unsupported provider.
Modify the write_used_rulefiles_file() function to skip the rulefiles
of unsupported providers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
supported anymore.
In this case the details about the file suffix are not available in the
ruleset-sources file anymore, so the function now tries to
enumerate the correct filename.
This allows displaying the correct stats in the WUI and extracting and
using the downloaded ruleset of the provider until it gets deleted by the
user.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Etags are used to identify if a resource has been changed
by sending a special request with an Etag value to the server.
If the resource has changed the server will serve the new content;
otherwise it will return the 304 (Not-Modified) code.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
rulefiles.
Suricata seems to struggle when using multiple and/or nested includes in
the same config section. This results in an only partially loaded
configuration where not all rulefiles are loaded and used.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is going to replace the part which the oinkmaster.pl
script currently does.
It will read in the extracted ruleset, remove duplicates and alter the
rules to alert or drop in case they match. Also rules will be enabled or
disabled if the user requested this.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to gather the modes of the configured providers
and return them as a hash.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The download script should not directly do the logging stuff.
It simply should download the files for the requested provider and
return an error code on fail.
The logging should be done at another place.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Remove the option and required code to download the rulesets
for all configured and enabled providers by just calling the downloader
function.
This causes a lot of trouble and, if required, should be handled directly
by the processing script.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When using the "If-Modified-Since" header, the server can be asked
whether a modified version of the file can be served.
In case that is true, the file will be sent and stored by the downloader
function. If the file has not been touched since the last time, the
server will respond with the code "304" (Not modified).
This tells us that the currently stored file is the latest one (still up-to-date)
and we can safely skip the download attempt for this provider.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
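The conditional-download mechanism described in the Etag and "If-Modified-Since" commits above, as an added example that is not part of IPFire's code (IPFire's downloader is Perl and uses its own function names): a local test server, constructed here with a constructed sample rule, that answers 304 when the validators the client presents still match, and a `conditional_download` function that stores the validators from the last successful fetch and skips the download on 304. The URL, the `state` dictionary layout and the function names are assumptions for this example.

```python
import email.utils
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample "ruleset" served by the local test server (not a real provider file).
RULESET = b'alert tcp any any -> any 80 (msg:"constructed example rule"; sid:1000001; rev:1;)\n'
RULESET_MTIME = 1_600_000_000  # fixed modification time of the constructed sample (epoch seconds)


def strong_etag(data: bytes) -> str:
    """ETag derived from the content hash, as a typical static file server would do."""
    return '"%s"' % hashlib.sha256(data).hexdigest()[:16]


class RulesetHandler(BaseHTTPRequestHandler):
    """Minimal server honouring If-None-Match / If-Modified-Since with a 304 reply."""

    def _not_modified(self, etag: str) -> bool:
        # An ETag match takes precedence; otherwise fall back to the date validator.
        inm = self.headers.get("If-None-Match")
        if inm is not None:
            return inm == etag
        ims = self.headers.get("If-Modified-Since")
        if ims is None:
            return False
        try:
            since = email.utils.parsedate_to_datetime(ims).timestamp()
        except (TypeError, ValueError):
            return False  # unparsable date: serve the full file
        return since >= RULESET_MTIME

    def do_GET(self):
        etag = strong_etag(RULESET)
        if self._not_modified(etag):
            self.send_response(304)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(RULESET)))
        self.send_header("ETag", etag)
        self.send_header("Last-Modified", email.utils.formatdate(RULESET_MTIME, usegmt=True))
        self.end_headers()
        self.wfile.write(RULESET)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the constructed server on an ephemeral localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), RulesetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/rules.tar.gz" % server.server_address[1]


def conditional_download(url: str, state: dict) -> tuple:
    """Fetch url, presenting the validators stored in state from the last download.

    Returns ("downloaded", data) on 200 and updates state, or ("not-modified", None)
    on 304, in which case the locally stored copy is still current and the download
    attempt for this provider can be skipped.
    """
    req = urllib.request.Request(url)
    if state.get("etag"):
        req.add_header("If-None-Match", state["etag"])
    if state.get("last_modified"):
        req.add_header("If-Modified-Since", state["last_modified"])
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            data = resp.read()
            state["etag"] = resp.headers.get("ETag")
            state["last_modified"] = resp.headers.get("Last-Modified")
            return "downloaded", data
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return "not-modified", None
        raise  # any other error status is a real download failure


def demo():
    """First request downloads the file, second is answered with 304."""
    server, url = start_server()
    try:
        state = {}
        first = conditional_download(url, state)
        second = conditional_download(url, state)
        return first, second, state
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    first, second, state = demo()
    print(first[0], second[0], state)
```

A 304 only says the stored copy is the one the server would send now; it carries no integrity guarantee of its own, so the stored ruleset still relies on whatever checks protected the original download (transport security, size or checksum verification).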
This will help us to determine if all required perl modules and their
dependencies are available and loadable.
It also prevents us from double loading modules and makes development
and maintenance easier.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Even if the servers do not support HEAD requests, the remote filesize
(content_length) can be obtained from the connection headers.
This generic method works for all servers and therefore we do not need
the code to handle Sourcefire servers in a different way anymore.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
These rulefiles are used by various providers as a kind of reference and
to store rules which have been taken out for correctness or performance
reasons, or for other reasons.
Fixes #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Only extract rulefiles which are located in a rules directory and/or in the archive
root.
This prevents us from extracting experimental or binary rules etc. which
often are located in corresponding sub-directories.
Reference: #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending it
to the first extracted one each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
We are almost running as an unprivileged user and therefore do not have
the permissions to do this.
This will save us a lot of confusing error messages.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When adding a host to the whitelist set the bypass flag to
immediately take the load from the IDS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The "/var/ipfire/suricata/suricata-default-rules.yaml" file will now
be generated dynamically, based on the enabled application layer
protocols.
Only existing rulefiles for enabled app layer protocols will be loaded.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function calls suricata to obtain a list of enabled application
layer protocols (application/protocol parsers).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
directory.
If there are any, they can safely be removed because the *.config files
now live in a different folder.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
exists before returning the filename.
This will prevent using and processing non-existing files.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
determined.
If no timestamp could be grabbed for the rulestarball of a given provider,
return N/A.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>