From patchwork Mon Feb 9 14:23:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 9494 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4f8n741YY0z3wpn for ; Mon, 09 Feb 2026 14:26:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4f8n736x2xz5gn for ; Mon, 09 Feb 2026 14:26:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4f8n700mthz33t5 for ; Mon, 09 Feb 2026 14:26:04 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4f8n6w744fz2xdr for ; Mon, 09 Feb 2026 14:26:00 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4f8n6v2Tvgzvw; Mon, 09 Feb 2026 14:25:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1770647159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=cZWh7dC1f2f/mhSWlqObCFveASKT8V+yOrOWswsA8bQ=; b=pJVfxMgoCseyHD4NQG3GybyRXdy1A27jcOG0Lqv8Ck4V+Mbq80OMfeQPqUQ535i2DuBc9a iVlpOmm4VgHiXjAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1770647159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=cZWh7dC1f2f/mhSWlqObCFveASKT8V+yOrOWswsA8bQ=; b=rHBRMbbN3sXCqM97nw8EY+H0Qh51pm2oXHdXbv2iffLf8NNUBemd9yZI84qbr8IkX+xRK0 WoFguAoHL97A+xQ23b/C6bvq+PoiGfqS8c8zb/4/EQb3ZlMgWN36YEdxjHjgBSSv43wzly HvMxS5B+0d3A92PapKsNh8hn278whLQXNvEG9aSGXxdR7w/GqME8hakWsiorypsw9Aurxi hYL9VF+19E8+cH3nzcR+PyuYXEUo3Uf3fXnEVqLxvv+rsVz0Wl87okhst4mEwwJamEVulr 1qcUGiK9rfi2itF/iIUWul+7T80si1oC6XWVaKYm0/RlnveWqwQj8l2ng5rDXQ== From: Stefan Schantl To: development@lists.ipfire.org Cc: Stefan Schantl Subject: [PATCH 1/4] ruleset-sources: Add details about rule sid and info URL Date: Mon, 9 Feb 2026 15:23:19 +0100 Message-ID: <20260209142322.2481-1-stefan.schantl@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Signed-off-by: Stefan Schantl --- config/suricata/ruleset-sources | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index af65648af..5b9073d85 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -13,6 +13,8 @@ package IDS::Ruleset; # requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset. # dl_url => The download URL to grab the ruleset. # dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file. +# sid_range => The sid range which the provider uses for it's rules, specified as an array. "[start sid, stop sid]" +# sid_info_url => An URL which provides additional information about a rule based on it's sid. # }, # Hash which contains the supported ruleset providers. @@ -25,6 +27,8 @@ our %Providers = ( requires_subscription => "True", dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=", dl_type => "archive", + sid_range => ["1", "1000000"], + sid_info_url => "https://www.snort.org/rule_docs/1-", }, # Ruleset for registered sourcefire users with a valid subscription. @@ -35,6 +39,8 @@ our %Providers = ( requires_subscription => "True", dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=", dl_type => "archive", + sid_range => ["1", "1000000"], + sid_info_url => "https://www.snort.org/rule_docs/1-", }, # Community rules from sourcefire. @@ -45,6 +51,8 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://www.snort.org/downloads/community/community-rules.tar.gz", dl_type => "archive", + sid_range => ["1", "1000000"], + sid_info_url => "https://www.snort.org/rule_docs/1-", }, # Emerging threats community rules. @@ -55,6 +63,8 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz", dl_type => "archive", + sid_range => ["2000000", "2999999"], + sid_info_url => "https://threatintel.proofpoint.com/sid/", }, # Emerging threats Pro rules. @@ -65,6 +75,8 @@ our %Providers = ( requires_subscription => "True", dl_url => "https://rules.emergingthreatspro.com//suricata-5.0/etpro.rules.tar.gz", dl_type => "archive", + sid_range => ["2000000", "2999999"], + sid_info_url => "https://threatintel.proofpoint.com/sid/", }, # Abuse.ch SSLBL Blacklist rules. @@ -72,6 +84,7 @@ our %Providers = ( summary => "Abuse.ch SSLBL Blacklist Rules", website => "https://sslbl.abuse.ch/", tr_string => "sslbl blacklist rules", + sid_range => ["902200000", "902299999"], }, # Etnetera Aggressive Blacklist. @@ -82,6 +95,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules", dl_type => "plain", + sid_range => ["500000", "599999"], }, # OISF Traffic ID rules. @@ -92,6 +106,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules", dl_type => "plain", + sid_range => ["300000000", "301000000"], }, # Positive Technologies Attack Detection Team rules. @@ -99,6 +114,7 @@ our %Providers = ( summary => "PT Attack Detection Team Rules", website => "https://github.com/ptresearch/AttackDetection", tr_string => "attack detection team rules", + sid_range => ["10000000", "11999999"], }, # Secureworks Security rules. @@ -130,6 +146,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules", dl_type => "plain", + sid_range => ["91000000", "91999999"], }, # Travis B. Green hunting rules. @@ -140,6 +157,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules", dl_type => "plain", + sid_range => ["2610000", "2619999"], }, ipfire_dbl => { @@ -149,5 +167,6 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://dbl.ipfire.org/lists/suricata.tar.gz", dl_type => "archive", + sid_range => ["406000000", "406999999"], }, ); From patchwork Mon Feb 9 14:23:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 9497 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4f8n754bnfz3xld for ; Mon, 09 Feb 2026 14:26:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4f8n752KJ8z5h7 for ; Mon, 09 Feb 2026 14:26:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4f8n712CvYz33gL for ; Mon, 09 Feb 2026 14:26:05 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4f8n6y1qylz333y for ; Mon, 09 Feb 2026 14:26:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4f8n6w4x8cz3vs; Mon, 09 Feb 2026 14:26:00 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1770647161; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=18lPQuHxBNklSxI2jEk6YRGE8P3gIXF9mTQixw0YfZ0=; b=H6obX6OCKxW496hEFj4EvvrcSgRCSW14ECJBjHUxPIecnaeX5zyi4RJ6wZbjuLfGftULvH X/iiNqSdOHR7jiDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1770647161; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=18lPQuHxBNklSxI2jEk6YRGE8P3gIXF9mTQixw0YfZ0=; b=sG/DdFF8KU57ieH2KlKRHb9PgMWbSu7vFshQ0EJkp50FUz9O57hiGn9Cq194v/Md0kdGxV HsAFbcKAMYxs7iC6IO0Nz587zCM58+LnMgVoewFARAqMIlW/IjJSZPu63sXx1JzYTwwyzy 79rxK/db7rVhDCjkFZsHgQNTHQWJh94s5E51+XtJ7+/Ro7XD1chPMsB7ARHShToU7UnLrR wDOxfiKhFCdF6qW6R1CutR2XA9Bsf3rJKJaU6D12UBRFYlyDOjMGHA7t8VI6QKH3l1zGeg /JTV9hcUjYmYdc45WhbtcjfkVgTPpT3zr+PcduNGaS/Xge4snibvWAwZAxt4KQ== From: Stefan Schantl To: development@lists.ipfire.org Cc: Stefan Schantl Subject: [PATCH 2/4] ids-functions.pl: Add function to get the provider by a given rule id Date: Mon, 9 Feb 2026 15:23:20 +0100 Message-ID: <20260209142322.2481-2-stefan.schantl@ipfire.org> In-Reply-To: <20260209142322.2481-1-stefan.schantl@ipfire.org> References: <20260209142322.2481-1-stefan.schantl@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 80 +++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index bede5fca0..0271ef4fc 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -1829,4 +1829,84 @@ sub generate_report_generator_config() { close(FILE); } +# +## Function to get the provider handle by a given rule sid. +# +sub get_provider_by_sid ($) { + my ($sid) = @_; + + # Get all known ruleset providers. + my @ruleset_providers = &get_ruleset_providers(); + + # Temporary hash to store found ranges. + my %tmphash = (); + my @tmparray; + + # Loop through the array of known providers. + foreach my $provider (@ruleset_providers) { + # Skip provider if no sid range is specified. + next unless ($IDS::Ruleset::Providers{$provider}{"sid_range"}); + + # Grab and the dereference the sid range. + my @sid_range = @{ $IDS::Ruleset::Providers{$provider}{"sid_range"} }; + + # Check if the given sid is in the range of the current processed provider. + next unless (&is_sid_in_range($sid, \@sid_range)); + + # Assign some nice human-readable values. + my $start = $sid_range[0]; + my $end = $sid_range[1]; + + # Calculate the sid range. + my $range = $end - $start; + + # Assign the found provider and it's range to the temporary hash. + $tmphash{$range} = $provider; + } + + # Sort the ranges of the found providers and store them in a temporary + # array - This is neccessary in case more than one range has been found. + @tmparray = sort (keys %tmphash); + + # Return if nothing has been found. + return unless(@tmparray); + + # The first element of the temporary array contains our smalles sid range + # which the given sid has to belong - grab the stored handle. + my $handle = $tmphash{$tmparray[0]}; + + # Return the obtained handle. + return $handle; +} + +# +## Function to check if a given single sid is in a given range. +# +sub is_sid_in_range($\@) { + my ($sid, $range_ref) = @_; + + # Deref the array ref and assig to array. + my @range = @{ $range_ref }; + + # Assign some nice human-readable values. + my $range_start = $range[0]; + my $range_stop = $range[1]; + + # Early exit in case the range has been passed the + # wrong way around. + return undef if ($range_start > $range_stop); + + # Return if the given sid is lower than the start one. + return if ($sid < $range_start); + + # Return if the given sid is higher than the max range. + return if ($sid > $range_stop); + + # Return True if the given sid is lower or equals the max range. + return 1 if ($sid <= $range_stop); + + # If we got here, something strange happend. + return undef; +} + 1; From patchwork Mon Feb 9 14:23:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 9495 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4f8n752BBzz3xGR for ; Mon, 09 Feb 2026 14:26:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4f8n75072zz5gw for ; Mon, 09 Feb 2026 14:26:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4f8n706pRQz349h for ; Mon, 09 Feb 2026 14:26:04 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4f8n6x6kYTz333G for ; Mon, 09 Feb 2026 14:26:01 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4f8n6x2l4Fzvw; Mon, 09 Feb 2026 14:26:01 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1770647161; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cNAkDY6hHk1Bu/ucNTBDkw6jdqkmSRYIlaGc8tGiUtI=; b=EYXWSxgYxocaqKEXDWVL2pbUA8VjiFi27ntvSZhm5/Tva/SsUXGzRqf9+D8ksXiubpYRc0 YTvPNiQB2iFjqbAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1770647161; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cNAkDY6hHk1Bu/ucNTBDkw6jdqkmSRYIlaGc8tGiUtI=; b=t7xR6NXTHztKGR8vRMEJroGPN0A28kuJOIcExW/PFOUWSGdzwUsEoAtwgelfdSmuBAyfw5 CEFe6qY4CiZ2WIF29lHbPAhMrpt5N+kv8tnw735FiIh8Z4JTig50HiK2OQQCU+QG/6rwoO t3ifSsn9Dl+IxLFrFwH6MoViBU8jl4ba3VVvREYxDY2na+lOICkHQYxsVuhsXwkXd0s90d jU+Er5V/nuHlphvmnD0XROD4D4dpjkgebdfBJBsHpTNVLlYinmVJd60Mv5lm3C3ctJbRX7 Kbdo3vCWZjpzX/bVeumGYVlGzZXCoU6UK7vC4UDeyQlu9uzc4Wv0Fwj2D4jQTA== From: Stefan Schantl To: development@lists.ipfire.org Cc: Stefan Schantl Subject: [PATCH 3/4] ids-functions.pl: Add function to get the info url for a given rule id Date: Mon, 9 Feb 2026 15:23:21 +0100 Message-ID: <20260209142322.2481-3-stefan.schantl@ipfire.org> In-Reply-To: <20260209142322.2481-1-stefan.schantl@ipfire.org> References: <20260209142322.2481-1-stefan.schantl@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 0271ef4fc..93d1acdee 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -1909,4 +1909,29 @@ sub is_sid_in_range($\@) { return undef; } +# +## Function to get the sid info url in case it is defined +# +sub get_sid_info_url($) { + my ($sid) = @_; + + # Call function to get the provider for this rule id. + my $provider = &get_provider_by_sid($sid); + + # Exit if no provder could be determined. + return unless($provider); + + # Exit if no info URL is known for the provider. + return unless($IDS::Ruleset::Providers{$provider}{"sid_info_url"}); + + # Grab the URL for the given provider. + my $info_url = $IDS::Ruleset::Providers{$provider}{"sid_info_url"}; + + # Replace the placeholder with the given sid. + $info_url =~ s/\/$sid/g; + + # Return the URL. + return $info_url; +} + 1; From patchwork Mon Feb 9 14:23:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 9496 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4f8n7547Mpz3wpn for ; Mon, 09 Feb 2026 14:26:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4f8n7524rdz5gb for ; Mon, 09 Feb 2026 14:26:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4f8n711ZN9z34Cb for ; Mon, 09 Feb 2026 14:26:05 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4f8n6y2TqNz334V for ; Mon, 09 Feb 2026 14:26:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4f8n6x6lBBz5Xb; Mon, 09 Feb 2026 14:26:01 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1770647162; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=/04vFsR1J3XpzWpYMxPXcvSVJjU4GFHPyhZBTFujl+4=; b=mKTV+fNrpwP9PfJ6MI6+jSq19EvhvBf/c7fsqDqD6vmqEvpYDMs8zHrl+i3XgnAZor/HtS gxa9yCdsQJaURWAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1770647162; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=/04vFsR1J3XpzWpYMxPXcvSVJjU4GFHPyhZBTFujl+4=; b=phm6zjpSEUc4fByep0MZB/fbRWZNOFcJ+R2I/6gByscdDRuLNka9ngnF1kQ2QGSSL9TNwC 4G2eQE94G81Cq9p7bjRKZrO/h94MztCFjMl6W0azmKeer7DnOgpKFjqvcI48wgHP0RNaIA 5+i/BheLZBaS56MEvN1mhwHoXqGzeLn3qWEbCxwgv1e9P1BW+kCaEho4yfdzqsqZgMT8Hs 3/JQNMBpGWa6GGn0vFx5CXd+1RwTT6uWvIbep6mxaT0Rb6lk9/LpXj0Mt3UjZxSKreK+WD XKNj02TXywlE+wR5IvP+mtOcIQk9TMPrppx0bvRbGMKUIHyYAmfYGuctcuokiw== From: Stefan Schantl To: development@lists.ipfire.org Cc: Stefan Schantl Subject: [PATCH 4/4] logs.cgi/ids.dat: Use new mechanic to obtain sid info url's Date: Mon, 9 Feb 2026 15:23:22 +0100 Message-ID: <20260209142322.2481-4-stefan.schantl@ipfire.org> In-Reply-To: <20260209142322.2481-1-stefan.schantl@ipfire.org> References: <20260209142322.2481-1-stefan.schantl@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/ids.dat | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index deebced21..ef224e3e6 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -22,6 +22,7 @@ use strict; my $report_generator_binary = "/usr/bin/suricata-report-generator"; require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; @@ -389,21 +390,26 @@ print < END ; - if ($sid eq "n/a") { - print $sid; - } elsif ($sid < 1000000) { - # Link to sourcefire if the the rule sid is less than 1000000. - print "$sid\n"; - } elsif ($sid >= 2000000 and $sid < 3000000) { - # Link to emergingthreats if the rule sid is between 2000000 and 3000000. - print "$sid\n"; + + # Check if an valid sid has been found. + if ($sid ne "n/a") { + # Try to get the info url for the sid. + my $info_url = &IDS::get_sid_info_url($sid); + + # Check if an url has been obtained. + if ($info_url) { + print "$sid\n"; + } else { + # No external link available. + print $sid; + } } else { # No external link for user defined rules print $sid; } print <