1.与运行模式相关数据结构
typedef struct RunMode_ {
/* the runmode type: an enum RunModes value (RUNMODE_PCAP_DEV, RUNMODE_NFQ, ...) */
int runmode;
/* custom mode name inside that runmode type, e.g. "single", "autofp", "workers";
 * the name is the key within one runmode type (see RunModeIdsPcapRegister) */
const char *name;
/* human-readable text shown for this mode */
const char *description;
/* runmode function: the entry point run when this mode is selected */
int (*RunModeFunc)(void);
} RunMode;
typedef struct RunModes_ {
/* presumably the number of entries in 'runmodes' below — confirm against the registration code */
int no_of_runmodes;
/* the custom modes (RunMode entries) registered for one runmode type */
RunMode *runmodes;
} RunModes;
/* One registry slot per capture runmode type, indexed by the enum RunModes
 * value. Sized by RUNMODE_USER_MAX, so only values below it have a slot;
 * whatever indexes this table with a caller-supplied runmode must range-check
 * it against RUNMODE_USER_MAX first — that check is not part of this listing.
 * The enum must be declared before this line for the size to resolve (in this
 * page it is shown afterwards). */
static RunModes runmodes[RUNMODE_USER_MAX];
/* Run mode: selects what the engine does for this invocation. The values up to
 * RUNMODE_USER_MAX are packet-acquisition modes that get a slot in the
 * runmodes[] registry; the values after it are, judging by their names,
 * one-shot command-line actions (list / print / check) that do not process
 * packets. Values are used as array indices, so do not reorder or renumber. */
enum RunModes {
RUNMODE_UNKNOWN = 0,
/* capture / packet-acquisition modes (registered via RunModeRegisterNewRunMode) */
RUNMODE_PCAP_DEV,
RUNMODE_PCAP_FILE,
RUNMODE_PFRING,
RUNMODE_NFQ,
RUNMODE_NFLOG,
RUNMODE_IPFW,
RUNMODE_ERF_FILE,
RUNMODE_DAG,
RUNMODE_AFP_DEV,
RUNMODE_NETMAP,
RUNMODE_TILERA_MPIPE,
RUNMODE_UNITTEST,
RUNMODE_NAPATECH,
RUNMODE_UNIX_SOCKET,
RUNMODE_WINDIVERT,
RUNMODE_USER_MAX, /* Last standard running mode; also the size of runmodes[] */
/* command-line actions without a registry slot */
RUNMODE_LIST_KEYWORDS,
RUNMODE_LIST_APP_LAYERS,
RUNMODE_LIST_RUNMODES,
RUNMODE_PRINT_VERSION,
RUNMODE_PRINT_BUILDINFO,
RUNMODE_PRINT_USAGE,
RUNMODE_DUMP_CONFIG, /* dump the configuration loaded from the config file to the terminal and exit */
RUNMODE_CONF_TEST,
RUNMODE_LIST_UNITTEST,
RUNMODE_ENGINE_ANALYSIS,
#ifdef OS_WIN32
/* Windows-only service management actions */
RUNMODE_INSTALL_SERVICE,
RUNMODE_REMOVE_SERVICE,
RUNMODE_CHANGE_SERVICE_PARAMS,
#endif
RUNMODE_MAX,
};
2.运行模式注册
/**
 * Clear the runmodes[] registry and let every capture backend register
 * the custom modes it provides.
 *
 * Each backend's *Register() function calls RunModeRegisterNewRunMode()
 * for its modes (for pcap: "single", "autofp", "workers"). The unit-test
 * runmode is only registered when built with UNITTESTS.
 */
void RunModeRegisterRunModes(void)
{
    /* start from an empty registry; harmless on a zero-initialised static
     * array but makes the state explicit if this is ever called again */
    memset(runmodes, 0, sizeof runmodes);

    RunModeIdsPcapRegister();
    RunModeFilePcapRegister();
    RunModeIdsPfringRegister();
    RunModeIpsNFQRegister();
    RunModeIpsIPFWRegister();
    RunModeErfFileRegister();
    RunModeErfDagRegister();
    RunModeNapatechRegister();
    RunModeIdsAFPRegister();
    RunModeIdsNetmapRegister();
    RunModeIdsNflogRegister();
    RunModeTileMpipeRegister();
    RunModeUnixSocketRegister();
    RunModeIpsWinDivertRegister();
#ifdef UNITTESTS
    UtRunModeRegister();
#endif
}
这里以RunModeIdsPcapRegister()注册为例进行说明:
/**
 * Register the custom modes of the live-pcap runmode (RUNMODE_PCAP_DEV).
 *
 * Three modes are added under RUNMODE_PCAP_DEV, keyed by name:
 * "single", "autofp" and "workers". The file-scope default_mode is set to
 * "autofp" between the first and second registration, exactly where the
 * original code sets it.
 */
void RunModeIdsPcapRegister(void)
{
    /* everything runs on one thread */
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "single",
            "Single threaded pcap live mode",
            RunModeIdsPcapSingle);

    /* autofp is the mode chosen when none is configured */
    default_mode = "autofp";

    /* flow-pinned detection: one detect thread per flow */
    static const char autofp_desc[] =
        "Multi threaded pcap live mode. "
        "Packets from each flow are assigned to a single detect thread, "
        "unlike \"pcap_live_auto\" where packets from the same flow "
        "can be processed by any detect thread";
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "autofp", autofp_desc,
            RunModeIdsPcapAutoFp);

    /* each worker thread owns the whole pipeline for its packets */
    static const char workers_desc[] =
        "Workers pcap live mode, "
        "each thread does all tasks from acquisition to logging";
    RunModeRegisterNewRunMode(RUNMODE_PCAP_DEV, "workers", workers_desc,
            RunModeIdsPcapWorkers);
}
主要注册函数为RunModeRegisterNewRunMode,该函数接收四个参数:
runmode :运行模式。
name :此特定运行模式类型下的自定义模式名称。在同一个运行模式类型中,每个自定义名称都是唯一的主键(single/autofp/workers)。
description: 此运行模式的说明。
RunModeFunc: 要为此运行模式运行的函数。