suricata: correct rule actions in IPS mode

In IPS mode rule actions need to have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' where this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Tim FitzGeorge
2019-06-05 20:56:32 +02:00
committed by Michael Tremer
parent 9734a58faf
commit a5ba473c15
6 changed files with 148 additions and 7 deletions


@@ -359,7 +359,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
$errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}";
}
# Check if enought free disk space is availabe.
# Check if enough free disk space is availabe.
if(&IDS::checkdiskspace()) {
$errormessage = "$Lang::tr{'not enough disk space'}";
}
@@ -370,6 +370,22 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
# a new ruleset.
&working_notice("$Lang::tr{'ids working'}");
&General::readhash("$IDS::ids_settings_file", \%idssettings);
# Temporary variable to set the ruleaction.
# Default is "drop" to use suricata as IPS.
my $ruleaction="drop";
# Check if the traffic only should be monitored.
if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
# Switch the ruleaction to "alert".
# Suricata acts as an IDS only.
$ruleaction="alert";
}
# Write the modify sid's file and pass the taken ruleaction.
&IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'});
# Call subfunction to download the ruleset.
if(&IDS::downloadruleset()) {
$errormessage = $Lang::tr{'could not download latest updates'};
@@ -609,8 +625,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
$ruleaction="alert";
}
&General::readhash("$IDS::rules_settings_file", \%rulessettings);
# Write the modify sid's file and pass the taken ruleaction.
&IDS::write_modify_sids_file($ruleaction);
&IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'});
# Check if "MONITOR_TRAFFIC_ONLY" has been changed.
if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {