#define USE_STREAM_DEPTH_DISABLED 0
#define USE_STREAM_DEPTH_ENABLED 1
+#define HONOR_PASS_RULES_DISABLED 0
+#define HONOR_PASS_RULES_ENABLED 1
+
SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
typedef struct PcapFileName_ {
*/
typedef struct PcapLogData_ {
int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
+ int honor_pass_rules; /**< don't log if pass rules have matched */
int is_private; /**< TRUE if ctx is thread local */
SCMutex plog_lock;
uint64_t pkt_cnt; /**< total number of packets */
if ((p->flags & PKT_PSEUDO_STREAM_END) ||
((p->flags & PKT_STREAM_NOPCAPLOG) &&
(pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED)) ||
- (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)))
+ (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
+ (pl->honor_pass_rules && (p->flags & PKT_NOPACKET_INSPECTION)))
{
return TM_ECODE_OK;
}
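Review bot: The new clause on the last added line treats `PKT_NOPACKET_INSPECTION` as proof that a pass rule matched, but that flag is a generic "skip inspection" marker on the packet rather than a pass-rule-specific one, so if any other part of the pipeline sets it, `honor-pass-rules` will silently stop logging those packets too; it is worth confirming that every setter of this flag is a pass rule and recording that assumption next to the check, e.g. `/* pass rules mark the flow/packet no-inspection; skip logging when asked to honor them */`. As a point of style, the sibling check two lines up compares `pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED` while the new line tests `pl->honor_pass_rules` as a bare truth value; `(pl->honor_pass_rules == HONOR_PASS_RULES_ENABLED && (p->flags & PKT_NOPACKET_INSPECTION))` would keep the two consistent. The enclosing function starts and ends outside this hunk.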
pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
pl->timestamp_format = TS_FORMAT_SEC;
pl->use_stream_depth = USE_STREAM_DEPTH_DISABLED;
+ pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
TAILQ_INIT(&pl->pcap_file_list);
}
}
+ const char *honor_pass_rules = NULL;
+ if (conf != NULL) { /* To faciliate unit tests. */
+ honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
+ }
+ if (honor_pass_rules != NULL) {
+ if (ConfValIsFalse(honor_pass_rules)) {
+ pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
+ } else if (ConfValIsTrue(honor_pass_rules)) {
+ pl->honor_pass_rules = HONOR_PASS_RULES_ENABLED;
+ } else {
+ SCLogError(SC_ERR_INVALID_ARGUMENT,
+ "log-pcap honor-pass-rules specified is invalid");
+ exit(EXIT_FAILURE);
+ }
+ }
+
/* create the output ctx and send it back */
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
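Review bot: The comment on the `if (conf != NULL)` line misspells the word, and should read `/* To facilitate unit tests. */`; the error message two lines below it also reads awkwardly, and `"log-pcap honor-pass-rules value is invalid"` (or quoting the offending value) would be clearer to an operator reading the log. Note that any value that is neither a recognised true nor false spelling terminates the process via `exit(EXIT_FAILURE)`; that presumably mirrors how `use-stream-depth` is parsed above this hunk, which is not visible here, so the two paths should be checked to agree. The enclosing function starts outside this hunk.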
#sguil-base-dir: /nsm_data/
#ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
# a full alerts log containing much information for signature writers
# or for investigating suspected false positives.
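Review bot: The comment on the added `honor-pass-rules` line has a grammar slip, "will stopped being logged", and should read `honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.`. It may also be worth saying that the default `no` keeps the previous behaviour, since that is what the code side of this change initialises the option to. The wording "flows in which a pass rule matched" describes the intent; as far as the C hunk shows, the decision is made per packet from a no-inspection flag, so a reader comparing the two may want that relationship spelled out.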