Go to the documentation of this file.
34 #ifdef HAVE_SYS_RESOURCE_H
36 #include <sys/resource.h>
145 #ifdef SYSTEMD_NOTIFY
170 #define DEFAULT_MAX_PENDING_PACKETS 1024
173 #define VERBOSE_MAX (SC_LOG_DEBUG - SC_LOG_NOTICE)
198 #ifndef AFLFUZZ_NO_RANDOM
323 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
324 static void SignalHandlerSigint(
int sig)
328 static void SignalHandlerSigterm(
int sig)
334 #define UNW_LOCAL_ONLY
335 #include <libunwind.h>
336 static void SignalHandlerUnexpected(
int sig_num, siginfo_t *info,
void *context)
341 signal(SIGABRT, SIG_DFL);
342 signal(SIGSEGV, SIG_DFL);
344 if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
345 SCLogError(
"unable to obtain stack trace: unw_init_local: %s", unw_strerror(r));
354 if (unw_is_signal_frame(&cursor) == 0) {
357 if (unw_get_proc_name(&cursor,
name,
sizeof(
name), &off) == UNW_ENOMEM) {
366 r = unw_step(&cursor);
376 kill(getpid(), sig_num);
378 #undef UNW_LOCAL_ONLY
388 static void SignalHandlerSigusr2(
int sig)
398 static void SignalHandlerSigHup(
int sig)
451 #ifdef HAVE_AF_PACKET
459 #ifdef BUILD_HYPERSCAN
480 static void OnNotifyRunning(
void)
482 #ifdef SYSTEMD_NOTIFY
508 static int SetBpfString(
int argc,
char *argv[])
510 char *bpf_filter = NULL;
511 uint32_t bpf_len = 0;
516 while(argv[tmpindex] != NULL) {
517 bpf_len+=strlen(argv[tmpindex]) + 1;
529 while(argv[tmpindex] != NULL) {
530 strlcat(bpf_filter, argv[tmpindex],bpf_len);
531 if(argv[tmpindex + 1] != NULL) {
532 strlcat(bpf_filter,
" ", bpf_len);
537 if(strlen(bpf_filter) > 0) {
549 static void SetBpfStringFromFile(
char *filename)
551 char *bpf_filter = NULL;
552 char *bpf_comment_tmp = NULL;
553 char *bpf_comment_start = NULL;
559 fp = fopen(filename,
"r");
561 SCLogError(
"Failed to open file %s", filename);
566 SCLogError(
"Failed to stat file %s", filename);
570 bpf_len = ((size_t)(st.st_size)) + 1;
574 SCLogError(
"Failed to allocate buffer for bpf filter in file %s", filename);
578 nm = fread(bpf_filter, 1, bpf_len - 1, fp);
579 if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
580 SCLogError(
"Failed to read complete BPF file %s", filename);
587 bpf_filter[nm] =
'\0';
589 if(strlen(bpf_filter) > 0) {
591 bpf_comment_start = bpf_filter;
592 while((bpf_comment_tmp = strchr(bpf_comment_start,
'#')) != NULL) {
593 while((*bpf_comment_tmp !=
'\0') &&
594 (*bpf_comment_tmp !=
'\r') && (*bpf_comment_tmp !=
'\n'))
596 *bpf_comment_tmp++ =
' ';
598 bpf_comment_start = bpf_comment_tmp;
601 while((bpf_comment_tmp = strchr(bpf_filter,
'\r')) != NULL) {
602 *bpf_comment_tmp =
' ';
604 while((bpf_comment_tmp = strchr(bpf_filter,
'\n')) != NULL) {
605 *bpf_comment_tmp =
' ';
608 while (strlen(bpf_filter) > 0 &&
609 bpf_filter[strlen(bpf_filter)-1] ==
' ')
611 bpf_filter[strlen(bpf_filter)-1] =
'\0';
613 if (strlen(bpf_filter) > 0) {
623 static void PrintUsage(
const char *progname)
630 printf(
"USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
632 printf(
"\n General:\n");
633 printf(
"\t-v : be more verbose (use multiple times to "
634 "increase verbosity)\n");
635 printf(
"\t-c <path> : path to configuration file\n");
636 printf(
"\t-l <dir> : default log directory\n");
637 printf(
"\t--include <path> : additional configuration file\n");
638 printf(
"\t--set name=value : set a configuration value\n");
639 printf(
"\t--pidfile <file> : write pid to this file\n");
640 printf(
"\t-T : test configuration file (use with -c)\n");
641 printf(
"\t--init-errors-fatal : enable fatal failure on signature init "
644 printf(
"\t-D : run as daemon\n");
646 printf(
"\t--service-install : install as service\n");
647 printf(
"\t--service-remove : remove service\n");
648 printf(
"\t--service-change-params : change service startup parameters\n");
650 #ifdef HAVE_LIBCAP_NG
651 printf(
"\t--user <user> : run suricata as this user after init\n");
652 printf(
"\t--group <group> : run suricata as this group after init\n");
654 #ifdef BUILD_UNIX_SOCKET
655 printf(
"\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
657 printf(
"\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
658 "\t supplied should be the id for the runmode obtained by running\n"
659 "\t --list-runmodes\n");
660 printf(
"\t--plugin <path> : load plugin in addition to config\n");
662 printf(
"\n Capture and IPS:\n");
664 printf(
"\t-F <bpf filter file> : bpf filter file\n");
665 printf(
"\t-k [all|none] : force checksum check (all) or disabled it "
667 printf(
"\t-i <dev or ip> : run in pcap live mode\n");
668 printf(
"\t--pcap[=<dev>] : run in pcap mode, no value select interfaces "
669 "from suricata.yaml\n");
670 #ifdef HAVE_PCAP_SET_BUFF
671 printf(
"\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
674 printf(
"\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to "
675 "specify a range of queues)\n");
678 printf(
"\t-d <divert port> : run in inline ipfw divert mode\n");
680 #ifdef HAVE_AF_PACKET
681 printf(
"\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
684 printf(
"\t--af-xdp[=<dev>] : run in af-xdp mode, no value select "
685 "interfaces from suricata.yaml\n");
688 printf(
"\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
691 printf(
"\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
692 printf(
"\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
693 printf(
"\t--pfring-cluster-id <id> : pfring cluster id \n");
694 printf(
"\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
697 printf(
"\t--dpdk : run in dpdk mode, uses interfaces from "
701 printf(
"\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
704 printf(
"\t--windivert <filter> : run in inline WinDivert mode\n");
705 printf(
"\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
708 printf(
"\t--reject-dev <dev> : send reject packets from this interface\n");
711 printf(
"\n Capture Files:\n");
712 printf(
"\t-r <path> : run in pcap file/offline mode\n");
713 printf(
"\t--pcap-file-continuous : when running in pcap mode with a directory, "
714 "continue checking directory for pcaps until interrupted\n");
715 printf(
"\t--pcap-file-delete : when running in replay mode (-r with "
716 "directory or file), will delete pcap files that have been processed when done\n");
717 printf(
"\t--pcap-file-recursive : will descend into subdirectories when running "
718 "in replay mode (-r)\n");
719 printf(
"\t--pcap-file-buffer-size : set read buffer size (setvbuf)\n");
720 printf(
"\t--erf-in <path> : process an ERF file\n");
722 printf(
"\n Detection:\n");
723 printf(
"\t-s <path> : path to signature file loaded in addition to "
724 "suricata.yaml settings (optional)\n");
725 printf(
"\t-S <path> : path to signature file loaded exclusively "
727 printf(
"\t--disable-detection : disable detection engine\n");
728 printf(
"\t--engine-analysis : print reports on analysis of different "
729 "sections in the engine and exit.\n"
730 "\t Please have a look at the conf parameter "
731 "engine-analysis on what reports\n"
732 "\t can be printed\n");
734 printf(
"\n Firewall:\n");
735 printf(
"\t--firewall : enable firewall mode\n");
736 printf(
"\t--firewall-rules-exclusive=<path> : path to firewall rule file loaded "
739 printf(
"\n Info:\n");
740 printf(
"\t-V : display Suricata version\n");
741 printf(
"\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
742 printf(
"\t--list-runmodes : list supported runmodes\n");
743 printf(
"\t--list-app-layer-protos : list supported app layer protocols\n");
744 printf(
"\t--list-rule-protos : list supported rule protocols\n");
745 printf(
"\t--list-app-layer-hooks : list supported app layer hooks for use in "
747 printf(
"\t--list-app-layer-frames : list supported app layer frames for use with "
748 "'frame' keyword\n");
749 printf(
"\t--dump-config : show the running configuration\n");
750 printf(
"\t--dump-features : display provided features\n");
751 printf(
"\t--build-info : display build information\n");
753 printf(
"\n Testing:\n");
754 printf(
"\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
756 printf(
"\t-u : run the unittests and exit\n");
757 printf(
"\t-U=REGEX, --unittest-filter=REGEX : filter unittests with a pcre compatible "
759 printf(
"\t--list-unittests : list unit tests\n");
760 printf(
"\t--fatal-unittests : enable fatal failure on unittest error\n");
761 printf(
"\t--unittests-coverage : display unittest coverage report\n");
764 printf(
"\nTo run " PROG_NAME " with default configuration on "
765 "interface eth0 with signature file \"signatures.rules\", run the "
766 "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
770 static void PrintBuildInfo(
void)
775 char features[2048] =
"";
780 strlcat(features,
"DEBUG ",
sizeof(features));
782 #ifdef DEBUG_VALIDATION
783 strlcat(features,
"DEBUG_VALIDATION ",
sizeof(features));
786 strlcat(features,
"QA_SIMULATION ",
sizeof(features));
789 strlcat(features,
"UNITTESTS ",
sizeof(features));
792 strlcat(features,
"NFQ ",
sizeof(features));
795 strlcat(features,
"IPFW ",
sizeof(features));
797 #ifdef HAVE_PCAP_SET_BUFF
798 strlcat(features,
"PCAP_SET_BUFF ",
sizeof(features));
801 strlcat(features,
"PF_RING ",
sizeof(features));
804 strlcat(features,
"NAPATECH ",
sizeof(features));
806 #ifdef HAVE_AF_PACKET
807 strlcat(features,
"AF_PACKET ",
sizeof(features));
810 strlcat(features,
"NETMAP ",
sizeof(features));
812 #ifdef HAVE_PACKET_FANOUT
813 strlcat(features,
"HAVE_PACKET_FANOUT ",
sizeof(features));
816 strlcat(features,
"DAG ",
sizeof(features));
818 #ifdef HAVE_LIBCAP_NG
819 strlcat(features,
"LIBCAP_NG ",
sizeof(features));
822 strlcat(features,
"LIBNET1.1 ",
sizeof(features));
824 strlcat(features,
"HAVE_HTP_URI_NORMALIZE_HOOK ",
sizeof(features));
825 #ifdef PCRE2_HAVE_JIT
826 strlcat(features,
"PCRE_JIT ",
sizeof(features));
829 strlcat(features,
"HAVE_NSS ",
sizeof(features));
831 strlcat(features,
"HTTP2_DECOMPRESSION ",
sizeof(features));
833 strlcat(features,
"HAVE_LUA ",
sizeof(features));
835 strlcat(features,
"HAVE_JA3 ",
sizeof(features));
838 strlcat(features,
"HAVE_JA4 ",
sizeof(features));
840 strlcat(features,
"HAVE_LIBJANSSON ",
sizeof(features));
842 strlcat(features,
"PROFILING ",
sizeof(features));
844 #ifdef HAVE_PACKET_EBPF
845 strlcat(features,
"EBPF ",
sizeof(features));
847 #ifdef PROFILE_LOCKING
848 strlcat(features,
"PROFILE_LOCKING ",
sizeof(features));
850 #ifdef BUILD_UNIX_SOCKET
851 strlcat(features,
"UNIX_SOCKET ",
sizeof(features));
853 #if defined(TLS_C11) || defined(TLS_GNU)
854 strlcat(features,
"TLS ",
sizeof(features));
857 strlcat(features,
"TLS_C11 ",
sizeof(features));
858 #elif defined(TLS_GNU)
859 strlcat(features,
"TLS_GNU ",
sizeof(features));
862 strlcat(features,
"MAGIC ",
sizeof(features));
864 strlcat(features,
"RUST ",
sizeof(features));
865 #if defined(SC_ADDRESS_SANITIZER)
866 strlcat(features,
"ASAN ",
sizeof(features));
868 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
869 strlcat(features,
"FUZZ ",
sizeof(features));
871 #if defined(HAVE_POPCNT64)
872 strlcat(features,
"POPCNT64 ",
sizeof(features));
874 if (strlen(features) == 0) {
875 strlcat(features,
"none",
sizeof(features));
878 printf(
"Features: %s\n", features);
881 memset(features, 0x00,
sizeof(features));
882 #if defined(__SSE4_2__)
883 strlcat(features,
"SSE_4_2 ",
sizeof(features));
885 #if defined(__SSE4_1__)
886 strlcat(features,
"SSE_4_1 ",
sizeof(features));
888 #if defined(__SSE3__)
889 strlcat(features,
"SSE_3 ",
sizeof(features));
891 #if defined(__SSE2__)
892 strlcat(features,
"SSE_2 ",
sizeof(features));
894 if (strlen(features) == 0) {
895 strlcat(features,
"none",
sizeof(features));
897 printf(
"SIMD support: %s\n", features);
900 memset(features, 0x00,
sizeof(features));
901 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
902 strlcat(features,
"1 ",
sizeof(features));
904 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
905 strlcat(features,
"2 ",
sizeof(features));
907 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
908 strlcat(features,
"4 ",
sizeof(features));
910 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
911 strlcat(features,
"8 ",
sizeof(features));
913 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
914 strlcat(features,
"16 ",
sizeof(features));
916 if (strlen(features) == 0) {
917 strlcat(features,
"none",
sizeof(features));
919 strlcat(features,
"byte(s)",
sizeof(features));
921 printf(
"Atomic intrinsics: %s\n", features);
925 #elif __WORDSIZE == 32
928 bits =
"<unknown>-bits";
931 #if __BYTE_ORDER == __BIG_ENDIAN
932 endian =
"Big-endian";
933 #elif __BYTE_ORDER == __LITTLE_ENDIAN
934 endian =
"Little-endian";
936 endian =
"<unknown>-endian";
939 printf(
"%s, %s architecture\n", bits, endian);
941 printf(
"GCC version %s, C version %"PRIiMAX
"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
943 printf(
"C version %"PRIiMAX
"\n", (intmax_t)__STDC_VERSION__);
947 printf(
"compiled with -fstack-protector\n");
950 printf(
"compiled with -fstack-protector-all\n");
959 #if _FORTIFY_SOURCE == 2
960 printf(
"compiled with _FORTIFY_SOURCE=2\n");
961 #elif _FORTIFY_SOURCE == 1
962 printf(
"compiled with _FORTIFY_SOURCE=1\n");
963 #elif _FORTIFY_SOURCE == 0
964 printf(
"compiled with _FORTIFY_SOURCE=0\n");
967 printf(
"L1 cache line size (CLS)=%d\n",
CLS);
970 tls =
"_Thread_local";
971 #elif defined(TLS_GNU)
974 #error "Unsupported thread local"
976 printf(
"thread local storage method: %s\n", tls);
978 printf(
"compiled with %s\n", htp_get_version());
980 #include "build-info.h"
1076 static TmEcode ParseInterfacesList(
const int runmode,
char *pcap_dev)
1082 if (strlen(pcap_dev) == 0) {
1085 SCLogError(
"No interface found in config for pcap");
1092 if (strlen(pcap_dev)) {
1094 SCLogError(
"Failed to set pfring.live-interface");
1101 char iface_selector[] =
"dpdk.interfaces";
1104 SCLogError(
"No interface found in config for %s", iface_selector);
1108 #ifdef HAVE_AF_PACKET
1111 if (strlen(pcap_dev)) {
1113 SCLogError(
"Failed to set af-packet.live-interface");
1119 SCLogError(
"No interface found in config for af-packet");
1127 if (strlen(pcap_dev)) {
1129 SCLogError(
"Failed to set af-xdp.live-interface");
1135 SCLogError(
"No interface found in config for af-xdp");
1143 if (strlen(pcap_dev)) {
1145 SCLogError(
"Failed to set netmap.live-interface");
1151 SCLogError(
"No interface found in config for netmap");
1160 SCLogError(
"No group found in config for nflog");
1169 static void SCInstanceInit(
SCInstance *suri,
const char *progname)
1171 memset(suri, 0x00,
sizeof(*suri));
1198 #if HAVE_DETECT_DISABLED==1
1208 if (strstr(prog_ver,
"RELEASE") != NULL) {
1228 if (strstr(
PROG_VER,
"-dev") == NULL) {
1239 static TmEcode PrintVersion(
void)
1247 const char *mode = suri->
system ?
"SYSTEM" :
"USER";
1248 SCLogNotice(
"This is %s version %s running in %s mode",
1259 static void SCPrintElapsedTime(
struct timeval *start_time)
1261 if (start_time == NULL)
1263 struct timeval end_time;
1264 memset(&end_time, 0,
sizeof(end_time));
1265 gettimeofday(&end_time, NULL);
1266 uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1267 (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1268 SCLogInfo(
"time elapsed %.3fs", (
float)milliseconds/(
float)1000);
1271 static int ParseCommandLineAfpacket(
SCInstance *suri,
const char *in_arg)
1273 #ifdef HAVE_AF_PACKET
1285 SCLogInfo(
"Multiple af-packet option without interface on each is useless");
1289 "has been specified");
1295 SCLogError(
"AF_PACKET not enabled. On Linux "
1296 "host, make sure to pass --enable-af-packet to "
1297 "configure when building.");
1302 static int ParseCommandLineAfxdp(
SCInstance *suri,
const char *in_arg)
1316 SCLogInfo(
"Multiple af-xdp options without interface on each is useless");
1320 "has been specified");
1327 "host, make sure correct libraries are installed,"
1328 " see documentation for information.");
1333 static int ParseCommandLineDpdk(
SCInstance *suri,
const char *in_arg)
1339 SCLogInfo(
"Multiple dpdk options have no effect on Suricata");
1342 "has been specified");
1349 "host, make sure to pass --enable-dpdk to "
1350 "configure when building.");
1355 static int ParseCommandLinePcapLive(
SCInstance *suri,
const char *in_arg)
1357 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1359 FatalError(
"Live capture not available. To support live capture compile against Npcap.");
1363 if (in_arg != NULL) {
1366 if (strlen(in_arg) > 9 && strncmp(in_arg,
"DeviceNPF", 9) == 0) {
1367 snprintf(suri->
pcap_dev,
sizeof(suri->
pcap_dev),
"\\Device\\NPF%s", in_arg+9);
1373 if (strcmp(suri->
pcap_dev, in_arg) != 0) {
1375 }
else if (strlen(suri->
pcap_dev) > 0 && isdigit((
unsigned char)suri->
pcap_dev[0])) {
1376 SCLogError(
"failed to find a pcap device for IP %s", in_arg);
1390 "has been specified");
1400 static bool IsLogDirectoryWritable(
const char*
str)
1402 return access(
str, W_OK) == 0;
1411 static void AddCommandLineOptionValue(
1412 const char ***values,
const char *value,
const char *description)
1414 if (*values == NULL) {
1415 *values =
SCCalloc(2,
sizeof(
char *));
1416 if (*values == NULL) {
1417 FatalError(
"Failed to allocate memory for %s: %s", description, strerror(errno));
1419 (*values)[0] = value;
1421 for (
int i = 0;; i++) {
1422 if ((*values)[i] == NULL) {
1423 const char **new_values =
SCRealloc(*values, (i + 2) *
sizeof(
char *));
1424 if (new_values == NULL) {
1426 "Failed to allocate memory for %s: %s", description, strerror(errno));
1428 *values = new_values;
1429 (*values)[i] = value;
1430 (*values)[i + 1] = NULL;
1444 int dump_config = 0;
1445 int dump_features = 0;
1446 int list_app_layer_protocols = 0;
1447 int list_rule_protocols = 0;
1448 int list_app_layer_hooks = 0;
1449 int list_app_layer_frames = 0;
1450 int list_unittests = 0;
1451 int list_runmodes = 0;
1452 int list_keywords = 0;
1457 int is_firewall = 0;
1466 struct option long_opts[] = {
1468 {
"dump-config", 0, &dump_config, 1},
1469 {
"dump-features", 0, &dump_features, 1},
1470 {
"pfring", optional_argument, 0, 0},
1471 {
"pfring-int", required_argument, 0, 0},
1472 {
"pfring-cluster-id", required_argument, 0, 0},
1473 {
"pfring-cluster-type", required_argument, 0, 0},
1477 {
"af-packet", optional_argument, 0, 0},
1478 {
"af-xdp", optional_argument, 0, 0},
1479 {
"netmap", optional_argument, 0, 0},
1480 {
"pcap", optional_argument, 0, 0},
1481 {
"pcap-file-continuous", 0, 0, 0},
1482 {
"pcap-file-delete", 0, 0, 0},
1483 {
"pcap-file-recursive", 0, 0, 0},
1484 {
"pcap-file-buffer-size", required_argument, 0, 0},
1485 {
"simulate-ips", 0, 0 , 0},
1487 {
"strict-rule-keywords", optional_argument, 0, 0},
1489 {
"plugin", required_argument, 0, 0},
1490 {
"capture-plugin", required_argument, 0, 0},
1491 {
"capture-plugin-args", required_argument, 0, 0},
1493 #ifdef BUILD_UNIX_SOCKET
1494 {
"unix-socket", optional_argument, 0, 0},
1496 {
"pcap-buffer-size", required_argument, 0, 0},
1497 {
"unittest-filter", required_argument, 0,
'U'},
1498 {
"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1499 {
"list-rule-protos", 0, &list_rule_protocols, 1},
1500 {
"list-app-layer-hooks", 0, &list_app_layer_hooks, 1},
1501 {
"list-app-layer-frames", 0, &list_app_layer_frames, 1},
1502 {
"list-unittests", 0, &list_unittests, 1},
1503 {
"list-runmodes", 0, &list_runmodes, 1},
1504 {
"list-keywords", optional_argument, &list_keywords, 1},
1505 {
"runmode", required_argument, NULL, 0},
1508 {
"service-install", 0, 0, 0},
1509 {
"service-remove", 0, 0, 0},
1510 {
"service-change-params", 0, 0, 0},
1512 {
"pidfile", required_argument, 0, 0},
1513 {
"init-errors-fatal", 0, 0, 0},
1514 {
"disable-detection", 0, 0, 0},
1515 {
"disable-hashing", 0, 0, 0},
1516 {
"fatal-unittests", 0, 0, 0},
1518 {
"user", required_argument, 0, 0},
1519 {
"group", required_argument, 0, 0},
1520 {
"erf-in", required_argument, 0, 0},
1521 {
"dag", required_argument, 0, 0},
1522 {
"build-info", 0, &build_info, 1},
1523 {
"data-dir", required_argument, 0, 0},
1525 {
"windivert", required_argument, 0, 0},
1526 {
"windivert-forward", required_argument, 0, 0},
1528 #ifdef HAVE_LIBNET11
1529 {
"reject-dev", required_argument, 0, 0},
1531 {
"set", required_argument, 0, 0},
1533 {
"nflog", optional_argument, 0, 0},
1535 {
"simulate-packet-flow-memcap", required_argument, 0, 0},
1536 {
"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1537 {
"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1538 {
"simulate-packet-loss", required_argument, 0, 0},
1539 {
"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1540 {
"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1541 {
"simulate-packet-defrag-memcap", required_argument, 0, 0},
1542 {
"simulate-alert-queue-realloc-failure", 0, 0, 0},
1546 {
"firewall", 0, &is_firewall, 1 },
1547 {
"firewall-rules-exclusive", required_argument, 0, 0},
1549 {
"include", required_argument, 0, 0},
1556 int option_index = 0;
1558 char short_opts[] =
"c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1560 while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1563 if (strcmp((long_opts[option_index]).
name,
"help") == 0) {
1566 }
else if (strcmp((long_opts[option_index]).
name,
"pfring") == 0 ||
1567 strcmp((long_opts[option_index]).
name,
"pfring-int") == 0) {
1572 if (optarg != NULL) {
1575 ((strlen(optarg) <
sizeof(suri->
pcap_dev)) ?
1576 (strlen(optarg) + 1) :
sizeof(suri->
pcap_dev)));
1581 "to pass --enable-pfring to configure when building.");
1584 }
else if (strcmp((long_opts[option_index]).
name,
"pfring-cluster-id") == 0) {
1587 SCLogError(
"failed to set pfring.cluster-id");
1592 "to pass --enable-pfring to configure when building.");
1595 }
else if (strcmp((long_opts[option_index]).
name,
"pfring-cluster-type") == 0) {
1598 SCLogError(
"failed to set pfring.cluster-type");
1603 "to pass --enable-pfring to configure when building.");
1606 }
else if (strcmp((long_opts[option_index]).
name,
"plugin") == 0) {
1608 }
else if (strcmp((long_opts[option_index]).
name,
"capture-plugin") == 0) {
1611 }
else if (strcmp((long_opts[option_index]).
name,
"capture-plugin-args") == 0) {
1613 }
else if (strcmp((long_opts[option_index]).
name,
"dpdk") == 0) {
1614 if (ParseCommandLineDpdk(suri, optarg) !=
TM_ECODE_OK) {
1617 }
else if (strcmp((long_opts[option_index]).
name,
"af-packet") == 0) {
1618 if (ParseCommandLineAfpacket(suri, optarg) !=
TM_ECODE_OK) {
1621 }
else if (strcmp((long_opts[option_index]).
name,
"af-xdp") == 0) {
1622 if (ParseCommandLineAfxdp(suri, optarg) !=
TM_ECODE_OK) {
1625 }
else if (strcmp((long_opts[option_index]).
name,
"netmap") == 0) {
1633 ((strlen(optarg) <
sizeof(suri->
pcap_dev)) ?
1634 (strlen(optarg) + 1) :
sizeof(suri->
pcap_dev)));
1640 SCLogInfo(
"Multiple netmap option without interface on each is useless");
1645 "has been specified");
1646 PrintUsage(argv[0]);
1653 }
else if (strcmp((long_opts[option_index]).
name,
"nflog") == 0) {
1663 }
else if (strcmp((long_opts[option_index]).
name,
"pcap") == 0) {
1664 if (ParseCommandLinePcapLive(suri, optarg) !=
TM_ECODE_OK) {
1667 }
else if (strcmp((long_opts[option_index]).
name,
"simulate-ips") == 0) {
1670 }
else if (strcmp((long_opts[option_index]).
name,
"init-errors-fatal") == 0) {
1672 SCLogError(
"failed to set engine init-failure-fatal");
1675 #ifdef BUILD_UNIX_SOCKET
1676 }
else if (strcmp((long_opts[option_index]).
name ,
"unix-socket") == 0) {
1681 SCLogError(
"failed to set unix-command.filename");
1687 "has been specified");
1688 PrintUsage(argv[0]);
1693 else if(strcmp((long_opts[option_index]).
name,
"list-app-layer-protocols") == 0) {
1695 }
else if (strcmp((long_opts[option_index]).
name,
"list-app-layer-hooks") == 0) {
1697 }
else if (strcmp((long_opts[option_index]).
name,
"list-unittests") == 0) {
1701 SCLogError(
"unit tests not enabled. Make sure to pass --enable-unittests to "
1702 "configure when building");
1705 }
else if (strcmp((long_opts[option_index]).
name,
"list-runmodes") == 0) {
1708 }
else if (strcmp((long_opts[option_index]).
name,
"list-keywords") == 0) {
1710 if (strcmp(
"short", optarg) != 0) {
1714 }
else if (strcmp((long_opts[option_index]).
name,
"runmode") == 0) {
1716 }
else if (strcmp((long_opts[option_index]).
name,
"engine-analysis") == 0) {
1720 else if (strcmp((long_opts[option_index]).
name,
"service-install") == 0) {
1721 suri->
run_mode = RUNMODE_INSTALL_SERVICE;
1723 }
else if (strcmp((long_opts[option_index]).
name,
"service-remove") == 0) {
1724 suri->
run_mode = RUNMODE_REMOVE_SERVICE;
1726 }
else if (strcmp((long_opts[option_index]).
name,
"service-change-params") == 0) {
1727 suri->
run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1731 else if (strcmp((long_opts[option_index]).
name,
"pidfile") == 0) {
1734 SCLogError(
"strdup failed: %s", strerror(errno));
1737 }
else if (strcmp((long_opts[option_index]).
name,
"disable-detection") == 0) {
1739 }
else if (strcmp((long_opts[option_index]).
name,
"disable-hashing") == 0) {
1743 }
else if (strcmp((long_opts[option_index]).
name,
"fatal-unittests") == 0) {
1747 SCLogError(
"unit tests not enabled. Make sure to pass --enable-unittests to "
1748 "configure when building");
1751 }
else if (strcmp((long_opts[option_index]).
name,
"user") == 0) {
1752 #ifndef HAVE_LIBCAP_NG
1754 " drop privileges, but it was not compiled into Suricata.");
1760 }
else if (strcmp((long_opts[option_index]).
name,
"group") == 0) {
1761 #ifndef HAVE_LIBCAP_NG
1763 " drop privileges, but it was not compiled into Suricata.");
1769 }
else if (strcmp((long_opts[option_index]).
name,
"erf-in") == 0) {
1775 }
else if (strcmp((long_opts[option_index]).
name,
"dag") == 0) {
1781 SCLogError(
"more than one run mode has been specified");
1782 PrintUsage(argv[0]);
1787 SCLogError(
"libdag and a DAG card are required"
1788 " to receive packets using --dag.");
1791 }
else if (strcmp((long_opts[option_index]).
name,
"napatech") == 0) {
1792 #ifdef HAVE_NAPATECH
1795 SCLogError(
"libntapi and a Napatech adapter are required"
1796 " to capture packets using --napatech.");
1799 }
else if (strcmp((long_opts[option_index]).
name,
"pcap-buffer-size") == 0) {
1800 #ifdef HAVE_PCAP_SET_BUFF
1802 SCLogError(
"failed to set pcap-buffer-size");
1807 " doesn't support setting buffer size.");
1809 }
else if (strcmp((long_opts[option_index]).
name,
"build-info") == 0) {
1812 }
else if (strcmp((long_opts[option_index]).
name,
"windivert-forward") == 0) {
1816 if (WinDivertRegisterQueue(
true, optarg) == -1) {
1820 if (WinDivertRegisterQueue(
true, optarg) == -1) {
1825 "has been specified");
1826 PrintUsage(argv[0]);
1830 else if(strcmp((long_opts[option_index]).
name,
"windivert") == 0) {
1833 if (WinDivertRegisterQueue(
false, optarg) == -1) {
1837 if (WinDivertRegisterQueue(
false, optarg) == -1) {
1842 "has been specified");
1843 PrintUsage(argv[0]);
1847 SCLogError(
"WinDivert not enabled. Make sure to pass --enable-windivert to "
1848 "configure when building.");
1851 }
else if(strcmp((long_opts[option_index]).
name,
"reject-dev") == 0) {
1852 #ifdef HAVE_LIBNET11
1854 extern char *g_reject_dev;
1855 extern uint16_t g_reject_dev_mtu;
1856 g_reject_dev = optarg;
1859 g_reject_dev_mtu = (uint16_t)mtu;
1862 SCLogError(
"Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1866 else if (strcmp((long_opts[option_index]).
name,
"set") == 0) {
1867 if (optarg != NULL) {
1869 char *val = strchr(optarg,
'=');
1871 FatalError(
"Invalid argument for --set, must be key=val.");
1874 FatalError(
"failed to set configuration value %s", optarg);
1878 else if (strcmp((long_opts[option_index]).
name,
"pcap-file-continuous") == 0) {
1880 SCLogError(
"Failed to set pcap-file.continuous");
1884 else if (strcmp((long_opts[option_index]).
name,
"pcap-file-delete") == 0) {
1886 SCLogError(
"Failed to set pcap-file.delete-when-done");
1890 else if (strcmp((long_opts[option_index]).
name,
"pcap-file-recursive") == 0) {
1892 SCLogError(
"failed to set pcap-file.recursive");
1895 }
else if (strcmp((long_opts[option_index]).
name,
"pcap-file-buffer-size") == 0) {
1897 SCLogError(
"failed to set pcap-file.buffer-size");
1900 }
else if (strcmp((long_opts[option_index]).
name,
"data-dir") == 0) {
1901 if (optarg == NULL) {
1902 SCLogError(
"no option argument (optarg) for -d");
1912 " supplied at the command-line (-d %s) doesn't "
1913 "exist. Shutting down the engine.",
1918 }
else if (strcmp((long_opts[option_index]).
name,
"strict-rule-keywords") == 0) {
1919 if (optarg == NULL) {
1925 FatalError(
"failed to duplicate 'strict' string");
1927 }
else if (strcmp((long_opts[option_index]).
name,
"include") == 0) {
1928 AddCommandLineOptionValue(
1930 }
else if (strcmp((long_opts[option_index]).
name,
"firewall-rules-exclusive") == 0) {
1932 SCLogError(
"can't have multiple --firewall-rules-exclusive options");
1940 (long_opts[option_index]).
name, optarg);
1951 SCLogError(
"failed to set engine init-failure-fatal");
1964 if (optarg == NULL) {
1965 SCLogError(
"no option argument (optarg) for -i");
1968 #ifdef HAVE_AF_PACKET
1969 if (ParseCommandLineAfpacket(suri, optarg) !=
TM_ECODE_OK) {
1974 #if defined HAVE_NETMAP
1980 "option%s %s available:"
1982 " NETMAP (--netmap=%s)"
1984 ". Use --pcap=%s to suppress this warning",
1985 i == 1 ?
"" :
"s", i == 1 ?
"is" :
"are"
1993 if (ParseCommandLinePcapLive(suri, optarg) !=
TM_ECODE_OK) {
1999 if (optarg == NULL) {
2000 SCLogError(
"no option argument (optarg) for -l");
2010 " supplied at the command-line (-l %s) doesn't "
2011 "exist. Shutting down the engine.",
2015 if (!IsLogDirectoryWritable(optarg)) {
2017 " supplied at the command-line (-l %s) is not "
2018 "writable. Shutting down the engine.",
2037 "has been specified");
2038 PrintUsage(argv[0]);
2042 SCLogError(
"NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when "
2059 "has been specified");
2060 PrintUsage(argv[0]);
2064 SCLogError(
"IPFW not enabled. Make sure to pass --enable-ipfw to configure when "
2075 "has been specified");
2076 PrintUsage(argv[0]);
2081 SCLogError(
"pcap file '%s': %s", optarg, strerror(errno));
2085 SCLogError(
"ERROR: Failed to set pcap-file.file\n");
2092 SCLogError(
"can't have multiple -s options or mix -s and -S.");
2099 SCLogError(
"can't have multiple -S options or mix -s and -S.");
2112 PrintUsage(argv[0]);
2116 SCLogError(
"unit tests not enabled. Make sure to pass --enable-unittests to configure "
2133 if (optarg == NULL) {
2134 SCLogError(
"no option argument (optarg) for -F");
2138 SetBpfStringFromFile(optarg);
2141 static bool ignore_extra =
false;
2144 else if (!ignore_extra) {
2145 SCLogNotice(
"extraneous verbose option(s) ignored");
2146 ignore_extra =
true;
2150 if (optarg == NULL) {
2151 SCLogError(
"no option argument (optarg) for -k");
2154 if (!strcmp(
"all", optarg))
2156 else if (!strcmp(
"none", optarg))
2159 SCLogError(
"option '%s' invalid for -k", optarg);
2164 PrintUsage(argv[0]);
2174 SCLogError(
"can't use -s/-S or --firewall-rules-exclusive when detection is disabled");
2181 if (list_app_layer_protocols)
2183 if (list_rule_protocols)
2185 if (list_app_layer_hooks)
2187 if (list_app_layer_frames)
2205 ret = SetBpfString(optind, argv);
2213 int WindowsInitService(
int argc,
char **argv)
2215 if (SCRunningAsService()) {
2216 char path[MAX_PATH];
2218 strlcpy(path, argv[0], MAX_PATH);
2219 if ((
p = strrchr(path,
'\\'))) {
2222 if (!SetCurrentDirectory(path)) {
2223 SCLogError(
"Can't set current directory to: %s", path);
2226 SCLogInfo(
"Current directory is set to: %s", path);
2227 SCServiceInit(argc, argv);
2232 if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2233 SCLogError(
"Can't initialize Windows sockets: %d", WSAGetLastError());
2244 const char *pid_filename;
2247 SCLogInfo(
"Use pid file %s from config file.", pid_filename);
2254 SCLogError(
"strdup failed: %s", strerror(errno));
2273 SCLogError(
"Unable to create PID file, concurrent run of"
2274 " Suricata can occur.");
2275 SCLogError(
"PID file creation WILL be mandatory for daemon mode"
2276 " in future version");
2291 if (
SCConfGet(
"run-as.user", &
id) == 1) {
2295 if (
SCConfGet(
"run-as.group", &
id) == 1) {
2313 static int InitSignalHandler(
SCInstance *suri)
2316 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2321 if (
SCConfGetBool(
"logging.stacktrace-on-signal", &enabled) == 0) {
2326 SCLogInfo(
"Preparing unexpected signal handling");
2327 struct sigaction stacktrace_action;
2328 memset(&stacktrace_action, 0,
sizeof(stacktrace_action));
2329 stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2330 stacktrace_action.sa_flags = SA_SIGINFO;
2331 sigaction(SIGSEGV, &stacktrace_action, NULL);
2332 sigaction(SIGABRT, &stacktrace_action, NULL);
2355 #ifdef PROFILE_RULES
2356 SCProfilingRulesGlobalInit();
2363 #ifdef PROFILE_RULES
2417 SCPrintElapsedTime(start_time);
2491 PrintUsage(argv[0]);
2501 case RUNMODE_INSTALL_SERVICE:
2502 if (SCServiceInstall(argc, argv)) {
2505 SCLogInfo(
"Suricata service has been successfully installed.");
2507 case RUNMODE_REMOVE_SERVICE:
2508 if (SCServiceRemove()) {
2511 SCLogInfo(
"Suricata service has been successfully removed.");
2513 case RUNMODE_CHANGE_SERVICE_PARAMS:
2514 if (SCServiceChangeParams(argc, argv)) {
2517 SCLogInfo(
"Suricata service startup parameters has been successfully changed.");
2534 SCLogError(
"Please specify a runmode or capture option. "
2535 "Use --list-runmodes to see available runmodes.");
2550 static void SetupDelayedDetect(
SCInstance *suri)
2559 if (decnf != NULL) {
2561 if (strcmp(denode->
val,
"delayed-detect") == 0) {
2572 SCLogInfo(
"Packets will start being processed before signatures are active.");
2590 static int ConfigGetCaptureValue(
SCInstance *suri)
2594 intmax_t tmp_max_pending_packets;
2595 if (
SCConfGetInt(
"max-pending-packets", &tmp_max_pending_packets) != 1)
2597 if (tmp_max_pending_packets < 1 || tmp_max_pending_packets > 2147483648) {
2598 SCLogError(
"Maximum max-pending-packets setting is 2147483648 and must be greater than 0. "
2599 "Please check %s for errors",
2610 const char *temp_default_packet_size;
2611 if ((
SCConfGetNonNull(
"default-packet-size", &temp_default_packet_size)) != 1) {
2614 int strip_trailing_plus = 0;
2624 const int mtu = GetGlobalMTUWin32();
2638 strip_trailing_plus = 1;
2644 for (lthread = 0; lthread < nlive; lthread++) {
2647 (void)
strlcpy(dev, live_dev,
sizeof(dev));
2649 if (strip_trailing_plus) {
2650 size_t len = strlen(dev);
2652 (dev[
len-1] ==
'+' ||
2653 dev[
len-1] ==
'^' ||
2672 SCLogError(
"Error parsing max-pending-packets "
2673 "from conf file - %s. Killing engine",
2674 temp_default_packet_size);
2684 static void PostRunStartedDetectSetup(
const SCInstance *suri)
2698 SCLogNotice(
"Signature(s) loaded, Detect thread(s) activated.");
2710 SetupDelayedDetect(suri);
2713 int default_tenant = 0;
2715 (void)
SCConfGetBool(
"multi-detect.default", &default_tenant);
2718 "detection engine contexts failed.");
2728 FatalError(
"initializing detection engine failed.");
2744 static void PostConfLoadedSetupHostMode(
void)
2746 const char *hostmode = NULL;
2749 if (!strcmp(hostmode,
"router")) {
2751 }
else if (!strcmp(hostmode,
"bridge")) {
2753 }
else if (!strcmp(hostmode,
"sniffer-only")) {
2756 if (strcmp(hostmode,
"auto") != 0) {
2777 SCLogInfo(
"No 'host-mode': suricata is in IPS mode, using "
2778 "default setting 'router'");
2782 SCLogInfo(
"No 'host-mode': suricata is in IDS mode, using "
2783 "default setting 'sniffer-only'");
2795 FatalError(
"could not set USER mode logdir");
2801 FatalError(
"could not set USER mode datadir");
2813 int cnf_firewall_enabled = 0;
2814 if (
SCConfGetBool(
"firewall.enabled", &cnf_firewall_enabled) == 1) {
2815 if (cnf_firewall_enabled == 1) {
2819 FatalError(
"firewall mode enabled through commandline, but disabled in config");
2824 SCLogWarning(
"firewall mode is EXPERIMENTAL and subject to change");
2832 int disable_offloading;
2833 if (
SCConfGetBool(
"capture.disable-offloading", &disable_offloading) == 0)
2834 disable_offloading = 1;
2835 if (disable_offloading) {
2842 const char *cv = NULL;
2844 if (strcmp(cv,
"none") == 0) {
2846 }
else if (strcmp(cv,
"all") == 0) {
2853 SCConfSet(
"stream.checksum-validation",
"0");
2856 SCConfSet(
"stream.checksum-validation",
"1");
2865 #ifdef HAVE_PACKET_EBPF
2867 EBPFRegisterExtension();
2890 SCLogInfo(
"Setting engine mode to IDS mode by default");
2911 const char *custom_umask;
2914 if (
StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2915 umask((mode_t)mask);
2932 SCLogInfo(
"== Carrying out Engine Analysis ==");
2933 const char *temp = NULL;
2934 if (
SCConfGet(
"engine-analysis", &temp) == 0) {
2935 SCLogInfo(
"no engine-analysis parameter(s) defined in conf file. "
2936 "Please define/enable them in the conf to use this "
2955 "basic address vars test failed. Please check %s for errors", suri->
conf_filename);
2984 "supplied by %s (default-log-dir) doesn't exist. "
2985 "Shutting down the engine",
2989 if (!IsLogDirectoryWritable(suri->
log_dir)) {
2991 "supplied by %s (default-log-dir) is not writable. "
2992 "Shutting down the engine",
3010 PostConfLoadedSetupHostMode();
3077 return EXIT_FAILURE;
3100 SCInstanceInit(&
suricata, progname);
3118 if (
SCConfGetBool(
"vlan.use-for-tracking", &tracking) == 1 && !tracking) {
3122 SCLogDebug(
"vlan tracking is %s", tracking == 1 ?
"enabled" :
"disabled");
3123 if (
SCConfGetBool(
"livedev.use-for-tracking", &tracking) == 1 && !tracking) {
3127 if (
SCConfGetBool(
"decoder.recursion-level.use-for-tracking", &tracking) == 1 && !tracking) {
3143 SCLogInfo(
"Running suricata under test mode");
3177 SCLogNotice(
"Configuration provided was successfully loaded. Exiting.");
3220 int limit_nproc = 0;
3221 if (
SCConfGetBool(
"security.limit-noproc", &limit_nproc) == 0) {
3225 #if defined(SC_ADDRESS_SANITIZER)
3228 "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
3234 #if defined(HAVE_SYS_RESOURCE_H) && defined(RLIMIT_NPROC)
3237 SCLogWarning(
"setrlimit has no effect when running as root.");
3240 struct rlimit r = { 0, 0 };
3241 if (setrlimit(RLIMIT_NPROC, &r) != 0) {
3242 SCLogWarning(
"setrlimit failed to prevent process creation.");
3268 PostRunStartedDetectSetup(&
suricata);
@ RUNMODE_LIST_APP_LAYERS
enum SCRunModes SCRunMode
@ RUNMODE_ENGINE_ANALYSIS
void TmModuleUnixManagerRegister(void)
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
#define DETECT_ENGINE_MPM_CACHE_OP_PRUNE
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
void SuricataMainLoop(void)
int ExceptionSimulationCommandLineParser(const char *name, const char *arg)
char * firewall_rule_file
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
void TmThreadDisablePacketThreads(const uint16_t set, const uint16_t check, const uint8_t module_flags)
Disable all packet threads.
enum SCRunModes aux_run_mode
void IPPairInitConfig(bool quiet)
initialize the configuration
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
void EngineModeSetIPS(const enum EngineHostMode mode)
void SCEnableDefaultSignalHandlers(void)
Enable default signal handlers.
int LiveDeviceListClean(void)
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
struct timeval start_time
bool IsRunModeOffline(enum SCRunModes run_mode_to_check)
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
SystemHugepageSnapshot * prerun_snap
void TmThreadContinueThreads(void)
Unpauses all threads present in tv_root.
enum DetectEngineType type
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
const char * firewall_rule_file_exclusive
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
@ RUNMODE_LIST_APP_LAYER_FRAMES
SCConfNode * SCConfGetRootNode(void)
Get the root configuration node.
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
void LiveDevRegisterExtension(void)
void OutputTxShutdown(void)
void AppLayerHtpPrintStats(void)
void StatsSetupPostConfigPreOutput(void)
char * runmode_custom_mode
struct HtpBodyChunk_ * next
void TmModuleReceiveNFQRegister(void)
void DetectEngineMpmCacheService(uint32_t op_flags)
int LiveBuildDeviceList(const char *runmode)
void RunModeShutDown(void)
void SCProtoNameInit(void)
void SuricataPostInit(void)
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
volatile sig_atomic_t sigint_count
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
void TmModuleRunDeInit(void)
void TmThreadsUnsealThreads(void)
void RegisterFlowBypassInfo(void)
#define SCSetThreadName(n)
int SCConfYamlHandleInclude(SCConfNode *parent, const char *filename)
Include a file in the configuration.
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineReloadSetIdle(void)
void DatalinkTableDeinit(void)
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
DetectEngineCtx * DetectEngineGetCurrent(void)
int EngineModeIsUnknown(void)
void VarNameStoreInit(void)
void TmModuleFlowRecyclerRegister(void)
int SCConfNodeChildValueIsTrue(const SCConfNode *node, const char *key)
Test if a configuration node has a true value.
void DatalinkTableInit(void)
void Daemonize(void)
Daemonize the process.
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
#define TAILQ_FOREACH(var, head, field)
void EngineModeSetFirewall(const enum EngineHostMode mode)
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
void TmModuleDecodeWinDivertRegister(void)
void UtilCpuEnableSparcMisalignEmulation(void)
Handle memory access miss align on SPARC processors.
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
int SCConfGetChildValueBool(const SCConfNode *base, const char *name, int *val)
void TmModuleStatsLoggerRegister(void)
void RegisterAllModules(void)
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
bool EngineHostModeIsSniffer(void)
TmEcode SCParseCommandLine(int argc, char **argv)
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
void SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
enum EngineHostMode g_engine_host_mode
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
void PreRunInit(const int runmode)
void MacSetRegisterFlowStorage(void)
void SuricataShutdown(void)
const char * conf_filename
int GetIfaceMTU(const char *dev)
output the link MTU
void GlobalsInitPreConfig(void)
void TmModuleReceiveNetmapRegister(void)
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
void TmModuleReceiveWinDivertRegister(void)
bool EngineModeIsFirewall(void)
void SCProfilingDestroy(void)
Free resources used by profiling.
void AFPPeersListClean(void)
Clean the global peers list.
void RunModeInitializeOutputs(void)
int DetectPortTestConfVars(void)
void SCThresholdConfGlobalInit(void)
void DecodeUnregisterCounters(void)
const char * capture_plugin_name
int SCConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
void HostBitInitCtx(void)
bool IsRunModeSystem(enum SCRunModes run_mode_to_check)
const char * capture_plugin_args
void ThresholdRegisterGlobalCounters(void)
void TmModuleLoggerRegister(void)
void PacketPoolInit(void)
int AppLayerDeSetup(void)
De initializes the app layer.
@ RUNMODE_LIST_APP_LAYER_HOOKS
size_t strlcpy(char *dst, const char *src, size_t siz)
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
void TmModuleDecodePcapFileRegister(void)
void TmModuleBypassedFlowManagerRegister(void)
void IPPairShutdown(void)
shutdown the flow engine
void SCConfInit(void)
Initialize the configuration system.
void DetectParseFreeRegexes(void)
void SCConfDump(void)
Dump configuration to stdout.
void TmModuleDecodeNFLOGRegister(void)
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
void FlowInitConfig(bool quiet)
initialize the configuration
int AppLayerSetup(void)
Setup the app layer.
void FeatureTrackingRegister(void)
void TmModuleReceiveDPDKRegister(void)
void UnixManagerThreadSpawnNonRunmode(const bool unix_socket_enabled)
void RunModeInitializeThreadSettings(void)
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
SCRunMode SCRunmodeGet(void)
Get the current run mode.
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
void PreRunPostPrivsDropInit(const int runmode)
void SigTableCleanup(void)
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
volatile sig_atomic_t sigterm_count
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
const char * SCLogLevel2Name(const SCLogLevel lvl)
void TmModuleVerdictNFQRegister(void)
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
int SCFinalizeRunMode(int argc)
void RunModeListRunmodes(void)
Lists all registered runmodes.
size_t strlcat(char *, const char *src, size_t siz)
void LiveSetOffloadDisable(void)
void StatsSetupPostConfigPostOutput(void)
void EngineModeSetIDS(void)
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
void UnixSocketKillSocketThread(void)
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
bool g_stats_eps_per_app_proto_errors
void HttpRangeContainersInit(void)
struct timeval last_reload
void TmModuleVerdictWinDivertRegister(void)
void HostCleanup(void)
Cleanup the host engine.
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
int SCConfGetNonNull(const char *name, const char **vptr)
Retrieve the non-null value of a configuration node.
int UtilSignalUnblock(int signum)
int DetectEngineEnabled(void)
Check if detection is enabled.
void TmThreadClearThreadsFamily(int family)
#define THV_REQ_FLOW_LOOP
void FlowRateRegisterFlowStorage(void)
void TmModuleRunInit(void)
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
int UtilSignalBlock(int signum)
void SCProfilingPrefilterGlobalInit(void)
void ThresholdDestroy(void)
#define SCLogWarning(...)
Macro used to log WARNING messages.
int PostConfLoadedSetup(SCInstance *suri)
const char * GetProgramVersion(void)
get string with program version
void TmModuleReceivePcapFileRegister(void)
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
int ListAppLayerHooks(const char *conf_filename)
int ListAppLayerProtocols(const char *conf_filename)
void DatasetsDestroy(void)
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
int profiling_packets_enabled
int SystemDNotifyReady(void)
void TmThreadKillThreads(void)
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
void PostConfLoadedDetectSetup(SCInstance *suri)
int EngineModeIsIDS(void)
TmModule tmm_modules[TMM_SIZE]
const char * SCConfigGetLogDirectory(void)
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
void VarNameStoreDestroy(void)
void TmModuleFlowWorkerRegister(void)
uint32_t max_pending_packets
const char ** additional_configs
#define DEFAULT_PID_FILENAME
volatile sig_atomic_t sighup_count
TmEcode ConfigSetDataDirectory(char *name)
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
#define SCDropMainThreadCaps(...)
void TmModuleDebugList(void)
void TmModuleDecodeNFQRegister(void)
void SCProtoNameRelease(void)
int RunmodeIsUnittests(void)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
void TmModuleReceiveNFLOGRegister(void)
#define DEFAULT_PACKET_SIZE
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
#define TM_FLAG_RECEIVE_TM
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
int SCConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
int SCConfSetFinal(const char *name, const char *val)
Set a final configuration value.
#define SCRealloc(ptr, sz)
void TmModuleDecodeAFXDPRegister(void)
Registration Function for DecodeAFXDP.
uint32_t default_packet_size
void SigTableApplyStrictCommandLineOption(const char *str)
@ DETECT_ENGINE_TYPE_NORMAL
void TmThreadKillThreadsFamily(int family)
void FeatureTrackingRelease(void)
void TmqhCleanup(void)
Clean up registration time allocs.
void StreamTcpFreeConfig(bool quiet)
void DecodeGlobalConfig(void)
char * strict_rule_parsing_string
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
void FlowShutdown(void)
shutdown the flow engine
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
void DetectEngineBumpVersion(void)
void TmModuleFlowManagerRegister(void)
int SCStartInternalRunMode(int argc, char **argv)
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
void HostShutdown(void)
shutdown the flow engine
#define SCFstatFn(fd, statbuf)
void LiveSetOffloadWarn(void)
void ParseSizeDeinit(void)
void SCConfDeInit(void)
De-initializes the configuration system.
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
int ListRuleProtocols(const char *conf_filename)
void SCProfilingDump(void)
void TmModuleReceiveAFXDPRegister(void)
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
int ParseSizeStringU32(const char *size, uint32_t *res)
bool EngineHostModeIsBridge(void)
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
void IPPairBitInitCtx(void)
TmEcode ConfigSetLogDirectory(const char *name)
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
int ConfUnixSocketIsEnable(void)
#define TM_FLAG_PACKET_ALL
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
#define DETECT_ENGINE_MPM_CACHE_OP_SAVE
volatile sig_atomic_t sigusr2_count
void SystemHugepageSnapshotDestroy(SystemHugepageSnapshot *s)
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
TmEcode SCLoadYamlConfig(void)
TmEcode ConfigCheckDataDirectory(const char *data_dir)
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
#define SCLogError(...)
Macro used to log ERROR messages.
int DetectEngineReloadStart(void)
void TopologyDestroy(void)
#define DEFAULT_CONF_FILE
#define SC_LOG_MAX_LOG_MSG_LEN
void AppLayerParserPostStreamSetup(void)
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
void SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
bool install_signal_handlers
void TmModuleRespondRejectRegister(void)
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
void RunUnittests(int list_unittests, const char *regex_arg)
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
int SCConfSet(const char *name, const char *val)
Set a configuration value.
void PacketAlertTagInit(void)
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
DetectEngineCtx * DetectEngineCtxInit(void)
void SCOnLoggingReady(void)
Invokes all registered logging ready callbacks.
void TmModuleDecodeLibRegister(void)
register a "Decode" module for suricata as a library.
int EngineModeIsIPS(void)
int ListAppLayerFrames(const char *conf_filename)
void SCProfilingKeywordsGlobalInit(void)
void EngineDone(void)
Used to indicate that the current task is done.
bool firewall_rule_file_exclusive
const char * GetDocURL(void)
void PostRunDeinit(const int runmode, struct timeval *start_time)
clean up / shutdown code for packet modes
void HostInitConfig(bool quiet)
initialize the configuration
TmEcode TmThreadWaitOnThreadRunning(void)
Waits for all threads to be in a running state.
void HttpRangeContainersDestroy(void)
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
#define DEFAULT_MAX_PENDING_PACKETS
void DetectEngineClearMaster(void)
void SetMasterExceptionPolicy(void)
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
void OutputFilestoreRegisterGlobalCounters(void)
int InitGlobal(void)
Global initialization common to all runmodes.
int LiveGetDeviceCount(void)
Get the number of registered devices.
SystemHugepageSnapshot * SystemHugepageSnapshotCreate(void)
The function creates a snapshot of the system's hugepage usage per NUMA node and per hugepage size....
void SCProfilingSghsGlobalInit(void)
@ RUNMODE_LIST_RULE_PROTOS
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
#define SCStatFn(pathname, statbuf)
void LiveDeviceFinalize(void)
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
void PacketPoolDestroy(void)
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
void LandlockSandboxing(SCInstance *suri)
int ListKeywords(const char *keyword_info)
#define SCLogNotice(...)
Macro used to log NOTICE messages.
void SuricataPreInit(const char *progname)
const char ** additional_plugins
void DPDKCleanupEAL(void)
@ RUNMODE_PRINT_BUILDINFO
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
void NFQContextsClean(void)
Clean global contexts. Must be called on exit.
void SystemHugepageEvaluateHugepages(SystemHugepageSnapshot *pre_s, SystemHugepageSnapshot *post_s)
The function compares two hugepage snapshots and prints out recommendations for hugepage configuratio...
#define DEBUG_VALIDATE_BUG_ON(exp)
void SCProfilingInit(void)
Initialize profiling.
void GlobalsDestroy(void)
@ ENGINE_HOST_IS_SNIFFER_ONLY
int DetectEngineReloadIsStart(void)
int SCStorageFinalize(void)
volatile uint8_t suricata_ctl_flags
#define TM_FLAG_FLOWWORKER_TM
void TagDestroyCtx(void)
Destroy tag context hash tables.
int DetectAddressTestConfVars(void)
void FlowWorkToDoCleanup(void)
Clean up all the flows that have unprocessed segments and have some work to do in the detection engin...
void MpmHSGlobalCleanup(void)
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args, const char **additional_plugins)
void TmqResetQueues(void)