ids-functions.pl: Add get_suricata_enable_app_layer_protos().

This function call suricata to obtain a list of enabled application layer protocols (application/protocol parsers). Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2026-04-22 00:42:59 +02:00 · 2021-12-19 15:32:52 +01:00
parent 9e9d89ae37
commit bb39fac437
1 changed files with 46 additions and 1 deletions
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -122,7 +122,10 @@ my @cron_intervals = ('off', 'daily', 'weekly' );
 my @http_ports = ('80', '81');

 # Array which contains a list of rulefiles which always will be included if they exist.
-my @static_included_rulefiles = ('local.rules', 'whitelist.rules' );
+my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
+
+# Array which contains a list of allways enabled application layer protocols.
+my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');

 # Hash which allows to convert the download type (dl_type) to a file suffix.
 my %dl_type_to_suffix = (
@@ -1572,6 +1575,48 @@ sub get_suricata_version($) {
 	}
 }

+#
+## Function to get the enabled application layer protocols.
+#
+sub get_suricata_enabled_app_layer_protos() {
+	# Array to store and return the enabled app layer protos.
+	my @enabled_app_layer_protos = ();
+
+	# Execute piped suricata command and return the list of
+	# enabled application layer protocols.
+	open(SURICATA, "suricata --list-app-layer-protos |") or die "Could not execute program: $!";
+
+	# Grab and store the list of enabled application layer protocols.
+	my @output = <SURICATA>;
+
+	# Close pipe.
+	close(SURICATA);
+
+	# Merge allways enabled static application layers protocols array.
+	@enabled_app_layer_protos = @static_enabled_app_layer_protos;
+
+	# Loop through the array which contains the output of suricata.
+	foreach my $line (@output) {
+		# Skip header line which starts with "===".
+		next if ($line =~ /^\s*=/);
+
+		# Skip info or warning lines.
+		next if ($line =~ /\s*--/);
+
+		# Remove newlines.
+		chomp($line);
+
+		# Add enabled app layer proto to the array.
+		push(@enabled_app_layer_protos, $line);
+	}
+
+	# Sort the array.
+	@enabled_app_layer_protos = sort(@enabled_app_layer_protos);
+
+	# Return the array.
+	return @enabled_app_layer_protos;
+}
+
 #
 ## Function to generate the rules file with whitelisted addresses.
 #