From patchwork Thu Jun 6 04:56:33 2019
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 2285
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 2/5] ids-functions.pl: Rework function write_modify_sids_file().
Date: Wed, 5 Jun 2019 20:56:33 +0200
Message-Id: <20190605185636.9952-2-stefan.schantl@ipfire.org>
In-Reply-To: <20190605185636.9952-1-stefan.schantl@ipfire.org>
References: <20190605185636.9952-1-stefan.schantl@ipfire.org>
List-Id: IPFire development talk

Directly implement the logic to determine the used ruleset and if IDS or IPS mode should be used into the function instead of passing those details as arguments.

This helps to prevent doing this stuff at several places again and again.

Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 15 +++++++++++----
 html/cgi-bin/ids.cgi | 30 ++----------------------------
 2 files changed, 13 insertions(+), 32 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index e1caa6e58..94de1373c 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -729,8 +729,15 @@ sub write_used_rulefiles_file(@) { # ## Function to generate and write the file for modify the ruleset. # -sub write_modify_sids_file($$) { - my ($ruleaction,$rulefile) = @_; +sub write_modify_sids_file() { + # Get configured settings. + my %idssettings=(); + my %rulessettings=(); + &General::readhash("$ids_settings_file", \%idssettings); + &General::readhash("$rules_settings_file", \%rulessettings); + + # Gather the configured ruleset. + my $ruleset = $rulessettings{'RULES'}; # Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; @@ -739,7 +746,7 @@ sub write_modify_sids_file($$) { print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; # Check if the traffic only should be monitored. - unless($ruleaction eq "alert") { + unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { # Suricata is in IPS mode, which means that the rule actions have to be changed # from 'alert' to 'drop', however not all rules should be changed. Some rules # exist purely to set a flowbit which is used to convey other information, such @@ -747,7 +754,7 @@ sub write_modify_sids_file($$) { # malware in that file. Rules which fall into the first category should stay as # alert since not all flows of that type contain malware. - if($rulefile eq 'registered' or $rulefile eq 'subscripted' or $rulefile eq 'community') { + if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') { # These types of rulesfiles contain meta-data which gives the action that should # be used when in IPS mode. Do the following: # diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1791e9beb..74f5ca223 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -370,21 +370,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # a new ruleset. &working_notice("$Lang::tr{'ids working'}"); - &General::readhash("$IDS::ids_settings_file", \%idssettings); - - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'}); + &IDS::write_modify_sids_file(); # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { @@ -614,21 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file(); - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - - &General::readhash("$IDS::rules_settings_file", \%rulessettings); - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'}); + &IDS::write_modify_sids_file(); # Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
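Review bot: in the ids-functions.pl hunk `@@ -729,8 +729,15 @@`, `my $ruleset = $rulessettings{'RULES'};` takes the value with no check that `&General::readhash` found `$rules_settings_file` or that the `RULES` key is set. On a box where either is missing, `$ruleset` is undef, the later `eq 'registered'` comparisons emit "uninitialized value" warnings and the function silently takes the non-metadata branch, so the generated modify-sids file describes a ruleset that was never selected. Suggest defaulting the value (`my $ruleset = $rulessettings{'RULES'} || '';`) or dying with a clear message when it is unset, matching the `or die` already used for the file open a few lines below.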
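Review bot: in the ids-functions.pl hunk `@@ -739,7 +746,7 @@`, the IDS/IPS decision now comes from `$idssettings{'MONITOR_TRAFFIC_ONLY'}` as read from `$ids_settings_file`, whereas the second call site in ids.cgi previously decided on `$cgiparams{'MONITOR_TRAFFIC_ONLY'}`, i.e. the value the user just submitted. The two are only equivalent if the settings file has already been rewritten with the new form value when `write_modify_sids_file()` runs; if it is written afterwards, toggling between IDS and IPS mode produces a modify-sids file for the previous mode and Suricata keeps the old rule actions until the next save. Please confirm the ordering in ids.cgi, or note in the function comment that the settings must be saved before it is called.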
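Review bot: in the ids-functions.pl hunk `@@ -747,7 +754,7 @@`, the same ordering question applies to the ruleset: the first ids.cgi call site used to pass `$cgiparams{'RULES'}`, but the comparison `if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community')` now uses the `RULES` value loaded from `$rules_settings_file`. If the rules settings are persisted only after this call, switching providers applies the previous ruleset's action handling to the freshly downloaded rules. Worth verifying the write order or reading the value back from the file only after it has been saved.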
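Review bot: in the ids.cgi hunk `@@ -370,21 +370,8 @@`, the removed line `&General::readhash("$IDS::ids_settings_file", \%idssettings);` loaded `%idssettings`, which is not declared with `my` in this hunk and so lives at a wider scope. If anything later in this save branch still reads `%idssettings`, it now sees whatever was loaded earlier, or nothing. Please check the remaining uses in the branch before dropping the readhash, and keep the line if any are found.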
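Review bot: in the ids.cgi hunk `@@ -614,21 +601,8 @@`, the removed `&General::readhash("$IDS::rules_settings_file", \%rulessettings);` has the same scope concern as above: `%rulessettings` is declared elsewhere, so any later use in this branch now depends on an earlier load. The trailing context still compares `$cgiparams{'MONITOR_TRAFFIC_ONLY'}` against `$oldidssettings{'MONITOR_TRAFFIC_ONLY'}`, and the existence of `%oldidssettings` suggests the new settings have already been written by this point, which would make the file-based read inside `write_modify_sids_file()` correct for this call site; a short comment stating that assumption next to the call would make the dependency explicit for the next person touching this block.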