Snort: without explicit disable, expand preference to switch off

Change-Id: I5fd3b0cc6f19c4c873aaaae8c9e257a8b53a8419
Reviewed-on: https://code.wireshark.org/review/19489
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>

epan/dissectors/packet-snort.c

@@ -114,11 +114,12 @@ static expert_field ei_snort_content_not_matched = EI_INIT;
 
 /* Where to look for alerts. */
 enum alerts_source {
+    FromNowhere,      /* disabled */
     FromRunningSnort,
     FromUserComments  /* see https://blog.packet-foo.com/2015/08/verifying-iocs-with-snort-and-tracewrangler/ */
 };
-/* By default schoose to run Snort to look for alerts */
+/* By default, dissector is effectively disabled */
-static gint pref_snort_alerts_source = (gint)FromRunningSnort;
+static gint pref_snort_alerts_source = (gint)FromNowhere;
 
 /* Snort binary and config file */
 #ifndef _WIN32
@@ -961,8 +962,13 @@ snort_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
 {
     Alerts_t *alerts;
 
+    /* If not looking for alerts, return quickly */
+    if (pref_snort_alerts_source == FromNowhere) {
+        return 0;
+    }
+
     /* Are we looking for alerts in user comments? */
-    if (pref_snort_alerts_source == FromUserComments) {
+    else if (pref_snort_alerts_source == FromUserComments) {
         /* Look for user comments containing alerts */
         const char *alert_string = get_user_comment_string(tree);
         if (alert_string) {
@@ -1078,8 +1084,10 @@ static void snort_start(void)
     };
 
     /* Nothing to do if not enabled, but registered init function gets called anyway */
-    if (!proto_is_protocol_enabled(find_protocol_by_id(proto_snort)))
+    if ((pref_snort_alerts_source == FromNowhere) ||
+        !proto_is_protocol_enabled(find_protocol_by_id(proto_snort))) {
         return;
+    }
 
     /* Create tree mapping packet_number -> Alerts_t*.  It will get recreated when packet list is reloaded */
     current_session.alerts_tree = wmem_tree_new_autoreset(wmem_epan_scope(), wmem_file_scope());
@@ -1286,8 +1294,9 @@ proto_register_snort(void)
     };
 
     static const enum_val_t alerts_source_vals[] = {
-        {"from-running-snort",      "From running Snort",     FromRunningSnort},
+        {"from-nowhere",            "Not looking for Snort alerts", FromNowhere},
-        {"from-user-comments",      "From user comments",     FromUserComments},
+        {"from-running-snort",      "From running Snort",           FromRunningSnort},
+        {"from-user-comments",      "From user comments",           FromUserComments},
         {NULL, NULL, -1}
     };
 
@@ -1304,9 +1313,6 @@ proto_register_snort(void)
 
     proto_snort = proto_register_protocol("Snort Alerts", "Snort", "snort");
 
-    /* Disable snort by default */
-    proto_disable_by_default(proto_snort);
-
     proto_register_field_array(proto_snort, hf, array_length(hf));
     proto_register_subtree_array(ett, array_length(ett));
 

epan/dissectors/snort-config.c

@@ -701,7 +701,7 @@ static gboolean parse_rule(SnortConfig_t *snort_config, char *line, const char *
     gboolean in_quotes = FALSE;
     int options_start_index = 0, options_index = 0, colon_offset = 0;
     char c;
-    int length;
+    int length = 0; /*  CID 1398227 (bogus - read_token() always sets it) */
     Rule_t *rule = NULL;
 
     /* Rule will begin with alert */