From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/5] ids-functions.pl: Rework function write_modify_sids_file().
Date: Wed, 05 Jun 2019 20:56:33 +0200 [thread overview]
Message-ID: <20190605185636.9952-2-stefan.schantl@ipfire.org> (raw)
In-Reply-To: <20190605185636.9952-1-stefan.schantl@ipfire.org>
Directly implement the logic to determine the used ruleset and whether
IDS or IPS mode should be used into the function instead of passing those
details as arguments.
This helps to prevent doing this stuff at several places again and again.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/cfgroot/ids-functions.pl | 15 +++++++++++----
html/cgi-bin/ids.cgi | 30 ++----------------------------
2 files changed, 13 insertions(+), 32 deletions(-)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index e1caa6e58..94de1373c 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -729,8 +729,15 @@ sub write_used_rulefiles_file(@) {
#
## Function to generate and write the file for modify the ruleset.
#
-sub write_modify_sids_file($$) {
- my ($ruleaction,$rulefile) = @_;
+sub write_modify_sids_file() {
+ # Get configured settings.
+ my %idssettings=();
+ my %rulessettings=();
+ &General::readhash("$ids_settings_file", \%idssettings);
+ &General::readhash("$rules_settings_file", \%rulessettings);
+
+ # Gather the configured ruleset.
+ my $ruleset = $rulessettings{'RULES'};
# Open modify sid's file for writing.
open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
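Review bot: the return value of the two `&General::readhash` calls is not checked, so if `$ids_settings_file` or `$rules_settings_file` is missing or unreadable the function continues with empty hashes, `$ruleset` is undef, and the later `eq` comparisons warn and fall through to the non-vendor branch. Consider failing early here, e.g. `die "Could not read $rules_settings_file\n" unless defined $ruleset;`, since the file is opened for writing right after. Note also that the new `()` prototype is not enforced for callers that use the `&` sigil (as both call sites in ids.cgi do), so any caller that still passes `($ruleaction, $rulefile)` keeps compiling and the arguments are silently ignored rather than flagged.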
@@ -739,7 +746,7 @@ sub write_modify_sids_file($$) {
print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
# Check if the traffic only should be monitored.
- unless($ruleaction eq "alert") {
+ unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
# Suricata is in IPS mode, which means that the rule actions have to be changed
# from 'alert' to 'drop', however not all rules should be changed. Some rules
# exist purely to set a flowbit which is used to convey other information, such
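Review bot: with `unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on')` the function defaults to IPS (drop) whenever the key is absent, which matches the old `my $ruleaction="drop";` default in ids.cgi, but it now also applies when the settings file could not be read at all. If that is intended, say so in the comment above the check; otherwise treat an unreadable settings file as an error rather than silently switching rule actions to drop.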
@@ -747,7 +754,7 @@ sub write_modify_sids_file($$) {
# malware in that file. Rules which fall into the first category should stay as
# alert since not all flows of that type contain malware.
- if($rulefile eq 'registered' or $rulefile eq 'subscripted' or $rulefile eq 'community') {
+ if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') {
# These types of rulesfiles contain meta-data which gives the action that should
# be used when in IPS mode. Do the following:
#
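Review bot: the three-way `or` chain on `$ruleset` repeats the same pattern the old code had on `$rulefile`; a lookup such as `if (grep { $_ eq $ruleset } qw(registered subscripted community)) {` keeps the list of vendor rulesets in one place and is easier to extend. The comment below still speaks of "these types of rulesfiles" although the variable is now the configured ruleset; worth aligning the wording.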
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 1791e9beb..74f5ca223 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -370,21 +370,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
# a new ruleset.
&working_notice("$Lang::tr{'ids working'}");
- &General::readhash("$IDS::ids_settings_file", \%idssettings);
-
- # Temporary variable to set the ruleaction.
- # Default is "drop" to use suricata as IPS.
- my $ruleaction="drop";
-
- # Check if the traffic only should be monitored.
- if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Switch the ruleaction to "alert".
- # Suricata acts as an IDS only.
- $ruleaction="alert";
- }
-
# Write the modify sid's file and pass the taken ruleaction.
- &IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'});
+ &IDS::write_modify_sids_file();
# Call subfunction to download the ruleset.
if(&IDS::downloadruleset()) {
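Review bot: the old call passed the submitted form value `$cgiparams{'RULES'}`, whereas `write_modify_sids_file()` now reads `RULES` from `$rules_settings_file` on disk. Please confirm that the rules settings file has already been written with the new value before this call, otherwise the modify-sids file is generated for the previously saved ruleset. The removed `&General::readhash("$IDS::ids_settings_file", \%idssettings);` also means `%idssettings` is no longer populated in this block; check that nothing after this point still relies on it. Finally, the comment `# Write the modify sid's file and pass the taken ruleaction.` is now stale since no ruleaction is passed.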
@@ -614,21 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
# Generate file to store the home net.
&IDS::generate_home_net_file();
- # Temporary variable to set the ruleaction.
- # Default is "drop" to use suricata as IPS.
- my $ruleaction="drop";
-
- # Check if the traffic only should be monitored.
- if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Switch the ruleaction to "alert".
- # Suricata acts as an IDS only.
- $ruleaction="alert";
- }
-
- &General::readhash("$IDS::rules_settings_file", \%rulessettings);
-
# Write the modify sid's file and pass the taken ruleaction.
- &IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'});
+ &IDS::write_modify_sids_file();
# Check if "MONITOR_TRAFFIC_ONLY" has been changed.
if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
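Review bot: this call site previously derived the ruleaction from the submitted `$cgiparams{'MONITOR_TRAFFIC_ONLY'}`, but the function now reads `MONITOR_TRAFFIC_ONLY` from `$ids_settings_file`. The comparison against `$oldidssettings` on the last context line shows the value is being changed in this request, so `write_modify_sids_file()` must run after the new ids settings have been written to disk; otherwise the generated file reflects the old IDS/IPS choice. The same applies to the removed `&General::readhash("$IDS::rules_settings_file", \%rulessettings);` if `%rulessettings` is used later in this block. The comment `# Write the modify sid's file and pass the taken ruleaction.` should be updated as well.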
--
2.20.1