You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

History

Jason Ish 9d5158594f util-device: break into public and private definitions util-device.h exposes some details that are particularly problematic for C++, even when wrapped in 'extern "C"'. To address this, break the header into public and private parts. The public part exposes LiveDevice as an opaque data structure, while the private header has the actual definition. The idea is that only Suricata C source files should include the private header, it should not be re-included in any other header file. And this is the header library users should use, however we don't enforce it with tecnical means, a library user could still include the private header, but the clue there is in the name.		3 months ago
..
Makefile.am	pf-ring: add as plugin	1 year ago
README.md	pf-ring: add as plugin	1 year ago
plugin.c	plugins: check version for all plugins	4 months ago
runmode-pfring.c	rust/conf: use generated bindings to SCConf API	3 months ago
runmode-pfring.h	pf-ring: add as plugin	1 year ago
source-pfring.c	util-device: break into public and private definitions	3 months ago
source-pfring.h	pf-ring: add as plugin	1 year ago

README.md

PF_RING Plugin Capture Plugin

Building

To build this plugin, built Suricata with the --enable-pfring and optionally the --with-libpfring-includes and --with-libpfring-libraries command line options.

Running

/usr/local/suricata/bin/suricata \
    --set plugins.0=/usr/local/lib/suricata/pfring.so \
    --capture-plugin=pfring-plugin \
    --set pfring.0.interface=eno1

--set plugins.0=/usr/local/lib/suricata/pfring.so

This command line option tells Suricata about this plugin. This could also be done in suricata.yaml with the following section:

plugins:
  - /usr/local/lib/suricata/pfring.so

--capture-plugin=pfring-plugin

This is the option that tells Suricata to use a plugin for capture, much like --pcap tells Suricata to use libpcap or --af-packet tells Suricata to use AF_PACKET. Here we are telling it to look for a loaded plugin of the name pfring-plugin to provide the capture method.

--set pfring.0.interface=eno1

This is just overriding the interface name in the example pfring configuration found in the default suricata.yaml, which this plugin knows how to read already as its based off the PF_RING support in Suricata proper.

There is another command line option --capture-plugin-args to pass arbitrary data on the command line a capture plugin, but this plugin does not yet handle data provided through this command line parameter.