Home Verkennen Help
Inloggen
pandora-research
/
suricata
Volgen 1
Ster 0
Vork 0
Bestanden Kwesties 0 Pull-aanvragen 0 Wiki

Geen omschrijving

Aftakking: master
Aftakkingen Labels
suricata
ZIP TAR.GZ
Victor Julien 45eb038e63 smb: fix file reopening issue 2 jaren geleden
.github 64fab3be04 github-ci: non-root builder 2 jaren geleden
benches bab4b62376 Initial add of the files. 15 jaren geleden
contrib 6fcd2db043 tile: remove files 5 jaren geleden
doc 15c77be937 swf-decompression: Disable by default. 2 jaren geleden
ebpf b9351339a2 ebpf: fix gre encapsulation in xdp_lb 3 jaren geleden
etc 84f9ea7254 eve/schema: pgsql - allow flexible parameters list 2 jaren geleden
lua 5de77e3102 lua output: Update example script to match style of user doc examples 6 jaren geleden
python 537fd76787 suricatasc: add dataset-lookup command 2 jaren geleden
qa 34ee53e5ec cocci: remove action check as we no longer use macros 2 jaren geleden
rules 2bc5c46158 stream/rules: disable depth rule by default 2 jaren geleden
rust 45eb038e63 smb: fix file reopening issue 2 jaren geleden
scripts 62352ad030 src: fix remaining cppclean warnings 2 jaren geleden
src 9ed65907a7 fuzz/sigpcap: set pkt_src 2 jaren geleden
suricata-update 9a1d6af858 python: install without distutils 2 jaren geleden
.clang-format 6f77c722a2 devguide: move into userguide as last chapter 2 jaren geleden
.gitignore 6e3e8530a1 readthedocs: add configuration file 3 jaren geleden
.lgtm.yml 42a661f028 ci: adds CodeQL workflow and LGTM support 2 jaren geleden
.readthedocs.yaml 18b468742a readthedocs: enable all formats 2 jaren geleden
COPYING 413082afc0 GPL license sync with official gpl-2.0.txt 9 jaren geleden
ChangeLog 79a78611ad release: 7.0.0-beta1; update changelog 2 jaren geleden
LICENSE 413082afc0 GPL license sync with official gpl-2.0.txt 9 jaren geleden
Makefile.am 67af1504b3 devguide: drop use of mscgen script in builds/make 2 jaren geleden
Makefile.cvs bab4b62376 Initial add of the files. 15 jaren geleden
README.md 811b2cd334 doc: refresh main README; more accurate CI description 2 jaren geleden
acsite.m4 7691fc4f9e configure: check for u_int and friends 4 jaren geleden
autogen.sh 6f7e24d3f2 autogen/rust: remove Cargo.lock 6 jaren geleden
config.rpath 915aa9fc26 Add file needed for some autotools version. 11 jaren geleden
configure.ac addc9b301d version: require libhtp 0.5.42 2 jaren geleden
doxygen.cfg 54be743c48 prelude: remove the prelude output 3 jaren geleden
libsuricata-config.in dfd930a13e libsuricata-config: program to print build flags 3 jaren geleden
requirements.txt cd42c33195 scripts/bundle: use git instead of tar.gz 2 jaren geleden
suricata.yaml.in 15c77be937 swf-decompression: Disable by default. 2 jaren geleden
threshold.config 2e8678a5ff docs: replace redmine links and enforce https on oisf urls 6 jaren geleden

README.md

Suricata

Fuzzing Status codecov

Introduction

Suricata is a network IDS, IPS and NSM engine developed by the OISF and the Suricata community.

Installation

https://suricata.readthedocs.io/en/latest/install.html

User Guide

You can follow the Suricata user guide to get started.

Contributing

We're happily taking patches and other contributions. Please see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for how to get started.

Suricata is a complex piece of software dealing with mostly untrusted input. Mishandling this input will have serious consequences:

  • in IPS mode a crash may knock a network offline;
  • in passive mode a compromise of the IDS may lead to loss of critical and confidential data;
  • missed detection may lead to undetected compromise of the network.

In other words, we think the stakes are pretty high, especially since in many common cases the IDS/IPS will be directly reachable by an attacker.

For this reason, we have developed a QA process that is quite extensive. A consequence is that contributing to Suricata can be a somewhat lengthy process.

On a high level, the steps are:

  1. Github-CI based checks. This runs automatically when a pull request is made.

  2. Review by devs from the team and community

  3. QA runs from private QA setups. These are private due to the nature of the test traffic.

Overview of Suricata's QA steps

OISF team members are able to submit builds to our private QA setup. It will run a series of build tests and a regression suite to confirm no existing features break.

The final QA runs takes a few hours minimally, and generally runs overnight. It currently runs:

  • extensive build tests on different OS', compilers, optimization levels, configure features
  • static code analysis using cppcheck, scan-build
  • runtime code analysis using valgrind, AddressSanitizer, LeakSanitizer
  • regression tests for past bugs
  • output validation of logging
  • unix socket testing
  • pcap based fuzz testing using ASAN and LSAN
  • traffic replay based IDS and IPS tests

Next to these tests, based on the type of code change further tests can be run manually:

  • traffic replay testing (multi-gigabit)
  • large pcap collection processing (multi-terabytes)
  • fuzz testing (might take multiple days or even weeks)
  • pcap based performance testing
  • live performance testing
  • various other manual tests based on evaluation of the proposed changes

It's important to realize that almost all of the tests above are used as acceptance tests. If something fails, it's up to you to address this in your code.

One step of the QA is currently run post-merge. We submit builds to the Coverity Scan program. Due to limitations of this (free) service, we can submit once a day max. Of course it can happen that after the merge the community will find issues. For both cases we request you to help address the issues as they may come up.

FAQ

Q: Will you accept my PR?

A: That depends on a number of things, including the code quality. With new features it also depends on whether the team and/or the community think the feature is useful, how much it affects other code and features, the risk of performance regressions, etc.

Q: When will my PR be merged?

A: It depends, if it's a major feature or considered a high risk change, it will probably go into the next major version.

Q: Why was my PR closed?

A: As documented in the Suricata Github workflow here https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Github_work_flow, we expect a new pull request for every change.

Normally, the team (or community) will give feedback on a pull request after which it is expected to be replaced by an improved PR. So look at the comments. If you disagree with the comments we can still discuss them in the closed PR.

If the PR was closed without comments it's likely due to QA failure. If the Github-CI checks failed, the PR should be fixed right away. No need for a discussion about it, unless you believe the QA failure is incorrect.

Q: the compiler/code analyser/tool is wrong, what now?

A: To assist in the automation of the QA, we're not accepting warnings or errors to stay. In some cases this could mean that we add a suppression if the tool supports that (e.g. valgrind, DrMemory). Some warnings can be disabled. In some exceptional cases the only 'solution' is to refactor the code to work around a static code checker limitation false positive. While frustrating, we prefer this over leaving warnings in the output. Warnings tend to get ignored and then increase risk of hiding other warnings.

Q: I think your QA test is wrong

A: If you really think it is, we can discuss how to improve it. But don't come to this conclusion too quickly, more often it's the code that turns out to be wrong.

Q: do you require signing of a contributor license agreement?

A: Yes, we do this to keep the ownership of Suricata in one hand: the Open Information Security Foundation. See http://suricata.io/about/open-source/ and http://suricata.io/about/contribution-agreement/