[suricata]--Detection engine

# 0.参考

[1] [Detection engine](https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/configuration/suricata-yaml.html)

# 1. Detection engine
<center>
![detection-engine grouping tree](https://leanote.com/api/file/getImage?fileId=5d4231f8ab64410f600002c3)
</center>

<center>
![Detail grouping tree](https://leanote.com/api/file/getImage?fileId=5d423286ab64410f600002c7)
</center>

```
detect:
  profile: medium  #balance of performance and little use of memory
  custom-values:
    toclient-groups: 2
    toserver-groups: 25
  sgh-mpm-context: auto # sig group head has MPM-context,full是每个sig group head 一个；single 所有的sig group head公用一个，auto两者兼得，如果采用ac ac-gfbs这两种匹配算法，他们用自己的sgh-MPM-Context
  inspection-recursion-limit: 3000 #bug 死循环，退出机制
```

## 1.1 Prefilter Engines
预过滤引擎，把所有的rule放到prefilter里,利用MPM(Multi-Pattern-Matcher)做一次匹配
for a full list of keywords that support prefilter
```
suricata --list-keywords=all
```
suricata can sutomatically select prefilter options,or it can be set manually.
```
detect:
    prefilter:
        default:mpm
```

the prefilter engines for other non-MPM keywords can then be enabled in specific fules by using the 'prefilter' keyword
E.g.
```
alert ip any any -> any any (ttl:123; prefilter; sid:1;)
```

To let suricata make these decisions set default to 'auto':
```
detect:
  prefilter:
    default: auto
```

## 1.2 Pattern matcher settings

**The multi-pattern-matcher (MPM) is a part of the detection engine within Suricata that searches for multiple patterns at once**

<center>
![MPM](https://leanote.com/api/file/getImage?fileId=5d423d9bab6441115e000321)
</center>

Suricata offers various implementations of different multi-pattern-matcher algorithm’s. These can be found below
```
mpm-algo:b2gc #b2g ,b2gc, b2gm, b3g, wumanber, ac, ac-gfbs
```

```
pattern-matcher:
  - b2gc:
      search_algo: B2gSearchBNDMq
      hash_size: low                    #Determines the size of the hash-table.
      bf_size: medium                   #Determines the size of the bloom- filter.
  - b3g:
      search_algo: B3gSearchBNDMq
      hash_size: low                    #See hash-size -b2gc.
      bf_size: medium                   #See bf-size -b2gc.
  - wumanber:
      hash_size: low                    #See hash-size -b2gc.
      bf_size: medium                   #See bf-size -b2gc.
```

信息安全从业人员^_^

导航

最近发表

友情链接