00001 //--------------------------------------------------------------------------
00002 // Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
00003 //
00004 // This program is free software; you can redistribute it and/or modify it
00005 // under the terms of the GNU General Public License Version 2 as published
00006 // by the Free Software Foundation. You may not use, modify or distribute
00007 // this program under any other version of the GNU General Public License.
00008 //
00009 // This program is distributed in the hope that it will be useful, but
00010 // WITHOUT ANY WARRANTY; without even the implied warranty of
00011 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
00012 // General Public License for more details.
00013 //
00014 // You should have received a copy of the GNU General Public License along
00015 // with this program; if not, write to the Free Software Foundation, Inc.,
00016 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
00017 //--------------------------------------------------------------------------
00018
00019 // snort_module.cc author Russ Combs <rucombs@cisco.com>
00020
00021 #ifdef HAVE_CONFIG_H
00022 #include "config.h"
00023 #endif
00024
00025 #include "snort_module.h"
00026
00027 #include "framework/module.h"
00028 #include "framework/parameter.h"
00029 #include "log/messages.h"
00030 #include "main.h"
00031 #include "packet_io/sfdaq_config.h"
00032 #include "packet_io/trough.h"
00033 #include "parser/config_file.h"
00034 #include "parser/parser.h"
00035 #include "parser/parse_utils.h"
00036 #include "parser/vars.h"
00037
00038 #ifdef UNIT_TEST
00039 #include "catch/unit_test.h"
00040 #endif
00041
00042 #include "help.h"
00043 #include "shell.h"
00044 #include "snort_config.h"
00045 #include "thread_config.h"
00046
00047 using namespace std;
00048
00049 //-------------------------------------------------------------------------
00050 // commands
00051 //-------------------------------------------------------------------------
00052
00053 #ifdef SHELL
// argument table shared by the reload_* shell commands below: a single
// string naming the file to load.  the trailing PT_MAX entry terminates
// the table.  NOTE(review): the path is supplied by whoever holds the
// shell connection; any restriction on where it may point is presumably
// enforced by the main_reload_* handlers, not here - confirm.
static const Parameter s_reload[] =
{
    { "filename", Parameter::PT_STRING, nullptr, nullptr,
      "name of file to load" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
00061
// argument table for the delete_inspector shell command: the name of the
// inspector to remove from the default policy.  PT_MAX terminates the table.
static const Parameter s_delete[] =
{
    { "inspector", Parameter::PT_STRING, nullptr, nullptr,
      "name of inspector to delete" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
00069
// shell commands exported by SnortModule::get_commands() (SHELL builds
// only).  each entry is { name, handler, parameter table, help }; a null
// name terminates the table.
//
// NOTE(review): several of these (reload_config, reload_policy,
// reload_hosts, delete_inspector, quit) change or replace the running
// configuration.  they are presumably reachable over the -j telnet port
// and the --control-socket unix socket declared in s_params below, so
// whoever can connect to either endpoint effectively controls the
// process - confirm how access to those endpoints is restricted.
static const Command snort_cmds[] =
{
    { "show_plugins", main_dump_plugins, nullptr, "show available plugins" },
    { "delete_inspector", main_delete_inspector, s_delete, "delete an inspector from the default policy" },
    { "dump_stats", main_dump_stats, nullptr, "show summary statistics" },
    { "rotate_stats", main_rotate_stats, nullptr, "roll perfmonitor log files" },
    { "reload_config", main_reload_config, s_reload, "load new configuration" },
    { "reload_policy", main_reload_policy, s_reload, "reload part or all of the default policy" },
    { "reload_daq", main_reload_daq, nullptr, "reload daq module" },
    { "reload_hosts", main_reload_hosts, s_reload, "load a new hosts table" },

    // FIXIT-M rewrite trough to permit updates on the fly
    //{ "process", main_process, nullptr, "process given pcap" },

    { "pause", main_pause, nullptr, "suspend packet processing" },
    { "resume", main_resume, nullptr, "continue packet processing" },
    { "detach", main_detach, nullptr, "exit shell w/o shutdown" },
    { "quit", main_quit, nullptr, "shutdown and dump-stats" },
    { "help", main_help, nullptr, "this output" },

    { nullptr, nullptr, nullptr, nullptr }
};
00092 #endif
00093
00094 //-------------------------------------------------------------------------
00095 // why not
00096 //-------------------------------------------------------------------------
00097
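// --c2x helper: print the first character of s as a quoted char, its hex
// value and its decimal value, then exit the process with status 0.
//
// The byte is read through unsigned char before being promoted: with a
// signed char type (the default on x86), a byte >= 0x80 would otherwise
// sign-extend and print as 0xFFFFFF80 / -128 instead of 0x80 / 128.
// An empty argument prints the terminating NUL (0x00), as before.
[[noreturn]] static void c2x(const char* s)
{
    const unsigned c = static_cast<unsigned char>(s[0]);
    printf("'%c' = 0x%2.2X (%u)\n", c, c, c);
    exit(0);
}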
00103
// --x2c helper: print x in hex and decimal followed by the character it
// encodes, then exit the process with status 0.
//
// The --x2c parameter declares no range, so x may exceed 0xFF; the cast
// keeps only the low byte (modulo 256 on the usual two's-complement
// targets) while the hex/decimal fields show the full value.  Whatever
// byte results - including control characters - is written raw to stdout.
[[noreturn]] static void x2c(unsigned x)
{
    const char as_char = static_cast<char>(x);

    printf("0x%2.2X (%u) = '%c'\n", x, x, as_char);
    exit(0);
}
00109
// --x2s helper: decode a rule-style byte-code string (e.g. "|41 42|") and
// print the decoded text, or the word error if decoding fails; then exit
// the process with status 0.
//
// The argument is wrapped in double quotes before being handed to
// parse_byte_code, which presumably expects the same quoted form used in
// rule options.  NOTE(review): an unescaped '"' inside s therefore ends
// the quoted string early; what parse_byte_code does with the remainder
// is not visible here - confirm it is rejected rather than misparsed.
// The negation flag is an output of parse_byte_code and is ignored.
[[noreturn]] static void x2s(const char* s)
{
    std::string quoted("\"");
    quoted.append(s).append("\"");

    bool negated;
    std::string decoded;
    const bool ok = parse_byte_code(quoted.c_str(), negated, decoded);

    printf("%s = '%s'\n", s, ok ? decoded.c_str() : "error");
    exit(0);
}
00125
00126 //-------------------------------------------------------------------------
00127 // parameters
00128 //
00129 // users aren't used to seeing the standard help format for command line
00130 // args so the few cases where there is a default, we include it in the
00131 // help as well.
00132 //-------------------------------------------------------------------------
00133
// command line option table.  each entry is
//   { name, type, range-or-enum, default, help }
// and is dispatched by name in SnortModule::set() below; the PT_MAX entry
// terminates the table.  "(optional)" in the range column marks a string
// argument that may be omitted.  a null default means the framework has
// no default to show, which is why a few help strings spell the default
// out by hand (see the header comment above).  options that are only
// compiled in for SHELL / PIGLET / UNIT_TEST builds are #ifdef'd.
//
// NOTE(review): the options that matter most from a hardening standpoint
// are flagged inline: the remote-control endpoints (-j, --control-socket),
// privilege handling (-u, -g, -t, -m) and anything that loads code or
// configuration from a caller-chosen location (-c, --lua, --plugin-path,
// --script-path, --daq-dir, --rule, -R, --stdin-rules).
static const Parameter s_params[] =
{
    { "-?", Parameter::PT_STRING, "(optional)", nullptr,
      "<option prefix> output matching command line option quick help (same as --help-options)" },

    // FIXIT-M should use PluginManager::get_available_plugins(PT_LOGGER)
    // but plugins not yet loaded upon set
    { "-A", Parameter::PT_STRING, nullptr, nullptr,
      "<mode> set alert mode: none, cmg, or alert_*" },

    // default mask obfuscates every bit of the address
    { "-B", Parameter::PT_ADDR, nullptr, "255.255.255.255/32",
      "<mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask" },

    { "-C", Parameter::PT_IMPLIED, nullptr, nullptr,
      "print out payloads with character data only (no hex)" },

    // the configuration file is Lua and is executed, not merely parsed
    { "-c", Parameter::PT_STRING, nullptr, nullptr,
      "<conf> use this configuration" },

    { "-D", Parameter::PT_IMPLIED, nullptr, nullptr,
      "run Snort in background (daemon) mode" },

    { "-d", Parameter::PT_IMPLIED, nullptr, nullptr,
      "dump the Application Layer" },

    { "-e", Parameter::PT_IMPLIED, nullptr, nullptr,
      "display the second layer header info" },

    { "-f", Parameter::PT_IMPLIED, nullptr, nullptr,
      "turn off fflush() calls after binary log writes" },

    // 16-bit id; set() shifts it into the upper half of event_log_id
    { "-G", Parameter::PT_INT, "0:65535", nullptr,
      "<0xid> (same as --logid)" },

    // privilege drop: applied after initialization per the help text;
    // the actual setgid call lives outside this file
    { "-g", Parameter::PT_STRING, nullptr, nullptr,
      "<gname> run snort gid as <gname> group (or gid) after initialization" },

    { "-H", Parameter::PT_IMPLIED, nullptr, nullptr,
      "make hash tables deterministic" },

    // may be repeated; each occurrence after the first is bound to the
    // next packet-thread instance (see the -i branch of set())
    { "-i", Parameter::PT_STRING, nullptr, nullptr,
      "<iface>... list of interfaces" },

#ifdef SHELL
    // NOTE(review): opens a TCP listener for the shell commands in
    // snort_cmds.  the help text mentions no authentication or transport
    // protection, so presumably anyone who can reach the port gets the
    // shell; confirm the bind address / access controls before enabling
    // this on anything but a loopback interface.  mutually exclusive with
    // --control-socket (see set()).
    { "-j", Parameter::PT_PORT, nullptr, nullptr,
      "<port> to listen for telnet connections" },
#endif

    { "-k", Parameter::PT_ENUM, "all|noip|notcp|noudp|noicmp|none", "all",
      "<mode> checksum mode; default is all" },

    { "-L", Parameter::PT_STRING, nullptr, nullptr,
      "<mode> logging mode (none, dump, pcap, or log_*)" },

    { "-l", Parameter::PT_STRING, nullptr, nullptr,
      "<logdir> log to this directory instead of current directory" },

    { "-M", Parameter::PT_IMPLIED, nullptr, nullptr,
      "log messages to syslog (not alerts)" },

    // no upper bound in the range; set() forwards the raw string to
    // SnortConfig::set_umask, which presumably validates it - confirm
    { "-m", Parameter::PT_INT, "0:", nullptr,
      "<umask> set umask = <umask>" },

    { "-n", Parameter::PT_INT, "0:", nullptr,
      "<count> stop after count packets" },

    { "-O", Parameter::PT_IMPLIED, nullptr, nullptr,
      "obfuscate the logged IP addresses" },

    { "-Q", Parameter::PT_IMPLIED, nullptr, nullptr,
      "enable inline mode operation" },

    { "-q", Parameter::PT_IMPLIED, nullptr, nullptr,
      "quiet mode - Don't show banner and status report" },

    // set() turns this into an "include <rules>" line appended to the
    // rule text, so the path is parsed as rule syntax
    { "-R", Parameter::PT_STRING, nullptr, nullptr,
      "<rules> include this rules file in the default policy" },

    { "-r", Parameter::PT_STRING, nullptr, nullptr,
      "<pcap>... (same as --pcap-list)" },

    { "-S", Parameter::PT_STRING, nullptr, nullptr,
      "<x=v> set config variable x equal to value v" },

    { "-s", Parameter::PT_INT, "68:65535", "1514",
      "<snap> (same as --snaplen); default is 1514" },

    { "-T", Parameter::PT_IMPLIED, nullptr, nullptr,
      "test and report on the current Snort configuration" },

    // chroot: applied after initialization per the help text; the chroot
    // call itself lives outside this file
    { "-t", Parameter::PT_STRING, nullptr, nullptr,
      "<dir> chroots process to <dir> after initialization" },

    { "-U", Parameter::PT_IMPLIED, nullptr, nullptr,
      "use UTC for timestamps" },

    // privilege drop: applied after initialization per the help text
    { "-u", Parameter::PT_STRING, nullptr, nullptr,
      "<uname> run snort as <uname> or <uid> after initialization" },

    { "-V", Parameter::PT_IMPLIED, nullptr, nullptr,
      "(same as --version)" },

    { "-v", Parameter::PT_IMPLIED, nullptr, nullptr,
      "be verbose" },

    { "-W", Parameter::PT_IMPLIED, nullptr, nullptr,
      "lists available interfaces" },

    { "-X", Parameter::PT_IMPLIED, nullptr, nullptr,
      "dump the raw packet data starting at the link layer" },

    { "-x", Parameter::PT_IMPLIED, nullptr, nullptr,
      "same as --pedantic" },

    { "-y", Parameter::PT_IMPLIED, nullptr, nullptr,
      "include year in timestamp in the alert and log files" },

    { "-z", Parameter::PT_INT, "0:", "1",
      "<count> maximum number of packet threads (same as --max-packet-threads); "
      "0 gets the number of CPU cores reported by the system; default is 1" },

    { "--alert-before-pass", Parameter::PT_IMPLIED, nullptr, nullptr,
      "process alert, drop, sdrop, or reject before pass; "
      "default is pass before alert, drop,..." },

    // stored verbatim in SnortConfig::bpf_filter; compiled elsewhere
    { "--bpf", Parameter::PT_STRING, nullptr, nullptr,
      "<filter options> are standard BPF options, as seen in TCPDump" },

    // diagnostic: prints and exits the process (see c2x())
    { "--c2x", Parameter::PT_STRING, nullptr, nullptr,
      "output hex for given char (see also --x2c)" },

#ifdef SHELL
    // NOTE(review): unix-socket counterpart of -j; access is presumably
    // governed by the socket file's ownership/mode, which is set outside
    // this file - confirm.  mutually exclusive with -j (see set()).
    { "--control-socket", Parameter::PT_STRING, nullptr, nullptr,
      "<file> to create unix socket" },
#endif

    { "--create-pidfile", Parameter::PT_IMPLIED, nullptr, nullptr,
      "create PID file, even when not in Daemon mode" },

    { "--daq", Parameter::PT_STRING, nullptr, nullptr,
      "<type> select packet acquisition module (default is pcap)" },

    // DAQ modules are shared objects loaded from this directory
    { "--daq-dir", Parameter::PT_STRING, nullptr, nullptr,
      "<dir> tell snort where to find desired DAQ" },

    { "--daq-list", Parameter::PT_IMPLIED, nullptr, nullptr,
      "list packet acquisition modules available in optional dir, default is static modules only" },

    // scoped to the most recent -i instance, if any (see set())
    { "--daq-var", Parameter::PT_STRING, nullptr, nullptr,
      "<name=value> specify extra DAQ configuration variable" },

    { "--dirty-pig", Parameter::PT_IMPLIED, nullptr, nullptr,
      "don't flush packets on shutdown" },

    { "--dump-builtin-rules", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output stub rules for selected modules" },

    // FIXIT-L add --list-dynamic-rules like --list-builtin-rules
    { "--dump-dynamic-rules", Parameter::PT_IMPLIED, nullptr, nullptr,
      "output stub rules for all loaded rules libraries" },

    { "--dump-defaults", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output module defaults in Lua format" },

    { "--dump-version", Parameter::PT_IMPLIED, nullptr, nullptr,
      "output the version, the whole version, and only the version" },

    { "--enable-inline-test", Parameter::PT_IMPLIED, nullptr, nullptr,
      "enable Inline-Test Mode Operation" },

    { "--gen-msg-map", Parameter::PT_IMPLIED, nullptr, nullptr,
      "dump builtin rules in gen-msg.map format for use by other tools" },

    { "--help", Parameter::PT_IMPLIED, nullptr, nullptr,
      "list command line options" },

    { "--help-commands", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output matching commands" },

    { "--help-config", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output matching config options" },

    { "--help-counts", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output matching peg counts" },

    { "--help-module", Parameter::PT_STRING, nullptr, nullptr,
      "<module> output description of given module" },

    { "--help-modules", Parameter::PT_IMPLIED, nullptr, nullptr,
      "list all available modules with brief help" },

    { "--help-options", Parameter::PT_STRING, "(optional)", nullptr,
      "[<option prefix>] output matching command line option quick help (same as -?)" },

    { "--help-plugins", Parameter::PT_IMPLIED, nullptr, nullptr,
      "list all available plugins with brief help" },

    { "--help-signals", Parameter::PT_IMPLIED, nullptr, nullptr,
      "dump available control signals" },

    { "--id-offset", Parameter::PT_INT, "0:65535", "0",
      "offset to add to instance IDs when logging to files" },

    { "--id-subdir", Parameter::PT_IMPLIED, nullptr, nullptr,
      "create/use instance subdirectories in logdir instead of instance filename prefix" },

    { "--id-zero", Parameter::PT_IMPLIED, nullptr, nullptr,
      "use id prefix / subdirectory even with one packet thread" },

    { "--list-buffers", Parameter::PT_IMPLIED, nullptr, nullptr,
      "output available inspection buffers" },

    { "--list-builtin", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output matching builtin rules" },

    { "--list-gids", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module prefix>] output matching generators" },

    { "--list-modules", Parameter::PT_STRING, "(optional)", nullptr,
      "[<module type>] list all known modules of given type" },

    { "--list-plugins", Parameter::PT_IMPLIED, nullptr, nullptr,
      "list all known plugins" },

    // an arbitrary Lua chunk that extends/overrides the configuration;
    // this is executable code, not a data value
    { "--lua", Parameter::PT_STRING, nullptr, nullptr,
      "<chunk> extend/override conf with chunk; may be repeated" },

    { "--logid", Parameter::PT_INT, "0:65535", nullptr,
      "<0xid> log Identifier to uniquely id events for multiple snorts (same as -G)" },

    { "--markup", Parameter::PT_IMPLIED, nullptr, nullptr,
      "output help in asciidoc compatible format" },

    { "--max-packet-threads", Parameter::PT_INT, "0:", "1",
      "<count> configure maximum number of packet threads (same as -z)" },

    { "--mem-check", Parameter::PT_IMPLIED, nullptr, nullptr,
      "like -T but also compile search engines" },

    { "--nostamps", Parameter::PT_IMPLIED, nullptr, nullptr,
      "don't include timestamps in log file names" },

    { "--nolock-pidfile", Parameter::PT_IMPLIED, nullptr, nullptr,
      "do not try to lock Snort PID file" },

    { "--pause", Parameter::PT_IMPLIED, nullptr, nullptr,
      "wait for resume/quit command before processing packets/terminating", },

    { "--pcap-file", Parameter::PT_STRING, nullptr, nullptr,
      "<file> file that contains a list of pcaps to read - read mode is implied" },

    { "--pcap-list", Parameter::PT_STRING, nullptr, nullptr,
      "<list> a space separated list of pcaps to read - read mode is implied" },

    { "--pcap-dir", Parameter::PT_STRING, nullptr, nullptr,
      "<dir> a directory to recurse to look for pcaps - read mode is implied" },

    { "--pcap-filter", Parameter::PT_STRING, nullptr, nullptr,
      "<filter> filter to apply when getting pcaps from file or directory" },

    // -1 is accepted by the range; 0 means loop forever per the help text
    { "--pcap-loop", Parameter::PT_INT, "-1:", nullptr,
      "<count> read all pcaps <count> times; 0 will read until Snort is terminated" },

    { "--pcap-no-filter", Parameter::PT_IMPLIED, nullptr, nullptr,
      "reset to use no filter when getting pcaps from file or directory" },

    { "--pcap-reload", Parameter::PT_IMPLIED, nullptr, nullptr,
      "if reading multiple pcaps, reload snort config between pcaps" },

    { "--pcap-show", Parameter::PT_IMPLIED, nullptr, nullptr,
      "print a line saying what pcap is currently being read" },

    { "--pedantic", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warnings are fatal" },

    // plugins are shared objects loaded from this path
    { "--plugin-path", Parameter::PT_STRING, nullptr, nullptr,
      "<path> where to find plugins" },

    { "--process-all-events", Parameter::PT_IMPLIED, nullptr, nullptr,
      "process all action groups" },

    // raw rule text appended to the configuration (see set())
    { "--rule", Parameter::PT_STRING, nullptr, nullptr,
      "<rules> to be added to configuration; may be repeated" },

    { "--rule-to-hex", Parameter::PT_IMPLIED, nullptr, nullptr,
      "output so rule header to stdout for text rule on stdin" },

    { "--rule-to-text", Parameter::PT_IMPLIED, nullptr, nullptr,
      "output plain so rule header to stdout for text rule on stdin" },

    { "--run-prefix", Parameter::PT_STRING, nullptr, nullptr,
      "<pfx> prepend this to each output file" },

    // Lua scripts found here are loaded and run as part of the config
    { "--script-path", Parameter::PT_STRING, nullptr, nullptr,
      "<path> to a luajit script or directory containing luajit scripts" },

#ifdef SHELL
    { "--shell", Parameter::PT_IMPLIED, nullptr, nullptr,
      "enable the interactive command line", },
#endif

#ifdef PIGLET
    { "--piglet", Parameter::PT_IMPLIED, nullptr, nullptr,
      "enable piglet test harness mode" },
#endif

    { "--show-plugins", Parameter::PT_IMPLIED, nullptr, nullptr,
      "list module and plugin versions", },

    { "--skip", Parameter::PT_INT, "0:", nullptr,
      "<n> skip 1st n packets", },

    { "--snaplen", Parameter::PT_INT, "68:65535", "1514",
      "<snap> set snaplen of packet (same as -s)", },

    // rule text is read from stdin; the END sentinel stops the read
    { "--stdin-rules", Parameter::PT_IMPLIED, nullptr, nullptr,
      "read rules from stdin until EOF or a line starting with END is read", },

    { "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr,
      "converts drop, sdrop, and reject rules into alert rules during startup" },

    { "--treat-drop-as-ignore", Parameter::PT_IMPLIED, nullptr, nullptr,
      "use drop, sdrop, and reject rules to ignore session traffic when not inline" },

#ifdef UNIT_TEST
    { "--catch-test", Parameter::PT_STRING, nullptr, nullptr,
      "comma separated list of cat unit test tags or 'all'" },
#endif
    { "--version", Parameter::PT_IMPLIED, nullptr, nullptr,
      "show version number (same as -V)" },

    { "--warn-all", Parameter::PT_IMPLIED, nullptr, nullptr,
      "enable all warnings" },

    { "--warn-conf", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about configuration issues" },

    { "--warn-daq", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about DAQ issues, usually related to mode" },

    { "--warn-flowbits", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about flowbits that are checked but not set and vice-versa" },

    { "--warn-hosts", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about host table issues" },

    { "--warn-plugins", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about issues that prevent plugins from loading" },

    { "--warn-rules", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about duplicate rules and rule parsing issues" },

    { "--warn-scripts", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about issues discovered while processing Lua scripts" },

    { "--warn-symbols", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about unknown symbols in your Lua config" },

    { "--warn-vars", Parameter::PT_IMPLIED, nullptr, nullptr,
      "warn about variable definition and usage issues" },

    // no range: negative or > 0xFF values are accepted here and handled
    // by the unsigned conversion / char cast in x2c()
    { "--x2c", Parameter::PT_INT, nullptr, nullptr,
      "output ASCII char for given hex (see also --c2x)" },

    // diagnostic: prints and exits the process (see x2s())
    { "--x2s", Parameter::PT_STRING, nullptr, nullptr,
      "output ASCII string for given byte code (see also --x2c)" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
00503
00504 //-------------------------------------------------------------------------
00505 // module
00506 //-------------------------------------------------------------------------
00507
// module name and one-line help passed to the Module base constructor.
// the help string advertises shell commands only when they are compiled in.
#define s_name "snort"

#ifdef SHELL
#define s_help \
    "command line configuration and shell commands"
#else
#define s_help \
    "command line configuration"
#endif
00517
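// The "snort" module: owns the command line option table (s_params) and,
// in SHELL builds, the shell command table (snort_cmds).  Each command
// line option is delivered to set() by name; begin() resets the per-parse
// state.  Process-level peg counts are exported through get_pegs() /
// get_counts().
class SnortModule : public Module
{
public:
    SnortModule() : Module(s_name, s_help, s_params)
    { }

#ifdef SHELL
    // shell commands exposed to the control socket / telnet shell
    const Command* get_commands() const override
    { return snort_cmds; }
#endif

    bool begin(const char*, int, SnortConfig*) override;
    bool set(const char*, Value&, SnortConfig*) override;

    const PegInfo* get_pegs() const override
    { return proc_names; }

    // proc_stats (defined elsewhere) is handed out as a flat PegCount array
    // parallel to proc_names; this relies on its members being laid out as
    // consecutive PegCounts - presumably guaranteed where it is declared.
    PegCount* get_counts() const override
    { return (PegCount*) &proc_stats; }

    bool global_stats() const override
    { return true; }

    void sum_stats(bool) override
    { } // accumulate externally

    Usage get_usage() const override
    { return GLOBAL; }

private:
    // Number of -i options seen so far minus one: -1 before the first -i,
    // 0 for the default input spec, 1.. for additional packet threads.
    // Read by the -i and --daq-var branches of set().  Initialized here
    // as well as in begin() so set() never reads an indeterminate value
    // if it is ever invoked before begin("snort", ...).
    int instance_id = -1;
};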
00550
// Called when a table is entered.  Entering the top-level "snort" table
// restarts the -i instance counter at -1; nested tables leave it alone.
// Always reports success.
bool SnortModule::begin(const char* fqn, int, SnortConfig*)
{
    const bool top_level = ( strcmp(fqn, "snort") == 0 );

    if ( top_level )
        instance_id = -1;

    return true;
}
00557
// Apply one command line option.  v carries the option name (matched with
// v.is()) and its argument; sc is the configuration being built.  Exactly
// one branch matches per call; the chain mirrors s_params above.  The
// function always returns true, including for a name no branch matches -
// presumably the framework rejects names absent from s_params before
// calling set(), so that case should not arise; confirm.
//
// Several branches do not return at all: --c2x, --x2c and --x2s print a
// diagnostic and exit(0) (see the helpers above), and the --help-*/--list-*/
// --dump-*/--version branches hand off to help.h routines.
bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
{
    if ( v.is("-?") )
        help_options(sc, v.get_string());

    else if ( v.is("-A") )
        sc->set_alert_mode(v.get_string());

    else if ( v.is("-B") )
        sc->set_obfuscation_mask(v.get_string());

    else if ( v.is("-C") )
        sc->set_dump_chars_only(true);

    // the Lua configuration file; executed later by the parser
    else if ( v.is("-c") )
        config_conf(v.get_string());

    else if ( v.is("-D") )
        sc->set_daemon(true);

    else if ( v.is("-d") )
        sc->set_dump_payload(true);

    else if ( v.is("-e") )
        sc->set_decode_data_link(true);

    else if ( v.is("-f") )
        sc->output_flags |= OUTPUT_FLAG__LINE_BUFFER;

    // the 16-bit id (range 0:65535) occupies the upper half of event_log_id
    else if ( v.is("-G") || v.is("--logid") )
        sc->event_log_id = v.get_long() << 16;

    // group to switch to after init; applied elsewhere
    else if ( v.is("-g") )
        sc->set_gid(v.get_string());

    else if ( v.is("-H") )
        sc->run_flags |= RUN_FLAG__STATIC_HASH;

    // first -i (instance_id becomes 0) sets the default input spec; each
    // later -i is bound to the next instance number
    else if ( v.is("-i") )
    {
        instance_id++;
        if (instance_id > 0)
            sc->daq_config->set_input_spec(v.get_string(), instance_id);
        else
            sc->daq_config->set_input_spec(v.get_string());
    }

#ifdef SHELL
    // TCP shell endpoint; choosing it discards any --control-socket path
    // so only one remote-control endpoint is ever configured
    else if ( v.is("-j") )
    {
        sc->remote_control_port = v.get_long();
        sc->remote_control_socket.clear();
    }
#endif

    else if ( v.is("-k") )
        ConfigChecksumMode(v.get_string());

    else if ( v.is("-L") )
        sc->set_log_mode(v.get_string());

    else if ( v.is("-l") )
        sc->set_log_dir(v.get_string());

    else if ( v.is("-M") )
        sc->enable_syslog();

    // passed as text even though the option is PT_INT; parsing/validation
    // happens in set_umask
    else if ( v.is("-m") )
        sc->set_umask(v.get_string());

    else if ( v.is("-n") )
        sc->pkt_cnt = v.get_long();

    else if ( v.is("-O") )
        sc->set_obfuscate(true);

    else if ( v.is("-Q") )
        sc->run_flags |= RUN_FLAG__INLINE;

    else if ( v.is("-q") )
        sc->set_quiet(true);

    // spliced verbatim into an "include <path>" rule line.  NOTE(review):
    // the path is not quoted, so whitespace or newlines in it would be
    // read as rule syntax by parser_append_rules; the value is operator-
    // supplied, so this is a robustness issue rather than a trust boundary
    // - confirm how the rule parser tokenizes include paths.
    else if ( v.is("-R") )
    {
        string s = "include ";
        s += v.get_string();
        parser_append_rules(s.c_str());
    }
    // pcap sources put the process in read mode
    else if ( v.is("-r") || v.is("--pcap-list") )
    {
        Trough::add_source(Trough::SOURCE_LIST, v.get_string());
        sc->run_flags |= RUN_FLAG__READ;
    }
    else if ( v.is("-S") )
        config_set_var(sc, v.get_string());

    else if ( v.is("-s") )
        sc->daq_config->set_mru_size(v.get_long());

    else if ( v.is("-T") )
        sc->run_flags |= RUN_FLAG__TEST;

    // chroot target; the chroot itself happens after init, elsewhere
    else if ( v.is("-t") )
        sc->set_chroot_dir(v.get_string());

    else if ( v.is("-U") )
        sc->set_utc(true);

    // user to switch to after init; applied elsewhere
    else if ( v.is("-u") )
        sc->set_uid(v.get_string());

    else if ( v.is("-V") )
        help_version(sc);

    else if ( v.is("-v") )
        sc->set_verbose(true);

    else if ( v.is("-W") )
        list_interfaces(sc);

    else if ( v.is("-X") )
        sc->set_dump_payload_verbose(true);

    else if ( v.is("-x") || v.is("--pedantic") )
        sc->run_flags |= RUN_FLAG__CONF_ERROR_OUT;

    else if ( v.is("-y") )
        sc->set_show_year(true);

    else if ( v.is("-z") || v.is("--max-packet-threads") )
        ThreadConfig::set_instance_max(v.get_long());

    else if ( v.is("--alert-before-pass") )
        sc->set_alert_before_pass(true);

    // stored as-is; compiled by the DAQ/pcap layer later
    else if ( v.is("--bpf") )
        sc->bpf_filter = v.get_string();

    // does not return
    else if ( v.is("--c2x") )
        c2x(v.get_string());

#ifdef SHELL
    // unix-socket shell endpoint; choosing it clears any -j port (see -j)
    else if ( v.is("--control-socket") )
    {
        sc->remote_control_socket = v.get_string();
        sc->remote_control_port = 0;
    }
#endif

    else if ( v.is("--create-pidfile") )
        sc->set_create_pid_file(true);

    else if ( v.is("--daq") )
        sc->daq_config->set_module_name(v.get_string());

    // directory searched for DAQ shared objects
    else if ( v.is("--daq-dir") )
        sc->daq_config->add_module_dir(v.get_string());

    else if ( v.is("--daq-list") )
        list_daqs(sc);

    // before any -i the variable is global; afterwards it is scoped to the
    // current instance_id.  NOTE(review): right after the first -i that is
    // instance 0, whereas the -i branch treats 0 as the default (unindexed)
    // spec - confirm set_variable(s, 0) is equivalent to the default case.
    else if ( v.is("--daq-var") )
    {
        if (instance_id < 0)
            sc->daq_config->set_variable(v.get_string());
        else
            sc->daq_config->set_variable(v.get_string(), instance_id);
    }

    else if ( v.is("--dirty-pig") )
        sc->set_dirty_pig(true);

    else if ( v.is("--dump-builtin-rules") )
        dump_builtin_rules(sc, v.get_string());

    else if ( v.is("--dump-dynamic-rules") )
        dump_dynamic_rules(sc, v.get_string());

    else if ( v.is("--dump-defaults") )
        dump_defaults(sc, v.get_string());

    else if ( v.is("--dump-version") )
        dump_version(sc);

    else if ( v.is("--enable-inline-test") )
        sc->run_flags |= RUN_FLAG__INLINE_TEST;

    else if ( v.is("--gen-msg-map") )
        dump_msg_map(sc, v.get_string());

    else if ( v.is("--help") )
        help_basic(sc, v.get_string());

    else if ( v.is("--help-commands") )
        help_commands(sc, v.get_string());

    else if ( v.is("--help-config") )
        help_config(sc, v.get_string());

    else if ( v.is("--help-counts") )
        help_counts(sc, v.get_string());

    else if ( v.is("--help-module") )
        help_module(sc, v.get_string());

    else if ( v.is("--help-modules") )
        help_modules(sc, v.get_string());

    else if ( v.is("--help-options") )
        help_options(sc, v.get_string());

    else if ( v.is("--help-plugins") )
        help_plugins(sc, v.get_string());

    else if ( v.is("--help-signals") )
        help_signals(sc, v.get_string());

    else if ( v.is("--id-offset") )
        sc->id_offset = v.get_long();

    else if ( v.is("--id-subdir") )
        sc->id_subdir = true;

    else if ( v.is("--id-zero") )
        sc->id_zero = true;

    else if ( v.is("--list-buffers") )
        help_buffers(sc, v.get_string());

    else if ( v.is("--list-builtin") )
        help_builtin(sc, v.get_string());

    else if ( v.is("--list-gids") )
        help_gids(sc, v.get_string());

    else if ( v.is("--list-modules") )
        list_modules(sc, v.get_string());

    else if ( v.is("--list-plugins") )
        list_plugins(sc, v.get_string());

    // the chunk is Lua source run against the default policy's shell;
    // it is code, with the same power as the -c file
    else if ( v.is("--lua") )
        sc->policy_map->get_shell()->set_overrides(v.get_string());

    else if ( v.is("--markup") )
        config_markup(sc, v.get_string());

    else if ( v.is("--mem-check") )
        sc->run_flags |= (RUN_FLAG__TEST | RUN_FLAG__MEM_CHECK);

    else if ( v.is("--nostamps") )
        sc->set_no_logging_timestamps(true);

    else if ( v.is("--nolock-pidfile") )
        sc->run_flags |= RUN_FLAG__NO_LOCK_PID_FILE;

    else if ( v.is("--pause") )
        sc->run_flags |= RUN_FLAG__PAUSE;

    else if ( v.is("--pcap-file") )
    {
        Trough::add_source(Trough::SOURCE_FILE_LIST, v.get_string());
        sc->run_flags |= RUN_FLAG__READ;
    }
    else if ( v.is("--pcap-dir") )
    {
        Trough::add_source(Trough::SOURCE_DIR, v.get_string());
        sc->run_flags |= RUN_FLAG__READ;
    }
    else if ( v.is("--pcap-filter") )
        Trough::set_filter(v.get_string());

    else if ( v.is("--pcap-loop") )
        Trough::set_loop_count(v.get_long());

    else if ( v.is("--pcap-no-filter") )
        Trough::set_filter(nullptr);

    else if ( v.is("--pcap-reload") )
        sc->run_flags |= RUN_FLAG__PCAP_RELOAD;

    else if ( v.is("--pcap-show") )
        sc->run_flags |= RUN_FLAG__PCAP_SHOW;

    // directory searched for plugin shared objects
    else if ( v.is("--plugin-path") )
        sc->set_plugin_path(v.get_string());

    else if ( v.is("--process-all-events") )
        sc->set_process_all_events(true);

    // raw rule text, appended as given
    else if ( v.is("--rule") )
        parser_append_rules(v.get_string());

    else if ( v.is("--rule-to-hex") )
        dump_rule_hex(sc, v.get_string());

    else if ( v.is("--rule-to-text") )
        dump_rule_text(sc, v.get_string());

    else if ( v.is("--run-prefix") )
        sc->run_prefix = v.get_string();

    // Lua script or script directory added to the config search path
    else if ( v.is("--script-path") )
        sc->add_script_path(v.get_string());

#ifdef SHELL
    else if ( v.is("--shell") )
        sc->run_flags |= RUN_FLAG__SHELL;
#endif

#ifdef PIGLET
    else if ( v.is("--piglet") )
        sc->run_flags |= RUN_FLAG__PIGLET;
#endif

    else if ( v.is("--show-plugins") )
        sc->logging_flags |= LOGGING_FLAG__SHOW_PLUGINS;

    else if ( v.is("--skip") )
        sc->pkt_skip = v.get_long();

    else if ( v.is("--snaplen") )
        sc->daq_config->set_mru_size(v.get_long());

    else if ( v.is("--stdin-rules") )
        sc->stdin_rules = true;

    else if ( v.is("--treat-drop-as-alert") )
        sc->set_treat_drop_as_alert(true);

    else if ( v.is("--treat-drop-as-ignore") )
        sc->set_treat_drop_as_ignore(true);

#ifdef UNIT_TEST
    else if ( v.is("--catch-test") )
        catch_set_filter(v.get_string());
#endif
    else if ( v.is("--version") )
        help_version(sc);

    // assignment, not OR: this replaces (and supersedes) any --warn-*
    // bits set by earlier options
    else if ( v.is("--warn-all") )
        sc->warning_flags = 0xFFFFFFFF;

    else if ( v.is("--warn-conf") )
        sc->warning_flags |= (1 << WARN_CONF);

    else if ( v.is("--warn-daq") )
        sc->warning_flags |= (1 << WARN_DAQ);

    else if ( v.is("--warn-flowbits") )
        sc->warning_flags |= (1 << WARN_FLOWBITS);

    else if ( v.is("--warn-hosts") )
        sc->warning_flags |= (1 << WARN_HOSTS);

    else if ( v.is("--warn-plugins") )
        sc->warning_flags |= (1 << WARN_PLUGINS);

    else if ( v.is("--warn-rules") )
        sc->warning_flags |= (1 << WARN_RULES);

    else if ( v.is("--warn-scripts") )
        sc->warning_flags |= (1 << WARN_SCRIPTS);

    else if ( v.is("--warn-symbols") )
        sc->warning_flags |= (1 << WARN_SYMBOLS);

    else if ( v.is("--warn-vars") )
        sc->warning_flags |= (1 << WARN_VARS);

    // does not return.  --x2c has no range, so a negative long wraps when
    // converted to x2c's unsigned parameter; x2c keeps only the low byte
    else if ( v.is("--x2c") )
        x2c(v.get_long());

    // does not return
    else if ( v.is("--x2s") )
        x2s(v.get_string());

    return true;
}
00936
00937 //-------------------------------------------------------------------------
00938 // singleton
00939 //-------------------------------------------------------------------------
00940
// the process-wide SnortModule instance, created on first use by
// get_snort_module(); no delete is visible in this file
static SnortModule* snort_module = nullptr;
00942
// Return the process-wide SnortModule, constructing it on the first call.
// The pointer is returned as the Module base type.  The check-then-create
// is not synchronized - presumably only ever reached from the main thread
// during startup; confirm before calling it from elsewhere.
Module* get_snort_module()
{
    if ( snort_module == nullptr )
        snort_module = new SnortModule;

    return snort_module;
}
00950
END OF CODE