Make 'autofp' the default runmode. Increase default max-pending-packets to 1024. Move some advanced and uncommonly changed settings down in the stock suricata.yaml. Closes #433.

src/runmode-af-packet.c

@@ -60,7 +60,7 @@ const char *RunModeAFPGetDefaultMode(void)
 
 void RunModeIdsAFPRegister(void)
 {
-    default_mode_auto = "auto";
+    default_mode_auto = "autofp";
     RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "auto",
                               "Multi threaded af-packet mode",
                               RunModeIdsAFPAuto);

src/runmode-ipfw.c

@@ -57,7 +57,7 @@ const char *RunModeIpsIPFWGetDefaultMode(void)
 
 void RunModeIpsIPFWRegister(void)
 {
-    default_mode = "auto";
+    default_mode = "autofp";
     RunModeRegisterNewRunMode(RUNMODE_IPFW, "auto",
                               "Multi threaded IPFW IPS mode",
                               RunModeIpsIPFWAuto);

src/runmode-nfq.c

@@ -55,7 +55,7 @@ const char *RunModeIpsNFQGetDefaultMode(void)
 
 void RunModeIpsNFQRegister(void)
 {
-    default_mode = "auto";
+    default_mode = "autofp";
     RunModeRegisterNewRunMode(RUNMODE_NFQ, "auto",
                               "Multi threaded NFQ IPS mode",
                               RunModeIpsNFQAuto);

src/runmode-pcap-file.c

@@ -51,7 +51,7 @@ void RunModeFilePcapRegister(void)
     RunModeRegisterNewRunMode(RUNMODE_PCAP_FILE, "auto",
                               "Multi threaded pcap file mode",
                               RunModeFilePcapAuto);
-    default_mode = "auto";
+    default_mode = "autofp";
     RunModeRegisterNewRunMode(RUNMODE_PCAP_FILE, "autofp",
                               "Multi threaded pcap file mode.  Packets from "
                               "each flow are assigned to a single detect thread, "

src/runmode-pcap.c

@@ -54,7 +54,7 @@ void RunModeIdsPcapRegister(void)
     RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "auto",
                               "Multi threaded pcap live mode",
                               RunModeIdsPcapAuto);
-    default_mode = "auto";
+    default_mode = "autofp";
     RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp",
                               "Multi threaded pcap live mode.  Packets from "
                               "each flow are assigned to a single detect thread, "

src/runmode-pfring.c

@@ -56,7 +56,7 @@ const char *RunModeIdsPfringGetDefaultMode(void)
 
 void RunModeIdsPfringRegister(void)
 {
-    default_mode_auto = "auto";
+    default_mode_auto = "autofp";
     RunModeRegisterNewRunMode(RUNMODE_PFRING, "auto",
                               "Multi threaded pfring mode",
                               RunModeIdsPfringAuto);

src/suricata.c

@@ -197,7 +197,7 @@ volatile sig_atomic_t sigterm_count = 0;
 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
 
 /* Max packets processed simultaniously. */
-#define DEFAULT_MAX_PENDING_PACKETS 50
+#define DEFAULT_MAX_PENDING_PACKETS 1024
 
 /** suricata engine control flags */
 uint8_t suricata_ctl_flags = 0;

suricata.yaml.in

@@ -7,29 +7,30 @@
 
 
 # Number of packets allowed to be processed simultaneously.  Default is a
-# conservative 50. a higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but will negatively impact caching.
+# conservative 1024. A higher number will make sure CPU's/CPU cores will be
+# more easily kept busy, but may negatively impact caching.
 #
 # If you are using the CUDA pattern matcher (b2g_cuda below), different rules
 # apply. In that case try something like 4000 or more. This is because the CUDA
 # pattern matcher scans many packets in parallel.
-#max-pending-packets: 50
+#max-pending-packets: 1024
 
-# Runmode custom mode the engine should run in.  Please check --list-runmodes
-# to get the runmode custom modes that can be used here for a particular runmode.
-#runmode: auto
+# Runmode the engine should use. Please check --list-runmodes to get the available
+# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
+# load balancing).
+#runmode: autofp
 
-# Specifies the kind of q scheduler used by flow pinned autofp mode.
+# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
 #
 # Supported schedulers are:
 #
-# round-robin - Flows assigned to threads in a round robin fashion.
-# active-packets - Flows assigned to threads that have the lowest number of
-#                  unprocessed packets.
-# hash - Flow alloted usihng the address hash. More of a random technique. Was
-#        the default in 1.2.1 and older.
+# round-robin       - Flows assigned to threads in a round robin fashion.
+# active-packets    - Flows assigned to threads that have the lowest number of
+#                     unprocessed packets (default).
+# hash              - Flow alloted usihng the address hash. More of a random
+#                     technique. Was the default in Suricata 1.2.1 and older.
 #
-autofp-scheduler: active-packets
+#autofp-scheduler: active-packets
 
 # Default pid file.
 # Will use this file if no --pidfile in command options.
@@ -40,15 +41,6 @@ autofp-scheduler: active-packets
 # packet size (MTU + hardware header) on your system.
 #default-packet-size: 1514
 
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
-  - pass
-  - drop
-  - reject
-  - alert
-
-
 # The default logging directory.  Any log or output file will be
 # placed here if its not specified with a full path name.  This can be
 # overridden with the -l command line parameter.
@@ -249,25 +241,6 @@ af-packet:
     # buffer-size: 32768
     # disable-promisc: no
 
-defrag:
-  max-frags: 65535
-  prealloc: yes
-  timeout: 60
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit.  The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
-  # enables printing reports for fast-pattern for every rule.
-  rules-fast-pattern: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
-  match-limit: 3500
-  match-limit-recursion: 1500
-
 # You can specify a threshold config file by setting "threshold-file"
 # to the path of the threshold config file:
 # threshold-file: /etc/suricata/threshold.config
@@ -446,6 +419,13 @@ pattern-matcher:
       hash-size: low
       bf-size: medium
 
+# Defrag settings:
+
+defrag:
+  max-frags: 65535
+  prealloc: yes
+  timeout: 60
+
 # Flow settings:
 # By default, the reserved memory (memcap) for flows is 32MB. This is the limit
 # for flow allocation inside the engine. You can change this value to allow
@@ -767,6 +747,16 @@ vars:
 
     SSH_PORTS: 22
 
+
+# Set the order of alerts bassed on actions
+# The default order is pass, drop, reject, alert
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+
+
 # Host specific policies for defragmentation and TCP stream
 # reassembly.  The host OS lookup is done using a radix tree, just
 # like a routing table so the most specific entry matches.
@@ -790,6 +780,20 @@ host-os-policy:
 # Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256
 
+# When run with the option --engine-analysis, the engine will read each of
+# the parameters below, and print reports for each of the enabled sections
+# and exit.  The reports are printed to a file in the default log dir
+# given by the parameter "default-log-dir", with engine reporting
+# subsection below printing reports in its own report file.
+engine-analysis:
+  # enables printing reports for fast-pattern for every rule.
+  rules-fast-pattern: yes
+
+#recursion and match limits for PCRE where supported
+pcre:
+  match-limit: 3500
+  match-limit-recursion: 1500
+
 ###########################################################################
 # Configure libhtp.
 #