[PATCH 2/5] ids-functions.pl: Rework function write_modify_sids_file().

Stefan Schantl stefan.schantl at ipfire.org
Wed Jun 5 19:56:33 BST 2019


Implement the logic to determine the used ruleset and whether IDS or
IPS mode should be used directly in the function, instead of passing
those details as arguments.

This avoids repeating that logic in several places.

Signed-off-by: Stefan Schantl <stefan.schantl at ipfire.org>
---
 config/cfgroot/ids-functions.pl | 15 +++++++++++----
 html/cgi-bin/ids.cgi            | 30 ++----------------------------
 2 files changed, 13 insertions(+), 32 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index e1caa6e58..94de1373c 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -729,8 +729,15 @@ sub write_used_rulefiles_file(@) {
 #
 ## Function to generate and write the file for modify the ruleset.
 #
-sub write_modify_sids_file($$) {
-	my ($ruleaction,$rulefile) = @_;
+sub write_modify_sids_file() {
+	# Get configured settings.
+	my %idssettings=();
+	my %rulessettings=();
+	&General::readhash("$ids_settings_file", \%idssettings);
+	&General::readhash("$rules_settings_file", \%rulessettings);
+
+	# Gather the configured ruleset.
+	my $ruleset = $rulessettings{'RULES'};
 
 	# Open modify sid's file for writing.
 	open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
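Review bot: `$ruleset` at the new line `my $ruleset = $rulessettings{'RULES'};` is left undefined when the rules settings file has no `RULES` entry, and the later `$ruleset eq 'registered' or ...` comparison in the third hunk then silently falls through to the non-metadata branch (with uninitialized-value warnings if warnings are enabled); consider `my $ruleset = $rulessettings{'RULES'} // '';` or an explicit `die "No ruleset configured in $rules_settings_file\n";` so a missing ruleset selection is reported rather than guessed. Whether `General::readhash` itself dies on an unreadable file is not visible here, so the two reads at the top of the function may also deserve an explicit check. The `()` prototype on the new signature only takes effect for callers that omit the `&` sigil; the callers in ids.cgi use `&IDS::write_modify_sids_file()`, so it provides no argument checking there. The body of write_modify_sids_file continues past the hunk.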
@@ -739,7 +746,7 @@ sub write_modify_sids_file($$) {
 	print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
 
 	# Check if the traffic only should be monitored.
-	unless($ruleaction eq "alert") {
+	unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
 		# Suricata is in IPS mode, which means that the rule actions have to be changed
 		# from 'alert' to 'drop', however not all rules should be changed.  Some rules
 		# exist purely to set a flowbit which is used to convey other information, such
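Review bot: The new `unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on')` test selects IPS mode (rule actions rewritten to drop) whenever the key is missing, empty, or anything other than `on`; that matches the old caller-side default of `drop`, but the decision is now implicit inside this function and deserves a comment such as `# Anything other than 'on' (including a missing key) selects IPS mode, so an incomplete settings file ends up with 'drop'.` If warnings are enabled, an absent key also triggers an uninitialized-value warning on this line; `unless(($idssettings{'MONITOR_TRAFFIC_ONLY'} // '') eq 'on')` avoids it without changing the outcome. The enclosing function starts and ends outside this hunk.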
@@ -747,7 +754,7 @@ sub write_modify_sids_file($$) {
 		# malware in that file.  Rules which fall into the first category should stay as
 		# alert since not all flows of that type contain malware.
 
-		if($rulefile eq 'registered' or $rulefile eq 'subscripted' or $rulefile eq 'community') {
+		if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') {
 			# These types of rulesfiles contain meta-data which gives the action that should
 			# be used when in IPS mode.  Do the following:
 			#
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 1791e9beb..74f5ca223 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -370,21 +370,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 				# a new ruleset.
 				&working_notice("$Lang::tr{'ids working'}");
 
-				&General::readhash("$IDS::ids_settings_file", \%idssettings);
-
-				# Temporary variable to set the ruleaction.
-				# Default is "drop" to use suricata as IPS.
-				my $ruleaction="drop";
-
-				# Check if the traffic only should be monitored.
-				if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
-					# Switch the ruleaction to "alert".
-					# Suricata acts as an IDS only.
-					$ruleaction="alert";
-				}
-
 				# Write the modify sid's file and pass the taken ruleaction.
-				&IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'});
+				&IDS::write_modify_sids_file();
 
 				# Call subfunction to download the ruleset.
 				if(&IDS::downloadruleset()) {
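Review bot: The context comment `# Write the modify sid's file and pass the taken ruleaction.` directly above the new call is now wrong on the new side: nothing is passed any more, the function derives both the mode and the ruleset from the settings files itself. Change it to `# Write the modify sid's file; mode and ruleset are read from the settings files.` The same stale comment remains above the call in the second hunk of this file. The enclosing `if ($cgiparams{'RULESET'} eq $Lang::tr{'save'})` block starts and ends outside the hunk.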
@@ -614,21 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 	# Generate file to store the home net.
 	&IDS::generate_home_net_file();
 
-	# Temporary variable to set the ruleaction.
-	# Default is "drop" to use suricata as IPS.
-	my $ruleaction="drop";
-
-	# Check if the traffic only should be monitored.
-	if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
-		# Switch the ruleaction to "alert".
-		# Suricata acts as an IDS only.
-		$ruleaction="alert";
-	}
-
-	&General::readhash("$IDS::rules_settings_file", \%rulessettings);
-
 	# Write the modify sid's file and pass the taken ruleaction.
-	&IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'});
+	&IDS::write_modify_sids_file();
 
 	# Check if "MONITOR_TRAFFIC_ONLY" has been changed.
 	if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
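Review bot: The removed code selected the mode from `$cgiparams{'MONITOR_TRAFFIC_ONLY'}`, i.e. the value just submitted, whereas `&IDS::write_modify_sids_file()` now reads the IDS and rules settings files from disk; the result is only equivalent if both files have already been rewritten with the new values before this line, which the hunk does not show (the comparison against `%oldidssettings` on the last line suggests the old values were copied aside earlier, but not where the write happens). If the write happens later in this handler, the modify-sids file is generated from the previous settings and a switch between IDS and IPS mode only takes effect on the next save. The same ordering dependency applies to the first hunk of this file, where the submitted `$cgiparams{'RULES'}` used to be passed directly. A short comment above the call, `# Requires the IDS and rules settings files to be written already.`, would document the assumption.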
-- 
2.20.1


