ids-functions.pl: Drop oinkmaster related functions and declarations.

They are no longer needed and can safely be dropped.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl
2022-03-20 18:08:49 +01:00
parent 443ad51d1c
commit 849fc8ea15


@@ -77,12 +77,6 @@ our $dns_servers_file = "$settingsdir/suricata-dns-servers.yaml";
# File where the HTTP ports definition is stored.
our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
# File which contains includes for provider specific rule modifications.
our $oinkmaster_provider_includes_file = "$settingsdir/oinkmaster-provider-includes.conf";
# File which contains wheater the rules should be changed.
our $modify_sids_file = "$settingsdir/oinkmaster-modify-sids.conf";
# File which stores the configured IPS settings.
our $ids_settings_file = "$settingsdir/settings";
@@ -177,8 +171,6 @@ my %tr_app_layer_proto = (
#
sub check_and_create_filelayout() {
# Check if the files exist and if not, create them.
unless (-f "$oinkmaster_provider_includes_file") { &create_empty_file($oinkmaster_provider_includes_file); }
unless (-f "$modify_sids_file") { &create_empty_file($modify_sids_file); }
unless (-f "$suricata_used_providers_file") { &create_empty_file($suricata_used_providers_file); }
unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); }
unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); }
@@ -1062,65 +1054,6 @@ sub drop_dl_rulesfile ($) {
}
}
#
## Tiny function to get/generate the full path and filename for the providers oinkmaster
## modified sids file.
#
sub get_oinkmaster_provider_modified_sids_file ($) {
my ($provider) = @_;
# Generate the filename.
my $filename = "$settingsdir/oinkmaster-$provider-modified-sids.conf";
# Return the filename.
return $filename;
}
#
## Function to directly altering the oinkmaster provider includes file.
##
## Requires tha acition "remove" or "add" and a provider handle.
#
sub alter_oinkmaster_provider_includes_file ($$) {
my ($action, $provider) = @_;
# Call function to get the path and name for the given providers
# oinkmaster modified sids file.
my $provider_modified_sids_file = &get_oinkmaster_provider_modified_sids_file($provider);
# Open the file for reading..
open (FILE, $oinkmaster_provider_includes_file) or die "Could not read $oinkmaster_provider_includes_file. $!\n";
# Read-in file content.
my @lines = <FILE>;
# Close file after reading.
close(FILE);
# Re-open the file for writing.
open(FILE, ">", $oinkmaster_provider_includes_file) or die "Could not write to $oinkmaster_provider_includes_file. $!\n";
# Loop through the file content.
foreach my $line (@lines) {
# Remove newlines.
chomp($line);
# Skip line if we found our given provider and the action should be remove.
next if (($line =~ /$provider/) && ($action eq "remove"));
# Write the read-in line back to the file.
print FILE "$line\n";
}
# Check if the file exists and add the provider if requested.
if ((-f $provider_modified_sids_file) && ($action eq "add")) {
print FILE "include $provider_modified_sids_file\n";
}
# Close file handle.
close(FILE);
}
#
## Function to read-in the given enabled or disables sids file.
#
@@ -1661,52 +1594,6 @@ sub get_provider_ruleset_modifications_file($) {
return $filename;
}
#
## Function to generate and write the file for modify the ruleset.
#
sub write_modify_sids_file() {
# Get configured settings.
my %idssettings=();
&General::readhash("$ids_settings_file", \%idssettings);
# Open modify sid's file for writing.
open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
# Write file header.
print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
# Check if the traffic only should be monitored.
unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
# Suricata is in IPS mode, which means that the rule actions have to be changed
# from 'alert' to 'drop', however not all rules should be changed. Some rules
# exist purely to set a flowbit which is used to convey other information, such
# as a specific type of file being downloaded, to other rulewhich then check for
# malware in that file. Rules which fall into the first category should stay as
# alert since not all flows of that type contain malware.
# These types of rulesfiles contain meta-data which gives the action that should
# be used when in IPS mode. Do the following:
#
# 1. Disable all rules and set the action to 'drop'
# 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
# This should give rules not in the policy a reasonable default if the user
# manually enables them.
# 3. Enable rules and set actions according to the meta-data strings.
my $policy = 'balanced'; # Placeholder to allow policy to be changed.
print FILE <<END;
modifysid * "^#(?:alert|drop)(.+policy $policy-ips alert)" | "alert\${1}"
modifysid * "^#(?:alert|drop)(.+policy $policy-ips drop)" | "drop\${1}"
modifysid * "^(#?)(?:alert|drop)" | "\${1}drop"
modifysid * "^(#?)drop(.+flowbits:noalert;)" | "\${1}alert\${2}"
END
}
# Close file handle.
close(FILE);
}
#
## Function to get the subscription code of a configured provider.
#