[Oisf-devel] Debugging Suricata

Eric Leblond eric at regit.org
Thu Aug 1 09:16:37 UTC 2013


Hi,

Le mercredi 31 juillet 2013 à 10:26 -0700, Anil Joshi a écrit :
> Hi ALL,
> 
> 
> I am all new to suricata.
> 
> Actually want it want to know and debug about suricata is how it gets
> the packet and how it matches signature against packet data.

Look at src/source-*c file for capture.

Detection is basically made inside src/detect.c

> Can anyone please suggest me how to start that i mean whwre is the
> starting code in suricata and how can i debug it with suricata running
> (i mean packet is coming to suricata and i can see the code which is
> running at that particular moment).

But seriously speaking I don't think that these information can really
help you. Signature matching is a really complex process and reading the
code will provide you answers to all your questions if and only if you
are a supernatural being.

One way to apprehend things could be to start suricata on a small pcap
file (in simple running mode to avoid multithread complexity) in gdb.
Then you put a breakpoint in Packet capture and follow the execution to
understand what happen.

BR,
--
Eric

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130801/2ec36758/attachment.pgp>


More information about the Oisf-devel mailing list