Saturday, February 15, 2014

Suricata - override config parameters on the command line



With the release of 2.0rc1, Suricata IDPS introduced the possibility to override config parameters from the command line.
This is a brief article to give you an idea of how to override config parameters at will/on demand when you start Suricata on the command line, without having to edit and save suricata.yaml for that.

This article follows the initial instructions posted HERE.... plus some extra examples.

The article has the following sections:
  • First Step
  • Overriding multiple parameters
  • Take it to the next level
  • Where to get the values from

First step

So how does it work? Simple: you use the "--set <parameter=value>" syntax:
suricata -c /etc/suricata/suricata.yaml  -i eth0 -v -S empty.rules --set threading.detect-thread-ratio=3

So imagine you start Suricata on the command line like so:
root@LTS-64-1:~/Work/tmp# suricata -c /etc/suricata/suricata.yaml  --af-packet -v -S empty.rules
 - (suricata.c:973) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev f791d0f)
 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
...
and in suricata.yaml, in your af-packet section, you have:
af-packet:
  - interface: eth0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 6

and you get:
.....
 - (stream-tcp-reassemble.c:456) <Info> (StreamTcpReassemblyConfig) -- stream.reassembly "chunk-prealloc": 250
 - (tm-threads.c:2196) <Notice> (TmThreadWaitOnThreadInit) -- all 6 packet processing threads, 3 management threads initialized, engine started.
....

Then you can try the following (the 0 in af-packet.0.threads addresses the first entry of the af-packet list, i.e. the eth0 interface above):
root@LTS-64-1:~/Work/tmp# suricata -c /etc/suricata/suricata.yaml  --af-packet -v -S empty.rules --set  af-packet.0.threads=4
 - (suricata.c:973) <Notice> (SCPrintVersion) -- This is Suricata version 2.0dev (rev f791d0f)
 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
....


and you would get:
....
 - (tm-threads.c:2196) <Notice> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 3 management threads initialized, engine started.
...

Simple.

Now let's try to change some memory settings on the fly. If in your suricata.yaml you have:

stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 64mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
which are the default settings, then when you start Suricata without overriding any values you will most likely see something like this:
root@LTS-64-1:~/Work/tmp# suricata -c /etc/suricata/suricata.yaml  -i eth0 -v -S empty.rules
....
- (stream-tcp.c:373) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
- (stream-tcp.c:389) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
- (stream-tcp.c:395) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
- (stream-tcp.c:401) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
- (stream-tcp.c:418) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
- (stream-tcp.c:440) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
- (stream-tcp.c:453) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
- (stream-tcp.c:471) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
- (stream-tcp.c:489) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
....

Let's say you want to raise the stream reassembly memcap because you are seeing a lot of drops and want to determine if this is the issue. Then you could try:
root@LTS-64-1:~/Work/tmp# suricata -c /etc/suricata/suricata.yaml  -i eth0 -v -S empty.rules --set stream.reassembly.memcap=512mb
- (stream-tcp.c:373) <Info> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
 - (stream-tcp.c:389) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
 - (stream-tcp.c:395) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
 - (stream-tcp.c:401) <Info> (StreamTcpInitConfig) -- stream "async-oneside": disabled
 - (stream-tcp.c:418) <Info> (StreamTcpInitConfig) -- stream "checksum-validation": enabled
 - (stream-tcp.c:440) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
 - (stream-tcp.c:453) <Info> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
 - (stream-tcp.c:471) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 536870912
 - (stream-tcp.c:489) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576

and there it is: 512MB of stream reassembly memcap.

You can override any of the variables in suricata.yaml that way. Another example:
root@LTS-64-1:~/Work/tmp# suricata -c /etc/suricata/suricata.yaml  -i eth0 -v -S empty.rules --set flow-timeouts.tcp.established=720


this would change the established TCP flow timeout to 720 seconds. The corresponding default section in suricata.yaml is:

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20



Override multiple parameters

Sure, no problem:
root@LTS-64-1:~/Work/tmp# suricata -c /etc/suricata/suricata.yaml  -i eth0 -v -S empty.rules --set flow-timeouts.tcp.established=720 --set stream.reassembly.memcap=512mb


Take it to the next level

Here you go:
src/suricata --af-packet=${NIC_IN} -S /dev/null -c suricata.yaml -l "${TD}/logs" -D --pidfile="${TD}/suricata.pid" --set "logging.outputs.1.file.enabled=yes" --set "logging.outputs.1.file.filename=${TD}/logs/suricata.log" --set "af-packet.0.interface=eth2" --set "af-packet.0.threads=4" --set "flow.memcap=256mb" --set "stream.reassembly.memcap=512mb" --runmode=workers --set "af-packet.0.buffer-size=8388608"
Yep, a one-liner :) - one of my favorites; compliments to Victor Julien.
You can use shell variables too! Handy, very handy I believe.


Where to get the key/values from

(thanks to a friendly reminder from regit)

So how do you know what the key/value pairs are, i.e. where do you get the key and value for af-packet.0.buffer-size=8388608?

key ->  af-packet.0.buffer-size
value -> 8388608
(the value is the one that you can adjust)

Easy, just issue a "suricata --dump-config" command on the PC/server where you have Suricata installed:

root@LTS-64-1:~# suricata --dump-config
15/2/2014 -- 10:39:02 - <Notice> - This is Suricata version 2.0rc1 RELEASE
host-mode = auto
default-log-dir = /var/log/suricata/
unix-command = (null)
unix-command.enabled = yes
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = no
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.type = file
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.1 = http
outputs.1.eve-log.types.1.http = (null)
outputs.1.eve-log.types.1.http.extended = yes
outputs.1.eve-log.types.2 = dns
outputs.1.eve-log.types.3 = tls
outputs.1.eve-log.types.3.tls = (null)
outputs.1.eve-log.types.3.tls.extended = yes
outputs.1.eve-log.types.4 = files
outputs.1.eve-log.types.4.files = (null)
outputs.1.eve-log.types.4.files.force-magic = no
outputs.1.eve-log.types.4.files.force-md5 = no
...
...
...
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 3600
flow-timeouts.tcp.closed = 120
flow-timeouts.tcp.emergency-new = 10
flow-timeouts.tcp.emergency-established = 300
flow-timeouts.tcp.emergency-closed = 20
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
stream = (null)
stream.memcap = 32mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 64mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes

.......

It will be a LONG list, but you get all the key/value pairs from it :)
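To make the key-path idea concrete, here is a small added example (my own illustration, not Suricata code): it models how a "--set key=value" walks the nested suricata.yaml tree (a numeric segment such as the 0 in af-packet.0.threads picks a list entry), how the tree flattens into the "key = value" lines that --dump-config prints, and how a memcap string like "512mb" becomes the byte count shown in the stream-tcp.c startup lines. The CONFIG dict is constructed here to mirror the YAML fragments quoted above; the real engine's parser and ConfSet internals are not used.

```python
import copy
import re

# Constructed here to mirror the suricata.yaml fragments quoted in the article.
CONFIG = {
    "af-packet": [{"interface": "eth0", "threads": 6}],
    "stream": {"memcap": "32mb", "checksum-validation": "yes",
               "reassembly": {"memcap": "64mb", "depth": "1mb"}},
    "flow-timeouts": {"tcp": {"new": 60, "established": 3600, "closed": 120}},
}

_UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

def parse_size(text):
    """'512mb' -> 536870912: binary units, matching the stream-tcp.c log lines."""
    m = re.fullmatch(r"(\d+)([kmg]b)?", str(text).strip(), re.IGNORECASE)
    if not m:
        raise ValueError("bad size value: %r" % (text,))
    return int(m.group(1)) * _UNITS.get((m.group(2) or "").lower(), 1)

def apply_set(config, assignment):
    """Apply one --set 'a.b.0.c=value'; a numeric segment indexes a YAML list.
    Values stay strings, which is how they arrive from the command line."""
    key, sep, value = assignment.partition("=")
    if not sep or not key:
        raise ValueError("expected key=value, got %r" % (assignment,))
    *parents, last = key.split(".")
    node = config
    for seg in parents:  # KeyError/IndexError here means the path is unknown
        node = node[int(seg)] if isinstance(node, list) else node[seg]
    node[int(last) if isinstance(node, list) else last] = value
    return config

def effective_config(overrides):
    """Start from CONFIG and apply the --set arguments in command-line order."""
    cfg = copy.deepcopy(CONFIG)
    for assignment in overrides:
        apply_set(cfg, assignment)
    return cfg

def dump_config(config, prefix=""):
    """Flatten a tree into the 'key = value' lines --dump-config prints;
    a node that only holds children is shown as '(null)', as in the listing."""
    lines = []
    items = enumerate(config) if isinstance(config, list) else config.items()
    for k, v in items:
        key = "%s%s" % (prefix, k)
        if isinstance(v, (dict, list)):
            lines.append("%s = (null)" % key)
            lines.extend(dump_config(v, key + "."))
        else:
            lines.append("%s = %s" % (key, v))
    return lines
```

Calling effective_config(["af-packet.0.threads=4", "stream.reassembly.memcap=512mb"]) and printing dump_config() of the result gives the same key paths you would pass to --set, which is a quick way to check a long one-liner before running it.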