{"id":904,"date":"2018-03-09T19:47:33","date_gmt":"2018-03-09T11:47:33","guid":{"rendered":"http:\/\/weizn.net\/?p=904"},"modified":"2021-09-22T17:09:55","modified_gmt":"2021-09-22T09:09:55","slug":"suricata-pf_ring%ef%bc%88zc%e6%a8%a1%e5%bc%8f%ef%bc%89%e9%83%a8%e7%bd%b210g%e9%87%87%e9%9b%86%e5%99%a8","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=904","title":{"rendered":"Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_17 counter-hierarchy\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" style=\"display: none;\"><i class=\"ez-toc-glyphicon ez-toc-icon-toggle\"><\/i><\/a><\/span><\/div>\n<nav><ul class=\"ez-toc-list ez-toc-list-level-1\"><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/weizn.net\/?p=904\/#%E4%B8%80%E3%80%81%E5%BF%85%E8%A6%81%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85\" title=\"\u4e00\u3001\u5fc5\u8981\u8f6f\u4ef6\u5b89\u88c5\">\u4e00\u3001\u5fc5\u8981\u8f6f\u4ef6\u5b89\u88c5<\/a><ul class=\"ez-toc-list-level-2\"><li class=\"ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/weizn.net\/?p=904\/#1%E3%80%81%E7%BC%96%E8%AF%91%E5%B9%B6%E5%AE%89%E8%A3%85PF_RING%E5%95%86%E4%B8%9A%E7%89%88\" title=\"1\u3001\u7f16\u8bd1\u5e76\u5b89\u88c5PF_RING\u5546\u4e1a\u7248\">1\u3001\u7f16\u8bd1\u5e76\u5b89\u88c5PF_RING\u5546\u4e1a\u7248<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/weizn.net\/?p=904\/#2%E3%80%81%E5%8A%A0%E8%BD%BDPF_RING%E9%A9%B1%E5%8A%A8\" title=\"2\u3001\u52a0\u8f7dPF_RING\u9a71\u52a8\">2\u3001\u52a0\u8f7dPF_RING\u9a71\u52a8<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link 
ez-toc-heading-4\" href=\"http:\/\/weizn.net\/?p=904\/#3%E3%80%81%E5%AE%89%E8%A3%85hiredis\" title=\"3\u3001\u5b89\u88c5hiredis\">3\u3001\u5b89\u88c5hiredis<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/weizn.net\/?p=904\/#4%E3%80%81%E5%AE%89%E8%A3%85boost160\" title=\"4\u3001\u5b89\u88c5boost.1.60\">4\u3001\u5b89\u88c5boost.1.60<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/weizn.net\/?p=904\/#5%E3%80%81%E5%AE%89%E8%A3%85hyperscan\" title=\"5\u3001\u5b89\u88c5hyperscan\">5\u3001\u5b89\u88c5hyperscan<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-7\" href=\"http:\/\/weizn.net\/?p=904\/#6%E3%80%81%E5%AE%89%E8%A3%85Suricata\" title=\"6\u3001\u5b89\u88c5Suricata\">6\u3001\u5b89\u88c5Suricata<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-8\" href=\"http:\/\/weizn.net\/?p=904\/#%E4%BA%8C%E3%80%81%E4%BC%98%E5%8C%96%E5%8F%82%E6%95%B0\" title=\"\u4e8c\u3001\u4f18\u5316\u53c2\u6570\">\u4e8c\u3001\u4f18\u5316\u53c2\u6570<\/a><ul class=\"ez-toc-list-level-2\"><li class=\"ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-9\" href=\"http:\/\/weizn.net\/?p=904\/#1%E3%80%81%E7%BD%91%E5%8D%A1%E5%8F%82%E6%95%B0\" title=\"1\u3001\u7f51\u5361\u53c2\u6570\">1\u3001\u7f51\u5361\u53c2\u6570<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-10\" href=\"http:\/\/weizn.net\/?p=904\/#2%E3%80%81%E7%B3%BB%E7%BB%9F%E5%8F%82%E6%95%B0\" title=\"2\u3001\u7cfb\u7edf\u53c2\u6570\">2\u3001\u7cfb\u7edf\u53c2\u6570<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-11\" href=\"http:\/\/weizn.net\/?p=904\/#3%E3%80%81Suricata%E5%85%B3%E9%94%AE%E5%8F%82%E6%95%B0\" 
title=\"3\u3001Suricata\u5173\u952e\u53c2\u6570\">3\u3001Suricata\u5173\u952e\u53c2\u6570<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-12\" href=\"http:\/\/weizn.net\/?p=904\/#%E4%B8%89%E3%80%81%E5%90%AF%E5%8A%A8Suricata\" title=\"\u4e09\u3001\u542f\u52a8Suricata\">\u4e09\u3001\u542f\u52a8Suricata<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-13\" href=\"http:\/\/weizn.net\/?p=904\/#%E5%9B%9B%E3%80%81%E8%AF%84%E4%BC%B0%E8%A7%84%E5%88%99%E9%9B%86%E6%80%A7%E8%83%BD\" title=\"\u56db\u3001\u8bc4\u4f30\u89c4\u5219\u96c6\u6027\u80fd\">\u56db\u3001\u8bc4\u4f30\u89c4\u5219\u96c6\u6027\u80fd<\/a><\/li><\/ul><\/nav><\/div>\n<div class=\"gfmr-markdown-container\"><div class=\"gfmr-markdown-source\" style=\"display: none;\">&lt;p&gt;\u524d\u7f6e\u6761\u4ef6\u51c6\u5907\u4e00\u4e2a\u5e72\u51c0\u7684CentOS7\u73af\u5883\uff0c\u90e8\u7f72\u7248\u672cSuricata_4.0.4 + PF_RING_ZC_7.0.0\uff0c\u786c\u4ef6\u914d\u7f6e32\u6838\u5fc3200GB\u5185\u5b58\u3002&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h1&gt;\u4e00\u3001\u5fc5\u8981\u8f6f\u4ef6\u5b89\u88c5&lt;\/h1&gt;\n&lt;h2&gt;1\u3001\u7f16\u8bd1\u5e76\u5b89\u88c5PF_RING\u5546\u4e1a\u7248&lt;\/h2&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;generic&quot;&gt;pf_ring_dir=&quot;PF_RING-7.0.0-stable&quot; \r\n\r\nyum install gcc cmake bison flex file-devel libhugetlbfs -y \r\n\r\ncd $pf_ring_dir\/kernel \r\n\r\nmake \r\n\r\nmake install \r\n\r\ncd ..\/userland\/lib \r\n\r\n.\/configure \r\n\r\nmake \r\n\r\nmake install \r\n\r\ncd ..\/libpcap-1.8.1\/ \r\n\r\n.\/configure \r\n\r\nmake \r\n\r\nmake install \r\n\r\ncd ..\/..\/drivers\/intel\/ixgbe\/ixgbe-5.0.4-zc\/src\/ \r\n\r\nmake \r\n\r\nsudo make install\r\n\r\ncd $pf_ring_dir\/userland\/examples\r\n\r\nmake \r\n\r\nmake install\r\n\r\ncd ..\/examples_zc\r\n\r\nmake\r\n\r\nmake install\r\n\r\ncd 
..\/tcpdump\r\n\r\n.\/configure\r\n\r\nmake\r\n\r\nmake install\r\n&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h2&gt;2\u3001\u52a0\u8f7dPF_RING\u9a71\u52a8&lt;\/h2&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;cd $pf_ring_dir\/drivers\/intel\/ixgbe\/ixgbe-5.0.4-zc\/src\/\r\n\r\nbash load_driver.sh&lt;\/pre&gt;\n&lt;p&gt;\u68c0\u67e5\u4e07\u5146\u7f51\u5361\u9a71\u52a8\u662f\u5426\u52a0\u8f7d\u6210\u529f\uff1a&lt;\/p&gt;\n&lt;p&gt;$ modinfo ixgbe&lt;\/p&gt;\n&lt;p&gt;&lt;img class=&quot;alignnone wp-image-905&quot; title=&quot;21648c67156434aca6fe74068b0e330c&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c.png&quot; alt=&quot;21648c67156434aca6fe74068b0e330c&quot; width=&quot;656&quot; height=&quot;283&quot; \/&gt;&lt;\/p&gt;\n&lt;p&gt;\u68c0\u67e5PF_RING\u9a71\u52a8\u662f\u5426\u52a0\u8f7d\u6210\u529f\uff1a&lt;\/p&gt;\n&lt;p&gt;$ modinfo pf_ring&lt;\/p&gt;\n&lt;p&gt;&lt;img class=&quot;alignnone wp-image-906&quot; title=&quot;bc9782b378122a7cd86829ba1f9d8ace&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace.png&quot; alt=&quot;bc9782b378122a7cd86829ba1f9d8ace&quot; width=&quot;666&quot; height=&quot;281&quot; \/&gt;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h2&gt;3\u3001\u5b89\u88c5hiredis&lt;\/h2&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;yum -y install gcc automake autoconf libtool make\r\n\r\ngit clone https:\/\/github.com\/redis\/hiredis.git  \r\n\r\ncd hiredis\/  \r\n\r\nmake\r\n\r\nsudo make install&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h2&gt;4\u3001\u5b89\u88c5boost.1.60&lt;\/h2&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;sudo yum install python-devel -y\r\n\r\nsudo yum install libquadmath -y\r\n\r\nsudo yum install libquadmath-devel -y\r\n\r\nsudo yum install bzip2-devel -y\r\n\r\nsudo yum install cmake 
ragel -y\r\n\r\nsudo yum install boost-devel -y\r\n\r\nwget http:\/\/downloads.sourceforge.net\/project\/boost\/boost\/1.60.0\/boost_1_60_0.tar.gz\r\n\r\ntar xvzf boost_1_60_0.tar.gz\r\n\r\ncd boost_1_60_0\r\n\r\nmkdir -p \/tmp\/boost-1.60_tmp\r\n\r\n.\/bootstrap.sh --prefix=\/tmp\/boost-1.60_tmp\r\n\r\n.\/b2\r\n\r\n.\/b2 install&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h2&gt;5\u3001\u5b89\u88c5hyperscan&lt;\/h2&gt;\n&lt;p&gt;\u5728\u300e\/etc\/profile\u300f\u6dfb\u52a0\u4ee5\u4e0b\u547d\u4ee4\u884c\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;export PATH=\/usr\/local\/bin\/:$PATH\r\nexport LD_LIBRARY_PATH=\/usr\/local\/lib64:$LD_LIBRARY_PATH&lt;\/pre&gt;\n&lt;p&gt;\u8ba9\u540e\u6267\u884c\u300esource \/etc\/profile\u300f\u3002&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;generic&quot;&gt;wget http:\/\/www.colm.net\/files\/ragel\/ragel-6.10.tar.gz\r\n\r\ntar -zxvf ragel-6.10.tar.gz\r\n\r\ncd ragel-6.10\r\n\r\n.\/configure\r\n\r\nmake\r\n\r\nmake install\r\n\r\nldconfig\r\n\r\ncd ..\r\n\r\n#########################################################\r\nwget https:\/\/ftp.gnu.org\/gnu\/binutils\/binutils-2.37.tar.gz\r\n\r\ntar -zxvf binutils-2.37.tar.gz\r\n\r\ncd binutils-2.37\r\n\r\n.\/configure\r\n\r\nmake\r\n\r\nmake install\r\n\r\ncd ..\r\n\r\n\r\n#########################################################\r\ngit clone https:\/\/github.com\/01org\/hyperscan\r\n\r\ncd hyperscan\r\n\r\nmkdir build\r\n\r\ncd build\r\n\r\ncmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=\/tmp\/boost-1.60_tmp ..\/\r\n\r\nmake -j4\r\n\r\nsudo make 
install\r\n&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h2&gt;6\u3001\u5b89\u88c5Suricata&lt;\/h2&gt;\n&lt;p&gt;\u7f16\u8bd1\u53c2\u6570\u300e&#8211;enable-profiling\u300f\u52a0\u4e0a\u540e\uff0c\u65e0\u8bba\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u662f\u5426\u5f00\u542f\u300eprofiling-rules\u300f\u529f\u80fd\u90fd\u4f1a\u5f71\u54cd\u6027\u80fd\uff0c\u4f46\u53ea\u6709\u52a0\u4e0a\u8fd9\u4e2a\u53c2\u6570\u540e\u624d\u80fd\u8bc4\u4f30\u89c4\u5219\u96c6\u7684\u68c0\u6d4b\u6548\u7387\uff0c\u6240\u4ee5\u5efa\u8bae\u5728\u6d4b\u8bd5\u73af\u5883\u4e2d\u5f00\u542f\u8fd9\u4e2a\u53c2\u6570\u6765\u4f18\u5316\u89c4\u5219\uff0c\u4f46\u7ebf\u4e0a\u73af\u5883\u53d6\u6d88\u8fd9\u4e2a\u7f16\u8bd1\u53c2\u6570\uff1a&lt;\/p&gt;\n&lt;p&gt;&lt;img class=&quot;alignnone wp-image-938&quot; title=&quot;f17abf36a836f03ab8fb9e05d4e6f4ce-2&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f17abf36a836f03ab8fb9e05d4e6f4ce-2.png&quot; alt=&quot;f17abf36a836f03ab8fb9e05d4e6f4ce-2&quot; width=&quot;598&quot; height=&quot;415&quot; \/&gt;&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;# \u6b64\u8fc7\u7a0b\u8f6f\u4ef6\u5305\u53ef\u80fd\u4e0d\u5168\uff0c\u7b49Suricata\u914d\u7f6emake\u6587\u4ef6\u4e0d\u901a\u8fc7\u65f6\u4f1a\u63d0\u9192\u5b89\u88c5\u7f3a\u5931\u8f6f\u4ef6\u3002\r\n\r\nsudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel  libevent-devel lua-devel GeoIP-devel gperftools-libs -y\r\n\r\ncd $suricata_dir\/\r\n\r\n.\/configure --enable-lua --enable-pfring --enable-old-barnyard2 --enable-hiredis --enable-unix-socket --enable-profiling --enable-geoip --with-libnss-libraries=\/usr\/lib64 --with-libnss-includes=\/usr\/include\/nss3 --with-libnspr-libraries=\/usr\/lib64 --with-libnspr-includes=\/usr\/include\/nspr4 --with-libpfring-includes=\/usr\/local\/include 
--with-libpfring-libraries=\/usr\/local\/lib --with-libhs-includes=\/usr\/local\/include\/hs\/ --with-libhs-libraries=\/usr\/local\/lib\/\r\n\r\nmake\r\n\r\nmake install\r\n\r\necho &quot;\/usr\/local\/lib64&quot; | tee --append \/etc\/ld.so.conf.d\/usrlocal.conf\r\n\r\nldconfig&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h1&gt;\u4e8c\u3001\u4f18\u5316\u53c2\u6570&lt;\/h1&gt;\n&lt;h2&gt;1\u3001\u7f51\u5361\u53c2\u6570&lt;\/h2&gt;\n&lt;p&gt;\u5982\u679c\u955c\u50cf\u53e3\u5728eth3\u548ceth4\u4e0a\uff0c\u6267\u884c\u5982\u4e0b\u547d\u4ee4\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;sudo ethtool -K eth3 rx off\r\nsudo ethtool -K eth3 tx off\r\nsudo ethtool -K eth3 sg off\r\nsudo ethtool -K eth3 tso off\r\nsudo ethtool -K eth3 gso off\r\nsudo ethtool -K eth3 gro off\r\nsudo ethtool -K eth3 lro off\r\nsudo ethtool -K eth3 rxvlan off\r\nsudo ethtool -K eth3 txvlan off\r\nsudo ethtool -K eth3 ntuple off\r\nsudo ethtool -K eth3 rxhash off\r\nsudo ethtool -A eth3 rx off tx off\r\n\r\nsudo ethtool -K eth4 rx off\r\nsudo ethtool -K eth4 tx off\r\nsudo ethtool -K eth4 sg off\r\nsudo ethtool -K eth4 tso off\r\nsudo ethtool -K eth4 gso off\r\nsudo ethtool -K eth4 gro off\r\nsudo ethtool -K eth4 lro off\r\nsudo ethtool -K eth4 rxvlan off\r\nsudo ethtool -K eth4 txvlan off\r\nsudo ethtool -K eth4 ntuple off\r\nsudo ethtool -K eth4 rxhash off\r\nsudo ethtool -A eth4 rx off tx off\r\n\r\nifconfig eth4 mtu 1522\r\nifconfig eth3 mtu 1522\r\n\r\n# \u8fd9\u6b65\u5f88\u91cd\u8981\uff0cZC\u6a21\u5f0f\u4e0b\u5fc5\u987b\u5c06\u7f51\u5361\u961f\u5217\u8bbe\u7f6e\u4e3a1\uff0c\u5426\u5219\u4f1a\u9020\u6210fordwarded\u7ed9suricata\u7684\u6d41\u91cf\u4e0d\u5b8c\u6574\r\nethtool -L eth3 combined 1 \r\nethtool -L eth4 combined 1 \r\n&lt;\/pre&gt;\n&lt;h2&gt;2\u3001\u7cfb\u7edf\u53c2\u6570&lt;\/h2&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;# \u914d\u7f6e\u5185\u5b58\u5927\u9875\r\nmkdir 
\/hugetlbf\r\nmount -t hugetlbfs nodev \/hugetlbf\r\nsysctl -w vm.nr_hugepages=10240\r\n\r\n# \u751f\u6548\u65b0\u914d\u7f6e\r\nsysctl -p&lt;\/pre&gt;\n&lt;p&gt;\u8bbe\u7f6eCPU\u9694\u79bb\uff0c\u4f8b\u598232\u6838\u673a\u5668\uff0c\u7ed9\u7cfb\u7edf\u9884\u75592\u4e2aCPU\uff0c\u5176\u4f59\u7684\u5168\u90e8\u9694\u79bb\u8d77\u6765\uff0c\u7b49\u5f85Suricata\u72ec\u5360\uff0c\u4fee\u6539\/etc\/default\/grub\u6587\u4ef6\uff08\u4e0d\u540c\u7684\u7cfb\u7edf\u6587\u4ef6\u4f4d\u7f6e\u53ef\u80fd\u4e0d\u540c\uff09\uff0c\u52a0\u5165\u4ee5\u4e0b\u53c2\u6570\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;generic&quot;&gt;isolcpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 nohz_full=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 rcu_nocbs=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29&lt;\/pre&gt;\n&lt;p&gt;&lt;img class=&quot;alignnone wp-image-933&quot; title=&quot;49a3a8be78f21e95caace7099053a0c6&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6.png&quot; alt=&quot;49a3a8be78f21e95caace7099053a0c6&quot; width=&quot;692&quot; height=&quot;312&quot; \/&gt;&lt;\/p&gt;\n&lt;p&gt;\u4fdd\u5b58\u540e\u91cd\u542f\u7cfb\u7edf\uff0c\u7136\u540e\u6267\u884c\u547d\u4ee4\u300ecat \/proc\/cmdline\u300f\u67e5\u770b\u914d\u7f6e\u662f\u5426\u751f\u6548\uff1a&lt;\/p&gt;\n&lt;h2&gt;&lt;img class=&quot;alignnone size-full wp-image-924&quot; title=&quot;c9dc8949f0ad8b00a049a58b8a0206f3&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3.png&quot; alt=&quot;c9dc8949f0ad8b00a049a58b8a0206f3&quot; width=&quot;2246&quot; height=&quot;230&quot; 
\/&gt;&lt;\/h2&gt;\n&lt;p&gt;\u67e5\u770bCPU\u4f7f\u7528\u7387\u7684\u65f6\u5019\uff0c\u53d1\u73b0\u53ea\u6709\u672a\u88ab\u9694\u79bb\u7684CPU\u5728\u88ab\u8c03\u5ea6\uff0c\u8bf4\u660e\u914d\u7f6e\u6210\u529f\u4e86\uff1a&lt;\/p&gt;\n&lt;h2&gt;&lt;img class=&quot;alignnone size-full wp-image-925&quot; title=&quot;7d46cc646abd7da583612419fd57195f&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f.png&quot; alt=&quot;7d46cc646abd7da583612419fd57195f&quot; width=&quot;2200&quot; height=&quot;602&quot; \/&gt;3\u3001Suricata\u5173\u952e\u53c2\u6570&lt;\/h2&gt;\n&lt;p&gt;\u5148\u67e5\u770bCPU\u67b6\u6784\uff1a&lt;\/p&gt;\n&lt;p&gt;$ lscpu&lt;\/p&gt;\n&lt;p&gt;&lt;img class=&quot;alignnone wp-image-907&quot; title=&quot;8de7a227a931423ed74c677141089f9e&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/8de7a227a931423ed74c677141089f9e.png&quot; alt=&quot;8de7a227a931423ed74c677141089f9e&quot; width=&quot;648&quot; height=&quot;557&quot; \/&gt;&lt;\/p&gt;\n&lt;p&gt;\u914d\u7f6eCPU\u4eb2\u548c\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;yaml&quot;&gt;threading:\r\n  set-cpu-affinity: yes\r\n  # Tune cpu affinity of threads. 
Each family of threads can be bound\r\n  # to specific CPUs.\r\n  #\r\n  # These 2 apply to the all runmodes:\r\n  # management-cpu-set is used for flow timeout handling, counters\r\n  # worker-cpu-set is used for &#039;worker&#039; threads\r\n  #\r\n  # Additionally, for autofp these apply:\r\n  # receive-cpu-set is used for capture threads\r\n  # verdict-cpu-set is used for IPS verdict threads\r\n  #\r\n  cpu-affinity:\r\n    - management-cpu-set:\r\n        # \u91cd\u70b9\u662f\u53ea\u5728\u9694\u79bb\u7684CPU\u4e2d\u914d\u7f6e\uff0c\u5e76\u4e14\u76f8\u540c\u4efb\u52a1\u914d\u7f6e\u4e3a\u540c\u4e00\u4fa7NODE\u7684CPU\u7f16\u53f7\uff0c\u5982\u4e0a\u56fe\u67e5\u8be2\u7ed3\u679c\r\n        cpu: [1,3]  # include only these CPUs in affinity settings\r\n        mode: &quot;exclusive&quot;\r\n    - worker-cpu-set:\r\n        cpu: [0,2,4,6,8,10,12,14,16,18,20,22,24,26,28, 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29]\r\n        mode: &quot;exclusive&quot;\r\n        prio:\r\n          # \u6ce8\u610fCPU NODE\u5206\u9694\r\n          medium: [0,2,4,6,8,10,12,14,16,18,20,22,24,26,28]\r\n          high: [1,3,5,7,9,11,13,15,17,19,21,23,25,27,29]\r\n          default: &quot;medium&quot;\r\n  #\r\n  # By default Suricata creates one &quot;detect&quot; thread per available CPU\/CPU core.\r\n  # This setting allows controlling this behaviour. A ratio setting of 2 will\r\n  # create 2 detect threads for each CPU\/CPU core. So for a dual core CPU this\r\n  # will result in 4 detect threads. If values below 1 are used, less threads\r\n  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect\r\n  # thread being created. 
Regardless of the setting at a minimum 1 detect\r\n  # thread will always be created.\r\n  #\r\n  detect-thread-ratio: 1.5&lt;\/pre&gt;\n&lt;p&gt;\u914d\u7f6ePF_RING\u6293\u5305\uff0c\u76d1\u542c\u7ebf\u7a0b\u6570\u91cf\u4e0ezbalance_ipc\u7684-n\u53c2\u6570\u6307\u5b9a\u901a\u9053\u6570\u4e00\u81f4\uff0c\u8fd0\u884c\u6a21\u5f0f\u4e00\u5b9a\u8981\u662fworkers\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;yaml&quot;&gt;pfring:\r\n  - interface: zc:99@0\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@1\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@2\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@3\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@4\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@5\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@6\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@7\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@8\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@9\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@10\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@11\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@12\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@13\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@14\r\n    threads: 1\r\n    
cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@15\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@16\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@17\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@18\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@19\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@20\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@21\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@22\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@23\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@24\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@25\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@26\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@27\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h1&gt;\u4e09\u3001\u542f\u52a8Suricata&lt;\/h1&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;# \u6293\u5305\u7684CPU\u6ce8\u610fNODE\u4e3a\u540c\u4e00\u4fa7\uff0c\u5e76\u4e14\u5c5e\u4e8e\u9694\u79bbCPU\r\n.\/zbalance_ipc -i zc:eth3,zc:eth4 -c 99 -g 29,31 -n 28 -m 4\r\n\r\n# \u542f\u52a8Suricata\r\nsuricata --pfring -c \/ids\/suricata.yaml 
-v&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h1&gt;\u56db\u3001\u8bc4\u4f30\u89c4\u5219\u96c6\u6027\u80fd&lt;\/h1&gt;\n&lt;p&gt;\u5982\u679csuricata\u542f\u52a8\u540e\u53d1\u73b0\uff0c\u5728\u4e0d\u52a0\u8f7d\u4efb\u4f55\u89c4\u5219\uff0c\u4ec5\u4ec5\u7ec4\u5305\u7684\u60c5\u51b5\u4e0b\uff0cCPU\u5360\u7528\u5e76\u4e0d\u9ad8\uff0c\u4f46\u662f\u4e00\u65e6\u52a0\u8f7d\u89c4\u5219\u96c6\uff0cCPU\u7acb\u523b\u98d9\u5347\u5230100%\uff0c\u5c31\u8981\u8bc4\u4f30\u4e00\u4e0b\u89c4\u5219\u96c6\u4e2d\u662f\u5426\u6709\u300e\u5bb3\u7fa4\u4e4b\u9a6c\u300f\u4e86\uff0c\u627e\u51fa\u6709\u95ee\u9898\u7684\u89c4\u5219\u5e76\u4fee\u6b63\uff1a&lt;\/p&gt;\n&lt;blockquote class=&quot;wp-embedded-content&quot; data-secret=&quot;zNIEpSwOAe&quot;&gt;&lt;p&gt;&lt;a href=&quot;http:\/\/weizn.net\/?p=942&quot;&gt;Suricata\u89c4\u5219\u6027\u80fd\u8bc4\u4f30\u4ee5\u53ca\u4f18\u5316\u5efa\u8bae&lt;\/a&gt;&lt;\/p&gt;&lt;\/blockquote&gt;\n&lt;p&gt;&lt;iframe class=&quot;wp-embedded-content&quot; sandbox=&quot;allow-scripts&quot; security=&quot;restricted&quot; style=&quot;position: absolute; clip: rect(1px, 1px, 1px, 1px);&quot; title=&quot;\u300aSuricata\u89c4\u5219\u6027\u80fd\u8bc4\u4f30\u4ee5\u53ca\u4f18\u5316\u5efa\u8bae\u300b\u2014Wayne&#039;s Blog&quot; src=&quot;http:\/\/weizn.net\/?p=942&#038;embed=true#?secret=zNIEpSwOAe&quot; data-secret=&quot;zNIEpSwOAe&quot; width=&quot;600&quot; height=&quot;338&quot; frameborder=&quot;0&quot; marginwidth=&quot;0&quot; marginheight=&quot;0&quot; scrolling=&quot;no&quot;&gt;&lt;\/iframe&gt;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;p&gt;\u66f4\u591a\u6027\u80fd\u4f18\u5316\u53ef\u53c2\u8003\u6587\u6863\uff1a&lt;\/p&gt;\n&lt;p&gt;&lt;a 
href=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/septun.pdf&quot;&gt;septun&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;p&gt;\u6700\u540e\u9644\u4e0asuricata.yaml\u5b8c\u6574\u914d\u7f6e\u6587\u4ef6\u4f9b\u53c2\u8003\uff0c\u6b64\u5916\uff0c\u5982\u679c\u5185\u7f51\u5c0f\u5305\u975e\u5e38\u591a\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u964d\u4f4eflow\u8ddf\u8e2a\u8d85\u65f6\u65f6\u95f4\uff0c\u5e76\u589e\u5927\u5185\u5b58\u4f7f\u7528\u9650\u5236\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;yaml&quot;&gt;%YAML 1.1\r\n---\r\n\r\n# Suricata configuration file. In addition to the comments describing all\r\n# options in this file, full documentation can be found at:\r\n# https:\/\/suricata.readthedocs.io\/en\/latest\/configuration\/suricata-yaml.html\r\n\r\n##\r\n## Step 1: Inform Suricata about your network\r\n##\r\n\r\nvars:\r\n  # more specific is better for alert accuracy and performance\r\n  address-groups:\r\n    HOME_NET: &quot;any&quot;\r\n    #HOME_NET: &quot;[192.168.0.0\/16]&quot;\r\n    #HOME_NET: &quot;[10.0.0.0\/8]&quot;\r\n    #HOME_NET: &quot;[172.16.0.0\/12]&quot;\r\n    #HOME_NET: &quot;any&quot;\r\n\r\n    EXTERNAL_NET: &quot;any&quot;\r\n    #EXTERNAL_NET: &quot;any&quot;\r\n\r\n    HTTP_SERVERS: &quot;$HOME_NET&quot;\r\n    SMTP_SERVERS: &quot;$HOME_NET&quot;\r\n    SQL_SERVERS: &quot;$HOME_NET&quot;\r\n    DNS_SERVERS: &quot;$HOME_NET&quot;\r\n    TELNET_SERVERS: &quot;$HOME_NET&quot;\r\n    AIM_SERVERS: &quot;$EXTERNAL_NET&quot;\r\n    DC_SERVERS: &quot;$HOME_NET&quot;\r\n    DNP3_SERVER: &quot;$HOME_NET&quot;\r\n    DNP3_CLIENT: &quot;$HOME_NET&quot;\r\n    MODBUS_CLIENT: &quot;$HOME_NET&quot;\r\n    MODBUS_SERVER: &quot;$HOME_NET&quot;\r\n    ENIP_CLIENT: &quot;$HOME_NET&quot;\r\n    ENIP_SERVER: &quot;$HOME_NET&quot;\r\n\r\n  port-groups:\r\n    HTTP_PORTS: &quot;80&quot;\r\n    SHELLCODE_PORTS: &quot;!80&quot;\r\n    ORACLE_PORTS: 1521\r\n    
SSH_PORTS: 22\r\n    DNP3_PORTS: 20000\r\n    MODBUS_PORTS: 502\r\n    FILE_DATA_PORTS: &quot;[$HTTP_PORTS,110,143]&quot;\r\n    FTP_PORTS: 21\r\n    GENEVE_PORTS: 6081\r\n    VXLAN_PORTS: 4789\r\n    TEREDO_PORTS: 3544\r\n\r\n##\r\n## Step 2: Select outputs to enable\r\n##\r\n\r\n# The default logging directory.  Any log or output file will be\r\n# placed here if it&#039;s not specified with a full path name. This can be\r\n# overridden with the -l command line parameter.\r\ndefault-rule-path: \/test\/suricata_files\/ruleset\r\nrule-files:\r\n  # - scirius.rules\r\n  - it.rules\r\n\r\nclassification-file: \/test\/suricata_files\/ruleset\/classification.config\r\nreference-config-file: \/test\/suricata_files\/ruleset\/reference.config\r\nthreshold-file: \/test\/suricata_files\/ruleset\/threshold.config\r\n\r\ndefault-log-dir: \/opt\/suricata_files\/logs\r\n\r\n# Global stats configuration\r\nstats:\r\n  enabled: yes\r\n  # The interval field (in seconds) controls the interval at\r\n  # which stats are updated in the log.\r\n  interval: 3\r\n  # Add decode events to stats.\r\n  #decoder-events: true\r\n  # Decoder event prefix in stats. Has been &#039;decoder&#039; before, but that leads\r\n  # to missing events in the eve.stats records. 
See issue #2225.\r\n  #decoder-events-prefix: &quot;decoder.event&quot;\r\n  # Add stream events as stats.\r\n  #stream-events: false\r\n\r\n# Configure the type of alert (and other) logging you would like.\r\noutputs:\r\n  # a line based alerts log similar to Snort&#039;s fast.log\r\n  - fast:\r\n      enabled: yes\r\n      filename: fast.log\r\n      append: yes\r\n      #filetype: regular # &#039;regular&#039;, &#039;unix_stream&#039; or &#039;unix_dgram&#039;\r\n\r\n  # Extensible Event Format (nicknamed EVE) event log in JSON format\r\n  - eve-log:\r\n      enabled: yes\r\n      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis\r\n      # filename: \/test\/suricata_files\/logstash.socket\r\n      # Enable for multi-threaded eve.json output; output files are amended with\r\n      # with an identifier, e.g., eve.9.json\r\n      #threaded: false\r\n      #prefix: &quot;@cee: &quot; # prefix to prepend to each log entry\r\n      # the following are valid when type: syslog above\r\n      # identity: &quot;suricata&quot;\r\n      #facility: local5\r\n      #level: Info ## possible levels: Emergency, Alert, Critical,\r\n                   ## Error, Warning, Notice, Info, Debug\r\n      #ethernet: no  # log ethernet header in events when available\r\n      redis:\r\n       server: 127.0.0.1\r\n       port: 6379\r\n       # async: true ## if redis replies are read asynchronously\r\n       mode: list ## possible values: list|lpush (default), rpush, channel|publish\r\n      #             ## lpush and rpush are using a Redis list. &quot;list&quot; is an alias for lpush\r\n      #             ## publish is using a Redis channel. &quot;channel&quot; is an alias for publish\r\n       key: suricata ## key or channel to use (default to suricata)\r\n      # Redis pipelining set up. This will enable to only do a query every\r\n      # &#039;batch-size&#039; events. This should lower the latency induced by network\r\n      # connection at the cost of some memory. 
There is no flushing implemented\r\n      # so this setting should be reserved to high traffic Suricata deployments.\r\n       pipelining:\r\n         enabled: yes ## set enable to yes to enable query pipelining\r\n         batch-size: 200 ## number of entries to keep in buffer\r\n\r\n      # Include top level metadata. Default yes.\r\n      #metadata: no\r\n\r\n      # include the name of the input pcap file in pcap file processing mode\r\n      pcap-file: false\r\n\r\n      # Community Flow ID\r\n      # Adds a &#039;community_id&#039; field to EVE records. These are meant to give\r\n      # records a predictable flow ID that can be used to match records to\r\n      # output of other tools such as Zeek (Bro).\r\n      #\r\n      # Takes a &#039;seed&#039; that needs to be same across sensors and tools\r\n      # to make the id less predictable.\r\n\r\n      # enable\/disable the community id feature.\r\n      community-id: false\r\n      # Seed value for the ID output. Valid values are 0-65535.\r\n      community-id-seed: 0\r\n\r\n      # HTTP X-Forwarded-For support by adding an extra field or overwriting\r\n      # the source or destination IP address (depending on flow direction)\r\n      # with the one reported in the X-Forwarded-For HTTP header. This is\r\n      # helpful when reviewing alerts for traffic that is being reverse\r\n      # or forward proxied.\r\n      xff:\r\n        enabled: yes\r\n        # Two operation modes are available: &quot;extra-data&quot; and &quot;overwrite&quot;.\r\n        mode: extra-data\r\n        # Two proxy deployments are supported: &quot;reverse&quot; and &quot;forward&quot;. In\r\n        # a &quot;reverse&quot; deployment the IP address used is the last one, in a\r\n        # &quot;forward&quot; deployment the first IP address is used.\r\n        deployment: reverse\r\n        # Header name where the actual IP address will be reported. 
If more\r\n        # than one IP address is present, the last IP address will be the\r\n        # one taken into consideration.\r\n        header: X-Forwarded-For\r\n\r\n      types:\r\n        - alert:\r\n            payload: yes             # enable dumping payload in Base64\r\n            payload-buffer-size: 64kb # max size of payload buffer to output in eve-log\r\n            payload-printable: yes   # enable dumping payload in printable (lossy) format\r\n            packet: yes              # enable dumping of packet (without stream segments)\r\n            http-body: yes           # enable dumping of http body in Base64\r\n            http-body-printable: yes # enable dumping of http body in printable format\r\n            metadata: yes              # add L7\/applayer fields, flowbit and other vars to the alert\r\n\r\n            # Enable the logging of tagged packets for rules using the\r\n            # &quot;tag&quot; keyword.\r\n            tagged-packets: yes\r\n        # - anomaly:\r\n        #     # Anomaly log records describe unexpected conditions such\r\n        #     # as truncated packets, packets with invalid IP\/UDP\/TCP\r\n        #     # length values, and other events that render the packet\r\n        #     # invalid for further processing or describe unexpected\r\n        #     # behavior on an established stream. Networks which\r\n        #     # experience high occurrences of anomalies may experience\r\n        #     # packet processing degradation.\r\n        #     #\r\n        #     # Anomalies are reported for the following:\r\n        #     # 1. Decode: Values and conditions that are detected while\r\n        #     # decoding individual packets. This includes invalid or\r\n        #     # unexpected values for low-level protocol lengths as well\r\n        #     # as stream related events (TCP 3-way handshake issues,\r\n        #     # unexpected sequence number, etc).\r\n        #     # 2. 
Stream: This includes stream related events (TCP\r\n        #     # 3-way handshake issues, unexpected sequence number,\r\n        #     # etc).\r\n        #     # 3. Application layer: These denote application layer\r\n        #     # specific conditions that are unexpected, invalid or are\r\n        #     # unexpected given the application monitoring state.\r\n        #     #\r\n        #     # By default, anomaly logging is enabled. When anomaly\r\n        #     # logging is enabled, applayer anomaly reporting is\r\n        #     # also enabled.\r\n        #     enabled: no\r\n        #     #\r\n        #     # Choose one or more types of anomaly logging and whether to enable\r\n        #     # logging of the packet header for packet anomalies.\r\n        #     types:\r\n              # decode: no\r\n              # stream: no\r\n              # applayer: yes\r\n            #packethdr: no\r\n        # - http:\r\n        #     extended: yes     # enable this for extended logging information\r\n            # custom allows additional HTTP fields to be included in eve-log.\r\n            # the example below adds three additional fields when uncommented\r\n            #custom: [Accept-Encoding, Accept-Language, Authorization]\r\n            # set this value to one and only one from {both, request, response}\r\n            # to dump all HTTP headers for every HTTP request and\/or response\r\n            # dump-all-headers: none\r\n        # - dns:\r\n        #     query: yes     # enable logging of DNS queries\r\n        #     answer: yes    # enable logging of DNS answers\r\n            # This configuration uses the new DNS logging format,\r\n            # the old configuration is still available:\r\n            # https:\/\/suricata.readthedocs.io\/en\/latest\/output\/eve\/eve-json-output.html#dns-v1-format\r\n\r\n            # As of Suricata 5.0, version 2 of the eve dns output\r\n            # format is the default.\r\n            #version: 2\r\n\r\n            # 
Enable\/disable this logger. Default: enabled.\r\n            #enabled: yes\r\n\r\n            # Control logging of requests and responses:\r\n            # - requests: enable logging of DNS queries\r\n            # - responses: enable logging of DNS answers\r\n            # By default both requests and responses are logged.\r\n            #requests: no\r\n            #responses: no\r\n\r\n            # Format of answer logging:\r\n            # - detailed: array item per answer\r\n            # - grouped: answers aggregated by type\r\n            # Default: all\r\n            #formats: [detailed, grouped]\r\n\r\n            # DNS record types to log, based on the query type.\r\n            # Default: all.\r\n            #types: [a, aaaa, cname, mx, ns, ptr, txt]\r\n        # - tls:\r\n        #     extended: yes     # enable this for extended logging information\r\n            # output TLS transaction where the session is resumed using a\r\n            # session id\r\n            #session-resumption: no\r\n            # custom controls which TLS fields that are included in eve-log\r\n            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]\r\n        # - files:\r\n        #     force-magic: no   # force logging magic on all logged files\r\n            # force logging of checksums, available hash functions are md5,\r\n            # sha1 and sha256\r\n            #force-hash: [md5]\r\n        #- drop:\r\n        #    alerts: yes      # log alerts that caused drops\r\n        #    flows: all       # start or all: &#039;start&#039; logs only a single drop\r\n        #                     # per flow direction. 
All logs each dropped pkt.\r\n        # - smtp:\r\n        #     extended: no # enable this for extended logging information\r\n            # this includes: bcc, message-id, subject, x_mailer, user-agent\r\n            # custom fields logging from the list:\r\n            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,\r\n            #  x-originating-ip, in-reply-to, references, importance, priority,\r\n            #  sensitivity, organization, content-md5, date\r\n            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]\r\n            # output md5 of fields: body, subject\r\n            # for the body you need to set app-layer.protocols.smtp.mime.body-md5\r\n            # to yes\r\n            #md5: [body, subject]\r\n\r\n        #- dnp3\r\n        # - ftp\r\n        # - rdp\r\n        # - nfs\r\n        # - smb\r\n        # - tftp\r\n        # - ikev2\r\n        # - dcerpc\r\n        # - krb5\r\n        # - snmp\r\n        # - rfb\r\n        # - sip\r\n        # - dhcp:\r\n        #     enabled: no\r\n        #     # When extended mode is on, all DHCP messages are logged\r\n        #     # with full detail. When extended mode is off (the\r\n        #     # default), just enough information to map a MAC address\r\n        #     # to an IP address is logged.\r\n        #     extended: no\r\n        # - ssh\r\n        # - mqtt:\r\n            # passwords: yes           # enable output of passwords\r\n        # HTTP2 logging. HTTP2 support is currently experimental and\r\n        # disabled by default. 
To enable, uncomment the following line\r\n        # and be sure to enable http2 in the app-layer section.\r\n        #- http2\r\n        - stats:\r\n            totals: yes       # stats for all threads merged together\r\n            threads: no       # per thread stats\r\n            deltas: yes        # include delta values\r\n        # bi-directional flows\r\n        # - flow\r\n        # uni-directional flows\r\n        # - netflow\r\n\r\n        # Metadata event type. Triggered whenever a pktvar is saved\r\n        # and will include the pktvars, flowvars, flowbits and\r\n        # flowints.\r\n        #- metadata\r\n\r\n  # a line based log of HTTP requests (no alerts)\r\n  - http-log:\r\n      enabled: no\r\n      filename: http.log\r\n      append: yes\r\n      #extended: yes     # enable this for extended logging information\r\n      #custom: yes       # enable the custom logging format (defined by customformat)\r\n      #customformat: &quot;%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -&gt; %A:%P&quot;\r\n      #filetype: regular # &#039;regular&#039;, &#039;unix_stream&#039; or &#039;unix_dgram&#039;\r\n\r\n  # a line based log of TLS handshake parameters (no alerts)\r\n  - tls-log:\r\n      enabled: no  # Log TLS connections.\r\n      filename: tls.log # File to store TLS logs.\r\n      append: yes\r\n      #extended: yes     # Log extended information like fingerprint\r\n      #custom: yes       # enabled the custom logging format (defined by customformat)\r\n      #customformat: &quot;%{%D-%H:%M:%S}t.%z %a:%p -&gt; %A:%P %v %n %d %D&quot;\r\n      #filetype: regular # &#039;regular&#039;, &#039;unix_stream&#039; or &#039;unix_dgram&#039;\r\n      # output TLS transaction where the session is resumed using a\r\n      # session id\r\n      #session-resumption: no\r\n\r\n  # output module to store certificates chain to disk\r\n  - tls-store:\r\n      enabled: no\r\n      #certs-log-dir: certs # directory to store the certificates 
files\r\n\r\n  # Packet log... log packets in pcap format. 3 modes of operation: &quot;normal&quot;\r\n  # &quot;multi&quot; and &quot;sguil&quot;.\r\n  #\r\n  # In normal mode a pcap file &quot;filename&quot; is created in the default-log-dir,\r\n  # or as specified by &quot;dir&quot;.\r\n  # In multi mode, a file is created per thread. This will perform much\r\n  # better, but will create multiple files where &#039;normal&#039; would create one.\r\n  # In multi mode the filename takes a few special variables:\r\n  # - %n -- thread number\r\n  # - %i -- thread id\r\n  # - %t -- timestamp (secs or secs.usecs based on &#039;ts-format&#039;\r\n  # E.g. filename: pcap.%n.%t\r\n  #\r\n  # Note that it&#039;s possible to use directories, but the directories are not\r\n  # created by Suricata. E.g. filename: pcaps\/%n\/log.%s will log into the\r\n  # per thread directory.\r\n  #\r\n  # Also note that the limit and max-files settings are enforced per thread.\r\n  # So the size limit when using 8 threads with 1000mb files and 2000 files\r\n  # is: 8*1000*2000 ~ 16TiB.\r\n  #\r\n  # In Sguil mode &quot;dir&quot; indicates the base directory. In this base dir the\r\n  # pcaps are created in the directory structure Sguil expects:\r\n  #\r\n  # $sguil-base-dir\/YYYY-MM-DD\/$filename.&lt;timestamp&gt;\r\n  #\r\n  # By default all packets are logged except:\r\n  # - TCP streams beyond stream.reassembly.depth\r\n  # - encrypted streams after the key exchange\r\n  #\r\n  - pcap-log:\r\n      enabled: no\r\n      filename: log.pcap\r\n\r\n      # File size limit.  Can be specified in kb, mb, gb.  Just a number\r\n      # is parsed as bytes.\r\n      limit: 1000mb\r\n\r\n      # If set to a value, ring buffer mode is enabled. Will keep maximum of\r\n      # &quot;max-files&quot; of size &quot;limit&quot;\r\n      max-files: 2000\r\n\r\n      # Compression algorithm for pcap files. Possible values: none, lz4.\r\n      # Enabling compression is incompatible with the sguil mode. 
Note also\r\n      # that on Windows, enabling compression will *increase* disk I\/O.\r\n      compression: none\r\n\r\n      # Further options for lz4 compression. The compression level can be set\r\n      # to a value between 0 and 16, where higher values result in higher\r\n      # compression.\r\n      #lz4-checksum: no\r\n      #lz4-level: 0\r\n\r\n      mode: normal # normal, multi or sguil.\r\n\r\n      # Directory to place pcap files. If not provided the default log\r\n      # directory will be used. Required for &quot;sguil&quot; mode.\r\n      #dir: \/nsm_data\/\r\n\r\n      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec\r\n      use-stream-depth: no #If set to &quot;yes&quot; packets seen after reaching stream inspection depth are ignored. &quot;no&quot; logs all packets\r\n      honor-pass-rules: no # If set to &quot;yes&quot;, flows in which a pass rule matched will stop being logged.\r\n\r\n  # a full alert log containing much information for signature writers\r\n  # or for investigating suspected false positives.\r\n  - alert-debug:\r\n      enabled: no\r\n      filename: alert-debug.log\r\n      append: yes\r\n      #filetype: regular # &#039;regular&#039;, &#039;unix_stream&#039; or &#039;unix_dgram&#039;\r\n\r\n  # alert output to prelude (https:\/\/www.prelude-siem.org\/) only\r\n  # available if Suricata has been compiled with --enable-prelude\r\n  - alert-prelude:\r\n      enabled: no\r\n      profile: suricata\r\n      log-packet-content: no\r\n      log-packet-header: yes\r\n\r\n  # Stats.log contains data from various counters of the Suricata engine.\r\n  - stats:\r\n      enabled: yes\r\n      filename: stats.log\r\n      append: yes       # append to file (yes) or overwrite it (no)\r\n      totals: yes       # stats for all threads merged together\r\n      threads: no       # per thread stats\r\n      #null-values: yes  # print counters that have value 0. 
Default: no\r\n\r\n  # a line based alerts log similar to fast.log into syslog\r\n  - syslog:\r\n      enabled: no\r\n      # reported identity to syslog. If omitted the program name (usually\r\n      # suricata) will be used.\r\n      #identity: &quot;suricata&quot;\r\n      facility: local5\r\n      #level: Info ## possible levels: Emergency, Alert, Critical,\r\n                   ## Error, Warning, Notice, Info, Debug\r\n\r\n  # Output module for storing files on disk. Files are stored in\r\n  # directory names consisting of the first 2 characters of the\r\n  # SHA256 of the file. Each file is given its SHA256 as a filename.\r\n  #\r\n  # When a duplicate file is found, the timestamps on the existing file\r\n  # are updated.\r\n  #\r\n  # Unlike the older filestore, metadata is not written by default\r\n  # as each file should already have a &quot;fileinfo&quot; record in the\r\n  # eve-log. If write-fileinfo is set to yes, then each file will have\r\n  # one more associated .json files that consist of the fileinfo\r\n  # record. A fileinfo file will be written for each occurrence of the\r\n  # file seen using a filename suffix to ensure uniqueness.\r\n  #\r\n  # To prune the filestore directory see the &quot;suricatactl filestore\r\n  # prune&quot; command which can delete files over a certain age.\r\n  - file-store:\r\n      version: 2\r\n      enabled: no\r\n\r\n      # Set the directory for the filestore. Relative pathnames\r\n      # are contained within the &quot;default-log-dir&quot;.\r\n      #dir: filestore\r\n\r\n      # Write out a fileinfo record for each occurrence of a file.\r\n      # Disabled by default as each occurrence is already logged\r\n      # as a fileinfo record to the main eve-log.\r\n      #write-fileinfo: yes\r\n\r\n      # Force storing of all files. Default: no.\r\n      #force-filestore: yes\r\n\r\n      # Override the global stream-depth for sessions in which we want\r\n      # to perform file extraction. 
Set to 0 for unlimited; otherwise,\r\n      # must be greater than the global stream-depth value to be used.\r\n      #stream-depth: 0\r\n\r\n      # Uncomment the following variable to define how many files can\r\n      # remain open for filestore by Suricata. Default value is 0 which\r\n      # means files get closed after each write to the file.\r\n      #max-open-files: 1000\r\n\r\n      # Force logging of checksums: available hash functions are md5,\r\n      # sha1 and sha256. Note that SHA256 is automatically forced by\r\n      # the use of this output module as it uses the SHA256 as the\r\n      # file naming scheme.\r\n      #force-hash: [sha1, md5]\r\n      # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled\r\n      # HTTP X-Forwarded-For support by adding an extra field or overwriting\r\n      # the source or destination IP address (depending on flow direction)\r\n      # with the one reported in the X-Forwarded-For HTTP header. This is\r\n      # helpful when reviewing alerts for traffic that is being reverse\r\n      # or forward proxied.\r\n      xff:\r\n        enabled: no\r\n        # Two operation modes are available, &quot;extra-data&quot; and &quot;overwrite&quot;.\r\n        mode: extra-data\r\n        # Two proxy deployments are supported, &quot;reverse&quot; and &quot;forward&quot;. In\r\n        # a &quot;reverse&quot; deployment the IP address used is the last one, in a\r\n        # &quot;forward&quot; deployment the first IP address is used.\r\n        deployment: reverse\r\n        # Header name where the actual IP address will be reported. 
If more\r\n        # than one IP address is present, the last IP address will be the\r\n        # one taken into consideration.\r\n        header: X-Forwarded-For\r\n\r\n  # Log TCP data after stream normalization\r\n  # Two types: file or dir:\r\n  #     - file logs into a single logfile.\r\n  #     - dir creates 2 files per TCP session and stores the raw TCP\r\n  #            data into them.\r\n  # Use &#039;both&#039; to enable both file and dir modes.\r\n  #\r\n  # Note: limited by &quot;stream.reassembly.depth&quot;\r\n  - tcp-data:\r\n      enabled: no\r\n      type: file\r\n      filename: tcp-data.log\r\n\r\n  # Log HTTP body data after normalization, de-chunking and unzipping.\r\n  # Two types: file or dir.\r\n  #     - file logs into a single logfile.\r\n  #     - dir creates 2 files per HTTP session and stores the\r\n  #           normalized data into them.\r\n  # Use &#039;both&#039; to enable both file and dir modes.\r\n  #\r\n  # Note: limited by the body limit settings\r\n  - http-body-data:\r\n      enabled: no\r\n      type: file\r\n      filename: http-data.log\r\n\r\n  # Lua Output Support - execute lua script to generate alert and event\r\n  # output.\r\n  # Documented at:\r\n  # https:\/\/suricata.readthedocs.io\/en\/latest\/output\/lua-output.html\r\n  - lua:\r\n      enabled: no\r\n      #scripts-dir: \/etc\/suricata\/lua-output\/\r\n      scripts:\r\n      #   - script1.lua\r\n\r\n# Logging configuration.  This is not about logging IDS alerts\/events, but\r\n# output about what Suricata is doing, like startup messages, errors, etc.\r\nlogging:\r\n  # The default log level: can be overridden in an output section.\r\n  # Note that debug level logging will only be emitted if Suricata was\r\n  # compiled with the --enable-debug configure option.\r\n  #\r\n  # This value is overridden by the SC_LOG_LEVEL env var.\r\n  default-log-level: notice\r\n\r\n  # The default output format.  
Optional parameter, should default to\r\n  # something reasonable if not provided.  Can be overridden in an\r\n  # output section.  You can leave this out to get the default.\r\n  #\r\n  # This value is overridden by the SC_LOG_FORMAT env var.\r\n  #default-log-format: &quot;[%i] %t - (%f:%l) &lt;%d&gt; (%n) -- &quot;\r\n\r\n  # A regex to filter output.  Can be overridden in an output section.\r\n  # Defaults to empty (no filter).\r\n  #\r\n  # This value is overridden by the SC_LOG_OP_FILTER env var.\r\n  default-output-filter:\r\n\r\n  # Define your logging outputs.  If none are defined, or they are all\r\n  # disabled you will get the default: console output.\r\n  outputs:\r\n  - console:\r\n      enabled: no\r\n      # type: json\r\n  - file:\r\n      enabled: no\r\n      level: info\r\n      filename: suricata.log\r\n      # type: json\r\n  - syslog:\r\n      enabled: no\r\n      facility: local5\r\n      format: &quot;[%i] &lt;%d&gt; -- &quot;\r\n      # type: json\r\n\r\n\r\n##\r\n## Step 3: Configure common capture settings\r\n##\r\n## See &quot;Advanced Capture Options&quot; below for more options, including Netmap\r\n## and PF_RING.\r\n##\r\n\r\n# Linux high speed capture support\r\naf-packet:\r\n  - interface: eth0\r\n    # Number of receive threads. &quot;auto&quot; uses the number of cores\r\n    #threads: auto\r\n    # Default clusterid. AF_PACKET will load balance packets based on flow.\r\n    cluster-id: 99\r\n    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.\r\n    # This is only supported for Linux kernel &gt; 3.1\r\n    # possible value are:\r\n    #  * cluster_flow: all packets of a given flow are sent to the same socket\r\n    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket\r\n    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same\r\n    #  socket. Requires at least Linux 3.14.\r\n    #  * cluster_ebpf: eBPF file load balancing. 
See doc\/userguide\/capture-hardware\/ebpf-xdp.rst for\r\n    #  more info.\r\n    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system\r\n    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)\r\n    cluster-type: cluster_flow\r\n    # In some fragmentation cases, the hash can not be computed. If &quot;defrag&quot; is set\r\n    # to yes, the kernel will do the needed defragmentation before sending the packets.\r\n    defrag: yes\r\n    # To use the ring feature of AF_PACKET, set &#039;use-mmap&#039; to yes\r\n    #use-mmap: yes\r\n    # Lock memory map to avoid it being swapped. Be careful that over\r\n    # subscribing could lock your system\r\n    #mmap-locked: yes\r\n    # Use tpacket_v3 capture mode, only active if use-mmap is true\r\n    # Don&#039;t use it in IPS or TAP mode as it causes severe latency\r\n    #tpacket-v3: yes\r\n    # Ring size will be computed with respect to &quot;max-pending-packets&quot; and number\r\n    # of threads. You can set manually the ring size in number of packets by setting\r\n    # the following value. If you are using flow &quot;cluster-type&quot; and have really network\r\n    # intensive single-flow you may want to set the &quot;ring-size&quot; independently of the number\r\n    # of threads:\r\n    #ring-size: 2048\r\n    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain\r\n    # a decent number of packets. Size is in bytes so please consider your MTU. It should be\r\n    # a power of 2 and it must be multiple of page size (usually 4096).\r\n    #block-size: 32768\r\n    # tpacket_v3 block timeout: an open block is passed to userspace if it is not\r\n    # filled after block-timeout milliseconds.\r\n    #block-timeout: 10\r\n    # On busy systems, set it to yes to help recover from a packet drop\r\n    # phase. 
This will result in some packets (at max a ring flush) not being inspected.\r\n    #use-emergency-flush: yes\r\n    # recv buffer size, increased value could improve performance\r\n    # buffer-size: 32768\r\n    # Set to yes to disable promiscuous mode\r\n    # disable-promisc: no\r\n    # Choose checksum verification mode for the interface. At the moment\r\n    # of the capture, some packets may have an invalid checksum due to\r\n    # the checksum computation being offloaded to the network card.\r\n    # Possible values are:\r\n    #  - kernel: use indication sent by kernel for each packet (default)\r\n    #  - yes: checksum validation is forced\r\n    #  - no: checksum validation is disabled\r\n    #  - auto: Suricata uses a statistical approach to detect when\r\n    #  checksum off-loading is used.\r\n    # Warning: &#039;capture.checksum-validation&#039; must be set to yes to have any validation\r\n    #checksum-checks: kernel\r\n    # BPF filter to apply to this interface. The pcap filter syntax applies here.\r\n    #bpf-filter: port 80 or udp\r\n    # You can use the following variables to activate AF_PACKET tap or IPS mode.\r\n    # If copy-mode is set to ips or tap, the traffic coming to the current\r\n    # interface will be copied to the copy-iface interface. If &#039;tap&#039; is set, the\r\n    # copy is complete. If &#039;ips&#039; is set, the packet matching a &#039;drop&#039; action\r\n    # will not be copied.\r\n    #copy-mode: ips\r\n    #copy-iface: eth1\r\n    #  For eBPF and XDP setup including bypass, filter and load balancing, please\r\n    #  see doc\/userguide\/capture-hardware\/ebpf-xdp.rst for more info.\r\n\r\n  # Put default values here. 
These will be used for an interface that is not\r\n  # in the list above.\r\n  - interface: default\r\n    #threads: auto\r\n    #use-mmap: no\r\n    #tpacket-v3: yes\r\n\r\n# Cross platform libpcap capture support\r\npcap:\r\n  - interface: eth0\r\n    # On Linux, pcap will try to use mmap&#039;ed capture and will use &quot;buffer-size&quot;\r\n    # as total memory used by the ring. So set this to something bigger\r\n    # than 1% of your bandwidth.\r\n    #buffer-size: 16777216\r\n    #bpf-filter: &quot;tcp and port 25&quot;\r\n    # Choose checksum verification mode for the interface. At the moment\r\n    # of the capture, some packets may have an invalid checksum due to\r\n    # the checksum computation being offloaded to the network card.\r\n    # Possible values are:\r\n    #  - yes: checksum validation is forced\r\n    #  - no: checksum validation is disabled\r\n    #  - auto: Suricata uses a statistical approach to detect when\r\n    #  checksum off-loading is used. (default)\r\n    # Warning: &#039;capture.checksum-validation&#039; must be set to yes to have any validation\r\n    #checksum-checks: auto\r\n    # With some accelerator cards using a modified libpcap (like Myricom), you\r\n    # may want to have the same number of capture threads as the number of capture\r\n    # rings. 
In this case, set up the threads variable to N to start N threads\r\n    # listening on the same interface.\r\n    #threads: 16\r\n    # set to no to disable promiscuous mode:\r\n    #promisc: no\r\n    # set snaplen, if not set it defaults to MTU if MTU can be known\r\n    # via ioctl call and to full capture if not.\r\n    #snaplen: 1518\r\n  # Put default values here\r\n  - interface: default\r\n    #checksum-checks: auto\r\n\r\n# Settings for reading pcap files\r\npcap-file:\r\n  # Possible values are:\r\n  #  - yes: checksum validation is forced\r\n  #  - no: checksum validation is disabled\r\n  #  - auto: Suricata uses a statistical approach to detect when\r\n  #  checksum off-loading is used. (default)\r\n  # Warning: &#039;checksum-validation&#039; must be set to yes to have checksum tested\r\n  checksum-checks: auto\r\n\r\n# See &quot;Advanced Capture Options&quot; below for more options, including Netmap\r\n# and PF_RING.\r\n\r\n\r\n##\r\n## Step 4: App Layer Protocol configuration\r\n##\r\n\r\n# Configure the app-layer parsers. 
The protocol&#039;s section details each\r\n# protocol.\r\n#\r\n# The option &quot;enabled&quot; takes 3 values - &quot;yes&quot;, &quot;no&quot;, &quot;detection-only&quot;.\r\n# &quot;yes&quot; enables both detection and the parser, &quot;no&quot; disables both, and\r\n# &quot;detection-only&quot; enables protocol detection only (parser disabled).\r\napp-layer:\r\n  protocols:\r\n    rfb:\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909\r\n    # MQTT, disabled by default.\r\n    mqtt:\r\n      # enabled: no\r\n      # max-msg-length: 1mb\r\n      # subscribe-topic-match-limit: 100\r\n      # unsubscribe-topic-match-limit: 100\r\n    krb5:\r\n      enabled: no\r\n    snmp:\r\n      enabled: no\r\n    ikev2:\r\n      enabled: no\r\n    tls:\r\n      enabled: yes\r\n      detection-ports:\r\n        dp: 443\r\n\r\n      # Generate JA3 fingerprint from client hello. If not specified it\r\n      # will be disabled by default, but enabled if rules require it.\r\n      #ja3-fingerprints: auto\r\n\r\n      # What to do when the encrypted communications start:\r\n      # - default: keep tracking TLS session, check for protocol anomalies,\r\n      #            inspect tls_* keywords. Disables inspection of unmodified\r\n      #            &#039;content&#039; signatures.\r\n      # - bypass:  stop processing this flow as much as possible. No further\r\n      #            TLS parsing and inspection. Offload flow bypass to kernel\r\n      #            or hardware if possible.\r\n      # - full:    keep tracking and inspection as normal. 
Unmodified content\r\n      #            keyword signatures are inspected as well.\r\n      #\r\n      # For best performance, select &#039;bypass&#039;.\r\n      #\r\n      #encryption-handling: default\r\n\r\n    dcerpc:\r\n      enabled: no\r\n    ftp:\r\n      enabled: yes\r\n      memcap: 10gb\r\n    rdp:\r\n      #enabled: yes\r\n    ssh:\r\n      enabled: no\r\n      #hassh: yes\r\n    # HTTP2: Experimental HTTP 2 support. Disabled by default.\r\n    http2:\r\n      enabled: no\r\n    smtp:\r\n      enabled: no\r\n      raw-extraction: no\r\n      # Configure SMTP-MIME Decoder\r\n      mime:\r\n        # Decode MIME messages from SMTP transactions\r\n        # (may be resource intensive)\r\n        # This field supersedes all others because it turns the entire\r\n        # process on or off\r\n        decode-mime: yes\r\n\r\n        # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)\r\n        decode-base64: yes\r\n        decode-quoted-printable: yes\r\n\r\n        # Maximum bytes per header data value stored in the data structure\r\n        # (default is 2000)\r\n        header-value-depth: 2000\r\n\r\n        # Extract URLs and save in state data structure\r\n        extract-urls: yes\r\n        # Set to yes to compute the md5 of the mail body. You will then\r\n        # be able to journalize it.\r\n        body-md5: no\r\n      # Configure inspected-tracker for file_data keyword\r\n      inspected-tracker:\r\n        content-limit: 100000\r\n        content-inspect-min-size: 32768\r\n        content-inspect-window: 4096\r\n    imap:\r\n      enabled: no\r\n    smb:\r\n      enabled: yes\r\n      detection-ports:\r\n        dp: 139, 445\r\n\r\n      # Stream reassembly size for SMB streams. 
By default track it completely.\r\n      #stream-depth: 0\r\n\r\n    nfs:\r\n      enabled: no\r\n    tftp:\r\n      enabled: no\r\n    dns:\r\n      tcp:\r\n        enabled: yes\r\n        detection-ports:\r\n          dp: 53\r\n      udp:\r\n        enabled: yes\r\n        detection-ports:\r\n          dp: 53\r\n    http:\r\n      enabled: yes\r\n      memcap: 40gb\r\n      # memcap:                   Maximum memory capacity for HTTP\r\n      #                           Default is unlimited, values can be 64mb, e.g.\r\n\r\n      # default-config:           Used when no server-config matches\r\n      #   personality:            List of personalities used by default\r\n      #   request-body-limit:     Limit reassembly of request body for inspection\r\n      #                           by http_client_body &amp; pcre \/P option.\r\n      #   response-body-limit:    Limit reassembly of response body for inspection\r\n      #                           by file_data, http_server_body &amp; pcre \/Q option.\r\n      #\r\n      #   For advanced options, see the user guide\r\n\r\n\r\n      # server-config:            List of server configurations to use if address matches\r\n      #   address:                List of IP addresses or networks for this block\r\n      #   personality:            List of personalities used by this block\r\n      #\r\n      #                           Then, all the fields from default-config can be overloaded\r\n      #\r\n      # Currently Available Personalities:\r\n      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,\r\n      #   IIS_7_0, IIS_7_5, Apache_2\r\n      libhtp:\r\n         default-config:\r\n           personality: IDS\r\n\r\n           # Can be specified in kb, mb, gb.  
Just a number indicates\r\n           # it&#039;s in bytes.\r\n           request-body-limit: 64kb\r\n           response-body-limit: 64kb\r\n\r\n           # inspection limits\r\n           request-body-minimal-inspect-size: 32kb\r\n           request-body-inspect-window: 16kb\r\n           response-body-minimal-inspect-size: 32kb\r\n           response-body-inspect-window: 16kb\r\n\r\n           # response body decompression (0 disables)\r\n           response-body-decompress-layer-limit: 5\r\n\r\n           # auto will use http-body-inline mode in IPS mode, yes or no set it statically\r\n           http-body-inline: no\r\n\r\n           # Decompress SWF files.\r\n           # Two types: &#039;deflate&#039;, &#039;lzma&#039;, &#039;both&#039; will decompress deflate and lzma\r\n           # compress-depth:\r\n           # Specifies the maximum amount of data to decompress,\r\n           # set 0 for unlimited.\r\n           # decompress-depth:\r\n           # Specifies the maximum amount of decompressed data to obtain,\r\n           # set 0 for unlimited.\r\n           # swf-decompression:\r\n           #   enabled: no\r\n           #   type: both\r\n           #   compress-depth: 100kb\r\n           #   decompress-depth: 100kb\r\n\r\n           # Use a random value for inspection sizes around the specified value.\r\n           # This lowers the risk of some evasion techniques but could lead\r\n           # to detection change between runs. 
It is set to &#039;yes&#039; by default.\r\n           #randomize-inspection-sizes: yes\r\n           # If &quot;randomize-inspection-sizes&quot; is active, the value of various\r\n           # inspection size will be chosen from the [1 - range%, 1 + range%]\r\n           # range\r\n           # Default value of &quot;randomize-inspection-range&quot; is 10.\r\n           #randomize-inspection-range: 10\r\n\r\n           # decoding\r\n           double-decode-path: yes\r\n           double-decode-query: yes\r\n\r\n           # Can enable LZMA decompression\r\n           #lzma-enabled: false\r\n           # Memory limit usage for LZMA decompression dictionary\r\n           # Data is decompressed until dictionary reaches this size\r\n           #lzma-memlimit: 1mb\r\n           # Maximum decompressed size with a compression ratio\r\n           # above 2048 (only LZMA can reach this ratio, deflate cannot)\r\n           #compression-bomb-limit: 1mb\r\n           # Maximum time spent decompressing a single transaction in usec\r\n           #decompression-time-limit: 100000\r\n\r\n         server-config:\r\n\r\n           #- apache:\r\n           #    address: [192.168.1.0\/24, 127.0.0.0\/8, &quot;::1&quot;]\r\n           #    personality: Apache_2\r\n           #    # Can be specified in kb, mb, gb.  Just a number indicates\r\n           #    # it&#039;s in bytes.\r\n           #    request-body-limit: 4096\r\n           #    response-body-limit: 4096\r\n           #    double-decode-path: no\r\n           #    double-decode-query: no\r\n\r\n           #- iis7:\r\n           #    address:\r\n           #      - 192.168.0.0\/24\r\n           #      - 192.168.10.0\/24\r\n           #    personality: IIS_7_0\r\n           #    # Can be specified in kb, mb, gb.  
Just a number indicates\r\n           #    # it&#039;s in bytes.\r\n           #    request-body-limit: 4096\r\n           #    response-body-limit: 4096\r\n           #    double-decode-path: no\r\n           #    double-decode-query: no\r\n\r\n    # Note: Modbus probe parser is minimalist due to the limited usage in the field.\r\n    # Only Modbus message length (greater than Modbus header length)\r\n    # and protocol ID (equal to 0) are checked in probing parser\r\n    # It is important to enable detection port and define Modbus port\r\n    # to avoid false positives\r\n    modbus:\r\n      # How many unanswered Modbus requests are considered a flood.\r\n      # If the limit is reached, the app-layer-event:modbus.flooded; will match.\r\n      #request-flood: 500\r\n\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 502\r\n      # According to MODBUS Messaging on TCP\/IP Implementation Guide V1.0b, it\r\n      # is recommended to keep the TCP connection opened with a remote device\r\n      # and not to open and close it for each MODBUS\/TCP transaction. In that\r\n      # case, it is important to set the depth of the stream reassembling as\r\n      # unlimited (stream.reassembly.depth: 0)\r\n\r\n      # Stream reassembly size for modbus. 
By default track it completely.\r\n      stream-depth: 0\r\n\r\n    # DNP3\r\n    dnp3:\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 20000\r\n\r\n    # SCADA EtherNet\/IP and CIP protocol support\r\n    enip:\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 44818\r\n        sp: 44818\r\n\r\n    ntp:\r\n      enabled: no\r\n\r\n    dhcp:\r\n      enabled: no\r\n\r\n    sip:\r\n      #enabled: no\r\n\r\n# Limit for the maximum number of asn1 frames to decode (default 256)\r\nasn1-max-frames: 1024\r\n\r\n# Datasets default settings\r\n# datasets:\r\n#   # Default fallback memcap and hashsize values for datasets in case these\r\n#   # were not explicitly defined.\r\n#   defaults:\r\n#     memcap: 100mb\r\n#     hashsize: 2048\r\n\r\n##############################################################################\r\n##\r\n## Advanced settings below\r\n##\r\n##############################################################################\r\n\r\n##\r\n## Run Options\r\n##\r\n\r\n# Run Suricata with a specific user-id and group-id:\r\n#run-as:\r\n#  user: suri\r\n#  group: suri\r\n\r\n# Some logging modules will use that name in event as identifier. The default\r\n# value is the hostname\r\n#sensor-name: suricata\r\n\r\n# Default location of the pid file. The pid file is only used in\r\n# daemon mode (start Suricata with -D). If not running in daemon mode\r\n# the --pidfile command line option must be used to create a pid file.\r\npid-file: \/test\/suricata_files\/suricata.pid\r\n\r\n# Daemon working directory\r\n# Suricata will change directory to this one if provided\r\n# Default: &quot;\/&quot;\r\n#daemon-directory: &quot;\/&quot;\r\n\r\n# Umask.\r\n# Suricata will use this umask if it is provided. By default it will use the\r\n# umask passed on by the shell.\r\n#umask: 022\r\n\r\n# Suricata core dump configuration. Limits the size of the core dump file to\r\n# approximately max-dump. 
The actual core dump size will be a multiple of the\r\n# page size. Core dumps that would be larger than max-dump are truncated. On\r\n# Linux, the actual core dump size may be a few pages larger than max-dump.\r\n# Setting max-dump to 0 disables core dumping.\r\n# Setting max-dump to &#039;unlimited&#039; will give the full core dump file.\r\n# On 32-bit Linux, a max-dump value &gt;= ULONG_MAX may cause the core dump size\r\n# to be &#039;unlimited&#039;.\r\n\r\ncoredump:\r\n  max-dump: unlimited\r\n\r\n# If the Suricata box is a router for the sniffed networks, set it to &#039;router&#039;. If\r\n# it is a pure sniffing setup, set it to &#039;sniffer-only&#039;.\r\n# If set to auto, the variable is internally switched to &#039;router&#039; in IPS mode\r\n# and &#039;sniffer-only&#039; in IDS mode.\r\n# This feature is currently only used by the reject* keywords.\r\nhost-mode: sniffer-only\r\n\r\n# Number of packets preallocated per thread. The default is 1024. A higher number \r\n# will make sure each CPU will be more easily kept busy, but may negatively \r\n# impact caching.\r\nmax-pending-packets: 8096\r\n\r\n# Runmode the engine should use. Please check --list-runmodes to get the available\r\n# runmodes for each packet acquisition method. Default depends on selected capture\r\n# method. &#039;workers&#039; generally gives best performance.\r\nrunmode: workers\r\n\r\n# Specifies the kind of flow load balancer used by the flow pinned autofp mode.\r\n#\r\n# Supported schedulers are:\r\n#\r\n# hash     - Flow assigned to threads using the 5-7 tuple hash.\r\n# ippair   - Flow assigned to threads using addresses only.\r\n#\r\n#autofp-scheduler: hash\r\n\r\n# Preallocated size for each packet. Default is 1514 which is the classical\r\n# size for pcap on Ethernet. 
You should adjust this value to the highest\r\n# packet size (MTU + hardware header) on your system.\r\ndefault-packet-size: 1522\r\n\r\n# Unix command socket that can be used to pass commands to Suricata.\r\n# An external tool can then connect to get information from Suricata\r\n# or trigger some modifications of the engine. Set enabled to yes\r\n# to activate the feature. In auto mode, the feature will only be\r\n# activated in live capture mode. You can use the filename variable to set\r\n# the file name of the socket.\r\nunix-command:\r\n  enabled: no\r\n  #filename: custom.socket\r\n\r\n# Magic file. The extension .mgc is added to the value here.\r\n#magic-file: \/usr\/share\/file\/magic\r\n#magic-file: \r\n\r\n# GeoIP2 database file. Specify path and filename of GeoIP2 database\r\n# if using rules with &quot;geoip&quot; rule option.\r\n#geoip-database: \/usr\/local\/share\/GeoLite2\/GeoLite2-Country.mmdb\r\n\r\nlegacy:\r\n  uricontent: enabled\r\n\r\n##\r\n## Detection settings\r\n##\r\n\r\n# Set the order of alerts based on actions\r\n# The default order is pass, drop, reject, alert\r\n# action-order:\r\n#   - pass\r\n#   - drop\r\n#   - reject\r\n#   - alert\r\n\r\n# IP Reputation\r\n#reputation-categories-file: \/usr\/local\/etc\/suricata\/iprep\/categories.txt\r\n#default-reputation-path: \/usr\/local\/etc\/suricata\/iprep\r\n#reputation-files:\r\n# - reputation.list\r\n\r\n# When run with the option --engine-analysis, the engine will read each of\r\n# the parameters below, and print reports for each of the enabled sections\r\n# and exit.  
The reports are printed to a file in the default log dir\r\n# given by the parameter &quot;default-log-dir&quot;, with engine reporting\r\n# subsection below printing reports in its own report file.\r\nengine-analysis:\r\n  # enables printing reports for fast-pattern for every rule.\r\n  rules-fast-pattern: yes\r\n  # enables printing reports for each rule\r\n  rules: yes\r\n\r\n#recursion and match limits for PCRE where supported\r\npcre:\r\n  match-limit: 3500\r\n  match-limit-recursion: 1500\r\n\r\n##\r\n## Advanced Traffic Tracking and Reconstruction Settings\r\n##\r\n\r\n# Host specific policies for defragmentation and TCP stream\r\n# reassembly. The host OS lookup is done using a radix tree, just\r\n# like a routing table so the most specific entry matches.\r\nhost-os-policy:\r\n  # Make the default policy windows.\r\n  windows: [0.0.0.0\/0]\r\n  bsd: []\r\n  bsd-right: []\r\n  old-linux: []\r\n  linux: []\r\n  old-solaris: []\r\n  solaris: []\r\n  hpux10: []\r\n  hpux11: []\r\n  irix: []\r\n  macos: []\r\n  vista: []\r\n  windows2k3: []\r\n\r\n# Defrag settings:\r\n\r\ndefrag:\r\n  memcap: 60gb\r\n  hash-size: 10000000\r\n  # trackers: 65535 # number of defragmented flows to follow\r\n  # max-frags: 65535 # number of fragments to keep (higher than trackers)\r\n  # prealloc: yes\r\n  timeout: 3\r\n\r\n# Enable defrag per host settings\r\n#  host-config:\r\n#\r\n#    - dmz:\r\n#        timeout: 30\r\n#        address: [192.168.1.0\/24, 127.0.0.0\/8, 1.1.1.0\/24, 2.2.2.0\/24, &quot;1.1.1.1&quot;, &quot;2.2.2.2&quot;, &quot;::1&quot;]\r\n#\r\n#    - lan:\r\n#        timeout: 45\r\n#        address:\r\n#          - 192.168.0.0\/24\r\n#          - 192.168.10.0\/24\r\n#          - 172.16.14.0\/24\r\n\r\n# Flow settings:\r\n# By default, the reserved memory (memcap) for flows is 32MB. This is the limit\r\n# for flow allocation inside the engine. 
You can change this value to allow\r\n# more memory usage for flows.\r\n# The hash-size determines the size of the hash used to identify flows inside\r\n# the engine, and by default the value is 65536.\r\n# At startup, the engine can preallocate a number of flows, to get better\r\n# performance. The number of flows preallocated is 10000 by default.\r\n# emergency-recovery is the percentage of flows that the engine needs to\r\n# prune before clearing the emergency state. The emergency state is activated\r\n# when the memcap limit is reached, allowing new flows to be created, but\r\n# pruning them with the emergency timeouts (they are defined below).\r\n# If the memcap is reached, the engine will try to prune flows\r\n# with the default timeouts. If it doesn&#039;t find a flow to prune, it will set\r\n# the emergency bit and it will try again with more aggressive timeouts.\r\n# If that doesn&#039;t work, then it will try to kill the oldest flows using\r\n# last time seen flows.\r\n# The memcap can be specified in kb, mb, gb.  Just a number indicates it&#039;s\r\n# in bytes.\r\n\r\nflow:\r\n  memcap: 60gb\r\n  hash-size: 1000000\r\n  prealloc: 500000\r\n  emergency-recovery: 30\r\n  managers: 1 # default to one flow manager\r\n  recyclers: 1 # default to one flow recycler thread\r\n\r\n# This option controls the use of VLAN ids in the flow (and defrag)\r\n# hashing. Normally this should be enabled, but in some (broken)\r\n# setups where both sides of a flow are not tagged with the same VLAN\r\n# tag, we can ignore the VLAN id&#039;s in the flow hashing.\r\nvlan:\r\n  use-for-tracking: false\r\n\r\n# Specific timeouts for flows. Here you can specify the timeouts that the\r\n# active flows will wait to transit from the current state to another, on each\r\n# protocol. 
The value of &quot;new&quot; determines the seconds to wait after a handshake or\r\n# stream startup before the engine frees the data of that flow it doesn&#039;t\r\n# change the state to established (usually if we don&#039;t receive more packets\r\n# of that flow). The value of &quot;established&quot; is the amount of\r\n# seconds that the engine will wait to free the flow if that time elapses\r\n# without receiving new packets or closing the connection. &quot;closed&quot; is the\r\n# amount of time to wait after a flow is closed (usually zero). &quot;bypassed&quot;\r\n# timeout controls locally bypassed flows. For these flows we don&#039;t do any other\r\n# tracking. If no packets have been seen after this timeout, the flow is discarded.\r\n#\r\n# There&#039;s an emergency mode that will become active under attack circumstances,\r\n# making the engine to check flow status faster. This configuration variables\r\n# use the prefix &quot;emergency-&quot; and work similar as the normal ones.\r\n# Some timeouts doesn&#039;t apply to all the protocols, like &quot;closed&quot;, for udp and\r\n# icmp.\r\n\r\n# flow-timeouts:\r\n#   default:\r\n#     new: 2\r\n#     established: 10\r\n#     closed: 0\r\n#     bypassed: 5\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-closed: 0\r\n#     emergency-bypassed: 2\r\n#   tcp:\r\n#     new: 2\r\n#     established: 10\r\n#     closed: 0\r\n#     bypassed: 5\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-closed: 0\r\n#     emergency-bypassed: 2\r\n#   udp:\r\n#     new: 2\r\n#     established: 5\r\n#     bypassed: 3\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-bypassed: 2\r\n#   icmp:\r\n#     new: 2\r\n#     established: 5\r\n#     bypassed: 3\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-bypassed: 2\r\n\r\nflow-timeouts:\r\n  default:\r\n    new: 3\r\n    established: 30\r\n    closed: 0\r\n    
bypassed: 5\r\n    emergency-new: 1\r\n    emergency-established: 5\r\n    emergency-closed: 0\r\n    emergency-bypassed: 2\r\n  tcp:\r\n    new: 3\r\n    established: 30\r\n    closed: 0\r\n    bypassed: 5\r\n    emergency-new: 1\r\n    emergency-established: 5\r\n    emergency-closed: 0\r\n    emergency-bypassed: 2\r\n  udp:\r\n    new: 2\r\n    established: 5\r\n    bypassed: 3\r\n    emergency-new: 1\r\n    emergency-established: 3\r\n    emergency-bypassed: 2\r\n  icmp:\r\n    new: 2\r\n    established: 5\r\n    bypassed: 3\r\n    emergency-new: 1\r\n    emergency-established: 3\r\n    emergency-bypassed: 2\r\n\r\n# Stream engine settings. Here the TCP stream tracking and reassembly\r\n# engine is configured.\r\n#\r\n# stream:\r\n#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a\r\n#                               # number indicates it&#039;s in bytes.\r\n#   checksum-validation: yes    # To validate the checksum of received\r\n#                               # packet. If csum validation is specified as\r\n#                               # &quot;yes&quot;, then packets with invalid csum values will not\r\n#                               # be processed by the engine stream\/app layer.\r\n#                               # Warning: locally generated traffic can be\r\n#                               # generated without checksum due to hardware offload\r\n#                               # of checksum. 
You can control the handling of checksum\r\n#                               # on a per-interface basis via the &#039;checksum-checks&#039;\r\n#                               # option\r\n#   prealloc-sessions: 2k       # 2k sessions prealloc&#039;d per stream thread\r\n#   midstream: false            # don&#039;t allow midstream session pickups\r\n#   async-oneside: false        # don&#039;t enable async stream handling\r\n#   inline: no                  # stream inline mode\r\n#   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine\r\n#   max-synack-queued: 5        # Max different SYN\/ACKs to queue\r\n#   bypass: no                  # Bypass packets when stream.reassembly.depth is reached.\r\n#                               # Warning: first side to reach this triggers\r\n#                               # the bypass.\r\n#\r\n#   reassembly:\r\n#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number\r\n#                               # indicates it&#039;s in bytes.\r\n#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number\r\n#                               # indicates it&#039;s in bytes.\r\n#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least\r\n#                               # this size.  Can be specified in kb, mb,\r\n#                               # gb.  Just a number indicates it&#039;s in bytes.\r\n#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least\r\n#                               # this size.  Can be specified in kb, mb,\r\n#                               # gb.  Just a number indicates it&#039;s in bytes.\r\n#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.\r\n#                               # This lowers the risk of some evasion techniques but could lead\r\n#                               # to detection change between runs. 
It is set to &#039;yes&#039; by default.\r\n#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is\r\n#                               # a random value between (1 - randomize-chunk-range\/100)*toserver-chunk-size\r\n#                               # and (1 + randomize-chunk-range\/100)*toserver-chunk-size and the same\r\n#                               # calculation for toclient-chunk-size.\r\n#                               # Default value of randomize-chunk-range is 10.\r\n#\r\n#     raw: yes                  # &#039;Raw&#039; reassembly enabled or disabled.\r\n#                               # raw is for content inspection by detection\r\n#                               # engine.\r\n#\r\n#     segment-prealloc: 2048    # number of segments preallocated per thread\r\n#\r\n#     check-overlap-different-data: true|false\r\n#                               # check if a segment contains different data\r\n#                               # than what we&#039;ve already seen for that\r\n#                               # position in the stream.\r\n#                               # This is enabled automatically if inline mode\r\n#                               # is used or when stream-event:reassembly_overlap_different_data;\r\n#                               # is used in a rule.\r\n#\r\nstream:\r\n  memcap: 40gb\r\n  prealloc-sessions: 900000\r\n  midstream: true\r\n  drop-invalid: yes\r\n  # checksum-validation: yes      # reject incorrect csums\r\n  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically\r\n  bypass: yes\r\n  reassembly:\r\n    memcap: 40gb\r\n    depth: 64kb                  # reassemble 1mb into a stream\r\n    toserver-chunk-size: 2560\r\n    toclient-chunk-size: 2560\r\n    randomize-chunk-size: no\r\n    #randomize-chunk-range: 10\r\n    #raw: yes\r\n    segment-prealloc: 20480\r\n    check-overlap-different-data: true\r\n\r\n# Host table:\r\n#\r\n# Host table is used 
by the tagging and per host thresholding subsystems.\r\n#\r\nhost:\r\n  hash-size: 1000000\r\n  # prealloc: 1000\r\n  memcap: 10gb\r\n\r\n# IP Pair table:\r\n#\r\n# Used by xbits &#039;ippair&#039; tracking.\r\n#\r\n#ippair:\r\n#  hash-size: 4096\r\n#  prealloc: 1000\r\n#  memcap: 32mb\r\n\r\n# Decoder settings\r\n\r\ndecoder:\r\n  # Teredo decoder is known to not be completely accurate\r\n  # as it will sometimes detect non-teredo as teredo.\r\n  teredo:\r\n    enabled: true\r\n    # ports to look for Teredo. Max 4 ports. If no ports are given, or\r\n    # the value is set to &#039;any&#039;, Teredo detection runs on _all_ UDP packets.\r\n    ports: $TEREDO_PORTS # syntax: &#039;[3544, 1234]&#039; or &#039;3533&#039; or &#039;any&#039;.\r\n\r\n  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the\r\n  # IANA assigned port 4789 is enabled.\r\n  vxlan:\r\n    enabled: true\r\n    ports: $VXLAN_PORTS # syntax: &#039;[8472, 4789]&#039; or &#039;4789&#039;.\r\n\r\n  # VNTag decode support\r\n  vntag:\r\n    enabled: false\r\n\r\n  # Geneve decoder is assigned to up to 4 UDP ports. By default only the\r\n  # IANA assigned port 6081 is enabled.\r\n  geneve:\r\n    enabled: true\r\n    ports: $GENEVE_PORTS # syntax: &#039;[6081, 1234]&#039; or &#039;6081&#039;.\r\n\r\n  # maximum number of decoder layers for a packet\r\n  # max-layers: 16\r\n\r\n##\r\n## Performance tuning and profiling\r\n##\r\n\r\n# The detection engine builds internal groups of signatures. The engine\r\n# allows us to specify the profile to use for them, to manage memory in an\r\n# efficient way keeping good performance. For the profile keyword you\r\n# can use the words &quot;low&quot;, &quot;medium&quot;, &quot;high&quot; or &quot;custom&quot;. 
If you use custom,\r\n# make sure to define the values in the &quot;custom-values&quot; section.\r\n# Usually you would prefer medium\/high\/low.\r\n#\r\n# &quot;sgh mpm-context&quot;, indicates how the staging should allot mpm contexts for\r\n# the signature groups.  &quot;single&quot; indicates the use of a single context for\r\n# all the signature group heads.  &quot;full&quot; indicates a mpm-context for each\r\n# group head.  &quot;auto&quot; lets the engine decide the distribution of contexts\r\n# based on the information the engine gathers on the patterns from each\r\n# group head.\r\n#\r\n# The option inspection-recursion-limit is used to limit the recursive calls\r\n# in the content inspection code.  For certain payload-sig combinations, we\r\n# might end up taking too much time in the content inspection code.\r\n# If the argument specified is 0, the engine uses an internally defined\r\n# default limit.  When a value is not specified, there are no limits on the recursion.\r\ndetect:\r\n  profile: custom\r\n  custom-values:\r\n    toclient-groups: 2000\r\n    toserver-groups: 2000\r\n  sgh-mpm-context: auto\r\n  inspection-recursion-limit: 200\r\n  # If set to yes, the loading of signatures will be made after the capture\r\n  # is started. This will limit the downtime in IPS mode.\r\n  delayed-detect: yes\r\n\r\n  prefilter:\r\n    # default prefiltering setting. &quot;mpm&quot; only creates MPM\/fast_pattern\r\n    # engines. &quot;auto&quot; also sets up prefilter engines for other keywords.\r\n    # Use --list-keywords=all to see which keywords support prefiltering.\r\n    default: auto\r\n\r\n  # the grouping values above control how many groups are created per\r\n  # direction. 
Port whitelisting forces that port to get its own group.\r\n  # Very common ports will benefit, as well as ports with many expensive\r\n  # rules.\r\n  grouping:\r\n    tcp-whitelist: 443\r\n    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080\r\n    #udp-whitelist: 53, 135, 5060\r\n\r\n  profiling:\r\n    # Log the rules that made it past the prefilter stage, per packet\r\n    # default is off. The threshold setting determines how many rules\r\n    # must have made it past pre-filter for that rule to trigger the\r\n    # logging.\r\n    #inspect-logging-threshold: 200\r\n    # grouping:\r\n    #   dump-to-disk: false\r\n    #   include-rules: false      # very verbose\r\n    #   include-mpm-stats: false\r\n\r\n# Select the multi pattern algorithm you want to run for scan\/search the\r\n# in the engine.\r\n#\r\n# The supported algorithms are:\r\n# &quot;ac&quot;      - Aho-Corasick, default implementation\r\n# &quot;ac-bs&quot;   - Aho-Corasick, reduced memory implementation\r\n# &quot;ac-ks&quot;   - Aho-Corasick, &quot;Ken Steele&quot; variant\r\n# &quot;hs&quot;      - Hyperscan, available when built with Hyperscan support\r\n#\r\n# The default mpm-algo value of &quot;auto&quot; will use &quot;hs&quot; if Hyperscan is\r\n# available, &quot;ac&quot; otherwise.\r\n#\r\n# The mpm you choose also decides the distribution of mpm contexts for\r\n# signature groups, specified by the conf - &quot;detect.sgh-mpm-context&quot;.\r\n# Selecting &quot;ac&quot; as the mpm would require &quot;detect.sgh-mpm-context&quot;\r\n# to be set to &quot;single&quot;, because of ac&#039;s memory requirements, unless the\r\n# ruleset is small enough to fit in memory, in which case one can\r\n# use &quot;full&quot; with &quot;ac&quot;.  
The rest of the mpms can be run in &quot;full&quot; mode.\r\n\r\nmpm-algo: hs\r\n\r\n# Select the matching algorithm you want to use for single-pattern searches.\r\n#\r\n# Supported algorithms are &quot;bm&quot; (Boyer-Moore) and &quot;hs&quot; (Hyperscan, only\r\n# available if Suricata has been built with Hyperscan support).\r\n#\r\n# The default of &quot;auto&quot; will use &quot;hs&quot; if available, otherwise &quot;bm&quot;.\r\n\r\nspm-algo: hs\r\n\r\n# Suricata is multi-threaded. Here the threading can be influenced.\r\nthreading:\r\n  set-cpu-affinity: yes\r\n  # Tune cpu affinity of threads. Each family of threads can be bound\r\n  # to specific CPUs.\r\n  #\r\n  # These 2 apply to the all runmodes:\r\n  # management-cpu-set is used for flow timeout handling, counters\r\n  # worker-cpu-set is used for &#039;worker&#039; threads\r\n  #\r\n  # Additionally, for autofp these apply:\r\n  # receive-cpu-set is used for capture threads\r\n  # verdict-cpu-set is used for IPS verdict threads\r\n  #\r\n  cpu-affinity:\r\n    - management-cpu-set:\r\n        cpu: [1,3]  # include only these CPUs in affinity settings\r\n        mode: &quot;exclusive&quot;\r\n    - worker-cpu-set:\r\n        cpu: [0,2,4,6,8,10,12,14,16,18,20,22,24,  5,7,9,11,13,15,17,19,21,23,25,27,29,31]\r\n        mode: &quot;exclusive&quot;\r\n        prio:\r\n          medium: [0,2,4,6,8,10,12,14,16,18,20,22,24]\r\n          high: [5,7,9,11,13,15,17,19,21,23,25,27,29,31]\r\n          default: &quot;medium&quot;\r\n  #\r\n  # By default Suricata creates one &quot;detect&quot; thread per available CPU\/CPU core.\r\n  # This setting allows controlling this behaviour. A ratio setting of 2 will\r\n  # create 2 detect threads for each CPU\/CPU core. So for a dual core CPU this\r\n  # will result in 4 detect threads. If values below 1 are used, less threads\r\n  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect\r\n  # thread being created. 
Regardless of the setting at a minimum 1 detect\r\n  # thread will always be created.\r\n  #\r\n  detect-thread-ratio: 1.0\r\n\r\n# Luajit has a strange memory requirement, its &#039;states&#039; need to be in the\r\n# first 2G of the process&#039; memory.\r\n#\r\n# &#039;luajit.states&#039; is used to control how many states are preallocated.\r\n# State use: per detect script: 1 per detect thread. Per output script: 1 per\r\n# script.\r\nluajit:\r\n  states: 128\r\n\r\n# Profiling settings. Only effective if Suricata has been built with\r\n# the --enable-profiling configure flag.\r\n#\r\nprofiling:\r\n  # Run profiling for every X-th packet. The default is 1, which means we\r\n  # profile every packet. If set to 1000, one packet is profiled for every\r\n  # 1000 received.\r\n  #sample-rate: 1000\r\n\r\n  # rule profiling\r\n  rules:\r\n\r\n    # Profiling can be disabled here, but it will still have a\r\n    # performance impact if compiled in.\r\n    enabled: no\r\n    filename: rule_perf.log\r\n    append: yes\r\n\r\n    # Sort options: ticks, avgticks, checks, matches, maxticks\r\n    # If commented out all the sort options will be used.\r\n    #sort: avgticks\r\n\r\n    # Limit the number of sids for which stats are shown at exit (per sort).\r\n    limit: 50\r\n\r\n    # output to json\r\n    json: no\r\n\r\n  # per keyword profiling\r\n  keywords:\r\n    enabled: no\r\n    filename: keyword_perf.log\r\n    append: yes\r\n\r\n  prefilter:\r\n    enabled: no\r\n    filename: prefilter_perf.log\r\n    append: yes\r\n\r\n  # per rulegroup profiling\r\n  rulegroups:\r\n    enabled: no\r\n    filename: rule_group_perf.log\r\n    append: yes\r\n\r\n  # packet profiling\r\n  packets:\r\n\r\n    # Profiling can be disabled here, but it will still have a\r\n    # performance impact if compiled in.\r\n    enabled: no\r\n    filename: packet_stats.log\r\n    append: yes\r\n\r\n    # per packet csv output\r\n    csv:\r\n\r\n      # Output can be disabled here, but it will 
still have a\r\n      # performance impact if compiled in.\r\n      enabled: no\r\n      filename: packet_stats.csv\r\n\r\n  # profiling of locking. Only available when Suricata was built with\r\n  # --enable-profiling-locks.\r\n  locks:\r\n    enabled: no\r\n    filename: lock_stats.log\r\n    append: yes\r\n\r\n  pcap-log:\r\n    enabled: no\r\n    filename: pcaplog_stats.log\r\n    append: yes\r\n\r\n##\r\n## Netfilter integration\r\n##\r\n\r\n# When running in NFQ inline mode, it is possible to use a simulated\r\n# non-terminal NFQUEUE verdict.\r\n# This permits sending all needed packet to Suricata via this rule:\r\n#        iptables -I FORWARD -m mark ! --mark $MARK\/$MASK -j NFQUEUE\r\n# And below, you can have your standard filtering ruleset. To activate\r\n# this mode, you need to set mode to &#039;repeat&#039;\r\n# If you want a packet to be sent to another queue after an ACCEPT decision\r\n# set the mode to &#039;route&#039; and set next-queue value.\r\n# On Linux &gt;= 3.1, you can set batchcount to a value &gt; 1 to improve performance\r\n# by processing several packets before sending a verdict (worker runmode only).\r\n# On Linux &gt;= 3.6, you can set the fail-open option to yes to have the kernel\r\n# accept the packet if Suricata is not able to keep pace.\r\n# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is\r\n# set then the NFQ bypass is activated. Suricata will set the bypass mark\/mask\r\n# on packet of a flow that need to be bypassed. 
The Netfilter ruleset has to\r\n# directly accept all packets of a flow once a packet has been marked.\r\nnfq:\r\n#  mode: accept\r\n#  repeat-mark: 1\r\n#  repeat-mask: 1\r\n#  bypass-mark: 1\r\n#  bypass-mask: 1\r\n#  route-queue: 2\r\n#  batchcount: 20\r\n#  fail-open: yes\r\n\r\n#nflog support\r\nnflog:\r\n    # netlink multicast group\r\n    # (the same as the iptables --nflog-group param)\r\n    # Group 0 is used by the kernel, so you can&#039;t use it\r\n  - group: 2\r\n    # netlink buffer size\r\n    buffer-size: 18432\r\n    # put default value here\r\n  - group: default\r\n    # set number of packets to queue inside kernel\r\n    qthreshold: 1\r\n    # set the delay before flushing packet in the kernel&#039;s queue\r\n    qtimeout: 100\r\n    # netlink max buffer size\r\n    max-size: 20000\r\n\r\n##\r\n## Advanced Capture Options\r\n##\r\n\r\n# General settings affecting packet capture\r\ncapture:\r\n  # disable NIC offloading. It&#039;s restored when Suricata exits.\r\n  # Enabled by default.\r\n  #disable-offloading: false\r\n  #\r\n  # disable checksum validation. Same as setting &#039;-k none&#039; on the\r\n  # commandline.\r\n  #checksum-validation: none\r\n\r\n# Netmap support\r\n#\r\n# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has\r\n# built-in Netmap support or compile and install the Netmap module and appropriate\r\n# NIC driver for your Linux system.\r\n# To reach maximum throughput disable all receive-, segmentation-,\r\n# checksum- offloading on your NIC (using ethtool or similar).\r\n# Disabling TX checksum offloading is *required* for connecting OS endpoint\r\n# with NIC endpoint.\r\n# You can find more information at https:\/\/github.com\/luigirizzo\/netmap\r\n#\r\nnetmap:\r\n   # To specify OS endpoint add plus sign at the end (e.g. &quot;eth0+&quot;)\r\n - interface: eth2\r\n   # Number of capture threads. 
&quot;auto&quot; uses number of RSS queues on interface.\r\n   # Warning: unless the RSS hashing is symmetrical, this will lead to\r\n   # accuracy issues.\r\n   #threads: auto\r\n   # You can use the following variables to activate netmap tap or IPS mode.\r\n   # If copy-mode is set to ips or tap, the traffic coming to the current\r\n   # interface will be copied to the copy-iface interface. If &#039;tap&#039; is set, the\r\n   # copy is complete. If &#039;ips&#039; is set, the packet matching a &#039;drop&#039; action\r\n   # will not be copied.\r\n   # To specify the OS as the copy-iface (so the OS can route packets, or forward\r\n   # to a service running on the same machine) add a plus sign at the end\r\n   # (e.g. &quot;copy-iface: eth0+&quot;). Don&#039;t forget to set up a symmetrical eth0+ -&gt; eth0\r\n   # for return packets. Hardware checksumming must be *off* on the interface if\r\n   # using an OS endpoint (e.g. &#039;ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6&#039; for FreeBSD\r\n   # or &#039;ethtool -K eth0 tx off rx off&#039; for Linux).\r\n   #copy-mode: tap\r\n   #copy-iface: eth3\r\n   # Set to yes to disable promiscuous mode\r\n   # disable-promisc: no\r\n   # Choose checksum verification mode for the interface. At the moment\r\n   # of the capture, some packets may have an invalid checksum due to\r\n   # the checksum computation being offloaded to the network card.\r\n   # Possible values are:\r\n   #  - yes: checksum validation is forced\r\n   #  - no: checksum validation is disabled\r\n   #  - auto: Suricata uses a statistical approach to detect when\r\n   #  checksum off-loading is used.\r\n   # Warning: &#039;checksum-validation&#039; must be set to yes to have any validation\r\n   #checksum-checks: auto\r\n   # BPF filter to apply to this interface. 
The pcap filter syntax apply here.\r\n   #bpf-filter: port 80 or udp\r\n #- interface: eth3\r\n   #threads: auto\r\n   #copy-mode: tap\r\n   #copy-iface: eth2\r\n   # Put default values here\r\n - interface: default\r\n\r\n# PF_RING configuration: for use with native PF_RING support\r\n# for more info see http:\/\/www.ntop.org\/products\/pf_ring\/\r\npfring:\r\n  # - interface: eth0\r\n  #   # Number of receive threads. If set to &#039;auto&#039; Suricata will first try\r\n  #   # to use CPU (core) count and otherwise RSS queue count.\r\n  #   threads: auto\r\n\r\n  #   # Default clusterid.  PF_RING will load balance packets based on flow.\r\n  #   # All threads\/processes that will participate need to have the same\r\n  #   # clusterid.\r\n  #   cluster-id: 99\r\n\r\n  #   # Default PF_RING cluster type. PF_RING can load balance per flow.\r\n  #   # Possible values are cluster_flow or cluster_round_robin.\r\n  #   cluster-type: cluster_flow\r\n\r\n  - interface: zc:99@0\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@1\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@2\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@3\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@4\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@5\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@6\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@7\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@8\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@9\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    
checksum-checks: no\r\n  - interface: zc:99@10\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@11\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@12\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@13\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@14\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@15\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@16\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@17\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@18\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@19\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@20\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@21\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@22\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@23\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@24\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@25\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@26\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n\r\n\r\n  # - interface: zc:99@28\r\n  #   threads: 1\r\n  #   cluster-type: cluster_flow\r\n  #   checksum-checks: no\r\n  # - interface: zc:99@29\r\n  #   threads: 1\r\n  # 
  cluster-type: cluster_flow\r\n  #   checksum-checks: no\r\n\r\n    # bpf filter for this interface\r\n    #bpf-filter: tcp\r\n\r\n    # If bypass is set then the PF_RING hw bypass is activated, when supported\r\n    # by the network interface. Suricata will instruct the interface to bypass\r\n    # all future packets for a flow that needs to be bypassed.\r\n    #bypass: yes\r\n\r\n    # Choose checksum verification mode for the interface. At the moment\r\n    # of the capture, some packets may have an invalid checksum due to\r\n    # the checksum computation being offloaded to the network card.\r\n    # Possible values are:\r\n    #  - rxonly: only compute checksum for packets received by network card.\r\n    #  - yes: checksum validation is forced\r\n    #  - no: checksum validation is disabled\r\n    #  - auto: Suricata uses a statistical approach to detect when\r\n    #  checksum off-loading is used. (default)\r\n    # Warning: &#039;checksum-validation&#039; must be set to yes to have any validation\r\n    #checksum-checks: auto\r\n  # Second interface\r\n  #- interface: eth1\r\n  #  threads: 3\r\n  #  cluster-id: 93\r\n  #  cluster-type: cluster_flow\r\n  # Put default values here\r\n  # - interface: default\r\n    #threads: 2\r\n\r\n# For FreeBSD ipfw(8) divert(4) support.\r\n# Please make sure you have ipfw_load=&quot;YES&quot; and ipdivert_load=&quot;YES&quot;\r\n# in \/etc\/loader.conf or kldload&#039;ing the appropriate kernel modules.\r\n# Additionally, you need to have an ipfw rule for the engine to see\r\n# the packets from ipfw.  For Example:\r\n#\r\n#   ipfw add 100 divert 8000 ip from any to any\r\n#\r\n# N.B. This example uses &quot;8000&quot; -- this number must match the values\r\n# you passed on the command line, i.e., -d 8000\r\n#\r\nipfw:\r\n\r\n  # Reinject packets at the specified ipfw rule number.  
This config\r\n  # option is the ipfw rule number AT WHICH rule processing continues\r\n  # in the ipfw processing system after the engine has finished\r\n  # inspecting the packet for acceptance.  If no rule number is specified,\r\n  # accepted packets are reinjected at the divert rule which they entered\r\n  # and IPFW rule processing continues.  No check is done to verify\r\n  # this rule makes sense so care must be taken to avoid loops in ipfw.\r\n  #\r\n  ## The following example tells the engine to reinject packets\r\n  # back into the ipfw firewall AT rule number 5500:\r\n  #\r\n  # ipfw-reinjection-rule-number: 5500\r\n\r\n\r\nnapatech:\r\n    # When use_all_streams is set to &quot;yes&quot; the initialization code will query\r\n    # the Napatech service for all configured streams and listen on all of them.\r\n    # When set to &quot;no&quot; the streams config array will be used.\r\n    #\r\n    # This option necessitates running the appropriate NTPL commands to create\r\n    # the desired streams prior to running Suricata.\r\n    #use-all-streams: no\r\n\r\n    # The streams to listen on when auto-config is disabled or when threading\r\n    # cpu-affinity is disabled.  This can be either:\r\n    #   an individual stream (e.g. streams: [0])\r\n    # or\r\n    #   a range of streams (e.g. streams: [&quot;0-3&quot;])\r\n    #\r\n    streams: [&quot;0-3&quot;]\r\n\r\n    # Stream stats can be enabled to provide fine grain packet and byte counters\r\n    # for each thread\/stream that is configured.\r\n    #\r\n    enable-stream-stats: no\r\n\r\n    # When auto-config is enabled the streams will be created and assigned\r\n    # automatically to the NUMA node where the thread resides.  If cpu-affinity\r\n    # is enabled in the threading section.  
Then the streams will be created\r\n    # according to the number of worker threads specified in the worker-cpu-set.\r\n    # Otherwise, the streams array is used to define the streams.\r\n    #\r\n    # This option is intended primarily to support legacy configurations.\r\n    #\r\n    # This option cannot be used simultaneously with either &quot;use-all-streams&quot;\r\n    # or &quot;hardware-bypass&quot;.\r\n    #\r\n    auto-config: yes\r\n\r\n    # Enable hardware level flow bypass.\r\n    #\r\n    hardware-bypass: yes\r\n\r\n    # Enable inline operation.  When enabled traffic arriving on a given port is\r\n    # automatically forwarded out its peer port after analysis by Suricata.\r\n    #\r\n    inline: no\r\n\r\n    # Ports indicates which Napatech ports are to be used in auto-config mode.\r\n    # these are the port IDs of the ports that will be merged prior to the\r\n    # traffic being distributed to the streams.\r\n    #\r\n    # When hardware-bypass is enabled the ports must be configured as a segment.\r\n    # specify the port(s) on which upstream and downstream traffic will arrive.\r\n    # This information is necessary for the hardware to properly process flows.\r\n    #\r\n    # When using a tap configuration one of the ports will receive inbound traffic\r\n    # for the network and the other will receive outbound traffic. The two ports on a\r\n    # given segment must reside on the same network adapter.\r\n    #\r\n    # When using a SPAN-port configuration the upstream and downstream traffic\r\n    # arrives on a single port. This is configured by setting the two sides of the\r\n    # segment to reference the same port.  (e.g. 
0-0 to configure a SPAN port on\r\n    # port 0).\r\n    #\r\n    # port segments are specified in the form:\r\n    #    ports: [0-1,2-3,4-5,6-6,7-7]\r\n    #\r\n    # For legacy systems when hardware-bypass is disabled this can be specified in any\r\n    # of the following ways:\r\n    #\r\n    #   a list of individual ports (e.g. ports: [0,1,2,3])\r\n    #\r\n    #   a range of ports (e.g. ports: [0-3])\r\n    #\r\n    #   &quot;all&quot; to indicate that all ports are to be merged together\r\n    #   (e.g. ports: [all])\r\n    #\r\n    # This parameter has no effect if auto-config is disabled.\r\n    #\r\n    ports: [0-1,2-3]\r\n\r\n    # When auto-config is enabled the hashmode specifies the algorithm for\r\n    # determining to which stream a given packet is to be delivered.\r\n    # This can be any valid Napatech NTPL hashmode command.\r\n    #\r\n    # The most common hashmode commands are:  hash2tuple, hash2tuplesorted,\r\n    # hash5tuple, hash5tuplesorted and roundrobin.\r\n    #\r\n    # See Napatech NTPL documentation other hashmodes and details on their use.\r\n    #\r\n    # This parameter has no effect if auto-config is disabled.\r\n    #\r\n    hashmode: hash5tuplesorted\r\n\r\n##\r\n## Configure Suricata to load Suricata-Update managed rules.\r\n##\r\n&lt;\/pre&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n<\/div><div class=\"gfmr-markdown-rendered\"><p>\u524d\u7f6e\u6761\u4ef6\u51c6\u5907\u4e00\u4e2a\u5e72\u51c0\u7684CentOS7\u73af\u5883\uff0c\u90e8\u7f72\u7248\u672cSuricata_4.0.4 + PF_RING_ZC_7.0.0\uff0c\u786c\u4ef6\u914d\u7f6e32\u6838\u5fc3200GB\u5185\u5b58\u3002<\/p>\n<p>&nbsp;<\/p>\n<h1><span class=\"ez-toc-section\" id=\"%E4%B8%80%E3%80%81%E5%BF%85%E8%A6%81%E8%BD%AF%E4%BB%B6%E5%AE%89%E8%A3%85\"><\/span>\u4e00\u3001\u5fc5\u8981\u8f6f\u4ef6\u5b89\u88c5<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" 
id=\"1%E3%80%81%E7%BC%96%E8%AF%91%E5%B9%B6%E5%AE%89%E8%A3%85PF_RING%E5%95%86%E4%B8%9A%E7%89%88\"><\/span>1\u3001\u7f16\u8bd1\u5e76\u5b89\u88c5PF_RING\u5546\u4e1a\u7248<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">pf_ring_dir=\"PF_RING-7.0.0-stable\" \r\n\r\nyum install gcc cmake bison flex file-devel libhugetlbfs -y \r\n\r\ncd $pf_ring_dir\/kernel \r\n\r\nmake \r\n\r\nmake install \r\n\r\ncd ..\/userland\/lib \r\n\r\n.\/configure \r\n\r\nmake \r\n\r\nmake install \r\n\r\ncd ..\/libpcap-1.8.1\/ \r\n\r\n.\/configure \r\n\r\nmake \r\n\r\nmake install \r\n\r\ncd ..\/..\/drivers\/intel\/ixgbe\/ixgbe-5.0.4-zc\/src\/ \r\n\r\nmake \r\n\r\nsudo make install\r\n\r\ncd $pf_ring_dir\/userland\/examples\r\n\r\nmake \r\n\r\nmake install\r\n\r\ncd ..\/examples_zc\r\n\r\nmake\r\n\r\nmake install\r\n\r\ncd ..\/tcpdump\r\n\r\n.\/configure\r\n\r\nmake\r\n\r\nmake install\r\n<\/pre>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2%E3%80%81%E5%8A%A0%E8%BD%BDPF_RING%E9%A9%B1%E5%8A%A8\"><\/span>2\u3001\u52a0\u8f7dPF_RING\u9a71\u52a8<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">cd $pf_ring_dir\/drivers\/intel\/ixgbe\/ixgbe-5.0.4-zc\/src\/\r\n\r\nbash load_driver.sh<\/pre>\n<p>\u68c0\u67e5\u4e07\u5146\u7f51\u5361\u9a71\u52a8\u662f\u5426\u52a0\u8f7d\u6210\u529f\uff1a<\/p>\n<p>$ modinfo ixgbe<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-905\" title=\"21648c67156434aca6fe74068b0e330c\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c.png\" alt=\"21648c67156434aca6fe74068b0e330c\" width=\"656\" height=\"283\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c.png 1602w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c-768x331.png 768w, 
http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c-1536x662.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c-1170x504.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/21648c67156434aca6fe74068b0e330c-585x252.png 585w\" sizes=\"auto, (max-width: 656px) 100vw, 656px\" \/><\/p>\n<p>\u68c0\u67e5PF_RING\u9a71\u52a8\u662f\u5426\u52a0\u8f7d\u6210\u529f\uff1a<\/p>\n<p>$ modinfo pf_ring<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-906\" title=\"bc9782b378122a7cd86829ba1f9d8ace\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace.png\" alt=\"bc9782b378122a7cd86829ba1f9d8ace\" width=\"666\" height=\"281\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace.png 1546w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace-768x324.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace-1536x648.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace-1170x493.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/bc9782b378122a7cd86829ba1f9d8ace-585x247.png 585w\" sizes=\"auto, (max-width: 666px) 100vw, 666px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3%E3%80%81%E5%AE%89%E8%A3%85hiredis\"><\/span>3\u3001\u5b89\u88c5hiredis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">yum -y install gcc automake autoconf libtool make\r\n\r\ngit clone https:\/\/github.com\/redis\/hiredis.git  \r\n\r\ncd hiredis\/  \r\n\r\nmake\r\n\r\nsudo make install<\/pre>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"4%E3%80%81%E5%AE%89%E8%A3%85boost160\"><\/span>4\u3001\u5b89\u88c5boost.1.60<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"shell\">sudo yum install python-devel -y\r\n\r\nsudo yum install libquadmath -y\r\n\r\nsudo yum install libquadmath-devel -y\r\n\r\nsudo yum install bzip2-devel -y\r\n\r\nsudo yum install cmake ragel -y\r\n\r\nsudo yum install boost-devel -y\r\n\r\nwget http:\/\/downloads.sourceforge.net\/project\/boost\/boost\/1.60.0\/boost_1_60_0.tar.gz\r\n\r\ntar xvzf boost_1_60_0.tar.gz\r\n\r\ncd boost_1_60_0\r\n\r\nmkdir -p \/tmp\/boost-1.60_tmp\r\n\r\n.\/bootstrap.sh --prefix=\/tmp\/boost-1.60_tmp\r\n\r\n.\/b2\r\n\r\n.\/b2 install<\/pre>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"5%E3%80%81%E5%AE%89%E8%A3%85hyperscan\"><\/span>5\u3001\u5b89\u88c5hyperscan<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u5728\u300e\/etc\/profile\u300f\u6dfb\u52a0\u4ee5\u4e0b\u547d\u4ee4\u884c\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">export PATH=\/usr\/local\/bin\/:$PATH\r\nexport LD_LIBRARY_PATH=\/usr\/local\/lib64:$LD_LIBRARY_PATH<\/pre>\n<p>\u8ba9\u540e\u6267\u884c\u300esource \/etc\/profile\u300f\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">wget http:\/\/www.colm.net\/files\/ragel\/ragel-6.10.tar.gz\r\n\r\ntar -zxvf ragel-6.10.tar.gz\r\n\r\ncd ragel-6.10\r\n\r\n.\/configure\r\n\r\nmake\r\n\r\nmake install\r\n\r\nldconfig\r\n\r\ncd ..\r\n\r\n#########################################################\r\nwget https:\/\/ftp.gnu.org\/gnu\/binutils\/binutils-2.37.tar.gz\r\n\r\ntar -zxvf binutils-2.37.tar.gz\r\n\r\ncd binutils-2.37\r\n\r\n.\/configure\r\n\r\nmake\r\n\r\nmake install\r\n\r\ncd ..\r\n\r\n\r\n#########################################################\r\ngit clone https:\/\/github.com\/01org\/hyperscan\r\n\r\ncd hyperscan\r\n\r\nmkdir build\r\n\r\ncd build\r\n\r\ncmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=\/tmp\/boost-1.60_tmp ..\/\r\n\r\nmake -j4\r\n\r\nsudo make install\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" 
id=\"6%E3%80%81%E5%AE%89%E8%A3%85Suricata\"><\/span>6\u3001\u5b89\u88c5Suricata<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u7f16\u8bd1\u53c2\u6570\u300e&#8211;enable-profiling\u300f\u52a0\u4e0a\u540e\uff0c\u65e0\u8bba\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u662f\u5426\u5f00\u542f\u300eprofiling-rules\u300f\u529f\u80fd\u90fd\u4f1a\u5f71\u54cd\u6027\u80fd\uff0c\u4f46\u53ea\u6709\u52a0\u4e0a\u8fd9\u4e2a\u53c2\u6570\u540e\u624d\u80fd\u8bc4\u4f30\u89c4\u5219\u96c6\u7684\u68c0\u6d4b\u6548\u7387\uff0c\u6240\u4ee5\u5efa\u8bae\u5728\u6d4b\u8bd5\u73af\u5883\u4e2d\u5f00\u542f\u8fd9\u4e2a\u53c2\u6570\u6765\u4f18\u5316\u89c4\u5219\uff0c\u4f46\u7ebf\u4e0a\u73af\u5883\u53d6\u6d88\u8fd9\u4e2a\u7f16\u8bd1\u53c2\u6570\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-938\" title=\"f17abf36a836f03ab8fb9e05d4e6f4ce-2\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f17abf36a836f03ab8fb9e05d4e6f4ce-2.png\" alt=\"f17abf36a836f03ab8fb9e05d4e6f4ce-2\" width=\"598\" height=\"415\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f17abf36a836f03ab8fb9e05d4e6f4ce-2.png 1198w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f17abf36a836f03ab8fb9e05d4e6f4ce-2-768x532.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f17abf36a836f03ab8fb9e05d4e6f4ce-2-1170x811.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f17abf36a836f03ab8fb9e05d4e6f4ce-2-585x405.png 585w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\"># \u6b64\u8fc7\u7a0b\u8f6f\u4ef6\u5305\u53ef\u80fd\u4e0d\u5168\uff0c\u7b49Suricata\u914d\u7f6emake\u6587\u4ef6\u4e0d\u901a\u8fc7\u65f6\u4f1a\u63d0\u9192\u5b89\u88c5\u7f3a\u5931\u8f6f\u4ef6\u3002\r\n\r\nsudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel  libevent-devel lua-devel GeoIP-devel gperftools-libs -y\r\n\r\ncd 
$suricata_dir\/\r\n\r\n.\/configure --enable-lua --enable-pfring --enable-old-barnyard2 --enable-hiredis --enable-unix-socket --enable-profiling --enable-geoip --with-libnss-libraries=\/usr\/lib64 --with-libnss-includes=\/usr\/include\/nss3 --with-libnspr-libraries=\/usr\/lib64 --with-libnspr-includes=\/usr\/include\/nspr4 --with-libpfring-includes=\/usr\/local\/include --with-libpfring-libraries=\/usr\/local\/lib --with-libhs-includes=\/usr\/local\/include\/hs\/ --with-libhs-libraries=\/usr\/local\/lib\/\r\n\r\nmake\r\n\r\nmake install\r\n\r\necho \"\/usr\/local\/lib64\" | tee --append \/etc\/ld.so.conf.d\/usrlocal.conf\r\n\r\nldconfig<\/pre>\n<p>&nbsp;<\/p>\n<h1><span class=\"ez-toc-section\" id=\"%E4%BA%8C%E3%80%81%E4%BC%98%E5%8C%96%E5%8F%82%E6%95%B0\"><\/span>\u4e8c\u3001\u4f18\u5316\u53c2\u6570<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"1%E3%80%81%E7%BD%91%E5%8D%A1%E5%8F%82%E6%95%B0\"><\/span>1\u3001\u7f51\u5361\u53c2\u6570<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u5982\u679c\u955c\u50cf\u53e3\u5728eth3\u548ceth4\u4e0a\uff0c\u6267\u884c\u5982\u4e0b\u547d\u4ee4\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">sudo ethtool -K eth3 rx off\r\nsudo ethtool -K eth3 tx off\r\nsudo ethtool -K eth3 sg off\r\nsudo ethtool -K eth3 tso off\r\nsudo ethtool -K eth3 gso off\r\nsudo ethtool -K eth3 gro off\r\nsudo ethtool -K eth3 lro off\r\nsudo ethtool -K eth3 rxvlan off\r\nsudo ethtool -K eth3 txvlan off\r\nsudo ethtool -K eth3 ntuple off\r\nsudo ethtool -K eth3 rxhash off\r\nsudo ethtool -A eth3 rx off tx off\r\n\r\nsudo ethtool -K eth4 rx off\r\nsudo ethtool -K eth4 tx off\r\nsudo ethtool -K eth4 sg off\r\nsudo ethtool -K eth4 tso off\r\nsudo ethtool -K eth4 gso off\r\nsudo ethtool -K eth4 gro off\r\nsudo ethtool -K eth4 lro off\r\nsudo ethtool -K eth4 rxvlan off\r\nsudo ethtool -K eth4 txvlan off\r\nsudo ethtool -K eth4 ntuple off\r\nsudo ethtool -K eth4 rxhash off\r\nsudo ethtool -A 
eth4 rx off tx off\r\n\r\nifconfig eth4 mtu 1522\r\nifconfig eth3 mtu 1522\r\n\r\n# \u8fd9\u6b65\u5f88\u91cd\u8981\uff0cZC\u6a21\u5f0f\u4e0b\u5fc5\u987b\u5c06\u7f51\u5361\u961f\u5217\u8bbe\u7f6e\u4e3a1\uff0c\u5426\u5219\u4f1a\u9020\u6210forwarded\u7ed9suricata\u7684\u6d41\u91cf\u4e0d\u5b8c\u6574\r\nethtool -L eth3 combined 1 \r\nethtool -L eth4 combined 1 \r\n<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"2%E3%80%81%E7%B3%BB%E7%BB%9F%E5%8F%82%E6%95%B0\"><\/span>2\u3001\u7cfb\u7edf\u53c2\u6570<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\"># \u914d\u7f6e\u5185\u5b58\u5927\u9875\r\nmkdir \/hugetlbf\r\nmount -t hugetlbfs nodev \/hugetlbf\r\nsysctl -w vm.nr_hugepages=10240\r\n\r\n# \u751f\u6548\u65b0\u914d\u7f6e\r\nsysctl -p<\/pre>\n<p>\u8bbe\u7f6eCPU\u9694\u79bb\uff0c\u4f8b\u598232\u6838\u673a\u5668\uff0c\u7ed9\u7cfb\u7edf\u9884\u75592\u4e2aCPU\uff0c\u5176\u4f59\u7684\u5168\u90e8\u9694\u79bb\u8d77\u6765\uff0c\u7b49\u5f85Suricata\u72ec\u5360\uff0c\u4fee\u6539\/etc\/default\/grub\u6587\u4ef6\uff08\u4e0d\u540c\u7684\u7cfb\u7edf\u6587\u4ef6\u4f4d\u7f6e\u53ef\u80fd\u4e0d\u540c\uff09\uff0c\u52a0\u5165\u4ee5\u4e0b\u53c2\u6570\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">isolcpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 nohz_full=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 rcu_nocbs=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-933\" title=\"49a3a8be78f21e95caace7099053a0c6\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6.png\" alt=\"49a3a8be78f21e95caace7099053a0c6\" width=\"692\" height=\"312\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6.png 2262w, 
http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6-768x346.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6-1536x691.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6-2048x922.png 2048w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6-1920x864.png 1920w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6-1170x527.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/49a3a8be78f21e95caace7099053a0c6-585x263.png 585w\" sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/p>\n<p>\u4fdd\u5b58\u540e\u91cd\u542f\u7cfb\u7edf\uff0c\u7136\u540e\u6267\u884c\u547d\u4ee4\u300ecat \/proc\/cmdline\u300f\u67e5\u770b\u914d\u7f6e\u662f\u5426\u751f\u6548\uff1a<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-924\" title=\"c9dc8949f0ad8b00a049a58b8a0206f3\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3.png\" alt=\"c9dc8949f0ad8b00a049a58b8a0206f3\" width=\"2246\" height=\"230\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3.png 2246w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3-768x79.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3-1536x157.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3-2048x210.png 2048w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3-1920x197.png 1920w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3-1170x120.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/c9dc8949f0ad8b00a049a58b8a0206f3-585x60.png 585w\" sizes=\"auto, (max-width: 2246px) 100vw, 2246px\" 
\/><\/h2>\n<p>\u67e5\u770bCPU\u4f7f\u7528\u7387\u7684\u65f6\u5019\uff0c\u53d1\u73b0\u53ea\u6709\u672a\u88ab\u9694\u79bb\u7684CPU\u5728\u88ab\u8c03\u5ea6\uff0c\u8bf4\u660e\u914d\u7f6e\u6210\u529f\u4e86\uff1a<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3%E3%80%81Suricata%E5%85%B3%E9%94%AE%E5%8F%82%E6%95%B0\"><\/span><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-925\" title=\"7d46cc646abd7da583612419fd57195f\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f.png\" alt=\"7d46cc646abd7da583612419fd57195f\" width=\"2200\" height=\"602\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f.png 2200w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f-768x210.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f-1536x420.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f-2048x560.png 2048w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f-1920x525.png 1920w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f-1170x320.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/7d46cc646abd7da583612419fd57195f-585x160.png 585w\" sizes=\"auto, (max-width: 2200px) 100vw, 2200px\" \/>3\u3001Suricata\u5173\u952e\u53c2\u6570<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u5148\u67e5\u770bCPU\u67b6\u6784\uff1a<\/p>\n<p>$ lscpu<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-907\" title=\"8de7a227a931423ed74c677141089f9e\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/8de7a227a931423ed74c677141089f9e.png\" alt=\"8de7a227a931423ed74c677141089f9e\" width=\"648\" height=\"557\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/8de7a227a931423ed74c677141089f9e.png 1112w, 
http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/8de7a227a931423ed74c677141089f9e-768x660.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/8de7a227a931423ed74c677141089f9e-585x503.png 585w\" sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/p>\n<p>\u914d\u7f6eCPU\u4eb2\u548c\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">threading:\r\n  set-cpu-affinity: yes\r\n  # Tune cpu affinity of threads. Each family of threads can be bound\r\n  # to specific CPUs.\r\n  #\r\n  # These 2 apply to the all runmodes:\r\n  # management-cpu-set is used for flow timeout handling, counters\r\n  # worker-cpu-set is used for 'worker' threads\r\n  #\r\n  # Additionally, for autofp these apply:\r\n  # receive-cpu-set is used for capture threads\r\n  # verdict-cpu-set is used for IPS verdict threads\r\n  #\r\n  cpu-affinity:\r\n    - management-cpu-set:\r\n        # \u91cd\u70b9\u662f\u53ea\u5728\u9694\u79bb\u7684CPU\u4e2d\u914d\u7f6e\uff0c\u5e76\u4e14\u76f8\u540c\u4efb\u52a1\u914d\u7f6e\u4e3a\u540c\u4e00\u4fa7NODE\u7684CPU\u7f16\u53f7\uff0c\u5982\u4e0a\u56fe\u67e5\u8be2\u7ed3\u679c\r\n        cpu: [1,3]  # include only these CPUs in affinity settings\r\n        mode: \"exclusive\"\r\n    - worker-cpu-set:\r\n        cpu: [0,2,4,6,8,10,12,14,16,18,20,22,24,26,28, 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29]\r\n        mode: \"exclusive\"\r\n        prio:\r\n          # \u6ce8\u610fCPU NODE\u5206\u9694\r\n          medium: [0,2,4,6,8,10,12,14,16,18,20,22,24,26,28]\r\n          high: [1,3,5,7,9,11,13,15,17,19,21,23,25,27,29]\r\n          default: \"medium\"\r\n  #\r\n  # By default Suricata creates one \"detect\" thread per available CPU\/CPU core.\r\n  # This setting allows controlling this behaviour. A ratio setting of 2 will\r\n  # create 2 detect threads for each CPU\/CPU core. So for a dual core CPU this\r\n  # will result in 4 detect threads. If values below 1 are used, less threads\r\n  # are created. 
So on a dual core CPU a setting of 0.5 results in 1 detect\r\n  # thread being created. Regardless of the setting at a minimum 1 detect\r\n  # thread will always be created.\r\n  #\r\n  detect-thread-ratio: 1.5<\/pre>\n<p>\u914d\u7f6ePF_RING\u6293\u5305\uff0c\u76d1\u542c\u7ebf\u7a0b\u6570\u91cf\u4e0ezbalance_ipc\u7684-n\u53c2\u6570\u6307\u5b9a\u901a\u9053\u6570\u4e00\u81f4\uff0c\u8fd0\u884c\u6a21\u5f0f\u4e00\u5b9a\u8981\u662fworkers\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">pfring:\r\n  - interface: zc:99@0\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@1\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@2\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@3\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@4\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@5\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@6\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@7\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@8\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@9\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@10\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@11\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@12\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@13\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  
- interface: zc:99@14\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@15\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@16\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@17\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@18\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@19\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@20\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@21\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@22\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@23\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@24\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@25\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@26\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@27\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no<\/pre>\n<p>&nbsp;<\/p>\n<h1><span class=\"ez-toc-section\" id=\"%E4%B8%89%E3%80%81%E5%90%AF%E5%8A%A8Suricata\"><\/span>\u4e09\u3001\u542f\u52a8Suricata<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\"># \u6293\u5305\u7684CPU\u6ce8\u610fNODE\u4e3a\u540c\u4e00\u4fa7\uff0c\u5e76\u4e14\u5c5e\u4e8e\u9694\u79bbCPU\r\n.\/zbalance_ipc -i zc:eth3,zc:eth4 -c 99 -g 29,31 -n 28 -m 4\r\n\r\n# \u542f\u52a8Suricata\r\nsuricata --pfring -c \/ids\/suricata.yaml 
-v<\/pre>\n<p>&nbsp;<\/p>\n<h1><span class=\"ez-toc-section\" id=\"%E5%9B%9B%E3%80%81%E8%AF%84%E4%BC%B0%E8%A7%84%E5%88%99%E9%9B%86%E6%80%A7%E8%83%BD\"><\/span>\u56db\u3001\u8bc4\u4f30\u89c4\u5219\u96c6\u6027\u80fd<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>\u5982\u679csuricata\u542f\u52a8\u540e\u53d1\u73b0\uff0c\u5728\u4e0d\u52a0\u8f7d\u4efb\u4f55\u89c4\u5219\uff0c\u4ec5\u4ec5\u7ec4\u5305\u7684\u60c5\u51b5\u4e0b\uff0cCPU\u5360\u7528\u5e76\u4e0d\u9ad8\uff0c\u4f46\u662f\u4e00\u65e6\u52a0\u8f7d\u89c4\u5219\u96c6\uff0cCPU\u7acb\u523b\u98d9\u5347\u5230100%\uff0c\u5c31\u8981\u8bc4\u4f30\u4e00\u4e0b\u89c4\u5219\u96c6\u4e2d\u662f\u5426\u6709\u300e\u5bb3\u7fa4\u4e4b\u9a6c\u300f\u4e86\uff0c\u627e\u51fa\u6709\u95ee\u9898\u7684\u89c4\u5219\u5e76\u4fee\u6b63\uff1a<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"zNIEpSwOAe\"><p><a href=\"http:\/\/weizn.net\/?p=942\">Suricata\u89c4\u5219\u6027\u80fd\u8bc4\u4f30\u4ee5\u53ca\u4f18\u5316\u5efa\u8bae<\/a><\/p><\/blockquote>\n<p><\/p>\n<p>&nbsp;<\/p>\n<p>\u66f4\u591a\u6027\u80fd\u4f18\u5316\u53ef\u53c2\u8003\u6587\u6863\uff1a<\/p>\n<p><a href=\"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/septun.pdf\">septun<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>\u6700\u540e\u9644\u4e0asuricata.yaml\u5b8c\u6574\u914d\u7f6e\u6587\u4ef6\u4f9b\u53c2\u8003\uff0c\u6b64\u5916\uff0c\u5982\u679c\u5185\u7f51\u5c0f\u5305\u975e\u5e38\u591a\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u964d\u4f4eflow\u8ddf\u8e2a\u8d85\u65f6\u65f6\u95f4\uff0c\u5e76\u589e\u5927\u5185\u5b58\u4f7f\u7528\u9650\u5236\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">%YAML 1.1\r\n---\r\n\r\n# Suricata configuration file. 
In addition to the comments describing all\r\n# options in this file, full documentation can be found at:\r\n# https:\/\/suricata.readthedocs.io\/en\/latest\/configuration\/suricata-yaml.html\r\n\r\n##\r\n## Step 1: Inform Suricata about your network\r\n##\r\n\r\nvars:\r\n  # more specific is better for alert accuracy and performance\r\n  address-groups:\r\n    HOME_NET: \"any\"\r\n    #HOME_NET: \"[192.168.0.0\/16]\"\r\n    #HOME_NET: \"[10.0.0.0\/8]\"\r\n    #HOME_NET: \"[172.16.0.0\/12]\"\r\n    #HOME_NET: \"any\"\r\n\r\n    EXTERNAL_NET: \"any\"\r\n    #EXTERNAL_NET: \"any\"\r\n\r\n    HTTP_SERVERS: \"$HOME_NET\"\r\n    SMTP_SERVERS: \"$HOME_NET\"\r\n    SQL_SERVERS: \"$HOME_NET\"\r\n    DNS_SERVERS: \"$HOME_NET\"\r\n    TELNET_SERVERS: \"$HOME_NET\"\r\n    AIM_SERVERS: \"$EXTERNAL_NET\"\r\n    DC_SERVERS: \"$HOME_NET\"\r\n    DNP3_SERVER: \"$HOME_NET\"\r\n    DNP3_CLIENT: \"$HOME_NET\"\r\n    MODBUS_CLIENT: \"$HOME_NET\"\r\n    MODBUS_SERVER: \"$HOME_NET\"\r\n    ENIP_CLIENT: \"$HOME_NET\"\r\n    ENIP_SERVER: \"$HOME_NET\"\r\n\r\n  port-groups:\r\n    HTTP_PORTS: \"80\"\r\n    SHELLCODE_PORTS: \"!80\"\r\n    ORACLE_PORTS: 1521\r\n    SSH_PORTS: 22\r\n    DNP3_PORTS: 20000\r\n    MODBUS_PORTS: 502\r\n    FILE_DATA_PORTS: \"[$HTTP_PORTS,110,143]\"\r\n    FTP_PORTS: 21\r\n    GENEVE_PORTS: 6081\r\n    VXLAN_PORTS: 4789\r\n    TEREDO_PORTS: 3544\r\n\r\n##\r\n## Step 2: Select outputs to enable\r\n##\r\n\r\n# The default logging directory.  Any log or output file will be\r\n# placed here if it's not specified with a full path name. 
This can be\r\n# overridden with the -l command line parameter.\r\ndefault-rule-path: \/test\/suricata_files\/ruleset\r\nrule-files:\r\n  # - scirius.rules\r\n  - it.rules\r\n\r\nclassification-file: \/test\/suricata_files\/ruleset\/classification.config\r\nreference-config-file: \/test\/suricata_files\/ruleset\/reference.config\r\nthreshold-file: \/test\/suricata_files\/ruleset\/threshold.config\r\n\r\ndefault-log-dir: \/opt\/suricata_files\/logs\r\n\r\n# Global stats configuration\r\nstats:\r\n  enabled: yes\r\n  # The interval field (in seconds) controls the interval at\r\n  # which stats are updated in the log.\r\n  interval: 3\r\n  # Add decode events to stats.\r\n  #decoder-events: true\r\n  # Decoder event prefix in stats. Has been 'decoder' before, but that leads\r\n  # to missing events in the eve.stats records. See issue #2225.\r\n  #decoder-events-prefix: \"decoder.event\"\r\n  # Add stream events as stats.\r\n  #stream-events: false\r\n\r\n# Configure the type of alert (and other) logging you would like.\r\noutputs:\r\n  # a line based alerts log similar to Snort's fast.log\r\n  - fast:\r\n      enabled: yes\r\n      filename: fast.log\r\n      append: yes\r\n      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'\r\n\r\n  # Extensible Event Format (nicknamed EVE) event log in JSON format\r\n  - eve-log:\r\n      enabled: yes\r\n      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis\r\n      # filename: \/test\/suricata_files\/logstash.socket\r\n      # Enable for multi-threaded eve.json output; output files are amended with\r\n      # with an identifier, e.g., eve.9.json\r\n      #threaded: false\r\n      #prefix: \"@cee: \" # prefix to prepend to each log entry\r\n      # the following are valid when type: syslog above\r\n      # identity: \"suricata\"\r\n      #facility: local5\r\n      #level: Info ## possible levels: Emergency, Alert, Critical,\r\n                   ## Error, Warning, Notice, Info, Debug\r\n      
#ethernet: no  # log ethernet header in events when available\r\n      redis:\r\n       server: 127.0.0.1\r\n       port: 6379\r\n       # async: true ## if redis replies are read asynchronously\r\n       mode: list ## possible values: list|lpush (default), rpush, channel|publish\r\n      #             ## lpush and rpush are using a Redis list. \"list\" is an alias for lpush\r\n      #             ## publish is using a Redis channel. \"channel\" is an alias for publish\r\n       key: suricata ## key or channel to use (default to suricata)\r\n      # Redis pipelining set up. This will enable to only do a query every\r\n      # 'batch-size' events. This should lower the latency induced by network\r\n      # connection at the cost of some memory. There is no flushing implemented\r\n      # so this setting should be reserved to high traffic Suricata deployments.\r\n       pipelining:\r\n         enabled: yes ## set enable to yes to enable query pipelining\r\n         batch-size: 200 ## number of entries to keep in buffer\r\n\r\n      # Include top level metadata. Default yes.\r\n      #metadata: no\r\n\r\n      # include the name of the input pcap file in pcap file processing mode\r\n      pcap-file: false\r\n\r\n      # Community Flow ID\r\n      # Adds a 'community_id' field to EVE records. These are meant to give\r\n      # records a predictable flow ID that can be used to match records to\r\n      # output of other tools such as Zeek (Bro).\r\n      #\r\n      # Takes a 'seed' that needs to be same across sensors and tools\r\n      # to make the id less predictable.\r\n\r\n      # enable\/disable the community id feature.\r\n      community-id: false\r\n      # Seed value for the ID output. 
Valid values are 0-65535.\r\n      community-id-seed: 0\r\n\r\n      # HTTP X-Forwarded-For support by adding an extra field or overwriting\r\n      # the source or destination IP address (depending on flow direction)\r\n      # with the one reported in the X-Forwarded-For HTTP header. This is\r\n      # helpful when reviewing alerts for traffic that is being reverse\r\n      # or forward proxied.\r\n      xff:\r\n        enabled: yes\r\n        # Two operation modes are available: \"extra-data\" and \"overwrite\".\r\n        mode: extra-data\r\n        # Two proxy deployments are supported: \"reverse\" and \"forward\". In\r\n        # a \"reverse\" deployment the IP address used is the last one, in a\r\n        # \"forward\" deployment the first IP address is used.\r\n        deployment: reverse\r\n        # Header name where the actual IP address will be reported. If more\r\n        # than one IP address is present, the last IP address will be the\r\n        # one taken into consideration.\r\n        header: X-Forwarded-For\r\n\r\n      types:\r\n        - alert:\r\n            payload: yes             # enable dumping payload in Base64\r\n            payload-buffer-size: 64kb # max size of payload buffer to output in eve-log\r\n            payload-printable: yes   # enable dumping payload in printable (lossy) format\r\n            packet: yes              # enable dumping of packet (without stream segments)\r\n            http-body: yes           # enable dumping of http body in Base64\r\n            http-body-printable: yes # enable dumping of http body in printable format\r\n            metadata: yes              # add L7\/applayer fields, flowbit and other vars to the alert\r\n\r\n            # Enable the logging of tagged packets for rules using the\r\n            # \"tag\" keyword.\r\n            tagged-packets: yes\r\n        # - anomaly:\r\n        #     # Anomaly log records describe unexpected conditions such\r\n        #     # as truncated packets, 
packets with invalid IP\/UDP\/TCP\r\n        #     # length values, and other events that render the packet\r\n        #     # invalid for further processing or describe unexpected\r\n        #     # behavior on an established stream. Networks which\r\n        #     # experience high occurrences of anomalies may experience\r\n        #     # packet processing degradation.\r\n        #     #\r\n        #     # Anomalies are reported for the following:\r\n        #     # 1. Decode: Values and conditions that are detected while\r\n        #     # decoding individual packets. This includes invalid or\r\n        #     # unexpected values for low-level protocol lengths as well\r\n        #     # as stream related events (TCP 3-way handshake issues,\r\n        #     # unexpected sequence number, etc).\r\n        #     # 2. Stream: This includes stream related events (TCP\r\n        #     # 3-way handshake issues, unexpected sequence number,\r\n        #     # etc).\r\n        #     # 3. Application layer: These denote application layer\r\n        #     # specific conditions that are unexpected, invalid or are\r\n        #     # unexpected given the application monitoring state.\r\n        #     #\r\n        #     # By default, anomaly logging is enabled. 
When anomaly\r\n        #     # logging is enabled, applayer anomaly reporting is\r\n        #     # also enabled.\r\n        #     enabled: no\r\n        #     #\r\n        #     # Choose one or more types of anomaly logging and whether to enable\r\n        #     # logging of the packet header for packet anomalies.\r\n        #     types:\r\n              # decode: no\r\n              # stream: no\r\n              # applayer: yes\r\n            #packethdr: no\r\n        # - http:\r\n        #     extended: yes     # enable this for extended logging information\r\n            # custom allows additional HTTP fields to be included in eve-log.\r\n            # the example below adds three additional fields when uncommented\r\n            #custom: [Accept-Encoding, Accept-Language, Authorization]\r\n            # set this value to one and only one from {both, request, response}\r\n            # to dump all HTTP headers for every HTTP request and\/or response\r\n            # dump-all-headers: none\r\n        # - dns:\r\n        #     query: yes     # enable logging of DNS queries\r\n        #     answer: yes    # enable logging of DNS answers\r\n            # This configuration uses the new DNS logging format,\r\n            # the old configuration is still available:\r\n            # https:\/\/suricata.readthedocs.io\/en\/latest\/output\/eve\/eve-json-output.html#dns-v1-format\r\n\r\n            # As of Suricata 5.0, version 2 of the eve dns output\r\n            # format is the default.\r\n            #version: 2\r\n\r\n            # Enable\/disable this logger. 
Default: enabled.\r\n            #enabled: yes\r\n\r\n            # Control logging of requests and responses:\r\n            # - requests: enable logging of DNS queries\r\n            # - responses: enable logging of DNS answers\r\n            # By default both requests and responses are logged.\r\n            #requests: no\r\n            #responses: no\r\n\r\n            # Format of answer logging:\r\n            # - detailed: array item per answer\r\n            # - grouped: answers aggregated by type\r\n            # Default: all\r\n            #formats: [detailed, grouped]\r\n\r\n            # DNS record types to log, based on the query type.\r\n            # Default: all.\r\n            #types: [a, aaaa, cname, mx, ns, ptr, txt]\r\n        # - tls:\r\n        #     extended: yes     # enable this for extended logging information\r\n            # output TLS transaction where the session is resumed using a\r\n            # session id\r\n            #session-resumption: no\r\n            # custom controls which TLS fields that are included in eve-log\r\n            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]\r\n        # - files:\r\n        #     force-magic: no   # force logging magic on all logged files\r\n            # force logging of checksums, available hash functions are md5,\r\n            # sha1 and sha256\r\n            #force-hash: [md5]\r\n        #- drop:\r\n        #    alerts: yes      # log alerts that caused drops\r\n        #    flows: all       # start or all: 'start' logs only a single drop\r\n        #                     # per flow direction. 
All logs each dropped pkt.\r\n        # - smtp:\r\n        #     extended: no # enable this for extended logging information\r\n            # this includes: bcc, message-id, subject, x_mailer, user-agent\r\n            # custom fields logging from the list:\r\n            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,\r\n            #  x-originating-ip, in-reply-to, references, importance, priority,\r\n            #  sensitivity, organization, content-md5, date\r\n            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]\r\n            # output md5 of fields: body, subject\r\n            # for the body you need to set app-layer.protocols.smtp.mime.body-md5\r\n            # to yes\r\n            #md5: [body, subject]\r\n\r\n        #- dnp3\r\n        # - ftp\r\n        # - rdp\r\n        # - nfs\r\n        # - smb\r\n        # - tftp\r\n        # - ikev2\r\n        # - dcerpc\r\n        # - krb5\r\n        # - snmp\r\n        # - rfb\r\n        # - sip\r\n        # - dhcp:\r\n        #     enabled: no\r\n        #     # When extended mode is on, all DHCP messages are logged\r\n        #     # with full detail. When extended mode is off (the\r\n        #     # default), just enough information to map a MAC address\r\n        #     # to an IP address is logged.\r\n        #     extended: no\r\n        # - ssh\r\n        # - mqtt:\r\n            # passwords: yes           # enable output of passwords\r\n        # HTTP2 logging. HTTP2 support is currently experimental and\r\n        # disabled by default. 
To enable, uncomment the following line\r\n        # and be sure to enable http2 in the app-layer section.\r\n        #- http2\r\n        - stats:\r\n            totals: yes       # stats for all threads merged together\r\n            threads: no       # per thread stats\r\n            deltas: yes        # include delta values\r\n        # bi-directional flows\r\n        # - flow\r\n        # uni-directional flows\r\n        # - netflow\r\n\r\n        # Metadata event type. Triggered whenever a pktvar is saved\r\n        # and will include the pktvars, flowvars, flowbits and\r\n        # flowints.\r\n        #- metadata\r\n\r\n  # a line based log of HTTP requests (no alerts)\r\n  - http-log:\r\n      enabled: no\r\n      filename: http.log\r\n      append: yes\r\n      #extended: yes     # enable this for extended logging information\r\n      #custom: yes       # enable the custom logging format (defined by customformat)\r\n      #customformat: \"%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -&gt; %A:%P\"\r\n      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'\r\n\r\n  # a line based log of TLS handshake parameters (no alerts)\r\n  - tls-log:\r\n      enabled: no  # Log TLS connections.\r\n      filename: tls.log # File to store TLS logs.\r\n      append: yes\r\n      #extended: yes     # Log extended information like fingerprint\r\n      #custom: yes       # enabled the custom logging format (defined by customformat)\r\n      #customformat: \"%{%D-%H:%M:%S}t.%z %a:%p -&gt; %A:%P %v %n %d %D\"\r\n      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'\r\n      # output TLS transaction where the session is resumed using a\r\n      # session id\r\n      #session-resumption: no\r\n\r\n  # output module to store certificates chain to disk\r\n  - tls-store:\r\n      enabled: no\r\n      #certs-log-dir: certs # directory to store the certificates files\r\n\r\n  # Packet log... log packets in pcap format. 
3 modes of operation: \"normal\"\r\n  # \"multi\" and \"sguil\".\r\n  #\r\n  # In normal mode a pcap file \"filename\" is created in the default-log-dir,\r\n  # or as specified by \"dir\".\r\n  # In multi mode, a file is created per thread. This will perform much\r\n  # better, but will create multiple files where 'normal' would create one.\r\n  # In multi mode the filename takes a few special variables:\r\n  # - %n -- thread number\r\n  # - %i -- thread id\r\n  # - %t -- timestamp (secs or secs.usecs based on 'ts-format'\r\n  # E.g. filename: pcap.%n.%t\r\n  #\r\n  # Note that it's possible to use directories, but the directories are not\r\n  # created by Suricata. E.g. filename: pcaps\/%n\/log.%s will log into the\r\n  # per thread directory.\r\n  #\r\n  # Also note that the limit and max-files settings are enforced per thread.\r\n  # So the size limit when using 8 threads with 1000mb files and 2000 files\r\n  # is: 8*1000*2000 ~ 16TiB.\r\n  #\r\n  # In Sguil mode \"dir\" indicates the base directory. In this base dir the\r\n  # pcaps are created in the directory structure Sguil expects:\r\n  #\r\n  # $sguil-base-dir\/YYYY-MM-DD\/$filename.&lt;timestamp&gt;\r\n  #\r\n  # By default all packets are logged except:\r\n  # - TCP streams beyond stream.reassembly.depth\r\n  # - encrypted streams after the key exchange\r\n  #\r\n  - pcap-log:\r\n      enabled: no\r\n      filename: log.pcap\r\n\r\n      # File size limit.  Can be specified in kb, mb, gb.  Just a number\r\n      # is parsed as bytes.\r\n      limit: 1000mb\r\n\r\n      # If set to a value, ring buffer mode is enabled. Will keep maximum of\r\n      # \"max-files\" of size \"limit\"\r\n      max-files: 2000\r\n\r\n      # Compression algorithm for pcap files. Possible values: none, lz4.\r\n      # Enabling compression is incompatible with the sguil mode. 
Note also\r\n      # that on Windows, enabling compression will *increase* disk I\/O.\r\n      compression: none\r\n\r\n      # Further options for lz4 compression. The compression level can be set\r\n      # to a value between 0 and 16, where higher values result in higher\r\n      # compression.\r\n      #lz4-checksum: no\r\n      #lz4-level: 0\r\n\r\n      mode: normal # normal, multi or sguil.\r\n\r\n      # Directory to place pcap files. If not provided the default log\r\n      # directory will be used. Required for \"sguil\" mode.\r\n      #dir: \/nsm_data\/\r\n\r\n      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec\r\n      use-stream-depth: no #If set to \"yes\" packets seen after reaching stream inspection depth are ignored. \"no\" logs all packets\r\n      honor-pass-rules: no # If set to \"yes\", flows in which a pass rule matched will stop being logged.\r\n\r\n  # a full alert log containing much information for signature writers\r\n  # or for investigating suspected false positives.\r\n  - alert-debug:\r\n      enabled: no\r\n      filename: alert-debug.log\r\n      append: yes\r\n      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'\r\n\r\n  # alert output to prelude (https:\/\/www.prelude-siem.org\/) only\r\n  # available if Suricata has been compiled with --enable-prelude\r\n  - alert-prelude:\r\n      enabled: no\r\n      profile: suricata\r\n      log-packet-content: no\r\n      log-packet-header: yes\r\n\r\n  # Stats.log contains data from various counters of the Suricata engine.\r\n  - stats:\r\n      enabled: yes\r\n      filename: stats.log\r\n      append: yes       # append to file (yes) or overwrite it (no)\r\n      totals: yes       # stats for all threads merged together\r\n      threads: no       # per thread stats\r\n      #null-values: yes  # print counters that have value 0. 
Default: no\r\n\r\n  # a line based alerts log similar to fast.log into syslog\r\n  - syslog:\r\n      enabled: no\r\n      # reported identity to syslog. If omitted the program name (usually\r\n      # suricata) will be used.\r\n      #identity: \"suricata\"\r\n      facility: local5\r\n      #level: Info ## possible levels: Emergency, Alert, Critical,\r\n                   ## Error, Warning, Notice, Info, Debug\r\n\r\n  # Output module for storing files on disk. Files are stored in\r\n  # directory names consisting of the first 2 characters of the\r\n  # SHA256 of the file. Each file is given its SHA256 as a filename.\r\n  #\r\n  # When a duplicate file is found, the timestamps on the existing file\r\n  # are updated.\r\n  #\r\n  # Unlike the older filestore, metadata is not written by default\r\n  # as each file should already have a \"fileinfo\" record in the\r\n  # eve-log. If write-fileinfo is set to yes, then each file will have\r\n  # one more associated .json files that consist of the fileinfo\r\n  # record. A fileinfo file will be written for each occurrence of the\r\n  # file seen using a filename suffix to ensure uniqueness.\r\n  #\r\n  # To prune the filestore directory see the \"suricatactl filestore\r\n  # prune\" command which can delete files over a certain age.\r\n  - file-store:\r\n      version: 2\r\n      enabled: no\r\n\r\n      # Set the directory for the filestore. Relative pathnames\r\n      # are contained within the \"default-log-dir\".\r\n      #dir: filestore\r\n\r\n      # Write out a fileinfo record for each occurrence of a file.\r\n      # Disabled by default as each occurrence is already logged\r\n      # as a fileinfo record to the main eve-log.\r\n      #write-fileinfo: yes\r\n\r\n      # Force storing of all files. Default: no.\r\n      #force-filestore: yes\r\n\r\n      # Override the global stream-depth for sessions in which we want\r\n      # to perform file extraction. 
Set to 0 for unlimited; otherwise,\r\n      # must be greater than the global stream-depth value to be used.\r\n      #stream-depth: 0\r\n\r\n      # Uncomment the following variable to define how many files can\r\n      # remain open for filestore by Suricata. Default value is 0 which\r\n      # means files get closed after each write to the file.\r\n      #max-open-files: 1000\r\n\r\n      # Force logging of checksums: available hash functions are md5,\r\n      # sha1 and sha256. Note that SHA256 is automatically forced by\r\n      # the use of this output module as it uses the SHA256 as the\r\n      # file naming scheme.\r\n      #force-hash: [sha1, md5]\r\n      # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled\r\n      # HTTP X-Forwarded-For support by adding an extra field or overwriting\r\n      # the source or destination IP address (depending on flow direction)\r\n      # with the one reported in the X-Forwarded-For HTTP header. This is\r\n      # helpful when reviewing alerts for traffic that is being reverse\r\n      # or forward proxied.\r\n      xff:\r\n        enabled: no\r\n        # Two operation modes are available, \"extra-data\" and \"overwrite\".\r\n        mode: extra-data\r\n        # Two proxy deployments are supported, \"reverse\" and \"forward\". In\r\n        # a \"reverse\" deployment the IP address used is the last one, in a\r\n        # \"forward\" deployment the first IP address is used.\r\n        deployment: reverse\r\n        # Header name where the actual IP address will be reported. 
If more\r\n        # than one IP address is present, the last IP address will be the\r\n        # one taken into consideration.\r\n        header: X-Forwarded-For\r\n\r\n  # Log TCP data after stream normalization\r\n  # Two types: file or dir:\r\n  #     - file logs into a single logfile.\r\n  #     - dir creates 2 files per TCP session and stores the raw TCP\r\n  #            data into them.\r\n  # Use 'both' to enable both file and dir modes.\r\n  #\r\n  # Note: limited by \"stream.reassembly.depth\"\r\n  - tcp-data:\r\n      enabled: no\r\n      type: file\r\n      filename: tcp-data.log\r\n\r\n  # Log HTTP body data after normalization, de-chunking and unzipping.\r\n  # Two types: file or dir.\r\n  #     - file logs into a single logfile.\r\n  #     - dir creates 2 files per HTTP session and stores the\r\n  #           normalized data into them.\r\n  # Use 'both' to enable both file and dir modes.\r\n  #\r\n  # Note: limited by the body limit settings\r\n  - http-body-data:\r\n      enabled: no\r\n      type: file\r\n      filename: http-data.log\r\n\r\n  # Lua Output Support - execute lua script to generate alert and event\r\n  # output.\r\n  # Documented at:\r\n  # https:\/\/suricata.readthedocs.io\/en\/latest\/output\/lua-output.html\r\n  - lua:\r\n      enabled: no\r\n      #scripts-dir: \/etc\/suricata\/lua-output\/\r\n      scripts:\r\n      #   - script1.lua\r\n\r\n# Logging configuration.  This is not about logging IDS alerts\/events, but\r\n# output about what Suricata is doing, like startup messages, errors, etc.\r\nlogging:\r\n  # The default log level: can be overridden in an output section.\r\n  # Note that debug level logging will only be emitted if Suricata was\r\n  # compiled with the --enable-debug configure option.\r\n  #\r\n  # This value is overridden by the SC_LOG_LEVEL env var.\r\n  default-log-level: notice\r\n\r\n  # The default output format.  Optional parameter, should default to\r\n  # something reasonable if not provided.  
Can be overridden in an\r\n  # output section.  You can leave this out to get the default.\r\n  #\r\n  # This value is overridden by the SC_LOG_FORMAT env var.\r\n  #default-log-format: \"[%i] %t - (%f:%l) &lt;%d&gt; (%n) -- \"\r\n\r\n  # A regex to filter output.  Can be overridden in an output section.\r\n  # Defaults to empty (no filter).\r\n  #\r\n  # This value is overridden by the SC_LOG_OP_FILTER env var.\r\n  default-output-filter:\r\n\r\n  # Define your logging outputs.  If none are defined, or they are all\r\n  # disabled you will get the default: console output.\r\n  outputs:\r\n  - console:\r\n      enabled: no\r\n      # type: json\r\n  - file:\r\n      enabled: no\r\n      level: info\r\n      filename: suricata.log\r\n      # type: json\r\n  - syslog:\r\n      enabled: no\r\n      facility: local5\r\n      format: \"[%i] &lt;%d&gt; -- \"\r\n      # type: json\r\n\r\n\r\n##\r\n## Step 3: Configure common capture settings\r\n##\r\n## See \"Advanced Capture Options\" below for more options, including Netmap\r\n## and PF_RING.\r\n##\r\n\r\n# Linux high speed capture support\r\naf-packet:\r\n  - interface: eth0\r\n    # Number of receive threads. \"auto\" uses the number of cores\r\n    #threads: auto\r\n    # Default clusterid. AF_PACKET will load balance packets based on flow.\r\n    cluster-id: 99\r\n    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.\r\n    # This is only supported for Linux kernel &gt; 3.1\r\n    # possible value are:\r\n    #  * cluster_flow: all packets of a given flow are sent to the same socket\r\n    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket\r\n    #  * cluster_qm: all packets linked by network card to a RSS queue are sent to the same\r\n    #  socket. Requires at least Linux 3.14.\r\n    #  * cluster_ebpf: eBPF file load balancing. 
See doc\/userguide\/capture-hardware\/ebpf-xdp.rst for\r\n    #  more info.\r\n    # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system\r\n    # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning)\r\n    cluster-type: cluster_flow\r\n    # In some fragmentation cases, the hash can not be computed. If \"defrag\" is set\r\n    # to yes, the kernel will do the needed defragmentation before sending the packets.\r\n    defrag: yes\r\n    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes\r\n    #use-mmap: yes\r\n    # Lock memory map to avoid it being swapped. Be careful that over\r\n    # subscribing could lock your system\r\n    #mmap-locked: yes\r\n    # Use tpacket_v3 capture mode, only active if use-mmap is true\r\n    # Don't use it in IPS or TAP mode as it causes severe latency\r\n    #tpacket-v3: yes\r\n    # Ring size will be computed with respect to \"max-pending-packets\" and number\r\n    # of threads. You can set manually the ring size in number of packets by setting\r\n    # the following value. If you are using flow \"cluster-type\" and have really network\r\n    # intensive single-flow you may want to set the \"ring-size\" independently of the number\r\n    # of threads:\r\n    #ring-size: 2048\r\n    # Block size is used by tpacket_v3 only. It should set to a value high enough to contain\r\n    # a decent number of packets. Size is in bytes so please consider your MTU. It should be\r\n    # a power of 2 and it must be multiple of page size (usually 4096).\r\n    #block-size: 32768\r\n    # tpacket_v3 block timeout: an open block is passed to userspace if it is not\r\n    # filled after block-timeout milliseconds.\r\n    #block-timeout: 10\r\n    # On busy systems, set it to yes to help recover from a packet drop\r\n    # phase. 
This will result in some packets (at max a ring flush) not being inspected.\r\n    #use-emergency-flush: yes\r\n    # recv buffer size, increased value could improve performance\r\n    # buffer-size: 32768\r\n    # Set to yes to disable promiscuous mode\r\n    # disable-promisc: no\r\n    # Choose checksum verification mode for the interface. At the moment\r\n    # of the capture, some packets may have an invalid checksum due to\r\n    # the checksum computation being offloaded to the network card.\r\n    # Possible values are:\r\n    #  - kernel: use indication sent by kernel for each packet (default)\r\n    #  - yes: checksum validation is forced\r\n    #  - no: checksum validation is disabled\r\n    #  - auto: Suricata uses a statistical approach to detect when\r\n    #  checksum off-loading is used.\r\n    # Warning: 'capture.checksum-validation' must be set to yes to have any validation\r\n    #checksum-checks: kernel\r\n    # BPF filter to apply to this interface. The pcap filter syntax applies here.\r\n    #bpf-filter: port 80 or udp\r\n    # You can use the following variables to activate AF_PACKET tap or IPS mode.\r\n    # If copy-mode is set to ips or tap, the traffic coming to the current\r\n    # interface will be copied to the copy-iface interface. If 'tap' is set, the\r\n    # copy is complete. If 'ips' is set, the packet matching a 'drop' action\r\n    # will not be copied.\r\n    #copy-mode: ips\r\n    #copy-iface: eth1\r\n    #  For eBPF and XDP setup including bypass, filter and load balancing, please\r\n    #  see doc\/userguide\/capture-hardware\/ebpf-xdp.rst for more info.\r\n\r\n  # Put default values here. 
These will be used for an interface that is not\r\n  # in the list above.\r\n  - interface: default\r\n    #threads: auto\r\n    #use-mmap: no\r\n    #tpacket-v3: yes\r\n\r\n# Cross platform libpcap capture support\r\npcap:\r\n  - interface: eth0\r\n    # On Linux, pcap will try to use mmap'ed capture and will use \"buffer-size\"\r\n    # as total memory used by the ring. So set this to something bigger\r\n    # than 1% of your bandwidth.\r\n    #buffer-size: 16777216\r\n    #bpf-filter: \"tcp and port 25\"\r\n    # Choose checksum verification mode for the interface. At the moment\r\n    # of the capture, some packets may have an invalid checksum due to\r\n    # the checksum computation being offloaded to the network card.\r\n    # Possible values are:\r\n    #  - yes: checksum validation is forced\r\n    #  - no: checksum validation is disabled\r\n    #  - auto: Suricata uses a statistical approach to detect when\r\n    #  checksum off-loading is used. (default)\r\n    # Warning: 'capture.checksum-validation' must be set to yes to have any validation\r\n    #checksum-checks: auto\r\n    # With some accelerator cards using a modified libpcap (like Myricom), you\r\n    # may want to have the same number of capture threads as the number of capture\r\n    # rings. In this case, set up the threads variable to N to start N threads\r\n    # listening on the same interface.\r\n    #threads: 16\r\n    # set to no to disable promiscuous mode:\r\n    #promisc: no\r\n    # set snaplen, if not set it defaults to MTU if MTU can be known\r\n    # via ioctl call and to full capture if not.\r\n    #snaplen: 1518\r\n  # Put default values here\r\n  - interface: default\r\n    #checksum-checks: auto\r\n\r\n# Settings for reading pcap files\r\npcap-file:\r\n  # Possible values are:\r\n  #  - yes: checksum validation is forced\r\n  #  - no: checksum validation is disabled\r\n  #  - auto: Suricata uses a statistical approach to detect when\r\n  #  checksum off-loading is used. 
(default)\r\n  # Warning: 'checksum-validation' must be set to yes to have checksum tested\r\n  checksum-checks: auto\r\n\r\n# See \"Advanced Capture Options\" below for more options, including Netmap\r\n# and PF_RING.\r\n\r\n\r\n##\r\n## Step 4: App Layer Protocol configuration\r\n##\r\n\r\n# Configure the app-layer parsers. The protocol's section details each\r\n# protocol.\r\n#\r\n# The option \"enabled\" takes 3 values - \"yes\", \"no\", \"detection-only\".\r\n# \"yes\" enables both detection and the parser, \"no\" disables both, and\r\n# \"detection-only\" enables protocol detection only (parser disabled).\r\napp-layer:\r\n  protocols:\r\n    rfb:\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909\r\n    # MQTT, disabled by default.\r\n    mqtt:\r\n      # enabled: no\r\n      # max-msg-length: 1mb\r\n      # subscribe-topic-match-limit: 100\r\n      # unsubscribe-topic-match-limit: 100\r\n    krb5:\r\n      enabled: no\r\n    snmp:\r\n      enabled: no\r\n    ikev2:\r\n      enabled: no\r\n    tls:\r\n      enabled: yes\r\n      detection-ports:\r\n        dp: 443\r\n\r\n      # Generate JA3 fingerprint from client hello. If not specified it\r\n      # will be disabled by default, but enabled if rules require it.\r\n      #ja3-fingerprints: auto\r\n\r\n      # What to do when the encrypted communications start:\r\n      # - default: keep tracking TLS session, check for protocol anomalies,\r\n      #            inspect tls_* keywords. Disables inspection of unmodified\r\n      #            'content' signatures.\r\n      # - bypass:  stop processing this flow as much as possible. No further\r\n      #            TLS parsing and inspection. Offload flow bypass to kernel\r\n      #            or hardware if possible.\r\n      # - full:    keep tracking and inspection as normal. 
Unmodified content\r\n      #            keyword signatures are inspected as well.\r\n      #\r\n      # For best performance, select 'bypass'.\r\n      #\r\n      #encryption-handling: default\r\n\r\n    dcerpc:\r\n      enabled: no\r\n    ftp:\r\n      enabled: yes\r\n      memcap: 10gb\r\n    rdp:\r\n      #enabled: yes\r\n    ssh:\r\n      enabled: no\r\n      #hassh: yes\r\n    # HTTP2: Experimental HTTP 2 support. Disabled by default.\r\n    http2:\r\n      enabled: no\r\n    smtp:\r\n      enabled: no\r\n      raw-extraction: no\r\n      # Configure SMTP-MIME Decoder\r\n      mime:\r\n        # Decode MIME messages from SMTP transactions\r\n        # (may be resource intensive)\r\n        # This field supersedes all others because it turns the entire\r\n        # process on or off\r\n        decode-mime: yes\r\n\r\n        # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.)\r\n        decode-base64: yes\r\n        decode-quoted-printable: yes\r\n\r\n        # Maximum bytes per header data value stored in the data structure\r\n        # (default is 2000)\r\n        header-value-depth: 2000\r\n\r\n        # Extract URLs and save in state data structure\r\n        extract-urls: yes\r\n        # Set to yes to compute the md5 of the mail body. You will then\r\n        # be able to journalize it.\r\n        body-md5: no\r\n      # Configure inspected-tracker for file_data keyword\r\n      inspected-tracker:\r\n        content-limit: 100000\r\n        content-inspect-min-size: 32768\r\n        content-inspect-window: 4096\r\n    imap:\r\n      enabled: no\r\n    smb:\r\n      enabled: yes\r\n      detection-ports:\r\n        dp: 139, 445\r\n\r\n      # Stream reassembly size for SMB streams. 
By default track it completely.\r\n      #stream-depth: 0\r\n\r\n    nfs:\r\n      enabled: no\r\n    tftp:\r\n      enabled: no\r\n    dns:\r\n      tcp:\r\n        enabled: yes\r\n        detection-ports:\r\n          dp: 53\r\n      udp:\r\n        enabled: yes\r\n        detection-ports:\r\n          dp: 53\r\n    http:\r\n      enabled: yes\r\n      memcap: 40gb\r\n      # memcap:                   Maximum memory capacity for HTTP\r\n      #                           Default is unlimited, values can be 64mb, e.g.\r\n\r\n      # default-config:           Used when no server-config matches\r\n      #   personality:            List of personalities used by default\r\n      #   request-body-limit:     Limit reassembly of request body for inspection\r\n      #                           by http_client_body &amp; pcre \/P option.\r\n      #   response-body-limit:    Limit reassembly of response body for inspection\r\n      #                           by file_data, http_server_body &amp; pcre \/Q option.\r\n      #\r\n      #   For advanced options, see the user guide\r\n\r\n\r\n      # server-config:            List of server configurations to use if address matches\r\n      #   address:                List of IP addresses or networks for this block\r\n      #   personality:            List of personalities used by this block\r\n      #\r\n      #                           Then, all the fields from default-config can be overloaded\r\n      #\r\n      # Currently Available Personalities:\r\n      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,\r\n      #   IIS_7_0, IIS_7_5, Apache_2\r\n      libhtp:\r\n         default-config:\r\n           personality: IDS\r\n\r\n           # Can be specified in kb, mb, gb.  
Just a number indicates\r\n           # it's in bytes.\r\n           request-body-limit: 64kb\r\n           response-body-limit: 64kb\r\n\r\n           # inspection limits\r\n           request-body-minimal-inspect-size: 32kb\r\n           request-body-inspect-window: 16kb\r\n           response-body-minimal-inspect-size: 32kb\r\n           response-body-inspect-window: 16kb\r\n\r\n           # response body decompression (0 disables)\r\n           response-body-decompress-layer-limit: 5\r\n\r\n           # auto will use http-body-inline mode in IPS mode, yes or no set it statically\r\n           http-body-inline: no\r\n\r\n           # Decompress SWF files.\r\n           # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma\r\n           # compress-depth:\r\n           # Specifies the maximum amount of data to decompress,\r\n           # set 0 for unlimited.\r\n           # decompress-depth:\r\n           # Specifies the maximum amount of decompressed data to obtain,\r\n           # set 0 for unlimited.\r\n           # swf-decompression:\r\n           #   enabled: no\r\n           #   type: both\r\n           #   compress-depth: 100kb\r\n           #   decompress-depth: 100kb\r\n\r\n           # Use a random value for inspection sizes around the specified value.\r\n           # This lowers the risk of some evasion techniques but could lead\r\n           # to detection change between runs. 
It is set to 'yes' by default.\r\n           #randomize-inspection-sizes: yes\r\n           # If \"randomize-inspection-sizes\" is active, the value of various\r\n           # inspection size will be chosen from the [1 - range%, 1 + range%]\r\n           # range\r\n           # Default value of \"randomize-inspection-range\" is 10.\r\n           #randomize-inspection-range: 10\r\n\r\n           # decoding\r\n           double-decode-path: yes\r\n           double-decode-query: yes\r\n\r\n           # Can enable LZMA decompression\r\n           #lzma-enabled: false\r\n           # Memory limit usage for LZMA decompression dictionary\r\n           # Data is decompressed until dictionary reaches this size\r\n           #lzma-memlimit: 1mb\r\n           # Maximum decompressed size with a compression ratio\r\n           # above 2048 (only LZMA can reach this ratio, deflate cannot)\r\n           #compression-bomb-limit: 1mb\r\n           # Maximum time spent decompressing a single transaction in usec\r\n           #decompression-time-limit: 100000\r\n\r\n         server-config:\r\n\r\n           #- apache:\r\n           #    address: [192.168.1.0\/24, 127.0.0.0\/8, \"::1\"]\r\n           #    personality: Apache_2\r\n           #    # Can be specified in kb, mb, gb.  Just a number indicates\r\n           #    # it's in bytes.\r\n           #    request-body-limit: 4096\r\n           #    response-body-limit: 4096\r\n           #    double-decode-path: no\r\n           #    double-decode-query: no\r\n\r\n           #- iis7:\r\n           #    address:\r\n           #      - 192.168.0.0\/24\r\n           #      - 192.168.10.0\/24\r\n           #    personality: IIS_7_0\r\n           #    # Can be specified in kb, mb, gb.  
Just a number indicates\r\n           #    # it's in bytes.\r\n           #    request-body-limit: 4096\r\n           #    response-body-limit: 4096\r\n           #    double-decode-path: no\r\n           #    double-decode-query: no\r\n\r\n    # Note: Modbus probe parser is minimalist due to the limited usage in the field.\r\n    # Only Modbus message length (greater than Modbus header length)\r\n    # and protocol ID (equal to 0) are checked in probing parser\r\n    # It is important to enable detection port and define Modbus port\r\n    # to avoid false positives\r\n    modbus:\r\n      # How many unanswered Modbus requests are considered a flood.\r\n      # If the limit is reached, the app-layer-event:modbus.flooded; will match.\r\n      #request-flood: 500\r\n\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 502\r\n      # According to MODBUS Messaging on TCP\/IP Implementation Guide V1.0b, it\r\n      # is recommended to keep the TCP connection opened with a remote device\r\n      # and not to open and close it for each MODBUS\/TCP transaction. In that\r\n      # case, it is important to set the depth of the stream reassembling as\r\n      # unlimited (stream.reassembly.depth: 0)\r\n\r\n      # Stream reassembly size for modbus. 
By default track it completely.\r\n      stream-depth: 0\r\n\r\n    # DNP3\r\n    dnp3:\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 20000\r\n\r\n    # SCADA EtherNet\/IP and CIP protocol support\r\n    enip:\r\n      enabled: no\r\n      detection-ports:\r\n        dp: 44818\r\n        sp: 44818\r\n\r\n    ntp:\r\n      enabled: no\r\n\r\n    dhcp:\r\n      enabled: no\r\n\r\n    sip:\r\n      #enabled: no\r\n\r\n# Limit for the maximum number of asn1 frames to decode (default 256)\r\nasn1-max-frames: 1024\r\n\r\n# Datasets default settings\r\n# datasets:\r\n#   # Default fallback memcap and hashsize values for datasets in case these\r\n#   # were not explicitly defined.\r\n#   defaults:\r\n#     memcap: 100mb\r\n#     hashsize: 2048\r\n\r\n##############################################################################\r\n##\r\n## Advanced settings below\r\n##\r\n##############################################################################\r\n\r\n##\r\n## Run Options\r\n##\r\n\r\n# Run Suricata with a specific user-id and group-id:\r\n#run-as:\r\n#  user: suri\r\n#  group: suri\r\n\r\n# Some logging modules will use that name in event as identifier. The default\r\n# value is the hostname\r\n#sensor-name: suricata\r\n\r\n# Default location of the pid file. The pid file is only used in\r\n# daemon mode (start Suricata with -D). If not running in daemon mode\r\n# the --pidfile command line option must be used to create a pid file.\r\npid-file: \/test\/suricata_files\/suricata.pid\r\n\r\n# Daemon working directory\r\n# Suricata will change directory to this one if provided\r\n# Default: \"\/\"\r\n#daemon-directory: \"\/\"\r\n\r\n# Umask.\r\n# Suricata will use this umask if it is provided. By default it will use the\r\n# umask passed on by the shell.\r\n#umask: 022\r\n\r\n# Suricata core dump configuration. Limits the size of the core dump file to\r\n# approximately max-dump. The actual core dump size will be a multiple of the\r\n# page size. 
Core dumps that would be larger than max-dump are truncated. On\r\n# Linux, the actual core dump size may be a few pages larger than max-dump.\r\n# Setting max-dump to 0 disables core dumping.\r\n# Setting max-dump to 'unlimited' will give the full core dump file.\r\n# On 32-bit Linux, a max-dump value &gt;= ULONG_MAX may cause the core dump size\r\n# to be 'unlimited'.\r\n\r\ncoredump:\r\n  max-dump: unlimited\r\n\r\n# If the Suricata box is a router for the sniffed networks, set it to 'router'. If\r\n# it is a pure sniffing setup, set it to 'sniffer-only'.\r\n# If set to auto, the variable is internally switched to 'router' in IPS mode\r\n# and 'sniffer-only' in IDS mode.\r\n# This feature is currently only used by the reject* keywords.\r\nhost-mode: sniffer-only\r\n\r\n# Number of packets preallocated per thread. The default is 1024. A higher number \r\n# will make sure each CPU will be more easily kept busy, but may negatively \r\n# impact caching.\r\nmax-pending-packets: 8096\r\n\r\n# Runmode the engine should use. Please check --list-runmodes to get the available\r\n# runmodes for each packet acquisition method. Default depends on selected capture\r\n# method. 'workers' generally gives best performance.\r\nrunmode: workers\r\n\r\n# Specifies the kind of flow load balancer used by the flow pinned autofp mode.\r\n#\r\n# Supported schedulers are:\r\n#\r\n# hash     - Flow assigned to threads using the 5-7 tuple hash.\r\n# ippair   - Flow assigned to threads using addresses only.\r\n#\r\n#autofp-scheduler: hash\r\n\r\n# Preallocated size for each packet. Default is 1514 which is the classical\r\n# size for pcap on Ethernet. You should adjust this value to the highest\r\n# packet size (MTU + hardware header) on your system.\r\ndefault-packet-size: 1522\r\n\r\n# Unix command socket that can be used to pass commands to Suricata.\r\n# An external tool can then connect to get information from Suricata\r\n# or trigger some modifications of the engine. 
Set enabled to yes\r\n# to activate the feature. In auto mode, the feature will only be\r\n# activated in live capture mode. You can use the filename variable to set\r\n# the file name of the socket.\r\nunix-command:\r\n  enabled: no\r\n  #filename: custom.socket\r\n\r\n# Magic file. The extension .mgc is added to the value here.\r\n#magic-file: \/usr\/share\/file\/magic\r\n#magic-file: \r\n\r\n# GeoIP2 database file. Specify path and filename of GeoIP2 database\r\n# if using rules with \"geoip\" rule option.\r\n#geoip-database: \/usr\/local\/share\/GeoLite2\/GeoLite2-Country.mmdb\r\n\r\nlegacy:\r\n  uricontent: enabled\r\n\r\n##\r\n## Detection settings\r\n##\r\n\r\n# Set the order of alerts based on actions\r\n# The default order is pass, drop, reject, alert\r\n# action-order:\r\n#   - pass\r\n#   - drop\r\n#   - reject\r\n#   - alert\r\n\r\n# IP Reputation\r\n#reputation-categories-file: \/usr\/local\/etc\/suricata\/iprep\/categories.txt\r\n#default-reputation-path: \/usr\/local\/etc\/suricata\/iprep\r\n#reputation-files:\r\n# - reputation.list\r\n\r\n# When run with the option --engine-analysis, the engine will read each of\r\n# the parameters below, and print reports for each of the enabled sections\r\n# and exit.  The reports are printed to a file in the default log dir\r\n# given by the parameter \"default-log-dir\", with engine reporting\r\n# subsection below printing reports in its own report file.\r\nengine-analysis:\r\n  # enables printing reports for fast-pattern for every rule.\r\n  rules-fast-pattern: yes\r\n  # enables printing reports for each rule\r\n  rules: yes\r\n\r\n#recursion and match limits for PCRE where supported\r\npcre:\r\n  match-limit: 3500\r\n  match-limit-recursion: 1500\r\n\r\n##\r\n## Advanced Traffic Tracking and Reconstruction Settings\r\n##\r\n\r\n# Host specific policies for defragmentation and TCP stream\r\n# reassembly. 
The host OS lookup is done using a radix tree, just\r\n# like a routing table so the most specific entry matches.\r\nhost-os-policy:\r\n  # Make the default policy windows.\r\n  windows: [0.0.0.0\/0]\r\n  bsd: []\r\n  bsd-right: []\r\n  old-linux: []\r\n  linux: []\r\n  old-solaris: []\r\n  solaris: []\r\n  hpux10: []\r\n  hpux11: []\r\n  irix: []\r\n  macos: []\r\n  vista: []\r\n  windows2k3: []\r\n\r\n# Defrag settings:\r\n\r\ndefrag:\r\n  memcap: 60gb\r\n  hash-size: 10000000\r\n  # trackers: 65535 # number of defragmented flows to follow\r\n  # max-frags: 65535 # number of fragments to keep (higher than trackers)\r\n  # prealloc: yes\r\n  timeout: 3\r\n\r\n# Enable defrag per host settings\r\n#  host-config:\r\n#\r\n#    - dmz:\r\n#        timeout: 30\r\n#        address: [192.168.1.0\/24, 127.0.0.0\/8, 1.1.1.0\/24, 2.2.2.0\/24, \"1.1.1.1\", \"2.2.2.2\", \"::1\"]\r\n#\r\n#    - lan:\r\n#        timeout: 45\r\n#        address:\r\n#          - 192.168.0.0\/24\r\n#          - 192.168.10.0\/24\r\n#          - 172.16.14.0\/24\r\n\r\n# Flow settings:\r\n# By default, the reserved memory (memcap) for flows is 32MB. This is the limit\r\n# for flow allocation inside the engine. You can change this value to allow\r\n# more memory usage for flows.\r\n# The hash-size determines the size of the hash used to identify flows inside\r\n# the engine, and by default the value is 65536.\r\n# At startup, the engine can preallocate a number of flows, to get better\r\n# performance. The number of flows preallocated is 10000 by default.\r\n# emergency-recovery is the percentage of flows that the engine needs to\r\n# prune before clearing the emergency state. The emergency state is activated\r\n# when the memcap limit is reached, allowing new flows to be created, but\r\n# pruning them with the emergency timeouts (they are defined below).\r\n# If the memcap is reached, the engine will try to prune flows\r\n# with the default timeouts. 
If it doesn't find a flow to prune, it will set\r\n# the emergency bit and it will try again with more aggressive timeouts.\r\n# If that doesn't work, then it will try to kill the oldest flows using\r\n# last time seen flows.\r\n# The memcap can be specified in kb, mb, gb.  Just a number indicates it's\r\n# in bytes.\r\n\r\nflow:\r\n  memcap: 60gb\r\n  hash-size: 1000000\r\n  prealloc: 500000\r\n  emergency-recovery: 30\r\n  managers: 1 # default to one flow manager\r\n  recyclers: 1 # default to one flow recycler thread\r\n\r\n# This option controls the use of VLAN ids in the flow (and defrag)\r\n# hashing. Normally this should be enabled, but in some (broken)\r\n# setups where both sides of a flow are not tagged with the same VLAN\r\n# tag, we can ignore the VLAN id's in the flow hashing.\r\nvlan:\r\n  use-for-tracking: false\r\n\r\n# Specific timeouts for flows. Here you can specify the timeouts that the\r\n# active flows will wait to transit from the current state to another, on each\r\n# protocol. The value of \"new\" determines the seconds to wait after a handshake or\r\n# stream startup before the engine frees the data of that flow it doesn't\r\n# change the state to established (usually if we don't receive more packets\r\n# of that flow). The value of \"established\" is the amount of\r\n# seconds that the engine will wait to free the flow if that time elapses\r\n# without receiving new packets or closing the connection. \"closed\" is the\r\n# amount of time to wait after a flow is closed (usually zero). \"bypassed\"\r\n# timeout controls locally bypassed flows. For these flows we don't do any other\r\n# tracking. If no packets have been seen after this timeout, the flow is discarded.\r\n#\r\n# There's an emergency mode that will become active under attack circumstances,\r\n# making the engine to check flow status faster. 
This configuration variables\r\n# use the prefix \"emergency-\" and work similar as the normal ones.\r\n# Some timeouts doesn't apply to all the protocols, like \"closed\", for udp and\r\n# icmp.\r\n\r\n# flow-timeouts:\r\n#   default:\r\n#     new: 2\r\n#     established: 10\r\n#     closed: 0\r\n#     bypassed: 5\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-closed: 0\r\n#     emergency-bypassed: 2\r\n#   tcp:\r\n#     new: 2\r\n#     established: 10\r\n#     closed: 0\r\n#     bypassed: 5\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-closed: 0\r\n#     emergency-bypassed: 2\r\n#   udp:\r\n#     new: 2\r\n#     established: 5\r\n#     bypassed: 3\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-bypassed: 2\r\n#   icmp:\r\n#     new: 2\r\n#     established: 5\r\n#     bypassed: 3\r\n#     emergency-new: 1\r\n#     emergency-established: 3\r\n#     emergency-bypassed: 2\r\n\r\nflow-timeouts:\r\n  default:\r\n    new: 3\r\n    established: 30\r\n    closed: 0\r\n    bypassed: 5\r\n    emergency-new: 1\r\n    emergency-established: 5\r\n    emergency-closed: 0\r\n    emergency-bypassed: 2\r\n  tcp:\r\n    new: 3\r\n    established: 30\r\n    closed: 0\r\n    bypassed: 5\r\n    emergency-new: 1\r\n    emergency-established: 5\r\n    emergency-closed: 0\r\n    emergency-bypassed: 2\r\n  udp:\r\n    new: 2\r\n    established: 5\r\n    bypassed: 3\r\n    emergency-new: 1\r\n    emergency-established: 3\r\n    emergency-bypassed: 2\r\n  icmp:\r\n    new: 2\r\n    established: 5\r\n    bypassed: 3\r\n    emergency-new: 1\r\n    emergency-established: 3\r\n    emergency-bypassed: 2\r\n\r\n# Stream engine settings. Here the TCP stream tracking and reassembly\r\n# engine is configured.\r\n#\r\n# stream:\r\n#   memcap: 32mb                # Can be specified in kb, mb, gb.  
Just a\r\n#                               # number indicates it's in bytes.\r\n#   checksum-validation: yes    # To validate the checksum of received\r\n#                               # packet. If csum validation is specified as\r\n#                               # \"yes\", then packets with invalid csum values will not\r\n#                               # be processed by the engine stream\/app layer.\r\n#                               # Warning: locally generated traffic can be\r\n#                               # generated without checksum due to hardware offload\r\n#                               # of checksum. You can control the handling of checksum\r\n#                               # on a per-interface basis via the 'checksum-checks'\r\n#                               # option\r\n#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread\r\n#   midstream: false            # don't allow midstream session pickups\r\n#   async-oneside: false        # don't enable async stream handling\r\n#   inline: no                  # stream inline mode\r\n#   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine\r\n#   max-synack-queued: 5        # Max different SYN\/ACKs to queue\r\n#   bypass: no                  # Bypass packets when stream.reassembly.depth is reached.\r\n#                               # Warning: first side to reach this triggers\r\n#                               # the bypass.\r\n#\r\n#   reassembly:\r\n#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number\r\n#                               # indicates it's in bytes.\r\n#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number\r\n#                               # indicates it's in bytes.\r\n#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least\r\n#                               # this size.  Can be specified in kb, mb,\r\n#                               # gb.  
Just a number indicates it's in bytes.\r\n#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least\r\n#                               # this size.  Can be specified in kb, mb,\r\n#                               # gb.  Just a number indicates it's in bytes.\r\n#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.\r\n#                               # This lowers the risk of some evasion techniques but could lead\r\n#                               # to detection change between runs. It is set to 'yes' by default.\r\n#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is\r\n#                               # a random value between (1 - randomize-chunk-range\/100)*toserver-chunk-size\r\n#                               # and (1 + randomize-chunk-range\/100)*toserver-chunk-size and the same\r\n#                               # calculation for toclient-chunk-size.\r\n#                               # Default value of randomize-chunk-range is 10.\r\n#\r\n#     raw: yes                  # 'Raw' reassembly enabled or disabled.\r\n#                               # raw is for content inspection by detection\r\n#                               # engine.\r\n#\r\n#     segment-prealloc: 2048    # number of segments preallocated per thread\r\n#\r\n#     check-overlap-different-data: true|false\r\n#                               # check if a segment contains different data\r\n#                               # than what we've already seen for that\r\n#                               # position in the stream.\r\n#                               # This is enabled automatically if inline mode\r\n#                               # is used or when stream-event:reassembly_overlap_different_data;\r\n#                               # is used in a rule.\r\n#\r\nstream:\r\n  memcap: 40gb\r\n  prealloc-sessions: 900000\r\n  midstream: true\r\n  drop-invalid: yes\r\n  # checksum-validation: yes      
# reject incorrect csums\r\n  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically\r\n  bypass: yes\r\n  reassembly:\r\n    memcap: 40gb\r\n    depth: 64kb                  # reassemble 1mb into a stream\r\n    toserver-chunk-size: 2560\r\n    toclient-chunk-size: 2560\r\n    randomize-chunk-size: no\r\n    #randomize-chunk-range: 10\r\n    #raw: yes\r\n    segment-prealloc: 20480\r\n    check-overlap-different-data: true\r\n\r\n# Host table:\r\n#\r\n# Host table is used by the tagging and per host thresholding subsystems.\r\n#\r\nhost:\r\n  hash-size: 1000000\r\n  # prealloc: 1000\r\n  memcap: 10gb\r\n\r\n# IP Pair table:\r\n#\r\n# Used by xbits 'ippair' tracking.\r\n#\r\n#ippair:\r\n#  hash-size: 4096\r\n#  prealloc: 1000\r\n#  memcap: 32mb\r\n\r\n# Decoder settings\r\n\r\ndecoder:\r\n  # Teredo decoder is known to not be completely accurate\r\n  # as it will sometimes detect non-teredo as teredo.\r\n  teredo:\r\n    enabled: true\r\n    # ports to look for Teredo. Max 4 ports. If no ports are given, or\r\n    # the value is set to 'any', Teredo detection runs on _all_ UDP packets.\r\n    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.\r\n\r\n  # VXLAN decoder is assigned to up to 4 UDP ports. By default only the\r\n  # IANA assigned port 4789 is enabled.\r\n  vxlan:\r\n    enabled: true\r\n    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.\r\n\r\n  # VNTag decode support\r\n  vntag:\r\n    enabled: false\r\n\r\n  # Geneve decoder is assigned to up to 4 UDP ports. By default only the\r\n  # IANA assigned port 6081 is enabled.\r\n  geneve:\r\n    enabled: true\r\n    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.\r\n\r\n  # maximum number of decoder layers for a packet\r\n  # max-layers: 16\r\n\r\n##\r\n## Performance tuning and profiling\r\n##\r\n\r\n# The detection engine builds internal groups of signatures. 
The engine\r\n# allows us to specify the profile to use for them, to manage memory in an\r\n# efficient way keeping good performance. For the profile keyword you\r\n# can use the words \"low\", \"medium\", \"high\" or \"custom\". If you use custom,\r\n# make sure to define the values in the \"custom-values\" section.\r\n# Usually you would prefer medium\/high\/low.\r\n#\r\n# \"sgh mpm-context\", indicates how the staging should allot mpm contexts for\r\n# the signature groups.  \"single\" indicates the use of a single context for\r\n# all the signature group heads.  \"full\" indicates a mpm-context for each\r\n# group head.  \"auto\" lets the engine decide the distribution of contexts\r\n# based on the information the engine gathers on the patterns from each\r\n# group head.\r\n#\r\n# The option inspection-recursion-limit is used to limit the recursive calls\r\n# in the content inspection code.  For certain payload-sig combinations, we\r\n# might end up taking too much time in the content inspection code.\r\n# If the argument specified is 0, the engine uses an internally defined\r\n# default limit.  When a value is not specified, there are no limits on the recursion.\r\ndetect:\r\n  profile: custom\r\n  custom-values:\r\n    toclient-groups: 2000\r\n    toserver-groups: 2000\r\n  sgh-mpm-context: auto\r\n  inspection-recursion-limit: 200\r\n  # If set to yes, the loading of signatures will be made after the capture\r\n  # is started. This will limit the downtime in IPS mode.\r\n  delayed-detect: yes\r\n\r\n  prefilter:\r\n    # default prefiltering setting. \"mpm\" only creates MPM\/fast_pattern\r\n    # engines. \"auto\" also sets up prefilter engines for other keywords.\r\n    # Use --list-keywords=all to see which keywords support prefiltering.\r\n    default: auto\r\n\r\n  # the grouping values above control how many groups are created per\r\n  # direction. 
Port whitelisting forces that port to get its own group.\r\n  # Very common ports will benefit, as well as ports with many expensive\r\n  # rules.\r\n  grouping:\r\n    tcp-whitelist: 443\r\n    #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080\r\n    #udp-whitelist: 53, 135, 5060\r\n\r\n  profiling:\r\n    # Log the rules that made it past the prefilter stage, per packet\r\n    # default is off. The threshold setting determines how many rules\r\n    # must have made it past pre-filter for that rule to trigger the\r\n    # logging.\r\n    #inspect-logging-threshold: 200\r\n    # grouping:\r\n    #   dump-to-disk: false\r\n    #   include-rules: false      # very verbose\r\n    #   include-mpm-stats: false\r\n\r\n# Select the multi pattern algorithm you want to run for scan\/search the\r\n# in the engine.\r\n#\r\n# The supported algorithms are:\r\n# \"ac\"      - Aho-Corasick, default implementation\r\n# \"ac-bs\"   - Aho-Corasick, reduced memory implementation\r\n# \"ac-ks\"   - Aho-Corasick, \"Ken Steele\" variant\r\n# \"hs\"      - Hyperscan, available when built with Hyperscan support\r\n#\r\n# The default mpm-algo value of \"auto\" will use \"hs\" if Hyperscan is\r\n# available, \"ac\" otherwise.\r\n#\r\n# The mpm you choose also decides the distribution of mpm contexts for\r\n# signature groups, specified by the conf - \"detect.sgh-mpm-context\".\r\n# Selecting \"ac\" as the mpm would require \"detect.sgh-mpm-context\"\r\n# to be set to \"single\", because of ac's memory requirements, unless the\r\n# ruleset is small enough to fit in memory, in which case one can\r\n# use \"full\" with \"ac\".  
The rest of the mpms can be run in \"full\" mode.\r\n\r\nmpm-algo: hs\r\n\r\n# Select the matching algorithm you want to use for single-pattern searches.\r\n#\r\n# Supported algorithms are \"bm\" (Boyer-Moore) and \"hs\" (Hyperscan, only\r\n# available if Suricata has been built with Hyperscan support).\r\n#\r\n# The default of \"auto\" will use \"hs\" if available, otherwise \"bm\".\r\n\r\nspm-algo: hs\r\n\r\n# Suricata is multi-threaded. Here the threading can be influenced.\r\nthreading:\r\n  set-cpu-affinity: yes\r\n  # Tune cpu affinity of threads. Each family of threads can be bound\r\n  # to specific CPUs.\r\n  #\r\n  # These 2 apply to the all runmodes:\r\n  # management-cpu-set is used for flow timeout handling, counters\r\n  # worker-cpu-set is used for 'worker' threads\r\n  #\r\n  # Additionally, for autofp these apply:\r\n  # receive-cpu-set is used for capture threads\r\n  # verdict-cpu-set is used for IPS verdict threads\r\n  #\r\n  cpu-affinity:\r\n    - management-cpu-set:\r\n        cpu: [1,3]  # include only these CPUs in affinity settings\r\n        mode: \"exclusive\"\r\n    - worker-cpu-set:\r\n        cpu: [0,2,4,6,8,10,12,14,16,18,20,22,24,  5,7,9,11,13,15,17,19,21,23,25,27,29,31]\r\n        mode: \"exclusive\"\r\n        prio:\r\n          medium: [0,2,4,6,8,10,12,14,16,18,20,22,24]\r\n          high: [5,7,9,11,13,15,17,19,21,23,25,27,29,31]\r\n          default: \"medium\"\r\n  #\r\n  # By default Suricata creates one \"detect\" thread per available CPU\/CPU core.\r\n  # This setting allows controlling this behaviour. A ratio setting of 2 will\r\n  # create 2 detect threads for each CPU\/CPU core. So for a dual core CPU this\r\n  # will result in 4 detect threads. If values below 1 are used, less threads\r\n  # are created. So on a dual core CPU a setting of 0.5 results in 1 detect\r\n  # thread being created. 
Regardless of the setting at a minimum 1 detect\r\n  # thread will always be created.\r\n  #\r\n  detect-thread-ratio: 1.0\r\n\r\n# Luajit has a strange memory requirement, its 'states' need to be in the\r\n# first 2G of the process' memory.\r\n#\r\n# 'luajit.states' is used to control how many states are preallocated.\r\n# State use: per detect script: 1 per detect thread. Per output script: 1 per\r\n# script.\r\nluajit:\r\n  states: 128\r\n\r\n# Profiling settings. Only effective if Suricata has been built with\r\n# the --enable-profiling configure flag.\r\n#\r\nprofiling:\r\n  # Run profiling for every X-th packet. The default is 1, which means we\r\n  # profile every packet. If set to 1000, one packet is profiled for every\r\n  # 1000 received.\r\n  #sample-rate: 1000\r\n\r\n  # rule profiling\r\n  rules:\r\n\r\n    # Profiling can be disabled here, but it will still have a\r\n    # performance impact if compiled in.\r\n    enabled: no\r\n    filename: rule_perf.log\r\n    append: yes\r\n\r\n    # Sort options: ticks, avgticks, checks, matches, maxticks\r\n    # If commented out all the sort options will be used.\r\n    #sort: avgticks\r\n\r\n    # Limit the number of sids for which stats are shown at exit (per sort).\r\n    limit: 50\r\n\r\n    # output to json\r\n    json: no\r\n\r\n  # per keyword profiling\r\n  keywords:\r\n    enabled: no\r\n    filename: keyword_perf.log\r\n    append: yes\r\n\r\n  prefilter:\r\n    enabled: no\r\n    filename: prefilter_perf.log\r\n    append: yes\r\n\r\n  # per rulegroup profiling\r\n  rulegroups:\r\n    enabled: no\r\n    filename: rule_group_perf.log\r\n    append: yes\r\n\r\n  # packet profiling\r\n  packets:\r\n\r\n    # Profiling can be disabled here, but it will still have a\r\n    # performance impact if compiled in.\r\n    enabled: no\r\n    filename: packet_stats.log\r\n    append: yes\r\n\r\n    # per packet csv output\r\n    csv:\r\n\r\n      # Output can be disabled here, but it will still have a\r\n      # 
performance impact if compiled in.\r\n      enabled: no\r\n      filename: packet_stats.csv\r\n\r\n  # profiling of locking. Only available when Suricata was built with\r\n  # --enable-profiling-locks.\r\n  locks:\r\n    enabled: no\r\n    filename: lock_stats.log\r\n    append: yes\r\n\r\n  pcap-log:\r\n    enabled: no\r\n    filename: pcaplog_stats.log\r\n    append: yes\r\n\r\n##\r\n## Netfilter integration\r\n##\r\n\r\n# When running in NFQ inline mode, it is possible to use a simulated\r\n# non-terminal NFQUEUE verdict.\r\n# This permits sending all needed packet to Suricata via this rule:\r\n#        iptables -I FORWARD -m mark ! --mark $MARK\/$MASK -j NFQUEUE\r\n# And below, you can have your standard filtering ruleset. To activate\r\n# this mode, you need to set mode to 'repeat'\r\n# If you want a packet to be sent to another queue after an ACCEPT decision\r\n# set the mode to 'route' and set next-queue value.\r\n# On Linux &gt;= 3.1, you can set batchcount to a value &gt; 1 to improve performance\r\n# by processing several packets before sending a verdict (worker runmode only).\r\n# On Linux &gt;= 3.6, you can set the fail-open option to yes to have the kernel\r\n# accept the packet if Suricata is not able to keep pace.\r\n# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is\r\n# set then the NFQ bypass is activated. Suricata will set the bypass mark\/mask\r\n# on packet of a flow that need to be bypassed. 
The Netfilter ruleset has to\r\n# directly accept all packets of a flow once a packet has been marked.\r\nnfq:\r\n#  mode: accept\r\n#  repeat-mark: 1\r\n#  repeat-mask: 1\r\n#  bypass-mark: 1\r\n#  bypass-mask: 1\r\n#  route-queue: 2\r\n#  batchcount: 20\r\n#  fail-open: yes\r\n\r\n#nflog support\r\nnflog:\r\n    # netlink multicast group\r\n    # (the same as the iptables --nflog-group param)\r\n    # Group 0 is used by the kernel, so you can't use it\r\n  - group: 2\r\n    # netlink buffer size\r\n    buffer-size: 18432\r\n    # put default value here\r\n  - group: default\r\n    # set number of packets to queue inside kernel\r\n    qthreshold: 1\r\n    # set the delay before flushing packet in the kernel's queue\r\n    qtimeout: 100\r\n    # netlink max buffer size\r\n    max-size: 20000\r\n\r\n##\r\n## Advanced Capture Options\r\n##\r\n\r\n# General settings affecting packet capture\r\ncapture:\r\n  # disable NIC offloading. It's restored when Suricata exits.\r\n  # Enabled by default.\r\n  #disable-offloading: false\r\n  #\r\n  # disable checksum validation. Same as setting '-k none' on the\r\n  # commandline.\r\n  #checksum-validation: none\r\n\r\n# Netmap support\r\n#\r\n# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has\r\n# built-in Netmap support or compile and install the Netmap module and appropriate\r\n# NIC driver for your Linux system.\r\n# To reach maximum throughput disable all receive-, segmentation-,\r\n# checksum- offloading on your NIC (using ethtool or similar).\r\n# Disabling TX checksum offloading is *required* for connecting OS endpoint\r\n# with NIC endpoint.\r\n# You can find more information at https:\/\/github.com\/luigirizzo\/netmap\r\n#\r\nnetmap:\r\n   # To specify OS endpoint add plus sign at the end (e.g. \"eth0+\")\r\n - interface: eth2\r\n   # Number of capture threads. 
\"auto\" uses number of RSS queues on interface.\r\n   # Warning: unless the RSS hashing is symmetrical, this will lead to\r\n   # accuracy issues.\r\n   #threads: auto\r\n   # You can use the following variables to activate netmap tap or IPS mode.\r\n   # If copy-mode is set to ips or tap, the traffic coming to the current\r\n   # interface will be copied to the copy-iface interface. If 'tap' is set, the\r\n   # copy is complete. If 'ips' is set, the packet matching a 'drop' action\r\n   # will not be copied.\r\n   # To specify the OS as the copy-iface (so the OS can route packets, or forward\r\n   # to a service running on the same machine) add a plus sign at the end\r\n   # (e.g. \"copy-iface: eth0+\"). Don't forget to set up a symmetrical eth0+ -&gt; eth0\r\n   # for return packets. Hardware checksumming must be *off* on the interface if\r\n   # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD\r\n   # or 'ethtool -K eth0 tx off rx off' for Linux).\r\n   #copy-mode: tap\r\n   #copy-iface: eth3\r\n   # Set to yes to disable promiscuous mode\r\n   # disable-promisc: no\r\n   # Choose checksum verification mode for the interface. At the moment\r\n   # of the capture, some packets may have an invalid checksum due to\r\n   # the checksum computation being offloaded to the network card.\r\n   # Possible values are:\r\n   #  - yes: checksum validation is forced\r\n   #  - no: checksum validation is disabled\r\n   #  - auto: Suricata uses a statistical approach to detect when\r\n   #  checksum off-loading is used.\r\n   # Warning: 'checksum-validation' must be set to yes to have any validation\r\n   #checksum-checks: auto\r\n   # BPF filter to apply to this interface. 
The pcap filter syntax apply here.\r\n   #bpf-filter: port 80 or udp\r\n #- interface: eth3\r\n   #threads: auto\r\n   #copy-mode: tap\r\n   #copy-iface: eth2\r\n   # Put default values here\r\n - interface: default\r\n\r\n# PF_RING configuration: for use with native PF_RING support\r\n# for more info see http:\/\/www.ntop.org\/products\/pf_ring\/\r\npfring:\r\n  # - interface: eth0\r\n  #   # Number of receive threads. If set to 'auto' Suricata will first try\r\n  #   # to use CPU (core) count and otherwise RSS queue count.\r\n  #   threads: auto\r\n\r\n  #   # Default clusterid.  PF_RING will load balance packets based on flow.\r\n  #   # All threads\/processes that will participate need to have the same\r\n  #   # clusterid.\r\n  #   cluster-id: 99\r\n\r\n  #   # Default PF_RING cluster type. PF_RING can load balance per flow.\r\n  #   # Possible values are cluster_flow or cluster_round_robin.\r\n  #   cluster-type: cluster_flow\r\n\r\n  - interface: zc:99@0\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@1\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@2\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@3\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@4\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@5\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@6\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@7\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@8\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@9\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: 
no\r\n  - interface: zc:99@10\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@11\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@12\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@13\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@14\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@15\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@16\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@17\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@18\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@19\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@20\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@21\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@22\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@23\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@24\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@25\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n  - interface: zc:99@26\r\n    threads: 1\r\n    cluster-type: cluster_flow\r\n    checksum-checks: no\r\n\r\n\r\n  # - interface: zc:99@28\r\n  #   threads: 1\r\n  #   cluster-type: cluster_flow\r\n  #   checksum-checks: no\r\n  # - interface: zc:99@29\r\n  #   threads: 1\r\n  #   cluster-type: 
cluster_flow\r\n  #   checksum-checks: no\r\n\r\n    # bpf filter for this interface\r\n    #bpf-filter: tcp\r\n\r\n    # If bypass is set then the PF_RING hw bypass is activated, when supported\r\n    # by the network interface. Suricata will instruct the interface to bypass\r\n    # all future packets for a flow that needs to be bypassed.\r\n    #bypass: yes\r\n\r\n    # Choose checksum verification mode for the interface. At the moment\r\n    # of the capture, some packets may have an invalid checksum due to\r\n    # the checksum computation being offloaded to the network card.\r\n    # Possible values are:\r\n    #  - rxonly: only compute checksum for packets received by network card.\r\n    #  - yes: checksum validation is forced\r\n    #  - no: checksum validation is disabled\r\n    #  - auto: Suricata uses a statistical approach to detect when\r\n    #  checksum off-loading is used. (default)\r\n    # Warning: 'checksum-validation' must be set to yes to have any validation\r\n    #checksum-checks: auto\r\n  # Second interface\r\n  #- interface: eth1\r\n  #  threads: 3\r\n  #  cluster-id: 93\r\n  #  cluster-type: cluster_flow\r\n  # Put default values here\r\n  # - interface: default\r\n    #threads: 2\r\n\r\n# For FreeBSD ipfw(8) divert(4) support.\r\n# Please make sure you have ipfw_load=\"YES\" and ipdivert_load=\"YES\"\r\n# in \/etc\/loader.conf or kldload'ing the appropriate kernel modules.\r\n# Additionally, you need to have an ipfw rule for the engine to see\r\n# the packets from ipfw.  For Example:\r\n#\r\n#   ipfw add 100 divert 8000 ip from any to any\r\n#\r\n# N.B. This example uses \"8000\" -- this number must match the value\r\n# you passed on the command line, i.e., -d 8000\r\n#\r\nipfw:\r\n\r\n  # Reinject packets at the specified ipfw rule number.  This config\r\n  # option is the ipfw rule number AT WHICH rule processing continues\r\n  # in the ipfw processing system after the engine has finished\r\n  # inspecting the packet for acceptance.  
If no rule number is specified,\r\n  # accepted packets are reinjected at the divert rule which they entered\r\n  # and IPFW rule processing continues.  No check is done to verify\r\n  # that this rule makes sense, so care must be taken to avoid loops in ipfw.\r\n  #\r\n  ## The following example tells the engine to reinject packets\r\n  # back into the ipfw firewall AT rule number 5500:\r\n  #\r\n  # ipfw-reinjection-rule-number: 5500\r\n\r\n\r\nnapatech:\r\n    # When use_all_streams is set to \"yes\" the initialization code will query\r\n    # the Napatech service for all configured streams and listen on all of them.\r\n    # When set to \"no\" the streams config array will be used.\r\n    #\r\n    # This option necessitates running the appropriate NTPL commands to create\r\n    # the desired streams prior to running Suricata.\r\n    #use-all-streams: no\r\n\r\n    # The streams to listen on when auto-config is disabled or when threading\r\n    # cpu-affinity is disabled.  This can be either:\r\n    #   an individual stream (e.g. streams: [0])\r\n    # or\r\n    #   a range of streams (e.g. streams: [\"0-3\"])\r\n    #\r\n    streams: [\"0-3\"]\r\n\r\n    # Stream stats can be enabled to provide fine grain packet and byte counters\r\n    # for each thread\/stream that is configured.\r\n    #\r\n    enable-stream-stats: no\r\n\r\n    # When auto-config is enabled the streams will be created and assigned\r\n    # automatically to the NUMA node where the thread resides.  If cpu-affinity\r\n    # is enabled in the threading section.  
Then the streams will be created\r\n    # according to the number of worker threads specified in the worker-cpu-set.\r\n    # Otherwise, the streams array is used to define the streams.\r\n    #\r\n    # This option is intended primarily to support legacy configurations.\r\n    #\r\n    # This option cannot be used simultaneously with either \"use-all-streams\"\r\n    # or \"hardware-bypass\".\r\n    #\r\n    auto-config: yes\r\n\r\n    # Enable hardware level flow bypass.\r\n    #\r\n    hardware-bypass: yes\r\n\r\n    # Enable inline operation.  When enabled traffic arriving on a given port is\r\n    # automatically forwarded out its peer port after analysis by Suricata.\r\n    #\r\n    inline: no\r\n\r\n    # Ports indicates which Napatech ports are to be used in auto-config mode.\r\n    # these are the port IDs of the ports that will be merged prior to the\r\n    # traffic being distributed to the streams.\r\n    #\r\n    # When hardware-bypass is enabled the ports must be configured as a segment.\r\n    # specify the port(s) on which upstream and downstream traffic will arrive.\r\n    # This information is necessary for the hardware to properly process flows.\r\n    #\r\n    # When using a tap configuration one of the ports will receive inbound traffic\r\n    # for the network and the other will receive outbound traffic. The two ports on a\r\n    # given segment must reside on the same network adapter.\r\n    #\r\n    # When using a SPAN-port configuration the upstream and downstream traffic\r\n    # arrives on a single port. This is configured by setting the two sides of the\r\n    # segment to reference the same port.  (e.g. 0-0 to configure a SPAN port on\r\n    # port 0).\r\n    #\r\n    # port segments are specified in the form:\r\n    #    ports: [0-1,2-3,4-5,6-6,7-7]\r\n    #\r\n    # For legacy systems when hardware-bypass is disabled this can be specified in any\r\n    # of the following ways:\r\n    #\r\n    #   a list of individual ports (e.g. 
ports: [0,1,2,3])\r\n    #\r\n    #   a range of ports (e.g. ports: [0-3])\r\n    #\r\n    #   \"all\" to indicate that all ports are to be merged together\r\n    #   (e.g. ports: [all])\r\n    #\r\n    # This parameter has no effect if auto-config is disabled.\r\n    #\r\n    ports: [0-1,2-3]\r\n\r\n    # When auto-config is enabled the hashmode specifies the algorithm for\r\n    # determining to which stream a given packet is to be delivered.\r\n    # This can be any valid Napatech NTPL hashmode command.\r\n    #\r\n    # The most common hashmode commands are:  hash2tuple, hash2tuplesorted,\r\n    # hash5tuple, hash5tuplesorted and roundrobin.\r\n    #\r\n    # See Napatech NTPL documentation other hashmodes and details on their use.\r\n    #\r\n    # This parameter has no effect if auto-config is disabled.\r\n    #\r\n    hashmode: hash5tuplesorted\r\n\r\n##\r\n## Configure Suricata to load Suricata-Update managed rules.\r\n##\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>&lt;p&gt;\u524d\u7f6e\u6761\u4ef6\u51c6\u5907\u4e00\u4e2a\u5e72\u51c0\u7684CentOS7\u73af\u5883\uff0c&hellip;<\/p>\n","protected":false},"author":1,"featured_media":915,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[321],"tags":[360,359,358],"class_list":["post-904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-ids","tag-pf_ring","tag-suricata"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668 - Wayne&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=904\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" 
\/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668 - Wayne&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"&lt;p&gt;\u524d\u7f6e\u6761\u4ef6\u51c6\u5907\u4e00\u4e2a\u5e72\u51c0\u7684CentOS7\u73af\u5883\uff0c&hellip;\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=904\" \/>\n<meta property=\"og:site_name\" content=\"Wayne&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-03-09T11:47:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-22T09:09:55+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1365\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"52 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne&#039;s Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/weizn.net\/?p=904#primaryimage\",\"inLanguage\":\"zh-Hans\",\"url\":\"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg\",\"contentUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg\",\"width\":2048,\"height\":1365},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=904#webpage\",\"url\":\"http:\/\/weizn.net\/?p=904\",\"name\":\"Suricata + PF_RING\\uff08ZC\\u6a21\\u5f0f\\uff09\\u90e8\\u7f7215G+\\u91c7\\u96c6\\u5668 - Wayne&#039;s Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=904#primaryimage\"},\"datePublished\":\"2018-03-09T11:47:33+00:00\",\"dateModified\":\"2021-09-22T09:09:55+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=904#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=904\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=904#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Suricata + PF_RING\\uff08ZC\\u6a21\\u5f0f\\uff09\\u90e8\\u7f7215G+\\u91c7\\u96c6\\u5668\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=904#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=904#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":\"Suricata + 
PF_RING\\uff08ZC\\u6a21\\u5f0f\\uff09\\u90e8\\u7f7215G+\\u91c7\\u96c6\\u5668\",\"datePublished\":\"2018-03-09T11:47:33+00:00\",\"dateModified\":\"2021-09-22T09:09:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=904#webpage\"},\"wordCount\":82,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"image\":{\"@id\":\"http:\/\/weizn.net\/?p=904#primaryimage\"},\"thumbnailUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg\",\"keywords\":[\"IDS\",\"PF_RING\",\"Suricata\"],\"articleSection\":[\"\\u5e94\\u7528\\u5b89\\u5168\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=904#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668 - Wayne&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=904","og_locale":"zh_CN","og_type":"article","og_title":"Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668 - Wayne&#039;s Blog","og_description":"&lt;p&gt;\u524d\u7f6e\u6761\u4ef6\u51c6\u5907\u4e00\u4e2a\u5e72\u51c0\u7684CentOS7\u73af\u5883\uff0c&hellip;","og_url":"http:\/\/weizn.net\/?p=904","og_site_name":"Wayne&#039;s Blog","article_published_time":"2018-03-09T11:47:33+00:00","article_modified_time":"2021-09-22T09:09:55+00:00","og_image":[{"width":2048,"height":1365,"url":"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg","path":"\/app\/wp-content\/uploads\/2018\/03\/meerkats.jpeg","size":"full","id":915,"alt":"","pixels":2795520,"type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"52 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne&#039;s Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"ImageObject","@id":"http:\/\/weizn.net\/?p=904#primaryimage","inLanguage":"zh-Hans","url":"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg","contentUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg","width":2048,"height":1365},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=904#webpage","url":"http:\/\/weizn.net\/?p=904","name":"Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668 - Wayne&#039;s Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"primaryImageOfPage":{"@id":"http:\/\/weizn.net\/?p=904#primaryimage"},"datePublished":"2018-03-09T11:47:33+00:00","dateModified":"2021-09-22T09:09:55+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=904#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=904"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=904#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=904#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=904#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"Suricata + 
PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668","datePublished":"2018-03-09T11:47:33+00:00","dateModified":"2021-09-22T09:09:55+00:00","mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=904#webpage"},"wordCount":82,"commentCount":0,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"image":{"@id":"http:\/\/weizn.net\/?p=904#primaryimage"},"thumbnailUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2018\/03\/meerkats.jpeg","keywords":["IDS","PF_RING","Suricata"],"articleSection":["\u5e94\u7528\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=904#respond"]}]},{"@type":["Person","Organization"],"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=904"}],"version-history":[{"count":30,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/904\/revisions"}],"predecessor-version":[{"id":965,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/904\/revisions\/965"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/media\/915"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=904"},{"taxonomy":"post_tag
","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}