aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-8.0.x
main
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.4
suricata-7.0.15
suricata-8.0.3
suricata-7.0.14
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '841f2b21e6'
${ noResults }
suricata/doc/userguide
History
Lukas Sismis e0f2cdf7c3 hs: prune stale MPM cache files 
Hyperscan MPM can cache the compiled contexts to files.
This however grows as rulesets change and leads to bloating
the system. This addition prunes the stale cache files based
on their modified file timestamp.

Part of this work incorporates new model for MPM cache stats
to split it out from the cache save function and aggregate
cache-related stats in one place (newly added pruning).

Ticket: 7893
(cherry picked from commit 15c83be61a)

hs: suppress TOCTOU stat use

To explain a bit more the TOCTOU issue found, we can consider
a case where Suricata starts to prune, yet externally somebody also
starts erasing cache files.
Right after Suricata checks the file age with the stat function,
somebody may delete or update the file of our interest.

Suricata aging decision doesn't reflect the actual state of the file.
This commit additionally adds a check for noent failure of the unlink operation
(considered as a success). The code can still delete a file that is recently
updated but was considered stale.

In the documentation-following deployments this should not happen anyway as
one cache folder should only be used by a single Suricata instance (and within
Suricata instance only one thread handles cache eviction).
Additionally, the `stat` and `unlink` command are immediatelly followed, making
this scenario extra unlikely.

Additional comment in the code explains problems of using fstat and potential
issues on Windows.

Ticket: 8244
(cherry picked from commit 0fe0390a2f)

hs/cache: cleaner and more detailed output

Reduce logging level of a minor informational message.

Split tracking of pruning by age and by version and log those
separately, where the logging only appears if something has been
removed.

Ticket: 8323
(cherry picked from commit 569ba3d26f)

hs: remove redundant file handle in HSLoadCache

HSLoadCache opened the cache file but never used the resulting handle
for reading. The actual read was done by HSReadStream which opened
the same file independently.

Removed the unused fopen/fclose pair and flattened the control flow.

Ticket: 8326
(cherry picked from commit d754b28717)

hs: use binary mode for cache file I/O

HSSaveCache wrote serialized Hyperscan databases using text mode ("w")
while HSReadStream already read them with binary mode ("rb").
Matched file reading modes to the binary format and simplified
write-size check.

Ticket: 8326
(cherry picked from commit 0cdc77b707)

hs: warn about the same cache directory

This is especially relevant for multi-instance simultaneous setups
as we might risk read/write races.

(cherry picked from commit 56c1552c3e)

hs: validate cached database against current HS installation

After deserializing a cached Hyperscan database, verify that its
version, CPU features, and mode match the current Hyperscan
installation by comparing hs_database_info output against a
reference database. Reject loading incompatible caches.

Ticket: 8326
(cherry picked from commit 2e7b12dda4)

hs: include HS platform info in cache file hash

Hash Hyperscan installation info (version, CPU features, mode)
into the cache filename. A Hyperscan upgrade or platform change
would now produce a different filename, so stale caches from an
older installation are never opened.

Ticket: 8326
(cherry picked from commit d640719413)

hs: address coverity warning in a reference string

Move the locking mechanism outside of the getter function and hold the
lock until the reference string is no longer reused.

** CID 1682023:       Concurrent data access violations  (MISSING_LOCK)
/src/util-mpm-hs-cache.c: 139           in HSGetReferenceDbInfo()

(cherry picked from commit 6ec9e5c957)
 		1 month ago
..
3rd-party-integration
_static doc/userguide: avoid horizontal scroll on rtd 3 years ago
appendix doc: adjust for master to main rename 7 months ago
capture-hardware doc/af-packet: document disable-hwtimestamp option 4 months ago
configuration doc/stream: explain absent reassembly.depth means unlimited 2 months ago
devguide devguide: add chapter about exception policies 2 months ago
file-extraction doc/file-extraction: fix highlight syntax 2 years ago
firewall doc/userguide: add ips chapter; add concept 7 months ago
install doc: adjust for master to main rename 7 months ago
ips doc/userguide: add ips chapter; add concept 7 months ago
licenses
lua doc/lualib: fix wrong tuple section markdown in flowlib 8 months ago
manpages userguide/suricatactl: use suricata community page 1 year ago
output userguide: fix Deprecations, warn about syslog 2 months ago
partials doc/suricatasc: Mentioned get-flow-stats-by-id cmd 9 months ago
performance hs: prune stale MPM cache files 1 month ago
plugins doc/ndpi: move ndpi docs to new plugins section 1 year ago
reputation doc: spelling 3 years ago
rule-management doc/reload: Expand rule-reload discussion 10 months ago
rules doc: be more precise for decompress transforms 2 months ago
upgrade doc/upgrade: note about dns address swap on responses 11 months ago
.gitignore doc/userguide: generate eve documentation 2 years ago
Makefile.am userguide/Makefile: don't add "install" to EXTRA_DIST 2 months ago
Makefile.sphinx
README.md devguide: move into userguide as last chapter 4 years ago
acknowledgements.rst doc: Add missing contributors to ack file 11 months ago
command-line-options.rst
conf.py docs: fix deprecated inclusion of rtd theme path 8 months ago
convert.py doc/optimization: move "convert.py" to Python3 3 years ago
docutils.conf doc: add docutils.conf to disable smart quotes 3 years ago
generate-evedoc.sh doc/userguide: generate eve documentation 2 years ago
index.rst doc/userguide: add a known issues page 6 months ago
initscripts.rst
install.rst docs: use correct suricata version mentions 3 months ago
known-issues.rst doc/userguide: add a known issues page 6 months ago
make-sense-alerts.rst
public-data-sets.rst doc: add more public datasets 2 months ago
quickstart.rst af-packet: remove use-mmap option 1 year ago
requirements.txt docs: adjust readthedocs config to new options 3 years ago
security.rst doc: fix typo /var/run/suricata in file permissions docs. 6 months ago
support-status.rst devguide: make 'contributing' a chapter 2 years ago
unix-socket.rst doc: adjust for master to main rename 7 months ago
upgrade.rst hs: prune stale MPM cache files 1 month ago
verifying-source-files.rst docs: use correct suricata version mentions 3 months ago
what-is-suricata.rst

README.md

Suricata User Guide

This directory contains the Suricata Guide. The Suricata Developer's guide is included as a chapter of the Guide. The Sphinx Document Generator is used to build the documentation. For a primer os reStructuredText see the reStructuredText Primer.

Verifying Changes

There are a number of output formats to choose from when making the source documentation locally (e.g. html, pdf, man).

The documentation source can be built with make -f Makefile.sphinx html. Substitute the 'html' word for desired output format.

There are different application dependencies based on the output desired.