Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

cybersecurity ids intrusion-detection-system intrusion-prevention-system ips network-monitor network-monitoring nsm security suricata threat-hunting

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Victor Julien 70c16f50e7 flow-manager: optimize hash walking Until now the flow manager would walk the entire flow hash table on an interval. It would thus touch all flows, leading to a lot of memory and cache pressure. In scenario's where the number of tracked flows run into the hundreds on thousands, and the memory used can run into many hundreds of megabytes or even gigabytes, this would lead to serious performance degradation. This patch introduces a new approach. A timestamp per flow bucket (hash row) is maintained by the flow manager. It holds the timestamp of the earliest possible timeout of a flow in the list. The hash walk skips rows with timestamps beyond the current time. As the timestamp depends on the flows in the hash row's list, and on the 'state' of each flow in the list, any addition of a flow or changing of a flow's state invalidates the timestamp. The flow manager then has to walk the list again to set a new timestamp. A utility function FlowUpdateState is introduced to change Flow states, taking care of the bucket timestamp invalidation while at it. Empty flow buckets use a special value so that we don't have to take the flow bucket lock to find out the bucket is empty. This patch also adds more performance counters: flow_mgr.flows_checked \| Total \| 929 flow_mgr.flows_notimeout \| Total \| 391 flow_mgr.flows_timeout \| Total \| 538 flow_mgr.flows_removed \| Total \| 277 flow_mgr.flows_timeout_inuse \| Total \| 261 flow_mgr.rows_checked \| Total \| 1000000 flow_mgr.rows_skipped \| Total \| 998835 flow_mgr.rows_empty \| Total \| 290 flow_mgr.rows_maxlen \| Total \| 2 flow_mgr.flows_checked: number of flows checked for timeout in the last pass flow_mgr.flows_notimeout: number of flows out of flow_mgr.flows_checked that didn't time out flow_mgr.flows_timeout: number of out of flow_mgr.flows_checked that did reach the time out flow_mgr.flows_removed: number of flows out of flow_mgr.flows_timeout that were really removed flow_mgr.flows_timeout_inuse: number of flows out of flow_mgr.flows_timeout that were still in use or needed work flow_mgr.rows_checked: hash table rows checked flow_mgr.rows_skipped: hash table rows skipped because non of the flows would time out anyway The counters below are only relating to rows that were not skipped. flow_mgr.rows_empty: empty hash rows flow_mgr.rows_maxlen: max number of flows per hash row. Best to keep low, so increase hash-size if needed. flow_mgr.rows_busy: row skipped because it was locked by another thread		10 years ago
benches	Initial add of the files.	17 years ago
contrib	suri-graphite: add ouput to file option	11 years ago
doc	Fix make distcheck on CentOS 5.11	11 years ago
lua	output-lua: add SCPacketTimeString	12 years ago
m4	Prelude plugin: add detection in configure script	17 years ago
qa	coccinelle: add siginit test	10 years ago
rules	defrag: use frag_pkt_too_large instead of frag_too_large	10 years ago
scripts	setup-app-layer-logger.sh: update for logging changes	10 years ago
src	flow-manager: optimize hash walking	10 years ago
.gitignore	gitignore: update to hide more local files	10 years ago
.travis.yml	travis: set CFLAGS to error on cc warnings	10 years ago
COPYING	GPL license sync with official gpl-2.0.txt	11 years ago
ChangeLog	Update Changelog for 3.1.2	10 years ago
LICENSE	GPL license sync with official gpl-2.0.txt	11 years ago
Makefile.am	build: install app-layer-events.rules	10 years ago
Makefile.cvs	Initial add of the files.	17 years ago
README.md	readme: initial readme for github	10 years ago
acsite.m4	Added C99 defs/macros to acsite.m4 for CentOS	17 years ago
autogen.sh	OpenBSD 5.2 build fixes, Unit test fix.	14 years ago
classification.config	Import of classification.config	16 years ago
config.rpath	Add file needed for some autotools version.	13 years ago
configure.ac	configure: set correct cppflags for enabled nfqueue	10 years ago
doxygen.cfg	doxygen: define UNITTESTS to generate test framework docs	10 years ago
reference.config	Update reference.config	12 years ago
suricata.yaml.in	offloading: make disabling offloading configurable	10 years ago
threshold.config	threshold: improve comments of shipped threshold.config, add links to wiki.	14 years ago

README.md

======== Suricata

Introduction

Suricata is a network IDS, IPS and NSM engine.

Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

User Guide

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide

Contributing

We're happily taking patches and other contributions. Please see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for how to get started.

Suricata is a complex piece of software dealing with mostly untrusted input. Mishandling this input will have serious consequences: in IPS mode a crash may knock a network offline; in passive mode a compromise of the IDS may lead to loss of critical and confidential data; missed detection may lead to undetected compromise of the network. In other words, we think the stakes are pretty high, especially since in many common cases the IDS/IPS will be directly reachable by an attacker.

For this reason, we have developed a QA process that is quite extensive. A consequence is that contributing to Suricata can be a somewhat lengthy process.

On a high level, the steps are:

Travis-CI based build & unit testing. This runs automatically when a pull request is made.
Review by devs from the team and community
QA runs

Overview of Suricata's QA steps

Trusted devs and core team members are able to submit builds to our (semi) public Buildbot instance. It will run a series of build tests and a regression suite to confirm no existing features break.

The final QA run takes a few hours minimally, and is started by Victor. It currently runs:

extensive build tests on different OS', compilers, optimization levels, configure features
static code analysis using cppcheck, scan-build
runtime code analysis using valgrind, DrMemory, AddressSanitizer, LeakSanitizer
regression tests for past bugs
output validation of logging
unix socket testing
pcap based fuzz testing using ASAN and LSAN

Next to these tests, based on the type of code change further tests can be run manually:

traffic replay testing (multi-gigabit)
large pcap collection processing (multi-terabytes)
AFL based fuzz testing (might take multiple days or even weeks)
pcap based performance testing
live performance testing
various other manual tests based on evaluation of the proposed changes

It's important to realize that almost all of the tests above are used as acceptance tests. If something fails, it's up to you to address this in your code.

One step of the QA is currently run post-merge. We submit builds to the Coverity Scan program. Due to limitations of this (free) service, we can submit once a day max. Of course it can happen that after the merge the community will find issues. For both cases we request you to help address the issues as they may come up.

FAQ

Q: Will you accept my PR?

A: That depends on a number of things, including the code quality. With new features it also depends on whether the team and/or the community think the feature is useful, how much it affects other code and features, the risk of performance regressions, etc.

Q: When will my PR be merged?

A: It depends, if it's a major feature or considered a high risk change, it will probably go into the next major version.

Q: Why was my PR closed?

A: As documented in the Suricata Github workflow here https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Github_work_flow, we expect a new pull request for every change.

Normally, the team (or community) will give feedback on a pull request after which it is expected to be replaced by an improved PR. So look at the comments. If you disagree with the comments we can still discuss them in the closed PR.

If the PR was closed without comments it's likely due to QA failure. If the Travis-CI check failed, the PR should be fixed right away. No need for a discussion about it, unless you believe the QA failure is incorrect.

Q: the compiler/code analyser/tool is wrong, what now?

A: to assist in the automation of the QA, we're not accepting warnings or errors to stay. In some cases this could mean that we add a suppression if the tool supports that (e.g. valgrind, DrMemory). Some warnings can be disabled. In some exceptional cases the only 'solution' is to refactor the code to work around a static code checker limitation false positive. While frusterating, we prefer this over leaving warnings in the output. Warnings tend to get ignored and then increase risk of hiding other warnings.

Q: I think your QA test is wrong

A: If you really think it is, we can discuss how to improve it. But don't come to this conclusion to quickly, moreoften it's the code that turns out to be wrong.

Q: do you require signing of a contributor license agreement?

A: Yes, we do this to keep the ownership of Suricata in one hand: the Open Information Security Foundation. See http://suricata-ids.org/about/open-source/ and http://suricata-ids.org/about/contribution-agreement/