From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/3] ids-functions.pl: Generate ipset based whitelist.
Date: Wed, 06 Apr 2022 21:12:43 +0200 [thread overview]
Message-ID: <20220406191245.4218-1-stefan.schantl@ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 4312 bytes --]
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/cfgroot/ids-functions.pl | 68 ++++++++++++++++-----------------
1 file changed, 33 insertions(+), 35 deletions(-)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 94dccc8ae..d8ce5d0a0 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -90,7 +90,7 @@ our $sid_msg_file = "$rulespath/sid-msg.map";
our $local_rules_file = "$rulespath/local.rules";
# File which contains the rules to whitelist addresses on suricata.
-our $whitelist_file = "$rulespath/whitelist.rules";
+our $whitelist_file = "$settingsdir/whitelist.conf";
# File which contains a list of all supported ruleset sources.
# (Sourcefire, Emergingthreads, etc..)
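Review bot: The comment directly above the changed line still says "File which contains the rules to whitelist addresses on suricata", but after this hunk `$whitelist_file` points at `$settingsdir/whitelist.conf`, which the new `generate_ignore_file()` fills with `ipset` `create`/`flush`/`add` commands rather than suricata rules. I would update it to `# File which contains the ipset restore commands (set IPSWHITELIST) to whitelist addresses on suricata.` so the next reader does not expect rule syntax there. Whether anything else still references the old `whitelist.rules` path is outside this hunk.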
@@ -125,7 +125,7 @@ my @cron_intervals = ('off', 'daily', 'weekly' );
my @http_ports = ('80', '81');
# Array which contains a list of rulefiles which always will be included if they exist.
-my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
+my @static_included_rulefiles = ('local.rules');
# Array which contains a list of allways enabled application layer protocols.
my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');
@@ -1199,9 +1199,6 @@ sub _cleanup_rulesdir() {
# We only want files.
next unless (-f "$rulespath/$file");
- # Skip rules file for whitelisted hosts.
- next if ("$rulespath/$file" eq $whitelist_file);
-
# Skip rules file with local rules.
next if ("$rulespath/$file" eq $local_rules_file);
@@ -1707,46 +1704,47 @@ sub get_suricata_enabled_app_layer_protos() {
#
sub generate_ignore_file() {
my %ignored = ();
+ my @ignored_addresses = ();
- # SID range 1000000-1999999 Reserved for Local Use
- # Put your custom rules in this range to avoid conflicts
- my $sid = 1500000;
+ # Name of the ipset.
+ my $list = "IPSWHITELIST";
# Read-in ignoredfile.
&General::readhasharray($IDS::ignored_file, \%ignored);
- # Open ignorefile for writing.
- open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n";
+ # Loop through the entire hash and add the enabled addresses to
+ # the array of ignored addresses..
+ while ( (my $key) = each %ignored) {
+ my $address = $ignored{$key}[0];
+ my $remark = $ignored{$key}[1];
+ my $status = $ignored{$key}[2];
+
+ # Check if the status of the entry is "enabled".
+ if ($status eq "enabled") {
+ # Check if the address/network is valid.
+ if ((&General::validip($address)) || (&General::validipandmask($address))) {
+ # Add the address to the array of ignored addresses.
+ push(@ignored_addresses, $address);
+ }
+ }
+ }
- # Config file header.
- print FILE "# Autogenerated file.\n";
- print FILE "# All user modifications will be overwritten.\n\n";
+ # Open the the whitelist file for writing.
+ open(FILE, ">", "$whitelist_file") or die "Could not write to $whitelist_file. $!\n";
- # Add all user defined addresses to the whitelist.
- #
- # Check if the hash contains any elements.
- if (keys (%ignored)) {
- # Loop through the entire hash and write the host/network
- # and remark to the ignore file.
- while ( (my $key) = each %ignored) {
- my $address = $ignored{$key}[0];
- my $remark = $ignored{$key}[1];
- my $status = $ignored{$key}[2];
-
- # Check if the status of the entry is "enabled".
- if ($status eq "enabled") {
- # Check if the address/network is valid.
- if ((&General::validip($address)) || (&General::validipandmask($address))) {
- # Write rule line to the file to pass any traffic from this IP
- print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; bypass; sid:$sid\;)\n";
-
- # Increment sid.
- $sid++;
- }
- }
+ # Check if the array of ignored addresses contains any elements.
+ if(@ignored_addresses) {
+ # Write file header.
+ print FILE "create $list hash:net family inet -exist\n";
+ print FILE "flush $list\n";
+
+ # Loop through the array of ignored addresses.
+ foreach my $address (@ignored_addresses) {
+ print FILE "add $list $address\n";
}
}
+ # Close filehandle.
close(FILE);
}
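Review bot: The `create $list hash:net family inet -exist` and `flush $list` lines are only written when `@ignored_addresses` is non-empty, so if the user disables or deletes the last whitelist entry the file is truncated to nothing and a subsequent `ipset restore` leaves whatever was previously loaded into IPSWHITELIST in place, i.e. those hosts keep bypassing the IPS. I would move the two `print FILE "create ..."` / `print FILE "flush $list\n";` lines above the `if(@ignored_addresses)` check so the set is always (re)created and emptied, and let the loop only run when there is something to add. Note also that `flush` followed by individual `add` lines in one restore is not atomic, so there is presumably a brief window where the whitelist is empty; if that matters, building a temporary set and using `swap` would avoid it. Minor: the write handle is closed without a check, `close(FILE) or die "Could not close $whitelist_file. $!\n";` would surface a failed buffered write, and `$remark` is read but never used.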
--
2.30.2