datasets: parse defaults section from yaml

Datasets can now have a global defaults setting in suricata.yaml. In
case the settings for memcap and hashsize are not find in the yaml or
rule, this shall be the fallback.

Example:

datasets:
  defaults:
    memcap: 100mb
    hashsize: 2048
  ua-seen:
    type: string
    load: datasets.csv

diff --git a/src/datasets.c b/src/datasets.c
index b237d870372bf2c6c7483f93abca6d4589ba8ce7..c870207c44f948d9648737805260f92ced9e2e7b 100644 (file)
--- a/src/datasets.c
+++ b/src/datasets.c
@@ -49,6 +49,7 @@ static inline void DatasetUnlockData(THashData *d)
     THashDataUnlock(d);
 }
 static bool DatasetIsStatic(const char *save, const char *load);
+static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize);
 
 enum DatasetTypes DatasetGetTypeFromString(const char *s)
 {
@@ -423,6 +424,8 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type)
 Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load,
         uint64_t memcap, uint32_t hashsize)
 {
+    uint64_t default_memcap = 0;
+    uint32_t default_hashsize = 0;
     if (strlen(name) > DATASET_NAME_MAX_LEN) {
         return NULL;
     }
@@ -491,6 +494,7 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
     char cnf_name[128];
     snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name);
 
+    GetDefaultMemcap(&default_memcap, &default_hashsize);
     switch (type) {
         case DATASET_TYPE_MD5:
             set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrSet, Md5StrFree, Md5StrHash,
@@ -597,11 +601,37 @@ void DatasetPostReloadCleanup(void)
     SCMutexUnlock(&sets_lock);
 }
 
+static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize)
+{
+    const char *str = NULL;
+    if (ConfGetValue("datasets.defaults.memcap", &str) == 1) {
+        if (ParseSizeStringU64(str, memcap) < 0) {
+            SCLogWarning(SC_ERR_INVALID_VALUE,
+                    "memcap value cannot be deduced: %s,"
+                    " resetting to default",
+                    str);
+            *memcap = 0;
+        }
+    }
+    if (ConfGetValue("datasets.defaults.hashsize", &str) == 1) {
+        if (ParseSizeStringU32(str, hashsize) < 0) {
+            SCLogWarning(SC_ERR_INVALID_VALUE,
+                    "hashsize value cannot be deduced: %s,"
+                    " resetting to default",
+                    str);
+            *hashsize = 0;
+        }
+    }
+}
+
 int DatasetsInit(void)
 {
     SCLogDebug("datasets start");
     int n = 0;
     ConfNode *datasets = ConfGetNode("datasets");
+    uint64_t default_memcap = 0;
+    uint32_t default_hashsize = 0;
+    GetDefaultMemcap(&default_memcap, &default_hashsize);
     if (datasets != NULL) {
         int list_pos = 0;
         ConfNode *iter = NULL;

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 74e7a5b3906a32d905941c7fb6b0b007541bf56f..0ea4cdec7d4519a9d437006a5a484619a196db49 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -969,6 +969,13 @@ app-layer:
 # Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256
 
+# Datasets default settings
+# datasets:
+#   # Default fallback memcap and hashsize values for datasets in case these
+#   # were not explicitly defined.
+#   defaults:
+#     memcap: 100mb
+#     hashsize: 2048
 
 ##############################################################################
 ##