From: Russ Combs (rucombs)
Date: Thu, 4 Jul 2019 18:21:22 +0000 (-0400)
Subject: Merge pull request #1660 in SNORT/snort3 from ~BRASTULT/snort3:talos_tweak_fix to...
X-Git-Tag: 3.0.0-258~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e60d88df5d3017e4b29a1ee0c353b2e3e3c1c13;p=thirdparty%2Fsnort3.git

Merge pull request #1660 in SNORT/snort3 from ~BRASTULT/snort3:talos_tweak_fix to master

Squashed commit of the following:

commit 1e557dca3a03f375d932d3ba14bed27aea7957ad
Author: Brandon Stultz
Date: Sun Jun 30 19:12:46 2019 -0400

talos.lua: various fixes for command line usage

- lua: optionally include local.rules in talos tweak, set snaplen
- main: move talos tweak settings to lua, set default pcap-filter
- parser: fix -R by clearing includer when parsing s_aux_rules
- packet_io: set default pcap-filter
---
diff --git a/lua/inline.lua b/lua/inline.lua
index 902334408..90b3fe6a4 100644
--- a/lua/inline.lua
+++ b/lua/inline.lua
@@ -13,7 +13,7 @@ daq =
 },
 {
 name = 'dump',
- variables = { 'output = none' }
+ variables = { 'output=none' }
 },
 },
 }
diff --git a/lua/talos.lua b/lua/talos.lua
index c3262bc4b..5a3630c19 100644
--- a/lua/talos.lua
+++ b/lua/talos.lua
@@ -1,8 +1,18 @@
 ---------------------------------------------------------------------------
 -- talos test tweaks
--- use with --talos or --tweaks talos -Q -q
+-- use with --talos or --tweaks talos
 ---------------------------------------------------------------------------
 
+function file_exists(name)
+ local f=io.open(name,'r')
+ if f~=nil then
+ io.close(f)
+ return true
+ else
+ return false
+ end
+end
+
 daq =
 {
 modules =
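Review bot: `file_exists` is declared as a global, so if the tweak runs in the same Lua state as snort.lua (which the shared `daq`/`ips` tables suggest) it is published into the config environment and can clobber or be clobbered by a same-named helper elsewhere; `local function file_exists(name)` keeps it file-scoped, and its only visible caller is further down this file. The test also only proves `io.open(name,'r')` succeeded, which on POSIX is true for a directory as well, so a directory named local.rules would pass; if that is acceptable a comment such as `-- true if name can be opened for reading (a directory also passes)` makes it explicit. `f:close()` is the idiomatic spelling of `io.close(f)`.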
@@ -13,15 +23,22 @@ daq =
 },
 {
 name = 'dump',
- variables = { 'output = none' }
+ variables = { 'output=none' }
 },
 },
+ snaplen = 65535
 }
 
 normalizer = { tcp = { ips = true } }
 
-ips.include = 'local.rules'
+snort = { }
+snort['-Q'] = true
+
+if file_exists('local.rules') then
+ snort['-R'] = 'local.rules'
+end
+alert_talos = { }
 
 alerts = { alert_with_interface_name = true }
 
 profiler =
diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc
index be103cf51..995393555 100644
--- a/src/main/snort_module.cc
+++ b/src/main/snort_module.cc
@@ -442,7 +442,7 @@ static const Parameter s_params[] =
 { "--pcap-dir", Parameter::PT_STRING, nullptr, nullptr,
 " a directory to recurse to look for pcaps - read mode is implied" },
 
- { "--pcap-filter", Parameter::PT_STRING, nullptr, nullptr,
+ { "--pcap-filter", Parameter::PT_STRING, nullptr, "*.*cap*",
 " filter to apply when getting pcaps from file or directory" },
 
 { "--pcap-loop", Parameter::PT_INT, "0:max32", nullptr,
@@ -512,7 +512,7 @@ static const Parameter s_params[] =
 "read rules from stdin until EOF or a line starting with END is read", },
 
 { "--talos", Parameter::PT_IMPLIED, nullptr, nullptr,
- "enable Talos inline rule test mode (same as --tweaks talos -Q -q)", },
+ "enable Talos tweak (same as --tweaks talos)", },
 
 { "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr,
 "converts drop, block, and reset rules into alert rules when loaded" },
@@ -987,11 +987,8 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
 sc->stdin_rules = true;
 
 else if ( v.is("--talos") )
- {
 sc->set_tweaks("talos");
- sc->run_flags |= RUN_FLAG__INLINE;
- sc->set_alert_mode("talos");
- }
+
 
 else if ( v.is("--treat-drop-as-alert") )
 sc->set_treat_drop_as_alert(true);
diff --git a/src/packet_io/trough.cc b/src/packet_io/trough.cc
index 9bfcdd2ca..9db030b79 100644
--- a/src/packet_io/trough.cc
+++ b/src/packet_io/trough.cc
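Review bot: `snort['-R'] = 'local.rules'` now loads rules from whatever `local.rules` is present in the process working directory, silently and only when it exists, whereas the removed `ips.include = 'local.rules'` was unconditional and went through the include machinery that the parser hunk in this commit changes. The effective rule set therefore depends on where snort is launched, and a rules file sitting in a shared or writable working directory is picked up without any visible indication. Suggest documenting that in the file, e.g. `-- local.rules is optional and is taken from the current working directory, not from this file's directory`, and, if the config environment allows it, printing a one-line notice when the file is used so the operator can see which rules are active.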
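Review bot: The default `"*.*cap*"` is written here and again as the initializer of `Trough::pcap_filter` in the src/packet_io/trough.cc hunk, so the two copies can drift: a user who never passes `--pcap-filter` gets the trough value while `--help` reports this one. Keep a single definition, e.g. one shared `constexpr const char* kDefaultPcapFilter = "*.*cap*";` used by both, or make the Parameter default the only source and have Trough take it from SnortConfig. The help text also does not say how the pattern is matched; if it is an fnmatch-style glob as the `*` suggests, say so, since users may otherwise try a regex. The `s_params` array begins and ends outside the hunk.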
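Review bot: After this change `--talos` only calls `sc->set_tweaks("talos")`; inline mode and the talos alert output that the removed lines used to force in C++ now depend entirely on lua/talos.lua being found and evaluated, so a bad tweaks lookup would, as far as this hunk shows, silently run an ordinary non-inline session instead of the Talos test mode. A one-line comment keeps that dependency visible: `// -Q, alert_talos and snaplen are applied by lua/talos.lua`. The added empty `+` line sits directly before the existing blank context line, leaving two consecutive blank lines before the `--treat-drop-as-alert` branch; drop it. `SnortModule::set` continues outside the hunk.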
@@ -38,7 +38,7 @@ using namespace snort;
 
 std::vector Trough::pcap_object_list;
 std::vector Trough::pcap_queue;
-std::string Trough::pcap_filter;
+std::string Trough::pcap_filter = "*.*cap*";
 std::vector::const_iterator Trough::pcap_queue_iter;
 unsigned Trough::pcap_loop_count = 0;
 
diff --git a/src/parser/parser.cc b/src/parser/parser.cc
index a1d3f4d71..54ffc5d32 100644
--- a/src/parser/parser.cc
+++ b/src/parser/parser.cc
@@ -374,6 +374,7 @@ void ParseRules(SnortConfig* sc)
 
 if ( !idx and !s_aux_rules.empty() )
 {
+ p->includer.clear();
 push_parse_location("W", "./", "rule args");
 ParseConfigString(sc, s_aux_rules.c_str());
 pop_parse_location();
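Review bot: `p->includer.clear()` runs before the `s_aux_rules` parse but nothing restores the previous includer after `pop_parse_location()`, so if `ParseRules` goes on to parse further input after this block (its body continues outside the hunk) that input now sees an empty includer; if that is intended say so, otherwise save the old value and restore it after the pop. A why-comment would also help, since this single line is the whole `-R` fix: `// -R rules are not included from any config file, so parse them under the "./" location pushed below rather than the last includer`. `p` is declared outside the hunk; I am assuming it is the current parse state.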