• Suricata


    Suricata is the OISF IDP engine, the open source Intrusion Detection and Prevention Engine.

    IDS: Intrusion Detection System

    IPS: Intrusion Prevention System

    Suricata.yaml

    Max-pending-packets

    With the max-pending-packets setting you can set the number of packets you allow Suricata to process simultaneously.

    Runmodes

    The way threads, modules and queues are arranged together is called the Runmode.

    Action-order

    All signatures have different properties. One of those is the Action property. This one determines what will happen when a signature matches.
    There are four types of Action. A summary of what will happen when a signature matches and contains one of those Actions:

    1) Pass
    If a signature matches and contains pass, Suricata stops scanning the packet and skips to the end of all rules (only for the current packet).

    2) Drop
    This only concerns the IPS/inline mode.
    If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further. 
    Drawback: The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.

    3) Reject
    This is an active rejection of the packet. Both receiver and sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped like with the 'drop' action.

    4) Alert
    If a signature matches and contains alert, the packet will be treated like any other non-threatening packet, except for this one an alert will be generated by Suricata. Only the system administrator can notice this alert.
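    As an added illustration (not Suricata's own code), the following Python model resolves the effective verdict for one packet when several signatures with different actions match, assuming the default action-order shipped in suricata.yaml (pass, drop, reject, alert); the `inline` flag and the `Verdict` fields are my own naming, and the model simplifies the real engine.

```python
"""Model of how the action-order list in suricata.yaml resolves the verdict
for one packet when several signatures match. Added illustration only; it is
not Suricata source code and simplifies the real engine."""
from dataclasses import dataclass
from typing import List, Optional

# Default order shipped in suricata.yaml: an earlier entry beats a later one,
# so 'pass' wins over 'drop', 'drop' over 'reject', 'reject' over 'alert'.
DEFAULT_ACTION_ORDER = ["pass", "drop", "reject", "alert"]


@dataclass
class Verdict:
    action: str                   # winning action, or "none" when nothing matched
    forwarded: bool               # does the packet continue past the engine?
    alert: bool                   # is an alert record generated?
    reject_packet: Optional[str]  # "tcp-rst", "icmp-error" or None


def resolve(matched_actions: List[str], proto: str, inline: bool,
            action_order: List[str] = DEFAULT_ACTION_ORDER) -> Verdict:
    """Pick the effective action for one packet (constructed model)."""
    if not matched_actions:
        return Verdict("none", True, False, None)
    unknown = set(matched_actions) - set(action_order)
    if unknown:
        raise ValueError(f"action(s) not in action-order: {sorted(unknown)}")
    # The matched action that appears earliest in action-order wins.
    action = min(matched_actions, key=action_order.index)

    if action == "pass":
        # Remaining rules are skipped for this packet; no alert is raised.
        return Verdict("pass", True, False, None)
    if action == "drop":
        # Blocked only in IPS/inline mode; in IDS mode it is logged but forwarded.
        return Verdict("drop", not inline, True, None)
    if action == "reject":
        # TCP gets a reset, every other protocol an ICMP error; dropped when inline.
        rst = "tcp-rst" if proto.lower() == "tcp" else "icmp-error"
        return Verdict("reject", not inline, True, rst)
    # alert: packet is treated like any other, but an alert is generated.
    return Verdict("alert", True, True, None)


if __name__ == "__main__":
    # Constructed sample: two rules fire on one TCP packet in inline mode.
    print(resolve(["alert", "drop"], "tcp", inline=True))
```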

    The Suricata engine is an open source next-generation intrusion detection and prevention engine. It does not aim to replace or mimic existing tools, but brings new ideas and technologies to the field. The Suricata engine and the HTP library are available under the GPLv2.

    Suricata is a rule-based IDS/IPS engine that uses externally developed rule sets to monitor network traffic and provides alerts to the system administrator when suspicious events occur.

    The initial release of Suricata runs on the Linux 2.6 platform, supports inline and passive traffic monitoring configurations, and is capable of handling multi-gigabit traffic levels.

    Multi-threading

    In addition to hardware acceleration (subject to hardware and NIC limitations), the engine is built to use the ever-increasing processing power of the latest multi-core CPU chipsets.

    The engine supports the following features: the latest Snort VRT rules and Snort logging; rule language options; multi-threading; hardware acceleration (hardware and NIC dependent/limited); unified output, allowing interaction with external log management systems; IPv6; rule-based IP reputation; library plug-ability, allowing interaction with other applications; performance statistics output; and a simple but effective getting-started user manual.

    Multi Threading

    Thread Module Description: A thread module defines a packet-processing unit, from packet acquisition to packet detection. One or more modules can run in a single thread.

    Queue Description: If multiple threads are used to process packets serially, queues are used to pass packets between them. A thread has a queue handler function that determines how packets are obtained and/or discarded.

    Queue Handler Description: The queue handler function is called by a thread to fetch a packet from, or hand a packet on to, the next thread.


    Snort's job is to listen to TCP/IP network traffic and look for signatures in the data flow that might indicate a security threat to an organization's network and computer systems.

    Snort's job is to listen to TCP/IP network traffic.

  • Original article: https://www.cnblogs.com/jokerwoods/p/3518714.html