# not a GNU package. You can remove this line, if
# have all needed files, that a GNU package needs
AUTOMAKE_OPTIONS = foreign 1.4
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
classification.config threshold.config \
reference.config
unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
* Client connects to the socket
* It sends a version message: { "version": "$VERSION_ID" }
* Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.
Configuration of the feature is made in the YAML under the 'unix-command'
section:
unix-command:
enabled: yes
filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.
A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.
To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.
THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.
This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.
Two other commands exists to get info on the remaining tasks:
* pcap-file-number: return the number of files in the waiting queue
* pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
{
'count': 2,
'files': ['file1.pcap', 'file2.pcap']
}
13 years ago
SUBDIRS = $( HTP_DIR) src qa rules doc contrib scripts
CLEANFILES = stamp-h[ 0-9] *
install-data-am :
@echo "Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules" ;
install-full : install install -conf install -rules
install-conf :
install -d " $( DESTDIR) $( e_sysconfdir) "
@test -e " $( DESTDIR) $( e_sysconfdir) /suricata.yaml " || install -m 600 " $( top_srcdir) /suricata.yaml " " $( DESTDIR) $( e_sysconfdir) "
@test -e " $( DESTDIR) $( e_sysconfdir) /classification.config " || install -m 600 " $( top_srcdir) /classification.config " " $( DESTDIR) $( e_sysconfdir) "
@test -e " $( DESTDIR) $( e_sysconfdir) /reference.config " || install -m 600 " $( top_srcdir) /reference.config " " $( DESTDIR) $( e_sysconfdir) "
@test -e " $( DESTDIR) $( e_sysconfdir) /threshold.config " || install -m 600 " $( top_srcdir) /threshold.config " " $( DESTDIR) $( e_sysconfdir) "
install -d " $( DESTDIR) $( e_logfilesdir) "
install -d " $( DESTDIR) $( e_logcertsdir) "
install -d " $( DESTDIR) $( e_rundir) "
install -m 770 -d " $( DESTDIR) $( e_localstatedir) "
install-rules :
install -d " $( DESTDIR) $( e_sysconfrulesdir) "
i f H A V E _ F E T C H _ C O M M A N D
i f H A V E _ W G E T _ C O M M A N D
$( HAVE_WGET) -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C " $( DESTDIR) $( e_sysconfdir) " -f -
e l s e
$( HAVE_CURL) -s http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C " $( DESTDIR) $( e_sysconfdir) " -f -
e n d i f
e l s e
@echo "UNABLE to load ruleset wget or curl are not installed on system."
e n d i f
@test -e " $( DESTDIR) $( e_sysconfrulesdir) decoder-events.rules " || install -m 600 " $( top_srcdir) /rules/decoder-events.rules " " $( DESTDIR) $( e_sysconfrulesdir) "
@test -e " $( DESTDIR) $( e_sysconfrulesdir) stream-events.rules " || install -m 600 " $( top_srcdir) /rules/stream-events.rules " " $( DESTDIR) $( e_sysconfrulesdir) "
@test -e " $( DESTDIR) $( e_sysconfrulesdir) smtp-events.rules " || install -m 600 " $( top_srcdir) /rules/smtp-events.rules " " $( DESTDIR) $( e_sysconfrulesdir) "
@test -e " $( DESTDIR) $( e_sysconfrulesdir) http-events.rules " || install -m 600 " $( top_srcdir) /rules/http-events.rules " " $( DESTDIR) $( e_sysconfrulesdir) "
@test -e " $( DESTDIR) $( e_sysconfrulesdir) dns-events.rules " || install -m 600 " $( top_srcdir) /rules/dns-events.rules " " $( DESTDIR) $( e_sysconfrulesdir) "
@test -e " $( DESTDIR) $( e_sysconfrulesdir) modbus-events.rules " || install -m 600 " $( top_srcdir) /rules/modbus-events.rules " " $( DESTDIR) $( e_sysconfrulesdir) "
@echo ""
@echo " You can now start suricata by running as root something like ' $( DESTDIR) $( bindir) /suricata -c $( DESTDIR) $( e_sysconfdir) /suricata.yaml -i eth0'. "
@echo ""
@echo "If a library like libhtp.so is not found, you can run suricata with:"
@echo "'LD_LIBRARY_PATH=" $( DESTDIR) $( prefix) /lib" " $( DESTDIR) $( bindir) /suricata" -c " $( DESTDIR) $( e_sysconfdir) /suricata.yaml" -i eth0'."
@echo ""
@echo "While rules are installed now, it's highly recommended to use a rule manager for maintaining rules."
@echo "The two most common are Oinkmaster and Pulledpork. For a guide see:"
@echo "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster"
