suricata.8.0.0/suricata_8h_source.html

/* Copyright (C) 2007-2014 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/** \mainpage Doxygen documentation

 *

 * \section intro_sec Introduction

 *

 * The Suricata Engine is an Open Source Next Generation Intrusion Detection

 * and Prevention Engine. This engine is not intended to just replace or

 * emulate the existing tools in the industry, but will bring new ideas and

 * technologies to the field.

 *

 * \section dev_doc Developer documentation

 *

 * You've reach the automatically generated documentation of Suricata. This

 * document contains information about architecture and code structure. It

 * is attended for developers wanting to understand or contribute to Suricata.

 *

 * \subsection modules Modules

 *

 * Documentation is generate from comments placed in all parts of the code.

 * But you will also find some groups describing specific functional parts:

 *  - \ref decode

 *  - \ref httplayer

 *  - \ref sigstate

 *  - \ref threshold

 *

 * \section archi Architecture

 *

 * \subsection datastruct Data structures

 *

 * Regarding matching, there is three main data structures which are:

 *  - ::Packet: Data relative to an individual packet with information about

 *  linked structure such as the ::Flow the ::Packet belongs to.

 *  - ::Flow: Information about a flow for example a TCP session

 *

 *  \subsection runmode Running mode

 *

 *  Suricata is multithreaded and running modes define how the different

 *  threads are working together. You can see util-runmodes.c for example

 *  of running mode.

 */


/**

 * \file

 *

 * \author Victor Julien <victor@inliniac.net>

 */


#ifndef SURICATA_SURICATA_H

#define SURICATA_SURICATA_H


#ifdef __cplusplus

extern "C"

{

#endif


#include "suricata-common.h"


/* the name of our binary */

#define PROG_NAME "Suricata"

#define PROG_VER PACKAGE_VERSION


/* workaround SPlint error (don't know __gnuc_va_list) */

#ifdef S_SPLINT_S

#  include <err.h>

#  define CONFIG_DIR "/etc/suricata"

#endif


#define DEFAULT_CONF_FILE CONFIG_DIR "/suricata.yaml"


#define DEFAULT_PID_DIR LOCAL_STATE_DIR "/run/"

#define DEFAULT_PID_BASENAME "suricata.pid"

#define DEFAULT_PID_FILENAME DEFAULT_PID_DIR DEFAULT_PID_BASENAME


#define DOC_URL "https://docs.suricata.io/en/"

const char *GetDocURL(void);


/* runtime engine control flags */

#define SURICATA_STOP    (1 << 0)   /**< gracefully stop the engine: process all

                                     outstanding packets first */

#define SURICATA_DONE    (1 << 2)   /**< packets capture ended */


/* Engine stage/status*/

enum {

    SURICATA_INIT = 0,

    SURICATA_RUNTIME,

    SURICATA_DEINIT

};


/* Engine is acting as */


enum EngineMode {

    ENGINE_MODE_UNKNOWN,

    ENGINE_MODE_IDS,

    /* order matters, we need to be able to do IPS is true for >= ENGINE_MODE_IPS */

    ENGINE_MODE_IPS,

    ENGINE_MODE_FIREWALL,

};


/* superset of IPS mode */

void EngineModeSetFirewall(void);

void EngineModeSetIPS(void);

void EngineModeSetIDS(void);

int EngineModeIsUnknown(void);

bool EngineModeIsFirewall(void);

int EngineModeIsIPS(void);

int EngineModeIsIDS(void);


/* Box is acting as router */

enum {

    SURI_HOST_IS_SNIFFER_ONLY,

    SURI_HOST_IS_ROUTER,

};


#define IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode) ((host_mode) == SURI_HOST_IS_SNIFFER_ONLY)


#include "runmodes.h"


typedef struct SCInstance_ {

    enum SCRunModes run_mode;

    enum SCRunModes aux_run_mode;


    char pcap_dev[128];

    char *sig_file;

    bool sig_file_exclusive;

    char *pid_filename;

    char *regex_arg;

    char *firewall_rule_file;

    bool firewall_rule_file_exclusive;

    /* is firewall mode enabled */

    bool is_firewall;


    char *keyword_info;

    char *runmode_custom_mode;

#ifndef OS_WIN32

    const char *user_name;

    const char *group_name;

    bool do_setuid;

    bool do_setgid;

#endif /* OS_WIN32 */

    uint32_t userid;

    uint32_t groupid;


    bool system;

    bool set_logdir;

    bool set_datadir;

    bool unix_socket_enabled;


    bool install_signal_handlers; /**< Install default signal handlers */


    int delayed_detect;

    int disabled_detect;

    int daemon;

    int offline;

    int verbose;

    int checksum_validation;

    int output_flush_interval;


    struct timeval start_time;


    const char *log_dir;

    const char *progname; /**< pointer to argv[0] */

    const char *conf_filename;

    const char **additional_configs;

    char *strict_rule_parsing_string;


    const char *capture_plugin_name;

    const char *capture_plugin_args;

} SCInstance;


/* memset to zeros, and mutex init! */

void GlobalsInitPreConfig(void);


extern volatile uint8_t suricata_ctl_flags;

extern int g_disable_randomness;

extern uint16_t g_vlan_mask;

extern uint16_t g_livedev_mask;

extern uint8_t g_recurlvl_mask;


/* Flag to disable hashing (almost) globally. */

extern bool g_disable_hashing;


void EngineStop(void);

void EngineDone(void);


#ifdef UNITTESTS

int RunmodeIsUnittests(void);

#else

#define RunmodeIsUnittests() 0

#endif


/**

 * \brief Get the current run mode.

 */

SCRunMode SCRunmodeGet(void);


/**

 * \brief Set the current run mode.

 *

 * Mainly exposed outside of suricata.c as a unit-test helper.

 */

void SCRunmodeSet(SCRunMode run_mode);


/**

 * \brief Enable default signal handlers.

 */

void SCEnableDefaultSignalHandlers(void);


int SuriHasSigFile(void);


void SuricataPreInit(const char *progname);

void SuricataInit(void);

void SuricataPostInit(void);

void SuricataMainLoop(void);

void SuricataShutdown(void);

int InitGlobal(void);

void GlobalsDestroy(void);

int PostConfLoadedSetup(SCInstance *suri);

void PostConfLoadedDetectSetup(SCInstance *suri);

int SCFinalizeRunMode(void);

TmEcode SCParseCommandLine(int argc, char **argv);

int SCStartInternalRunMode(int argc, char **argv);

TmEcode SCLoadYamlConfig(void);


void PreRunInit(const int runmode);

void PreRunPostPrivsDropInit(const int runmode);

void PostRunDeinit(const int runmode, struct timeval *start_time);

void RegisterAllModules(void);


#ifdef OS_WIN32

int WindowsInitService(int argc, char **argv);

#endif


const char *GetProgramVersion(void);


#ifdef __cplusplus

}

#endif


#endif /* SURICATA_SURICATA_H */

runmodes.h

SCRunModes
SCRunModes
Definition runmodes.h:27

SCRunMode
enum SCRunModes SCRunMode

SCInstance_
Definition suricata.h:133

SCInstance_::do_setuid
bool do_setuid
Definition suricata.h:152

SCInstance_::start_time
struct timeval start_time
Definition suricata.h:173

SCInstance_::runmode_custom_mode
char * runmode_custom_mode
Definition suricata.h:148

SCInstance_::sig_file
char * sig_file
Definition suricata.h:138

SCInstance_::group_name
const char * group_name
Definition suricata.h:151

SCInstance_::checksum_validation
int checksum_validation
Definition suricata.h:170

SCInstance_::is_firewall
bool is_firewall
Definition suricata.h:145

SCInstance_::capture_plugin_args
const char * capture_plugin_args
Definition suricata.h:182

SCInstance_::strict_rule_parsing_string
char * strict_rule_parsing_string
Definition suricata.h:179

SCInstance_::firewall_rule_file
char * firewall_rule_file
Definition suricata.h:142

SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition suricata.h:139

SCInstance_::run_mode
enum SCRunModes run_mode
Definition suricata.h:134

SCInstance_::capture_plugin_name
const char * capture_plugin_name
Definition suricata.h:181

SCInstance_::progname
const char * progname
Definition suricata.h:176

SCInstance_::userid
uint32_t userid
Definition suricata.h:155

SCInstance_::regex_arg
char * regex_arg
Definition suricata.h:141

SCInstance_::set_logdir
bool set_logdir
Definition suricata.h:159

SCInstance_::do_setgid
bool do_setgid
Definition suricata.h:153

SCInstance_::system
bool system
Definition suricata.h:158

SCInstance_::user_name
const char * user_name
Definition suricata.h:150

SCInstance_::firewall_rule_file_exclusive
bool firewall_rule_file_exclusive
Definition suricata.h:143

SCInstance_::daemon
int daemon
Definition suricata.h:167

SCInstance_::additional_configs
const char ** additional_configs
Definition suricata.h:178

SCInstance_::conf_filename
const char * conf_filename
Definition suricata.h:177

SCInstance_::aux_run_mode
enum SCRunModes aux_run_mode
Definition suricata.h:135

SCInstance_::unix_socket_enabled
bool unix_socket_enabled
Definition suricata.h:161

SCInstance_::set_datadir
bool set_datadir
Definition suricata.h:160

SCInstance_::output_flush_interval
int output_flush_interval
Definition suricata.h:171

SCInstance_::pcap_dev
char pcap_dev[128]
Definition suricata.h:137

SCInstance_::log_dir
const char * log_dir
Definition suricata.h:175

SCInstance_::groupid
uint32_t groupid
Definition suricata.h:156

SCInstance_::keyword_info
char * keyword_info
Definition suricata.h:147

SCInstance_::pid_filename
char * pid_filename
Definition suricata.h:140

SCInstance_::disabled_detect
int disabled_detect
Definition suricata.h:166

SCInstance_::offline
int offline
Definition suricata.h:168

SCInstance_::verbose
int verbose
Definition suricata.h:169

SCInstance_::install_signal_handlers
bool install_signal_handlers
Definition suricata.h:163

SCInstance_::delayed_detect
int delayed_detect
Definition suricata.h:165

suricata-common.h

EngineDone
void EngineDone(void)
Used to indicate that the current task is done.
Definition suricata.c:481

SuricataInit
void SuricataInit(void)
Definition suricata.c:3012

g_livedev_mask
uint16_t g_livedev_mask
Definition suricata.c:206

PostRunDeinit
void PostRunDeinit(const int runmode, struct timeval *start_time)
clean up / shutdown code for packet modes
Definition suricata.c:2331

InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition suricata.c:2965

SCInstance
struct SCInstance_ SCInstance

PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition suricata.c:2625

SCEnableDefaultSignalHandlers
void SCEnableDefaultSignalHandlers(void)
Enable default signal handlers.
Definition suricata.c:289

EngineModeSetFirewall
void EngineModeSetFirewall(void)
Definition suricata.c:254

PreRunInit
void PreRunInit(const int runmode)
Definition suricata.c:2286

PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition suricata.c:2315

EngineMode
EngineMode
Definition suricata.h:106

ENGINE_MODE_IDS
@ ENGINE_MODE_IDS
Definition suricata.h:108

ENGINE_MODE_FIREWALL
@ ENGINE_MODE_FIREWALL
Definition suricata.h:111

ENGINE_MODE_UNKNOWN
@ ENGINE_MODE_UNKNOWN
Definition suricata.h:107

ENGINE_MODE_IPS
@ ENGINE_MODE_IPS
Definition suricata.h:110

g_disable_hashing
bool g_disable_hashing
Definition suricata.c:214

SuricataShutdown
void SuricataShutdown(void)
Definition suricata.c:3100

SCLoadYamlConfig
TmEcode SCLoadYamlConfig(void)
Definition suricata.c:1012

EngineModeIsFirewall
bool EngineModeIsFirewall(void)
Definition suricata.c:235

g_recurlvl_mask
uint8_t g_recurlvl_mask
Definition suricata.c:210

EngineModeIsIPS
int EngineModeIsIPS(void)
Definition suricata.c:242

SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition suricata.c:279

SCFinalizeRunMode
int SCFinalizeRunMode(void)
Definition suricata.c:2451

suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition suricata.c:172

EngineModeIsUnknown
int EngineModeIsUnknown(void)
Definition suricata.c:230

EngineModeSetIDS
void EngineModeSetIDS(void)
Definition suricata.c:264

SURI_HOST_IS_SNIFFER_ONLY
@ SURI_HOST_IS_SNIFFER_ONLY
Definition suricata.h:125

SURI_HOST_IS_ROUTER
@ SURI_HOST_IS_ROUTER
Definition suricata.h:126

EngineModeSetIPS
void EngineModeSetIPS(void)
Definition suricata.c:259

SCStartInternalRunMode
int SCStartInternalRunMode(int argc, char **argv)
Definition suricata.c:2389

g_vlan_mask
uint16_t g_vlan_mask
Definition suricata.c:202

SuriHasSigFile
int SuriHasSigFile(void)
Definition suricata.c:225

g_disable_randomness
int g_disable_randomness
Definition suricata.c:195

GlobalsDestroy
void GlobalsDestroy(void)
Definition suricata.c:390

EngineStop
void EngineStop(void)
make sure threads can stop the engine by calling this function. Purpose: pcap file mode needs to be a...
Definition suricata.c:470

SCRunmodeSet
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
Definition suricata.c:284

SCParseCommandLine
TmEcode SCParseCommandLine(int argc, char **argv)
Definition suricata.c:1369

SuricataMainLoop
void SuricataMainLoop(void)
Definition suricata.c:2922

RegisterAllModules
void RegisterAllModules(void)
Definition suricata.c:947

SuricataPreInit
void SuricataPreInit(const char *progname)
Definition suricata.c:3003

GetDocURL
const char * GetDocURL(void)
Definition suricata.c:1165

SuricataPostInit
void SuricataPostInit(void)
Definition suricata.c:3111

GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition suricata.c:382

SURICATA_DEINIT
@ SURICATA_DEINIT
Definition suricata.h:102

SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition suricata.h:101

SURICATA_INIT
@ SURICATA_INIT
Definition suricata.h:100

GetProgramVersion
const char * GetProgramVersion(void)
get string with program version
Definition suricata.c:1186

EngineModeIsIDS
int EngineModeIsIDS(void)
Definition suricata.c:248

RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition suricata.c:270

PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition suricata.c:2716

TmEcode
TmEcode
Definition tm-threads-common.h:80