suricata
suricata.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 
26 #if HAVE_GETOPT_H
27 #include <getopt.h>
28 #endif
29 
30 #if HAVE_SIGNAL_H
31 #include <signal.h>
32 #endif
33 #ifndef OS_WIN32
34 #ifdef HAVE_SYS_RESOURCE_H
35 // setrlimit
36 #include <sys/resource.h>
37 #endif
38 #endif
39 
40 #include "suricata.h"
41 
42 #include "conf.h"
43 #include "conf-yaml-loader.h"
44 
45 #include "decode.h"
46 #include "defrag.h"
47 #include "flow.h"
48 #include "stream-tcp.h"
49 #include "ippair.h"
50 
51 #include "detect.h"
52 #include "detect-parse.h"
53 #include "detect-engine.h"
54 #include "detect-engine-address.h"
55 #include "detect-engine-alert.h"
56 #include "detect-engine-port.h"
57 #include "detect-engine-tag.h"
58 #include "detect-engine-threshold.h"
59 #include "detect-fast-pattern.h"
60 
61 #include "datasets.h"
62 
63 #include "feature.h"
64 
65 #include "flow-bypass.h"
66 #include "flow-manager.h"
67 #include "flow-timeout.h"
68 #include "flow-worker.h"
69 
70 #include "flow-bit.h"
71 #include "host-bit.h"
72 #include "ippair-bit.h"
73 
74 #include "app-layer.h"
75 #include "app-layer-parser.h"
76 #include "app-layer-htp.h"
77 #include "app-layer-htp-range.h"
78 
79 #include "output.h"
80 #include "output-filestore.h"
81 
82 #include "respond-reject.h"
83 
84 #include "runmode-af-packet.h"
85 #include "runmode-af-xdp.h"
86 #include "runmode-netmap.h"
87 #include "runmode-unittests.h"
88 
89 #include "source-nfq.h"
90 #include "source-nfq-prototypes.h"
91 #include "source-nflog.h"
92 #include "source-ipfw.h"
93 #include "source-pcap.h"
94 #include "source-pcap-file.h"
95 #include "source-pcap-file-helper.h"
96 #include "source-pfring.h"
97 #include "source-erf-file.h"
98 #include "source-erf-dag.h"
99 #include "source-napatech.h"
100 #include "source-af-packet.h"
101 #include "source-af-xdp.h"
102 #include "source-netmap.h"
103 #include "source-dpdk.h"
104 #include "source-windivert.h"
105 #include "source-windivert-prototypes.h"
106 
107 #include "unix-manager.h"
108 
109 #include "util-classification-config.h"
110 #include "util-threshold-config.h"
111 #include "util-reference-config.h"
112 
113 #include "tmqh-packetpool.h"
114 #include "tm-queuehandlers.h"
115 
116 #include "util-byte.h"
117 #include "util-conf.h"
118 #include "util-coredump-config.h"
119 #include "util-cpu.h"
120 #include "util-daemon.h"
121 #include "util-device.h"
122 #include "util-dpdk.h"
123 #include "util-ebpf.h"
124 #include "util-exception-policy.h"
125 #include "util-host-os-info.h"
126 #include "util-hugepages.h"
127 #include "util-ioctl.h"
128 #include "util-landlock.h"
129 #include "util-luajit.h"
130 #include "util-macset.h"
131 #include "util-misc.h"
132 #include "util-mpm-hs.h"
133 #include "util-path.h"
134 #include "util-pidfile.h"
135 #include "util-plugin.h"
136 #include "util-privs.h"
137 #include "util-profiling.h"
138 #include "util-proto-name.h"
139 #include "util-running-modes.h"
140 #include "util-signal.h"
141 #include "util-time.h"
142 #include "util-validate.h"
143 #include "util-var-name.h"
144 #ifdef SYSTEMD_NOTIFY
145 #include "util-systemd.h"
146 #endif
147 
148 #ifdef WINDIVERT
149 #include "decode-sll.h"
150 #include "win32-syscall.h"
151 #endif
152 
153 /*
154  * we put this here, because we only use it here in main.
155  */
156 volatile sig_atomic_t sigint_count = 0;
157 volatile sig_atomic_t sighup_count = 0;
158 volatile sig_atomic_t sigterm_count = 0;
159 volatile sig_atomic_t sigusr2_count = 0;
160 
161 /*
162  * Flag to indicate if the engine is at the initialization
163  * or already processing packets. 3 stages: SURICATA_INIT,
164  * SURICATA_RUNTIME and SURICATA_FINALIZE
165  */
166 SC_ATOMIC_DECLARE(unsigned int, engine_stage);
167 
168 /* Max packets processed simultaneously per thread. */
169 #define DEFAULT_MAX_PENDING_PACKETS 1024
170 
171 /** suricata engine control flags */
172 volatile uint8_t suricata_ctl_flags = 0;
173 
174 /** Engine mode: inline (ENGINE_MODE_IPS) or just
175  * detection mode (ENGINE_MODE_IDS by default) */
176 static enum EngineMode g_engine_mode = ENGINE_MODE_UNKNOWN;
177 
178 /** Host mode: set if box is sniffing only
179  * or is a router */
180 uint8_t host_mode = SURI_HOST_IS_SNIFFER_ONLY;
181 
182 /** Maximum packets to simultaneously process. */
183 uint16_t max_pending_packets;
184 
185 /** global indicating if detection is enabled */
186 int g_detect_disabled = 0;
187 
188 /** set caps or not */
189 bool sc_set_caps = false;
190 
191 bool g_system = false;
192 
193 /** disable randomness to get reproducible results across runs */
194 #ifndef AFLFUZZ_NO_RANDOM
195 int g_disable_randomness = 0;
196 #else
197 int g_disable_randomness = 1;
198 #endif
199 
200 /** determine (without branching) if we include the vlan_ids when hashing or
201  * comparing flows */
202 uint16_t g_vlan_mask = 0xffff;
203 
204 /** determine (without branching) if we include the livedev ids when hashing or
205  * comparing flows */
206 uint16_t g_livedev_mask = 0xffff;
207 
208 /* flag to disable hashing almost globally, to be similar to disabling nss
209  * support */
210 bool g_disable_hashing = false;
211 
212 /* snapshot of the system's hugepages before system intitialization. */
213 SystemHugepageSnapshot *prerun_snap = NULL;
214 
215 /** add per-proto app-layer error counters for exception policies stats? disabled by default */
216 bool g_stats_eps_per_app_proto_errors = false;
217 
218 /** Suricata instance */
219 SCInstance suricata;
220 
221 int SuriHasSigFile(void)
222 {
223  return (suricata.sig_file != NULL);
224 }
225 
226 int EngineModeIsUnknown(void)
227 {
228  return (g_engine_mode == ENGINE_MODE_UNKNOWN);
229 }
230 
231 int EngineModeIsIPS(void)
232 {
233  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
234  return (g_engine_mode == ENGINE_MODE_IPS);
235 }
236 
237 int EngineModeIsIDS(void)
238 {
239  DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
240  return (g_engine_mode == ENGINE_MODE_IDS);
241 }
242 
243 void EngineModeSetIPS(void)
244 {
245  g_engine_mode = ENGINE_MODE_IPS;
246 }
247 
248 void EngineModeSetIDS(void)
249 {
250  g_engine_mode = ENGINE_MODE_IDS;
251 }
252 
253 #ifdef UNITTESTS
254 int RunmodeIsUnittests(void)
255 {
256  if (suricata.run_mode == RUNMODE_UNITTEST)
257  return 1;
258 
259  return 0;
260 }
261 #endif
262 
263 int SCRunmodeGet(void)
264 {
265  return suricata.run_mode;
266 }
267 
268 void SCRunmodeSet(int run_mode)
269 {
270  suricata.run_mode = run_mode;
271 }
272 
273 /** signal handlers
274  *
275  * WARNING: don't use the SCLog* API in the handlers. The API is complex
276  * with memory allocation possibly happening, calls to syslog, json message
277  * construction, etc.
278  */
279 
280 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
281 static void SignalHandlerSigint(/*@unused@*/ int sig)
282 {
283  sigint_count = 1;
284 }
285 static void SignalHandlerSigterm(/*@unused@*/ int sig)
286 {
287  sigterm_count = 1;
288 }
289 #ifndef OS_WIN32
290 #if HAVE_LIBUNWIND
291 #define UNW_LOCAL_ONLY
292 #include <libunwind.h>
293 static void SignalHandlerUnexpected(int sig_num, siginfo_t *info, void *context)
294 {
295  char msg[SC_LOG_MAX_LOG_MSG_LEN];
296  unw_cursor_t cursor;
297  /* Restore defaults for signals to avoid loops */
298  signal(SIGABRT, SIG_DFL);
299  signal(SIGSEGV, SIG_DFL);
300  int r;
301  if ((r = unw_init_local(&cursor, (unw_context_t *)(context)) != 0)) {
302  SCLogError("unable to obtain stack trace: unw_init_local: %s", unw_strerror(r));
303  goto terminate;
304  }
305 
306  char *temp = msg;
307  int cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "stacktrace:sig %d:", sig_num);
308  temp += cw;
309  r = 1;
310  while (r > 0) {
311  if (unw_is_signal_frame(&cursor) == 0) {
312  unw_word_t off;
313  char name[256];
314  if (unw_get_proc_name(&cursor, name, sizeof(name), &off) == UNW_ENOMEM) {
315  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "[unknown]:");
316  } else {
317  cw = snprintf(
318  temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), "%s+0x%08" PRIx64, name, off);
319  }
320  temp += cw;
321  }
322 
323  r = unw_step(&cursor);
324  if (r > 0) {
325  cw = snprintf(temp, SC_LOG_MAX_LOG_MSG_LEN - (temp - msg), ";");
326  temp += cw;
327  }
328  }
329  SCLogError("%s", msg);
330 
331 terminate:
332  // Propagate signal to watchers, if any
333  kill(getpid(), sig_num);
334 }
335 #undef UNW_LOCAL_ONLY
336 #endif /* HAVE_LIBUNWIND */
337 #endif /* !OS_WIN32 */
338 #endif
339 
340 #ifndef OS_WIN32
341 /**
342  * SIGUSR2 handler. Just set sigusr2_count. The main loop will act on
343  * it.
344  */
345 static void SignalHandlerSigusr2(int sig)
346 {
347  if (sigusr2_count < 2)
348  sigusr2_count++;
349 }
350 
351 /**
352  * SIGHUP handler. Just set sighup_count. The main loop will act on
353  * it.
354  */
355 static void SignalHandlerSigHup(/*@unused@*/ int sig)
356 {
357  sighup_count = 1;
358 }
359 #endif
360 
361 void GlobalsInitPreConfig(void)
362 {
363  TimeInit();
364  SupportFastPatternForSigMatchTypes();
365  SCThresholdConfGlobalInit();
366  SCProtoNameInit();
367  FrameConfigInit();
368 }
369 
370 void GlobalsDestroy(void)
371 {
372  SCInstance *suri = &suricata;
373  HostShutdown();
374  HTPFreeConfig();
375  HTPAtExitPrintStats();
376 
377  AppLayerHtpPrintStats();
378 
379  /* TODO this can do into it's own func */
380  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
381  if (de_ctx) {
382  DetectEngineMoveToFreeList(de_ctx);
383  DetectEngineDeReference(&de_ctx);
384  }
385  DetectEngineClearMaster();
386 
387  AppLayerDeSetup();
388  DatasetsSave();
389  DatasetsDestroy();
390  TagDestroyCtx();
391 
392  LiveDeviceListClean();
393  OutputDeregisterAll();
394  FeatureTrackingRelease();
395  SCProtoNameRelease();
396  TimeDeinit();
397  TmqhCleanup();
398  TmModuleRunDeInit();
399  ParseSizeDeinit();
400 
401 #ifdef HAVE_DPDK
402  DPDKCleanupEAL();
403 #endif
404 
405 #ifdef HAVE_AF_PACKET
406  AFPPeersListClean();
407 #endif
408 
409 #ifdef NFQ
410  NFQContextsClean();
411 #endif
412 
413 #ifdef BUILD_HYPERSCAN
414  MpmHSGlobalCleanup();
415 #endif
416 
417  ConfDeInit();
418 #ifdef HAVE_LUAJIT
419  LuajitFreeStatesPool();
420 #endif
421  DetectParseFreeRegexes();
422 
423  SCPidfileRemove(suri->pid_filename);
424  SCFree(suri->pid_filename);
425  suri->pid_filename = NULL;
426 
427  VarNameStoreDestroy();
428  SCLogDeInitLogModule();
429 }
430 
431 /**
432  * \brief Used to send OS specific notification of running threads
433  *
434  * \retval TmEcode TM_ECODE_OK on success; TM_ECODE_FAILED on failure.
435  */
436 static void OnNotifyRunning(void)
437 {
438 #ifdef SYSTEMD_NOTIFY
439  if (SystemDNotifyReady() < 0) {
440  SCLogWarning("failed to notify systemd");
441  }
442 #endif
443 }
444 
445 /** \brief make sure threads can stop the engine by calling this
446  * function. Purpose: pcap file mode needs to be able to tell the
447  * engine the file eof is reached. */
448 void EngineStop(void)
449 {
450  suricata_ctl_flags |= SURICATA_STOP;
451 }
452 
453 /**
454  * \brief Used to indicate that the current task is done.
455  *
456  * This is mainly used by pcap-file to tell it has finished
457  * to treat a pcap files when running in unix-socket mode.
458  */
459 void EngineDone(void)
460 {
461  suricata_ctl_flags |= SURICATA_DONE;
462 }
463 
464 static int SetBpfString(int argc, char *argv[])
465 {
466  char *bpf_filter = NULL;
467  uint32_t bpf_len = 0;
468  int tmpindex = 0;
469 
470  /* attempt to parse remaining args as bpf filter */
471  tmpindex = argc;
472  while(argv[tmpindex] != NULL) {
473  bpf_len+=strlen(argv[tmpindex]) + 1;
474  tmpindex++;
475  }
476 
477  if (bpf_len == 0)
478  return TM_ECODE_OK;
479 
480  bpf_filter = SCCalloc(1, bpf_len);
481  if (unlikely(bpf_filter == NULL))
482  return TM_ECODE_FAILED;
483 
484  tmpindex = optind;
485  while(argv[tmpindex] != NULL) {
486  strlcat(bpf_filter, argv[tmpindex],bpf_len);
487  if(argv[tmpindex + 1] != NULL) {
488  strlcat(bpf_filter," ", bpf_len);
489  }
490  tmpindex++;
491  }
492 
493  if(strlen(bpf_filter) > 0) {
494  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
495  SCLogError("Failed to set bpf filter.");
496  SCFree(bpf_filter);
497  return TM_ECODE_FAILED;
498  }
499  }
500  SCFree(bpf_filter);
501 
502  return TM_ECODE_OK;
503 }
504 
505 static void SetBpfStringFromFile(char *filename)
506 {
507  char *bpf_filter = NULL;
508  char *bpf_comment_tmp = NULL;
509  char *bpf_comment_start = NULL;
510  uint32_t bpf_len = 0;
511  SCStat st;
512  FILE *fp = NULL;
513  size_t nm = 0;
514 
515  fp = fopen(filename, "r");
516  if (fp == NULL) {
517  SCLogError("Failed to open file %s", filename);
518  exit(EXIT_FAILURE);
519  }
520 
521  if (SCFstatFn(fileno(fp), &st) != 0) {
522  SCLogError("Failed to stat file %s", filename);
523  exit(EXIT_FAILURE);
524  }
525  bpf_len = st.st_size + 1;
526 
527  bpf_filter = SCCalloc(1, bpf_len);
528  if (unlikely(bpf_filter == NULL)) {
529  SCLogError("Failed to allocate buffer for bpf filter in file %s", filename);
530  exit(EXIT_FAILURE);
531  }
532 
533  nm = fread(bpf_filter, 1, bpf_len - 1, fp);
534  if ((ferror(fp) != 0) || (nm != (bpf_len - 1))) {
535  SCLogError("Failed to read complete BPF file %s", filename);
536  SCFree(bpf_filter);
537  fclose(fp);
538  exit(EXIT_FAILURE);
539  }
540  fclose(fp);
541  bpf_filter[nm] = '\0';
542 
543  if(strlen(bpf_filter) > 0) {
544  /*replace comments with space*/
545  bpf_comment_start = bpf_filter;
546  while((bpf_comment_tmp = strchr(bpf_comment_start, '#')) != NULL) {
547  while((*bpf_comment_tmp !='\0') &&
548  (*bpf_comment_tmp != '\r') && (*bpf_comment_tmp != '\n'))
549  {
550  *bpf_comment_tmp++ = ' ';
551  }
552  bpf_comment_start = bpf_comment_tmp;
553  }
554  /*remove remaining '\r' and '\n' */
555  while((bpf_comment_tmp = strchr(bpf_filter, '\r')) != NULL) {
556  *bpf_comment_tmp = ' ';
557  }
558  while((bpf_comment_tmp = strchr(bpf_filter, '\n')) != NULL) {
559  *bpf_comment_tmp = ' ';
560  }
561  /* cut trailing spaces */
562  while (strlen(bpf_filter) > 0 &&
563  bpf_filter[strlen(bpf_filter)-1] == ' ')
564  {
565  bpf_filter[strlen(bpf_filter)-1] = '\0';
566  }
567  if (strlen(bpf_filter) > 0) {
568  if (ConfSetFinal("bpf-filter", bpf_filter) != 1) {
569  SCFree(bpf_filter);
570  FatalError("failed to set bpf filter");
571  }
572  }
573  }
574  SCFree(bpf_filter);
575 }
576 
577 static void PrintUsage(const char *progname)
578 {
579 #ifdef REVISION
580  printf("%s %s (%s)\n", PROG_NAME, PROG_VER, xstr(REVISION));
581 #else
582  printf("%s %s\n", PROG_NAME, PROG_VER);
583 #endif
584  printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
585  printf("\t-c <path> : path to configuration file\n");
586  printf("\t-T : test configuration file (use with -c)\n");
587  printf("\t-i <dev or ip> : run in pcap live mode\n");
588  printf("\t-F <bpf filter file> : bpf filter file\n");
589  printf("\t-r <path> : run in pcap file/offline mode\n");
590 #ifdef NFQ
591  printf("\t-q <qid[:qid]> : run in inline nfqueue mode (use colon to specify a range of queues)\n");
592 #endif /* NFQ */
593 #ifdef IPFW
594  printf("\t-d <divert port> : run in inline ipfw divert mode\n");
595 #endif /* IPFW */
596  printf("\t-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)\n");
597  printf("\t-S <path> : path to signature file loaded exclusively (optional)\n");
598  printf("\t-l <dir> : default log directory\n");
599 #ifndef OS_WIN32
600  printf("\t-D : run as daemon\n");
601 #else
602  printf("\t--service-install : install as service\n");
603  printf("\t--service-remove : remove service\n");
604  printf("\t--service-change-params : change service startup parameters\n");
605 #endif /* OS_WIN32 */
606  printf("\t-k [all|none] : force checksum check (all) or disabled it (none)\n");
607  printf("\t-V : display Suricata version\n");
608  printf("\t-v : be more verbose (use multiple times to increase verbosity)\n");
609 #ifdef UNITTESTS
610  printf("\t-u : run the unittests and exit\n");
611  printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n");
612  printf("\t--list-unittests : list unit tests\n");
613  printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
614  printf("\t--unittests-coverage : display unittest coverage report\n");
615 #endif /* UNITTESTS */
616  printf("\t--list-app-layer-protos : list supported app layer protocols\n");
617  printf("\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
618  printf("\t--list-runmodes : list supported runmodes\n");
619  printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
620  "\t supplied should be the id for the runmode obtained by running\n"
621  "\t --list-runmodes\n");
622  printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n"
623  "\t Please have a look at the conf parameter engine-analysis on what reports\n"
624  "\t can be printed\n");
625  printf("\t--pidfile <file> : write pid to this file\n");
626  printf("\t--init-errors-fatal : enable fatal failure on signature init error\n");
627  printf("\t--disable-detection : disable detection engine\n");
628  printf("\t--dump-config : show the running configuration\n");
629  printf("\t--dump-features : display provided features\n");
630  printf("\t--build-info : display build information\n");
631  printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml\n");
632  printf("\t--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
633  printf("\t--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
634  printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)\n");
635 #ifdef HAVE_PCAP_SET_BUFF
636  printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
637 #endif /* HAVE_SET_PCAP_BUFF */
638 #ifdef HAVE_DPDK
639  printf("\t--dpdk : run in dpdk mode, uses interfaces from "
640  "suricata.yaml\n");
641 #endif
642 #ifdef HAVE_AF_PACKET
643  printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
644 #endif
645 #ifdef HAVE_AF_XDP
646  printf("\t--af-xdp[=<dev>] : run in af-xdp mode, no value select "
647  "interfaces from suricata.yaml\n");
648 #endif
649 #ifdef HAVE_NETMAP
650  printf("\t--netmap[=<dev>] : run in netmap mode, no value select interfaces from suricata.yaml\n");
651 #endif
652 #ifdef HAVE_PFRING
653  printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
654  printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
655  printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
656  printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
657 #endif /* HAVE_PFRING */
658  printf("\t--simulate-ips : force engine into IPS mode. Useful for QA\n");
659 #ifdef HAVE_LIBCAP_NG
660  printf("\t--user <user> : run suricata as this user after init\n");
661  printf("\t--group <group> : run suricata as this group after init\n");
662 #endif /* HAVE_LIBCAP_NG */
663  printf("\t--erf-in <path> : process an ERF file\n");
664 #ifdef HAVE_DAG
665  printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
666 #endif
667 #ifdef HAVE_NAPATECH
668  printf("\t--napatech : run Napatech Streams using the API\n");
669 #endif
670 #ifdef BUILD_UNIX_SOCKET
671  printf("\t--unix-socket[=<file>] : use unix socket to control suricata work\n");
672 #endif
673 #ifdef WINDIVERT
674  printf("\t--windivert <filter> : run in inline WinDivert mode\n");
675  printf("\t--windivert-forward <filter> : run in inline WinDivert mode, as a gateway\n");
676 #endif
677 #ifdef HAVE_LIBNET11
678  printf("\t--reject-dev <dev> : send reject packets from this interface\n");
679 #endif
680  printf("\t--include <path> : additional configuration file\n");
681  printf("\t--set name=value : set a configuration value\n");
682  printf("\n");
683  printf("\nTo run the engine with default configuration on "
684  "interface eth0 with signature file \"signatures.rules\", run the "
685  "command as:\n\n%s -c suricata.yaml -s signatures.rules -i eth0 \n\n",
686  progname);
687 }
688 
689 static void PrintBuildInfo(void)
690 {
691  const char *bits;
692  const char *endian;
693  char features[2048] = "";
694  const char *tls;
695 
696  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
697 #ifdef DEBUG
698  strlcat(features, "DEBUG ", sizeof(features));
699 #endif
700 #ifdef DEBUG_VALIDATION
701  strlcat(features, "DEBUG_VALIDATION ", sizeof(features));
702 #endif
703 #ifdef UNITTESTS
704  strlcat(features, "UNITTESTS ", sizeof(features));
705 #endif
706 #ifdef NFQ
707  strlcat(features, "NFQ ", sizeof(features));
708 #endif
709 #ifdef IPFW
710  strlcat(features, "IPFW ", sizeof(features));
711 #endif
712 #ifdef HAVE_PCAP_SET_BUFF
713  strlcat(features, "PCAP_SET_BUFF ", sizeof(features));
714 #endif
715 #ifdef HAVE_PFRING
716  strlcat(features, "PF_RING ", sizeof(features));
717 #endif
718 #ifdef HAVE_AF_PACKET
719  strlcat(features, "AF_PACKET ", sizeof(features));
720 #endif
721 #ifdef HAVE_NETMAP
722  strlcat(features, "NETMAP ", sizeof(features));
723 #endif
724 #ifdef HAVE_PACKET_FANOUT
725  strlcat(features, "HAVE_PACKET_FANOUT ", sizeof(features));
726 #endif
727 #ifdef HAVE_DAG
728  strlcat(features, "DAG ", sizeof(features));
729 #endif
730 #ifdef HAVE_LIBCAP_NG
731  strlcat(features, "LIBCAP_NG ", sizeof(features));
732 #endif
733 #ifdef HAVE_LIBNET11
734  strlcat(features, "LIBNET1.1 ", sizeof(features));
735 #endif
736 #ifdef HAVE_HTP_URI_NORMALIZE_HOOK
737  strlcat(features, "HAVE_HTP_URI_NORMALIZE_HOOK ", sizeof(features));
738 #endif
739 #ifdef PCRE2_HAVE_JIT
740  strlcat(features, "PCRE_JIT ", sizeof(features));
741 #endif
742  /* For compatibility, just say we have HAVE_NSS. */
743  strlcat(features, "HAVE_NSS ", sizeof(features));
744  /* HTTP2_DECOMPRESSION is not an optional feature in this major version */
745  strlcat(features, "HTTP2_DECOMPRESSION ", sizeof(features));
746 #ifdef HAVE_LUA
747  strlcat(features, "HAVE_LUA ", sizeof(features));
748 #endif
749 #ifdef HAVE_JA3
750  strlcat(features, "HAVE_JA3 ", sizeof(features));
751 #endif
752 #ifdef HAVE_JA4
753  strlcat(features, "HAVE_JA4 ", sizeof(features));
754 #endif
755 #ifdef HAVE_LUAJIT
756  strlcat(features, "HAVE_LUAJIT ", sizeof(features));
757 #endif
758  strlcat(features, "HAVE_LIBJANSSON ", sizeof(features));
759 #ifdef PROFILING
760  strlcat(features, "PROFILING ", sizeof(features));
761 #endif
762 #ifdef PROFILE_LOCKING
763  strlcat(features, "PROFILE_LOCKING ", sizeof(features));
764 #endif
765 #if defined(TLS_C11) || defined(TLS_GNU)
766  strlcat(features, "TLS ", sizeof(features));
767 #endif
768 #if defined(TLS_C11)
769  strlcat(features, "TLS_C11 ", sizeof(features));
770 #elif defined(TLS_GNU)
771  strlcat(features, "TLS_GNU ", sizeof(features));
772 #endif
773 #ifdef HAVE_MAGIC
774  strlcat(features, "MAGIC ", sizeof(features));
775 #endif
776  strlcat(features, "RUST ", sizeof(features));
777 #if defined(SC_ADDRESS_SANITIZER)
778  strlcat(features, "ASAN ", sizeof(features));
779 #endif
780 #if defined(HAVE_POPCNT64)
781  strlcat(features, "POPCNT64 ", sizeof(features));
782 #endif
783  if (strlen(features) == 0) {
784  strlcat(features, "none", sizeof(features));
785  }
786 
787  printf("Features: %s\n", features);
788 
789  /* SIMD stuff */
790  memset(features, 0x00, sizeof(features));
791 #if defined(__SSE4_2__)
792  strlcat(features, "SSE_4_2 ", sizeof(features));
793 #endif
794 #if defined(__SSE4_1__)
795  strlcat(features, "SSE_4_1 ", sizeof(features));
796 #endif
797 #if defined(__SSE3__)
798  strlcat(features, "SSE_3 ", sizeof(features));
799 #endif
800 #if defined(__SSE2__)
801  strlcat(features, "SSE_2 ", sizeof(features));
802 #endif
803  if (strlen(features) == 0) {
804  strlcat(features, "none", sizeof(features));
805  }
806  printf("SIMD support: %s\n", features);
807 
808  /* atomics stuff */
809  memset(features, 0x00, sizeof(features));
810 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1)
811  strlcat(features, "1 ", sizeof(features));
812 #endif
813 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2)
814  strlcat(features, "2 ", sizeof(features));
815 #endif
816 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4)
817  strlcat(features, "4 ", sizeof(features));
818 #endif
819 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
820  strlcat(features, "8 ", sizeof(features));
821 #endif
822 #if defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16)
823  strlcat(features, "16 ", sizeof(features));
824 #endif
825  if (strlen(features) == 0) {
826  strlcat(features, "none", sizeof(features));
827  } else {
828  strlcat(features, "byte(s)", sizeof(features));
829  }
830  printf("Atomic intrinsics: %s\n", features);
831 
832 #if __WORDSIZE == 64
833  bits = "64-bits";
834 #elif __WORDSIZE == 32
835  bits = "32-bits";
836 #else
837  bits = "<unknown>-bits";
838 #endif
839 
840 #if __BYTE_ORDER == __BIG_ENDIAN
841  endian = "Big-endian";
842 #elif __BYTE_ORDER == __LITTLE_ENDIAN
843  endian = "Little-endian";
844 #else
845  endian = "<unknown>-endian";
846 #endif
847 
848  printf("%s, %s architecture\n", bits, endian);
849 #ifdef __GNUC__
850  printf("GCC version %s, C version %"PRIiMAX"\n", __VERSION__, (intmax_t)__STDC_VERSION__);
851 #else
852  printf("C version %"PRIiMAX"\n", (intmax_t)__STDC_VERSION__);
853 #endif
854 
855 #if __SSP__ == 1
856  printf("compiled with -fstack-protector\n");
857 #endif
858 #if __SSP_ALL__ == 2
859  printf("compiled with -fstack-protector-all\n");
860 #endif
861 /*
862  * Workaround for special defines of _FORTIFY_SOURCE like
863  * FORTIFY_SOURCE=((defined __OPTIMIZE && OPTIMIZE > 0) ? 2 : 0)
864  * which is used by Gentoo for example and would result in the error
865  * 'defined' undeclared when _FORTIFY_SOURCE used via %d in printf func
866  *
867  */
868 #if _FORTIFY_SOURCE == 2
869  printf("compiled with _FORTIFY_SOURCE=2\n");
870 #elif _FORTIFY_SOURCE == 1
871  printf("compiled with _FORTIFY_SOURCE=1\n");
872 #elif _FORTIFY_SOURCE == 0
873  printf("compiled with _FORTIFY_SOURCE=0\n");
874 #endif
875 #ifdef CLS
876  printf("L1 cache line size (CLS)=%d\n", CLS);
877 #endif
878 #if defined(TLS_C11)
879  tls = "_Thread_local";
880 #elif defined(TLS_GNU)
881  tls = "__thread";
882 #else
883 #error "Unsupported thread local"
884 #endif
885  printf("thread local storage method: %s\n", tls);
886 
887  printf("compiled with %s, linked against %s\n",
888  HTP_VERSION_STRING_FULL, htp_get_version());
889  printf("\n");
890 #include "build-info.h"
891 }
892 
893 int coverage_unittests;
894 int g_ut_modules;
895 int g_ut_covered;
896 
897 void RegisterAllModules(void)
898 {
899  /* commanders */
900  TmModuleUnixManagerRegister();
901  /* managers */
902  TmModuleFlowManagerRegister();
903  TmModuleFlowRecyclerRegister();
904  TmModuleBypassedFlowManagerRegister();
905  /* nfq */
906  TmModuleReceiveNFQRegister();
907  TmModuleVerdictNFQRegister();
908  TmModuleDecodeNFQRegister();
909  /* ipfw */
910  TmModuleReceiveIPFWRegister();
911  TmModuleVerdictIPFWRegister();
912  TmModuleDecodeIPFWRegister();
913  /* pcap live */
914  TmModuleReceivePcapRegister();
915  TmModuleDecodePcapRegister();
916  /* pcap file */
917  TmModuleReceivePcapFileRegister();
918  TmModuleDecodePcapFileRegister();
919  /* af-packet */
920  TmModuleReceiveAFPRegister();
921  TmModuleDecodeAFPRegister();
922  /* af-xdp */
923  TmModuleReceiveAFXDPRegister();
924  TmModuleDecodeAFXDPRegister();
925  /* netmap */
926  TmModuleReceiveNetmapRegister();
927  TmModuleDecodeNetmapRegister();
928  /* pfring */
929  TmModuleReceivePfringRegister();
930  TmModuleDecodePfringRegister();
931  /* dag file */
932  TmModuleReceiveErfFileRegister();
933  TmModuleDecodeErfFileRegister();
934  /* dag live */
935  TmModuleReceiveErfDagRegister();
936  TmModuleDecodeErfDagRegister();
937  /* napatech */
938  TmModuleNapatechStreamRegister();
939  TmModuleNapatechDecodeRegister();
940 
941  /* flow worker */
942  TmModuleFlowWorkerRegister();
943  /* respond-reject */
944  TmModuleRespondRejectRegister();
945 
946  /* log api */
947  TmModuleLoggerRegister();
948  TmModuleStatsLoggerRegister();
949 
950  TmModuleDebugList();
951  /* nflog */
952  TmModuleReceiveNFLOGRegister();
953  TmModuleDecodeNFLOGRegister();
954 
955  /* windivert */
956  TmModuleReceiveWinDivertRegister();
957  TmModuleVerdictWinDivertRegister();
958  TmModuleDecodeWinDivertRegister();
959 
960  /* Dpdk */
961  TmModuleReceiveDPDKRegister();
962  TmModuleDecodeDPDKRegister();
963 }
964 
965 TmEcode SCLoadYamlConfig(void)
966 {
967  SCEnter();
968 
969  SCInstance *suri = &suricata;
970 
971  if (suri->conf_filename == NULL)
972  suri->conf_filename = DEFAULT_CONF_FILE;
973 
974  if (ConfYamlLoadFile(suri->conf_filename) != 0) {
975  /* Error already displayed. */
976  SCReturnInt(TM_ECODE_FAILED);
977  }
978 
979  if (suri->additional_configs) {
980  for (int i = 0; suri->additional_configs[i] != NULL; i++) {
981  SCLogConfig("Loading additional configuration file %s", suri->additional_configs[i]);
982  ConfYamlHandleInclude(ConfGetRootNode(), suri->additional_configs[i]);
983  }
984  }
985 
986  SCReturnInt(TM_ECODE_OK);
987 }
988 
989 static TmEcode ParseInterfacesList(const int runmode, char *pcap_dev)
990 {
991  SCEnter();
992 
993  /* run the selected runmode */
994  if (runmode == RUNMODE_PCAP_DEV) {
995  if (strlen(pcap_dev) == 0) {
996  int ret = LiveBuildDeviceList("pcap");
997  if (ret == 0) {
998  SCLogError("No interface found in config for pcap");
999  SCReturnInt(TM_ECODE_FAILED);
1000  }
1001  }
1002  } else if (runmode == RUNMODE_PFRING) {
1003  /* FIXME add backward compat support */
1004  /* iface has been set on command line */
1005  if (strlen(pcap_dev)) {
1006  if (ConfSetFinal("pfring.live-interface", pcap_dev) != 1) {
1007  SCLogError("Failed to set pfring.live-interface");
1008  SCReturnInt(TM_ECODE_FAILED);
1009  }
1010  } else {
1011  /* not an error condition if we have a 1.0 config */
1012  LiveBuildDeviceList("pfring");
1013  }
1014 #ifdef HAVE_DPDK
1015  } else if (runmode == RUNMODE_DPDK) {
1016  char iface_selector[] = "dpdk.interfaces";
1017  int ret = LiveBuildDeviceList(iface_selector);
1018  if (ret == 0) {
1019  SCLogError("No interface found in config for %s", iface_selector);
1020  SCReturnInt(TM_ECODE_FAILED);
1021  }
1022 #endif
1023 #ifdef HAVE_AF_PACKET
1024  } else if (runmode == RUNMODE_AFP_DEV) {
1025  /* iface has been set on command line */
1026  if (strlen(pcap_dev)) {
1027  if (ConfSetFinal("af-packet.live-interface", pcap_dev) != 1) {
1028  SCLogError("Failed to set af-packet.live-interface");
1029  SCReturnInt(TM_ECODE_FAILED);
1030  }
1031  } else {
1032  int ret = LiveBuildDeviceList("af-packet");
1033  if (ret == 0) {
1034  SCLogError("No interface found in config for af-packet");
1035  SCReturnInt(TM_ECODE_FAILED);
1036  }
1037  }
1038 #endif
1039 #ifdef HAVE_AF_XDP
1040  } else if (runmode == RUNMODE_AFXDP_DEV) {
1041  /* iface has been set on command line */
1042  if (strlen(pcap_dev)) {
1043  if (ConfSetFinal("af-xdp.live-interface", pcap_dev) != 1) {
1044  SCLogError("Failed to set af-xdp.live-interface");
1045  SCReturnInt(TM_ECODE_FAILED);
1046  }
1047  } else {
1048  int ret = LiveBuildDeviceList("af-xdp");
1049  if (ret == 0) {
1050  SCLogError("No interface found in config for af-xdp");
1051  SCReturnInt(TM_ECODE_FAILED);
1052  }
1053  }
1054 #endif
1055 #ifdef HAVE_NETMAP
1056  } else if (runmode == RUNMODE_NETMAP) {
1057  /* iface has been set on command line */
1058  if (strlen(pcap_dev)) {
1059  if (ConfSetFinal("netmap.live-interface", pcap_dev) != 1) {
1060  SCLogError("Failed to set netmap.live-interface");
1061  SCReturnInt(TM_ECODE_FAILED);
1062  }
1063  } else {
1064  int ret = LiveBuildDeviceList("netmap");
1065  if (ret == 0) {
1066  SCLogError("No interface found in config for netmap");
1067  SCReturnInt(TM_ECODE_FAILED);
1068  }
1069  }
1070 #endif
1071 #ifdef HAVE_NFLOG
1072  } else if (runmode == RUNMODE_NFLOG) {
1073  int ret = LiveBuildDeviceListCustom("nflog", "group");
1074  if (ret == 0) {
1075  SCLogError("No group found in config for nflog");
1076  SCReturnInt(TM_ECODE_FAILED);
1077  }
1078 #endif
1079  }
1080 
1081  SCReturnInt(TM_ECODE_OK);
1082 }
1083 
1084 static void SCInstanceInit(SCInstance *suri, const char *progname)
1085 {
1086  memset(suri, 0x00, sizeof(*suri));
1087 
1088  suri->progname = progname;
1089  suri->run_mode = RUNMODE_UNKNOWN;
1090 
1091  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1092  suri->sig_file = NULL;
1093  suri->sig_file_exclusive = false;
1094  suri->pid_filename = NULL;
1095  suri->regex_arg = NULL;
1096 
1097  suri->keyword_info = NULL;
1098  suri->runmode_custom_mode = NULL;
1099 #ifndef OS_WIN32
1100  suri->user_name = NULL;
1101  suri->group_name = NULL;
1102  suri->do_setuid = false;
1103  suri->do_setgid = false;
1104 #endif /* OS_WIN32 */
1105  suri->userid = 0;
1106  suri->groupid = 0;
1107  suri->delayed_detect = 0;
1108  suri->daemon = 0;
1109  suri->offline = 0;
1110  suri->verbose = 0;
1111  /* use -1 as unknown */
1112  suri->checksum_validation = -1;
1113 #if HAVE_DETECT_DISABLED==1
1114  g_detect_disabled = suri->disabled_detect = 1;
1115 #else
1116  g_detect_disabled = suri->disabled_detect = 0;
1117 #endif
1118 }
1119 
1120 const char *GetDocURL(void)
1121 {
1122  const char *prog_ver = GetProgramVersion();
1123  if (strstr(prog_ver, "RELEASE") != NULL) {
1124  return DOC_URL "suricata-" PROG_VER;
1125  }
1126  return DOC_URL "latest";
1127 }
1128 
1129 /** \brief get string with program version
1130  *
1131  * Get the program version as passed to us from AC_INIT
1132  *
1133  * Add 'RELEASE' is no '-dev' in the version. Add the REVISION if passed
1134  * to us.
1135  *
1136  * Possible outputs:
1137  * release: '5.0.1 RELEASE'
1138  * dev with rev: '5.0.1-dev (64a789bbf 2019-10-18)'
1139  * dev w/o rev: '5.0.1-dev'
1140  */
1141 const char *GetProgramVersion(void)
1142 {
1143  if (strstr(PROG_VER, "-dev") == NULL) {
1144  return PROG_VER " RELEASE";
1145  } else {
1146 #ifdef REVISION
1147  return PROG_VER " (" xstr(REVISION) ")";
1148 #else
1149  return PROG_VER;
1150 #endif
1151  }
1152 }
1153 
1154 static TmEcode PrintVersion(void)
1155 {
1156  printf("This is %s version %s\n", PROG_NAME, GetProgramVersion());
1157  return TM_ECODE_OK;
1158 }
1159 
1160 static TmEcode LogVersion(SCInstance *suri)
1161 {
1162  const char *mode = suri->system ? "SYSTEM" : "USER";
1163  SCLogNotice("This is %s version %s running in %s mode",
1164  PROG_NAME, GetProgramVersion(), mode);
1165  return TM_ECODE_OK;
1166 }
1167 
1168 static void SCSetStartTime(SCInstance *suri)
1169 {
1170  memset(&suri->start_time, 0, sizeof(suri->start_time));
1171  gettimeofday(&suri->start_time, NULL);
1172 }
1173 
1174 static void SCPrintElapsedTime(struct timeval *start_time)
1175 {
1176  if (start_time == NULL)
1177  return;
1178  struct timeval end_time;
1179  memset(&end_time, 0, sizeof(end_time));
1180  gettimeofday(&end_time, NULL);
1181  uint64_t milliseconds = ((end_time.tv_sec - start_time->tv_sec) * 1000) +
1182  (((1000000 + end_time.tv_usec - start_time->tv_usec) / 1000) - 1000);
1183  SCLogInfo("time elapsed %.3fs", (float)milliseconds/(float)1000);
1184 }
1185 
1186 static int ParseCommandLineAfpacket(SCInstance *suri, const char *in_arg)
1187 {
1188 #ifdef HAVE_AF_PACKET
1189  if (suri->run_mode == RUNMODE_UNKNOWN) {
1190  suri->run_mode = RUNMODE_AFP_DEV;
1191  if (in_arg) {
1192  LiveRegisterDeviceName(in_arg);
1193  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1194  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1195  }
1196  } else if (suri->run_mode == RUNMODE_AFP_DEV) {
1197  if (in_arg) {
1198  LiveRegisterDeviceName(in_arg);
1199  } else {
1200  SCLogInfo("Multiple af-packet option without interface on each is useless");
1201  }
1202  } else {
1203  SCLogError("more than one run mode "
1204  "has been specified");
1205  PrintUsage(suri->progname);
1206  return TM_ECODE_FAILED;
1207  }
1208  return TM_ECODE_OK;
1209 #else
1210  SCLogError("AF_PACKET not enabled. On Linux "
1211  "host, make sure to pass --enable-af-packet to "
1212  "configure when building.");
1213  return TM_ECODE_FAILED;
1214 #endif
1215 }
1216 
1217 static int ParseCommandLineAfxdp(SCInstance *suri, const char *in_arg)
1218 {
1219 #ifdef HAVE_AF_XDP
1220  if (suri->run_mode == RUNMODE_UNKNOWN) {
1221  suri->run_mode = RUNMODE_AFXDP_DEV;
1222  if (in_arg) {
1223  LiveRegisterDeviceName(in_arg);
1224  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1225  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1226  }
1227  } else if (suri->run_mode == RUNMODE_AFXDP_DEV) {
1228  if (in_arg) {
1229  LiveRegisterDeviceName(in_arg);
1230  } else {
1231  SCLogInfo("Multiple af-xdp options without interface on each is useless");
1232  }
1233  } else {
1234  SCLogError("more than one run mode "
1235  "has been specified");
1236  PrintUsage(suri->progname);
1237  return TM_ECODE_FAILED;
1238  }
1239  return TM_ECODE_OK;
1240 #else
1241  SCLogError("AF_XDP not enabled. On Linux "
1242  "host, make sure correct libraries are installed,"
1243  " see documentation for information.");
1244  return TM_ECODE_FAILED;
1245 #endif
1246 }
1247 
1248 static int ParseCommandLineDpdk(SCInstance *suri, const char *in_arg)
1249 {
1250 #ifdef HAVE_DPDK
1251  if (suri->run_mode == RUNMODE_UNKNOWN) {
1252  suri->run_mode = RUNMODE_DPDK;
1253  } else if (suri->run_mode == RUNMODE_DPDK) {
1254  SCLogInfo("Multiple dpdk options have no effect on Suricata");
1255  } else {
1256  SCLogError("more than one run mode "
1257  "has been specified");
1258  PrintUsage(suri->progname);
1259  return TM_ECODE_FAILED;
1260  }
1261  return TM_ECODE_OK;
1262 #else
1263  SCLogError("DPDK not enabled. On Linux "
1264  "host, make sure to pass --enable-dpdk to "
1265  "configure when building.");
1266  return TM_ECODE_FAILED;
1267 #endif
1268 }
1269 
1270 static int ParseCommandLinePcapLive(SCInstance *suri, const char *in_arg)
1271 {
1272 #if defined(OS_WIN32) && !defined(HAVE_LIBWPCAP)
1273  /* If running on Windows without Npcap, bail early as live capture is not supported. */
1274  FatalError("Live capture not available. To support live capture compile against Npcap.");
1275 #endif
1276  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1277 
1278  if (in_arg != NULL) {
1279  /* some windows shells require escaping of the \ in \Device. Otherwise
1280  * the backslashes are stripped. We put them back here. */
1281  if (strlen(in_arg) > 9 && strncmp(in_arg, "DeviceNPF", 9) == 0) {
1282  snprintf(suri->pcap_dev, sizeof(suri->pcap_dev), "\\Device\\NPF%s", in_arg+9);
1283  } else {
1284  strlcpy(suri->pcap_dev, in_arg, sizeof(suri->pcap_dev));
1285  PcapTranslateIPToDevice(suri->pcap_dev, sizeof(suri->pcap_dev));
1286  }
1287 
1288  if (strcmp(suri->pcap_dev, in_arg) != 0) {
1289  SCLogInfo("translated %s to pcap device %s", in_arg, suri->pcap_dev);
1290  } else if (strlen(suri->pcap_dev) > 0 && isdigit((unsigned char)suri->pcap_dev[0])) {
1291  SCLogError("failed to find a pcap device for IP %s", in_arg);
1292  return TM_ECODE_FAILED;
1293  }
1294  }
1295 
1296  if (suri->run_mode == RUNMODE_UNKNOWN) {
1297  suri->run_mode = RUNMODE_PCAP_DEV;
1298  if (in_arg) {
1299  LiveRegisterDeviceName(suri->pcap_dev);
1300  }
1301  } else if (suri->run_mode == RUNMODE_PCAP_DEV) {
1302  LiveRegisterDeviceName(suri->pcap_dev);
1303  } else {
1304  SCLogError("more than one run mode "
1305  "has been specified");
1306  PrintUsage(suri->progname);
1307  return TM_ECODE_FAILED;
1308  }
1309  return TM_ECODE_OK;
1310 }
1311 
1312 /**
1313  * Helper function to check if log directory is writable
1314  */
1315 static bool IsLogDirectoryWritable(const char* str)
1316 {
1317  if (access(str, W_OK) == 0)
1318  return true;
1319  return false;
1320 }
1321 
1322 extern int g_skip_prefilter;
1323 
1324 TmEcode SCParseCommandLine(int argc, char **argv)
1325 {
1326  SCInstance *suri = &suricata;
1327  int opt;
1328 
1329  int dump_config = 0;
1330  int dump_features = 0;
1331  int list_app_layer_protocols = 0;
1332  int list_unittests = 0;
1333  int list_runmodes = 0;
1334  int list_keywords = 0;
1335  int build_info = 0;
1336  int conf_test = 0;
1337  int engine_analysis = 0;
1338  int ret = TM_ECODE_OK;
1339 
1340 #ifdef UNITTESTS
1341  coverage_unittests = 0;
1342  g_ut_modules = 0;
1343  g_ut_covered = 0;
1344 #endif
1345 
1346  // clang-format off
1347  struct option long_opts[] = {
1348  {"dump-config", 0, &dump_config, 1},
1349  {"dump-features", 0, &dump_features, 1},
1350  {"pfring", optional_argument, 0, 0},
1351  {"pfring-int", required_argument, 0, 0},
1352  {"pfring-cluster-id", required_argument, 0, 0},
1353  {"pfring-cluster-type", required_argument, 0, 0},
1354 #ifdef HAVE_DPDK
1355  {"dpdk", 0, 0, 0},
1356 #endif
1357  {"af-packet", optional_argument, 0, 0},
1358  {"af-xdp", optional_argument, 0, 0},
1359  {"netmap", optional_argument, 0, 0},
1360  {"pcap", optional_argument, 0, 0},
1361  {"pcap-file-continuous", 0, 0, 0},
1362  {"pcap-file-delete", 0, 0, 0},
1363  {"pcap-file-recursive", 0, 0, 0},
1364  {"simulate-ips", 0, 0 , 0},
1365  {"no-random", 0, &g_disable_randomness, 1},
1366  {"strict-rule-keywords", optional_argument, 0, 0},
1367 
1368  {"capture-plugin", required_argument, 0, 0},
1369  {"capture-plugin-args", required_argument, 0, 0},
1370 
1371 #ifdef BUILD_UNIX_SOCKET
1372  {"unix-socket", optional_argument, 0, 0},
1373 #endif
1374  {"pcap-buffer-size", required_argument, 0, 0},
1375  {"unittest-filter", required_argument, 0, 'U'},
1376  {"list-app-layer-protos", 0, &list_app_layer_protocols, 1},
1377  {"list-unittests", 0, &list_unittests, 1},
1378  {"list-runmodes", 0, &list_runmodes, 1},
1379  {"list-keywords", optional_argument, &list_keywords, 1},
1380  {"runmode", required_argument, NULL, 0},
1381  {"engine-analysis", 0, &engine_analysis, 1},
1382 #ifdef OS_WIN32
1383  {"service-install", 0, 0, 0},
1384  {"service-remove", 0, 0, 0},
1385  {"service-change-params", 0, 0, 0},
1386 #endif /* OS_WIN32 */
1387  {"pidfile", required_argument, 0, 0},
1388  {"init-errors-fatal", 0, 0, 0},
1389  {"disable-detection", 0, 0, 0},
1390  {"disable-hashing", 0, 0, 0},
1391  {"fatal-unittests", 0, 0, 0},
1392  {"unittests-coverage", 0, &coverage_unittests, 1},
1393  {"user", required_argument, 0, 0},
1394  {"group", required_argument, 0, 0},
1395  {"erf-in", required_argument, 0, 0},
1396  {"dag", required_argument, 0, 0},
1397  {"napatech", 0, 0, 0},
1398  {"build-info", 0, &build_info, 1},
1399  {"data-dir", required_argument, 0, 0},
1400 #ifdef WINDIVERT
1401  {"windivert", required_argument, 0, 0},
1402  {"windivert-forward", required_argument, 0, 0},
1403 #endif
1404 #ifdef HAVE_LIBNET11
1405  {"reject-dev", required_argument, 0, 0},
1406 #endif
1407  {"set", required_argument, 0, 0},
1408 #ifdef HAVE_NFLOG
1409  {"nflog", optional_argument, 0, 0},
1410 #endif
1411  {"simulate-packet-flow-memcap", required_argument, 0, 0},
1412  {"simulate-applayer-error-at-offset-ts", required_argument, 0, 0},
1413  {"simulate-applayer-error-at-offset-tc", required_argument, 0, 0},
1414  {"simulate-packet-loss", required_argument, 0, 0},
1415  {"simulate-packet-tcp-reassembly-memcap", required_argument, 0, 0},
1416  {"simulate-packet-tcp-ssn-memcap", required_argument, 0, 0},
1417  {"simulate-packet-defrag-memcap", required_argument, 0, 0},
1418  {"simulate-alert-queue-realloc-failure", 0, 0, 0},
1419 
1420  {"qa-skip-prefilter", 0, &g_skip_prefilter, 1 },
1421 
1422  {"include", required_argument, 0, 0},
1423 
1424  {NULL, 0, NULL, 0}
1425  };
1426  // clang-format on
1427 
1428  /* getopt_long stores the option index here. */
1429  int option_index = 0;
1430 
1431  char short_opts[] = "c:TDhi:l:q:d:r:us:S:U:VF:vk:";
1432 
1433  while ((opt = getopt_long(argc, argv, short_opts, long_opts, &option_index)) != -1) {
1434  switch (opt) {
1435  case 0:
1436  if (strcmp((long_opts[option_index]).name , "pfring") == 0 ||
1437  strcmp((long_opts[option_index]).name , "pfring-int") == 0) {
1438 #ifdef HAVE_PFRING
1439  suri->run_mode = RUNMODE_PFRING;
1440  if (optarg != NULL) {
1441  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1442  strlcpy(suri->pcap_dev, optarg,
1443  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1444  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1445  LiveRegisterDeviceName(optarg);
1446  }
1447 #else
1448  SCLogError("PF_RING not enabled. Make sure "
1449  "to pass --enable-pfring to configure when building.");
1450  return TM_ECODE_FAILED;
1451 #endif /* HAVE_PFRING */
1452  }
1453  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-id") == 0){
1454 #ifdef HAVE_PFRING
1455  if (ConfSetFinal("pfring.cluster-id", optarg) != 1) {
1456  SCLogError("failed to set pfring.cluster-id");
1457  return TM_ECODE_FAILED;
1458  }
1459 #else
1460  SCLogError("PF_RING not enabled. Make sure "
1461  "to pass --enable-pfring to configure when building.");
1462  return TM_ECODE_FAILED;
1463 #endif /* HAVE_PFRING */
1464  }
1465  else if(strcmp((long_opts[option_index]).name , "pfring-cluster-type") == 0){
1466 #ifdef HAVE_PFRING
1467  if (ConfSetFinal("pfring.cluster-type", optarg) != 1) {
1468  SCLogError("failed to set pfring.cluster-type");
1469  return TM_ECODE_FAILED;
1470  }
1471 #else
1472  SCLogError("PF_RING not enabled. Make sure "
1473  "to pass --enable-pfring to configure when building.");
1474  return TM_ECODE_FAILED;
1475 #endif /* HAVE_PFRING */
1476  }
1477  else if (strcmp((long_opts[option_index]).name , "capture-plugin") == 0){
1478  suri->run_mode = RUNMODE_PLUGIN;
1479  suri->capture_plugin_name = optarg;
1480  }
1481  else if (strcmp((long_opts[option_index]).name , "capture-plugin-args") == 0){
1482  suri->capture_plugin_args = optarg;
1483  } else if (strcmp((long_opts[option_index]).name, "dpdk") == 0) {
1484  if (ParseCommandLineDpdk(suri, optarg) != TM_ECODE_OK) {
1485  return TM_ECODE_FAILED;
1486  }
1487  } else if (strcmp((long_opts[option_index]).name, "af-packet") == 0) {
1488  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1489  return TM_ECODE_FAILED;
1490  }
1491  } else if (strcmp((long_opts[option_index]).name, "af-xdp") == 0) {
1492  if (ParseCommandLineAfxdp(suri, optarg) != TM_ECODE_OK) {
1493  return TM_ECODE_FAILED;
1494  }
1495  } else if (strcmp((long_opts[option_index]).name, "netmap") == 0) {
1496 #ifdef HAVE_NETMAP
1497  if (suri->run_mode == RUNMODE_UNKNOWN) {
1498  suri->run_mode = RUNMODE_NETMAP;
1499  if (optarg) {
1500  LiveRegisterDeviceName(optarg);
1501  memset(suri->pcap_dev, 0, sizeof(suri->pcap_dev));
1502  strlcpy(suri->pcap_dev, optarg,
1503  ((strlen(optarg) < sizeof(suri->pcap_dev)) ?
1504  (strlen(optarg) + 1) : sizeof(suri->pcap_dev)));
1505  }
1506  } else if (suri->run_mode == RUNMODE_NETMAP) {
1507  if (optarg) {
1508  LiveRegisterDeviceName(optarg);
1509  } else {
1510  SCLogInfo("Multiple netmap option without interface on each is useless");
1511  break;
1512  }
1513  } else {
1514  SCLogError("more than one run mode "
1515  "has been specified");
1516  PrintUsage(argv[0]);
1517  return TM_ECODE_FAILED;
1518  }
1519 #else
1520  SCLogError("NETMAP not enabled.");
1521  return TM_ECODE_FAILED;
1522 #endif
1523  } else if (strcmp((long_opts[option_index]).name, "nflog") == 0) {
1524 #ifdef HAVE_NFLOG
1525  if (suri->run_mode == RUNMODE_UNKNOWN) {
1526  suri->run_mode = RUNMODE_NFLOG;
1527  LiveBuildDeviceListCustom("nflog", "group");
1528  }
1529 #else
1530  SCLogError("NFLOG not enabled.");
1531  return TM_ECODE_FAILED;
1532 #endif /* HAVE_NFLOG */
1533  } else if (strcmp((long_opts[option_index]).name, "pcap") == 0) {
1534  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1535  return TM_ECODE_FAILED;
1536  }
1537  } else if (strcmp((long_opts[option_index]).name, "simulate-ips") == 0) {
1538  SCLogInfo("Setting IPS mode");
1539  EngineModeSetIPS();
1540  } else if (strcmp((long_opts[option_index]).name, "init-errors-fatal") == 0) {
1541  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1542  SCLogError("failed to set engine init-failure-fatal");
1543  return TM_ECODE_FAILED;
1544  }
1545 #ifdef BUILD_UNIX_SOCKET
1546  } else if (strcmp((long_opts[option_index]).name , "unix-socket") == 0) {
1547  if (suri->run_mode == RUNMODE_UNKNOWN) {
1548  suri->run_mode = RUNMODE_UNIX_SOCKET;
1549  if (optarg) {
1550  if (ConfSetFinal("unix-command.filename", optarg) != 1) {
1551  SCLogError("failed to set unix-command.filename");
1552  return TM_ECODE_FAILED;
1553  }
1554 
1555  }
1556  } else {
1557  SCLogError("more than one run mode "
1558  "has been specified");
1559  PrintUsage(argv[0]);
1560  return TM_ECODE_FAILED;
1561  }
1562 #endif
1563  }
1564  else if(strcmp((long_opts[option_index]).name, "list-app-layer-protocols") == 0) {
1565  /* listing all supported app layer protocols */
1566  }
1567  else if(strcmp((long_opts[option_index]).name, "list-unittests") == 0) {
1568 #ifdef UNITTESTS
1569  suri->run_mode = RUNMODE_LIST_UNITTEST;
1570 #else
1571  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1572  "configure when building");
1573  return TM_ECODE_FAILED;
1574 #endif /* UNITTESTS */
1575  } else if (strcmp((long_opts[option_index]).name, "list-runmodes") == 0) {
1576  suri->run_mode = RUNMODE_LIST_RUNMODES;
1577  return TM_ECODE_OK;
1578  } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
1579  if (optarg) {
1580  if (strcmp("short",optarg)) {
1581  suri->keyword_info = optarg;
1582  }
1583  }
1584  } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
1585  suri->runmode_custom_mode = optarg;
1586  } else if(strcmp((long_opts[option_index]).name, "engine-analysis") == 0) {
1587  // do nothing for now
1588  }
1589 #ifdef OS_WIN32
1590  else if(strcmp((long_opts[option_index]).name, "service-install") == 0) {
1591  suri->run_mode = RUNMODE_INSTALL_SERVICE;
1592  return TM_ECODE_OK;
1593  }
1594  else if(strcmp((long_opts[option_index]).name, "service-remove") == 0) {
1595  suri->run_mode = RUNMODE_REMOVE_SERVICE;
1596  return TM_ECODE_OK;
1597  }
1598  else if(strcmp((long_opts[option_index]).name, "service-change-params") == 0) {
1599  suri->run_mode = RUNMODE_CHANGE_SERVICE_PARAMS;
1600  return TM_ECODE_OK;
1601  }
1602 #endif /* OS_WIN32 */
1603  else if(strcmp((long_opts[option_index]).name, "pidfile") == 0) {
1604  suri->pid_filename = SCStrdup(optarg);
1605  if (suri->pid_filename == NULL) {
1606  SCLogError("strdup failed: %s", strerror(errno));
1607  return TM_ECODE_FAILED;
1608  }
1609  }
1610  else if(strcmp((long_opts[option_index]).name, "disable-detection") == 0) {
1611  g_detect_disabled = suri->disabled_detect = 1;
1612  } else if (strcmp((long_opts[option_index]).name, "disable-hashing") == 0) {
1613  g_disable_hashing = true;
1614  } else if (strcmp((long_opts[option_index]).name, "fatal-unittests") == 0) {
1615 #ifdef UNITTESTS
1616  unittests_fatal = 1;
1617 #else
1618  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to "
1619  "configure when building");
1620  return TM_ECODE_FAILED;
1621 #endif /* UNITTESTS */
1622  } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
1623 #ifndef HAVE_LIBCAP_NG
1624  SCLogError("libcap-ng is required to"
1625  " drop privileges, but it was not compiled into Suricata.");
1626  return TM_ECODE_FAILED;
1627 #else
1628  suri->user_name = optarg;
1629  suri->do_setuid = true;
1630 #endif /* HAVE_LIBCAP_NG */
1631  } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
1632 #ifndef HAVE_LIBCAP_NG
1633  SCLogError("libcap-ng is required to"
1634  " drop privileges, but it was not compiled into Suricata.");
1635  return TM_ECODE_FAILED;
1636 #else
1637  suri->group_name = optarg;
1638  suri->do_setgid = true;
1639 #endif /* HAVE_LIBCAP_NG */
1640  } else if (strcmp((long_opts[option_index]).name, "erf-in") == 0) {
1641  suri->run_mode = RUNMODE_ERF_FILE;
1642  if (ConfSetFinal("erf-file.file", optarg) != 1) {
1643  SCLogError("failed to set erf-file.file");
1644  return TM_ECODE_FAILED;
1645  }
1646  } else if (strcmp((long_opts[option_index]).name, "dag") == 0) {
1647 #ifdef HAVE_DAG
1648  if (suri->run_mode == RUNMODE_UNKNOWN) {
1649  suri->run_mode = RUNMODE_DAG;
1650  }
1651  else if (suri->run_mode != RUNMODE_DAG) {
1652  SCLogError("more than one run mode has been specified");
1653  PrintUsage(argv[0]);
1654  return TM_ECODE_FAILED;
1655  }
1656  LiveRegisterDeviceName(optarg);
1657 #else
1658  SCLogError("libdag and a DAG card are required"
1659  " to receive packets using --dag.");
1660  return TM_ECODE_FAILED;
1661 #endif /* HAVE_DAG */
1662  } else if (strcmp((long_opts[option_index]).name, "napatech") == 0) {
1663 #ifdef HAVE_NAPATECH
1664  suri->run_mode = RUNMODE_NAPATECH;
1665 #else
1666  SCLogError("libntapi and a Napatech adapter are required"
1667  " to capture packets using --napatech.");
1668  return TM_ECODE_FAILED;
1669 #endif /* HAVE_NAPATECH */
1670  } else if (strcmp((long_opts[option_index]).name, "pcap-buffer-size") == 0) {
1671 #ifdef HAVE_PCAP_SET_BUFF
1672  if (ConfSetFinal("pcap.buffer-size", optarg) != 1) {
1673  SCLogError("failed to set pcap-buffer-size");
1674  return TM_ECODE_FAILED;
1675  }
1676 #else
1677  SCLogError("The version of libpcap you have"
1678  " doesn't support setting buffer size.");
1679 #endif /* HAVE_PCAP_SET_BUFF */
1680  } else if (strcmp((long_opts[option_index]).name, "build-info") == 0) {
1681  suri->run_mode = RUNMODE_PRINT_BUILDINFO;
1682  return TM_ECODE_OK;
1683  } else if (strcmp((long_opts[option_index]).name, "windivert-forward") == 0) {
1684 #ifdef WINDIVERT
1685  if (suri->run_mode == RUNMODE_UNKNOWN) {
1686  suri->run_mode = RUNMODE_WINDIVERT;
1687  if (WinDivertRegisterQueue(true, optarg) == -1) {
1688  exit(EXIT_FAILURE);
1689  }
1690  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1691  if (WinDivertRegisterQueue(true, optarg) == -1) {
1692  exit(EXIT_FAILURE);
1693  }
1694  } else {
1695  SCLogError("more than one run mode "
1696  "has been specified");
1697  PrintUsage(argv[0]);
1698  exit(EXIT_FAILURE);
1699  }
1700  }
1701  else if(strcmp((long_opts[option_index]).name, "windivert") == 0) {
1702  if (suri->run_mode == RUNMODE_UNKNOWN) {
1703  suri->run_mode = RUNMODE_WINDIVERT;
1704  if (WinDivertRegisterQueue(false, optarg) == -1) {
1705  exit(EXIT_FAILURE);
1706  }
1707  } else if (suri->run_mode == RUNMODE_WINDIVERT) {
1708  if (WinDivertRegisterQueue(false, optarg) == -1) {
1709  exit(EXIT_FAILURE);
1710  }
1711  } else {
1712  SCLogError("more than one run mode "
1713  "has been specified");
1714  PrintUsage(argv[0]);
1715  exit(EXIT_FAILURE);
1716  }
1717 #else
1718  SCLogError("WinDivert not enabled. Make sure to pass --enable-windivert to "
1719  "configure when building.");
1720  return TM_ECODE_FAILED;
1721 #endif /* WINDIVERT */
1722  } else if(strcmp((long_opts[option_index]).name, "reject-dev") == 0) {
1723 #ifdef HAVE_LIBNET11
1724  BUG_ON(optarg == NULL); /* for static analysis */
1725  extern char *g_reject_dev;
1726  extern uint16_t g_reject_dev_mtu;
1727  g_reject_dev = optarg;
1728  int mtu = GetIfaceMTU(g_reject_dev);
1729  if (mtu > 0) {
1730  g_reject_dev_mtu = (uint16_t)mtu;
1731  }
1732 #else
1733  SCLogError("Libnet 1.1 support not enabled. Compile Suricata with libnet support.");
1734  return TM_ECODE_FAILED;
1735 #endif
1736  }
1737  else if (strcmp((long_opts[option_index]).name, "set") == 0) {
1738  if (optarg != NULL) {
1739  /* Quick validation. */
1740  char *val = strchr(optarg, '=');
1741  if (val == NULL) {
1742  FatalError("Invalid argument for --set, must be key=val.");
1743  }
1744  if (!ConfSetFromString(optarg, 1)) {
1745  FatalError("failed to set configuration value %s", optarg);
1746  }
1747  }
1748  }
1749  else if (strcmp((long_opts[option_index]).name, "pcap-file-continuous") == 0) {
1750  if (ConfSetFinal("pcap-file.continuous", "true") != 1) {
1751  SCLogError("Failed to set pcap-file.continuous");
1752  return TM_ECODE_FAILED;
1753  }
1754  }
1755  else if (strcmp((long_opts[option_index]).name, "pcap-file-delete") == 0) {
1756  if (ConfSetFinal("pcap-file.delete-when-done", "true") != 1) {
1757  SCLogError("Failed to set pcap-file.delete-when-done");
1758  return TM_ECODE_FAILED;
1759  }
1760  }
1761  else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
1762  if (ConfSetFinal("pcap-file.recursive", "true") != 1) {
1763  SCLogError("failed to set pcap-file.recursive");
1764  return TM_ECODE_FAILED;
1765  }
1766  }
1767  else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
1768  if (optarg == NULL) {
1769  SCLogError("no option argument (optarg) for -d");
1770  return TM_ECODE_FAILED;
1771  }
1772 
1773  if (ConfigSetDataDirectory(optarg) != TM_ECODE_OK) {
1774  SCLogError("Failed to set data directory.");
1775  return TM_ECODE_FAILED;
1776  }
1777  if (ConfigCheckDataDirectory(optarg) != TM_ECODE_OK) {
1778  SCLogError("The data directory \"%s\""
1779  " supplied at the command-line (-d %s) doesn't "
1780  "exist. Shutting down the engine.",
1781  optarg, optarg);
1782  return TM_ECODE_FAILED;
1783  }
1784  suri->set_datadir = true;
1785  } else if (strcmp((long_opts[option_index]).name , "strict-rule-keywords") == 0){
1786  if (optarg == NULL) {
1787  suri->strict_rule_parsing_string = SCStrdup("all");
1788  } else {
1789  suri->strict_rule_parsing_string = SCStrdup(optarg);
1790  }
1791  if (suri->strict_rule_parsing_string == NULL) {
1792  FatalError("failed to duplicate 'strict' string");
1793  }
1794  } else if (strcmp((long_opts[option_index]).name, "include") == 0) {
1795  if (suri->additional_configs == NULL) {
1796  suri->additional_configs = SCCalloc(2, sizeof(char *));
1797  if (suri->additional_configs == NULL) {
1798  FatalError(
1799  "Failed to allocate memory for additional configuration files: %s",
1800  strerror(errno));
1801  }
1802  suri->additional_configs[0] = optarg;
1803  } else {
1804  for (int i = 0;; i++) {
1805  if (suri->additional_configs[i] == NULL) {
1806  const char **additional_configs =
1807  SCRealloc(suri->additional_configs, (i + 2) * sizeof(char *));
1808  if (additional_configs == NULL) {
1809  FatalError("Failed to allocate memory for additional configuration "
1810  "files: %s",
1811  strerror(errno));
1812  } else {
1813  suri->additional_configs = additional_configs;
1814  }
1815  suri->additional_configs[i] = optarg;
1816  suri->additional_configs[i + 1] = NULL;
1817  break;
1818  }
1819  }
1820  }
1821  } else {
1822  int r = ExceptionSimulationCommandLineParser(
1823  (long_opts[option_index]).name, optarg);
1824  if (r < 0)
1825  return TM_ECODE_FAILED;
1826  }
1827  break;
1828  case 'c':
1829  suri->conf_filename = optarg;
1830  break;
1831  case 'T':
1832  conf_test = 1;
1833  if (ConfSetFinal("engine.init-failure-fatal", "1") != 1) {
1834  SCLogError("failed to set engine init-failure-fatal");
1835  return TM_ECODE_FAILED;
1836  }
1837  break;
1838 #ifndef OS_WIN32
1839  case 'D':
1840  suri->daemon = 1;
1841  break;
1842 #endif /* OS_WIN32 */
1843  case 'h':
1844  suri->run_mode = RUNMODE_PRINT_USAGE;
1845  return TM_ECODE_OK;
1846  case 'i':
1847  if (optarg == NULL) {
1848  SCLogError("no option argument (optarg) for -i");
1849  return TM_ECODE_FAILED;
1850  }
1851 #ifdef HAVE_AF_PACKET
1852  if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
1853  return TM_ECODE_FAILED;
1854  }
1855 #else /* not afpacket */
1856  /* warn user if netmap or pf-ring are available */
1857 #if defined HAVE_PFRING || HAVE_NETMAP
1858  int i = 0;
1859 #ifdef HAVE_PFRING
1860  i++;
1861 #endif
1862 #ifdef HAVE_NETMAP
1863  i++;
1864 #endif
1865  SCLogWarning("faster capture "
1866  "option%s %s available:"
1867 #ifdef HAVE_PFRING
1868  " PF_RING (--pfring-int=%s)"
1869 #endif
1870 #ifdef HAVE_NETMAP
1871  " NETMAP (--netmap=%s)"
1872 #endif
1873  ". Use --pcap=%s to suppress this warning",
1874  i == 1 ? "" : "s", i == 1 ? "is" : "are"
1875 #ifdef HAVE_PFRING
1876  ,
1877  optarg
1878 #endif
1879 #ifdef HAVE_NETMAP
1880  ,
1881  optarg
1882 #endif
1883  ,
1884  optarg);
1885 #endif /* have faster methods */
1886  if (ParseCommandLinePcapLive(suri, optarg) != TM_ECODE_OK) {
1887  return TM_ECODE_FAILED;
1888  }
1889 #endif
1890  break;
1891  case 'l':
1892  if (optarg == NULL) {
1893  SCLogError("no option argument (optarg) for -l");
1894  return TM_ECODE_FAILED;
1895  }
1896 
1897  if (ConfigSetLogDirectory(optarg) != TM_ECODE_OK) {
1898  SCLogError("Failed to set log directory.");
1899  return TM_ECODE_FAILED;
1900  }
1901  if (ConfigCheckLogDirectoryExists(optarg) != TM_ECODE_OK) {
1902  SCLogError("The logging directory \"%s\""
1903  " supplied at the command-line (-l %s) doesn't "
1904  "exist. Shutting down the engine.",
1905  optarg, optarg);
1906  return TM_ECODE_FAILED;
1907  }
1908  if (!IsLogDirectoryWritable(optarg)) {
1909  SCLogError("The logging directory \"%s\""
1910  " supplied at the command-line (-l %s) is not "
1911  "writable. Shutting down the engine.",
1912  optarg, optarg);
1913  return TM_ECODE_FAILED;
1914  }
1915  suri->set_logdir = true;
1916 
1917  break;
1918  case 'q':
1919 #ifdef NFQ
1920  if (suri->run_mode == RUNMODE_UNKNOWN) {
1921  suri->run_mode = RUNMODE_NFQ;
1922  EngineModeSetIPS();
1923  if (NFQParseAndRegisterQueues(optarg) == -1)
1924  return TM_ECODE_FAILED;
1925  } else if (suri->run_mode == RUNMODE_NFQ) {
1926  if (NFQParseAndRegisterQueues(optarg) == -1)
1927  return TM_ECODE_FAILED;
1928  } else {
1929  SCLogError("more than one run mode "
1930  "has been specified");
1931  PrintUsage(argv[0]);
1932  return TM_ECODE_FAILED;
1933  }
1934 #else
1935  SCLogError("NFQUEUE not enabled. Make sure to pass --enable-nfqueue to configure when "
1936  "building.");
1937  return TM_ECODE_FAILED;
1938 #endif /* NFQ */
1939  break;
1940  case 'd':
1941 #ifdef IPFW
1942  if (suri->run_mode == RUNMODE_UNKNOWN) {
1943  suri->run_mode = RUNMODE_IPFW;
1944  EngineModeSetIPS();
1945  if (IPFWRegisterQueue(optarg) == -1)
1946  return TM_ECODE_FAILED;
1947  } else if (suri->run_mode == RUNMODE_IPFW) {
1948  if (IPFWRegisterQueue(optarg) == -1)
1949  return TM_ECODE_FAILED;
1950  } else {
1951  SCLogError("more than one run mode "
1952  "has been specified");
1953  PrintUsage(argv[0]);
1954  return TM_ECODE_FAILED;
1955  }
1956 #else
1957  SCLogError("IPFW not enabled. Make sure to pass --enable-ipfw to configure when "
1958  "building.");
1959  return TM_ECODE_FAILED;
1960 #endif /* IPFW */
1961  break;
1962  case 'r':
1963  BUG_ON(optarg == NULL); /* for static analysis */
1964  if (suri->run_mode == RUNMODE_UNKNOWN) {
1965  suri->run_mode = RUNMODE_PCAP_FILE;
1966  } else {
1967  SCLogError("more than one run mode "
1968  "has been specified");
1969  PrintUsage(argv[0]);
1970  return TM_ECODE_FAILED;
1971  }
1972  SCStat buf;
1973  if (SCStatFn(optarg, &buf) != 0) {
1974  SCLogError("pcap file '%s': %s", optarg, strerror(errno));
1975  return TM_ECODE_FAILED;
1976  }
1977  if (ConfSetFinal("pcap-file.file", optarg) != 1) {
1978  SCLogError("ERROR: Failed to set pcap-file.file\n");
1979  return TM_ECODE_FAILED;
1980  }
1981 
1982  break;
1983  case 's':
1984  if (suri->sig_file != NULL) {
1985  SCLogError("can't have multiple -s options or mix -s and -S.");
1986  return TM_ECODE_FAILED;
1987  }
1988  suri->sig_file = optarg;
1989  break;
1990  case 'S':
1991  if (suri->sig_file != NULL) {
1992  SCLogError("can't have multiple -S options or mix -s and -S.");
1993  return TM_ECODE_FAILED;
1994  }
1995  suri->sig_file = optarg;
1996  suri->sig_file_exclusive = true;
1997  break;
1998  case 'u':
1999 #ifdef UNITTESTS
2000  if (suri->run_mode == RUNMODE_UNKNOWN) {
2001  suri->run_mode = RUNMODE_UNITTEST;
2002  } else {
2003  SCLogError("more than one run mode has"
2004  " been specified");
2005  PrintUsage(argv[0]);
2006  return TM_ECODE_FAILED;
2007  }
2008 #else
2009  SCLogError("unit tests not enabled. Make sure to pass --enable-unittests to configure "
2010  "when building.");
2011  return TM_ECODE_FAILED;
2012 #endif /* UNITTESTS */
2013  break;
2014  case 'U':
2015 #ifdef UNITTESTS
2016  suri->regex_arg = optarg;
2017 
2018  if(strlen(suri->regex_arg) == 0)
2019  suri->regex_arg = NULL;
2020 #endif
2021  break;
2022  case 'V':
2023  suri->run_mode = RUNMODE_PRINT_VERSION;
2024  return TM_ECODE_OK;
2025  case 'F':
2026  if (optarg == NULL) {
2027  SCLogError("no option argument (optarg) for -F");
2028  return TM_ECODE_FAILED;
2029  }
2030 
2031  SetBpfStringFromFile(optarg);
2032  break;
2033  case 'v':
2034  suri->verbose++;
2035  break;
2036  case 'k':
2037  if (optarg == NULL) {
2038  SCLogError("no option argument (optarg) for -k");
2039  return TM_ECODE_FAILED;
2040  }
2041  if (!strcmp("all", optarg))
2042  suri->checksum_validation = 1;
2043  else if (!strcmp("none", optarg))
2044  suri->checksum_validation = 0;
2045  else {
2046  SCLogError("option '%s' invalid for -k", optarg);
2047  return TM_ECODE_FAILED;
2048  }
2049  break;
2050  default:
2051  PrintUsage(argv[0]);
2052  return TM_ECODE_FAILED;
2053  }
2054  }
2055 
2056  if (suri->disabled_detect && suri->sig_file != NULL) {
2057  SCLogError("can't use -s/-S when detection is disabled");
2058  return TM_ECODE_FAILED;
2059  }
2060 
2061  /* save the runmode from the command-line (if any) */
2062  suri->aux_run_mode = suri->run_mode;
2063 
2064  if (list_app_layer_protocols)
2065  suri->run_mode = RUNMODE_LIST_APP_LAYERS;
2066  if (list_keywords)
2067  suri->run_mode = RUNMODE_LIST_KEYWORDS;
2068  if (list_unittests)
2069  suri->run_mode = RUNMODE_LIST_UNITTEST;
2070  if (dump_config)
2071  suri->run_mode = RUNMODE_DUMP_CONFIG;
2072  if (dump_features)
2073  suri->run_mode = RUNMODE_DUMP_FEATURES;
2074  if (conf_test)
2075  suri->run_mode = RUNMODE_CONF_TEST;
2076  if (engine_analysis)
2077  suri->run_mode = RUNMODE_ENGINE_ANALYSIS;
2078 
2079  suri->offline = IsRunModeOffline(suri->run_mode);
2080  g_system = suri->system = IsRunModeSystem(suri->run_mode);
2081 
2082  ret = SetBpfString(optind, argv);
2083  if (ret != TM_ECODE_OK)
2084  return ret;
2085 
2086  return TM_ECODE_OK;
2087 }
2088 
2089 #ifdef OS_WIN32
2090 int WindowsInitService(int argc, char **argv)
2091 {
2092  if (SCRunningAsService()) {
2093  char path[MAX_PATH];
2094  char *p = NULL;
2095  strlcpy(path, argv[0], MAX_PATH);
2096  if ((p = strrchr(path, '\\'))) {
2097  *p = '\0';
2098  }
2099  if (!SetCurrentDirectory(path)) {
2100  SCLogError("Can't set current directory to: %s", path);
2101  return -1;
2102  }
2103  SCLogInfo("Current directory is set to: %s", path);
2104  SCServiceInit(argc, argv);
2105  }
2106 
2107  /* Windows socket subsystem initialization */
2108  WSADATA wsaData;
2109  if (0 != WSAStartup(MAKEWORD(2, 2), &wsaData)) {
2110  SCLogError("Can't initialize Windows sockets: %d", WSAGetLastError());
2111  return -1;
2112  }
2113 
2114  return 0;
2115 }
2116 #endif /* OS_WIN32 */
2117 
2118 static int MayDaemonize(SCInstance *suri)
2119 {
2120  if (suri->daemon == 1 && suri->pid_filename == NULL) {
2121  const char *pid_filename;
2122 
2123  if (ConfGet("pid-file", &pid_filename) == 1) {
2124  SCLogInfo("Use pid file %s from config file.", pid_filename);
2125  } else {
2126  pid_filename = DEFAULT_PID_FILENAME;
2127  }
2128  /* The pid file name may be in config memory, but is needed later. */
2129  suri->pid_filename = SCStrdup(pid_filename);
2130  if (suri->pid_filename == NULL) {
2131  SCLogError("strdup failed: %s", strerror(errno));
2132  return TM_ECODE_FAILED;
2133  }
2134  }
2135 
2136  if (suri->pid_filename != NULL && SCPidfileTestRunning(suri->pid_filename) != 0) {
2137  SCFree(suri->pid_filename);
2138  suri->pid_filename = NULL;
2139  return TM_ECODE_FAILED;
2140  }
2141 
2142  if (suri->daemon == 1) {
2143  Daemonize();
2144  }
2145 
2146  if (suri->pid_filename != NULL) {
2147  if (SCPidfileCreate(suri->pid_filename) != 0) {
2148  SCFree(suri->pid_filename);
2149  suri->pid_filename = NULL;
2150  SCLogError("Unable to create PID file, concurrent run of"
2151  " Suricata can occur.");
2152  SCLogError("PID file creation WILL be mandatory for daemon mode"
2153  " in future version");
2154  }
2155  }
2156 
2157  return TM_ECODE_OK;
2158 }
2159 
2160 /* Initialize the user and group Suricata is to run as. */
2161 static int InitRunAs(SCInstance *suri)
2162 {
2163 #ifndef OS_WIN32
2164  /* Try to get user/group to run suricata as if
2165  command line as not decide of that */
2166  if (!suri->do_setuid && !suri->do_setgid) {
2167  const char *id;
2168  if (ConfGet("run-as.user", &id) == 1) {
2169  suri->do_setuid = true;
2170  suri->user_name = id;
2171  }
2172  if (ConfGet("run-as.group", &id) == 1) {
2173  suri->do_setgid = true;
2174  suri->group_name = id;
2175  }
2176  }
2177  /* Get the suricata user ID to given user ID */
2178  if (suri->do_setuid) {
2179  SCGetUserID(suri->user_name, suri->group_name, &suri->userid, &suri->groupid);
2180  sc_set_caps = true;
2181  /* Get the suricata group ID to given group ID */
2182  } else if (suri->do_setgid) {
2183  SCGetGroupID(suri->group_name, &suri->groupid);
2184  sc_set_caps = true;
2185  }
2186 #endif
2187  return TM_ECODE_OK;
2188 }
2189 
2190 static int InitSignalHandler(SCInstance *suri)
2191 {
2192  /* registering signals we use */
2193 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
2194  UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint);
2195  UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm);
2196 #if HAVE_LIBUNWIND
2197  int enabled;
2198  if (ConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) {
2199  enabled = 1;
2200  }
2201 
2202  if (enabled) {
2203  SCLogInfo("Preparing unexpected signal handling");
2204  struct sigaction stacktrace_action;
2205  memset(&stacktrace_action, 0, sizeof(stacktrace_action));
2206  stacktrace_action.sa_sigaction = SignalHandlerUnexpected;
2207  stacktrace_action.sa_flags = SA_SIGINFO;
2208  sigaction(SIGSEGV, &stacktrace_action, NULL);
2209  sigaction(SIGABRT, &stacktrace_action, NULL);
2210  }
2211 #endif /* HAVE_LIBUNWIND */
2212 #endif
2213 #ifndef OS_WIN32
2214  UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup);
2215  UtilSignalHandlerSetup(SIGPIPE, SIG_IGN);
2216  UtilSignalHandlerSetup(SIGSYS, SIG_IGN);
2217 #endif /* OS_WIN32 */
2218 
2219  return TM_ECODE_OK;
2220 }
2221 
2222 /* initialization code for both the main modes and for
2223  * unix socket mode.
2224  *
2225  * Will be run once per pcap in unix-socket mode */
2226 void PreRunInit(const int runmode)
2227 {
2228  HttpRangeContainersInit();
2229  if (runmode == RUNMODE_UNIX_SOCKET)
2230  return;
2231 
2232  StatsInit();
2233 #ifdef PROFILE_RULES
2234  SCProfilingRulesGlobalInit();
2235 #endif
2236 #ifdef PROFILING
2237  SCProfilingKeywordsGlobalInit();
2238  SCProfilingPrefilterGlobalInit();
2239  SCProfilingSghsGlobalInit();
2240 #endif /* PROFILING */
2241 #ifdef PROFILE_RULES
2242  SCProfilingInit();
2243 #endif
2244  DefragInit();
2245  FlowInitConfig(FLOW_QUIET);
2246  IPPairInitConfig(FLOW_QUIET);
2247  StreamTcpInitConfig(STREAM_VERBOSE);
2248  AppLayerParserPostStreamSetup();
2249  AppLayerRegisterGlobalCounters();
2250  OutputFilestoreRegisterGlobalCounters();
2251 }
2252 
2253 /* tasks we need to run before packets start flowing,
2254  * but after we dropped privs */
2255 void PreRunPostPrivsDropInit(const int runmode)
2256 {
2257  StatsSetupPostConfigPreOutput();
2258  RunModeInitializeOutputs();
2259  DatasetsInit();
2260 
2261  if (runmode == RUNMODE_UNIX_SOCKET) {
2262  /* As the above did some necessary startup initialization, it
2263  * also setup some outputs where only one is allowed, so
2264  * deinitialize to the state that unix-mode does after every
2265  * pcap. */
2266  PostRunDeinit(RUNMODE_PCAP_FILE, NULL);
2267  return;
2268  }
2269 
2270  StatsSetupPostConfigPostOutput();
2271 }
2272 
2273 /* clean up / shutdown code for both the main modes and for
2274  * unix socket mode.
2275  *
2276  * Will be run once per pcap in unix-socket mode */
2277 void PostRunDeinit(const int runmode, struct timeval *start_time)
2278 {
2279  if (runmode == RUNMODE_UNIX_SOCKET)
2280  return;
2281 
2282  /* needed by FlowForceReassembly */
2283  PacketPoolInit();
2284 
2285  /* handle graceful shutdown of the flow engine, it's helper
2286  * threads and the packet threads */
2287  FlowDisableFlowManagerThread();
2288  TmThreadDisableReceiveThreads();
2289  FlowForceReassembly();
2290  TmThreadDisablePacketThreads();
2291  SCPrintElapsedTime(start_time);
2292  FlowDisableFlowRecyclerThread();
2293 
2294  /* kill the stats threads */
2295  TmThreadKillThreadsFamily(TVT_MGMT);
2296  TmThreadClearThreadsFamily(TVT_MGMT);
2297 
2298  /* kill packet threads -- already in 'disabled' state */
2299  TmThreadKillThreadsFamily(TVT_PPT);
2300  TmThreadClearThreadsFamily(TVT_PPT);
2301 
2302  PacketPoolDestroy();
2303 
2304  /* mgt and ppt threads killed, we can run non thread-safe
2305  * shutdown functions */
2306  StatsReleaseResources();
2307  DecodeUnregisterCounters();
2308  RunModeShutDown();
2309  FlowShutdown();
2310  IPPairShutdown();
2311  HostCleanup();
2312  StreamTcpFreeConfig(STREAM_VERBOSE);
2313  DefragDestroy();
2314  HttpRangeContainersDestroy();
2315 
2316  TmqResetQueues();
2317 #ifdef PROFILING
2318  if (profiling_rules_enabled)
2319  SCProfilingDump();
2320  SCProfilingDestroy();
2321 #endif
2322 }
2323 
2324 int SCStartInternalRunMode(int argc, char **argv)
2325 {
2326  SCInstance *suri = &suricata;
2327  /* Treat internal running mode */
2328  switch (suri->run_mode) {
2329  case RUNMODE_LIST_KEYWORDS:
2330  return ListKeywords(suri->keyword_info);
2331  case RUNMODE_LIST_APP_LAYERS:
2332  if (suri->conf_filename != NULL) {
2333  return ListAppLayerProtocols(suri->conf_filename);
2334  } else {
2335  return ListAppLayerProtocols(DEFAULT_CONF_FILE);
2336  }
2337  case RUNMODE_PRINT_VERSION:
2338  PrintVersion();
2339  return TM_ECODE_DONE;
2340  case RUNMODE_PRINT_BUILDINFO:
2341  PrintBuildInfo();
2342  return TM_ECODE_DONE;
2343  case RUNMODE_PRINT_USAGE:
2344  PrintUsage(argv[0]);
2345  return TM_ECODE_DONE;
2346  case RUNMODE_LIST_RUNMODES:
2347  RunModeListRunmodes();
2348  return TM_ECODE_DONE;
2349  case RUNMODE_LIST_UNITTEST:
2350  RunUnittests(1, suri->regex_arg);
2351  case RUNMODE_UNITTEST:
2352  RunUnittests(0, suri->regex_arg);
2353 #ifdef OS_WIN32
2354  case RUNMODE_INSTALL_SERVICE:
2355  if (SCServiceInstall(argc, argv)) {
2356  return TM_ECODE_FAILED;
2357  }
2358  SCLogInfo("Suricata service has been successfully installed.");
2359  return TM_ECODE_DONE;
2360  case RUNMODE_REMOVE_SERVICE:
2361  if (SCServiceRemove()) {
2362  return TM_ECODE_FAILED;
2363  }
2364  SCLogInfo("Suricata service has been successfully removed.");
2365  return TM_ECODE_DONE;
2366  case RUNMODE_CHANGE_SERVICE_PARAMS:
2367  if (SCServiceChangeParams(argc, argv)) {
2368  return TM_ECODE_FAILED;
2369  }
2370  SCLogInfo("Suricata service startup parameters has been successfully changed.");
2371  return TM_ECODE_DONE;
2372 #endif /* OS_WIN32 */
2373  default:
2374  /* simply continue for other running mode */
2375  break;
2376  }
2377  return TM_ECODE_OK;
2378 }
2379 
2380 int SCFinalizeRunMode(void)
2381 {
2382  SCInstance *suri = &suricata;
2383  switch (suri->run_mode) {
2384  case RUNMODE_UNKNOWN:
2385  PrintUsage(suri->progname);
2386  return TM_ECODE_FAILED;
2387  default:
2388  break;
2389  }
2390 
2391  if (!CheckValidDaemonModes(suri->daemon, suri->run_mode)) {
2392  return TM_ECODE_FAILED;
2393  }
2394 
2395  return TM_ECODE_OK;
2396 }
2397 
2398 static void SetupDelayedDetect(SCInstance *suri)
2399 {
2400  /* In offline mode delayed init of detect is a bad idea */
2401  if (suri->offline) {
2402  suri->delayed_detect = 0;
2403  } else {
2404  if (ConfGetBool("detect.delayed-detect", &suri->delayed_detect) != 1) {
2405  ConfNode *denode = NULL;
2406  ConfNode *decnf = ConfGetNode("detect-engine");
2407  if (decnf != NULL) {
2408  TAILQ_FOREACH(denode, &decnf->head, next) {
2409  if (strcmp(denode->val, "delayed-detect") == 0) {
2410  (void)ConfGetChildValueBool(denode, "delayed-detect", &suri->delayed_detect);
2411  }
2412  }
2413  }
2414  }
2415  }
2416 
2417  SCLogConfig("Delayed detect %s", suri->delayed_detect ? "enabled" : "disabled");
2418  if (suri->delayed_detect) {
2419  SCLogInfo("Packets will start being processed before signatures are active.");
2420  }
2421 
2422 }
2423 
2424 static int LoadSignatures(DetectEngineCtx *de_ctx, SCInstance *suri)
2425 {
2426  if (SigLoadSignatures(de_ctx, suri->sig_file, suri->sig_file_exclusive) < 0) {
2427  SCLogError("Loading signatures failed.");
2428  if (de_ctx->failure_fatal)
2429  return TM_ECODE_FAILED;
2430  }
2431 
2432  return TM_ECODE_OK;
2433 }
2434 
2435 static int ConfigGetCaptureValue(SCInstance *suri)
2436 {
2437  /* Pull the max pending packets from the config, if not found fall
2438  * back on a sane default. */
2439  intmax_t tmp_max_pending_packets;
2440  if (ConfGetInt("max-pending-packets", &tmp_max_pending_packets) != 1)
2441  tmp_max_pending_packets = DEFAULT_MAX_PENDING_PACKETS;
2442  if (tmp_max_pending_packets < 1 || tmp_max_pending_packets >= UINT16_MAX) {
2443  SCLogError("Maximum max-pending-packets setting is 65534 and must be greater than 0. "
2444  "Please check %s for errors",
2445  suri->conf_filename);
2446  return TM_ECODE_FAILED;
2447  } else {
2448  max_pending_packets = (uint16_t)tmp_max_pending_packets;
2449  }
2450 
2451  SCLogDebug("Max pending packets set to %" PRIu16, max_pending_packets);
2452 
2453  /* Pull the default packet size from the config, if not found fall
2454  * back on a sane default. */
2455  const char *temp_default_packet_size;
2456  if ((ConfGet("default-packet-size", &temp_default_packet_size)) != 1) {
2457  int lthread;
2458  int nlive;
2459  int strip_trailing_plus = 0;
2460  switch (suri->run_mode) {
2461 #ifdef WINDIVERT
2462  case RUNMODE_WINDIVERT: {
2463  /* by default, WinDivert collects from all devices */
2464  const int mtu = GetGlobalMTUWin32();
2465 
2466  if (mtu > 0) {
2467  /* SLL_HEADER_LEN is the longest header + 8 for VLAN */
2468  default_packet_size = mtu + SLL_HEADER_LEN + 8;
2469  break;
2470  }
2471  default_packet_size = DEFAULT_PACKET_SIZE;
2472  break;
2473  }
2474 #endif /* WINDIVERT */
2475  case RUNMODE_NETMAP:
2476  /* in netmap igb0+ has a special meaning, however the
2477  * interface really is igb0 */
2478  strip_trailing_plus = 1;
2479  /* fall through */
2480  case RUNMODE_PCAP_DEV:
2481  case RUNMODE_AFP_DEV:
2482  case RUNMODE_AFXDP_DEV:
2483  case RUNMODE_PFRING:
2484  nlive = LiveGetDeviceCount();
2485  for (lthread = 0; lthread < nlive; lthread++) {
2486  const char *live_dev = LiveGetDeviceName(lthread);
2487  char dev[128]; /* need to be able to support GUID names on Windows */
2488  (void)strlcpy(dev, live_dev, sizeof(dev));
2489 
2490  if (strip_trailing_plus) {
2491  size_t len = strlen(dev);
2492  if (len &&
2493  (dev[len-1] == '+' ||
2494  dev[len-1] == '^' ||
2495  dev[len-1] == '*'))
2496  {
2497  dev[len-1] = '\0';
2498  }
2499  }
2500  LiveDevice *ld = LiveGetDevice(dev);
2501  unsigned int iface_max_packet_size = GetIfaceMaxPacketSize(ld);
2502  if (iface_max_packet_size > default_packet_size)
2503  default_packet_size = iface_max_packet_size;
2504  }
2505  if (default_packet_size)
2506  break;
2507  /* fall through */
2508  default:
2509  default_packet_size = DEFAULT_PACKET_SIZE;
2510  }
2511  } else {
2512  if (ParseSizeStringU32(temp_default_packet_size, &default_packet_size) < 0) {
2513  SCLogError("Error parsing max-pending-packets "
2514  "from conf file - %s. Killing engine",
2515  temp_default_packet_size);
2516  return TM_ECODE_FAILED;
2517  }
2518  }
2519 
2520  SCLogDebug("Default packet size set to %"PRIu32, default_packet_size);
2521 
2522  return TM_ECODE_OK;
2523 }
2524 
2525 static void PostRunStartedDetectSetup(const SCInstance *suri)
2526 {
2527 #ifndef OS_WIN32
2528  /* registering signal handlers we use. We setup usr2 here, so that one
2529  * can't call it during the first sig load phase or while threads are still
2530  * starting up. */
2531  if (DetectEngineEnabled() && suri->delayed_detect == 0) {
2532  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2533  UtilSignalUnblock(SIGUSR2);
2534  }
2535 #endif
2536  if (suri->delayed_detect) {
2537  /* force 'reload', this will load the rules and swap engines */
2538  DetectEngineReload(suri);
2539  SCLogNotice("Signature(s) loaded, Detect thread(s) activated.");
2540 #ifndef OS_WIN32
2541  UtilSignalHandlerSetup(SIGUSR2, SignalHandlerSigusr2);
2542  UtilSignalUnblock(SIGUSR2);
2543 #endif
2544  }
2545 }
2546 
2547 void PostConfLoadedDetectSetup(SCInstance *suri)
2548 {
2549  DetectEngineCtx *de_ctx = NULL;
2550  if (!suri->disabled_detect) {
2551  SetupDelayedDetect(suri);
2552  int mt_enabled = 0;
2553  (void)ConfGetBool("multi-detect.enabled", &mt_enabled);
2554  int default_tenant = 0;
2555  if (mt_enabled)
2556  (void)ConfGetBool("multi-detect.default", &default_tenant);
2557  if (DetectEngineMultiTenantSetup(suri->unix_socket_enabled) == -1) {
2558  FatalError("initializing multi-detect "
2559  "detection engine contexts failed.");
2560  }
2561  if (suri->delayed_detect && suri->run_mode != RUNMODE_CONF_TEST) {
2562  de_ctx = DetectEngineCtxInitStubForDD();
2563  } else if (mt_enabled && !default_tenant && suri->run_mode != RUNMODE_CONF_TEST) {
2564  de_ctx = DetectEngineCtxInitStubForMT();
2565  } else {
2566  de_ctx = DetectEngineCtxInit();
2567  }
2568  if (de_ctx == NULL) {
2569  FatalError("initializing detection engine failed.");
2570  }
2571 
2572  if (de_ctx->type == DETECT_ENGINE_TYPE_NORMAL) {
2573  if (LoadSignatures(de_ctx, suri) != TM_ECODE_OK)
2574  exit(EXIT_FAILURE);
2575  }
2576 
2577  gettimeofday(&de_ctx->last_reload, NULL);
2578  DetectEngineAddToMaster(de_ctx);
2579  DetectEngineBumpVersion();
2580  }
2581 }
2582 
2583 static void PostConfLoadedSetupHostMode(void)
2584 {
2585  const char *hostmode = NULL;
2586 
2587  if (ConfGet("host-mode", &hostmode) == 1) {
2588  if (!strcmp(hostmode, "router")) {
2589  host_mode = SURI_HOST_IS_ROUTER;
2590  } else if (!strcmp(hostmode, "sniffer-only")) {
2591  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2592  } else {
2593  if (strcmp(hostmode, "auto") != 0) {
2594  WarnInvalidConfEntry("host-mode", "%s", "auto");
2595  }
2596  if (EngineModeIsIPS()) {
2597  host_mode = SURI_HOST_IS_ROUTER;
2598  } else {
2599  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2600  }
2601  }
2602  } else {
2603  if (EngineModeIsIPS()) {
2604  host_mode = SURI_HOST_IS_ROUTER;
2605  SCLogInfo("No 'host-mode': suricata is in IPS mode, using "
2606  "default setting 'router'");
2607  } else {
2608  host_mode = SURI_HOST_IS_SNIFFER_ONLY;
2609  SCLogInfo("No 'host-mode': suricata is in IDS mode, using "
2610  "default setting 'sniffer-only'");
2611  }
2612  }
2613 }
2614 
2615 static void SetupUserMode(SCInstance *suri)
2616 {
2617  /* apply 'user mode' config updates here */
2618  if (suri->system == false) {
2619  if (suri->set_logdir == false) {
2620  /* override log dir to current work dir" */
2621  if (ConfigSetLogDirectory((char *)".") != TM_ECODE_OK) {
2622  FatalError("could not set USER mode logdir");
2623  }
2624  }
2625  if (suri->set_datadir == false) {
2626  /* override data dir to current work dir" */
2627  if (ConfigSetDataDirectory((char *)".") != TM_ECODE_OK) {
2628  FatalError("could not set USER mode datadir");
2629  }
2630  }
2631  }
2632 }
2633 
2634 /**
2635  * This function is meant to contain code that needs
2636  * to be run once the configuration has been loaded.
2637  */
2638 int PostConfLoadedSetup(SCInstance *suri)
2639 {
2640  /* do this as early as possible #1577 #1955 */
2641 #ifdef HAVE_LUAJIT
2642  if (LuajitSetupStatesPool() != 0) {
2643  SCReturnInt(TM_ECODE_FAILED);
2644  }
2645 #endif
2646 
2647  /* load the pattern matchers */
2648  MpmTableSetup();
2649  SpmTableSetup();
2650 
2651  int disable_offloading;
2652  if (ConfGetBool("capture.disable-offloading", &disable_offloading) == 0)
2653  disable_offloading = 1;
2654  if (disable_offloading) {
2655  LiveSetOffloadDisable();
2656  } else {
2657  LiveSetOffloadWarn();
2658  }
2659 
2660  if (suri->checksum_validation == -1) {
2661  const char *cv = NULL;
2662  if (ConfGet("capture.checksum-validation", &cv) == 1) {
2663  if (strcmp(cv, "none") == 0) {
2664  suri->checksum_validation = 0;
2665  } else if (strcmp(cv, "all") == 0) {
2666  suri->checksum_validation = 1;
2667  }
2668  }
2669  }
2670  switch (suri->checksum_validation) {
2671  case 0:
2672  ConfSet("stream.checksum-validation", "0");
2673  break;
2674  case 1:
2675  ConfSet("stream.checksum-validation", "1");
2676  break;
2677  }
2678 
2679  if (suri->runmode_custom_mode) {
2680  ConfSet("runmode", suri->runmode_custom_mode);
2681  }
2682 
2683  StorageInit();
2684 #ifdef HAVE_PACKET_EBPF
2685  if (suri->run_mode == RUNMODE_AFP_DEV) {
2686  EBPFRegisterExtension();
2687  LiveDevRegisterExtension();
2688  }
2689 #endif
2690  RegisterFlowBypassInfo();
2691 
2692  MacSetRegisterFlowStorage();
2693 
2694 #ifdef HAVE_PLUGINS
2695  SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
2696 #endif
2697 
2698  LiveDeviceFinalize(); // must be after EBPF extension registration
2699 
2700  if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
2701  suricata.capture_plugin_name) < 0) {
2702  FatalError("IPS mode setup failed");
2703  }
2704 
2705  if (EngineModeIsUnknown()) { // if still uninitialized, set the default
2706  SCLogInfo("Setting engine mode to IDS mode by default");
2707  EngineModeSetIDS();
2708  }
2709 
2710  SetMasterExceptionPolicy();
2711 
2712  ConfNode *eps = ConfGetNode("stats.exception-policy");
2713  if (eps != NULL) {
2714  if (ConfNodeChildValueIsTrue(eps, "per-app-proto-errors")) {
2715  g_stats_eps_per_app_proto_errors = true;
2716  }
2717  }
2718 
2719  /* Must occur prior to output mod registration
2720  and app layer setup. */
2721  FeatureTrackingRegister();
2722 
2723  AppLayerSetup();
2724 
2725  /* Suricata will use this umask if provided. By default it will use the
2726  umask passed on from the shell. */
2727  const char *custom_umask;
2728  if (ConfGet("umask", &custom_umask) == 1) {
2729  uint16_t mask;
2730  if (StringParseUint16(&mask, 8, (uint16_t)strlen(custom_umask), custom_umask) > 0) {
2731  umask((mode_t)mask);
2732  }
2733  }
2734 
2735 
2736  if (ConfigGetCaptureValue(suri) != TM_ECODE_OK) {
2737  SCReturnInt(TM_ECODE_FAILED);
2738  }
2739 
2740 #ifdef NFQ
2741  if (suri->run_mode == RUNMODE_NFQ)
2742  NFQInitConfig(false);
2743 #endif
2744 
2745  /* Load the Host-OS lookup. */
2746  SCHInfoLoadFromConfig();
2747 
2748  if (suri->run_mode == RUNMODE_ENGINE_ANALYSIS) {
2749  SCLogInfo("== Carrying out Engine Analysis ==");
2750  const char *temp = NULL;
2751  if (ConfGet("engine-analysis", &temp) == 0) {
2752  SCLogInfo("no engine-analysis parameter(s) defined in conf file. "
2753  "Please define/enable them in the conf to use this "
2754  "feature.");
2755  SCReturnInt(TM_ECODE_FAILED);
2756  }
2757  }
2758 
2759  /* hardcoded initialization code */
2760  SigTableSetup(); /* load the rule keywords */
2761  SigTableApplyStrictCommandLineOption(suri->strict_rule_parsing_string);
2762  TmqhSetup();
2763 
2764  TagInitCtx();
2765  PacketAlertTagInit();
2766  ThresholdInit();
2767  HostBitInitCtx();
2768  IPPairBitInitCtx();
2769 
2770  if (DetectAddressTestConfVars() < 0) {
2771  SCLogError(
2772  "basic address vars test failed. Please check %s for errors", suri->conf_filename);
2773  SCReturnInt(TM_ECODE_FAILED);
2774  }
2775  if (DetectPortTestConfVars() < 0) {
2776  SCLogError("basic port vars test failed. Please check %s for errors", suri->conf_filename);
2777  SCReturnInt(TM_ECODE_FAILED);
2778  }
2779 
2780  RegisterAllModules();
2781  AppLayerHtpNeedFileInspection();
2782 
2783  StorageFinalize();
2784 
2785  TmModuleRunInit();
2786 
2787  if (MayDaemonize(suri) != TM_ECODE_OK)
2788  SCReturnInt(TM_ECODE_FAILED);
2789 
2790  if (InitSignalHandler(suri) != TM_ECODE_OK)
2791  SCReturnInt(TM_ECODE_FAILED);
2792 
2793  /* Check for the existence of the default logging directory which we pick
2794  * from suricata.yaml. If not found, shut the engine down */
2795  suri->log_dir = ConfigGetLogDirectory();
2796 
2797  if (ConfigCheckLogDirectoryExists(suri->log_dir) != TM_ECODE_OK) {
2798  SCLogError("The logging directory \"%s\" "
2799  "supplied by %s (default-log-dir) doesn't exist. "
2800  "Shutting down the engine",
2801  suri->log_dir, suri->conf_filename);
2802  SCReturnInt(TM_ECODE_FAILED);
2803  }
2804  if (!IsLogDirectoryWritable(suri->log_dir)) {
2805  SCLogError("The logging directory \"%s\" "
2806  "supplied by %s (default-log-dir) is not writable. "
2807  "Shutting down the engine",
2808  suri->log_dir, suri->conf_filename);
2809  SCReturnInt(TM_ECODE_FAILED);
2810  }
2811 
2812  if (suri->disabled_detect) {
2813  SCLogConfig("detection engine disabled");
2814  /* disable raw reassembly */
2815  (void)ConfSetFinal("stream.reassembly.raw", "false");
2816  }
2817 
2818  HostInitConfig(HOST_VERBOSE);
2819 
2820  CoredumpLoadConfig();
2821 
2822  DecodeGlobalConfig();
2823 
2824  /* hostmode depends on engine mode being set */
2825  PostConfLoadedSetupHostMode();
2826 
2827  PreRunInit(suri->run_mode);
2828 
2829  SCReturnInt(TM_ECODE_OK);
2830 }
2831 
2832 void SuricataMainLoop(void)
2833 {
2834  SCInstance *suri = &suricata;
2835  while(1) {
2836  if (sigterm_count || sigint_count) {
2837  suricata_ctl_flags |= SURICATA_STOP;
2838  }
2839 
2840  if (suricata_ctl_flags & SURICATA_STOP) {
2841  SCLogNotice("Signal Received. Stopping engine.");
2842  break;
2843  }
2844 
2845  TmThreadCheckThreadState();
2846 
2847  if (sighup_count > 0) {
2848  OutputNotifyFileRotation();
2849  sighup_count--;
2850  }
2851 
2852  if (sigusr2_count > 0) {
2853  if (!(DetectEngineReloadIsStart())) {
2854  DetectEngineReloadStart();
2855  DetectEngineReload(suri);
2856  DetectEngineReloadSetIdle();
2857  sigusr2_count--;
2858  }
2859 
2860  } else if (DetectEngineReloadIsStart()) {
2861  DetectEngineReload(suri);
2862  DetectEngineReloadSetIdle();
2863  }
2864 
2865  usleep(10* 1000);
2866  }
2867 }
2868 
2869 /**
2870  * \brief Global initialization common to all runmodes.
2871  *
2872  * This can be used by fuzz targets.
2873  */
2874 
2875 int InitGlobal(void)
2876 {
2877  rs_init(&suricata_context);
2878 
2879  SC_ATOMIC_INIT(engine_stage);
2880 
2881  /* initialize the logging subsys */
2882  SCLogInitLogModule(NULL);
2883 
2884  SCSetThreadName("Suricata-Main");
2885 
2886  /* Ignore SIGUSR2 as early as possible. We redeclare interest
2887  * once we're done launching threads. The goal is to either die
2888  * completely or handle any and all SIGUSR2s correctly.
2889  */
2890 #ifndef OS_WIN32
2891  UtilSignalHandlerSetup(SIGUSR2, SIG_IGN);
2892  if (UtilSignalBlock(SIGUSR2)) {
2893  SCLogError("SIGUSR2 initialization error");
2894  return EXIT_FAILURE;
2895  }
2896 #endif
2897 
2898  ParseSizeInit();
2899  RunModeRegisterRunModes();
2900 
2901  /* Initialize the configuration module. */
2902  ConfInit();
2903 
2904  VarNameStoreInit();
2905 
2906  // zero all module storage
2907  memset(tmm_modules, 0, TMM_SIZE * sizeof(TmModule));
2908 
2909  return 0;
2910 }
2911 
2912 void SuricataPreInit(const char *progname)
2913 {
2914  SCInstanceInit(&suricata, progname);
2915 
2916  if (InitGlobal() != 0) {
2917  exit(EXIT_FAILURE);
2918  }
2919 }
2920 
2921 void SuricataInit(void)
2922 {
2923  /* Initializations for global vars, queues, etc (memsets, mutex init..) */
2924  GlobalsInitPreConfig();
2925 
2926  if (suricata.run_mode == RUNMODE_DUMP_CONFIG) {
2927  ConfDump();
2928  exit(EXIT_SUCCESS);
2929  }
2930 
2931  int tracking = 1;
2932  if (ConfGetBool("vlan.use-for-tracking", &tracking) == 1 && !tracking) {
2933  /* Ignore vlan_ids when comparing flows. */
2934  g_vlan_mask = 0x0000;
2935  }
2936  SCLogDebug("vlan tracking is %s", tracking == 1 ? "enabled" : "disabled");
2937  if (ConfGetBool("livedev.use-for-tracking", &tracking) == 1 && !tracking) {
2938  /* Ignore livedev id when comparing flows. */
2939  g_livedev_mask = 0x0000;
2940  }
2941  SetupUserMode(&suricata);
2942  InitRunAs(&suricata);
2943 
2944  /* Since our config is now loaded we can finish configurating the
2945  * logging module. */
2946  SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
2947 
2948  LogVersion(&suricata);
2949  UtilCpuPrintSummary();
2950  RunModeInitializeThreadSettings();
2951 
2952  if (suricata.run_mode == RUNMODE_CONF_TEST)
2953  SCLogInfo("Running suricata under test mode");
2954 
2955  if (ParseInterfacesList(suricata.aux_run_mode, suricata.pcap_dev) != TM_ECODE_OK) {
2956  exit(EXIT_FAILURE);
2957  }
2958 
2959  if (PostConfLoadedSetup(&suricata) != TM_ECODE_OK) {
2960  exit(EXIT_FAILURE);
2961  }
2962 
2963  SCDropMainThreadCaps(suricata.userid, suricata.groupid);
2964 
2965  /* Re-enable coredumps after privileges are dropped. */
2966  CoredumpEnable();
2967 
2968  if (suricata.run_mode != RUNMODE_UNIX_SOCKET && !suricata.disabled_detect) {
2969  suricata.unix_socket_enabled = ConfUnixSocketIsEnable();
2970  }
2971 
2972  PreRunPostPrivsDropInit(suricata.run_mode);
2973 
2974  LandlockSandboxing(&suricata);
2975 
2976  PostConfLoadedDetectSetup(&suricata);
2977  if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
2978  goto out;
2979  } else if (suricata.run_mode == RUNMODE_CONF_TEST){
2980  SCLogNotice("Configuration provided was successfully loaded. Exiting.");
2981  goto out;
2982  } else if (suricata.run_mode == RUNMODE_DUMP_FEATURES) {
2983  FeatureDump();
2984  goto out;
2985  }
2986 
2987  if (suricata.run_mode == RUNMODE_DPDK)
2988  prerun_snap = SystemHugepageSnapshotCreate();
2989 
2990  SCSetStartTime(&suricata);
2991  RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode,
2992  suricata.capture_plugin_name, suricata.capture_plugin_args);
2993  if (suricata.run_mode != RUNMODE_UNIX_SOCKET) {
2994  UnixManagerThreadSpawnNonRunmode(suricata.unix_socket_enabled);
2995  }
2996 
2997  return;
2998 
2999 out:
3000  GlobalsDestroy();
3001  exit(EXIT_SUCCESS);
3002 }
3003 
3004 void SuricataShutdown(void)
3005 {
3006  /* Update the engine stage/status flag */
3007  SC_ATOMIC_SET(engine_stage, SURICATA_DEINIT);
3008 
3009  UnixSocketKillSocketThread();
3010  PostRunDeinit(suricata.run_mode, &suricata.start_time);
3011  /* kill remaining threads */
3012  TmThreadKillThreads();
3013 }
3014 
3015 void SuricataPostInit(void)
3016 {
3017  /* Wait till all the threads have been initialized */
3018  if (TmThreadWaitOnThreadInit() == TM_ECODE_FAILED) {
3019  SystemHugepageSnapshotDestroy(prerun_snap);
3020  FatalError("Engine initialization failed, "
3021  "aborting...");
3022  }
3023 
3024  int limit_nproc = 0;
3025  if (ConfGetBool("security.limit-noproc", &limit_nproc) == 0) {
3026  limit_nproc = 0;
3027  }
3028 
3029 #if defined(SC_ADDRESS_SANITIZER)
3030  if (limit_nproc) {
3031  SCLogWarning(
3032  "\"security.limit-noproc\" (setrlimit()) not set when using address sanitizer");
3033  limit_nproc = 0;
3034  }
3035 #endif
3036 
3037  if (limit_nproc) {
3038 #if defined(HAVE_SYS_RESOURCE_H)
3039 #ifdef linux
3040  if (geteuid() == 0) {
3041  SCLogWarning("setrlimit has no effet when running as root.");
3042  }
3043 #endif
3044  struct rlimit r = { 0, 0 };
3045  if (setrlimit(RLIMIT_NPROC, &r) != 0) {
3046  SCLogWarning("setrlimit failed to prevent process creation.");
3047  }
3048 #else
3049  SCLogWarning("setrlimit unavailable.");
3050 #endif
3051  }
3052 
3053  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
3054  PacketPoolPostRunmodes();
3055 
3056  /* Un-pause all the paused threads */
3057  TmThreadContinueThreads();
3058 
3059  /* Must ensure all threads are fully operational before continuing with init process */
3060  if (TmThreadWaitOnThreadRunning() != TM_ECODE_OK) {
3061  SystemHugepageSnapshotDestroy(prerun_snap);
3062  exit(EXIT_FAILURE);
3063  }
3064 
3065  /* Print notice and send OS specific notification of threads in running state */
3066  OnNotifyRunning();
3067 
3068  PostRunStartedDetectSetup(&suricata);
3069  if (suricata.run_mode == RUNMODE_DPDK) { // only DPDK uses hpages at the moment
3070  SystemHugepageSnapshot *postrun_snap = SystemHugepageSnapshotCreate();
3071  SystemHugepageEvaluateHugepages(prerun_snap, postrun_snap);
3072  SystemHugepageSnapshotDestroy(prerun_snap);
3073  SystemHugepageSnapshotDestroy(postrun_snap);
3074  }
3075  SCPledge();
3076 }
RUNMODE_AFXDP_DEV
@ RUNMODE_AFXDP_DEV
Definition: runmodes.h:38
DefragDestroy
void DefragDestroy(void)
Definition: defrag.c:1119
util-byte.h
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:399
TmModuleUnixManagerRegister
void TmModuleUnixManagerRegister(void)
Definition: unix-manager.c:1294
StatsReleaseResources
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition: counters.c:1282
max_pending_packets
uint16_t max_pending_packets
Definition: suricata.c:183
SURI_HOST_IS_SNIFFER_ONLY
@ SURI_HOST_IS_SNIFFER_ONLY
Definition: suricata.h:115
source-nflog.h
TagInitCtx
void TagInitCtx(void)
Definition: detect-engine-tag.c:52
TmModuleReceiveIPFWRegister
void TmModuleReceiveIPFWRegister(void)
Registration Function for RecieveIPFW.
Definition: source-ipfw.c:154
flow-bypass.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
SuricataMainLoop
void SuricataMainLoop(void)
Definition: suricata.c:2832
ExceptionSimulationCommandLineParser
int ExceptionSimulationCommandLineParser(const char *name, const char *arg)
Definition: util-exception-policy.c:316
ippair.h
g_livedev_mask
uint16_t g_livedev_mask
Definition: suricata.c:206
app-layer-htp-range.h
AppLayerHtpNeedFileInspection
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
Definition: app-layer-htp.c:516
SCInstance_::run_mode
enum RunModes run_mode
Definition: suricata.h:124
detect-engine.h
source-pcap.h
SCInstance_::groupid
uint32_t groupid
Definition: suricata.h:142
SCRunmodeGet
int SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:263
RUNMODE_UNIX_SOCKET
@ RUNMODE_UNIX_SOCKET
Definition: runmodes.h:43
g_system
bool g_system
Definition: suricata.c:191
ConfNodeChildValueIsTrue
int ConfNodeChildValueIsTrue(const ConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition: conf.c:859
win32-syscall.h
SCInstance_::daemon
int daemon
Definition: suricata.h:151
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SCLogInitLogModule
void SCLogInitLogModule(SCLogInitData *sc_lid)
Initializes the logging module.
Definition: util-debug.c:1409
SLL_HEADER_LEN
#define SLL_HEADER_LEN
Definition: decode-sll.h:27
SCInstance_::checksum_validation
int checksum_validation
Definition: suricata.h:154
LiveDeviceListClean
int LiveDeviceListClean(void)
Definition: util-device.c:314
SCInstance_::do_setuid
bool do_setuid
Definition: suricata.h:138
DetectEngineDeReference
void DetectEngineDeReference(DetectEngineCtx **de_ctx)
Definition: detect-engine.c:4478
RUNMODE_UNITTEST
@ RUNMODE_UNITTEST
Definition: runmodes.h:41
StorageInit
void StorageInit(void)
Definition: util-storage.c:68
SCInstance_::start_time
struct timeval start_time
Definition: suricata.h:156
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
prerun_snap
SystemHugepageSnapshot * prerun_snap
Definition: suricata.c:213
TmThreadContinueThreads
void TmThreadContinueThreads(void)
Unpauses all threads present in tv_root.
Definition: tm-threads.c:1907
source-pcap-file.h
SCInstance_::do_setgid
bool do_setgid
Definition: suricata.h:139
ConfNode_::val
char * val
Definition: conf.h:34
CLS
#define CLS
Definition: suricata-common.h:56
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:483
RUNMODE_DPDK
@ RUNMODE_DPDK
Definition: runmodes.h:40
stream-tcp.h
DetectEngineCtx_::type
enum DetectEngineType type
Definition: detect.h:964
SigLoadSignatures
int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, bool sig_file_exclusive)
Load signatures.
Definition: detect-engine-loader.c:287
runmode-af-packet.h
RUNMODE_UNKNOWN
@ RUNMODE_UNKNOWN
Definition: runmodes.h:28
SCInstance_::group_name
const char * group_name
Definition: suricata.h:137
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
runmode-unittests.h
TmqhSetup
void TmqhSetup(void)
Definition: tm-queuehandlers.c:39
RUNMODE_PRINT_BUILDINFO
@ RUNMODE_PRINT_BUILDINFO
Definition: runmodes.h:51
DetectEngineCtxInitStubForDD
DetectEngineCtx * DetectEngineCtxInitStubForDD(void)
Definition: detect-engine.c:2489
LiveDevRegisterExtension
void LiveDevRegisterExtension(void)
Definition: util-device.c:465
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
AppLayerHtpPrintStats
void AppLayerHtpPrintStats(void)
Definition: app-layer-htp.c:3071
util-hugepages.h
StatsSetupPostConfigPreOutput
void StatsSetupPostConfigPreOutput(void)
Definition: counters.c:905
SCInstance_::runmode_custom_mode
char * runmode_custom_mode
Definition: suricata.h:134
util-coredump-config.h
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SigTableSetup
void SigTableSetup(void)
Definition: detect-engine-register.c:473
TmModuleReceiveNFQRegister
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:169
LiveBuildDeviceList
int LiveBuildDeviceList(const char *runmode)
Definition: util-device.c:274
RunModeShutDown
void RunModeShutDown(void)
Definition: runmodes.c:586
SuricataInit
void SuricataInit(void)
Definition: suricata.c:2921
TM_ECODE_DONE
@ TM_ECODE_DONE
Definition: tm-threads-common.h:86
SCProtoNameInit
void SCProtoNameInit(void)
Definition: util-proto-name.c:418
SuricataPostInit
void SuricataPostInit(void)
Definition: suricata.c:3015
ippair-bit.h
RunModeDispatch
void RunModeDispatch(int runmode, const char *custom_mode, const char *capture_plugin_name, const char *capture_plugin_args)
Definition: runmodes.c:415
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
util-macset.h
RUNMODE_LIST_RUNMODES
@ RUNMODE_LIST_RUNMODES
Definition: runmodes.h:49
sigint_count
volatile sig_atomic_t sigint_count
Definition: suricata.c:156
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, engine_stage)
SCProfilingRulesGlobalInit
void SCProfilingRulesGlobalInit(void)
TmModuleRunDeInit
void TmModuleRunDeInit(void)
Definition: tm-modules.c:136
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:230
SCSetThreadName
#define SCSetThreadName(n)
Definition: threads.h:303
SCRunmodeSet
void SCRunmodeSet(int run_mode)
Set the current run mode.
Definition: suricata.c:268
sc_set_caps
bool sc_set_caps
Definition: suricata.c:189
SCLogDeInitLogModule
void SCLogDeInitLogModule(void)
De-Initializes the logging module.
Definition: util-debug.c:1617
LiveDevice_
Definition: util-device.h:50
util-pidfile.h
TmModuleDecodeErfFileRegister
void TmModuleDecodeErfFileRegister(void)
Register the ERF file decoder module.
Definition: source-erf-file.c:98
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
DetectEngineReloadSetIdle
void DetectEngineReloadSetIdle(void)
Definition: detect-engine.c:2047
SCInstance_::userid
uint32_t userid
Definition: suricata.h:141
RUNMODE_ERF_FILE
@ RUNMODE_ERF_FILE
Definition: runmodes.h:35
source-windivert-prototypes.h
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3690
EngineModeIsUnknown
int EngineModeIsUnknown(void)
Definition: suricata.c:226
VarNameStoreInit
void VarNameStoreInit(void)
TmModuleFlowRecyclerRegister
void TmModuleFlowRecyclerRegister(void)
Definition: flow-manager.c:1250
g_skip_prefilter
int g_skip_prefilter
Definition: detect-engine-mpm.c:1050
Daemonize
void Daemonize(void)
Daemonize the process.
Definition: util-daemon.c:101
UtilSignalHandlerSetup
void UtilSignalHandlerSetup(int sig, void(*handler)(int))
Definition: util-signal.c:60
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:602
RUNMODE_NFLOG
@ RUNMODE_NFLOG
Definition: runmodes.h:33
TmModuleDecodeWinDivertRegister
void TmModuleDecodeWinDivertRegister(void)
Definition: source-windivert.c:74
SURICATA_STOP
#define SURICATA_STOP
Definition: suricata.h:89
FlowForceReassembly
void FlowForceReassembly(void)
Force reassembly for all the flows that have unprocessed segments.
Definition: flow-timeout.c:418
DetectEngineAddToMaster
int DetectEngineAddToMaster(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4502
TmModuleStatsLoggerRegister
void TmModuleStatsLoggerRegister(void)
Definition: output-stats.c:189
ConfYamlHandleInclude
int ConfYamlHandleInclude(ConfNode *parent, const char *filename)
Include a file in the configuration.
Definition: conf-yaml-loader.c:116
RegisterAllModules
void RegisterAllModules(void)
Definition: suricata.c:897
ENGINE_MODE_IPS
@ ENGINE_MODE_IPS
Definition: suricata.h:104
RUNMODE_PCAP_DEV
@ RUNMODE_PCAP_DEV
Definition: runmodes.h:29
DetectEngineMultiTenantSetup
int DetectEngineMultiTenantSetup(const bool unix_socket)
setup multi-detect / multi-tenancy
Definition: detect-engine.c:4139
flow-bit.h
SupportFastPatternForSigMatchTypes
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
Definition: detect-fast-pattern.c:143
util-var-name.h
ConfDump
void ConfDump(void)
Dump configuration to stdout.
Definition: conf.c:751
suricata_context
const SuricataContext suricata_context
Definition: rust-context.c:25
SCParseCommandLine
TmEcode SCParseCommandLine(int argc, char **argv)
Definition: suricata.c:1324
SCPledge
#define SCPledge(...)
Definition: util-privs.h:99
CheckValidDaemonModes
int CheckValidDaemonModes(int daemon, int mode)
Check for a valid combination daemon/mode.
Definition: util-daemon.c:177
SCGetGroupID
void SCGetGroupID(const char *group_name, uint32_t *gid)
Function to get the group ID from the specified group name.
Definition: util-privs.c:213
ConfSetFinal
int ConfSetFinal(const char *name, const char *val)
Set a final configuration value.
Definition: conf.c:303
unittests_fatal
int unittests_fatal
Definition: util-unittest.c:52
TmThreadDisableReceiveThreads
void TmThreadDisableReceiveThreads(void)
Disable all threads having the specified TMs.
Definition: tm-threads.c:1353
StatsInit
void StatsInit(void)
Initializes the perf counter api. Things are hard coded currently. More work to be done when we imple...
Definition: counters.c:895
util-privs.h
PreRunInit
void PreRunInit(const int runmode)
Definition: suricata.c:2226
RUNMODE_LIST_KEYWORDS
@ RUNMODE_LIST_KEYWORDS
Definition: runmodes.h:47
SURICATA_DONE
#define SURICATA_DONE
Definition: suricata.h:91
MacSetRegisterFlowStorage
void MacSetRegisterFlowStorage(void)
Definition: util-macset.c:62
SuricataShutdown
void SuricataShutdown(void)
Definition: suricata.c:3004
SCInstance_::conf_filename
const char * conf_filename
Definition: suricata.h:160
GetIfaceMTU
int GetIfaceMTU(const char *dev)
output the link MTU
Definition: util-ioctl.c:81
RUNMODE_NAPATECH
@ RUNMODE_NAPATECH
Definition: runmodes.h:42
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:361
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:96
TmModuleReceiveNetmapRegister
void TmModuleReceiveNetmapRegister(void)
Definition: source-netmap.c:74
PacketPoolPostRunmodes
void PacketPoolPostRunmodes(void)
Set the max_pending_return_packets value.
Definition: tmqh-packetpool.c:464
NFQInitConfig
void NFQInitConfig(bool quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:206
TmModuleReceiveWinDivertRegister
void TmModuleReceiveWinDivertRegister(void)
Definition: source-windivert.c:61
SystemHugepageSnapshot
Definition: util-hugepages.h:44
TmModuleReceivePfringRegister
void TmModuleReceivePfringRegister(void)
Registration Function for ReceivePfring.
Definition: source-pfring.c:163
HOST_VERBOSE
#define HOST_VERBOSE
Definition: host.h:92
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
SCProfilingDestroy
void SCProfilingDestroy(void)
Free resources used by profiling.
Definition: util-profiling.c:263
IsRunModeOffline
bool IsRunModeOffline(enum RunModes run_mode_to_check)
Definition: runmodes.c:568
AFPPeersListClean
void AFPPeersListClean(void)
Clean the global peers list.
Definition: source-af-packet.c:584
RunModeInitializeOutputs
void RunModeInitializeOutputs(void)
Definition: runmodes.c:785
DetectPortTestConfVars
int DetectPortTestConfVars(void)
Definition: detect-engine-port.c:1106
SCThresholdConfGlobalInit
void SCThresholdConfGlobalInit(void)
Definition: util-threshold-config.c:96
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:573
SCInstance_::capture_plugin_name
const char * capture_plugin_name
Definition: suricata.h:164
RUNMODE_DAG
@ RUNMODE_DAG
Definition: runmodes.h:36
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
EngineMode
EngineMode
Definition: suricata.h:101
SCInstance_::set_datadir
bool set_datadir
Definition: suricata.h:146
TVT_MGMT
@ TVT_MGMT
Definition: tm-threads-common.h:92
tmqh-packetpool.h
g_ut_covered
int g_ut_covered
Definition: suricata.c:895
SCInstance_::capture_plugin_args
const char * capture_plugin_args
Definition: suricata.h:165
TmModuleLoggerRegister
void TmModuleLoggerRegister(void)
Definition: output.c:891
TmThreadDisablePacketThreads
void TmThreadDisablePacketThreads(void)
Disable all packet threads.
Definition: tm-threads.c:1483
host_mode
uint8_t host_mode
Definition: suricata.c:180
RUNMODE_NETMAP
@ RUNMODE_NETMAP
Definition: runmodes.h:39
RUNMODE_DUMP_FEATURES
@ RUNMODE_DUMP_FEATURES
Definition: runmodes.h:62
FeatureDump
void FeatureDump(void)
Definition: feature.c:144
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:246
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
AppLayerDeSetup
int AppLayerDeSetup(void)
De initializes the app layer.
Definition: app-layer.c:1047
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PcapTranslateIPToDevice
void PcapTranslateIPToDevice(char *pcap_dev, size_t len)
Definition: source-pcap.c:656
FlowDisableFlowRecyclerThread
void FlowDisableFlowRecyclerThread(void)
Used to disable flow recycler thread(s).
Definition: flow-manager.c:1177
ParseSizeInit
void ParseSizeInit(void)
Definition: util-misc.c:35
TmModuleDecodePcapFileRegister
void TmModuleDecodePcapFileRegister(void)
Definition: source-pcap-file.c:128
TmModuleBypassedFlowManagerRegister
void TmModuleBypassedFlowManagerRegister(void)
Definition: flow-bypass.c:222
IPPairShutdown
void IPPairShutdown(void)
shutdown the flow engine
Definition: ippair.c:296
source-erf-dag.h
util-signal.h
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:2694
TmModuleDecodeNFLOGRegister
void TmModuleDecodeNFLOGRegister(void)
Definition: source-nflog.c:55
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
NFQParseAndRegisterQueues
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
Definition: source-nfq.c:879
ConfGetRootNode
ConfNode * ConfGetRootNode(void)
Get the root configuration node.
Definition: conf.c:207
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:522
AppLayerSetup
int AppLayerSetup(void)
Setup the app layer.
Definition: app-layer.c:1032
FeatureTrackingRegister
void FeatureTrackingRegister(void)
Definition: feature.c:152
TmModuleReceiveDPDKRegister
void TmModuleReceiveDPDKRegister(void)
Definition: source-dpdk.c:50
UnixManagerThreadSpawnNonRunmode
void UnixManagerThreadSpawnNonRunmode(const bool unix_socket_enabled)
Definition: unix-manager.c:1287
RunModeInitializeThreadSettings
void RunModeInitializeThreadSettings(void)
Definition: runmodes.c:977
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
ENGINE_MODE_UNKNOWN
@ ENGINE_MODE_UNKNOWN
Definition: suricata.h:102
app-layer-htp.h
SURI_HOST_IS_ROUTER
@ SURI_HOST_IS_ROUTER
Definition: suricata.h:116
IsRunModeSystem
bool IsRunModeSystem(enum RunModes run_mode_to_check)
Definition: runmodes.c:555
datasets.h
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
Definition: util-ioctl.c:120
TmModuleDecodeNetmapRegister
void TmModuleDecodeNetmapRegister(void)
Registration Function for DecodeNetmap.
Definition: source-netmap.c:84
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2255
feature.h
decode.h
util-device.h
DetectEngineMoveToFreeList
int DetectEngineMoveToFreeList(DetectEngineCtx *de_ctx)
Definition: detect-engine.c:4562
sigterm_count
volatile sig_atomic_t sigterm_count
Definition: suricata.c:158
source-nfq.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
TmThreadWaitOnThreadInit
TmEcode TmThreadWaitOnThreadInit(void)
Used to check if all threads have finished their initialization. On finding an un-initialized thread,...
Definition: tm-threads.c:1948
TmModuleVerdictNFQRegister
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:184
ConfYamlLoadFile
int ConfYamlLoadFile(const char *filename)
Load configuration from a YAML file.
Definition: conf-yaml-loader.c:475
RUNMODE_CONF_TEST
@ RUNMODE_CONF_TEST
Definition: runmodes.h:54
AppLayerRegisterGlobalCounters
void AppLayerRegisterGlobalCounters(void)
HACK to work around our broken unix manager (re)init loop.
Definition: app-layer.c:1110
RunModeListRunmodes
void RunModeListRunmodes(void)
Lists all registered runmodes.
Definition: runmodes.c:256
RUNMODE_PRINT_USAGE
@ RUNMODE_PRINT_USAGE
Definition: runmodes.h:52
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
RUNMODE_LIST_APP_LAYERS
@ RUNMODE_LIST_APP_LAYERS
Definition: runmodes.h:48
util-cpu.h
suricata
SCInstance suricata
Definition: suricata.c:219
SCInstance_::unix_socket_enabled
bool unix_socket_enabled
Definition: suricata.h:147
LiveSetOffloadDisable
void LiveSetOffloadDisable(void)
Definition: util-device.c:71
StatsSetupPostConfigPostOutput
void StatsSetupPostConfigPostOutput(void)
Definition: counters.c:910
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:248
SpmTableSetup
void SpmTableSetup(void)
Definition: util-spm.c:122
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:384
LiveBuildDeviceListCustom
int LiveBuildDeviceListCustom(const char *runmode, const char *itemname)
Definition: util-device.c:279
util-exception-policy.h
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:248
UnixSocketKillSocketThread
void UnixSocketKillSocketThread(void)
Definition: unix-manager.c:1282
TmModuleVerdictIPFWRegister
void TmModuleVerdictIPFWRegister(void)
Registration Function for VerdictIPFW.
Definition: source-ipfw.c:175
flow-worker.h
g_stats_eps_per_app_proto_errors
bool g_stats_eps_per_app_proto_errors
Definition: suricata.c:216
HttpRangeContainersInit
void HttpRangeContainersInit(void)
Definition: app-layer-htp-range.c:150
util-reference-config.h
source-napatech.h
DetectEngineCtx_::last_reload
struct timeval last_reload
Definition: detect.h:1010
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:149
TmModuleVerdictWinDivertRegister
void TmModuleVerdictWinDivertRegister(void)
Definition: source-windivert.c:68
DetectEngineCtx_::failure_fatal
bool failure_fatal
Definition: detect.h:840
SCInstance_::progname
const char * progname
Definition: suricata.h:159
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:336
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
FlowDisableFlowManagerThread
void FlowDisableFlowManagerThread(void)
Used to disable flow manager thread(s).
Definition: flow-manager.c:136
util-ebpf.h
SCInstance_::pcap_dev
char pcap_dev[128]
Definition: suricata.h:127
detect.h
UtilSignalUnblock
int UtilSignalUnblock(int signum)
Definition: util-signal.c:46
DetectEngineEnabled
int DetectEngineEnabled(void)
Check if detection is enabled.
Definition: detect-engine.c:3657
TmThreadClearThreadsFamily
void TmThreadClearThreadsFamily(int family)
Definition: tm-threads.c:1635
TVT_PPT
@ TVT_PPT
Definition: tm-threads-common.h:91
TmModuleRunInit
void TmModuleRunInit(void)
Definition: tm-modules.c:118
detect-engine-port.h
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:243
SURICATA_DEINIT
@ SURICATA_DEINIT
Definition: suricata.h:97
SCInstance_::user_name
const char * user_name
Definition: suricata.h:136
HTPAtExitPrintStats
void HTPAtExitPrintStats(void)
Print the stats of the HTTP requests.
Definition: app-layer-htp.c:2091
util-time.h
UtilSignalBlock
int UtilSignalBlock(int signum)
Definition: util-signal.c:29
SCProfilingPrefilterGlobalInit
void SCProfilingPrefilterGlobalInit(void)
Definition: util-profiling-prefilter.c:60
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2638
GetProgramVersion
const char * GetProgramVersion(void)
get string with program version
Definition: suricata.c:1141
engine_analysis
int engine_analysis
app-layer-parser.h
TmModuleReceivePcapFileRegister
void TmModuleReceivePcapFileRegister(void)
Definition: source-pcap-file.c:115
source-pfring.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
runmode-netmap.h
CoredumpLoadConfig
int32_t CoredumpLoadConfig(void)
Configures the core dump size.
Definition: util-coredump-config.c:91
detect-engine-tag.h
IPFWRegisterQueue
int IPFWRegisterQueue(char *queue)
Add an IPFW divert.
Definition: source-ipfw.c:698
xstr
#define xstr(s)
Definition: suricata-common.h:290
util-profiling.h
ListAppLayerProtocols
int ListAppLayerProtocols(const char *conf_filename)
Definition: util-running-modes.c:43
SCInstance_::offline
int offline
Definition: suricata.h:152
DatasetsDestroy
void DatasetsDestroy(void)
Definition: datasets.c:988
UtilCpuPrintSummary
void UtilCpuPrintSummary(void)
Print a summary of CPUs detected (configured and online)
Definition: util-cpu.c:140
SystemDNotifyReady
int SystemDNotifyReady(void)
TmThreadKillThreads
void TmThreadKillThreads(void)
Definition: tm-threads.c:1563
OutputDeregisterAll
void OutputDeregisterAll(void)
Deregister all modules. Useful for a memory clean exit.
Definition: output.c:674
source-pcap-file-helper.h
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2547
EngineModeIsIDS
int EngineModeIsIDS(void)
Definition: suricata.c:237
util-systemd.h
TmModuleNapatechDecodeRegister
void TmModuleNapatechDecodeRegister(void)
Register the Napatech decoder module.
Definition: source-napatech.c:192
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:33
conf-yaml-loader.h
decode-sll.h
coverage_unittests
int coverage_unittests
Definition: suricata.c:893
RUNMODE_DUMP_CONFIG
@ RUNMODE_DUMP_CONFIG
Definition: runmodes.h:53
DatasetsSave
void DatasetsSave(void)
Definition: datasets.c:1066
detect-engine-alert.h
conf.h
util-landlock.h
source-ipfw.h
TMM_SIZE
@ TMM_SIZE
Definition: tm-threads-common.h:79
source-netmap.h
OutputNotifyFileRotation
void OutputNotifyFileRotation(void)
Notifies all registered file rotation notification flags.
Definition: output.c:744
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:138
VarNameStoreDestroy
void VarNameStoreDestroy(void)
Definition: util-var-name.c:116
SCInstance_::verbose
int verbose
Definition: suricata.h:153
TmEcode
TmEcode
Definition: tm-threads-common.h:83
source-windivert.h
TmModuleFlowWorkerRegister
void TmModuleFlowWorkerRegister(void)
Definition: flow-worker.c:747
SCInstance_::aux_run_mode
enum RunModes aux_run_mode
Definition: suricata.h:125
util-plugin.h
SCInstance_::additional_configs
const char ** additional_configs
Definition: suricata.h:161
flow-timeout.h
DEFAULT_PID_FILENAME
#define DEFAULT_PID_FILENAME
Definition: suricata.h:83
sighup_count
volatile sig_atomic_t sighup_count
Definition: suricata.c:157
ConfigSetDataDirectory
TmEcode ConfigSetDataDirectory(char *name)
Definition: util-conf.c:66
TmModuleDecodeErfDagRegister
void TmModuleDecodeErfDagRegister(void)
Register the ERF file decoder module.
Definition: source-erf-dag.c:151
SCInstance_::set_logdir
bool set_logdir
Definition: suricata.h:145
SCDropMainThreadCaps
#define SCDropMainThreadCaps(...)
Definition: util-privs.h:90
TmModuleDebugList
void TmModuleDebugList(void)
Definition: tm-modules.c:35
TmModuleDecodeNFQRegister
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:192
util-proto-name.h
STREAM_VERBOSE
#define STREAM_VERBOSE
Definition: stream-tcp.h:35
defrag.h
SCProtoNameRelease
void SCProtoNameRelease(void)
Definition: util-proto-name.c:439
MpmTableSetup
void MpmTableSetup(void)
Definition: util-mpm.c:225
SCInstance_::log_dir
const char * log_dir
Definition: suricata.h:158
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:254
source-nfq-prototypes.h
SCPluginsLoad
void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
TmModuleReceiveNFLOGRegister
void TmModuleReceiveNFLOGRegister(void)
Definition: source-nflog.c:49
DEFAULT_PACKET_SIZE
#define DEFAULT_PACKET_SIZE
Definition: decode.h:677
WarnInvalidConfEntry
#define WarnInvalidConfEntry(param_name, format, value)
Generic API that can be used by all to log an invalid conf entry.
Definition: util-misc.h:35
util-host-os-info.h
TmModuleReceiveErfFileRegister
void TmModuleReceiveErfFileRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-file.c:80
TmModule_
Definition: tm-modules.h:44
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
TmModuleDecodeAFXDPRegister
void TmModuleDecodeAFXDPRegister(void)
Registration Function for DecodeAFXDP.
Definition: source-af-xdp.c:92
default_packet_size
uint32_t default_packet_size
Definition: decode.c:76
tm-queuehandlers.h
SigTableApplyStrictCommandLineOption
void SigTableApplyStrictCommandLineOption(const char *str)
Definition: detect-parse.c:403
DETECT_ENGINE_TYPE_NORMAL
@ DETECT_ENGINE_TYPE_NORMAL
Definition: detect.h:826
PROG_NAME
#define PROG_NAME
Definition: suricata.h:70
TmThreadKillThreadsFamily
void TmThreadKillThreadsFamily(int family)
Definition: tm-threads.c:1534
detect-fast-pattern.h
FeatureTrackingRelease
void FeatureTrackingRelease(void)
Definition: feature.c:136
TmqhCleanup
void TmqhCleanup(void)
Clean up registration time allocs.
Definition: tm-queuehandlers.c:49
util-dpdk.h
util-conf.h
RUNMODE_PFRING
@ RUNMODE_PFRING
Definition: runmodes.h:31
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
source-dpdk.h
flow-manager.h
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:995
SCInstance_::strict_rule_parsing_string
char * strict_rule_parsing_string
Definition: suricata.h:162
SuriHasSigFile
int SuriHasSigFile(void)
Definition: suricata.c:221
suricata-common.h
DetectEngineCtxInitStubForMT
DetectEngineCtx * DetectEngineCtxInitStubForMT(void)
Definition: detect-engine.c:2484
util-path.h
util-daemon.h
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:184
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:670
SCHInfoLoadFromConfig
void SCHInfoLoadFromConfig(void)
Load the host os policy information from the configuration.
Definition: util-host-os-info.c:335
DetectEngineBumpVersion
void DetectEngineBumpVersion(void)
Definition: detect-engine.c:3681
source-af-xdp.h
TmModuleFlowManagerRegister
void TmModuleFlowManagerRegister(void)
Definition: flow-manager.c:1236
SCStartInternalRunMode
int SCStartInternalRunMode(int argc, char **argv)
Definition: suricata.c:2324
SCPidfileTestRunning
int SCPidfileTestRunning(const char *pid_filename)
Check the Suricata pid file (used at the startup)
Definition: util-pidfile.c:105
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:299
DOC_URL
#define DOC_URL
Definition: suricata.h:85
SCFstatFn
#define SCFstatFn(fd, statbuf)
Definition: util-path.h:34
output-filestore.h
TmModuleDecodePfringRegister
void TmModuleDecodePfringRegister(void)
Registration Function for DecodePfring.
Definition: source-pfring.c:179
LiveSetOffloadWarn
void LiveSetOffloadWarn(void)
Definition: util-device.c:76
ParseSizeDeinit
void ParseSizeDeinit(void)
Definition: util-misc.c:54
util-classification-config.h
RunModeRegisterRunModes
void RunModeRegisterRunModes(void)
Register all runmodes in the engine.
Definition: runmodes.c:228
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
FatalError
#define FatalError(...)
Definition: util-debug.h:502
ConfGetChildValueBool
int ConfGetChildValueBool(const ConfNode *base, const char *name, int *val)
Definition: conf.c:501
SCProfilingDump
void SCProfilingDump(void)
Definition: util-profiling.c:289
TmModuleReceiveAFXDPRegister
void TmModuleReceiveAFXDPRegister(void)
Definition: source-af-xdp.c:78
EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition: suricata.c:448
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:38
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:128
ParseSizeStringU32
int ParseSizeStringU32(const char *size, uint32_t *res)
Definition: util-misc.c:181
TmModuleReceiveErfDagRegister
void TmModuleReceiveErfDagRegister(void)
Register the ERF file receiver (reader) module.
Definition: source-erf-dag.c:133
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:33
util-validate.h
TmModuleDecodeIPFWRegister
void TmModuleDecodeIPFWRegister(void)
Registration Function for DecodeIPFW.
Definition: source-ipfw.c:190
source-af-packet.h
ConfUnixSocketIsEnable
int ConfUnixSocketIsEnable(void)
Definition: util-conf.c:136
RUNMODE_NFQ
@ RUNMODE_NFQ
Definition: runmodes.h:32
ConfSetFromString
int ConfSetFromString(const char *input, int final)
Set a configuration parameter from a string.
Definition: conf.c:249
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:202
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
DatasetsInit
int DatasetsInit(void)
Definition: datasets.c:854
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:38
sigusr2_count
volatile sig_atomic_t sigusr2_count
Definition: suricata.c:159
SystemHugepageSnapshotDestroy
void SystemHugepageSnapshotDestroy(SystemHugepageSnapshot *s)
Definition: util-hugepages.c:304
RUNMODE_ENGINE_ANALYSIS
@ RUNMODE_ENGINE_ANALYSIS
Definition: runmodes.h:56
RUNMODE_PRINT_VERSION
@ RUNMODE_PRINT_VERSION
Definition: runmodes.h:50
TmModuleDecodePcapRegister
void TmModuleDecodePcapRegister(void)
Registration Function for DecodePcap.
Definition: source-pcap.c:153
util-running-modes.h
SCLoadYamlConfig
TmEcode SCLoadYamlConfig(void)
Definition: suricata.c:965
unix-manager.h
runmode-af-xdp.h
str
#define str(s)
Definition: suricata-common.h:291
ConfigCheckDataDirectory
TmEcode ConfigCheckDataDirectory(const char *data_dir)
Definition: util-conf.c:99
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
g_detect_disabled
int g_detect_disabled
Definition: suricata.c:186
DetectEngineReloadStart
int DetectEngineReloadStart(void)
Definition: detect-engine.c:2021
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DEFAULT_CONF_FILE
#define DEFAULT_CONF_FILE
Definition: suricata.h:79
ConfNode_
Definition: conf.h:32
SC_LOG_MAX_LOG_MSG_LEN
#define SC_LOG_MAX_LOG_MSG_LEN
Definition: util-debug.h:84
AppLayerParserPostStreamSetup
void AppLayerParserPostStreamSetup(void)
Definition: app-layer-parser.c:261
TmModuleReceivePcapRegister
void TmModuleReceivePcapRegister(void)
Registration Function for ReceivePcap.
Definition: source-pcap.c:135
SCGetUserID
void SCGetUserID(const char *user_name, const char *group_name, uint32_t *uid, uint32_t *gid)
Function to get the user and group ID from the specified user name.
Definition: util-privs.c:146
util-ioctl.h
detect-parse.h
SCInstance_::system
bool system
Definition: suricata.h:144
SCInstance_::pid_filename
char * pid_filename
Definition: suricata.h:130
TmModuleRespondRejectRegister
void TmModuleRespondRejectRegister(void)
Definition: respond-reject.c:50
CoredumpEnable
void CoredumpEnable(void)
Enable coredumps on systems where coredumps can and need to be enabled.
Definition: util-coredump-config.c:58
RunUnittests
void RunUnittests(int list_unittests, const char *regex_arg)
Definition: runmode-unittests.c:229
source-erf-file.h
ConfigCheckLogDirectoryExists
TmEcode ConfigCheckLogDirectoryExists(const char *log_dir)
Definition: util-conf.c:56
TimeDeinit
void TimeDeinit(void)
Definition: util-time.c:87
PacketAlertTagInit
void PacketAlertTagInit(void)
Definition: detect-engine-alert.c:45
RunModeEngineIsIPS
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
Definition: runmodes.c:385
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
RUNMODE_WINDIVERT
@ RUNMODE_WINDIVERT
Definition: runmodes.h:44
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:231
TmModuleNapatechStreamRegister
void TmModuleNapatechStreamRegister(void)
Register the Napatech receiver (reader) module.
Definition: source-napatech.c:174
SCProfilingKeywordsGlobalInit
void SCProfilingKeywordsGlobalInit(void)
Definition: util-profiling-keywords.c:60
suricata.h
EngineDone
void EngineDone(void)
Used to indicate that the current task is done.
Definition: suricata.c:459
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:42
GetDocURL
const char * GetDocURL(void)
Definition: suricata.c:1120
util-mpm-hs.h
profiling_rules_enabled
int profiling_rules_enabled
PostRunDeinit
void PostRunDeinit(const int runmode, struct timeval *start_time)
Definition: suricata.c:2277
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
TmThreadWaitOnThreadRunning
TmEcode TmThreadWaitOnThreadRunning(void)
Waits for all threads to be in a running state.
Definition: tm-threads.c:1805
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:693
HttpRangeContainersDestroy
void HttpRangeContainersDestroy(void)
Definition: app-layer-htp-range.c:183
ConfSet
int ConfSet(const char *name, const char *val)
Set a configuration value.
Definition: conf.c:224
SCLogLoadConfig
void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
Definition: util-debug.c:1440
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4629
DEFAULT_MAX_PENDING_PACKETS
#define DEFAULT_MAX_PENDING_PACKETS
Definition: suricata.c:169
SCInstance_
Definition: suricata.h:123
DetectEngineClearMaster
void DetectEngineClearMaster(void)
Definition: detect-engine.c:4602
SetMasterExceptionPolicy
void SetMasterExceptionPolicy(void)
Definition: util-exception-policy.c:59
TmThreadCheckThreadState
void TmThreadCheckThreadState(void)
Used to check the thread for certain conditions of failure.
Definition: tm-threads.c:1924
OutputFilestoreRegisterGlobalCounters
void OutputFilestoreRegisterGlobalCounters(void)
Definition: output-filestore.c:517
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:2875
SCInstance_::disabled_detect
int disabled_detect
Definition: suricata.h:150
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:164
SystemHugepageSnapshotCreate
SystemHugepageSnapshot * SystemHugepageSnapshotCreate(void)
The function creates a snapshot of the system's hugepage usage per NUMA node and per hugepage size....
Definition: util-hugepages.c:323
SCProfilingSghsGlobalInit
void SCProfilingSghsGlobalInit(void)
Definition: util-profiling-rulegroups.c:63
SCPidfileCreate
int SCPidfileCreate(const char *pidfile)
Write a pid file (used at the startup) This commonly needed by the init scripts.
Definition: util-pidfile.c:42
LiveRegisterDeviceName
int LiveRegisterDeviceName(const char *dev)
Add a device for monitoring.
Definition: util-device.c:97
SCStatFn
#define SCStatFn(pathname, statbuf)
Definition: util-path.h:35
ENGINE_MODE_IDS
@ ENGINE_MODE_IDS
Definition: suricata.h:103
LiveDeviceFinalize
void LiveDeviceFinalize(void)
Definition: util-device.c:442
TmModuleDecodeDPDKRegister
void TmModuleDecodeDPDKRegister(void)
Registration Function for DecodeDPDK.
Definition: source-dpdk.c:64
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:129
PROG_VER
#define PROG_VER
Definition: suricata.h:71
util-misc.h
PacketPoolDestroy
void PacketPoolDestroy(void)
Definition: tmqh-packetpool.c:277
HTPFreeConfig
void HTPFreeConfig(void)
Clears the HTTP server configuration memory used by HTP library.
Definition: app-layer-htp.c:2104
flow.h
LandlockSandboxing
void LandlockSandboxing(SCInstance *suri)
Definition: util-landlock.c:34
respond-reject.h
SCInstance_::regex_arg
char * regex_arg
Definition: suricata.h:131
ListKeywords
int ListKeywords(const char *keyword_info)
Definition: util-running-modes.c:32
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:237
SuricataPreInit
void SuricataPreInit(const char *progname)
Definition: suricata.c:2912
util-luajit.h
msg
const char * msg
Definition: app-layer-htp.c:580
DPDKCleanupEAL
void DPDKCleanupEAL(void)
Definition: util-dpdk.c:28
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:37
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SCPidfileRemove
void SCPidfileRemove(const char *pid_filename)
Remove the pid file (used at the startup)
Definition: util-pidfile.c:83
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:81
TimeInit
void TimeInit(void)
Definition: util-time.c:79
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
SCInstance_::keyword_info
char * keyword_info
Definition: suricata.h:133
RUNMODE_PLUGIN
@ RUNMODE_PLUGIN
Definition: runmodes.h:45
NFQContextsClean
void NFQContextsClean(void)
Clean global contexts. Must be called on exit.
Definition: source-nfq.c:1300
SystemHugepageEvaluateHugepages
void SystemHugepageEvaluateHugepages(SystemHugepageSnapshot *pre_s, SystemHugepageSnapshot *post_s)
The function compares two hugepage snapshots and prints out recommendations for hugepage configuratio...
Definition: util-hugepages.c:363
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:103
SCFinalizeRunMode
int SCFinalizeRunMode(void)
Definition: suricata.c:2380
SCStat
struct stat SCStat
Definition: util-path.h:33
SCProfilingInit
void SCProfilingInit(void)
Initialize profiling.
Definition: util-profiling.c:135
g_ut_modules
int g_ut_modules
Definition: suricata.c:894
detect-engine-address.h
RUNMODE_IPFW
@ RUNMODE_IPFW
Definition: runmodes.h:34
GlobalsDestroy
void GlobalsDestroy(void)
Definition: suricata.c:370
output.h
util-threshold-config.h
DefragInit
void DefragInit(void)
Definition: defrag.c:1099
DetectEngineReloadIsStart
int DetectEngineReloadIsStart(void)
Definition: detect-engine.c:2035
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:172
host-bit.h
detect-engine-threshold.h
RUNMODE_LIST_UNITTEST
@ RUNMODE_LIST_UNITTEST
Definition: runmodes.h:55
app-layer.h
TagDestroyCtx
void TagDestroyCtx(void)
Destroy tag context hash tables.
Definition: detect-engine-tag.c:72
DetectAddressTestConfVars
int DetectAddressTestConfVars(void)
Definition: detect-engine-address.c:1218
g_disable_randomness
int g_disable_randomness
Definition: suricata.c:195
geteuid
#define geteuid()
Definition: win32-misc.h:41
MpmHSGlobalCleanup
void MpmHSGlobalCleanup(void)
g_disable_hashing
bool g_disable_hashing
Definition: suricata.c:210
TmqResetQueues
void TmqResetQueues(void)
Definition: tm-queues.c:80