Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/cfgroot/ids-functions.pl | 68 ++++++++++++++++----------------- 1 file changed, 33 insertions(+), 35 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 94dccc8ae..d8ce5d0a0 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -90,7 +90,7 @@ our $sid_msg_file = "$rulespath/sid-msg.map"; our $local_rules_file = "$rulespath/local.rules";

# File which contains the rules to whitelist addresses on suricata. -our $whitelist_file = "$rulespath/whitelist.rules"; +our $whitelist_file = "$settingsdir/whitelist.conf";

# File which contains a list of all supported ruleset sources. # (Sourcefire, Emergingthreads, etc..) @@ -125,7 +125,7 @@ my @cron_intervals = ('off', 'daily', 'weekly' ); my @http_ports = ('80', '81');

# Array which contains a list of rulefiles which always will be included if they exist. -my @static_included_rulefiles = ('local.rules', 'whitelist.rules'); +my @static_included_rulefiles = ('local.rules');

# Array which contains a list of allways enabled application layer protocols. my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream'); @@ -1199,9 +1199,6 @@ sub _cleanup_rulesdir() { # We only want files. next unless (-f "$rulespath/$file");

- # Skip rules file for whitelisted hosts. - next if ("$rulespath/$file" eq $whitelist_file); - # Skip rules file with local rules. next if ("$rulespath/$file" eq $local_rules_file);

@@ -1707,46 +1704,47 @@ sub get_suricata_enabled_app_layer_protos() { # sub generate_ignore_file() { my %ignored = (); + my @ignored_addresses = ();

- # SID range 1000000-1999999 Reserved for Local Use - # Put your custom rules in this range to avoid conflicts - my $sid = 1500000; + # Name of the ipset. + my $list = "IPSWHITELIST";

# Read-in ignoredfile. &General::readhasharray($IDS::ignored_file, %ignored);

- # Open ignorefile for writing. - open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; + # Loop through the entire hash and add the enabled addresses to + # the array of ignored addresses.. + while ( (my $key) = each %ignored) { + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the status of the entry is "enabled". + if ($status eq "enabled") { + # Check if the address/network is valid. + if ((&General::validip($address)) || (&General::validipandmask($address))) { + # Add the address to the array of ignored addresses. + push(@ignored_addresses, $address); + } + } + }

- # Config file header. - print FILE "# Autogenerated file.\n"; - print FILE "# All user modifications will be overwritten.\n\n"; + # Open the the whitelist file for writing. + open(FILE, ">", "$whitelist_file") or die "Could not write to $whitelist_file. $!\n";

- # Add all user defined addresses to the whitelist. - # - # Check if the hash contains any elements. - if (keys (%ignored)) { - # Loop through the entire hash and write the host/network - # and remark to the ignore file. - while ( (my $key) = each %ignored) { - my $address = $ignored{$key}[0]; - my $remark = $ignored{$key}[1]; - my $status = $ignored{$key}[2]; - - # Check if the status of the entry is "enabled". - if ($status eq "enabled") { - # Check if the address/network is valid. - if ((&General::validip($address)) || (&General::validipandmask($address))) { - # Write rule line to the file to pass any traffic from this IP - print FILE "pass ip $address any -> any any (msg:"pass all traffic from/to $address"; bypass; sid:$sid;)\n"; - - # Increment sid. - $sid++; - } - } + # Check if the array of ignored addresses contains any elements. + if(@ignored_addresses) { + # Write file header. + print FILE "create $list hash:net family inet -exist\n"; + print FILE "flush $list\n"; + + # Loop through the array of ignored addresses. + foreach my $address (@ignored_addresses) { + print FILE "add $list $address\n"; } }

+ # Close filehandle. close(FILE); }