NSM runmode / disabling detection

Suricata can be used to log events like HTTP requests, DNS queries, etc. In some situations that logging may be all you care about, and the detection engine is then only overhead.

In Suricata 2.0, it became possible to disable the detection engine completely. This lowers the per-packet overhead, and automatically disables a few expensive operations that only serve detection, such as part of the stream reassembly.

The command line option '--disable-detection' triggers this behaviour at runtime.

It's also possible to make this the default, by passing '--disable-detection' to configure before building Suricata. If this is done, detection cannot be enabled in that build at all: the resulting binary can only be used for logging, not for alerting on rules.

In this case, the 'configure summary' will contain 'Detection enabled: no', as shown below:

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       no
...

The same configure summary is also printed if Suricata is started with the --build-info command line option, which makes it easy to check an already-installed binary:

$ suricata --build-info
This is Suricata version 2.0dev (rev 94a5dae)
Features: DEBUG UNITTESTS NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUAJIT HAVE_LIBJANSSON 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.1, C version 199901
compiled with -fstack-protector
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.9, linked against LibHTP v0.5.9
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       no
...
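Because a build configured with '--disable-detection' silently has no detection engine, a deployment script should check the 'Detection enabled:' line of the --build-info output before it decides how to start Suricata: pass the runtime '--disable-detection' flag for NSM-only logging when detection is compiled in, and refuse to start an IDS deployment on a binary that cannot load rules. The following is an added example for this page, not code from the Suricata project; the function names are hypothetical and the build-info excerpts are constructed to mirror the output shown above (in practice you would capture `suricata --build-info` instead).

```shell
#!/bin/sh
# Added example (not part of Suricata): pick Suricata launch arguments from
# what `suricata --build-info` reports about the compiled-in detection engine.

# Constructed excerpts of --build-info output, modelled on the page's sample.
# In real use:  BUILD_INFO=$(suricata --build-info)
SAMPLE_BUILD_INFO_NO='This is Suricata version 2.0dev (rev 94a5dae)
Features: AF_PACKET PCRE_JIT HAVE_LIBJANSSON
Suricata Configuration:
  AF_PACKET support:                       yes
  Unix socket enabled:                     yes
  Detection enabled:                       no'

SAMPLE_BUILD_INFO_YES='This is Suricata version 2.0dev (rev 94a5dae)
Features: AF_PACKET PCRE_JIT HAVE_LIBJANSSON
Suricata Configuration:
  AF_PACKET support:                       yes
  Unix socket enabled:                     yes
  Detection enabled:                       yes'

# has_detection_engine BUILD_INFO_TEXT
#   Prints "yes" or "no" taken from the "Detection enabled:" line of the
#   configure summary, or "unknown" if no such line is present.
has_detection_engine() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*Detection enabled:/ {
            gsub(/[ \t]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# suricata_runmode_args BUILD_INFO_TEXT WANT_DETECTION
#   WANT_DETECTION is "yes" (IDS with rules) or "no" (NSM logging only).
#   Prints the extra command line arguments to pass to suricata, or fails
#   when this build cannot satisfy the request.
suricata_runmode_args() {
    build_has=$(has_detection_engine "$1")
    case "$2:$build_has" in
        no:yes)  echo "--disable-detection" ;;   # compiled in, switch it off at runtime
        no:no)   echo "" ;;                      # compiled out already, flag is redundant
        yes:yes) echo "" ;;                      # normal IDS mode, nothing extra
        yes:no)
            echo "error: this Suricata was built with --disable-detection and cannot load rules" >&2
            return 1 ;;
        *)
            echo "error: no 'Detection enabled:' line in build info" >&2
            return 2 ;;
    esac
}

# Demonstration on the constructed samples.
echo "NSM-only on a full build:      $(suricata_runmode_args "$SAMPLE_BUILD_INFO_YES" no)"
echo "NSM-only on a detection-less build: $(suricata_runmode_args "$SAMPLE_BUILD_INFO_NO" no)"
```

The wrapper deliberately fails closed: asking for rule-based detection on a binary whose summary says 'Detection enabled: no' is an error rather than a silently log-only sensor.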