suricata
suricata.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #if HAVE_GETOPT_H
27 #include <getopt.h>
28 #endif
29 
30 #if HAVE_SIGNAL_H
31 #include <signal.h>
32 #endif
33 #ifndef OS_WIN32
34 #ifdef HAVE_SYS_RESOURCE_H
35 // setrlimit
36 #include <sys/resource.h>
37 #endif
38 #endif
39 
40 #include "suricata.h"
41 
42 #include "conf.h"
43 #include "conf-yaml-loader.h"
44 
45 #include "decode.h"
46 #include "defrag.h"
47 #include "flow.h"
48 #include "stream-tcp.h"
49 #include "ippair.h"
50 
51 #include "detect.h"
52 #include "detect-parse.h"
53 #include "detect-engine.h"
54 #include "detect-engine-address.h"
55 #include "detect-engine-alert.h"
56 #include "detect-engine-port.h"
57 #include "detect-engine-tag.h"
58 #include "detect-engine-threshold.h"
59 #include "detect-fast-pattern.h"
60 
61 #include "datasets.h"
62 
63 #include "feature.h"
64 
65 #include "flow-bypass.h"
66 #include "flow-manager.h"
67 #include "flow-timeout.h"
68 #include "flow-worker.h"
69 
70 #include "flow-bit.h"
71 #include "host-bit.h"
72 #include "ippair-bit.h"
73 
74 #include "app-layer.h"
75 #include "app-layer-parser.h"
76 #include "app-layer-htp.h"
77 #include "app-layer-htp-range.h"
78 
79 #include "output.h"
80 #include "output-filestore.h"
81 
82 #include "respond-reject.h"
83 
84 #include "runmode-af-packet.h"
85 #include "runmode-af-xdp.h"
86 #include "runmode-netmap.h"
87 #include "runmode-unittests.h"
88 
89 #include "source-nfq.h"
90 #include "source-nfq-prototypes.h"
91 #include "source-nflog.h"
92 #include "source-ipfw.h"
93 #include "source-lib.h"
94 #include "source-pcap.h"
95 #include "source-pcap-file.h"
96 #include "source-pcap-file-helper.h"
97 #include "source-erf-file.h"
98 #include "source-erf-dag.h"
99 #include "source-af-packet.h"
100 #include "source-af-xdp.h"
101 #include "source-netmap.h"
102 #include "source-dpdk.h"
103 #include "source-windivert.h"
104 #include "source-windivert-prototypes.h"
105 
106 #include "unix-manager.h"
107 
108 #include "util-classification-config.h"
109 #include "util-threshold-config.h"
110 #include "util-reference-config.h"
111 
112 #include "tmqh-packetpool.h"
113 #include "tm-queuehandlers.h"
114 
115 #include "util-affinity.h"
116 #include "util-byte.h"
117 #include "util-conf.h"
118 #include "util-coredump-config.h"
119 #include "util-cpu.h"
120 #include "util-daemon.h"
121 #include "util-device-private.h"
122 #include "util-dpdk.h"
123 #include "util-ebpf.h"
124 #include "util-enum.h"
125 #include "util-exception-policy.h"
126 #include "util-host-os-info.h"
127 #include "util-hugepages.h"
128 #include "util-ioctl.h"
129 #include "util-landlock.h"
130 #include "util-macset.h"
131 #include "util-flow-rate.h"
132 #include "util-misc.h"
133 #include "util-mpm-hs.h"
134 #include "util-path.h"
135 #include "util-pidfile.h"
136 #include "util-plugin.h"
137 #include "util-privs.h"
138 #include "util-profiling.h"
139 #include "util-proto-name.h"
140 #include "util-running-modes.h"
141 #include "util-signal.h"
142 #include "util-time.h"
143 #include "util-validate.h"
144 #include "util-var-name.h"
145 #ifdef SYSTEMD_NOTIFY
146 #include "util-systemd.h"
147 #endif
148 
149 #ifdef WINDIVERT
150 #include "decode-sll.h"
151 #include "win32-syscall.h"
152 #endif
153 
154 /*
155  * we put this here, because we only use it here in main.
156  */
157 volatile sig_atomic_t sigint_count = 0;
158 volatile sig_atomic_t sighup_count = 0;
159 volatile sig_atomic_t sigterm_count = 0;
160 volatile sig_atomic_t sigusr2_count = 0;
161 
162 /*
163  * Flag to indicate if the engine is at the initialization
164  * or already processing packets. 3 stages: SURICATA_INIT,
165  * SURICATA_RUNTIME and SURICATA_FINALIZE
166  */
167 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
168 
169 /* Max packets processed simultaneously per thread. */
170 #define DEFAULT_MAX_PENDING_PACKETS 1024
171 
172 /* Maximum number of v's supported */
173 #define VERBOSE_MAX (SC_LOG_DEBUG - SC_LOG_NOTICE)
174 
175 /** suricata engine control flags */
176 volatile uint8_t suricata_ctl_flags = 0;
177 
178 /** Engine mode: inline (ENGINE_MODE_IPS) or just
179  * detection mode (ENGINE_MODE_IDS by default) */
180 static enum EngineMode g_engine_mode = ENGINE_MODE_UNKNOWN;
181 
182 /** Host mode: set if box is sniffing only
183  * or is a router */
184 uint8_t host_mode = SURI_HOST_IS_SNIFFER_ONLY;
185 
186 /** Maximum packets to simultaneously process. */
187 uint32_t max_pending_packets;
188 
189 /** global indicating if detection is enabled */
190 int g_detect_disabled = 0;
191 
192 /** set caps or not */
193 bool sc_set_caps = false;
194 
195 bool g_system = false;
196 
197 /** disable randomness to get reproducible results across runs */
198 #ifndef AFLFUZZ_NO_RANDOM
199 int g_disable_randomness = 0;
200 #else
201 int g_disable_randomness = 1;
202 #endif
203 
204 /** determine (without branching) if we include the vlan_ids when hashing or
205  * comparing flows */
206 uint16_t g_vlan_mask = 0xffff;
207 
208 /** determine (without branching) if we include the livedev ids when hashing or
209  * comparing flows */
210 uint16_t g_livedev_mask = 0xffff;
211 
212 /** determine (without branching) if we include the recursion levels when hashing or
213  * comparing flows */
214 uint8_t g_recurlvl_mask = 0xff;
215 
216 /* flag to disable hashing almost globally, to be similar to disabling nss
217  * support */
218 bool g_disable_hashing = false;
219 
220 /* snapshot of the system's hugepages before system initialization. */
221 SystemHugepageSnapshot *prerun_snap = NULL;
222 
223 /** add per-proto app-layer error counters for exception policies stats? disabled by default */
224 bool g_stats_eps_per_app_proto_errors = false;
225 
226 /** Suricata instance */
227 SCInstance suricata;
228 
229 int SuriHasSigFile(void)
230 {
231  return (suricata.sig_file != NULL);
232 }
233 
234 int EngineModeIsUnknown(void)
235 {
236  return (g_engine_mode == ENGINE_MODE_UNKNOWN);
237 }
238 
239 bool EngineModeIsFirewall(void)
240 {
241  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
242  return (g_engine_mode == ENGINE_MODE_FIREWALL);
243 }
244 
245 /* this returns true for firewall mode as well */
246 int EngineModeIsIPS(void)
247 {
248  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
249  return (g_engine_mode >= ENGINE_MODE_IPS);
250 }
251 
252 int EngineModeIsIDS(void)
253 {
254  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
255  return (g_engine_mode == ENGINE_MODE_IDS);
256 }
257 
258 void EngineModeSetFirewall(void)
259 {
260  g_engine_mode = ENGINE_MODE_FIREWALL;
261 }
262 
263 void EngineModeSetIPS(void)
264 {
265  g_engine_mode = ENGINE_MODE_IPS;
266 }
267 
268 void EngineModeSetIDS(void)
269 {
270  g_engine_mode = ENGINE_MODE_IDS;
271 }
272 
273 #ifdef UNITTESTS
274 int RunmodeIsUnittests(void)
275 {
276  if (suricata.run_mode == RUNMODE_UNITTEST)
277  return 1;
278 
279  return 0;
280 }
281 #endif
282 
283 SCRunMode SCRunmodeGet(void)
284 {
285  return suricata.run_mode;
286 }
287 
288 void SCRunmodeSet(SCRunMode run_mode)
289 {
290  suricata.run_mode = run_mode;
291 }
292 
293 void SCEnableDefaultSignalHandlers(void)
294 {
295  suricata.install_signal_handlers = true;
296 }
297 
298 /** signal handlers
299  *
300  * WARNING: don't use the SCLog* API in the handlers. The API is complex
301  * with memory allocation possibly happening, calls to syslog, json message
302  * construction, etc.
303  */
304 
305 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
306 static void SignalHandlerSigint(/*@unused@*/ int sig)
307 {
308  sigint_count = 1;
309 }
310 static void SignalHandlerSigterm(/*@unused@*/ int sig)
311 {
312  sigterm_count = 1;
313 }
314 #ifndef OS_WIN32
315 #if HAVE_LIBUNWIND
316 #define UNW_LOCAL_ONLY
317 #include <libunwind.h>
318 static void SignalHandlerUnexpected(int sig_num, siginfo_t *info, void *context)
319 {
320  char msg[SC_LOG_MAX_LOG_MSG_LEN];
321  unw_cursor_t cursor;
322  /* Restore defaults for signals to avoid loops */
323  signal(SIGABRT, SIG_DFL);
324  signal(SIGSEGV, SIG_DFL);
325  int r;
326  if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
327  SCLogError("unable to obtain stack trace: unw_init_local: %s", unw_strerror(r));
328  goto terminate;
329  }
330 
331  char *temp = msg;
332  int cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "stacktrace:sig %d:", sig_num);
333  temp += cw;
334  r = 1;
335  while (r > 0) {
336  if (unw_is_signal_frame(&cursor) == 0) {
337  unw_word_t off;
338  char name[256];
339  if (unw_get_proc_name(&cursor, name, sizeof(name), &off) == UNW_ENOMEM) {
340  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "[unknown]:");
341  } else {
342  cw = snprintf(
343  temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "%s+0x%08" PRIx64, name, off);
344  }
345  temp += cw;
346  }
347 
348  r = unw_step(&cursor);
349  if (r > 0) {
350  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), ";");
351  temp += cw;
352  }
353  }
354  SCLogError("%s", msg);
355 
356 terminate:
357  // Propagate signal to watchers, if any
358  kill(getpid(), sig_num);
359 }
360 #undef UNW_LOCAL_ONLY
361 #endif /* HAVE_LIBUNWIND */
362 #endif /* !OS_WIN32 */
363 #endif
364 
365 #ifndef OS_WIN32
366 /**
367  * SIGUSR2 handler. Just set sigusr2_count. The main loop will act on
368  * it.
369  */
370 static void SignalHandlerSigusr2(int sig)
371 {
372  if (sigusr2_count < 2)
373  sigusr2_count++;
374 }
375 
376 /**
377  * SIGHUP handler. Just set sighup_count. The main loop will act on
378  * it.
379  */
380 static void SignalHandlerSigHup(/*@unused@*/ int sig)
381 {
382  sighup_count = 1;
383 }
384 #endif
385 
386 void GlobalsInitPreConfig(void)
387 {
388  TimeInit();
389  SupportFastPatternForSigMatchTypes();
390  SCThresholdConfGlobalInit();
391  SCProtoNameInit();
392 }
393 
394 void GlobalsDestroy(void)
395 {
396  SCInstance *suri = &suricata;
397  ThresholdDestroy();
398  HostShutdown();
399  HTPFreeConfig();
400  HTPAtExitPrintStats();
401 
402  AppLayerHtpPrintStats();
403 
404  /* TODO this can do into it's own func */
405  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
406  if (de_ctx) {
407  DetectEngineMoveToFreeList(de_ctx);
408  DetectEngineDeReference(&de_ctx);
409  }
410  DetectEngineClearMaster();
411 
412  AppLayerDeSetup();
413  DatasetsSave();
414  DatasetsDestroy();
415  OutputTxShutdown();
416  TagDestroyCtx();
417 
418  LiveDeviceListClean();
419  OutputDeregisterAll();
420  FeatureTrackingRelease();
421  SCProtoNameRelease();
422  TimeDeinit();
423  SigTableCleanup();
424  TmqhCleanup();
425  TmModuleRunDeInit();
426  ParseSizeDeinit();
427  DatalinkTableDeinit();
428 
429 #ifdef HAVE_DPDK
430  DPDKCleanupEAL();
431 #endif
432 
433 #ifdef HAVE_AF_PACKET
434  AFPPeersListClean();
435 #endif
436 
437 #ifdef NFQ
438  NFQContextsClean();
439 #endif
440 
441 #ifdef BUILD_HYPERSCAN
442  MpmHSGlobalCleanup();
443 #endif
444 
445  SCConfDeInit();
446 
447  DetectParseFreeRegexes();
448 
449  SCPidfileRemove(suri->pid_filename);
450  SCFree(suri->pid_filename);
451  suri->pid_filename = NULL;
452 
453  VarNameStoreDestroy();
454  SCLogDeInitLogModule();
455 }
456 
457 /**
458  * \brief Used to send OS specific notification of running threads
459  *
460  * \retval TmEcode TM_ECODE_OK on success; TM_ECODE_FAILED on failure.
461  */
462 static void OnNotifyRunning(void)
463 {
464 #ifdef SYSTEMD_NOTIFY
465  if (SystemDNotifyReady() < 0) {
466  SCLogWarning("failed to notify systemd");
467  }
468 #endif
469 }
470 
471 /** \brief make sure threads can stop the engine by calling this
472  * function. Purpose: pcap file mode needs to be able to tell the
473  * engine the file eof is reached. */
474 void EngineStop(void)
475 {
476  suricata_ctl_flags |= SURICATA_STOP;
477 }
478 
479 /**
480  * \brief Used to indicate that the current task is done.
481  *
482  * This is mainly used by pcap-file to tell it has finished
483  * to treat a pcap files when running in unix-socket mode.
484  */
485 void EngineDone(void)
486 {
487  suricata_ctl_flags |= SURICATA_DONE;
488 }
489 
490 static int SetBpfString(int argc, char *argv[])
491 {
492  char *bpf_filter = NULL;
493  uint32_t bpf_len = 0;
494  int tmpindex = 0;
495 
496  /* attempt to parse remaining args as bpf filter */
497  tmpindex = argc;
498  while(argv[tmpindex] != NULL) {
499  bpf_len+=strlen(argv[tmpindex]) + 1;
500  tmpindex++;
501  }
502 
503  if (bpf_len == 0)
504  return TM_ECODE_OK;
505 
506  bpf_filter = SCCalloc(1, bpf_len);
507  if (unlikely(bpf_filter == NULL))
508  return TM_ECODE_FAILED;
509 
510  tmpindex = optind;
511  while(argv[tmpindex] != NULL) {
512  strlcat(bpf_filter, argv[tmpindex],bpf_len);
513  if(argv[tmpindex + 1] != NULL) {
514  strlcat(bpf_filter," ", bpf_len);
515  }
516  tmpindex++;
517  }
518 
519  if(strlen(bpf_filter) > 0) {
520  if (SCConfSetFinal("bpf-filter", bpf_filter) != 1) {
521  SCLogError("Failed to set bpf filter.");
522  SCFree(bpf_filter);
523  return TM_ECODE_FAILED;
524  }
525  }
526  SCFree(bpf_filter);
527 
528  return TM_ECODE_OK;
529 }
530 
531 static void SetBpfStringFromFile(char *filename)
532 {
533  char *bpf_filter = NULL;
534  char *bpf_comment_tmp = NULL;
535  char *bpf_comment_start = NULL;
536  size_t bpf_len = 0;
537  SCStat st;
538  FILE *fp = NULL;
539  size_t nm = 0;
540 
541  fp = fopen(filename, "r");
542  if (fp == NULL) {
543  SCLogError("Failed to open file %s", filename);
544  exit(EXIT_FAILURE);
545  }
546 
547  if (SCFstatFn(fileno(fp), &st) != 0) {
548  SCLogError("Failed to stat file %s", filename);
549  exit(EXIT_FAILURE);
550  }
551  // st.st_size is signed on Windows
552  bpf_len = ((size_t)(st.st_size)) + 1;
553 
554  bpf_filter = SCCalloc(1, bpf_len);
555  if (unlikely(bpf_filter == NULL)) {
556  SCLogError("Failed to allocate buffer for bpf filter in file %s", filename);
557  exit(EXIT_FAILURE);
558  }
559 
560  nm = fread(bpf_filter, 1, bpf_len - 1, fp);
561  if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
562  SCLogError("Failed to read complete BPF file %s", filename);
563  SCFree(bpf_filter);
564  fclose(fp);
565  exit(EXIT_FAILURE);
566  }
567  fclose(fp);
568  bpf_filter[nm] = '\0';
569 
570  if(strlen(bpf_filter) > 0) {
571  /*replace comments with space*/
572  bpf_comment_start = bpf_filter;
573  while((bpf_comment_tmp = strchr(bpf_comment_start, '#')) != NULL) {
574  while((*bpf_comment_tmp !='\0') &&
575  (*bpf_comment_tmp != '\r') && (*bpf_comment_tmp != '\n'))
576  {
577  *bpf_comment_tmp++ = ' ';
578  }
579  bpf_comment_start = bpf_comment_tmp;
580  }
581  /*remove remaining '\r' and '\n' */
582  while((bpf_comment_tmp = strchr(bpf_filter, '\r')) != NULL) {
583  *bpf_comment_tmp = ' ';
584  }
585  while((bpf_comment_tmp = strchr(bpf_filter, '\n')) != NULL) {
586  *bpf_comment_tmp = ' ';
587  }
588  /* cut trailing spaces */
589  while (strlen(bpf_filter) > 0 &&
590  bpf_filter[strlen(bpf_filter)-1] == ' ')
591  {
592  bpf_filter[strlen(bpf_filter)-1] = '\0';
593  }
594  if (strlen(bpf_filter) > 0) {
595  if (SCConfSetFinal("bpf-filter", bpf_filter) != 1) {
596  SCFree(bpf_filter);
597  FatalError("failed to set bpf filter");
598  }
599  }
600  }
601  SCFree(bpf_filter);
602 }
603 
604 static void PrintUsage(const char *progname)
605 {
606 #ifdef REVISION
607  printf("%s %s (%s)\n", PROG_NAME, PROG_VER, xstr(REVISION));
608 #else
609  printf("%s %s\n", PROG_NAME, PROG_VER);
610 #endif
611  printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
612 
613  printf("\n General:\n");
614  printf("\t-v : be more verbose (use multiple times to "
615  "increase verbosity)\n");
616  printf("\t-c <path> : path to configuration file\n");
617  printf("\t-l <dir> : default log directory\n");
618  printf("\t--include <path> : additional configuration file\n");
619  printf("\t--set name=value : set a configuration value\n");
620  printf("\t--pidfile <file> : write pid to this file\n");
621  printf("\t-T : test configuration file (use with -c)\n");
622  printf("\t--init-errors-fatal : enable fatal failure on signature init "
623  "error\n");
624 #ifndef OS_WIN32
625  printf("\t-D : run as daemon\n");
626 #else
627  printf("\t--service-install : install as service\n");
628  printf("\t--service-remove : remove service\n");
629  printf("\t--service-change-params : change service startup parameters\n");
630 #endif /* OS_WIN32 */
631 #ifdef HAVE_LIBCAP_NG
632  printf("\t--user <user> : run suricata as this user after init\n");
633  printf("\t--group <group> : run suricata as this group after init\n");
634 #endif /* HAVE_LIBCAP_NG */
635 #ifdef BUILD_UNIX_SOCKET
636  printf("\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
637 #endif
638  printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
639  "\t supplied should be the id for the runmode obtained by running\n"
640  "\t --list-runmodes\n");
641 
642  printf("\n Capture and IPS:\n");
643 
644  printf("\t-F <bpf filter file> : bpf filter file\n");
645  printf("\t-k [all|none] : force checksum check (all) or disabled it "
646  "(none)\n");
647  printf("\t-i <dev or ip> : run in pcap live mode\n");
648  printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces "
649  "from suricata.yaml\n");
650 #ifdef HAVE_PCAP_SET_BUFF
651  printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
652 #endif /* HAVE_SET_PCAP_BUFF */
653 #ifdef NFQ
654  printf("\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to "
655  "specify a range of queues)\n");
656 #endif /* NFQ */
657 #ifdef IPFW
658  printf("\t-d <divert port> : run in inline ipfw divert mode\n");
659 #endif /* IPFW */
660 #ifdef HAVE_AF_PACKET
661  printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
662 #endif
663 #ifdef HAVE_AF_XDP
664  printf("\t--af-xdp[=<dev>] : run in af-xdp mode, no value select "
665  "interfaces from suricata.yaml\n");
666 #endif
667 #ifdef HAVE_NETMAP
668  printf("\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
669 #endif
670 #ifdef HAVE_PFRING
671  printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
672  printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
673  printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
674  printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
675 #endif /* HAVE_PFRING */
676 #ifdef HAVE_DPDK
677  printf("\t--dpdk : run in dpdk mode, uses interfaces from "
678  "suricata.yaml\n");
679 #endif
680 #ifdef HAVE_DAG
681  printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
682 #endif
683 #ifdef WINDIVERT
684  printf("\t--windivert <filter> : run in inline WinDivert mode\n");
685  printf("\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
686 #endif
687 #ifdef HAVE_LIBNET11
688  printf("\t--reject-dev <dev> : send reject packets from this interface\n");
689 #endif
690 
691  printf("\n Capture Files:\n");
692  printf("\t-r <path> : run in pcap file/offline mode\n");
693  printf("\t--pcap-file-continuous : when running in pcap mode with a directory, "
694  "continue checking directory for pcaps until interrupted\n");
695  printf("\t--pcap-file-delete : when running in replay mode (-r with "
696  "directory or file), will delete pcap files that have been processed when done\n");
697  printf("\t--pcap-file-recursive : will descend into subdirectories when running "
698  "in replay mode (-r)\n");
699  printf("\t--pcap-file-buffer-size : set read buffer size (setvbuf)\n");
700  printf("\t--erf-in <path> : process an ERF file\n");
701 
702  printf("\n Detection:\n");
703  printf("\t-s <path> : path to signature file loaded in addition to "
704  "suricata.yaml settings (optional)\n");
705  printf("\t-S <path> : path to signature file loaded exclusively "
706  "(optional)\n");
707  printf("\t--disable-detection : disable detection engine\n");
708  printf("\t--engine-analysis : print reports on analysis of different "
709  "sections in the engine and exit.\n"
710  "\t Please have a look at the conf parameter "
711  "engine-analysis on what reports\n"
712  "\t can be printed\n");
713 
714  printf("\n Firewall:\n");
715  printf("\t--firewall : enable firewall mode\n");
716  printf("\t--firewall-rules-exclusive=<path> : path to firewall rule file loaded "
717  "exclusively\n");
718 
719  printf("\n Info:\n");
720  printf("\t-V : display Suricata version\n");
721  printf("\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
722  printf("\t--list-runmodes : list supported runmodes\n");
723  printf("\t--list-app-layer-protos : list supported app layer protocols\n");
724  printf("\t--list-rule-protos : list supported rule protocols\n");
725  printf("\t--list-app-layer-hooks : list supported app layer hooks for use in "
726  "rules\n");
727  printf("\t--list-app-layer-frames : list supported app layer frames for use with "
728  "'frame' keyword\n");
729  printf("\t--dump-config : show the running configuration\n");
730  printf("\t--dump-features : display provided features\n");
731  printf("\t--build-info : display build information\n");
732 
733  printf("\n Testing:\n");
734  printf("\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
735 #ifdef UNITTESTS
736  printf("\t-u : run the unittests and exit\n");
737  printf("\t-U=REGEX, --unittest-filter=REGEX : filter unittests with a pcre compatible "
738  "regex\n");
739  printf("\t--list-unittests : list unit tests\n");
740  printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
741  printf("\t--unittests-coverage : display unittest coverage report\n");
742 #endif /* UNITTESTS */
743  printf("\n");
744  printf("\nTo run " PROG_NAME " with default configuration on "
745  "interface eth0 with signature file \"signatures.rules\", run the "
746  "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
747  progname);
748 }
749 
750 static void PrintBuildInfo(void)
751 {
752  const char *bits;
753  const char *endian;
754  /* If all current features are enabled, features string would be 341 characters long */
755  char features[2048] = "";
756  const char *tls;
757 
758  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
759 #ifdef DEBUG
760  strlcat(features, "DEBUG ", sizeof(features));
761 #endif
762 #ifdef DEBUG_VALIDATION
763  strlcat(features, "DEBUG_VALIDATION ", sizeof(features));
764 #endif
765 #ifdef QA_SIMULATION
766  strlcat(features, "QA_SIMULATION ", sizeof(features));
767 #endif
768 #ifdef UNITTESTS
769  strlcat(features, "UNITTESTS ", sizeof(features));
770 #endif
771 #ifdef NFQ
772  strlcat(features, "NFQ ", sizeof(features));
773 #endif
774 #ifdef IPFW
775  strlcat(features, "IPFW ", sizeof(features));
776 #endif
777 #ifdef HAVE_PCAP_SET_BUFF
778  strlcat(features, "PCAP_SET_BUFF ", sizeof(features));
779 #endif
780 #ifdef HAVE_PFRING
781  strlcat(features, "PF_RING ", sizeof(features));
782 #endif
783 #ifdef HAVE_NAPATECH
784  strlcat(features, "NAPATECH ", sizeof(features));
785 #endif
786 #ifdef HAVE_AF_PACKET
787  strlcat(features, "AF_PACKET ", sizeof(features));
788 #endif
789 #ifdef HAVE_NETMAP
790  strlcat(features, "NETMAP ", sizeof(features));
791 #endif
792 #ifdef HAVE_PACKET_FANOUT
793  strlcat(features, "HAVE_PACKET_FANOUT ", sizeof(features));
794 #endif
795 #ifdef HAVE_DAG
796  strlcat(features, "DAG ", sizeof(features));
797 #endif
798 #ifdef HAVE_LIBCAP_NG
799  strlcat(features, "LIBCAP_NG ", sizeof(features));
800 #endif
801 #ifdef HAVE_LIBNET11
802  strlcat(features, "LIBNET1.1 ", sizeof(features));
803 #endif
804  strlcat(features, "HAVE_HTP_URI_NORMALIZE_HOOK ", sizeof(features));
805 #ifdef PCRE2_HAVE_JIT
806  strlcat(features, "PCRE_JIT ", sizeof(features));
807 #endif
808  /* For compatibility, just say we have HAVE_NSS. */
809  strlcat(features, "HAVE_NSS ", sizeof(features));
810  /* HTTP2_DECOMPRESSION is not an optional feature in this major version */
811  strlcat(features, "HTTP2_DECOMPRESSION ", sizeof(features));
812  /* Lua is now vendored in and always available. */
813  strlcat(features, "HAVE_LUA ", sizeof(features));
814 #ifdef HAVE_JA3
815  strlcat(features, "HAVE_JA3 ", sizeof(features));
816 #endif
817 #ifdef HAVE_JA4
818  strlcat(features, "HAVE_JA4 ", sizeof(features));
819 #endif
820  strlcat(features, "HAVE_LIBJANSSON ", sizeof(features));
821 #ifdef PROFILING
822  strlcat(features, "PROFILING ", sizeof(features));
823 #endif
824 #ifdef PROFILE_LOCKING
825  strlcat(features, "PROFILE_LOCKING ", sizeof(features));
826 #endif
827 #ifdef BUILD_UNIX_SOCKET
828  strlcat(features, "UNIX_SOCKET ", sizeof(features));
829 #endif
830 #if defined(TLS_C11) || defined(TLS_GNU)
831  strlcat(features, "TLS ", sizeof(features));
832 #endif
833 #if defined(TLS_C11)
834  strlcat(features, "TLS_C11 ", sizeof(features));
835 #elif defined(TLS_GNU)
836  strlcat(features, "TLS_GNU ", sizeof(features));
837 #endif
838 #ifdef HAVE_MAGIC
839  strlcat(features, "MAGIC ", sizeof(features));
840 #endif
841  strlcat(features, "RUST ", sizeof(features));
842 #if defined(SC_ADDRESS_SANITIZER)
843  strlcat(features, "ASAN ", sizeof(features));
844 #endif
845 #if defined(HAVE_POPCNT64)
846  strlcat(features, "POPCNT64 ", sizeof(features));
847 #endif
848  if (strlen(features) == 0) {
849  strlcat(features, "none", sizeof(features));
850  }
851 
852  printf("Features: %s\n", features);
853 
854  /* SIMD stuff */
855  memset(features, 0x00, sizeof(features));
856 #if defined(__SSE4_2__)
857  strlcat(features, "SSE_4_2 ", sizeof(features));
858 #endif
859 #if defined(__SSE4_1__)
860  strlcat(features, "SSE_4_1 ", sizeof(features));
861 #endif
862 #if defined(__SSE3__)
863  strlcat(features, "SSE_3 ", sizeof(features));
864 #endif
865 #if defined(__SSE2__)
866  strlcat(features, "SSE_2 ", sizeof(features));
867 #endif
868  if (strlen(features) == 0) {
869  strlcat(features, "none", sizeof(features));
870  }
871  printf("SIMD support: %s\n", features);
872 
873  /* atomics stuff */
874  memset(features, 0x00, sizeof(features));
875 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
876  strlcat(features, "1 ", sizeof(features));
877 #endif
878 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
879  strlcat(features, "2 ", sizeof(features));
880 #endif
881 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
882  strlcat(features, "4 ", sizeof(features));
883 #endif
884 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
885  strlcat(features, "8 ", sizeof(features));
886 #endif
887 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
888  strlcat(features, "16 ", sizeof(features));
889 #endif
890  if (strlen(features) == 0) {
891  strlcat(features, "none", sizeof(features));
892  } else {
893  strlcat(features, "byte(s)", sizeof(features));
894  }
895  printf("Atomic intrinsics: %s\n", features);
896 
897 #if __WORDSIZE == 64
898  bits = "64-bits";
899 #elif __WORDSIZE == 32
900  bits = "32-bits";
901 #else
902  bits = "<unknown>-bits";
903 #endif
904 
905 #if __BYTE_ORDER == __BIG_ENDIAN
906  endian = "Big-endian";
907 #elif __BYTE_ORDER == __LITTLE_ENDIAN
908  endian = "Little-endian";
909 #else
910  endian = "<unknown>-endian";
911 #endif
912 
913  printf("%s, %s architecture\n", bits, endian);
914 #ifdef __GNUC__
915  printf("GCC version %s, C version %"PRIiMAX"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
916 #else
917  printf("C version %"PRIiMAX"\n", (intmax_t)__STDC_VERSION__);
918 #endif
919 
920 #if __SSP__ == 1
921  printf("compiled with -fstack-protector\n");
922 #endif
923 #if __SSP_ALL__ == 2
924  printf("compiled with -fstack-protector-all\n");
925 #endif
926 /*
927  * Workaround for special defines of _FORTIFY_SOURCE like
928  * FORTIFY_SOURCE=((defined __OPTIMIZE && OPTIMIZE > 0) ? 2 : 0)
929  * which is used by Gentoo for example and would result in the error
930  * 'defined' undeclared when _FORTIFY_SOURCE used via %d in printf func
931  *
932  */
933 #if _FORTIFY_SOURCE == 2
934  printf("compiled with _FORTIFY_SOURCE=2\n");
935 #elif _FORTIFY_SOURCE == 1
936  printf("compiled with _FORTIFY_SOURCE=1\n");
937 #elif _FORTIFY_SOURCE == 0
938  printf("compiled with _FORTIFY_SOURCE=0\n");
939 #endif
940 #ifdef CLS
941  printf("L1 cache line size (CLS)=%d\n", CLS);
942 #endif
943 #if defined(TLS_C11)
944  tls = "_Thread_local";
945 #elif defined(TLS_GNU)
946  tls = "__thread";
947 #else
948 #error "Unsupported thread local"
949 #endif
950  printf("thread local storage method: %s\n", tls);
951 
952  printf("compiled with %s\n", htp_get_version());
953  printf("\n");
954 #include "build-info.h"
955 }
956 
957 int coverage_unittests;
958 int g_ut_modules;
959 int g_ut_covered;
960 
961 void RegisterAllModules(void)
962 {
963  /* commanders */
964  TmModuleUnixManagerRegister();
965  /* managers */
966  TmModuleFlowManagerRegister();
967  TmModuleFlowRecyclerRegister();
968  TmModuleBypassedFlowManagerRegister();
969  /* nfq */
970  TmModuleReceiveNFQRegister();
971  TmModuleVerdictNFQRegister();
972  TmModuleDecodeNFQRegister();
973  /* ipfw */
974  TmModuleReceiveIPFWRegister();
975  TmModuleVerdictIPFWRegister();
976  TmModuleDecodeIPFWRegister();
977  /* pcap live */
978  TmModuleReceivePcapRegister();
979  TmModuleDecodePcapRegister();
980  /* pcap file */
981  TmModuleReceivePcapFileRegister();
982  TmModuleDecodePcapFileRegister();
983  /* af-packet */
984  TmModuleReceiveAFPRegister();
985  TmModuleDecodeAFPRegister();
986  /* af-xdp */
987  TmModuleReceiveAFXDPRegister();
988  TmModuleDecodeAFXDPRegister();
989  /* netmap */
990  TmModuleReceiveNetmapRegister();
991  TmModuleDecodeNetmapRegister();
992  /* dag file */
993  TmModuleReceiveErfFileRegister();
994  TmModuleDecodeErfFileRegister();
995  /* dag live */
996  TmModuleReceiveErfDagRegister();
997  TmModuleDecodeErfDagRegister();
998 
999  /* flow worker */
1000  TmModuleFlowWorkerRegister();
1001  /* respond-reject */
1002  TmModuleRespondRejectRegister();
1003 
1004  /* log api */
1005  TmModuleLoggerRegister();
1006  TmModuleStatsLoggerRegister();
1007 
1008  TmModuleDebugList();
1009  /* nflog */
1010  TmModuleReceiveNFLOGRegister();
1011  TmModuleDecodeNFLOGRegister();
1012 
1013  /* windivert */
1014  TmModuleReceiveWinDivertRegister();
1015  TmModuleVerdictWinDivertRegister();
1016  TmModuleDecodeWinDivertRegister();
1017 
1018  /* Dpdk */
1019  TmModuleReceiveDPDKRegister();
1020  TmModuleDecodeDPDKRegister();
1021 
1022  /* Library */
1023  TmModuleDecodeLibRegister();
1024 }
1025 
1026 TmEcode SCLoadYamlConfig(void)
1027 {
1028  SCEnter();
1029 
1030  SCInstance *suri = &suricata;
1031 
1032  if (suri->conf_filename == NULL)
1033  suri->conf_filename = DEFAULT_CONF_FILE;
1034 
1035  if (SCConfYamlLoadFile(suri->conf_filename) != 0) {
1036  /* Error already displayed. */
1037  SCReturnInt(TM_ECODE_FAILED);
1038  }
1039 
1040  if (suri->additional_configs) {
1041  for (int i = 0; suri->additional_configs[i] != NULL; i++) {
1042  SCLogConfig("Loading additional configuration file %s", suri->additional_configs[i]);
1043  SCConfYamlHandleInclude(SCConfGetRootNode(), suri->additional_configs[i]);
1044  }
1045  }
1046 
1047  SCReturnInt(TM_ECODE_OK);
1048 }
1049 
1050 static TmEcode ParseInterfacesList(const int runmode, char *pcap_dev)
1051 {
1052  SCEnter();
1053 
1054  /* run the selected runmode */
1055  if (runmode == RUNMODE_PCAP_DEV) {
1056  if (strlen(pcap_dev) == 0) {
1057  int ret = LiveBuildDeviceList("pcap");
1058  if (ret == 0) {
1059  SCLogError("No interface found in config for pcap");
1060  SCReturnInt(TM_ECODE_FAILED);
1061  }
1062  }
1063  } else if (runmode == RUNMODE_PLUGIN) {
1064  if (strcmp(suricata.capture_plugin_name, "pfring") == 0) {
1065  /* Special handling for pfring. */
1066  if (strlen(pcap_dev)) {
1067  if (SCConfSetFinal("pfring.live-interface", pcap_dev) != 1) {
1068  SCLogError("Failed to set pfring.live-interface");
1069  SCReturnInt(TM_ECODE_FAILED);
1070  }
1071  }
1072  }
1073 #ifdef HAVE_DPDK
1074  } else if (runmode == RUNMODE_DPDK) {
1075  char iface_selector[] = "dpdk.interfaces";
1076  int ret = LiveBuildDeviceList(iface_selector);
1077  if (ret == 0) {
1078  SCLogError("No interface found in config for %s", iface_selector);
1079  SCReturnInt(TM_ECODE_FAILED);
1080  }
1081 #endif
1082 #ifdef HAVE_AF_PACKET
1083  } else if (runmode == RUNMODE_AFP_DEV) {
1084  /* iface has been set on command line */
1085  if (strlen(pcap_dev)) {
1086  if (SCConfSetFinal("af-packet.live-interface", pcap_dev) != 1) {
1087  SCLogError("Failed to set af-packet.live-interface");
1088  SCReturnInt(TM_ECODE_FAILED);
1089  }
1090  } else {
1091  int ret = LiveBuildDeviceList("af-packet");
1092  if (ret == 0) {
1093  SCLogError("No interface found in config for af-packet");
1094  SCReturnInt(TM_ECODE_FAILED);
1095  }
1096  }
1097 #endif
1098 #ifdef HAVE_AF_XDP
1099  } else if (runmode == RUNMODE_AFXDP_DEV) {
1100  /* iface has been set on command line */
1101  if (strlen(pcap_dev)) {
1102  if (SCConfSetFinal("af-xdp.live-interface", pcap_dev) != 1) {
1103  SCLogError("Failed to set af-xdp.live-interface");
1104  SCReturnInt(TM_ECODE_FAILED);
1105  }
1106  } else {
1107  int ret = LiveBuildDeviceList("af-xdp");
1108  if (ret == 0) {
1109  SCLogError("No interface found in config for af-xdp");
1110  SCReturnInt(TM_ECODE_FAILED);
1111  }
1112  }
1113 #endif
1114 #ifdef HAVE_NETMAP
1115  } else if (runmode == RUNMODE_NETMAP) {
1116  /* iface has been set on command line */
1117  if (strlen(pcap_dev)) {
1118  if (SCConfSetFinal("netmap.live-interface", pcap_dev) != 1) {
1119  SCLogError("Failed to set netmap.live-interface");
1120  SCReturnInt(TM_ECODE_FAILED);
1121  }
1122  } else {
1123  int ret = LiveBuildDeviceList("netmap");
1124  if (ret == 0) {
1125  SCLogError("No interface found in config for netmap");
1126  SCReturnInt(TM_ECODE_FAILED);
1127  }
1128  }
1129 #endif
1130 #ifdef HAVE_NFLOG
1131  } else if (runmode == RUNMODE_NFLOG) {
1132  int ret = LiveBuildDeviceListCustom("nflog", "group");
1133  if (ret == 0) {
1134  SCLogError("No group found in config for nflog");
1135  SCReturnInt(TM_ECODE_FAILED);
1136  }
1137 #endif
1138  }
1139 
1140  SCReturnInt(TM_ECODE_OK);
1141 }
1142 
1143 static void SCInstanceInit(SCInstance *suri, const char *progname)
1144 {
1145  memset(suri, 0x00, sizeof(*suri));
1146 
1147  suri->progname = progname;
1148  suri->run_mode = RUNMODE_UNKNOWN;
1149 
1150  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1151  suri->sig_file = NULL;
1152  suri->sig_file_exclusive = false;
1153  suri->pid_filename = NULL;
1154  suri->regex_arg = NULL;
1155 
1156  suri->keyword_info = NULL;
1157  suri->runmode_custom_mode = NULL;
1158 #ifndef OS_WIN32
1159  suri->user_name = NULL;
1160  suri->group_name = NULL;
1161  suri->do_setuid = false;
1162  suri->do_setgid = false;
1163 #endif /* OS_WIN32 */
1164  suri->userid = 0;
1165  suri->groupid = 0;
1166  suri->delayed_detect = 0;
1167  suri->daemon = 0;
1168  suri->offline = 0;
1169  suri->verbose = 0;
1170  /* use -1 as unknown */
1171  suri->checksum_validation = -1;
1172 #if HAVE_DETECT_DISABLED==1
1173  g_detect_disabled = suri->disabled_detect = 1;
1174 #else
1175  g_detect_disabled = suri->disabled_detect = 0;
1176 #endif
1177 }
1178 
1179 const char *GetDocURL(void)
1180 {
1181  const char *prog_ver = GetProgramVersion();
1182  if (strstr(prog_ver, "RELEASE") != NULL) {
1183  return DOC_URL "suricata-" PROG_VER;
1184  }
1185  return DOC_URL "latest";
1186 }
1187 
1188 /** \brief get string with program version
1189  *
1190  * Get the program version as passed to us from AC_INIT
1191  *
1192  * Add 'RELEASE' is no '-dev' in the version. Add the REVISION if passed
1193  * to us.
1194  *
1195  * Possible outputs:
1196  * release: '5.0.1 RELEASE'
1197  * dev with rev: '5.0.1-dev (64a789bbf 2019-10-18)'
1198  * dev w/o rev: '5.0.1-dev'
1199  */
1200 const char *GetProgramVersion(void)
1201 {
1202  if (strstr(PROG_VER, "-dev") == NULL) {
1203  return PROG_VER " RELEASE";
1204  } else {
1205 #ifdef REVISION
1206  return PROG_VER " (" xstr(REVISION) ")";
1207 #else
1208  return PROG_VER;
1209 #endif
1210  }
1211 }
1212 
1213 static TmEcode PrintVersion(void)
1214 {
1215  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
1216  return TM_ECODE_OK;
1217 }
1218 
1219 static TmEcode LogVersion(SCInstance *suri)
1220 {
1221  const char *mode = suri->system ? "SYSTEM" : "USER";
1222  SCLogNotice("This is %s version %s running in %s mode",
1223  PROG_NAME, GetProgramVersion(), mode);
1224  return TM_ECODE_OK;
1225 }
1226 
1227 static void SCSetStartTime(SCInstance *suri)
1228 {
1229  memset(&suri->start_time, 0, sizeof(suri->start_time));
1230  gettimeofday(&suri->start_time, NULL);
1231 }
1232 
1233 static void SCPrintElapsedTime(struct timeval *start_time)
1234 {
1235  if (start_time == NULL)
1236  return;
1237  struct timeval end_time;
1238  memset(&end_time, 0, sizeof(end_time));
1239  gettimeofday(&end_time, NULL);
1240  uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1241  (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1242  SCLogInfo("time elapsed %.3fs", (float)milliseconds/(float)1000);
1243 }
1244 
1245 static int ParseCommandLineAfpacket(SCInstance *suri, const char *in_arg)
1246 {
1247 #ifdef HAVE_AF_PACKET
1248  if (suri->run_mode == RUNMODE_UNKNOWN) {
1249  suri->run_mode = RUNMODE_AFP_DEV;
1250  if (in_arg) {
1251  LiveRegisterDeviceName(in_arg);
1252  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1253  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1254  }
1255  } else if (suri->run_mode == RUNMODE_AFP_DEV) {
1256  if (in_arg) {
1257  LiveRegisterDeviceName(in_arg);
1258  } else {
1259  SCLogInfo("Multiple af-packet option without interface on each is useless");
1260  }
1261  } else {
1262  SCLogError("more than one run mode "
1263  "has been specified");
1264  PrintUsage(suri->progname);
1265  return TM_ECODE_FAILED;
1266  }
1267  return TM_ECODE_OK;
1268 #else
1269  SCLogError("AF_PACKET not enabled. On Linux "
1270  "host, make sure to pass --enable-af-packet to "
1271  "configure when building.");
1272  return TM_ECODE_FAILED;
1273 #endif
1274 }
1275 
1276 static int ParseCommandLineAfxdp(SCInstance *suri, const char *in_arg)
1277 {
1278 #ifdef HAVE_AF_XDP
1279  if (suri->run_mode == RUNMODE_UNKNOWN) {
1280  suri->run_mode = RUNMODE_AFXDP_DEV;
1281  if (in_arg) {
1282  LiveRegisterDeviceName(in_arg);
1283  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1284  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1285  }
1286  } else if (suri->run_mode == RUNMODE_AFXDP_DEV) {
1287  if (in_arg) {
1288  LiveRegisterDeviceName(in_arg);
1289  } else {
1290  SCLogInfo("Multiple af-xdp options without interface on each is useless");
1291  }
1292  } else {
1293  SCLogError("more than one run mode "
1294  "has been specified");
1295  PrintUsage(suri->progname);
1296  return TM_ECODE_FAILED;
1297  }
1298  return TM_ECODE_OK;
1299 #else
1300  SCLogError("AF_XDP not enabled. On Linux "
1301  "host, make sure correct libraries are installed,"
1302  " see documentation for information.");
1303  return TM_ECODE_FAILED;
1304 #endif
1305 }
1306 
1307 static int ParseCommandLineDpdk(SCInstance *suri, const char *in_arg)
1308 {
1309 #ifdef HAVE_DPDK
1310  if (suri->run_mode == RUNMODE_UNKNOWN) {
1311  suri->run_mode = RUNMODE_DPDK;
1312  } else if (suri->run_mode == RUNMODE_DPDK) {
1313  SCLogInfo("Multiple dpdk options have no effect on Suricata");
1314  } else {
1315  SCLogError("more than one run mode "
1316  "has been specified");
1317  PrintUsage(suri->progname);
1318  return TM_ECODE_FAILED;
1319  }
1320  return TM_ECODE_OK;
1321 #else
1322  SCLogError("DPDK not enabled. On Linux "
1323  "host, make sure to pass --enable-dpdk to "
1324  "configure when building.");
1325  return TM_ECODE_FAILED;
1326 #endif
1327 }
1328 
1329 static int ParseCommandLinePcapLive(SCInstance *suri, const char *in_arg)
1330 {
1331 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1332  /* If running on Windows without Npcap, bail early as live capture is not supported. */
1333  FatalError("Live capture not available. To support live capture compile against Npcap.");
1334 #endif
1335  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1336 
1337  if (in_arg != NULL) {
1338  /* some windows shells require escaping of the \ in \Device. Otherwise
1339  * the backslashes are stripped. We put them back here. */
1340  if (strlen(in_arg) > 9 && strncmp(in_arg, "DeviceNPF", 9) == 0) {
1341  snprintf(suri->pcap_dev, sizeof(suri->pcap_dev), "\\Device\\NPF%s", in_arg+9);
1342  } else {
1343  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1344  PcapTranslateIPToDevice(suri->pcap_dev, sizeof(suri->pcap_dev));
1345  }
1346 
1347  if (strcmp(suri->pcap_dev, in_arg) != 0) {
1348  SCLogInfo("translated %s to pcap device %s", in_arg, suri->pcap_dev);
1349  } else if (strlen(suri->pcap_dev) > 0 && isdigit((unsigned char)suri->pcap_dev[0])) {
1350  SCLogError("failed to find a pcap device for IP %s", in_arg);
1351  return TM_ECODE_FAILED;
1352  }
1353  }
1354 
1355  if (suri->run_mode == RUNMODE_UNKNOWN) {
1356  suri->run_mode = RUNMODE_PCAP_DEV;
1357  if (in_arg) {
1358  LiveRegisterDeviceName(suri->pcap_dev);
1359  }
1360  } else if (suri->run_mode == RUNMODE_PCAP_DEV) {
1361  LiveRegisterDeviceName(suri->pcap_dev);
1362  } else {
1363  SCLogError("more than one run mode "
1364  "has been specified");
1365  PrintUsage(suri->progname);
1366  return TM_ECODE_FAILED;
1367  }
1368  return TM_ECODE_OK;
1369 }
1370 
1371 /**
1372  * Helper function to check if log directory is writable
1373  */
1374 static bool IsLogDirectoryWritable(const char* str)
1375 {
1376  if (access(str, W_OK) == 0)
1377  return true;
1378  return false;
1379 }
1380 
1381 extern int g_skip_prefilter;
1382 
1383 TmEcode SCParseCommandLine(int argc, char **argv)
1384 {
1385  SCInstance *suri = &suricata;
1386  int opt;
1387 
1388  int dump_config = 0;
1389  int dump_features = 0;
1390  int list_app_layer_protocols = 0;
1391  int list_rule_protocols = 0;
1392  int list_app_layer_hooks = 0;
1393  int list_app_layer_frames = 0;
1394  int list_unittests = 0;
1395  int list_runmodes = 0;
1396  int list_keywords = 0;
1397  int build_info = 0;
1398  int conf_test = 0;
1399  int engine_analysis = 0;
1400  int ret = TM_ECODE_OK;
1401  int is_firewall = 0;
1402 
1403 #ifdef UNITTESTS
1404  coverage_unittests = 0;
1405  g_ut_modules = 0;
1406  g_ut_covered = 0;
1407 #endif
1408 
1409  // clang-format off
1410  struct option long_opts[] = {
1411  {"help", 0, 0, 0},
1412  {"dump-config", 0, &dump_config, 1},
1413  {"dump-features", 0, &dump_features, 1},
1414  {"pfring", optional_argument, 0, 0},
1415  {"pfring-int", required_argument, 0, 0},
1416  {"pfring-cluster-id", required_argument, 0, 0},
1417  {"pfring-cluster-type", required_argument, 0, 0},
1418 #ifdef HAVE_DPDK
1419  {"dpdk", 0, 0, 0},
1420 #endif
1421  {"af-packet", optional_argument, 0, 0},
1422  {"af-xdp", optional_argument, 0, 0},
1423  {"netmap", optional_argument, 0, 0},
1424  {"pcap", optional_argument, 0, 0},
1425  {"pcap-file-continuous", 0, 0, 0},
1426  {"pcap-file-delete", 0, 0, 0},
1427  {"pcap-file-recursive", 0, 0, 0},
1428  {"pcap-file-buffer-size", required_argument, 0, 0},
1429  {"simulate-ips", 0, 0 , 0},
1430  {"no-random", 0, &g_disable_randomness, 1},
1431  {"strict-rule-keywords", optional_argument, 0, 0},
1432 
1433  {"capture-plugin", required_argument, 0, 0},
1434  {"capture-plugin-args", required_argument, 0, 0},
1435 
1436 #ifdef BUILD_UNIX_SOCKET
1437  {"unix-socket", optional_argument, 0, 0},
1438 #endif
1439  {"pcap-buffer-size", required_argument, 0, 0},
1440  {"unittest-filter", required_argument, 0, 'U'},
1441  {"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1442  {"list-rule-protos", 0, &list_rule_protocols, 1},
1443  {"list-app-layer-hooks", 0, &list_app_layer_hooks, 1},
1444  {"list-app-layer-frames", 0, &list_app_layer_frames, 1},
1445  {"list-unittests", 0, &list_unittests, 1},
1446  {"list-runmodes", 0, &list_runmodes, 1},
1447  {"list-keywords", optional_argument, &list_keywords, 1},
1448  {"runmode", required_argument, NULL, 0},
1449  {"engine-analysis", 0, &engine_analysis, 1},
1450 #ifdef OS_WIN32
1451  {"service-install", 0, 0, 0},
1452  {"service-remove", 0, 0, 0},
1453  {"service-change-params", 0, 0, 0},
1454 #endif /* OS_WIN32 */
1455  {"pidfile", required_argument, 0, 0},
1456  {"init-errors-fatal", 0, 0, 0},
1457  {"disable-detection", 0, 0, 0},
1458  {"disable-hashing", 0, 0, 0},
1459  {"fatal-unittests", 0, 0, 0},
1460  {"unittests-coverage", 0, &coverage_unittests, 1},
1461  {"user", required_argument, 0, 0},
1462  {"group", required_argument, 0, 0},
1463  {"erf-in", required_argument, 0, 0},
1464  {"dag", required_argument, 0, 0},
1465  {"build-info", 0, &build_info, 1},
1466  {"data-dir", required_argument, 0, 0},
1467 #ifdef WINDIVERT
1468  {"windivert", required_argument, 0, 0},
1469  {"windivert-forward", required_argument, 0, 0},
1470 #endif
1471 #ifdef HAVE_LIBNET11
1472  {"reject-dev", required_argument, 0, 0},
1473 #endif
1474  {"set", required_argument, 0, 0},
1475 #ifdef HAVE_NFLOG
1476  {"nflog", optional_argument, 0, 0},
1477 #endif
1478  {"simulate-packet-flow-memcap", required_argument, 0, 0},
1479  {"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1480  {"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1481  {"simulate-packet-loss", required_argument, 0, 0},
1482  {"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1483  {"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1484  {"simulate-packet-defrag-memcap", required_argument, 0, 0},
1485  {"simulate-alert-queue-realloc-failure", 0, 0, 0},
1486 
1487  {"qa-skip-prefilter", 0, &g_skip_prefilter, 1 },
1488 
1489  {"firewall", 0, &is_firewall, 1 },
1490  {"firewall-rules-exclusive", required_argument, 0, 0},
1491 
1492  {"include", required_argument, 0, 0},
1493 
1494  {NULL, 0, NULL, 0}
1495  };
1496  // clang-format on
1497 
1498  /* getopt_long stores the option index here. */
1499  int option_index = 0;
1500 
1501  char short_opts[] = "c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1502 
1503  while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1504  switch (opt) {
1505  case 0:
1506  if (strcmp((long_opts[option_index]).name, "help") == 0) {
1507  suri->run_mode = RUNMODE_PRINT_USAGE;
1508  return TM_ECODE_OK;
1509  } else if (strcmp((long_opts[option_index]).name, "pfring") == 0 ||
1510  strcmp((long_opts[option_index]).name, "pfring-int") == 0) {
1511 #ifdef HAVE_PFRING
1512  /* TODO: Which plugin? */
1513  suri->run_mode = RUNMODE_PLUGIN;
1514  suri->capture_plugin_name = "pfring";
1515  if (optarg != NULL) {
1516  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1517  strlcpy(suri->pcap_dev, optarg,
1518  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1519  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1520  LiveRegisterDeviceName(optarg);
1521  }
1522 #else
1523  SCLogError("PF_RING not enabled. Make sure "
1524  "to pass --enable-pfring to configure when building.");
1525  return TM_ECODE_FAILED;
1526 #endif /* HAVE_PFRING */
1527  } else if (strcmp((long_opts[option_index]).name, "pfring-cluster-id") == 0) {
1528 #ifdef HAVE_PFRING
1529  if (SCConfSetFinal("pfring.cluster-id", optarg) != 1) {
1530  SCLogError("failed to set pfring.cluster-id");
1531  return TM_ECODE_FAILED;
1532  }
1533 #else
1534  SCLogError("PF_RING not enabled. Make sure "
1535  "to pass --enable-pfring to configure when building.");
1536  return TM_ECODE_FAILED;
1537 #endif /* HAVE_PFRING */
1538  } else if (strcmp((long_opts[option_index]).name, "pfring-cluster-type") == 0) {
1539 #ifdef HAVE_PFRING
1540  if (SCConfSetFinal("pfring.cluster-type", optarg) != 1) {
1541  SCLogError("failed to set pfring.cluster-type");
1542  return TM_ECODE_FAILED;
1543  }
1544 #else
1545  SCLogError("PF_RING not enabled. Make sure "
1546  "to pass --enable-pfring to configure when building.");
1547  return TM_ECODE_FAILED;
1548 #endif /* HAVE_PFRING */
1549  } else if (strcmp((long_opts[option_index]).name, "capture-plugin") == 0) {
1550  suri->run_mode = RUNMODE_PLUGIN;
1551  suri->capture_plugin_name = optarg;
1552  } else if (strcmp((long_opts[option_index]).name, "capture-plugin-args") == 0) {
1553  suri->capture_plugin_args = optarg;
1554  } else if (strcmp((long_opts[option_index]).name, "dpdk") == 0) {
1555  if (ParseCommandLineDpdk(suri, optarg) != TM_ECODE_OK) {
1556  return TM_ECODE_FAILED;
1557  }
1558  } else if (strcmp((long_opts[option_index]).name, "af-packet") == 0) {
1559  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1560  return TM_ECODE_FAILED;
1561  }
1562  } else if (strcmp((long_opts[option_index]).name, "af-xdp") == 0) {
1563  if (ParseCommandLineAfxdp(suri, optarg) != TM_ECODE_OK) {
1564  return TM_ECODE_FAILED;
1565  }
1566  } else if (strcmp((long_opts[option_index]).name, "netmap") == 0) {
1567 #ifdef HAVE_NETMAP
1568  if (suri->run_mode == RUNMODE_UNKNOWN) {
1569  suri->run_mode = RUNMODE_NETMAP;
1570  if (optarg) {
1571  LiveRegisterDeviceName(optarg);
1572  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1573  strlcpy(suri->pcap_dev, optarg,
1574  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1575  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1576  }
1577  } else if (suri->run_mode == RUNMODE_NETMAP) {
1578  if (optarg) {
1579  LiveRegisterDeviceName(optarg);
1580  } else {
1581  SCLogInfo("Multiple netmap option without interface on each is useless");
1582  break;
1583  }
1584  } else {
1585  SCLogError("more than one run mode "
1586  "has been specified");
1587  PrintUsage(argv[0]);
1588  return TM_ECODE_FAILED;
1589  }
1590 #else
1591  SCLogError("NETMAP not enabled.");
1592  return TM_ECODE_FAILED;
1593 #endif
1594  } else if (strcmp((long_opts[option_index]).name, "nflog") == 0) {
1595 #ifdef HAVE_NFLOG
1596  if (suri->run_mode == RUNMODE_UNKNOWN) {
1597  suri->run_mode = RUNMODE_NFLOG;
1598  LiveBuildDeviceListCustom("nflog", "group");
1599  }
1600 #else
1601  SCLogError("NFLOG not enabled.");
1602  return TM_ECODE_FAILED;
1603 #endif /* HAVE_NFLOG */
1604  } else if (strcmp((long_opts[option_index]).name, "pcap") == 0) {
1605  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1606  return TM_ECODE_FAILED;
1607  }
1608  } else if (strcmp((long_opts[option_index]).name, "simulate-ips") == 0) {
1609  SCLogInfo("Setting IPS mode");
1610  EngineModeSetIPS();
1611  } else if (strcmp((long_opts[option_index]).name, "init-errors-fatal") == 0) {
1612  if (SCConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1613  SCLogError("failed to set engine init-failure-fatal");
1614  return TM_ECODE_FAILED;
1615  }
1616 #ifdef BUILD_UNIX_SOCKET
1617  } else if (strcmp((long_opts[option_index]).name , "unix-socket") == 0) {
1618  if (suri->run_mode == RUNMODE_UNKNOWN) {
1619  suri->run_mode = RUNMODE_UNIX_SOCKET;
1620  if (optarg) {
1621  if (SCConfSetFinal("unix-command.filename", optarg) != 1) {
1622  SCLogError("failed to set unix-command.filename");
1623  return TM_ECODE_FAILED;
1624  }
1625  }
1626  } else {
1627  SCLogError("more than one run mode "
1628  "has been specified");
1629  PrintUsage(argv[0]);
1630  return TM_ECODE_FAILED;
1631  }
1632 #endif
1633  }
1634  else if(strcmp((long_opts[option_index]).name, "list-app-layer-protocols") == 0) {
1635  /* listing all supported app layer protocols */
1636  } else if (strcmp((long_opts[option_index]).name, "list-app-layer-hooks") == 0) {
1637  /* listing all supported app layer hooks */
1638  } else if (strcmp((long_opts[option_index]).name, "list-unittests") == 0) {
1639 #ifdef UNITTESTS
1640  suri->run_mode = RUNMODE_LIST_UNITTEST;
1641 #else
1642  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1643  "configure when building");
1644  return TM_ECODE_FAILED;
1645 #endif /* UNITTESTS */
1646  } else if (strcmp((long_opts[option_index]).name, "list-runmodes") == 0) {
1647  suri->run_mode = RUNMODE_LIST_RUNMODES;
1648  return TM_ECODE_OK;
1649  } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
1650  if (optarg) {
1651  if (strcmp("short", optarg) != 0) {
1652  suri->keyword_info = optarg;
1653  }
1654  }
1655  } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
1656  suri->runmode_custom_mode = optarg;
1657  } else if (strcmp((long_opts[option_index]).name, "engine-analysis") == 0) {
1658  // do nothing for now
1659  }
1660 #ifdef OS_WIN32
1661  else if (strcmp((long_opts[option_index]).name, "service-install") == 0) {
1662  suri->run_mode = RUNMODE_INSTALL_SERVICE;
1663  return TM_ECODE_OK;
1664  } else if (strcmp((long_opts[option_index]).name, "service-remove") == 0) {
1665  suri->run_mode = RUNMODE_REMOVE_SERVICE;
1666  return TM_ECODE_OK;
1667  } else if (strcmp((long_opts[option_index]).name, "service-change-params") == 0) {
1668  suri->run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1669  return TM_ECODE_OK;
1670  }
1671 #endif /* OS_WIN32 */
1672  else if (strcmp((long_opts[option_index]).name, "pidfile") == 0) {
1673  suri->pid_filename = SCStrdup(optarg);
1674  if (suri->pid_filename == NULL) {
1675  SCLogError("strdup failed: %s", strerror(errno));
1676  return TM_ECODE_FAILED;
1677  }
1678  } else if (strcmp((long_opts[option_index]).name, "disable-detection") == 0) {
1679  g_detect_disabled = suri->disabled_detect = 1;
1680  } else if (strcmp((long_opts[option_index]).name, "disable-hashing") == 0) {
1681  g_disable_hashing = true;
1682  // for rust
1683  SCDisableHashing();
1684  } else if (strcmp((long_opts[option_index]).name, "fatal-unittests") == 0) {
1685 #ifdef UNITTESTS
1686  unittests_fatal = 1;
1687 #else
1688  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1689  "configure when building");
1690  return TM_ECODE_FAILED;
1691 #endif /* UNITTESTS */
1692  } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
1693 #ifndef HAVE_LIBCAP_NG
1694  SCLogError("libcap-ng is required to"
1695  " drop privileges, but it was not compiled into Suricata.");
1696  return TM_ECODE_FAILED;
1697 #else
1698  suri->user_name = optarg;
1699  suri->do_setuid = true;
1700 #endif /* HAVE_LIBCAP_NG */
1701  } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
1702 #ifndef HAVE_LIBCAP_NG
1703  SCLogError("libcap-ng is required to"
1704  " drop privileges, but it was not compiled into Suricata.");
1705  return TM_ECODE_FAILED;
1706 #else
1707  suri->group_name = optarg;
1708  suri->do_setgid = true;
1709 #endif /* HAVE_LIBCAP_NG */
1710  } else if (strcmp((long_opts[option_index]).name, "erf-in") == 0) {
1711  suri->run_mode = RUNMODE_ERF_FILE;
1712  if (SCConfSetFinal("erf-file.file", optarg) != 1) {
1713  SCLogError("failed to set erf-file.file");
1714  return TM_ECODE_FAILED;
1715  }
1716  } else if (strcmp((long_opts[option_index]).name, "dag") == 0) {
1717 #ifdef HAVE_DAG
1718  if (suri->run_mode == RUNMODE_UNKNOWN) {
1719  suri->run_mode = RUNMODE_DAG;
1720  }
1721  else if (suri->run_mode != RUNMODE_DAG) {
1722  SCLogError("more than one run mode has been specified");
1723  PrintUsage(argv[0]);
1724  return TM_ECODE_FAILED;
1725  }
1726  LiveRegisterDeviceName(optarg);
1727 #else
1728  SCLogError("libdag and a DAG card are required"
1729  " to receive packets using --dag.");
1730  return TM_ECODE_FAILED;
1731 #endif /* HAVE_DAG */
1732  } else if (strcmp((long_opts[option_index]).name, "napatech") == 0) {
1733 #ifdef HAVE_NAPATECH
1734  suri->run_mode = RUNMODE_PLUGIN;
1735 #else
1736  SCLogError("libntapi and a Napatech adapter are required"
1737  " to capture packets using --napatech.");
1738  return TM_ECODE_FAILED;
1739 #endif /* HAVE_NAPATECH */
1740  } else if (strcmp((long_opts[option_index]).name, "pcap-buffer-size") == 0) {
1741 #ifdef HAVE_PCAP_SET_BUFF
1742  if (SCConfSetFinal("pcap.buffer-size", optarg) != 1) {
1743  SCLogError("failed to set pcap-buffer-size");
1744  return TM_ECODE_FAILED;
1745  }
1746 #else
1747  SCLogError("The version of libpcap you have"
1748  " doesn't support setting buffer size.");
1749 #endif /* HAVE_PCAP_SET_BUFF */
1750  } else if (strcmp((long_opts[option_index]).name, "build-info") == 0) {
1751  suri->run_mode = RUNMODE_PRINT_BUILDINFO;
1752  return TM_ECODE_OK;
1753  } else if (strcmp((long_opts[option_index]).name, "windivert-forward") == 0) {
1754 #ifdef WINDIVERT
1755  if (suri->run_mode == RUNMODE_UNKNOWN) {
1756  suri->run_mode = RUNMODE_WINDIVERT;
1757  if (WinDivertRegisterQueue(true, optarg) == -1) {
1758  exit(EXIT_FAILURE);
1759  }
1760  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1761  if (WinDivertRegisterQueue(true, optarg) == -1) {
1762  exit(EXIT_FAILURE);
1763  }
1764  } else {
1765  SCLogError("more than one run mode "
1766  "has been specified");
1767  PrintUsage(argv[0]);
1768  exit(EXIT_FAILURE);
1769  }
1770  }
1771  else if(strcmp((long_opts[option_index]).name, "windivert") == 0) {
1772  if (suri->run_mode == RUNMODE_UNKNOWN) {
1773  suri->run_mode = RUNMODE_WINDIVERT;
1774  if (WinDivertRegisterQueue(false, optarg) == -1) {
1775  exit(EXIT_FAILURE);
1776  }
1777  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1778  if (WinDivertRegisterQueue(false, optarg) == -1) {
1779  exit(EXIT_FAILURE);
1780  }
1781  } else {
1782  SCLogError("more than one run mode "
1783  "has been specified");
1784  PrintUsage(argv[0]);
1785  exit(EXIT_FAILURE);
1786  }
1787 #else
1788  SCLogError("WinDivert not enabled. Make sure to pass --enable-windivert to "
1789  "configure when building.");
1790  return TM_ECODE_FAILED;
1791 #endif /* WINDIVERT */
1792  } else if(strcmp((long_opts[option_index]).name, "reject-dev") == 0) {
1793 #ifdef HAVE_LIBNET11
1794  BUG_ON(optarg == NULL); /* for static analysis */
1795  extern char *g_reject_dev;
1796  extern uint16_t g_reject_dev_mtu;
1797  g_reject_dev = optarg;
1798  int mtu = GetIfaceMTU(g_reject_dev);
1799  if (mtu > 0) {
1800  g_reject_dev_mtu = (uint16_t)mtu;
1801  }
1802 #else
1803  SCLogError("Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1804  return TM_ECODE_FAILED;
1805 #endif
1806  }
1807  else if (strcmp((long_opts[option_index]).name, "set") == 0) {
1808  if (optarg != NULL) {
1809  /* Quick validation. */
1810  char *val = strchr(optarg, '=');
1811  if (val == NULL) {
1812  FatalError("Invalid argument for --set, must be key=val.");
1813  }
1814  if (!SCConfSetFromString(optarg, 1)) {
1815  FatalError("failed to set configuration value %s", optarg);
1816  }
1817  }
1818  }
1819  else if (strcmp((long_opts[option_index]).name, "pcap-file-continuous") == 0) {
1820  if (SCConfSetFinal("pcap-file.continuous", "true") != 1) {
1821  SCLogError("Failed to set pcap-file.continuous");
1822  return TM_ECODE_FAILED;
1823  }
1824  }
1825  else if (strcmp((long_opts[option_index]).name, "pcap-file-delete") == 0) {
1826  if (SCConfSetFinal("pcap-file.delete-when-done", "true") != 1) {
1827  SCLogError("Failed to set pcap-file.delete-when-done");
1828  return TM_ECODE_FAILED;
1829  }
1830  }
1831  else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
1832  if (SCConfSetFinal("pcap-file.recursive", "true") != 1) {
1833  SCLogError("failed to set pcap-file.recursive");
1834  return TM_ECODE_FAILED;
1835  }
1836  } else if (strcmp((long_opts[option_index]).name, "pcap-file-buffer-size") == 0) {
1837  if (SCConfSetFinal("pcap-file.buffer-size", optarg) != 1) {
1838  SCLogError("failed to set pcap-file.buffer-size");
1839  return TM_ECODE_FAILED;
1840  }
1841  } else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
1842  if (optarg == NULL) {
1843  SCLogError("no option argument (optarg) for -d");
1844  return TM_ECODE_FAILED;
1845  }
1846 
1847  if (ConfigSetDataDirectory(optarg) != TM_ECODE_OK) {
1848  SCLogError("Failed to set data directory.");
1849  return TM_ECODE_FAILED;
1850  }
1851  if (ConfigCheckDataDirectory(optarg) != TM_ECODE_OK) {
1852  SCLogError("The data directory \"%s\""
1853  " supplied at the command-line (-d %s) doesn't "
1854  "exist. Shutting down the engine.",
1855  optarg, optarg);
1856  return TM_ECODE_FAILED;
1857  }
1858  suri->set_datadir = true;
1859  } else if (strcmp((long_opts[option_index]).name, "strict-rule-keywords") == 0) {
1860  if (optarg == NULL) {
1861  suri->strict_rule_parsing_string = SCStrdup("all");
1862  } else {
1863  suri->strict_rule_parsing_string = SCStrdup(optarg);
1864  }
1865  if (suri->strict_rule_parsing_string == NULL) {
1866  FatalError("failed to duplicate 'strict' string");
1867  }
1868  } else if (strcmp((long_opts[option_index]).name, "include") == 0) {
1869  if (suri->additional_configs == NULL) {
1870  suri->additional_configs = SCCalloc(2, sizeof(char *));
1871  if (suri->additional_configs == NULL) {
1872  FatalError(
1873  "Failed to allocate memory for additional configuration files: %s",
1874  strerror(errno));
1875  }
1876  suri->additional_configs[0] = optarg;
1877  } else {
1878  for (int i = 0;; i++) {
1879  if (suri->additional_configs[i] == NULL) {
1880  const char **additional_configs =
1881  SCRealloc(suri->additional_configs, (i + 2) * sizeof(char *));
1882  if (additional_configs == NULL) {
1883  FatalError("Failed to allocate memory for additional configuration "
1884  "files: %s",
1885  strerror(errno));
1886  } else {
1887  suri->additional_configs = additional_configs;
1888  }
1889  suri->additional_configs[i] = optarg;
1890  suri->additional_configs[i + 1] = NULL;
1891  break;
1892  }
1893  }
1894  }
1895  } else if (strcmp((long_opts[option_index]).name, "firewall-rules-exclusive") == 0) {
1896  if (suri->firewall_rule_file != NULL) {
1897  SCLogError("can't have multiple --firewall-rules-exclusive options");
1898  return TM_ECODE_FAILED;
1899  }
1900  suri->firewall_rule_file = optarg;
1901  suri->firewall_rule_file_exclusive = true;
1902  suri->is_firewall = true;
1903  } else {
1904  int r = ExceptionSimulationCommandLineParser(
1905  (long_opts[option_index]).name, optarg);
1906  if (r < 0)
1907  return TM_ECODE_FAILED;
1908  }
1909  break;
1910  case 'c':
1911  suri->conf_filename = optarg;
1912  break;
1913  case 'T':
1914  conf_test = 1;
1915  if (SCConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1916  SCLogError("failed to set engine init-failure-fatal");
1917  return TM_ECODE_FAILED;
1918  }
1919  break;
1920 #ifndef OS_WIN32
1921  case 'D':
1922  suri->daemon = 1;
1923  break;
1924 #endif /* OS_WIN32 */
1925  case 'h':
1926  suri->run_mode = RUNMODE_PRINT_USAGE;
1927  return TM_ECODE_OK;
1928  case 'i':
1929  if (optarg == NULL) {
1930  SCLogError("no option argument (optarg) for -i");
1931  return TM_ECODE_FAILED;
1932  }
1933 #ifdef HAVE_AF_PACKET
1934  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1935  return TM_ECODE_FAILED;
1936  }
1937 #else /* not afpacket */
1938  /* warn user if netmap is available */
1939 #if defined HAVE_NETMAP
1940  int i = 0;
1941 #ifdef HAVE_NETMAP
1942  i++;
1943 #endif
1944  SCLogWarning("faster capture "
1945  "option%s %s available:"
1946 #ifdef HAVE_NETMAP
1947  " NETMAP (--netmap=%s)"
1948 #endif
1949  ". Use --pcap=%s to suppress this warning",
1950  i == 1 ? "" : "s", i == 1 ? "is" : "are"
1951 #ifdef HAVE_NETMAP
1952  ,
1953  optarg
1954 #endif
1955  ,
1956  optarg);
1957 #endif /* have faster methods */
1958  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1959  return TM_ECODE_FAILED;
1960  }
1961 #endif
1962  break;
1963  case 'l':
1964  if (optarg == NULL) {
1965  SCLogError("no option argument (optarg) for -l");
1966  return TM_ECODE_FAILED;
1967  }
1968 
1969  if (ConfigSetLogDirectory(optarg) != TM_ECODE_OK) {
1970  SCLogError("Failed to set log directory.");
1971  return TM_ECODE_FAILED;
1972  }
1973  if (ConfigCheckLogDirectoryExists(optarg) != TM_ECODE_OK) {
1974  SCLogError("The logging directory \"%s\""
1975  " supplied at the command-line (-l %s) doesn't "
1976  "exist. Shutting down the engine.",
1977  optarg, optarg);
1978  return TM_ECODE_FAILED;
1979  }
1980  if (!IsLogDirectoryWritable(optarg)) {
1981  SCLogError("The logging directory \"%s\""
1982  " supplied at the command-line (-l %s) is not "
1983  "writable. Shutting down the engine.",
1984  optarg, optarg);
1985  return TM_ECODE_FAILED;
1986  }
1987  suri->set_logdir = true;
1988 
1989  break;
1990  case 'q':
1991 #ifdef NFQ
1992  if (suri->run_mode == RUNMODE_UNKNOWN) {
1993  suri->run_mode = RUNMODE_NFQ;
1994  EngineModeSetIPS();
1995  if (NFQParseAndRegisterQueues(optarg) == -1)
1996  return TM_ECODE_FAILED;
1997  } else if (suri->run_mode == RUNMODE_NFQ) {
1998  if (NFQParseAndRegisterQueues(optarg) == -1)
1999  return TM_ECODE_FAILED;
2000  } else {
2001  SCLogError("more than one run mode "
2002  "has been specified");
2003  PrintUsage(argv[0]);
2004  return TM_ECODE_FAILED;
2005  }
2006 #else
2007  SCLogError("NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when "
2008  "building.");
2009  return TM_ECODE_FAILED;
2010 #endif /* NFQ */
2011  break;
2012  case 'd':
2013 #ifdef IPFW
2014  if (suri->run_mode == RUNMODE_UNKNOWN) {
2015  suri->run_mode = RUNMODE_IPFW;
2016  EngineModeSetIPS();
2017  if (IPFWRegisterQueue(optarg) == -1)
2018  return TM_ECODE_FAILED;
2019  } else if (suri->run_mode == RUNMODE_IPFW) {
2020  if (IPFWRegisterQueue(optarg) == -1)
2021  return TM_ECODE_FAILED;
2022  } else {
2023  SCLogError("more than one run mode "
2024  "has been specified");
2025  PrintUsage(argv[0]);
2026  return TM_ECODE_FAILED;
2027  }
2028 #else
2029  SCLogError("IPFW not enabled. Make sure to pass --enable-ipfw to configure when "
2030  "building.");
2031  return TM_ECODE_FAILED;
2032 #endif /* IPFW */
2033  break;
2034  case 'r':
2035  BUG_ON(optarg == NULL); /* for static analysis */
2036  if (suri->run_mode == RUNMODE_UNKNOWN) {
2037  suri->run_mode = RUNMODE_PCAP_FILE;
2038  } else {
2039  SCLogError("more than one run mode "
2040  "has been specified");
2041  PrintUsage(argv[0]);
2042  return TM_ECODE_FAILED;
2043  }
2044  SCStat buf;
2045  if (SCStatFn(optarg, &buf) != 0) {
2046  SCLogError("pcap file '%s': %s", optarg, strerror(errno));
2047  return TM_ECODE_FAILED;
2048  }
2049  if (SCConfSetFinal("pcap-file.file", optarg) != 1) {
2050  SCLogError("ERROR: Failed to set pcap-file.file\n");
2051  return TM_ECODE_FAILED;
2052  }
2053 
2054  break;
2055  case 's':
2056  if (suri->sig_file != NULL) {
2057  SCLogError("can't have multiple -s options or mix -s and -S.");
2058  return TM_ECODE_FAILED;
2059  }
2060  suri->sig_file = optarg;
2061  break;
2062  case 'S':
2063  if (suri->sig_file != NULL) {
2064  SCLogError("can't have multiple -S options or mix -s and -S.");
2065  return TM_ECODE_FAILED;
2066  }
2067  suri->sig_file = optarg;
2068  suri->sig_file_exclusive = true;
2069  break;
2070  case 'u':
2071 #ifdef UNITTESTS
2072  if (suri->run_mode == RUNMODE_UNKNOWN) {
2073  suri->run_mode = RUNMODE_UNITTEST;
2074  } else {
2075  SCLogError("more than one run mode has"
2076  " been specified");
2077  PrintUsage(argv[0]);
2078  return TM_ECODE_FAILED;
2079  }
2080 #else
2081  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to configure "
2082  "when building.");
2083  return TM_ECODE_FAILED;
2084 #endif /* UNITTESTS */
2085  break;
2086  case 'U':
2087 #ifdef UNITTESTS
2088  suri->regex_arg = optarg;
2089 
2090  if(strlen(suri->regex_arg) == 0)
2091  suri->regex_arg = NULL;
2092 #endif
2093  break;
2094  case 'V':
2095  suri->run_mode = RUNMODE_PRINT_VERSION;
2096  return TM_ECODE_OK;
2097  case 'F':
2098  if (optarg == NULL) {
2099  SCLogError("no option argument (optarg) for -F");
2100  return TM_ECODE_FAILED;
2101  }
2102 
2103  SetBpfStringFromFile(optarg);
2104  break;
2105  case 'v': {
2106  static bool ignore_extra = false;
2107  if (suri->verbose < VERBOSE_MAX)
2108  suri->verbose++;
2109  else if (!ignore_extra) {
2110  SCLogNotice("extraneous verbose option(s) ignored");
2111  ignore_extra = true;
2112  }
2113  } break;
2114  case 'k':
2115  if (optarg == NULL) {
2116  SCLogError("no option argument (optarg) for -k");
2117  return TM_ECODE_FAILED;
2118  }
2119  if (!strcmp("all", optarg))
2120  suri->checksum_validation = 1;
2121  else if (!strcmp("none", optarg))
2122  suri->checksum_validation = 0;
2123  else {
2124  SCLogError("option '%s' invalid for -k", optarg);
2125  return TM_ECODE_FAILED;
2126  }
2127  break;
2128  default:
2129  PrintUsage(argv[0]);
2130  return TM_ECODE_FAILED;
2131  }
2132  }
2133 
2134  if (is_firewall) {
2135  suri->is_firewall = true;
2136  }
2137 
2138  if (suri->disabled_detect && (suri->sig_file != NULL || suri->firewall_rule_file != NULL)) {
2139  SCLogError("can't use -s/-S or --firewall-rules-exclusive when detection is disabled");
2140  return TM_ECODE_FAILED;
2141  }
2142 
2143  /* save the runmode from the command-line (if any) */
2144  suri->aux_run_mode = suri->run_mode;
2145 
2146  if (list_app_layer_protocols)
2147  suri->run_mode = RUNMODE_LIST_APP_LAYERS;
2148  if (list_rule_protocols)
2149  suri->run_mode = RUNMODE_LIST_RULE_PROTOS;
2150  if (list_app_layer_hooks)
2151  suri->run_mode = RUNMODE_LIST_APP_LAYER_HOOKS;
2152  if (list_app_layer_frames)
2153  suri->run_mode = RUNMODE_LIST_APP_LAYER_FRAMES;
2154  if (list_keywords)
2155  suri->run_mode = RUNMODE_LIST_KEYWORDS;
2156  if (list_unittests)
2157  suri->run_mode = RUNMODE_LIST_UNITTEST;
2158  if (dump_config)
2159  suri->run_mode = RUNMODE_DUMP_CONFIG;
2160  if (dump_features)
2161  suri->run_mode = RUNMODE_DUMP_FEATURES;
2162  if (conf_test)
2163  suri->run_mode = RUNMODE_CONF_TEST;
2164  if (engine_analysis)
2165  suri->run_mode = RUNMODE_ENGINE_ANALYSIS;
2166 
2167  suri->offline = IsRunModeOffline(suri->run_mode);
2168  g_system = suri->system = IsRunModeSystem(suri->run_mode);
2169 
2170  ret = SetBpfString(optind, argv);
2171  if (ret != TM_ECODE_OK)
2172  return ret;
2173 
2174  return TM_ECODE_OK;
2175 }
2176 
2177 #ifdef OS_WIN32
2178 int WindowsInitService(int argc, char **argv)
2179 {
2180  if (SCRunningAsService()) {
2181  char path[MAX_PATH];
2182  char *p = NULL;
2183  strlcpy(path, argv[0], MAX_PATH);
2184  if ((p = strrchr(path, '\\'))) {
2185  *p = '\0';
2186  }
2187  if (!SetCurrentDirectory(path)) {
2188  SCLogError("Can't set current directory to: %s", path);
2189  return -1;
2190  }
2191  SCLogInfo("Current directory is set to: %s", path);
2192  SCServiceInit(argc, argv);
2193  }
2194 
2195  /* Windows socket subsystem initialization */
2196  WSADATA wsaData;
2197  if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2198  SCLogError("Can't initialize Windows sockets: %d", WSAGetLastError());
2199  return -1;
2200  }
2201 
2202  return 0;
2203 }
2204 #endif /* OS_WIN32 */
2205 
2206 static int MayDaemonize(SCInstance *suri)
2207 {
2208  if (suri->daemon == 1 && suri->pid_filename == NULL) {
2209  const char *pid_filename;
2210 
2211  if (SCConfGet("pid-file", &pid_filename) == 1) {
2212  SCLogInfo("Use pid file %s from config file.", pid_filename);
2213  } else {
2214  pid_filename = DEFAULT_PID_FILENAME;
2215  }
2216  /* The pid file name may be in config memory, but is needed later. */
2217  suri->pid_filename = SCStrdup(pid_filename);
2218  if (suri->pid_filename == NULL) {
2219  SCLogError("strdup failed: %s", strerror(errno));
2220  return TM_ECODE_FAILED;
2221  }
2222  }
2223 
2224  if (suri->pid_filename != NULL && SCPidfileTestRunning(suri->pid_filename) != 0) {
2225  SCFree(suri->pid_filename);
2226  suri->pid_filename = NULL;
2227  return TM_ECODE_FAILED;
2228  }
2229 
2230  if (suri->daemon == 1) {
2231  Daemonize();
2232  }
2233 
2234  if (suri->pid_filename != NULL) {
2235  if (SCPidfileCreate(suri->pid_filename) != 0) {
2236  SCFree(suri->pid_filename);
2237  suri->pid_filename = NULL;
2238  SCLogError("Unable to create PID file, concurrent run of"
2239  " Suricata can occur.");
2240  SCLogError("PID file creation WILL be mandatory for daemon mode"
2241  " in future version");
2242  }
2243  }
2244 
2245  return TM_ECODE_OK;
2246 }
2247 
2248 /* Initialize the user and group Suricata is to run as. */
2249 static int InitRunAs(SCInstance *suri)
2250 {
2251 #ifndef OS_WIN32
2252  /* Try to get user/group to run suricata as if
2253  command line as not decide of that */
2254  if (!suri->do_setuid && !suri->do_setgid) {
2255  const char *id;
2256  if (SCConfGet("run-as.user", &id) == 1) {
2257  suri->do_setuid = true;
2258  suri->user_name = id;
2259  }
2260  if (SCConfGet("run-as.group", &id) == 1) {
2261  suri->do_setgid = true;
2262  suri->group_name = id;
2263  }
2264  }
2265  /* Get the suricata user ID to given user ID */
2266  if (suri->do_setuid) {
2267  SCGetUserID(suri->user_name, suri->group_name, &suri->userid, &suri->groupid);
2268  sc_set_caps = true;
2269  /* Get the suricata group ID to given group ID */
2270  } else if (suri->do_setgid) {
2271  SCGetGroupID(suri->group_name, &suri->groupid);
2272  sc_set_caps = true;
2273  }
2274 #endif
2275  return TM_ECODE_OK;
2276 }
2277 
2278 static int InitSignalHandler(SCInstance *suri)
2279 {
2280  /* registering signals we use */
2281 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2282  UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint);
2283  UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm);
2284 #if HAVE_LIBUNWIND
2285  int enabled;
2286  if (SCConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) {
2287  enabled = 1;
2288  }
2289 
2290  if (enabled) {
2291  SCLogInfo("Preparing unexpected signal handling");
2292  struct sigaction stacktrace_action;
2293  memset(&stacktrace_action, 0, sizeof(stacktrace_action));
2294  stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2295  stacktrace_action.sa_flags = SA_SIGINFO;
2296  sigaction(SIGSEGV, &stacktrace_action, NULL);
2297  sigaction(SIGABRT, &stacktrace_action, NULL);
2298  }
2299 #endif /* HAVE_LIBUNWIND */
2300 #endif
2301 #ifndef OS_WIN32
2302  UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup);
2303  UtilSignalHandlerSetup(SIGPIPE, SIG_IGN);
2304  UtilSignalHandlerSetup(SIGSYS, SIG_IGN);
2305 #endif /* OS_WIN32 */
2306 
2307  return TM_ECODE_OK;
2308 }
2309 
2310 /* initialization code for both the main modes and for
2311  * unix socket mode.
2312  *
2313  * Will be run once per pcap in unix-socket mode */
2314 void PreRunInit(const int runmode)
2315 {
2316  if (runmode == RUNMODE_UNIX_SOCKET)
2317  return;
2318 
2319  StatsInit();
2320 #ifdef PROFILE_RULES
2321  SCProfilingRulesGlobalInit();
2322 #endif
2323 #ifdef PROFILING
2324  SCProfilingKeywordsGlobalInit();
2325  SCProfilingPrefilterGlobalInit();
2326  SCProfilingSghsGlobalInit();
2327 #endif /* PROFILING */
2328 #ifdef PROFILE_RULES
2329  SCProfilingInit();
2330 #endif
2331  DefragInit();
2332  FlowInitConfig(FLOW_QUIET);
2333  IPPairInitConfig(FLOW_QUIET);
2334  StreamTcpInitConfig(STREAM_VERBOSE);
2335  AppLayerParserPostStreamSetup();
2336  AppLayerRegisterGlobalCounters();
2337  OutputFilestoreRegisterGlobalCounters();
2338  ThresholdRegisterGlobalCounters();
2339  HttpRangeContainersInit();
2340 }
2341 
2342 /* tasks we need to run before packets start flowing,
2343  * but after we dropped privs */
2344 void PreRunPostPrivsDropInit(const int runmode)
2345 {
2346  if (runmode == RUNMODE_UNIX_SOCKET) {
2347  return;
2348  }
2349 
2350  StatsSetupPostConfigPreOutput();
2351  RunModeInitializeOutputs();
2352  DatasetsInit();
2353  StatsSetupPostConfigPostOutput();
2354 }
2355 
2356 /** \brief clean up / shutdown code for packet modes
2357  *
2358  * Shuts down packet modes, so regular packet runmodes and the
2359  * per pcap mode in the unix socket. */
2360 void PostRunDeinit(const int runmode, struct timeval *start_time)
2361 {
2362  if (runmode == RUNMODE_UNIX_SOCKET)
2363  return;
2364 
2365  TmThreadsUnsealThreads();
2366 
2367  /* needed by FlowWorkToDoCleanup */
2368  PacketPoolInit();
2369 
2370  /* handle graceful shutdown of the flow engine, it's helper
2371  * threads and the packet threads */
2372  FlowDisableFlowManagerThread();
2373  /* disable capture */
2374  TmThreadDisableReceiveThreads();
2375  /* tell relevant packet threads to enter flow timeout loop */
2376  TmThreadDisablePacketThreads(
2377  THV_REQ_FLOW_LOOP, THV_FLOW_LOOP, (TM_FLAG_RECEIVE_TM | TM_FLAG_FLOWWORKER_TM));
2378  /* run cleanup on the flow hash */
2379  FlowWorkToDoCleanup();
2380  /* gracefully shut down all packet threads */
2381  TmThreadDisablePacketThreads(THV_KILL, THV_RUNNING_DONE, TM_FLAG_PACKET_ALL);
2382  SCPrintElapsedTime(start_time);
2383  FlowDisableFlowRecyclerThread();
2384 
2385  /* kill the stats threads */
2386  TmThreadKillThreadsFamily(TVT_MGMT);
2387  TmThreadClearThreadsFamily(TVT_MGMT);
2388 
2389  /* kill packet threads -- already in 'disabled' state */
2390  TmThreadKillThreadsFamily(TVT_PPT);
2391  TmThreadClearThreadsFamily(TVT_PPT);
2392 
2393  PacketPoolDestroy();
2394 
2395  /* mgt and ppt threads killed, we can run non thread-safe
2396  * shutdown functions */
2397  StatsReleaseResources();
2398  DecodeUnregisterCounters();
2399  RunModeShutDown();
2400  FlowShutdown();
2401  IPPairShutdown();
2402  HostCleanup();
2403  StreamTcpFreeConfig(STREAM_VERBOSE);
2404  DefragDestroy();
2405  HttpRangeContainersDestroy();
2406 #ifdef HAVE_HWLOC
2407  TopologyDestroy();
2408 #endif /* HAVE_HWLOC */
2409 
2410  TmqResetQueues();
2411 #ifdef PROFILING
2412  if (profiling_packets_enabled)
2413  SCProfilingDump();
2414  SCProfilingDestroy();
2415 #endif
2416 }
2417 
2418 int SCStartInternalRunMode(int argc, char **argv)
2419 {
2420  SCInstance *suri = &suricata;
2421  /* Treat internal running mode */
2422  switch (suri->run_mode) {
2423  case RUNMODE_LIST_KEYWORDS:
2424  return ListKeywords(suri->keyword_info);
2425  case RUNMODE_LIST_RULE_PROTOS:
2426  if (suri->conf_filename != NULL) {
2427  return ListRuleProtocols(suri->conf_filename);
2428  } else {
2429  return ListRuleProtocols(DEFAULT_CONF_FILE);
2430  }
2431  case RUNMODE_LIST_APP_LAYERS:
2432  if (suri->conf_filename != NULL) {
2433  return ListAppLayerProtocols(suri->conf_filename);
2434  } else {
2435  return ListAppLayerProtocols(DEFAULT_CONF_FILE);
2436  }
2437  case RUNMODE_LIST_APP_LAYER_HOOKS:
2438  if (suri->conf_filename != NULL) {
2439  return ListAppLayerHooks(suri->conf_filename);
2440  } else {
2441  return ListAppLayerHooks(DEFAULT_CONF_FILE);
2442  }
2443  case RUNMODE_LIST_APP_LAYER_FRAMES:
2444  if (suri->conf_filename != NULL) {
2445  return ListAppLayerFrames(suri->conf_filename);
2446  } else {
2447  return ListAppLayerFrames(DEFAULT_CONF_FILE);
2448  }
2449  case RUNMODE_PRINT_VERSION:
2450  PrintVersion();
2451  return TM_ECODE_DONE;
2452  case RUNMODE_PRINT_BUILDINFO:
2453  PrintBuildInfo();
2454  return TM_ECODE_DONE;
2455  case RUNMODE_PRINT_USAGE:
2456  PrintUsage(argv[0]);
2457  return TM_ECODE_DONE;
2458  case RUNMODE_LIST_RUNMODES:
2459  RunModeListRunmodes();
2460  return TM_ECODE_DONE;
2461  case RUNMODE_LIST_UNITTEST:
2462  RunUnittests(1, suri->regex_arg);
2463  case RUNMODE_UNITTEST:
2464  RunUnittests(0, suri->regex_arg);
2465 #ifdef OS_WIN32
2466  case RUNMODE_INSTALL_SERVICE:
2467  if (SCServiceInstall(argc, argv)) {
2468  return TM_ECODE_FAILED;
2469  }
2470  SCLogInfo("Suricata service has been successfully installed.");
2471  return TM_ECODE_DONE;
2472  case RUNMODE_REMOVE_SERVICE:
2473  if (SCServiceRemove()) {
2474  return TM_ECODE_FAILED;
2475  }
2476  SCLogInfo("Suricata service has been successfully removed.");
2477  return TM_ECODE_DONE;
2478  case RUNMODE_CHANGE_SERVICE_PARAMS:
2479  if (SCServiceChangeParams(argc, argv)) {
2480  return TM_ECODE_FAILED;
2481  }
2482  SCLogInfo("Suricata service startup parameters has been successfully changed.");
2483  return TM_ECODE_DONE;
2484 #endif /* OS_WIN32 */
2485  default:
2486  /* simply continue for other running mode */
2487  break;
2488  }
2489  return TM_ECODE_OK;
2490 }
2491 
2492 int SCFinalizeRunMode(void)
2493 {
2494  SCInstance *suri = &suricata;
2495  switch (suri->run_mode) {
2496  case RUNMODE_UNKNOWN:
2497  PrintUsage(suri->progname);
2498  return TM_ECODE_FAILED;
2499  default:
2500  break;
2501  }
2502 
2503  if (!CheckValidDaemonModes(suri->daemon, suri->run_mode)) {
2504  return TM_ECODE_FAILED;
2505  }
2506 
2507  return TM_ECODE_OK;
2508 }
2509 
2510 static void SetupDelayedDetect(SCInstance *suri)
2511 {
2512  /* In offline mode delayed init of detect is a bad idea */
2513  if (suri->offline) {
2514  suri->delayed_detect = 0;
2515  } else {
2516  if (SCConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
2517  SCConfNode *denode = NULL;
2518  SCConfNode *decnf = SCConfGetNode("detect-engine");
2519  if (decnf != NULL) {
2520  TAILQ_FOREACH(denode, &decnf->head, next) {
2521  if (strcmp(denode->val, "delayed-detect") == 0) {
2522  (void)SCConfGetChildValueBool(
2523  denode, "delayed-detect", &suri->delayed_detect);
2524  }
2525  }
2526  }
2527  }
2528  }
2529 
2530  SCLogConfig("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled");
2531  if (suri->delayed_detect) {
2532  SCLogInfo("Packets will start being processed before signatures are active.");
2533  }
2534 
2535 }
2536 
2537 static int LoadSignatures(DetectEngineCtx *de_ctx, SCInstance *suri)
2538 {
2539  de_ctx->firewall_rule_file_exclusive = suri->firewall_rule_file;
2540 
2541  if (SigLoadSignatures(de_ctx, suri->sig_file, suri->sig_file_exclusive) < 0) {
2542  SCLogError("Loading signatures failed.");
2543  if (de_ctx->failure_fatal)
2544  return TM_ECODE_FAILED;
2545  }
2546 
2547  return TM_ECODE_OK;
2548 }
2549 
2550 static int ConfigGetCaptureValue(SCInstance *suri)
2551 {
2552  /* Pull the max pending packets from the config, if not found fall
2553  * back on a sane default. */
2554  intmax_t tmp_max_pending_packets;
2555  if (SCConfGetInt("max-pending-packets", &tmp_max_pending_packets) != 1)
2556  tmp_max_pending_packets = DEFAULT_MAX_PENDING_PACKETS;
2557  if (tmp_max_pending_packets < 1 || tmp_max_pending_packets > 2147483648) {
2558  SCLogError("Maximum max-pending-packets setting is 2147483648 and must be greater than 0. "
2559  "Please check %s for errors",
2560  suri->conf_filename);
2561  return TM_ECODE_FAILED;
2562  } else {
2563  max_pending_packets = (uint32_t)tmp_max_pending_packets;
2564  }
2565 
2566  SCLogDebug("Max pending packets set to %" PRIu32, max_pending_packets);
2567 
2568  /* Pull the default packet size from the config, if not found fall
2569  * back on a sane default. */
2570  const char *temp_default_packet_size;
2571  if ((SCConfGet("default-packet-size", &temp_default_packet_size)) != 1) {
2572  int lthread;
2573  int nlive;
2574  int strip_trailing_plus = 0;
2575  switch (suri->run_mode) {
2576  case RUNMODE_AFP_DEV:
2577  /* For AF_PACKET we delay setting the
2578  * default-packet-size until we know more about the
2579  * configuration. */
2580  break;
2581 #ifdef WINDIVERT
2582  case RUNMODE_WINDIVERT: {
2583  /* by default, WinDivert collects from all devices */
2584  const int mtu = GetGlobalMTUWin32();
2585 
2586  if (mtu > 0) {
2587  /* SLL_HEADER_LEN is the longest header + 8 for VLAN */
2588  default_packet_size = mtu + SLL_HEADER_LEN + 8;
2589  break;
2590  }
2591  default_packet_size = DEFAULT_PACKET_SIZE;
2592  break;
2593  }
2594 #endif /* WINDIVERT */
2595  case RUNMODE_NETMAP:
2596  /* in netmap igb0+ has a special meaning, however the
2597  * interface really is igb0 */
2598  strip_trailing_plus = 1;
2599  /* fall through */
2600  case RUNMODE_PLUGIN:
2601  case RUNMODE_PCAP_DEV:
2602  case RUNMODE_AFXDP_DEV:
2603  nlive = LiveGetDeviceCount();
2604  for (lthread = 0; lthread < nlive; lthread++) {
2605  const char *live_dev = LiveGetDeviceName(lthread);
2606  char dev[128]; /* need to be able to support GUID names on Windows */
2607  (void)strlcpy(dev, live_dev, sizeof(dev));
2608 
2609  if (strip_trailing_plus) {
2610  size_t len = strlen(dev);
2611  if (len &&
2612  (dev[len-1] == '+' ||
2613  dev[len-1] == '^' ||
2614  dev[len-1] == '*'))
2615  {
2616  dev[len-1] = '\0';
2617  }
2618  }
2619  LiveDevice *ld = LiveGetDevice(dev);
2620  unsigned int iface_max_packet_size = GetIfaceMaxPacketSize(ld);
2621  if (iface_max_packet_size > default_packet_size)
2622  default_packet_size = iface_max_packet_size;
2623  }
2624  if (default_packet_size)
2625  break;
2626  /* fall through */
2627  default:
2628  default_packet_size = DEFAULT_PACKET_SIZE;
2629  }
2630  } else {
2631  if (ParseSizeStringU32(temp_default_packet_size, &default_packet_size) < 0) {
2632  SCLogError("Error parsing max-pending-packets "
2633  "from conf file - %s. Killing engine",
2634  temp_default_packet_size);
2635  return TM_ECODE_FAILED;
2636  }
2637  }
2638 
2639  SCLogDebug("Default packet size set to %"PRIu32, default_packet_size);
2640 
2641  return TM_ECODE_OK;
2642 }
2643 
2644 static void PostRunStartedDetectSetup(const SCInstance *suri)
2645 {
2646 #ifndef OS_WIN32
2647  /* registering signal handlers we use. We setup usr2 here, so that one
2648  * can't call it during the first sig load phase or while threads are still
2649  * starting up. */
2650  if (DetectEngineEnabled() && suri->delayed_detect == 0) {
2651  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2652  UtilSignalUnblock(SIGUSR2);
2653  }
2654 #endif
2655  if (suri->delayed_detect) {
2656  /* force 'reload', this will load the rules and swap engines */
2657  DetectEngineReload(suri);
2658  SCLogNotice("Signature(s) loaded, Detect thread(s) activated.");
2659 #ifndef OS_WIN32
2660  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2661  UtilSignalUnblock(SIGUSR2);
2662 #endif
2663  }
2664 }
2665 
2666 void PostConfLoadedDetectSetup(SCInstance *suri)
2667 {
2668  DetectEngineCtx *de_ctx = NULL;
2669  if (!suri->disabled_detect) {
2670  SetupDelayedDetect(suri);
2671  int mt_enabled = 0;
2672  (void)SCConfGetBool("multi-detect.enabled", &mt_enabled);
2673  int default_tenant = 0;
2674  if (mt_enabled)
2675  (void)SCConfGetBool("multi-detect.default", &default_tenant);
2676  if (DetectEngineMultiTenantSetup(suri->unix_socket_enabled) == -1) {
2677  FatalError("initializing multi-detect "
2678  "detection engine contexts failed.");
2679  }
2680  if (suri->delayed_detect && suri->run_mode != RUNMODE_CONF_TEST) {
2681  de_ctx = DetectEngineCtxInitStubForDD();
2682  } else if (mt_enabled && !default_tenant && suri->run_mode != RUNMODE_CONF_TEST) {
2683  de_ctx = DetectEngineCtxInitStubForMT();
2684  } else {
2685  de_ctx = DetectEngineCtxInit();
2686  }
2687  if (de_ctx == NULL) {
2688  FatalError("initializing detection engine failed.");
2689  }
2690 
2691  if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL) {
2692  if (LoadSignatures(de_ctx, suri) != TM_ECODE_OK)
2693  exit(EXIT_FAILURE);
2694  }
2695 
2696  gettimeofday(&de_ctx->last_reload, NULL);
2697  DetectEngineAddToMaster(de_ctx);
2698  DetectEngineBumpVersion();
2699  DetectEngineMpmCacheService(
2700  DETECT_ENGINE_MPM_CACHE_OP_SAVE | DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
2701  }
2702 }
2703 
2704 static void PostConfLoadedSetupHostMode(void)
2705 {
2706  const char *hostmode = NULL;
2707 
2708  if (SCConfGet("host-mode", &hostmode) == 1) {
2709  if (!strcmp(hostmode, "router")) {
2710  host_mode = SURI_HOST_IS_ROUTER;
2711  } else if (!strcmp(hostmode, "sniffer-only")) {
2712  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2713  } else {
2714  if (strcmp(hostmode, "auto") != 0) {
2715  WarnInvalidConfEntry("host-mode", "%s", "auto");
2716  }
2717  if (EngineModeIsIPS()) {
2718  host_mode = SURI_HOST_IS_ROUTER;
2719  } else {
2720  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2721  }
2722  }
2723  } else {
2724  if (EngineModeIsIPS()) {
2725  host_mode = SURI_HOST_IS_ROUTER;
2726  SCLogInfo("No 'host-mode': suricata is in IPS mode, using "
2727  "default setting 'router'");
2728  } else {
2729  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2730  SCLogInfo("No 'host-mode': suricata is in IDS mode, using "
2731  "default setting 'sniffer-only'");
2732  }
2733  }
2734 }
2735 
2736 static void SetupUserMode(SCInstance *suri)
2737 {
2738  /* apply 'user mode' config updates here */
2739  if (!suri->system) {
2740  if (!suri->set_logdir) {
2741  /* override log dir to current work dir" */
2742  if (ConfigSetLogDirectory((char *)".") != TM_ECODE_OK) {
2743  FatalError("could not set USER mode logdir");
2744  }
2745  }
2746  if (!suri->set_datadir) {
2747  /* override data dir to current work dir" */
2748  if (ConfigSetDataDirectory((char *)".") != TM_ECODE_OK) {
2749  FatalError("could not set USER mode datadir");
2750  }
2751  }
2752  }
2753 }
2754 
2755 /**
2756  * This function is meant to contain code that needs
2757  * to be run once the configuration has been loaded.
2758  */
2759 int PostConfLoadedSetup(SCInstance *suri)
2760 {
2761  int cnf_firewall_enabled = 0;
2762  if (SCConfGetBool("firewall.enabled", &cnf_firewall_enabled) == 1) {
2763  if (cnf_firewall_enabled == 1) {
2764  suri->is_firewall = true;
2765  } else {
2766  if (suri->is_firewall) {
2767  FatalError("firewall mode enabled through commandline, but disabled in config");
2768  }
2769  }
2770  }
2771  if (suri->is_firewall) {
2772  SCLogWarning("firewall mode is EXPERIMENTAL and subject to change");
2773  EngineModeSetFirewall();
2774  }
2775 
2776  /* load the pattern matchers */
2777  MpmTableSetup();
2778  SpmTableSetup();
2779 
2780  int disable_offloading;
2781  if (SCConfGetBool("capture.disable-offloading", &disable_offloading) == 0)
2782  disable_offloading = 1;
2783  if (disable_offloading) {
2784  LiveSetOffloadDisable();
2785  } else {
2786  LiveSetOffloadWarn();
2787  }
2788 
2789  if (suri->checksum_validation == -1) {
2790  const char *cv = NULL;
2791  if (SCConfGet("capture.checksum-validation", &cv) == 1) {
2792  if (strcmp(cv, "none") == 0) {
2793  suri->checksum_validation = 0;
2794  } else if (strcmp(cv, "all") == 0) {
2795  suri->checksum_validation = 1;
2796  }
2797  }
2798  }
2799  switch (suri->checksum_validation) {
2800  case 0:
2801  SCConfSet("stream.checksum-validation", "0");
2802  break;
2803  case 1:
2804  SCConfSet("stream.checksum-validation", "1");
2805  break;
2806  }
2807 
2808  if (suri->runmode_custom_mode) {
2809  SCConfSet("runmode", suri->runmode_custom_mode);
2810  }
2811 
2812  StorageInit();
2813 #ifdef HAVE_PACKET_EBPF
2814  if (suri->run_mode == RUNMODE_AFP_DEV) {
2815  EBPFRegisterExtension();
2816  LiveDevRegisterExtension();
2817  }
2818 #endif
2819  RegisterFlowBypassInfo();
2820 
2821  MacSetRegisterFlowStorage();
2822  FlowRateRegisterFlowStorage();
2823 
2824  SigTableInit();
2825 
2826 #ifdef HAVE_PLUGINS
2827  SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
2828 #endif
2829 
2830  LiveDeviceFinalize(); // must be after EBPF extension registration
2831 
2832  if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
2833  suricata.capture_plugin_name) < 0) {
2834  FatalError("IPS mode setup failed");
2835  }
2836 
2837  if (EngineModeIsUnknown()) { // if still uninitialized, set the default
2838  SCLogInfo("Setting engine mode to IDS mode by default");
2839  EngineModeSetIDS();
2840  }
2841 
2842  SetMasterExceptionPolicy();
2843 
2844  SCConfNode *eps = SCConfGetNode("stats.exception-policy");
2845  if (eps != NULL) {
2846  if (SCConfNodeChildValueIsTrue(eps, "per-app-proto-errors")) {
2847  g_stats_eps_per_app_proto_errors = true;
2848  }
2849  }
2850 
2851  /* Must occur prior to output mod registration
2852  and app layer setup. */
2853  FeatureTrackingRegister();
2854 
2855  AppLayerSetup();
2856 
2857  /* Suricata will use this umask if provided. By default it will use the
2858  umask passed on from the shell. */
2859  const char *custom_umask;
2860  if (SCConfGet("umask", &custom_umask) == 1) {
2861  uint16_t mask;
2862  if (StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2863  umask((mode_t)mask);
2864  }
2865  }
2866 
2867  if (ConfigGetCaptureValue(suri) != TM_ECODE_OK) {
2868  SCReturnInt(TM_ECODE_FAILED);
2869  }
2870 
2871 #ifdef NFQ
2872  if (suri->run_mode == RUNMODE_NFQ)
2873  NFQInitConfig(false);
2874 #endif
2875 
2876  /* Load the Host-OS lookup. */
2877  SCHInfoLoadFromConfig();
2878 
2879  if (suri->run_mode == RUNMODE_ENGINE_ANALYSIS) {
2880  SCLogInfo("== Carrying out Engine Analysis ==");
2881  const char *temp = NULL;
2882  if (SCConfGet("engine-analysis", &temp) == 0) {
2883  SCLogInfo("no engine-analysis parameter(s) defined in conf file. "
2884  "Please define/enable them in the conf to use this "
2885  "feature.");
2886  SCReturnInt(TM_ECODE_FAILED);
2887  }
2888  }
2889 
2890  /* hardcoded initialization code */
2891  SigTableSetup(); /* load the rule keywords */
2892  SigTableApplyStrictCommandLineOption(suri->strict_rule_parsing_string);
2893  TmqhSetup();
2894 
2895  TagInitCtx();
2896  PacketAlertTagInit();
2897  ThresholdInit();
2898  HostBitInitCtx();
2899  IPPairBitInitCtx();
2900 
2901  if (DetectAddressTestConfVars() < 0) {
2902  SCLogError(
2903  "basic address vars test failed. Please check %s for errors", suri->conf_filename);
2904  SCReturnInt(TM_ECODE_FAILED);
2905  }
2906  if (DetectPortTestConfVars() < 0) {
2907  SCLogError("basic port vars test failed. Please check %s for errors", suri->conf_filename);
2908  SCReturnInt(TM_ECODE_FAILED);
2909  }
2910 
2911  RegisterAllModules();
2912  AppLayerHtpNeedFileInspection();
2913 
2914  StorageFinalize();
2915 
2916  TmModuleRunInit();
2917 
2918  if (MayDaemonize(suri) != TM_ECODE_OK)
2919  SCReturnInt(TM_ECODE_FAILED);
2920 
2921  if (suri->install_signal_handlers) {
2922  if (InitSignalHandler(suri) != TM_ECODE_OK)
2923  SCReturnInt(TM_ECODE_FAILED);
2924  }
2925 
2926  /* Check for the existence of the default logging directory which we pick
2927  * from suricata.yaml. If not found, shut the engine down */
2928  suri->log_dir = SCConfigGetLogDirectory();
2929 
2930  if (ConfigCheckLogDirectoryExists(suri->log_dir) != TM_ECODE_OK) {
2931  SCLogError("The logging directory \"%s\" "
2932  "supplied by %s (default-log-dir) doesn't exist. "
2933  "Shutting down the engine",
2934  suri->log_dir, suri->conf_filename);
2935  SCReturnInt(TM_ECODE_FAILED);
2936  }
2937  if (!IsLogDirectoryWritable(suri->log_dir)) {
2938  SCLogError("The logging directory \"%s\" "
2939  "supplied by %s (default-log-dir) is not writable. "
2940  "Shutting down the engine",
2941  suri->log_dir, suri->conf_filename);
2942  SCReturnInt(TM_ECODE_FAILED);
2943  }
2944 
2945  if (suri->disabled_detect) {
2946  SCLogConfig("detection engine disabled");
2947  /* disable raw reassembly */
2948  (void)SCConfSetFinal("stream.reassembly.raw", "false");
2949  }
2950 
2951  HostInitConfig(HOST_VERBOSE);
2952 
2953  CoredumpLoadConfig();
2954 
2955  DecodeGlobalConfig();
2956 
2957  /* hostmode depends on engine mode being set */
2958  PostConfLoadedSetupHostMode();
2959 
2960  PreRunInit(suri->run_mode);
2961 
2962  SCReturnInt(TM_ECODE_OK);
2963 }
2964 
2965 void SuricataMainLoop(void)
2966 {
2967  SCInstance *suri = &suricata;
2968  while(1) {
2969  if (sigterm_count || sigint_count) {
2970  suricata_ctl_flags |= SURICATA_STOP;
2971  }
2972 
2973  if (suricata_ctl_flags & SURICATA_STOP) {
2974  SCLogNotice("Signal Received. Stopping engine.");
2975  break;
2976  }
2977 
2978  TmThreadCheckThreadState();
2979 
2980  if (sighup_count > 0) {
2981  OutputNotifyFileRotation();
2982  sighup_count--;
2983  }
2984 
2985  if (sigusr2_count > 0) {
2986  if (!(DetectEngineReloadIsStart())) {
2987  DetectEngineReloadStart();
2988  DetectEngineReload(suri);
2989  DetectEngineReloadSetIdle();
2990  sigusr2_count--;
2991  }
2992 
2993  } else if (DetectEngineReloadIsStart()) {
2994  DetectEngineReload(suri);
2995  DetectEngineReloadSetIdle();
2996  }
2997 
2998  usleep(10* 1000);
2999  }
3000 }
3001 
3002 /**
3003  * \brief Global initialization common to all runmodes.
3004  *
3005  * This can be used by fuzz targets.
3006  */
3007 
3008 int InitGlobal(void)
3009 {
3010  SC_ATOMIC_INIT(engine_stage);
3011 
3012  /* initialize the logging subsys */
3013  SCLogInitLogModule(NULL);
3014 
3015  SCSetThreadName("Suricata-Main");
3016 
3017  /* Ignore SIGUSR2 as early as possible. We redeclare interest
3018  * once we're done launching threads. The goal is to either die
3019  * completely or handle any and all SIGUSR2s correctly.
3020  */
3021 #ifndef OS_WIN32
3022  UtilSignalHandlerSetup(SIGUSR2, SIG_IGN);
3023  if (UtilSignalBlock(SIGUSR2)) {
3024  SCLogError("SIGUSR2 initialization error");
3025  return EXIT_FAILURE;
3026  }
3027 #endif
3028 
3029  ParseSizeInit();
3030  RunModeRegisterRunModes();
3031 
3032  /* Initialize the configuration module. */
3033  SCConfInit();
3034  DatalinkTableInit();
3035 
3036  VarNameStoreInit();
3037 
3038  // zero all module storage
3039  memset(tmm_modules, 0, TMM_SIZE * sizeof(TmModule));
3040 
3041  return 0;
3042 }
3043 
3044 void SuricataPreInit(const char *progname)
3045 {
3046  SCInstanceInit(&suricata, progname);
3047 
3048  if (InitGlobal() != 0) {
3049  exit(EXIT_FAILURE);
3050  }
3051 }
3052 
3053 void SuricataInit(void)
3054 {
3055  /* Initializations for global vars, queues, etc (memsets, mutex init..) */
3056  GlobalsInitPreConfig();
3057 
3058  if (suricata.run_mode == RUNMODE_DUMP_CONFIG) {
3059  SCConfDump();
3060  exit(EXIT_SUCCESS);
3061  }
3062 
3063  int tracking = 1;
3064  if (SCConfGetBool("vlan.use-for-tracking", &tracking) == 1 && !tracking) {
3065  /* Ignore vlan_ids when comparing flows. */
3066  g_vlan_mask = 0x0000;
3067  }
3068  SCLogDebug("vlan tracking is %s", tracking == 1 ? "enabled" : "disabled");
3069  if (SCConfGetBool("livedev.use-for-tracking", &tracking) == 1 && !tracking) {
3070  /* Ignore livedev id when comparing flows. */
3071  g_livedev_mask = 0x0000;
3072  }
3073  if (SCConfGetBool("decoder.recursion-level.use-for-tracking", &tracking) == 1 && !tracking) {
3074  /* Ignore recursion level when comparing flows. */
3075  g_recurlvl_mask = 0x00;
3076  }
3077  SetupUserMode(&suricata);
3078  InitRunAs(&suricata);
3079 
3080  /* Since our config is now loaded we can finish configuring the
3081  * logging module. */
3082  SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
3083 
3084  LogVersion(&suricata);
3085  UtilCpuPrintSummary();
3086  RunModeInitializeThreadSettings();
3087 
3088  if (suricata.run_mode == RUNMODE_CONF_TEST)
3089  SCLogInfo("Running suricata under test mode");
3090 
3091  if (suricata.verbose) {
3092  SCLogInfo(
3093  "Running with verbose level %s", SCLogLevel2Name(suricata.verbose + SC_LOG_NOTICE));
3094  }
3095 
3096  if (ParseInterfacesList(suricata.aux_run_mode, suricata.pcap_dev) != TM_ECODE_OK) {
3097  exit(EXIT_FAILURE);
3098  }
3099 
3100  if (PostConfLoadedSetup(&suricata) != TM_ECODE_OK) {
3101  exit(EXIT_FAILURE);
3102  }
3103 
3104  SCDropMainThreadCaps(suricata.userid, suricata.groupid);
3105 
3106  /* Re-enable coredumps after privileges are dropped. */
3107  CoredumpEnable();
3108 
3109  if (suricata.run_mode != RUNMODE_UNIX_SOCKET && !suricata.disabled_detect) {
3110  suricata.unix_socket_enabled = ConfUnixSocketIsEnable();
3111  }
3112 
3113  PreRunPostPrivsDropInit(suricata.run_mode);
3114 
3115  SCOnLoggingReady();
3116 
3117  LandlockSandboxing(&suricata);
3118 
3119  PostConfLoadedDetectSetup(&suricata);
3120  if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
3121  goto out;
3122  } else if (suricata.run_mode == RUNMODE_CONF_TEST){
3123  SCLogNotice("Configuration provided was successfully loaded. Exiting.");
3124  goto out;
3125  } else if (suricata.run_mode == RUNMODE_DUMP_FEATURES) {
3126  FeatureDump();
3127  goto out;
3128  }
3129 
3130  if (suricata.run_mode == RUNMODE_DPDK)
3131  prerun_snap = SystemHugepageSnapshotCreate();
3132 
3133  SCSetStartTime(&suricata);
3134  if (suricata.run_mode != RUNMODE_UNIX_SOCKET) {
3135  UnixManagerThreadSpawnNonRunmode(suricata.unix_socket_enabled);
3136  }
3137  RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name,
3138  suricata.capture_plugin_args);
3139  return;
3140 
3141 out:
3142  GlobalsDestroy();
3143  exit(EXIT_SUCCESS);
3144 }
3145 
3146 void SuricataShutdown(void)
3147 {
3148  /* Update the engine stage/status flag */
3149  SC_ATOMIC_SET(engine_stage, SURICATA_DEINIT);
3150 
3151  UnixSocketKillSocketThread();
3152  PostRunDeinit(suricata.run_mode, &suricata.start_time);
3153  /* kill remaining threads */
3154  TmThreadKillThreads();
3155 }
3156 
3157 void SuricataPostInit(void)
3158 {
3159  /* Wait till all the threads have been initialized */
3160  if (TmThreadWaitOnThreadInit() == TM_ECODE_FAILED) {
3161  SystemHugepageSnapshotDestroy(prerun_snap);
3162  FatalError("Engine initialization failed, "
3163  "aborting...");
3164  }
3165 
3166  int limit_nproc = 0;
3167  if (SCConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
3168  limit_nproc = 0;
3169  }
3170 
3171 #if defined(SC_ADDRESS_SANITIZER)
3172  if (limit_nproc) {
3173  SCLogWarning(
3174  "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
3175  limit_nproc = 0;
3176  }
3177 #endif
3178 
3179  if (limit_nproc) {
3180 #if defined(HAVE_SYS_RESOURCE_H)
3181 #ifdef linux
3182  if (geteuid() == 0) {
3183  SCLogWarning("setrlimit has no effect when running as root.");
3184  }
3185 #endif
3186  struct rlimit r = { 0, 0 };
3187  if (setrlimit(RLIMIT_NPROC, &r) != 0) {
3188  SCLogWarning("setrlimit failed to prevent process creation.");
3189  }
3190 #else
3191  SCLogWarning("setrlimit unavailable.");
3192 #endif
3193  }
3194 
3195  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
3196  PacketPoolPostRunmodes();
3197 
3198  /* pledge before allowing threads to continue to avoid an issue with pcap file directory mode,
3199  * see ticket #8300. */
3200  SCPledge();
3201 
3202  /* Un-pause all the paused threads */
3203  TmThreadContinueThreads();
3204 
3205  /* Must ensure all threads are fully operational before continuing with init process */
3206  if (TmThreadWaitOnThreadRunning() != TM_ECODE_OK) {
3207  SystemHugepageSnapshotDestroy(prerun_snap);
3208  exit(EXIT_FAILURE);
3209  }
3210 
3211  /* Print notice and send OS specific notification of threads in running state */
3212  OnNotifyRunning();
3213 
3214  PostRunStartedDetectSetup(&suricata);
3215  if (suricata.run_mode == RUNMODE_DPDK) { // only DPDK uses hpages at the moment
3216  SystemHugepageSnapshot *postrun_snap = SystemHugepageSnapshotCreate();
3217  SystemHugepageEvaluateHugepages(prerun_snap, postrun_snap);
3218  SystemHugepageSnapshotDestroy(prerun_snap);
3219  SystemHugepageSnapshotDestroy(postrun_snap);
3220  }
3221 }
RUNMODE_LIST_APP_LAYERS
@ RUNMODE_LIST_APP_LAYERS
Definition: runmodes.h:47
SCRunMode
enum SCRunModes SCRunMode
RUNMODE_ENGINE_ANALYSIS
@ RUNMODE_ENGINE_ANALYSIS
Definition: runmodes.h:58
util-device-private.h
DefragDestroy
void DefragDestroy(void)
Definition: defrag.c:1129
util-byte.h
SCInstance_::is_firewall
bool is_firewall
Definition: suricata.h:145
TmModuleUnixManagerRegister
void TmModuleUnixManagerRegister(void)
Definition: unix-manager.c:1289
StatsReleaseResources
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition: counters.c:1386
DETECT_ENGINE_MPM_CACHE_OP_PRUNE
#define DETECT_ENGINE_MPM_CACHE_OP_PRUNE
Definition: detect.h:1757
source-nflog.h
TagInitCtx
void TagInitCtx(void)
Definition: detect-engine-tag.c:52
TmModuleReceiveIPFWRegister
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
Definition: source-ipfw.c:151
flow-bypass.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
SuricataMainLoop
void SuricataMainLoop(void)
Definition: suricata.c:2965
ExceptionSimulationCommandLineParser
int ExceptionSimulationCommandLineParser(const char *name, const char *arg)
Definition: util-exception-policy.c:395
SCInstance_::run_mode
enum SCRunModes run_mode
Definition: suricata.h:134
ippair.h
g_livedev_mask
uint16_t g_livedev_mask
Definition: suricata.c:210
SCInstance_::firewall_rule_file
char * firewall_rule_file
Definition: suricata.h:142
RUNMODE_AFXDP_DEV
@ RUNMODE_AFXDP_DEV
Definition: runmodes.h:37
app-layer-htp-range.h
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:579
detect-engine.h
source-pcap.h
SCInstance_::groupid
uint32_t groupid
Definition: suricata.h:156
g_system
bool g_system
Definition: suricata.c:195
TmThreadDisablePacketThreads
void TmThreadDisablePacketThreads(const uint16_t set, const uint16_t check, const uint8_t module_flags)
Disable all packet threads.
Definition: tm-threads.c:1540
win32-syscall.h
SCInstance_::aux_run_mode
enum SCRunModes aux_run_mode
Definition: suricata.h:135
SCInstance_::daemon
int daemon
Definition: suricata.h:167
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SCLogInitLogModule
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
Definition: util-debug.c:1396
SLL_HEADER_LEN
#define SLL_HEADER_LEN
Definition: decode-sll.h:27
SCInstance_::checksum_validation
int checksum_validation
Definition: suricata.h:170
SCEnableDefaultSignalHandlers
void SCEnableDefaultSignalHandlers(void)
Enable default signal handlers.
Definition: suricata.c:293
LiveDeviceListClean
int LiveDeviceListClean(void)
Definition: util-device.c:334
SCInstance_::do_setuid
bool do_setuid
Definition: suricata.h:152
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4696
StorageInit
void StorageInit(void)
Definition: util-storage.c:70
SCInstance_::start_time
struct timeval start_time
Definition: suricata.h:173
IsRunModeOffline
bool IsRunModeOffline(enum SCRunModes run_mode_to_check)
Definition: runmodes.c:557
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
prerun_snap
SystemHugepageSnapshot * prerun_snap
Definition: suricata.c:221
TmThreadContinueThreads
void TmThreadContinueThreads(void)
Unpauses all threads present in tv_root.
Definition: tm-threads.c:1972
RUNMODE_NFLOG
@ RUNMODE_NFLOG
Definition: runmodes.h:32
source-pcap-file.h
SCInstance_::do_setgid
bool do_setgid
Definition: suricata.h:153
CLS
#define CLS
Definition: suricata-common.h:69
SURI_HOST_IS_SNIFFER_ONLY
@ SURI_HOST_IS_SNIFFER_ONLY
Definition: suricata.h:125
stream-tcp.h
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:1054
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:372
runmode-af-packet.h
SCInstance_::group_name
const char * group_name
Definition: suricata.h:151
DetectEngineCtx_::firewall_rule_file_exclusive
const char * firewall_rule_file_exclusive
Definition: detect.h:1145
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
runmode-unittests.h
RUNMODE_UNKNOWN
@ RUNMODE_UNKNOWN
Definition: runmodes.h:28
TmqhSetup
void TmqhSetup(void)
Definition: tm-queuehandlers.c:39
RUNMODE_LIST_APP_LAYER_FRAMES
@ RUNMODE_LIST_APP_LAYER_FRAMES
Definition: runmodes.h:50
SCConfGetRootNode
SCConfNode * SCConfGetRootNode(void)
Get the root configuration node.
Definition: conf.c:223
ENGINE_MODE_FIREWALL
@ ENGINE_MODE_FIREWALL
Definition: suricata.h:111
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2640
LiveDevRegisterExtension
void LiveDevRegisterExtension(void)
Definition: util-device.c:485
OutputTxShutdown
void OutputTxShutdown(void)
Definition: output-tx.c:667
THV_FLOW_LOOP
#define THV_FLOW_LOOP
Definition: threadvars.h:48
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
AppLayerHtpPrintStats
void AppLayerHtpPrintStats(void)
Definition: app-layer-htp.c:2426
util-hugepages.h
StatsSetupPostConfigPreOutput
void StatsSetupPostConfigPreOutput(void)
Definition: counters.c:971
SCInstance_::runmode_custom_mode
char * runmode_custom_mode
Definition: suricata.h:148
util-coredump-config.h
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigTableSetup
void SigTableSetup(void)
Definition: detect-engine-register.c:528
name
const char * name
Definition: detect-engine-proto.c:48
TmModuleReceiveNFQRegister
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:170
DetectEngineMpmCacheService
void DetectEngineMpmCacheService(uint32_t op_flags)
Definition: detect-engine.c:2484
LiveBuildDeviceList
int LiveBuildDeviceList(const char *runmode)
Definition: util-device.c:294
RunModeShutDown
void RunModeShutDown(void)
Definition: runmodes.c:575
SuricataInit
void SuricataInit(void)
Definition: suricata.c:3053
TM_ECODE_DONE
@ TM_ECODE_DONE
Definition: tm-threads-common.h:83
SCProtoNameInit
void SCProtoNameInit(void)
Definition: util-proto-name.c:414
SuricataPostInit
void SuricataPostInit(void)
Definition: suricata.c:3157
ippair-bit.h
RunModeDispatch
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
Definition: runmodes.c:405
util-macset.h
sigint_count
volatile sig_atomic_t sigint_count
Definition: suricata.c:157
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
RUNMODE_NFQ
@ RUNMODE_NFQ
Definition: runmodes.h:31
TmModuleRunDeInit
void TmModuleRunDeInit(void)
Definition: tm-modules.c:119
TmThreadsUnsealThreads
void TmThreadsUnsealThreads(void)
Definition: tm-threads.c:2163
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:240
SCSetThreadName
#define SCSetThreadName(n)
Definition: threads.h:305
SCConfYamlHandleInclude
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
Definition: conf-yaml-loader.c:115
sc_set_caps
bool sc_set_caps
Definition: suricata.c:193
SCLogDeInitLogModule
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
Definition: util-debug.c:1600
LiveDevice_
Definition: util-device-private.h:32
util-pidfile.h
TmModuleDecodeErfFileRegister
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
Definition: source-erf-file.c:98
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
SigTableInit
void SigTableInit(void)
Definition: detect-engine-register.c:516
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:1914
SCInstance_::userid
uint32_t userid
Definition: suricata.h:155
source-windivert-prototypes.h
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:351
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3894
EngineModeIsUnknown
int EngineModeIsUnknown(void)
Definition: suricata.c:234
VarNameStoreInit
void VarNameStoreInit(void)
TmModuleFlowRecyclerRegister
void TmModuleFlowRecyclerRegister(void)
Definition: flow-manager.c:1313
g_skip_prefilter
int g_skip_prefilter
Definition: detect-engine-mpm.c:1121
SCConfNodeChildValueIsTrue
int SCConfNodeChildValueIsTrue(const SCConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:899
Daemonize
void Daemonize(void)
Daemonize the process.
Definition: util-daemon.c:101
UtilSignalHandlerSetup
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
Definition: util-signal.c:60
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:599
TmModuleDecodeWinDivertRegister
void TmModuleDecodeWinDivertRegister(void)
Definition: source-windivert.c:75
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:94
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4720
SCConfGetChildValueBool
int SCConfGetChildValueBool(const SCConfNode *base, const char *name, int *val)
Definition: conf.c:516
TmModuleStatsLoggerRegister
void TmModuleStatsLoggerRegister(void)
Definition: output-stats.c:169
RegisterAllModules
void RegisterAllModules(void)
Definition: suricata.c:961
ENGINE_MODE_IPS
@ ENGINE_MODE_IPS
Definition: suricata.h:110
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:4354
flow-bit.h
SC_LOG_NOTICE
@ SC_LOG_NOTICE
Definition: util-debug.h:40
SupportFastPatternForSigMatchTypes
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
Definition: detect-fast-pattern.c:142
util-var-name.h
SCParseCommandLine
TmEcode SCParseCommandLine(int argc, char **argv)
Definition: suricata.c:1383
SCPledge
#define SCPledge(...)
Definition: util-privs.h:99
CheckValidDaemonModes
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
Definition: util-daemon.c:177
SCGetGroupID
void SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
Definition: util-privs.c:210
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:498
unittests_fatal
int unittests_fatal
Definition: util-unittest.c:52
TmThreadDisableReceiveThreads
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
Definition: tm-threads.c:1388
StatsInit
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
Definition: counters.c:961
util-privs.h
PreRunInit
void PreRunInit(const int runmode)
Definition: suricata.c:2314
SURICATA_DONE
#define SURICATA_DONE
Definition: suricata.h:96
MacSetRegisterFlowStorage
void MacSetRegisterFlowStorage(void)
Definition: util-macset.c:61
EngineModeSetFirewall
void EngineModeSetFirewall(void)
Definition: suricata.c:258
SuricataShutdown
void SuricataShutdown(void)
Definition: suricata.c:3146
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:177
GetIfaceMTU
int GetIfaceMTU(const char *dev)
output the link MTU
Definition: util-ioctl.c:82
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:386
TmModuleReceiveNetmapRegister
void TmModuleReceiveNetmapRegister(void)
Definition: source-netmap.c:75
PacketPoolPostRunmodes
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
Definition: tmqh-packetpool.c:450
NFQInitConfig
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:208
TmModuleReceiveWinDivertRegister
void TmModuleReceiveWinDivertRegister(void)
Definition: source-windivert.c:61
SystemHugepageSnapshot
Definition: util-hugepages.h:44
EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition: suricata.c:239
REVISION
#define REVISION
Definition: suricata-common.h:61
HOST_VERBOSE
#define HOST_VERBOSE
Definition: host.h:92
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
SCProfilingDestroy
void SCProfilingDestroy(void)
Free resources used by profiling.
Definition: util-profiling.c:276
AFPPeersListClean
void AFPPeersListClean(void)
Clean the global peers list.
Definition: source-af-packet.c:581
RunModeInitializeOutputs
void RunModeInitializeOutputs(void)
Definition: runmodes.c:768
DetectPortTestConfVars
int DetectPortTestConfVars(void)
Definition: detect-engine-port.c:1062
SCThresholdConfGlobalInit
void SCThresholdConfGlobalInit(void)
Definition: util-threshold-config.c:102
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:608
SCInstance_::capture_plugin_name
const char * capture_plugin_name
Definition: suricata.h:181
SCConfYamlLoadFile
int SCConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
Definition: conf-yaml-loader.c:489
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
EngineMode
EngineMode
Definition: suricata.h:106
SCInstance_::set_datadir
bool set_datadir
Definition: suricata.h:160
tmqh-packetpool.h
IsRunModeSystem
bool IsRunModeSystem(enum SCRunModes run_mode_to_check)
Definition: runmodes.c:544
g_ut_covered
int g_ut_covered
Definition: suricata.c:959
SCInstance_::capture_plugin_args
const char * capture_plugin_args
Definition: suricata.h:182
g_recurlvl_mask
uint8_t g_recurlvl_mask
Definition: suricata.c:214
ThresholdRegisterGlobalCounters
void ThresholdRegisterGlobalCounters(void)
Definition: detect-engine-threshold.c:130
TmModuleLoggerRegister
void TmModuleLoggerRegister(void)
Definition: output.c:924
host_mode
uint8_t host_mode
Definition: suricata.c:184
FeatureDump
void FeatureDump(void)
Definition: feature.c:139
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:235
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1100
RUNMODE_LIST_APP_LAYER_HOOKS
@ RUNMODE_LIST_APP_LAYER_HOOKS
Definition: runmodes.h:49
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PcapTranslateIPToDevice
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
Definition: source-pcap.c:651
FlowDisableFlowRecyclerThread
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
Definition: flow-manager.c:1241
SCRunmodeSet
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
Definition: suricata.c:288
ParseSizeInit
void ParseSizeInit(void)
Definition: util-misc.c:36
TmModuleDecodePcapFileRegister
void TmModuleDecodePcapFileRegister(void)
Definition: source-pcap-file.c:130
TmModuleBypassedFlowManagerRegister
void TmModuleBypassedFlowManagerRegister(void)
Definition: flow-bypass.c:220
IPPairShutdown
void IPPairShutdown(void)
shutdown the flow engine
Definition: ippair.c:290
source-erf-dag.h
THV_RUNNING_DONE
#define THV_RUNNING_DONE
Definition: threadvars.h:46
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:121
util-signal.h
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:3521
SCConfDump
void SCConfDump(void)
Dump configuration to stdout.
Definition: conf.c:792
TmModuleDecodeNFLOGRegister
void TmModuleDecodeNFLOGRegister(void)
Definition: source-nflog.c:55
NFQParseAndRegisterQueues
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
Definition: source-nfq.c:881
RUNMODE_NETMAP
@ RUNMODE_NETMAP
Definition: runmodes.h:38
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:571
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1083
SURI_HOST_IS_ROUTER
@ SURI_HOST_IS_ROUTER
Definition: suricata.h:126
FeatureTrackingRegister
void FeatureTrackingRegister(void)
Definition: feature.c:147
TmModuleReceiveDPDKRegister
void TmModuleReceiveDPDKRegister(void)
Definition: source-dpdk.c:51
UnixManagerThreadSpawnNonRunmode
void UnixManagerThreadSpawnNonRunmode(const bool unix_socket_enabled)
Definition: unix-manager.c:1283
RunModeInitializeThreadSettings
void RunModeInitializeThreadSettings(void)
Definition: runmodes.c:953
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
ENGINE_MODE_UNKNOWN
@ ENGINE_MODE_UNKNOWN
Definition: suricata.h:107
app-layer-htp.h
util-flow-rate.h
datasets.h
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
Definition: util-ioctl.c:121
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:283
TmModuleDecodeNetmapRegister
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
Definition: source-netmap.c:85
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2344
feature.h
decode.h
SigTableCleanup
void SigTableCleanup(void)
Definition: detect-engine-register.c:476
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4780
sigterm_count
volatile sig_atomic_t sigterm_count
Definition: suricata.c:159
source-nfq.h
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:88
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
TmThreadWaitOnThreadInit
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
Definition: tm-threads.c:2011
SCLogLevel2Name
const char * SCLogLevel2Name(const SCLogLevel lvl)
Definition: util-debug.c:1071
TmModuleVerdictNFQRegister
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:185
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1164
RunModeListRunmodes
void RunModeListRunmodes(void)
Lists all registered runmodes.
Definition: runmodes.c:256
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
util-cpu.h
suricata
SCInstance suricata
Definition: suricata.c:227
SCInstance_::unix_socket_enabled
bool unix_socket_enabled
Definition: suricata.h:161
LiveSetOffloadDisable
void LiveSetOffloadDisable(void)
Definition: util-device.c:77
StatsSetupPostConfigPostOutput
void StatsSetupPostConfigPostOutput(void)
Definition: counters.c:976
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:268
RUNMODE_LIST_KEYWORDS
@ RUNMODE_LIST_KEYWORDS
Definition: runmodes.h:46
SpmTableSetup
void SpmTableSetup(void)
Definition: util-spm.c:131
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:381
RUNMODE_UNITTEST
@ RUNMODE_UNITTEST
Definition: runmodes.h:41
LiveBuildDeviceListCustom
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
Definition: util-device.c:299
util-exception-policy.h
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:268
UnixSocketKillSocketThread
void UnixSocketKillSocketThread(void)
Definition: unix-manager.c:1279
TmModuleVerdictIPFWRegister
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
Definition: source-ipfw.c:172
flow-worker.h
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:415
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:224
HttpRangeContainersInit
void HttpRangeContainersInit(void)
Definition: app-layer-htp-range.c:172
util-reference-config.h
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:1100
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:165
TmModuleVerdictWinDivertRegister
void TmModuleVerdictWinDivertRegister(void)
Definition: source-windivert.c:68
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:934
SCInstance_::progname
const char * progname
Definition: suricata.h:176
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:332
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
FlowDisableFlowManagerThread
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
Definition: flow-manager.c:133
RUNMODE_DAG
@ RUNMODE_DAG
Definition: runmodes.h:35
util-ebpf.h
SCInstance_::pcap_dev
char pcap_dev[128]
Definition: suricata.h:137
detect.h
util-affinity.h
UtilSignalUnblock
int UtilSignalUnblock(int signum)
Definition: util-signal.c:46
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:3861
TmThreadClearThreadsFamily
void TmThreadClearThreadsFamily(int family)
Definition: tm-threads.c:1681
THV_KILL
#define THV_KILL
Definition: threadvars.h:40
THV_REQ_FLOW_LOOP
#define THV_REQ_FLOW_LOOP
Definition: threadvars.h:47
FlowRateRegisterFlowStorage
void FlowRateRegisterFlowStorage(void)
Definition: util-flow-rate.c:60
TmModuleRunInit
void TmModuleRunInit(void)
Definition: tm-modules.c:104
detect-engine-port.h
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:263
SCInstance_::user_name
const char * user_name
Definition: suricata.h:150
HTPAtExitPrintStats
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
Definition: app-layer-htp.c:1582
util-time.h
UtilSignalBlock
int UtilSignalBlock(int signum)
Definition: util-signal.c:29
SCProfilingPrefilterGlobalInit
void SCProfilingPrefilterGlobalInit(void)
Definition: util-profiling-prefilter.c:61
ThresholdDestroy
void ThresholdDestroy(void)
Definition: detect-engine-threshold.c:139
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2759
GetProgramVersion
const char * GetProgramVersion(void)
get string with program version
Definition: suricata.c:1200
engine_analysis
int engine_analysis
app-layer-parser.h
TmModuleReceivePcapFileRegister
void TmModuleReceivePcapFileRegister(void)
Definition: source-pcap-file.c:117
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
runmode-netmap.h
CoredumpLoadConfig
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
Definition: util-coredump-config.c:95
detect-engine-tag.h
IPFWRegisterQueue
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
Definition: source-ipfw.c:700
xstr
#define xstr(s)
Definition: suricata-common.h:307
util-profiling.h
ListAppLayerHooks
int ListAppLayerHooks(const char *conf_filename)
Definition: util-running-modes.c:83
ListAppLayerProtocols
int ListAppLayerProtocols(const char *conf_filename)
Definition: util-running-modes.c:46
SCInstance_::offline
int offline
Definition: suricata.h:168
DatasetsDestroy
void DatasetsDestroy(void)
Definition: datasets.c:774
UtilCpuPrintSummary
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
Definition: util-cpu.c:140
profiling_packets_enabled
int profiling_packets_enabled
Definition: util-profiling.c:94
SystemDNotifyReady
int SystemDNotifyReady(void)
TmThreadKillThreads
void TmThreadKillThreads(void)
Definition: tm-threads.c:1627
OutputDeregisterAll
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
Definition: output.c:657
source-pcap-file-helper.h
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2666
EngineModeIsIDS
int EngineModeIsIDS(void)
Definition: suricata.c:252
RUNMODE_PLUGIN
@ RUNMODE_PLUGIN
Definition: runmodes.h:44
util-systemd.h
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:29
conf-yaml-loader.h
SURICATA_DEINIT
@ SURICATA_DEINIT
Definition: suricata.h:102
decode-sll.h
SCConfigGetLogDirectory
const char * SCConfigGetLogDirectory(void)
Definition: util-conf.c:38
coverage_unittests
int coverage_unittests
Definition: suricata.c:957
DatasetsSave
void DatasetsSave(void)
Definition: datasets.c:852
detect-engine-alert.h
conf.h
util-landlock.h
source-ipfw.h
TMM_SIZE
@ TMM_SIZE
Definition: tm-threads-common.h:76
source-netmap.h
OutputNotifyFileRotation
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
Definition: output.c:734
RUNMODE_WINDIVERT
@ RUNMODE_WINDIVERT
Definition: runmodes.h:43
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:140
VarNameStoreDestroy
void VarNameStoreDestroy(void)
Definition: util-var-name.c:116
SCInstance_::verbose
int verbose
Definition: suricata.h:169
source-lib.h
TmEcode
TmEcode
Definition: tm-threads-common.h:80
source-windivert.h
TmModuleFlowWorkerRegister
void TmModuleFlowWorkerRegister(void)
Definition: flow-worker.c:817
max_pending_packets
uint32_t max_pending_packets
Definition: suricata.c:187
util-plugin.h
SCInstance_::additional_configs
const char ** additional_configs
Definition: suricata.h:178
flow-timeout.h
DEFAULT_PID_FILENAME
#define DEFAULT_PID_FILENAME
Definition: suricata.h:88
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:36
sighup_count
volatile sig_atomic_t sighup_count
Definition: suricata.c:158
ConfigSetDataDirectory
TmEcode ConfigSetDataDirectory(char *name)
Definition: util-conf.c:66
TmModuleDecodeErfDagRegister
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
Definition: source-erf-dag.c:151
SCInstance_::set_logdir
bool set_logdir
Definition: suricata.h:159
SCDropMainThreadCaps
#define SCDropMainThreadCaps(...)
Definition: util-privs.h:90
TmModuleDebugList
void TmModuleDebugList(void)
Definition: tm-modules.c:31
TmModuleDecodeNFQRegister
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:194
util-proto-name.h
STREAM_VERBOSE
#define STREAM_VERBOSE
Definition: stream-tcp.h:35
defrag.h
SCProtoNameRelease
void SCProtoNameRelease(void)
Definition: util-proto-name.c:435
MpmTableSetup
void MpmTableSetup(void)
Definition: util-mpm.c:224
SCInstance_::log_dir
const char * log_dir
Definition: suricata.h:175
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:274
source-nfq-prototypes.h
SCPluginsLoad
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
TmModuleReceiveNFLOGRegister
void TmModuleReceiveNFLOGRegister(void)
Definition: source-nflog.c:49
DEFAULT_PACKET_SIZE
#define DEFAULT_PACKET_SIZE
Definition: decode.h:699
WarnInvalidConfEntry
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
Definition: util-misc.h:35
TM_FLAG_RECEIVE_TM
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:32
util-host-os-info.h
TmModuleReceiveErfFileRegister
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-file.c:80
SCConfSetFromString
int SCConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
Definition: conf.c:265
RUNMODE_PRINT_USAGE
@ RUNMODE_PRINT_USAGE
Definition: runmodes.h:54
SCConfSetFinal
int SCConfSetFinal(const char *name, const char *val)
Set a final configuration value.
Definition: conf.c:319
TmModule_
Definition: tm-modules.h:47
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
TmModuleDecodeAFXDPRegister
void TmModuleDecodeAFXDPRegister(void)
Registration Function for DecodeAFXDP.
Definition: source-af-xdp.c:91
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
tm-queuehandlers.h
SigTableApplyStrictCommandLineOption
void SigTableApplyStrictCommandLineOption(const char *str)
Definition: detect-parse.c:343
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:903
PROG_NAME
#define PROG_NAME
Definition: suricata.h:75
TmThreadKillThreadsFamily
void TmThreadKillThreadsFamily(int family)
Definition: tm-threads.c:1598
detect-fast-pattern.h
FeatureTrackingRelease
void FeatureTrackingRelease(void)
Definition: feature.c:131
TmqhCleanup
void TmqhCleanup(void)
Clean up registration time allocs.
Definition: tm-queuehandlers.c:49
util-dpdk.h
util-conf.h
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:869
source-dpdk.h
flow-manager.h
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:1071
SCInstance_::strict_rule_parsing_string
char * strict_rule_parsing_string
Definition: suricata.h:179
SuriHasSigFile
int SuriHasSigFile(void)
Definition: suricata.c:229
suricata-common.h
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2635
util-path.h
util-daemon.h
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:204
VERBOSE_MAX
#define VERBOSE_MAX
Definition: suricata.c:173
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:715
SCHInfoLoadFromConfig
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
Definition: util-host-os-info.c:281
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:3885
source-af-xdp.h
TmModuleFlowManagerRegister
void TmModuleFlowManagerRegister(void)
Definition: flow-manager.c:1299
SCStartInternalRunMode
int SCStartInternalRunMode(int argc, char **argv)
Definition: suricata.c:2418
SCPidfileTestRunning
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
Definition: util-pidfile.c:105
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:296
DOC_URL
#define DOC_URL
Definition: suricata.h:90
SCFstatFn
#define SCFstatFn(fd, statbuf)
Definition: util-path.h:34
output-filestore.h
LiveSetOffloadWarn
void LiveSetOffloadWarn(void)
Definition: util-device.c:82
ParseSizeDeinit
void ParseSizeDeinit(void)
Definition: util-misc.c:55
util-classification-config.h
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:734
RunModeRegisterRunModes
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
Definition: runmodes.c:231
ListRuleProtocols
int ListRuleProtocols(const char *conf_filename)
Definition: util-running-modes.c:59
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:517
SCProfilingDump
void SCProfilingDump(void)
Definition: util-profiling.c:311
TmModuleReceiveAFXDPRegister
void TmModuleReceiveAFXDPRegister(void)
Definition: source-af-xdp.c:77
EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition: suricata.c:474
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:138
RUNMODE_PRINT_VERSION
@ RUNMODE_PRINT_VERSION
Definition: runmodes.h:52
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:174
TmModuleReceiveErfDagRegister
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-dag.c:133
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:33
util-validate.h
TmModuleDecodeIPFWRegister
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
Definition: source-ipfw.c:188
source-af-packet.h
ConfUnixSocketIsEnable
int ConfUnixSocketIsEnable(void)
Definition: util-conf.c:136
TM_FLAG_PACKET_ALL
#define TM_FLAG_PACKET_ALL
Definition: tm-modules.h:40
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
DETECT_ENGINE_MPM_CACHE_OP_SAVE
#define DETECT_ENGINE_MPM_CACHE_OP_SAVE
Definition: detect.h:1758
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:206
RUNMODE_ERF_FILE
@ RUNMODE_ERF_FILE
Definition: runmodes.h:34
DatasetsInit
int DatasetsInit(void)
Definition: datasets.c:622
RUNMODE_DUMP_CONFIG
@ RUNMODE_DUMP_CONFIG
Definition: runmodes.h:55
sigusr2_count
volatile sig_atomic_t sigusr2_count
Definition: suricata.c:160
SystemHugepageSnapshotDestroy
void SystemHugepageSnapshotDestroy(SystemHugepageSnapshot *s)
Definition: util-hugepages.c:304
TmModuleDecodePcapRegister
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
Definition: source-pcap.c:153
util-running-modes.h
SCLoadYamlConfig
TmEcode SCLoadYamlConfig(void)
Definition: suricata.c:1026
unix-manager.h
runmode-af-xdp.h
str
#define str(s)
Definition: suricata-common.h:308
ConfigCheckDataDirectory
TmEcode ConfigCheckDataDirectory(const char *data_dir)
Definition: util-conf.c:99
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:182
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:190
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:1888
SCFree
#define SCFree(p)
Definition: util-mem.h:61
TopologyDestroy
void TopologyDestroy(void)
DEFAULT_CONF_FILE
#define DEFAULT_CONF_FILE
Definition: suricata.h:84
SC_LOG_MAX_LOG_MSG_LEN
#define SC_LOG_MAX_LOG_MSG_LEN
Definition: util-debug.h:92
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:272
TmModuleReceivePcapRegister
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
Definition: source-pcap.c:135
RUNMODE_DPDK
@ RUNMODE_DPDK
Definition: runmodes.h:39
SCGetUserID
void SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
Definition: util-privs.c:143
util-ioctl.h
detect-parse.h
RUNMODE_PCAP_DEV
@ RUNMODE_PCAP_DEV
Definition: runmodes.h:29
SCInstance_::system
bool system
Definition: suricata.h:158
SCInstance_::pid_filename
char * pid_filename
Definition: suricata.h:140
SCInstance_::install_signal_handlers
bool install_signal_handlers
Definition: suricata.h:163
TmModuleRespondRejectRegister
void TmModuleRespondRejectRegister(void)
Definition: respond-reject.c:50
CoredumpEnable
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
Definition: util-coredump-config.c:62
RunUnittests
void RunUnittests(int list_unittests, const char *regex_arg)
Definition: runmode-unittests.c:239
source-erf-file.h
ConfigCheckLogDirectoryExists
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
Definition: util-conf.c:56
SCConfSet
int SCConfSet(const char *name, const char *val)
Set a configuration value.
Definition: conf.c:240
TimeDeinit
void TimeDeinit(void)
Definition: util-time.c:87
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:47
RunModeEngineIsIPS
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
Definition: runmodes.c:375
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:101
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2645
TVT_MGMT
@ TVT_MGMT
Definition: tm-threads-common.h:89
SCOnLoggingReady
void SCOnLoggingReady(void)
Invokes all registered logging ready callbacks.
Definition: output.c:777
TmModuleDecodeLibRegister
void TmModuleDecodeLibRegister(void)
register a "Decode" module for suricata as a library.
Definition: source-lib.c:107
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:246
ListAppLayerFrames
int ListAppLayerFrames(const char *conf_filename)
Definition: util-running-modes.c:133
SCProfilingKeywordsGlobalInit
void SCProfilingKeywordsGlobalInit(void)
Definition: util-profiling-keywords.c:61
suricata.h
EngineDone
void EngineDone(void)
Used to indicate that the current task is done.
Definition: suricata.c:485
SCInstance_::firewall_rule_file_exclusive
bool firewall_rule_file_exclusive
Definition: suricata.h:143
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
GetDocURL
const char * GetDocURL(void)
Definition: suricata.c:1179
util-mpm-hs.h
PostRunDeinit
void PostRunDeinit(const int runmode, struct timeval *start_time)
clean up / shutdown code for packet modes
Definition: suricata.c:2360
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
TmThreadWaitOnThreadRunning
TmEcode TmThreadWaitOnThreadRunning(void)
Waits for all threads to be in a running state.
Definition: tm-threads.c:1903
HttpRangeContainersDestroy
void HttpRangeContainersDestroy(void)
Definition: app-layer-htp-range.c:205
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:56
SCLogLoadConfig
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
Definition: util-debug.c:1426
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4847
DEFAULT_MAX_PENDING_PACKETS
#define DEFAULT_MAX_PENDING_PACKETS
Definition: suricata.c:170
SCInstance_
Definition: suricata.h:133
DetectEngineClearMaster
void DetectEngineClearMaster(void)
Definition: detect-engine.c:4820
SetMasterExceptionPolicy
void SetMasterExceptionPolicy(void)
Definition: util-exception-policy.c:65
TmThreadCheckThreadState
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
Definition: tm-threads.c:1988
OutputFilestoreRegisterGlobalCounters
void OutputFilestoreRegisterGlobalCounters(void)
Definition: output-filestore.c:537
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:3008
SCInstance_::disabled_detect
int disabled_detect
Definition: suricata.h:166
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:170
SystemHugepageSnapshotCreate
SystemHugepageSnapshot * SystemHugepageSnapshotCreate(void)
The function creates a snapshot of the system's hugepage usage per NUMA node and per hugepage size....
Definition: util-hugepages.c:323
SCProfilingSghsGlobalInit
void SCProfilingSghsGlobalInit(void)
Definition: util-profiling-rulegroups.c:61
RUNMODE_LIST_RULE_PROTOS
@ RUNMODE_LIST_RULE_PROTOS
Definition: runmodes.h:48
SCPidfileCreate
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
Definition: util-pidfile.c:42
LiveRegisterDeviceName
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
Definition: util-device.c:103
SCStatFn
#define SCStatFn(pathname, statbuf)
Definition: util-path.h:35
ENGINE_MODE_IDS
@ ENGINE_MODE_IDS
Definition: suricata.h:108
LiveDeviceFinalize
void LiveDeviceFinalize(void)
Definition: util-device.c:462
TmModuleDecodeDPDKRegister
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
Definition: source-dpdk.c:65
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:139
PROG_VER
#define PROG_VER
Definition: suricata.h:76
util-misc.h
PacketPoolDestroy
void PacketPoolDestroy(void)
Definition: tmqh-packetpool.c:265
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:1595
flow.h
LandlockSandboxing
void LandlockSandboxing(SCInstance *suri)
Definition: util-landlock.c:36
respond-reject.h
SCInstance_::regex_arg
char * regex_arg
Definition: suricata.h:141
ListKeywords
int ListKeywords(const char *keyword_info)
Definition: util-running-modes.c:34
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:250
SuricataPreInit
void SuricataPreInit(const char *progname)
Definition: suricata.c:3044
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
DPDKCleanupEAL
void DPDKCleanupEAL(void)
Definition: util-dpdk.c:30
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-enum.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
RUNMODE_PRINT_BUILDINFO
@ RUNMODE_PRINT_BUILDINFO
Definition: runmodes.h:53
SCConfNode_
Definition: conf.h:37
SCPidfileRemove
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
Definition: util-pidfile.c:83
SCConfNode_::val
char * val
Definition: conf.h:39
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:123
TimeInit
void TimeInit(void)
Definition: util-time.c:79
SCInstance_::keyword_info
char * keyword_info
Definition: suricata.h:147
RUNMODE_LIST_UNITTEST
@ RUNMODE_LIST_UNITTEST
Definition: runmodes.h:57
NFQContextsClean
void NFQContextsClean(void)
Clean global contexts. Must be called on exit.
Definition: source-nfq.c:1303
SystemHugepageEvaluateHugepages
void SystemHugepageEvaluateHugepages(SystemHugepageSnapshot *pre_s, SystemHugepageSnapshot *post_s)
The function compares two hugepage snapshots and prints out recommendations for hugepage configuratio...
Definition: util-hugepages.c:363
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SCFinalizeRunMode
int SCFinalizeRunMode(void)
Definition: suricata.c:2492
SCStat
struct stat SCStat
Definition: util-path.h:33
SCProfilingInit
void SCProfilingInit(void)
Initialize profiling.
Definition: util-profiling.c:133
g_ut_modules
int g_ut_modules
Definition: suricata.c:958
detect-engine-address.h
GlobalsDestroy
void GlobalsDestroy(void)
Definition: suricata.c:394
output.h
util-threshold-config.h
DefragInit
void DefragInit(void)
Definition: defrag.c:1109
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:1902
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:176
RUNMODE_IPFW
@ RUNMODE_IPFW
Definition: runmodes.h:33
host-bit.h
detect-engine-threshold.h
TM_FLAG_FLOWWORKER_TM
#define TM_FLAG_FLOWWORKER_TM
Definition: tm-modules.h:34
RUNMODE_LIST_RUNMODES
@ RUNMODE_LIST_RUNMODES
Definition: runmodes.h:51
app-layer.h
TagDestroyCtx
void TagDestroyCtx(void)
Destroy tag context hash tables.
Definition: detect-engine-tag.c:72
DetectAddressTestConfVars
int DetectAddressTestConfVars(void)
Definition: detect-engine-address.c:1218
g_disable_randomness
int g_disable_randomness
Definition: suricata.c:199
geteuid
#define geteuid()
Definition: win32-misc.h:41
FlowWorkToDoCleanup
void FlowWorkToDoCleanup(void)
Clean up all the flows that have unprocessed segments and have some work to do in the detection engin...
Definition: flow-timeout.c:422
MpmHSGlobalCleanup
void MpmHSGlobalCleanup(void)
RUNMODE_DUMP_FEATURES
@ RUNMODE_DUMP_FEATURES
Definition: runmodes.h:64
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:218
TmqResetQueues
void TmqResetQueues(void)
Definition: tm-queues.c:80