Adding settings for detect engine group config

remotes/origin/master-1.0.x
Pablo Rincon 16 years ago committed by Victor Julien
parent fbdf1baf1c
commit 38dc7ffebc

@ -24,11 +24,13 @@
//#include "util-mpm.h"
#include "util-error.h"
#include "util-hash.h"
#include "util-byte.h"
#include "util-debug.h"
#include "util-var-name.h"
#include "tm-modules.h"
static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *);
DetectEngineCtx *DetectEngineCtxInit(void) {
DetectEngineCtx *de_ctx;
@ -44,6 +46,7 @@ DetectEngineCtx *DetectEngineCtxInit(void) {
}
de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
DetectEngineCtxLoadConf(de_ctx);
SigGroupHeadHashInit(de_ctx);
SigGroupHeadMpmHashInit(de_ctx);
@ -90,6 +93,299 @@ void DetectEngineCtxFree(DetectEngineCtx *de_ctx) {
//DetectPortPrintMemory();
}
/** \brief Function that load DetectEngineCtx config for grouping sigs
* used by the engine
* \retval 0 if no config provided, 1 if config was provided
* and loaded successfuly
*/
static uint8_t DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx) {
uint8_t profile = ENGINE_PROFILE_UNKNOWN;
char *de_ctx_profile = NULL;
const char *max_uniq_toclient_src_groups_str = NULL;
const char *max_uniq_toclient_dst_groups_str = NULL;
const char *max_uniq_toclient_sp_groups_str = NULL;
const char *max_uniq_toclient_dp_groups_str = NULL;
const char *max_uniq_toserver_src_groups_str = NULL;
const char *max_uniq_toserver_dst_groups_str = NULL;
const char *max_uniq_toserver_sp_groups_str = NULL;
const char *max_uniq_toserver_dp_groups_str = NULL;
const char *max_uniq_small_toclient_src_groups_str = NULL;
const char *max_uniq_small_toclient_dst_groups_str = NULL;
const char *max_uniq_small_toclient_sp_groups_str = NULL;
const char *max_uniq_small_toclient_dp_groups_str = NULL;
const char *max_uniq_small_toserver_src_groups_str = NULL;
const char *max_uniq_small_toserver_dst_groups_str = NULL;
const char *max_uniq_small_toserver_sp_groups_str = NULL;
const char *max_uniq_small_toserver_dp_groups_str = NULL;
ConfNode *de_ctx_custom = ConfGetNode("detect-engine");
ConfNode *opt = NULL;
if (de_ctx_custom != NULL) {
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strncmp(opt->val, "profile", 3) == 0) {
de_ctx_profile = opt->head.tqh_first->val;
}
}
}
if (de_ctx_profile != NULL) {
if (strncmp(de_ctx_profile, "low", 3) == 0) {
profile = ENGINE_PROFILE_LOW;
} else if (strncmp(de_ctx_profile, "medium", 6) == 0) {
profile = ENGINE_PROFILE_MEDIUM;
} else if (strncmp(de_ctx_profile, "high", 4) == 0) {
profile = ENGINE_PROFILE_HIGH;
} else if (strncmp(de_ctx_profile, "custom", 4) == 0) {
profile = ENGINE_PROFILE_CUSTOM;
}
SCLogInfo("Profile for detection engine groups is \"%s\"", de_ctx_profile);
} else {
SCLogInfo("Profile for detection engine groups not provided "
"at suricata.yaml. Using default (\"medium\").");
}
opt = NULL;
switch (profile) {
case ENGINE_PROFILE_LOW:
de_ctx->max_uniq_toclient_src_groups = 2;
de_ctx->max_uniq_toclient_dst_groups = 2;
de_ctx->max_uniq_toclient_sp_groups = 2;
de_ctx->max_uniq_toclient_dp_groups = 3;
de_ctx->max_uniq_toserver_src_groups = 2;
de_ctx->max_uniq_toserver_dst_groups = 2;
de_ctx->max_uniq_toserver_sp_groups = 2;
de_ctx->max_uniq_toserver_dp_groups = 3;
de_ctx->max_uniq_small_toclient_src_groups = 2;
de_ctx->max_uniq_small_toclient_dst_groups = 2;
de_ctx->max_uniq_small_toclient_sp_groups = 2;
de_ctx->max_uniq_small_toclient_dp_groups = 3;
de_ctx->max_uniq_small_toserver_src_groups = 2;
de_ctx->max_uniq_small_toserver_dst_groups = 2;
de_ctx->max_uniq_small_toserver_sp_groups = 2;
de_ctx->max_uniq_small_toserver_dp_groups = 3;
break;
case ENGINE_PROFILE_HIGH:
de_ctx->max_uniq_toclient_src_groups = 5;
de_ctx->max_uniq_toclient_dst_groups = 5;
de_ctx->max_uniq_toclient_sp_groups = 5;
de_ctx->max_uniq_toclient_dp_groups = 10;
de_ctx->max_uniq_toserver_src_groups = 5;
de_ctx->max_uniq_toserver_dst_groups = 5;
de_ctx->max_uniq_toserver_sp_groups = 5;
de_ctx->max_uniq_toserver_dp_groups = 30;
de_ctx->max_uniq_small_toclient_src_groups = 5;
de_ctx->max_uniq_small_toclient_dst_groups = 5;
de_ctx->max_uniq_small_toclient_sp_groups = 5;
de_ctx->max_uniq_small_toclient_dp_groups = 10;
de_ctx->max_uniq_small_toserver_src_groups = 5;
de_ctx->max_uniq_small_toserver_dst_groups = 5;
de_ctx->max_uniq_small_toserver_sp_groups = 5;
de_ctx->max_uniq_small_toserver_dp_groups = 10;
break;
case ENGINE_PROFILE_CUSTOM:
TAILQ_FOREACH(opt, &de_ctx_custom->head, next) {
if (strncmp(opt->val, "custom-values", 3) == 0) {
max_uniq_toclient_src_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient_src_groups");
max_uniq_toclient_dst_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient_dst_groups");
max_uniq_toclient_sp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient_sp_groups");
max_uniq_toclient_dp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toclient_dp_groups");
max_uniq_toserver_src_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver_src_groups");
max_uniq_toserver_dst_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver_dst_groups");
max_uniq_toserver_sp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver_sp_groups");
max_uniq_toserver_dp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "toserver_dp_groups");
max_uniq_small_toclient_src_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toclient_src_groups");
max_uniq_small_toclient_dst_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toclient_dst_groups");
max_uniq_small_toclient_sp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toclient_sp_groups");
max_uniq_small_toclient_dp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toclient_dp_groups");
max_uniq_small_toserver_src_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toserver_src_groups");
max_uniq_small_toserver_dst_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toserver_dst_groups");
max_uniq_small_toserver_sp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toserver_sp_groups");
max_uniq_small_toserver_dp_groups_str = ConfNodeLookupChildValue
(opt->head.tqh_first, "small_toserver_dp_groups");
}
}
if (max_uniq_toclient_src_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_src_groups, 10,
strlen(max_uniq_toclient_src_groups_str),
(const char *)max_uniq_toclient_src_groups_str) <= 0)
de_ctx->max_uniq_toclient_src_groups = 2;
} else {
de_ctx->max_uniq_toclient_src_groups = 2;
}
if (max_uniq_toclient_dst_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_dst_groups, 10,
strlen(max_uniq_toclient_dst_groups_str),
(const char *)max_uniq_toclient_dst_groups_str) <= 0)
de_ctx->max_uniq_toclient_dst_groups = 2;
} else {
de_ctx->max_uniq_toclient_dst_groups = 2;
}
if (max_uniq_toclient_sp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_sp_groups, 10,
strlen(max_uniq_toclient_sp_groups_str),
(const char *)max_uniq_toclient_sp_groups_str) <= 0)
de_ctx->max_uniq_toclient_sp_groups = 2;
} else {
de_ctx->max_uniq_toclient_sp_groups = 2;
}
if (max_uniq_toclient_dp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toclient_dp_groups, 10,
strlen(max_uniq_toclient_dp_groups_str),
(const char *)max_uniq_toclient_dp_groups_str) <= 0)
de_ctx->max_uniq_toclient_dp_groups = 2;
} else {
de_ctx->max_uniq_toclient_dp_groups = 2;
}
if (max_uniq_toserver_src_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_src_groups, 10,
strlen(max_uniq_toserver_src_groups_str),
(const char *)max_uniq_toserver_src_groups_str) <= 0)
de_ctx->max_uniq_toserver_src_groups = 2;
} else {
de_ctx->max_uniq_toserver_src_groups = 2;
}
if (max_uniq_toserver_dst_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_dst_groups, 10,
strlen(max_uniq_toserver_dst_groups_str),
(const char *)max_uniq_toserver_dst_groups_str) <= 0)
de_ctx->max_uniq_toserver_dst_groups = 2;
} else {
de_ctx->max_uniq_toserver_dst_groups = 2;
}
if (max_uniq_toserver_sp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_sp_groups, 10,
strlen(max_uniq_toserver_sp_groups_str),
(const char *)max_uniq_toserver_sp_groups_str) <= 0)
de_ctx->max_uniq_toserver_sp_groups = 2;
} else {
de_ctx->max_uniq_toserver_sp_groups = 2;
}
if (max_uniq_toserver_dp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_toserver_dp_groups, 10,
strlen(max_uniq_toserver_dp_groups_str),
(const char *)max_uniq_toserver_dp_groups_str) <= 0)
de_ctx->max_uniq_toserver_dp_groups = 2;
} else {
de_ctx->max_uniq_toserver_dp_groups = 2;
}
if (max_uniq_small_toclient_src_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_src_groups, 10,
strlen(max_uniq_small_toclient_src_groups_str),
(const char *)max_uniq_small_toclient_src_groups_str) <= 0)
de_ctx->max_uniq_small_toclient_src_groups = 2;
} else {
de_ctx->max_uniq_small_toclient_src_groups = 2;
}
if (max_uniq_small_toclient_dst_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_dst_groups, 10,
strlen(max_uniq_small_toclient_dst_groups_str),
(const char *)max_uniq_small_toclient_dst_groups_str) <= 0)
de_ctx->max_uniq_small_toclient_dst_groups = 2;
} else {
de_ctx->max_uniq_small_toclient_dst_groups = 2;
}
if (max_uniq_small_toclient_sp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_sp_groups, 10,
strlen(max_uniq_small_toclient_sp_groups_str),
(const char *)max_uniq_small_toclient_sp_groups_str) <= 0)
de_ctx->max_uniq_small_toclient_sp_groups = 2;
} else {
de_ctx->max_uniq_small_toclient_sp_groups = 2;
}
if (max_uniq_small_toclient_dp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toclient_dp_groups, 10,
strlen(max_uniq_small_toclient_dp_groups_str),
(const char *)max_uniq_small_toclient_dp_groups_str) <= 0)
de_ctx->max_uniq_small_toclient_dp_groups = 2;
} else {
de_ctx->max_uniq_small_toclient_dp_groups = 2;
}
if (max_uniq_small_toserver_src_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_src_groups, 10,
strlen(max_uniq_small_toserver_src_groups_str),
(const char *)max_uniq_small_toserver_src_groups_str) <= 0)
de_ctx->max_uniq_small_toserver_src_groups = 2;
} else {
de_ctx->max_uniq_small_toserver_src_groups = 2;
}
if (max_uniq_small_toserver_dst_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_dst_groups, 10,
strlen(max_uniq_small_toserver_dst_groups_str),
(const char *)max_uniq_small_toserver_dst_groups_str) <= 0)
de_ctx->max_uniq_small_toserver_dst_groups = 2;
} else {
de_ctx->max_uniq_small_toserver_dst_groups = 2;
}
if (max_uniq_small_toserver_sp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_sp_groups, 10,
strlen(max_uniq_small_toserver_sp_groups_str),
(const char *)max_uniq_small_toserver_sp_groups_str) <= 0)
de_ctx->max_uniq_small_toserver_sp_groups = 2;
} else {
de_ctx->max_uniq_small_toserver_sp_groups = 2;
}
if (max_uniq_small_toserver_dp_groups_str != NULL) {
if (ByteExtractStringUint16(&de_ctx->max_uniq_small_toserver_dp_groups, 10,
strlen(max_uniq_small_toserver_dp_groups_str),
(const char *)max_uniq_small_toserver_dp_groups_str) <= 0)
de_ctx->max_uniq_small_toserver_dp_groups = 2;
} else {
de_ctx->max_uniq_small_toserver_dp_groups = 2;
}
break;
/* Default (or no config provided) is profile medium */
case ENGINE_PROFILE_MEDIUM:
case ENGINE_PROFILE_UNKNOWN:
default:
de_ctx->max_uniq_toclient_src_groups = 2;
de_ctx->max_uniq_toclient_dst_groups = 2;
de_ctx->max_uniq_toclient_sp_groups = 2;
de_ctx->max_uniq_toclient_dp_groups = 3;
de_ctx->max_uniq_toserver_src_groups = 2;
de_ctx->max_uniq_toserver_dst_groups = 4;
de_ctx->max_uniq_toserver_sp_groups = 2;
de_ctx->max_uniq_toserver_dp_groups = 25;
de_ctx->max_uniq_small_toclient_src_groups = 2;
de_ctx->max_uniq_small_toclient_dst_groups = 2;
de_ctx->max_uniq_small_toclient_sp_groups = 2;
de_ctx->max_uniq_small_toclient_dp_groups = 2;
de_ctx->max_uniq_small_toserver_src_groups = 2;
de_ctx->max_uniq_small_toserver_dst_groups = 2;
de_ctx->max_uniq_small_toserver_sp_groups = 2;
de_ctx->max_uniq_small_toserver_dp_groups = 8;
break;
}
if (profile == ENGINE_PROFILE_UNKNOWN)
return 0;
return 1;
}
/*
* getting & (re)setting the internal sig i
*/
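Review bot: In DetectEngineCtxLoadConf both TAILQ_FOREACH loops use `opt->head.tqh_first` (dereferenced for `->val` in the profile loop, passed on in the custom-values loop) without checking that the entry has a child, so a `- profile:` line with no value looks like it would dereference NULL while the engine starts; `opt->val` is handed to strncmp unchecked as well. The key and profile comparisons also match on a prefix only (`strncmp(opt->val, "profile", 3)`, `"custom-values", 3`, `"custom", 4`), so unrelated keys beginning with `pro` or `cus`, or a value such as `lower`, are accepted. I would guard and compare whole strings, e.g. `if (opt->val != NULL && strcmp(opt->val, "profile") == 0 && opt->head.tqh_first != NULL)`. A warning for an unrecognised profile string would help too, since the current SCLogInfo reports the unknown name while the medium defaults are what get applied.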

@ -1295,26 +1295,6 @@ static DetectAddress *GetHeadPtr(DetectAddressHead *head, int family) {
return grhead;
}
#define MAX_UNIQ_TOCLIENT_SRC_GROUPS 2
#define MAX_UNIQ_TOCLIENT_DST_GROUPS 2
#define MAX_UNIQ_TOCLIENT_SP_GROUPS 2
#define MAX_UNIQ_TOCLIENT_DP_GROUPS 3
#define MAX_UNIQ_TOSERVER_SRC_GROUPS 2
#define MAX_UNIQ_TOSERVER_DST_GROUPS 4
#define MAX_UNIQ_TOSERVER_SP_GROUPS 2
#define MAX_UNIQ_TOSERVER_DP_GROUPS 25
#define MAX_UNIQ_SMALL_TOCLIENT_SRC_GROUPS 2
#define MAX_UNIQ_SMALL_TOCLIENT_DST_GROUPS 2
#define MAX_UNIQ_SMALL_TOCLIENT_SP_GROUPS 2
#define MAX_UNIQ_SMALL_TOCLIENT_DP_GROUPS 2
#define MAX_UNIQ_SMALL_TOSERVER_SRC_GROUPS 2
#define MAX_UNIQ_SMALL_TOSERVER_DST_GROUPS 2
#define MAX_UNIQ_SMALL_TOSERVER_SP_GROUPS 2
#define MAX_UNIQ_SMALL_TOSERVER_DP_GROUPS 8
//#define SMALL_MPM(c) 0
#define SMALL_MPM(c) ((c) == 1)
// || (c) == 2)
@ -1706,8 +1686,8 @@ int SigAddressPrepareStage2(DetectEngineCtx *de_ctx) {
for (ds = 0; ds < DSIZE_STATES; ds++) {
for (f = 0; f < FLOW_STATES; f++) {
for (proto = 0; proto < 256; proto++) {
int groups = ds ? (f ? MAX_UNIQ_TOSERVER_SRC_GROUPS : MAX_UNIQ_TOCLIENT_SRC_GROUPS) :
(f ? MAX_UNIQ_SMALL_TOSERVER_SRC_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_SRC_GROUPS);
int groups = ds ? (f ? de_ctx->max_uniq_toserver_src_groups : de_ctx->max_uniq_toclient_src_groups) :
(f ? de_ctx->max_uniq_small_toserver_src_groups : de_ctx->max_uniq_small_toclient_src_groups);
CreateGroupedAddrList(de_ctx,
de_ctx->dsize_gh[ds].flow_gh[f].tmp_gh[proto]->ipv4_head, AF_INET,
@ -1904,8 +1884,8 @@ int BuildDestinationAddressHeads(DetectEngineCtx *de_ctx, DetectAddressHead *hea
/* Create the destination address list, keeping in
* mind the limits we use. */
int groups = dsize ? (flow ? MAX_UNIQ_TOSERVER_DST_GROUPS : MAX_UNIQ_TOCLIENT_DST_GROUPS) :
(flow ? MAX_UNIQ_SMALL_TOSERVER_DST_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_DST_GROUPS);
int groups = dsize ? (flow ? de_ctx->max_uniq_toserver_dst_groups : de_ctx->max_uniq_toclient_dst_groups) :
(flow ? de_ctx->max_uniq_small_toserver_dst_groups : de_ctx->max_uniq_small_toclient_dst_groups);
CreateGroupedAddrList(de_ctx, tmp_gr_list, family, gr->dst_gh, groups, CreateGroupedAddrListCmpMpmMaxlen, max_idx);
/* see if the sig group head of each address group is the
@ -2078,8 +2058,8 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
/* Create the destination address list, keeping in
* mind the limits we use. */
int groups = dsize ? (flow ? MAX_UNIQ_TOSERVER_DST_GROUPS : MAX_UNIQ_TOCLIENT_DST_GROUPS) :
(flow ? MAX_UNIQ_SMALL_TOSERVER_DST_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_DST_GROUPS);
int groups = dsize ? (flow ? de_ctx->max_uniq_toserver_dst_groups : de_ctx->max_uniq_toclient_dst_groups) :
(flow ? de_ctx->max_uniq_small_toserver_dst_groups : de_ctx->max_uniq_small_toclient_dst_groups);
CreateGroupedAddrList(de_ctx, tmp_gr_list, family, src_gr->dst_gh, groups, CreateGroupedAddrListCmpMpmMaxlen, max_idx);
/* add the ports to the dst address groups and the sigs
@ -2129,8 +2109,8 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
}
}
int spgroups = dsize ? (flow ? MAX_UNIQ_TOSERVER_SP_GROUPS : MAX_UNIQ_TOCLIENT_SP_GROUPS) :
(flow ? MAX_UNIQ_SMALL_TOSERVER_SP_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_SP_GROUPS);
int spgroups = dsize ? (flow ? de_ctx->max_uniq_toserver_sp_groups : de_ctx->max_uniq_toclient_sp_groups) :
(flow ? de_ctx->max_uniq_small_toserver_sp_groups : de_ctx->max_uniq_small_toclient_sp_groups);
CreateGroupedPortList(de_ctx, de_ctx->sport_hash_table, &dst_gr->port, spgroups, CreateGroupedPortListCmpMpmMaxlen, max_idx);
SCLogDebug("adding sgh %p to the hash", dst_gr->sh);
@ -2183,8 +2163,8 @@ static int BuildDestinationAddressHeadsWithBothPorts(DetectEngineCtx *de_ctx, De
}
}
int dpgroups = dsize ? (flow ? MAX_UNIQ_TOSERVER_DP_GROUPS : MAX_UNIQ_TOCLIENT_DP_GROUPS) :
(flow ? MAX_UNIQ_SMALL_TOSERVER_DP_GROUPS : MAX_UNIQ_SMALL_TOCLIENT_DP_GROUPS);
int dpgroups = dsize ? (flow ? de_ctx->max_uniq_toserver_dp_groups : de_ctx->max_uniq_toclient_dp_groups) :
(flow ? de_ctx->max_uniq_small_toserver_dp_groups : de_ctx->max_uniq_small_toclient_dp_groups);
CreateGroupedPortList(de_ctx, de_ctx->dport_hash_table,
&sp->dst_ph, dpgroups,
CreateGroupedPortListCmpMpmMaxlen, max_idx);
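Review bot: The group limits read in SigAddressPrepareStage2 and the BuildDestinationAddressHeads* hunks were compile-time constants and now come from the `custom-values` block, and nothing visible in this commit bounds them before they reach CreateGroupedAddrList / CreateGroupedPortList. The loader only rejects a value when ByteExtractStringUint16 returns `<= 0`, so 0 or a value near the uint16_t maximum may get through; how the grouping code behaves for those is not visible here, so either confirm it or clamp to a sane range in the loader and warn. A short comment at the first use, e.g. `/* limits come from the detect-engine config, see DetectEngineCtxLoadConf() */`, would also help readers looking for the removed MAX_UNIQ_* macros. All of these functions start and end outside the hunks.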

@ -299,8 +299,40 @@ typedef struct DetectEngineCtx_ {
* hold the cuda context for all the rules content */
int cuda_rc_mod_handle;
#endif
/* Config options */
uint16_t max_uniq_toclient_src_groups;
uint16_t max_uniq_toclient_dst_groups;
uint16_t max_uniq_toclient_sp_groups;
uint16_t max_uniq_toclient_dp_groups;
uint16_t max_uniq_toserver_src_groups;
uint16_t max_uniq_toserver_dst_groups;
uint16_t max_uniq_toserver_sp_groups;
uint16_t max_uniq_toserver_dp_groups;
uint16_t max_uniq_small_toclient_src_groups;
uint16_t max_uniq_small_toclient_dst_groups;
uint16_t max_uniq_small_toclient_sp_groups;
uint16_t max_uniq_small_toclient_dp_groups;
uint16_t max_uniq_small_toserver_src_groups;
uint16_t max_uniq_small_toserver_dst_groups;
uint16_t max_uniq_small_toserver_sp_groups;
uint16_t max_uniq_small_toserver_dp_groups;
} DetectEngineCtx;
/* Engine groups profiles (low, medium, high, custom) */
enum {
ENGINE_PROFILE_UNKNOWN,
ENGINE_PROFILE_LOW,
ENGINE_PROFILE_MEDIUM,
ENGINE_PROFILE_HIGH,
ENGINE_PROFILE_CUSTOM,
ENGINE_PROFILE_MAX
};
/**
* Detection engine thread data.
*/
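Review bot: The sixteen new DetectEngineCtx fields sit under a bare `/* Config options */` comment, which says neither what they limit nor where they are set. I would expand it to something like `/* Max unique address/port groups per flow direction; the small_ variants are used when the dsize index is 0. Filled by DetectEngineCtxLoadConf() from the detect-engine profile. */`. ENGINE_PROFILE_MAX is not referenced by any hunk in this commit; if it is meant as a bounds sentinel, a one-line comment saying so would help.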

@ -55,6 +55,33 @@ defrag:
prealloc: yes
timeout: 60
# The detection engine build internal groups of signatures. The engine
# allow us to specify the profile to use for them, to manage memory on an
# efficient way keeping a good performance. For the profile keyword you
# can use the words "low", "medium", "high" or "custom". If you use custom
# make sure to define the values at "- custom-values" as your convenience.
# Usually you would prefer medium/high/low
detect-engine:
- profile: medium
- custom-values:
toclient_src_groups: 2
toclient_dst_groups: 2
toclient_sp_groups: 2
toclient_dp_groups: 3
toserver_src_groups: 2
toserver_dst_groups: 4
toserver_sp_groups: 2
toserver_dp_groups: 25
small_toclient_src_groups: 2
small_toclient_dst_groups: 2
small_toclient_sp_groups: 2
small_toclient_dp_groups: 2
small_toserver_src_groups: 2
small_toserver_dst_groups: 2
small_toserver_sp_groups: 2
small_toserver_dp_groups: 8
# Select the multi pattern algorithm you want to run for scan/search the
# in the engine. The supported algorithms are b2g, b3g and wumanber.
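Review bot: The comment above `detect-engine:` does not tell the operator that `custom-values` is only read when the profile is `custom`, nor that a missing or unparsable entry silently becomes 2 in DetectEngineCtxLoadConf rather than the medium value shown here (for example `toserver_dp_groups: 25`). I would add a line such as `# custom-values is ignored unless profile is "custom"; missing or invalid entries fall back to 2.` It would also be worth saying outright that higher group counts trade memory for performance, which the current wording only implies.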
