our $settingsdir = "${General::swroot}/suricata";
# File where the main file for providers ruleset inclusion exists.
-our $suricata_used_providers_file = "$settingsdir/suricata-used-providers.yaml";
-
-# File for static ruleset inclusions.
-our $suricata_default_rulefiles_file = "$settingsdir/suricata-default-rules.yaml";
+our $suricata_used_rulesfiles_file = "$settingsdir/suricata-used-rulesfiles.yaml";
# File where the addresses of the homenet are stored.
our $homenet_file = "$settingsdir/suricata-homenet.yaml";
# File where the HTTP ports definition is stored.
our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
-# File which contains includes for provider specific rule modifications.
-our $oinkmaster_provider_includes_file = "$settingsdir/oinkmaster-provider-includes.conf";
-
-# File which contains wheater the rules should be changed.
-our $modify_sids_file = "$settingsdir/oinkmaster-modify-sids.conf";
-
# File which stores the configured IPS settings.
our $ids_settings_file = "$settingsdir/settings";
# File which stores the configured settings for whitelisted addresses.
our $ignored_file = "$settingsdir/ignored";
+# File which stores HTTP Etags for providers which supports them
+# for cache management.
+our $etags_file = "$settingsdir/etags";
+
# Location where the downloaded rulesets are stored.
our $dl_rules_path = "/var/tmp";
#
sub check_and_create_filelayout() {
# Check if the files exist and if not, create them.
- unless (-f "$oinkmaster_provider_includes_file") { &create_empty_file($oinkmaster_provider_includes_file); }
- unless (-f "$modify_sids_file") { &create_empty_file($modify_sids_file); }
- unless (-f "$suricata_used_providers_file") { &create_empty_file($suricata_used_providers_file); }
- unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); }
+ unless (-f "$suricata_used_rulesfiles_file") { &create_empty_file($suricata_used_rulesfiles_file); }
unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); }
unless (-f "$providers_settings_file") { &create_empty_file($providers_settings_file); }
unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); }
return @enabled_providers;
}
+#
+## Function to get a hash of provider handles and their configured modes (IDS/IPS).
+#
+sub get_providers_mode () {
+ my %used_providers = ();
+
+ # Hash to store the providers and their configured modes.
+ my %providers_mode = ();
+
+ # Read-in the providers config file.
+ &General::readhasharray("$providers_settings_file", \%used_providers);
+
+ # Loop through the hash of used_providers.
+ foreach my $id (keys %used_providers) {
+ # Skip disabled providers.
+ next unless ($used_providers{$id}[3] eq "enabled");
+
+ # Grab the provider handle.
+ my $provider = "$used_providers{$id}[0]";
+
+ # Grab the provider mode.
+ my $mode = "$used_providers{$id}[4]";
+
+ # Fall back to IDS if no mode could be obtained.
+ unless($mode) {
+ $mode = "IDS";
+ }
+
+ # Add details to provider_modes hash.
+ $providers_mode{$provider} = $mode;
+ }
+
+ # Return the hash.
+ return %providers_mode;
+}
+
#
## Function for checking if at least 300MB of free disk space are available
## on the "/var" partition.
$request->header( 'If-Modified-Since' => "$http_date" );
}
+ # Read-in Etags file for known Etags if the file is present.
+ my %etags = ();
+ &General::readhash("$etags_file", \%etags) if (-f $etags_file);
+
+ # Check if an Etag for the current provider is stored.
+ if ($etags{$provider}) {
+ # Grab the stored tag.
+ my $etag = $etags{$provider};
+
+ # Add an "If-None-Match header to the request to ask the server if the
+ # file has been modified.
+ $request->header( 'If-None-Match' => $etag );
+ }
+
my $dl_attempt = 1;
my $response;
# Get the remote size of the downloaded file.
my $remote_filesize = $headers->content_length;
+ # Grab the Etag from response it the server provides one.
+ if ($response->header('Etag')) {
+ # Add the Etag to the etags hash.
+ $etags{$provider} = $response->header('Etag');
+
+ # Write the etags file.
+ &General::writehash($etags_file, \%etags);
+ }
+
# Perform stat on the tmpfile.
my $stat = stat($tmpfile);
&extractruleset($provider);
}
- # Establish the connection to the syslog service.
- openlog('oinkmaster', 'cons,pid', 'user');
-
- # Call oinkmaster to generate ruleset.
- open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -s -u dir://$tmp_rules_directory -C $settingsdir/oinkmaster.conf -o $rulespath 2>&1 |") or die "Could not execute oinkmaster $!\n";
-
- # Log output of oinkmaster to syslog.
- while(<OINKMASTER>) {
- # The syslog function works best with an array based input,
- # so generate one before passing the message details to syslog.
- my @syslog = ("INFO", "$_");
-
- # Send the log message.
- syslog(@syslog);
- }
-
- # Close the pipe to oinkmaster process.
- close(OINKMASTER);
-
- # Close the log handle.
- closelog();
+ # Call function to process the ruleset and do all modifications.
+ &process_ruleset(@enabled_providers);
# Call function to merge the classification files.
&merge_classifications(@enabled_providers);
&cleanup_tmp_directory();
}
+#
+## Function to alter the ruleset.
+#
+sub process_ruleset(@) {
+ my (@providers) = @_;
+
+ # Hash to store the configured provider modes.
+ my %providers_mode = &get_providers_mode();
+
+ # Array to store the extracted rulefile from the temporary rules directory.
+ my @extracted_rulefiles;
+
+ # Get names of the extracted raw rulefiles.
+ opendir(DIR, $tmp_rules_directory) or die "Could not read from $tmp_rules_directory. $!\n";
+ while (my $file = readdir(DIR)) {
+ # Ignore single and double dotted files.
+ next if $file =~ /^\.\.?$/;
+
+ # Add file to the array of extracted files.
+ push(@extracted_rulefiles, $file);
+ }
+
+ # Close directory handle.
+ closedir(DIR);
+
+ # Loop through the array of providers.
+ foreach my $provider (@providers) {
+ # Hash to store the obtained SIDs and REV of each provider.
+ my %rules = ();
+
+ # Hash which holds modifications to apply to the rules.
+ my %modifications = ();
+
+ # Loop through the array of extraced rulefiles.
+ foreach my $file (@extracted_rulefiles) {
+ # Skip file if it does not belong to the current processed provider.
+ next unless ($file =~ m/^$provider/);
+
+ # Open the rulefile.
+ open(FILE, "$tmp_rules_directory/$file") or die "Could not read $tmp_rules_directory/$file. $!\n";
+
+ # Loop through the file content.
+ while (my $line = <FILE>) {
+ # Skip blank lines.
+ next if ($line =~ /^\s*$/);
+
+ # Call function to get the sid and rev of the rule.
+ my ($sid, $rev) = &_get_sid_and_rev($line);
+
+ # Skip rule if a sid with a higher rev already has added to the rules hash.
+ next if ($rev le $rules{$sid});
+
+ # Add the new or rule with higher rev to the hash of rules.
+ $rules{$sid} = $rev;
+ }
+
+ # Close file handle.
+ close(FILE);
+ }
+
+ # Get filename which contains the ruleset modifications for this provider.
+ my $modification_file = &get_provider_ruleset_modifications_file($provider);
+
+ # Read file which holds the modifications of the ruleset for the current provider.
+ &General::readhash($modification_file, \%modifications) if (-f $modification_file);
+
+ # Loop again through the array of extracted rulesfiles.
+ foreach my $file (@extracted_rulefiles) {
+ # Skip the file if it does not belong to the current provider.
+ next unless ($file =~ m/^$provider/);
+
+ # Open the rulefile for writing.
+ open(RULEFILE, ">", "$rulespath/$file") or die "Could not write to file $rulespath/$file. $!\n";
+
+ # Open the rulefile for reading.
+ open(TMP_RULEFILE, "$tmp_rules_directory/$file") or die "Could not read $tmp_rules_directory/$file. $!\n";
+
+ # Loop through the raw temporary rulefile.
+ while (my $line = <TMP_RULEFILE>) {
+ # Get the sid and rev of the rule.
+ my ($sid, $rev) = &_get_sid_and_rev($line);
+
+ # Check if the current rule is obsoleted by a newer one.
+ #
+ # In this case the rev number in the rules hash is higher than the current one.
+ next if ($rev lt $rules{$sid});
+
+ # Check if the rule should be enabled or disabled.
+ if ($modifications{$sid} eq "enabled") {
+ # Drop the # at the start of the line.
+ $line =~ s/^\#//;
+ } elsif ($modifications{$sid} eq "disabled") {
+ # Add a # at the start of the line to disable the rule.
+ $line = "#$line" unless ($line =~ /^#/);
+ }
+
+ # Check if the Provider is set so IPS mode.
+ if ($providers_mode{$provider} eq "IPS") {
+ # Replacements for sourcefire rules.
+ $line =~ s/^#\s*(?:alert|drop)(.+policy balanced-ips alert)/alert${1}/;
+ $line =~ s/^#\s*(?:alert|drop)(.+policy balanced-ips drop)/drop${1}/;
+
+ # Replacements for generic rules.
+ $line =~ s/^(#?)\s*(?:alert|drop)/${1}drop/;
+ $line =~ s/^(#?)\s*drop(.+flowbits:noalert;)/${1}alert${2}/;
+ }
+
+ # Write line / rule to the target rule file.
+ print RULEFILE "$line";
+ }
+
+ # Close filehandles.
+ close(RULEFILE);
+ close(TMP_RULEFILE);
+ }
+ }
+}
+
#
## Function to merge the classifications for a given amount of providers and write them
## to the classifications file.
return $rulesfile;
}
+#
+## Private function to obtain the sid and rev of a rule.
+#
+## Returns an array with the sid as first and the rev as second value.
+#
+sub _get_sid_and_rev ($) {
+ my ($line) = @_;
+
+ my @ret;
+
+ # Use regex to obtain the sid and rev.
+ if ($line =~ m/.*sid:\s*(.*?);.*rev:\s*(.*?);/) {
+ # Add the sid and rev to the array.
+ push(@ret, $1);
+ push(@ret, $2);
+ }
+
+ # Return the array.
+ return @ret;
+}
+
#
## Tiny function to delete the stored ruleset file or tarball for a given provider.
#
}
}
-#
-## Tiny function to get/generate the full path and filename for the providers oinkmaster
-## modified sids file.
-#
-sub get_oinkmaster_provider_modified_sids_file ($) {
- my ($provider) = @_;
-
- # Generate the filename.
- my $filename = "$settingsdir/oinkmaster-$provider-modified-sids.conf";
-
- # Return the filename.
- return $filename;
-}
-
-#
-## Function to directly altering the oinkmaster provider includes file.
-##
-## Requires tha acition "remove" or "add" and a provider handle.
-#
-sub alter_oinkmaster_provider_includes_file ($$) {
- my ($action, $provider) = @_;
-
- # Call function to get the path and name for the given providers
- # oinkmaster modified sids file.
- my $provider_modified_sids_file = &get_oinkmaster_provider_modified_sids_file($provider);
-
- # Open the file for reading..
- open (FILE, $oinkmaster_provider_includes_file) or die "Could not read $oinkmaster_provider_includes_file. $!\n";
-
- # Read-in file content.
- my @lines = <FILE>;
-
- # Close file after reading.
- close(FILE);
-
- # Re-open the file for writing.
- open(FILE, ">", $oinkmaster_provider_includes_file) or die "Could not write to $oinkmaster_provider_includes_file. $!\n";
-
- # Loop through the file content.
- foreach my $line (@lines) {
- # Remove newlines.
- chomp($line);
-
- # Skip line if we found our given provider and the action should be remove.
- next if (($line =~ /$provider/) && ($action eq "remove"));
-
- # Write the read-in line back to the file.
- print FILE "$line\n";
- }
-
- # Check if the file exists and add the provider if requested.
- if ((-f $provider_modified_sids_file) && ($action eq "add")) {
- print FILE "include $provider_modified_sids_file\n";
- }
-
- # Close file handle.
- close(FILE);
-}
-
#
## Function to read-in the given enabled or disables sids file.
#
}
#
-## Function to generate and write the file for used rulefiles file for a given provider.
-##
-## The function requires as first argument a provider handle, and as second an array with files.
-#
-sub write_used_provider_rulefiles_file($@) {
- my ($provider, @files) = @_;
-
- # Get the path and file for the provider specific used rulefiles file.
- my $used_provider_rulesfile_file = &get_used_provider_rulesfile_file($provider);
-
- # Open file for used rulefiles.
- open (FILE, ">", "$used_provider_rulesfile_file") or die "Could not write to $used_provider_rulesfile_file. $!\n";
-
- # Write yaml header to the file.
- print FILE "%YAML 1.1\n";
- print FILE "---\n\n";
-
- # Write header to file.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
-
- # Loop through the array of given files.
- foreach my $file (@files) {
- # Check if the given filename exists and write it to the file of used rulefiles.
- if(-f "$rulespath/$file") {
- print FILE " - $file\n";
- }
- }
-
- # Close file after writing.
- close(FILE);
-}
-
-#
-## Function to write the main file for provider rulesfiles inclusions.
+## Function to write the file that contains the rulefiles which are loaded by suricaa.
##
-## This function requires an array of provider handles.
+## This function requires an array of used provider handles.
#
-sub write_main_used_rulefiles_file (@) {
+sub write_used_rulefiles_file (@) {
my (@providers) = @_;
- # Call function to write the static rulefiles file.
- &_write_default_rulefiles_file();
-
- # Open file for used rulefils inclusion.
- open (FILE, ">", "$suricata_used_providers_file") or die "Could not write to $suricata_used_providers_file. $!\n";
-
- # Write yaml header to the file.
- print FILE "%YAML 1.1\n";
- print FILE "---\n\n";
-
- # Write header to file.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
-
- # Loop through the list of given providers.
- foreach my $provider (@providers) {
- # Call function to get the providers used rulefiles file.
- my $filename = &get_used_provider_rulesfile_file($provider);
-
- # Check if the file exists and write it into the used rulefiles file.
- if (-f $filename) {
- # Print the provider to the file.
- print FILE "include\: $filename\n";
- }
- }
-
- # Close the filehandle after writing.
- close(FILE);
-}
-
-sub _write_default_rulefiles_file () {
- # Get enabled application layer protocols.
+ # Get the enabled application layer protocols.
my @enabled_app_layer_protos = &get_suricata_enabled_app_layer_protos();
- # Open file.
- open (FILE, ">", $suricata_default_rulefiles_file) or die "Could not write to $suricata_default_rulefiles_file. $!\n";
+ # Open the file.
+ open (FILE, ">", $suricata_used_rulesfiles_file) or die "Could not write to $suricata_used_rulesfiles_file. $!\n";
- # Write yaml header to the file.
print FILE "%YAML 1.1\n";
print FILE "---\n\n";
}
}
+ # Loop through the array of enabled providers.
+ foreach my $provider (@providers) {
+ # Get the used rulefile for this provider.
+ my @used_rulesfiles = &get_provider_used_rulesfiles($provider);
+
+ # Check if there are
+ if(@used_rulesfiles) {
+ # Add notice to the file.
+ print FILE "\n#Used Rulesfiles for provider $provider.\n";
+
+ # Loop through the array of used rulefiles.
+ foreach my $enabled_rulesfile (@used_rulesfiles) {
+ # Generate name and full path to the rulesfile.
+ my $rulesfile = "$rulespath/$enabled_rulesfile";
+
+ # Write the ruelsfile name to the file.
+ print FILE " - $rulesfile\n";
+ }
+ }
+ }
+
# Close the file handle
close(FILE);
}
#
-## Tiny function to generate the full path and name for the used_provider_rulesfile file of a given provider.
+## Tiny function to generate the full path and name for the file which stores the used rulefiles of a given provider.
#
-sub get_used_provider_rulesfile_file ($) {
+sub get_provider_used_rulesfiles_file ($) {
my ($provider) = @_;
- my $filename = "$settingsdir/suricata\-$provider\-used\-rulefiles.yaml";
+ my $filename = "$settingsdir/$provider\-used\-rulesfiles";
# Return the gernerated file.
return $filename;
}
#
-## Function to generate and write the file for modify the ruleset.
+## Tiny function to generate the full path and name for the file which stores the modifications of a ruleset.
#
-sub write_modify_sids_file() {
- # Get configured settings.
- my %idssettings=();
- &General::readhash("$ids_settings_file", \%idssettings);
-
- # Open modify sid's file for writing.
- open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
-
- # Write file header.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+sub get_provider_ruleset_modifications_file($) {
+ my ($provider) = @_;
- # Check if the traffic only should be monitored.
- unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Suricata is in IPS mode, which means that the rule actions have to be changed
- # from 'alert' to 'drop', however not all rules should be changed. Some rules
- # exist purely to set a flowbit which is used to convey other information, such
- # as a specific type of file being downloaded, to other rulewhich then check for
- # malware in that file. Rules which fall into the first category should stay as
- # alert since not all flows of that type contain malware.
-
- # These types of rulesfiles contain meta-data which gives the action that should
- # be used when in IPS mode. Do the following:
- #
- # 1. Disable all rules and set the action to 'drop'
- # 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
- # This should give rules not in the policy a reasonable default if the user
- # manually enables them.
- # 3. Enable rules and set actions according to the meta-data strings.
-
- my $policy = 'balanced'; # Placeholder to allow policy to be changed.
-
- print FILE <<END;
-modifysid * "^#(?:alert|drop)(.+policy $policy-ips alert)" | "alert\${1}"
-modifysid * "^#(?:alert|drop)(.+policy $policy-ips drop)" | "drop\${1}"
-modifysid * "^(#?)(?:alert|drop)" | "\${1}drop"
-modifysid * "^(#?)drop(.+flowbits:noalert;)" | "\${1}alert\${2}"
-END
- }
+ my $filename = "$settingsdir/$provider\-modifications";
- # Close file handle.
- close(FILE);
+ # Return the filename.
+ return $filename;
}
#
#
## Function to get the used rules files of a given provider.
#
-sub read_used_provider_rulesfiles($) {
+sub get_provider_used_rulesfiles($) {
my ($provider) = @_;
+ # Hash to store the used rulefiles of the provider.
+ my %provider_rulefiles = ();
+
# Array to store the used rulefiles.
my @used_rulesfiles = ();
- # Get the used rulesefile file for the provider.
- my $rulesfile_file = &get_used_provider_rulesfile_file($provider);
-
- # Check if the a used rulesfile exists for this provider.
- if (-f $rulesfile_file) {
- # Open the file or used rulefiles and read-in content.
- open(FILE, $rulesfile_file) or die "Could not open $rulesfile_file. $!\n";
-
- while (<FILE>) {
- # Assign the current line to a nice variable.
- my $line = $_;
-
- # Remove newlines.
- chomp($line);
-
- # Skip comments.
- next if ($line =~ /\#/);
+ # Get the filename which contains the used rulefiles for this provider.
+ my $used_rulesfiles_file = &get_provider_used_rulesfiles_file($provider);
- # Skip blank lines.
- next if ($line =~ /^\s*$/);
+ # Read-in file, if it exists.
+ &General::readhash("$used_rulesfiles_file", \%provider_rulefiles) if (-f $used_rulesfiles_file);
- # Gather the rulefile.
- if ($line =~ /.*- (.*)/) {
- my $rulefile = $1;
+ # Loop through the hash of rulefiles which does the provider offer.
+ foreach my $rulefile (keys %provider_rulefiles) {
+ # Skip disabled rulefiles.
+ next unless($provider_rulefiles{$rulefile} eq "enabled");
- # Add the rulefile to the array of used rulesfiles.
- push(@used_rulesfiles, $rulefile);
- }
- }
+ # The General::readhash function does not allow dots as
+ # key value and limits the key "string" to the part before
+ # the dot, in case it contains one.
+ #
+ # So add the file extension for the rules file manually again.
+ $rulefile = "$rulefile.rules";
- # Close the file.
- close(FILE);
+ # Add the enabled rulefile to the array of enabled rulefiles.
+ push(@used_rulesfiles, $rulefile);
}
# Return the array of used rulesfiles.