suricata
suricata.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #if HAVE_GETOPT_H
27 #include <getopt.h>
28 #endif
29 
30 #if HAVE_SIGNAL_H
31 #include <signal.h>
32 #endif
33 #ifndef OS_WIN32
34 #ifdef HAVE_SYS_RESOURCE_H
35 // setrlimit
36 #include <sys/resource.h>
37 #endif
38 #endif
39 
40 #include "suricata.h"
41 
42 #include "conf.h"
43 #include "conf-yaml-loader.h"
44 
45 #include "decode.h"
46 #include "defrag.h"
47 #include "flow.h"
48 #include "stream-tcp.h"
49 #include "ippair.h"
50 
51 #include "detect.h"
52 #include "detect-parse.h"
53 #include "detect-engine.h"
54 #include "detect-engine-address.h"
55 #include "detect-engine-alert.h"
56 #include "detect-engine-port.h"
57 #include "detect-engine-tag.h"
58 #include "detect-engine-threshold.h"
59 #include "detect-fast-pattern.h"
60 
61 #include "datasets.h"
62 
63 #include "feature.h"
64 
65 #include "flow-bypass.h"
66 #include "flow-manager.h"
67 #include "flow-timeout.h"
68 #include "flow-worker.h"
69 
70 #include "flow-bit.h"
71 #include "host-bit.h"
72 #include "ippair-bit.h"
73 
74 #include "app-layer.h"
75 #include "app-layer-parser.h"
76 #include "app-layer-htp.h"
77 #include "app-layer-htp-range.h"
78 
79 #include "output.h"
80 #include "output-filestore.h"
81 
82 #include "respond-reject.h"
83 
84 #include "runmode-af-packet.h"
85 #include "runmode-af-xdp.h"
86 #include "runmode-netmap.h"
87 #include "runmode-unittests.h"
88 
89 #include "source-nfq.h"
90 #include "source-nfq-prototypes.h"
91 #include "source-nflog.h"
92 #include "source-ipfw.h"
93 #include "source-pcap.h"
94 #include "source-pcap-file.h"
95 #include "source-pcap-file-helper.h"
96 #include "source-erf-file.h"
97 #include "source-erf-dag.h"
98 #include "source-napatech.h"
99 #include "source-af-packet.h"
100 #include "source-af-xdp.h"
101 #include "source-netmap.h"
102 #include "source-dpdk.h"
103 #include "source-windivert.h"
104 #include "source-windivert-prototypes.h"
105 
106 #include "unix-manager.h"
107 
108 #include "util-classification-config.h"
109 #include "util-threshold-config.h"
110 #include "util-reference-config.h"
111 
112 #include "tmqh-packetpool.h"
113 #include "tm-queuehandlers.h"
114 
115 #include "util-byte.h"
116 #include "util-conf.h"
117 #include "util-coredump-config.h"
118 #include "util-cpu.h"
119 #include "util-daemon.h"
120 #include "util-device.h"
121 #include "util-dpdk.h"
122 #include "util-ebpf.h"
123 #include "util-exception-policy.h"
124 #include "util-host-os-info.h"
125 #include "util-hugepages.h"
126 #include "util-ioctl.h"
127 #include "util-landlock.h"
128 #include "util-macset.h"
129 #include "util-misc.h"
130 #include "util-mpm-hs.h"
131 #include "util-path.h"
132 #include "util-pidfile.h"
133 #include "util-plugin.h"
134 #include "util-privs.h"
135 #include "util-profiling.h"
136 #include "util-proto-name.h"
137 #include "util-running-modes.h"
138 #include "util-signal.h"
139 #include "util-time.h"
140 #include "util-validate.h"
141 #include "util-var-name.h"
142 #ifdef SYSTEMD_NOTIFY
143 #include "util-systemd.h"
144 #endif
145 
146 #ifdef WINDIVERT
147 #include "decode-sll.h"
148 #include "win32-syscall.h"
149 #endif
150 
151 /*
152  * we put this here, because we only use it here in main.
153  */
154 volatile sig_atomic_t sigint_count = 0;
155 volatile sig_atomic_t sighup_count = 0;
156 volatile sig_atomic_t sigterm_count = 0;
157 volatile sig_atomic_t sigusr2_count = 0;
158 
159 /*
160  * Flag to indicate if the engine is at the initialization
161  * or already processing packets. 3 stages: SURICATA_INIT,
162  * SURICATA_RUNTIME and SURICATA_FINALIZE
163  */
164 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
165 
166 /* Max packets processed simultaneously per thread. */
167 #define DEFAULT_MAX_PENDING_PACKETS 1024
168 
169 /** suricata engine control flags */
170 volatile uint8_t suricata_ctl_flags = 0;
171 
172 /** Engine mode: inline (ENGINE_MODE_IPS) or just
173  * detection mode (ENGINE_MODE_IDS by default) */
174 static enum EngineMode g_engine_mode = ENGINE_MODE_UNKNOWN;
175 
176 /** Host mode: set if box is sniffing only
177  * or is a router */
178 uint8_t host_mode = SURI_HOST_IS_SNIFFER_ONLY;
179 
180 /** Maximum packets to simultaneously process. */
181 uint16_t max_pending_packets;
182 
183 /** global indicating if detection is enabled */
184 int g_detect_disabled = 0;
185 
186 /** set caps or not */
187 bool sc_set_caps = false;
188 
189 bool g_system = false;
190 
191 /** disable randomness to get reproducible results across runs */
192 #ifndef AFLFUZZ_NO_RANDOM
193 int g_disable_randomness = 0;
194 #else
195 int g_disable_randomness = 1;
196 #endif
197 
198 /** determine (without branching) if we include the vlan_ids when hashing or
199  * comparing flows */
200 uint16_t g_vlan_mask = 0xffff;
201 
202 /** determine (without branching) if we include the livedev ids when hashing or
203  * comparing flows */
204 uint16_t g_livedev_mask = 0xffff;
205 
206 /* flag to disable hashing almost globally, to be similar to disabling nss
207  * support */
208 bool g_disable_hashing = false;
209 
210 /* snapshot of the system's hugepages before system intitialization. */
211 SystemHugepageSnapshot *prerun_snap = NULL;
212 
213 /** add per-proto app-layer error counters for exception policies stats? disabled by default */
214 bool g_stats_eps_per_app_proto_errors = false;
215 
216 /** Suricata instance */
217 SCInstance suricata;
218 
219 int SuriHasSigFile(void)
220 {
221  return (suricata.sig_file != NULL);
222 }
223 
224 int EngineModeIsUnknown(void)
225 {
226  return (g_engine_mode == ENGINE_MODE_UNKNOWN);
227 }
228 
229 int EngineModeIsIPS(void)
230 {
231  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
232  return (g_engine_mode == ENGINE_MODE_IPS);
233 }
234 
235 int EngineModeIsIDS(void)
236 {
237  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
238  return (g_engine_mode == ENGINE_MODE_IDS);
239 }
240 
241 void EngineModeSetIPS(void)
242 {
243  g_engine_mode = ENGINE_MODE_IPS;
244 }
245 
246 void EngineModeSetIDS(void)
247 {
248  g_engine_mode = ENGINE_MODE_IDS;
249 }
250 
251 #ifdef UNITTESTS
252 int RunmodeIsUnittests(void)
253 {
254  if (suricata.run_mode == RUNMODE_UNITTEST)
255  return 1;
256 
257  return 0;
258 }
259 #endif
260 
261 int SCRunmodeGet(void)
262 {
263  return suricata.run_mode;
264 }
265 
266 void SCRunmodeSet(int run_mode)
267 {
268  suricata.run_mode = run_mode;
269 }
270 
271 /** signal handlers
272  *
273  * WARNING: don't use the SCLog* API in the handlers. The API is complex
274  * with memory allocation possibly happening, calls to syslog, json message
275  * construction, etc.
276  */
277 
278 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
279 static void SignalHandlerSigint(/*@unused@*/ int sig)
280 {
281  sigint_count = 1;
282 }
283 static void SignalHandlerSigterm(/*@unused@*/ int sig)
284 {
285  sigterm_count = 1;
286 }
287 #ifndef OS_WIN32
288 #if HAVE_LIBUNWIND
289 #define UNW_LOCAL_ONLY
290 #include <libunwind.h>
291 static void SignalHandlerUnexpected(int sig_num, siginfo_t *info, void *context)
292 {
293  char msg[SC_LOG_MAX_LOG_MSG_LEN];
294  unw_cursor_t cursor;
295  /* Restore defaults for signals to avoid loops */
296  signal(SIGABRT, SIG_DFL);
297  signal(SIGSEGV, SIG_DFL);
298  int r;
299  if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
300  SCLogError("unable to obtain stack trace: unw_init_local: %s", unw_strerror(r));
301  goto terminate;
302  }
303 
304  char *temp = msg;
305  int cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "stacktrace:sig %d:", sig_num);
306  temp += cw;
307  r = 1;
308  while (r > 0) {
309  if (unw_is_signal_frame(&cursor) == 0) {
310  unw_word_t off;
311  char name[256];
312  if (unw_get_proc_name(&cursor, name, sizeof(name), &off) == UNW_ENOMEM) {
313  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "[unknown]:");
314  } else {
315  cw = snprintf(
316  temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "%s+0x%08" PRIx64, name, off);
317  }
318  temp += cw;
319  }
320 
321  r = unw_step(&cursor);
322  if (r > 0) {
323  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), ";");
324  temp += cw;
325  }
326  }
327  SCLogError("%s", msg);
328 
329 terminate:
330  // Propagate signal to watchers, if any
331  kill(getpid(), sig_num);
332 }
333 #undef UNW_LOCAL_ONLY
334 #endif /* HAVE_LIBUNWIND */
335 #endif /* !OS_WIN32 */
336 #endif
337 
338 #ifndef OS_WIN32
339 /**
340  * SIGUSR2 handler. Just set sigusr2_count. The main loop will act on
341  * it.
342  */
343 static void SignalHandlerSigusr2(int sig)
344 {
345  if (sigusr2_count < 2)
346  sigusr2_count++;
347 }
348 
349 /**
350  * SIGHUP handler. Just set sighup_count. The main loop will act on
351  * it.
352  */
353 static void SignalHandlerSigHup(/*@unused@*/ int sig)
354 {
355  sighup_count = 1;
356 }
357 #endif
358 
359 void GlobalsInitPreConfig(void)
360 {
361  TimeInit();
362  SupportFastPatternForSigMatchTypes();
363  SCThresholdConfGlobalInit();
364  SCProtoNameInit();
365  FrameConfigInit();
366 }
367 
368 void GlobalsDestroy(void)
369 {
370  SCInstance *suri = &suricata;
371  ThresholdDestroy();
372  HostShutdown();
373  HTPFreeConfig();
374  HTPAtExitPrintStats();
375 
376  AppLayerHtpPrintStats();
377 
378  /* TODO this can do into it's own func */
379  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
380  if (de_ctx) {
381  DetectEngineMoveToFreeList(de_ctx);
382  DetectEngineDeReference(&de_ctx);
383  }
384  DetectEngineClearMaster();
385 
386  AppLayerDeSetup();
387  DatasetsSave();
388  DatasetsDestroy();
389  TagDestroyCtx();
390 
391  LiveDeviceListClean();
392  OutputDeregisterAll();
393  FeatureTrackingRelease();
394  SCProtoNameRelease();
395  TimeDeinit();
396  SigTableCleanup();
397  TmqhCleanup();
398  TmModuleRunDeInit();
399  ParseSizeDeinit();
400 
401 #ifdef HAVE_DPDK
402  DPDKCleanupEAL();
403 #endif
404 
405 #ifdef HAVE_AF_PACKET
406  AFPPeersListClean();
407 #endif
408 
409 #ifdef NFQ
410  NFQContextsClean();
411 #endif
412 
413 #ifdef BUILD_HYPERSCAN
414  MpmHSGlobalCleanup();
415 #endif
416 
417  ConfDeInit();
418 
419  DetectParseFreeRegexes();
420 
421  SCPidfileRemove(suri->pid_filename);
422  SCFree(suri->pid_filename);
423  suri->pid_filename = NULL;
424 
425  VarNameStoreDestroy();
426  SCLogDeInitLogModule();
427 }
428 
429 /**
430  * \brief Used to send OS specific notification of running threads
431  *
432  * \retval TmEcode TM_ECODE_OK on success; TM_ECODE_FAILED on failure.
433  */
434 static void OnNotifyRunning(void)
435 {
436 #ifdef SYSTEMD_NOTIFY
437  if (SystemDNotifyReady() < 0) {
438  SCLogWarning("failed to notify systemd");
439  }
440 #endif
441 }
442 
443 /** \brief make sure threads can stop the engine by calling this
444  * function. Purpose: pcap file mode needs to be able to tell the
445  * engine the file eof is reached. */
446 void EngineStop(void)
447 {
448  suricata_ctl_flags |= SURICATA_STOP;
449 }
450 
451 /**
452  * \brief Used to indicate that the current task is done.
453  *
454  * This is mainly used by pcap-file to tell it has finished
455  * to treat a pcap files when running in unix-socket mode.
456  */
457 void EngineDone(void)
458 {
459  suricata_ctl_flags |= SURICATA_DONE;
460 }
461 
462 static int SetBpfString(int argc, char *argv[])
463 {
464  char *bpf_filter = NULL;
465  uint32_t bpf_len = 0;
466  int tmpindex = 0;
467 
468  /* attempt to parse remaining args as bpf filter */
469  tmpindex = argc;
470  while(argv[tmpindex] != NULL) {
471  bpf_len+=strlen(argv[tmpindex]) + 1;
472  tmpindex++;
473  }
474 
475  if (bpf_len == 0)
476  return TM_ECODE_OK;
477 
478  bpf_filter = SCCalloc(1, bpf_len);
479  if (unlikely(bpf_filter == NULL))
480  return TM_ECODE_FAILED;
481 
482  tmpindex = optind;
483  while(argv[tmpindex] != NULL) {
484  strlcat(bpf_filter, argv[tmpindex],bpf_len);
485  if(argv[tmpindex + 1] != NULL) {
486  strlcat(bpf_filter," ", bpf_len);
487  }
488  tmpindex++;
489  }
490 
491  if(strlen(bpf_filter) > 0) {
492  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
493  SCLogError("Failed to set bpf filter.");
494  SCFree(bpf_filter);
495  return TM_ECODE_FAILED;
496  }
497  }
498  SCFree(bpf_filter);
499 
500  return TM_ECODE_OK;
501 }
502 
503 static void SetBpfStringFromFile(char *filename)
504 {
505  char *bpf_filter = NULL;
506  char *bpf_comment_tmp = NULL;
507  char *bpf_comment_start = NULL;
508  uint32_t bpf_len = 0;
509  SCStat st;
510  FILE *fp = NULL;
511  size_t nm = 0;
512 
513  fp = fopen(filename, "r");
514  if (fp == NULL) {
515  SCLogError("Failed to open file %s", filename);
516  exit(EXIT_FAILURE);
517  }
518 
519  if (SCFstatFn(fileno(fp), &st) != 0) {
520  SCLogError("Failed to stat file %s", filename);
521  exit(EXIT_FAILURE);
522  }
523  bpf_len = st.st_size + 1;
524 
525  bpf_filter = SCCalloc(1, bpf_len);
526  if (unlikely(bpf_filter == NULL)) {
527  SCLogError("Failed to allocate buffer for bpf filter in file %s", filename);
528  exit(EXIT_FAILURE);
529  }
530 
531  nm = fread(bpf_filter, 1, bpf_len - 1, fp);
532  if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
533  SCLogError("Failed to read complete BPF file %s", filename);
534  SCFree(bpf_filter);
535  fclose(fp);
536  exit(EXIT_FAILURE);
537  }
538  fclose(fp);
539  bpf_filter[nm] = '\0';
540 
541  if(strlen(bpf_filter) > 0) {
542  /*replace comments with space*/
543  bpf_comment_start = bpf_filter;
544  while((bpf_comment_tmp = strchr(bpf_comment_start, '#')) != NULL) {
545  while((*bpf_comment_tmp !='\0') &&
546  (*bpf_comment_tmp != '\r') && (*bpf_comment_tmp != '\n'))
547  {
548  *bpf_comment_tmp++ = ' ';
549  }
550  bpf_comment_start = bpf_comment_tmp;
551  }
552  /*remove remaining '\r' and '\n' */
553  while((bpf_comment_tmp = strchr(bpf_filter, '\r')) != NULL) {
554  *bpf_comment_tmp = ' ';
555  }
556  while((bpf_comment_tmp = strchr(bpf_filter, '\n')) != NULL) {
557  *bpf_comment_tmp = ' ';
558  }
559  /* cut trailing spaces */
560  while (strlen(bpf_filter) > 0 &&
561  bpf_filter[strlen(bpf_filter)-1] == ' ')
562  {
563  bpf_filter[strlen(bpf_filter)-1] = '\0';
564  }
565  if (strlen(bpf_filter) > 0) {
566  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
567  SCFree(bpf_filter);
568  FatalError("failed to set bpf filter");
569  }
570  }
571  }
572  SCFree(bpf_filter);
573 }
574 
575 static void PrintUsage(const char *progname)
576 {
577 #ifdef REVISION
578  printf("%s %s (%s)\n", PROG_NAME, PROG_VER, xstr(REVISION));
579 #else
580  printf("%s %s\n", PROG_NAME, PROG_VER);
581 #endif
582  printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
583  printf("\t-c <path> : path to configuration file\n");
584  printf("\t-T : test configuration file (use with -c)\n");
585  printf("\t-i <dev or ip> : run in pcap live mode\n");
586  printf("\t-F <bpf filter file> : bpf filter file\n");
587  printf("\t-r <path> : run in pcap file/offline mode\n");
588 #ifdef NFQ
589  printf("\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to specify a range of queues)\n");
590 #endif /* NFQ */
591 #ifdef IPFW
592  printf("\t-d <divert port> : run in inline ipfw divert mode\n");
593 #endif /* IPFW */
594  printf("\t-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)\n");
595  printf("\t-S <path> : path to signature file loaded exclusively (optional)\n");
596  printf("\t-l <dir> : default log directory\n");
597 #ifndef OS_WIN32
598  printf("\t-D : run as daemon\n");
599 #else
600  printf("\t--service-install : install as service\n");
601  printf("\t--service-remove : remove service\n");
602  printf("\t--service-change-params : change service startup parameters\n");
603 #endif /* OS_WIN32 */
604  printf("\t-k [all|none] : force checksum check (all) or disabled it (none)\n");
605  printf("\t-V : display Suricata version\n");
606  printf("\t-v : be more verbose (use multiple times to increase verbosity)\n");
607 #ifdef UNITTESTS
608  printf("\t-u : run the unittests and exit\n");
609  printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n");
610  printf("\t--list-unittests : list unit tests\n");
611  printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
612  printf("\t--unittests-coverage : display unittest coverage report\n");
613 #endif /* UNITTESTS */
614  printf("\t--list-app-layer-protos : list supported app layer protocols\n");
615  printf("\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
616  printf("\t--list-runmodes : list supported runmodes\n");
617  printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
618  "\t supplied should be the id for the runmode obtained by running\n"
619  "\t --list-runmodes\n");
620  printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n"
621  "\t Please have a look at the conf parameter engine-analysis on what reports\n"
622  "\t can be printed\n");
623  printf("\t--pidfile <file> : write pid to this file\n");
624  printf("\t--init-errors-fatal : enable fatal failure on signature init error\n");
625  printf("\t--disable-detection : disable detection engine\n");
626  printf("\t--dump-config : show the running configuration\n");
627  printf("\t--dump-features : display provided features\n");
628  printf("\t--build-info : display build information\n");
629  printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml\n");
630  printf("\t--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
631  printf("\t--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
632  printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)\n");
633 #ifdef HAVE_PCAP_SET_BUFF
634  printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
635 #endif /* HAVE_SET_PCAP_BUFF */
636 #ifdef HAVE_DPDK
637  printf("\t--dpdk : run in dpdk mode, uses interfaces from "
638  "suricata.yaml\n");
639 #endif
640 #ifdef HAVE_AF_PACKET
641  printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
642 #endif
643 #ifdef HAVE_AF_XDP
644  printf("\t--af-xdp[=<dev>] : run in af-xdp mode, no value select "
645  "interfaces from suricata.yaml\n");
646 #endif
647 #ifdef HAVE_NETMAP
648  printf("\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
649 #endif
650 #ifdef HAVE_PFRING
651  printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
652  printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
653  printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
654  printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
655 #endif /* HAVE_PFRING */
656  printf("\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
657 #ifdef HAVE_LIBCAP_NG
658  printf("\t--user <user> : run suricata as this user after init\n");
659  printf("\t--group <group> : run suricata as this group after init\n");
660 #endif /* HAVE_LIBCAP_NG */
661  printf("\t--erf-in <path> : process an ERF file\n");
662 #ifdef HAVE_DAG
663  printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
664 #endif
665 #ifdef HAVE_NAPATECH
666  printf("\t--napatech : run Napatech Streams using the API\n");
667 #endif
668 #ifdef BUILD_UNIX_SOCKET
669  printf("\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
670 #endif
671 #ifdef WINDIVERT
672  printf("\t--windivert <filter> : run in inline WinDivert mode\n");
673  printf("\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
674 #endif
675 #ifdef HAVE_LIBNET11
676  printf("\t--reject-dev <dev> : send reject packets from this interface\n");
677 #endif
678  printf("\t--include <path> : additional configuration file\n");
679  printf("\t--set name=value : set a configuration value\n");
680  printf("\n");
681  printf("\nTo run the engine with default configuration on "
682  "interface eth0 with signature file \"signatures.rules\", run the "
683  "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
684  progname);
685 }
686 
687 static void PrintBuildInfo(void)
688 {
689  const char *bits;
690  const char *endian;
691  char features[2048] = "";
692  const char *tls;
693 
694  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
695 #ifdef DEBUG
696  strlcat(features, "DEBUG ", sizeof(features));
697 #endif
698 #ifdef DEBUG_VALIDATION
699  strlcat(features, "DEBUG_VALIDATION ", sizeof(features));
700 #endif
701 #ifdef UNITTESTS
702  strlcat(features, "UNITTESTS ", sizeof(features));
703 #endif
704 #ifdef NFQ
705  strlcat(features, "NFQ ", sizeof(features));
706 #endif
707 #ifdef IPFW
708  strlcat(features, "IPFW ", sizeof(features));
709 #endif
710 #ifdef HAVE_PCAP_SET_BUFF
711  strlcat(features, "PCAP_SET_BUFF ", sizeof(features));
712 #endif
713 #ifdef HAVE_PFRING
714  strlcat(features, "PF_RING ", sizeof(features));
715 #endif
716 #ifdef HAVE_AF_PACKET
717  strlcat(features, "AF_PACKET ", sizeof(features));
718 #endif
719 #ifdef HAVE_NETMAP
720  strlcat(features, "NETMAP ", sizeof(features));
721 #endif
722 #ifdef HAVE_PACKET_FANOUT
723  strlcat(features, "HAVE_PACKET_FANOUT ", sizeof(features));
724 #endif
725 #ifdef HAVE_DAG
726  strlcat(features, "DAG ", sizeof(features));
727 #endif
728 #ifdef HAVE_LIBCAP_NG
729  strlcat(features, "LIBCAP_NG ", sizeof(features));
730 #endif
731 #ifdef HAVE_LIBNET11
732  strlcat(features, "LIBNET1.1 ", sizeof(features));
733 #endif
734 #ifdef HAVE_HTP_URI_NORMALIZE_HOOK
735  strlcat(features, "HAVE_HTP_URI_NORMALIZE_HOOK ", sizeof(features));
736 #endif
737 #ifdef PCRE2_HAVE_JIT
738  strlcat(features, "PCRE_JIT ", sizeof(features));
739 #endif
740  /* For compatibility, just say we have HAVE_NSS. */
741  strlcat(features, "HAVE_NSS ", sizeof(features));
742  /* HTTP2_DECOMPRESSION is not an optional feature in this major version */
743  strlcat(features, "HTTP2_DECOMPRESSION ", sizeof(features));
744  /* Lua is now vendored in and always available. */
745  strlcat(features, "HAVE_LUA ", sizeof(features));
746 #ifdef HAVE_JA3
747  strlcat(features, "HAVE_JA3 ", sizeof(features));
748 #endif
749 #ifdef HAVE_JA4
750  strlcat(features, "HAVE_JA4 ", sizeof(features));
751 #endif
752  strlcat(features, "HAVE_LIBJANSSON ", sizeof(features));
753 #ifdef PROFILING
754  strlcat(features, "PROFILING ", sizeof(features));
755 #endif
756 #ifdef PROFILE_LOCKING
757  strlcat(features, "PROFILE_LOCKING ", sizeof(features));
758 #endif
759 #if defined(TLS_C11) || defined(TLS_GNU)
760  strlcat(features, "TLS ", sizeof(features));
761 #endif
762 #if defined(TLS_C11)
763  strlcat(features, "TLS_C11 ", sizeof(features));
764 #elif defined(TLS_GNU)
765  strlcat(features, "TLS_GNU ", sizeof(features));
766 #endif
767 #ifdef HAVE_MAGIC
768  strlcat(features, "MAGIC ", sizeof(features));
769 #endif
770  strlcat(features, "RUST ", sizeof(features));
771 #if defined(SC_ADDRESS_SANITIZER)
772  strlcat(features, "ASAN ", sizeof(features));
773 #endif
774 #if defined(HAVE_POPCNT64)
775  strlcat(features, "POPCNT64 ", sizeof(features));
776 #endif
777  if (strlen(features) == 0) {
778  strlcat(features, "none", sizeof(features));
779  }
780 
781  printf("Features: %s\n", features);
782 
783  /* SIMD stuff */
784  memset(features, 0x00, sizeof(features));
785 #if defined(__SSE4_2__)
786  strlcat(features, "SSE_4_2 ", sizeof(features));
787 #endif
788 #if defined(__SSE4_1__)
789  strlcat(features, "SSE_4_1 ", sizeof(features));
790 #endif
791 #if defined(__SSE3__)
792  strlcat(features, "SSE_3 ", sizeof(features));
793 #endif
794 #if defined(__SSE2__)
795  strlcat(features, "SSE_2 ", sizeof(features));
796 #endif
797  if (strlen(features) == 0) {
798  strlcat(features, "none", sizeof(features));
799  }
800  printf("SIMD support: %s\n", features);
801 
802  /* atomics stuff */
803  memset(features, 0x00, sizeof(features));
804 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
805  strlcat(features, "1 ", sizeof(features));
806 #endif
807 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
808  strlcat(features, "2 ", sizeof(features));
809 #endif
810 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
811  strlcat(features, "4 ", sizeof(features));
812 #endif
813 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
814  strlcat(features, "8 ", sizeof(features));
815 #endif
816 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
817  strlcat(features, "16 ", sizeof(features));
818 #endif
819  if (strlen(features) == 0) {
820  strlcat(features, "none", sizeof(features));
821  } else {
822  strlcat(features, "byte(s)", sizeof(features));
823  }
824  printf("Atomic intrinsics: %s\n", features);
825 
826 #if __WORDSIZE == 64
827  bits = "64-bits";
828 #elif __WORDSIZE == 32
829  bits = "32-bits";
830 #else
831  bits = "<unknown>-bits";
832 #endif
833 
834 #if __BYTE_ORDER == __BIG_ENDIAN
835  endian = "Big-endian";
836 #elif __BYTE_ORDER == __LITTLE_ENDIAN
837  endian = "Little-endian";
838 #else
839  endian = "<unknown>-endian";
840 #endif
841 
842  printf("%s, %s architecture\n", bits, endian);
843 #ifdef __GNUC__
844  printf("GCC version %s, C version %"PRIiMAX"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
845 #else
846  printf("C version %"PRIiMAX"\n", (intmax_t)__STDC_VERSION__);
847 #endif
848 
849 #if __SSP__ == 1
850  printf("compiled with -fstack-protector\n");
851 #endif
852 #if __SSP_ALL__ == 2
853  printf("compiled with -fstack-protector-all\n");
854 #endif
855 /*
856  * Workaround for special defines of _FORTIFY_SOURCE like
857  * FORTIFY_SOURCE=((defined __OPTIMIZE && OPTIMIZE > 0) ? 2 : 0)
858  * which is used by Gentoo for example and would result in the error
859  * 'defined' undeclared when _FORTIFY_SOURCE used via %d in printf func
860  *
861  */
862 #if _FORTIFY_SOURCE == 2
863  printf("compiled with _FORTIFY_SOURCE=2\n");
864 #elif _FORTIFY_SOURCE == 1
865  printf("compiled with _FORTIFY_SOURCE=1\n");
866 #elif _FORTIFY_SOURCE == 0
867  printf("compiled with _FORTIFY_SOURCE=0\n");
868 #endif
869 #ifdef CLS
870  printf("L1 cache line size (CLS)=%d\n", CLS);
871 #endif
872 #if defined(TLS_C11)
873  tls = "_Thread_local";
874 #elif defined(TLS_GNU)
875  tls = "__thread";
876 #else
877 #error "Unsupported thread local"
878 #endif
879  printf("thread local storage method: %s\n", tls);
880 
881  printf("compiled with %s, linked against %s\n",
882  HTP_VERSION_STRING_FULL, htp_get_version());
883  printf("\n");
884 #include "build-info.h"
885 }
886 
887 int coverage_unittests;
888 int g_ut_modules;
889 int g_ut_covered;
890 
891 void RegisterAllModules(void)
892 {
893  /* commanders */
894  TmModuleUnixManagerRegister();
895  /* managers */
896  TmModuleFlowManagerRegister();
897  TmModuleFlowRecyclerRegister();
898  TmModuleBypassedFlowManagerRegister();
899  /* nfq */
900  TmModuleReceiveNFQRegister();
901  TmModuleVerdictNFQRegister();
902  TmModuleDecodeNFQRegister();
903  /* ipfw */
904  TmModuleReceiveIPFWRegister();
905  TmModuleVerdictIPFWRegister();
906  TmModuleDecodeIPFWRegister();
907  /* pcap live */
908  TmModuleReceivePcapRegister();
909  TmModuleDecodePcapRegister();
910  /* pcap file */
911  TmModuleReceivePcapFileRegister();
912  TmModuleDecodePcapFileRegister();
913  /* af-packet */
914  TmModuleReceiveAFPRegister();
915  TmModuleDecodeAFPRegister();
916  /* af-xdp */
917  TmModuleReceiveAFXDPRegister();
918  TmModuleDecodeAFXDPRegister();
919  /* netmap */
920  TmModuleReceiveNetmapRegister();
921  TmModuleDecodeNetmapRegister();
922  /* dag file */
923  TmModuleReceiveErfFileRegister();
924  TmModuleDecodeErfFileRegister();
925  /* dag live */
926  TmModuleReceiveErfDagRegister();
927  TmModuleDecodeErfDagRegister();
928  /* napatech */
929  TmModuleNapatechStreamRegister();
930  TmModuleNapatechDecodeRegister();
931 
932  /* flow worker */
933  TmModuleFlowWorkerRegister();
934  /* respond-reject */
935  TmModuleRespondRejectRegister();
936 
937  /* log api */
938  TmModuleLoggerRegister();
939  TmModuleStatsLoggerRegister();
940 
941  TmModuleDebugList();
942  /* nflog */
943  TmModuleReceiveNFLOGRegister();
944  TmModuleDecodeNFLOGRegister();
945 
946  /* windivert */
947  TmModuleReceiveWinDivertRegister();
948  TmModuleVerdictWinDivertRegister();
949  TmModuleDecodeWinDivertRegister();
950 
951  /* Dpdk */
952  TmModuleReceiveDPDKRegister();
953  TmModuleDecodeDPDKRegister();
954 }
955 
956 TmEcode SCLoadYamlConfig(void)
957 {
958  SCEnter();
959 
960  SCInstance *suri = &suricata;
961 
962  if (suri->conf_filename == NULL)
963  suri->conf_filename = DEFAULT_CONF_FILE;
964 
965  if (ConfYamlLoadFile(suri->conf_filename) != 0) {
966  /* Error already displayed. */
967  SCReturnInt(TM_ECODE_FAILED);
968  }
969 
970  if (suri->additional_configs) {
971  for (int i = 0; suri->additional_configs[i] != NULL; i++) {
972  SCLogConfig("Loading additional configuration file %s", suri->additional_configs[i]);
973  ConfYamlHandleInclude(ConfGetRootNode(), suri->additional_configs[i]);
974  }
975  }
976 
977  SCReturnInt(TM_ECODE_OK);
978 }
979 
980 static TmEcode ParseInterfacesList(const int runmode, char *pcap_dev)
981 {
982  SCEnter();
983 
984  /* run the selected runmode */
985  if (runmode == RUNMODE_PCAP_DEV) {
986  if (strlen(pcap_dev) == 0) {
987  int ret = LiveBuildDeviceList("pcap");
988  if (ret == 0) {
989  SCLogError("No interface found in config for pcap");
990  SCReturnInt(TM_ECODE_FAILED);
991  }
992  }
993  } else if (runmode == RUNMODE_PLUGIN) {
994  if (strcmp(suricata.capture_plugin_name, "pfring") == 0) {
995  /* Special handling for pfring. */
996  if (strlen(pcap_dev)) {
997  if (ConfSetFinal("pfring.live-interface", pcap_dev) != 1) {
998  SCLogError("Failed to set pfring.live-interface");
999  SCReturnInt(TM_ECODE_FAILED);
1000  }
1001  }
1002  }
1003 #ifdef HAVE_DPDK
1004  } else if (runmode == RUNMODE_DPDK) {
1005  char iface_selector[] = "dpdk.interfaces";
1006  int ret = LiveBuildDeviceList(iface_selector);
1007  if (ret == 0) {
1008  SCLogError("No interface found in config for %s", iface_selector);
1009  SCReturnInt(TM_ECODE_FAILED);
1010  }
1011 #endif
1012 #ifdef HAVE_AF_PACKET
1013  } else if (runmode == RUNMODE_AFP_DEV) {
1014  /* iface has been set on command line */
1015  if (strlen(pcap_dev)) {
1016  if (ConfSetFinal("af-packet.live-interface", pcap_dev) != 1) {
1017  SCLogError("Failed to set af-packet.live-interface");
1018  SCReturnInt(TM_ECODE_FAILED);
1019  }
1020  } else {
1021  int ret = LiveBuildDeviceList("af-packet");
1022  if (ret == 0) {
1023  SCLogError("No interface found in config for af-packet");
1024  SCReturnInt(TM_ECODE_FAILED);
1025  }
1026  }
1027 #endif
1028 #ifdef HAVE_AF_XDP
1029  } else if (runmode == RUNMODE_AFXDP_DEV) {
1030  /* iface has been set on command line */
1031  if (strlen(pcap_dev)) {
1032  if (ConfSetFinal("af-xdp.live-interface", pcap_dev) != 1) {
1033  SCLogError("Failed to set af-xdp.live-interface");
1034  SCReturnInt(TM_ECODE_FAILED);
1035  }
1036  } else {
1037  int ret = LiveBuildDeviceList("af-xdp");
1038  if (ret == 0) {
1039  SCLogError("No interface found in config for af-xdp");
1040  SCReturnInt(TM_ECODE_FAILED);
1041  }
1042  }
1043 #endif
1044 #ifdef HAVE_NETMAP
1045  } else if (runmode == RUNMODE_NETMAP) {
1046  /* iface has been set on command line */
1047  if (strlen(pcap_dev)) {
1048  if (ConfSetFinal("netmap.live-interface", pcap_dev) != 1) {
1049  SCLogError("Failed to set netmap.live-interface");
1050  SCReturnInt(TM_ECODE_FAILED);
1051  }
1052  } else {
1053  int ret = LiveBuildDeviceList("netmap");
1054  if (ret == 0) {
1055  SCLogError("No interface found in config for netmap");
1056  SCReturnInt(TM_ECODE_FAILED);
1057  }
1058  }
1059 #endif
1060 #ifdef HAVE_NFLOG
1061  } else if (runmode == RUNMODE_NFLOG) {
1062  int ret = LiveBuildDeviceListCustom("nflog", "group");
1063  if (ret == 0) {
1064  SCLogError("No group found in config for nflog");
1065  SCReturnInt(TM_ECODE_FAILED);
1066  }
1067 #endif
1068  }
1069 
1070  SCReturnInt(TM_ECODE_OK);
1071 }
1072 
1073 static void SCInstanceInit(SCInstance *suri, const char *progname)
1074 {
1075  memset(suri, 0x00, sizeof(*suri));
1076 
1077  suri->progname = progname;
1078  suri->run_mode = RUNMODE_UNKNOWN;
1079 
1080  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1081  suri->sig_file = NULL;
1082  suri->sig_file_exclusive = false;
1083  suri->pid_filename = NULL;
1084  suri->regex_arg = NULL;
1085 
1086  suri->keyword_info = NULL;
1087  suri->runmode_custom_mode = NULL;
1088 #ifndef OS_WIN32
1089  suri->user_name = NULL;
1090  suri->group_name = NULL;
1091  suri->do_setuid = false;
1092  suri->do_setgid = false;
1093 #endif /* OS_WIN32 */
1094  suri->userid = 0;
1095  suri->groupid = 0;
1096  suri->delayed_detect = 0;
1097  suri->daemon = 0;
1098  suri->offline = 0;
1099  suri->verbose = 0;
1100  /* use -1 as unknown */
1101  suri->checksum_validation = -1;
1102 #if HAVE_DETECT_DISABLED==1
1103  g_detect_disabled = suri->disabled_detect = 1;
1104 #else
1105  g_detect_disabled = suri->disabled_detect = 0;
1106 #endif
1107 }
1108 
1109 const char *GetDocURL(void)
1110 {
1111  const char *prog_ver = GetProgramVersion();
1112  if (strstr(prog_ver, "RELEASE") != NULL) {
1113  return DOC_URL "suricata-" PROG_VER;
1114  }
1115  return DOC_URL "latest";
1116 }
1117 
1118 /** \brief get string with program version
1119  *
1120  * Get the program version as passed to us from AC_INIT
1121  *
1122  * Add 'RELEASE' is no '-dev' in the version. Add the REVISION if passed
1123  * to us.
1124  *
1125  * Possible outputs:
1126  * release: '5.0.1 RELEASE'
1127  * dev with rev: '5.0.1-dev (64a789bbf 2019-10-18)'
1128  * dev w/o rev: '5.0.1-dev'
1129  */
1130 const char *GetProgramVersion(void)
1131 {
1132  if (strstr(PROG_VER, "-dev") == NULL) {
1133  return PROG_VER " RELEASE";
1134  } else {
1135 #ifdef REVISION
1136  return PROG_VER " (" xstr(REVISION) ")";
1137 #else
1138  return PROG_VER;
1139 #endif
1140  }
1141 }
1142 
1143 static TmEcode PrintVersion(void)
1144 {
1145  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
1146  return TM_ECODE_OK;
1147 }
1148 
1149 static TmEcode LogVersion(SCInstance *suri)
1150 {
1151  const char *mode = suri->system ? "SYSTEM" : "USER";
1152  SCLogNotice("This is %s version %s running in %s mode",
1153  PROG_NAME, GetProgramVersion(), mode);
1154  return TM_ECODE_OK;
1155 }
1156 
1157 static void SCSetStartTime(SCInstance *suri)
1158 {
1159  memset(&suri->start_time, 0, sizeof(suri->start_time));
1160  gettimeofday(&suri->start_time, NULL);
1161 }
1162 
1163 static void SCPrintElapsedTime(struct timeval *start_time)
1164 {
1165  if (start_time == NULL)
1166  return;
1167  struct timeval end_time;
1168  memset(&end_time, 0, sizeof(end_time));
1169  gettimeofday(&end_time, NULL);
1170  uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1171  (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1172  SCLogInfo("time elapsed %.3fs", (float)milliseconds/(float)1000);
1173 }
1174 
1175 static int ParseCommandLineAfpacket(SCInstance *suri, const char *in_arg)
1176 {
1177 #ifdef HAVE_AF_PACKET
1178  if (suri->run_mode == RUNMODE_UNKNOWN) {
1179  suri->run_mode = RUNMODE_AFP_DEV;
1180  if (in_arg) {
1181  LiveRegisterDeviceName(in_arg);
1182  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1183  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1184  }
1185  } else if (suri->run_mode == RUNMODE_AFP_DEV) {
1186  if (in_arg) {
1187  LiveRegisterDeviceName(in_arg);
1188  } else {
1189  SCLogInfo("Multiple af-packet option without interface on each is useless");
1190  }
1191  } else {
1192  SCLogError("more than one run mode "
1193  "has been specified");
1194  PrintUsage(suri->progname);
1195  return TM_ECODE_FAILED;
1196  }
1197  return TM_ECODE_OK;
1198 #else
1199  SCLogError("AF_PACKET not enabled. On Linux "
1200  "host, make sure to pass --enable-af-packet to "
1201  "configure when building.");
1202  return TM_ECODE_FAILED;
1203 #endif
1204 }
1205 
1206 static int ParseCommandLineAfxdp(SCInstance *suri, const char *in_arg)
1207 {
1208 #ifdef HAVE_AF_XDP
1209  if (suri->run_mode == RUNMODE_UNKNOWN) {
1210  suri->run_mode = RUNMODE_AFXDP_DEV;
1211  if (in_arg) {
1212  LiveRegisterDeviceName(in_arg);
1213  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1214  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1215  }
1216  } else if (suri->run_mode == RUNMODE_AFXDP_DEV) {
1217  if (in_arg) {
1218  LiveRegisterDeviceName(in_arg);
1219  } else {
1220  SCLogInfo("Multiple af-xdp options without interface on each is useless");
1221  }
1222  } else {
1223  SCLogError("more than one run mode "
1224  "has been specified");
1225  PrintUsage(suri->progname);
1226  return TM_ECODE_FAILED;
1227  }
1228  return TM_ECODE_OK;
1229 #else
1230  SCLogError("AF_XDP not enabled. On Linux "
1231  "host, make sure correct libraries are installed,"
1232  " see documentation for information.");
1233  return TM_ECODE_FAILED;
1234 #endif
1235 }
1236 
1237 static int ParseCommandLineDpdk(SCInstance *suri, const char *in_arg)
1238 {
1239 #ifdef HAVE_DPDK
1240  if (suri->run_mode == RUNMODE_UNKNOWN) {
1241  suri->run_mode = RUNMODE_DPDK;
1242  } else if (suri->run_mode == RUNMODE_DPDK) {
1243  SCLogInfo("Multiple dpdk options have no effect on Suricata");
1244  } else {
1245  SCLogError("more than one run mode "
1246  "has been specified");
1247  PrintUsage(suri->progname);
1248  return TM_ECODE_FAILED;
1249  }
1250  return TM_ECODE_OK;
1251 #else
1252  SCLogError("DPDK not enabled. On Linux "
1253  "host, make sure to pass --enable-dpdk to "
1254  "configure when building.");
1255  return TM_ECODE_FAILED;
1256 #endif
1257 }
1258 
1259 static int ParseCommandLinePcapLive(SCInstance *suri, const char *in_arg)
1260 {
1261 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1262  /* If running on Windows without Npcap, bail early as live capture is not supported. */
1263  FatalError("Live capture not available. To support live capture compile against Npcap.");
1264 #endif
1265  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1266 
1267  if (in_arg != NULL) {
1268  /* some windows shells require escaping of the \ in \Device. Otherwise
1269  * the backslashes are stripped. We put them back here. */
1270  if (strlen(in_arg) > 9 && strncmp(in_arg, "DeviceNPF", 9) == 0) {
1271  snprintf(suri->pcap_dev, sizeof(suri->pcap_dev), "\\Device\\NPF%s", in_arg+9);
1272  } else {
1273  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1274  PcapTranslateIPToDevice(suri->pcap_dev, sizeof(suri->pcap_dev));
1275  }
1276 
1277  if (strcmp(suri->pcap_dev, in_arg) != 0) {
1278  SCLogInfo("translated %s to pcap device %s", in_arg, suri->pcap_dev);
1279  } else if (strlen(suri->pcap_dev) > 0 && isdigit((unsigned char)suri->pcap_dev[0])) {
1280  SCLogError("failed to find a pcap device for IP %s", in_arg);
1281  return TM_ECODE_FAILED;
1282  }
1283  }
1284 
1285  if (suri->run_mode == RUNMODE_UNKNOWN) {
1286  suri->run_mode = RUNMODE_PCAP_DEV;
1287  if (in_arg) {
1288  LiveRegisterDeviceName(suri->pcap_dev);
1289  }
1290  } else if (suri->run_mode == RUNMODE_PCAP_DEV) {
1291  LiveRegisterDeviceName(suri->pcap_dev);
1292  } else {
1293  SCLogError("more than one run mode "
1294  "has been specified");
1295  PrintUsage(suri->progname);
1296  return TM_ECODE_FAILED;
1297  }
1298  return TM_ECODE_OK;
1299 }
1300 
1301 /**
1302  * Helper function to check if log directory is writable
1303  */
1304 static bool IsLogDirectoryWritable(const char* str)
1305 {
1306  if (access(str, W_OK) == 0)
1307  return true;
1308  return false;
1309 }
1310 
1311 extern int g_skip_prefilter;
1312 
1313 TmEcode SCParseCommandLine(int argc, char **argv)
1314 {
1315  SCInstance *suri = &suricata;
1316  int opt;
1317 
1318  int dump_config = 0;
1319  int dump_features = 0;
1320  int list_app_layer_protocols = 0;
1321  int list_unittests = 0;
1322  int list_runmodes = 0;
1323  int list_keywords = 0;
1324  int build_info = 0;
1325  int conf_test = 0;
1326  int engine_analysis = 0;
1327  int ret = TM_ECODE_OK;
1328 
1329 #ifdef UNITTESTS
1330  coverage_unittests = 0;
1331  g_ut_modules = 0;
1332  g_ut_covered = 0;
1333 #endif
1334 
1335  // clang-format off
1336  struct option long_opts[] = {
1337  {"dump-config", 0, &dump_config, 1},
1338  {"dump-features", 0, &dump_features, 1},
1339  {"pfring", optional_argument, 0, 0},
1340  {"pfring-int", required_argument, 0, 0},
1341  {"pfring-cluster-id", required_argument, 0, 0},
1342  {"pfring-cluster-type", required_argument, 0, 0},
1343 #ifdef HAVE_DPDK
1344  {"dpdk", 0, 0, 0},
1345 #endif
1346  {"af-packet", optional_argument, 0, 0},
1347  {"af-xdp", optional_argument, 0, 0},
1348  {"netmap", optional_argument, 0, 0},
1349  {"pcap", optional_argument, 0, 0},
1350  {"pcap-file-continuous", 0, 0, 0},
1351  {"pcap-file-delete", 0, 0, 0},
1352  {"pcap-file-recursive", 0, 0, 0},
1353  {"simulate-ips", 0, 0 , 0},
1354  {"no-random", 0, &g_disable_randomness, 1},
1355  {"strict-rule-keywords", optional_argument, 0, 0},
1356 
1357  {"capture-plugin", required_argument, 0, 0},
1358  {"capture-plugin-args", required_argument, 0, 0},
1359 
1360 #ifdef BUILD_UNIX_SOCKET
1361  {"unix-socket", optional_argument, 0, 0},
1362 #endif
1363  {"pcap-buffer-size", required_argument, 0, 0},
1364  {"unittest-filter", required_argument, 0, 'U'},
1365  {"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1366  {"list-unittests", 0, &list_unittests, 1},
1367  {"list-runmodes", 0, &list_runmodes, 1},
1368  {"list-keywords", optional_argument, &list_keywords, 1},
1369  {"runmode", required_argument, NULL, 0},
1370  {"engine-analysis", 0, &engine_analysis, 1},
1371 #ifdef OS_WIN32
1372  {"service-install", 0, 0, 0},
1373  {"service-remove", 0, 0, 0},
1374  {"service-change-params", 0, 0, 0},
1375 #endif /* OS_WIN32 */
1376  {"pidfile", required_argument, 0, 0},
1377  {"init-errors-fatal", 0, 0, 0},
1378  {"disable-detection", 0, 0, 0},
1379  {"disable-hashing", 0, 0, 0},
1380  {"fatal-unittests", 0, 0, 0},
1381  {"unittests-coverage", 0, &coverage_unittests, 1},
1382  {"user", required_argument, 0, 0},
1383  {"group", required_argument, 0, 0},
1384  {"erf-in", required_argument, 0, 0},
1385  {"dag", required_argument, 0, 0},
1386  {"napatech", 0, 0, 0},
1387  {"build-info", 0, &build_info, 1},
1388  {"data-dir", required_argument, 0, 0},
1389 #ifdef WINDIVERT
1390  {"windivert", required_argument, 0, 0},
1391  {"windivert-forward", required_argument, 0, 0},
1392 #endif
1393 #ifdef HAVE_LIBNET11
1394  {"reject-dev", required_argument, 0, 0},
1395 #endif
1396  {"set", required_argument, 0, 0},
1397 #ifdef HAVE_NFLOG
1398  {"nflog", optional_argument, 0, 0},
1399 #endif
1400  {"simulate-packet-flow-memcap", required_argument, 0, 0},
1401  {"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1402  {"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1403  {"simulate-packet-loss", required_argument, 0, 0},
1404  {"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1405  {"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1406  {"simulate-packet-defrag-memcap", required_argument, 0, 0},
1407  {"simulate-alert-queue-realloc-failure", 0, 0, 0},
1408 
1409  {"qa-skip-prefilter", 0, &g_skip_prefilter, 1 },
1410 
1411  {"include", required_argument, 0, 0},
1412 
1413  {NULL, 0, NULL, 0}
1414  };
1415  // clang-format on
1416 
1417  /* getopt_long stores the option index here. */
1418  int option_index = 0;
1419 
1420  char short_opts[] = "c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1421 
1422  while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1423  switch (opt) {
1424  case 0:
1425  if (strcmp((long_opts[option_index]).name , "pfring") == 0 ||
1426  strcmp((long_opts[option_index]).name , "pfring-int") == 0) {
1427 #ifdef HAVE_PFRING
1428  /* TODO: Which plugin? */
1429  suri->run_mode = RUNMODE_PLUGIN;
1430  suri->capture_plugin_name = "pfring";
1431  if (optarg != NULL) {
1432  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1433  strlcpy(suri->pcap_dev, optarg,
1434  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1435  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1436  LiveRegisterDeviceName(optarg);
1437  }
1438 #else
1439  SCLogError("PF_RING not enabled. Make sure "
1440  "to pass --enable-pfring to configure when building.");
1441  return TM_ECODE_FAILED;
1442 #endif /* HAVE_PFRING */
1443  }
1444  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-id") == 0){
1445 #ifdef HAVE_PFRING
1446  if (ConfSetFinal("pfring.cluster-id", optarg) != 1) {
1447  SCLogError("failed to set pfring.cluster-id");
1448  return TM_ECODE_FAILED;
1449  }
1450 #else
1451  SCLogError("PF_RING not enabled. Make sure "
1452  "to pass --enable-pfring to configure when building.");
1453  return TM_ECODE_FAILED;
1454 #endif /* HAVE_PFRING */
1455  }
1456  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-type") == 0){
1457 #ifdef HAVE_PFRING
1458  if (ConfSetFinal("pfring.cluster-type", optarg) != 1) {
1459  SCLogError("failed to set pfring.cluster-type");
1460  return TM_ECODE_FAILED;
1461  }
1462 #else
1463  SCLogError("PF_RING not enabled. Make sure "
1464  "to pass --enable-pfring to configure when building.");
1465  return TM_ECODE_FAILED;
1466 #endif /* HAVE_PFRING */
1467  }
1468  else if (strcmp((long_opts[option_index]).name , "capture-plugin") == 0){
1469  suri->run_mode = RUNMODE_PLUGIN;
1470  suri->capture_plugin_name = optarg;
1471  }
1472  else if (strcmp((long_opts[option_index]).name , "capture-plugin-args") == 0){
1473  suri->capture_plugin_args = optarg;
1474  } else if (strcmp((long_opts[option_index]).name, "dpdk") == 0) {
1475  if (ParseCommandLineDpdk(suri, optarg) != TM_ECODE_OK) {
1476  return TM_ECODE_FAILED;
1477  }
1478  } else if (strcmp((long_opts[option_index]).name, "af-packet") == 0) {
1479  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1480  return TM_ECODE_FAILED;
1481  }
1482  } else if (strcmp((long_opts[option_index]).name, "af-xdp") == 0) {
1483  if (ParseCommandLineAfxdp(suri, optarg) != TM_ECODE_OK) {
1484  return TM_ECODE_FAILED;
1485  }
1486  } else if (strcmp((long_opts[option_index]).name, "netmap") == 0) {
1487 #ifdef HAVE_NETMAP
1488  if (suri->run_mode == RUNMODE_UNKNOWN) {
1489  suri->run_mode = RUNMODE_NETMAP;
1490  if (optarg) {
1491  LiveRegisterDeviceName(optarg);
1492  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1493  strlcpy(suri->pcap_dev, optarg,
1494  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1495  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1496  }
1497  } else if (suri->run_mode == RUNMODE_NETMAP) {
1498  if (optarg) {
1499  LiveRegisterDeviceName(optarg);
1500  } else {
1501  SCLogInfo("Multiple netmap option without interface on each is useless");
1502  break;
1503  }
1504  } else {
1505  SCLogError("more than one run mode "
1506  "has been specified");
1507  PrintUsage(argv[0]);
1508  return TM_ECODE_FAILED;
1509  }
1510 #else
1511  SCLogError("NETMAP not enabled.");
1512  return TM_ECODE_FAILED;
1513 #endif
1514  } else if (strcmp((long_opts[option_index]).name, "nflog") == 0) {
1515 #ifdef HAVE_NFLOG
1516  if (suri->run_mode == RUNMODE_UNKNOWN) {
1517  suri->run_mode = RUNMODE_NFLOG;
1518  LiveBuildDeviceListCustom("nflog", "group");
1519  }
1520 #else
1521  SCLogError("NFLOG not enabled.");
1522  return TM_ECODE_FAILED;
1523 #endif /* HAVE_NFLOG */
1524  } else if (strcmp((long_opts[option_index]).name, "pcap") == 0) {
1525  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1526  return TM_ECODE_FAILED;
1527  }
1528  } else if (strcmp((long_opts[option_index]).name, "simulate-ips") == 0) {
1529  SCLogInfo("Setting IPS mode");
1530  EngineModeSetIPS();
1531  } else if (strcmp((long_opts[option_index]).name, "init-errors-fatal") == 0) {
1532  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1533  SCLogError("failed to set engine init-failure-fatal");
1534  return TM_ECODE_FAILED;
1535  }
1536 #ifdef BUILD_UNIX_SOCKET
1537  } else if (strcmp((long_opts[option_index]).name , "unix-socket") == 0) {
1538  if (suri->run_mode == RUNMODE_UNKNOWN) {
1539  suri->run_mode = RUNMODE_UNIX_SOCKET;
1540  if (optarg) {
1541  if (ConfSetFinal("unix-command.filename", optarg) != 1) {
1542  SCLogError("failed to set unix-command.filename");
1543  return TM_ECODE_FAILED;
1544  }
1545 
1546  }
1547  } else {
1548  SCLogError("more than one run mode "
1549  "has been specified");
1550  PrintUsage(argv[0]);
1551  return TM_ECODE_FAILED;
1552  }
1553 #endif
1554  }
1555  else if(strcmp((long_opts[option_index]).name, "list-app-layer-protocols") == 0) {
1556  /* listing all supported app layer protocols */
1557  }
1558  else if(strcmp((long_opts[option_index]).name, "list-unittests") == 0) {
1559 #ifdef UNITTESTS
1560  suri->run_mode = RUNMODE_LIST_UNITTEST;
1561 #else
1562  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1563  "configure when building");
1564  return TM_ECODE_FAILED;
1565 #endif /* UNITTESTS */
1566  } else if (strcmp((long_opts[option_index]).name, "list-runmodes") == 0) {
1567  suri->run_mode = RUNMODE_LIST_RUNMODES;
1568  return TM_ECODE_OK;
1569  } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
1570  if (optarg) {
1571  if (strcmp("short",optarg)) {
1572  suri->keyword_info = optarg;
1573  }
1574  }
1575  } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
1576  suri->runmode_custom_mode = optarg;
1577  } else if(strcmp((long_opts[option_index]).name, "engine-analysis") == 0) {
1578  // do nothing for now
1579  }
1580 #ifdef OS_WIN32
1581  else if(strcmp((long_opts[option_index]).name, "service-install") == 0) {
1582  suri->run_mode = RUNMODE_INSTALL_SERVICE;
1583  return TM_ECODE_OK;
1584  }
1585  else if(strcmp((long_opts[option_index]).name, "service-remove") == 0) {
1586  suri->run_mode = RUNMODE_REMOVE_SERVICE;
1587  return TM_ECODE_OK;
1588  }
1589  else if(strcmp((long_opts[option_index]).name, "service-change-params") == 0) {
1590  suri->run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1591  return TM_ECODE_OK;
1592  }
1593 #endif /* OS_WIN32 */
1594  else if(strcmp((long_opts[option_index]).name, "pidfile") == 0) {
1595  suri->pid_filename = SCStrdup(optarg);
1596  if (suri->pid_filename == NULL) {
1597  SCLogError("strdup failed: %s", strerror(errno));
1598  return TM_ECODE_FAILED;
1599  }
1600  }
1601  else if(strcmp((long_opts[option_index]).name, "disable-detection") == 0) {
1602  g_detect_disabled = suri->disabled_detect = 1;
1603  } else if (strcmp((long_opts[option_index]).name, "disable-hashing") == 0) {
1604  g_disable_hashing = true;
1605  } else if (strcmp((long_opts[option_index]).name, "fatal-unittests") == 0) {
1606 #ifdef UNITTESTS
1607  unittests_fatal = 1;
1608 #else
1609  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1610  "configure when building");
1611  return TM_ECODE_FAILED;
1612 #endif /* UNITTESTS */
1613  } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
1614 #ifndef HAVE_LIBCAP_NG
1615  SCLogError("libcap-ng is required to"
1616  " drop privileges, but it was not compiled into Suricata.");
1617  return TM_ECODE_FAILED;
1618 #else
1619  suri->user_name = optarg;
1620  suri->do_setuid = true;
1621 #endif /* HAVE_LIBCAP_NG */
1622  } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
1623 #ifndef HAVE_LIBCAP_NG
1624  SCLogError("libcap-ng is required to"
1625  " drop privileges, but it was not compiled into Suricata.");
1626  return TM_ECODE_FAILED;
1627 #else
1628  suri->group_name = optarg;
1629  suri->do_setgid = true;
1630 #endif /* HAVE_LIBCAP_NG */
1631  } else if (strcmp((long_opts[option_index]).name, "erf-in") == 0) {
1632  suri->run_mode = RUNMODE_ERF_FILE;
1633  if (ConfSetFinal("erf-file.file", optarg) != 1) {
1634  SCLogError("failed to set erf-file.file");
1635  return TM_ECODE_FAILED;
1636  }
1637  } else if (strcmp((long_opts[option_index]).name, "dag") == 0) {
1638 #ifdef HAVE_DAG
1639  if (suri->run_mode == RUNMODE_UNKNOWN) {
1640  suri->run_mode = RUNMODE_DAG;
1641  }
1642  else if (suri->run_mode != RUNMODE_DAG) {
1643  SCLogError("more than one run mode has been specified");
1644  PrintUsage(argv[0]);
1645  return TM_ECODE_FAILED;
1646  }
1647  LiveRegisterDeviceName(optarg);
1648 #else
1649  SCLogError("libdag and a DAG card are required"
1650  " to receive packets using --dag.");
1651  return TM_ECODE_FAILED;
1652 #endif /* HAVE_DAG */
1653  } else if (strcmp((long_opts[option_index]).name, "napatech") == 0) {
1654 #ifdef HAVE_NAPATECH
1655  suri->run_mode = RUNMODE_NAPATECH;
1656 #else
1657  SCLogError("libntapi and a Napatech adapter are required"
1658  " to capture packets using --napatech.");
1659  return TM_ECODE_FAILED;
1660 #endif /* HAVE_NAPATECH */
1661  } else if (strcmp((long_opts[option_index]).name, "pcap-buffer-size") == 0) {
1662 #ifdef HAVE_PCAP_SET_BUFF
1663  if (ConfSetFinal("pcap.buffer-size", optarg) != 1) {
1664  SCLogError("failed to set pcap-buffer-size");
1665  return TM_ECODE_FAILED;
1666  }
1667 #else
1668  SCLogError("The version of libpcap you have"
1669  " doesn't support setting buffer size.");
1670 #endif /* HAVE_PCAP_SET_BUFF */
1671  } else if (strcmp((long_opts[option_index]).name, "build-info") == 0) {
1672  suri->run_mode = RUNMODE_PRINT_BUILDINFO;
1673  return TM_ECODE_OK;
1674  } else if (strcmp((long_opts[option_index]).name, "windivert-forward") == 0) {
1675 #ifdef WINDIVERT
1676  if (suri->run_mode == RUNMODE_UNKNOWN) {
1677  suri->run_mode = RUNMODE_WINDIVERT;
1678  if (WinDivertRegisterQueue(true, optarg) == -1) {
1679  exit(EXIT_FAILURE);
1680  }
1681  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1682  if (WinDivertRegisterQueue(true, optarg) == -1) {
1683  exit(EXIT_FAILURE);
1684  }
1685  } else {
1686  SCLogError("more than one run mode "
1687  "has been specified");
1688  PrintUsage(argv[0]);
1689  exit(EXIT_FAILURE);
1690  }
1691  }
1692  else if(strcmp((long_opts[option_index]).name, "windivert") == 0) {
1693  if (suri->run_mode == RUNMODE_UNKNOWN) {
1694  suri->run_mode = RUNMODE_WINDIVERT;
1695  if (WinDivertRegisterQueue(false, optarg) == -1) {
1696  exit(EXIT_FAILURE);
1697  }
1698  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1699  if (WinDivertRegisterQueue(false, optarg) == -1) {
1700  exit(EXIT_FAILURE);
1701  }
1702  } else {
1703  SCLogError("more than one run mode "
1704  "has been specified");
1705  PrintUsage(argv[0]);
1706  exit(EXIT_FAILURE);
1707  }
1708 #else
1709  SCLogError("WinDivert not enabled. Make sure to pass --enable-windivert to "
1710  "configure when building.");
1711  return TM_ECODE_FAILED;
1712 #endif /* WINDIVERT */
1713  } else if(strcmp((long_opts[option_index]).name, "reject-dev") == 0) {
1714 #ifdef HAVE_LIBNET11
1715  BUG_ON(optarg == NULL); /* for static analysis */
1716  extern char *g_reject_dev;
1717  extern uint16_t g_reject_dev_mtu;
1718  g_reject_dev = optarg;
1719  int mtu = GetIfaceMTU(g_reject_dev);
1720  if (mtu > 0) {
1721  g_reject_dev_mtu = (uint16_t)mtu;
1722  }
1723 #else
1724  SCLogError("Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1725  return TM_ECODE_FAILED;
1726 #endif
1727  }
1728  else if (strcmp((long_opts[option_index]).name, "set") == 0) {
1729  if (optarg != NULL) {
1730  /* Quick validation. */
1731  char *val = strchr(optarg, '=');
1732  if (val == NULL) {
1733  FatalError("Invalid argument for --set, must be key=val.");
1734  }
1735  if (!ConfSetFromString(optarg, 1)) {
1736  FatalError("failed to set configuration value %s", optarg);
1737  }
1738  }
1739  }
1740  else if (strcmp((long_opts[option_index]).name, "pcap-file-continuous") == 0) {
1741  if (ConfSetFinal("pcap-file.continuous", "true") != 1) {
1742  SCLogError("Failed to set pcap-file.continuous");
1743  return TM_ECODE_FAILED;
1744  }
1745  }
1746  else if (strcmp((long_opts[option_index]).name, "pcap-file-delete") == 0) {
1747  if (ConfSetFinal("pcap-file.delete-when-done", "true") != 1) {
1748  SCLogError("Failed to set pcap-file.delete-when-done");
1749  return TM_ECODE_FAILED;
1750  }
1751  }
1752  else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
1753  if (ConfSetFinal("pcap-file.recursive", "true") != 1) {
1754  SCLogError("failed to set pcap-file.recursive");
1755  return TM_ECODE_FAILED;
1756  }
1757  }
1758  else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
1759  if (optarg == NULL) {
1760  SCLogError("no option argument (optarg) for -d");
1761  return TM_ECODE_FAILED;
1762  }
1763 
1764  if (ConfigSetDataDirectory(optarg) != TM_ECODE_OK) {
1765  SCLogError("Failed to set data directory.");
1766  return TM_ECODE_FAILED;
1767  }
1768  if (ConfigCheckDataDirectory(optarg) != TM_ECODE_OK) {
1769  SCLogError("The data directory \"%s\""
1770  " supplied at the command-line (-d %s) doesn't "
1771  "exist. Shutting down the engine.",
1772  optarg, optarg);
1773  return TM_ECODE_FAILED;
1774  }
1775  suri->set_datadir = true;
1776  } else if (strcmp((long_opts[option_index]).name , "strict-rule-keywords") == 0){
1777  if (optarg == NULL) {
1778  suri->strict_rule_parsing_string = SCStrdup("all");
1779  } else {
1780  suri->strict_rule_parsing_string = SCStrdup(optarg);
1781  }
1782  if (suri->strict_rule_parsing_string == NULL) {
1783  FatalError("failed to duplicate 'strict' string");
1784  }
1785  } else if (strcmp((long_opts[option_index]).name, "include") == 0) {
1786  if (suri->additional_configs == NULL) {
1787  suri->additional_configs = SCCalloc(2, sizeof(char *));
1788  if (suri->additional_configs == NULL) {
1789  FatalError(
1790  "Failed to allocate memory for additional configuration files: %s",
1791  strerror(errno));
1792  }
1793  suri->additional_configs[0] = optarg;
1794  } else {
1795  for (int i = 0;; i++) {
1796  if (suri->additional_configs[i] == NULL) {
1797  const char **additional_configs =
1798  SCRealloc(suri->additional_configs, (i + 2) * sizeof(char *));
1799  if (additional_configs == NULL) {
1800  FatalError("Failed to allocate memory for additional configuration "
1801  "files: %s",
1802  strerror(errno));
1803  } else {
1804  suri->additional_configs = additional_configs;
1805  }
1806  suri->additional_configs[i] = optarg;
1807  suri->additional_configs[i + 1] = NULL;
1808  break;
1809  }
1810  }
1811  }
1812  } else {
1813  int r = ExceptionSimulationCommandLineParser(
1814  (long_opts[option_index]).name, optarg);
1815  if (r < 0)
1816  return TM_ECODE_FAILED;
1817  }
1818  break;
1819  case 'c':
1820  suri->conf_filename = optarg;
1821  break;
1822  case 'T':
1823  conf_test = 1;
1824  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1825  SCLogError("failed to set engine init-failure-fatal");
1826  return TM_ECODE_FAILED;
1827  }
1828  break;
1829 #ifndef OS_WIN32
1830  case 'D':
1831  suri->daemon = 1;
1832  break;
1833 #endif /* OS_WIN32 */
1834  case 'h':
1835  suri->run_mode = RUNMODE_PRINT_USAGE;
1836  return TM_ECODE_OK;
1837  case 'i':
1838  if (optarg == NULL) {
1839  SCLogError("no option argument (optarg) for -i");
1840  return TM_ECODE_FAILED;
1841  }
1842 #ifdef HAVE_AF_PACKET
1843  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1844  return TM_ECODE_FAILED;
1845  }
1846 #else /* not afpacket */
1847  /* warn user if netmap is available */
1848 #if defined HAVE_NETMAP
1849  int i = 0;
1850 #ifdef HAVE_NETMAP
1851  i++;
1852 #endif
1853  SCLogWarning("faster capture "
1854  "option%s %s available:"
1855 #ifdef HAVE_NETMAP
1856  " NETMAP (--netmap=%s)"
1857 #endif
1858  ". Use --pcap=%s to suppress this warning",
1859  i == 1 ? "" : "s", i == 1 ? "is" : "are"
1860 #ifdef HAVE_NETMAP
1861  ,
1862  optarg
1863 #endif
1864  ,
1865  optarg);
1866 #endif /* have faster methods */
1867  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1868  return TM_ECODE_FAILED;
1869  }
1870 #endif
1871  break;
1872  case 'l':
1873  if (optarg == NULL) {
1874  SCLogError("no option argument (optarg) for -l");
1875  return TM_ECODE_FAILED;
1876  }
1877 
1878  if (ConfigSetLogDirectory(optarg) != TM_ECODE_OK) {
1879  SCLogError("Failed to set log directory.");
1880  return TM_ECODE_FAILED;
1881  }
1882  if (ConfigCheckLogDirectoryExists(optarg) != TM_ECODE_OK) {
1883  SCLogError("The logging directory \"%s\""
1884  " supplied at the command-line (-l %s) doesn't "
1885  "exist. Shutting down the engine.",
1886  optarg, optarg);
1887  return TM_ECODE_FAILED;
1888  }
1889  if (!IsLogDirectoryWritable(optarg)) {
1890  SCLogError("The logging directory \"%s\""
1891  " supplied at the command-line (-l %s) is not "
1892  "writable. Shutting down the engine.",
1893  optarg, optarg);
1894  return TM_ECODE_FAILED;
1895  }
1896  suri->set_logdir = true;
1897 
1898  break;
1899  case 'q':
1900 #ifdef NFQ
1901  if (suri->run_mode == RUNMODE_UNKNOWN) {
1902  suri->run_mode = RUNMODE_NFQ;
1903  EngineModeSetIPS();
1904  if (NFQParseAndRegisterQueues(optarg) == -1)
1905  return TM_ECODE_FAILED;
1906  } else if (suri->run_mode == RUNMODE_NFQ) {
1907  if (NFQParseAndRegisterQueues(optarg) == -1)
1908  return TM_ECODE_FAILED;
1909  } else {
1910  SCLogError("more than one run mode "
1911  "has been specified");
1912  PrintUsage(argv[0]);
1913  return TM_ECODE_FAILED;
1914  }
1915 #else
1916  SCLogError("NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when "
1917  "building.");
1918  return TM_ECODE_FAILED;
1919 #endif /* NFQ */
1920  break;
1921  case 'd':
1922 #ifdef IPFW
1923  if (suri->run_mode == RUNMODE_UNKNOWN) {
1924  suri->run_mode = RUNMODE_IPFW;
1925  EngineModeSetIPS();
1926  if (IPFWRegisterQueue(optarg) == -1)
1927  return TM_ECODE_FAILED;
1928  } else if (suri->run_mode == RUNMODE_IPFW) {
1929  if (IPFWRegisterQueue(optarg) == -1)
1930  return TM_ECODE_FAILED;
1931  } else {
1932  SCLogError("more than one run mode "
1933  "has been specified");
1934  PrintUsage(argv[0]);
1935  return TM_ECODE_FAILED;
1936  }
1937 #else
1938  SCLogError("IPFW not enabled. Make sure to pass --enable-ipfw to configure when "
1939  "building.");
1940  return TM_ECODE_FAILED;
1941 #endif /* IPFW */
1942  break;
1943  case 'r':
1944  BUG_ON(optarg == NULL); /* for static analysis */
1945  if (suri->run_mode == RUNMODE_UNKNOWN) {
1946  suri->run_mode = RUNMODE_PCAP_FILE;
1947  } else {
1948  SCLogError("more than one run mode "
1949  "has been specified");
1950  PrintUsage(argv[0]);
1951  return TM_ECODE_FAILED;
1952  }
1953  SCStat buf;
1954  if (SCStatFn(optarg, &buf) != 0) {
1955  SCLogError("pcap file '%s': %s", optarg, strerror(errno));
1956  return TM_ECODE_FAILED;
1957  }
1958  if (ConfSetFinal("pcap-file.file", optarg) != 1) {
1959  SCLogError("ERROR: Failed to set pcap-file.file\n");
1960  return TM_ECODE_FAILED;
1961  }
1962 
1963  break;
1964  case 's':
1965  if (suri->sig_file != NULL) {
1966  SCLogError("can't have multiple -s options or mix -s and -S.");
1967  return TM_ECODE_FAILED;
1968  }
1969  suri->sig_file = optarg;
1970  break;
1971  case 'S':
1972  if (suri->sig_file != NULL) {
1973  SCLogError("can't have multiple -S options or mix -s and -S.");
1974  return TM_ECODE_FAILED;
1975  }
1976  suri->sig_file = optarg;
1977  suri->sig_file_exclusive = true;
1978  break;
1979  case 'u':
1980 #ifdef UNITTESTS
1981  if (suri->run_mode == RUNMODE_UNKNOWN) {
1982  suri->run_mode = RUNMODE_UNITTEST;
1983  } else {
1984  SCLogError("more than one run mode has"
1985  " been specified");
1986  PrintUsage(argv[0]);
1987  return TM_ECODE_FAILED;
1988  }
1989 #else
1990  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to configure "
1991  "when building.");
1992  return TM_ECODE_FAILED;
1993 #endif /* UNITTESTS */
1994  break;
1995  case 'U':
1996 #ifdef UNITTESTS
1997  suri->regex_arg = optarg;
1998 
1999  if(strlen(suri->regex_arg) == 0)
2000  suri->regex_arg = NULL;
2001 #endif
2002  break;
2003  case 'V':
2004  suri->run_mode = RUNMODE_PRINT_VERSION;
2005  return TM_ECODE_OK;
2006  case 'F':
2007  if (optarg == NULL) {
2008  SCLogError("no option argument (optarg) for -F");
2009  return TM_ECODE_FAILED;
2010  }
2011 
2012  SetBpfStringFromFile(optarg);
2013  break;
2014  case 'v':
2015  suri->verbose++;
2016  break;
2017  case 'k':
2018  if (optarg == NULL) {
2019  SCLogError("no option argument (optarg) for -k");
2020  return TM_ECODE_FAILED;
2021  }
2022  if (!strcmp("all", optarg))
2023  suri->checksum_validation = 1;
2024  else if (!strcmp("none", optarg))
2025  suri->checksum_validation = 0;
2026  else {
2027  SCLogError("option '%s' invalid for -k", optarg);
2028  return TM_ECODE_FAILED;
2029  }
2030  break;
2031  default:
2032  PrintUsage(argv[0]);
2033  return TM_ECODE_FAILED;
2034  }
2035  }
2036 
2037  if (suri->disabled_detect && suri->sig_file != NULL) {
2038  SCLogError("can't use -s/-S when detection is disabled");
2039  return TM_ECODE_FAILED;
2040  }
2041 
2042  /* save the runmode from the command-line (if any) */
2043  suri->aux_run_mode = suri->run_mode;
2044 
2045  if (list_app_layer_protocols)
2046  suri->run_mode = RUNMODE_LIST_APP_LAYERS;
2047  if (list_keywords)
2048  suri->run_mode = RUNMODE_LIST_KEYWORDS;
2049  if (list_unittests)
2050  suri->run_mode = RUNMODE_LIST_UNITTEST;
2051  if (dump_config)
2052  suri->run_mode = RUNMODE_DUMP_CONFIG;
2053  if (dump_features)
2054  suri->run_mode = RUNMODE_DUMP_FEATURES;
2055  if (conf_test)
2056  suri->run_mode = RUNMODE_CONF_TEST;
2057  if (engine_analysis)
2058  suri->run_mode = RUNMODE_ENGINE_ANALYSIS;
2059 
2060  suri->offline = IsRunModeOffline(suri->run_mode);
2061  g_system = suri->system = IsRunModeSystem(suri->run_mode);
2062 
2063  ret = SetBpfString(optind, argv);
2064  if (ret != TM_ECODE_OK)
2065  return ret;
2066 
2067  return TM_ECODE_OK;
2068 }
2069 
2070 #ifdef OS_WIN32
2071 int WindowsInitService(int argc, char **argv)
2072 {
2073  if (SCRunningAsService()) {
2074  char path[MAX_PATH];
2075  char *p = NULL;
2076  strlcpy(path, argv[0], MAX_PATH);
2077  if ((p = strrchr(path, '\\'))) {
2078  *p = '\0';
2079  }
2080  if (!SetCurrentDirectory(path)) {
2081  SCLogError("Can't set current directory to: %s", path);
2082  return -1;
2083  }
2084  SCLogInfo("Current directory is set to: %s", path);
2085  SCServiceInit(argc, argv);
2086  }
2087 
2088  /* Windows socket subsystem initialization */
2089  WSADATA wsaData;
2090  if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2091  SCLogError("Can't initialize Windows sockets: %d", WSAGetLastError());
2092  return -1;
2093  }
2094 
2095  return 0;
2096 }
2097 #endif /* OS_WIN32 */
2098 
2099 static int MayDaemonize(SCInstance *suri)
2100 {
2101  if (suri->daemon == 1 && suri->pid_filename == NULL) {
2102  const char *pid_filename;
2103 
2104  if (ConfGet("pid-file", &pid_filename) == 1) {
2105  SCLogInfo("Use pid file %s from config file.", pid_filename);
2106  } else {
2107  pid_filename = DEFAULT_PID_FILENAME;
2108  }
2109  /* The pid file name may be in config memory, but is needed later. */
2110  suri->pid_filename = SCStrdup(pid_filename);
2111  if (suri->pid_filename == NULL) {
2112  SCLogError("strdup failed: %s", strerror(errno));
2113  return TM_ECODE_FAILED;
2114  }
2115  }
2116 
2117  if (suri->pid_filename != NULL && SCPidfileTestRunning(suri->pid_filename) != 0) {
2118  SCFree(suri->pid_filename);
2119  suri->pid_filename = NULL;
2120  return TM_ECODE_FAILED;
2121  }
2122 
2123  if (suri->daemon == 1) {
2124  Daemonize();
2125  }
2126 
2127  if (suri->pid_filename != NULL) {
2128  if (SCPidfileCreate(suri->pid_filename) != 0) {
2129  SCFree(suri->pid_filename);
2130  suri->pid_filename = NULL;
2131  SCLogError("Unable to create PID file, concurrent run of"
2132  " Suricata can occur.");
2133  SCLogError("PID file creation WILL be mandatory for daemon mode"
2134  " in future version");
2135  }
2136  }
2137 
2138  return TM_ECODE_OK;
2139 }
2140 
2141 /* Initialize the user and group Suricata is to run as. */
2142 static int InitRunAs(SCInstance *suri)
2143 {
2144 #ifndef OS_WIN32
2145  /* Try to get user/group to run suricata as if
2146  command line as not decide of that */
2147  if (!suri->do_setuid && !suri->do_setgid) {
2148  const char *id;
2149  if (ConfGet("run-as.user", &id) == 1) {
2150  suri->do_setuid = true;
2151  suri->user_name = id;
2152  }
2153  if (ConfGet("run-as.group", &id) == 1) {
2154  suri->do_setgid = true;
2155  suri->group_name = id;
2156  }
2157  }
2158  /* Get the suricata user ID to given user ID */
2159  if (suri->do_setuid) {
2160  SCGetUserID(suri->user_name, suri->group_name, &suri->userid, &suri->groupid);
2161  sc_set_caps = true;
2162  /* Get the suricata group ID to given group ID */
2163  } else if (suri->do_setgid) {
2164  SCGetGroupID(suri->group_name, &suri->groupid);
2165  sc_set_caps = true;
2166  }
2167 #endif
2168  return TM_ECODE_OK;
2169 }
2170 
2171 static int InitSignalHandler(SCInstance *suri)
2172 {
2173  /* registering signals we use */
2174 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2175  UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint);
2176  UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm);
2177 #if HAVE_LIBUNWIND
2178  int enabled;
2179  if (ConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) {
2180  enabled = 1;
2181  }
2182 
2183  if (enabled) {
2184  SCLogInfo("Preparing unexpected signal handling");
2185  struct sigaction stacktrace_action;
2186  memset(&stacktrace_action, 0, sizeof(stacktrace_action));
2187  stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2188  stacktrace_action.sa_flags = SA_SIGINFO;
2189  sigaction(SIGSEGV, &stacktrace_action, NULL);
2190  sigaction(SIGABRT, &stacktrace_action, NULL);
2191  }
2192 #endif /* HAVE_LIBUNWIND */
2193 #endif
2194 #ifndef OS_WIN32
2195  UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup);
2196  UtilSignalHandlerSetup(SIGPIPE, SIG_IGN);
2197  UtilSignalHandlerSetup(SIGSYS, SIG_IGN);
2198 #endif /* OS_WIN32 */
2199 
2200  return TM_ECODE_OK;
2201 }
2202 
2203 /* initialization code for both the main modes and for
2204  * unix socket mode.
2205  *
2206  * Will be run once per pcap in unix-socket mode */
2207 void PreRunInit(const int runmode)
2208 {
2209  HttpRangeContainersInit();
2210  if (runmode == RUNMODE_UNIX_SOCKET)
2211  return;
2212 
2213  StatsInit();
2214 #ifdef PROFILE_RULES
2215  SCProfilingRulesGlobalInit();
2216 #endif
2217 #ifdef PROFILING
2218  SCProfilingKeywordsGlobalInit();
2219  SCProfilingPrefilterGlobalInit();
2220  SCProfilingSghsGlobalInit();
2221 #endif /* PROFILING */
2222 #ifdef PROFILE_RULES
2223  SCProfilingInit();
2224 #endif
2225  DefragInit();
2226  FlowInitConfig(FLOW_QUIET);
2227  IPPairInitConfig(FLOW_QUIET);
2228  StreamTcpInitConfig(STREAM_VERBOSE);
2229  AppLayerParserPostStreamSetup();
2230  AppLayerRegisterGlobalCounters();
2231  OutputFilestoreRegisterGlobalCounters();
2232 }
2233 
2234 /* tasks we need to run before packets start flowing,
2235  * but after we dropped privs */
2236 void PreRunPostPrivsDropInit(const int runmode)
2237 {
2238  StatsSetupPostConfigPreOutput();
2239  RunModeInitializeOutputs();
2240  DatasetsInit();
2241 
2242  if (runmode == RUNMODE_UNIX_SOCKET) {
2243  /* As the above did some necessary startup initialization, it
2244  * also setup some outputs where only one is allowed, so
2245  * deinitialize to the state that unix-mode does after every
2246  * pcap. */
2247  PostRunDeinit(RUNMODE_PCAP_FILE, NULL);
2248  return;
2249  }
2250 
2251  StatsSetupPostConfigPostOutput();
2252 }
2253 
2254 /* clean up / shutdown code for both the main modes and for
2255  * unix socket mode.
2256  *
2257  * Will be run once per pcap in unix-socket mode */
2258 void PostRunDeinit(const int runmode, struct timeval *start_time)
2259 {
2260  if (runmode == RUNMODE_UNIX_SOCKET)
2261  return;
2262 
2263  /* needed by FlowWorkToDoCleanup */
2264  PacketPoolInit();
2265 
2266  /* handle graceful shutdown of the flow engine, it's helper
2267  * threads and the packet threads */
2268  FlowDisableFlowManagerThread();
2269  TmThreadDisableReceiveThreads();
2270  FlowWorkToDoCleanup();
2271  TmThreadDisablePacketThreads();
2272  SCPrintElapsedTime(start_time);
2273  FlowDisableFlowRecyclerThread();
2274 
2275  /* kill the stats threads */
2276  TmThreadKillThreadsFamily(TVT_MGMT);
2277  TmThreadClearThreadsFamily(TVT_MGMT);
2278 
2279  /* kill packet threads -- already in 'disabled' state */
2280  TmThreadKillThreadsFamily(TVT_PPT);
2281  TmThreadClearThreadsFamily(TVT_PPT);
2282 
2283  PacketPoolDestroy();
2284 
2285  /* mgt and ppt threads killed, we can run non thread-safe
2286  * shutdown functions */
2287  StatsReleaseResources();
2288  DecodeUnregisterCounters();
2289  RunModeShutDown();
2290  FlowShutdown();
2291  IPPairShutdown();
2292  HostCleanup();
2293  StreamTcpFreeConfig(STREAM_VERBOSE);
2294  DefragDestroy();
2295  HttpRangeContainersDestroy();
2296 
2297  TmqResetQueues();
2298 #ifdef PROFILING
2299  if (profiling_rules_enabled)
2300  SCProfilingDump();
2301  SCProfilingDestroy();
2302 #endif
2303 }
2304 
2305 int SCStartInternalRunMode(int argc, char **argv)
2306 {
2307  SCInstance *suri = &suricata;
2308  /* Treat internal running mode */
2309  switch (suri->run_mode) {
2310  case RUNMODE_LIST_KEYWORDS:
2311  return ListKeywords(suri->keyword_info);
2312  case RUNMODE_LIST_APP_LAYERS:
2313  if (suri->conf_filename != NULL) {
2314  return ListAppLayerProtocols(suri->conf_filename);
2315  } else {
2316  return ListAppLayerProtocols(DEFAULT_CONF_FILE);
2317  }
2318  case RUNMODE_PRINT_VERSION:
2319  PrintVersion();
2320  return TM_ECODE_DONE;
2321  case RUNMODE_PRINT_BUILDINFO:
2322  PrintBuildInfo();
2323  return TM_ECODE_DONE;
2324  case RUNMODE_PRINT_USAGE:
2325  PrintUsage(argv[0]);
2326  return TM_ECODE_DONE;
2327  case RUNMODE_LIST_RUNMODES:
2328  RunModeListRunmodes();
2329  return TM_ECODE_DONE;
2330  case RUNMODE_LIST_UNITTEST:
2331  RunUnittests(1, suri->regex_arg);
2332  case RUNMODE_UNITTEST:
2333  RunUnittests(0, suri->regex_arg);
2334 #ifdef OS_WIN32
2335  case RUNMODE_INSTALL_SERVICE:
2336  if (SCServiceInstall(argc, argv)) {
2337  return TM_ECODE_FAILED;
2338  }
2339  SCLogInfo("Suricata service has been successfully installed.");
2340  return TM_ECODE_DONE;
2341  case RUNMODE_REMOVE_SERVICE:
2342  if (SCServiceRemove()) {
2343  return TM_ECODE_FAILED;
2344  }
2345  SCLogInfo("Suricata service has been successfully removed.");
2346  return TM_ECODE_DONE;
2347  case RUNMODE_CHANGE_SERVICE_PARAMS:
2348  if (SCServiceChangeParams(argc, argv)) {
2349  return TM_ECODE_FAILED;
2350  }
2351  SCLogInfo("Suricata service startup parameters has been successfully changed.");
2352  return TM_ECODE_DONE;
2353 #endif /* OS_WIN32 */
2354  default:
2355  /* simply continue for other running mode */
2356  break;
2357  }
2358  return TM_ECODE_OK;
2359 }
2360 
2361 int SCFinalizeRunMode(void)
2362 {
2363  SCInstance *suri = &suricata;
2364  switch (suri->run_mode) {
2365  case RUNMODE_UNKNOWN:
2366  PrintUsage(suri->progname);
2367  return TM_ECODE_FAILED;
2368  default:
2369  break;
2370  }
2371 
2372  if (!CheckValidDaemonModes(suri->daemon, suri->run_mode)) {
2373  return TM_ECODE_FAILED;
2374  }
2375 
2376  return TM_ECODE_OK;
2377 }
2378 
2379 static void SetupDelayedDetect(SCInstance *suri)
2380 {
2381  /* In offline mode delayed init of detect is a bad idea */
2382  if (suri->offline) {
2383  suri->delayed_detect = 0;
2384  } else {
2385  if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
2386  ConfNode *denode = NULL;
2387  ConfNode *decnf = ConfGetNode("detect-engine");
2388  if (decnf != NULL) {
2389  TAILQ_FOREACH(denode, &decnf->head, next) {
2390  if (strcmp(denode->val, "delayed-detect") == 0) {
2391  (void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
2392  }
2393  }
2394  }
2395  }
2396  }
2397 
2398  SCLogConfig("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled");
2399  if (suri->delayed_detect) {
2400  SCLogInfo("Packets will start being processed before signatures are active.");
2401  }
2402 
2403 }
2404 
2405 static int LoadSignatures(DetectEngineCtx *de_ctx, SCInstance *suri)
2406 {
2407  if (SigLoadSignatures(de_ctx, suri->sig_file, suri->sig_file_exclusive) < 0) {
2408  SCLogError("Loading signatures failed.");
2409  if (de_ctx->failure_fatal)
2410  return TM_ECODE_FAILED;
2411  }
2412 
2413  return TM_ECODE_OK;
2414 }
2415 
2416 static int ConfigGetCaptureValue(SCInstance *suri)
2417 {
2418  /* Pull the max pending packets from the config, if not found fall
2419  * back on a sane default. */
2420  intmax_t tmp_max_pending_packets;
2421  if (ConfGetInt("max-pending-packets", &tmp_max_pending_packets) != 1)
2422  tmp_max_pending_packets = DEFAULT_MAX_PENDING_PACKETS;
2423  if (tmp_max_pending_packets < 1 || tmp_max_pending_packets >= UINT16_MAX) {
2424  SCLogError("Maximum max-pending-packets setting is 65534 and must be greater than 0. "
2425  "Please check %s for errors",
2426  suri->conf_filename);
2427  return TM_ECODE_FAILED;
2428  } else {
2429  max_pending_packets = (uint16_t)tmp_max_pending_packets;
2430  }
2431 
2432  SCLogDebug("Max pending packets set to %" PRIu16, max_pending_packets);
2433 
2434  /* Pull the default packet size from the config, if not found fall
2435  * back on a sane default. */
2436  const char *temp_default_packet_size;
2437  if ((ConfGet("default-packet-size", &temp_default_packet_size)) != 1) {
2438  int lthread;
2439  int nlive;
2440  int strip_trailing_plus = 0;
2441  switch (suri->run_mode) {
2442 #ifdef WINDIVERT
2443  case RUNMODE_WINDIVERT: {
2444  /* by default, WinDivert collects from all devices */
2445  const int mtu = GetGlobalMTUWin32();
2446 
2447  if (mtu > 0) {
2448  /* SLL_HEADER_LEN is the longest header + 8 for VLAN */
2449  default_packet_size = mtu + SLL_HEADER_LEN + 8;
2450  break;
2451  }
2452  default_packet_size = DEFAULT_PACKET_SIZE;
2453  break;
2454  }
2455 #endif /* WINDIVERT */
2456  case RUNMODE_NETMAP:
2457  /* in netmap igb0+ has a special meaning, however the
2458  * interface really is igb0 */
2459  strip_trailing_plus = 1;
2460  /* fall through */
2461  case RUNMODE_PLUGIN:
2462  case RUNMODE_PCAP_DEV:
2463  case RUNMODE_AFP_DEV:
2464  case RUNMODE_AFXDP_DEV:
2465  nlive = LiveGetDeviceCount();
2466  for (lthread = 0; lthread < nlive; lthread++) {
2467  const char *live_dev = LiveGetDeviceName(lthread);
2468  char dev[128]; /* need to be able to support GUID names on Windows */
2469  (void)strlcpy(dev, live_dev, sizeof(dev));
2470 
2471  if (strip_trailing_plus) {
2472  size_t len = strlen(dev);
2473  if (len &&
2474  (dev[len-1] == '+' ||
2475  dev[len-1] == '^' ||
2476  dev[len-1] == '*'))
2477  {
2478  dev[len-1] = '\0';
2479  }
2480  }
2481  LiveDevice *ld = LiveGetDevice(dev);
2482  unsigned int iface_max_packet_size = GetIfaceMaxPacketSize(ld);
2483  if (iface_max_packet_size > default_packet_size)
2484  default_packet_size = iface_max_packet_size;
2485  }
2486  if (default_packet_size)
2487  break;
2488  /* fall through */
2489  default:
2490  default_packet_size = DEFAULT_PACKET_SIZE;
2491  }
2492  } else {
2493  if (ParseSizeStringU32(temp_default_packet_size, &default_packet_size) < 0) {
2494  SCLogError("Error parsing max-pending-packets "
2495  "from conf file - %s. Killing engine",
2496  temp_default_packet_size);
2497  return TM_ECODE_FAILED;
2498  }
2499  }
2500 
2501  SCLogDebug("Default packet size set to %"PRIu32, default_packet_size);
2502 
2503  return TM_ECODE_OK;
2504 }
2505 
2506 static void PostRunStartedDetectSetup(const SCInstance *suri)
2507 {
2508 #ifndef OS_WIN32
2509  /* registering signal handlers we use. We setup usr2 here, so that one
2510  * can't call it during the first sig load phase or while threads are still
2511  * starting up. */
2512  if (DetectEngineEnabled() && suri->delayed_detect == 0) {
2513  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2514  UtilSignalUnblock(SIGUSR2);
2515  }
2516 #endif
2517  if (suri->delayed_detect) {
2518  /* force 'reload', this will load the rules and swap engines */
2519  DetectEngineReload(suri);
2520  SCLogNotice("Signature(s) loaded, Detect thread(s) activated.");
2521 #ifndef OS_WIN32
2522  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2523  UtilSignalUnblock(SIGUSR2);
2524 #endif
2525  }
2526 }
2527 
2528 void PostConfLoadedDetectSetup(SCInstance *suri)
2529 {
2530  DetectEngineCtx *de_ctx = NULL;
2531  if (!suri->disabled_detect) {
2532  SetupDelayedDetect(suri);
2533  int mt_enabled = 0;
2534  (void)ConfGetBool("multi-detect.enabled", &mt_enabled);
2535  int default_tenant = 0;
2536  if (mt_enabled)
2537  (void)ConfGetBool("multi-detect.default", &default_tenant);
2538  if (DetectEngineMultiTenantSetup(suri->unix_socket_enabled) == -1) {
2539  FatalError("initializing multi-detect "
2540  "detection engine contexts failed.");
2541  }
2542  if (suri->delayed_detect && suri->run_mode != RUNMODE_CONF_TEST) {
2543  de_ctx = DetectEngineCtxInitStubForDD();
2544  } else if (mt_enabled && !default_tenant && suri->run_mode != RUNMODE_CONF_TEST) {
2545  de_ctx = DetectEngineCtxInitStubForMT();
2546  } else {
2547  de_ctx = DetectEngineCtxInit();
2548  }
2549  if (de_ctx == NULL) {
2550  FatalError("initializing detection engine failed.");
2551  }
2552 
2553  if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL) {
2554  if (LoadSignatures(de_ctx, suri) != TM_ECODE_OK)
2555  exit(EXIT_FAILURE);
2556  }
2557 
2558  gettimeofday(&de_ctx->last_reload, NULL);
2559  DetectEngineAddToMaster(de_ctx);
2560  DetectEngineBumpVersion();
2561  }
2562 }
2563 
2564 static void PostConfLoadedSetupHostMode(void)
2565 {
2566  const char *hostmode = NULL;
2567 
2568  if (ConfGet("host-mode", &hostmode) == 1) {
2569  if (!strcmp(hostmode, "router")) {
2570  host_mode = SURI_HOST_IS_ROUTER;
2571  } else if (!strcmp(hostmode, "sniffer-only")) {
2572  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2573  } else {
2574  if (strcmp(hostmode, "auto") != 0) {
2575  WarnInvalidConfEntry("host-mode", "%s", "auto");
2576  }
2577  if (EngineModeIsIPS()) {
2578  host_mode = SURI_HOST_IS_ROUTER;
2579  } else {
2580  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2581  }
2582  }
2583  } else {
2584  if (EngineModeIsIPS()) {
2585  host_mode = SURI_HOST_IS_ROUTER;
2586  SCLogInfo("No 'host-mode': suricata is in IPS mode, using "
2587  "default setting 'router'");
2588  } else {
2589  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2590  SCLogInfo("No 'host-mode': suricata is in IDS mode, using "
2591  "default setting 'sniffer-only'");
2592  }
2593  }
2594 }
2595 
2596 static void SetupUserMode(SCInstance *suri)
2597 {
2598  /* apply 'user mode' config updates here */
2599  if (suri->system == false) {
2600  if (suri->set_logdir == false) {
2601  /* override log dir to current work dir" */
2602  if (ConfigSetLogDirectory((char *)".") != TM_ECODE_OK) {
2603  FatalError("could not set USER mode logdir");
2604  }
2605  }
2606  if (suri->set_datadir == false) {
2607  /* override data dir to current work dir" */
2608  if (ConfigSetDataDirectory((char *)".") != TM_ECODE_OK) {
2609  FatalError("could not set USER mode datadir");
2610  }
2611  }
2612  }
2613 }
2614 
2615 /**
2616  * This function is meant to contain code that needs
2617  * to be run once the configuration has been loaded.
2618  */
2619 int PostConfLoadedSetup(SCInstance *suri)
2620 {
2621  /* load the pattern matchers */
2622  MpmTableSetup();
2623  SpmTableSetup();
2624 
2625  int disable_offloading;
2626  if (ConfGetBool("capture.disable-offloading", &disable_offloading) == 0)
2627  disable_offloading = 1;
2628  if (disable_offloading) {
2629  LiveSetOffloadDisable();
2630  } else {
2631  LiveSetOffloadWarn();
2632  }
2633 
2634  if (suri->checksum_validation == -1) {
2635  const char *cv = NULL;
2636  if (ConfGet("capture.checksum-validation", &cv) == 1) {
2637  if (strcmp(cv, "none") == 0) {
2638  suri->checksum_validation = 0;
2639  } else if (strcmp(cv, "all") == 0) {
2640  suri->checksum_validation = 1;
2641  }
2642  }
2643  }
2644  switch (suri->checksum_validation) {
2645  case 0:
2646  ConfSet("stream.checksum-validation", "0");
2647  break;
2648  case 1:
2649  ConfSet("stream.checksum-validation", "1");
2650  break;
2651  }
2652 
2653  if (suri->runmode_custom_mode) {
2654  ConfSet("runmode", suri->runmode_custom_mode);
2655  }
2656 
2657  StorageInit();
2658 #ifdef HAVE_PACKET_EBPF
2659  if (suri->run_mode == RUNMODE_AFP_DEV) {
2660  EBPFRegisterExtension();
2661  LiveDevRegisterExtension();
2662  }
2663 #endif
2664  RegisterFlowBypassInfo();
2665 
2666  MacSetRegisterFlowStorage();
2667 
2668 #ifdef HAVE_PLUGINS
2669  SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
2670 #endif
2671 
2672  LiveDeviceFinalize(); // must be after EBPF extension registration
2673 
2674  if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
2675  suricata.capture_plugin_name) < 0) {
2676  FatalError("IPS mode setup failed");
2677  }
2678 
2679  if (EngineModeIsUnknown()) { // if still uninitialized, set the default
2680  SCLogInfo("Setting engine mode to IDS mode by default");
2681  EngineModeSetIDS();
2682  }
2683 
2684  SetMasterExceptionPolicy();
2685 
2686  ConfNode *eps = ConfGetNode("stats.exception-policy");
2687  if (eps != NULL) {
2688  if (ConfNodeChildValueIsTrue(eps, "per-app-proto-errors")) {
2689  g_stats_eps_per_app_proto_errors = true;
2690  }
2691  }
2692 
2693  /* Must occur prior to output mod registration
2694  and app layer setup. */
2695  FeatureTrackingRegister();
2696 
2697  AppLayerSetup();
2698 
2699  /* Suricata will use this umask if provided. By default it will use the
2700  umask passed on from the shell. */
2701  const char *custom_umask;
2702  if (ConfGet("umask", &custom_umask) == 1) {
2703  uint16_t mask;
2704  if (StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2705  umask((mode_t)mask);
2706  }
2707  }
2708 
2709 
2710  if (ConfigGetCaptureValue(suri) != TM_ECODE_OK) {
2711  SCReturnInt(TM_ECODE_FAILED);
2712  }
2713 
2714 #ifdef NFQ
2715  if (suri->run_mode == RUNMODE_NFQ)
2716  NFQInitConfig(false);
2717 #endif
2718 
2719  /* Load the Host-OS lookup. */
2720  SCHInfoLoadFromConfig();
2721 
2722  if (suri->run_mode == RUNMODE_ENGINE_ANALYSIS) {
2723  SCLogInfo("== Carrying out Engine Analysis ==");
2724  const char *temp = NULL;
2725  if (ConfGet("engine-analysis", &temp) == 0) {
2726  SCLogInfo("no engine-analysis parameter(s) defined in conf file. "
2727  "Please define/enable them in the conf to use this "
2728  "feature.");
2729  SCReturnInt(TM_ECODE_FAILED);
2730  }
2731  }
2732 
2733  /* hardcoded initialization code */
2734  SigTableSetup(); /* load the rule keywords */
2735  SigTableApplyStrictCommandLineOption(suri->strict_rule_parsing_string);
2736  TmqhSetup();
2737 
2738  TagInitCtx();
2739  PacketAlertTagInit();
2740  ThresholdInit();
2741  HostBitInitCtx();
2742  IPPairBitInitCtx();
2743 
2744  if (DetectAddressTestConfVars() < 0) {
2745  SCLogError(
2746  "basic address vars test failed. Please check %s for errors", suri->conf_filename);
2747  SCReturnInt(TM_ECODE_FAILED);
2748  }
2749  if (DetectPortTestConfVars() < 0) {
2750  SCLogError("basic port vars test failed. Please check %s for errors", suri->conf_filename);
2751  SCReturnInt(TM_ECODE_FAILED);
2752  }
2753 
2754  RegisterAllModules();
2755  AppLayerHtpNeedFileInspection();
2756 
2757  StorageFinalize();
2758 
2759  TmModuleRunInit();
2760 
2761  if (MayDaemonize(suri) != TM_ECODE_OK)
2762  SCReturnInt(TM_ECODE_FAILED);
2763 
2764  if (InitSignalHandler(suri) != TM_ECODE_OK)
2765  SCReturnInt(TM_ECODE_FAILED);
2766 
2767  /* Check for the existence of the default logging directory which we pick
2768  * from suricata.yaml. If not found, shut the engine down */
2769  suri->log_dir = ConfigGetLogDirectory();
2770 
2771  if (ConfigCheckLogDirectoryExists(suri->log_dir) != TM_ECODE_OK) {
2772  SCLogError("The logging directory \"%s\" "
2773  "supplied by %s (default-log-dir) doesn't exist. "
2774  "Shutting down the engine",
2775  suri->log_dir, suri->conf_filename);
2776  SCReturnInt(TM_ECODE_FAILED);
2777  }
2778  if (!IsLogDirectoryWritable(suri->log_dir)) {
2779  SCLogError("The logging directory \"%s\" "
2780  "supplied by %s (default-log-dir) is not writable. "
2781  "Shutting down the engine",
2782  suri->log_dir, suri->conf_filename);
2783  SCReturnInt(TM_ECODE_FAILED);
2784  }
2785 
2786  if (suri->disabled_detect) {
2787  SCLogConfig("detection engine disabled");
2788  /* disable raw reassembly */
2789  (void)ConfSetFinal("stream.reassembly.raw", "false");
2790  }
2791 
2792  HostInitConfig(HOST_VERBOSE);
2793 
2794  CoredumpLoadConfig();
2795 
2796  DecodeGlobalConfig();
2797 
2798  /* hostmode depends on engine mode being set */
2799  PostConfLoadedSetupHostMode();
2800 
2801  PreRunInit(suri->run_mode);
2802 
2803  SCReturnInt(TM_ECODE_OK);
2804 }
2805 
2806 void SuricataMainLoop(void)
2807 {
2808  SCInstance *suri = &suricata;
2809  while(1) {
2810  if (sigterm_count || sigint_count) {
2811  suricata_ctl_flags |= SURICATA_STOP;
2812  }
2813 
2814  if (suricata_ctl_flags & SURICATA_STOP) {
2815  SCLogNotice("Signal Received. Stopping engine.");
2816  break;
2817  }
2818 
2819  TmThreadCheckThreadState();
2820 
2821  if (sighup_count > 0) {
2822  OutputNotifyFileRotation();
2823  sighup_count--;
2824  }
2825 
2826  if (sigusr2_count > 0) {
2827  if (!(DetectEngineReloadIsStart())) {
2828  DetectEngineReloadStart();
2829  DetectEngineReload(suri);
2830  DetectEngineReloadSetIdle();
2831  sigusr2_count--;
2832  }
2833 
2834  } else if (DetectEngineReloadIsStart()) {
2835  DetectEngineReload(suri);
2836  DetectEngineReloadSetIdle();
2837  }
2838 
2839  usleep(10* 1000);
2840  }
2841 }
2842 
2843 /**
2844  * \brief Global initialization common to all runmodes.
2845  *
2846  * This can be used by fuzz targets.
2847  */
2848 
2849 int InitGlobal(void)
2850 {
2851  rs_init(&suricata_context);
2852 
2853  SC_ATOMIC_INIT(engine_stage);
2854 
2855  /* initialize the logging subsys */
2856  SCLogInitLogModule(NULL);
2857 
2858  SCSetThreadName("Suricata-Main");
2859 
2860  /* Ignore SIGUSR2 as early as possible. We redeclare interest
2861  * once we're done launching threads. The goal is to either die
2862  * completely or handle any and all SIGUSR2s correctly.
2863  */
2864 #ifndef OS_WIN32
2865  UtilSignalHandlerSetup(SIGUSR2, SIG_IGN);
2866  if (UtilSignalBlock(SIGUSR2)) {
2867  SCLogError("SIGUSR2 initialization error");
2868  return EXIT_FAILURE;
2869  }
2870 #endif
2871 
2872  ParseSizeInit();
2873  RunModeRegisterRunModes();
2874 
2875  /* Initialize the configuration module. */
2876  ConfInit();
2877 
2878  VarNameStoreInit();
2879 
2880  // zero all module storage
2881  memset(tmm_modules, 0, TMM_SIZE * sizeof(TmModule));
2882 
2883  return 0;
2884 }
2885 
2886 void SuricataPreInit(const char *progname)
2887 {
2888  SCInstanceInit(&suricata, progname);
2889 
2890  if (InitGlobal() != 0) {
2891  exit(EXIT_FAILURE);
2892  }
2893 }
2894 
2895 void SuricataInit(void)
2896 {
2897  /* Initializations for global vars, queues, etc (memsets, mutex init..) */
2898  GlobalsInitPreConfig();
2899 
2900  if (suricata.run_mode == RUNMODE_DUMP_CONFIG) {
2901  ConfDump();
2902  exit(EXIT_SUCCESS);
2903  }
2904 
2905  int tracking = 1;
2906  if (ConfGetBool("vlan.use-for-tracking", &tracking) == 1 && !tracking) {
2907  /* Ignore vlan_ids when comparing flows. */
2908  g_vlan_mask = 0x0000;
2909  }
2910  SCLogDebug("vlan tracking is %s", tracking == 1 ? "enabled" : "disabled");
2911  if (ConfGetBool("livedev.use-for-tracking", &tracking) == 1 && !tracking) {
2912  /* Ignore livedev id when comparing flows. */
2913  g_livedev_mask = 0x0000;
2914  }
2915  SetupUserMode(&suricata);
2916  InitRunAs(&suricata);
2917 
2918  /* Since our config is now loaded we can finish configurating the
2919  * logging module. */
2920  SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
2921 
2922  LogVersion(&suricata);
2923  UtilCpuPrintSummary();
2924  RunModeInitializeThreadSettings();
2925 
2926  if (suricata.run_mode == RUNMODE_CONF_TEST)
2927  SCLogInfo("Running suricata under test mode");
2928 
2929  if (ParseInterfacesList(suricata.aux_run_mode, suricata.pcap_dev) != TM_ECODE_OK) {
2930  exit(EXIT_FAILURE);
2931  }
2932 
2933  if (PostConfLoadedSetup(&suricata) != TM_ECODE_OK) {
2934  exit(EXIT_FAILURE);
2935  }
2936 
2937  SCDropMainThreadCaps(suricata.userid, suricata.groupid);
2938 
2939  /* Re-enable coredumps after privileges are dropped. */
2940  CoredumpEnable();
2941 
2942  if (suricata.run_mode != RUNMODE_UNIX_SOCKET && !suricata.disabled_detect) {
2943  suricata.unix_socket_enabled = ConfUnixSocketIsEnable();
2944  }
2945 
2946  PreRunPostPrivsDropInit(suricata.run_mode);
2947 
2948  LandlockSandboxing(&suricata);
2949 
2950  PostConfLoadedDetectSetup(&suricata);
2951  if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
2952  goto out;
2953  } else if (suricata.run_mode == RUNMODE_CONF_TEST){
2954  SCLogNotice("Configuration provided was successfully loaded. Exiting.");
2955  goto out;
2956  } else if (suricata.run_mode == RUNMODE_DUMP_FEATURES) {
2957  FeatureDump();
2958  goto out;
2959  }
2960 
2961  if (suricata.run_mode == RUNMODE_DPDK)
2962  prerun_snap = SystemHugepageSnapshotCreate();
2963 
2964  SCSetStartTime(&suricata);
2965  RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode,
2966  suricata.capture_plugin_name, suricata.capture_plugin_args);
2967  if (suricata.run_mode != RUNMODE_UNIX_SOCKET) {
2968  UnixManagerThreadSpawnNonRunmode(suricata.unix_socket_enabled);
2969  }
2970 
2971  return;
2972 
2973 out:
2974  GlobalsDestroy();
2975  exit(EXIT_SUCCESS);
2976 }
2977 
2978 void SuricataShutdown(void)
2979 {
2980  /* Update the engine stage/status flag */
2981  SC_ATOMIC_SET(engine_stage, SURICATA_DEINIT);
2982 
2983  UnixSocketKillSocketThread();
2984  PostRunDeinit(suricata.run_mode, &suricata.start_time);
2985  /* kill remaining threads */
2986  TmThreadKillThreads();
2987 }
2988 
2989 void SuricataPostInit(void)
2990 {
2991  /* Wait till all the threads have been initialized */
2992  if (TmThreadWaitOnThreadInit() == TM_ECODE_FAILED) {
2993  SystemHugepageSnapshotDestroy(prerun_snap);
2994  FatalError("Engine initialization failed, "
2995  "aborting...");
2996  }
2997 
2998  int limit_nproc = 0;
2999  if (ConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
3000  limit_nproc = 0;
3001  }
3002 
3003 #if defined(SC_ADDRESS_SANITIZER)
3004  if (limit_nproc) {
3005  SCLogWarning(
3006  "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
3007  limit_nproc = 0;
3008  }
3009 #endif
3010 
3011  if (limit_nproc) {
3012 #if defined(HAVE_SYS_RESOURCE_H)
3013 #ifdef linux
3014  if (geteuid() == 0) {
3015  SCLogWarning("setrlimit has no effet when running as root.");
3016  }
3017 #endif
3018  struct rlimit r = { 0, 0 };
3019  if (setrlimit(RLIMIT_NPROC, &r) != 0) {
3020  SCLogWarning("setrlimit failed to prevent process creation.");
3021  }
3022 #else
3023  SCLogWarning("setrlimit unavailable.");
3024 #endif
3025  }
3026 
3027  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
3028  PacketPoolPostRunmodes();
3029 
3030  /* Un-pause all the paused threads */
3031  TmThreadContinueThreads();
3032 
3033  /* Must ensure all threads are fully operational before continuing with init process */
3034  if (TmThreadWaitOnThreadRunning() != TM_ECODE_OK) {
3035  SystemHugepageSnapshotDestroy(prerun_snap);
3036  exit(EXIT_FAILURE);
3037  }
3038 
3039  /* Print notice and send OS specific notification of threads in running state */
3040  OnNotifyRunning();
3041 
3042  PostRunStartedDetectSetup(&suricata);
3043  if (suricata.run_mode == RUNMODE_DPDK) { // only DPDK uses hpages at the moment
3044  SystemHugepageSnapshot *postrun_snap = SystemHugepageSnapshotCreate();
3045  SystemHugepageEvaluateHugepages(prerun_snap, postrun_snap);
3046  SystemHugepageSnapshotDestroy(prerun_snap);
3047  SystemHugepageSnapshotDestroy(postrun_snap);
3048  }
3049  SCPledge();
3050 }
RUNMODE_AFXDP_DEV
@ RUNMODE_AFXDP_DEV
Definition: runmodes.h:37
DefragDestroy
void DefragDestroy(void)
Definition: defrag.c:1133
util-byte.h
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:399
TmModuleUnixManagerRegister
void TmModuleUnixManagerRegister(void)
Definition: unix-manager.c:1289
StatsReleaseResources
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition: counters.c:1272
max_pending_packets
uint16_t max_pending_packets
Definition: suricata.c:181
source-nflog.h
TagInitCtx
void TagInitCtx(void)
Definition: detect-engine-tag.c:52
TmModuleReceiveIPFWRegister
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
Definition: source-ipfw.c:150
flow-bypass.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
SuricataMainLoop
void SuricataMainLoop(void)
Definition: suricata.c:2806
ExceptionSimulationCommandLineParser
int ExceptionSimulationCommandLineParser(const char *name, const char *arg)
Definition: util-exception-policy.c:316
ippair.h
g_livedev_mask
uint16_t g_livedev_mask
Definition: suricata.c:204
app-layer-htp-range.h
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:501
SCInstance_::run_mode
enum RunModes run_mode
Definition: suricata.h:124
detect-engine.h
source-pcap.h
SCInstance_::groupid
uint32_t groupid
Definition: suricata.h:142
SCRunmodeGet
int SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:261
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:42
g_system
bool g_system
Definition: suricata.c:189
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:854
win32-syscall.h
SCInstance_::daemon
int daemon
Definition: suricata.h:151
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SCLogInitLogModule
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
Definition: util-debug.c:1390
SLL_HEADER_LEN
#define SLL_HEADER_LEN
Definition: decode-sll.h:27
SCInstance_::checksum_validation
int checksum_validation
Definition: suricata.h:154
LiveDeviceListClean
int LiveDeviceListClean(void)
Definition: util-device.c:314
SCInstance_::do_setuid
bool do_setuid
Definition: suricata.h:138
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4563
RUNMODE_UNITTEST
@ RUNMODE_UNITTEST
Definition: runmodes.h:40
StorageInit
void StorageInit(void)
Definition: util-storage.c:68
SCInstance_::start_time
struct timeval start_time
Definition: suricata.h:156
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
prerun_snap
SystemHugepageSnapshot * prerun_snap
Definition: suricata.c:211
TmThreadContinueThreads
void TmThreadContinueThreads(void)
Unpauses all threads present in tv_root.
Definition: tm-threads.c:1913
source-pcap-file.h
SCInstance_::do_setgid
bool do_setgid
Definition: suricata.h:139
ConfNode_::val
char * val
Definition: conf.h:34
CLS
#define CLS
Definition: suricata-common.h:56
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:482
RUNMODE_DPDK
@ RUNMODE_DPDK
Definition: runmodes.h:39
stream-tcp.h
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:959
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:287
runmode-af-packet.h
RUNMODE_UNKNOWN
@ RUNMODE_UNKNOWN
Definition: runmodes.h:28
SCInstance_::group_name
const char * group_name
Definition: suricata.h:137
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
runmode-unittests.h
TmqhSetup
void TmqhSetup(void)
Definition: tm-queuehandlers.c:39
SURI_HOST_IS_SNIFFER_ONLY
@ SURI_HOST_IS_SNIFFER_ONLY
Definition: suricata.h:115
RUNMODE_PRINT_BUILDINFO
@ RUNMODE_PRINT_BUILDINFO
Definition: runmodes.h:50
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2553
LiveDevRegisterExtension
void LiveDevRegisterExtension(void)
Definition: util-device.c:465
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerHtpPrintStats
void AppLayerHtpPrintStats(void)
Definition: app-layer-htp.c:2625
util-hugepages.h
StatsSetupPostConfigPreOutput
void StatsSetupPostConfigPreOutput(void)
Definition: counters.c:895
SCInstance_::runmode_custom_mode
char * runmode_custom_mode
Definition: suricata.h:134
util-coredump-config.h
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigTableSetup
void SigTableSetup(void)
Definition: detect-engine-register.c:462
TmModuleReceiveNFQRegister
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:169
LiveBuildDeviceList
int LiveBuildDeviceList(const char *runmode)
Definition: util-device.c:274
RunModeShutDown
void RunModeShutDown(void)
Definition: runmodes.c:566
SuricataInit
void SuricataInit(void)
Definition: suricata.c:2895
TM_ECODE_DONE
@ TM_ECODE_DONE
Definition: tm-threads-common.h:84
SCProtoNameInit
void SCProtoNameInit(void)
Definition: util-proto-name.c:417
SuricataPostInit
void SuricataPostInit(void)
Definition: suricata.c:2989
ippair-bit.h
RunModeDispatch
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
Definition: runmodes.c:397
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
util-macset.h
RUNMODE_LIST_RUNMODES
@ RUNMODE_LIST_RUNMODES
Definition: runmodes.h:48
sigint_count
volatile sig_atomic_t sigint_count
Definition: suricata.c:154
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
SCProfilingRulesGlobalInit
void SCProfilingRulesGlobalInit(void)
TmModuleRunDeInit
void TmModuleRunDeInit(void)
Definition: tm-modules.c:136
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:229
SCSetThreadName
#define SCSetThreadName(n)
Definition: threads.h:303
SCRunmodeSet
void SCRunmodeSet(int run_mode)
Set the current run mode.
Definition: suricata.c:266
sc_set_caps
bool sc_set_caps
Definition: suricata.c:187
SCLogDeInitLogModule
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
Definition: util-debug.c:1597
LiveDevice_
Definition: util-device.h:50
util-pidfile.h
TmModuleDecodeErfFileRegister
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
Definition: source-erf-file.c:98
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:2065
SCInstance_::userid
uint32_t userid
Definition: suricata.h:141
RUNMODE_ERF_FILE
@ RUNMODE_ERF_FILE
Definition: runmodes.h:34
source-windivert-prototypes.h
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3775
EngineModeIsUnknown
int EngineModeIsUnknown(void)
Definition: suricata.c:224
VarNameStoreInit
void VarNameStoreInit(void)
TmModuleFlowRecyclerRegister
void TmModuleFlowRecyclerRegister(void)
Definition: flow-manager.c:1285
g_skip_prefilter
int g_skip_prefilter
Definition: detect-engine-mpm.c:1072
Daemonize
void Daemonize(void)
Daemonize the process.
Definition: util-daemon.c:101
UtilSignalHandlerSetup
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
Definition: util-signal.c:60
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:601
RUNMODE_NFLOG
@ RUNMODE_NFLOG
Definition: runmodes.h:32
TmModuleDecodeWinDivertRegister
void TmModuleDecodeWinDivertRegister(void)
Definition: source-windivert.c:74
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:89
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4587
TmModuleStatsLoggerRegister
void TmModuleStatsLoggerRegister(void)
Definition: output-stats.c:189
ConfYamlHandleInclude
int ConfYamlHandleInclude(ConfNode *parent, const char *filename)
Include a file in the configuration.
Definition: conf-yaml-loader.c:114
RegisterAllModules
void RegisterAllModules(void)
Definition: suricata.c:891
ENGINE_MODE_IPS
@ ENGINE_MODE_IPS
Definition: suricata.h:104
RUNMODE_PCAP_DEV
@ RUNMODE_PCAP_DEV
Definition: runmodes.h:29
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:4224
flow-bit.h
SupportFastPatternForSigMatchTypes
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
Definition: detect-fast-pattern.c:142
util-var-name.h
ConfDump
void ConfDump(void)
Dump configuration to stdout.
Definition: conf.c:746
suricata_context
const SuricataContext suricata_context
Definition: rust-context.c:25
SCParseCommandLine
TmEcode SCParseCommandLine(int argc, char **argv)
Definition: suricata.c:1313
SCPledge
#define SCPledge(...)
Definition: util-privs.h:99
CheckValidDaemonModes
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
Definition: util-daemon.c:177
SCGetGroupID
void SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
Definition: util-privs.c:208
ConfSetFinal
int ConfSetFinal(const char *name, const char *val)
Set a final configuration value.
Definition: conf.c:303
unittests_fatal
int unittests_fatal
Definition: util-unittest.c:52
TmThreadDisableReceiveThreads
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
Definition: tm-threads.c:1347
StatsInit
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
Definition: counters.c:885
util-privs.h
PreRunInit
void PreRunInit(const int runmode)
Definition: suricata.c:2207
RUNMODE_LIST_KEYWORDS
@ RUNMODE_LIST_KEYWORDS
Definition: runmodes.h:46
SURICATA_DONE
#define SURICATA_DONE
Definition: suricata.h:91
MacSetRegisterFlowStorage
void MacSetRegisterFlowStorage(void)
Definition: util-macset.c:62
SuricataShutdown
void SuricataShutdown(void)
Definition: suricata.c:2978
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:160
GetIfaceMTU
int GetIfaceMTU(const char *dev)
output the link MTU
Definition: util-ioctl.c:81
RUNMODE_NAPATECH
@ RUNMODE_NAPATECH
Definition: runmodes.h:41
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:359
TmModuleReceiveNetmapRegister
void TmModuleReceiveNetmapRegister(void)
Definition: source-netmap.c:74
PacketPoolPostRunmodes
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
Definition: tmqh-packetpool.c:460
NFQInitConfig
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:206
TmModuleReceiveWinDivertRegister
void TmModuleReceiveWinDivertRegister(void)
Definition: source-windivert.c:61
SystemHugepageSnapshot
Definition: util-hugepages.h:44
HOST_VERBOSE
#define HOST_VERBOSE
Definition: host.h:92
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
SCProfilingDestroy
void SCProfilingDestroy(void)
Free resources used by profiling.
Definition: util-profiling.c:273
IsRunModeOffline
bool IsRunModeOffline(enum RunModes run_mode_to_check)
Definition: runmodes.c:548
AFPPeersListClean
void AFPPeersListClean(void)
Clean the global peers list.
Definition: source-af-packet.c:583
RunModeInitializeOutputs
void RunModeInitializeOutputs(void)
Definition: runmodes.c:765
DetectPortTestConfVars
int DetectPortTestConfVars(void)
Definition: detect-engine-port.c:1106
SCThresholdConfGlobalInit
void SCThresholdConfGlobalInit(void)
Definition: util-threshold-config.c:102
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:576
SCInstance_::capture_plugin_name
const char * capture_plugin_name
Definition: suricata.h:164
RUNMODE_DAG
@ RUNMODE_DAG
Definition: runmodes.h:35
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
EngineMode
EngineMode
Definition: suricata.h:101
SCInstance_::set_datadir
bool set_datadir
Definition: suricata.h:146
tmqh-packetpool.h
g_ut_covered
int g_ut_covered
Definition: suricata.c:889
SCInstance_::capture_plugin_args
const char * capture_plugin_args
Definition: suricata.h:165
TmModuleLoggerRegister
void TmModuleLoggerRegister(void)
Definition: output.c:892
TmThreadDisablePacketThreads
void TmThreadDisablePacketThreads(void)
Disable all packet threads.
Definition: tm-threads.c:1476
host_mode
uint8_t host_mode
Definition: suricata.c:178
RUNMODE_NETMAP
@ RUNMODE_NETMAP
Definition: runmodes.h:38
RUNMODE_DUMP_FEATURES
@ RUNMODE_DUMP_FEATURES
Definition: runmodes.h:61
FeatureDump
void FeatureDump(void)
Definition: feature.c:144
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:244
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1046
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PcapTranslateIPToDevice
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
Definition: source-pcap.c:656
FlowDisableFlowRecyclerThread
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
Definition: flow-manager.c:1213
ParseSizeInit
void ParseSizeInit(void)
Definition: util-misc.c:35
TmModuleDecodePcapFileRegister
void TmModuleDecodePcapFileRegister(void)
Definition: source-pcap-file.c:128
TmModuleBypassedFlowManagerRegister
void TmModuleBypassedFlowManagerRegister(void)
Definition: flow-bypass.c:222
IPPairShutdown
void IPPairShutdown(void)
shutdown the flow engine
Definition: ippair.c:293
source-erf-dag.h
util-signal.h
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:2661
TmModuleDecodeNFLOGRegister
void TmModuleDecodeNFLOGRegister(void)
Definition: source-nflog.c:55
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
NFQParseAndRegisterQueues
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
Definition: source-nfq.c:879
ConfGetRootNode
ConfNode * ConfGetRootNode(void)
Get the root configuration node.
Definition: conf.c:207
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:530
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1031
FeatureTrackingRegister
void FeatureTrackingRegister(void)
Definition: feature.c:152
TmModuleReceiveDPDKRegister
void TmModuleReceiveDPDKRegister(void)
Definition: source-dpdk.c:50
UnixManagerThreadSpawnNonRunmode
void UnixManagerThreadSpawnNonRunmode(const bool unix_socket_enabled)
Definition: unix-manager.c:1283
RunModeInitializeThreadSettings
void RunModeInitializeThreadSettings(void)
Definition: runmodes.c:950
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
ENGINE_MODE_UNKNOWN
@ ENGINE_MODE_UNKNOWN
Definition: suricata.h:102
app-layer-htp.h
IsRunModeSystem
bool IsRunModeSystem(enum RunModes run_mode_to_check)
Definition: runmodes.c:535
datasets.h
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
Definition: util-ioctl.c:120
TmModuleDecodeNetmapRegister
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
Definition: source-netmap.c:84
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2236
feature.h
decode.h
util-device.h
SURICATA_DEINIT
@ SURICATA_DEINIT
Definition: suricata.h:97
SigTableCleanup
void SigTableCleanup(void)
Definition: detect-engine-register.c:453
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4647
sigterm_count
volatile sig_atomic_t sigterm_count
Definition: suricata.c:156
source-nfq.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
TmThreadWaitOnThreadInit
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
Definition: tm-threads.c:1952
TmModuleVerdictNFQRegister
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:184
ConfYamlLoadFile
int ConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
Definition: conf-yaml-loader.c:473
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:53
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1109
RunModeListRunmodes
void RunModeListRunmodes(void)
Lists all registered runmodes.
Definition: runmodes.c:245
RUNMODE_PRINT_USAGE
@ RUNMODE_PRINT_USAGE
Definition: runmodes.h:51
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
RUNMODE_LIST_APP_LAYERS
@ RUNMODE_LIST_APP_LAYERS
Definition: runmodes.h:47
util-cpu.h
suricata
SCInstance suricata
Definition: suricata.c:217
SCInstance_::unix_socket_enabled
bool unix_socket_enabled
Definition: suricata.h:147
LiveSetOffloadDisable
void LiveSetOffloadDisable(void)
Definition: util-device.c:71
StatsSetupPostConfigPostOutput
void StatsSetupPostConfigPostOutput(void)
Definition: counters.c:900
TVT_MGMT
@ TVT_MGMT
Definition: tm-threads-common.h:90
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:246
SpmTableSetup
void SpmTableSetup(void)
Definition: util-spm.c:122
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:383
LiveBuildDeviceListCustom
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
Definition: util-device.c:279
util-exception-policy.h
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:248
UnixSocketKillSocketThread
void UnixSocketKillSocketThread(void)
Definition: unix-manager.c:1279
TmModuleVerdictIPFWRegister
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
Definition: source-ipfw.c:171
flow-worker.h
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:214
HttpRangeContainersInit
void HttpRangeContainersInit(void)
Definition: app-layer-htp-range.c:149
util-reference-config.h
source-napatech.h
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:1005
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:149
TmModuleVerdictWinDivertRegister
void TmModuleVerdictWinDivertRegister(void)
Definition: source-windivert.c:68
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:842
SCInstance_::progname
const char * progname
Definition: suricata.h:159
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:332
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FlowDisableFlowManagerThread
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
Definition: flow-manager.c:130
util-ebpf.h
SCInstance_::pcap_dev
char pcap_dev[128]
Definition: suricata.h:127
detect.h
UtilSignalUnblock
int UtilSignalUnblock(int signum)
Definition: util-signal.c:46
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:3742
TmThreadClearThreadsFamily
void TmThreadClearThreadsFamily(int family)
Definition: tm-threads.c:1625
TmModuleRunInit
void TmModuleRunInit(void)
Definition: tm-modules.c:118
detect-engine-port.h
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:241
SCInstance_::user_name
const char * user_name
Definition: suricata.h:136
HTPAtExitPrintStats
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
Definition: app-layer-htp.c:1647
util-time.h
UtilSignalBlock
int UtilSignalBlock(int signum)
Definition: util-signal.c:29
SCProfilingPrefilterGlobalInit
void SCProfilingPrefilterGlobalInit(void)
Definition: util-profiling-prefilter.c:61
ThresholdDestroy
void ThresholdDestroy(void)
Definition: detect-engine-threshold.c:71
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2619
GetProgramVersion
const char * GetProgramVersion(void)
get string with program version
Definition: suricata.c:1130
engine_analysis
int engine_analysis
app-layer-parser.h
TmModuleReceivePcapFileRegister
void TmModuleReceivePcapFileRegister(void)
Definition: source-pcap-file.c:115
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
runmode-netmap.h
CoredumpLoadConfig
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
Definition: util-coredump-config.c:90
detect-engine-tag.h
IPFWRegisterQueue
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
Definition: source-ipfw.c:698
xstr
#define xstr(s)
Definition: suricata-common.h:290
util-profiling.h
ListAppLayerProtocols
int ListAppLayerProtocols(const char *conf_filename)
Definition: util-running-modes.c:43
SCInstance_::offline
int offline
Definition: suricata.h:152
DatasetsDestroy
void DatasetsDestroy(void)
Definition: datasets.c:993
UtilCpuPrintSummary
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
Definition: util-cpu.c:140
SystemDNotifyReady
int SystemDNotifyReady(void)
TmThreadKillThreads
void TmThreadKillThreads(void)
Definition: tm-threads.c:1555
OutputDeregisterAll
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
Definition: output.c:675
source-pcap-file-helper.h
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2528
EngineModeIsIDS
int EngineModeIsIDS(void)
Definition: suricata.c:235
util-systemd.h
TmModuleNapatechDecodeRegister
void TmModuleNapatechDecodeRegister(void)
Register the Napatech decoder module.
Definition: source-napatech.c:192
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:33
conf-yaml-loader.h
decode-sll.h
coverage_unittests
int coverage_unittests
Definition: suricata.c:887
RUNMODE_DUMP_CONFIG
@ RUNMODE_DUMP_CONFIG
Definition: runmodes.h:52
DatasetsSave
void DatasetsSave(void)
Definition: datasets.c:1071
detect-engine-alert.h
conf.h
util-landlock.h
source-ipfw.h
TMM_SIZE
@ TMM_SIZE
Definition: tm-threads-common.h:77
source-netmap.h
OutputNotifyFileRotation
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
Definition: output.c:745
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:138
VarNameStoreDestroy
void VarNameStoreDestroy(void)
Definition: util-var-name.c:116
SCInstance_::verbose
int verbose
Definition: suricata.h:153
TmEcode
TmEcode
Definition: tm-threads-common.h:81
source-windivert.h
TmModuleFlowWorkerRegister
void TmModuleFlowWorkerRegister(void)
Definition: flow-worker.c:771
SCInstance_::aux_run_mode
enum RunModes aux_run_mode
Definition: suricata.h:125
util-plugin.h
SCInstance_::additional_configs
const char ** additional_configs
Definition: suricata.h:161
flow-timeout.h
DEFAULT_PID_FILENAME
#define DEFAULT_PID_FILENAME
Definition: suricata.h:83
sighup_count
volatile sig_atomic_t sighup_count
Definition: suricata.c:155
ConfigSetDataDirectory
TmEcode ConfigSetDataDirectory(char *name)
Definition: util-conf.c:66
TmModuleDecodeErfDagRegister
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
Definition: source-erf-dag.c:151
SCInstance_::set_logdir
bool set_logdir
Definition: suricata.h:145
SCDropMainThreadCaps
#define SCDropMainThreadCaps(...)
Definition: util-privs.h:90
TmModuleDebugList
void TmModuleDebugList(void)
Definition: tm-modules.c:35
TmModuleDecodeNFQRegister
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:192
util-proto-name.h
STREAM_VERBOSE
#define STREAM_VERBOSE
Definition: stream-tcp.h:35
defrag.h
SCProtoNameRelease
void SCProtoNameRelease(void)
Definition: util-proto-name.c:438
MpmTableSetup
void MpmTableSetup(void)
Definition: util-mpm.c:225
SCInstance_::log_dir
const char * log_dir
Definition: suricata.h:158
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:252
source-nfq-prototypes.h
SCPluginsLoad
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
TmModuleReceiveNFLOGRegister
void TmModuleReceiveNFLOGRegister(void)
Definition: source-nflog.c:49
DEFAULT_PACKET_SIZE
#define DEFAULT_PACKET_SIZE
Definition: decode.h:674
WarnInvalidConfEntry
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
Definition: util-misc.h:35
util-host-os-info.h
TmModuleReceiveErfFileRegister
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-file.c:80
TmModule_
Definition: tm-modules.h:44
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
TmModuleDecodeAFXDPRegister
void TmModuleDecodeAFXDPRegister(void)
Registration Function for DecodeAFXDP.
Definition: source-af-xdp.c:91
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
tm-queuehandlers.h
SigTableApplyStrictCommandLineOption
void SigTableApplyStrictCommandLineOption(const char *str)
Definition: detect-parse.c:392
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:823
PROG_NAME
#define PROG_NAME
Definition: suricata.h:70
TmThreadKillThreadsFamily
void TmThreadKillThreadsFamily(int family)
Definition: tm-threads.c:1526
detect-fast-pattern.h
FeatureTrackingRelease
void FeatureTrackingRelease(void)
Definition: feature.c:136
TmqhCleanup
void TmqhCleanup(void)
Clean up registration time allocs.
Definition: tm-queuehandlers.c:49
util-dpdk.h
util-conf.h
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
source-dpdk.h
flow-manager.h
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:999
SCInstance_::strict_rule_parsing_string
char * strict_rule_parsing_string
Definition: suricata.h:162
SuriHasSigFile
int SuriHasSigFile(void)
Definition: suricata.c:219
suricata-common.h
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2548
util-path.h
util-daemon.h
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:184
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:677
SCHInfoLoadFromConfig
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
Definition: util-host-os-info.c:331
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:3766
source-af-xdp.h
TmModuleFlowManagerRegister
void TmModuleFlowManagerRegister(void)
Definition: flow-manager.c:1271
SCStartInternalRunMode
int SCStartInternalRunMode(int argc, char **argv)
Definition: suricata.c:2305
SCPidfileTestRunning
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
Definition: util-pidfile.c:105
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:296
DOC_URL
#define DOC_URL
Definition: suricata.h:85
SCFstatFn
#define SCFstatFn(fd, statbuf)
Definition: util-path.h:34
output-filestore.h
LiveSetOffloadWarn
void LiveSetOffloadWarn(void)
Definition: util-device.c:76
ParseSizeDeinit
void ParseSizeDeinit(void)
Definition: util-misc.c:54
SURI_HOST_IS_ROUTER
@ SURI_HOST_IS_ROUTER
Definition: suricata.h:116
util-classification-config.h
RunModeRegisterRunModes
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
Definition: runmodes.c:219
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:502
ConfGetChildValueBool
int ConfGetChildValueBool(const ConfNode *base, const char *name, int *val)
Definition: conf.c:500
SCProfilingDump
void SCProfilingDump(void)
Definition: util-profiling.c:299
TmModuleReceiveAFXDPRegister
void TmModuleReceiveAFXDPRegister(void)
Definition: source-af-xdp.c:77
EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition: suricata.c:446
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:38
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:128
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:173
TmModuleReceiveErfDagRegister
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-dag.c:133
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:33
util-validate.h
TmModuleDecodeIPFWRegister
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
Definition: source-ipfw.c:186
source-af-packet.h
ConfUnixSocketIsEnable
int ConfUnixSocketIsEnable(void)
Definition: util-conf.c:136
RUNMODE_NFQ
@ RUNMODE_NFQ
Definition: runmodes.h:31
ConfSetFromString
int ConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
Definition: conf.c:249
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:200
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
DatasetsInit
int DatasetsInit(void)
Definition: datasets.c:859
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:38
sigusr2_count
volatile sig_atomic_t sigusr2_count
Definition: suricata.c:157
SystemHugepageSnapshotDestroy
void SystemHugepageSnapshotDestroy(SystemHugepageSnapshot *s)
Definition: util-hugepages.c:304
RUNMODE_ENGINE_ANALYSIS
@ RUNMODE_ENGINE_ANALYSIS
Definition: runmodes.h:55
RUNMODE_PRINT_VERSION
@ RUNMODE_PRINT_VERSION
Definition: runmodes.h:49
TmModuleDecodePcapRegister
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
Definition: source-pcap.c:153
util-running-modes.h
SCLoadYamlConfig
TmEcode SCLoadYamlConfig(void)
Definition: suricata.c:956
unix-manager.h
runmode-af-xdp.h
str
#define str(s)
Definition: suricata-common.h:291
ConfigCheckDataDirectory
TmEcode ConfigCheckDataDirectory(const char *data_dir)
Definition: util-conf.c:99
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:184
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:2039
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DEFAULT_CONF_FILE
#define DEFAULT_CONF_FILE
Definition: suricata.h:79
ConfNode_
Definition: conf.h:32
SC_LOG_MAX_LOG_MSG_LEN
#define SC_LOG_MAX_LOG_MSG_LEN
Definition: util-debug.h:84
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:256
TmModuleReceivePcapRegister
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
Definition: source-pcap.c:135
SCGetUserID
void SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
Definition: util-privs.c:141
util-ioctl.h
detect-parse.h
SCInstance_::system
bool system
Definition: suricata.h:144
SCInstance_::pid_filename
char * pid_filename
Definition: suricata.h:130
TmModuleRespondRejectRegister
void TmModuleRespondRejectRegister(void)
Definition: respond-reject.c:50
CoredumpEnable
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
Definition: util-coredump-config.c:57
RunUnittests
void RunUnittests(int list_unittests, const char *regex_arg)
Definition: runmode-unittests.c:229
source-erf-file.h
ConfigCheckLogDirectoryExists
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
Definition: util-conf.c:56
TimeDeinit
void TimeDeinit(void)
Definition: util-time.c:87
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:45
RunModeEngineIsIPS
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
Definition: runmodes.c:367
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2558
RUNMODE_WINDIVERT
@ RUNMODE_WINDIVERT
Definition: runmodes.h:43
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:229
TmModuleNapatechStreamRegister
void TmModuleNapatechStreamRegister(void)
Register the Napatech receiver (reader) module.
Definition: source-napatech.c:174
SCProfilingKeywordsGlobalInit
void SCProfilingKeywordsGlobalInit(void)
Definition: util-profiling-keywords.c:61
suricata.h
EngineDone
void EngineDone(void)
Used to indicate that the current task is done.
Definition: suricata.c:457
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
GetDocURL
const char * GetDocURL(void)
Definition: suricata.c:1109
util-mpm-hs.h
profiling_rules_enabled
int profiling_rules_enabled
PostRunDeinit
void PostRunDeinit(const int runmode, struct timeval *start_time)
Definition: suricata.c:2258
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:96
TmThreadWaitOnThreadRunning
TmEcode TmThreadWaitOnThreadRunning(void)
Waits for all threads to be in a running state.
Definition: tm-threads.c:1844
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:688
HttpRangeContainersDestroy
void HttpRangeContainersDestroy(void)
Definition: app-layer-htp-range.c:182
ConfSet
int ConfSet(const char *name, const char *val)
Set a configuration value.
Definition: conf.c:224
SCLogLoadConfig
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
Definition: util-debug.c:1420
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4714
DEFAULT_MAX_PENDING_PACKETS
#define DEFAULT_MAX_PENDING_PACKETS
Definition: suricata.c:167
SCInstance_
Definition: suricata.h:123
DetectEngineClearMaster
void DetectEngineClearMaster(void)
Definition: detect-engine.c:4687
SetMasterExceptionPolicy
void SetMasterExceptionPolicy(void)
Definition: util-exception-policy.c:59
TmThreadCheckThreadState
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
Definition: tm-threads.c:1929
OutputFilestoreRegisterGlobalCounters
void OutputFilestoreRegisterGlobalCounters(void)
Definition: output-filestore.c:517
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:2849
SCInstance_::disabled_detect
int disabled_detect
Definition: suricata.h:150
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:164
SystemHugepageSnapshotCreate
SystemHugepageSnapshot * SystemHugepageSnapshotCreate(void)
The function creates a snapshot of the system's hugepage usage per NUMA node and per hugepage size....
Definition: util-hugepages.c:323
SCProfilingSghsGlobalInit
void SCProfilingSghsGlobalInit(void)
Definition: util-profiling-rulegroups.c:64
SCPidfileCreate
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
Definition: util-pidfile.c:42
LiveRegisterDeviceName
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
Definition: util-device.c:97
SCStatFn
#define SCStatFn(pathname, statbuf)
Definition: util-path.h:35
ENGINE_MODE_IDS
@ ENGINE_MODE_IDS
Definition: suricata.h:103
LiveDeviceFinalize
void LiveDeviceFinalize(void)
Definition: util-device.c:442
TmModuleDecodeDPDKRegister
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
Definition: source-dpdk.c:64
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:129
PROG_VER
#define PROG_VER
Definition: suricata.h:71
util-misc.h
PacketPoolDestroy
void PacketPoolDestroy(void)
Definition: tmqh-packetpool.c:275
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:1660
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:89
flow.h
LandlockSandboxing
void LandlockSandboxing(SCInstance *suri)
Definition: util-landlock.c:34
respond-reject.h
SCInstance_::regex_arg
char * regex_arg
Definition: suricata.h:131
ListKeywords
int ListKeywords(const char *keyword_info)
Definition: util-running-modes.c:32
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
SuricataPreInit
void SuricataPreInit(const char *progname)
Definition: suricata.c:2886
msg
const char * msg
Definition: app-layer-htp.c:564
DPDKCleanupEAL
void DPDKCleanupEAL(void)
Definition: util-dpdk.c:28
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:36
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SCPidfileRemove
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
Definition: util-pidfile.c:83
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:66
TimeInit
void TimeInit(void)
Definition: util-time.c:79
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCInstance_::keyword_info
char * keyword_info
Definition: suricata.h:133
RUNMODE_PLUGIN
@ RUNMODE_PLUGIN
Definition: runmodes.h:44
NFQContextsClean
void NFQContextsClean(void)
Clean global contexts. Must be called on exit.
Definition: source-nfq.c:1300
SystemHugepageEvaluateHugepages
void SystemHugepageEvaluateHugepages(SystemHugepageSnapshot *pre_s, SystemHugepageSnapshot *post_s)
The function compares two hugepage snapshots and prints out recommendations for hugepage configuratio...
Definition: util-hugepages.c:363
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SCFinalizeRunMode
int SCFinalizeRunMode(void)
Definition: suricata.c:2361
SCStat
struct stat SCStat
Definition: util-path.h:33
SCProfilingInit
void SCProfilingInit(void)
Initialize profiling.
Definition: util-profiling.c:136
g_ut_modules
int g_ut_modules
Definition: suricata.c:888
detect-engine-address.h
RUNMODE_IPFW
@ RUNMODE_IPFW
Definition: runmodes.h:33
GlobalsDestroy
void GlobalsDestroy(void)
Definition: suricata.c:368
output.h
util-threshold-config.h
DefragInit
void DefragInit(void)
Definition: defrag.c:1113
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:2053
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:170
host-bit.h
detect-engine-threshold.h
RUNMODE_LIST_UNITTEST
@ RUNMODE_LIST_UNITTEST
Definition: runmodes.h:54
app-layer.h
TagDestroyCtx
void TagDestroyCtx(void)
Destroy tag context hash tables.
Definition: detect-engine-tag.c:72
DetectAddressTestConfVars
int DetectAddressTestConfVars(void)
Definition: detect-engine-address.c:1217
g_disable_randomness
int g_disable_randomness
Definition: suricata.c:193
geteuid
#define geteuid()
Definition: win32-misc.h:41
FlowWorkToDoCleanup
void FlowWorkToDoCleanup(void)
Clean up all the flows that have unprocessed segments and have some work to do in the detection engin...
Definition: flow-timeout.c:416
MpmHSGlobalCleanup
void MpmHSGlobalCleanup(void)
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:208
TmqResetQueues
void TmqResetQueues(void)
Definition: tm-queues.c:80