From: Victor Julien
Date: Mon, 4 Aug 2014 13:36:42 +0000 (+0200)
Subject: pcap-log: add option to honor pass rules
X-Git-Tag: suricata-2.1beta2~79
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d44cb3f6fef8679c010a9d29f6de9b6f91dbe029;p=thirdparty%2Fsuricata.git

pcap-log: add option to honor pass rules

Add option (disabled by default) to honor pass rules. This means that when a pass rule matches in a flow, it's packets are no longer stored by the pcap-log module.
---
diff --git a/src/log-pcap.c b/src/log-pcap.c
index 87f654d46f..21d41e8bd3 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -72,6 +72,9 @@
 #define USE_STREAM_DEPTH_DISABLED 0
 #define USE_STREAM_DEPTH_ENABLED 1
 
+#define HONOR_PASS_RULES_DISABLED 0
+#define HONOR_PASS_RULES_ENABLED 1
+
 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
 
 typedef struct PcapFileName_ {
@@ -94,6 +97,7 @@ typedef struct PcapLogProfileData_ {
  */
 typedef struct PcapLogData_ {
     int use_stream_depth; /**< use stream depth i.e. ignore packets that reach limit */
+    int honor_pass_rules; /**< don't log if pass rules have matched */
     int is_private; /**< TRUE if ctx is thread local */
     SCMutex plog_lock;
     uint64_t pkt_cnt; /**< total number of packets */
@@ -354,7 +358,8 @@ static TmEcode PcapLog (ThreadVars *t, Packet *p, void *thread_data, PacketQueue
     if ((p->flags & PKT_PSEUDO_STREAM_END) ||
         ((p->flags & PKT_STREAM_NOPCAPLOG) &&
          (pl->use_stream_depth == USE_STREAM_DEPTH_ENABLED)) ||
-        (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)))
+        (IS_TUNNEL_PKT(p) && !IS_TUNNEL_ROOT_PKT(p)) ||
+        (pl->honor_pass_rules && (p->flags & PKT_NOPACKET_INSPECTION)))
     {
         return TM_ECODE_OK;
     }
@@ -682,6 +687,7 @@ static OutputCtx *PcapLogInitCtx(ConfNode *conf)
     pl->use_ringbuffer = RING_BUFFER_MODE_DISABLED;
     pl->timestamp_format = TS_FORMAT_SEC;
     pl->use_stream_depth = USE_STREAM_DEPTH_DISABLED;
+    pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
 
     TAILQ_INIT(&pl->pcap_file_list);
 
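Review bot: The new clause in the PcapLog condition tests `pl->honor_pass_rules` for truthiness while the neighbouring stream-depth clause compares against its named constant; for consistency with `USE_STREAM_DEPTH_ENABLED`, write `(pl->honor_pass_rules == HONOR_PASS_RULES_ENABLED && (p->flags & PKT_NOPACKET_INSPECTION))`. The gate is keyed on `PKT_NOPACKET_INSPECTION` rather than on a pass-rule-specific signal; if that flag can be set by anything other than a pass rule match (this hunk does not show where it is set), those flows would silently drop out of the pcap too, so a comment on the new line such as `/* pass rule matched: flow is no longer inspected, so stop logging it */` would record the assumption for the next reader. Packets of the flow written before the flag was set remain in the log, which anyone relying on pcap-log output as evidence should be aware of. PcapLog's body begins and ends outside the hunk.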
@@ -847,6 +853,22 @@ static OutputCtx *PcapLogInitCtx(ConfNode *conf)
         }
     }
 
+    const char *honor_pass_rules = NULL;
+    if (conf != NULL) { /* To faciliate unit tests. */
+        honor_pass_rules = ConfNodeLookupChildValue(conf, "honor-pass-rules");
+    }
+    if (honor_pass_rules != NULL) {
+        if (ConfValIsFalse(honor_pass_rules)) {
+            pl->honor_pass_rules = HONOR_PASS_RULES_DISABLED;
+        } else if (ConfValIsTrue(honor_pass_rules)) {
+            pl->honor_pass_rules = HONOR_PASS_RULES_ENABLED;
+        } else {
+            SCLogError(SC_ERR_INVALID_ARGUMENT,
+                "log-pcap honor-pass-rules specified is invalid");
+            exit(EXIT_FAILURE);
+        }
+    }
+
     /* create the output ctx and send it back */
     OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
 
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 3ea2811555..562085ed37 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -215,6 +215,7 @@ outputs:
       #sguil-base-dir: /nsm_data/
       #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
       use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged.
 
   # a full alerts log containing much information for signature writers
   # or for investigating suspected false positives.
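Review bot: The local `const char *honor_pass_rules` in PcapLogInitCtx carries the same name as the integer field `pl->honor_pass_rules` it is parsed into, which makes the string and the resulting flag easy to confuse when reading the `ConfValIsFalse`/`ConfValIsTrue` branches; a name such as `honor_pass_rules_str` (or whatever the preceding option blocks use) would be clearer. The comment on the `conf != NULL` guard has a typo: `/* To faciliate unit tests. */` should read `/* To facilitate unit tests. */`. The enclosing function starts outside the hunk, and the two closing braces at its top close a block that is not visible here.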
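Review bot: The added `honor-pass-rules` comment has a grammar slip, `will stopped being logged`; suggest `# If set to "yes", packets of a flow are no longer logged once a pass rule has matched in it (default "no").` That wording also makes explicit that packets written before the match stay in the pcap, which is what the per-packet check added in log-pcap.c appears to imply, so anyone relying on pcap-log output as evidence knows what is and is not retained.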