Merge pull request #1660 in SNORT/snort3 from ~BRASTULT/snort3:talos_tweak_fix to...

Squashed commit of the following:

commit 1e557dca3a03f375d932d3ba14bed27aea7957ad
Author: Brandon Stultz <brastult@cisco.com>
Date:   Sun Jun 30 19:12:46 2019 -0400

    talos.lua: various fixes for command line usage

    - lua: optionally include local.rules in talos tweak, set snaplen
    - main: move talos tweak settings to lua, set default pcap-filter
    - parser: fix -R by clearing includer when parsing s_aux_rules
    - packet_io: set default pcap-filter

diff --git a/lua/inline.lua b/lua/inline.lua
index 902334408a0ac22ed0b7051faa76868455d08111..90b3fe6a464fb54ae24c9ba9a017293bfdbdc072 100644 (file)
--- a/lua/inline.lua
+++ b/lua/inline.lua
@@ -13,7 +13,7 @@ daq =
         },
         {
             name = 'dump',
-            variables = { 'output = none' }
+            variables = { 'output=none' }
         },
     },
 }

diff --git a/lua/talos.lua b/lua/talos.lua
index c3262bc4b51f8fed0ba48e94ca8cb8d028bc4583..5a3630c192f09387acb4e8ecfd9cc222014a3893 100644 (file)
--- a/lua/talos.lua
+++ b/lua/talos.lua
@@ -1,8 +1,18 @@
 ---------------------------------------------------------------------------
 -- talos test tweaks
--- use with --talos or --tweaks talos -Q -q
+-- use with --talos or --tweaks talos
 ---------------------------------------------------------------------------
 
+function file_exists(name)
+    local f=io.open(name,'r')
+    if f~=nil then
+        io.close(f)
+        return true
+    else
+        return false
+    end
+end
+
 daq =
 {
     modules =
@@ -13,15 +23,22 @@ daq =
         },
         {
             name = 'dump',
-            variables = { 'output = none' }
+            variables = { 'output=none' }
         },
     },
+    snaplen = 65535
 }
 
 normalizer = { tcp = { ips = true } }
 
-ips.include = 'local.rules'
+snort = { }
+snort['-Q'] = true
+
+if file_exists('local.rules') then
+    snort['-R'] = 'local.rules'
+end
 
+alert_talos = { }
 alerts = { alert_with_interface_name = true }
 
 profiler =

diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc
index be103cf51f0a131ef18ab8493a65ff91666f97ab..99539355518fd815c0fa5b9ff39aadfc64819f77 100644 (file)
--- a/src/main/snort_module.cc
+++ b/src/main/snort_module.cc
@@ -442,7 +442,7 @@ static const Parameter s_params[] =
     { "--pcap-dir", Parameter::PT_STRING, nullptr, nullptr,
       "<dir> a directory to recurse to look for pcaps - read mode is implied" },
 
-    { "--pcap-filter", Parameter::PT_STRING, nullptr, nullptr,
+    { "--pcap-filter", Parameter::PT_STRING, nullptr, "*.*cap*",
       "<filter> filter to apply when getting pcaps from file or directory" },
 
     { "--pcap-loop", Parameter::PT_INT, "0:max32", nullptr,
@@ -512,7 +512,7 @@ static const Parameter s_params[] =
       "read rules from stdin until EOF or a line starting with END is read", },
 
     { "--talos", Parameter::PT_IMPLIED, nullptr, nullptr,
-      "enable Talos inline rule test mode (same as --tweaks talos -Q -q)", },
+      "enable Talos tweak (same as --tweaks talos)", },
 
     { "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr,
       "converts drop, block, and reset rules into alert rules when loaded" },
@@ -987,11 +987,8 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
         sc->stdin_rules = true;
 
     else if ( v.is("--talos") )
-    {
         sc->set_tweaks("talos");
-        sc->run_flags |= RUN_FLAG__INLINE;
-        sc->set_alert_mode("talos");
-    }
+
     else if ( v.is("--treat-drop-as-alert") )
         sc->set_treat_drop_as_alert(true);
 

diff --git a/src/packet_io/trough.cc b/src/packet_io/trough.cc
index 9bfcdd2ca06b60f5959d6d9a31fdcc385db0627f..9db030b79c28b0e7109715b5e985674b5ad4d0cc 100644 (file)
--- a/src/packet_io/trough.cc
+++ b/src/packet_io/trough.cc
@@ -38,7 +38,7 @@ using namespace snort;
 
 std::vector<struct Trough::PcapReadObject> Trough::pcap_object_list;
 std::vector<std::string> Trough::pcap_queue;
-std::string Trough::pcap_filter;
+std::string Trough::pcap_filter = "*.*cap*";
 std::vector<std::string>::const_iterator Trough::pcap_queue_iter;
 
 unsigned Trough::pcap_loop_count = 0;

diff --git a/src/parser/parser.cc b/src/parser/parser.cc
index a1d3f4d7112066a644c880be22920de58803fce9..54ffc5d3217bcba10face38b33e48971b249e7e7 100644 (file)
--- a/src/parser/parser.cc
+++ b/src/parser/parser.cc
@@ -374,6 +374,7 @@ void ParseRules(SnortConfig* sc)
 
         if ( !idx and !s_aux_rules.empty() )
         {
+            p->includer.clear();
             push_parse_location("W", "./", "rule args");
             ParseConfigString(sc, s_aux_rules.c_str());
             pop_parse_location();