From: James Dutrisac
Date: Tue, 28 Jul 2020 17:09:48 +0000 (-0400)
Subject: pcap: read directories recursively
X-Git-Tag: suricata-6.0.0-beta1~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db5b73d9d6ababe66c4a437c4fadc37aadb575fa;p=thirdparty%2Fsuricata.git

pcap: read directories recursively

Describe Changes
- Added ability to recursively read pcap directories
- src/suricata.c: addition of new command line parameter --pcap-file-recursive
- src/source-pcap-file.c: parsing of the command line argument
- src/source-pcap-file-directory-helper.h: two thread vars tracking directory depth and should recurse
- src/util-error.c / src/util-error.h: Added new warning code "SC_WARN_PATH_READ_ERROR"
- Redmine ticket: https://redmine.openinfosecfoundation.org/issues/2363

Ticket: #2363
---
diff --git a/src/source-pcap-file-directory-helper.h b/src/source-pcap-file-directory-helper.h
index bc416db2bd..6e32c044d8 100644
--- a/src/source-pcap-file-directory-helper.h
+++ b/src/source-pcap-file-directory-helper.h
@@ -43,6 +43,8 @@ typedef struct PcapFileDirectoryVars_
 DIR *directory;
 PcapFileFileVars *current_file;
 bool should_loop;
+ bool should_recurse;
+ uint8_t cur_dir_depth;
 time_t delay;
 time_t poll_interval;
diff --git a/src/source-pcap-file.c b/src/source-pcap-file.c
index 2ec57cfd7f..e3d88bb8ff 100644
--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
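Review bot: The two new fields carry no comment, and `uint8_t cur_dir_depth` has no stated maximum, so whatever increments it on descent (not part of this diff; presumably the directory walker in source-pcap-file-directory-helper.c) must compare against a limit before incrementing or the counter silently wraps at 255; a hard cap there also bounds the walk if a subdirectory entry points back up the tree. Documenting the contract on the field keeps that expectation visible: `bool should_recurse;   /* descend into subdirectories (pcap-file.recursive); must not be combined with should_loop */` and `uint8_t cur_dir_depth; /* depth of the directory being walked, 0 for the -r path itself; the walker should cap this before incrementing */`. The struct PcapFileDirectoryVars_ starts outside the hunk.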
@@ -290,11 +290,24 @@ TmEcode ReceivePcapFileThreadInit(ThreadVars *tv, const void *initdata, void **d
 CleanupPcapFileThreadVars(ptv);
 SCReturnInt(TM_ECODE_OK);
 }
+ pv->cur_dir_depth = 0;
+
+ int should_recurse;
+ pv->should_recurse = false;
+ if (ConfGetBool("pcap-file.recursive", &should_recurse) == 1) {
+ pv->should_recurse = (should_recurse == 1);
+ }
 int should_loop = 0;
 pv->should_loop = false;
 if (ConfGetBool("pcap-file.continuous", &should_loop) == 1) {
- pv->should_loop = should_loop == 1;
+ pv->should_loop = (should_loop == 1);
+ }
+
+ if (pv->should_recurse == true && pv->should_loop == true) {
+ SCLogError(SC_ERR_INVALID_ARGUMENT, "Error, --pcap-file-continuous and --pcap-file-recursive "
+ "cannot be used together.");
+ SCReturnInt(TM_ECODE_FAILED);
+ }
 pv->delay = 30;
diff --git a/src/suricata.c b/src/suricata.c
index 41e1109e49..e771009e3f 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -598,6 +598,7 @@ static void PrintUsage(const char *progname)
 printf("\t--pcap[=] : run in pcap mode, no value select interfaces from suricata.yaml\n");
 printf("\t--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
 printf("\t--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
+ printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)\n");
 #ifdef HAVE_PCAP_SET_BUFF
 printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
 #endif /* HAVE_SET_PCAP_BUFF */
@@ -1195,6 +1196,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
 {"pcap", optional_argument, 0, 0},
 {"pcap-file-continuous", 0, 0, 0},
 {"pcap-file-delete", 0, 0, 0},
+ {"pcap-file-recursive", 0, 0, 0},
 {"simulate-ips", 0, 0 , 0},
 {"no-random", 0, &g_disable_randomness, 1},
 {"strict-rule-keywords", optional_argument, 0, 0},
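Review bot: The new mutual-exclusion failure path returns `TM_ECODE_FAILED` without releasing `ptv`, whereas the earlier return visible at the top of the hunk calls `CleanupPcapFileThreadVars(ptv)` first; unless the caller frees the thread vars on failure (not visible here), the allocation and the already-opened directory handle leak. Add `CleanupPcapFileThreadVars(ptv);` immediately before that `SCReturnInt(TM_ECODE_FAILED);`. Separately, `int should_recurse;` is left uninitialized while `int should_loop = 0;` a few lines below is not; the value is only read when ConfGetBool returns 1, so it is harmless, but `int should_recurse = 0;` keeps the two blocks consistent. Both settings can also come from suricata.yaml (`pcap-file.recursive`, `pcap-file.continuous`), so an error text naming only the command-line flags may mislead a user who set them in the config; mention the config keys too. ReceivePcapFileThreadInit begins before and ends after the hunk.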
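Review bot: The new usage line does not say that the option is rejected together with `--pcap-file-continuous` (the check this same commit adds in source-pcap-file.c), so a user only learns of the conflict at thread init. Extend the help text: `printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r); cannot be combined with --pcap-file-continuous\n");`. PrintUsage starts outside the hunk.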
@@ -1570,6 +1572,12 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
 return TM_ECODE_FAILED;
 }
 }
+ else if (strcmp((long_opts[option_index]).name, "pcap-file-recursive") == 0) {
+ if (ConfSetFinal("pcap-file.recursive", "true") != 1) {
+ SCLogError(SC_ERR_CMD_LINE, "ERROR: Failed to set pcap-file.recursive");
+ return TM_ECODE_FAILED;
+ }
+ }
 else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
 if (optarg == NULL) {
 SCLogError(SC_ERR_INITIALIZATION, "no option argument (optarg) for -d");
diff --git a/src/util-error.c b/src/util-error.c
index bc56addd8d..8cb634af98 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -372,6 +372,7 @@ const char * SCErrorToString(SCError err)
 CASE_CODE (SC_WARN_ERSPAN_CONFIG);
 CASE_CODE (SC_WARN_HASSH_DISABLED);
 CASE_CODE (SC_WARN_FILESTORE_CONFIG);
+ CASE_CODE (SC_WARN_PATH_READ_ERROR);
 CASE_CODE (SC_ERR_MAX);
 }
diff --git a/src/util-error.h b/src/util-error.h
index 6df9c20faf..d3260af10e 100644
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -362,6 +362,7 @@ typedef enum {
 SC_WARN_ERSPAN_CONFIG,
 SC_WARN_HASSH_DISABLED,
 SC_WARN_FILESTORE_CONFIG,
+ SC_WARN_PATH_READ_ERROR,
 SC_ERR_MAX
 } SCError;
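Review bot: Nothing in this commit raises `SC_WARN_PATH_READ_ERROR`; the enum value and its CASE_CODE string are added, but the code that would report an unreadable path while recursing is not part of the diff, so the warning is dead until that lands. A short comment naming the condition it is meant for would help the next reader, e.g. `SC_WARN_PATH_READ_ERROR, /* a path under a -r directory could not be read while recursing */`. The SCError enum starts outside the hunk.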