suricata
suricata.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #if HAVE_GETOPT_H
27 #include <getopt.h>
28 #endif
29 
30 #if HAVE_SIGNAL_H
31 #include <signal.h>
32 #endif
33 
34 #include "suricata.h"
35 #include "decode.h"
36 #include "feature.h"
37 #include "detect.h"
38 #include "packet-queue.h"
39 #include "threads.h"
40 #include "threadvars.h"
41 #include "flow-worker.h"
42 
43 #include "util-atomic.h"
44 #include "util-spm.h"
45 #include "util-cpu.h"
46 #include "util-action.h"
47 #include "util-pidfile.h"
48 #include "util-ioctl.h"
49 #include "util-device.h"
50 #include "util-misc.h"
51 #include "util-running-modes.h"
52 
53 #include "detect-engine.h"
54 #include "detect-parse.h"
55 #include "detect-fast-pattern.h"
56 #include "detect-engine-tag.h"
57 #include "detect-engine-threshold.h"
58 #include "detect-engine-address.h"
59 #include "detect-engine-port.h"
60 #include "detect-engine-mpm.h"
61 
62 #include "tm-queuehandlers.h"
63 #include "tm-queues.h"
64 #include "tm-threads.h"
65 
66 #include "tmqh-flow.h"
67 
68 #include "conf.h"
69 #include "conf-yaml-loader.h"
70 
71 #include "app-layer-htp-range.h"
72 #include "datasets.h"
73 
74 #include "stream-tcp.h"
75 
76 #include "source-nfq.h"
77 #include "source-nfq-prototypes.h"
78 
79 #include "source-nflog.h"
80 
81 #include "source-ipfw.h"
82 
83 #include "source-pcap.h"
84 #include "source-pcap-file.h"
85 #include "source-pcap-file-helper.h"
86 
87 #include "source-pfring.h"
88 
89 #include "source-erf-file.h"
90 #include "source-erf-dag.h"
91 #include "source-napatech.h"
92 
93 #include "source-af-packet.h"
94 #include "source-netmap.h"
95 
96 #include "source-dpdk.h"
97 
98 #include "source-windivert.h"
99 #include "source-windivert-prototypes.h"
100 
101 #include "respond-reject.h"
102 
103 #include "flow.h"
104 #include "flow-timeout.h"
105 #include "flow-manager.h"
106 #include "flow-bypass.h"
107 #include "flow-var.h"
108 #include "flow-bit.h"
109 #include "pkt-var.h"
110 #include "host-bit.h"
111 
112 #include "ippair.h"
113 #include "ippair-bit.h"
114 
115 #include "host.h"
116 #include "unix-manager.h"
117 
118 #include "app-layer.h"
119 #include "app-layer-parser.h"
120 #include "app-layer-register.h"
121 #include "app-layer-htp.h"
122 #include "app-layer-ssl.h"
123 #include "app-layer-ssh.h"
124 #include "app-layer-ftp.h"
125 #include "app-layer-smtp.h"
126 #include "app-layer-enip.h"
127 #include "app-layer-dnp3.h"
128 #include "app-layer-smb.h"
129 #include "app-layer-htp-file.h"
130 
131 #include "output-filestore.h"
132 
133 #include "util-ebpf.h"
134 #include "util-radix-tree.h"
135 #include "util-host-os-info.h"
136 #include "util-cidr.h"
137 #include "util-unittest.h"
138 #include "util-unittest-helper.h"
139 #include "util-time.h"
140 #include "util-rule-vars.h"
141 #include "util-classification-config.h"
142 #include "util-threshold-config.h"
143 #include "util-reference-config.h"
144 #include "util-profiling.h"
145 #include "util-magic.h"
146 #include "util-signal.h"
147 
148 #include "util-coredump-config.h"
149 
150 #include "util-decode-mime.h"
151 
152 #include "defrag.h"
153 
154 #include "runmodes.h"
155 #include "runmode-unittests.h"
156 
157 #include "util-debug.h"
158 #include "util-error.h"
159 #include "util-daemon.h"
160 #include "util-byte.h"
161 #include "reputation.h"
162 
163 #include "output.h"
164 
165 #include "util-privs.h"
166 
167 #include "tmqh-packetpool.h"
168 
169 #include "util-proto-name.h"
170 #include "util-mpm-hs.h"
171 #include "util-storage.h"
172 #include "host-storage.h"
173 
174 #include "util-lua.h"
175 
176 #include "util-plugin.h"
177 
178 #include "util-dpdk.h"
179 #include "util-exception-policy.h"
180 
181 #include "rust.h"
182 
183 /*
184  * we put this here, because we only use it here in main.
185  */
186 volatile sig_atomic_t sigint_count = 0;
187 volatile sig_atomic_t sighup_count = 0;
188 volatile sig_atomic_t sigterm_count = 0;
189 volatile sig_atomic_t sigusr2_count = 0;
190 
191 /*
192  * Flag to indicate if the engine is at the initialization
193  * or already processing packets. 3 stages: SURICATA_INIT,
194  * SURICATA_RUNTIME and SURICATA_FINALIZE
195  */
196 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
197 
198 /* Max packets processed simultaniously per thread. */
199 #define DEFAULT_MAX_PENDING_PACKETS 1024
200 
201 /** suricata engine control flags */
202 volatile uint8_t suricata_ctl_flags = 0;
203 
204 /** Run mode selected */
205 int run_mode = RUNMODE_UNKNOWN;
206 
207 /** Engine mode: inline (ENGINE_MODE_IPS) or just
208  * detection mode (ENGINE_MODE_IDS by default) */
209 static enum EngineMode g_engine_mode = ENGINE_MODE_IDS;
210 
211 /** Host mode: set if box is sniffing only
212  * or is a router */
213 uint8_t host_mode = SURI_HOST_IS_SNIFFER_ONLY;
214 
215 /** Maximum packets to simultaneously process. */
216 intmax_t max_pending_packets;
217 
218 /** global indicating if detection is enabled */
219 int g_detect_disabled = 0;
220 
221 /** set caps or not */
222 int sc_set_caps = FALSE;
223 
224 /** highest mtu of the interfaces we monitor */
225 int g_default_mtu = 0;
226 
227 bool g_system = false;
228 
229 /** disable randomness to get reproducible results accross runs */
230 #ifndef AFLFUZZ_NO_RANDOM
231 int g_disable_randomness = 0;
232 #else
233 int g_disable_randomness = 1;
234 #endif
235 
236 /** determine (without branching) if we include the vlan_ids when hashing or
237  * comparing flows */
238 uint16_t g_vlan_mask = 0xffff;
239 
240 /* flag to disable hashing almost globally, to be similar to disabling nss
241  * support */
242 bool g_disable_hashing = false;
243 
244 /** Suricata instance */
245 SCInstance suricata;
246 
247 int SuriHasSigFile(void)
248 {
249  return (suricata.sig_file != NULL);
250 }
251 
252 int EngineModeIsIPS(void)
253 {
254  return (g_engine_mode == ENGINE_MODE_IPS);
255 }
256 
257 int EngineModeIsIDS(void)
258 {
259  return (g_engine_mode == ENGINE_MODE_IDS);
260 }
261 
262 void EngineModeSetIPS(void)
263 {
264  g_engine_mode = ENGINE_MODE_IPS;
265 }
266 
267 void EngineModeSetIDS(void)
268 {
269  g_engine_mode = ENGINE_MODE_IDS;
270 }
271 
272 #ifdef UNITTESTS
273 int RunmodeIsUnittests(void)
274 {
275  if (run_mode == RUNMODE_UNITTEST)
276  return 1;
277 
278  return 0;
279 }
280 #endif
281 
282 int RunmodeGetCurrent(void)
283 {
284  return run_mode;
285 }
286 
287 /** signal handlers
288  *
289  * WARNING: don't use the SCLog* API in the handlers. The API is complex
290  * with memory allocation possibly happening, calls to syslog, json message
291  * construction, etc.
292  */
293 
294 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
295 static void SignalHandlerSigint(/*@unused@*/ int sig)
296 {
297  sigint_count = 1;
298 }
299 static void SignalHandlerSigterm(/*@unused@*/ int sig)
300 {
301  sigterm_count = 1;
302 }
303 #ifndef OS_WIN32
304 #if HAVE_LIBUNWIND
305 #define UNW_LOCAL_ONLY
306 #include <libunwind.h>
307 static void SignalHandlerUnexpected(int sig_num, siginfo_t *info, void *context)
308 {
309  char msg[SC_LOG_MAX_LOG_MSG_LEN];
310  unw_cursor_t cursor;
311  /* Restore defaults for signals to avoid loops */
312  signal(SIGABRT, SIG_DFL);
313  signal(SIGSEGV, SIG_DFL);
314  int r;
315  if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
316  fprintf(stderr, "unable to obtain stack trace: unw_init_local: %s\n", unw_strerror(r));
317  goto terminate;
318  }
319 
320  char *temp = msg;
321  int cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "stacktrace:sig %d:", sig_num);
322  temp += cw;
323  r = 1;
324  while (r > 0) {
325  if (unw_is_signal_frame(&cursor) == 0) {
326  unw_word_t off;
327  char name[256];
328  if (unw_get_proc_name(&cursor, name, sizeof(name), &off) == UNW_ENOMEM) {
329  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "[unknown]:");
330  } else {
331  cw = snprintf(
332  temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "%s+0x%08" PRIx64, name, off);
333  }
334  temp += cw;
335  }
336 
337  r = unw_step(&cursor);
338  if (r > 0) {
339  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), ";");
340  temp += cw;
341  }
342  }
343  SCLogError(SC_ERR_SIGNAL, "%s", msg);
344 
345 terminate:
346  // Propagate signal to watchers, if any
347  kill(getpid(), sig_num);
348 }
349 #undef UNW_LOCAL_ONLY
350 #endif /* HAVE_LIBUNWIND */
351 #endif /* !OS_WIN32 */
352 #endif
353 
354 #ifndef OS_WIN32
355 /**
356  * SIGUSR2 handler. Just set sigusr2_count. The main loop will act on
357  * it.
358  */
359 static void SignalHandlerSigusr2(int sig)
360 {
361  if (sigusr2_count < 2)
362  sigusr2_count++;
363 }
364 
365 /**
366  * SIGHUP handler. Just set sighup_count. The main loop will act on
367  * it.
368  */
369 static void SignalHandlerSigHup(/*@unused@*/ int sig)
370 {
371  sighup_count = 1;
372 }
373 #endif
374 
375 void GlobalsInitPreConfig(void)
376 {
377  TimeInit();
378  SupportFastPatternForSigMatchTypes();
379  SCThresholdConfGlobalInit();
380  SCProtoNameInit();
381 }
382 
383 static void GlobalsDestroy(SCInstance *suri)
384 {
385  HostShutdown();
386  HTPFreeConfig();
387  HTPAtExitPrintStats();
388 
389  AppLayerHtpPrintStats();
390 
391  /* TODO this can do into it's own func */
392  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
393  if (de_ctx) {
394  DetectEngineMoveToFreeList(de_ctx);
395  DetectEngineDeReference(&de_ctx);
396  }
397  DetectEnginePruneFreeList();
398 
399  AppLayerDeSetup();
400  DatasetsSave();
401  DatasetsDestroy();
402  HttpRangeContainersDestroy();
403  TagDestroyCtx();
404 
405  LiveDeviceListClean();
406  OutputDeregisterAll();
407  FeatureTrackingRelease();
408  SCProtoNameRelease();
409  TimeDeinit();
410  if (!suri->disabled_detect) {
411  SCReferenceConfDeinit();
412  SCClassConfDeinit();
413  }
414  TmqhCleanup();
415  TmModuleRunDeInit();
416  ParseSizeDeinit();
417 
418 #ifdef HAVE_DPDK
419  DPDKCleanupEAL();
420 #endif
421 
422 #ifdef HAVE_AF_PACKET
423  AFPPeersListClean();
424 #endif
425 
426 #ifdef NFQ
427  NFQContextsClean();
428 #endif
429 
430 #ifdef BUILD_HYPERSCAN
431  MpmHSGlobalCleanup();
432 #endif
433 
434  ConfDeInit();
435 #ifdef HAVE_LUAJIT
436  LuajitFreeStatesPool();
437 #endif
438  SCLogDeInitLogModule();
439  DetectParseFreeRegexes();
440  SCThresholdConfGlobalFree();
441 
442  SCPidfileRemove(suri->pid_filename);
443  SCFree(suri->pid_filename);
444  suri->pid_filename = NULL;
445 }
446 
447 /** \brief make sure threads can stop the engine by calling this
448  * function. Purpose: pcap file mode needs to be able to tell the
449  * engine the file eof is reached. */
450 void EngineStop(void)
451 {
452  suricata_ctl_flags |= SURICATA_STOP;
453 }
454 
455 /**
456  * \brief Used to indicate that the current task is done.
457  *
458  * This is mainly used by pcap-file to tell it has finished
459  * to treat a pcap files when running in unix-socket mode.
460  */
461 void EngineDone(void)
462 {
463  suricata_ctl_flags |= SURICATA_DONE;
464 }
465 
466 static int SetBpfString(int argc, char *argv[])
467 {
468  char *bpf_filter = NULL;
469  uint32_t bpf_len = 0;
470  int tmpindex = 0;
471 
472  /* attempt to parse remaining args as bpf filter */
473  tmpindex = argc;
474  while(argv[tmpindex] != NULL) {
475  bpf_len+=strlen(argv[tmpindex]) + 1;
476  tmpindex++;
477  }
478 
479  if (bpf_len == 0)
480  return TM_ECODE_OK;
481 
482  if (EngineModeIsIPS()) {
483  SCLogError(SC_ERR_NOT_SUPPORTED,
484  "BPF filter not available in IPS mode."
485  " Use firewall filtering if possible.");
486  return TM_ECODE_FAILED;
487  }
488 
489  bpf_filter = SCMalloc(bpf_len);
490  if (unlikely(bpf_filter == NULL))
491  return TM_ECODE_OK;
492  memset(bpf_filter, 0x00, bpf_len);
493 
494  tmpindex = optind;
495  while(argv[tmpindex] != NULL) {
496  strlcat(bpf_filter, argv[tmpindex],bpf_len);
497  if(argv[tmpindex + 1] != NULL) {
498  strlcat(bpf_filter," ", bpf_len);
499  }
500  tmpindex++;
501  }
502 
503  if(strlen(bpf_filter) > 0) {
504  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
505  SCLogError(SC_ERR_FATAL, "Failed to set bpf filter.");
506  SCFree(bpf_filter);
507  return TM_ECODE_FAILED;
508  }
509  }
510  SCFree(bpf_filter);
511 
512  return TM_ECODE_OK;
513 }
514 
515 static void SetBpfStringFromFile(char *filename)
516 {
517  char *bpf_filter = NULL;
518  char *bpf_comment_tmp = NULL;
519  char *bpf_comment_start = NULL;
520  uint32_t bpf_len = 0;
521 #ifdef OS_WIN32
522  struct _stat st;
523 #else
524  struct stat st;
525 #endif /* OS_WIN32 */
526  FILE *fp = NULL;
527  size_t nm = 0;
528 
529  if (EngineModeIsIPS()) {
530  FatalError(SC_ERR_FATAL,
531  "BPF filter not available in IPS mode."
532  " Use firewall filtering if possible.");
533  }
534 
535  fp = fopen(filename, "r");
536  if (fp == NULL) {
537  SCLogError(SC_ERR_FOPEN, "Failed to open file %s", filename);
538  exit(EXIT_FAILURE);
539  }
540 
541 #ifdef OS_WIN32
542  if (_fstat(_fileno(fp), &st) != 0) {
543 #else
544  if (fstat(fileno(fp), &st) != 0) {
545 #endif /* OS_WIN32 */
546  SCLogError(SC_ERR_FOPEN, "Failed to stat file %s", filename);
547  exit(EXIT_FAILURE);
548  }
549  bpf_len = st.st_size + 1;
550 
551  bpf_filter = SCMalloc(bpf_len * sizeof(char));
552  if (unlikely(bpf_filter == NULL)) {
553  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate buffer for bpf filter in file %s", filename);
554  exit(EXIT_FAILURE);
555  }
556  memset(bpf_filter, 0x00, bpf_len);
557 
558  nm = fread(bpf_filter, 1, bpf_len - 1, fp);
559  if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
560  SCLogError(SC_ERR_BPF, "Failed to read complete BPF file %s", filename);
561  SCFree(bpf_filter);
562  fclose(fp);
563  exit(EXIT_FAILURE);
564  }
565  fclose(fp);
566  bpf_filter[nm] = '\0';
567 
568  if(strlen(bpf_filter) > 0) {
569  /*replace comments with space*/
570  bpf_comment_start = bpf_filter;
571  while((bpf_comment_tmp = strchr(bpf_comment_start, '#')) != NULL) {
572  while((*bpf_comment_tmp !='\0') &&
573  (*bpf_comment_tmp != '\r') && (*bpf_comment_tmp != '\n'))
574  {
575  *bpf_comment_tmp++ = ' ';
576  }
577  bpf_comment_start = bpf_comment_tmp;
578  }
579  /*remove remaining '\r' and '\n' */
580  while((bpf_comment_tmp = strchr(bpf_filter, '\r')) != NULL) {
581  *bpf_comment_tmp = ' ';
582  }
583  while((bpf_comment_tmp = strchr(bpf_filter, '\n')) != NULL) {
584  *bpf_comment_tmp = ' ';
585  }
586  /* cut trailing spaces */
587  while (strlen(bpf_filter) > 0 &&
588  bpf_filter[strlen(bpf_filter)-1] == ' ')
589  {
590  bpf_filter[strlen(bpf_filter)-1] = '\0';
591  }
592  if (strlen(bpf_filter) > 0) {
593  if(ConfSetFinal("bpf-filter", bpf_filter) != 1) {
594  SCLogError(SC_ERR_FOPEN, "ERROR: Failed to set bpf filter!");
595  SCFree(bpf_filter);
596  exit(EXIT_FAILURE);
597  }
598  }
599  }
600  SCFree(bpf_filter);
601 }
602 
603 static void PrintUsage(const char *progname)
604 {
605 #ifdef REVISION
606  printf("%s %s (%s)\n", PROG_NAME, PROG_VER, xstr(REVISION));
607 #else
608  printf("%s %s\n", PROG_NAME, PROG_VER);
609 #endif
610  printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
611  printf("\t-c <path> : path to configuration file\n");
612  printf("\t-T : test configuration file (use with -c)\n");
613  printf("\t-i <dev or ip> : run in pcap live mode\n");
614  printf("\t-F <bpf filter file> : bpf filter file\n");
615  printf("\t-r <path> : run in pcap file/offline mode\n");
616 #ifdef NFQ
617  printf("\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to specify a range of queues)\n");
618 #endif /* NFQ */
619 #ifdef IPFW
620  printf("\t-d <divert port> : run in inline ipfw divert mode\n");
621 #endif /* IPFW */
622  printf("\t-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)\n");
623  printf("\t-S <path> : path to signature file loaded exclusively (optional)\n");
624  printf("\t-l <dir> : default log directory\n");
625 #ifndef OS_WIN32
626  printf("\t-D : run as daemon\n");
627 #else
628  printf("\t--service-install : install as service\n");
629  printf("\t--service-remove : remove service\n");
630  printf("\t--service-change-params : change service startup parameters\n");
631 #endif /* OS_WIN32 */
632  printf("\t-k [all|none] : force checksum check (all) or disabled it (none)\n");
633  printf("\t-V : display Suricata version\n");
634  printf("\t-v : be more verbose (use multiple times to increase verbosity)\n");
635 #ifdef UNITTESTS
636  printf("\t-u : run the unittests and exit\n");
637  printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n");
638  printf("\t--list-unittests : list unit tests\n");
639  printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
640  printf("\t--unittests-coverage : display unittest coverage report\n");
641 #endif /* UNITTESTS */
642  printf("\t--list-app-layer-protos : list supported app layer protocols\n");
643  printf("\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
644  printf("\t--list-runmodes : list supported runmodes\n");
645  printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
646  "\t supplied should be the id for the runmode obtained by running\n"
647  "\t --list-runmodes\n");
648  printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n"
649  "\t Please have a look at the conf parameter engine-analysis on what reports\n"
650  "\t can be printed\n");
651  printf("\t--pidfile <file> : write pid to this file\n");
652  printf("\t--init-errors-fatal : enable fatal failure on signature init error\n");
653  printf("\t--disable-detection : disable detection engine\n");
654  printf("\t--dump-config : show the running configuration\n");
655  printf("\t--dump-features : display provided features\n");
656  printf("\t--build-info : display build information\n");
657  printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml\n");
658  printf("\t--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
659  printf("\t--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
660  printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)\n");
661 #ifdef HAVE_PCAP_SET_BUFF
662  printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
663 #endif /* HAVE_SET_PCAP_BUFF */
664 #ifdef HAVE_DPDK
665  printf("\t--dpdk : run in dpdk mode, uses interfaces from "
666  "suricata.yaml\n");
667 #endif
668 #ifdef HAVE_AF_PACKET
669  printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
670 #endif
671 #ifdef HAVE_NETMAP
672  printf("\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
673 #endif
674 #ifdef HAVE_PFRING
675  printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
676  printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
677  printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
678  printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
679 #endif /* HAVE_PFRING */
680  printf("\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
681 #ifdef HAVE_LIBCAP_NG
682  printf("\t--user <user> : run suricata as this user after init\n");
683  printf("\t--group <group> : run suricata as this group after init\n");
684 #endif /* HAVE_LIBCAP_NG */
685  printf("\t--erf-in <path> : process an ERF file\n");
686 #ifdef HAVE_DAG
687  printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
688 #endif
689 #ifdef HAVE_NAPATECH
690  printf("\t--napatech : run Napatech Streams using the API\n");
691 #endif
692 #ifdef BUILD_UNIX_SOCKET
693  printf("\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
694 #endif
695 #ifdef WINDIVERT
696  printf("\t--windivert <filter> : run in inline WinDivert mode\n");
697  printf("\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
698 #endif
699 #ifdef HAVE_LIBNET11
700  printf("\t--reject-dev <dev> : send reject packets from this interface\n");
701 #endif
702  printf("\t--set name=value : set a configuration value\n");
703  printf("\n");
704  printf("\nTo run the engine with default configuration on "
705  "interface eth0 with signature file \"signatures.rules\", run the "
706  "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
707  progname);
708 }
709 
710 static void PrintBuildInfo(void)
711 {
712  const char *bits = "<unknown>-bits";
713  const char *endian = "<unknown>-endian";
714  char features[2048] = "";
715  const char *tls;
716 
717  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
718 
719 #ifdef DEBUG
720  strlcat(features, "DEBUG ", sizeof(features));
721 #endif
722 #ifdef DEBUG_VALIDATION
723  strlcat(features, "DEBUG_VALIDATION ", sizeof(features));
724 #endif
725 #ifdef UNITTESTS
726  strlcat(features, "UNITTESTS ", sizeof(features));
727 #endif
728 #ifdef NFQ
729  strlcat(features, "NFQ ", sizeof(features));
730 #endif
731 #ifdef IPFW
732  strlcat(features, "IPFW ", sizeof(features));
733 #endif
734 #ifdef HAVE_PCAP_SET_BUFF
735  strlcat(features, "PCAP_SET_BUFF ", sizeof(features));
736 #endif
737 #ifdef HAVE_PFRING
738  strlcat(features, "PF_RING ", sizeof(features));
739 #endif
740 #ifdef HAVE_AF_PACKET
741  strlcat(features, "AF_PACKET ", sizeof(features));
742 #endif
743 #ifdef HAVE_NETMAP
744  strlcat(features, "NETMAP ", sizeof(features));
745 #endif
746 #ifdef HAVE_PACKET_FANOUT
747  strlcat(features, "HAVE_PACKET_FANOUT ", sizeof(features));
748 #endif
749 #ifdef HAVE_DAG
750  strlcat(features, "DAG ", sizeof(features));
751 #endif
752 #ifdef HAVE_LIBCAP_NG
753  strlcat(features, "LIBCAP_NG ", sizeof(features));
754 #endif
755 #ifdef HAVE_LIBNET11
756  strlcat(features, "LIBNET1.1 ", sizeof(features));
757 #endif
758 #ifdef HAVE_HTP_URI_NORMALIZE_HOOK
759  strlcat(features, "HAVE_HTP_URI_NORMALIZE_HOOK ", sizeof(features));
760 #endif
761 #ifdef PCRE2_HAVE_JIT
762  strlcat(features, "PCRE_JIT ", sizeof(features));
763 #endif
764  /* For compatibility, just say we have HAVE_NSS. */
765  strlcat(features, "HAVE_NSS ", sizeof(features));
766  /* HTTP2_DECOMPRESSION is not an optional feature in this major version */
767  strlcat(features, "HTTP2_DECOMPRESSION ", sizeof(features));
768 #ifdef HAVE_LUA
769  strlcat(features, "HAVE_LUA ", sizeof(features));
770 #endif
771 #ifdef HAVE_LUAJIT
772  strlcat(features, "HAVE_LUAJIT ", sizeof(features));
773 #endif
774  strlcat(features, "HAVE_LIBJANSSON ", sizeof(features));
775 #ifdef PROFILING
776  strlcat(features, "PROFILING ", sizeof(features));
777 #endif
778 #ifdef PROFILE_LOCKING
779  strlcat(features, "PROFILE_LOCKING ", sizeof(features));
780 #endif
781 #if defined(TLS_C11) || defined(TLS_GNU)
782  strlcat(features, "TLS ", sizeof(features));
783 #endif
784 #if defined(TLS_C11)
785  strlcat(features, "TLS_C11 ", sizeof(features));
786 #elif defined(TLS_GNU)
787  strlcat(features, "TLS_GNU ", sizeof(features));
788 #endif
789 #ifdef HAVE_MAGIC
790  strlcat(features, "MAGIC ", sizeof(features));
791 #endif
792  strlcat(features, "RUST ", sizeof(features));
793  if (strlen(features) == 0) {
794  strlcat(features, "none", sizeof(features));
795  }
796 
797  printf("Features: %s\n", features);
798 
799  /* SIMD stuff */
800  memset(features, 0x00, sizeof(features));
801 #if defined(__SSE4_2__)
802  strlcat(features, "SSE_4_2 ", sizeof(features));
803 #endif
804 #if defined(__SSE4_1__)
805  strlcat(features, "SSE_4_1 ", sizeof(features));
806 #endif
807 #if defined(__SSE3__)
808  strlcat(features, "SSE_3 ", sizeof(features));
809 #endif
810  if (strlen(features) == 0) {
811  strlcat(features, "none", sizeof(features));
812  }
813  printf("SIMD support: %s\n", features);
814 
815  /* atomics stuff */
816  memset(features, 0x00, sizeof(features));
817 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
818  strlcat(features, "1 ", sizeof(features));
819 #endif
820 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
821  strlcat(features, "2 ", sizeof(features));
822 #endif
823 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
824  strlcat(features, "4 ", sizeof(features));
825 #endif
826 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
827  strlcat(features, "8 ", sizeof(features));
828 #endif
829 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
830  strlcat(features, "16 ", sizeof(features));
831 #endif
832  if (strlen(features) == 0) {
833  strlcat(features, "none", sizeof(features));
834  } else {
835  strlcat(features, "byte(s)", sizeof(features));
836  }
837  printf("Atomic intrinsics: %s\n", features);
838 
839 #if __WORDSIZE == 64
840  bits = "64-bits";
841 #elif __WORDSIZE == 32
842  bits = "32-bits";
843 #endif
844 
845 #if __BYTE_ORDER == __BIG_ENDIAN
846  endian = "Big-endian";
847 #elif __BYTE_ORDER == __LITTLE_ENDIAN
848  endian = "Little-endian";
849 #endif
850 
851  printf("%s, %s architecture\n", bits, endian);
852 #ifdef __GNUC__
853  printf("GCC version %s, C version %"PRIiMAX"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
854 #else
855  printf("C version %"PRIiMAX"\n", (intmax_t)__STDC_VERSION__);
856 #endif
857 
858 #if __SSP__ == 1
859  printf("compiled with -fstack-protector\n");
860 #endif
861 #if __SSP_ALL__ == 2
862  printf("compiled with -fstack-protector-all\n");
863 #endif
864 /*
865  * Workaround for special defines of _FORTIFY_SOURCE like
866  * FORTIFY_SOURCE=((defined __OPTIMIZE && OPTIMIZE > 0) ? 2 : 0)
867  * which is used by Gentoo for example and would result in the error
868  * 'defined' undeclared when _FORTIFY_SOURCE used via %d in printf func
869  *
870  */
871 #if _FORTIFY_SOURCE == 2
872  printf("compiled with _FORTIFY_SOURCE=2\n");
873 #elif _FORTIFY_SOURCE == 1
874  printf("compiled with _FORTIFY_SOURCE=1\n");
875 #elif _FORTIFY_SOURCE == 0
876  printf("compiled with _FORTIFY_SOURCE=0\n");
877 #endif
878 #ifdef CLS
879  printf("L1 cache line size (CLS)=%d\n", CLS);
880 #endif
881 #if defined(TLS_C11)
882  tls = "_Thread_local";
883 #elif defined(TLS_GNU)
884  tls = "__thread";
885 #else
886 #error "Unsupported thread local"
887 #endif
888  printf("thread local storage method: %s\n", tls);
889 
890  printf("compiled with %s, linked against %s\n",
891  HTP_VERSION_STRING_FULL, htp_get_version());
892  printf("\n");
893 #include "build-info.h"
894 }
895 
896 int coverage_unittests;
897 int g_ut_modules;
898 int g_ut_covered;
899 
900 void RegisterAllModules(void)
901 {
902  // zero all module storage
903  memset(tmm_modules, 0, TMM_SIZE * sizeof(TmModule));
904 
905  /* commanders */
906  TmModuleUnixManagerRegister();
907  /* managers */
908  TmModuleFlowManagerRegister();
909  TmModuleFlowRecyclerRegister();
910  TmModuleBypassedFlowManagerRegister();
911  /* nfq */
912  TmModuleReceiveNFQRegister();
913  TmModuleVerdictNFQRegister();
914  TmModuleDecodeNFQRegister();
915  /* ipfw */
916  TmModuleReceiveIPFWRegister();
917  TmModuleVerdictIPFWRegister();
918  TmModuleDecodeIPFWRegister();
919  /* pcap live */
920  TmModuleReceivePcapRegister();
921  TmModuleDecodePcapRegister();
922  /* pcap file */
923  TmModuleReceivePcapFileRegister();
924  TmModuleDecodePcapFileRegister();
925  /* af-packet */
926  TmModuleReceiveAFPRegister();
927  TmModuleDecodeAFPRegister();
928  /* netmap */
929  TmModuleReceiveNetmapRegister();
930  TmModuleDecodeNetmapRegister();
931  /* pfring */
932  TmModuleReceivePfringRegister();
933  TmModuleDecodePfringRegister();
934  /* dag file */
935  TmModuleReceiveErfFileRegister();
936  TmModuleDecodeErfFileRegister();
937  /* dag live */
938  TmModuleReceiveErfDagRegister();
939  TmModuleDecodeErfDagRegister();
940  /* napatech */
941  TmModuleNapatechStreamRegister();
942  TmModuleNapatechDecodeRegister();
943 
944  /* flow worker */
945  TmModuleFlowWorkerRegister();
946  /* respond-reject */
947  TmModuleRespondRejectRegister();
948 
949  /* log api */
950  TmModuleLoggerRegister();
951  TmModuleStatsLoggerRegister();
952 
953  TmModuleDebugList();
954  /* nflog */
955  TmModuleReceiveNFLOGRegister();
956  TmModuleDecodeNFLOGRegister();
957 
958  /* windivert */
959  TmModuleReceiveWinDivertRegister();
960  TmModuleVerdictWinDivertRegister();
961  TmModuleDecodeWinDivertRegister();
962 
963  /* Dpdk */
964  TmModuleReceiveDPDKRegister();
965  TmModuleDecodeDPDKRegister();
966 }
967 
968 static TmEcode LoadYamlConfig(SCInstance *suri)
969 {
970  SCEnter();
971 
972  if (suri->conf_filename == NULL)
973  suri->conf_filename = DEFAULT_CONF_FILE;
974 
975  if (ConfYamlLoadFile(suri->conf_filename) != 0) {
976  /* Error already displayed. */
977  SCReturnInt(TM_ECODE_FAILED);
978  }
979 
980  SCReturnInt(TM_ECODE_OK);
981 }
982 
983 static TmEcode ParseInterfacesList(const int runmode, char *pcap_dev)
984 {
985  SCEnter();
986 
987  /* run the selected runmode */
988  if (runmode == RUNMODE_PCAP_DEV) {
989  if (strlen(pcap_dev) == 0) {
990  int ret = LiveBuildDeviceList("pcap");
991  if (ret == 0) {
992  SCLogError(SC_ERR_INITIALIZATION, "No interface found in config for pcap");
993  SCReturnInt(TM_ECODE_FAILED);
994  }
995  }
996  } else if (runmode == RUNMODE_PFRING) {
997  /* FIXME add backward compat support */
998  /* iface has been set on command line */
999  if (strlen(pcap_dev)) {
1000  if (ConfSetFinal("pfring.live-interface", pcap_dev) != 1) {
1001  SCLogError(SC_ERR_INITIALIZATION, "Failed to set pfring.live-interface");
1002  SCReturnInt(TM_ECODE_FAILED);
1003  }
1004  } else {
1005  /* not an error condition if we have a 1.0 config */
1006  LiveBuildDeviceList("pfring");
1007  }
1008 #ifdef HAVE_DPDK
1009  } else if (runmode == RUNMODE_DPDK) {
1010  char iface_selector[] = "dpdk.interfaces";
1011  int ret = LiveBuildDeviceList(iface_selector);
1012  if (ret == 0) {
1013  SCLogError(
1014  SC_ERR_INITIALIZATION, "No interface found in config for %s", iface_selector);
1015  SCReturnInt(TM_ECODE_FAILED);
1016  }
1017 #endif
1018 #ifdef HAVE_AF_PACKET
1019  } else if (runmode == RUNMODE_AFP_DEV) {
1020  /* iface has been set on command line */
1021  if (strlen(pcap_dev)) {
1022  if (ConfSetFinal("af-packet.live-interface", pcap_dev) != 1) {
1023  SCLogError(SC_ERR_INITIALIZATION, "Failed to set af-packet.live-interface");
1024  SCReturnInt(TM_ECODE_FAILED);
1025  }
1026  } else {
1027  int ret = LiveBuildDeviceList("af-packet");
1028  if (ret == 0) {
1029  SCLogError(SC_ERR_INITIALIZATION, "No interface found in config for af-packet");
1030  SCReturnInt(TM_ECODE_FAILED);
1031  }
1032  }
1033 #endif
1034 #ifdef HAVE_NETMAP
1035  } else if (runmode == RUNMODE_NETMAP) {
1036  /* iface has been set on command line */
1037  if (strlen(pcap_dev)) {
1038  if (ConfSetFinal("netmap.live-interface", pcap_dev) != 1) {
1039  SCLogError(SC_ERR_INITIALIZATION, "Failed to set netmap.live-interface");
1040  SCReturnInt(TM_ECODE_FAILED);
1041  }
1042  } else {
1043  int ret = LiveBuildDeviceList("netmap");
1044  if (ret == 0) {
1045  SCLogError(SC_ERR_INITIALIZATION, "No interface found in config for netmap");
1046  SCReturnInt(TM_ECODE_FAILED);
1047  }
1048  }
1049 #endif
1050 #ifdef HAVE_NFLOG
1051  } else if (runmode == RUNMODE_NFLOG) {
1052  int ret = LiveBuildDeviceListCustom("nflog", "group");
1053  if (ret == 0) {
1054  SCLogError(SC_ERR_INITIALIZATION, "No group found in config for nflog");
1055  SCReturnInt(TM_ECODE_FAILED);
1056  }
1057 #endif
1058  }
1059 
1060  SCReturnInt(TM_ECODE_OK);
1061 }
1062 
1063 static void SCInstanceInit(SCInstance *suri, const char *progname)
1064 {
1065  memset(suri, 0x00, sizeof(*suri));
1066 
1067  suri->progname = progname;
1068  suri->run_mode = RUNMODE_UNKNOWN;
1069 
1070  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1071  suri->sig_file = NULL;
1072  suri->sig_file_exclusive = FALSE;
1073  suri->pid_filename = NULL;
1074  suri->regex_arg = NULL;
1075 
1076  suri->keyword_info = NULL;
1077  suri->runmode_custom_mode = NULL;
1078 #ifndef OS_WIN32
1079  suri->user_name = NULL;
1080  suri->group_name = NULL;
1081  suri->do_setuid = FALSE;
1082  suri->do_setgid = FALSE;
1083 #endif /* OS_WIN32 */
1084  suri->userid = 0;
1085  suri->groupid = 0;
1086  suri->delayed_detect = 0;
1087  suri->daemon = 0;
1088  suri->offline = 0;
1089  suri->verbose = 0;
1090  /* use -1 as unknown */
1091  suri->checksum_validation = -1;
1092 #if HAVE_DETECT_DISABLED==1
1093  g_detect_disabled = suri->disabled_detect = 1;
1094 #else
1095  g_detect_disabled = suri->disabled_detect = 0;
1096 #endif
1097 }
1098 
1099 const char *GetDocURL(void)
1100 {
1101  const char *prog_ver = GetProgramVersion();
1102  if (strstr(prog_ver, "RELEASE") != NULL) {
1103  return DOC_URL "suricata-" PROG_VER;
1104  }
1105  return DOC_URL "latest";
1106 }
1107 
1108 /** \brief get string with program version
1109  *
1110  * Get the program version as passed to us from AC_INIT
1111  *
1112  * Add 'RELEASE' is no '-dev' in the version. Add the REVISION if passed
1113  * to us.
1114  *
1115  * Possible outputs:
1116  * release: '5.0.1 RELEASE'
1117  * dev with rev: '5.0.1-dev (64a789bbf 2019-10-18)'
1118  * dev w/o rev: '5.0.1-dev'
1119  */
1120 const char *GetProgramVersion(void)
1121 {
1122  if (strstr(PROG_VER, "-dev") == NULL) {
1123  return PROG_VER " RELEASE";
1124  } else {
1125 #ifdef REVISION
1126  return PROG_VER " (" xstr(REVISION) ")";
1127 #else
1128  return PROG_VER;
1129 #endif
1130  }
1131 }
1132 
1133 static TmEcode PrintVersion(void)
1134 {
1135  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
1136  return TM_ECODE_OK;
1137 }
1138 
1139 static TmEcode LogVersion(SCInstance *suri)
1140 {
1141  const char *mode = suri->system ? "SYSTEM" : "USER";
1142  SCLogNotice("This is %s version %s running in %s mode",
1143  PROG_NAME, GetProgramVersion(), mode);
1144  return TM_ECODE_OK;
1145 }
1146 
1147 static void SCSetStartTime(SCInstance *suri)
1148 {
1149  memset(&suri->start_time, 0, sizeof(suri->start_time));
1150  gettimeofday(&suri->start_time, NULL);
1151 }
1152 
1153 static void SCPrintElapsedTime(struct timeval *start_time)
1154 {
1155  if (start_time == NULL)
1156  return;
1157  struct timeval end_time;
1158  memset(&end_time, 0, sizeof(end_time));
1159  gettimeofday(&end_time, NULL);
1160  uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1161  (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1162  SCLogInfo("time elapsed %.3fs", (float)milliseconds/(float)1000);
1163 }
1164 
1165 static int ParseCommandLineAfpacket(SCInstance *suri, const char *in_arg)
1166 {
1167 #ifdef HAVE_AF_PACKET
1168  if (suri->run_mode == RUNMODE_UNKNOWN) {
1169  suri->run_mode = RUNMODE_AFP_DEV;
1170  if (in_arg) {
1171  LiveRegisterDeviceName(in_arg);
1172  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1173  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1174  }
1175  } else if (suri->run_mode == RUNMODE_AFP_DEV) {
1176  if (in_arg) {
1177  LiveRegisterDeviceName(in_arg);
1178  } else {
1179  SCLogInfo("Multiple af-packet option without interface on each is useless");
1180  }
1181  } else {
1182  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1183  "has been specified");
1184  PrintUsage(suri->progname);
1185  return TM_ECODE_FAILED;
1186  }
1187  return TM_ECODE_OK;
1188 #else
1189  SCLogError(SC_ERR_NO_AF_PACKET,"AF_PACKET not enabled. On Linux "
1190  "host, make sure to pass --enable-af-packet to "
1191  "configure when building.");
1192  return TM_ECODE_FAILED;
1193 #endif
1194 }
1195 
1196 static int ParseCommandLineDpdk(SCInstance *suri, const char *in_arg)
1197 {
1198 #ifdef HAVE_DPDK
1199  if (suri->run_mode == RUNMODE_UNKNOWN) {
1200  suri->run_mode = RUNMODE_DPDK;
1201  } else if (suri->run_mode == RUNMODE_DPDK) {
1202  SCLogInfo("Multiple dpdk options have no effect on Suricata");
1203  } else {
1204  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1205  "has been specified");
1206  PrintUsage(suri->progname);
1207  return TM_ECODE_FAILED;
1208  }
1209  return TM_ECODE_OK;
1210 #else
1211  SCLogError(SC_ERR_NO_DPDK, "DPDK not enabled. On Linux "
1212  "host, make sure to pass --enable-dpdk to "
1213  "configure when building.");
1214  return TM_ECODE_FAILED;
1215 #endif
1216 }
1217 
1218 static int ParseCommandLinePcapLive(SCInstance *suri, const char *in_arg)
1219 {
1220 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1221  /* If running on Windows without Npcap, bail early as live capture is not supported. */
1222  FatalError(SC_ERR_FATAL,
1223  "Live capture not available. To support live capture compile against Npcap.");
1224 #endif
1225  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1226 
1227  if (in_arg != NULL) {
1228  /* some windows shells require escaping of the \ in \Device. Otherwise
1229  * the backslashes are stripped. We put them back here. */
1230  if (strlen(in_arg) > 9 && strncmp(in_arg, "DeviceNPF", 9) == 0) {
1231  snprintf(suri->pcap_dev, sizeof(suri->pcap_dev), "\\Device\\NPF%s", in_arg+9);
1232  } else {
1233  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1234  PcapTranslateIPToDevice(suri->pcap_dev, sizeof(suri->pcap_dev));
1235  }
1236 
1237  if (strcmp(suri->pcap_dev, in_arg) != 0) {
1238  SCLogInfo("translated %s to pcap device %s", in_arg, suri->pcap_dev);
1239  } else if (strlen(suri->pcap_dev) > 0 && isdigit((unsigned char)suri->pcap_dev[0])) {
1240  SCLogError(SC_ERR_PCAP_TRANSLATE, "failed to find a pcap device for IP %s", in_arg);
1241  return TM_ECODE_FAILED;
1242  }
1243  }
1244 
1245  if (suri->run_mode == RUNMODE_UNKNOWN) {
1246  suri->run_mode = RUNMODE_PCAP_DEV;
1247  if (in_arg) {
1248  LiveRegisterDeviceName(suri->pcap_dev);
1249  }
1250  } else if (suri->run_mode == RUNMODE_PCAP_DEV) {
1251  LiveRegisterDeviceName(suri->pcap_dev);
1252  } else {
1253  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1254  "has been specified");
1255  PrintUsage(suri->progname);
1256  return TM_ECODE_FAILED;
1257  }
1258  return TM_ECODE_OK;
1259 }
1260 
1261 /**
1262  * Helper function to check if log directory is writable
1263  */
1264 static bool IsLogDirectoryWritable(const char* str)
1265 {
1266  if (access(str, W_OK) == 0)
1267  return true;
1268  return false;
1269 }
1270 
1271 static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
1272 {
1273  int opt;
1274 
1275  int dump_config = 0;
1276  int dump_features = 0;
1277  int list_app_layer_protocols = 0;
1278  int list_unittests = 0;
1279  int list_runmodes = 0;
1280  int list_keywords = 0;
1281  int build_info = 0;
1282  int conf_test = 0;
1283  int engine_analysis = 0;
1284  int ret = TM_ECODE_OK;
1285 
1286 #ifdef UNITTESTS
1287  coverage_unittests = 0;
1288  g_ut_modules = 0;
1289  g_ut_covered = 0;
1290 #endif
1291 
1292  // clang-format off
1293  struct option long_opts[] = {
1294  {"dump-config", 0, &dump_config, 1},
1295  {"dump-features", 0, &dump_features, 1},
1296  {"pfring", optional_argument, 0, 0},
1297  {"pfring-int", required_argument, 0, 0},
1298  {"pfring-cluster-id", required_argument, 0, 0},
1299  {"pfring-cluster-type", required_argument, 0, 0},
1300 #ifdef HAVE_DPDK
1301  {"dpdk", 0, 0, 0},
1302 #endif
1303  {"af-packet", optional_argument, 0, 0},
1304  {"netmap", optional_argument, 0, 0},
1305  {"pcap", optional_argument, 0, 0},
1306  {"pcap-file-continuous", 0, 0, 0},
1307  {"pcap-file-delete", 0, 0, 0},
1308  {"pcap-file-recursive", 0, 0, 0},
1309  {"simulate-ips", 0, 0 , 0},
1310  {"no-random", 0, &g_disable_randomness, 1},
1311  {"strict-rule-keywords", optional_argument, 0, 0},
1312 
1313  {"capture-plugin", required_argument, 0, 0},
1314  {"capture-plugin-args", required_argument, 0, 0},
1315 
1316 #ifdef BUILD_UNIX_SOCKET
1317  {"unix-socket", optional_argument, 0, 0},
1318 #endif
1319  {"pcap-buffer-size", required_argument, 0, 0},
1320  {"unittest-filter", required_argument, 0, 'U'},
1321  {"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1322  {"list-unittests", 0, &list_unittests, 1},
1323  {"list-runmodes", 0, &list_runmodes, 1},
1324  {"list-keywords", optional_argument, &list_keywords, 1},
1325  {"runmode", required_argument, NULL, 0},
1326  {"engine-analysis", 0, &engine_analysis, 1},
1327 #ifdef OS_WIN32
1328  {"service-install", 0, 0, 0},
1329  {"service-remove", 0, 0, 0},
1330  {"service-change-params", 0, 0, 0},
1331 #endif /* OS_WIN32 */
1332  {"pidfile", required_argument, 0, 0},
1333  {"init-errors-fatal", 0, 0, 0},
1334  {"disable-detection", 0, 0, 0},
1335  {"disable-hashing", 0, 0, 0},
1336  {"fatal-unittests", 0, 0, 0},
1337  {"unittests-coverage", 0, &coverage_unittests, 1},
1338  {"user", required_argument, 0, 0},
1339  {"group", required_argument, 0, 0},
1340  {"erf-in", required_argument, 0, 0},
1341  {"dag", required_argument, 0, 0},
1342  {"napatech", 0, 0, 0},
1343  {"build-info", 0, &build_info, 1},
1344  {"data-dir", required_argument, 0, 0},
1345 #ifdef WINDIVERT
1346  {"windivert", required_argument, 0, 0},
1347  {"windivert-forward", required_argument, 0, 0},
1348 #endif
1349 #ifdef HAVE_LIBNET11
1350  {"reject-dev", required_argument, 0, 0},
1351 #endif
1352  {"set", required_argument, 0, 0},
1353 #ifdef HAVE_NFLOG
1354  {"nflog", optional_argument, 0, 0},
1355 #endif
1356  {"simulate-packet-flow-memcap", required_argument, 0, 0},
1357  {"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1358  {"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1359  {"simulate-packet-loss", required_argument, 0, 0},
1360  {"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1361  {"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1362  {"simulate-packet-defrag-memcap", required_argument, 0, 0},
1363 
1364  {NULL, 0, NULL, 0}
1365  };
1366  // clang-format on
1367 
1368  /* getopt_long stores the option index here. */
1369  int option_index = 0;
1370 
1371  char short_opts[] = "c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1372 
1373  while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1374  switch (opt) {
1375  case 0:
1376  if (strcmp((long_opts[option_index]).name , "pfring") == 0 ||
1377  strcmp((long_opts[option_index]).name , "pfring-int") == 0) {
1378 #ifdef HAVE_PFRING
1379  suri->run_mode = RUNMODE_PFRING;
1380  if (optarg != NULL) {
1381  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1382  strlcpy(suri->pcap_dev, optarg,
1383  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1384  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1385  LiveRegisterDeviceName(optarg);
1386  }
1387 #else
1388  SCLogError(SC_ERR_NO_PF_RING,"PF_RING not enabled. Make sure "
1389  "to pass --enable-pfring to configure when building.");
1390  return TM_ECODE_FAILED;
1391 #endif /* HAVE_PFRING */
1392  }
1393  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-id") == 0){
1394 #ifdef HAVE_PFRING
1395  if (ConfSetFinal("pfring.cluster-id", optarg) != 1) {
1396  fprintf(stderr, "ERROR: Failed to set pfring.cluster-id.\n");
1397  return TM_ECODE_FAILED;
1398  }
1399 #else
1400  SCLogError(SC_ERR_NO_PF_RING,"PF_RING not enabled. Make sure "
1401  "to pass --enable-pfring to configure when building.");
1402  return TM_ECODE_FAILED;
1403 #endif /* HAVE_PFRING */
1404  }
1405  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-type") == 0){
1406 #ifdef HAVE_PFRING
1407  if (ConfSetFinal("pfring.cluster-type", optarg) != 1) {
1408  fprintf(stderr, "ERROR: Failed to set pfring.cluster-type.\n");
1409  return TM_ECODE_FAILED;
1410  }
1411 #else
1412  SCLogError(SC_ERR_NO_PF_RING,"PF_RING not enabled. Make sure "
1413  "to pass --enable-pfring to configure when building.");
1414  return TM_ECODE_FAILED;
1415 #endif /* HAVE_PFRING */
1416  }
1417  else if (strcmp((long_opts[option_index]).name , "capture-plugin") == 0){
1418  suri->run_mode = RUNMODE_PLUGIN;
1419  suri->capture_plugin_name = optarg;
1420  }
1421  else if (strcmp((long_opts[option_index]).name , "capture-plugin-args") == 0){
1422  suri->capture_plugin_args = optarg;
1423  } else if (strcmp((long_opts[option_index]).name, "dpdk") == 0) {
1424  if (ParseCommandLineDpdk(suri, optarg) != TM_ECODE_OK) {
1425  return TM_ECODE_FAILED;
1426  }
1427  } else if (strcmp((long_opts[option_index]).name, "af-packet") == 0) {
1428  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1429  return TM_ECODE_FAILED;
1430  }
1431  } else if (strcmp((long_opts[option_index]).name, "netmap") == 0) {
1432 #ifdef HAVE_NETMAP
1433  if (suri->run_mode == RUNMODE_UNKNOWN) {
1434  suri->run_mode = RUNMODE_NETMAP;
1435  if (optarg) {
1436  LiveRegisterDeviceName(optarg);
1437  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1438  strlcpy(suri->pcap_dev, optarg,
1439  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1440  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1441  }
1442  } else if (suri->run_mode == RUNMODE_NETMAP) {
1443  if (optarg) {
1444  LiveRegisterDeviceName(optarg);
1445  } else {
1446  SCLogInfo("Multiple netmap option without interface on each is useless");
1447  break;
1448  }
1449  } else {
1450  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1451  "has been specified");
1452  PrintUsage(argv[0]);
1453  return TM_ECODE_FAILED;
1454  }
1455 #else
1456  SCLogError(SC_ERR_NO_NETMAP, "NETMAP not enabled.");
1457  return TM_ECODE_FAILED;
1458 #endif
1459  } else if (strcmp((long_opts[option_index]).name, "nflog") == 0) {
1460 #ifdef HAVE_NFLOG
1461  if (suri->run_mode == RUNMODE_UNKNOWN) {
1462  suri->run_mode = RUNMODE_NFLOG;
1463  LiveBuildDeviceListCustom("nflog", "group");
1464  }
1465 #else
1466  SCLogError(SC_ERR_NFLOG_NOSUPPORT, "NFLOG not enabled.");
1467  return TM_ECODE_FAILED;
1468 #endif /* HAVE_NFLOG */
1469  } else if (strcmp((long_opts[option_index]).name, "pcap") == 0) {
1470  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1471  return TM_ECODE_FAILED;
1472  }
1473  } else if (strcmp((long_opts[option_index]).name, "simulate-ips") == 0) {
1474  SCLogInfo("Setting IPS mode");
1475  EngineModeSetIPS();
1476  } else if (strcmp((long_opts[option_index]).name, "init-errors-fatal") == 0) {
1477  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1478  fprintf(stderr, "ERROR: Failed to set engine init-failure-fatal.\n");
1479  return TM_ECODE_FAILED;
1480  }
1481 #ifdef BUILD_UNIX_SOCKET
1482  } else if (strcmp((long_opts[option_index]).name , "unix-socket") == 0) {
1483  if (suri->run_mode == RUNMODE_UNKNOWN) {
1484  suri->run_mode = RUNMODE_UNIX_SOCKET;
1485  if (optarg) {
1486  if (ConfSetFinal("unix-command.filename", optarg) != 1) {
1487  fprintf(stderr, "ERROR: Failed to set unix-command.filename.\n");
1488  return TM_ECODE_FAILED;
1489  }
1490 
1491  }
1492  } else {
1493  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1494  "has been specified");
1495  PrintUsage(argv[0]);
1496  return TM_ECODE_FAILED;
1497  }
1498 #endif
1499  }
1500  else if(strcmp((long_opts[option_index]).name, "list-app-layer-protocols") == 0) {
1501  /* listing all supported app layer protocols */
1502  }
1503  else if(strcmp((long_opts[option_index]).name, "list-unittests") == 0) {
1504 #ifdef UNITTESTS
1505  suri->run_mode = RUNMODE_LIST_UNITTEST;
1506 #else
1507  fprintf(stderr, "ERROR: Unit tests not enabled. Make sure to pass --enable-unittests to configure when building.\n");
1508  return TM_ECODE_FAILED;
1509 #endif /* UNITTESTS */
1510  } else if (strcmp((long_opts[option_index]).name, "list-runmodes") == 0) {
1511  suri->run_mode = RUNMODE_LIST_RUNMODES;
1512  return TM_ECODE_OK;
1513  } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
1514  if (optarg) {
1515  if (strcmp("short",optarg)) {
1516  suri->keyword_info = optarg;
1517  }
1518  }
1519  } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
1520  suri->runmode_custom_mode = optarg;
1521  } else if(strcmp((long_opts[option_index]).name, "engine-analysis") == 0) {
1522  // do nothing for now
1523  }
1524 #ifdef OS_WIN32
1525  else if(strcmp((long_opts[option_index]).name, "service-install") == 0) {
1526  suri->run_mode = RUNMODE_INSTALL_SERVICE;
1527  return TM_ECODE_OK;
1528  }
1529  else if(strcmp((long_opts[option_index]).name, "service-remove") == 0) {
1530  suri->run_mode = RUNMODE_REMOVE_SERVICE;
1531  return TM_ECODE_OK;
1532  }
1533  else if(strcmp((long_opts[option_index]).name, "service-change-params") == 0) {
1534  suri->run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1535  return TM_ECODE_OK;
1536  }
1537 #endif /* OS_WIN32 */
1538  else if(strcmp((long_opts[option_index]).name, "pidfile") == 0) {
1539  suri->pid_filename = SCStrdup(optarg);
1540  if (suri->pid_filename == NULL) {
1541  SCLogError(SC_ERR_MEM_ALLOC, "strdup failed: %s",
1542  strerror(errno));
1543  return TM_ECODE_FAILED;
1544  }
1545  }
1546  else if(strcmp((long_opts[option_index]).name, "disable-detection") == 0) {
1547  g_detect_disabled = suri->disabled_detect = 1;
1548  } else if (strcmp((long_opts[option_index]).name, "disable-hashing") == 0) {
1549  g_disable_hashing = true;
1550  } else if (strcmp((long_opts[option_index]).name, "fatal-unittests") == 0) {
1551 #ifdef UNITTESTS
1552  unittests_fatal = 1;
1553 #else
1554  fprintf(stderr, "ERROR: Unit tests not enabled. Make sure to pass --enable-unittests to configure when building.\n");
1555  return TM_ECODE_FAILED;
1556 #endif /* UNITTESTS */
1557  } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
1558 #ifndef HAVE_LIBCAP_NG
1559  SCLogError(SC_ERR_LIBCAP_NG_REQUIRED, "libcap-ng is required to"
1560  " drop privileges, but it was not compiled into Suricata.");
1561  return TM_ECODE_FAILED;
1562 #else
1563  suri->user_name = optarg;
1564  suri->do_setuid = TRUE;
1565 #endif /* HAVE_LIBCAP_NG */
1566  } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
1567 #ifndef HAVE_LIBCAP_NG
1568  SCLogError(SC_ERR_LIBCAP_NG_REQUIRED, "libcap-ng is required to"
1569  " drop privileges, but it was not compiled into Suricata.");
1570  return TM_ECODE_FAILED;
1571 #else
1572  suri->group_name = optarg;
1573  suri->do_setgid = TRUE;
1574 #endif /* HAVE_LIBCAP_NG */
1575  } else if (strcmp((long_opts[option_index]).name, "erf-in") == 0) {
1576  suri->run_mode = RUNMODE_ERF_FILE;
1577  if (ConfSetFinal("erf-file.file", optarg) != 1) {
1578  fprintf(stderr, "ERROR: Failed to set erf-file.file\n");
1579  return TM_ECODE_FAILED;
1580  }
1581  } else if (strcmp((long_opts[option_index]).name, "dag") == 0) {
1582 #ifdef HAVE_DAG
1583  if (suri->run_mode == RUNMODE_UNKNOWN) {
1584  suri->run_mode = RUNMODE_DAG;
1585  }
1586  else if (suri->run_mode != RUNMODE_DAG) {
1587  SCLogError(SC_ERR_MULTIPLE_RUN_MODE,
1588  "more than one run mode has been specified");
1589  PrintUsage(argv[0]);
1590  return TM_ECODE_FAILED;
1591  }
1592  LiveRegisterDeviceName(optarg);
1593 #else
1594  SCLogError(SC_ERR_DAG_REQUIRED, "libdag and a DAG card are required"
1595  " to receive packets using --dag.");
1596  return TM_ECODE_FAILED;
1597 #endif /* HAVE_DAG */
1598  } else if (strcmp((long_opts[option_index]).name, "napatech") == 0) {
1599 #ifdef HAVE_NAPATECH
1600  suri->run_mode = RUNMODE_NAPATECH;
1601 #else
1602  SCLogError(SC_ERR_NAPATECH_REQUIRED, "libntapi and a Napatech adapter are required"
1603  " to capture packets using --napatech.");
1604  return TM_ECODE_FAILED;
1605 #endif /* HAVE_NAPATECH */
1606  } else if (strcmp((long_opts[option_index]).name, "pcap-buffer-size") == 0) {
1607 #ifdef HAVE_PCAP_SET_BUFF
1608  if (ConfSetFinal("pcap.buffer-size", optarg) != 1) {
1609  fprintf(stderr, "ERROR: Failed to set pcap-buffer-size.\n");
1610  return TM_ECODE_FAILED;
1611  }
1612 #else
1613  SCLogError(SC_ERR_NO_PCAP_SET_BUFFER_SIZE, "The version of libpcap you have"
1614  " doesn't support setting buffer size.");
1615 #endif /* HAVE_PCAP_SET_BUFF */
1616  } else if (strcmp((long_opts[option_index]).name, "build-info") == 0) {
1617  suri->run_mode = RUNMODE_PRINT_BUILDINFO;
1618  return TM_ECODE_OK;
1619  } else if (strcmp((long_opts[option_index]).name, "windivert-forward") == 0) {
1620 #ifdef WINDIVERT
1621  if (suri->run_mode == RUNMODE_UNKNOWN) {
1622  suri->run_mode = RUNMODE_WINDIVERT;
1623  if (WinDivertRegisterQueue(true, optarg) == -1) {
1624  exit(EXIT_FAILURE);
1625  }
1626  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1627  if (WinDivertRegisterQueue(true, optarg) == -1) {
1628  exit(EXIT_FAILURE);
1629  }
1630  } else {
1631  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1632  "has been specified");
1633  PrintUsage(argv[0]);
1634  exit(EXIT_FAILURE);
1635  }
1636  }
1637  else if(strcmp((long_opts[option_index]).name, "windivert") == 0) {
1638  if (suri->run_mode == RUNMODE_UNKNOWN) {
1639  suri->run_mode = RUNMODE_WINDIVERT;
1640  if (WinDivertRegisterQueue(false, optarg) == -1) {
1641  exit(EXIT_FAILURE);
1642  }
1643  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1644  if (WinDivertRegisterQueue(false, optarg) == -1) {
1645  exit(EXIT_FAILURE);
1646  }
1647  } else {
1648  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1649  "has been specified");
1650  PrintUsage(argv[0]);
1651  exit(EXIT_FAILURE);
1652  }
1653 #else
1654  SCLogError(SC_ERR_WINDIVERT_NOSUPPORT,"WinDivert not enabled. Make sure to pass --enable-windivert to configure when building.");
1655  return TM_ECODE_FAILED;
1656 #endif /* WINDIVERT */
1657  } else if(strcmp((long_opts[option_index]).name, "reject-dev") == 0) {
1658 #ifdef HAVE_LIBNET11
1659  BUG_ON(optarg == NULL); /* for static analysis */
1660  extern char *g_reject_dev;
1661  extern uint16_t g_reject_dev_mtu;
1662  g_reject_dev = optarg;
1663  int mtu = GetIfaceMTU(g_reject_dev);
1664  if (mtu > 0) {
1665  g_reject_dev_mtu = (uint16_t)mtu;
1666  }
1667 #else
1668  SCLogError(SC_ERR_LIBNET_NOT_ENABLED,
1669  "Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1670  return TM_ECODE_FAILED;
1671 #endif
1672  }
1673  else if (strcmp((long_opts[option_index]).name, "set") == 0) {
1674  if (optarg != NULL) {
1675  /* Quick validation. */
1676  char *val = strchr(optarg, '=');
1677  if (val == NULL) {
1678  FatalError(SC_ERR_FATAL,
1679  "Invalid argument for --set, must be key=val.");
1680  }
1681  if (!ConfSetFromString(optarg, 1)) {
1682  fprintf(stderr, "Failed to set configuration value %s.",
1683  optarg);
1684  exit(EXIT_FAILURE);
1685  }
1686  }
1687  }
1688  else if (strcmp((long_opts[option_index]).name, "pcap-file-continuous") == 0) {
1689  if (ConfSetFinal("pcap-file.continuous", "true") != 1) {
1690  SCLogError(SC_ERR_CMD_LINE, "Failed to set pcap-file.continuous");
1691  return TM_ECODE_FAILED;
1692  }
1693  }
1694  else if (strcmp((long_opts[option_index]).name, "pcap-file-delete") == 0) {
1695  if (ConfSetFinal("pcap-file.delete-when-done", "true") != 1) {
1696  SCLogError(SC_ERR_CMD_LINE, "Failed to set pcap-file.delete-when-done");
1697  return TM_ECODE_FAILED;
1698  }
1699  }
1700  else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
1701  if (ConfSetFinal("pcap-file.recursive", "true") != 1) {
1702  SCLogError(SC_ERR_CMD_LINE, "ERROR: Failed to set pcap-file.recursive");
1703  return TM_ECODE_FAILED;
1704  }
1705  }
1706  else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
1707  if (optarg == NULL) {
1708  SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -d");
1709  return TM_ECODE_FAILED;
1710  }
1711 
1712  if (ConfigSetDataDirectory(optarg) != TM_ECODE_OK) {
1713  SCLogError(SC_ERR_FATAL, "Failed to set data directory.");
1714  return TM_ECODE_FAILED;
1715  }
1716  if (ConfigCheckDataDirectory(optarg) != TM_ECODE_OK) {
1717  SCLogError(SC_ERR_LOGDIR_CMDLINE, "The data directory \"%s\""
1718  " supplied at the commandline (-d %s) doesn't "
1719  "exist. Shutting down the engine.", optarg, optarg);
1720  return TM_ECODE_FAILED;
1721  }
1722  suri->set_datadir = true;
1723  } else if (strcmp((long_opts[option_index]).name , "strict-rule-keywords") == 0){
1724  if (optarg == NULL) {
1725  suri->strict_rule_parsing_string = SCStrdup("all");
1726  } else {
1727  suri->strict_rule_parsing_string = SCStrdup(optarg);
1728  }
1729  if (suri->strict_rule_parsing_string == NULL) {
1730  FatalError(SC_ERR_MEM_ALLOC, "failed to duplicate 'strict' string");
1731  }
1732  } else {
1733  int r = ExceptionSimulationCommandlineParser(
1734  (long_opts[option_index]).name, optarg);
1735  if (r < 0)
1736  return TM_ECODE_FAILED;
1737  }
1738  break;
1739  case 'c':
1740  suri->conf_filename = optarg;
1741  break;
1742  case 'T':
1743  SCLogInfo("Running suricata under test mode");
1744  conf_test = 1;
1745  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1746  fprintf(stderr, "ERROR: Failed to set engine init-failure-fatal.\n");
1747  return TM_ECODE_FAILED;
1748  }
1749  break;
1750 #ifndef OS_WIN32
1751  case 'D':
1752  suri->daemon = 1;
1753  break;
1754 #endif /* OS_WIN32 */
1755  case 'h':
1756  suri->run_mode = RUNMODE_PRINT_USAGE;
1757  return TM_ECODE_OK;
1758  case 'i':
1759  if (optarg == NULL) {
1760  SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -i");
1761  return TM_ECODE_FAILED;
1762  }
1763 #ifdef HAVE_AF_PACKET
1764  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1765  return TM_ECODE_FAILED;
1766  }
1767 #else /* not afpacket */
1768  /* warn user if netmap or pf-ring are available */
1769 #if defined HAVE_PFRING || HAVE_NETMAP
1770  int i = 0;
1771 #ifdef HAVE_PFRING
1772  i++;
1773 #endif
1774 #ifdef HAVE_NETMAP
1775  i++;
1776 #endif
1777  SCLogWarning(SC_WARN_FASTER_CAPTURE_AVAILABLE, "faster capture "
1778  "option%s %s available:"
1779 #ifdef HAVE_PFRING
1780  " PF_RING (--pfring-int=%s)"
1781 #endif
1782 #ifdef HAVE_NETMAP
1783  " NETMAP (--netmap=%s)"
1784 #endif
1785  ". Use --pcap=%s to suppress this warning",
1786  i == 1 ? "" : "s", i == 1 ? "is" : "are"
1787 #ifdef HAVE_PFRING
1788  , optarg
1789 #endif
1790 #ifdef HAVE_NETMAP
1791  , optarg
1792 #endif
1793  , optarg
1794  );
1795 #endif /* have faster methods */
1796  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1797  return TM_ECODE_FAILED;
1798  }
1799 #endif
1800  break;
1801  case 'l':
1802  if (optarg == NULL) {
1803  SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -l");
1804  return TM_ECODE_FAILED;
1805  }
1806 
1807  if (ConfigSetLogDirectory(optarg) != TM_ECODE_OK) {
1808  SCLogError(SC_ERR_FATAL, "Failed to set log directory.");
1809  return TM_ECODE_FAILED;
1810  }
1811  if (ConfigCheckLogDirectoryExists(optarg) != TM_ECODE_OK) {
1812  SCLogError(SC_ERR_LOGDIR_CMDLINE, "The logging directory \"%s\""
1813  " supplied at the commandline (-l %s) doesn't "
1814  "exist. Shutting down the engine.", optarg, optarg);
1815  return TM_ECODE_FAILED;
1816  }
1817  if (!IsLogDirectoryWritable(optarg)) {
1818  SCLogError(SC_ERR_LOGDIR_CMDLINE, "The logging directory \"%s\""
1819  " supplied at the commandline (-l %s) is not "
1820  "writable. Shutting down the engine.", optarg, optarg);
1821  return TM_ECODE_FAILED;
1822  }
1823  suri->set_logdir = true;
1824 
1825  break;
1826  case 'q':
1827 #ifdef NFQ
1828  if (suri->run_mode == RUNMODE_UNKNOWN) {
1829  suri->run_mode = RUNMODE_NFQ;
1830  EngineModeSetIPS();
1831  if (NFQParseAndRegisterQueues(optarg) == -1)
1832  return TM_ECODE_FAILED;
1833  } else if (suri->run_mode == RUNMODE_NFQ) {
1834  if (NFQParseAndRegisterQueues(optarg) == -1)
1835  return TM_ECODE_FAILED;
1836  } else {
1837  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1838  "has been specified");
1839  PrintUsage(argv[0]);
1840  return TM_ECODE_FAILED;
1841  }
1842 #else
1843  SCLogError(SC_ERR_NFQ_NOSUPPORT,"NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when building.");
1844  return TM_ECODE_FAILED;
1845 #endif /* NFQ */
1846  break;
1847  case 'd':
1848 #ifdef IPFW
1849  if (suri->run_mode == RUNMODE_UNKNOWN) {
1850  suri->run_mode = RUNMODE_IPFW;
1851  EngineModeSetIPS();
1852  if (IPFWRegisterQueue(optarg) == -1)
1853  return TM_ECODE_FAILED;
1854  } else if (suri->run_mode == RUNMODE_IPFW) {
1855  if (IPFWRegisterQueue(optarg) == -1)
1856  return TM_ECODE_FAILED;
1857  } else {
1858  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1859  "has been specified");
1860  PrintUsage(argv[0]);
1861  return TM_ECODE_FAILED;
1862  }
1863 #else
1864  SCLogError(SC_ERR_IPFW_NOSUPPORT,"IPFW not enabled. Make sure to pass --enable-ipfw to configure when building.");
1865  return TM_ECODE_FAILED;
1866 #endif /* IPFW */
1867  break;
1868  case 'r':
1869  BUG_ON(optarg == NULL); /* for static analysis */
1870  if (suri->run_mode == RUNMODE_UNKNOWN) {
1871  suri->run_mode = RUNMODE_PCAP_FILE;
1872  } else {
1873  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode "
1874  "has been specified");
1875  PrintUsage(argv[0]);
1876  return TM_ECODE_FAILED;
1877  }
1878 #ifdef OS_WIN32
1879  struct _stat buf;
1880  if(_stat(optarg, &buf) != 0) {
1881 #else
1882  struct stat buf;
1883  if (stat(optarg, &buf) != 0) {
1884 #endif /* OS_WIN32 */
1885  SCLogError(SC_ERR_INITIALIZATION, "ERROR: Pcap file does not exist\n");
1886  return TM_ECODE_FAILED;
1887  }
1888  if (ConfSetFinal("pcap-file.file", optarg) != 1) {
1889  SCLogError(SC_ERR_INITIALIZATION, "ERROR: Failed to set pcap-file.file\n");
1890  return TM_ECODE_FAILED;
1891  }
1892 
1893  break;
1894  case 's':
1895  if (suri->sig_file != NULL) {
1896  SCLogError(SC_ERR_CMD_LINE, "can't have multiple -s options or mix -s and -S.");
1897  return TM_ECODE_FAILED;
1898  }
1899  suri->sig_file = optarg;
1900  break;
1901  case 'S':
1902  if (suri->sig_file != NULL) {
1903  SCLogError(SC_ERR_CMD_LINE, "can't have multiple -S options or mix -s and -S.");
1904  return TM_ECODE_FAILED;
1905  }
1906  suri->sig_file = optarg;
1907  suri->sig_file_exclusive = TRUE;
1908  break;
1909  case 'u':
1910 #ifdef UNITTESTS
1911  if (suri->run_mode == RUNMODE_UNKNOWN) {
1912  suri->run_mode = RUNMODE_UNITTEST;
1913  } else {
1914  SCLogError(SC_ERR_MULTIPLE_RUN_MODE, "more than one run mode has"
1915  " been specified");
1916  PrintUsage(argv[0]);
1917  return TM_ECODE_FAILED;
1918  }
1919 #else
1920  fprintf(stderr, "ERROR: Unit tests not enabled. Make sure to pass --enable-unittests to configure when building.\n");
1921  return TM_ECODE_FAILED;
1922 #endif /* UNITTESTS */
1923  break;
1924  case 'U':
1925 #ifdef UNITTESTS
1926  suri->regex_arg = optarg;
1927 
1928  if(strlen(suri->regex_arg) == 0)
1929  suri->regex_arg = NULL;
1930 #endif
1931  break;
1932  case 'V':
1933  suri->run_mode = RUNMODE_PRINT_VERSION;
1934  return TM_ECODE_OK;
1935  case 'F':
1936  if (optarg == NULL) {
1937  SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -F");
1938  return TM_ECODE_FAILED;
1939  }
1940 
1941  SetBpfStringFromFile(optarg);
1942  break;
1943  case 'v':
1944  suri->verbose++;
1945  break;
1946  case 'k':
1947  if (optarg == NULL) {
1948  SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -k");
1949  return TM_ECODE_FAILED;
1950  }
1951  if (!strcmp("all", optarg))
1952  suri->checksum_validation = 1;
1953  else if (!strcmp("none", optarg))
1954  suri->checksum_validation = 0;
1955  else {
1956  SCLogError(SC_ERR_INITIALIZATION, "option '%s' invalid for -k", optarg);
1957  return TM_ECODE_FAILED;
1958  }
1959  break;
1960  default:
1961  PrintUsage(argv[0]);
1962  return TM_ECODE_FAILED;
1963  }
1964  }
1965 
1966  if (suri->disabled_detect && suri->sig_file != NULL) {
1967  SCLogError(SC_ERR_INITIALIZATION, "can't use -s/-S when detection is disabled");
1968  return TM_ECODE_FAILED;
1969  }
1970 
1971  /* save the runmode from the commandline (if any) */
1972  suri->aux_run_mode = suri->run_mode;
1973 
1974  if (list_app_layer_protocols)
1975  suri->run_mode = RUNMODE_LIST_APP_LAYERS;
1976  if (list_keywords)
1977  suri->run_mode = RUNMODE_LIST_KEYWORDS;
1978  if (list_unittests)
1979  suri->run_mode = RUNMODE_LIST_UNITTEST;
1980  if (dump_config)
1981  suri->run_mode = RUNMODE_DUMP_CONFIG;
1982  if (dump_features)
1983  suri->run_mode = RUNMODE_DUMP_FEATURES;
1984  if (conf_test)
1985  suri->run_mode = RUNMODE_CONF_TEST;
1986  if (engine_analysis)
1987  suri->run_mode = RUNMODE_ENGINE_ANALYSIS;
1988 
1989  suri->offline = IsRunModeOffline(suri->run_mode);
1990  g_system = suri->system = IsRunModeSystem(suri->run_mode);
1991 
1992  ret = SetBpfString(optind, argv);
1993  if (ret != TM_ECODE_OK)
1994  return ret;
1995 
1996  return TM_ECODE_OK;
1997 }
1998 
1999 #ifdef OS_WIN32
2000 static int WindowsInitService(int argc, char **argv)
2001 {
2002  if (SCRunningAsService()) {
2003  char path[MAX_PATH];
2004  char *p = NULL;
2005  strlcpy(path, argv[0], MAX_PATH);
2006  if ((p = strrchr(path, '\\'))) {
2007  *p = '\0';
2008  }
2009  if (!SetCurrentDirectory(path)) {
2010  SCLogError(SC_ERR_FATAL, "Can't set current directory to: %s", path);
2011  return -1;
2012  }
2013  SCLogInfo("Current directory is set to: %s", path);
2014  SCServiceInit(argc, argv);
2015  }
2016 
2017  /* Windows socket subsystem initialization */
2018  WSADATA wsaData;
2019  if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2020  SCLogError(SC_ERR_FATAL, "Can't initialize Windows sockets: %d", WSAGetLastError());
2021  return -1;
2022  }
2023 
2024  return 0;
2025 }
2026 #endif /* OS_WIN32 */
2027 
2028 static int MayDaemonize(SCInstance *suri)
2029 {
2030  if (suri->daemon == 1 && suri->pid_filename == NULL) {
2031  const char *pid_filename;
2032 
2033  if (ConfGet("pid-file", &pid_filename) == 1) {
2034  SCLogInfo("Use pid file %s from config file.", pid_filename);
2035  } else {
2036  pid_filename = DEFAULT_PID_FILENAME;
2037  }
2038  /* The pid file name may be in config memory, but is needed later. */
2039  suri->pid_filename = SCStrdup(pid_filename);
2040  if (suri->pid_filename == NULL) {
2041  SCLogError(SC_ERR_MEM_ALLOC, "strdup failed: %s", strerror(errno));
2042  return TM_ECODE_FAILED;
2043  }
2044  }
2045 
2046  if (suri->pid_filename != NULL && SCPidfileTestRunning(suri->pid_filename) != 0) {
2047  SCFree(suri->pid_filename);
2048  suri->pid_filename = NULL;
2049  return TM_ECODE_FAILED;
2050  }
2051 
2052  if (suri->daemon == 1) {
2053  Daemonize();
2054  }
2055 
2056  if (suri->pid_filename != NULL) {
2057  if (SCPidfileCreate(suri->pid_filename) != 0) {
2058  SCFree(suri->pid_filename);
2059  suri->pid_filename = NULL;
2060  SCLogError(SC_ERR_PIDFILE_DAEMON,
2061  "Unable to create PID file, concurrent run of"
2062  " Suricata can occur.");
2063  SCLogError(SC_ERR_PIDFILE_DAEMON,
2064  "PID file creation WILL be mandatory for daemon mode"
2065  " in future version");
2066  }
2067  }
2068 
2069  return TM_ECODE_OK;
2070 }
2071 
2072 /* Initialize the user and group Suricata is to run as. */
2073 static int InitRunAs(SCInstance *suri)
2074 {
2075 #ifndef OS_WIN32
2076  /* Try to get user/group to run suricata as if
2077  command line as not decide of that */
2078  if (suri->do_setuid == FALSE && suri->do_setgid == FALSE) {
2079  const char *id;
2080  if (ConfGet("run-as.user", &id) == 1) {
2081  suri->do_setuid = TRUE;
2082  suri->user_name = id;
2083  }
2084  if (ConfGet("run-as.group", &id) == 1) {
2085  suri->do_setgid = TRUE;
2086  suri->group_name = id;
2087  }
2088  }
2089  /* Get the suricata user ID to given user ID */
2090  if (suri->do_setuid == TRUE) {
2091  if (SCGetUserID(suri->user_name, suri->group_name,
2092  &suri->userid, &suri->groupid) != 0) {
2093  SCLogError(SC_ERR_UID_FAILED, "failed in getting user ID");
2094  return TM_ECODE_FAILED;
2095  }
2096 
2097  sc_set_caps = TRUE;
2098  /* Get the suricata group ID to given group ID */
2099  } else if (suri->do_setgid == TRUE) {
2100  if (SCGetGroupID(suri->group_name, &suri->groupid) != 0) {
2101  SCLogError(SC_ERR_GID_FAILED, "failed in getting group ID");
2102  return TM_ECODE_FAILED;
2103  }
2104 
2105  sc_set_caps = TRUE;
2106  }
2107 #endif
2108  return TM_ECODE_OK;
2109 }
2110 
2111 static int InitSignalHandler(SCInstance *suri)
2112 {
2113  /* registering signals we use */
2114 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2115  UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint);
2116  UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm);
2117 #if HAVE_LIBUNWIND
2118  int enabled;
2119  if (ConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) {
2120  enabled = 1;
2121  }
2122 
2123  if (enabled) {
2124  SCLogInfo("Preparing unexpected signal handling");
2125  struct sigaction stacktrace_action;
2126  memset(&stacktrace_action, 0, sizeof(stacktrace_action));
2127  stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2128  stacktrace_action.sa_flags = SA_SIGINFO;
2129  sigaction(SIGSEGV, &stacktrace_action, NULL);
2130  sigaction(SIGABRT, &stacktrace_action, NULL);
2131  }
2132 #endif /* HAVE_LIBUNWIND */
2133 #endif
2134 #ifndef OS_WIN32
2135  UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup);
2136  UtilSignalHandlerSetup(SIGPIPE, SIG_IGN);
2137  UtilSignalHandlerSetup(SIGSYS, SIG_IGN);
2138 #endif /* OS_WIN32 */
2139 
2140  return TM_ECODE_OK;
2141 }
2142 
2143 /* initialization code for both the main modes and for
2144  * unix socket mode.
2145  *
2146  * Will be run once per pcap in unix-socket mode */
2147 void PreRunInit(const int runmode)
2148 {
2149  HttpRangeContainersInit();
2150  if (runmode == RUNMODE_UNIX_SOCKET)
2151  return;
2152 
2153  StatsInit();
2154 #ifdef PROFILING
2155  SCProfilingRulesGlobalInit();
2156  SCProfilingKeywordsGlobalInit();
2157  SCProfilingPrefilterGlobalInit();
2158  SCProfilingSghsGlobalInit();
2159  SCProfilingInit();
2160 #endif /* PROFILING */
2161  DefragInit();
2162  FlowInitConfig(FLOW_QUIET);
2163  IPPairInitConfig(FLOW_QUIET);
2164  StreamTcpInitConfig(STREAM_VERBOSE);
2165  AppLayerParserPostStreamSetup();
2166  AppLayerRegisterGlobalCounters();
2167  OutputFilestoreRegisterGlobalCounters();
2168 }
2169 
2170 /* tasks we need to run before packets start flowing,
2171  * but after we dropped privs */
2172 void PreRunPostPrivsDropInit(const int runmode)
2173 {
2174  StatsSetupPostConfigPreOutput();
2175  RunModeInitializeOutputs();
2176  DatasetsInit();
2177 
2178  if (runmode == RUNMODE_UNIX_SOCKET) {
2179  /* As the above did some necessary startup initialization, it
2180  * also setup some outputs where only one is allowed, so
2181  * deinitialize to the state that unix-mode does after every
2182  * pcap. */
2183  PostRunDeinit(RUNMODE_PCAP_FILE, NULL);
2184  return;
2185  }
2186 
2187  StatsSetupPostConfigPostOutput();
2188 }
2189 
2190 /* clean up / shutdown code for both the main modes and for
2191  * unix socket mode.
2192  *
2193  * Will be run once per pcap in unix-socket mode */
2194 void PostRunDeinit(const int runmode, struct timeval *start_time)
2195 {
2196  if (runmode == RUNMODE_UNIX_SOCKET)
2197  return;
2198 
2199  /* needed by FlowForceReassembly */
2200  PacketPoolInit();
2201 
2202  /* handle graceful shutdown of the flow engine, it's helper
2203  * threads and the packet threads */
2204  FlowDisableFlowManagerThread();
2205  TmThreadDisableReceiveThreads();
2206  FlowForceReassembly();
2207  TmThreadDisablePacketThreads();
2208  SCPrintElapsedTime(start_time);
2209  FlowDisableFlowRecyclerThread();
2210 
2211  /* kill the stats threads */
2212  TmThreadKillThreadsFamily(TVT_MGMT);
2213  TmThreadClearThreadsFamily(TVT_MGMT);
2214 
2215  /* kill packet threads -- already in 'disabled' state */
2216  TmThreadKillThreadsFamily(TVT_PPT);
2217  TmThreadClearThreadsFamily(TVT_PPT);
2218 
2219  PacketPoolDestroy();
2220 
2221  /* mgt and ppt threads killed, we can run non thread-safe
2222  * shutdown functions */
2223  StatsReleaseResources();
2224  DecodeUnregisterCounters();
2225  RunModeShutDown();
2226  FlowShutdown();
2227  IPPairShutdown();
2228  HostCleanup();
2229  StreamTcpFreeConfig(STREAM_VERBOSE);
2230  DefragDestroy();
2231 
2232  TmqResetQueues();
2233 #ifdef PROFILING
2234  if (profiling_rules_enabled)
2235  SCProfilingDump();
2236  SCProfilingDestroy();
2237 #endif
2238 }
2239 
2240 
2241 static int StartInternalRunMode(SCInstance *suri, int argc, char **argv)
2242 {
2243  /* Treat internal running mode */
2244  switch(suri->run_mode) {
2245  case RUNMODE_LIST_KEYWORDS:
2246  return ListKeywords(suri->keyword_info);
2247  case RUNMODE_LIST_APP_LAYERS:
2248  if (suri->conf_filename != NULL) {
2249  return ListAppLayerProtocols(suri->conf_filename);
2250  } else {
2251  return ListAppLayerProtocols(DEFAULT_CONF_FILE);
2252  }
2253  case RUNMODE_PRINT_VERSION:
2254  PrintVersion();
2255  return TM_ECODE_DONE;
2256  case RUNMODE_PRINT_BUILDINFO:
2257  PrintBuildInfo();
2258  return TM_ECODE_DONE;
2259  case RUNMODE_PRINT_USAGE:
2260  PrintUsage(argv[0]);
2261  return TM_ECODE_DONE;
2262  case RUNMODE_LIST_RUNMODES:
2263  RunModeListRunmodes();
2264  return TM_ECODE_DONE;
2265  case RUNMODE_LIST_UNITTEST:
2266  RunUnittests(1, suri->regex_arg);
2267  case RUNMODE_UNITTEST:
2268  RunUnittests(0, suri->regex_arg);
2269 #ifdef OS_WIN32
2270  case RUNMODE_INSTALL_SERVICE:
2271  if (SCServiceInstall(argc, argv)) {
2272  return TM_ECODE_FAILED;
2273  }
2274  SCLogInfo("Suricata service has been successfuly installed.");
2275  return TM_ECODE_DONE;
2276  case RUNMODE_REMOVE_SERVICE:
2277  if (SCServiceRemove(argc, argv)) {
2278  return TM_ECODE_FAILED;
2279  }
2280  SCLogInfo("Suricata service has been successfuly removed.");
2281  return TM_ECODE_DONE;
2282  case RUNMODE_CHANGE_SERVICE_PARAMS:
2283  if (SCServiceChangeParams(argc, argv)) {
2284  return TM_ECODE_FAILED;
2285  }
2286  SCLogInfo("Suricata service startup parameters has been successfuly changed.");
2287  return TM_ECODE_DONE;
2288 #endif /* OS_WIN32 */
2289  default:
2290  /* simply continue for other running mode */
2291  break;
2292  }
2293  return TM_ECODE_OK;
2294 }
2295 
2296 static int FinalizeRunMode(SCInstance *suri, char **argv)
2297 {
2298  switch (suri->run_mode) {
2299  case RUNMODE_UNKNOWN:
2300  PrintUsage(argv[0]);
2301  return TM_ECODE_FAILED;
2302  default:
2303  break;
2304  }
2305  /* Set the global run mode and offline flag. */
2306  run_mode = suri->run_mode;
2307 
2308  if (!CheckValidDaemonModes(suri->daemon, suri->run_mode)) {
2309  return TM_ECODE_FAILED;
2310  }
2311 
2312  return TM_ECODE_OK;
2313 }
2314 
2315 static void SetupDelayedDetect(SCInstance *suri)
2316 {
2317  /* In offline mode delayed init of detect is a bad idea */
2318  if (suri->offline) {
2319  suri->delayed_detect = 0;
2320  } else {
2321  if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
2322  ConfNode *denode = NULL;
2323  ConfNode *decnf = ConfGetNode("detect-engine");
2324  if (decnf != NULL) {
2325  TAILQ_FOREACH(denode, &decnf->head, next) {
2326  if (strcmp(denode->val, "delayed-detect") == 0) {
2327  (void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
2328  }
2329  }
2330  }
2331  }
2332  }
2333 
2334  SCLogConfig("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled");
2335  if (suri->delayed_detect) {
2336  SCLogInfo("Packets will start being processed before signatures are active.");
2337  }
2338 
2339 }
2340 
2341 static int LoadSignatures(DetectEngineCtx *de_ctx, SCInstance *suri)
2342 {
2343  if (SigLoadSignatures(de_ctx, suri->sig_file, suri->sig_file_exclusive) < 0) {
2344  SCLogError(SC_ERR_NO_RULES_LOADED, "Loading signatures failed.");
2345  if (de_ctx->failure_fatal)
2346  return TM_ECODE_FAILED;
2347  }
2348 
2349  return TM_ECODE_OK;
2350 }
2351 
2352 static int ConfigGetCaptureValue(SCInstance *suri)
2353 {
2354  /* Pull the max pending packets from the config, if not found fall
2355  * back on a sane default. */
2356  if (ConfGetInt("max-pending-packets", &max_pending_packets) != 1)
2357  max_pending_packets = DEFAULT_MAX_PENDING_PACKETS;
2358  if (max_pending_packets >= 65535) {
2359  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY,
2360  "Maximum max-pending-packets setting is 65534. "
2361  "Please check %s for errors", suri->conf_filename);
2362  return TM_ECODE_FAILED;
2363  }
2364 
2365  SCLogDebug("Max pending packets set to %"PRIiMAX, max_pending_packets);
2366 
2367  /* Pull the default packet size from the config, if not found fall
2368  * back on a sane default. */
2369  const char *temp_default_packet_size;
2370  if ((ConfGet("default-packet-size", &temp_default_packet_size)) != 1) {
2371  int mtu = 0;
2372  int lthread;
2373  int nlive;
2374  int strip_trailing_plus = 0;
2375  switch (suri->run_mode) {
2376 #ifdef WINDIVERT
2377  case RUNMODE_WINDIVERT:
2378  /* by default, WinDivert collects from all devices */
2379  mtu = GetGlobalMTUWin32();
2380 
2381  if (mtu > 0) {
2382  g_default_mtu = mtu;
2383  /* SLL_HEADER_LEN is the longest header + 8 for VLAN */
2384  default_packet_size = mtu + SLL_HEADER_LEN + 8;
2385  break;
2386  }
2387 
2388  g_default_mtu = DEFAULT_MTU;
2389  default_packet_size = DEFAULT_PACKET_SIZE;
2390  break;
2391 #endif /* WINDIVERT */
2392  case RUNMODE_NETMAP:
2393  /* in netmap igb0+ has a special meaning, however the
2394  * interface really is igb0 */
2395  strip_trailing_plus = 1;
2396  /* fall through */
2397  case RUNMODE_PCAP_DEV:
2398  case RUNMODE_AFP_DEV:
2399  case RUNMODE_PFRING:
2400  nlive = LiveGetDeviceNameCount();
2401  for (lthread = 0; lthread < nlive; lthread++) {
2402  const char *live_dev = LiveGetDeviceNameName(lthread);
2403  char dev[128]; /* need to be able to support GUID names on Windows */
2404  (void)strlcpy(dev, live_dev, sizeof(dev));
2405 
2406  if (strip_trailing_plus) {
2407  size_t len = strlen(dev);
2408  if (len &&
2409  (dev[len-1] == '+' ||
2410  dev[len-1] == '^' ||
2411  dev[len-1] == '*'))
2412  {
2413  dev[len-1] = '\0';
2414  }
2415  }
2416  mtu = GetIfaceMTU(dev);
2417  g_default_mtu = MAX(mtu, g_default_mtu);
2418 
2419  unsigned int iface_max_packet_size = GetIfaceMaxPacketSize(dev);
2420  if (iface_max_packet_size > default_packet_size)
2421  default_packet_size = iface_max_packet_size;
2422  }
2423  if (default_packet_size)
2424  break;
2425  /* fall through */
2426  default:
2427  g_default_mtu = DEFAULT_MTU;
2428  default_packet_size = DEFAULT_PACKET_SIZE;
2429  }
2430  } else {
2431  if (ParseSizeStringU32(temp_default_packet_size, &default_packet_size) < 0) {
2432  SCLogError(SC_ERR_SIZE_PARSE, "Error parsing max-pending-packets "
2433  "from conf file - %s. Killing engine",
2434  temp_default_packet_size);
2435  return TM_ECODE_FAILED;
2436  }
2437  }
2438 
2439  SCLogDebug("Default packet size set to %"PRIu32, default_packet_size);
2440 
2441  return TM_ECODE_OK;
2442 }
2443 
2444 static void PostRunStartedDetectSetup(const SCInstance *suri)
2445 {
2446 #ifndef OS_WIN32
2447  /* registering signal handlers we use. We setup usr2 here, so that one
2448  * can't call it during the first sig load phase or while threads are still
2449  * starting up. */
2450  if (DetectEngineEnabled() && suri->delayed_detect == 0) {
2451  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2452  UtilSignalUnblock(SIGUSR2);
2453  }
2454 #endif
2455  if (suri->delayed_detect) {
2456  /* force 'reload', this will load the rules and swap engines */
2457  DetectEngineReload(suri);
2458  SCLogNotice("Signature(s) loaded, Detect thread(s) activated.");
2459 #ifndef OS_WIN32
2460  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2461  UtilSignalUnblock(SIGUSR2);
2462 #endif
2463  }
2464 }
2465 
2466 void PostConfLoadedDetectSetup(SCInstance *suri)
2467 {
2468  DetectEngineCtx *de_ctx = NULL;
2469  if (!suri->disabled_detect) {
2470  SCClassConfInit();
2471  SCReferenceConfInit();
2472  SetupDelayedDetect(suri);
2473  int mt_enabled = 0;
2474  (void)ConfGetBool("multi-detect.enabled", &mt_enabled);
2475  int default_tenant = 0;
2476  if (mt_enabled)
2477  (void)ConfGetBool("multi-detect.default", &default_tenant);
2478  if (DetectEngineMultiTenantSetup() == -1) {
2479  FatalError(SC_ERR_FATAL, "initializing multi-detect "
2480  "detection engine contexts failed.");
2481  }
2482  if (suri->delayed_detect && suri->run_mode != RUNMODE_CONF_TEST) {
2483  de_ctx = DetectEngineCtxInitStubForDD();
2484  } else if (mt_enabled && !default_tenant && suri->run_mode != RUNMODE_CONF_TEST) {
2485  de_ctx = DetectEngineCtxInitStubForMT();
2486  } else {
2487  de_ctx = DetectEngineCtxInit();
2488  }
2489  if (de_ctx == NULL) {
2490  FatalError(SC_ERR_FATAL, "initializing detection engine "
2491  "context failed.");
2492  }
2493 
2494  if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL) {
2495  if (LoadSignatures(de_ctx, suri) != TM_ECODE_OK)
2496  exit(EXIT_FAILURE);
2497  }
2498 
2499  gettimeofday(&de_ctx->last_reload, NULL);
2500  DetectEngineAddToMaster(de_ctx);
2501  DetectEngineBumpVersion();
2502  }
2503 }
2504 
2505 static int PostDeviceFinalizedSetup(SCInstance *suri)
2506 {
2507  SCEnter();
2508 
2509 #ifdef HAVE_AF_PACKET
2510  if (suri->run_mode == RUNMODE_AFP_DEV) {
2511  if (AFPRunModeIsIPS()) {
2512  SCLogInfo("AF_PACKET: Setting IPS mode");
2513  EngineModeSetIPS();
2514  }
2515  }
2516 #endif
2517 #ifdef HAVE_NETMAP
2518  if (suri->run_mode == RUNMODE_NETMAP) {
2519  if (NetmapRunModeIsIPS()) {
2520  SCLogInfo("Netmap: Setting IPS mode");
2521  EngineModeSetIPS();
2522  }
2523  }
2524 #endif
2525 
2526  SCReturnInt(TM_ECODE_OK);
2527 }
2528 
2529 static void PostConfLoadedSetupHostMode(void)
2530 {
2531  const char *hostmode = NULL;
2532 
2533  if (ConfGet("host-mode", &hostmode) == 1) {
2534  if (!strcmp(hostmode, "router")) {
2535  host_mode = SURI_HOST_IS_ROUTER;
2536  } else if (!strcmp(hostmode, "sniffer-only")) {
2537  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2538  } else {
2539  if (strcmp(hostmode, "auto") != 0) {
2540  WarnInvalidConfEntry("host-mode", "%s", "auto");
2541  }
2542  if (EngineModeIsIPS()) {
2543  host_mode = SURI_HOST_IS_ROUTER;
2544  } else {
2545  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2546  }
2547  }
2548  } else {
2549  if (EngineModeIsIPS()) {
2550  host_mode = SURI_HOST_IS_ROUTER;
2551  SCLogInfo("No 'host-mode': suricata is in IPS mode, using "
2552  "default setting 'router'");
2553  } else {
2554  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2555  SCLogInfo("No 'host-mode': suricata is in IDS mode, using "
2556  "default setting 'sniffer-only'");
2557  }
2558  }
2559 }
2560 
2561 static void SetupUserMode(SCInstance *suri)
2562 {
2563  /* apply 'user mode' config updates here */
2564  if (suri->system == false) {
2565  if (suri->set_logdir == false) {
2566  /* override log dir to current work dir" */
2567  if (ConfigSetLogDirectory((char *)".") != TM_ECODE_OK) {
2568  FatalError(SC_ERR_LOGDIR_CONFIG, "could not set USER mode logdir");
2569  }
2570  }
2571  if (suri->set_datadir == false) {
2572  /* override data dir to current work dir" */
2573  if (ConfigSetDataDirectory((char *)".") != TM_ECODE_OK) {
2574  FatalError(SC_ERR_LOGDIR_CONFIG, "could not set USER mode datadir");
2575  }
2576  }
2577  }
2578 }
2579 
2580 /**
2581  * This function is meant to contain code that needs
2582  * to be run once the configuration has been loaded.
2583  */
2584 int PostConfLoadedSetup(SCInstance *suri)
2585 {
2586  /* do this as early as possible #1577 #1955 */
2587 #ifdef HAVE_LUAJIT
2588  if (LuajitSetupStatesPool() != 0) {
2589  SCReturnInt(TM_ECODE_FAILED);
2590  }
2591 #endif
2592 
2593  /* load the pattern matchers */
2594  MpmTableSetup();
2595  SpmTableSetup();
2596 
2597  int disable_offloading;
2598  if (ConfGetBool("capture.disable-offloading", &disable_offloading) == 0)
2599  disable_offloading = 1;
2600  if (disable_offloading) {
2601  LiveSetOffloadDisable();
2602  } else {
2603  LiveSetOffloadWarn();
2604  }
2605 
2606  if (suri->checksum_validation == -1) {
2607  const char *cv = NULL;
2608  if (ConfGet("capture.checksum-validation", &cv) == 1) {
2609  if (strcmp(cv, "none") == 0) {
2610  suri->checksum_validation = 0;
2611  } else if (strcmp(cv, "all") == 0) {
2612  suri->checksum_validation = 1;
2613  }
2614  }
2615  }
2616  switch (suri->checksum_validation) {
2617  case 0:
2618  ConfSet("stream.checksum-validation", "0");
2619  break;
2620  case 1:
2621  ConfSet("stream.checksum-validation", "1");
2622  break;
2623  }
2624 
2625  if (suri->runmode_custom_mode) {
2626  ConfSet("runmode", suri->runmode_custom_mode);
2627  }
2628 
2629  StorageInit();
2630 #ifdef HAVE_PACKET_EBPF
2631  if (suri->run_mode == RUNMODE_AFP_DEV) {
2632  EBPFRegisterExtension();
2633  LiveDevRegisterExtension();
2634  }
2635 #endif
2636  RegisterFlowBypassInfo();
2637 
2638  MacSetRegisterFlowStorage();
2639 
2640  AppLayerSetup();
2641 
2642  /* Suricata will use this umask if provided. By default it will use the
2643  umask passed on from the shell. */
2644  const char *custom_umask;
2645  if (ConfGet("umask", &custom_umask) == 1) {
2646  uint16_t mask;
2647  if (StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2648  umask((mode_t)mask);
2649  }
2650  }
2651 
2652 
2653  if (ConfigGetCaptureValue(suri) != TM_ECODE_OK) {
2654  SCReturnInt(TM_ECODE_FAILED);
2655  }
2656 
2657 #ifdef NFQ
2658  if (suri->run_mode == RUNMODE_NFQ)
2659  NFQInitConfig(false);
2660 #endif
2661 
2662  /* Load the Host-OS lookup. */
2663  SCHInfoLoadFromConfig();
2664 
2665  if (suri->run_mode == RUNMODE_ENGINE_ANALYSIS) {
2666  SCLogInfo("== Carrying out Engine Analysis ==");
2667  const char *temp = NULL;
2668  if (ConfGet("engine-analysis", &temp) == 0) {
2669  SCLogInfo("no engine-analysis parameter(s) defined in conf file. "
2670  "Please define/enable them in the conf to use this "
2671  "feature.");
2672  SCReturnInt(TM_ECODE_FAILED);
2673  }
2674  }
2675 
2676  /* hardcoded initialization code */
2677  SigTableSetup(); /* load the rule keywords */
2678  SigTableApplyStrictCommandlineOption(suri->strict_rule_parsing_string);
2679  TmqhSetup();
2680 
2681  TagInitCtx();
2682  PacketAlertTagInit();
2683  ThresholdInit();
2684  HostBitInitCtx();
2685  IPPairBitInitCtx();
2686 
2687  if (DetectAddressTestConfVars() < 0) {
2688  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY,
2689  "basic address vars test failed. Please check %s for errors",
2690  suri->conf_filename);
2691  SCReturnInt(TM_ECODE_FAILED);
2692  }
2693  if (DetectPortTestConfVars() < 0) {
2694  SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY,
2695  "basic port vars test failed. Please check %s for errors",
2696  suri->conf_filename);
2697  SCReturnInt(TM_ECODE_FAILED);
2698  }
2699 
2700  FeatureTrackingRegister(); /* must occur prior to output mod registration */
2701  RegisterAllModules();
2702 #ifdef HAVE_PLUGINS
2703  SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
2704 #endif
2705  AppLayerHtpNeedFileInspection();
2706 
2707  StorageFinalize();
2708 
2709  TmModuleRunInit();
2710 
2711  if (MayDaemonize(suri) != TM_ECODE_OK)
2712  SCReturnInt(TM_ECODE_FAILED);
2713 
2714  if (InitSignalHandler(suri) != TM_ECODE_OK)
2715  SCReturnInt(TM_ECODE_FAILED);
2716 
2717  /* Check for the existance of the default logging directory which we pick
2718  * from suricata.yaml. If not found, shut the engine down */
2719  suri->log_dir = ConfigGetLogDirectory();
2720 
2721  if (ConfigCheckLogDirectoryExists(suri->log_dir) != TM_ECODE_OK) {
2722  SCLogError(SC_ERR_LOGDIR_CONFIG, "The logging directory \"%s\" "
2723  "supplied by %s (default-log-dir) doesn't exist. "
2724  "Shutting down the engine", suri->log_dir, suri->conf_filename);
2725  SCReturnInt(TM_ECODE_FAILED);
2726  }
2727  if (!IsLogDirectoryWritable(suri->log_dir)) {
2728  SCLogError(SC_ERR_LOGDIR_CONFIG, "The logging directory \"%s\" "
2729  "supplied by %s (default-log-dir) is not writable. "
2730  "Shutting down the engine", suri->log_dir, suri->conf_filename);
2731  SCReturnInt(TM_ECODE_FAILED);
2732  }
2733 
2734  if (suri->disabled_detect) {
2735  SCLogConfig("detection engine disabled");
2736  /* disable raw reassembly */
2737  (void)ConfSetFinal("stream.reassembly.raw", "false");
2738  }
2739 
2740  HostInitConfig(HOST_VERBOSE);
2741 
2742  CoredumpLoadConfig();
2743 
2744  DecodeGlobalConfig();
2745 
2746  LiveDeviceFinalize();
2747 
2748  /* set engine mode if L2 IPS */
2749  if (PostDeviceFinalizedSetup(suri) != TM_ECODE_OK) {
2750  exit(EXIT_FAILURE);
2751  }
2752 
2753  /* hostmode depends on engine mode being set */
2754  PostConfLoadedSetupHostMode();
2755 
2756  PreRunInit(suri->run_mode);
2757 
2758  SCReturnInt(TM_ECODE_OK);
2759 }
2760 
2761 static void SuricataMainLoop(SCInstance *suri)
2762 {
2763  while(1) {
2764  if (sigterm_count || sigint_count) {
2765  suricata_ctl_flags |= SURICATA_STOP;
2766  }
2767 
2768  if (suricata_ctl_flags & SURICATA_STOP) {
2769  SCLogNotice("Signal Received. Stopping engine.");
2770  break;
2771  }
2772 
2773  TmThreadCheckThreadState();
2774 
2775  if (sighup_count > 0) {
2776  OutputNotifyFileRotation();
2777  sighup_count--;
2778  }
2779 
2780  if (sigusr2_count > 0) {
2781  if (!(DetectEngineReloadIsStart())) {
2782  DetectEngineReloadStart();
2783  DetectEngineReload(suri);
2784  DetectEngineReloadSetIdle();
2785  sigusr2_count--;
2786  }
2787 
2788  } else if (DetectEngineReloadIsStart()) {
2789  DetectEngineReload(suri);
2790  DetectEngineReloadSetIdle();
2791  }
2792 
2793  usleep(10* 1000);
2794  }
2795 }
2796 
2797 /**
2798  * \brief Global initialization common to all runmodes.
2799  *
2800  * This can be used by fuzz targets.
2801  */
2802 
2803 int InitGlobal(void) {
2804  rs_init(&suricata_context);
2805 
2806  SC_ATOMIC_INIT(engine_stage);
2807 
2808  /* initialize the logging subsys */
2809  SCLogInitLogModule(NULL);
2810 
2811  SCSetThreadName("Suricata-Main");
2812 
2813  /* Ignore SIGUSR2 as early as possble. We redeclare interest
2814  * once we're done launching threads. The goal is to either die
2815  * completely or handle any and all SIGUSR2s correctly.
2816  */
2817 #ifndef OS_WIN32
2818  UtilSignalHandlerSetup(SIGUSR2, SIG_IGN);
2819  if (UtilSignalBlock(SIGUSR2)) {
2820  SCLogError(SC_ERR_INITIALIZATION, "SIGUSR2 initialization error");
2821  return EXIT_FAILURE;
2822  }
2823 #endif
2824 
2825  ParseSizeInit();
2826  RunModeRegisterRunModes();
2827 
2828  /* Initialize the configuration module. */
2829  ConfInit();
2830 
2831  return 0;
2832 }
2833 
2834 int SuricataMain(int argc, char **argv)
2835 {
2836  SCInstanceInit(&suricata, argv[0]);
2837 
2838  if (InitGlobal() != 0) {
2839  exit(EXIT_FAILURE);
2840  }
2841 
2842 #ifdef OS_WIN32
2843  /* service initialization */
2844  if (WindowsInitService(argc, argv) != 0) {
2845  exit(EXIT_FAILURE);
2846  }
2847 #endif /* OS_WIN32 */
2848 
2849  if (ParseCommandLine(argc, argv, &suricata) != TM_ECODE_OK) {
2850  exit(EXIT_FAILURE);
2851  }
2852 
2853  if (FinalizeRunMode(&suricata, argv) != TM_ECODE_OK) {
2854  exit(EXIT_FAILURE);
2855  }
2856 
2857  switch (StartInternalRunMode(&suricata, argc, argv)) {
2858  case TM_ECODE_DONE:
2859  exit(EXIT_SUCCESS);
2860  case TM_ECODE_FAILED:
2861  exit(EXIT_FAILURE);
2862  }
2863 
2864  /* Initializations for global vars, queues, etc (memsets, mutex init..) */
2865  GlobalsInitPreConfig();
2866 
2867  /* Load yaml configuration file if provided. */
2868  if (LoadYamlConfig(&suricata) != TM_ECODE_OK) {
2869  exit(EXIT_FAILURE);
2870  }
2871 
2872  if (suricata.run_mode == RUNMODE_DUMP_CONFIG) {
2873  ConfDump();
2874  exit(EXIT_SUCCESS);
2875  }
2876 
2877  int vlan_tracking = 1;
2878  if (ConfGetBool("vlan.use-for-tracking", &vlan_tracking) == 1 && !vlan_tracking) {
2879  /* Ignore vlan_ids when comparing flows. */
2880  g_vlan_mask = 0x0000;
2881  }
2882  SCLogDebug("vlan tracking is %s", vlan_tracking == 1 ? "enabled" : "disabled");
2883 
2884  SetupUserMode(&suricata);
2885  InitRunAs(&suricata);
2886 
2887  /* Since our config is now loaded we can finish configurating the
2888  * logging module. */
2889  SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
2890 
2891  LogVersion(&suricata);
2892  UtilCpuPrintSummary();
2893 
2894  if (ParseInterfacesList(suricata.aux_run_mode, suricata.pcap_dev) != TM_ECODE_OK) {
2895  exit(EXIT_FAILURE);
2896  }
2897 
2898  if (PostConfLoadedSetup(&suricata) != TM_ECODE_OK) {
2899  exit(EXIT_FAILURE);
2900  }
2901 
2902  SCDropMainThreadCaps(suricata.userid, suricata.groupid);
2903 
2904  /* Re-enable coredumps after privileges are dropped. */
2905  CoredumpEnable();
2906 
2907  PreRunPostPrivsDropInit(suricata.run_mode);
2908 
2909  PostConfLoadedDetectSetup(&suricata);
2910  if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
2911  goto out;
2912  } else if (suricata.run_mode == RUNMODE_CONF_TEST){
2913  SCLogNotice("Configuration provided was successfully loaded. Exiting.");
2914  goto out;
2915  } else if (suricata.run_mode == RUNMODE_DUMP_FEATURES) {
2916  FeatureDump();
2917  goto out;
2918  }
2919 
2920  SCSetStartTime(&suricata);
2921  RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode,
2922  suricata.capture_plugin_name, suricata.capture_plugin_args);
2923  if (suricata.run_mode != RUNMODE_UNIX_SOCKET) {
2924  UnixManagerThreadSpawnNonRunmode();
2925  }
2926 
2927  /* Wait till all the threads have been initialized */
2928  if (TmThreadWaitOnThreadInit() == TM_ECODE_FAILED) {
2929  FatalError(SC_ERR_FATAL, "Engine initialization failed, "
2930  "aborting...");
2931  }
2932 
2933  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
2934  PacketPoolPostRunmodes();
2935 
2936  /* Un-pause all the paused threads */
2937  TmThreadContinueThreads();
2938 
2939  PostRunStartedDetectSetup(&suricata);
2940 
2941  SCPledge();
2942  SuricataMainLoop(&suricata);
2943 
2944  /* Update the engine stage/status flag */
2945  SC_ATOMIC_SET(engine_stage, SURICATA_DEINIT);
2946 
2947  UnixSocketKillSocketThread();
2948  PostRunDeinit(suricata.run_mode, &suricata.start_time);
2949  /* kill remaining threads */
2950  TmThreadKillThreads();
2951 
2952 out:
2953  GlobalsDestroy(&suricata);
2954 
2955  exit(EXIT_SUCCESS);
2956 }
DefragDestroy
void DefragDestroy(void)
Definition: defrag.c:1075
util-byte.h
host.h
tm-threads.h
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:392
TmModuleUnixManagerRegister
void TmModuleUnixManagerRegister(void)
Definition: unix-manager.c:1259
profiling_rules_enabled
int profiling_rules_enabled
Definition: util-profiling-rules.c:81
source-nflog.h
TagInitCtx
void TagInitCtx(void)
Definition: detect-engine-tag.c:51
TmModuleReceiveIPFWRegister
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
Definition: source-ipfw.c:151
flow-bypass.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
SCReferenceConfDeinit
void SCReferenceConfDeinit(void)
Definition: util-reference-config.c:77
ippair.h
app-layer-htp-range.h
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:503
SCInstance_::run_mode
enum RunModes run_mode
Definition: suricata.h:124
detect-engine.h
source-pcap.h
SCInstance_::groupid
uint32_t groupid
Definition: suricata.h:142
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
g_system
bool g_system
Definition: suricata.c:227
SCReferenceConfInit
void SCReferenceConfInit(void)
Definition: util-reference-config.c:56
host-storage.h
SCInstance_::daemon
int daemon
Definition: suricata.h:150
max_pending_packets
intmax_t max_pending_packets
Definition: suricata.c:216
app-layer-ssh.h
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:169
SCLogInitLogModule
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
Definition: util-debug.c:1294
SLL_HEADER_LEN
#define SLL_HEADER_LEN
Definition: decode-sll.h:27
SCInstance_::checksum_validation
int checksum_validation
Definition: suricata.h:153
SC_ERR_DAG_REQUIRED
@ SC_ERR_DAG_REQUIRED
Definition: util-error.h:201
app-layer-register.h
SC_ERR_WINDIVERT_NOSUPPORT
@ SC_ERR_WINDIVERT_NOSUPPORT
Definition: util-error.h:346
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4298
RUNMODE_UNITTEST
@ RUNMODE_UNITTEST
Definition: runmodes.h:40
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
SCInstance_::start_time
struct timeval start_time
Definition: suricata.h:155
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:315
SCThresholdConfGlobalFree
void SCThresholdConfGlobalFree(void)
Definition: util-threshold-config.c:158
source-pcap-file.h
AFPPeersListClean
void AFPPeersListClean()
Clean the global peers list.
Definition: source-af-packet.c:579
ConfNode_::val
char * val
Definition: conf.h:34
CLS
#define CLS
Definition: suricata-common.h:45
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:472
RUNMODE_DPDK
@ RUNMODE_DPDK
Definition: runmodes.h:39
stream-tcp.h
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:928
DetectEnginePruneFreeList
void DetectEnginePruneFreeList(void)
Definition: detect-engine.c:4389
RUNMODE_UNKNOWN
@ RUNMODE_UNKNOWN
Definition: runmodes.h:28
SCInstance_::group_name
const char * group_name
Definition: suricata.h:137
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
runmode-unittests.h
SigTableApplyStrictCommandlineOption
void SigTableApplyStrictCommandlineOption(const char *str)
Definition: detect-parse.c:306
TmqhSetup
void TmqhSetup(void)
Definition: tm-queuehandlers.c:39
SC_ERR_GID_FAILED
@ SC_ERR_GID_FAILED
Definition: util-error.h:188
RUNMODE_PRINT_BUILDINFO
@ RUNMODE_PRINT_BUILDINFO
Definition: runmodes.h:50
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2395
LiveDevRegisterExtension
void LiveDevRegisterExtension(void)
Definition: util-device.c:493
SC_ERR_NFQ_NOSUPPORT
@ SC_ERR_NFQ_NOSUPPORT
Definition: util-error.h:97
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
AppLayerHtpPrintStats
void AppLayerHtpPrintStats(void)
Definition: app-layer-htp.c:2983
StatsSetupPostConfigPreOutput
void StatsSetupPostConfigPreOutput(void)
Definition: counters.c:890
SCInstance_::runmode_custom_mode
char * runmode_custom_mode
Definition: suricata.h:134
util-coredump-config.h
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigTableSetup
void SigTableSetup(void)
Definition: detect-engine-register.c:445
TmModuleReceiveNFQRegister
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:168
LiveBuildDeviceList
int LiveBuildDeviceList(const char *runmode)
Definition: util-device.c:308
util-lua.h
RunModeShutDown
void RunModeShutDown(void)
Definition: runmodes.c:549
TM_ECODE_DONE
@ TM_ECODE_DONE
Definition: tm-threads-common.h:84
DEFAULT_MTU
#define DEFAULT_MTU
Definition: decode.h:661
SCProtoNameInit
void SCProtoNameInit(void)
Definition: util-proto-name.c:418
ippair-bit.h
RunModeDispatch
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
Definition: runmodes.c:291
SC_ERR_NOT_SUPPORTED
@ SC_ERR_NOT_SUPPORTED
Definition: util-error.h:257
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
threads.h
RUNMODE_LIST_RUNMODES
@ RUNMODE_LIST_RUNMODES
Definition: runmodes.h:48
sigint_count
volatile sig_atomic_t sigint_count
Definition: suricata.c:186
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
TmModuleRunDeInit
void TmModuleRunDeInit(void)
Definition: tm-modules.c:146
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:238
SCSetThreadName
#define SCSetThreadName(n)
Definition: threads.h:308
SC_ERR_NO_PCAP_SET_BUFFER_SIZE
@ SC_ERR_NO_PCAP_SET_BUFFER_SIZE
Definition: util-error.h:59
SCLogDeInitLogModule
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
Definition: util-debug.c:1508
util-pidfile.h
TmModuleDecodeErfFileRegister
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
Definition: source-erf-file.c:98
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:794
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:336
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:1917
SCInstance_::userid
uint32_t userid
Definition: suricata.h:141
RUNMODE_ERF_FILE
@ RUNMODE_ERF_FILE
Definition: runmodes.h:35
source-windivert-prototypes.h
SC_ERR_IPFW_NOSUPPORT
@ SC_ERR_IPFW_NOSUPPORT
Definition: util-error.h:109
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3601
TmModuleFlowRecyclerRegister
void TmModuleFlowRecyclerRegister(void)
Definition: flow-manager.c:1292
packet-queue.h
Daemonize
void Daemonize(void)
Daemonize the process.
Definition: util-daemon.c:101
UtilSignalHandlerSetup
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
Definition: util-signal.c:60
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:253
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:597
RUNMODE_NFLOG
@ RUNMODE_NFLOG
Definition: runmodes.h:33
TmModuleDecodeWinDivertRegister
void TmModuleDecodeWinDivertRegister(void)
Definition: source-windivert.c:74
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:90
FlowForceReassembly
void FlowForceReassembly(void)
Force reassembly for all the flows that have unprocessed segments.
Definition: flow-timeout.c:424
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4322
TmModuleStatsLoggerRegister
void TmModuleStatsLoggerRegister(void)
Definition: output-stats.c:197
RegisterAllModules
void RegisterAllModules(void)
Definition: suricata.c:900
ENGINE_MODE_IPS
@ ENGINE_MODE_IPS
Definition: suricata.h:104
SCGetUserID
int SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
Definition: util-privs.c:149
RUNMODE_PCAP_DEV
@ RUNMODE_PCAP_DEV
Definition: runmodes.h:29
flow-bit.h
SupportFastPatternForSigMatchTypes
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
Definition: detect-fast-pattern.c:144
ConfDump
void ConfDump(void)
Dump configuration to stdout.
Definition: conf.c:735
suricata_context
const SuricataContext suricata_context
Definition: rust-context.c:25
rust.h
SCPledge
#define SCPledge(...)
Definition: util-privs.h:100
CheckValidDaemonModes
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
Definition: util-daemon.c:171
SCClassConfDeinit
void SCClassConfDeinit(void)
Definition: util-classification-config.c:85
LiveGetDeviceNameName
const char * LiveGetDeviceNameName(int number)
Get a pointer to the pre device name at idx.
Definition: util-device.c:218
ConfSetFinal
int ConfSetFinal(const char *name, const char *val)
Set a final configuration value.
Definition: conf.c:298
unittests_fatal
int unittests_fatal
Definition: util-unittest.c:52
TmThreadDisableReceiveThreads
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
Definition: tm-threads.c:1328
StatsInit
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
Definition: counters.c:878
util-privs.h
PreRunInit
void PreRunInit(const int runmode)
Definition: suricata.c:2147
RUNMODE_LIST_KEYWORDS
@ RUNMODE_LIST_KEYWORDS
Definition: runmodes.h:46
SURICATA_DONE
#define SURICATA_DONE
Definition: suricata.h:92
MacSetRegisterFlowStorage
void MacSetRegisterFlowStorage(void)
Definition: util-macset.c:61
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:159
ExceptionSimulationCommandlineParser
int ExceptionSimulationCommandlineParser(const char *name, const char *arg)
Definition: util-exception-policy.c:110
RUNMODE_NAPATECH
@ RUNMODE_NAPATECH
Definition: runmodes.h:41
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:375
TmModuleReceiveNetmapRegister
void TmModuleReceiveNetmapRegister(void)
Definition: source-netmap.c:74
PacketPoolPostRunmodes
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
Definition: tmqh-packetpool.c:512
NFQInitConfig
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:205
TmModuleReceiveWinDivertRegister
void TmModuleReceiveWinDivertRegister(void)
Definition: source-windivert.c:61
app-layer-ftp.h
MAX
#define MAX(x, y)
Definition: suricata-common.h:376
TmModuleReceivePfringRegister
void TmModuleReceivePfringRegister(void)
Registration Function for RecievePfring.
Definition: source-pfring.c:162
HOST_VERBOSE
#define HOST_VERBOSE
Definition: host.h:92
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
SCProfilingDestroy
void SCProfilingDestroy(void)
Free resources used by profiling.
Definition: util-profiling.c:268
IsRunModeOffline
bool IsRunModeOffline(enum RunModes run_mode_to_check)
Definition: runmodes.c:531
RunModeInitializeOutputs
void RunModeInitializeOutputs(void)
Definition: runmodes.c:749
DetectPortTestConfVars
int DetectPortTestConfVars(void)
Definition: detect-engine-port.c:1169
SCThresholdConfGlobalInit
void SCThresholdConfGlobalInit(void)
Definition: util-threshold-config.c:106
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:513
SCInstance_::capture_plugin_name
const char * capture_plugin_name
Definition: suricata.h:162
SURI_HOST_IS_SNIFFER_ONLY
@ SURI_HOST_IS_SNIFFER_ONLY
Definition: suricata.h:114
RUNMODE_DAG
@ RUNMODE_DAG
Definition: runmodes.h:36
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
EngineMode
EngineMode
Definition: suricata.h:102
SCInstance_::set_datadir
bool set_datadir
Definition: suricata.h:146
tmqh-packetpool.h
g_ut_covered
int g_ut_covered
Definition: suricata.c:898
util-unittest.h
SCInstance_::capture_plugin_args
const char * capture_plugin_args
Definition: suricata.h:163
TmModuleLoggerRegister
void TmModuleLoggerRegister(void)
Definition: output.c:1020
SURI_HOST_IS_ROUTER
@ SURI_HOST_IS_ROUTER
Definition: suricata.h:115
TmThreadDisablePacketThreads
void TmThreadDisablePacketThreads(void)
Disable all packet threads.
Definition: tm-threads.c:1460
host_mode
uint8_t host_mode
Definition: suricata.c:213
RUNMODE_NETMAP
@ RUNMODE_NETMAP
Definition: runmodes.h:38
util-unittest-helper.h
RUNMODE_DUMP_FEATURES
@ RUNMODE_DUMP_FEATURES
Definition: runmodes.h:61
FeatureDump
void FeatureDump(void)
Definition: feature.c:142
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:302
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:970
TmThreadContinueThreads
void TmThreadContinueThreads()
Unpauses all threads present in tv_root.
Definition: tm-threads.c:1782
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
app-layer-htp-file.h
PcapTranslateIPToDevice
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
Definition: source-pcap.c:651
FlowDisableFlowRecyclerThread
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
Definition: flow-manager.c:1216
ParseSizeInit
void ParseSizeInit(void)
Definition: util-misc.c:35
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(const char *pcap_dev)
output max packet size for a link
Definition: util-ioctl.c:132
TmModuleDecodePcapFileRegister
void TmModuleDecodePcapFileRegister(void)
Definition: source-pcap-file.c:125
TmModuleBypassedFlowManagerRegister
void TmModuleBypassedFlowManagerRegister(void)
Definition: flow-bypass.c:214
IPPairShutdown
void IPPairShutdown(void)
shutdown the flow engine
Definition: ippair.c:303
source-erf-dag.h
util-signal.h
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:2495
SC_ERR_UID_FAILED
@ SC_ERR_UID_FAILED
Definition: util-error.h:187
SC_ERR_SIZE_PARSE
@ SC_ERR_SIZE_PARSE
Definition: util-error.h:230
TmModuleDecodeNFLOGRegister
void TmModuleDecodeNFLOGRegister(void)
Definition: source-nflog.c:55
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:330
NFQParseAndRegisterQueues
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
Definition: source-nfq.c:863
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:523
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:955
FeatureTrackingRegister
void FeatureTrackingRegister(void)
Definition: feature.c:150
TmModuleReceiveDPDKRegister
void TmModuleReceiveDPDKRegister(void)
Definition: source-dpdk.c:47
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
util-cidr.h
app-layer-htp.h
UnixManagerThreadSpawnNonRunmode
void UnixManagerThreadSpawnNonRunmode(void)
Definition: unix-manager.c:1252
IsRunModeSystem
bool IsRunModeSystem(enum RunModes run_mode_to_check)
Definition: runmodes.c:518
datasets.h
TmModuleDecodeNetmapRegister
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
Definition: source-netmap.c:84
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2172
feature.h
decode.h
util-device.h
util-debug.h
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4338
sigterm_count
volatile sig_atomic_t sigterm_count
Definition: suricata.c:188
run_mode
int run_mode
Definition: suricata.c:205
source-nfq.h
SC_ERR_CMD_LINE
@ SC_ERR_CMD_LINE
Definition: util-error.h:227
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
TmThreadWaitOnThreadInit
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
Definition: tm-threads.c:1823
TmModuleVerdictNFQRegister
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:183
ConfYamlLoadFile
int ConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
Definition: conf-yaml-loader.c:440
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:53
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1034
RunModeListRunmodes
void RunModeListRunmodes(void)
Lists all registered runmodes.
Definition: runmodes.c:248
RUNMODE_PRINT_USAGE
@ RUNMODE_PRINT_USAGE
Definition: runmodes.h:51
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
RUNMODE_LIST_APP_LAYERS
@ RUNMODE_LIST_APP_LAYERS
Definition: runmodes.h:47
util-cpu.h
suricata
SCInstance suricata
Definition: suricata.c:245
LiveSetOffloadDisable
void LiveSetOffloadDisable(void)
Definition: util-device.c:70
app-layer-dnp3.h
StatsSetupPostConfigPostOutput
void StatsSetupPostConfigPostOutput(void)
Definition: counters.c:895
TVT_MGMT
@ TVT_MGMT
Definition: tm-threads-common.h:90
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:267
SpmTableSetup
void SpmTableSetup(void)
Definition: util-spm.c:123
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:379
LiveBuildDeviceListCustom
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
Definition: util-device.c:313
util-exception-policy.h
UnixSocketKillSocketThread
void UnixSocketKillSocketThread(void)
Definition: unix-manager.c:1247
TmModuleVerdictIPFWRegister
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
Definition: source-ipfw.c:172
flow-worker.h
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:282
HttpRangeContainersInit
void HttpRangeContainersInit(void)
Definition: app-layer-htp-range.c:150
util-reference-config.h
source-napatech.h
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:974
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:148
TmModuleVerdictWinDivertRegister
void TmModuleVerdictWinDivertRegister(void)
Definition: source-windivert.c:68
SCInstance_::progname
const char * progname
Definition: suricata.h:158
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:343
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
FlowDisableFlowManagerThread
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
Definition: flow-manager.c:147
detect-engine-mpm.h
util-ebpf.h
SCInstance_::pcap_dev
char pcap_dev[128]
Definition: suricata.h:127
detect.h
SuricataMain
int SuricataMain(int argc, char **argv)
Definition: suricata.c:2834
UtilSignalUnblock
int UtilSignalUnblock(int signum)
Definition: util-signal.c:46
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:3568
pkt-var.h
TmThreadClearThreadsFamily
void TmThreadClearThreadsFamily(int family)
Definition: tm-threads.c:1610
SC_ERR_PIDFILE_DAEMON
@ SC_ERR_PIDFILE_DAEMON
Definition: util-error.h:186
TmModuleRunInit
void TmModuleRunInit(void)
Definition: tm-modules.c:128
detect-engine-port.h
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:262
util-atomic.h
SCInstance_::user_name
const char * user_name
Definition: suricata.h:136
HTPAtExitPrintStats
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
Definition: app-layer-htp.c:2021
util-time.h
UtilSignalBlock
int UtilSignalBlock(int signum)
Definition: util-signal.c:29
SCProfilingPrefilterGlobalInit
void SCProfilingPrefilterGlobalInit(void)
Definition: util-profiling-prefilter.c:63
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2584
GetProgramVersion
const char * GetProgramVersion(void)
get string with program version
Definition: suricata.c:1120
engine_analysis
int engine_analysis
app-layer-parser.h
SC_ERR_LIBCAP_NG_REQUIRED
@ SC_ERR_LIBCAP_NG_REQUIRED
Definition: util-error.h:190
TRUE
#define TRUE
Definition: suricata-common.h:33
SCGetGroupID
int SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
Definition: util-privs.c:213
TmModuleReceivePcapFileRegister
void TmModuleReceivePcapFileRegister(void)
Definition: source-pcap-file.c:112
source-pfring.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
CoredumpLoadConfig
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
Definition: util-coredump-config.c:85
detect-engine-tag.h
IPFWRegisterQueue
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
Definition: source-ipfw.c:703
xstr
#define xstr(s)
Definition: suricata-common.h:271
util-profiling.h
util-rule-vars.h
FALSE
#define FALSE
Definition: suricata-common.h:34
AFPRunModeIsIPS
int AFPRunModeIsIPS()
Definition: runmode-af-packet.c:693
ListAppLayerProtocols
int ListAppLayerProtocols(const char *conf_filename)
Definition: util-running-modes.c:42
SCInstance_::offline
int offline
Definition: suricata.h:151
DatasetsDestroy
void DatasetsDestroy(void)
Definition: datasets.c:743
UtilCpuPrintSummary
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
Definition: util-cpu.c:169
TmThreadKillThreads
void TmThreadKillThreads(void)
Definition: tm-threads.c:1538
SC_ERR_FOPEN
@ SC_ERR_FOPEN
Definition: util-error.h:74
OutputDeregisterAll
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
Definition: output.c:801
source-pcap-file-helper.h
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2466
EngineModeIsIDS
int EngineModeIsIDS(void)
Definition: suricata.c:257
TmModuleNapatechDecodeRegister
void TmModuleNapatechDecodeRegister(void)
Register the Napatech decoder module.
Definition: source-napatech.c:161
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:33
conf-yaml-loader.h
SC_WARN_FASTER_CAPTURE_AVAILABLE
@ SC_WARN_FASTER_CAPTURE_AVAILABLE
Definition: util-error.h:308
coverage_unittests
int coverage_unittests
Definition: suricata.c:896
RUNMODE_DUMP_CONFIG
@ RUNMODE_DUMP_CONFIG
Definition: runmodes.h:52
SURICATA_DEINIT
@ SURICATA_DEINIT
Definition: suricata.h:98
DatasetsSave
void DatasetsSave(void)
Definition: datasets.c:790
conf.h
source-ipfw.h
TMM_SIZE
@ TMM_SIZE
Definition: tm-threads-common.h:77
source-netmap.h
OutputNotifyFileRotation
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
Definition: output.c:872
util-magic.h
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
SCInstance_::verbose
int verbose
Definition: suricata.h:152
util-radix-tree.h
TmEcode
TmEcode
Definition: tm-threads-common.h:81
source-windivert.h
TmModuleFlowWorkerRegister
void TmModuleFlowWorkerRegister(void)
Definition: flow-worker.c:651
SCInstance_::aux_run_mode
enum RunModes aux_run_mode
Definition: suricata.h:125
LiveGetDeviceNameCount
int LiveGetDeviceNameCount(void)
Get the number of pre registered devices.
Definition: util-device.c:198
util-plugin.h
flow-timeout.h
DEFAULT_PID_FILENAME
#define DEFAULT_PID_FILENAME
Definition: suricata.h:84
reputation.h
util-action.h
sighup_count
volatile sig_atomic_t sighup_count
Definition: suricata.c:187
ConfigSetDataDirectory
TmEcode ConfigSetDataDirectory(char *name)
Definition: util-conf.c:68
TmModuleDecodeErfDagRegister
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
Definition: source-erf-dag.c:151
SCInstance_::set_logdir
bool set_logdir
Definition: suricata.h:145
SCDropMainThreadCaps
#define SCDropMainThreadCaps(...)
Definition: util-privs.h:38
TmModuleDebugList
void TmModuleDebugList(void)
Definition: tm-modules.c:35
TmModuleDecodeNFQRegister
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:191
util-proto-name.h
STREAM_VERBOSE
#define STREAM_VERBOSE
Definition: stream-tcp.h:33
defrag.h
SCProtoNameRelease
void SCProtoNameRelease(void)
Definition: util-proto-name.c:439
MpmTableSetup
void MpmTableSetup(void)
Definition: util-mpm.c:215
SCInstance_::log_dir
const char * log_dir
Definition: suricata.h:157
runmodes.h
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:273
source-nfq-prototypes.h
SCPluginsLoad
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
TmModuleReceiveNFLOGRegister
void TmModuleReceiveNFLOGRegister(void)
Definition: source-nflog.c:49
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:97
DEFAULT_PACKET_SIZE
#define DEFAULT_PACKET_SIZE
Definition: decode.h:664
WarnInvalidConfEntry
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
Definition: util-misc.h:37
util-host-os-info.h
TmModuleReceiveErfFileRegister
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-file.c:80
TmModule_
Definition: tm-modules.h:43
default_packet_size
uint32_t default_packet_size
Definition: decode.c:72
tm-queuehandlers.h
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:781
PROG_NAME
#define PROG_NAME
Definition: suricata.h:71
TmThreadKillThreadsFamily
void TmThreadKillThreadsFamily(int family)
Definition: tm-threads.c:1509
detect-fast-pattern.h
FeatureTrackingRelease
void FeatureTrackingRelease(void)
Definition: feature.c:134
app-layer-enip.h
TmqhCleanup
void TmqhCleanup(void)
Clean up registration time allocs.
Definition: tm-queuehandlers.c:49
util-dpdk.h
RUNMODE_PFRING
@ RUNMODE_PFRING
Definition: runmodes.h:31
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:666
source-dpdk.h
SC_ERR_NO_RULES_LOADED
@ SC_ERR_NO_RULES_LOADED
Definition: util-error.h:73
flow-manager.h
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:833
SCInstance_::strict_rule_parsing_string
char * strict_rule_parsing_string
Definition: suricata.h:160
SuriHasSigFile
int SuriHasSigFile(void)
Definition: suricata.c:247
suricata-common.h
g_default_mtu
int g_default_mtu
Definition: suricata.c:225
sc_set_caps
int sc_set_caps
Definition: suricata.c:222
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2390
tm-queues.h
util-daemon.h
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:670
SCHInfoLoadFromConfig
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
Definition: util-host-os-info.c:335
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:3592
util-decode-mime.h
SC_ERR_PCAP_TRANSLATE
@ SC_ERR_PCAP_TRANSLATE
Definition: util-error.h:233
TmModuleFlowManagerRegister
void TmModuleFlowManagerRegister(void)
Definition: flow-manager.c:1278
util-spm.h
SCPidfileTestRunning
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
Definition: util-pidfile.c:105
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:306
DOC_URL
#define DOC_URL
Definition: suricata.h:86
output-filestore.h
TmModuleDecodePfringRegister
void TmModuleDecodePfringRegister(void)
Registration Function for DecodePfring.
Definition: source-pfring.c:178
LiveSetOffloadWarn
void LiveSetOffloadWarn(void)
Definition: util-device.c:75
ParseSizeDeinit
void ParseSizeDeinit(void)
Definition: util-misc.c:55
util-classification-config.h
RunModeRegisterRunModes
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
Definition: runmodes.c:221
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
ConfGetChildValueBool
int ConfGetChildValueBool(const ConfNode *base, const char *name, int *val)
Definition: conf.c:485
SCProfilingDump
void SCProfilingDump(void)
Definition: util-profiling.c:294
EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition: suricata.c:450
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:128
SC_ERR_NO_AF_PACKET
@ SC_ERR_NO_AF_PACKET
Definition: util-error.h:225
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:183
SC_ERR_BPF
@ SC_ERR_BPF
Definition: util-error.h:157
TmModuleReceiveErfDagRegister
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-dag.c:133
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(void)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:3973
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
SCClassConfInit
void SCClassConfInit(void)
Definition: util-classification-config.c:64
RunmodeGetCurrent
int RunmodeGetCurrent(void)
Definition: suricata.c:282
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:30
threadvars.h
TmModuleDecodeIPFWRegister
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
Definition: source-ipfw.c:187
source-af-packet.h
RUNMODE_NFQ
@ RUNMODE_NFQ
Definition: runmodes.h:32
ConfSetFromString
int ConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
Definition: conf.c:244
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:238
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:113
DatasetsInit
int DatasetsInit(void)
Definition: datasets.c:632
sigusr2_count
volatile sig_atomic_t sigusr2_count
Definition: suricata.c:189
RUNMODE_ENGINE_ANALYSIS
@ RUNMODE_ENGINE_ANALYSIS
Definition: runmodes.h:55
RUNMODE_PRINT_VERSION
@ RUNMODE_PRINT_VERSION
Definition: runmodes.h:49
TmModuleDecodePcapRegister
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
Definition: source-pcap.c:148
util-running-modes.h
unix-manager.h
LiveDeviceListClean
int LiveDeviceListClean()
Definition: util-device.c:348
str
#define str(s)
Definition: suricata-common.h:272
ConfigCheckDataDirectory
TmEcode ConfigCheckDataDirectory(const char *data_dir)
Definition: util-conf.c:101
SCInstance_::sig_file_exclusive
int sig_file_exclusive
Definition: suricata.h:129
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:219
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:35
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:1891
SC_ERR_NO_NETMAP
@ SC_ERR_NO_NETMAP
Definition: util-error.h:294
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DEFAULT_CONF_FILE
#define DEFAULT_CONF_FILE
Definition: suricata.h:80
ConfNode_
Definition: conf.h:32
SC_LOG_MAX_LOG_MSG_LEN
#define SC_LOG_MAX_LOG_MSG_LEN
Definition: util-debug.h:86
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:282
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
TmModuleReceivePcapRegister
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
Definition: source-pcap.c:131
util-ioctl.h
detect-parse.h
SCInstance_::system
bool system
Definition: suricata.h:144
SCInstance_::pid_filename
char * pid_filename
Definition: suricata.h:130
TmModuleRespondRejectRegister
void TmModuleRespondRejectRegister(void)
Definition: respond-reject.c:49
CoredumpEnable
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
Definition: util-coredump-config.c:53
RunUnittests
void RunUnittests(int list_unittests, const char *regex_arg)
Definition: runmode-unittests.c:219
source-erf-file.h
ConfigCheckLogDirectoryExists
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
Definition: util-conf.c:53
TimeDeinit
void TimeDeinit(void)
Definition: util-time.c:85
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:37
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2400
tmqh-flow.h
RUNMODE_WINDIVERT
@ RUNMODE_WINDIVERT
Definition: runmodes.h:43
SCProfilingRulesGlobalInit
void SCProfilingRulesGlobalInit(void)
Definition: util-profiling-rules.c:114
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:252
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
TmModuleNapatechStreamRegister
void TmModuleNapatechStreamRegister(void)
Register the Napatech receiver (reader) module.
Definition: source-napatech.c:129
SCProfilingKeywordsGlobalInit
void SCProfilingKeywordsGlobalInit(void)
Definition: util-profiling-keywords.c:69
suricata.h
SC_ERR_NFLOG_NOSUPPORT
@ SC_ERR_NFLOG_NOSUPPORT
Definition: util-error.h:278
EngineDone
void EngineDone(void)
Used to indicate that the current task is done.
Definition: suricata.c:461
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
app-layer-smb.h
GetDocURL
const char * GetDocURL(void)
Definition: suricata.c:1099
util-mpm-hs.h
SC_ERR_LOGDIR_CMDLINE
@ SC_ERR_LOGDIR_CMDLINE
Definition: util-error.h:147
PostRunDeinit
void PostRunDeinit(const int runmode, struct timeval *start_time)
Definition: suricata.c:2194
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:677
SC_ERR_NO_DPDK
@ SC_ERR_NO_DPDK
Definition: util-error.h:372
HttpRangeContainersDestroy
void HttpRangeContainersDestroy(void)
Definition: app-layer-htp-range.c:185
SC_ERR_LIBNET_NOT_ENABLED
@ SC_ERR_LIBNET_NOT_ENABLED
Definition: util-error.h:178
NFQContextsClean
void NFQContextsClean()
Clean global contexts. Must be called on exit.
Definition: source-nfq.c:1277
ConfSet
int ConfSet(const char *name, const char *val)
Set a configuration value.
Definition: conf.c:219
SCLogLoadConfig
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
Definition: util-debug.c:1327
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4428
SCInstance_::do_setgid
uint8_t do_setgid
Definition: suricata.h:139
DEFAULT_MAX_PENDING_PACKETS
#define DEFAULT_MAX_PENDING_PACKETS
Definition: suricata.c:199
SCInstance_
Definition: suricata.h:123
TmThreadCheckThreadState
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
Definition: tm-threads.c:1799
OutputFilestoreRegisterGlobalCounters
void OutputFilestoreRegisterGlobalCounters(void)
Definition: output-filestore.c:535
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:2803
SC_ERR_INITIALIZATION
@ SC_ERR_INITIALIZATION
Definition: util-error.h:75
SCInstance_::disabled_detect
int disabled_detect
Definition: suricata.h:149
app-layer-smtp.h
SCProfilingSghsGlobalInit
void SCProfilingSghsGlobalInit(void)
Definition: util-profiling-rulegroups.c:71
SCPidfileCreate
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
Definition: util-pidfile.c:41
LiveRegisterDeviceName
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
Definition: util-device.c:96
ENGINE_MODE_IDS
@ ENGINE_MODE_IDS
Definition: suricata.h:103
LiveDeviceFinalize
void LiveDeviceFinalize(void)
Definition: util-device.c:470
TmModuleDecodeDPDKRegister
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
Definition: source-dpdk.c:61
PROG_VER
#define PROG_VER
Definition: suricata.h:72
util-misc.h
PacketPoolDestroy
void PacketPoolDestroy(void)
Definition: tmqh-packetpool.c:335
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:2034
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:89
flow.h
respond-reject.h
SCInstance_::regex_arg
char * regex_arg
Definition: suricata.h:131
ListKeywords
int ListKeywords(const char *keyword_info)
Definition: util-running-modes.c:32
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:232
msg
const char * msg
Definition: app-layer-htp.c:562
DPDKCleanupEAL
void DPDKCleanupEAL(void)
Definition: util-dpdk.c:27
SC_ERR_SIGNAL
@ SC_ERR_SIGNAL
Definition: util-error.h:378
StatsReleaseResources
void StatsReleaseResources()
Releases the resources alloted by the Stats API.
Definition: counters.c:1269
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:37
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SCPidfileRemove
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
Definition: util-pidfile.c:83
flow-var.h
SC_ERR_NAPATECH_REQUIRED
@ SC_ERR_NAPATECH_REQUIRED
Definition: util-error.h:249
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:80
TimeInit
void TimeInit(void)
Definition: util-time.c:77
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCInstance_::keyword_info
char * keyword_info
Definition: suricata.h:133
RUNMODE_PLUGIN
@ RUNMODE_PLUGIN
Definition: runmodes.h:44
SC_ERR_LOGDIR_CONFIG
@ SC_ERR_LOGDIR_CONFIG
Definition: util-error.h:146
SC_ERR_MULTIPLE_RUN_MODE
@ SC_ERR_MULTIPLE_RUN_MODE
Definition: util-error.h:156
SCInstance_::do_setuid
uint8_t do_setuid
Definition: suricata.h:138
app-layer-ssl.h
NetmapRunModeIsIPS
int NetmapRunModeIsIPS(void)
SCProfilingInit
void SCProfilingInit(void)
Initialize profiling.
Definition: util-profiling.c:140
g_ut_modules
int g_ut_modules
Definition: suricata.c:897
detect-engine-address.h
RUNMODE_IPFW
@ RUNMODE_IPFW
Definition: runmodes.h:34
output.h
util-storage.h
DetectEngineCtx_::failure_fatal
int failure_fatal
Definition: detect.h:796
util-threshold-config.h
DefragInit
void DefragInit(void)
Definition: defrag.c:1054
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:1905
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:202
host-bit.h
detect-engine-threshold.h
SC_ERR_NO_PF_RING
@ SC_ERR_NO_PF_RING
Definition: util-error.h:60
RUNMODE_LIST_UNITTEST
@ RUNMODE_LIST_UNITTEST
Definition: runmodes.h:54
app-layer.h
TagDestroyCtx
void TagDestroyCtx(void)
Destroy tag context hash tables.
Definition: detect-engine-tag.c:71
DetectAddressTestConfVars
int DetectAddressTestConfVars(void)
Definition: detect-engine-address.c:1235
g_disable_randomness
int g_disable_randomness
Definition: suricata.c:231
GetIfaceMTU
int GetIfaceMTU(const char *pcap_dev)
output the link MTU
Definition: util-ioctl.c:91
MpmHSGlobalCleanup
void MpmHSGlobalCleanup(void)
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:242
TmqResetQueues
void TmqResetQueues(void)
Definition: tm-queues.c:80