NAME
Ixchel::Actions::suricata_include - Generates the instance specific include for a suricata instance.
VERSION
Version 0.3.2
CLI SYNOPSIS
ixchel -a suricata_include [-i <instance>] [-d <base_dir>]
ixchel -a suricata_include [-w] [--np] [-i <instance>] [-d <base_dir>] [-E <exclude>] [-t <auto threading>] [--sna <0/1>] [--sno] [--snl <0/1>]
CODE SYNOPSIS
use Data::Dumper;
my $results=$ixchel->action(action=>'suricata_include', opts=>{np=>1, w=>1, });
print Dumper($results);DESCRIPTION
This generates a the general purpose include for Suricata.
The include is generated by first reading in the values under .suricata.config and then if multiple instances are enabled, then .suricata.instances.$instance is merged into it. Arrays are replaced with the new array while the rest are just merged using Hash::Merge using RIGHT_PRECEDENT with the right being .suricata.instances.$instance .
If told to write it out, it will be written out to undef .suricata.config_base with the name "include.yaml" or "include-$instance.yaml" if multiple instances are in use.
AUTOMATED THREADING
Automated threading can be enabled by setting .suricata.auto_threading.enable=1, defaults to 0.
This requires lstopo to be available package hwloc on most OSes.
Most cores are used for worker-cpu-set with those excluded from it being used for management-cpu-set and receive-cpu-set. The count is per NUMA node. Non-NUMA are treated as a single node NUMA.
core count <= 16 = excluded 2
core count > 16 = excluded 3This can be overrided by setting .suricata.auto_threading.exclude .
Will error if auto threading is enabled and exclude is greater than half the available cores.
Enabled on a system with 16 cores and a exclude of 3, will result in the below.
threading:
cpu-affinity:
- management-cpu-set:
cpu:
- 0
- 1
- 2
mode: balanced
- receive-cpu-set:
cpu:
- 0
- 1
- 2
mode: balanced
- worker-cpu-set:
cpu:
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
mode: exclusive
set-cpu-affinity: yesAUTOMATED SENSOR-NAME
.sensor-name can be autogenerated if .suricata.auto_sensor_name.enable=1 or --sna 1 is set. For it to be generated it requires .suricata.instances.$instance.sensor-name and .suricata.config.sensor-name not be specified or --sno be used.
The base of the sensor-name is set to hostname of the device, which will be shortened, removing everything after the first . if .suricata.auto_sensor_name.full=0 or --snl 1.
If this is disabled and .suricata.instances.$instance.sensor-name and .suricata.config.sensor-name is not defined, this will error as there is no value for .sensor-name specified.
FLAGS
-w
Write the generated services to service files.
-i instance
A instance to operate on.
-d <base_dir>
Use this as the base dir instead of .suricata.config_base from the config.
-E <exclude>
Exclude per NUMA nod value.
This will override .suricata.auto_threading.exclude as well as the default.
-t <auto threading>
Auto threading enable/disable, 0/1 boolean.
This will override .suricata.auto_threading.enable as well as the default.
--sna <0/1>
Override .suricata.auto_sensor_name.enable with the specified value.
--sno
Disable using .suricata.instances.$instance.sensor-name or .suricata.config.sensor-name for the value for .sensor-name in the generated include.
This will automatically set --sna 1.
--snl <0/1>
Overrides .suricata.auto_sensor_name.full.
RESULT HASH REF
.errors :: A array of errors encountered.
.status_text :: A string description of what was done and teh results.
.ok :: Set to zero if any of the above errored.