Added inline mode support on Windows

remotes/origin/master-1.0.x
Jan Jezek 16 years ago committed by Victor Julien
parent 6d39ffc2be
commit 366671a8ce

@ -313,6 +313,10 @@ AC_INIT(configure.in)
CFLAGS="$CFLAGS -DNFQ"
#libnfnetlink
case $host in
*-*-mingw32*)
;;
*)
AC_ARG_WITH(libnfnetlink_includes,
[ --with-libnfnetlink-includes=DIR libnfnetlink include directory],
[with_libnfnetlink_includes="$withval"],[with_libnfnetlink_includes=no])
@ -343,6 +347,8 @@ AC_INIT(configure.in)
echo
exit
fi
;;
esac
#libnetfilter_queue
AC_ARG_WITH(libnetfilter_queue_includes,
@ -365,7 +371,25 @@ AC_INIT(configure.in)
#LDFLAGS="${LDFLAGS} -lnetfilter_queue"
NFQ=""
case $host in
*-*-mingw32*)
AC_CHECK_LIB(netfilter_queue, nfq_open,, NFQ="no",-lws2_32)
AC_ARG_WITH(netfilterforwin_includes,
[ --with-netfilterforwin-includes=DIR netfilterforwin include directory],
[with_netfilterforwin_includes="$withval"],[with_netfilterforwin_includes=no])
if test "$with_netfilterforwin_includes" != "no"; then
CPPFLAGS="${CPPFLAGS} -I${with_netfilterforwin_includes}"
else
CPPFLAGS="${CPPFLAGS} -I../../netfilterforwin"
fi
;;
*)
AC_CHECK_LIB(netfilter_queue, nfq_open,, NFQ="no",)
;;
esac
if test "$NFQ" = "no"; then
echo
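Review bot: The default include path in the `*-*-mingw32*)` branch, `CPPFLAGS="${CPPFLAGS} -I../../netfilterforwin"`, is relative to whatever directory the compiler is invoked in rather than to the source root, so an out-of-tree build or a checkout placed differently from what the WIN32 notes describe silently picks up no netfilterforwin headers (or the wrong ones). Anchoring it on the source tree, e.g. `CPPFLAGS="${CPPFLAGS} -I\$(top_srcdir)/../netfilterforwin"` (quoted so make expands it), would make the default hold wherever configure is run. Separately, `-lws2_32` is given to `AC_CHECK_LIB` only as an extra library for the probe itself; if the final link of suricata.exe also needs it, this branch has to add it to `LIBS`/`LDFLAGS` as well — I cannot tell from this hunk whether that is done elsewhere.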

@ -1,8 +1,9 @@
WIN32
=====
This file describes how to build and run Suricata on Windows. Currently
Windows XP and above are supported.
This section describes how to build and run Suricata on Windows. Currently
Windows XP and above are supported and only in the IDS pcap mode. You will need to download and install 7zip (www.7-zip.org) to extract these files.
Preparing the build environment
===============================
1. Setup MinGW environment from http://mingw.org
@ -79,7 +80,7 @@ the following packages to c:\mingw (use newer versions if you like):
- Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib
- Rename libwpcap to libpcap
8. Get and compile Suricata
7. Get and compile Suricata
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
@ -91,16 +92,69 @@ the following packages to c:\mingw (use newer versions if you like):
./autogen.sh
./configure CFLAGS="-DYAML_DECLARE_STATIC"
# add --enable-nfqueue as parameter to configure to enable inline mode
make
If everything goes well, you'll end up with suricata.exe in src/.lib. To test it
you will need libpcre-0.dll ,libz-1.dll, and pthreadGC2.dll which you already have somewhere
under c:/mingw or c:/msys. To try it out:
you will need libpcre-0.dll, libz-1.dll, and pthreadGC2.dll which you already have somewhere
under c:/mingw or c:/msys. To prepare the runtime environment:
- copy the executable and the DLLs to a dedicated directory
- get there classification.config and suricata.yaml
- edit suricata.yaml (at least set the directories correctly)
PCAP Mode
=========
Make sure you have winpcap runtime and driver installed and then:
- determine your eth device UUID in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
- now cross your fingers and do:
suricata.exe -c suricata.yaml -i \DEVICE\NPF_{your device uuid}
suricata.exe -c suricata.yaml -i \DEVICE\{your device uuid}
Inline Mode
===========
You need to downoad, compile and install netfilterforwin (the netfilter.sys
driver and Windows port of the libnetfilter_queue library):
1. Download and install Windows Driver Kit from Microsoft
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
2. Download netfilterforwin
http://sourceforge.net/projects/netfilterforwin/
Unpack it so the netfilterforwin directory (omit the version from its name)
is beside the oisf directory.
3. Compile the driver
- Open the build environment from you Start menu:
Start->All Programs->windows Driver Kits->WDK xxxx.yyyy.z->Build Environments
->Windows Server 2003->x86 Free Build Environment
(or the one which is proper for your system)
- cd to netfilterforwin/netfilter
- enter command:
nmake
4. Install the driver
- copy inf/* files and the freshly built netfilter.sys to a separate directory
- open network connecions
- right-click an interface, select properties
- click install...
- select service
- click add
- click 'have disk...'
- browse to the directory with the inf files and netfilter.sys, select netfilter.inf anc click ok
- confirm everything
You should have the driver installed now.
5. Run Suricata in inline mode:
suricata.exe -c suricata.yaml -q 0

@ -196,8 +196,9 @@ static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
TmEcode NFQInitThread(NFQThreadVars *nfq_t, uint16_t queue_num, uint32_t queue_maxlen)
{
#ifndef OS_WIN32
struct timeval tv;
#endif
nfq_t->queue_num = queue_num;
SCLogDebug("opening library handle");
@ -268,6 +269,7 @@ TmEcode NFQInitThread(NFQThreadVars *nfq_t, uint16_t queue_num, uint32_t queue_m
}
#endif /* HAVE_NFQ_MAXLEN */
#ifndef OS_WIN32
/* set netlink buffer size to a decent value */
nfnl_rcvbufsiz(nfq_nfnlh(nfq_t->h), queue_maxlen * 1500);
SCLogInfo("setting nfnl bufsize to %" PRId32 "", queue_maxlen * 1500);
@ -286,6 +288,12 @@ TmEcode NFQInitThread(NFQThreadVars *nfq_t, uint16_t queue_num, uint32_t queue_m
SCLogDebug("nfq_t->h %p, nfq_t->nh %p, nfq_t->qh %p, nfq_t->fd %" PRId32 "",
nfq_t->h, nfq_t->nh, nfq_t->qh, nfq_t->fd);
#else /* OS_WIN32 */
SCMutexInit(&nfq_t->mutex_qh, NULL);
nfq_t->ovr.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
nfq_t->fd = nfq_fd(nfq_t->h);
SCLogDebug("nfq_t->h %p, nfq_t->qh %p, nfq_t->fd %p", nfq_t->h, nfq_t->qh, nfq_t->fd);
#endif /* OS_WIN32 */
return TM_ECODE_OK;
}
@ -293,9 +301,11 @@ TmEcode ReceiveNFQThreadInit(ThreadVars *tv, void *initdata, void **data) {
SCMutexLock(&nfq_init_lock);
SCLogDebug("starting... will bind to queuenum %" PRIu32 "", receive_queue_num);
#ifndef OS_WIN32
sigset_t sigs;
sigfillset(&sigs);
pthread_sigmask(SIG_BLOCK, &sigs, NULL);
#endif /* OS_WIN32 */
NFQThreadVars *ntv = &nfq_t[receive_queue_num];
@ -354,10 +364,49 @@ void NFQRecvPkt(NFQThreadVars *t) {
int rv, ret;
char buf[70000];
#ifdef OS_WIN32
static int timeouted = 0;
if (timeouted) {
if (WaitForSingleObject(t->ovr.hEvent, 1000) == WAIT_TIMEOUT) {
rv = -1;
errno = EINTR;
goto process_rv;
}
timeouted = 0;
}
read_packet_again:
if (!ReadFile(t->fd, buf, sizeof(buf), (DWORD*)&rv, &t->ovr)) {
if (GetLastError() != ERROR_IO_PENDING) {
rv = -1;
errno = EIO;
} else {
if (WaitForSingleObject(t->ovr.hEvent, 1000) == WAIT_TIMEOUT) {
rv = -1;
errno = EINTR;
timeouted = 1;
} else {
/* We needn't to call GetOverlappedResult() because it always fail with our error code ERROR_MORE_DATA. */
goto read_packet_again;
}
}
}
process_rv:
#else /* OS_WIN32 */
/* XXX what happens on rv == 0? */
rv = recv(t->fd, buf, sizeof(buf), 0);
#endif /* OS_WIN32 */
if (rv < 0) {
if (errno == EINTR || errno == EWOULDBLOCK) {
if (errno == EINTR
#ifndef OS_WIN32
|| errno == EWOULDBLOCK
#endif
) {
/* no error on timeout */
} else {
#ifdef COUNTERS
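Review bot: The Win32 read path in the NFQRecvPkt hunk returns with an overlapped ReadFile still outstanding against the automatic `buf` when the 1000 ms wait times out (the `timeouted = 1` branch), so the driver may later complete the read into a stack frame that no longer exists, and on the next call the `timeouted = 0` path falls straight into a fresh ReadFile without ever collecting that completed result. The `static int timeouted` is also function-scope and therefore shared by every receive thread (ReceiveNFQThreadInit indexes `nfq_t[receive_queue_num]`), while the pending I/O it tracks belongs to one thread and one `t->ovr`. Cancelling the read and waiting for the cancellation before returning on timeout removes the dangling I/O and the static together; the rewritten branch is below, with the `timeouted` block at the top of the function dropped. `CreateEvent` in the NFQInitThread hunk is likewise unchecked, so `hEvent` may be NULL and every wait here would then fail immediately. NFQRecvPkt continues past the end of this hunk.
```c
read_packet_again:
    if (!ReadFile(t->fd, buf, sizeof(buf), (DWORD*)&rv, &t->ovr)) {
        if (GetLastError() != ERROR_IO_PENDING) {
            rv = -1;
            errno = EIO;
        } else if (WaitForSingleObject(t->ovr.hEvent, 1000) == WAIT_TIMEOUT) {
            /* nothing may stay outstanding against the automatic buf:
             * cancel the read and wait for the cancellation to finish */
            DWORD done;
            CancelIo(t->fd);
            GetOverlappedResult(t->fd, &t->ovr, &done, TRUE);
            rv = -1;
            errno = EINTR;
        } else {
            /* … unchanged: re-issue the read, see the ERROR_MORE_DATA comment … */
            goto read_packet_again;
        }
    }
    /* … unchanged: process_rv label and the non-Win32 recv() path … */
```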

@ -6,7 +6,11 @@
#ifdef NFQ
#include "threads.h"
#ifdef OS_WIN32
#include <netfilter/netfilter.h>
#else
#include <linux/netfilter.h> /* for NF_ACCEPT */
#endif
#include <libnetfilter_queue/libnetfilter_queue.h>
#define NFQ_MAX_QUEUE 16
@ -27,13 +31,19 @@ typedef struct NFQPacketVars_
typedef struct NFQThreadVars_
{
struct nfq_handle *h;
#ifndef OS_WIN32
struct nfnl_handle *nh;
int fd;
#else
HANDLE fd;
OVERLAPPED ovr;
#endif
/* 2 threads deal with the queue handle, so add a mutex */
struct nfq_q_handle *qh;
SCMutex mutex_qh;
/* this one should be not changing after init */
uint16_t queue_num;
int fd;
#ifdef DBG_PERF
int dbg_maxreadsize;
#endif /* DBG_PERF */
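Review bot: The new `HANDLE fd;` / `OVERLAPPED ovr;` members say nothing about who owns the event inside `ovr`; it is created with CreateEvent in NFQInitThread and waited on in NFQRecvPkt, but no CloseHandle for it appears anywhere in this commit. I would put `/* overlapped read state; ovr.hEvent is created by NFQInitThread and must be closed on thread deinit */` above `OVERLAPPED ovr;`, and confirm that the deinit path (not in this diff) actually closes it. The header also depends on `HANDLE` and `OVERLAPPED` being in scope; if `<windows.h>` is not already pulled in through one of the existing includes, the `#ifdef OS_WIN32` block at the top of this section is the place for it.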
