Go to the documentation of this file.
34 #ifdef HAVE_SYS_RESOURCE_H
36 #include <sys/resource.h>
144 #ifdef SYSTEMD_NOTIFY
169 #define DEFAULT_MAX_PENDING_PACKETS 1024
194 #ifndef AFLFUZZ_NO_RANDOM
301 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
302 static void SignalHandlerSigint(
int sig)
306 static void SignalHandlerSigterm(
int sig)
312 #define UNW_LOCAL_ONLY
313 #include <libunwind.h>
314 static void SignalHandlerUnexpected(
int sig_num, siginfo_t *info,
void *context)
319 signal(SIGABRT, SIG_DFL);
320 signal(SIGSEGV, SIG_DFL);
322 if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
323 SCLogError(
"unable to obtain stack trace: unw_init_local: %s", unw_strerror(r));
332 if (unw_is_signal_frame(&cursor) == 0) {
335 if (unw_get_proc_name(&cursor,
name,
sizeof(
name), &off) == UNW_ENOMEM) {
344 r = unw_step(&cursor);
354 kill(getpid(), sig_num);
356 #undef UNW_LOCAL_ONLY
366 static void SignalHandlerSigusr2(
int sig)
376 static void SignalHandlerSigHup(
int sig)
429 #ifdef HAVE_AF_PACKET
437 #ifdef BUILD_HYPERSCAN
458 static void OnNotifyRunning(
void)
460 #ifdef SYSTEMD_NOTIFY
486 static int SetBpfString(
int argc,
char *argv[])
488 char *bpf_filter = NULL;
489 uint32_t bpf_len = 0;
494 while(argv[tmpindex] != NULL) {
495 bpf_len+=strlen(argv[tmpindex]) + 1;
507 while(argv[tmpindex] != NULL) {
508 strlcat(bpf_filter, argv[tmpindex],bpf_len);
509 if(argv[tmpindex + 1] != NULL) {
510 strlcat(bpf_filter,
" ", bpf_len);
515 if(strlen(bpf_filter) > 0) {
527 static void SetBpfStringFromFile(
char *filename)
529 char *bpf_filter = NULL;
530 char *bpf_comment_tmp = NULL;
531 char *bpf_comment_start = NULL;
537 fp = fopen(filename,
"r");
539 SCLogError(
"Failed to open file %s", filename);
544 SCLogError(
"Failed to stat file %s", filename);
548 bpf_len = ((size_t)(st.st_size)) + 1;
552 SCLogError(
"Failed to allocate buffer for bpf filter in file %s", filename);
556 nm = fread(bpf_filter, 1, bpf_len - 1, fp);
557 if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
558 SCLogError(
"Failed to read complete BPF file %s", filename);
564 bpf_filter[nm] =
'\0';
566 if(strlen(bpf_filter) > 0) {
568 bpf_comment_start = bpf_filter;
569 while((bpf_comment_tmp = strchr(bpf_comment_start,
'#')) != NULL) {
570 while((*bpf_comment_tmp !=
'\0') &&
571 (*bpf_comment_tmp !=
'\r') && (*bpf_comment_tmp !=
'\n'))
573 *bpf_comment_tmp++ =
' ';
575 bpf_comment_start = bpf_comment_tmp;
578 while((bpf_comment_tmp = strchr(bpf_filter,
'\r')) != NULL) {
579 *bpf_comment_tmp =
' ';
581 while((bpf_comment_tmp = strchr(bpf_filter,
'\n')) != NULL) {
582 *bpf_comment_tmp =
' ';
585 while (strlen(bpf_filter) > 0 &&
586 bpf_filter[strlen(bpf_filter)-1] ==
' ')
588 bpf_filter[strlen(bpf_filter)-1] =
'\0';
590 if (strlen(bpf_filter) > 0) {
600 static void PrintUsage(
const char *progname)
607 printf(
"USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
609 printf(
"\n General:\n");
610 printf(
"\t-v : be more verbose (use multiple times to "
611 "increase verbosity)\n");
612 printf(
"\t-c <path> : path to configuration file\n");
613 printf(
"\t-l <dir> : default log directory\n");
614 printf(
"\t--include <path> : additional configuration file\n");
615 printf(
"\t--set name=value : set a configuration value\n");
616 printf(
"\t--pidfile <file> : write pid to this file\n");
617 printf(
"\t-T : test configuration file (use with -c)\n");
618 printf(
"\t--init-errors-fatal : enable fatal failure on signature init "
621 printf(
"\t-D : run as daemon\n");
623 printf(
"\t--service-install : install as service\n");
624 printf(
"\t--service-remove : remove service\n");
625 printf(
"\t--service-change-params : change service startup parameters\n");
627 #ifdef HAVE_LIBCAP_NG
628 printf(
"\t--user <user> : run suricata as this user after init\n");
629 printf(
"\t--group <group> : run suricata as this group after init\n");
631 #ifdef BUILD_UNIX_SOCKET
632 printf(
"\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
634 printf(
"\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
635 "\t supplied should be the id for the runmode obtained by running\n"
636 "\t --list-runmodes\n");
638 printf(
"\n Capture and IPS:\n");
640 printf(
"\t-F <bpf filter file> : bpf filter file\n");
641 printf(
"\t-k [all|none] : force checksum check (all) or disabled it "
643 printf(
"\t-i <dev or ip> : run in pcap live mode\n");
644 printf(
"\t--pcap[=<dev>] : run in pcap mode, no value select interfaces "
645 "from suricata.yaml\n");
646 #ifdef HAVE_PCAP_SET_BUFF
647 printf(
"\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
650 printf(
"\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to "
651 "specify a range of queues)\n");
654 printf(
"\t-d <divert port> : run in inline ipfw divert mode\n");
656 #ifdef HAVE_AF_PACKET
657 printf(
"\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
660 printf(
"\t--af-xdp[=<dev>] : run in af-xdp mode, no value select "
661 "interfaces from suricata.yaml\n");
664 printf(
"\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
667 printf(
"\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
668 printf(
"\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
669 printf(
"\t--pfring-cluster-id <id> : pfring cluster id \n");
670 printf(
"\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
673 printf(
"\t--dpdk : run in dpdk mode, uses interfaces from "
677 printf(
"\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
680 printf(
"\t--windivert <filter> : run in inline WinDivert mode\n");
681 printf(
"\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
684 printf(
"\t--reject-dev <dev> : send reject packets from this interface\n");
687 printf(
"\n Capture Files:\n");
688 printf(
"\t-r <path> : run in pcap file/offline mode\n");
689 printf(
"\t--pcap-file-continuous : when running in pcap mode with a directory, "
690 "continue checking directory for pcaps until interrupted\n");
691 printf(
"\t--pcap-file-delete : when running in replay mode (-r with "
692 "directory or file), will delete pcap files that have been processed when done\n");
693 printf(
"\t--pcap-file-recursive : will descend into subdirectories when running "
694 "in replay mode (-r)\n");
695 printf(
"\t--pcap-file-buffer-size : set read buffer size (setvbuf)\n");
696 printf(
"\t--erf-in <path> : process an ERF file\n");
698 printf(
"\n Detection:\n");
699 printf(
"\t-s <path> : path to signature file loaded in addition to "
700 "suricata.yaml settings (optional)\n");
701 printf(
"\t-S <path> : path to signature file loaded exclusively "
703 printf(
"\t--disable-detection : disable detection engine\n");
704 printf(
"\t--engine-analysis : print reports on analysis of different "
705 "sections in the engine and exit.\n"
706 "\t Please have a look at the conf parameter "
707 "engine-analysis on what reports\n"
708 "\t can be printed\n");
710 printf(
"\n Firewall:\n");
711 printf(
"\t--firewall : enable firewall mode\n");
712 printf(
"\t--firewall-rules-exclusive=<path> : path to firewall rule file loaded "
715 printf(
"\n Info:\n");
716 printf(
"\t-V : display Suricata version\n");
717 printf(
"\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
718 printf(
"\t--list-runmodes : list supported runmodes\n");
719 printf(
"\t--list-app-layer-protos : list supported app layer protocols\n");
720 printf(
"\t--list-app-layer-hooks : list supported app layer hooks for use in "
722 printf(
"\t--dump-config : show the running configuration\n");
723 printf(
"\t--dump-features : display provided features\n");
724 printf(
"\t--build-info : display build information\n");
726 printf(
"\n Testing:\n");
727 printf(
"\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
729 printf(
"\t-u : run the unittests and exit\n");
730 printf(
"\t-U=REGEX, --unittest-filter=REGEX : filter unittests with a pcre compatible "
732 printf(
"\t--list-unittests : list unit tests\n");
733 printf(
"\t--fatal-unittests : enable fatal failure on unittest error\n");
734 printf(
"\t--unittests-coverage : display unittest coverage report\n");
737 printf(
"\nTo run " PROG_NAME " with default configuration on "
738 "interface eth0 with signature file \"signatures.rules\", run the "
739 "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
743 static void PrintBuildInfo(
void)
747 char features[2048] =
"";
752 strlcat(features,
"DEBUG ",
sizeof(features));
754 #ifdef DEBUG_VALIDATION
755 strlcat(features,
"DEBUG_VALIDATION ",
sizeof(features));
758 strlcat(features,
"UNITTESTS ",
sizeof(features));
761 strlcat(features,
"NFQ ",
sizeof(features));
764 strlcat(features,
"IPFW ",
sizeof(features));
766 #ifdef HAVE_PCAP_SET_BUFF
767 strlcat(features,
"PCAP_SET_BUFF ",
sizeof(features));
770 strlcat(features,
"PF_RING ",
sizeof(features));
773 strlcat(features,
"NAPATECH ",
sizeof(features));
775 #ifdef HAVE_AF_PACKET
776 strlcat(features,
"AF_PACKET ",
sizeof(features));
779 strlcat(features,
"NETMAP ",
sizeof(features));
781 #ifdef HAVE_PACKET_FANOUT
782 strlcat(features,
"HAVE_PACKET_FANOUT ",
sizeof(features));
785 strlcat(features,
"DAG ",
sizeof(features));
787 #ifdef HAVE_LIBCAP_NG
788 strlcat(features,
"LIBCAP_NG ",
sizeof(features));
791 strlcat(features,
"LIBNET1.1 ",
sizeof(features));
793 strlcat(features,
"HAVE_HTP_URI_NORMALIZE_HOOK ",
sizeof(features));
794 #ifdef PCRE2_HAVE_JIT
795 strlcat(features,
"PCRE_JIT ",
sizeof(features));
798 strlcat(features,
"HAVE_NSS ",
sizeof(features));
800 strlcat(features,
"HTTP2_DECOMPRESSION ",
sizeof(features));
802 strlcat(features,
"HAVE_LUA ",
sizeof(features));
804 strlcat(features,
"HAVE_JA3 ",
sizeof(features));
807 strlcat(features,
"HAVE_JA4 ",
sizeof(features));
809 strlcat(features,
"HAVE_LIBJANSSON ",
sizeof(features));
811 strlcat(features,
"PROFILING ",
sizeof(features));
813 #ifdef PROFILE_LOCKING
814 strlcat(features,
"PROFILE_LOCKING ",
sizeof(features));
816 #if defined(TLS_C11) || defined(TLS_GNU)
817 strlcat(features,
"TLS ",
sizeof(features));
820 strlcat(features,
"TLS_C11 ",
sizeof(features));
821 #elif defined(TLS_GNU)
822 strlcat(features,
"TLS_GNU ",
sizeof(features));
825 strlcat(features,
"MAGIC ",
sizeof(features));
827 strlcat(features,
"RUST ",
sizeof(features));
828 #if defined(SC_ADDRESS_SANITIZER)
829 strlcat(features,
"ASAN ",
sizeof(features));
831 #if defined(HAVE_POPCNT64)
832 strlcat(features,
"POPCNT64 ",
sizeof(features));
834 if (strlen(features) == 0) {
835 strlcat(features,
"none",
sizeof(features));
838 printf(
"Features: %s\n", features);
841 memset(features, 0x00,
sizeof(features));
842 #if defined(__SSE4_2__)
843 strlcat(features,
"SSE_4_2 ",
sizeof(features));
845 #if defined(__SSE4_1__)
846 strlcat(features,
"SSE_4_1 ",
sizeof(features));
848 #if defined(__SSE3__)
849 strlcat(features,
"SSE_3 ",
sizeof(features));
851 #if defined(__SSE2__)
852 strlcat(features,
"SSE_2 ",
sizeof(features));
854 if (strlen(features) == 0) {
855 strlcat(features,
"none",
sizeof(features));
857 printf(
"SIMD support: %s\n", features);
860 memset(features, 0x00,
sizeof(features));
861 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
862 strlcat(features,
"1 ",
sizeof(features));
864 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
865 strlcat(features,
"2 ",
sizeof(features));
867 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
868 strlcat(features,
"4 ",
sizeof(features));
870 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
871 strlcat(features,
"8 ",
sizeof(features));
873 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
874 strlcat(features,
"16 ",
sizeof(features));
876 if (strlen(features) == 0) {
877 strlcat(features,
"none",
sizeof(features));
879 strlcat(features,
"byte(s)",
sizeof(features));
881 printf(
"Atomic intrinsics: %s\n", features);
885 #elif __WORDSIZE == 32
888 bits =
"<unknown>-bits";
891 #if __BYTE_ORDER == __BIG_ENDIAN
892 endian =
"Big-endian";
893 #elif __BYTE_ORDER == __LITTLE_ENDIAN
894 endian =
"Little-endian";
896 endian =
"<unknown>-endian";
899 printf(
"%s, %s architecture\n", bits, endian);
901 printf(
"GCC version %s, C version %"PRIiMAX
"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
903 printf(
"C version %"PRIiMAX
"\n", (intmax_t)__STDC_VERSION__);
907 printf(
"compiled with -fstack-protector\n");
910 printf(
"compiled with -fstack-protector-all\n");
919 #if _FORTIFY_SOURCE == 2
920 printf(
"compiled with _FORTIFY_SOURCE=2\n");
921 #elif _FORTIFY_SOURCE == 1
922 printf(
"compiled with _FORTIFY_SOURCE=1\n");
923 #elif _FORTIFY_SOURCE == 0
924 printf(
"compiled with _FORTIFY_SOURCE=0\n");
927 printf(
"L1 cache line size (CLS)=%d\n",
CLS);
930 tls =
"_Thread_local";
931 #elif defined(TLS_GNU)
934 #error "Unsupported thread local"
936 printf(
"thread local storage method: %s\n", tls);
938 printf(
"compiled with %s\n", htp_get_version());
940 #include "build-info.h"
1036 static TmEcode ParseInterfacesList(
const int runmode,
char *pcap_dev)
1042 if (strlen(pcap_dev) == 0) {
1045 SCLogError(
"No interface found in config for pcap");
1052 if (strlen(pcap_dev)) {
1054 SCLogError(
"Failed to set pfring.live-interface");
1061 char iface_selector[] =
"dpdk.interfaces";
1064 SCLogError(
"No interface found in config for %s", iface_selector);
1068 #ifdef HAVE_AF_PACKET
1071 if (strlen(pcap_dev)) {
1073 SCLogError(
"Failed to set af-packet.live-interface");
1079 SCLogError(
"No interface found in config for af-packet");
1087 if (strlen(pcap_dev)) {
1089 SCLogError(
"Failed to set af-xdp.live-interface");
1095 SCLogError(
"No interface found in config for af-xdp");
1103 if (strlen(pcap_dev)) {
1105 SCLogError(
"Failed to set netmap.live-interface");
1111 SCLogError(
"No interface found in config for netmap");
1120 SCLogError(
"No group found in config for nflog");
1129 static void SCInstanceInit(
SCInstance *suri,
const char *progname)
1131 memset(suri, 0x00,
sizeof(*suri));
1158 #if HAVE_DETECT_DISABLED==1
1168 if (strstr(prog_ver,
"RELEASE") != NULL) {
1188 if (strstr(
PROG_VER,
"-dev") == NULL) {
1199 static TmEcode PrintVersion(
void)
1207 const char *mode = suri->
system ?
"SYSTEM" :
"USER";
1208 SCLogNotice(
"This is %s version %s running in %s mode",
1219 static void SCPrintElapsedTime(
struct timeval *start_time)
1221 if (start_time == NULL)
1223 struct timeval end_time;
1224 memset(&end_time, 0,
sizeof(end_time));
1225 gettimeofday(&end_time, NULL);
1226 uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1227 (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1228 SCLogInfo(
"time elapsed %.3fs", (
float)milliseconds/(
float)1000);
1231 static int ParseCommandLineAfpacket(
SCInstance *suri,
const char *in_arg)
1233 #ifdef HAVE_AF_PACKET
1245 SCLogInfo(
"Multiple af-packet option without interface on each is useless");
1249 "has been specified");
1255 SCLogError(
"AF_PACKET not enabled. On Linux "
1256 "host, make sure to pass --enable-af-packet to "
1257 "configure when building.");
1262 static int ParseCommandLineAfxdp(
SCInstance *suri,
const char *in_arg)
1276 SCLogInfo(
"Multiple af-xdp options without interface on each is useless");
1280 "has been specified");
1287 "host, make sure correct libraries are installed,"
1288 " see documentation for information.");
1293 static int ParseCommandLineDpdk(
SCInstance *suri,
const char *in_arg)
1299 SCLogInfo(
"Multiple dpdk options have no effect on Suricata");
1302 "has been specified");
1309 "host, make sure to pass --enable-dpdk to "
1310 "configure when building.");
1315 static int ParseCommandLinePcapLive(
SCInstance *suri,
const char *in_arg)
1317 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1319 FatalError(
"Live capture not available. To support live capture compile against Npcap.");
1323 if (in_arg != NULL) {
1326 if (strlen(in_arg) > 9 && strncmp(in_arg,
"DeviceNPF", 9) == 0) {
1327 snprintf(suri->
pcap_dev,
sizeof(suri->
pcap_dev),
"\\Device\\NPF%s", in_arg+9);
1333 if (strcmp(suri->
pcap_dev, in_arg) != 0) {
1335 }
else if (strlen(suri->
pcap_dev) > 0 && isdigit((
unsigned char)suri->
pcap_dev[0])) {
1336 SCLogError(
"failed to find a pcap device for IP %s", in_arg);
1350 "has been specified");
1360 static bool IsLogDirectoryWritable(
const char*
str)
1362 if (access(
str, W_OK) == 0)
1374 int dump_config = 0;
1375 int dump_features = 0;
1376 int list_app_layer_protocols = 0;
1377 int list_app_layer_hooks = 0;
1378 int list_unittests = 0;
1379 int list_runmodes = 0;
1380 int list_keywords = 0;
1385 int is_firewall = 0;
1394 struct option long_opts[] = {
1396 {
"dump-config", 0, &dump_config, 1},
1397 {
"dump-features", 0, &dump_features, 1},
1398 {
"pfring", optional_argument, 0, 0},
1399 {
"pfring-int", required_argument, 0, 0},
1400 {
"pfring-cluster-id", required_argument, 0, 0},
1401 {
"pfring-cluster-type", required_argument, 0, 0},
1405 {
"af-packet", optional_argument, 0, 0},
1406 {
"af-xdp", optional_argument, 0, 0},
1407 {
"netmap", optional_argument, 0, 0},
1408 {
"pcap", optional_argument, 0, 0},
1409 {
"pcap-file-continuous", 0, 0, 0},
1410 {
"pcap-file-delete", 0, 0, 0},
1411 {
"pcap-file-recursive", 0, 0, 0},
1412 {
"pcap-file-buffer-size", required_argument, 0, 0},
1413 {
"simulate-ips", 0, 0 , 0},
1415 {
"strict-rule-keywords", optional_argument, 0, 0},
1417 {
"capture-plugin", required_argument, 0, 0},
1418 {
"capture-plugin-args", required_argument, 0, 0},
1420 #ifdef BUILD_UNIX_SOCKET
1421 {
"unix-socket", optional_argument, 0, 0},
1423 {
"pcap-buffer-size", required_argument, 0, 0},
1424 {
"unittest-filter", required_argument, 0,
'U'},
1425 {
"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1426 {
"list-app-layer-hooks", 0, &list_app_layer_hooks, 1},
1427 {
"list-unittests", 0, &list_unittests, 1},
1428 {
"list-runmodes", 0, &list_runmodes, 1},
1429 {
"list-keywords", optional_argument, &list_keywords, 1},
1430 {
"runmode", required_argument, NULL, 0},
1433 {
"service-install", 0, 0, 0},
1434 {
"service-remove", 0, 0, 0},
1435 {
"service-change-params", 0, 0, 0},
1437 {
"pidfile", required_argument, 0, 0},
1438 {
"init-errors-fatal", 0, 0, 0},
1439 {
"disable-detection", 0, 0, 0},
1440 {
"disable-hashing", 0, 0, 0},
1441 {
"fatal-unittests", 0, 0, 0},
1443 {
"user", required_argument, 0, 0},
1444 {
"group", required_argument, 0, 0},
1445 {
"erf-in", required_argument, 0, 0},
1446 {
"dag", required_argument, 0, 0},
1447 {
"build-info", 0, &build_info, 1},
1448 {
"data-dir", required_argument, 0, 0},
1450 {
"windivert", required_argument, 0, 0},
1451 {
"windivert-forward", required_argument, 0, 0},
1453 #ifdef HAVE_LIBNET11
1454 {
"reject-dev", required_argument, 0, 0},
1456 {
"set", required_argument, 0, 0},
1458 {
"nflog", optional_argument, 0, 0},
1460 {
"simulate-packet-flow-memcap", required_argument, 0, 0},
1461 {
"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1462 {
"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1463 {
"simulate-packet-loss", required_argument, 0, 0},
1464 {
"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1465 {
"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1466 {
"simulate-packet-defrag-memcap", required_argument, 0, 0},
1467 {
"simulate-alert-queue-realloc-failure", 0, 0, 0},
1471 {
"firewall", 0, &is_firewall, 1 },
1472 {
"firewall-rules-exclusive", required_argument, 0, 0},
1474 {
"include", required_argument, 0, 0},
1481 int option_index = 0;
1483 char short_opts[] =
"c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1485 while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1488 if (strcmp((long_opts[option_index]).
name,
"help") == 0) {
1491 }
else if (strcmp((long_opts[option_index]).
name,
"pfring") == 0 ||
1492 strcmp((long_opts[option_index]).
name,
"pfring-int") == 0) {
1497 if (optarg != NULL) {
1500 ((strlen(optarg) <
sizeof(suri->
pcap_dev)) ?
1501 (strlen(optarg) + 1) :
sizeof(suri->
pcap_dev)));
1506 "to pass --enable-pfring to configure when building.");
1509 }
else if (strcmp((long_opts[option_index]).
name,
"pfring-cluster-id") == 0) {
1512 SCLogError(
"failed to set pfring.cluster-id");
1517 "to pass --enable-pfring to configure when building.");
1520 }
else if (strcmp((long_opts[option_index]).
name,
"pfring-cluster-type") == 0) {
1523 SCLogError(
"failed to set pfring.cluster-type");
1528 "to pass --enable-pfring to configure when building.");
1531 }
else if (strcmp((long_opts[option_index]).
name,
"capture-plugin") == 0) {
1534 }
else if (strcmp((long_opts[option_index]).
name,
"capture-plugin-args") == 0) {
1536 }
else if (strcmp((long_opts[option_index]).
name,
"dpdk") == 0) {
1537 if (ParseCommandLineDpdk(suri, optarg) !=
TM_ECODE_OK) {
1540 }
else if (strcmp((long_opts[option_index]).
name,
"af-packet") == 0) {
1541 if (ParseCommandLineAfpacket(suri, optarg) !=
TM_ECODE_OK) {
1544 }
else if (strcmp((long_opts[option_index]).
name,
"af-xdp") == 0) {
1545 if (ParseCommandLineAfxdp(suri, optarg) !=
TM_ECODE_OK) {
1548 }
else if (strcmp((long_opts[option_index]).
name,
"netmap") == 0) {
1556 ((strlen(optarg) <
sizeof(suri->
pcap_dev)) ?
1557 (strlen(optarg) + 1) :
sizeof(suri->
pcap_dev)));
1563 SCLogInfo(
"Multiple netmap option without interface on each is useless");
1568 "has been specified");
1569 PrintUsage(argv[0]);
1576 }
else if (strcmp((long_opts[option_index]).
name,
"nflog") == 0) {
1586 }
else if (strcmp((long_opts[option_index]).
name,
"pcap") == 0) {
1587 if (ParseCommandLinePcapLive(suri, optarg) !=
TM_ECODE_OK) {
1590 }
else if (strcmp((long_opts[option_index]).
name,
"simulate-ips") == 0) {
1593 }
else if (strcmp((long_opts[option_index]).
name,
"init-errors-fatal") == 0) {
1595 SCLogError(
"failed to set engine init-failure-fatal");
1598 #ifdef BUILD_UNIX_SOCKET
1599 }
else if (strcmp((long_opts[option_index]).
name ,
"unix-socket") == 0) {
1604 SCLogError(
"failed to set unix-command.filename");
1610 "has been specified");
1611 PrintUsage(argv[0]);
1616 else if(strcmp((long_opts[option_index]).
name,
"list-app-layer-protocols") == 0) {
1618 }
else if (strcmp((long_opts[option_index]).
name,
"list-app-layer-hooks") == 0) {
1620 }
else if (strcmp((long_opts[option_index]).
name,
"list-unittests") == 0) {
1624 SCLogError(
"unit tests not enabled. Make sure to pass --enable-unittests to "
1625 "configure when building");
1628 }
else if (strcmp((long_opts[option_index]).
name,
"list-runmodes") == 0) {
1631 }
else if (strcmp((long_opts[option_index]).
name,
"list-keywords") == 0) {
1633 if (strcmp(
"short", optarg) != 0) {
1637 }
else if (strcmp((long_opts[option_index]).
name,
"runmode") == 0) {
1639 }
else if (strcmp((long_opts[option_index]).
name,
"engine-analysis") == 0) {
1643 else if (strcmp((long_opts[option_index]).
name,
"service-install") == 0) {
1644 suri->
run_mode = RUNMODE_INSTALL_SERVICE;
1646 }
else if (strcmp((long_opts[option_index]).
name,
"service-remove") == 0) {
1647 suri->
run_mode = RUNMODE_REMOVE_SERVICE;
1649 }
else if (strcmp((long_opts[option_index]).
name,
"service-change-params") == 0) {
1650 suri->
run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1654 else if (strcmp((long_opts[option_index]).
name,
"pidfile") == 0) {
1657 SCLogError(
"strdup failed: %s", strerror(errno));
1660 }
else if (strcmp((long_opts[option_index]).
name,
"disable-detection") == 0) {
1662 }
else if (strcmp((long_opts[option_index]).
name,
"disable-hashing") == 0) {
1666 }
else if (strcmp((long_opts[option_index]).
name,
"fatal-unittests") == 0) {
1670 SCLogError(
"unit tests not enabled. Make sure to pass --enable-unittests to "
1671 "configure when building");
1674 }
else if (strcmp((long_opts[option_index]).
name,
"user") == 0) {
1675 #ifndef HAVE_LIBCAP_NG
1677 " drop privileges, but it was not compiled into Suricata.");
1683 }
else if (strcmp((long_opts[option_index]).
name,
"group") == 0) {
1684 #ifndef HAVE_LIBCAP_NG
1686 " drop privileges, but it was not compiled into Suricata.");
1692 }
else if (strcmp((long_opts[option_index]).
name,
"erf-in") == 0) {
1698 }
else if (strcmp((long_opts[option_index]).
name,
"dag") == 0) {
1704 SCLogError(
"more than one run mode has been specified");
1705 PrintUsage(argv[0]);
1710 SCLogError(
"libdag and a DAG card are required"
1711 " to receive packets using --dag.");
1714 }
else if (strcmp((long_opts[option_index]).
name,
"napatech") == 0) {
1715 #ifdef HAVE_NAPATECH
1718 SCLogError(
"libntapi and a Napatech adapter are required"
1719 " to capture packets using --napatech.");
1722 }
else if (strcmp((long_opts[option_index]).
name,
"pcap-buffer-size") == 0) {
1723 #ifdef HAVE_PCAP_SET_BUFF
1725 SCLogError(
"failed to set pcap-buffer-size");
1730 " doesn't support setting buffer size.");
1732 }
else if (strcmp((long_opts[option_index]).
name,
"build-info") == 0) {
1735 }
else if (strcmp((long_opts[option_index]).
name,
"windivert-forward") == 0) {
1739 if (WinDivertRegisterQueue(
true, optarg) == -1) {
1743 if (WinDivertRegisterQueue(
true, optarg) == -1) {
1748 "has been specified");
1749 PrintUsage(argv[0]);
1753 else if(strcmp((long_opts[option_index]).
name,
"windivert") == 0) {
1756 if (WinDivertRegisterQueue(
false, optarg) == -1) {
1760 if (WinDivertRegisterQueue(
false, optarg) == -1) {
1765 "has been specified");
1766 PrintUsage(argv[0]);
1770 SCLogError(
"WinDivert not enabled. Make sure to pass --enable-windivert to "
1771 "configure when building.");
1774 }
else if(strcmp((long_opts[option_index]).
name,
"reject-dev") == 0) {
1775 #ifdef HAVE_LIBNET11
1777 extern char *g_reject_dev;
1778 extern uint16_t g_reject_dev_mtu;
1779 g_reject_dev = optarg;
1782 g_reject_dev_mtu = (uint16_t)mtu;
1785 SCLogError(
"Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1789 else if (strcmp((long_opts[option_index]).
name,
"set") == 0) {
1790 if (optarg != NULL) {
1792 char *val = strchr(optarg,
'=');
1794 FatalError(
"Invalid argument for --set, must be key=val.");
1797 FatalError(
"failed to set configuration value %s", optarg);
1801 else if (strcmp((long_opts[option_index]).
name,
"pcap-file-continuous") == 0) {
1803 SCLogError(
"Failed to set pcap-file.continuous");
1807 else if (strcmp((long_opts[option_index]).
name,
"pcap-file-delete") == 0) {
1809 SCLogError(
"Failed to set pcap-file.delete-when-done");
1813 else if (strcmp((long_opts[option_index]).
name,
"pcap-file-recursive") == 0) {
1815 SCLogError(
"failed to set pcap-file.recursive");
1818 }
else if (strcmp((long_opts[option_index]).
name,
"pcap-file-buffer-size") == 0) {
1820 SCLogError(
"failed to set pcap-file.buffer-size");
1823 }
else if (strcmp((long_opts[option_index]).
name,
"data-dir") == 0) {
1824 if (optarg == NULL) {
1825 SCLogError(
"no option argument (optarg) for -d");
1835 " supplied at the command-line (-d %s) doesn't "
1836 "exist. Shutting down the engine.",
1841 }
else if (strcmp((long_opts[option_index]).
name,
"strict-rule-keywords") == 0) {
1842 if (optarg == NULL) {
1848 FatalError(
"failed to duplicate 'strict' string");
1850 }
else if (strcmp((long_opts[option_index]).
name,
"include") == 0) {
1855 "Failed to allocate memory for additional configuration files: %s",
1860 for (
int i = 0;; i++) {
1862 const char **additional_configs =
1864 if (additional_configs == NULL) {
1865 FatalError(
"Failed to allocate memory for additional configuration "
1877 }
else if (strcmp((long_opts[option_index]).
name,
"firewall-rules-exclusive") == 0) {
1879 SCLogError(
"can't have multiple --firewall-rules-exclusive options");
1887 (long_opts[option_index]).
name, optarg);
1898 SCLogError(
"failed to set engine init-failure-fatal");
1911 if (optarg == NULL) {
1912 SCLogError(
"no option argument (optarg) for -i");
1915 #ifdef HAVE_AF_PACKET
1916 if (ParseCommandLineAfpacket(suri, optarg) !=
TM_ECODE_OK) {
1921 #if defined HAVE_NETMAP
1927 "option%s %s available:"
1929 " NETMAP (--netmap=%s)"
1931 ". Use --pcap=%s to suppress this warning",
1932 i == 1 ?
"" :
"s", i == 1 ?
"is" :
"are"
1940 if (ParseCommandLinePcapLive(suri, optarg) !=
TM_ECODE_OK) {
1946 if (optarg == NULL) {
1947 SCLogError(
"no option argument (optarg) for -l");
1957 " supplied at the command-line (-l %s) doesn't "
1958 "exist. Shutting down the engine.",
1962 if (!IsLogDirectoryWritable(optarg)) {
1964 " supplied at the command-line (-l %s) is not "
1965 "writable. Shutting down the engine.",
1984 "has been specified");
1985 PrintUsage(argv[0]);
1989 SCLogError(
"NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when "
2006 "has been specified");
2007 PrintUsage(argv[0]);
2011 SCLogError(
"IPFW not enabled. Make sure to pass --enable-ipfw to configure when "
2022 "has been specified");
2023 PrintUsage(argv[0]);
2028 SCLogError(
"pcap file '%s': %s", optarg, strerror(errno));
2032 SCLogError(
"ERROR: Failed to set pcap-file.file\n");
2039 SCLogError(
"can't have multiple -s options or mix -s and -S.");
2046 SCLogError(
"can't have multiple -S options or mix -s and -S.");
2059 PrintUsage(argv[0]);
2063 SCLogError(
"unit tests not enabled. Make sure to pass --enable-unittests to configure "
2080 if (optarg == NULL) {
2081 SCLogError(
"no option argument (optarg) for -F");
2085 SetBpfStringFromFile(optarg);
2091 if (optarg == NULL) {
2092 SCLogError(
"no option argument (optarg) for -k");
2095 if (!strcmp(
"all", optarg))
2097 else if (!strcmp(
"none", optarg))
2100 SCLogError(
"option '%s' invalid for -k", optarg);
2105 PrintUsage(argv[0]);
2115 SCLogError(
"can't use -s/-S or --firewall-rules-exclusive when detection is disabled");
2122 if (list_app_layer_protocols)
2124 if (list_app_layer_hooks)
2142 ret = SetBpfString(optind, argv);
2150 int WindowsInitService(
int argc,
char **argv)
2152 if (SCRunningAsService()) {
2153 char path[MAX_PATH];
2155 strlcpy(path, argv[0], MAX_PATH);
2156 if ((p = strrchr(path,
'\\'))) {
2159 if (!SetCurrentDirectory(path)) {
2160 SCLogError(
"Can't set current directory to: %s", path);
2163 SCLogInfo(
"Current directory is set to: %s", path);
2164 SCServiceInit(argc, argv);
2169 if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2170 SCLogError(
"Can't initialize Windows sockets: %d", WSAGetLastError());
2181 const char *pid_filename;
2183 if (
SCConfGet(
"pid-file", &pid_filename) == 1) {
2184 SCLogInfo(
"Use pid file %s from config file.", pid_filename);
2191 SCLogError(
"strdup failed: %s", strerror(errno));
2210 SCLogError(
"Unable to create PID file, concurrent run of"
2211 " Suricata can occur.");
2212 SCLogError(
"PID file creation WILL be mandatory for daemon mode"
2213 " in future version");
2228 if (
SCConfGet(
"run-as.user", &
id) == 1) {
2232 if (
SCConfGet(
"run-as.group", &
id) == 1) {
2250 static int InitSignalHandler(
SCInstance *suri)
2253 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2258 if (
SCConfGetBool(
"logging.stacktrace-on-signal", &enabled) == 0) {
2263 SCLogInfo(
"Preparing unexpected signal handling");
2264 struct sigaction stacktrace_action;
2265 memset(&stacktrace_action, 0,
sizeof(stacktrace_action));
2266 stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2267 stacktrace_action.sa_flags = SA_SIGINFO;
2268 sigaction(SIGSEGV, &stacktrace_action, NULL);
2269 sigaction(SIGABRT, &stacktrace_action, NULL);
2292 #ifdef PROFILE_RULES
2293 SCProfilingRulesGlobalInit();
2300 #ifdef PROFILE_RULES
2353 SCPrintElapsedTime(start_time);
2415 PrintUsage(argv[0]);
2425 case RUNMODE_INSTALL_SERVICE:
2426 if (SCServiceInstall(argc, argv)) {
2429 SCLogInfo(
"Suricata service has been successfully installed.");
2431 case RUNMODE_REMOVE_SERVICE:
2432 if (SCServiceRemove()) {
2435 SCLogInfo(
"Suricata service has been successfully removed.");
2437 case RUNMODE_CHANGE_SERVICE_PARAMS:
2438 if (SCServiceChangeParams(argc, argv)) {
2441 SCLogInfo(
"Suricata service startup parameters has been successfully changed.");
2469 static void SetupDelayedDetect(
SCInstance *suri)
2478 if (decnf != NULL) {
2480 if (strcmp(denode->
val,
"delayed-detect") == 0) {
2491 SCLogInfo(
"Packets will start being processed before signatures are active.");
2509 static int ConfigGetCaptureValue(
SCInstance *suri)
2513 intmax_t tmp_max_pending_packets;
2514 if (
SCConfGetInt(
"max-pending-packets", &tmp_max_pending_packets) != 1)
2516 if (tmp_max_pending_packets < 1 || tmp_max_pending_packets > 2147483648) {
2517 SCLogError(
"Maximum max-pending-packets setting is 2147483648 and must be greater than 0. "
2518 "Please check %s for errors",
2529 const char *temp_default_packet_size;
2530 if ((
SCConfGet(
"default-packet-size", &temp_default_packet_size)) != 1) {
2533 int strip_trailing_plus = 0;
2543 const int mtu = GetGlobalMTUWin32();
2557 strip_trailing_plus = 1;
2563 for (lthread = 0; lthread < nlive; lthread++) {
2566 (void)
strlcpy(dev, live_dev,
sizeof(dev));
2568 if (strip_trailing_plus) {
2569 size_t len = strlen(dev);
2571 (dev[
len-1] ==
'+' ||
2572 dev[
len-1] ==
'^' ||
2591 SCLogError(
"Error parsing max-pending-packets "
2592 "from conf file - %s. Killing engine",
2593 temp_default_packet_size);
2603 static void PostRunStartedDetectSetup(
const SCInstance *suri)
2617 SCLogNotice(
"Signature(s) loaded, Detect thread(s) activated.");
2629 SetupDelayedDetect(suri);
2632 int default_tenant = 0;
2634 (void)
SCConfGetBool(
"multi-detect.default", &default_tenant);
2637 "detection engine contexts failed.");
2647 FatalError(
"initializing detection engine failed.");
2661 static void PostConfLoadedSetupHostMode(
void)
2663 const char *hostmode = NULL;
2665 if (
SCConfGet(
"host-mode", &hostmode) == 1) {
2666 if (!strcmp(hostmode,
"router")) {
2668 }
else if (!strcmp(hostmode,
"sniffer-only")) {
2671 if (strcmp(hostmode,
"auto") != 0) {
2683 SCLogInfo(
"No 'host-mode': suricata is in IPS mode, using "
2684 "default setting 'router'");
2687 SCLogInfo(
"No 'host-mode': suricata is in IDS mode, using "
2688 "default setting 'sniffer-only'");
2700 FatalError(
"could not set USER mode logdir");
2706 FatalError(
"could not set USER mode datadir");
2718 int cnf_firewall_enabled = 0;
2719 if (
SCConfGetBool(
"firewall.enabled", &cnf_firewall_enabled) == 1) {
2720 if (cnf_firewall_enabled == 1) {
2724 FatalError(
"firewall mode enabled through commandline, but disabled in config");
2729 SCLogWarning(
"firewall mode is EXPERIMENTAL and subject to change");
2737 int disable_offloading;
2738 if (
SCConfGetBool(
"capture.disable-offloading", &disable_offloading) == 0)
2739 disable_offloading = 1;
2740 if (disable_offloading) {
2747 const char *cv = NULL;
2748 if (
SCConfGet(
"capture.checksum-validation", &cv) == 1) {
2749 if (strcmp(cv,
"none") == 0) {
2751 }
else if (strcmp(cv,
"all") == 0) {
2758 SCConfSet(
"stream.checksum-validation",
"0");
2761 SCConfSet(
"stream.checksum-validation",
"1");
2770 #ifdef HAVE_PACKET_EBPF
2772 EBPFRegisterExtension();
2795 SCLogInfo(
"Setting engine mode to IDS mode by default");
2816 const char *custom_umask;
2817 if (
SCConfGet(
"umask", &custom_umask) == 1) {
2819 if (
StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2820 umask((mode_t)mask);
2837 SCLogInfo(
"== Carrying out Engine Analysis ==");
2838 const char *temp = NULL;
2839 if (
SCConfGet(
"engine-analysis", &temp) == 0) {
2840 SCLogInfo(
"no engine-analysis parameter(s) defined in conf file. "
2841 "Please define/enable them in the conf to use this "
2860 "basic address vars test failed. Please check %s for errors", suri->
conf_filename);
2889 "supplied by %s (default-log-dir) doesn't exist. "
2890 "Shutting down the engine",
2894 if (!IsLogDirectoryWritable(suri->
log_dir)) {
2896 "supplied by %s (default-log-dir) is not writable. "
2897 "Shutting down the engine",
2915 PostConfLoadedSetupHostMode();
2984 return EXIT_FAILURE;
3005 SCInstanceInit(&
suricata, progname);
3023 if (
SCConfGetBool(
"vlan.use-for-tracking", &tracking) == 1 && !tracking) {
3027 SCLogDebug(
"vlan tracking is %s", tracking == 1 ?
"enabled" :
"disabled");
3028 if (
SCConfGetBool(
"livedev.use-for-tracking", &tracking) == 1 && !tracking) {
3032 if (
SCConfGetBool(
"decoder.recursion-level.use-for-tracking", &tracking) == 1 && !tracking) {
3048 SCLogInfo(
"Running suricata under test mode");
3077 SCLogNotice(
"Configuration provided was successfully loaded. Exiting.");
3120 int limit_nproc = 0;
3121 if (
SCConfGetBool(
"security.limit-noproc", &limit_nproc) == 0) {
3125 #if defined(SC_ADDRESS_SANITIZER)
3128 "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
3134 #if defined(HAVE_SYS_RESOURCE_H)
3137 SCLogWarning(
"setrlimit has no effect when running as root.");
3140 struct rlimit r = { 0, 0 };
3141 if (setrlimit(RLIMIT_NPROC, &r) != 0) {
3142 SCLogWarning(
"setrlimit failed to prevent process creation.");
3164 PostRunStartedDetectSetup(&
suricata);
@ RUNMODE_LIST_APP_LAYERS
enum SCRunModes SCRunMode
@ RUNMODE_ENGINE_ANALYSIS
void TmModuleUnixManagerRegister(void)
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
void SuricataMainLoop(void)
int ExceptionSimulationCommandLineParser(const char *name, const char *arg)
char * firewall_rule_file
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
void TmThreadDisablePacketThreads(const uint16_t set, const uint16_t check, const uint8_t module_flags)
Disable all packet threads.
enum SCRunModes aux_run_mode
void IPPairInitConfig(bool quiet)
initialize the configuration
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
void SCEnableDefaultSignalHandlers(void)
Enable default signal handlers.
int LiveDeviceListClean(void)
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
struct timeval start_time
bool IsRunModeOffline(enum SCRunModes run_mode_to_check)
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
SystemHugepageSnapshot * prerun_snap
void TmThreadContinueThreads(void)
Unpauses all threads present in tv_root.
enum DetectEngineType type
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
const char * firewall_rule_file_exclusive
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
SCConfNode * SCConfGetRootNode(void)
Get the root configuration node.
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
void LiveDevRegisterExtension(void)
void OutputTxShutdown(void)
void AppLayerHtpPrintStats(void)
void StatsSetupPostConfigPreOutput(void)
char * runmode_custom_mode
struct HtpBodyChunk_ * next
void TmModuleReceiveNFQRegister(void)
int LiveBuildDeviceList(const char *runmode)
void RunModeShutDown(void)
void SCProtoNameInit(void)
void SuricataPostInit(void)
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
volatile sig_atomic_t sigint_count
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
void TmModuleRunDeInit(void)
void TmThreadsUnsealThreads(void)
void RegisterFlowBypassInfo(void)
#define SCSetThreadName(n)
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineReloadSetIdle(void)
void DatalinkTableDeinit(void)
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
DetectEngineCtx * DetectEngineGetCurrent(void)
int EngineModeIsUnknown(void)
void VarNameStoreInit(void)
void TmModuleFlowRecyclerRegister(void)
int SCConfNodeChildValueIsTrue(const SCConfNode *node, const char *key)
Test if a configuration node has a true value.
void DatalinkTableInit(void)
void Daemonize(void)
Daemonize the process.
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
#define TAILQ_FOREACH(var, head, field)
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
void TmModuleDecodeWinDivertRegister(void)
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
int SCConfGetChildValueBool(const SCConfNode *base, const char *name, int *val)
void TmModuleStatsLoggerRegister(void)
void RegisterAllModules(void)
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
const SuricataContext suricata_context
TmEcode SCParseCommandLine(int argc, char **argv)
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
void SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
void PreRunInit(const int runmode)
void MacSetRegisterFlowStorage(void)
void EngineModeSetFirewall(void)
void SuricataShutdown(void)
const char * conf_filename
int GetIfaceMTU(const char *dev)
output the link MTU
void GlobalsInitPreConfig(void)
void TmModuleReceiveNetmapRegister(void)
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
void TmModuleReceiveWinDivertRegister(void)
bool EngineModeIsFirewall(void)
void SCProfilingDestroy(void)
Free resources used by profiling.
void AFPPeersListClean(void)
Clean the global peers list.
void RunModeInitializeOutputs(void)
int DetectPortTestConfVars(void)
void SCThresholdConfGlobalInit(void)
void DecodeUnregisterCounters(void)
const char * capture_plugin_name
int SCConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
void HostBitInitCtx(void)
bool IsRunModeSystem(enum SCRunModes run_mode_to_check)
const char * capture_plugin_args
void TmModuleLoggerRegister(void)
void PacketPoolInit(void)
int AppLayerDeSetup(void)
De initializes the app layer.
@ RUNMODE_LIST_APP_LAYER_HOOKS
size_t strlcpy(char *dst, const char *src, size_t siz)
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
void TmModuleDecodePcapFileRegister(void)
void TmModuleBypassedFlowManagerRegister(void)
void IPPairShutdown(void)
shutdown the flow engine
void SCConfInit(void)
Initialize the configuration system.
void DetectParseFreeRegexes(void)
void SCConfDump(void)
Dump configuration to stdout.
void TmModuleDecodeNFLOGRegister(void)
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
void FlowInitConfig(bool quiet)
initialize the configuration
int AppLayerSetup(void)
Setup the app layer.
void FeatureTrackingRegister(void)
void TmModuleReceiveDPDKRegister(void)
void UnixManagerThreadSpawnNonRunmode(const bool unix_socket_enabled)
void RunModeInitializeThreadSettings(void)
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
SCRunMode SCRunmodeGet(void)
Get the current run mode.
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
void PreRunPostPrivsDropInit(const int runmode)
void SigTableCleanup(void)
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
volatile sig_atomic_t sigterm_count
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
void TmModuleVerdictNFQRegister(void)
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
void RunModeListRunmodes(void)
Lists all registered runmodes.
size_t strlcat(char *, const char *src, size_t siz)
void LiveSetOffloadDisable(void)
void StatsSetupPostConfigPostOutput(void)
void EngineModeSetIDS(void)
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
void UnixSocketKillSocketThread(void)
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
bool g_stats_eps_per_app_proto_errors
void HttpRangeContainersInit(void)
struct timeval last_reload
void TmModuleVerdictWinDivertRegister(void)
void HostCleanup(void)
Cleanup the host engine.
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
int UtilSignalUnblock(int signum)
int DetectEngineEnabled(void)
Check if detection is enabled.
void TmThreadClearThreadsFamily(int family)
#define THV_REQ_FLOW_LOOP
void FlowRateRegisterFlowStorage(void)
void TmModuleRunInit(void)
void EngineModeSetIPS(void)
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
int UtilSignalBlock(int signum)
void SCProfilingPrefilterGlobalInit(void)
void ThresholdDestroy(void)
#define SCLogWarning(...)
Macro used to log WARNING messages.
int PostConfLoadedSetup(SCInstance *suri)
const char * GetProgramVersion(void)
get string with program version
void TmModuleReceivePcapFileRegister(void)
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
int ListAppLayerHooks(const char *conf_filename)
int ListAppLayerProtocols(const char *conf_filename)
void DatasetsDestroy(void)
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
int profiling_packets_enabled
int SystemDNotifyReady(void)
void TmThreadKillThreads(void)
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
void PostConfLoadedDetectSetup(SCInstance *suri)
int EngineModeIsIDS(void)
TmModule tmm_modules[TMM_SIZE]
const char * SCConfigGetLogDirectory(void)
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
int StorageFinalize(void)
void VarNameStoreDestroy(void)
void TmModuleFlowWorkerRegister(void)
uint32_t max_pending_packets
const char ** additional_configs
#define DEFAULT_PID_FILENAME
volatile sig_atomic_t sighup_count
TmEcode ConfigSetDataDirectory(char *name)
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
#define SCDropMainThreadCaps(...)
void TmModuleDebugList(void)
void TmModuleDecodeNFQRegister(void)
void SCProtoNameRelease(void)
int RunmodeIsUnittests(void)
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
void TmModuleReceiveNFLOGRegister(void)
#define DEFAULT_PACKET_SIZE
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
#define TM_FLAG_RECEIVE_TM
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
int SCConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
int SCConfSetFinal(const char *name, const char *val)
Set a final configuration value.
#define SCRealloc(ptr, sz)
void TmModuleDecodeAFXDPRegister(void)
Registration Function for DecodeAFXDP.
uint32_t default_packet_size
void SigTableApplyStrictCommandLineOption(const char *str)
@ SURI_HOST_IS_SNIFFER_ONLY
@ DETECT_ENGINE_TYPE_NORMAL
void TmThreadKillThreadsFamily(int family)
void FeatureTrackingRelease(void)
void TmqhCleanup(void)
Clean up registration time allocs.
void StreamTcpFreeConfig(bool quiet)
void DecodeGlobalConfig(void)
char * strict_rule_parsing_string
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
void FlowShutdown(void)
shutdown the flow engine
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
void DetectEngineBumpVersion(void)
void TmModuleFlowManagerRegister(void)
int SCStartInternalRunMode(int argc, char **argv)
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
void HostShutdown(void)
shutdown the flow engine
#define SCFstatFn(fd, statbuf)
void LiveSetOffloadWarn(void)
void ParseSizeDeinit(void)
void SCConfDeInit(void)
De-initializes the configuration system.
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
void SCProfilingDump(void)
void TmModuleReceiveAFXDPRegister(void)
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
int ParseSizeStringU32(const char *size, uint32_t *res)
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
void IPPairBitInitCtx(void)
TmEcode ConfigSetLogDirectory(const char *name)
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
int ConfUnixSocketIsEnable(void)
#define TM_FLAG_PACKET_ALL
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
volatile sig_atomic_t sigusr2_count
void SystemHugepageSnapshotDestroy(SystemHugepageSnapshot *s)
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
TmEcode SCLoadYamlConfig(void)
TmEcode ConfigCheckDataDirectory(const char *data_dir)
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
#define SCLogError(...)
Macro used to log ERROR messages.
int DetectEngineReloadStart(void)
void TopologyDestroy(void)
#define DEFAULT_CONF_FILE
#define SC_LOG_MAX_LOG_MSG_LEN
void AppLayerParserPostStreamSetup(void)
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
void SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
bool install_signal_handlers
void TmModuleRespondRejectRegister(void)
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
void RunUnittests(int list_unittests, const char *regex_arg)
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
int SCConfSet(const char *name, const char *val)
Set a configuration value.
void PacketAlertTagInit(void)
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
DetectEngineCtx * DetectEngineCtxInit(void)
void SCOnLoggingReady(void)
Invokes all registered logging ready callbacks.
void TmModuleDecodeLibRegister(void)
register a "Decode" module for suricata as a library.
int EngineModeIsIPS(void)
void SCProfilingKeywordsGlobalInit(void)
void EngineDone(void)
Used to indicate that the current task is done.
bool firewall_rule_file_exclusive
const char * GetDocURL(void)
void PostRunDeinit(const int runmode, struct timeval *start_time)
clean up / shutdown code for packet modes
void HostInitConfig(bool quiet)
initialize the configuration
TmEcode TmThreadWaitOnThreadRunning(void)
Waits for all threads to be in a running state.
void HttpRangeContainersDestroy(void)
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
#define DEFAULT_MAX_PENDING_PACKETS
void DetectEngineClearMaster(void)
void SetMasterExceptionPolicy(void)
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
void OutputFilestoreRegisterGlobalCounters(void)
int InitGlobal(void)
Global initialization common to all runmodes.
int LiveGetDeviceCount(void)
Get the number of registered devices.
SystemHugepageSnapshot * SystemHugepageSnapshotCreate(void)
The function creates a snapshot of the system's hugepage usage per NUMA node and per hugepage size....
void SCProfilingSghsGlobalInit(void)
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
#define SCStatFn(pathname, statbuf)
void LiveDeviceFinalize(void)
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
void PacketPoolDestroy(void)
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
void LandlockSandboxing(SCInstance *suri)
int ListKeywords(const char *keyword_info)
#define SCLogNotice(...)
Macro used to log NOTICE messages.
void SuricataPreInit(const char *progname)
void DPDKCleanupEAL(void)
@ RUNMODE_PRINT_BUILDINFO
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
void NFQContextsClean(void)
Clean global contexts. Must be called on exit.
void SystemHugepageEvaluateHugepages(SystemHugepageSnapshot *pre_s, SystemHugepageSnapshot *post_s)
The function compares two hugepage snapshots and prints out recommendations for hugepage configuratio...
#define DEBUG_VALIDATE_BUG_ON(exp)
int SCFinalizeRunMode(void)
void SCProfilingInit(void)
Initialize profiling.
void GlobalsDestroy(void)
int DetectEngineReloadIsStart(void)
volatile uint8_t suricata_ctl_flags
#define TM_FLAG_FLOWWORKER_TM
void TagDestroyCtx(void)
Destroy tag context hash tables.
int DetectAddressTestConfVars(void)
void FlowWorkToDoCleanup(void)
Clean up all the flows that have unprocessed segments and have some work to do in the detection engin...
void MpmHSGlobalCleanup(void)
void TmqResetQueues(void)