[Oisf-users] Meaning of force-filestore option
Peter Manev
petermanev at gmail.com
Sun Jun 24 05:37:36 UTC 2018
> On 24 Jun 2018, at 00:52, Darren S. <phatbuckett at gmail.com> wrote:
>
>> On Sat, Jun 23, 2018 at 8:49 AM, Peter Manev <petermanev at gmail.com> wrote:
>>> On Sat, Jun 23, 2018 at 12:04 PM, Victor Julien <lists at inliniac.net> wrote:
>>>> On 23-06-18 02:41, Darren S. wrote:
>>>> Suricata version 4.0.4 RELEASE
>>>>
>>>> outputs.13.file-store = (null)
>>>> outputs.13.file-store.enabled = yes
>>>> outputs.13.file-store.log-dir = files
>>>> outputs.13.file-store.force-magic = yes
>>>> outputs.13.file-store.force-md5 = yes
>>>> outputs.13.file-store.force-filestore = no
>>>>
>>>> I'd like to find out what is the meaning of the force-* options in
>>>> these types of settings - understanding that they force the given data
>>>> output, but not what that means by example.
>>>>
>>>> For example, would outputs.file-store.force-filestore result in Suri
>>>> storing all files regardless of any filestore rules active (as a
>>>> convenience factor)?
>>>
>>> Yes.
>>>
>>>> What cases do force-magic and force-md5 output those values where they
>>>> wouldn't normally be output when file-store.enabled = yes?
>>>
>>> Since md5 and magic are expensive operations they are normally only
>>> performed on-demand, for example if there are rules matching on those
>>> properties. The force-* options enable them unconditionally.
>>
>> I sometimes find it very useful when running investigation on smaller pcaps.
>
> That's what I'm finding it very useful for right now. :) Suricata has
> developed into an incredibly useful packet capture dissection and
> analysis tool.
>
> One thing I'm hung up on is getting file hashes to be stored/logged.
> Including the build info and config dump below, but the following
> blocks I assumed would get the hash stored in both the file-log JSON
> data and the metadata file written out with the stored file. I've
> tried setting the force-hash value to any of these and still no sign
> of logged hashes:
>
> [md5]
> [md5,sha1]
> [md5,sha1,sha256]
>
> outputs.13 = file-store
> outputs.13.file-store = (null)
> outputs.13.file-store.enabled = yes
> outputs.13.file-store.log-dir = files
> outputs.13.file-store.stream-depth = 0
> outputs.13.file-store.force-magic = yes
> outputs.13.file-store.force-hash = [md5]
> outputs.13.file-store.force-filestore = yes
> outputs.14 = file-log
> outputs.14.file-log = (null)
> outputs.14.file-log.enabled = yes
> outputs.14.file-log.filename = files-json.log
> outputs.14.file-log.force-magic = yes
> outputs.14.file-log.force-hash = [md5]
> outputs.14.file-log.append = no
>
> This is on Darwin 17.6.0 Darwin Kernel Version 17.6.0: Tue May 8
> 15:22:16 PDT 2018; root:xnu-4570.61.1~1/RELEASE_X86_64 x86_64.
>
> Suricata installed from Homebrew. At this time just running in pcap
> offline mode (-r).
>
> Any clue?
>
>
I think it is worth if you try filestotre version 2 from 4.1beta/latest git (that would become stable soon anyway) - https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html#output
>
> This is Suricata version 4.0.4 RELEASE
> Features: PCAP_SET_BUFF HAVE_PACKET_FANOUT LIBNET1.1
> HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON
> TLS MAGIC
> SIMD support: SSE_4_2 SSE_4_1 SSE_3
> Atomic intrisics: 1 2 4 8 16 byte(s)
> 64-bits, Little-endian architecture
> GCC version 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2), C
> version 199901
> compiled with -fstack-protector
> compiled with _FORTIFY_SOURCE=2
> L1 cache line size (CLS)=64
> thread local storage method: __thread
> compiled with LibHTP v0.5.26, linked against LibHTP v0.5.26
>
> Suricata Configuration:
> AF_PACKET support: no
> PF_RING support: no
> NFQueue support: no
> NFLOG support: no
> IPFW support: no
> Netmap support: no
> DAG enabled: no
> Napatech enabled: no
>
> Unix socket enabled: yes
> Detection enabled: yes
>
> Libmagic support: yes
> libnss support: yes
> libnspr support: yes
> libjansson support: yes
> hiredis support: no
> hiredis async with libevent: no
> Prelude support: no
> PCRE jit: yes
> LUA support: yes
> libluajit: no
> libgeoip: no
> Non-bundled htp: no
> Old barnyard2 support: no
> CUDA enabled: no
> Hyperscan support: no
> Libnet support: yes
>
> Rust support (experimental): no
> Experimental Rust parsers: no
> Rust strict mode: no
>
> Suricatasc install: yes
>
> Profiling enabled: no
> Profiling locks enabled: no
>
> Development settings:
> Coccinelle / spatch: no
> Unit tests enabled: no
> Debug output enabled: no
> Debug validation enabled: no
>
> Generic build parameters:
> Installation prefix: /usr/local/Cellar/suricata/4.0.4
> Configuration directory: /usr/local/etc/suricata/
> Log directory: /usr/local/var/log/suricata/
>
> --prefix /usr/local/Cellar/suricata/4.0.4
> --sysconfdir /usr/local/etc
> --localstatedir /usr/local/var
>
> Host: x86_64-apple-darwin17.4.0
> Compiler: clang (exec name) / clang (real)
> GCC Protect enabled: no
> GCC march native enabled: yes
> GCC Profile enabled: no
> Position Independent Executable enabled: no
> CFLAGS -g -O2 -DOS_DARWIN -march=native
> PCAP_CFLAGS -I/usr/local/include
> SECCFLAGS
>
>
> default-log-dir = tmp.suricata.d
> vars = (null)
> vars.address-groups = (null)
> vars.address-groups.HOME_NET = 10.0.0.3
> vars.address-groups.EXTERNAL_NET = !$HOME_NET
> vars.address-groups.HTTP_SERVERS = $HOME_NET
> vars.address-groups.SMTP_SERVERS = $HOME_NET
> vars.address-groups.SQL_SERVERS = $HOME_NET
> vars.address-groups.DNS_SERVERS = $HOME_NET
> vars.address-groups.TELNET_SERVERS = $HOME_NET
> vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
> vars.address-groups.DNP3_SERVER = $HOME_NET
> vars.address-groups.DNP3_CLIENT = $HOME_NET
> vars.address-groups.MODBUS_CLIENT = $HOME_NET
> vars.address-groups.MODBUS_SERVER = $HOME_NET
> vars.address-groups.ENIP_CLIENT = $HOME_NET
> vars.address-groups.ENIP_SERVER = $HOME_NET
> vars.port-groups = (null)
> vars.port-groups.HTTP_PORTS = 80
> vars.port-groups.SHELLCODE_PORTS = !80
> vars.port-groups.ORACLE_PORTS = 1521
> vars.port-groups.SSH_PORTS = 22
> vars.port-groups.DNP3_PORTS = 20000
> vars.port-groups.MODBUS_PORTS = 502
> vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
> vars.port-groups.FTP_PORTS = 21
> logging = (null)
> logging.outputs = (null)
> logging.outputs.0 = console
> logging.outputs.0.console = (null)
> logging.outputs.0.console.enabled = yes
> logging.outputs.1 = file
> logging.outputs.1.file = (null)
> logging.outputs.1.file.filename = tmp.suricata.d/suricata.log
> logging.outputs.1.file.append = no
> logging.outputs.1.file.enabled = yes
> logging.outputs.1.file.level = info
> logging.outputs.2 = syslog
> logging.outputs.2.syslog = (null)
> logging.outputs.2.syslog.enabled = no
> logging.outputs.2.syslog.facility = local5
> logging.outputs.2.syslog.format = [%i] <%d> --
> logging.default-log-level = notice
> logging.default-output-filter =
> outputs = (null)
> outputs.0 = fast
> outputs.0.fast = (null)
> outputs.0.fast.enabled = yes
> outputs.0.fast.append = no
> outputs.0.fast.filename = fast.log
> outputs.1 = eve-log
> outputs.1.eve-log = (null)
> outputs.1.eve-log.enabled = yes
> outputs.1.eve-log.append = no
> outputs.1.eve-log.filetype = regular
> outputs.1.eve-log.filename = eve.json
> outputs.1.eve-log.types = (null)
> outputs.1.eve-log.types.0 = alert
> outputs.1.eve-log.types.0.alert = (null)
> outputs.1.eve-log.types.0.alert.metadata = yes
> outputs.1.eve-log.types.0.alert.tagged-packets = yes
> outputs.1.eve-log.types.0.alert.xff = (null)
> outputs.1.eve-log.types.0.alert.xff.enabled = no
> outputs.1.eve-log.types.0.alert.xff.mode = extra-data
> outputs.1.eve-log.types.0.alert.xff.deployment = reverse
> outputs.1.eve-log.types.0.alert.xff.header = X-Forwarded-For
> outputs.1.eve-log.types.1 = http
> outputs.1.eve-log.types.1.http = (null)
> outputs.1.eve-log.types.1.http.extended = yes
> outputs.1.eve-log.types.2 = dns
> outputs.1.eve-log.types.2.dns = (null)
> outputs.1.eve-log.types.2.dns.query = yes
> outputs.1.eve-log.types.2.dns.answer = yes
> outputs.1.eve-log.types.3 = tls
> outputs.1.eve-log.types.3.tls = (null)
> outputs.1.eve-log.types.3.tls.extended = yes
> outputs.1.eve-log.types.4 = files
> outputs.1.eve-log.types.4.files = (null)
> outputs.1.eve-log.types.4.files.force-magic = no
> outputs.1.eve-log.types.5 = ssh
> outputs.1.eve-log.types.6 = stats
> outputs.1.eve-log.types.6.stats = (null)
> outputs.1.eve-log.types.6.stats.totals = yes
> outputs.1.eve-log.types.6.stats.threads = no
> outputs.1.eve-log.types.6.stats.deltas = no
> outputs.2 = unified2-alert
> outputs.2.unified2-alert = (null)
> outputs.2.unified2-alert.enabled = no
> outputs.2.unified2-alert.filename = unified2.alert
> outputs.2.unified2-alert.xff = (null)
> outputs.2.unified2-alert.xff.enabled = no
> outputs.2.unified2-alert.xff.mode = extra-data
> outputs.2.unified2-alert.xff.deployment = reverse
> outputs.2.unified2-alert.xff.header = X-Forwarded-For
> outputs.3 = http-log
> outputs.3.http-log = (null)
> outputs.3.http-log.enabled = yes
> outputs.3.http-log.filename = http.log
> outputs.3.http-log.append = no
> outputs.4 = tls-log
> outputs.4.tls-log = (null)
> outputs.4.tls-log.enabled = yes
> outputs.4.tls-log.filename = tls.log
> outputs.4.tls-log.append = no
> outputs.5 = tls-store
> outputs.5.tls-store = (null)
> outputs.5.tls-store.enabled = yes
> outputs.5.tls-store.certs-log-dir = certs
> outputs.6 = dns-log
> outputs.6.dns-log = (null)
> outputs.6.dns-log.enabled = yes
> outputs.6.dns-log.filename = dns.log
> outputs.6.dns-log.append = no
> outputs.7 = pcap-log
> outputs.7.pcap-log = (null)
> outputs.7.pcap-log.enabled = no
> outputs.7.pcap-log.filename = log.pcap
> outputs.7.pcap-log.limit = 1000mb
> outputs.7.pcap-log.max-files = 2000
> outputs.7.pcap-log.mode = normal
> outputs.7.pcap-log.use-stream-depth = no
> outputs.7.pcap-log.honor-pass-rules = no
> outputs.8 = alert-debug
> outputs.8.alert-debug = (null)
> outputs.8.alert-debug.enabled = no
> outputs.8.alert-debug.filename = alert-debug.log
> outputs.8.alert-debug.append = yes
> outputs.9 = alert-prelude
> outputs.9.alert-prelude = (null)
> outputs.9.alert-prelude.enabled = no
> outputs.9.alert-prelude.profile = suricata
> outputs.9.alert-prelude.log-packet-content = no
> outputs.9.alert-prelude.log-packet-header = yes
> outputs.10 = stats
> outputs.10.stats = (null)
> outputs.10.stats.enabled = no
> outputs.10.stats.filename = stats.log
> outputs.10.stats.totals = yes
> outputs.10.stats.threads = no
> outputs.11 = syslog
> outputs.11.syslog = (null)
> outputs.11.syslog.enabled = no
> outputs.11.syslog.facility = local5
> outputs.12 = drop
> outputs.12.drop = (null)
> outputs.12.drop.enabled = no
> outputs.12.drop.filename = drop.log
> outputs.12.drop.append = yes
> outputs.13 = file-store
> outputs.13.file-store = (null)
> outputs.13.file-store.enabled = yes
> outputs.13.file-store.log-dir = files
> outputs.13.file-store.stream-depth = 0
> outputs.13.file-store.force-magic = yes
> outputs.13.file-store.force-hash = [md5]
> outputs.13.file-store.force-filestore = yes
> outputs.14 = file-log
> outputs.14.file-log = (null)
> outputs.14.file-log.enabled = yes
> outputs.14.file-log.filename = files-json.log
> outputs.14.file-log.force-magic = yes
> outputs.14.file-log.force-hash = [md5]
> outputs.14.file-log.append = no
> outputs.15 = tcp-data
> outputs.15.tcp-data = (null)
> outputs.15.tcp-data.enabled = yes
> outputs.15.tcp-data.type = dir
> outputs.15.tcp-data.filename = tcp-data.log
> outputs.16 = http-body-data
> outputs.16.http-body-data = (null)
> outputs.16.http-body-data.enabled = yes
> outputs.16.http-body-data.type = dir
> outputs.16.http-body-data.filename = http-data.log
> outputs.17 = lua
> outputs.17.lua = (null)
> outputs.17.lua.enabled = no
> outputs.17.lua.scripts =
> stream = (null)
> stream.inline = no
> stream.reassembly = (null)
> stream.reassembly.depth = 0
> stream.reassembly.memcap = 256mb
> stream.reassembly.toserver-chunk-size = 2560
> stream.reassembly.toclient-chunk-size = 2560
> stream.reassembly.randomize-chunk-size = yes
> stream.memcap = 64mb
> stream.checksum-validation = yes
> libhtp = (null)
> libhtp.default-config = (null)
> libhtp.default-config.request-body-limit = 0
> libhtp.default-config.response-body-limit = 0
> default-rule-path = /var/lib/suricata/rules/
> rule-files = (null)
> rule-files.0 = suricata.rules
> classification-file = /usr/local/etc/suricata/classification.config
> reference-config-file = /usr/local/etc/suricata/reference.config
> stats = (null)
> stats.enabled = yes
> stats.interval = 8
> af-packet = (null)
> af-packet.0 = interface
> af-packet.0.interface = eth0
> af-packet.0.cluster-id = 99
> af-packet.0.cluster-type = cluster_flow
> af-packet.0.defrag = yes
> af-packet.1 = interface
> af-packet.1.interface = default
> pcap = (null)
> pcap.0 = interface
> pcap.0.interface = eth0
> pcap.1 = interface
> pcap.1.interface = default
> pcap-file = (null)
> pcap-file.checksum-checks = auto
> app-layer = (null)
> app-layer.protocols = (null)
> app-layer.protocols.tls = (null)
> app-layer.protocols.tls.enabled = yes
> app-layer.protocols.tls.detection-ports = (null)
> app-layer.protocols.tls.detection-ports.dp = 443
> app-layer.protocols.dcerpc = (null)
> app-layer.protocols.dcerpc.enabled = yes
> app-layer.protocols.ftp = (null)
> app-layer.protocols.ftp.enabled = yes
> app-layer.protocols.ssh = (null)
> app-layer.protocols.ssh.enabled = yes
> app-layer.protocols.smtp = (null)
> app-layer.protocols.smtp.enabled = yes
> app-layer.protocols.smtp.mime = (null)
> app-layer.protocols.smtp.mime.decode-mime = yes
> app-layer.protocols.smtp.mime.decode-base64 = yes
> app-layer.protocols.smtp.mime.decode-quoted-printable = yes
> app-layer.protocols.smtp.mime.header-value-depth = 2000
> app-layer.protocols.smtp.mime.extract-urls = yes
> app-layer.protocols.smtp.mime.body-md5 = no
> app-layer.protocols.smtp.inspected-tracker = (null)
> app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
> app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
> app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
> app-layer.protocols.imap = (null)
> app-layer.protocols.imap.enabled = detection-only
> app-layer.protocols.msn = (null)
> app-layer.protocols.msn.enabled = detection-only
> app-layer.protocols.smb = (null)
> app-layer.protocols.smb.enabled = yes
> app-layer.protocols.smb.detection-ports = (null)
> app-layer.protocols.smb.detection-ports.dp = 139, 445
> app-layer.protocols.nfs = (null)
> app-layer.protocols.nfs.enabled = no
> app-layer.protocols.dns = (null)
> app-layer.protocols.dns.tcp = (null)
> app-layer.protocols.dns.tcp.enabled = yes
> app-layer.protocols.dns.tcp.detection-ports = (null)
> app-layer.protocols.dns.tcp.detection-ports.dp = 53
> app-layer.protocols.dns.udp = (null)
> app-layer.protocols.dns.udp.enabled = yes
> app-layer.protocols.dns.udp.detection-ports = (null)
> app-layer.protocols.dns.udp.detection-ports.dp = 53
> app-layer.protocols.http = (null)
> app-layer.protocols.http.enabled = yes
> app-layer.protocols.http.libhtp = (null)
> app-layer.protocols.http.libhtp.default-config = (null)
> app-layer.protocols.http.libhtp.default-config.personality = IDS
> app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
> app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb
> app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size
> = 32kb
> app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
> app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size
> = 40kb
> app-layer.protocols.http.libhtp.default-config.response-body-inspect-window
> = 16kb
> app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit
> = 2
> app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
> app-layer.protocols.http.libhtp.default-config.double-decode-path = no
> app-layer.protocols.http.libhtp.default-config.double-decode-query = no
> app-layer.protocols.http.libhtp.server-config =
> app-layer.protocols.modbus = (null)
> app-layer.protocols.modbus.enabled = no
> app-layer.protocols.modbus.detection-ports = (null)
> app-layer.protocols.modbus.detection-ports.dp = 502
> app-layer.protocols.modbus.stream-depth = 0
> app-layer.protocols.dnp3 = (null)
> app-layer.protocols.dnp3.enabled = no
> app-layer.protocols.dnp3.detection-ports = (null)
> app-layer.protocols.dnp3.detection-ports.dp = 20000
> app-layer.protocols.enip = (null)
> app-layer.protocols.enip.enabled = no
> app-layer.protocols.enip.detection-ports = (null)
> app-layer.protocols.enip.detection-ports.dp = 44818
> app-layer.protocols.enip.detection-ports.sp = 44818
> app-layer.protocols.ntp = (null)
> app-layer.protocols.ntp.enabled = no
> asn1-max-frames = 256
> coredump = (null)
> coredump.max-dump = unlimited
> host-mode = auto
> unix-command = (null)
> unix-command.enabled = auto
> legacy = (null)
> legacy.uricontent = enabled
> engine-analysis = (null)
> engine-analysis.rules-fast-pattern = yes
> engine-analysis.rules = yes
> pcre = (null)
> pcre.match-limit = 3500
> pcre.match-limit-recursion = 1500
> host-os-policy = (null)
> host-os-policy.windows = (null)
> host-os-policy.windows.0 = 0.0.0.0/0
> host-os-policy.bsd = (null)
> host-os-policy.bsd-right = (null)
> host-os-policy.old-linux = (null)
> host-os-policy.linux = (null)
> host-os-policy.old-solaris = (null)
> host-os-policy.solaris = (null)
> host-os-policy.hpux10 = (null)
> host-os-policy.hpux11 = (null)
> host-os-policy.irix = (null)
> host-os-policy.macos = (null)
> host-os-policy.vista = (null)
> host-os-policy.windows2k3 = (null)
> defrag = (null)
> defrag.memcap = 32mb
> defrag.hash-size = 65536
> defrag.trackers = 65535
> defrag.max-frags = 65535
> defrag.prealloc = yes
> defrag.timeout = 60
> flow = (null)
> flow.memcap = 128mb
> flow.hash-size = 65536
> flow.prealloc = 10000
> flow.emergency-recovery = 30
> vlan = (null)
> vlan.use-for-tracking = true
> flow-timeouts = (null)
> flow-timeouts.default = (null)
> flow-timeouts.default.new = 30
> flow-timeouts.default.established = 300
> flow-timeouts.default.closed = 0
> flow-timeouts.default.bypassed = 100
> flow-timeouts.default.emergency-new = 10
> flow-timeouts.default.emergency-established = 100
> flow-timeouts.default.emergency-closed = 0
> flow-timeouts.default.emergency-bypassed = 50
> flow-timeouts.tcp = (null)
> flow-timeouts.tcp.new = 60
> flow-timeouts.tcp.established = 600
> flow-timeouts.tcp.closed = 60
> flow-timeouts.tcp.bypassed = 100
> flow-timeouts.tcp.emergency-new = 5
> flow-timeouts.tcp.emergency-established = 100
> flow-timeouts.tcp.emergency-closed = 10
> flow-timeouts.tcp.emergency-bypassed = 50
> flow-timeouts.udp = (null)
> flow-timeouts.udp.new = 30
> flow-timeouts.udp.established = 300
> flow-timeouts.udp.bypassed = 100
> flow-timeouts.udp.emergency-new = 10
> flow-timeouts.udp.emergency-established = 100
> flow-timeouts.udp.emergency-bypassed = 50
> flow-timeouts.icmp = (null)
> flow-timeouts.icmp.new = 30
> flow-timeouts.icmp.established = 300
> flow-timeouts.icmp.bypassed = 100
> flow-timeouts.icmp.emergency-new = 10
> flow-timeouts.icmp.emergency-established = 100
> flow-timeouts.icmp.emergency-bypassed = 50
> host = (null)
> host.hash-size = 4096
> host.prealloc = 1000
> host.memcap = 32mb
> decoder = (null)
> decoder.teredo = (null)
> decoder.teredo.enabled = true
> detect = (null)
> detect.profile = medium
> detect.custom-values = (null)
> detect.custom-values.toclient-groups = 3
> detect.custom-values.toserver-groups = 25
> detect.sgh-mpm-context = auto
> detect.inspection-recursion-limit = 3000
> detect.prefilter = (null)
> detect.prefilter.default = mpm
> detect.grouping =
> detect.profiling = (null)
> detect.profiling.grouping = (null)
> detect.profiling.grouping.dump-to-disk = false
> detect.profiling.grouping.include-rules = false
> detect.profiling.grouping.include-mpm-stats = false
> mpm-algo = auto
> spm-algo = auto
> threading = (null)
> threading.set-cpu-affinity = no
> threading.cpu-affinity = (null)
> threading.cpu-affinity.0 = management-cpu-set
> threading.cpu-affinity.0.management-cpu-set = (null)
> threading.cpu-affinity.0.management-cpu-set.cpu = (null)
> threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
> threading.cpu-affinity.1 = receive-cpu-set
> threading.cpu-affinity.1.receive-cpu-set = (null)
> threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
> threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
> threading.cpu-affinity.2 = worker-cpu-set
> threading.cpu-affinity.2.worker-cpu-set = (null)
> threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
> threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
> threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
> threading.cpu-affinity.2.worker-cpu-set.prio = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
> threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
> threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
> threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
> threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
> threading.detect-thread-ratio = 1.0
> luajit = (null)
> luajit.states = 128
> profiling = (null)
> profiling.rules = (null)
> profiling.rules.enabled = yes
> profiling.rules.filename = rule_perf.log
> profiling.rules.append = yes
> profiling.rules.limit = 10
> profiling.rules.json = yes
> profiling.keywords = (null)
> profiling.keywords.enabled = yes
> profiling.keywords.filename = keyword_perf.log
> profiling.keywords.append = yes
> profiling.rulegroups = (null)
> profiling.rulegroups.enabled = yes
> profiling.rulegroups.filename = rule_group_perf.log
> profiling.rulegroups.append = yes
> profiling.packets = (null)
> profiling.packets.enabled = yes
> profiling.packets.filename = packet_stats.log
> profiling.packets.append = yes
> profiling.packets.csv = (null)
> profiling.packets.csv.enabled = no
> profiling.packets.csv.filename = packet_stats.csv
> profiling.locks = (null)
> profiling.locks.enabled = no
> profiling.locks.filename = lock_stats.log
> profiling.locks.append = yes
> profiling.pcap-log = (null)
> profiling.pcap-log.enabled = no
> profiling.pcap-log.filename = pcaplog_stats.log
> profiling.pcap-log.append = yes
> nfq =
> nflog = (null)
> nflog.0 = group
> nflog.0.group = 2
> nflog.0.buffer-size = 18432
> nflog.1 = group
> nflog.1.group = default
> nflog.1.qthreshold = 1
> nflog.1.qtimeout = 100
> nflog.1.max-size = 20000
> capture =
> netmap = (null)
> netmap.0 = interface
> netmap.0.interface = eth2
> netmap.1 = interface
> netmap.1.interface = default
> pfring = (null)
> pfring.0 = interface
> pfring.0.interface = eth0
> pfring.0.threads = 1
> pfring.0.cluster-id = 99
> pfring.0.cluster-type = cluster_flow
> pfring.1 = interface
> pfring.1.interface = default
> ipfw =
> napatech = (null)
> napatech.hba = -1
> napatech.use-all-streams = yes
> napatech.streams = (null)
> napatech.streams.0 = 0-3
> mpipe = (null)
> mpipe.load-balance = dynamic
> mpipe.iqueue-packets = 2048
> mpipe.inputs = (null)
> mpipe.inputs.0 = interface
> mpipe.inputs.0.interface = xgbe2
> mpipe.inputs.1 = interface
> mpipe.inputs.1.interface = xgbe3
> mpipe.inputs.2 = interface
> mpipe.inputs.2.interface = xgbe4
> mpipe.stack = (null)
> mpipe.stack.size128 = 0
> mpipe.stack.size256 = 9
> mpipe.stack.size512 = 0
> mpipe.stack.size1024 = 0
> mpipe.stack.size1664 = 7
> mpipe.stack.size4096 = 0
> mpipe.stack.size10386 = 0
> mpipe.stack.size16384 = 0
> cuda = (null)
> cuda.mpm = (null)
> cuda.mpm.data-buffer-size-min-limit = 0
> cuda.mpm.data-buffer-size-max-limit = 1500
> cuda.mpm.cudabuffer-buffer-size = 500mb
> cuda.mpm.gpu-transfer-size = 50mb
> cuda.mpm.batching-timeout = 2000
> cuda.mpm.device-id = 0
> cuda.mpm.cuda-streams = 2
>
> --
> Darren Spruell
> phatbuckett at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180624/8fdb070d/attachment-0001.html>
More information about the Oisf-users
mailing list