Hello, I am interested at extracting the core functionality of suricata, and so am looking at the make file, to hopefully understand what is being installed and in what order and thus what things I can remove.
Right now I’m trying to understand what is being called first.
The first things I see in the command line when executing make is:
But there is no mention of “libhtp” in the makefile at the root of the project
Any help appreciated!
$(HTP_DIR) in SUBDIRS is what will cause the Makefile to recurse into libhtp/. Its a variable as there is a way to build against libhtp installed separately, but this is normally not done.
You can do this to install into a “fake” location to see whats there:
make install DESTDIR="$(pwd)/fakeroot"
then look at fakeroot. This is what packaging tools generally do to avoid installing the files on the system before they can pick and choose what to install, or reorganize as needed.
Thanks.
Can I ask, how about packet collection? Is this done through pcap? Which directories contain the code for the packet collection and threading?
PCAP is one way to collect packets - either files or network. The default on Linux is AF_PACKET though, and there are some others. Look in the src/ directory files starting with source-.
As for threading, look at files with thread in the name, as well as the runmode files which more or less do the setup for a capture method.
There is also some dev guide stuff on our wiki, while dated could still be useful:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide
And in the source code, checkout the src/devguide directory. I don’t think we have those published yet, but there is a start of more up to date development documentation.