Principle:
At bottom the Suricata source tree is a Makefile project (autotools: ./configure generates the Makefiles), and the code builds without trouble. The VS Code setup is essentially just a wrapper that invokes the make command and then debugs the resulting C program with GDB.
There is a video: https://www.bilibili.com/video/BV1Aw4m1U7Mo/?vd_source=b6d10e8288ab2f9afe2227a94446a6c3
c_cpp_properties.json:
This part only affects hover information and IntelliSense (completion, go-to-definition); it has no effect on the build or on the debugger. The extension queries the compiler given in compilerPath for the system include directories and built-in defines, so for a C code base like Suricata /usr/bin/gcc is the more accurate choice than /usr/bin/g++, although g++ works fine for the system headers.
There is a video introducing includePath and browse -> path: https://www.bilibili.com/video/BV1Hm411r7nq/?vd_source=b6d10e8288ab2f9afe2227a94446a6c3
{
"configurations": [
{
"name": "daxian-2023-12-24",
"includePath": [
"${workspaceFolder}/**",
"/usr/include/**",
"/usr/local/include/**",
"/usr/include/netinet/**"
],
"defines": [],
"compilerPath": "/usr/bin/g++",
"cStandard": "c17",
"cppStandard": "c++17",
"intelliSenseMode": "gcc-x64",
"browse": {
"path": [
"${workspaceFolder}",
"/usr/include/netinet"
],
"limitSymbolsToIncludedHeaders": true,
"databaseFilename": ""
},
"configurationProvider": "ms-vscode.makefile-tools"
}
],
"version": 4
}
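An added shell example (not from the original notes, not Suricata tooling): it asks the compiler named in compilerPath which directories it really searches, so the includePath list above can be checked against that instead of guessed. The only assumption is that the compiler is gcc or clang, which both print the search list in the same "search starts here" / "End of search list." format.

```shell
#!/bin/sh
# Added example, not part of the original notes: print the system include
# directories that the compiler named in "compilerPath" really searches.
# Assumption: the compiler is gcc or clang; both print the list in the
# "#include <...> search starts here:" ... "End of search list." format.

# Read preprocessor "-v" output on stdin, print one search directory per line.
parse_include_dirs() {
    awk '
        /^#include <\.\.\.> search starts here:/ { on = 1; next }
        /^End of search list\./                  { on = 0 }
        on && NF                                 { sub(/^ +/, ""); print }
    '
}

# Usage: compiler_include_dirs [compiler] [c|c++]
# Suricata is a C project, so query the C search list even when
# c_cpp_properties.json points compilerPath at /usr/bin/g++.
compiler_include_dirs() {
    echo | "${1:-/usr/bin/g++}" -E -Wp,-v -x "${2:-c}" - 2>&1 >/dev/null | parse_include_dirs
}

# Print each candidate (VS Code "includePath" entries; a trailing "/**" is
# ignored) that is NOT in the newline-separated search list given as $1.
missing_include_dirs() {
    dirs=$1; shift
    for p in "$@"; do
        base=${p%/\*\*}; base=${base%/}
        printf '%s\n' "$dirs" | grep -qxF -- "$base" || printf '%s\n' "$p"
    done
}

# Convenience wrapper: check_include_path /usr/bin/gcc '/usr/include/**' ...
check_include_path() {
    compiler=$1; shift
    missing=$(missing_include_dirs "$(compiler_include_dirs "$compiler" c)" "$@")
    [ -z "$missing" ] || { printf 'not searched by %s:\n%s\n' "$compiler" "$missing" >&2; return 1; }
}
```

Run against the configuration above, check_include_path reports /usr/include/netinet/** as not searched: the compiler finds <netinet/ip.h> relative to /usr/include, so that entry is redundant (harmless, but it is not what makes those headers resolve).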
settings.json
This has nothing to do with the build at all; it is just VS Code editor configuration.
{
"window.zoomLevel": 0.5,
"files.exclude": {
"**/*.exe": true // hide files ending in .exe from the Explorer tree ("**/.exe" would only match a file literally named ".exe")
},
// "C_Cpp.intelliSenseEngine": "Tag Parser", /* or "default" (which is the default) */
"C_Cpp.exclusionPolicy": "checkFilesAndFolders",
"C_Cpp.default.intelliSenseMode": "gcc-x64",
"C_Cpp.default.compilerPath": "/usr/bin/g++",
"C_Cpp.default.cppStandard": "c++17",
"debug.onTaskErrors": "abort",
"files.associations": {
"iostream": "cpp",
"suricata-common.h": "c",
"cstdlib": "c",
"array": "c",
"istream": "c",
"ostream": "c",
"tuple": "c",
"type_traits": "c",
"utility": "c",
"fstream": "c",
"streambuf": "c",
"queue.h": "c",
"deque": "c",
"string": "c",
"unordered_map": "c",
"vector": "c",
"string_view": "c",
"initializer_list": "c",
"functional": "c",
"threads.h": "c",
"threadvars.h": "c",
"util-lua.h": "c",
"util-lua-http.h": "c",
"detect-threshold.h": "c",
"*.tcc": "c",
"numeric": "c",
"sstream": "c",
"detect-engine-register.h": "c",
"detect-engine-build.h": "c"
},
"C_Cpp.errorSquiggles": "enabled",
"workbench.editor.wrapTabs": false, /* whether editor tabs wrap onto a second row */
"editor.wordWrap": "off", /* whether the editing area soft-wraps long lines */
// "editor.renderWhitespace": "all" /* render spaces as dots; "selection" does so only inside selected text */
}
tasks.json
Runs the build. Ctrl+B runs the default build task, i.e. the first task below, which just calls make. Two things to watch: only one task in the build group should carry "isDefault": true, otherwise Ctrl+B pops up a picker instead of running make straight away; and make only works after ./configure has been run in the source tree (pass CFLAGS="-g -O0" there, because with the default -O2 GDB stepping jumps around and locals show up as <optimized out>).
{
"version": "2.0.0",
"tasks": [
{
"label": "build_suricata",
"type": "shell",
"command": "make", //suricata编译
"problemMatcher": [
"$gcc"
],
"group": {
"kind": "build",
"isDefault": true
},
"presentation": {
"echo": true,
"reveal": "always",
"focus": false,
"panel": "dedicated",
"showReuseMessage": false,
"clear": true
}
},
// The task below is for building a standalone C++ file; ignore it for Suricata
{
"type": "shell", // or "process"; see the docs for the difference
"label": "C/C++: g++ build active file", // task label, referenced by preLaunchTask in launch.json
"command": "/usr/bin/g++",
"args": [
"-g",
"-Wall",
"-std=c++17",
"${fileDirname}/*.cpp",
"-o",
"${fileDirname}/${fileBasenameNoExtension}"
],
"detail": "compiler: /usr/bin/g++",
"group": {
"kind": "build",
"isDefault": false // only build_suricata is the default; two defaults make Ctrl+B prompt for a choice
},
"presentation": {
"echo": true,
"reveal": "always", // whether the integrated terminal panel is brought to the front
"focus": true, // whether the terminal takes focus
"panel": "dedicated",
"showReuseMessage": false, // whether to show "Terminal will be reused by tasks, press any key to close it"
"clear": true // clear the terminal before running
},
"problemMatcher": [
"$gcc"
]
},
],
"options": {
"shell": {
"executable": "/bin/bash",
"args": [
"-c"
]
},
"env": {
"PATH": "/usr/bin:${env:PATH}"
}
}
}
// Official docs: https://code.visualstudio.com/docs/editor/tasks
launch.json
After make there is no need to run make install.
make leaves the freshly linked executable under src/.libs/; when the build links libsuricata through libtool, src/suricata itself is only a wrapper script, so GDB has to be pointed at the real ELF binary in src/.libs/. args are the command-line arguments passed to the program when debugging: --runmode single runs a single packet-processing thread, which is the easiest to follow in GDB (check Suricata's run modes; not every capture method offers single), and the traffic is read from a pcap file (captured with Wireshark) instead of a live interface. These parameters are described here.
{
"version": "0.2.0",
"configurations": [
{
"type": "cppdbg",
"request": "launch",
"name": "DeBug_suricata",
"program": "${workspaceFolder}/src/.libs/suricata",
// "program": "/usr/local/bin/suricata", // where the executable lands after make install
"args": [
"--runmode", "single", // one packet-processing thread: easiest to step through in GDB
"-r", "/home/daxian/ping.pcap", // read packets from this pcap instead of a live interface
"-vvvv", // maximum verbosity
"-c", "/home/daxian/Desktop/zs/suricata-6.0.8/suricata.yaml", // configuration file
"-l", "/home/daxian/Desktop/zs/suricata-log-dir", // log directory (must exist)
"-S", "/home/daxian/Desktop/zs/rules/test.rules", // load ONLY this rule file (-s would add it to the yaml's rule-files)
"-k", "none" // skip checksum validation; captures taken with NIC offloading often carry bad checksums
// "-i", "ens33", // live capture on an interface instead of -r
// "--list-keywords=csv",
// "--list-app-layer-protos"
],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"externalConsole": false,
"MIMode": "gdb",
"miDebuggerPath": "/usr/bin/gdb",
"preLaunchTask": "build_suricata"
},
// The configuration below is for standalone C++ files; ignore it for Suricata
{
"name": "g++ - Build and debug active file",
"type": "cppdbg",
"request": "launch",
"program": "${fileDirname}/${fileBasenameNoExtension}",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"externalConsole": false,
"MIMode": "gdb",
"miDebuggerPath": "/usr/bin/gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
],
"preLaunchTask": "C/C++: g++ build active file"
}
]
}
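The command-line equivalent of the build_suricata task and the DeBug_suricata launch configuration above, as an added shell example that is not part of the original notes or of the Suricata project: it configures the tree for debugging, builds, picks the real ELF binary rather than the libtool wrapper script, and then runs the same argv under gdb in batch mode, stopping once in the ICMPv4 decoder. Assumptions: the pcap, yaml, log-dir and rule-file paths are the placeholder paths from launch.json; DecodeICMPV4 is taken to be the decoder's function name in Suricata 6 (src/decode-icmpv4.c); --enable-debug and CFLAGS are handed to Suricata's autotools configure.

```shell
#!/bin/sh
# Added example (not from the original notes, not Suricata's own tooling):
# the command-line equivalent of tasks.json + launch.json above.
# Assumptions: run from the top of an unpacked Suricata source tree; the
# paths below are the placeholder paths from launch.json, adjust to taste.
set -eu

PCAP=/home/daxian/ping.pcap
YAML=/home/daxian/Desktop/zs/suricata-6.0.8/suricata.yaml
LOGDIR=/home/daxian/Desktop/zs/suricata-log-dir
RULES=/home/daxian/Desktop/zs/rules/test.rules

# Step 1 (what the "make" task silently assumes has happened): configure
# with -O0 -g so GDB steps line by line and locals are not <optimized out>.
# --enable-debug additionally turns on Suricata's SCLogDebug() output.
configure_for_debugging() {
    ./configure --enable-debug CFLAGS="-g -O0"
}

# Step 2: the build task itself.
build() {
    make -j"$(nproc 2>/dev/null || echo 2)"
}

# True when the file starts with the ELF magic (7f 45 4c 46). src/suricata is
# a libtool wrapper *script* when libsuricata is built, which is why
# launch.json points "program" at src/.libs/suricata instead.
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 7f454c46 ]
}

# Pick the binary GDB should load: the real ELF under src/.libs/, falling
# back to src/suricata only when that is itself an ELF (non-libtool build).
resolve_suricata_binary() {
    dir=${1:-.}
    for cand in "$dir/src/.libs/suricata" "$dir/src/suricata"; do
        if [ -f "$cand" ] && is_elf "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no ELF suricata binary under $dir/src (run make first?)" >&2
    return 1
}

# Step 3: the launch.json configuration as a non-interactive GDB session.
# Same argv as launch.json; stop at the first ICMPv4 decode, show where we
# are and what the decoder received, then let Suricata run to the end.
# DecodeICMPV4 is an assumed symbol name (src/decode-icmpv4.c in Suricata 6).
debug_pcap_run() {
    bin=$(resolve_suricata_binary .)
    gdb -q -batch \
        -ex 'break DecodeICMPV4' \
        -ex run \
        -ex bt \
        -ex 'info args' \
        -ex delete \
        -ex continue \
        --args "$bin" --runmode single -r "$PCAP" -vvvv \
        -c "$YAML" -l "$LOGDIR" -S "$RULES" -k none
}

main() {
    case "${1:-}" in
        configure) configure_for_debugging ;;
        build)     build ;;
        debug)     debug_pcap_run ;;
        *) echo "usage: $0 {configure|build|debug}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as ./debug-suricata.sh configure, then build, then debug, from the top of the source tree. If GDB ever answers "not in executable format: file format not recognized", it was handed src/suricata (the wrapper script) rather than src/.libs/suricata; resolve_suricata_binary exists to avoid exactly that.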