Question About Libsuricata Usage

Hello, everyone

How do I use libsuricata to build a detect engine? Is there any example or guidance?

I built the libsuricata lib to use it to detect some new applayer packets.
After writing a TCP server that receives network packets and detecting these bytes by copying the code from the ut, I find it finally crashes.
If I call InitGlobal() in suricata.c, it will crash later.

So how do I use libsuricata?

This work is under active development, so you are best to look at the relevant pull requests for more information; however, we’re probably not where you need it to be yet.

That’s not to say others haven’t done this, but from a supported perspective it’s not there. You might want to look at this PR: libsuricata: make the Suricata application a user of the Suricata library - v4 by jasonish · Pull Request #10578 · OISF/suricata · GitHub

Thanks. I modified some of the global init part and pasted the code of the ut into the detection thread; it seems to work now.

But here comes the second question:

I added two different detection buffers on one custom TCP applayer and appended 20,000 signatures to a detection context.
When matching an applayer packet, SigMatchSignatures takes 15,000 us. I retested the http header with 20,000 signatures, but it only takes 150 us. Any idea what to do to accelerate the match process?

Did you implement MPM for your new buffer?

Thanks! It seems MPM is the problem here. I read the code of src/detect-http-uri.c; I guess DetectAppLayerMpmRegister will register the mpm engine.

But I still can’t get how this match process works, and where it inits the mpm engine.

Any idea of how this “magic” happened? Which file should I read about this processing?