diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index e1caa6e58..94de1373c 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -729,8 +729,15 @@ sub write_used_rulefiles_file(@) { # ## Function to generate and write the file for modify the ruleset. # -sub write_modify_sids_file($$) { - my ($ruleaction,$rulefile) = @_; +sub write_modify_sids_file() { + # Get configured settings. + my %idssettings=(); + my %rulessettings=(); + &General::readhash("$ids_settings_file", \%idssettings); + &General::readhash("$rules_settings_file", \%rulessettings); + + # Gather the configured ruleset. + my $ruleset = $rulessettings{'RULES'}; # Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; @@ -739,7 +746,7 @@ sub write_modify_sids_file($$) { print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; # Check if the traffic only should be monitored. - unless($ruleaction eq "alert") { + unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { # Suricata is in IPS mode, which means that the rule actions have to be changed # from 'alert' to 'drop', however not all rules should be changed. Some rules # exist purely to set a flowbit which is used to convey other information, such @@ -747,7 +754,7 @@ sub write_modify_sids_file($$) { # malware in that file. Rules which fall into the first category should stay as # alert since not all flows of that type contain malware. - if($rulefile eq 'registered' or $rulefile eq 'subscripted' or $rulefile eq 'community') { + if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') { # These types of rulesfiles contain meta-data which gives the action that should # be used when in IPS mode. Do the following: # diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1791e9beb..74f5ca223 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
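Review bot: The new body of write_modify_sids_file reads both settings files with `&General::readhash` but never checks that the reads succeeded or that the keys it depends on (`MONITOR_TRAFFIC_ONLY`, `RULES`) are present; because the hashes start out empty, a missing or unreadable file silently yields an undefined `$ruleset` and the function goes on to write the modify-sids file anyway. Whether readhash dies on a missing file is not visible here; if it does not, a guard after the assignment such as `die "No ruleset configured in $rules_settings_file\n" unless defined $ruleset;` makes the failure explicit instead of producing a file that does not match the configured ruleset. The empty prototype `()` on the new signature only constrains call sites that omit `&` (the callers in ids.cgi use `&IDS::write_modify_sids_file()` and bypass it), so it documents rather than enforces the arity; a plain `sub write_modify_sids_file {` with the arity stated in the header comment is clearer. The function's body continues past the end of this hunk.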
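Review bot: `unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on')` compares an undefined value whenever the key is absent from the settings file, which (if the file runs under `use warnings`) logs an uninitialized-value warning on every run while still selecting the drop/IPS branch; the same applies to `$ruleset` in the `eq 'registered' or ...` chain of the following `@@ -747` hunk. The old comparison against the caller-supplied `$ruleaction` could never be undefined, so this exposure is new with moving the lookup into the function. Making the fail-closed default explicit keeps the behaviour and removes the noise: `unless(($idssettings{'MONITOR_TRAFFIC_ONLY'} // '') eq 'on') {` (defined-or needs perl 5.10 or later, which I cannot confirm from this excerpt). The enclosing branch and function continue outside the hunk.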
@@ -370,21 +370,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # a new ruleset. &working_notice("$Lang::tr{'ids working'}"); - &General::readhash("$IDS::ids_settings_file", \%idssettings); - - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'}); + &IDS::write_modify_sids_file(); # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { @@ -614,21 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file(); - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - - &General::readhash("$IDS::rules_settings_file", \%rulessettings); - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'}); + &IDS::write_modify_sids_file(); # Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
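Review bot: This call site previously passed the freshly submitted `$cgiparams{'RULES'}`, but `write_modify_sids_file()` now takes the ruleset from `$rules_settings_file`; unless that file has already been written with the submitted values before this line (not visible in the hunk), the generated modify-sids file will reflect the previously saved ruleset rather than the one just chosen. The removed `&General::readhash("$IDS::ids_settings_file", \%idssettings)` also means `%idssettings` is no longer populated here, which matters if anything later in this block still reads it. The same ordering question applies to the second call in the `@@ -614` hunk, where `MONITOR_TRAFFIC_ONLY` used to come from `$cgiparams` and is now read from `$ids_settings_file`; the comparison against `%oldidssettings` directly after it suggests the file may already be updated at that point, but confirm. A comment above the call such as `# Requires $IDS::rules_settings_file and $IDS::ids_settings_file to already hold the submitted settings.` would record that dependency. The enclosing `if` block begins and ends outside the hunk.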