From: Shanmugam S (shanms) Date: Tue, 2 Mar 2021 05:49:36 +0000 (+0000) Subject: Merge pull request #2769 in SNORT/snort3 from ~PUNEETKU/snort3:pkt_cp_chry_pk to... X-Git-Tag: 3.1.2.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56323bdabace13c66af3e6c574b96d3d43cd08ca;p=thirdparty%2Fsnort3.git Merge pull request #2769 in SNORT/snort3 from ~PUNEETKU/snort3:pkt_cp_chry_pk to master Squashed commit of the following: commit 491324ec7ff4267206c353402e932a0fc91a0323 Author: Puneeth Kumar C V Date: Fri Feb 19 00:32:34 2021 -0500 packet_capture: add group filter for packet capture
---
diff --git a/src/network_inspectors/packet_capture/capture_module.cc b/src/network_inspectors/packet_capture/capture_module.cc
index 33e8afa4d..71d39e1d7 100644
--- a/src/network_inspectors/packet_capture/capture_module.cc
+++ b/src/network_inspectors/packet_capture/capture_module.cc
@@ -45,12 +45,26 @@ static const Parameter s_capture[] =
 { "filter", Parameter::PT_STRING, nullptr, nullptr,
 "bpf filter to use for packet dump" },
 
+ { "group", Parameter::PT_INT, "-1:32767", "-1",
+ "group filter to use for the packet dump" },
+
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
+static const Parameter capture_params[] =
+{
+ { "filter", Parameter::PT_STRING, nullptr, nullptr,
+ "bpf filter to use for packet dump" },
+
+ { "group", Parameter::PT_INT, "-1:32767", "-1",
+ "group filter to use for the packet dump" },
+
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
 
 static const Command cap_cmds[] =
 {
- { "enable", enable, &s_capture[1], "dump raw packets"},
+ { "enable", enable, capture_params, "dump raw packets"},
 { "disable", disable, nullptr, "stop packet dump"},
 { nullptr, nullptr, nullptr, nullptr }
 };
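Review bot: `capture_params` repeats the `filter` and `group` entries of `s_capture` verbatim, so the two tables will drift the next time a range, default or help string changes. As the hunk shows, `filter`, `group` and the `PT_MAX` terminator are contiguous at the end of `s_capture`, so the command could keep pointing into that table with `{ "enable", enable, &s_capture[1], "dump raw packets"},` as before; the head of `s_capture` is outside the hunk, so confirm that index 1 is still the `filter` entry. If a separate table is deliberate (for example to expose only a subset to the command), a one-line comment above `capture_params` saying so would stop the next reader from folding them back together.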
@@ -71,12 +85,13 @@ THREAD_LOCAL ProfileStats cap_prof_stats;
 class PacketCaptureDebug : public AnalyzerCommand
 {
 public:
- PacketCaptureDebug(const char* f);
+ PacketCaptureDebug(const char* f, const int16_t g);
 bool execute(Analyzer&, void**) override;
 const char* stringify() override { return "PACKET_CAPTURE_DEBUG"; }
 private:
 bool enable = false;
 std::string filter;
+ int16_t group = -1;
 };
 
 // -----------------------------------------------------------------------------
@@ -84,13 +99,14 @@ private:
 // -----------------------------------------------------------------------------
 static int enable(lua_State* L)
 {
- main_broadcast_command(new PacketCaptureDebug(lua_tostring(L, 1)), true);
+ main_broadcast_command(new PacketCaptureDebug(lua_tostring(L, 1),
+ luaL_optint(L, 2, 0)), true);
 return 0;
 }
 
 static int disable(lua_State*)
 {
- main_broadcast_command(new PacketCaptureDebug(nullptr), true);
+ main_broadcast_command(new PacketCaptureDebug(nullptr, -1), true);
 return 0;
 }
 
@@ -98,11 +114,12 @@ static int disable(lua_State*)
 // non-static functions
 // -----------------------------------------------------------------------------
 
-PacketCaptureDebug::PacketCaptureDebug(const char* f)
+PacketCaptureDebug::PacketCaptureDebug(const char* f, const int16_t g)
 {
 if (f)
 {
 filter = f;
+ group = g;
 enable = true;
 }
 }
@@ -110,7 +127,7 @@ PacketCaptureDebug::PacketCaptureDebug(const char* f)
 bool PacketCaptureDebug::execute(Analyzer&, void**)
 {
 if (enable)
- packet_capture_enable(filter);
+ packet_capture_enable(filter, group);
 else
 packet_capture_disable();
 
@@ -119,7 +136,10 @@ bool PacketCaptureDebug::execute(Analyzer&, void**)
 
 CaptureModule::CaptureModule() :
 Module(CAPTURE_NAME, CAPTURE_HELP, s_capture)
-{ config.enabled = false; }
+{
+ config.enabled = false;
+ config.group = -1;
+}
 
 bool CaptureModule::set(const char*, Value& v, SnortConfig*)
 {
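Review bot: `luaL_optint(L, 2, 0)` in `enable` defaults the group to 0 when the Lua caller omits it, but the parameter table declares the default as "-1" and -1 is the value `PacketCapture::eval` treats as "no group filter"; as written, an `enable` call with only a filter string dumps just the packets whose ingress or egress group is 0, which is a narrower capture than the operator asked for and easy to miss during an investigation. Change it to `luaL_optint(L, 2, -1)`. The result is also an `int` that is narrowed to `int16_t` in the `PacketCaptureDebug` constructor, so an out-of-range value wraps silently; I cannot tell from the hunk whether the command framework enforces the table's `-1:32767` range on Lua arguments, and if it does not, validating here before constructing the command would be cheap, e.g. `int g = luaL_optint(L, 2, -1);` followed by `if ( g < -1 or g > INT16_MAX ) return luaL_argerror(L, 2, "group out of range");`.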
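Review bot: `config.group = -1` in the `CaptureModule` constructor is the only thing that gives the new `CaptureConfig::group` field a sane value; the field itself is added to the struct in capture_module.h without an initializer, so any other instance of `CaptureConfig` (the hunks in packet_capture.cc read a `config` whose definition is outside this diff) starts at whatever its storage holds, and for a zero-initialized static that is group 0 rather than "no filter". A default member initializer in the struct, `int16_t group = -1;` next to `bool enabled;`, makes the invariant hold for every instance and lets this constructor hunk stay as it was. The same applies to the capture_module.h hunk on the next line of this page, which I have not commented separately.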
@@ -129,6 +149,9 @@ bool CaptureModule::set(const char*, Value& v, SnortConfig*)
 else if ( v.is("filter") )
 config.filter = v.get_string();
 
+ else if ( v.is("group") )
+ config.group = v.get_int16();
+
 else
 return false;
 
diff --git a/src/network_inspectors/packet_capture/capture_module.h b/src/network_inspectors/packet_capture/capture_module.h
index 1daf04fc5..014d927b0 100644
--- a/src/network_inspectors/packet_capture/capture_module.h
+++ b/src/network_inspectors/packet_capture/capture_module.h
@@ -29,6 +29,7 @@ struct CaptureConfig
 {
 bool enabled;
+ int16_t group;
 std::string filter;
 };
 
diff --git a/src/network_inspectors/packet_capture/packet_capture.cc b/src/network_inspectors/packet_capture/packet_capture.cc
index d90256217..16d5e3e98 100644
--- a/src/network_inspectors/packet_capture/packet_capture.cc
+++ b/src/network_inspectors/packet_capture/packet_capture.cc
@@ -108,12 +108,13 @@ static bool open_pcap_dumper()
 }
 
 // for unit test
-static void _packet_capture_enable(const string& f)
+static void _packet_capture_enable(const string& f, const int16_t g = -1)
 {
 if ( !config.enabled )
 {
 config.filter = f;
 config.enabled = true;
+ config.group = g;
 }
 }
 
@@ -121,6 +122,7 @@ static void _packet_capture_enable(const string& f)
 static void _packet_capture_disable()
 {
 config.enabled = false;
+ config.group = -1;
 LogMessage("Packet capture disabled\n");
 }
 
@@ -128,10 +130,10 @@ static void _packet_capture_disable()
 // non-static functions
 // -----------------------------------------------------------------------------
 
-void packet_capture_enable(const string& f)
+void packet_capture_enable(const string& f, const int16_t g)
 {
- _packet_capture_enable(f);
+ _packet_capture_enable(f, g);
 
 if ( !capture_initialized() )
 {
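Review bot: In `_packet_capture_enable` the new group is stored only inside `if ( !config.enabled )`, so a second `enable` issued with a different group while a capture is already running keeps the old group and says nothing; that was already the behaviour for the filter, but with two knobs the silent drop becomes harder for an operator to notice in the resulting pcap. Either log it on the already-enabled path, or note it at the call site, e.g. `// a running capture keeps its filter and group; disable first to change them`. The public `packet_capture_enable` wrapper a few hunks down forwards `g` unchanged, and its body continues outside the hunk, so I cannot see whether anything there reports the ignored request.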
@@ -209,6 +211,11 @@ void PacketCapture::eval(Packet* p)
 
 if ( config.enabled )
 {
+ if ( (config.group != -1) and
+ !((config.group == p->pkth->ingress_group) or
+ (config.group == p->pkth->egress_group)) )
+ return;
+
 if ( !capture_initialized() )
 if ( !capture_init() )
 return;
@@ -495,6 +502,8 @@ TEST_CASE("bpf filter", "[PacketCapture]")
 p_non_match.pktlen = sizeof(match);
 daq_hdr.pktlen = sizeof(match);
 
+ daq_hdr.ingress_group = -1;
+ daq_hdr.egress_group = -1;
 CaptureModule mod;
 MockPacketCapture cap(&mod);
 
diff --git a/src/network_inspectors/packet_capture/packet_capture.h b/src/network_inspectors/packet_capture/packet_capture.h
index 36370f741..550b08fd7 100644
--- a/src/network_inspectors/packet_capture/packet_capture.h
+++ b/src/network_inspectors/packet_capture/packet_capture.h
@@ -22,7 +22,7 @@
 
 #include
 
-void packet_capture_enable(const std::string&);
+void packet_capture_enable(const std::string&, const int16_t g = -1);
 void packet_capture_disable();
 
 #endif
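Review bot: The new group check in `PacketCapture::eval` dereferences `p->pkth` before any of the existing guards run; if a packet without a DAQ header can reach this inspector (I cannot confirm from the hunk whether that is possible here), this is a null dereference on the fast path, so a `p->pkth` check belongs in the condition if it is. The doubly negated `!((a) or (b))` form is also harder to read than the equivalent `if ( config.group != -1 and config.group != p->pkth->ingress_group and config.group != p->pkth->egress_group ) return;`. A short comment above it would record the sentinel the rest of the change relies on, e.g. `// group -1 means no group filter; otherwise the packet must enter or leave the configured group`. eval's body continues outside the hunk.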
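Review bot: The test change only pins `ingress_group` and `egress_group` to -1 so the existing "bpf filter" case keeps passing; nothing exercises the new group path in `eval`, so a regression that inverted the match (or the default-0 issue in the Lua `enable` binding) would not be caught. A second case that enables capture with a specific group and feeds one packet whose ingress group matches, one whose egress group matches and one whose groups differ, asserting that only the first two are written, would cover the three branches the new condition introduces. The `TEST_CASE` body starts and ends outside the hunk, so the assertion style to copy is not visible here.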
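Review bot: The new declaration in packet_capture.h uses `int16_t`, which needs `<cstdint>` in scope; the page rendering has stripped the target of the `#include` line above it, so I cannot tell whether the header already pulls it in, and relying on a transitive include from `<string>` is fragile. The top-level `const` on a by-value parameter has no effect in a declaration, and naming only the second parameter while the first stays anonymous is inconsistent; `void packet_capture_enable(const std::string&, int16_t group = -1);` reads better and documents the default the callers in capture_module.cc depend on.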