Task #2313
opentracking: save & restore state when suricata restarts
Added by Victor Julien almost 7 years ago. Updated almost 2 years ago.
Description
Much requested feature: save state at exit and restore the state when suricata starts up
Relatively easy for some things: flows, stream tracking, but hard for others: stream reassembly, etc.
Updated by Victor Julien almost 7 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien over 6 years ago
- Effort set to high
- Difficulty set to medium
Updated by Danny Browning about 6 years ago
One approach:
- For things we wish to serialize, define them in rust (e.g. https://github.com/OISF/suricata/blob/master/src/flow.h#L325)
- Use rust serde (msgpack or rson) to do serialize/deserialize of the state
In attempting to define an approach for this, most methods of doing serde approaches in c/c++ do not have a compatible license, while serde, serde-msgpack, and serde-ron do have compatible licenses.
Previously this approach would not have worked, because rust support was optional, but now that rust is required, defining core structures in rust will not create problems from a compilation/usage standpoint. With serde-derive, we can easily define which attributes we want to store off. One complication is suricata specific structures, such as SC_ATOMIC_DECLARE, and how we would populate the value. For anything not wrapped with suricata specific structures, we could also sub structure it to make serde support easier. Flow could consist of a sub structure FlowSave (name TBD) that is handled with serde.
One other benefit to a more standard format is the ability to "inject" data at portions of the pipeline. For cards doing layer 4 extraction, we may be able to skip acquire and decode.
Updated by Danny Browning almost 6 years ago
Because of the size of this feature, it should be split into smaller, easier to accomplish pieces, such as saving flowbits.
This would provide a proof of concept implementation that could be extended to the harder pieces of suricata to serialize, as additional serialization is warranted.
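The two comments above propose splitting the persisted part of a flow into its own sub-structure and starting with something small such as flowbits. The following is an added example written for this ticket, not Suricata code: a `Flow` whose volatile part (a use counter standing in for an `SC_ATOMIC_DECLARE`'d field) is never written out, and a `FlowSave` sub-structure that is. The byte format is hand-rolled so the example depends only on the Rust standard library; with serde-derive the `to_bytes`/`read` bodies would be replaced by `#[derive(Serialize, Deserialize)]` and a msgpack or RON backend. All struct and field names, the version constant and the flowbit limit are assumptions for illustration. The restore side treats the state file as untrusted input: it checks the format version, bounds every read, caps the flowbit count before allocating, and rejects trailing bytes.

```rust
// Added example, not Suricata code. Names and limits are assumptions.

const FORMAT_VERSION: u16 = 1;
const MAX_FLOWBITS: usize = 256; // checked before allocating on restore

/// Live flow: volatile fields plus the persisted sub-structure.
#[derive(Debug, PartialEq)]
struct Flow {
    use_cnt: u32, // volatile (atomic in Suricata); never serialized
    save: FlowSave,
}

/// The subset of a flow that survives a restart.
#[derive(Debug, Clone, PartialEq)]
struct FlowSave {
    src_ip: [u8; 4],
    dst_ip: [u8; 4],
    src_port: u16,
    dst_port: u16,
    proto: u8,
    flowbits: Vec<u32>, // ids of flowbits set on this flow
}

/// Bounds-checked cursor: a truncated file yields an Err, never a panic.
struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Result<&'a [u8], String> {
        let end = self.pos.checked_add(n).ok_or_else(|| "offset overflow".to_string())?;
        if end > self.buf.len() {
            return Err(format!("truncated state: need {} bytes at offset {}", n, self.pos));
        }
        let s = &self.buf[self.pos..end];
        self.pos = end;
        Ok(s)
    }
    fn u16(&mut self) -> Result<u16, String> {
        let s = self.take(2)?;
        Ok(u16::from_be_bytes([s[0], s[1]]))
    }
    fn u32(&mut self) -> Result<u32, String> {
        let s = self.take(4)?;
        Ok(u32::from_be_bytes([s[0], s[1], s[2], s[3]]))
    }
}

impl FlowSave {
    /// Record layout: version | src_ip | dst_ip | sport | dport | proto | nbits | bits...
    fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::new();
        out.extend_from_slice(&FORMAT_VERSION.to_be_bytes());
        out.extend_from_slice(&self.src_ip);
        out.extend_from_slice(&self.dst_ip);
        out.extend_from_slice(&self.src_port.to_be_bytes());
        out.extend_from_slice(&self.dst_port.to_be_bytes());
        out.push(self.proto);
        out.extend_from_slice(&(self.flowbits.len() as u16).to_be_bytes());
        for b in &self.flowbits {
            out.extend_from_slice(&b.to_be_bytes());
        }
        out
    }

    fn read(r: &mut Reader) -> Result<FlowSave, String> {
        let version = r.u16()?;
        if version != FORMAT_VERSION {
            return Err(format!("unsupported state version {}", version));
        }
        let mut src_ip = [0u8; 4];
        src_ip.copy_from_slice(r.take(4)?);
        let mut dst_ip = [0u8; 4];
        dst_ip.copy_from_slice(r.take(4)?);
        let src_port = r.u16()?;
        let dst_port = r.u16()?;
        let proto = r.take(1)?[0];
        let n = r.u16()? as usize;
        if n > MAX_FLOWBITS {
            return Err(format!("flowbit count {} exceeds limit {}", n, MAX_FLOWBITS));
        }
        let mut flowbits = Vec::with_capacity(n); // bounded by the check above
        for _ in 0..n {
            flowbits.push(r.u32()?);
        }
        Ok(FlowSave { src_ip, dst_ip, src_port, dst_port, proto, flowbits })
    }
}

/// Serialize every flow's persistent part: count, then one record per flow.
fn save_state(flows: &[Flow]) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&(flows.len() as u32).to_be_bytes());
    for f in flows {
        out.extend_from_slice(&f.save.to_bytes());
    }
    out
}

/// Rebuild flows from a state buffer; volatile fields start fresh.
fn restore_state(buf: &[u8]) -> Result<Vec<Flow>, String> {
    let mut r = Reader { buf, pos: 0 };
    let count = r.u32()? as usize;
    let mut flows = Vec::new(); // no with_capacity(count): count is untrusted
    for _ in 0..count {
        flows.push(Flow { use_cnt: 0, save: FlowSave::read(&mut r)? });
    }
    if r.pos != buf.len() {
        return Err(format!("{} trailing bytes after last record", buf.len() - r.pos));
    }
    Ok(flows)
}

/// Constructed sample data for the demonstration.
fn sample_flows() -> Vec<Flow> {
    vec![
        Flow { use_cnt: 3, save: FlowSave { src_ip: [10, 0, 0, 1], dst_ip: [10, 0, 0, 2],
            src_port: 51234, dst_port: 443, proto: 6, flowbits: vec![] } },
        Flow { use_cnt: 1, save: FlowSave { src_ip: [10, 0, 0, 3], dst_ip: [10, 0, 0, 4],
            src_port: 40000, dst_port: 53, proto: 17, flowbits: vec![7, 42] } },
    ]
}

fn main() {
    let bytes = save_state(&sample_flows());
    println!("saved {} bytes", bytes.len());
    match restore_state(&bytes) {
        Ok(flows) => println!("restored {} flows, flowbits on #2: {:?}", flows.len(), flows[1].save.flowbits),
        Err(e) => eprintln!("restore failed: {}", e),
    }
}
```

Keeping `use_cnt` out of `FlowSave` is the whole point of the split: anything that is an atomic, a pointer, or otherwise only meaningful inside the running process is re-initialised on restore rather than read back from disk, which also sidesteps the `SC_ATOMIC_DECLARE` question raised above.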
Updated by Victor Julien almost 6 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Danny Browning
Agreed, let's make this a tracking ticket. New tickets can be set to be related to this one.
Updated by Victor Julien almost 6 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Victor Julien about 5 years ago
- Tracker changed from Feature to Task
- Subject changed from save & restore state when suricata restarts to tracking: save & restore state when suricata restarts
- Status changed from Assigned to New
- Assignee changed from Danny Browning to OISF Dev
Updated by Andreas Herz almost 5 years ago
We will create an additional issue for tracking the thresholds in between suricata restarts.
It can be helpful as well for elephant flows and bypassing them again after a restart.
Updated by Jason Ish almost 4 years ago
- Related to Feature #4138: A stable flow ID for dump/restore of state as well as state synchronization added
Updated by Philippe Antoine almost 2 years ago
- Related to Task #5488: Suricon 2022 brainstorm added
Updated by Philippe Antoine almost 2 years ago
- Related to Task #2693: tracking: libsuricata added