From: Tom DeCanio Date: Mon, 5 Oct 2015 22:34:55 +0000 (-0700) Subject: file-store: add force-filestore configuration option to enable writing all X-Git-Tag: suricata-3.0.1RC1~159 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=559747e325cf89f01e4b8bb659bb6f92a5275139;p=thirdparty%2Fsuricata.git file-store: add force-filestore configuration option to enable writing all extracted files to filesystem.
---
diff --git a/src/log-file.c b/src/log-file.c
index 0c41e38d29..d95c4310ac 100644
--- a/src/log-file.c
+++ b/src/log-file.c
@@ -416,6 +416,12 @@ static OutputCtx *LogFileLogInitCtx(ConfNode *conf)
     output_ctx->data = logfile_ctx;
     output_ctx->DeInit = LogFileLogDeInitCtx;
 
+    const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
+    if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
+        FileForceFilestoreEnable();
+        SCLogInfo("forcing filestore of all files");
+    }
+
     const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
     if (force_magic != NULL && ConfValIsTrue(force_magic)) {
         FileForceMagicEnable();
diff --git a/src/log-filestore.c b/src/log-filestore.c
index 4244b9a44f..5069ec8579 100644
--- a/src/log-filestore.c
+++ b/src/log-filestore.c
@@ -458,6 +458,12 @@ static OutputCtx *LogFilestoreLogInitCtx(ConfNode *conf)
         }
     }
 
+    const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
+    if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
+        FileForceFilestoreEnable();
+        SCLogInfo("forcing filestore of all files");
+    }
+
     const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
     if (force_magic != NULL && ConfValIsTrue(force_magic)) {
         FileForceMagicEnable();
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 32f3a9435c..c3932cac3c 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
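Review bot: The lookup/enable/log snippet added to LogFileLogInitCtx here is copied verbatim into LogFilestoreLogInitCtx (src/log-filestore.c) and OutputFileLogInitSub (src/output-json-file.c), so three output modules each parse `force-filestore` and each flip the same process-wide switch. A small shared helper in util-file.c that takes the ConfNode, does the lookup and the FileForceFilestoreEnable() call, and logs once would remove the duplication and keep the three readers from drifting. Since the flag is global, whichever of the three sections sets it affects every file Suricata opens, which is worth stating in the message, e.g. `SCLogInfo("force-filestore set in this output section: storing all files to disk");`. LogFileLogInitCtx starts and ends outside the hunk.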
@@ -260,6 +260,12 @@ OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
     output_file_ctx->file_ctx = ojc->file_ctx;
 
     if (conf) {
+        const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
+        if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
+            FileForceFilestoreEnable();
+            SCLogInfo("forcing filestore of all files");
+        }
+
         const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
         if (force_magic != NULL && ConfValIsTrue(force_magic)) {
             FileForceMagicEnable();
diff --git a/src/util-file.c b/src/util-file.c
index 16a7bd40fe..38ea1b8d42 100644
--- a/src/util-file.c
+++ b/src/util-file.c
@@ -36,6 +36,11 @@
 #include "app-layer-parser.h"
 #include "util-validate.h"
 
+/** \brief switch to force filestore on all files
+ * regardless of the rules.
+ */
+static int g_file_force_filestore = 0;
+
 /** \brief switch to force magic checks on all files
  * regardless of the rules.
  */
@@ -55,6 +60,11 @@ static int g_file_force_tracking = 0;
 static void FileFree(File *);
 static void FileDataFree(FileData *);
 
+void FileForceFilestoreEnable(void)
+{
+    g_file_force_filestore = 1;
+}
+
 void FileForceMagicEnable(void)
 {
     g_file_force_magic = 1;
@@ -65,6 +75,11 @@ void FileForceMd5Enable(void)
     g_file_force_md5 = 1;
 }
 
+int FileForceFilestore(void)
+{
+    return g_file_force_filestore;
+}
+
 int FileForceMagic(void)
 {
     return g_file_force_magic;
@@ -534,7 +549,7 @@ File *FileOpenFile(FileContainer *ffc, uint8_t *name,
         SCReturnPtr(NULL, "File");
     }
 
-    if (flags & FILE_STORE) {
+    if (flags & FILE_STORE || g_file_force_filestore) {
         FileStore(ff);
     } else if (flags & FILE_NOSTORE) {
         SCLogDebug("not storing this file");
diff --git a/src/util-file.h b/src/util-file.h
index 8f322a99d7..6d02d395d1 100644
--- a/src/util-file.h
+++ b/src/util-file.h
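Review bot: FileForceFilestoreEnable() writes a plain `static int` that FileOpenFile later reads on the packet path, and nothing says when it is safe to call it; like the neighbouring FileForceMagicEnable it is presumably only meant for output initialisation before packet processing starts, and that should be written down rather than left to convention. Propose a header comment on the new function: `/** \brief Store every file opened from now on, regardless of rule flags. Call only during output/config setup, not from packet threads. */`. The new g_file_force_filestore declaration in the preceding hunk could carry the same "set at config time only" remark.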
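Review bot: In the FileOpenFile hunk, `flags & FILE_STORE || g_file_force_filestore` is correct only because `&` binds tighter than `||`, and with the switch on the `else if (flags & FILE_NOSTORE)` branch becomes unreachable, so an explicit nostore decision (the FileDisableStoringForTransaction/FlowFileDisableStoringForTransaction paths declared in util-file.h) is silently overridden for every file. Make both things explicit: `if ((flags & FILE_STORE) || g_file_force_filestore) { /* force-filestore overrides FILE_NOSTORE: every opened file is written to disk */`. Operators should understand that this removes the rule-level lever for limiting what is stored and therefore disk growth. The hunk also reads g_file_force_filestore directly rather than through the new FileForceFilestore() accessor, which as far as this diff shows has no caller; either use the accessor here or drop it. FileOpenFile starts and ends outside the hunk.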
@@ -172,6 +172,8 @@ void FileDisableStoringForTransaction(Flow *f, uint8_t direction, uint64_t tx_id
 void FlowFileDisableStoringForTransaction(struct Flow_ *f, uint64_t tx_id);
 void FilePrune(FileContainer *ffc);
 
+void FileForceFilestoreEnable(void);
+int FileForceFilestore(void);
 void FileDisableMagic(Flow *f, uint8_t);
 void FileForceMagicEnable(void);
 
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 3a6841947d..1f35e13072 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -349,6 +349,7 @@ outputs:
       log-dir: files # directory to store the files
       force-magic: no   # force logging magic on all stored files
       force-md5: no     # force logging of md5 checksums
+      force-filestore: no # force storing of all files
       #waldo: file.waldo # waldo file to store the file_id across runs
 
   # output module to log files tracked in a easily parsable json format
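Review bot: The sample config documents `force-filestore` only under the file-store section, while the code in this commit also honours it in the file-log output (src/log-file.c) and the eve file output (src/output-json-file.c), and the comment does not say that the switch is process-wide and overrides rule-based store/nostore decisions (util-file.c sets a global that FileOpenFile consults for every file). Propose `force-filestore: no # store every extracted file to disk, regardless of rule filestore/nostore decisions; global for all outputs` so an operator can weigh the disk usage before enabling it. If the other two output sections are meant to accept the option, they should get the same line.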