file-store: add force-filestore configuration option to enable writing all

            extracted files to filesystem.

diff --git a/src/log-file.c b/src/log-file.c
index 0c41e38d298c83a261613f0386822f8fb55c1e3f..d95c4310acb79ad0a0135fbd3d4e8bfdfcd6fe0e 100644 (file)
--- a/src/log-file.c
+++ b/src/log-file.c
@@ -416,6 +416,12 @@ static OutputCtx *LogFileLogInitCtx(ConfNode *conf)
     output_ctx->data = logfile_ctx;
     output_ctx->DeInit = LogFileLogDeInitCtx;
 
+    const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
+    if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
+        FileForceFilestoreEnable();
+        SCLogInfo("forcing filestore of all files");
+    }
+
     const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
     if (force_magic != NULL && ConfValIsTrue(force_magic)) {
         FileForceMagicEnable();

diff --git a/src/log-filestore.c b/src/log-filestore.c
index 4244b9a44fa55d87b650a590473e52a83a0c0aa5..5069ec85792152c3616f966f8ca2bf052eaa5225 100644 (file)
--- a/src/log-filestore.c
+++ b/src/log-filestore.c
@@ -458,6 +458,12 @@ static OutputCtx *LogFilestoreLogInitCtx(ConfNode *conf)
         }
     }
 
+    const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
+    if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
+        FileForceFilestoreEnable();
+        SCLogInfo("forcing filestore of all files");
+    }
+
     const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
     if (force_magic != NULL && ConfValIsTrue(force_magic)) {
         FileForceMagicEnable();

diff --git a/src/output-json-file.c b/src/output-json-file.c
index 32f3a9435c7f13ec66270d238fc7a7ebd8c76a5f..c3932cac3c6b41b2ddaad381e23e5ba0a3d3a66e 100644 (file)
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -260,6 +260,12 @@ OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
     output_file_ctx->file_ctx = ojc->file_ctx;
 
     if (conf) {
+        const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
+        if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
+            FileForceFilestoreEnable();
+            SCLogInfo("forcing filestore of all files");
+        }
+
         const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
         if (force_magic != NULL && ConfValIsTrue(force_magic)) {
             FileForceMagicEnable();

diff --git a/src/util-file.c b/src/util-file.c
index 16a7bd40fe51d5702b7b2bf9426bd34548b733a7..38ea1b8d4279d4682a0f580c09f03fb0047eb62a 100644 (file)
--- a/src/util-file.c
+++ b/src/util-file.c
@@ -36,6 +36,11 @@
 #include "app-layer-parser.h"
 #include "util-validate.h"
 
+/** \brief switch to force filestore on all files
+ *         regardless of the rules.
+ */
+static int g_file_force_filestore = 0;
+
 /** \brief switch to force magic checks on all files
  *         regardless of the rules.
  */
@@ -55,6 +60,11 @@ static int g_file_force_tracking = 0;
 static void FileFree(File *);
 static void FileDataFree(FileData *);
 
+void FileForceFilestoreEnable(void)
+{
+    g_file_force_filestore = 1;
+}
+
 void FileForceMagicEnable(void)
 {
     g_file_force_magic = 1;
@@ -65,6 +75,11 @@ void FileForceMd5Enable(void)
     g_file_force_md5 = 1;
 }
 
+int FileForceFilestore(void)
+{
+    return g_file_force_filestore;
+}
+
 int FileForceMagic(void)
 {
     return g_file_force_magic;
@@ -534,7 +549,7 @@ File *FileOpenFile(FileContainer *ffc, uint8_t *name,
         SCReturnPtr(NULL, "File");
     }
 
-    if (flags & FILE_STORE) {
+    if (flags & FILE_STORE || g_file_force_filestore) {
         FileStore(ff);
     } else if (flags & FILE_NOSTORE) {
         SCLogDebug("not storing this file");

diff --git a/src/util-file.h b/src/util-file.h
index 8f322a99d7d0d99fdf08b7cb88985b9d6108f2ac..6d02d395d1f17a5799dfba04df77a9a7eb6a9dc0 100644 (file)
--- a/src/util-file.h
+++ b/src/util-file.h
@@ -172,6 +172,8 @@ void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id
 void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
 void FilePrune(FileContainer *ffc);
 
+void FileForceFilestoreEnable(void);
+int FileForceFilestore(void);
 
 void FileDisableMagic(Flow *f, uint8_t);
 void FileForceMagicEnable(void);

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 3a6841947dee4348718125ca81c76828cf54b02b..1f35e130727c96e6727ddb6a25798654bc5f88cb 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -349,6 +349,7 @@ outputs:
       log-dir: files    # directory to store the files
       force-magic: no   # force logging magic on all stored files
       force-md5: no     # force logging of md5 checksums
+      force-filestore: no # force storing of all files
       #waldo: file.waldo # waldo file to store the file_id across runs
 
   # output module to log files tracked in a easily parsable json format