Project

General

Profile

Actions

Task #2693

open

tracking: libsuricata

Added by Victor Julien over 5 years ago. Updated 3 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Effort:
high
Difficulty:
high
Label:

Description

This request came up at Suricon2018, but has come up before. The idea is to turn much of Suricata into a library that can be reused in other tools.

The first step would be to define some of the use cases we'd like to initially support so that an API could be designed for that.

Goals for 8.0:
- Allow a library user to replicate the Suricata application by exposing all functions needed by the current SuricataMain, or refactoring to allow this.
- Given replication of Suricata, allow the library user to register custom capture modes and output callbacks
- Allow the user to bring their own threads

General library challenges given we've been an application for so long:
- Command line parsing should be opt-in
- Loading the configuration file should be opt-in
- Registering signal handlers should be opt-in, but the functionality they provide should be exposed to the library user can easily call them
- A library should never fatal exit outside of extreme conditions, instead error codes must be ripple back to where the library user can decide what to do
- Global state should be non-existent. One could imagine where a user might want to have a "handle" on multiple discrete Suricata instances.

Future goals:
- Remove global state
- Improve developer experience. I imagine an interface where you bootstrap a Suricata "engine" and feed your own packets into
- Refactor modules to make them more usable outside the scope of Suricata? What modules would make sense here? Capture methods, just to get packets. Flow, to defrag, or TCP re-assembly if you already have your own packets.

Scope:
- Initially, the should be limited to code that Suricata uses itself. That is, Suricata the application is a user of the library. If Suricata the application does not use a module, it should be looked at closely if it belongs in the library, mainly for scope, QA, and support reasons.


Subtasks 6 (6 open0 closed)

Task #4682: tracking: clean up globals and thread localsNewActions
Task #4683: detect: remove sigmatch_table in favor of a dynamic storage optionIn ReviewPhilippe AntoineActions
Task #4684: libsuricata: define global context types for instance and per thread storageNewActions
Task #4698: Example program to bootstrap Suricata (an alternate main() for Suricata)AssignedJason IshActions
Task #6814: libsuricata: opt-in signal handlingAssignedJason IshActions
Task #6858: libsuricata: hook for flow expectation creationNewOISF DevActions

Related issues 13 (12 open1 closed)

Related to Suricata - Task #2685: SuriCon 2018 brainstormAssignedVictor JulienActions
Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Task #4221: Build Suricata into a static and shared libraryClosedJason IshActions
Related to Suricata - Task #4429: libsuricata: Use cases with examplesNewJason IshActions
Related to Suricata - Task #4101: tracking: pluginsIn ProgressJason IshActions
Related to Suricata - Task #4704: unix-socket: separate functionality from the unix socket interfaceNewOISF DevActions
Related to Suricata - Task #4742: Make the auto-generated config.h not conflict with other config.h.AssignedJason IshActions
Related to Suricata - Task #5433: tracking: reduce number of public data structuresAssignedJason IshActions
Related to Suricata - Task #5488: Suricon 2022 brainstormAssignedVictor JulienActions
Related to Suricata - Task #2313: tracking: save & restore state when suricata restartsNewOISF DevActions
Related to Suricata - Bug #6754: libsuricata: restructure directory and files to allow for include files to be name spacedNewOISF DevActions
Related to Suricata - Task #6752: libsuricata: don't include autoconf.h from other includesNewOISF DevActions
Related to Suricata - Bug #6838: eve/filetypes: move from plugin api to eve apiIn ReviewJason IshActions
Actions #1

Updated by Victor Julien over 5 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions #2

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions #3

Updated by Victor Julien about 4 years ago

  • Assignee changed from Community Ticket to OISF Dev
Actions #4

Updated by Victor Julien about 4 years ago

  • Description updated (diff)
Actions #5

Updated by Victor Julien about 4 years ago

One of the use cases that has been brought forward is to be able to integrate the Suricata detection and logging into OVS.

Actions #6

Updated by Victor Julien over 3 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions #7

Updated by Victor Julien over 3 years ago

  • Tracker changed from Feature to Task
  • Subject changed from libsuricata to tracking: libsuricata
  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 7.0.0-beta1
Actions #8

Updated by Jason Ish over 3 years ago

  • Related to Task #4221: Build Suricata into a static and shared library added
Actions #9

Updated by Jason Ish about 3 years ago

  • Related to Task #4429: libsuricata: Use cases with examples added
Actions #10

Updated by Jason Ish over 2 years ago

Actions #11

Updated by Jason Ish over 2 years ago

  • Related to Task #4704: unix-socket: separate functionality from the unix socket interface added
Actions #12

Updated by Jason Ish over 2 years ago

  • Related to Task #4742: Make the auto-generated config.h not conflict with other config.h. added
Actions #13

Updated by Jason Ish over 2 years ago

  • Status changed from Assigned to In Progress
Actions #14

Updated by Victor Julien almost 2 years ago

  • Related to Task #5433: tracking: reduce number of public data structures added
Actions #15

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Actions #16

Updated by Philippe Antoine over 1 year ago

Use cases :
- Have packets from some other source
- Have some already reassembled stream (SSL proxy)
- Have a very dynamic way to tell which packet which should be handled by this config/ruleset (complexity from global variables), have some way for tenants to remove certain categories, or have a finite set of precompiled rulesets and have a plugin be able to tell which ruleset should be used for each packet
- Have packet returned with metadata like the alerts it has

Idea to persist precompiled ruleset

Actions #17

Updated by Philippe Antoine over 1 year ago

  • Related to Task #5488: Suricon 2022 brainstorm added
Actions #18

Updated by Philippe Antoine over 1 year ago

  • Related to Task #2313: tracking: save & restore state when suricata restarts added
Actions #19

Updated by Jason Ish 4 months ago

  • Subtask #6752 added
Actions #20

Updated by Jason Ish 4 months ago

  • Related to Bug #6754: libsuricata: restructure directory and files to allow for include files to be name spaced added
Actions #21

Updated by Jason Ish 4 months ago

  • Subtask deleted (#6752)
Actions #22

Updated by Jason Ish 4 months ago

  • Related to Task #6752: libsuricata: don't include autoconf.h from other includes added
Actions #23

Updated by Jason Ish 4 months ago

  • Description updated (diff)
Actions #24

Updated by Jason Ish 4 months ago

  • Subtask #6814 added
Actions #25

Updated by Jason Ish 3 months ago

  • Related to Bug #6838: eve/filetypes: move from plugin api to eve api added
Actions #26

Updated by Victor Julien 3 months ago

  • Subtask #6858 added
Actions

Also available in: Atom PDF