ids-functions.pl: Rework function for modify-sid file to be more generic.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit is contained in:
Stefan Schantl
2021-03-31 10:49:19 +02:00
parent 16b2d281ce
commit aac869c47e


@@ -1214,12 +1214,7 @@ sub write_used_rulefiles_file(@) {
sub write_modify_sids_file() {
# Get configured settings.
my %idssettings=();
my %rulessettings=();
&General::readhash("$ids_settings_file", \%idssettings);
&General::readhash("$rules_settings_file", \%rulessettings);
# Gather the configured ruleset.
my $ruleset = $rulessettings{'RULES'};
# Open modify sid's file for writing.
open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
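Review bot: The `open` on the last line of the hunk (unchanged context) still uses a bareword global handle and the two-argument form; since the function is being reworked anyway, it should become a lexical three-argument open, `open(my $fh, '>', $modify_sids_file) or die "Could not write to $modify_sids_file. $!\n";`, with the two `print FILE <<END;` lines in the next hunk becoming `print {$fh} <<END;`. The matching `close(FILE);` at the end of the next hunk is unchecked, so a buffered write failure is silently lost; it should become `close($fh) or die "Could not close $modify_sids_file. $!\n";`. A global `FILE` handle is also shared with every other routine in the file that opens the same bareword, which a lexical handle avoids. The body of write_modify_sids_file continues into the next hunk and its end is outside this view.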
@@ -1236,33 +1231,24 @@ sub write_modify_sids_file() {
# malware in that file. Rules which fall into the first category should stay as
# alert since not all flows of that type contain malware.
if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') {
# These types of rulesfiles contain meta-data which gives the action that should
# be used when in IPS mode. Do the following:
#
# 1. Disable all rules and set the action to 'drop'
# 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
# This should give rules not in the policy a reasonable default if the user
# manually enables them.
# 3. Enable rules and set actions according to the meta-data strings.
# These types of rulesfiles contain meta-data which gives the action that should
# be used when in IPS mode. Do the following:
#
# 1. Disable all rules and set the action to 'drop'
# 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
# This should give rules not in the policy a reasonable default if the user
# manually enables them.
# 3. Enable rules and set actions according to the meta-data strings.
my $policy = 'balanced'; # Placeholder to allow policy to be changed.
my $policy = 'balanced'; # Placeholder to allow policy to be changed.
print FILE <<END;
modifysid * "^#?(?:alert|drop)" | "#drop"
modifysid * "^#drop(.+flowbits:noalert;)" | "#alert\${1}"
modifysid * "^#(?:alert|drop)(.+policy $policy-ips alert)" | "alert\${1}"
modifysid * "^#(?:alert|drop)(.+policy $policy-ips drop)" | "drop\${1}"
END
} else {
# These rulefiles don't have the metadata, so set rules to 'drop' unless they
# contain the string 'flowbits:noalert;'.
print FILE <<END;
modifysid * "^(#?)(?:alert|drop)" | "\${1}drop"
modifysid * "^(#?)drop(.+flowbits:noalert;)" | "\${1}alert\${2}"
END
}
}
# Close file handle.
close(FILE);