[1/3] ids-functions.pl: Generate ipset based whitelist.

Message ID 20220406191245.4218-1-stefan.schantl@ipfire.org
State Superseded

Commit Message

Stefan Schantl April 6, 2022, 7:12 p.m. UTC
  Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/cfgroot/ids-functions.pl | 68 ++++++++++++++++-----------------
 1 file changed, 33 insertions(+), 35 deletions(-)
  

Patch

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 94dccc8ae..d8ce5d0a0 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -90,7 +90,7 @@  our $sid_msg_file = "$rulespath/sid-msg.map";
 our $local_rules_file = "$rulespath/local.rules";
 
 # File which contains the rules to whitelist addresses on suricata.
-our $whitelist_file = "$rulespath/whitelist.rules";
+our $whitelist_file = "$settingsdir/whitelist.conf";
 
 # File which contains a list of all supported ruleset sources.
 # (Sourcefire, Emergingthreads, etc..)
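Review bot: The comment directly above the changed assignment still says the file "contains the rules to whitelist addresses on suricata", but the new path `$settingsdir/whitelist.conf` is filled by generate_ignore_file with ipset restore commands rather than suricata rules, so the description is now misleading. Suggest `# File which contains the ipset restore commands (create/flush/add) for whitelisted addresses.` It is not visible in this hunk whether `$settingsdir` is declared before this line; it needs to be, as `$rulespath` presumably already is.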
@@ -125,7 +125,7 @@  my @cron_intervals = ('off', 'daily', 'weekly' );
 my @http_ports = ('80', '81');
 
 # Array which contains a list of rulefiles which always will be included if they exist.
-my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
+my @static_included_rulefiles = ('local.rules');
 
 # Array which contains a list of allways enabled application layer protocols.
 my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');
@@ -1199,9 +1199,6 @@  sub _cleanup_rulesdir() {
 		# We only want files.
 		next unless (-f "$rulespath/$file");
 
-		# Skip rules file for whitelisted hosts.
-		next if ("$rulespath/$file" eq $whitelist_file);
-
 		# Skip rules file with local rules.
 		next if ("$rulespath/$file" eq $local_rules_file);
 
@@ -1707,46 +1704,47 @@  sub get_suricata_enabled_app_layer_protos() {
 #
 sub generate_ignore_file() {
 	my %ignored = ();
+	my @ignored_addresses = ();
 
-	# SID range 1000000-1999999 Reserved for Local Use
-	# Put your custom rules in this range to avoid conflicts
-	my $sid = 1500000;
+	# Name of the ipset.
+	my $list = "IPSWHITELIST";
 
 	# Read-in ignoredfile.
 	&General::readhasharray($IDS::ignored_file, \%ignored);
 
-	# Open ignorefile for writing.
-	open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n";
+	# Loop through the entire hash and add the enabled addresses to
+	# the array of ignored addresses..
+	while ( (my $key) = each %ignored) {
+		my $address = $ignored{$key}[0];
+		my $remark = $ignored{$key}[1];
+		my $status = $ignored{$key}[2];
+
+		# Check if the status of the entry is "enabled".
+		if ($status eq "enabled") {
+			# Check if the address/network is valid.
+			if ((&General::validip($address)) || (&General::validipandmask($address))) {
+				# Add the address to the array of ignored addresses.
+				push(@ignored_addresses, $address);
+			}
+		}
+	}
 
-	# Config file header.
-	print FILE "# Autogenerated file.\n";
-	print FILE "# All user modifications will be overwritten.\n\n";
+	# Open the the whitelist file for writing.
+	open(FILE, ">", "$whitelist_file") or die "Could not write to $whitelist_file. $!\n";
 
-	# Add all user defined addresses to the whitelist.
-	#
-	# Check if the hash contains any elements.
-	if (keys (%ignored)) {
-		# Loop through the entire hash and write the host/network
-		# and remark to the ignore file.
-		while ( (my $key) = each %ignored) {
-			my $address = $ignored{$key}[0];
-			my $remark = $ignored{$key}[1];
-			my $status = $ignored{$key}[2];
-
-			# Check if the status of the entry is "enabled".
-			if ($status eq "enabled") {
-				# Check if the address/network is valid.
-				if ((&General::validip($address)) || (&General::validipandmask($address))) {
-					# Write rule line to the file to pass any traffic from this IP
-					print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; bypass; sid:$sid\;)\n";
-
-					# Increment sid.
-					$sid++;
-				}
-			}
+	# Check if the array of ignored addresses contains any elements.
+	if(@ignored_addresses) {
+		# Write file header.
+		print FILE "create $list hash:net family inet -exist\n";
+		print FILE "flush $list\n";
+
+		# Loop through the array of ignored addresses.
+		foreach my $address (@ignored_addresses) {
+			print FILE "add $list $address\n";
 		}
 	}
 
+	# Close filehandle.
 	close(FILE);
 }
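Review bot: When no enabled address passes validation the `if(@ignored_addresses)` guard leaves the file completely empty, so the `create`/`flush` lines are never emitted; if the file is fed to `ipset restore`, an existing IPSWHITELIST set keeps its previous members and stale entries continue to bypass the IDS after the user disables or deletes them. The header should be written unconditionally: move `print FILE "create $list hash:net family inet -exist\n";` and `print FILE "flush $list\n";` out of the conditional and keep only the `add` loop inside it. How the file is consumed is not visible here, so this assumes the caller does not flush the set separately. The write should also be checked, `close(FILE) or die "Could not write to $whitelist_file. $!\n";`, since a short write would silently produce a truncated whitelist, and a lexical filehandle would match the new three-argument open(). `$remark` is read on the new side but never used.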