Add better default suricata configuration for different traffic sizes and cpu/system architectures
Related to improving Out of the Box Experience.
- 1 Gbps
- 10 Gbps
- 2-3 (sniffing) port
- IPS set up for AFP
The above should be based on certain assumptions (mainly available CPU/RAM etc).
Updated by Victor Julien almost 4 years ago
- Assignee set to OISF Dev
- Target version set to TBD
I think this ticket contains 2 separate tasks: 1) create an easy system to produce these configs based on a single 'master' yaml. 2) define the various settings for the various profiles.
Updated by Jason Ish almost 4 years ago
A few thoughts here.
We should identify all the fields in the suricata.yaml that would need to be customized and put place_holder type values in them. Then using YAML, we could create a file with a list of named profiles to provide these values. A Python script (or even sed) could output a config with the place_holder values replaced. Ideas for profiles could be AWS instance types, or suggested settings for certain requirements.
Would it make sense for a script to profile the system (memory size, etc) and auto-generate a profile?
Script could be part of suricatactl.
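The placeholder-substitution and auto-profiling idea above, as an added example that is not part of this ticket and not code from suricatactl or the Suricata project. The template fragment, the `@@NAME@@` placeholder syntax, the profile values and the CPU/RAM thresholds are all constructed assumptions for illustration, not OISF recommendations. Besides substituting values, it refuses to emit a config that still contains a placeholder (a half-filled suricata.yaml would either be rejected or silently fall back to defaults) and checks that the profile's memcaps together fit in the host's RAM, which is the "certain assumptions (mainly available CPU/RAM)" the ticket asks the profiles to rest on.

```python
import re

# Constructed template fragment, not Suricata's real suricata.yaml:
# the @@NAME@@ placeholder syntax is an assumption for this example.
TEMPLATE = """\
%YAML 1.1
---
af-packet:
  - interface: @@IFACE@@
    threads: @@AF_THREADS@@
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
stream:
  memcap: @@STREAM_MEMCAP@@
  reassembly:
    memcap: @@REASSEMBLY_MEMCAP@@
flow:
  memcap: @@FLOW_MEMCAP@@
detect:
  profile: @@DETECT_PROFILE@@
"""

# Named profiles; the values are constructed, not OISF recommendations.
PROFILES = {
    "1gbps": {
        "AF_THREADS": 4,
        "STREAM_MEMCAP": "1gb",
        "REASSEMBLY_MEMCAP": "2gb",
        "FLOW_MEMCAP": "512mb",
        "DETECT_PROFILE": "medium",
    },
    "10gbps": {
        "AF_THREADS": 16,
        "STREAM_MEMCAP": "8gb",
        "REASSEMBLY_MEMCAP": "16gb",
        "FLOW_MEMCAP": "4gb",
        "DETECT_PROFILE": "high",
    },
}

PLACEHOLDER = re.compile(r"@@([A-Z_]+)@@")
SIZE = re.compile(r"^(\d+)\s*(kb|mb|gb)?$", re.IGNORECASE)
UNITS = {None: 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def placeholders(template):
    """Return the sorted set of placeholder names found in the template."""
    return sorted(set(PLACEHOLDER.findall(template)))


def parse_size(text):
    """Convert a Suricata-style memcap such as '512mb' into bytes."""
    m = SIZE.match(str(text).strip())
    if not m:
        raise ValueError("bad size: %r" % text)
    unit = m.group(2).lower() if m.group(2) else None
    return int(m.group(1)) * UNITS[unit]


def memcap_total(values):
    """Sum every *_MEMCAP value so a profile can be checked against host RAM."""
    return sum(parse_size(v) for k, v in values.items() if k.endswith("_MEMCAP"))


def render(template, profile, host_ram_bytes, extra=None):
    """Fill every placeholder from a named profile plus per-host overrides.

    Raises KeyError if any placeholder would be left unfilled and ValueError
    if the profile's memcaps together exceed the host's RAM.
    """
    values = dict(PROFILES[profile])
    values.update(extra or {})
    missing = set(placeholders(template)) - set(values)
    if missing:
        raise KeyError("unfilled placeholders: %s" % ", ".join(sorted(missing)))
    if memcap_total(values) > host_ram_bytes:
        raise ValueError("profile %r needs more memcap than the host has" % profile)
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def choose_profile(cpu_count, host_ram_bytes):
    """Crude auto-selection from host resources; the thresholds are assumed."""
    if cpu_count >= 16 and host_ram_bytes >= 32 * 1024 ** 3:
        return "10gbps"
    return "1gbps"


if __name__ == "__main__":
    import os
    cpus = os.cpu_count() or 1
    ram = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")  # Unix only
    prof = choose_profile(cpus, ram)
    print(render(TEMPLATE, prof, ram, {"IFACE": "eth0"}))
```

Run directly, it sizes the host and prints a filled-in config for the chosen profile; the interface name is the one value that has no sensible profile default, so it is passed as a per-host override and the render step fails loudly if it is forgotten.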
Updated by Peter Manev over 3 years ago
A script would make sense indeed - though the expectation would be that Suri only would be running on the system.
Long time ago I started this - https://github.com/pevma/AAIS as part of similar effort.
We could also set up a couple of "hardcoded" configs that aim at covering 1Gbps setups - those should be pretty easy I think. A 10Gbps setup would be a bit more complex as it would depend actually also on NUMA/Intel/AMD architecture.