Snort: without explicit disable, expand preference to switch off
Change-Id: I5fd3b0cc6f19c4c873aaaae8c9e257a8b53a8419 Reviewed-on: https://code.wireshark.org/review/19489 Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
parent
b380013051
commit
b358b870b3
@ -114,11 +114,12 @@ static expert_field ei_snort_content_not_matched = EI_INIT;
|
||||||
|
|
||||||
/* Where to look for alerts. */
|
/* Where to look for alerts. */
|
||||||
enum alerts_source {
|
enum alerts_source {
|
||||||
|
FromNowhere, /* disabled */
|
||||||
FromRunningSnort,
|
FromRunningSnort,
|
||||||
FromUserComments /* see https://blog.packet-foo.com/2015/08/verifying-iocs-with-snort-and-tracewrangler/ */
|
FromUserComments /* see https://blog.packet-foo.com/2015/08/verifying-iocs-with-snort-and-tracewrangler/ */
|
||||||
};
|
};
|
||||||
/* By default schoose to run Snort to look for alerts */
|
/* By default, dissector is effectively disabled */
|
||||||
static gint pref_snort_alerts_source = (gint)FromRunningSnort;
|
static gint pref_snort_alerts_source = (gint)FromNowhere;
|
||||||
|
|
||||||
/* Snort binary and config file */
|
/* Snort binary and config file */
|
||||||
#ifndef _WIN32
|
#ifndef _WIN32
|
||||||
|
@ -961,8 +962,13 @@ snort_dissector(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
|
||||||
{
|
{
|
||||||
Alerts_t *alerts;
|
Alerts_t *alerts;
|
||||||
|
|
||||||
|
/* If not looking for alerts, return quickly */
|
||||||
|
if (pref_snort_alerts_source == FromNowhere) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Are we looking for alerts in user comments? */
|
/* Are we looking for alerts in user comments? */
|
||||||
if (pref_snort_alerts_source == FromUserComments) {
|
else if (pref_snort_alerts_source == FromUserComments) {
|
||||||
/* Look for user comments containing alerts */
|
/* Look for user comments containing alerts */
|
||||||
const char *alert_string = get_user_comment_string(tree);
|
const char *alert_string = get_user_comment_string(tree);
|
||||||
if (alert_string) {
|
if (alert_string) {
|
||||||
|
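Review bot: The `else if` on the FromUserComments line follows a branch that unconditionally returns, so the `else` is dead; a plain `if (pref_snort_alerts_source == FromUserComments) {` keeps the guards independent instead of chaining every later branch onto the early return. Separately, `pref_snort_alerts_source` is a plain `gint` populated from the preferences file, and any value other than FromNowhere or FromUserComments presumably falls through to the running-Snort path further down, which lies outside this hunk; if the enum preference is not validated against `alerts_source_vals` on load, an explicit `else if (pref_snort_alerts_source == FromRunningSnort)` with a final branch that also returns 0 would make an unexpected value a no-op rather than a request to start the external Snort process. snort_dissector starts before and continues past this hunk.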
@ -1078,8 +1084,10 @@ static void snort_start(void)
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Nothing to do if not enabled, but registered init function gets called anyway */
|
/* Nothing to do if not enabled, but registered init function gets called anyway */
|
||||||
if (!proto_is_protocol_enabled(find_protocol_by_id(proto_snort)))
|
if ((pref_snort_alerts_source == FromNowhere) ||
|
||||||
|
!proto_is_protocol_enabled(find_protocol_by_id(proto_snort))) {
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
/* Create tree mapping packet_number -> Alerts_t*. It will get recreated when packet list is reloaded */
|
/* Create tree mapping packet_number -> Alerts_t*. It will get recreated when packet list is reloaded */
|
||||||
current_session.alerts_tree = wmem_tree_new_autoreset(wmem_epan_scope(), wmem_file_scope());
|
current_session.alerts_tree = wmem_tree_new_autoreset(wmem_epan_scope(), wmem_file_scope());
|
||||||
|
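Review bot: The new `FromNowhere` test in snort_start duplicates the one added to snort_dissector, so the two sites can drift apart when another source value is introduced; a small `static gboolean snort_alerts_enabled(void) { return pref_snort_alerts_source != FromNowhere; }` used in both places would keep them in step. Also, when snort_start now returns early, `current_session.alerts_tree` is left untouched rather than cleared; if the preference can move from FromNowhere to another source without a fresh init, the dissector would presumably see whatever that field held before, so either confirm init always reruns or add `current_session.alerts_tree = NULL;` before the early `return;`. snort_start continues past this hunk.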
@ -1286,8 +1294,9 @@ proto_register_snort(void)
|
||||||
};
|
};
|
||||||
|
|
||||||
static const enum_val_t alerts_source_vals[] = {
|
static const enum_val_t alerts_source_vals[] = {
|
||||||
{"from-running-snort", "From running Snort", FromRunningSnort},
|
{"from-nowhere", "Not looking for Snort alerts", FromNowhere},
|
||||||
{"from-user-comments", "From user comments", FromUserComments},
|
{"from-running-snort", "From running Snort", FromRunningSnort},
|
||||||
|
{"from-user-comments", "From user comments", FromUserComments},
|
||||||
{NULL, NULL, -1}
|
{NULL, NULL, -1}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1304,9 +1313,6 @@ proto_register_snort(void)
|
||||||
|
|
||||||
proto_snort = proto_register_protocol("Snort Alerts", "Snort", "snort");
|
proto_snort = proto_register_protocol("Snort Alerts", "Snort", "snort");
|
||||||
|
|
||||||
/* Disable snort by default */
|
|
||||||
proto_disable_by_default(proto_snort);
|
|
||||||
|
|
||||||
proto_register_field_array(proto_snort, hf, array_length(hf));
|
proto_register_field_array(proto_snort, hf, array_length(hf));
|
||||||
proto_register_subtree_array(ett, array_length(ett));
|
proto_register_subtree_array(ett, array_length(ett));
|
||||||
|
|
||||||
|
|
|
@ -701,7 +701,7 @@ static gboolean parse_rule(SnortConfig_t *snort_config, char *line, const char *
|
||||||
gboolean in_quotes = FALSE;
|
gboolean in_quotes = FALSE;
|
||||||
int options_start_index = 0, options_index = 0, colon_offset = 0;
|
int options_start_index = 0, options_index = 0, colon_offset = 0;
|
||||||
char c;
|
char c;
|
||||||
int length;
|
int length = 0; /* CID 1398227 (bogus - read_token() always sets it) */
|
||||||
Rule_t *rule = NULL;
|
Rule_t *rule = NULL;
|
||||||
|
|
||||||
/* Rule will begin with alert */
|
/* Rule will begin with alert */
|
||||||
|
|
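Review bot: The comment on the `length` initialiser argues with the Coverity finding instead of stating the invariant a reader needs; `int length = 0; /* always set by read_token() before use; initialised to silence CID 1398227 */` records why zero is a safe value without calling the report bogus. If `read_token()` has an error path that leaves `length` unset, zero is only safe when every later use of `length` tolerates it, which cannot be confirmed from this hunk. parse_rule starts before and continues past this hunk.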