When running ./setup-app-layer.sh require the protocol name to
start with a capital letter so it looks somewhat like a proper
name. This will help give better function names.
For example:
./setup-app-layer.sh IRC
./setup-app-layer.sh Irc
will create function names starting with IRC or Irc. But we do
not want function names to start with "irc".
Gcc 4.6 will warning with -Wshadow for a local variable
named "index" as <strings.h> has a function named "index".
Newer versions of gcc handle this case.
setup-app-layer.sh sets up an application layer detector and
parser template.
setup-app-layer-logger.sh sets up a JSON application layer
transaction logger for an application parser that has
already been provisioned.
setup-app-layer-detect.sh sets up a keyword for performing
content inspections on buffers created by the application
layer.
Simplify creation of a new detect module by creating a copy of the
detect template. It sets the name and registers it in the build
system. Finally it's registration function is called.
Arguments:
- tenant id (int)
- name of handler (string)
- traffic id related to handler (int, optional)
Examples:
- register-tenant-handler 1 vlan 1111
- register-tenant-handler 8 pcap
Allow for an optional 'tenant id' argument to pcap-file. This will
allow us to force the pcap to be inspected by this tenant.
If ommited it's 0, which means it's disabled.
Make available to live mode and unix socket mode.
register-tenant:
Loads a new YAML, does basic validation.
Loads a new detection engine
Loads rules
Add new de_ctx to master store and stores tenant id in the de_ctx so
we can look it up by tenant id later.
unregister-tenant:
Gets the de_ctx, moves it to the freelist
Removes config
Introduce DetectEngineGetByTenantId, which gets a reference to the
detect engine by tenant id.
Add -c flag to run command given as argument and return the raw
JSON result. For example, it is possible to run something like.
$ suricatasc -c "iface-stat eth0"
{'message': {'pkts': 17838352, 'drop': 0, 'invalid-checksums': 1}, 'return': 'OK'}
'make install' install now suricatasc script and Python module to
the system. The suricatasc client module can now be used in other
Python projects by using 'import suricatasc'.
A transformation was needed for distribution of a module and a script.
Module in src directory is now containing most of the code and the
script only handle argument parsing and the creation of a unix socket
client through 'suricatasc' module.
The goal of this commit is to be able to use suricatasc has a library
and and program. This is done by putting all active code in class and
adding a Python magic to detect when file is used as a program.
This patch adds commandline parsing and help to suricatasc. It also
adds a verbose mode (-v) where the send and received JSON object are
shown. This should ease development of unix socket client.
This patch adds a 'conf-get' command which get the configuration
value from suricata. Argument of the command is the name of the
variable to fetch.
The command syntax is the following:
{
"command": "conf-get",
"arguments": { "variable":value}
}
This patch factorize the recv code and uses the new 'command-list'
to get the list of existing commands from suricata. This allows
suricatasc to be able to call any new command if this command does
not require an argument.
This patch adds two commands to unix-command. 'iface-list' displays
the list of interface which are sniffed by Suricata and 'iface-stat'
display the available statistics for a single interface. For now,
this is the number of packets and the number of invalid checksums.
Jason Ish
Victor Julien
Alexander Gozman
Eric Leblond
Noam Meltzer