pcap: read directories recursively

author James Dutrisac <jamesdutrisac@users.noreply.github.com>

Tue, 28 Jul 2020 17:09:48 +0000 (13:09 -0400)

committer Victor Julien <victor@inliniac.net>

Tue, 4 Aug 2020 12:28:46 +0000 (14:28 +0200)
author James Dutrisac <jamesdutrisac@users.noreply.github.com>
Tue, 28 Jul 2020 17:09:48 +0000 (13:09 -0400)
committer Victor Julien <victor@inliniac.net>
Tue, 4 Aug 2020 12:28:46 +0000 (14:28 +0200)
diff --git a/src/source-pcap-file-directory-helper.h b/src/source-pcap-file-directory-helper.h

index bc416db2bdc90522e881d128d856d3421d449c4d..6e32c044d83baca5493c64e78199b019bf71350d 100644 (file)
--- a/src/source-pcap-file-directory-helper.h
+++ b/src/source-pcap-file-directory-helper.h
@@ -43,6 +43,8 @@ typedef struct PcapFileDirectoryVars_
      DIR *directory;
      PcapFileFileVars *current_file;
      bool should_loop;
+    bool should_recurse;
+    uint8_t cur_dir_depth;
      time_t delay;
      time_t poll_interval;
  
diff --git a/src/source-pcap-file.c b/src/source-pcap-file.c

index 2ec57cfd7f17ba3798d8875271639d680eb97684..e3d88bb8ffdaeb9fc9a2101c5bebef49a2b031cf 100644 (file)
--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
@@ -290,11 +290,24 @@ TmEcode ReceivePcapFileThreadInit(ThreadVars *tv, const void *initdata, void **d
              CleanupPcapFileThreadVars(ptv);
              SCReturnInt(TM_ECODE_OK);
          }
+        pv->cur_dir_depth = 0;
+
+        int should_recurse;
+        pv->should_recurse = false;
+        if (ConfGetBool("pcap-file.recursive", &should_recurse) == 1) {
+            pv->should_recurse = (should_recurse == 1);
+        }
  
          int should_loop = 0;
          pv->should_loop = false;
          if (ConfGetBool("pcap-file.continuous", &should_loop) == 1) {
-            pv->should_loop = should_loop == 1;
+            pv->should_loop = (should_loop == 1);
+        }
+
+        if (pv->should_recurse == true && pv->should_loop == true) {
+            SCLogError(SC_ERR_INVALID_ARGUMENT, "Error, --pcap-file-continuous and --pcap-file-recursive "
+                                                "cannot be used together.");
+            SCReturnInt(TM_ECODE_FAILED);
          }
  
          pv->delay = 30;
diff --git a/src/suricata.c b/src/suricata.c

index 41e1109e4929cda70cb5d2f39fc344f1751e4718..e771009e3f0f384519c0f785f9982b9c48a06867 100644 (file)
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -598,6 +598,7 @@ static void PrintUsage(const char *progname)
      printf("\t--pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml\n");
      printf("\t--pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
      printf("\t--pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
+    printf("\t--pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)\n");
  #ifdef HAVE_PCAP_SET_BUFF
      printf("\t--pcap-buffer-size                   : size of the pcap buffer value from 0 - %i\n",INT_MAX);
  #endif /* HAVE_SET_PCAP_BUFF */
@@ -1195,6 +1196,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
          {"pcap", optional_argument, 0, 0},
          {"pcap-file-continuous", 0, 0, 0},
          {"pcap-file-delete", 0, 0, 0},
+        {"pcap-file-recursive", 0, 0, 0},
          {"simulate-ips", 0, 0 , 0},
          {"no-random", 0, &g_disable_randomness, 1},
          {"strict-rule-keywords", optional_argument, 0, 0},
@@ -1570,6 +1572,12 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
                      return TM_ECODE_FAILED;
                  }
              }
+            else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
+                if (ConfSetFinal("pcap-file.recursive", "true") != 1) {
+                    SCLogError(SC_ERR_CMD_LINE, "ERROR: Failed to set pcap-file.recursive");
+                    return TM_ECODE_FAILED;
+                }
+            }
              else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
                  if (optarg == NULL) {
                      SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -d");
diff --git a/src/util-error.c b/src/util-error.c

index bc56addd8dcb497589cbc736e3a45a752486e2c8..8cb634af9815b0d7fc985f02ae4d582697431e73 100644 (file)
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -372,6 +372,7 @@ const char * SCErrorToString(SCError err)
          CASE_CODE (SC_WARN_ERSPAN_CONFIG);
          CASE_CODE (SC_WARN_HASSH_DISABLED);
          CASE_CODE (SC_WARN_FILESTORE_CONFIG);
+        CASE_CODE (SC_WARN_PATH_READ_ERROR);
  
          CASE_CODE (SC_ERR_MAX);
      }
diff --git a/src/util-error.h b/src/util-error.h

index 6df9c20faf3d6fba703b887ff25f9c812458799a..d3260af10e6a694b9224edd8762c29a9efa602b1 100644 (file)
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -362,6 +362,7 @@ typedef enum {
      SC_WARN_ERSPAN_CONFIG,
      SC_WARN_HASSH_DISABLED,
      SC_WARN_FILESTORE_CONFIG,
+    SC_WARN_PATH_READ_ERROR,
  
      SC_ERR_MAX
  } SCError;
author	James Dutrisac <jamesdutrisac@users.noreply.github.com>
	Tue, 28 Jul 2020 17:09:48 +0000 (13:09 -0400)
committer	Victor Julien <victor@inliniac.net>
	Tue, 4 Aug 2020 12:28:46 +0000 (14:28 +0200)
src/source-pcap-file-directory-helper.h		patch \| blob \| blame \| history
src/source-pcap-file.c		patch \| blob \| blame \| history
src/suricata.c		patch \| blob \| blame \| history
src/util-error.c		patch \| blob \| blame \| history
src/util-error.h		patch \| blob \| blame \| history