mirror of https://github.com/OISF/suricata
cybersecurityidsintrusion-detection-systemintrusion-prevention-systemipsnetwork-monitornetwork-monitoringnsmsecuritysuricatathreat-hunting
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
20a8b9dbe5
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
* Client connects to the socket
* It sends a version message: { "version": "$VERSION_ID" }
* Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.
Configuration of the feature is made in the YAML under the 'unix-command'
section:
unix-command:
enabled: yes
filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.
A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.
To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.
THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.
This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.
Two other commands exists to get info on the remaining tasks:
* pcap-file-number: return the number of files in the waiting queue
* pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
{
'count': 2,
'files': ['file1.pcap', 'file2.pcap']
}
|
13 years ago | |
|---|---|---|
| benches | 16 years ago | |
| contrib | 13 years ago | |
| doc | 13 years ago | |
| libhtp | 13 years ago | |
| m4 | 16 years ago | |
| qa | 13 years ago | |
| rules | 13 years ago | |
| scripts | 13 years ago | |
| src | 13 years ago | |
| .gitignore | 15 years ago | |
| COPYING | 16 years ago | |
| ChangeLog | 13 years ago | |
| LICENSE | 16 years ago | |
| Makefile.am | 13 years ago | |
| Makefile.cvs | 16 years ago | |
| acsite.m4 | 16 years ago | |
| autogen.sh | 13 years ago | |
| classification.config | 15 years ago | |
| configure.ac | 13 years ago | |
| doxygen.cfg | 13 years ago | |
| mkinstalldirs | 16 years ago | |
| reference.config | 14 years ago | |
| suricata.yaml.in | 13 years ago | |
| threshold.config | 13 years ago | |