suricata
suricata.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #if HAVE_GETOPT_H
27 #include <getopt.h>
28 #endif
29 
30 #if HAVE_SIGNAL_H
31 #include <signal.h>
32 #endif
33 #ifndef OS_WIN32
34 #ifdef HAVE_SYS_RESOURCE_H
35 // setrlimit
36 #include <sys/resource.h>
37 #endif
38 #endif
39 
40 #include "suricata.h"
41 
42 #include "conf.h"
43 #include "conf-yaml-loader.h"
44 
45 #include "decode.h"
46 #include "defrag.h"
47 #include "flow.h"
48 #include "stream-tcp.h"
49 #include "ippair.h"
50 
51 #include "detect.h"
52 #include "detect-parse.h"
53 #include "detect-engine.h"
54 #include "detect-engine-address.h"
55 #include "detect-engine-alert.h"
56 #include "detect-engine-port.h"
57 #include "detect-engine-tag.h"
58 #include "detect-engine-threshold.h"
59 #include "detect-fast-pattern.h"
60 
61 #include "datasets.h"
62 
63 #include "feature.h"
64 
65 #include "flow-bypass.h"
66 #include "flow-manager.h"
67 #include "flow-timeout.h"
68 #include "flow-worker.h"
69 
70 #include "flow-bit.h"
71 #include "host-bit.h"
72 #include "ippair-bit.h"
73 
74 #include "app-layer.h"
75 #include "app-layer-parser.h"
76 #include "app-layer-htp.h"
77 #include "app-layer-htp-range.h"
78 
79 #include "output.h"
80 #include "output-filestore.h"
81 
82 #include "respond-reject.h"
83 
84 #include "runmode-af-packet.h"
85 #include "runmode-af-xdp.h"
86 #include "runmode-netmap.h"
87 #include "runmode-unittests.h"
88 
89 #include "source-nfq.h"
90 #include "source-nfq-prototypes.h"
91 #include "source-nflog.h"
92 #include "source-ipfw.h"
93 #include "source-pcap.h"
94 #include "source-pcap-file.h"
95 #include "source-pcap-file-helper.h"
96 #include "source-erf-file.h"
97 #include "source-erf-dag.h"
98 #include "source-af-packet.h"
99 #include "source-af-xdp.h"
100 #include "source-netmap.h"
101 #include "source-dpdk.h"
102 #include "source-windivert.h"
103 #include "source-windivert-prototypes.h"
104 
105 #include "unix-manager.h"
106 
107 #include "util-classification-config.h"
108 #include "util-threshold-config.h"
109 #include "util-reference-config.h"
110 
111 #include "tmqh-packetpool.h"
112 #include "tm-queuehandlers.h"
113 
114 #include "util-byte.h"
115 #include "util-conf.h"
116 #include "util-coredump-config.h"
117 #include "util-cpu.h"
118 #include "util-daemon.h"
119 #include "util-device.h"
120 #include "util-dpdk.h"
121 #include "util-ebpf.h"
122 #include "util-exception-policy.h"
123 #include "util-host-os-info.h"
124 #include "util-hugepages.h"
125 #include "util-ioctl.h"
126 #include "util-landlock.h"
127 #include "util-macset.h"
128 #include "util-misc.h"
129 #include "util-mpm-hs.h"
130 #include "util-path.h"
131 #include "util-pidfile.h"
132 #include "util-plugin.h"
133 #include "util-privs.h"
134 #include "util-profiling.h"
135 #include "util-proto-name.h"
136 #include "util-running-modes.h"
137 #include "util-signal.h"
138 #include "util-time.h"
139 #include "util-validate.h"
140 #include "util-var-name.h"
141 #ifdef SYSTEMD_NOTIFY
142 #include "util-systemd.h"
143 #endif
144 
145 #ifdef WINDIVERT
146 #include "decode-sll.h"
147 #include "win32-syscall.h"
148 #endif
149 
150 /*
151  * we put this here, because we only use it here in main.
152  */
153 volatile sig_atomic_t sigint_count = 0;
154 volatile sig_atomic_t sighup_count = 0;
155 volatile sig_atomic_t sigterm_count = 0;
156 volatile sig_atomic_t sigusr2_count = 0;
157 
158 /*
159  * Flag to indicate if the engine is at the initialization
160  * or already processing packets. 3 stages: SURICATA_INIT,
161  * SURICATA_RUNTIME and SURICATA_FINALIZE
162  */
163 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
164 
165 /* Max packets processed simultaneously per thread. */
166 #define DEFAULT_MAX_PENDING_PACKETS 1024
167 
168 /** suricata engine control flags */
169 volatile uint8_t suricata_ctl_flags = 0;
170 
171 /** Engine mode: inline (ENGINE_MODE_IPS) or just
172  * detection mode (ENGINE_MODE_IDS by default) */
173 static enum EngineMode g_engine_mode = ENGINE_MODE_UNKNOWN;
174 
175 /** Host mode: set if box is sniffing only
176  * or is a router */
177 uint8_t host_mode = SURI_HOST_IS_SNIFFER_ONLY;
178 
179 /** Maximum packets to simultaneously process. */
180 uint32_t max_pending_packets;
181 
182 /** global indicating if detection is enabled */
183 int g_detect_disabled = 0;
184 
185 /** set caps or not */
186 bool sc_set_caps = false;
187 
188 bool g_system = false;
189 
190 /** disable randomness to get reproducible results across runs */
191 #ifndef AFLFUZZ_NO_RANDOM
192 int g_disable_randomness = 0;
193 #else
194 int g_disable_randomness = 1;
195 #endif
196 
197 /** determine (without branching) if we include the vlan_ids when hashing or
198  * comparing flows */
199 uint16_t g_vlan_mask = 0xffff;
200 
201 /** determine (without branching) if we include the livedev ids when hashing or
202  * comparing flows */
203 uint16_t g_livedev_mask = 0xffff;
204 
205 /** determine (without branching) if we include the recursion levels when hashing or
206  * comparing flows */
207 uint8_t g_recurlvl_mask = 0xff;
208 
209 /* flag to disable hashing almost globally, to be similar to disabling nss
210  * support */
211 bool g_disable_hashing = false;
212 
213 /* snapshot of the system's hugepages before system intitialization. */
214 SystemHugepageSnapshot *prerun_snap = NULL;
215 
216 /** add per-proto app-layer error counters for exception policies stats? disabled by default */
217 bool g_stats_eps_per_app_proto_errors = false;
218 
219 /** Suricata instance */
220 SCInstance suricata;
221 
222 int SuriHasSigFile(void)
223 {
224  return (suricata.sig_file != NULL);
225 }
226 
227 int EngineModeIsUnknown(void)
228 {
229  return (g_engine_mode == ENGINE_MODE_UNKNOWN);
230 }
231 
232 int EngineModeIsIPS(void)
233 {
234  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
235  return (g_engine_mode == ENGINE_MODE_IPS);
236 }
237 
238 int EngineModeIsIDS(void)
239 {
240  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
241  return (g_engine_mode == ENGINE_MODE_IDS);
242 }
243 
244 void EngineModeSetIPS(void)
245 {
246  g_engine_mode = ENGINE_MODE_IPS;
247 }
248 
249 void EngineModeSetIDS(void)
250 {
251  g_engine_mode = ENGINE_MODE_IDS;
252 }
253 
254 #ifdef UNITTESTS
255 int RunmodeIsUnittests(void)
256 {
257  if (suricata.run_mode == RUNMODE_UNITTEST)
258  return 1;
259 
260  return 0;
261 }
262 #endif
263 
264 int SCRunmodeGet(void)
265 {
266  return suricata.run_mode;
267 }
268 
269 void SCRunmodeSet(int run_mode)
270 {
271  suricata.run_mode = run_mode;
272 }
273 
274 /** signal handlers
275  *
276  * WARNING: don't use the SCLog* API in the handlers. The API is complex
277  * with memory allocation possibly happening, calls to syslog, json message
278  * construction, etc.
279  */
280 
281 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
282 static void SignalHandlerSigint(/*@unused@*/ int sig)
283 {
284  sigint_count = 1;
285 }
286 static void SignalHandlerSigterm(/*@unused@*/ int sig)
287 {
288  sigterm_count = 1;
289 }
290 #ifndef OS_WIN32
291 #if HAVE_LIBUNWIND
292 #define UNW_LOCAL_ONLY
293 #include <libunwind.h>
294 static void SignalHandlerUnexpected(int sig_num, siginfo_t *info, void *context)
295 {
296  char msg[SC_LOG_MAX_LOG_MSG_LEN];
297  unw_cursor_t cursor;
298  /* Restore defaults for signals to avoid loops */
299  signal(SIGABRT, SIG_DFL);
300  signal(SIGSEGV, SIG_DFL);
301  int r;
302  if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
303  SCLogError("unable to obtain stack trace: unw_init_local: %s", unw_strerror(r));
304  goto terminate;
305  }
306 
307  char *temp = msg;
308  int cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "stacktrace:sig %d:", sig_num);
309  temp += cw;
310  r = 1;
311  while (r > 0) {
312  if (unw_is_signal_frame(&cursor) == 0) {
313  unw_word_t off;
314  char name[256];
315  if (unw_get_proc_name(&cursor, name, sizeof(name), &off) == UNW_ENOMEM) {
316  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "[unknown]:");
317  } else {
318  cw = snprintf(
319  temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "%s+0x%08" PRIx64, name, off);
320  }
321  temp += cw;
322  }
323 
324  r = unw_step(&cursor);
325  if (r > 0) {
326  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), ";");
327  temp += cw;
328  }
329  }
330  SCLogError("%s", msg);
331 
332 terminate:
333  // Propagate signal to watchers, if any
334  kill(getpid(), sig_num);
335 }
336 #undef UNW_LOCAL_ONLY
337 #endif /* HAVE_LIBUNWIND */
338 #endif /* !OS_WIN32 */
339 #endif
340 
341 #ifndef OS_WIN32
342 /**
343  * SIGUSR2 handler. Just set sigusr2_count. The main loop will act on
344  * it.
345  */
346 static void SignalHandlerSigusr2(int sig)
347 {
348  if (sigusr2_count < 2)
349  sigusr2_count++;
350 }
351 
352 /**
353  * SIGHUP handler. Just set sighup_count. The main loop will act on
354  * it.
355  */
356 static void SignalHandlerSigHup(/*@unused@*/ int sig)
357 {
358  sighup_count = 1;
359 }
360 #endif
361 
362 void GlobalsInitPreConfig(void)
363 {
364  TimeInit();
365  SupportFastPatternForSigMatchTypes();
366  SCThresholdConfGlobalInit();
367  SCProtoNameInit();
368 }
369 
370 void GlobalsDestroy(void)
371 {
372  SCInstance *suri = &suricata;
373  ThresholdDestroy();
374  HostShutdown();
375  HTPFreeConfig();
376  HTPAtExitPrintStats();
377 
378  AppLayerHtpPrintStats();
379 
380  /* TODO this can do into it's own func */
381  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
382  if (de_ctx) {
383  DetectEngineMoveToFreeList(de_ctx);
384  DetectEngineDeReference(&de_ctx);
385  }
386  DetectEngineClearMaster();
387 
388  AppLayerDeSetup();
389  DatasetsSave();
390  DatasetsDestroy();
391  OutputTxShutdown();
392  TagDestroyCtx();
393 
394  LiveDeviceListClean();
395  OutputDeregisterAll();
396  FeatureTrackingRelease();
397  SCProtoNameRelease();
398  TimeDeinit();
399  SigTableCleanup();
400  TmqhCleanup();
401  TmModuleRunDeInit();
402  ParseSizeDeinit();
403 
404 #ifdef HAVE_DPDK
405  DPDKCleanupEAL();
406 #endif
407 
408 #ifdef HAVE_AF_PACKET
409  AFPPeersListClean();
410 #endif
411 
412 #ifdef NFQ
413  NFQContextsClean();
414 #endif
415 
416 #ifdef BUILD_HYPERSCAN
417  MpmHSGlobalCleanup();
418 #endif
419 
420  ConfDeInit();
421 
422  DetectParseFreeRegexes();
423 
424  SCPidfileRemove(suri->pid_filename);
425  SCFree(suri->pid_filename);
426  suri->pid_filename = NULL;
427 
428  VarNameStoreDestroy();
429  SCLogDeInitLogModule();
430 }
431 
432 /**
433  * \brief Used to send OS specific notification of running threads
434  *
435  * \retval TmEcode TM_ECODE_OK on success; TM_ECODE_FAILED on failure.
436  */
437 static void OnNotifyRunning(void)
438 {
439 #ifdef SYSTEMD_NOTIFY
440  if (SystemDNotifyReady() < 0) {
441  SCLogWarning("failed to notify systemd");
442  }
443 #endif
444 }
445 
446 /** \brief make sure threads can stop the engine by calling this
447  * function. Purpose: pcap file mode needs to be able to tell the
448  * engine the file eof is reached. */
449 void EngineStop(void)
450 {
451  suricata_ctl_flags |= SURICATA_STOP;
452 }
453 
454 /**
455  * \brief Used to indicate that the current task is done.
456  *
457  * This is mainly used by pcap-file to tell it has finished
458  * to treat a pcap files when running in unix-socket mode.
459  */
460 void EngineDone(void)
461 {
462  suricata_ctl_flags |= SURICATA_DONE;
463 }
464 
465 static int SetBpfString(int argc, char *argv[])
466 {
467  char *bpf_filter = NULL;
468  uint32_t bpf_len = 0;
469  int tmpindex = 0;
470 
471  /* attempt to parse remaining args as bpf filter */
472  tmpindex = argc;
473  while(argv[tmpindex] != NULL) {
474  bpf_len+=strlen(argv[tmpindex]) + 1;
475  tmpindex++;
476  }
477 
478  if (bpf_len == 0)
479  return TM_ECODE_OK;
480 
481  bpf_filter = SCCalloc(1, bpf_len);
482  if (unlikely(bpf_filter == NULL))
483  return TM_ECODE_FAILED;
484 
485  tmpindex = optind;
486  while(argv[tmpindex] != NULL) {
487  strlcat(bpf_filter, argv[tmpindex],bpf_len);
488  if(argv[tmpindex + 1] != NULL) {
489  strlcat(bpf_filter," ", bpf_len);
490  }
491  tmpindex++;
492  }
493 
494  if(strlen(bpf_filter) > 0) {
495  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
496  SCLogError("Failed to set bpf filter.");
497  SCFree(bpf_filter);
498  return TM_ECODE_FAILED;
499  }
500  }
501  SCFree(bpf_filter);
502 
503  return TM_ECODE_OK;
504 }
505 
506 static void SetBpfStringFromFile(char *filename)
507 {
508  char *bpf_filter = NULL;
509  char *bpf_comment_tmp = NULL;
510  char *bpf_comment_start = NULL;
511  size_t bpf_len = 0;
512  SCStat st;
513  FILE *fp = NULL;
514  size_t nm = 0;
515 
516  fp = fopen(filename, "r");
517  if (fp == NULL) {
518  SCLogError("Failed to open file %s", filename);
519  exit(EXIT_FAILURE);
520  }
521 
522  if (SCFstatFn(fileno(fp), &st) != 0) {
523  SCLogError("Failed to stat file %s", filename);
524  exit(EXIT_FAILURE);
525  }
526  // st.st_size is signed on Windows
527  bpf_len = ((size_t)(st.st_size)) + 1;
528 
529  bpf_filter = SCCalloc(1, bpf_len);
530  if (unlikely(bpf_filter == NULL)) {
531  SCLogError("Failed to allocate buffer for bpf filter in file %s", filename);
532  exit(EXIT_FAILURE);
533  }
534 
535  nm = fread(bpf_filter, 1, bpf_len - 1, fp);
536  if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
537  SCLogError("Failed to read complete BPF file %s", filename);
538  SCFree(bpf_filter);
539  fclose(fp);
540  exit(EXIT_FAILURE);
541  }
542  fclose(fp);
543  bpf_filter[nm] = '\0';
544 
545  if(strlen(bpf_filter) > 0) {
546  /*replace comments with space*/
547  bpf_comment_start = bpf_filter;
548  while((bpf_comment_tmp = strchr(bpf_comment_start, '#')) != NULL) {
549  while((*bpf_comment_tmp !='\0') &&
550  (*bpf_comment_tmp != '\r') && (*bpf_comment_tmp != '\n'))
551  {
552  *bpf_comment_tmp++ = ' ';
553  }
554  bpf_comment_start = bpf_comment_tmp;
555  }
556  /*remove remaining '\r' and '\n' */
557  while((bpf_comment_tmp = strchr(bpf_filter, '\r')) != NULL) {
558  *bpf_comment_tmp = ' ';
559  }
560  while((bpf_comment_tmp = strchr(bpf_filter, '\n')) != NULL) {
561  *bpf_comment_tmp = ' ';
562  }
563  /* cut trailing spaces */
564  while (strlen(bpf_filter) > 0 &&
565  bpf_filter[strlen(bpf_filter)-1] == ' ')
566  {
567  bpf_filter[strlen(bpf_filter)-1] = '\0';
568  }
569  if (strlen(bpf_filter) > 0) {
570  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
571  SCFree(bpf_filter);
572  FatalError("failed to set bpf filter");
573  }
574  }
575  }
576  SCFree(bpf_filter);
577 }
578 
579 static void PrintUsage(const char *progname)
580 {
581 #ifdef REVISION
582  printf("%s %s (%s)\n", PROG_NAME, PROG_VER, xstr(REVISION));
583 #else
584  printf("%s %s\n", PROG_NAME, PROG_VER);
585 #endif
586  printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
587  printf("\t-c <path> : path to configuration file\n");
588  printf("\t-T : test configuration file (use with -c)\n");
589  printf("\t-i <dev or ip> : run in pcap live mode\n");
590  printf("\t-F <bpf filter file> : bpf filter file\n");
591  printf("\t-r <path> : run in pcap file/offline mode\n");
592 #ifdef NFQ
593  printf("\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to specify a range of queues)\n");
594 #endif /* NFQ */
595 #ifdef IPFW
596  printf("\t-d <divert port> : run in inline ipfw divert mode\n");
597 #endif /* IPFW */
598  printf("\t-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)\n");
599  printf("\t-S <path> : path to signature file loaded exclusively (optional)\n");
600  printf("\t-l <dir> : default log directory\n");
601 #ifndef OS_WIN32
602  printf("\t-D : run as daemon\n");
603 #else
604  printf("\t--service-install : install as service\n");
605  printf("\t--service-remove : remove service\n");
606  printf("\t--service-change-params : change service startup parameters\n");
607 #endif /* OS_WIN32 */
608  printf("\t-k [all|none] : force checksum check (all) or disabled it (none)\n");
609  printf("\t-V : display Suricata version\n");
610  printf("\t-v : be more verbose (use multiple times to increase verbosity)\n");
611 #ifdef UNITTESTS
612  printf("\t-u : run the unittests and exit\n");
613  printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n");
614  printf("\t--list-unittests : list unit tests\n");
615  printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
616  printf("\t--unittests-coverage : display unittest coverage report\n");
617 #endif /* UNITTESTS */
618  printf("\t--list-app-layer-protos : list supported app layer protocols\n");
619  printf("\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
620  printf("\t--list-runmodes : list supported runmodes\n");
621  printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
622  "\t supplied should be the id for the runmode obtained by running\n"
623  "\t --list-runmodes\n");
624  printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n"
625  "\t Please have a look at the conf parameter engine-analysis on what reports\n"
626  "\t can be printed\n");
627  printf("\t--pidfile <file> : write pid to this file\n");
628  printf("\t--init-errors-fatal : enable fatal failure on signature init error\n");
629  printf("\t--disable-detection : disable detection engine\n");
630  printf("\t--dump-config : show the running configuration\n");
631  printf("\t--dump-features : display provided features\n");
632  printf("\t--build-info : display build information\n");
633  printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml\n");
634  printf("\t--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
635  printf("\t--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
636  printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)\n");
637  printf("\t--pcap-file-buffer-size : set read buffer size (setvbuf)\n");
638 #ifdef HAVE_PCAP_SET_BUFF
639  printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
640 #endif /* HAVE_SET_PCAP_BUFF */
641 #ifdef HAVE_DPDK
642  printf("\t--dpdk : run in dpdk mode, uses interfaces from "
643  "suricata.yaml\n");
644 #endif
645 #ifdef HAVE_AF_PACKET
646  printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
647 #endif
648 #ifdef HAVE_AF_XDP
649  printf("\t--af-xdp[=<dev>] : run in af-xdp mode, no value select "
650  "interfaces from suricata.yaml\n");
651 #endif
652 #ifdef HAVE_NETMAP
653  printf("\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
654 #endif
655 #ifdef HAVE_PFRING
656  printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
657  printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
658  printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
659  printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
660 #endif /* HAVE_PFRING */
661  printf("\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
662 #ifdef HAVE_LIBCAP_NG
663  printf("\t--user <user> : run suricata as this user after init\n");
664  printf("\t--group <group> : run suricata as this group after init\n");
665 #endif /* HAVE_LIBCAP_NG */
666  printf("\t--erf-in <path> : process an ERF file\n");
667 #ifdef HAVE_DAG
668  printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
669 #endif
670 #ifdef BUILD_UNIX_SOCKET
671  printf("\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
672 #endif
673 #ifdef WINDIVERT
674  printf("\t--windivert <filter> : run in inline WinDivert mode\n");
675  printf("\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
676 #endif
677 #ifdef HAVE_LIBNET11
678  printf("\t--reject-dev <dev> : send reject packets from this interface\n");
679 #endif
680  printf("\t--include <path> : additional configuration file\n");
681  printf("\t--set name=value : set a configuration value\n");
682  printf("\n");
683  printf("\nTo run the engine with default configuration on "
684  "interface eth0 with signature file \"signatures.rules\", run the "
685  "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
686  progname);
687 }
688 
689 static void PrintBuildInfo(void)
690 {
691  const char *bits;
692  const char *endian;
693  char features[2048] = "";
694  const char *tls;
695 
696  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
697 #ifdef DEBUG
698  strlcat(features, "DEBUG ", sizeof(features));
699 #endif
700 #ifdef DEBUG_VALIDATION
701  strlcat(features, "DEBUG_VALIDATION ", sizeof(features));
702 #endif
703 #ifdef UNITTESTS
704  strlcat(features, "UNITTESTS ", sizeof(features));
705 #endif
706 #ifdef NFQ
707  strlcat(features, "NFQ ", sizeof(features));
708 #endif
709 #ifdef IPFW
710  strlcat(features, "IPFW ", sizeof(features));
711 #endif
712 #ifdef HAVE_PCAP_SET_BUFF
713  strlcat(features, "PCAP_SET_BUFF ", sizeof(features));
714 #endif
715 #ifdef HAVE_PFRING
716  strlcat(features, "PF_RING ", sizeof(features));
717 #endif
718 #ifdef HAVE_NAPATECH
719  strlcat(features, "NAPATECH ", sizeof(features));
720 #endif
721 #ifdef HAVE_AF_PACKET
722  strlcat(features, "AF_PACKET ", sizeof(features));
723 #endif
724 #ifdef HAVE_NETMAP
725  strlcat(features, "NETMAP ", sizeof(features));
726 #endif
727 #ifdef HAVE_PACKET_FANOUT
728  strlcat(features, "HAVE_PACKET_FANOUT ", sizeof(features));
729 #endif
730 #ifdef HAVE_DAG
731  strlcat(features, "DAG ", sizeof(features));
732 #endif
733 #ifdef HAVE_LIBCAP_NG
734  strlcat(features, "LIBCAP_NG ", sizeof(features));
735 #endif
736 #ifdef HAVE_LIBNET11
737  strlcat(features, "LIBNET1.1 ", sizeof(features));
738 #endif
739 #ifdef HAVE_HTP_URI_NORMALIZE_HOOK
740  strlcat(features, "HAVE_HTP_URI_NORMALIZE_HOOK ", sizeof(features));
741 #endif
742 #ifdef PCRE2_HAVE_JIT
743  strlcat(features, "PCRE_JIT ", sizeof(features));
744 #endif
745  /* For compatibility, just say we have HAVE_NSS. */
746  strlcat(features, "HAVE_NSS ", sizeof(features));
747  /* HTTP2_DECOMPRESSION is not an optional feature in this major version */
748  strlcat(features, "HTTP2_DECOMPRESSION ", sizeof(features));
749  /* Lua is now vendored in and always available. */
750  strlcat(features, "HAVE_LUA ", sizeof(features));
751 #ifdef HAVE_JA3
752  strlcat(features, "HAVE_JA3 ", sizeof(features));
753 #endif
754 #ifdef HAVE_JA4
755  strlcat(features, "HAVE_JA4 ", sizeof(features));
756 #endif
757  strlcat(features, "HAVE_LIBJANSSON ", sizeof(features));
758 #ifdef PROFILING
759  strlcat(features, "PROFILING ", sizeof(features));
760 #endif
761 #ifdef PROFILE_LOCKING
762  strlcat(features, "PROFILE_LOCKING ", sizeof(features));
763 #endif
764 #if defined(TLS_C11) || defined(TLS_GNU)
765  strlcat(features, "TLS ", sizeof(features));
766 #endif
767 #if defined(TLS_C11)
768  strlcat(features, "TLS_C11 ", sizeof(features));
769 #elif defined(TLS_GNU)
770  strlcat(features, "TLS_GNU ", sizeof(features));
771 #endif
772 #ifdef HAVE_MAGIC
773  strlcat(features, "MAGIC ", sizeof(features));
774 #endif
775  strlcat(features, "RUST ", sizeof(features));
776 #if defined(SC_ADDRESS_SANITIZER)
777  strlcat(features, "ASAN ", sizeof(features));
778 #endif
779 #if defined(HAVE_POPCNT64)
780  strlcat(features, "POPCNT64 ", sizeof(features));
781 #endif
782  if (strlen(features) == 0) {
783  strlcat(features, "none", sizeof(features));
784  }
785 
786  printf("Features: %s\n", features);
787 
788  /* SIMD stuff */
789  memset(features, 0x00, sizeof(features));
790 #if defined(__SSE4_2__)
791  strlcat(features, "SSE_4_2 ", sizeof(features));
792 #endif
793 #if defined(__SSE4_1__)
794  strlcat(features, "SSE_4_1 ", sizeof(features));
795 #endif
796 #if defined(__SSE3__)
797  strlcat(features, "SSE_3 ", sizeof(features));
798 #endif
799 #if defined(__SSE2__)
800  strlcat(features, "SSE_2 ", sizeof(features));
801 #endif
802  if (strlen(features) == 0) {
803  strlcat(features, "none", sizeof(features));
804  }
805  printf("SIMD support: %s\n", features);
806 
807  /* atomics stuff */
808  memset(features, 0x00, sizeof(features));
809 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
810  strlcat(features, "1 ", sizeof(features));
811 #endif
812 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
813  strlcat(features, "2 ", sizeof(features));
814 #endif
815 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
816  strlcat(features, "4 ", sizeof(features));
817 #endif
818 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
819  strlcat(features, "8 ", sizeof(features));
820 #endif
821 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
822  strlcat(features, "16 ", sizeof(features));
823 #endif
824  if (strlen(features) == 0) {
825  strlcat(features, "none", sizeof(features));
826  } else {
827  strlcat(features, "byte(s)", sizeof(features));
828  }
829  printf("Atomic intrinsics: %s\n", features);
830 
831 #if __WORDSIZE == 64
832  bits = "64-bits";
833 #elif __WORDSIZE == 32
834  bits = "32-bits";
835 #else
836  bits = "<unknown>-bits";
837 #endif
838 
839 #if __BYTE_ORDER == __BIG_ENDIAN
840  endian = "Big-endian";
841 #elif __BYTE_ORDER == __LITTLE_ENDIAN
842  endian = "Little-endian";
843 #else
844  endian = "<unknown>-endian";
845 #endif
846 
847  printf("%s, %s architecture\n", bits, endian);
848 #ifdef __GNUC__
849  printf("GCC version %s, C version %"PRIiMAX"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
850 #else
851  printf("C version %"PRIiMAX"\n", (intmax_t)__STDC_VERSION__);
852 #endif
853 
854 #if __SSP__ == 1
855  printf("compiled with -fstack-protector\n");
856 #endif
857 #if __SSP_ALL__ == 2
858  printf("compiled with -fstack-protector-all\n");
859 #endif
860 /*
861  * Workaround for special defines of _FORTIFY_SOURCE like
862  * FORTIFY_SOURCE=((defined __OPTIMIZE && OPTIMIZE > 0) ? 2 : 0)
863  * which is used by Gentoo for example and would result in the error
864  * 'defined' undeclared when _FORTIFY_SOURCE used via %d in printf func
865  *
866  */
867 #if _FORTIFY_SOURCE == 2
868  printf("compiled with _FORTIFY_SOURCE=2\n");
869 #elif _FORTIFY_SOURCE == 1
870  printf("compiled with _FORTIFY_SOURCE=1\n");
871 #elif _FORTIFY_SOURCE == 0
872  printf("compiled with _FORTIFY_SOURCE=0\n");
873 #endif
874 #ifdef CLS
875  printf("L1 cache line size (CLS)=%d\n", CLS);
876 #endif
877 #if defined(TLS_C11)
878  tls = "_Thread_local";
879 #elif defined(TLS_GNU)
880  tls = "__thread";
881 #else
882 #error "Unsupported thread local"
883 #endif
884  printf("thread local storage method: %s\n", tls);
885 
886  printf("compiled with %s, linked against %s\n",
887  HTP_VERSION_STRING_FULL, htp_get_version());
888  printf("\n");
889 #include "build-info.h"
890 }
891 
892 int coverage_unittests;
893 int g_ut_modules;
894 int g_ut_covered;
895 
896 void RegisterAllModules(void)
897 {
898  /* commanders */
899  TmModuleUnixManagerRegister();
900  /* managers */
901  TmModuleFlowManagerRegister();
902  TmModuleFlowRecyclerRegister();
903  TmModuleBypassedFlowManagerRegister();
904  /* nfq */
905  TmModuleReceiveNFQRegister();
906  TmModuleVerdictNFQRegister();
907  TmModuleDecodeNFQRegister();
908  /* ipfw */
909  TmModuleReceiveIPFWRegister();
910  TmModuleVerdictIPFWRegister();
911  TmModuleDecodeIPFWRegister();
912  /* pcap live */
913  TmModuleReceivePcapRegister();
914  TmModuleDecodePcapRegister();
915  /* pcap file */
916  TmModuleReceivePcapFileRegister();
917  TmModuleDecodePcapFileRegister();
918  /* af-packet */
919  TmModuleReceiveAFPRegister();
920  TmModuleDecodeAFPRegister();
921  /* af-xdp */
922  TmModuleReceiveAFXDPRegister();
923  TmModuleDecodeAFXDPRegister();
924  /* netmap */
925  TmModuleReceiveNetmapRegister();
926  TmModuleDecodeNetmapRegister();
927  /* dag file */
928  TmModuleReceiveErfFileRegister();
929  TmModuleDecodeErfFileRegister();
930  /* dag live */
931  TmModuleReceiveErfDagRegister();
932  TmModuleDecodeErfDagRegister();
933 
934  /* flow worker */
935  TmModuleFlowWorkerRegister();
936  /* respond-reject */
937  TmModuleRespondRejectRegister();
938 
939  /* log api */
940  TmModuleLoggerRegister();
941  TmModuleStatsLoggerRegister();
942 
943  TmModuleDebugList();
944  /* nflog */
945  TmModuleReceiveNFLOGRegister();
946  TmModuleDecodeNFLOGRegister();
947 
948  /* windivert */
949  TmModuleReceiveWinDivertRegister();
950  TmModuleVerdictWinDivertRegister();
951  TmModuleDecodeWinDivertRegister();
952 
953  /* Dpdk */
954  TmModuleReceiveDPDKRegister();
955  TmModuleDecodeDPDKRegister();
956 }
957 
958 TmEcode SCLoadYamlConfig(void)
959 {
960  SCEnter();
961 
962  SCInstance *suri = &suricata;
963 
964  if (suri->conf_filename == NULL)
965  suri->conf_filename = DEFAULT_CONF_FILE;
966 
967  if (ConfYamlLoadFile(suri->conf_filename) != 0) {
968  /* Error already displayed. */
969  SCReturnInt(TM_ECODE_FAILED);
970  }
971 
972  if (suri->additional_configs) {
973  for (int i = 0; suri->additional_configs[i] != NULL; i++) {
974  SCLogConfig("Loading additional configuration file %s", suri->additional_configs[i]);
975  ConfYamlHandleInclude(ConfGetRootNode(), suri->additional_configs[i]);
976  }
977  }
978 
979  SCReturnInt(TM_ECODE_OK);
980 }
981 
982 static TmEcode ParseInterfacesList(const int runmode, char *pcap_dev)
983 {
984  SCEnter();
985 
986  /* run the selected runmode */
987  if (runmode == RUNMODE_PCAP_DEV) {
988  if (strlen(pcap_dev) == 0) {
989  int ret = LiveBuildDeviceList("pcap");
990  if (ret == 0) {
991  SCLogError("No interface found in config for pcap");
992  SCReturnInt(TM_ECODE_FAILED);
993  }
994  }
995  } else if (runmode == RUNMODE_PLUGIN) {
996  if (strcmp(suricata.capture_plugin_name, "pfring") == 0) {
997  /* Special handling for pfring. */
998  if (strlen(pcap_dev)) {
999  if (ConfSetFinal("pfring.live-interface", pcap_dev) != 1) {
1000  SCLogError("Failed to set pfring.live-interface");
1001  SCReturnInt(TM_ECODE_FAILED);
1002  }
1003  }
1004  }
1005 #ifdef HAVE_DPDK
1006  } else if (runmode == RUNMODE_DPDK) {
1007  char iface_selector[] = "dpdk.interfaces";
1008  int ret = LiveBuildDeviceList(iface_selector);
1009  if (ret == 0) {
1010  SCLogError("No interface found in config for %s", iface_selector);
1011  SCReturnInt(TM_ECODE_FAILED);
1012  }
1013 #endif
1014 #ifdef HAVE_AF_PACKET
1015  } else if (runmode == RUNMODE_AFP_DEV) {
1016  /* iface has been set on command line */
1017  if (strlen(pcap_dev)) {
1018  if (ConfSetFinal("af-packet.live-interface", pcap_dev) != 1) {
1019  SCLogError("Failed to set af-packet.live-interface");
1020  SCReturnInt(TM_ECODE_FAILED);
1021  }
1022  } else {
1023  int ret = LiveBuildDeviceList("af-packet");
1024  if (ret == 0) {
1025  SCLogError("No interface found in config for af-packet");
1026  SCReturnInt(TM_ECODE_FAILED);
1027  }
1028  }
1029 #endif
1030 #ifdef HAVE_AF_XDP
1031  } else if (runmode == RUNMODE_AFXDP_DEV) {
1032  /* iface has been set on command line */
1033  if (strlen(pcap_dev)) {
1034  if (ConfSetFinal("af-xdp.live-interface", pcap_dev) != 1) {
1035  SCLogError("Failed to set af-xdp.live-interface");
1036  SCReturnInt(TM_ECODE_FAILED);
1037  }
1038  } else {
1039  int ret = LiveBuildDeviceList("af-xdp");
1040  if (ret == 0) {
1041  SCLogError("No interface found in config for af-xdp");
1042  SCReturnInt(TM_ECODE_FAILED);
1043  }
1044  }
1045 #endif
1046 #ifdef HAVE_NETMAP
1047  } else if (runmode == RUNMODE_NETMAP) {
1048  /* iface has been set on command line */
1049  if (strlen(pcap_dev)) {
1050  if (ConfSetFinal("netmap.live-interface", pcap_dev) != 1) {
1051  SCLogError("Failed to set netmap.live-interface");
1052  SCReturnInt(TM_ECODE_FAILED);
1053  }
1054  } else {
1055  int ret = LiveBuildDeviceList("netmap");
1056  if (ret == 0) {
1057  SCLogError("No interface found in config for netmap");
1058  SCReturnInt(TM_ECODE_FAILED);
1059  }
1060  }
1061 #endif
1062 #ifdef HAVE_NFLOG
1063  } else if (runmode == RUNMODE_NFLOG) {
1064  int ret = LiveBuildDeviceListCustom("nflog", "group");
1065  if (ret == 0) {
1066  SCLogError("No group found in config for nflog");
1067  SCReturnInt(TM_ECODE_FAILED);
1068  }
1069 #endif
1070  }
1071 
1072  SCReturnInt(TM_ECODE_OK);
1073 }
1074 
1075 static void SCInstanceInit(SCInstance *suri, const char *progname)
1076 {
1077  memset(suri, 0x00, sizeof(*suri));
1078 
1079  suri->progname = progname;
1080  suri->run_mode = RUNMODE_UNKNOWN;
1081 
1082  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1083  suri->sig_file = NULL;
1084  suri->sig_file_exclusive = false;
1085  suri->pid_filename = NULL;
1086  suri->regex_arg = NULL;
1087 
1088  suri->keyword_info = NULL;
1089  suri->runmode_custom_mode = NULL;
1090 #ifndef OS_WIN32
1091  suri->user_name = NULL;
1092  suri->group_name = NULL;
1093  suri->do_setuid = false;
1094  suri->do_setgid = false;
1095 #endif /* OS_WIN32 */
1096  suri->userid = 0;
1097  suri->groupid = 0;
1098  suri->delayed_detect = 0;
1099  suri->daemon = 0;
1100  suri->offline = 0;
1101  suri->verbose = 0;
1102  /* use -1 as unknown */
1103  suri->checksum_validation = -1;
1104 #if HAVE_DETECT_DISABLED==1
1105  g_detect_disabled = suri->disabled_detect = 1;
1106 #else
1107  g_detect_disabled = suri->disabled_detect = 0;
1108 #endif
1109 }
1110 
1111 const char *GetDocURL(void)
1112 {
1113  const char *prog_ver = GetProgramVersion();
1114  if (strstr(prog_ver, "RELEASE") != NULL) {
1115  return DOC_URL "suricata-" PROG_VER;
1116  }
1117  return DOC_URL "latest";
1118 }
1119 
1120 /** \brief get string with program version
1121  *
1122  * Get the program version as passed to us from AC_INIT
1123  *
1124  * Add 'RELEASE' is no '-dev' in the version. Add the REVISION if passed
1125  * to us.
1126  *
1127  * Possible outputs:
1128  * release: '5.0.1 RELEASE'
1129  * dev with rev: '5.0.1-dev (64a789bbf 2019-10-18)'
1130  * dev w/o rev: '5.0.1-dev'
1131  */
1132 const char *GetProgramVersion(void)
1133 {
1134  if (strstr(PROG_VER, "-dev") == NULL) {
1135  return PROG_VER " RELEASE";
1136  } else {
1137 #ifdef REVISION
1138  return PROG_VER " (" xstr(REVISION) ")";
1139 #else
1140  return PROG_VER;
1141 #endif
1142  }
1143 }
1144 
1145 static TmEcode PrintVersion(void)
1146 {
1147  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
1148  return TM_ECODE_OK;
1149 }
1150 
1151 static TmEcode LogVersion(SCInstance *suri)
1152 {
1153  const char *mode = suri->system ? "SYSTEM" : "USER";
1154  SCLogNotice("This is %s version %s running in %s mode",
1155  PROG_NAME, GetProgramVersion(), mode);
1156  return TM_ECODE_OK;
1157 }
1158 
1159 static void SCSetStartTime(SCInstance *suri)
1160 {
1161  memset(&suri->start_time, 0, sizeof(suri->start_time));
1162  gettimeofday(&suri->start_time, NULL);
1163 }
1164 
1165 static void SCPrintElapsedTime(struct timeval *start_time)
1166 {
1167  if (start_time == NULL)
1168  return;
1169  struct timeval end_time;
1170  memset(&end_time, 0, sizeof(end_time));
1171  gettimeofday(&end_time, NULL);
1172  uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1173  (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1174  SCLogInfo("time elapsed %.3fs", (float)milliseconds/(float)1000);
1175 }
1176 
1177 static int ParseCommandLineAfpacket(SCInstance *suri, const char *in_arg)
1178 {
1179 #ifdef HAVE_AF_PACKET
1180  if (suri->run_mode == RUNMODE_UNKNOWN) {
1181  suri->run_mode = RUNMODE_AFP_DEV;
1182  if (in_arg) {
1183  LiveRegisterDeviceName(in_arg);
1184  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1185  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1186  }
1187  } else if (suri->run_mode == RUNMODE_AFP_DEV) {
1188  if (in_arg) {
1189  LiveRegisterDeviceName(in_arg);
1190  } else {
1191  SCLogInfo("Multiple af-packet option without interface on each is useless");
1192  }
1193  } else {
1194  SCLogError("more than one run mode "
1195  "has been specified");
1196  PrintUsage(suri->progname);
1197  return TM_ECODE_FAILED;
1198  }
1199  return TM_ECODE_OK;
1200 #else
1201  SCLogError("AF_PACKET not enabled. On Linux "
1202  "host, make sure to pass --enable-af-packet to "
1203  "configure when building.");
1204  return TM_ECODE_FAILED;
1205 #endif
1206 }
1207 
1208 static int ParseCommandLineAfxdp(SCInstance *suri, const char *in_arg)
1209 {
1210 #ifdef HAVE_AF_XDP
1211  if (suri->run_mode == RUNMODE_UNKNOWN) {
1212  suri->run_mode = RUNMODE_AFXDP_DEV;
1213  if (in_arg) {
1214  LiveRegisterDeviceName(in_arg);
1215  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1216  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1217  }
1218  } else if (suri->run_mode == RUNMODE_AFXDP_DEV) {
1219  if (in_arg) {
1220  LiveRegisterDeviceName(in_arg);
1221  } else {
1222  SCLogInfo("Multiple af-xdp options without interface on each is useless");
1223  }
1224  } else {
1225  SCLogError("more than one run mode "
1226  "has been specified");
1227  PrintUsage(suri->progname);
1228  return TM_ECODE_FAILED;
1229  }
1230  return TM_ECODE_OK;
1231 #else
1232  SCLogError("AF_XDP not enabled. On Linux "
1233  "host, make sure correct libraries are installed,"
1234  " see documentation for information.");
1235  return TM_ECODE_FAILED;
1236 #endif
1237 }
1238 
1239 static int ParseCommandLineDpdk(SCInstance *suri, const char *in_arg)
1240 {
1241 #ifdef HAVE_DPDK
1242  if (suri->run_mode == RUNMODE_UNKNOWN) {
1243  suri->run_mode = RUNMODE_DPDK;
1244  } else if (suri->run_mode == RUNMODE_DPDK) {
1245  SCLogInfo("Multiple dpdk options have no effect on Suricata");
1246  } else {
1247  SCLogError("more than one run mode "
1248  "has been specified");
1249  PrintUsage(suri->progname);
1250  return TM_ECODE_FAILED;
1251  }
1252  return TM_ECODE_OK;
1253 #else
1254  SCLogError("DPDK not enabled. On Linux "
1255  "host, make sure to pass --enable-dpdk to "
1256  "configure when building.");
1257  return TM_ECODE_FAILED;
1258 #endif
1259 }
1260 
1261 static int ParseCommandLinePcapLive(SCInstance *suri, const char *in_arg)
1262 {
1263 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1264  /* If running on Windows without Npcap, bail early as live capture is not supported. */
1265  FatalError("Live capture not available. To support live capture compile against Npcap.");
1266 #endif
1267  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1268 
1269  if (in_arg != NULL) {
1270  /* some windows shells require escaping of the \ in \Device. Otherwise
1271  * the backslashes are stripped. We put them back here. */
1272  if (strlen(in_arg) > 9 && strncmp(in_arg, "DeviceNPF", 9) == 0) {
1273  snprintf(suri->pcap_dev, sizeof(suri->pcap_dev), "\\Device\\NPF%s", in_arg+9);
1274  } else {
1275  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1276  PcapTranslateIPToDevice(suri->pcap_dev, sizeof(suri->pcap_dev));
1277  }
1278 
1279  if (strcmp(suri->pcap_dev, in_arg) != 0) {
1280  SCLogInfo("translated %s to pcap device %s", in_arg, suri->pcap_dev);
1281  } else if (strlen(suri->pcap_dev) > 0 && isdigit((unsigned char)suri->pcap_dev[0])) {
1282  SCLogError("failed to find a pcap device for IP %s", in_arg);
1283  return TM_ECODE_FAILED;
1284  }
1285  }
1286 
1287  if (suri->run_mode == RUNMODE_UNKNOWN) {
1288  suri->run_mode = RUNMODE_PCAP_DEV;
1289  if (in_arg) {
1290  LiveRegisterDeviceName(suri->pcap_dev);
1291  }
1292  } else if (suri->run_mode == RUNMODE_PCAP_DEV) {
1293  LiveRegisterDeviceName(suri->pcap_dev);
1294  } else {
1295  SCLogError("more than one run mode "
1296  "has been specified");
1297  PrintUsage(suri->progname);
1298  return TM_ECODE_FAILED;
1299  }
1300  return TM_ECODE_OK;
1301 }
1302 
1303 /**
1304  * Helper function to check if log directory is writable
1305  */
1306 static bool IsLogDirectoryWritable(const char* str)
1307 {
1308  if (access(str, W_OK) == 0)
1309  return true;
1310  return false;
1311 }
1312 
1313 extern int g_skip_prefilter;
1314 
1315 TmEcode SCParseCommandLine(int argc, char **argv)
1316 {
1317  SCInstance *suri = &suricata;
1318  int opt;
1319 
1320  int dump_config = 0;
1321  int dump_features = 0;
1322  int list_app_layer_protocols = 0;
1323  int list_unittests = 0;
1324  int list_runmodes = 0;
1325  int list_keywords = 0;
1326  int build_info = 0;
1327  int conf_test = 0;
1328  int engine_analysis = 0;
1329  int ret = TM_ECODE_OK;
1330 
1331 #ifdef UNITTESTS
1332  coverage_unittests = 0;
1333  g_ut_modules = 0;
1334  g_ut_covered = 0;
1335 #endif
1336 
1337  // clang-format off
1338  struct option long_opts[] = {
1339  {"dump-config", 0, &dump_config, 1},
1340  {"dump-features", 0, &dump_features, 1},
1341  {"pfring", optional_argument, 0, 0},
1342  {"pfring-int", required_argument, 0, 0},
1343  {"pfring-cluster-id", required_argument, 0, 0},
1344  {"pfring-cluster-type", required_argument, 0, 0},
1345 #ifdef HAVE_DPDK
1346  {"dpdk", 0, 0, 0},
1347 #endif
1348  {"af-packet", optional_argument, 0, 0},
1349  {"af-xdp", optional_argument, 0, 0},
1350  {"netmap", optional_argument, 0, 0},
1351  {"pcap", optional_argument, 0, 0},
1352  {"pcap-file-continuous", 0, 0, 0},
1353  {"pcap-file-delete", 0, 0, 0},
1354  {"pcap-file-recursive", 0, 0, 0},
1355  {"pcap-file-buffer-size", required_argument, 0, 0},
1356  {"simulate-ips", 0, 0 , 0},
1357  {"no-random", 0, &g_disable_randomness, 1},
1358  {"strict-rule-keywords", optional_argument, 0, 0},
1359 
1360  {"capture-plugin", required_argument, 0, 0},
1361  {"capture-plugin-args", required_argument, 0, 0},
1362 
1363 #ifdef BUILD_UNIX_SOCKET
1364  {"unix-socket", optional_argument, 0, 0},
1365 #endif
1366  {"pcap-buffer-size", required_argument, 0, 0},
1367  {"unittest-filter", required_argument, 0, 'U'},
1368  {"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1369  {"list-unittests", 0, &list_unittests, 1},
1370  {"list-runmodes", 0, &list_runmodes, 1},
1371  {"list-keywords", optional_argument, &list_keywords, 1},
1372  {"runmode", required_argument, NULL, 0},
1373  {"engine-analysis", 0, &engine_analysis, 1},
1374 #ifdef OS_WIN32
1375  {"service-install", 0, 0, 0},
1376  {"service-remove", 0, 0, 0},
1377  {"service-change-params", 0, 0, 0},
1378 #endif /* OS_WIN32 */
1379  {"pidfile", required_argument, 0, 0},
1380  {"init-errors-fatal", 0, 0, 0},
1381  {"disable-detection", 0, 0, 0},
1382  {"disable-hashing", 0, 0, 0},
1383  {"fatal-unittests", 0, 0, 0},
1384  {"unittests-coverage", 0, &coverage_unittests, 1},
1385  {"user", required_argument, 0, 0},
1386  {"group", required_argument, 0, 0},
1387  {"erf-in", required_argument, 0, 0},
1388  {"dag", required_argument, 0, 0},
1389  {"build-info", 0, &build_info, 1},
1390  {"data-dir", required_argument, 0, 0},
1391 #ifdef WINDIVERT
1392  {"windivert", required_argument, 0, 0},
1393  {"windivert-forward", required_argument, 0, 0},
1394 #endif
1395 #ifdef HAVE_LIBNET11
1396  {"reject-dev", required_argument, 0, 0},
1397 #endif
1398  {"set", required_argument, 0, 0},
1399 #ifdef HAVE_NFLOG
1400  {"nflog", optional_argument, 0, 0},
1401 #endif
1402  {"simulate-packet-flow-memcap", required_argument, 0, 0},
1403  {"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1404  {"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1405  {"simulate-packet-loss", required_argument, 0, 0},
1406  {"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1407  {"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1408  {"simulate-packet-defrag-memcap", required_argument, 0, 0},
1409  {"simulate-alert-queue-realloc-failure", 0, 0, 0},
1410 
1411  {"qa-skip-prefilter", 0, &g_skip_prefilter, 1 },
1412 
1413  {"include", required_argument, 0, 0},
1414 
1415  {NULL, 0, NULL, 0}
1416  };
1417  // clang-format on
1418 
1419  /* getopt_long stores the option index here. */
1420  int option_index = 0;
1421 
1422  char short_opts[] = "c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1423 
1424  while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1425  switch (opt) {
1426  case 0:
1427  if (strcmp((long_opts[option_index]).name , "pfring") == 0 ||
1428  strcmp((long_opts[option_index]).name , "pfring-int") == 0) {
1429 #ifdef HAVE_PFRING
1430  /* TODO: Which plugin? */
1431  suri->run_mode = RUNMODE_PLUGIN;
1432  suri->capture_plugin_name = "pfring";
1433  if (optarg != NULL) {
1434  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1435  strlcpy(suri->pcap_dev, optarg,
1436  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1437  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1438  LiveRegisterDeviceName(optarg);
1439  }
1440 #else
1441  SCLogError("PF_RING not enabled. Make sure "
1442  "to pass --enable-pfring to configure when building.");
1443  return TM_ECODE_FAILED;
1444 #endif /* HAVE_PFRING */
1445  }
1446  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-id") == 0){
1447 #ifdef HAVE_PFRING
1448  if (ConfSetFinal("pfring.cluster-id", optarg) != 1) {
1449  SCLogError("failed to set pfring.cluster-id");
1450  return TM_ECODE_FAILED;
1451  }
1452 #else
1453  SCLogError("PF_RING not enabled. Make sure "
1454  "to pass --enable-pfring to configure when building.");
1455  return TM_ECODE_FAILED;
1456 #endif /* HAVE_PFRING */
1457  }
1458  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-type") == 0){
1459 #ifdef HAVE_PFRING
1460  if (ConfSetFinal("pfring.cluster-type", optarg) != 1) {
1461  SCLogError("failed to set pfring.cluster-type");
1462  return TM_ECODE_FAILED;
1463  }
1464 #else
1465  SCLogError("PF_RING not enabled. Make sure "
1466  "to pass --enable-pfring to configure when building.");
1467  return TM_ECODE_FAILED;
1468 #endif /* HAVE_PFRING */
1469  }
1470  else if (strcmp((long_opts[option_index]).name , "capture-plugin") == 0){
1471  suri->run_mode = RUNMODE_PLUGIN;
1472  suri->capture_plugin_name = optarg;
1473  }
1474  else if (strcmp((long_opts[option_index]).name , "capture-plugin-args") == 0){
1475  suri->capture_plugin_args = optarg;
1476  } else if (strcmp((long_opts[option_index]).name, "dpdk") == 0) {
1477  if (ParseCommandLineDpdk(suri, optarg) != TM_ECODE_OK) {
1478  return TM_ECODE_FAILED;
1479  }
1480  } else if (strcmp((long_opts[option_index]).name, "af-packet") == 0) {
1481  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1482  return TM_ECODE_FAILED;
1483  }
1484  } else if (strcmp((long_opts[option_index]).name, "af-xdp") == 0) {
1485  if (ParseCommandLineAfxdp(suri, optarg) != TM_ECODE_OK) {
1486  return TM_ECODE_FAILED;
1487  }
1488  } else if (strcmp((long_opts[option_index]).name, "netmap") == 0) {
1489 #ifdef HAVE_NETMAP
1490  if (suri->run_mode == RUNMODE_UNKNOWN) {
1491  suri->run_mode = RUNMODE_NETMAP;
1492  if (optarg) {
1493  LiveRegisterDeviceName(optarg);
1494  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1495  strlcpy(suri->pcap_dev, optarg,
1496  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1497  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1498  }
1499  } else if (suri->run_mode == RUNMODE_NETMAP) {
1500  if (optarg) {
1501  LiveRegisterDeviceName(optarg);
1502  } else {
1503  SCLogInfo("Multiple netmap option without interface on each is useless");
1504  break;
1505  }
1506  } else {
1507  SCLogError("more than one run mode "
1508  "has been specified");
1509  PrintUsage(argv[0]);
1510  return TM_ECODE_FAILED;
1511  }
1512 #else
1513  SCLogError("NETMAP not enabled.");
1514  return TM_ECODE_FAILED;
1515 #endif
1516  } else if (strcmp((long_opts[option_index]).name, "nflog") == 0) {
1517 #ifdef HAVE_NFLOG
1518  if (suri->run_mode == RUNMODE_UNKNOWN) {
1519  suri->run_mode = RUNMODE_NFLOG;
1520  LiveBuildDeviceListCustom("nflog", "group");
1521  }
1522 #else
1523  SCLogError("NFLOG not enabled.");
1524  return TM_ECODE_FAILED;
1525 #endif /* HAVE_NFLOG */
1526  } else if (strcmp((long_opts[option_index]).name, "pcap") == 0) {
1527  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1528  return TM_ECODE_FAILED;
1529  }
1530  } else if (strcmp((long_opts[option_index]).name, "simulate-ips") == 0) {
1531  SCLogInfo("Setting IPS mode");
1532  EngineModeSetIPS();
1533  } else if (strcmp((long_opts[option_index]).name, "init-errors-fatal") == 0) {
1534  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1535  SCLogError("failed to set engine init-failure-fatal");
1536  return TM_ECODE_FAILED;
1537  }
1538 #ifdef BUILD_UNIX_SOCKET
1539  } else if (strcmp((long_opts[option_index]).name , "unix-socket") == 0) {
1540  if (suri->run_mode == RUNMODE_UNKNOWN) {
1541  suri->run_mode = RUNMODE_UNIX_SOCKET;
1542  if (optarg) {
1543  if (ConfSetFinal("unix-command.filename", optarg) != 1) {
1544  SCLogError("failed to set unix-command.filename");
1545  return TM_ECODE_FAILED;
1546  }
1547 
1548  }
1549  } else {
1550  SCLogError("more than one run mode "
1551  "has been specified");
1552  PrintUsage(argv[0]);
1553  return TM_ECODE_FAILED;
1554  }
1555 #endif
1556  }
1557  else if(strcmp((long_opts[option_index]).name, "list-app-layer-protocols") == 0) {
1558  /* listing all supported app layer protocols */
1559  }
1560  else if(strcmp((long_opts[option_index]).name, "list-unittests") == 0) {
1561 #ifdef UNITTESTS
1562  suri->run_mode = RUNMODE_LIST_UNITTEST;
1563 #else
1564  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1565  "configure when building");
1566  return TM_ECODE_FAILED;
1567 #endif /* UNITTESTS */
1568  } else if (strcmp((long_opts[option_index]).name, "list-runmodes") == 0) {
1569  suri->run_mode = RUNMODE_LIST_RUNMODES;
1570  return TM_ECODE_OK;
1571  } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
1572  if (optarg) {
1573  if (strcmp("short", optarg) != 0) {
1574  suri->keyword_info = optarg;
1575  }
1576  }
1577  } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
1578  suri->runmode_custom_mode = optarg;
1579  } else if(strcmp((long_opts[option_index]).name, "engine-analysis") == 0) {
1580  // do nothing for now
1581  }
1582 #ifdef OS_WIN32
1583  else if(strcmp((long_opts[option_index]).name, "service-install") == 0) {
1584  suri->run_mode = RUNMODE_INSTALL_SERVICE;
1585  return TM_ECODE_OK;
1586  }
1587  else if(strcmp((long_opts[option_index]).name, "service-remove") == 0) {
1588  suri->run_mode = RUNMODE_REMOVE_SERVICE;
1589  return TM_ECODE_OK;
1590  }
1591  else if(strcmp((long_opts[option_index]).name, "service-change-params") == 0) {
1592  suri->run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1593  return TM_ECODE_OK;
1594  }
1595 #endif /* OS_WIN32 */
1596  else if(strcmp((long_opts[option_index]).name, "pidfile") == 0) {
1597  suri->pid_filename = SCStrdup(optarg);
1598  if (suri->pid_filename == NULL) {
1599  SCLogError("strdup failed: %s", strerror(errno));
1600  return TM_ECODE_FAILED;
1601  }
1602  }
1603  else if(strcmp((long_opts[option_index]).name, "disable-detection") == 0) {
1604  g_detect_disabled = suri->disabled_detect = 1;
1605  } else if (strcmp((long_opts[option_index]).name, "disable-hashing") == 0) {
1606  g_disable_hashing = true;
1607  // for rust
1608  SCDisableHashing();
1609  } else if (strcmp((long_opts[option_index]).name, "fatal-unittests") == 0) {
1610 #ifdef UNITTESTS
1611  unittests_fatal = 1;
1612 #else
1613  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1614  "configure when building");
1615  return TM_ECODE_FAILED;
1616 #endif /* UNITTESTS */
1617  } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
1618 #ifndef HAVE_LIBCAP_NG
1619  SCLogError("libcap-ng is required to"
1620  " drop privileges, but it was not compiled into Suricata.");
1621  return TM_ECODE_FAILED;
1622 #else
1623  suri->user_name = optarg;
1624  suri->do_setuid = true;
1625 #endif /* HAVE_LIBCAP_NG */
1626  } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
1627 #ifndef HAVE_LIBCAP_NG
1628  SCLogError("libcap-ng is required to"
1629  " drop privileges, but it was not compiled into Suricata.");
1630  return TM_ECODE_FAILED;
1631 #else
1632  suri->group_name = optarg;
1633  suri->do_setgid = true;
1634 #endif /* HAVE_LIBCAP_NG */
1635  } else if (strcmp((long_opts[option_index]).name, "erf-in") == 0) {
1636  suri->run_mode = RUNMODE_ERF_FILE;
1637  if (ConfSetFinal("erf-file.file", optarg) != 1) {
1638  SCLogError("failed to set erf-file.file");
1639  return TM_ECODE_FAILED;
1640  }
1641  } else if (strcmp((long_opts[option_index]).name, "dag") == 0) {
1642 #ifdef HAVE_DAG
1643  if (suri->run_mode == RUNMODE_UNKNOWN) {
1644  suri->run_mode = RUNMODE_DAG;
1645  }
1646  else if (suri->run_mode != RUNMODE_DAG) {
1647  SCLogError("more than one run mode has been specified");
1648  PrintUsage(argv[0]);
1649  return TM_ECODE_FAILED;
1650  }
1651  LiveRegisterDeviceName(optarg);
1652 #else
1653  SCLogError("libdag and a DAG card are required"
1654  " to receive packets using --dag.");
1655  return TM_ECODE_FAILED;
1656 #endif /* HAVE_DAG */
1657  } else if (strcmp((long_opts[option_index]).name, "napatech") == 0) {
1658 #ifdef HAVE_NAPATECH
1659  suri->run_mode = RUNMODE_PLUGIN;
1660 #else
1661  SCLogError("libntapi and a Napatech adapter are required"
1662  " to capture packets using --napatech.");
1663  return TM_ECODE_FAILED;
1664 #endif /* HAVE_NAPATECH */
1665  } else if (strcmp((long_opts[option_index]).name, "pcap-buffer-size") == 0) {
1666 #ifdef HAVE_PCAP_SET_BUFF
1667  if (ConfSetFinal("pcap.buffer-size", optarg) != 1) {
1668  SCLogError("failed to set pcap-buffer-size");
1669  return TM_ECODE_FAILED;
1670  }
1671 #else
1672  SCLogError("The version of libpcap you have"
1673  " doesn't support setting buffer size.");
1674 #endif /* HAVE_PCAP_SET_BUFF */
1675  } else if (strcmp((long_opts[option_index]).name, "build-info") == 0) {
1676  suri->run_mode = RUNMODE_PRINT_BUILDINFO;
1677  return TM_ECODE_OK;
1678  } else if (strcmp((long_opts[option_index]).name, "windivert-forward") == 0) {
1679 #ifdef WINDIVERT
1680  if (suri->run_mode == RUNMODE_UNKNOWN) {
1681  suri->run_mode = RUNMODE_WINDIVERT;
1682  if (WinDivertRegisterQueue(true, optarg) == -1) {
1683  exit(EXIT_FAILURE);
1684  }
1685  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1686  if (WinDivertRegisterQueue(true, optarg) == -1) {
1687  exit(EXIT_FAILURE);
1688  }
1689  } else {
1690  SCLogError("more than one run mode "
1691  "has been specified");
1692  PrintUsage(argv[0]);
1693  exit(EXIT_FAILURE);
1694  }
1695  }
1696  else if(strcmp((long_opts[option_index]).name, "windivert") == 0) {
1697  if (suri->run_mode == RUNMODE_UNKNOWN) {
1698  suri->run_mode = RUNMODE_WINDIVERT;
1699  if (WinDivertRegisterQueue(false, optarg) == -1) {
1700  exit(EXIT_FAILURE);
1701  }
1702  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1703  if (WinDivertRegisterQueue(false, optarg) == -1) {
1704  exit(EXIT_FAILURE);
1705  }
1706  } else {
1707  SCLogError("more than one run mode "
1708  "has been specified");
1709  PrintUsage(argv[0]);
1710  exit(EXIT_FAILURE);
1711  }
1712 #else
1713  SCLogError("WinDivert not enabled. Make sure to pass --enable-windivert to "
1714  "configure when building.");
1715  return TM_ECODE_FAILED;
1716 #endif /* WINDIVERT */
1717  } else if(strcmp((long_opts[option_index]).name, "reject-dev") == 0) {
1718 #ifdef HAVE_LIBNET11
1719  BUG_ON(optarg == NULL); /* for static analysis */
1720  extern char *g_reject_dev;
1721  extern uint16_t g_reject_dev_mtu;
1722  g_reject_dev = optarg;
1723  int mtu = GetIfaceMTU(g_reject_dev);
1724  if (mtu > 0) {
1725  g_reject_dev_mtu = (uint16_t)mtu;
1726  }
1727 #else
1728  SCLogError("Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1729  return TM_ECODE_FAILED;
1730 #endif
1731  }
1732  else if (strcmp((long_opts[option_index]).name, "set") == 0) {
1733  if (optarg != NULL) {
1734  /* Quick validation. */
1735  char *val = strchr(optarg, '=');
1736  if (val == NULL) {
1737  FatalError("Invalid argument for --set, must be key=val.");
1738  }
1739  if (!ConfSetFromString(optarg, 1)) {
1740  FatalError("failed to set configuration value %s", optarg);
1741  }
1742  }
1743  }
1744  else if (strcmp((long_opts[option_index]).name, "pcap-file-continuous") == 0) {
1745  if (ConfSetFinal("pcap-file.continuous", "true") != 1) {
1746  SCLogError("Failed to set pcap-file.continuous");
1747  return TM_ECODE_FAILED;
1748  }
1749  }
1750  else if (strcmp((long_opts[option_index]).name, "pcap-file-delete") == 0) {
1751  if (ConfSetFinal("pcap-file.delete-when-done", "true") != 1) {
1752  SCLogError("Failed to set pcap-file.delete-when-done");
1753  return TM_ECODE_FAILED;
1754  }
1755  }
1756  else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
1757  if (ConfSetFinal("pcap-file.recursive", "true") != 1) {
1758  SCLogError("failed to set pcap-file.recursive");
1759  return TM_ECODE_FAILED;
1760  }
1761  } else if (strcmp((long_opts[option_index]).name, "pcap-file-buffer-size") == 0) {
1762  if (ConfSetFinal("pcap-file.buffer-size", optarg) != 1) {
1763  SCLogError("failed to set pcap-file.buffer-size");
1764  return TM_ECODE_FAILED;
1765  }
1766  } else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
1767  if (optarg == NULL) {
1768  SCLogError("no option argument (optarg) for -d");
1769  return TM_ECODE_FAILED;
1770  }
1771 
1772  if (ConfigSetDataDirectory(optarg) != TM_ECODE_OK) {
1773  SCLogError("Failed to set data directory.");
1774  return TM_ECODE_FAILED;
1775  }
1776  if (ConfigCheckDataDirectory(optarg) != TM_ECODE_OK) {
1777  SCLogError("The data directory \"%s\""
1778  " supplied at the command-line (-d %s) doesn't "
1779  "exist. Shutting down the engine.",
1780  optarg, optarg);
1781  return TM_ECODE_FAILED;
1782  }
1783  suri->set_datadir = true;
1784  } else if (strcmp((long_opts[option_index]).name, "strict-rule-keywords") == 0) {
1785  if (optarg == NULL) {
1786  suri->strict_rule_parsing_string = SCStrdup("all");
1787  } else {
1788  suri->strict_rule_parsing_string = SCStrdup(optarg);
1789  }
1790  if (suri->strict_rule_parsing_string == NULL) {
1791  FatalError("failed to duplicate 'strict' string");
1792  }
1793  } else if (strcmp((long_opts[option_index]).name, "include") == 0) {
1794  if (suri->additional_configs == NULL) {
1795  suri->additional_configs = SCCalloc(2, sizeof(char *));
1796  if (suri->additional_configs == NULL) {
1797  FatalError(
1798  "Failed to allocate memory for additional configuration files: %s",
1799  strerror(errno));
1800  }
1801  suri->additional_configs[0] = optarg;
1802  } else {
1803  for (int i = 0;; i++) {
1804  if (suri->additional_configs[i] == NULL) {
1805  const char **additional_configs =
1806  SCRealloc(suri->additional_configs, (i + 2) * sizeof(char *));
1807  if (additional_configs == NULL) {
1808  FatalError("Failed to allocate memory for additional configuration "
1809  "files: %s",
1810  strerror(errno));
1811  } else {
1812  suri->additional_configs = additional_configs;
1813  }
1814  suri->additional_configs[i] = optarg;
1815  suri->additional_configs[i + 1] = NULL;
1816  break;
1817  }
1818  }
1819  }
1820  } else {
1821  int r = ExceptionSimulationCommandLineParser(
1822  (long_opts[option_index]).name, optarg);
1823  if (r < 0)
1824  return TM_ECODE_FAILED;
1825  }
1826  break;
1827  case 'c':
1828  suri->conf_filename = optarg;
1829  break;
1830  case 'T':
1831  conf_test = 1;
1832  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1833  SCLogError("failed to set engine init-failure-fatal");
1834  return TM_ECODE_FAILED;
1835  }
1836  break;
1837 #ifndef OS_WIN32
1838  case 'D':
1839  suri->daemon = 1;
1840  break;
1841 #endif /* OS_WIN32 */
1842  case 'h':
1843  suri->run_mode = RUNMODE_PRINT_USAGE;
1844  return TM_ECODE_OK;
1845  case 'i':
1846  if (optarg == NULL) {
1847  SCLogError("no option argument (optarg) for -i");
1848  return TM_ECODE_FAILED;
1849  }
1850 #ifdef HAVE_AF_PACKET
1851  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1852  return TM_ECODE_FAILED;
1853  }
1854 #else /* not afpacket */
1855  /* warn user if netmap is available */
1856 #if defined HAVE_NETMAP
1857  int i = 0;
1858 #ifdef HAVE_NETMAP
1859  i++;
1860 #endif
1861  SCLogWarning("faster capture "
1862  "option%s %s available:"
1863 #ifdef HAVE_NETMAP
1864  " NETMAP (--netmap=%s)"
1865 #endif
1866  ". Use --pcap=%s to suppress this warning",
1867  i == 1 ? "" : "s", i == 1 ? "is" : "are"
1868 #ifdef HAVE_NETMAP
1869  ,
1870  optarg
1871 #endif
1872  ,
1873  optarg);
1874 #endif /* have faster methods */
1875  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1876  return TM_ECODE_FAILED;
1877  }
1878 #endif
1879  break;
1880  case 'l':
1881  if (optarg == NULL) {
1882  SCLogError("no option argument (optarg) for -l");
1883  return TM_ECODE_FAILED;
1884  }
1885 
1886  if (ConfigSetLogDirectory(optarg) != TM_ECODE_OK) {
1887  SCLogError("Failed to set log directory.");
1888  return TM_ECODE_FAILED;
1889  }
1890  if (ConfigCheckLogDirectoryExists(optarg) != TM_ECODE_OK) {
1891  SCLogError("The logging directory \"%s\""
1892  " supplied at the command-line (-l %s) doesn't "
1893  "exist. Shutting down the engine.",
1894  optarg, optarg);
1895  return TM_ECODE_FAILED;
1896  }
1897  if (!IsLogDirectoryWritable(optarg)) {
1898  SCLogError("The logging directory \"%s\""
1899  " supplied at the command-line (-l %s) is not "
1900  "writable. Shutting down the engine.",
1901  optarg, optarg);
1902  return TM_ECODE_FAILED;
1903  }
1904  suri->set_logdir = true;
1905 
1906  break;
1907  case 'q':
1908 #ifdef NFQ
1909  if (suri->run_mode == RUNMODE_UNKNOWN) {
1910  suri->run_mode = RUNMODE_NFQ;
1911  EngineModeSetIPS();
1912  if (NFQParseAndRegisterQueues(optarg) == -1)
1913  return TM_ECODE_FAILED;
1914  } else if (suri->run_mode == RUNMODE_NFQ) {
1915  if (NFQParseAndRegisterQueues(optarg) == -1)
1916  return TM_ECODE_FAILED;
1917  } else {
1918  SCLogError("more than one run mode "
1919  "has been specified");
1920  PrintUsage(argv[0]);
1921  return TM_ECODE_FAILED;
1922  }
1923 #else
1924  SCLogError("NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when "
1925  "building.");
1926  return TM_ECODE_FAILED;
1927 #endif /* NFQ */
1928  break;
1929  case 'd':
1930 #ifdef IPFW
1931  if (suri->run_mode == RUNMODE_UNKNOWN) {
1932  suri->run_mode = RUNMODE_IPFW;
1933  EngineModeSetIPS();
1934  if (IPFWRegisterQueue(optarg) == -1)
1935  return TM_ECODE_FAILED;
1936  } else if (suri->run_mode == RUNMODE_IPFW) {
1937  if (IPFWRegisterQueue(optarg) == -1)
1938  return TM_ECODE_FAILED;
1939  } else {
1940  SCLogError("more than one run mode "
1941  "has been specified");
1942  PrintUsage(argv[0]);
1943  return TM_ECODE_FAILED;
1944  }
1945 #else
1946  SCLogError("IPFW not enabled. Make sure to pass --enable-ipfw to configure when "
1947  "building.");
1948  return TM_ECODE_FAILED;
1949 #endif /* IPFW */
1950  break;
1951  case 'r':
1952  BUG_ON(optarg == NULL); /* for static analysis */
1953  if (suri->run_mode == RUNMODE_UNKNOWN) {
1954  suri->run_mode = RUNMODE_PCAP_FILE;
1955  } else {
1956  SCLogError("more than one run mode "
1957  "has been specified");
1958  PrintUsage(argv[0]);
1959  return TM_ECODE_FAILED;
1960  }
1961  SCStat buf;
1962  if (SCStatFn(optarg, &buf) != 0) {
1963  SCLogError("pcap file '%s': %s", optarg, strerror(errno));
1964  return TM_ECODE_FAILED;
1965  }
1966  if (ConfSetFinal("pcap-file.file", optarg) != 1) {
1967  SCLogError("ERROR: Failed to set pcap-file.file\n");
1968  return TM_ECODE_FAILED;
1969  }
1970 
1971  break;
1972  case 's':
1973  if (suri->sig_file != NULL) {
1974  SCLogError("can't have multiple -s options or mix -s and -S.");
1975  return TM_ECODE_FAILED;
1976  }
1977  suri->sig_file = optarg;
1978  break;
1979  case 'S':
1980  if (suri->sig_file != NULL) {
1981  SCLogError("can't have multiple -S options or mix -s and -S.");
1982  return TM_ECODE_FAILED;
1983  }
1984  suri->sig_file = optarg;
1985  suri->sig_file_exclusive = true;
1986  break;
1987  case 'u':
1988 #ifdef UNITTESTS
1989  if (suri->run_mode == RUNMODE_UNKNOWN) {
1990  suri->run_mode = RUNMODE_UNITTEST;
1991  } else {
1992  SCLogError("more than one run mode has"
1993  " been specified");
1994  PrintUsage(argv[0]);
1995  return TM_ECODE_FAILED;
1996  }
1997 #else
1998  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to configure "
1999  "when building.");
2000  return TM_ECODE_FAILED;
2001 #endif /* UNITTESTS */
2002  break;
2003  case 'U':
2004 #ifdef UNITTESTS
2005  suri->regex_arg = optarg;
2006 
2007  if(strlen(suri->regex_arg) == 0)
2008  suri->regex_arg = NULL;
2009 #endif
2010  break;
2011  case 'V':
2012  suri->run_mode = RUNMODE_PRINT_VERSION;
2013  return TM_ECODE_OK;
2014  case 'F':
2015  if (optarg == NULL) {
2016  SCLogError("no option argument (optarg) for -F");
2017  return TM_ECODE_FAILED;
2018  }
2019 
2020  SetBpfStringFromFile(optarg);
2021  break;
2022  case 'v':
2023  suri->verbose++;
2024  break;
2025  case 'k':
2026  if (optarg == NULL) {
2027  SCLogError("no option argument (optarg) for -k");
2028  return TM_ECODE_FAILED;
2029  }
2030  if (!strcmp("all", optarg))
2031  suri->checksum_validation = 1;
2032  else if (!strcmp("none", optarg))
2033  suri->checksum_validation = 0;
2034  else {
2035  SCLogError("option '%s' invalid for -k", optarg);
2036  return TM_ECODE_FAILED;
2037  }
2038  break;
2039  default:
2040  PrintUsage(argv[0]);
2041  return TM_ECODE_FAILED;
2042  }
2043  }
2044 
2045  if (suri->disabled_detect && suri->sig_file != NULL) {
2046  SCLogError("can't use -s/-S when detection is disabled");
2047  return TM_ECODE_FAILED;
2048  }
2049 
2050  /* save the runmode from the command-line (if any) */
2051  suri->aux_run_mode = suri->run_mode;
2052 
2053  if (list_app_layer_protocols)
2054  suri->run_mode = RUNMODE_LIST_APP_LAYERS;
2055  if (list_keywords)
2056  suri->run_mode = RUNMODE_LIST_KEYWORDS;
2057  if (list_unittests)
2058  suri->run_mode = RUNMODE_LIST_UNITTEST;
2059  if (dump_config)
2060  suri->run_mode = RUNMODE_DUMP_CONFIG;
2061  if (dump_features)
2062  suri->run_mode = RUNMODE_DUMP_FEATURES;
2063  if (conf_test)
2064  suri->run_mode = RUNMODE_CONF_TEST;
2065  if (engine_analysis)
2066  suri->run_mode = RUNMODE_ENGINE_ANALYSIS;
2067 
2068  suri->offline = IsRunModeOffline(suri->run_mode);
2069  g_system = suri->system = IsRunModeSystem(suri->run_mode);
2070 
2071  ret = SetBpfString(optind, argv);
2072  if (ret != TM_ECODE_OK)
2073  return ret;
2074 
2075  return TM_ECODE_OK;
2076 }
2077 
2078 #ifdef OS_WIN32
2079 int WindowsInitService(int argc, char **argv)
2080 {
2081  if (SCRunningAsService()) {
2082  char path[MAX_PATH];
2083  char *p = NULL;
2084  strlcpy(path, argv[0], MAX_PATH);
2085  if ((p = strrchr(path, '\\'))) {
2086  *p = '\0';
2087  }
2088  if (!SetCurrentDirectory(path)) {
2089  SCLogError("Can't set current directory to: %s", path);
2090  return -1;
2091  }
2092  SCLogInfo("Current directory is set to: %s", path);
2093  SCServiceInit(argc, argv);
2094  }
2095 
2096  /* Windows socket subsystem initialization */
2097  WSADATA wsaData;
2098  if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2099  SCLogError("Can't initialize Windows sockets: %d", WSAGetLastError());
2100  return -1;
2101  }
2102 
2103  return 0;
2104 }
2105 #endif /* OS_WIN32 */
2106 
2107 static int MayDaemonize(SCInstance *suri)
2108 {
2109  if (suri->daemon == 1 && suri->pid_filename == NULL) {
2110  const char *pid_filename;
2111 
2112  if (ConfGet("pid-file", &pid_filename) == 1) {
2113  SCLogInfo("Use pid file %s from config file.", pid_filename);
2114  } else {
2115  pid_filename = DEFAULT_PID_FILENAME;
2116  }
2117  /* The pid file name may be in config memory, but is needed later. */
2118  suri->pid_filename = SCStrdup(pid_filename);
2119  if (suri->pid_filename == NULL) {
2120  SCLogError("strdup failed: %s", strerror(errno));
2121  return TM_ECODE_FAILED;
2122  }
2123  }
2124 
2125  if (suri->pid_filename != NULL && SCPidfileTestRunning(suri->pid_filename) != 0) {
2126  SCFree(suri->pid_filename);
2127  suri->pid_filename = NULL;
2128  return TM_ECODE_FAILED;
2129  }
2130 
2131  if (suri->daemon == 1) {
2132  Daemonize();
2133  }
2134 
2135  if (suri->pid_filename != NULL) {
2136  if (SCPidfileCreate(suri->pid_filename) != 0) {
2137  SCFree(suri->pid_filename);
2138  suri->pid_filename = NULL;
2139  SCLogError("Unable to create PID file, concurrent run of"
2140  " Suricata can occur.");
2141  SCLogError("PID file creation WILL be mandatory for daemon mode"
2142  " in future version");
2143  }
2144  }
2145 
2146  return TM_ECODE_OK;
2147 }
2148 
2149 /* Initialize the user and group Suricata is to run as. */
2150 static int InitRunAs(SCInstance *suri)
2151 {
2152 #ifndef OS_WIN32
2153  /* Try to get user/group to run suricata as if
2154  command line as not decide of that */
2155  if (!suri->do_setuid && !suri->do_setgid) {
2156  const char *id;
2157  if (ConfGet("run-as.user", &id) == 1) {
2158  suri->do_setuid = true;
2159  suri->user_name = id;
2160  }
2161  if (ConfGet("run-as.group", &id) == 1) {
2162  suri->do_setgid = true;
2163  suri->group_name = id;
2164  }
2165  }
2166  /* Get the suricata user ID to given user ID */
2167  if (suri->do_setuid) {
2168  SCGetUserID(suri->user_name, suri->group_name, &suri->userid, &suri->groupid);
2169  sc_set_caps = true;
2170  /* Get the suricata group ID to given group ID */
2171  } else if (suri->do_setgid) {
2172  SCGetGroupID(suri->group_name, &suri->groupid);
2173  sc_set_caps = true;
2174  }
2175 #endif
2176  return TM_ECODE_OK;
2177 }
2178 
2179 static int InitSignalHandler(SCInstance *suri)
2180 {
2181  /* registering signals we use */
2182 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2183  UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint);
2184  UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm);
2185 #if HAVE_LIBUNWIND
2186  int enabled;
2187  if (ConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) {
2188  enabled = 1;
2189  }
2190 
2191  if (enabled) {
2192  SCLogInfo("Preparing unexpected signal handling");
2193  struct sigaction stacktrace_action;
2194  memset(&stacktrace_action, 0, sizeof(stacktrace_action));
2195  stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2196  stacktrace_action.sa_flags = SA_SIGINFO;
2197  sigaction(SIGSEGV, &stacktrace_action, NULL);
2198  sigaction(SIGABRT, &stacktrace_action, NULL);
2199  }
2200 #endif /* HAVE_LIBUNWIND */
2201 #endif
2202 #ifndef OS_WIN32
2203  UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup);
2204  UtilSignalHandlerSetup(SIGPIPE, SIG_IGN);
2205  UtilSignalHandlerSetup(SIGSYS, SIG_IGN);
2206 #endif /* OS_WIN32 */
2207 
2208  return TM_ECODE_OK;
2209 }
2210 
2211 /* initialization code for both the main modes and for
2212  * unix socket mode.
2213  *
2214  * Will be run once per pcap in unix-socket mode */
2215 void PreRunInit(const int runmode)
2216 {
2217  if (runmode == RUNMODE_UNIX_SOCKET)
2218  return;
2219 
2220  StatsInit();
2221 #ifdef PROFILE_RULES
2222  SCProfilingRulesGlobalInit();
2223 #endif
2224 #ifdef PROFILING
2225  SCProfilingKeywordsGlobalInit();
2226  SCProfilingPrefilterGlobalInit();
2227  SCProfilingSghsGlobalInit();
2228 #endif /* PROFILING */
2229 #ifdef PROFILE_RULES
2230  SCProfilingInit();
2231 #endif
2232  DefragInit();
2233  FlowInitConfig(FLOW_QUIET);
2234  IPPairInitConfig(FLOW_QUIET);
2235  StreamTcpInitConfig(STREAM_VERBOSE);
2236  AppLayerParserPostStreamSetup();
2237  AppLayerRegisterGlobalCounters();
2238  OutputFilestoreRegisterGlobalCounters();
2239  HttpRangeContainersInit();
2240 }
2241 
2242 /* tasks we need to run before packets start flowing,
2243  * but after we dropped privs */
2244 void PreRunPostPrivsDropInit(const int runmode)
2245 {
2246  if (runmode == RUNMODE_UNIX_SOCKET) {
2247  return;
2248  }
2249 
2250  StatsSetupPostConfigPreOutput();
2251  RunModeInitializeOutputs();
2252  DatasetsInit();
2253  StatsSetupPostConfigPostOutput();
2254 }
2255 
2256 /** \brief clean up / shutdown code for packet modes
2257  *
2258  * Shuts down packet modes, so regular packet runmodes and the
2259  * per pcap mode in the unix socket. */
2260 void PostRunDeinit(const int runmode, struct timeval *start_time)
2261 {
2262  if (runmode == RUNMODE_UNIX_SOCKET)
2263  return;
2264 
2265  TmThreadsUnsealThreads();
2266 
2267  /* needed by FlowWorkToDoCleanup */
2268  PacketPoolInit();
2269 
2270  /* handle graceful shutdown of the flow engine, it's helper
2271  * threads and the packet threads */
2272  FlowDisableFlowManagerThread();
2273  TmThreadDisableReceiveThreads();
2274  FlowWorkToDoCleanup();
2275  TmThreadDisablePacketThreads();
2276  SCPrintElapsedTime(start_time);
2277  FlowDisableFlowRecyclerThread();
2278 
2279  /* kill the stats threads */
2280  TmThreadKillThreadsFamily(TVT_MGMT);
2281  TmThreadClearThreadsFamily(TVT_MGMT);
2282 
2283  /* kill packet threads -- already in 'disabled' state */
2284  TmThreadKillThreadsFamily(TVT_PPT);
2285  TmThreadClearThreadsFamily(TVT_PPT);
2286 
2287  PacketPoolDestroy();
2288 
2289  /* mgt and ppt threads killed, we can run non thread-safe
2290  * shutdown functions */
2291  StatsReleaseResources();
2292  DecodeUnregisterCounters();
2293  RunModeShutDown();
2294  FlowShutdown();
2295  IPPairShutdown();
2296  HostCleanup();
2297  StreamTcpFreeConfig(STREAM_VERBOSE);
2298  DefragDestroy();
2299  HttpRangeContainersDestroy();
2300 
2301  TmqResetQueues();
2302 #ifdef PROFILING
2303  if (profiling_packets_enabled)
2304  SCProfilingDump();
2305  SCProfilingDestroy();
2306 #endif
2307 }
2308 
2309 int SCStartInternalRunMode(int argc, char **argv)
2310 {
2311  SCInstance *suri = &suricata;
2312  /* Treat internal running mode */
2313  switch (suri->run_mode) {
2314  case RUNMODE_LIST_KEYWORDS:
2315  return ListKeywords(suri->keyword_info);
2316  case RUNMODE_LIST_APP_LAYERS:
2317  if (suri->conf_filename != NULL) {
2318  return ListAppLayerProtocols(suri->conf_filename);
2319  } else {
2320  return ListAppLayerProtocols(DEFAULT_CONF_FILE);
2321  }
2322  case RUNMODE_PRINT_VERSION:
2323  PrintVersion();
2324  return TM_ECODE_DONE;
2325  case RUNMODE_PRINT_BUILDINFO:
2326  PrintBuildInfo();
2327  return TM_ECODE_DONE;
2328  case RUNMODE_PRINT_USAGE:
2329  PrintUsage(argv[0]);
2330  return TM_ECODE_DONE;
2331  case RUNMODE_LIST_RUNMODES:
2332  RunModeListRunmodes();
2333  return TM_ECODE_DONE;
2334  case RUNMODE_LIST_UNITTEST:
2335  RunUnittests(1, suri->regex_arg);
2336  case RUNMODE_UNITTEST:
2337  RunUnittests(0, suri->regex_arg);
2338 #ifdef OS_WIN32
2339  case RUNMODE_INSTALL_SERVICE:
2340  if (SCServiceInstall(argc, argv)) {
2341  return TM_ECODE_FAILED;
2342  }
2343  SCLogInfo("Suricata service has been successfully installed.");
2344  return TM_ECODE_DONE;
2345  case RUNMODE_REMOVE_SERVICE:
2346  if (SCServiceRemove()) {
2347  return TM_ECODE_FAILED;
2348  }
2349  SCLogInfo("Suricata service has been successfully removed.");
2350  return TM_ECODE_DONE;
2351  case RUNMODE_CHANGE_SERVICE_PARAMS:
2352  if (SCServiceChangeParams(argc, argv)) {
2353  return TM_ECODE_FAILED;
2354  }
2355  SCLogInfo("Suricata service startup parameters has been successfully changed.");
2356  return TM_ECODE_DONE;
2357 #endif /* OS_WIN32 */
2358  default:
2359  /* simply continue for other running mode */
2360  break;
2361  }
2362  return TM_ECODE_OK;
2363 }
2364 
2365 int SCFinalizeRunMode(void)
2366 {
2367  SCInstance *suri = &suricata;
2368  switch (suri->run_mode) {
2369  case RUNMODE_UNKNOWN:
2370  PrintUsage(suri->progname);
2371  return TM_ECODE_FAILED;
2372  default:
2373  break;
2374  }
2375 
2376  if (!CheckValidDaemonModes(suri->daemon, suri->run_mode)) {
2377  return TM_ECODE_FAILED;
2378  }
2379 
2380  return TM_ECODE_OK;
2381 }
2382 
2383 static void SetupDelayedDetect(SCInstance *suri)
2384 {
2385  /* In offline mode delayed init of detect is a bad idea */
2386  if (suri->offline) {
2387  suri->delayed_detect = 0;
2388  } else {
2389  if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
2390  ConfNode *denode = NULL;
2391  ConfNode *decnf = ConfGetNode("detect-engine");
2392  if (decnf != NULL) {
2393  TAILQ_FOREACH(denode, &decnf->head, next) {
2394  if (strcmp(denode->val, "delayed-detect") == 0) {
2395  (void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
2396  }
2397  }
2398  }
2399  }
2400  }
2401 
2402  SCLogConfig("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled");
2403  if (suri->delayed_detect) {
2404  SCLogInfo("Packets will start being processed before signatures are active.");
2405  }
2406 
2407 }
2408 
2409 static int LoadSignatures(DetectEngineCtx *de_ctx, SCInstance *suri)
2410 {
2411  if (SigLoadSignatures(de_ctx, suri->sig_file, suri->sig_file_exclusive) < 0) {
2412  SCLogError("Loading signatures failed.");
2413  if (de_ctx->failure_fatal)
2414  return TM_ECODE_FAILED;
2415  }
2416 
2417  return TM_ECODE_OK;
2418 }
2419 
2420 static int ConfigGetCaptureValue(SCInstance *suri)
2421 {
2422  /* Pull the max pending packets from the config, if not found fall
2423  * back on a sane default. */
2424  intmax_t tmp_max_pending_packets;
2425  if (ConfGetInt("max-pending-packets", &tmp_max_pending_packets) != 1)
2426  tmp_max_pending_packets = DEFAULT_MAX_PENDING_PACKETS;
2427  if (tmp_max_pending_packets < 1 || tmp_max_pending_packets > 2147483648) {
2428  SCLogError("Maximum max-pending-packets setting is 2147483648 and must be greater than 0. "
2429  "Please check %s for errors",
2430  suri->conf_filename);
2431  return TM_ECODE_FAILED;
2432  } else {
2433  max_pending_packets = (uint32_t)tmp_max_pending_packets;
2434  }
2435 
2436  SCLogDebug("Max pending packets set to %" PRIu32, max_pending_packets);
2437 
2438  /* Pull the default packet size from the config, if not found fall
2439  * back on a sane default. */
2440  const char *temp_default_packet_size;
2441  if ((ConfGet("default-packet-size", &temp_default_packet_size)) != 1) {
2442  int lthread;
2443  int nlive;
2444  int strip_trailing_plus = 0;
2445  switch (suri->run_mode) {
2446 #ifdef WINDIVERT
2447  case RUNMODE_WINDIVERT: {
2448  /* by default, WinDivert collects from all devices */
2449  const int mtu = GetGlobalMTUWin32();
2450 
2451  if (mtu > 0) {
2452  /* SLL_HEADER_LEN is the longest header + 8 for VLAN */
2453  default_packet_size = mtu + SLL_HEADER_LEN + 8;
2454  break;
2455  }
2456  default_packet_size = DEFAULT_PACKET_SIZE;
2457  break;
2458  }
2459 #endif /* WINDIVERT */
2460  case RUNMODE_NETMAP:
2461  /* in netmap igb0+ has a special meaning, however the
2462  * interface really is igb0 */
2463  strip_trailing_plus = 1;
2464  /* fall through */
2465  case RUNMODE_PLUGIN:
2466  case RUNMODE_PCAP_DEV:
2467  case RUNMODE_AFP_DEV:
2468  case RUNMODE_AFXDP_DEV:
2469  nlive = LiveGetDeviceCount();
2470  for (lthread = 0; lthread < nlive; lthread++) {
2471  const char *live_dev = LiveGetDeviceName(lthread);
2472  char dev[128]; /* need to be able to support GUID names on Windows */
2473  (void)strlcpy(dev, live_dev, sizeof(dev));
2474 
2475  if (strip_trailing_plus) {
2476  size_t len = strlen(dev);
2477  if (len &&
2478  (dev[len-1] == '+' ||
2479  dev[len-1] == '^' ||
2480  dev[len-1] == '*'))
2481  {
2482  dev[len-1] = '\0';
2483  }
2484  }
2485  LiveDevice *ld = LiveGetDevice(dev);
2486  unsigned int iface_max_packet_size = GetIfaceMaxPacketSize(ld);
2487  if (iface_max_packet_size > default_packet_size)
2488  default_packet_size = iface_max_packet_size;
2489  }
2490  if (default_packet_size)
2491  break;
2492  /* fall through */
2493  default:
2494  default_packet_size = DEFAULT_PACKET_SIZE;
2495  }
2496  } else {
2497  if (ParseSizeStringU32(temp_default_packet_size, &default_packet_size) < 0) {
2498  SCLogError("Error parsing max-pending-packets "
2499  "from conf file - %s. Killing engine",
2500  temp_default_packet_size);
2501  return TM_ECODE_FAILED;
2502  }
2503  }
2504 
2505  SCLogDebug("Default packet size set to %"PRIu32, default_packet_size);
2506 
2507  return TM_ECODE_OK;
2508 }
2509 
2510 static void PostRunStartedDetectSetup(const SCInstance *suri)
2511 {
2512 #ifndef OS_WIN32
2513  /* registering signal handlers we use. We setup usr2 here, so that one
2514  * can't call it during the first sig load phase or while threads are still
2515  * starting up. */
2516  if (DetectEngineEnabled() && suri->delayed_detect == 0) {
2517  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2518  UtilSignalUnblock(SIGUSR2);
2519  }
2520 #endif
2521  if (suri->delayed_detect) {
2522  /* force 'reload', this will load the rules and swap engines */
2523  DetectEngineReload(suri);
2524  SCLogNotice("Signature(s) loaded, Detect thread(s) activated.");
2525 #ifndef OS_WIN32
2526  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2527  UtilSignalUnblock(SIGUSR2);
2528 #endif
2529  }
2530 }
2531 
2532 void PostConfLoadedDetectSetup(SCInstance *suri)
2533 {
2534  DetectEngineCtx *de_ctx = NULL;
2535  if (!suri->disabled_detect) {
2536  SetupDelayedDetect(suri);
2537  int mt_enabled = 0;
2538  (void)ConfGetBool("multi-detect.enabled", &mt_enabled);
2539  int default_tenant = 0;
2540  if (mt_enabled)
2541  (void)ConfGetBool("multi-detect.default", &default_tenant);
2542  if (DetectEngineMultiTenantSetup(suri->unix_socket_enabled) == -1) {
2543  FatalError("initializing multi-detect "
2544  "detection engine contexts failed.");
2545  }
2546  if (suri->delayed_detect && suri->run_mode != RUNMODE_CONF_TEST) {
2547  de_ctx = DetectEngineCtxInitStubForDD();
2548  } else if (mt_enabled && !default_tenant && suri->run_mode != RUNMODE_CONF_TEST) {
2549  de_ctx = DetectEngineCtxInitStubForMT();
2550  } else {
2551  de_ctx = DetectEngineCtxInit();
2552  }
2553  if (de_ctx == NULL) {
2554  FatalError("initializing detection engine failed.");
2555  }
2556 
2557  if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL) {
2558  if (LoadSignatures(de_ctx, suri) != TM_ECODE_OK)
2559  exit(EXIT_FAILURE);
2560  }
2561 
2562  gettimeofday(&de_ctx->last_reload, NULL);
2563  DetectEngineAddToMaster(de_ctx);
2564  DetectEngineBumpVersion();
2565  }
2566 }
2567 
2568 static void PostConfLoadedSetupHostMode(void)
2569 {
2570  const char *hostmode = NULL;
2571 
2572  if (ConfGet("host-mode", &hostmode) == 1) {
2573  if (!strcmp(hostmode, "router")) {
2574  host_mode = SURI_HOST_IS_ROUTER;
2575  } else if (!strcmp(hostmode, "sniffer-only")) {
2576  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2577  } else {
2578  if (strcmp(hostmode, "auto") != 0) {
2579  WarnInvalidConfEntry("host-mode", "%s", "auto");
2580  }
2581  if (EngineModeIsIPS()) {
2582  host_mode = SURI_HOST_IS_ROUTER;
2583  } else {
2584  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2585  }
2586  }
2587  } else {
2588  if (EngineModeIsIPS()) {
2589  host_mode = SURI_HOST_IS_ROUTER;
2590  SCLogInfo("No 'host-mode': suricata is in IPS mode, using "
2591  "default setting 'router'");
2592  } else {
2593  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2594  SCLogInfo("No 'host-mode': suricata is in IDS mode, using "
2595  "default setting 'sniffer-only'");
2596  }
2597  }
2598 }
2599 
2600 static void SetupUserMode(SCInstance *suri)
2601 {
2602  /* apply 'user mode' config updates here */
2603  if (!suri->system) {
2604  if (!suri->set_logdir) {
2605  /* override log dir to current work dir" */
2606  if (ConfigSetLogDirectory((char *)".") != TM_ECODE_OK) {
2607  FatalError("could not set USER mode logdir");
2608  }
2609  }
2610  if (!suri->set_datadir) {
2611  /* override data dir to current work dir" */
2612  if (ConfigSetDataDirectory((char *)".") != TM_ECODE_OK) {
2613  FatalError("could not set USER mode datadir");
2614  }
2615  }
2616  }
2617 }
2618 
2619 /**
2620  * This function is meant to contain code that needs
2621  * to be run once the configuration has been loaded.
2622  */
2623 int PostConfLoadedSetup(SCInstance *suri)
2624 {
2625  /* load the pattern matchers */
2626  MpmTableSetup();
2627  SpmTableSetup();
2628 
2629  int disable_offloading;
2630  if (ConfGetBool("capture.disable-offloading", &disable_offloading) == 0)
2631  disable_offloading = 1;
2632  if (disable_offloading) {
2633  LiveSetOffloadDisable();
2634  } else {
2635  LiveSetOffloadWarn();
2636  }
2637 
2638  if (suri->checksum_validation == -1) {
2639  const char *cv = NULL;
2640  if (ConfGet("capture.checksum-validation", &cv) == 1) {
2641  if (strcmp(cv, "none") == 0) {
2642  suri->checksum_validation = 0;
2643  } else if (strcmp(cv, "all") == 0) {
2644  suri->checksum_validation = 1;
2645  }
2646  }
2647  }
2648  switch (suri->checksum_validation) {
2649  case 0:
2650  ConfSet("stream.checksum-validation", "0");
2651  break;
2652  case 1:
2653  ConfSet("stream.checksum-validation", "1");
2654  break;
2655  }
2656 
2657  if (suri->runmode_custom_mode) {
2658  ConfSet("runmode", suri->runmode_custom_mode);
2659  }
2660 
2661  StorageInit();
2662 #ifdef HAVE_PACKET_EBPF
2663  if (suri->run_mode == RUNMODE_AFP_DEV) {
2664  EBPFRegisterExtension();
2665  LiveDevRegisterExtension();
2666  }
2667 #endif
2668  RegisterFlowBypassInfo();
2669 
2670  MacSetRegisterFlowStorage();
2671 
2672  SigTableInit();
2673 
2674 #ifdef HAVE_PLUGINS
2675  SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
2676 #endif
2677 
2678  LiveDeviceFinalize(); // must be after EBPF extension registration
2679 
2680  if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
2681  suricata.capture_plugin_name) < 0) {
2682  FatalError("IPS mode setup failed");
2683  }
2684 
2685  if (EngineModeIsUnknown()) { // if still uninitialized, set the default
2686  SCLogInfo("Setting engine mode to IDS mode by default");
2687  EngineModeSetIDS();
2688  }
2689 
2690  SetMasterExceptionPolicy();
2691 
2692  ConfNode *eps = ConfGetNode("stats.exception-policy");
2693  if (eps != NULL) {
2694  if (ConfNodeChildValueIsTrue(eps, "per-app-proto-errors")) {
2695  g_stats_eps_per_app_proto_errors = true;
2696  }
2697  }
2698 
2699  /* Must occur prior to output mod registration
2700  and app layer setup. */
2701  FeatureTrackingRegister();
2702 
2703  AppLayerSetup();
2704 
2705  /* Suricata will use this umask if provided. By default it will use the
2706  umask passed on from the shell. */
2707  const char *custom_umask;
2708  if (ConfGet("umask", &custom_umask) == 1) {
2709  uint16_t mask;
2710  if (StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2711  umask((mode_t)mask);
2712  }
2713  }
2714 
2715 
2716  if (ConfigGetCaptureValue(suri) != TM_ECODE_OK) {
2717  SCReturnInt(TM_ECODE_FAILED);
2718  }
2719 
2720 #ifdef NFQ
2721  if (suri->run_mode == RUNMODE_NFQ)
2722  NFQInitConfig(false);
2723 #endif
2724 
2725  /* Load the Host-OS lookup. */
2726  SCHInfoLoadFromConfig();
2727 
2728  if (suri->run_mode == RUNMODE_ENGINE_ANALYSIS) {
2729  SCLogInfo("== Carrying out Engine Analysis ==");
2730  const char *temp = NULL;
2731  if (ConfGet("engine-analysis", &temp) == 0) {
2732  SCLogInfo("no engine-analysis parameter(s) defined in conf file. "
2733  "Please define/enable them in the conf to use this "
2734  "feature.");
2735  SCReturnInt(TM_ECODE_FAILED);
2736  }
2737  }
2738 
2739  /* hardcoded initialization code */
2740  SigTableSetup(); /* load the rule keywords */
2741  SigTableApplyStrictCommandLineOption(suri->strict_rule_parsing_string);
2742  TmqhSetup();
2743 
2744  TagInitCtx();
2745  PacketAlertTagInit();
2746  ThresholdInit();
2747  HostBitInitCtx();
2748  IPPairBitInitCtx();
2749 
2750  if (DetectAddressTestConfVars() < 0) {
2751  SCLogError(
2752  "basic address vars test failed. Please check %s for errors", suri->conf_filename);
2753  SCReturnInt(TM_ECODE_FAILED);
2754  }
2755  if (DetectPortTestConfVars() < 0) {
2756  SCLogError("basic port vars test failed. Please check %s for errors", suri->conf_filename);
2757  SCReturnInt(TM_ECODE_FAILED);
2758  }
2759 
2760  RegisterAllModules();
2761  AppLayerHtpNeedFileInspection();
2762 
2763  StorageFinalize();
2764 
2765  TmModuleRunInit();
2766 
2767  if (MayDaemonize(suri) != TM_ECODE_OK)
2768  SCReturnInt(TM_ECODE_FAILED);
2769 
2770  if (InitSignalHandler(suri) != TM_ECODE_OK)
2771  SCReturnInt(TM_ECODE_FAILED);
2772 
2773  /* Check for the existence of the default logging directory which we pick
2774  * from suricata.yaml. If not found, shut the engine down */
2775  suri->log_dir = ConfigGetLogDirectory();
2776 
2777  if (ConfigCheckLogDirectoryExists(suri->log_dir) != TM_ECODE_OK) {
2778  SCLogError("The logging directory \"%s\" "
2779  "supplied by %s (default-log-dir) doesn't exist. "
2780  "Shutting down the engine",
2781  suri->log_dir, suri->conf_filename);
2782  SCReturnInt(TM_ECODE_FAILED);
2783  }
2784  if (!IsLogDirectoryWritable(suri->log_dir)) {
2785  SCLogError("The logging directory \"%s\" "
2786  "supplied by %s (default-log-dir) is not writable. "
2787  "Shutting down the engine",
2788  suri->log_dir, suri->conf_filename);
2789  SCReturnInt(TM_ECODE_FAILED);
2790  }
2791 
2792  if (suri->disabled_detect) {
2793  SCLogConfig("detection engine disabled");
2794  /* disable raw reassembly */
2795  (void)ConfSetFinal("stream.reassembly.raw", "false");
2796  }
2797 
2798  HostInitConfig(HOST_VERBOSE);
2799 
2800  CoredumpLoadConfig();
2801 
2802  DecodeGlobalConfig();
2803 
2804  /* hostmode depends on engine mode being set */
2805  PostConfLoadedSetupHostMode();
2806 
2807  PreRunInit(suri->run_mode);
2808 
2809  SCReturnInt(TM_ECODE_OK);
2810 }
2811 
2812 void SuricataMainLoop(void)
2813 {
2814  SCInstance *suri = &suricata;
2815  while(1) {
2816  if (sigterm_count || sigint_count) {
2817  suricata_ctl_flags |= SURICATA_STOP;
2818  }
2819 
2820  if (suricata_ctl_flags & SURICATA_STOP) {
2821  SCLogNotice("Signal Received. Stopping engine.");
2822  break;
2823  }
2824 
2825  TmThreadCheckThreadState();
2826 
2827  if (sighup_count > 0) {
2828  OutputNotifyFileRotation();
2829  sighup_count--;
2830  }
2831 
2832  if (sigusr2_count > 0) {
2833  if (!(DetectEngineReloadIsStart())) {
2834  DetectEngineReloadStart();
2835  DetectEngineReload(suri);
2836  DetectEngineReloadSetIdle();
2837  sigusr2_count--;
2838  }
2839 
2840  } else if (DetectEngineReloadIsStart()) {
2841  DetectEngineReload(suri);
2842  DetectEngineReloadSetIdle();
2843  }
2844 
2845  usleep(10* 1000);
2846  }
2847 }
2848 
2849 /**
2850  * \brief Global initialization common to all runmodes.
2851  *
2852  * This can be used by fuzz targets.
2853  */
2854 
2855 int InitGlobal(void)
2856 {
2857  rs_init(&suricata_context);
2858 
2859  SC_ATOMIC_INIT(engine_stage);
2860 
2861  /* initialize the logging subsys */
2862  SCLogInitLogModule(NULL);
2863 
2864  SCSetThreadName("Suricata-Main");
2865 
2866  /* Ignore SIGUSR2 as early as possible. We redeclare interest
2867  * once we're done launching threads. The goal is to either die
2868  * completely or handle any and all SIGUSR2s correctly.
2869  */
2870 #ifndef OS_WIN32
2871  UtilSignalHandlerSetup(SIGUSR2, SIG_IGN);
2872  if (UtilSignalBlock(SIGUSR2)) {
2873  SCLogError("SIGUSR2 initialization error");
2874  return EXIT_FAILURE;
2875  }
2876 #endif
2877 
2878  ParseSizeInit();
2879  RunModeRegisterRunModes();
2880 
2881  /* Initialize the configuration module. */
2882  ConfInit();
2883 
2884  VarNameStoreInit();
2885 
2886  // zero all module storage
2887  memset(tmm_modules, 0, TMM_SIZE * sizeof(TmModule));
2888 
2889  return 0;
2890 }
2891 
2892 void SuricataPreInit(const char *progname)
2893 {
2894  SCInstanceInit(&suricata, progname);
2895 
2896  if (InitGlobal() != 0) {
2897  exit(EXIT_FAILURE);
2898  }
2899 }
2900 
2901 void SuricataInit(void)
2902 {
2903  /* Initializations for global vars, queues, etc (memsets, mutex init..) */
2904  GlobalsInitPreConfig();
2905 
2906  if (suricata.run_mode == RUNMODE_DUMP_CONFIG) {
2907  ConfDump();
2908  exit(EXIT_SUCCESS);
2909  }
2910 
2911  int tracking = 1;
2912  if (ConfGetBool("vlan.use-for-tracking", &tracking) == 1 && !tracking) {
2913  /* Ignore vlan_ids when comparing flows. */
2914  g_vlan_mask = 0x0000;
2915  }
2916  SCLogDebug("vlan tracking is %s", tracking == 1 ? "enabled" : "disabled");
2917  if (ConfGetBool("livedev.use-for-tracking", &tracking) == 1 && !tracking) {
2918  /* Ignore livedev id when comparing flows. */
2919  g_livedev_mask = 0x0000;
2920  }
2921  if (ConfGetBool("decoder.recursion-level.use-for-tracking", &tracking) == 1 && !tracking) {
2922  /* Ignore recursion level when comparing flows. */
2923  g_recurlvl_mask = 0x00;
2924  }
2925  SetupUserMode(&suricata);
2926  InitRunAs(&suricata);
2927 
2928  /* Since our config is now loaded we can finish configurating the
2929  * logging module. */
2930  SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
2931 
2932  LogVersion(&suricata);
2933  UtilCpuPrintSummary();
2934  RunModeInitializeThreadSettings();
2935 
2936  if (suricata.run_mode == RUNMODE_CONF_TEST)
2937  SCLogInfo("Running suricata under test mode");
2938 
2939  if (ParseInterfacesList(suricata.aux_run_mode, suricata.pcap_dev) != TM_ECODE_OK) {
2940  exit(EXIT_FAILURE);
2941  }
2942 
2943  if (PostConfLoadedSetup(&suricata) != TM_ECODE_OK) {
2944  exit(EXIT_FAILURE);
2945  }
2946 
2947  SCDropMainThreadCaps(suricata.userid, suricata.groupid);
2948 
2949  /* Re-enable coredumps after privileges are dropped. */
2950  CoredumpEnable();
2951 
2952  if (suricata.run_mode != RUNMODE_UNIX_SOCKET && !suricata.disabled_detect) {
2953  suricata.unix_socket_enabled = ConfUnixSocketIsEnable();
2954  }
2955 
2956  PreRunPostPrivsDropInit(suricata.run_mode);
2957 
2958  LandlockSandboxing(&suricata);
2959 
2960  PostConfLoadedDetectSetup(&suricata);
2961  if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
2962  goto out;
2963  } else if (suricata.run_mode == RUNMODE_CONF_TEST){
2964  SCLogNotice("Configuration provided was successfully loaded. Exiting.");
2965  goto out;
2966  } else if (suricata.run_mode == RUNMODE_DUMP_FEATURES) {
2967  FeatureDump();
2968  goto out;
2969  }
2970 
2971  if (suricata.run_mode == RUNMODE_DPDK)
2972  prerun_snap = SystemHugepageSnapshotCreate();
2973 
2974  SCSetStartTime(&suricata);
2975  if (suricata.run_mode != RUNMODE_UNIX_SOCKET) {
2976  UnixManagerThreadSpawnNonRunmode(suricata.unix_socket_enabled);
2977  }
2978  RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name,
2979  suricata.capture_plugin_args);
2980  return;
2981 
2982 out:
2983  GlobalsDestroy();
2984  exit(EXIT_SUCCESS);
2985 }
2986 
2987 void SuricataShutdown(void)
2988 {
2989  /* Update the engine stage/status flag */
2990  SC_ATOMIC_SET(engine_stage, SURICATA_DEINIT);
2991 
2992  UnixSocketKillSocketThread();
2993  PostRunDeinit(suricata.run_mode, &suricata.start_time);
2994  /* kill remaining threads */
2995  TmThreadKillThreads();
2996 }
2997 
2998 void SuricataPostInit(void)
2999 {
3000  /* Wait till all the threads have been initialized */
3001  if (TmThreadWaitOnThreadInit() == TM_ECODE_FAILED) {
3002  SystemHugepageSnapshotDestroy(prerun_snap);
3003  FatalError("Engine initialization failed, "
3004  "aborting...");
3005  }
3006 
3007  int limit_nproc = 0;
3008  if (ConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
3009  limit_nproc = 0;
3010  }
3011 
3012 #if defined(SC_ADDRESS_SANITIZER)
3013  if (limit_nproc) {
3014  SCLogWarning(
3015  "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
3016  limit_nproc = 0;
3017  }
3018 #endif
3019 
3020  if (limit_nproc) {
3021 #if defined(HAVE_SYS_RESOURCE_H)
3022 #ifdef linux
3023  if (geteuid() == 0) {
3024  SCLogWarning("setrlimit has no effect when running as root.");
3025  }
3026 #endif
3027  struct rlimit r = { 0, 0 };
3028  if (setrlimit(RLIMIT_NPROC, &r) != 0) {
3029  SCLogWarning("setrlimit failed to prevent process creation.");
3030  }
3031 #else
3032  SCLogWarning("setrlimit unavailable.");
3033 #endif
3034  }
3035 
3036  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
3037  PacketPoolPostRunmodes();
3038 
3039  /* Un-pause all the paused threads */
3040  TmThreadContinueThreads();
3041 
3042  /* Must ensure all threads are fully operational before continuing with init process */
3043  if (TmThreadWaitOnThreadRunning() != TM_ECODE_OK) {
3044  SystemHugepageSnapshotDestroy(prerun_snap);
3045  exit(EXIT_FAILURE);
3046  }
3047 
3048  /* Print notice and send OS specific notification of threads in running state */
3049  OnNotifyRunning();
3050 
3051  PostRunStartedDetectSetup(&suricata);
3052  if (suricata.run_mode == RUNMODE_DPDK) { // only DPDK uses hpages at the moment
3053  SystemHugepageSnapshot *postrun_snap = SystemHugepageSnapshotCreate();
3054  SystemHugepageEvaluateHugepages(prerun_snap, postrun_snap);
3055  SystemHugepageSnapshotDestroy(prerun_snap);
3056  SystemHugepageSnapshotDestroy(postrun_snap);
3057  }
3058  SCPledge();
3059 }
RUNMODE_AFXDP_DEV
@ RUNMODE_AFXDP_DEV
Definition: runmodes.h:37
DefragDestroy
void DefragDestroy(void)
Definition: defrag.c:1133
util-byte.h
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:399
TmModuleUnixManagerRegister
void TmModuleUnixManagerRegister(void)
Definition: unix-manager.c:1289
StatsReleaseResources
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition: counters.c:1262
source-nflog.h
TagInitCtx
void TagInitCtx(void)
Definition: detect-engine-tag.c:52
TmModuleReceiveIPFWRegister
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
Definition: source-ipfw.c:150
flow-bypass.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
SuricataMainLoop
void SuricataMainLoop(void)
Definition: suricata.c:2812
ExceptionSimulationCommandLineParser
int ExceptionSimulationCommandLineParser(const char *name, const char *arg)
Definition: util-exception-policy.c:316
ippair.h
g_livedev_mask
uint16_t g_livedev_mask
Definition: suricata.c:203
app-layer-htp-range.h
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:496
SCInstance_::run_mode
enum RunModes run_mode
Definition: suricata.h:124
detect-engine.h
source-pcap.h
SCInstance_::groupid
uint32_t groupid
Definition: suricata.h:142
SCRunmodeGet
int SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:264
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:41
g_system
bool g_system
Definition: suricata.c:188
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:854
win32-syscall.h
SCInstance_::daemon
int daemon
Definition: suricata.h:151
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SCLogInitLogModule
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
Definition: util-debug.c:1390
SLL_HEADER_LEN
#define SLL_HEADER_LEN
Definition: decode-sll.h:27
SCInstance_::checksum_validation
int checksum_validation
Definition: suricata.h:154
LiveDeviceListClean
int LiveDeviceListClean(void)
Definition: util-device.c:314
SCInstance_::do_setuid
bool do_setuid
Definition: suricata.h:138
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4693
RUNMODE_UNITTEST
@ RUNMODE_UNITTEST
Definition: runmodes.h:40
StorageInit
void StorageInit(void)
Definition: util-storage.c:70
SCInstance_::start_time
struct timeval start_time
Definition: suricata.h:157
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
prerun_snap
SystemHugepageSnapshot * prerun_snap
Definition: suricata.c:214
TmThreadContinueThreads
void TmThreadContinueThreads(void)
Unpauses all threads present in tv_root.
Definition: tm-threads.c:1908
source-pcap-file.h
SCInstance_::do_setgid
bool do_setgid
Definition: suricata.h:139
ConfNode_::val
char * val
Definition: conf.h:34
CLS
#define CLS
Definition: suricata-common.h:61
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:482
RUNMODE_DPDK
@ RUNMODE_DPDK
Definition: runmodes.h:39
stream-tcp.h
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:979
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:285
runmode-af-packet.h
RUNMODE_UNKNOWN
@ RUNMODE_UNKNOWN
Definition: runmodes.h:28
SCInstance_::group_name
const char * group_name
Definition: suricata.h:137
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
runmode-unittests.h
TmqhSetup
void TmqhSetup(void)
Definition: tm-queuehandlers.c:39
RUNMODE_PRINT_BUILDINFO
@ RUNMODE_PRINT_BUILDINFO
Definition: runmodes.h:49
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2654
LiveDevRegisterExtension
void LiveDevRegisterExtension(void)
Definition: util-device.c:465
OutputTxShutdown
void OutputTxShutdown(void)
Definition: output-tx.c:666
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerHtpPrintStats
void AppLayerHtpPrintStats(void)
Definition: app-layer-htp.c:2641
util-hugepages.h
StatsSetupPostConfigPreOutput
void StatsSetupPostConfigPreOutput(void)
Definition: counters.c:885
SCInstance_::runmode_custom_mode
char * runmode_custom_mode
Definition: suricata.h:134
util-coredump-config.h
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigTableSetup
void SigTableSetup(void)
Definition: detect-engine-register.c:504
TmModuleReceiveNFQRegister
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:169
LiveBuildDeviceList
int LiveBuildDeviceList(const char *runmode)
Definition: util-device.c:274
RunModeShutDown
void RunModeShutDown(void)
Definition: runmodes.c:562
SuricataInit
void SuricataInit(void)
Definition: suricata.c:2901
TM_ECODE_DONE
@ TM_ECODE_DONE
Definition: tm-threads-common.h:82
SCProtoNameInit
void SCProtoNameInit(void)
Definition: util-proto-name.c:417
SuricataPostInit
void SuricataPostInit(void)
Definition: suricata.c:2998
ippair-bit.h
RunModeDispatch
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
Definition: runmodes.c:392
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
util-macset.h
RUNMODE_LIST_RUNMODES
@ RUNMODE_LIST_RUNMODES
Definition: runmodes.h:47
sigint_count
volatile sig_atomic_t sigint_count
Definition: suricata.c:153
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
TmModuleRunDeInit
void TmModuleRunDeInit(void)
Definition: tm-modules.c:119
TmThreadsUnsealThreads
void TmThreadsUnsealThreads(void)
Definition: tm-threads.c:2099
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:230
SCSetThreadName
#define SCSetThreadName(n)
Definition: threads.h:303
SCRunmodeSet
void SCRunmodeSet(int run_mode)
Set the current run mode.
Definition: suricata.c:269
sc_set_caps
bool sc_set_caps
Definition: suricata.c:186
SCLogDeInitLogModule
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
Definition: util-debug.c:1597
LiveDevice_
Definition: util-device.h:50
util-pidfile.h
TmModuleDecodeErfFileRegister
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
Definition: source-erf-file.c:98
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:855
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
SigTableInit
void SigTableInit(void)
Definition: detect-engine-register.c:492
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:2120
SCInstance_::userid
uint32_t userid
Definition: suricata.h:141
RUNMODE_ERF_FILE
@ RUNMODE_ERF_FILE
Definition: runmodes.h:34
source-windivert-prototypes.h
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3902
EngineModeIsUnknown
int EngineModeIsUnknown(void)
Definition: suricata.c:227
VarNameStoreInit
void VarNameStoreInit(void)
TmModuleFlowRecyclerRegister
void TmModuleFlowRecyclerRegister(void)
Definition: flow-manager.c:1303
g_skip_prefilter
int g_skip_prefilter
Definition: detect-engine-mpm.c:1072
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:96
Daemonize
void Daemonize(void)
Daemonize the process.
Definition: util-daemon.c:101
UtilSignalHandlerSetup
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
Definition: util-signal.c:60
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:601
RUNMODE_NFLOG
@ RUNMODE_NFLOG
Definition: runmodes.h:32
TmModuleDecodeWinDivertRegister
void TmModuleDecodeWinDivertRegister(void)
Definition: source-windivert.c:74
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:89
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4717
TmModuleStatsLoggerRegister
void TmModuleStatsLoggerRegister(void)
Definition: output-stats.c:169
ConfYamlHandleInclude
int ConfYamlHandleInclude(ConfNode *parent, const char *filename)
Include a file in the configuration.
Definition: conf-yaml-loader.c:114
RegisterAllModules
void RegisterAllModules(void)
Definition: suricata.c:896
ENGINE_MODE_IPS
@ ENGINE_MODE_IPS
Definition: suricata.h:104
RUNMODE_PCAP_DEV
@ RUNMODE_PCAP_DEV
Definition: runmodes.h:29
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:4354
flow-bit.h
SupportFastPatternForSigMatchTypes
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
Definition: detect-fast-pattern.c:142
util-var-name.h
ConfDump
void ConfDump(void)
Dump configuration to stdout.
Definition: conf.c:746
suricata_context
const SuricataContext suricata_context
Definition: rust-context.c:25
SCParseCommandLine
TmEcode SCParseCommandLine(int argc, char **argv)
Definition: suricata.c:1315
SCPledge
#define SCPledge(...)
Definition: util-privs.h:99
CheckValidDaemonModes
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
Definition: util-daemon.c:177
SCGetGroupID
void SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
Definition: util-privs.c:208
ConfSetFinal
int ConfSetFinal(const char *name, const char *val)
Set a final configuration value.
Definition: conf.c:303
unittests_fatal
int unittests_fatal
Definition: util-unittest.c:52
TmThreadDisableReceiveThreads
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
Definition: tm-threads.c:1358
StatsInit
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
Definition: counters.c:875
util-privs.h
PreRunInit
void PreRunInit(const int runmode)
Definition: suricata.c:2215
RUNMODE_LIST_KEYWORDS
@ RUNMODE_LIST_KEYWORDS
Definition: runmodes.h:45
SURICATA_DONE
#define SURICATA_DONE
Definition: suricata.h:91
MacSetRegisterFlowStorage
void MacSetRegisterFlowStorage(void)
Definition: util-macset.c:62
SuricataShutdown
void SuricataShutdown(void)
Definition: suricata.c:2987
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:161
GetIfaceMTU
int GetIfaceMTU(const char *dev)
output the link MTU
Definition: util-ioctl.c:81
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:362
TmModuleReceiveNetmapRegister
void TmModuleReceiveNetmapRegister(void)
Definition: source-netmap.c:74
PacketPoolPostRunmodes
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
Definition: tmqh-packetpool.c:459
NFQInitConfig
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:206
TmModuleReceiveWinDivertRegister
void TmModuleReceiveWinDivertRegister(void)
Definition: source-windivert.c:61
SystemHugepageSnapshot
Definition: util-hugepages.h:44
REVISION
#define REVISION
Definition: suricata-common.h:53
HOST_VERBOSE
#define HOST_VERBOSE
Definition: host.h:92
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
SCProfilingDestroy
void SCProfilingDestroy(void)
Free resources used by profiling.
Definition: util-profiling.c:276
IsRunModeOffline
bool IsRunModeOffline(enum RunModes run_mode_to_check)
Definition: runmodes.c:544
AFPPeersListClean
void AFPPeersListClean(void)
Clean the global peers list.
Definition: source-af-packet.c:583
RunModeInitializeOutputs
void RunModeInitializeOutputs(void)
Definition: runmodes.c:751
DetectPortTestConfVars
int DetectPortTestConfVars(void)
Definition: detect-engine-port.c:1106
SCThresholdConfGlobalInit
void SCThresholdConfGlobalInit(void)
Definition: util-threshold-config.c:102
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:576
SURI_HOST_IS_SNIFFER_ONLY
@ SURI_HOST_IS_SNIFFER_ONLY
Definition: suricata.h:115
SCInstance_::capture_plugin_name
const char * capture_plugin_name
Definition: suricata.h:165
RUNMODE_DAG
@ RUNMODE_DAG
Definition: runmodes.h:35
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
EngineMode
EngineMode
Definition: suricata.h:101
SCInstance_::set_datadir
bool set_datadir
Definition: suricata.h:146
tmqh-packetpool.h
g_ut_covered
int g_ut_covered
Definition: suricata.c:894
SCInstance_::capture_plugin_args
const char * capture_plugin_args
Definition: suricata.h:166
g_recurlvl_mask
uint8_t g_recurlvl_mask
Definition: suricata.c:207
TmModuleLoggerRegister
void TmModuleLoggerRegister(void)
Definition: output.c:848
TmThreadDisablePacketThreads
void TmThreadDisablePacketThreads(void)
Disable all packet threads.
Definition: tm-threads.c:1487
host_mode
uint8_t host_mode
Definition: suricata.c:177
RUNMODE_NETMAP
@ RUNMODE_NETMAP
Definition: runmodes.h:38
RUNMODE_DUMP_FEATURES
@ RUNMODE_DUMP_FEATURES
Definition: runmodes.h:60
FeatureDump
void FeatureDump(void)
Definition: feature.c:144
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:244
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1094
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PcapTranslateIPToDevice
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
Definition: source-pcap.c:656
FlowDisableFlowRecyclerThread
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
Definition: flow-manager.c:1231
ParseSizeInit
void ParseSizeInit(void)
Definition: util-misc.c:35
TmModuleDecodePcapFileRegister
void TmModuleDecodePcapFileRegister(void)
Definition: source-pcap-file.c:129
TmModuleBypassedFlowManagerRegister
void TmModuleBypassedFlowManagerRegister(void)
Definition: flow-bypass.c:218
IPPairShutdown
void IPPairShutdown(void)
shutdown the flow engine
Definition: ippair.c:293
source-erf-dag.h
util-signal.h
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:2780
TmModuleDecodeNFLOGRegister
void TmModuleDecodeNFLOGRegister(void)
Definition: source-nflog.c:55
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
NFQParseAndRegisterQueues
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
Definition: source-nfq.c:879
ConfGetRootNode
ConfNode * ConfGetRootNode(void)
Get the root configuration node.
Definition: conf.c:207
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:518
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1077
FeatureTrackingRegister
void FeatureTrackingRegister(void)
Definition: feature.c:152
TmModuleReceiveDPDKRegister
void TmModuleReceiveDPDKRegister(void)
Definition: source-dpdk.c:50
UnixManagerThreadSpawnNonRunmode
void UnixManagerThreadSpawnNonRunmode(const bool unix_socket_enabled)
Definition: unix-manager.c:1283
RunModeInitializeThreadSettings
void RunModeInitializeThreadSettings(void)
Definition: runmodes.c:936
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
ENGINE_MODE_UNKNOWN
@ ENGINE_MODE_UNKNOWN
Definition: suricata.h:102
app-layer-htp.h
IsRunModeSystem
bool IsRunModeSystem(enum RunModes run_mode_to_check)
Definition: runmodes.c:531
datasets.h
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
Definition: util-ioctl.c:120
TmModuleDecodeNetmapRegister
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
Definition: source-netmap.c:84
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2244
feature.h
decode.h
util-device.h
SigTableCleanup
void SigTableCleanup(void)
Definition: detect-engine-register.c:458
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4777
sigterm_count
volatile sig_atomic_t sigterm_count
Definition: suricata.c:155
source-nfq.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
TmThreadWaitOnThreadInit
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
Definition: tm-threads.c:1947
TmModuleVerdictNFQRegister
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:184
ConfYamlLoadFile
int ConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
Definition: conf-yaml-loader.c:476
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:52
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1158
RunModeListRunmodes
void RunModeListRunmodes(void)
Lists all registered runmodes.
Definition: runmodes.c:243
RUNMODE_PRINT_USAGE
@ RUNMODE_PRINT_USAGE
Definition: runmodes.h:50
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
RUNMODE_LIST_APP_LAYERS
@ RUNMODE_LIST_APP_LAYERS
Definition: runmodes.h:46
util-cpu.h
suricata
SCInstance suricata
Definition: suricata.c:220
SCInstance_::unix_socket_enabled
bool unix_socket_enabled
Definition: suricata.h:147
LiveSetOffloadDisable
void LiveSetOffloadDisable(void)
Definition: util-device.c:71
StatsSetupPostConfigPostOutput
void StatsSetupPostConfigPostOutput(void)
Definition: counters.c:890
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:249
SpmTableSetup
void SpmTableSetup(void)
Definition: util-spm.c:122
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:383
LiveBuildDeviceListCustom
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
Definition: util-device.c:279
util-exception-policy.h
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:248
UnixSocketKillSocketThread
void UnixSocketKillSocketThread(void)
Definition: unix-manager.c:1279
TmModuleVerdictIPFWRegister
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
Definition: source-ipfw.c:171
flow-worker.h
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:217
HttpRangeContainersInit
void HttpRangeContainersInit(void)
Definition: app-layer-htp-range.c:171
util-reference-config.h
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:1025
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:149
TmModuleVerdictWinDivertRegister
void TmModuleVerdictWinDivertRegister(void)
Definition: source-windivert.c:68
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:856
SCInstance_::progname
const char * progname
Definition: suricata.h:160
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:332
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FlowDisableFlowManagerThread
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
Definition: flow-manager.c:132
util-ebpf.h
SCInstance_::pcap_dev
char pcap_dev[128]
Definition: suricata.h:127
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:87
detect.h
SURICATA_DEINIT
@ SURICATA_DEINIT
Definition: suricata.h:97
UtilSignalUnblock
int UtilSignalUnblock(int signum)
Definition: util-signal.c:46
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:3869
TmThreadClearThreadsFamily
void TmThreadClearThreadsFamily(int family)
Definition: tm-threads.c:1638
TmModuleRunInit
void TmModuleRunInit(void)
Definition: tm-modules.c:104
detect-engine-port.h
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:244
SCInstance_::user_name
const char * user_name
Definition: suricata.h:136
HTPAtExitPrintStats
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
Definition: app-layer-htp.c:1651
util-time.h
UtilSignalBlock
int UtilSignalBlock(int signum)
Definition: util-signal.c:29
SCProfilingPrefilterGlobalInit
void SCProfilingPrefilterGlobalInit(void)
Definition: util-profiling-prefilter.c:61
ThresholdDestroy
void ThresholdDestroy(void)
Definition: detect-engine-threshold.c:71
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2623
GetProgramVersion
const char * GetProgramVersion(void)
get string with program version
Definition: suricata.c:1132
engine_analysis
int engine_analysis
app-layer-parser.h
TmModuleReceivePcapFileRegister
void TmModuleReceivePcapFileRegister(void)
Definition: source-pcap-file.c:116
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
runmode-netmap.h
CoredumpLoadConfig
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
Definition: util-coredump-config.c:90
detect-engine-tag.h
IPFWRegisterQueue
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
Definition: source-ipfw.c:698
xstr
#define xstr(s)
Definition: suricata-common.h:299
util-profiling.h
ListAppLayerProtocols
int ListAppLayerProtocols(const char *conf_filename)
Definition: util-running-modes.c:44
SCInstance_::offline
int offline
Definition: suricata.h:152
DatasetsDestroy
void DatasetsDestroy(void)
Definition: datasets.c:684
UtilCpuPrintSummary
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
Definition: util-cpu.c:140
profiling_packets_enabled
int profiling_packets_enabled
Definition: util-profiling.c:94
SystemDNotifyReady
int SystemDNotifyReady(void)
TmThreadKillThreads
void TmThreadKillThreads(void)
Definition: tm-threads.c:1566
OutputDeregisterAll
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
Definition: output.c:632
source-pcap-file-helper.h
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2532
EngineModeIsIDS
int EngineModeIsIDS(void)
Definition: suricata.c:238
util-systemd.h
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:29
conf-yaml-loader.h
decode-sll.h
coverage_unittests
int coverage_unittests
Definition: suricata.c:892
RUNMODE_DUMP_CONFIG
@ RUNMODE_DUMP_CONFIG
Definition: runmodes.h:51
DatasetsSave
void DatasetsSave(void)
Definition: datasets.c:762
detect-engine-alert.h
conf.h
util-landlock.h
source-ipfw.h
TMM_SIZE
@ TMM_SIZE
Definition: tm-threads-common.h:75
source-netmap.h
OutputNotifyFileRotation
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
Definition: output.c:704
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:140
VarNameStoreDestroy
void VarNameStoreDestroy(void)
Definition: util-var-name.c:116
SCInstance_::verbose
int verbose
Definition: suricata.h:153
TmEcode
TmEcode
Definition: tm-threads-common.h:79
source-windivert.h
TmModuleFlowWorkerRegister
void TmModuleFlowWorkerRegister(void)
Definition: flow-worker.c:797
SCInstance_::aux_run_mode
enum RunModes aux_run_mode
Definition: suricata.h:125
name
const char * name
Definition: tm-threads.c:2081
max_pending_packets
uint32_t max_pending_packets
Definition: suricata.c:180
util-plugin.h
SCInstance_::additional_configs
const char ** additional_configs
Definition: suricata.h:162
flow-timeout.h
DEFAULT_PID_FILENAME
#define DEFAULT_PID_FILENAME
Definition: suricata.h:83
sighup_count
volatile sig_atomic_t sighup_count
Definition: suricata.c:154
ConfigSetDataDirectory
TmEcode ConfigSetDataDirectory(char *name)
Definition: util-conf.c:66
TmModuleDecodeErfDagRegister
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
Definition: source-erf-dag.c:151
SCInstance_::set_logdir
bool set_logdir
Definition: suricata.h:145
SCDropMainThreadCaps
#define SCDropMainThreadCaps(...)
Definition: util-privs.h:90
TmModuleDebugList
void TmModuleDebugList(void)
Definition: tm-modules.c:31
TmModuleDecodeNFQRegister
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:192
util-proto-name.h
STREAM_VERBOSE
#define STREAM_VERBOSE
Definition: stream-tcp.h:35
defrag.h
SCProtoNameRelease
void SCProtoNameRelease(void)
Definition: util-proto-name.c:438
MpmTableSetup
void MpmTableSetup(void)
Definition: util-mpm.c:224
SCInstance_::log_dir
const char * log_dir
Definition: suricata.h:159
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:255
source-nfq-prototypes.h
SCPluginsLoad
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
TmModuleReceiveNFLOGRegister
void TmModuleReceiveNFLOGRegister(void)
Definition: source-nflog.c:49
DEFAULT_PACKET_SIZE
#define DEFAULT_PACKET_SIZE
Definition: decode.h:668
WarnInvalidConfEntry
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
Definition: util-misc.h:35
util-host-os-info.h
TmModuleReceiveErfFileRegister
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-file.c:80
TmModule_
Definition: tm-modules.h:43
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
TmModuleDecodeAFXDPRegister
void TmModuleDecodeAFXDPRegister(void)
Registration Function for DecodeAFXDP.
Definition: source-af-xdp.c:91
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
tm-queuehandlers.h
SigTableApplyStrictCommandLineOption
void SigTableApplyStrictCommandLineOption(const char *str)
Definition: detect-parse.c:418
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:837
PROG_NAME
#define PROG_NAME
Definition: suricata.h:70
TmThreadKillThreadsFamily
void TmThreadKillThreadsFamily(int family)
Definition: tm-threads.c:1537
detect-fast-pattern.h
FeatureTrackingRelease
void FeatureTrackingRelease(void)
Definition: feature.c:136
TmqhCleanup
void TmqhCleanup(void)
Clean up registration time allocs.
Definition: tm-queuehandlers.c:49
util-dpdk.h
util-conf.h
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
source-dpdk.h
flow-manager.h
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:1004
SCInstance_::strict_rule_parsing_string
char * strict_rule_parsing_string
Definition: suricata.h:163
SuriHasSigFile
int SuriHasSigFile(void)
Definition: suricata.c:222
suricata-common.h
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2649
util-path.h
util-daemon.h
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:184
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:665
SCHInfoLoadFromConfig
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
Definition: util-host-os-info.c:281
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:3893
source-af-xdp.h
TmModuleFlowManagerRegister
void TmModuleFlowManagerRegister(void)
Definition: flow-manager.c:1289
SCStartInternalRunMode
int SCStartInternalRunMode(int argc, char **argv)
Definition: suricata.c:2309
SCPidfileTestRunning
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
Definition: util-pidfile.c:105
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:296
DOC_URL
#define DOC_URL
Definition: suricata.h:85
SCFstatFn
#define SCFstatFn(fd, statbuf)
Definition: util-path.h:34
output-filestore.h
LiveSetOffloadWarn
void LiveSetOffloadWarn(void)
Definition: util-device.c:76
ParseSizeDeinit
void ParseSizeDeinit(void)
Definition: util-misc.c:54
util-classification-config.h
RunModeRegisterRunModes
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
Definition: runmodes.c:218
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:502
ConfGetChildValueBool
int ConfGetChildValueBool(const ConfNode *base, const char *name, int *val)
Definition: conf.c:500
SCProfilingDump
void SCProfilingDump(void)
Definition: util-profiling.c:311
TmModuleReceiveAFXDPRegister
void TmModuleReceiveAFXDPRegister(void)
Definition: source-af-xdp.c:77
EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition: suricata.c:449
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:128
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:173
TmModuleReceiveErfDagRegister
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-dag.c:133
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:33
util-validate.h
TmModuleDecodeIPFWRegister
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
Definition: source-ipfw.c:186
source-af-packet.h
ConfUnixSocketIsEnable
int ConfUnixSocketIsEnable(void)
Definition: util-conf.c:136
RUNMODE_NFQ
@ RUNMODE_NFQ
Definition: runmodes.h:31
ConfSetFromString
int ConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
Definition: conf.c:249
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:199
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
DatasetsInit
int DatasetsInit(void)
Definition: datasets.c:550
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:38
sigusr2_count
volatile sig_atomic_t sigusr2_count
Definition: suricata.c:156
SystemHugepageSnapshotDestroy
void SystemHugepageSnapshotDestroy(SystemHugepageSnapshot *s)
Definition: util-hugepages.c:304
RUNMODE_ENGINE_ANALYSIS
@ RUNMODE_ENGINE_ANALYSIS
Definition: runmodes.h:54
RUNMODE_PRINT_VERSION
@ RUNMODE_PRINT_VERSION
Definition: runmodes.h:48
TmModuleDecodePcapRegister
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
Definition: source-pcap.c:153
util-running-modes.h
SCLoadYamlConfig
TmEcode SCLoadYamlConfig(void)
Definition: suricata.c:958
unix-manager.h
runmode-af-xdp.h
str
#define str(s)
Definition: suricata-common.h:300
ConfigCheckDataDirectory
TmEcode ConfigCheckDataDirectory(const char *data_dir)
Definition: util-conf.c:99
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:183
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:2094
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DEFAULT_CONF_FILE
#define DEFAULT_CONF_FILE
Definition: suricata.h:79
ConfNode_
Definition: conf.h:32
SC_LOG_MAX_LOG_MSG_LEN
#define SC_LOG_MAX_LOG_MSG_LEN
Definition: util-debug.h:84
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:260
TmModuleReceivePcapRegister
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
Definition: source-pcap.c:135
SCGetUserID
void SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
Definition: util-privs.c:141
util-ioctl.h
detect-parse.h
SCInstance_::system
bool system
Definition: suricata.h:144
SCInstance_::pid_filename
char * pid_filename
Definition: suricata.h:130
TmModuleRespondRejectRegister
void TmModuleRespondRejectRegister(void)
Definition: respond-reject.c:50
CoredumpEnable
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
Definition: util-coredump-config.c:57
RunUnittests
void RunUnittests(int list_unittests, const char *regex_arg)
Definition: runmode-unittests.c:229
source-erf-file.h
ConfigCheckLogDirectoryExists
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
Definition: util-conf.c:56
TimeDeinit
void TimeDeinit(void)
Definition: util-time.c:87
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:45
RunModeEngineIsIPS
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
Definition: runmodes.c:362
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2659
RUNMODE_WINDIVERT
@ RUNMODE_WINDIVERT
Definition: runmodes.h:42
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:232
SCProfilingKeywordsGlobalInit
void SCProfilingKeywordsGlobalInit(void)
Definition: util-profiling-keywords.c:61
suricata.h
EngineDone
void EngineDone(void)
Used to indicate that the current task is done.
Definition: suricata.c:460
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
GetDocURL
const char * GetDocURL(void)
Definition: suricata.c:1111
util-mpm-hs.h
PostRunDeinit
void PostRunDeinit(const int runmode, struct timeval *start_time)
clean up / shutdown code for packet modes
Definition: suricata.c:2260
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
TmThreadWaitOnThreadRunning
TmEcode TmThreadWaitOnThreadRunning(void)
Waits for all threads to be in a running state.
Definition: tm-threads.c:1839
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:688
HttpRangeContainersDestroy
void HttpRangeContainersDestroy(void)
Definition: app-layer-htp-range.c:204
ConfSet
int ConfSet(const char *name, const char *val)
Set a configuration value.
Definition: conf.c:224
SCLogLoadConfig
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
Definition: util-debug.c:1420
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4844
DEFAULT_MAX_PENDING_PACKETS
#define DEFAULT_MAX_PENDING_PACKETS
Definition: suricata.c:166
SCInstance_
Definition: suricata.h:123
DetectEngineClearMaster
void DetectEngineClearMaster(void)
Definition: detect-engine.c:4817
SetMasterExceptionPolicy
void SetMasterExceptionPolicy(void)
Definition: util-exception-policy.c:59
TmThreadCheckThreadState
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
Definition: tm-threads.c:1924
OutputFilestoreRegisterGlobalCounters
void OutputFilestoreRegisterGlobalCounters(void)
Definition: output-filestore.c:516
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:2855
SCInstance_::disabled_detect
int disabled_detect
Definition: suricata.h:150
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:164
SystemHugepageSnapshotCreate
SystemHugepageSnapshot * SystemHugepageSnapshotCreate(void)
The function creates a snapshot of the system's hugepage usage per NUMA node and per hugepage size....
Definition: util-hugepages.c:323
SURI_HOST_IS_ROUTER
@ SURI_HOST_IS_ROUTER
Definition: suricata.h:116
SCProfilingSghsGlobalInit
void SCProfilingSghsGlobalInit(void)
Definition: util-profiling-rulegroups.c:64
SCPidfileCreate
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
Definition: util-pidfile.c:42
LiveRegisterDeviceName
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
Definition: util-device.c:97
SCStatFn
#define SCStatFn(pathname, statbuf)
Definition: util-path.h:35
ENGINE_MODE_IDS
@ ENGINE_MODE_IDS
Definition: suricata.h:103
LiveDeviceFinalize
void LiveDeviceFinalize(void)
Definition: util-device.c:442
TmModuleDecodeDPDKRegister
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
Definition: source-dpdk.c:64
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:129
PROG_VER
#define PROG_VER
Definition: suricata.h:71
util-misc.h
PacketPoolDestroy
void PacketPoolDestroy(void)
Definition: tmqh-packetpool.c:274
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:1664
flow.h
LandlockSandboxing
void LandlockSandboxing(SCInstance *suri)
Definition: util-landlock.c:35
respond-reject.h
SCInstance_::regex_arg
char * regex_arg
Definition: suricata.h:131
ListKeywords
int ListKeywords(const char *keyword_info)
Definition: util-running-modes.c:32
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
SuricataPreInit
void SuricataPreInit(const char *progname)
Definition: suricata.c:2892
msg
const char * msg
Definition: app-layer-htp.c:559
DPDKCleanupEAL
void DPDKCleanupEAL(void)
Definition: util-dpdk.c:28
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:36
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SCPidfileRemove
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
Definition: util-pidfile.c:83
TVT_MGMT
@ TVT_MGMT
Definition: tm-threads-common.h:88
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:66
TimeInit
void TimeInit(void)
Definition: util-time.c:79
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCInstance_::keyword_info
char * keyword_info
Definition: suricata.h:133
RUNMODE_PLUGIN
@ RUNMODE_PLUGIN
Definition: runmodes.h:43
NFQContextsClean
void NFQContextsClean(void)
Clean global contexts. Must be called on exit.
Definition: source-nfq.c:1300
SystemHugepageEvaluateHugepages
void SystemHugepageEvaluateHugepages(SystemHugepageSnapshot *pre_s, SystemHugepageSnapshot *post_s)
The function compares two hugepage snapshots and prints out recommendations for hugepage configuratio...
Definition: util-hugepages.c:363
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SCFinalizeRunMode
int SCFinalizeRunMode(void)
Definition: suricata.c:2365
SCStat
struct stat SCStat
Definition: util-path.h:33
SCProfilingInit
void SCProfilingInit(void)
Initialize profiling.
Definition: util-profiling.c:133
g_ut_modules
int g_ut_modules
Definition: suricata.c:893
detect-engine-address.h
RUNMODE_IPFW
@ RUNMODE_IPFW
Definition: runmodes.h:33
GlobalsDestroy
void GlobalsDestroy(void)
Definition: suricata.c:370
output.h
util-threshold-config.h
DefragInit
void DefragInit(void)
Definition: defrag.c:1113
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:2108
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:169
host-bit.h
detect-engine-threshold.h
RUNMODE_LIST_UNITTEST
@ RUNMODE_LIST_UNITTEST
Definition: runmodes.h:53
app-layer.h
TagDestroyCtx
void TagDestroyCtx(void)
Destroy tag context hash tables.
Definition: detect-engine-tag.c:72
DetectAddressTestConfVars
int DetectAddressTestConfVars(void)
Definition: detect-engine-address.c:1217
g_disable_randomness
int g_disable_randomness
Definition: suricata.c:192
geteuid
#define geteuid()
Definition: win32-misc.h:41
FlowWorkToDoCleanup
void FlowWorkToDoCleanup(void)
Clean up all the flows that have unprocessed segments and have some work to do in the detection engin...
Definition: flow-timeout.c:425
MpmHSGlobalCleanup
void MpmHSGlobalCleanup(void)
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:211
TmqResetQueues
void TmqResetQueues(void)
Definition: tm-queues.c:80