.1.eve-log.types.1.http = (null)
> outputs.1.eve-log.types.1.http.extended = yes
> outputs.1.eve-log.types.2 = dns
> outputs.1.eve-log.types.2.dns = (null)
> outputs.1.eve-log.types.2.dns.query = yes
> outputs.1.eve-log.types.2.dns.answer = yes
> outputs.1.eve-log.types.3 = tls
> outputs.1.eve-log.types.3.tls = (null)
> outputs.1.eve-log.types.3.tls.extended = yes
> outputs.1.eve-log.types.4 = files
> outputs.1.eve-log.types.4.files = (null)
> outputs.1.eve-log.types.4.files.force-magic = no
> outputs.1.eve-log.types.5 = ssh
> outputs.1.eve-log.types.6 = stats
> outputs.1.eve-log.types.6.stats = (null)
> outputs.1.eve-log.types.6.stats.totals = yes
> outputs.1.eve-log.types.6.stats.threads = no
> outputs.1.eve-log.types.6.stats.deltas = no
> outputs.2 = unified2-alert
> outputs.2.unified2-alert = (null)
> outputs.2.unified2-alert.enabled = no
> outputs.2.unified2-alert.filename = unified2.alert
> outputs.2.unified2-alert.xff = (null)
> outputs.2.unified2-alert.xff.enabled = no
> outputs.2.unified2-alert.xff.mode = extra-data
> outputs.2.unified2-alert.xff.deployment = reverse
> outputs.2.unified2-alert.xff.header = X-Forwarded-For
> outputs.3 = http-log
> outputs.3.http-log = (null)
> outputs.3.http-log.enabled = yes
> outputs.3.http-log.filename = http.log
> outputs.3.http-log.append = no
> outputs.4 = tls-log
> outputs.4.tls-log = (null)
> outputs.4.tls-log.enabled = yes
> outputs.4.tls-log.filename = tls.log
> outputs.4.tls-log.append = no
> outputs.5 = tls-store
> outputs.5.tls-store = (null)
> outputs.5.tls-store.enabled = yes
> outputs.5.tls-store.certs-log-dir = certs
> outputs.6 = dns-log
> outputs.6.dns-log = (null)
> outputs.6.dns-log.enabled = yes
> outputs.6.dns-log.filename = dns.log
> outputs.6.dns-log.append = no
> outputs.7 = pcap-log
> outputs.7.pcap-log = (null)
> outputs.7.pcap-log.enabled = no
> outputs.7.pcap-log.filename = log.pcap
> outputs.7.pcap-log.limit = 1000mb
> outputs.7.pcap-log.max-files = 2000
> outputs.7.pcap-log.mode = normal
> outputs.7.pcap-log.use-stream-depth = no
> outputs.7.pcap-log.honor-pass-rules = no
> outputs.8 = alert-debug
> outputs.8.alert-debug = (null)
> outputs.8.alert-debug.enabled = no
> outputs.8.alert-debug.filename = alert-debug.log
> outputs.8.alert-debug.append = yes
> outputs.9 = alert-prelude
> outputs.9.alert-prelude = (null)
> outputs.9.alert-prelude.enabled = no
> outputs.9.alert-prelude.profile = suricata
> outputs.9.alert-prelude.log-packet-content = no
> outputs.9.alert-prelude.log-packet-header = yes
> outputs.10 = stats
> outputs.10.stats = (null)
> outputs.10.stats.enabled = no
> outputs.10.stats.filename = stats.log
> outputs.10.stats.totals = yes
> outputs.10.stats.threads = no
> outputs.11 = syslog
> outputs.11.syslog = (null)
> outputs.11.syslog.enabled = no
> outputs.11.syslog.facility = local5
> outputs.12 = drop
> outputs.12.drop = (null)
> outputs.12.drop.enabled = no
> outputs.12.drop.filename = drop.log
> outputs.12.drop.append = yes
> outputs.13 = file-store
> outputs.13.file-store = (null)
> outputs.13.file-store.enabled = yes
> outputs.13.file-store.log-dir = files
> outputs.13.file-store.stream-depth = 0
> outputs.13.file-store.force-magic = yes
> outputs.13.file-store.force-hash = [md5]
> outputs.13.file-store.force-filestore = yes
> outputs.14 = file-log
> outputs.14.file-log = (null)
> outputs.14.file-log.enabled = yes
> outputs.14.file-log.filename = files-json.log
> outputs.14.file-log.force-magic = yes
> outputs.14.file-log.force-hash = [md5]
> outputs.14.file-log.append = no
> outputs.15 = tcp-data
> outputs.15.tcp-data = (null)
> outputs.15.tcp-data.enabled = yes
> outputs.15.tcp-data.type = dir
> outputs.15.tcp-data.filename = tcp-data.log
> outputs.16 = http-body-data
> outputs.16.http-body-data = (null)
> outputs.16.http-body-data.enabled = yes
> outputs.16.http-body-data.type = dir
> outputs.16.http-body-data.filename = http-data.log
> outputs.17 = lua
> outputs.17.lua = (null)
> outputs.17.lua.enabled = no
> outputs.17.lua.scripts =
> stream = (null)
> stream.inline = no
> stream.reassembly = (null)
> stream.reassembly.depth = 0
> stream.reassembly.memcap = 256mb
> stream.reassembly.toserver-chunk-size = 2560
> stream.reassembly.toclient-chunk-size = 2560
> stream.reassembly.randomize-chunk-size = yes
> stream.memcap = 64mb
> stream.checksum-validation = yes
> libhtp = (null)
> libhtp.default-config = (null)
> libhtp.default-config.request-body-limit = 0
> libhtp.default-config.response-body-limit = 0
> default-rule-path = /var/lib/suricata/rules/
> rule-files = (null)
> rule-files.0 = suricata.rules
> classification-file = /usr/local/etc/suricata/classification.config
> reference-config-file = /usr/local/etc/suricata/reference.config
> stats = (null)
> stats.enabled = yes
> stats.interval = 8
> af-packet = (null)
> af-packet.0 = interface
> af-packet.0.interface = eth0
> af-packet.0.cluster-id = 99
> af-packet.0.cluster-type = cluster_flow
> af-packet.0.defrag = yes
> af-packet.1 = interface
> af-packet.1.interface = default
> pcap = (null)
> pcap.0 = interface
> pcap.0.interface = eth0
> pcap.1 = interface
> pcap.1.interface = default
> pcap-file = (null)
> pcap-file.checksum-checks = auto
> app-layer = (null)
> app-layer.protocols = (null)
> app-layer.protocols.tls = (null)
> app-layer.protocols.tls.enabled = yes
> app-layer.protocols.tls.detection-ports = (null)
> app-layer.protocols.tls.detection-ports.dp = 443
> app-layer.protocols.dcerpc = (null)
> app-layer.protocols.dcerpc.enabled = yes
> app-layer.protocols.ftp = (null)
> app-layer.protocols.ftp.enabled = yes
> app-layer.protocols.ssh = (null)
> app-layer.protocols.ssh.enabled = yes
> app-layer.protocols.smtp = (null)
> app-layer.protocols.smtp.enabled = yes
> app-layer.protocols.smtp.mime = (null)
> app-layer.protocols.smtp.mime.decode-mime = yes
> app-layer.protocols.smtp.mime.decode-base64 = yes
> app-layer.protocols.smtp.mime.decode-quoted-printable = yes
> app-layer.protocols.smtp.mime.header-value-depth = 2000
> app-layer.protocols.smtp.mime.extract-urls = yes
> app-layer.protocols.smtp.mime.body-md5 = no
> app-layer.protocols.smtp.inspected-tracker = (null)
> app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
> app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
> app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
> app-layer.protocols.imap = (null)
> app-layer.protocols.imap.enabled = detection-only
> app-layer.protocols.msn = (null)
> app-layer.protocols.msn.enabled = detection-only
> app-layer.protocols.smb = (null)
> app-layer.protocols.smb.enabled = yes
> app-layer.protocols.smb.detection-ports = (null)
> app-layer.protocols.smb.detection-ports.dp = 139, 445
> app-layer.protocols.nfs = (null)
> app-layer.protocols.nfs.enabled = no
> app-layer.protocols.dns = (null)
> app-layer.protocols.dns.tcp = (null)
> app-layer.protocols.dns.tcp.enabled = yes
> app-layer.protocols.dns.tcp.detection-ports = (null)
> app-layer.protocols.dns.tcp.detection-ports.dp = 53
> app-layer.protocols.dns.udp = (null)
> app-layer.protocols.dns.udp.enabled = yes
> app-layer.protocols.dns.udp.detection-ports = (null)
> app-layer.protocols.dns.udp.detection-ports.dp = 53
> app-layer.protocols.http = (null)
> app-layer.protocols.http.enabled = yes
> app-layer.protocols.http.libhtp = (null)
> app-layer.protocols.http.libhtp.default-config = (null)
> app-layer.protocols.http.libhtp.default-config.personality = IDS
> app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
> app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb
> app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
> app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
> app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb
> app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb
> app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2
> app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
> app-layer.protocols.http.libhtp.default-config.double-decode-path = no
> app-layer.protocols.http.libhtp.default-config.double-decode-query = no
> app-layer.protocols.http.libhtp.server-config =
> app-layer.protocols.modbus = (null)
> app-layer.protocols.modbus.enabled = no
> app-layer.protocols.modbus.detection-ports = (null)
> app-layer.protocols.modbus.detection-ports.dp = 502
> app-layer.protocols.modbus.stream-depth = 0
> app-layer.protocols.dnp3 = (null)
> app-layer.protocols.dnp3.enabled = no
> app-layer.protocols.dnp3.detection-ports = (null)
> app-layer.protocols.dnp3.detection-ports.dp = 20000
> app-layer.protocols.enip = (null)
> app-layer.protocols.enip.enabled = no
> app-layer.protocols.enip.detection-ports = (null)
> app-layer.protocols.enip.detection-ports.dp = 44818
> app-layer.protocols.enip.detection-ports.sp = 44818
> app-layer.protocols.ntp = (null)
> app-layer.protocols.ntp.enabled = no
> asn1-max-frames = 256
> coredump = (null)
> coredump.max-dump = unlimited
> host-mode = auto
> unix-command = (null)
> unix-command.enabled = auto
> legacy = (null)
> legacy.uricontent = enabled
> engine-analysis = (null)
> engine-analysis.rules-fast-pattern = yes
> engine-analysis.rules = yes
> pcre = (null)
> pcre.match-limit = 3500
> pcre.match-limit-recursion = 1500
> host-os-policy = (null)
> host-os-policy.windows = (null)
> host-os-policy.windows.0 = 0.0.0.0/0
> host-os-policy.bsd = (null)
> host-os-policy.bsd-right = (null)
> host-os-policy.old-linux = (null)
> host-os-policy.linux = (null)
> host-os-policy.old-solaris = (null)
> host-os-policy.solaris = (null)
> host-os-policy.hpux10 = (null)
> host-os-policy.hpux11 = (null)
> host-os-policy.irix = (null)
> host-os-policy.macos = (null)
> host-os-policy.vista = (null)
> host-os-policy.windows2k3 = (null)
> defrag = (null)
> defrag.memcap = 32mb
> defrag.hash-size = 65536
> defrag.trackers = 65535
> defrag.max-frags = 65535
> defrag.prealloc = yes
> defrag.timeout = 60
> flow = (null)
> flow.memcap = 128mb
> flow.hash-size = 65536
> flow.prealloc = 10000
> flow.emergency-recovery = 30
> vlan = (null)
> vlan.use-for-tracking = true
> flow-timeouts = (null)
> flow-timeouts.default = (null)
> flow-timeouts.default.new = 30
> flow-timeouts.default.established = 300
> flow-timeouts.default.closed = 0
> flow-timeouts.default.bypassed = 100
> flow-timeouts.default.emergency-new = 10
> flow-timeouts.default.emergency-established = 100
> flow-timeouts.default.emergency-closed = 0
> flow-timeouts.default.emergency-bypassed = 50
> flow-timeouts.tcp = (null)
> flow-timeouts.tcp.new = 60
> flow-timeouts.tcp.established = 600
> flow-timeouts.tcp.closed = 60
> flow-timeouts.tcp.bypassed = 100
> flow-timeouts.tcp.emergency-new = 5
> flow-timeouts.tcp.emergency-established = 100
> flow-timeouts.tcp.emergency-closed = 10
> flow-timeouts.tcp.emergency-bypassed = 50
> flow-timeouts.udp = (null)
> flow-timeouts.udp.new = 30
> flow-timeouts.udp.established = 300
> flow-timeouts.udp.bypassed = 100
> flow-timeouts.udp.emergency-new = 10
> flow-timeouts.udp.emergency-established = 100
> flow-timeouts.udp.emergency-bypassed = 50
> flow-timeouts.icmp = (null)
> flow-timeouts.icmp.new = 30
> flow-timeouts.icmp.established = 300
> flow-timeouts.icmp.bypassed = 100
> flow-timeouts.icmp.emergency-new = 10
> flow-timeouts.icmp.emergency-established = 100
> flow-timeouts.icmp.emergency-bypassed = 50
> host = (null)
> host.hash-size = 4096
> host.prealloc = 1000
> host.memcap = 32mb
> decoder = (null)
> decoder.teredo = (null)
> decoder.teredo.enabled = true
> detect = (null)
> detect.profile = medium
> detect.custom-values = (null)
> detect.custom-values.toclient-groups = 3
> detect.custom-values.toserver-groups = 25
> detect.sgh-mpm-context = auto
> detect.inspection-recursion-limit = 3000
> detect.prefilter = (null)
> detect.prefilter.default = mpm
> detect.grouping =
> detect.profiling = (null)
> detect.profiling.grouping = (null)
> detect.profiling.grouping.dump-to-disk = false
> detect.profiling.grouping.include-rules = false
> detect.profiling.grouping.include-mpm-stats = false
> mpm-algo = auto
> spm-algo = auto
> threading = (null)
> threading.set-cpu-affinity = no
> threading.cpu-affinity = (null)
> threading.cpu-affinity.0 = management-cpu-set
> threading.cpu-affinity.0.management-cpu-set = (null)
> threading.cpu-affinity.0.management-cpu-set.cpu = (null)
> threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
> threading.cpu-affinity.1 = receive-cpu-set
> threading.cpu-affinity.1.receive-cpu-set = (null)
> threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
> threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
> threading.cpu-affinity.2 = worker-cpu-set
> threading.cpu-affinity.2.worker-cpu-set = (null)
> threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
> threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
> threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
> threading.cpu-affinity.2.worker-cpu-set.prio = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
> threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
> threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
> threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
> threading.detect-thread-ratio = 1.0
> luajit = (null)
> luajit.states = 128
> profiling = (null)
> profiling.rules = (null)
> profiling.rules.enabled = yes
> profiling.rules.filename = rule_perf.log
> profiling.rules.append = yes
> profiling.rules.limit = 10
> profiling.rules.json = yes
> profiling.keywords = (null)
> profiling.keywords.enabled = yes
> profiling.keywords.filename = keyword_perf.log
> profiling.keywords.append = yes
> profiling.rulegroups = (null)
> profiling.rulegroups.enabled = yes
> profiling.rulegroups.filename = rule_group_perf.log
> profiling.rulegroups.append = yes
> profiling.packets = (null)
> profiling.packets.enabled = yes
> profiling.packets.filename = packet_stats.log
> profiling.packets.append = yes
> profiling.packets.csv = (null)
> profiling.packets.csv.enabled = no
> profiling.packets.csv.filename = packet_stats.csv
> profiling.locks = (null)
> profiling.locks.enabled = no
> profiling.locks.filename = lock_stats.log
> profiling.locks.append = yes
> profiling.pcap-log = (null)
> profiling.pcap-log.enabled = no
> profiling.pcap-log.filename = pcaplog_stats.log
> profiling.pcap-log.append = yes
> nfq =
> nflog = (null)
> nflog.0 = group
> nflog.0.group = 2
> nflog.0.buffer-size = 18432
> nflog.1 = group
> nflog.1.group = default
> nflog.1.qthreshold = 1
> nflog.1.qtimeout = 100
> nflog.1.max-size = 20000
> capture =
> netmap = (null)
> netmap.0 = interface
> netmap.0.interface = eth2
> netmap.1 = interface
> netmap.1.interface = default
> pfring = (null)
> pfring.0 = interface
> pfring.0.interface = eth0
> pfring.0.threads = 1
> pfring.0.cluster-id = 99
> pfring.0.cluster-type = cluster_flow
> pfring.1 = interface
> pfring.1.interface = default
> ipfw =
> napatech = (null)
> napatech.hba = -1
> napatech.use-all-streams = yes
> napatech.streams = (null)
> napatech.streams.0 = 0-3
> mpipe = (null)
> mpipe.load-balance = dynamic
> mpipe.iqueue-packets = 2048
> mpipe.inputs = (null)
> mpipe.inputs.0 = interface
> mpipe.inputs.0.interface = xgbe2
> mpipe.inputs.1 = interface
> mpipe.inputs.1.interface = xgbe3
> mpipe.inputs.2 = interface
> mpipe.inputs.2.interface = xgbe4
> mpipe.stack = (null)
> mpipe.stack.size128 = 0
> mpipe.stack.size256 = 9
> mpipe.stack.size512 = 0
> mpipe.stack.size1024 = 0
> mpipe.stack.size1664 = 7
> mpipe.stack.size4096 = 0
> mpipe.stack.size10386 = 0
> mpipe.stack.size16384 = 0
> cuda = (null)
> cuda.mpm = (null)
> cuda.mpm.data-buffer-size-min-limit = 0
> cuda.mpm.data-buffer-size-max-limit = 1500
> cuda.mpm.cudabuffer-buffer-size = 500mb
> cuda.mpm.gpu-transfer-size = 50mb
> cuda.mpm.batching-timeout = 2000
> cuda.mpm.device-id = 0
> cuda.mpm.cuda-streams = 2
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com
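As an added example for the symptom discussed in this thread (not part of the thread and not Suricata's own code), a small Python checker that parses file-log / EVE fileinfo JSON lines, lists records that lack the hash fields force-hash should have produced, and recomputes the hash of the bytes actually written to the file-store directory. Record field names (md5, sha1, sha256, stored, filename, size) follow Suricata's file JSON output; the sample lines and stored file bytes are constructed, not captured.

```python
"""Check Suricata file-log / EVE fileinfo output for the hashes that force-hash
(or force-md5) should have produced, and cross-check a logged hash against the
bytes stored on disk. Added example, not Suricata project code; sample data below
is constructed."""
import hashlib
import json

HASH_FIELDS = ("md5", "sha1", "sha256")


def parse_file_log(lines):
    """Return one flat record per JSON line. EVE wraps file data in a "fileinfo"
    object; the standalone file-log output is already flat. Blank or unparsable
    lines are skipped so a partially written log does not abort the check."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if obj.get("event_type") == "fileinfo" and isinstance(obj.get("fileinfo"), dict):
            rec = dict(obj["fileinfo"])
            rec["timestamp"] = obj.get("timestamp")
        else:
            rec = obj
        records.append(rec)
    return records


def missing_hashes(records, required=("md5",)):
    """Return (filename, missing-fields) for every record lacking a required hash.
    With force-hash set, each record should carry the configured hashes, so an
    empty result is what a working configuration looks like."""
    out = []
    for rec in records:
        absent = tuple(h for h in required if not rec.get(h))
        if absent:
            out.append((rec.get("filename"), absent))
    return out


def verify_stored_hash(record, stored_bytes):
    """Recompute each logged hash over the stored bytes. Returns {field: bool} for
    the hash fields present in the record; an empty dict means nothing to verify."""
    result = {}
    for field in HASH_FIELDS:
        logged = record.get(field)
        if logged:
            result[field] = hashlib.new(field, stored_bytes).hexdigest() == logged.lower()
    return result


# Constructed sample: a flat file-log line with an md5 (what force-hash: [md5]
# should yield), an EVE fileinfo event with md5 and sha256, and a record with no
# hash at all (the symptom reported in the thread). The stored bytes stand in
# for a file written to the file-store log-dir.
SAMPLE_LINES = [
    '{"timestamp":"2018-06-23T20:41:07.000-0700","filename":"/download/sample.bin",'
    '"magic":"ASCII text, with no line terminators","state":"CLOSED",'
    '"md5":"5d41402abc4b2a76b9719d911017c592","stored":true,"size":5}',
    '{"timestamp":"2018-06-23T20:41:09.000-0700","event_type":"fileinfo",'
    '"fileinfo":{"filename":"/download/sample.bin","state":"CLOSED",'
    '"md5":"5d41402abc4b2a76b9719d911017c592",'
    '"sha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",'
    '"stored":true,"size":5}}',
    '{"timestamp":"2018-06-23T20:41:11.000-0700","filename":"/stats.js",'
    '"magic":"ASCII text","state":"CLOSED","stored":true,"size":5}',
    "",
]
SAMPLE_STORED_BYTES = b"hello"  # constructed content of the stored file

if __name__ == "__main__":
    recs = parse_file_log(SAMPLE_LINES)
    print("records without md5:", missing_hashes(recs))
    print("hash check on record 1:", verify_stored_hash(recs[1], SAMPLE_STORED_BYTES))
```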