Untitled

a guest
Jul 30th, 2015
af-packet:
  - interface: eth2
    # Number of receive threads. "auto" uses the number of cores
    threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
    # Possible values are:
    #  * cluster_round_robin: round robin load balancing
    #  * cluster_flow: all packets of a given flow are sent to the same socket
    #  * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash cannot be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    # Ring size will be computed with respect to max_pending_packets and number
    # of threads. You can manually set the ring size in number of packets by setting
    # the following value. If you are using the flow cluster-type and have a really
    # network-intensive single flow, you may want to set the ring-size independently
    # of the number of threads:
    #ring-size: 2048
    # On a busy system, setting this to yes could help to recover from a packet drop
    # phase. This will result in some packets (at most a ring flush) not being treated.
    #use-emergency-flush: yes
    # recv buffer size, increasing the value could improve performance
    # buffer-size: 32768
    # Set to yes to disable promiscuous mode
    # disable-promisc: no
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may have an invalid checksum due to
    # offloading of the checksum computation to the network card.
    # Possible values are:
    #  - kernel: use indication sent by kernel for each packet (default)
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used.
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: kernel
    # BPF filter to apply to this interface. The pcap filter syntax applies here.
    # Traffic to or from the three excluded hosts never reaches Suricata on this
    # interface, so it is neither inspected nor logged.
    bpf-filter: "not (host 52.27.128.56 or host 52.27.128.59 or host 52.27.128.62)"
    # You can use the following variables to activate AF_PACKET tap or IPS mode.
    # If copy-mode is set to ips or tap, the traffic coming to the current
    # interface will be copied to the copy-iface interface. If 'tap' is set, the
    # copy is complete. If 'ips' is set, the packets matching a 'drop' action
    # will not be copied.
    #copy-mode: ips
    #copy-iface: eth1
  - interface: eth1
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    # buffer-size: 32768
    # disable-promisc: no
  # Put default values here
  - interface: default
    #threads: auto
    #use-mmap: yes
    rollover: yes