upstream/suricata
1
0
Fork 0
mirror of https://github.com/OISF/suricata.git synced 2026-02-03 20:41:46 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
suricata/doc/userguide/devguide/codebase/installation-from-git.rst
Todd Mortimer 9c324b796e http: Use libhtp-rs. 
Ticket: #2696

There are a lot of changes here, which are described below.

In general these changes are renaming constants to conform to the
libhtp-rs versions (which are generated by cbindgen); making all htp
types opaque and changing struct->member references to
htp_struct_member() function calls; and a handful of changes to offload
functionality onto libhtp-rs from suricata, such as URI normalization
and transaction cleanup.

Functions introduced to handle opaque htp_tx_t:
- tx->parsed_uri => htp_tx_parsed_uri(tx)
- tx->parsed_uri->path => htp_uri_path(htp_tx_parsed_uri(tx)
- tx->parsed_uri->hostname => htp_uri_hostname(htp_tx_parsed_uri(tx))
- htp_tx_get_user_data() => htp_tx_user_data(tx)
- htp_tx_is_http_2_upgrade(tx) convenience function introduced to detect response status 101
  and “Upgrade: h2c" header.

Functions introduced to handle opaque htp_tx_data_t:
- d->len => htp_tx_data_len()
- d->data => htp_tx_data_data()
- htp_tx_data_tx(data) function to get the htp_tx_t from the htp_tx_data_t
- htp_tx_data_is_empty(data) convenience function introduced to test if the data is empty.

Other changes:

Build libhtp-rs as a crate inside rust. Update autoconf to no longer
use libhtp as an external dependency. Remove HAVE_HTP feature defines
since they are no longer needed.

Make function arguments and return values const where possible

htp_tx_destroy(tx) will now free an incomplete transaction

htp_time_t replaced with standard struct timeval

Callbacks from libhtp now provide the htp_connp_t and the htp_tx_data_t
as separate arguments. This means the connection parser is no longer
fetched from the transaction inside callbacks.

SCHTPGenerateNormalizedUri() functionality moved inside libhtp-rs, which
now provides normalized URI values.
The normalized URI is available with accessor function: htp_tx_normalized_uri()
Configuration settings added to control the behaviour of the URI normalization:
- htp_config_set_normalized_uri_include_all()
- htp_config_set_plusspace_decode()
- htp_config_set_convert_lowercase()
- htp_config_set_double_decode_normalized_query()
- htp_config_set_double_decode_normalized_path()
- htp_config_set_backslash_convert_slashes()
- htp_config_set_bestfit_replacement_byte()
- htp_config_set_convert_lowercase()
- htp_config_set_nul_encoded_terminates()
- htp_config_set_nul_raw_terminates()
- htp_config_set_path_separators_compress()
- htp_config_set_path_separators_decode()
- htp_config_set_u_encoding_decode()
- htp_config_set_url_encoding_invalid_handling()
- htp_config_set_utf8_convert_bestfit()
- htp_config_set_normalized_uri_include_all()
- htp_config_set_plusspace_decode()
Constants related to configuring uri normalization:
- HTP_URL_DECODE_PRESERVE_PERCENT => HTP_URL_ENCODING_HANDLING_PRESERVE_PERCENT
- HTP_URL_DECODE_REMOVE_PERCENT => HTP_URL_ENCODING_HANDLING_REMOVE_PERCENT
- HTP_URL_DECODE_PROCESS_INVALID => HTP_URL_ENCODING_HANDLING_PROCESS_INVALID

htp_config_set_field_limits(soft_limit, hard_limit) changed to
htp_config_set_field_limit(limit) because libhtp didn't implement soft
limits.

libhtp logging API updated to provide HTP_LOG_CODE constants along with
the message. This eliminates the need to perform string matching on
message text to map log messages to HTTP_DECODER_EVENT values, and the
HTP_LOG_CODE values can be used directly. In support of this,
HTP_DECODER_EVENT values are mapped to their corresponding HTP_LOG_CODE
values.

New log events to describe additional anomalies:
HTP_LOG_CODE_REQUEST_TOO_MANY_LZMA_LAYERS
HTP_LOG_CODE_RESPONSE_TOO_MANY_LZMA_LAYERS
HTP_LOG_CODE_PROTOCOL_CONTAINS_EXTRA_DATA
HTP_LOG_CODE_CONTENT_LENGTH_EXTRA_DATA_START
HTP_LOG_CODE_CONTENT_LENGTH_EXTRA_DATA_END
HTP_LOG_CODE_SWITCHING_PROTO_WITH_CONTENT_LENGTH
HTP_LOG_CODE_DEFORMED_EOL
HTP_LOG_CODE_PARSER_STATE_ERROR
HTP_LOG_CODE_MISSING_OUTBOUND_TRANSACTION_DATA
HTP_LOG_CODE_MISSING_INBOUND_TRANSACTION_DATA
HTP_LOG_CODE_ZERO_LENGTH_DATA_CHUNKS
HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD
HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD_NO_PROTOCOL
HTP_LOG_CODE_REQUEST_LINE_UNKNOWN_METHOD_INVALID_PROTOCOL
HTP_LOG_CODE_REQUEST_LINE_NO_PROTOCOL
HTP_LOG_CODE_RESPONSE_LINE_INVALID_PROTOCOL
HTP_LOG_CODE_RESPONSE_LINE_INVALID_RESPONSE_STATUS
HTP_LOG_CODE_RESPONSE_BODY_INTERNAL_ERROR
HTP_LOG_CODE_REQUEST_BODY_DATA_CALLBACK_ERROR
HTP_LOG_CODE_RESPONSE_INVALID_EMPTY_NAME
HTP_LOG_CODE_REQUEST_INVALID_EMPTY_NAME
HTP_LOG_CODE_RESPONSE_INVALID_LWS_AFTER_NAME
HTP_LOG_CODE_RESPONSE_HEADER_NAME_NOT_TOKEN
HTP_LOG_CODE_REQUEST_INVALID_LWS_AFTER_NAME
HTP_LOG_CODE_LZMA_DECOMPRESSION_DISABLED
HTP_LOG_CODE_CONNECTION_ALREADY_OPEN
HTP_LOG_CODE_COMPRESSION_BOMB_DOUBLE_LZMA
HTP_LOG_CODE_INVALID_CONTENT_ENCODING
HTP_LOG_CODE_INVALID_GAP
HTP_LOG_CODE_ERROR

The new htp_log API supports consuming log messages more easily than
walking a list and tracking the current offset. Internally, libhtp-rs
now provides log messages as a queue of htp_log_t, which means the
application can simply call htp_conn_next_log() to fetch the next log
message until the queue is empty. Once the application is done with a
log message, they can call htp_log_free() to dispose of it.

Functions supporting htp_log_t:
htp_conn_next_log(conn) - Get the next log message
htp_log_message(log) - To get the text of the message
htp_log_code(log) - To get the HTP_LOG_CODE value
htp_log_free(log) - To free the htp_log_t
2025-04-04 02:35:12 +02:00

154 lines
3.4 KiB
ReStructuredText
Raw Permalink Blame History

.. _Installation from GIT:
Installation from GIT
=====================
Ubuntu Installation from GIT
----------------------------
This document will explain how to install and use the most recent code of
Suricata on Ubuntu. Installing from GIT on other operating systems is
basically the same, except that some commands are Ubuntu-specific
(like sudo and apt-get). In case you are using another operating system,
you should replace those commands with your OS-specific commands.
.. note::
These instructions were tested on Ubuntu 22.04.
Pre-installation requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Before you can build Suricata for your system, run the following command
to ensure that you have everything you need for the installation.
.. code-block:: bash
sudo apt-get -y install libpcre2-dev build-essential autoconf \
automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev \
pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make \
libmagic-dev libjansson-dev rustc cargo jq git-core
Add ``${HOME}/.cargo/bin`` to your path:
.. code-block:: bash
export PATH=$PATH:${HOME}/.cargo/bin
cargo install --force cbindgen
Depending on the current status of your system, it may take a while to
complete this process.
**IPS**
By default, Suricata works as an IDS. If you want to use it as an IDS and IPS
program, enter:
.. code-block:: bash
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \
libnfnetlink-dev libnfnetlink0
Suricata
~~~~~~~~
First, it is convenient to create a directory for Suricata.
Name it 'suricata' or 'oisf', for example. Open the terminal and enter:
.. code-block:: bash
mkdir suricata # mkdir oisf
Followed by:
.. code-block:: bash
cd suricata # cd oisf
Next, enter the following line in the terminal:
.. code-block:: bash
git clone https://github.com/OISF/suricata.git
cd suricata
Suricata-update is not bundled. Get it by doing:
.. code-block:: bash
./scripts/bundle.sh
Followed by:
.. code-block:: bash
./autogen.sh
To configure, please enter:
.. code-block:: bash
./configure
To compile, please enter:
.. code-block:: bash
make
To install Suricata, enter:
.. code-block:: bash
sudo make install
sudo ldconfig
Auto-setup
~~~~~~~~~~
You can also use the available auto-setup features of Suricata. Ex:
.. code-block:: bash
./configure && make && sudo make install-conf
*make install-conf*
would do the regular "make install" and then it would automatically
create/setup all the necessary directories and ``suricata.yaml`` for you.
.. code-block:: bash
./configure && make && make install-rules
*make install-rules*
would do the regular "make install" and then it would automatically download
and set-up the latest ruleset from Emerging Threats available for Suricata.
.. code-block:: bash
./configure && make && make install-full
*make install-full*
would combine everything mentioned above (install-conf and install-rules) -
and will present you with a ready to run (configured and set-up) Suricata.
Post installation
~~~~~~~~~~~~~~~~~
Please continue with :ref:`Basic setup`.
In case you have already created your Suricata directory and cloned the
repository in it, if you want to update your local repository with the
most recent code, please run:
.. code-block:: bash
cd suricata/suricata
next, enter:
.. code-block:: bash
git pull
After that, you should run *./autogen.sh* again.
Reference in a new issue View git blame Copy permalink