ids-functions.pl: Introduce merge_classifications() function.
authorStefan Schantl <stefan.schantl@ipfire.org>
Sun, 28 Mar 2021 10:47:23 +0000 (12:47 +0200)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sun, 19 Dec 2021 12:22:59 +0000 (13:22 +0100)
This function is used to merge the individual classification files
provided by the providers.

The result will be written to the classification.config which will be
used by the IDS.

Fixes #11884.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/cfgroot/ids-functions.pl

index 8ee56a07eae69fb85ca28778ac3e87d75c6a2e1d..f9bf07af3939dcc6deec438058067b91736481ee 100644 (file)
@@ -80,6 +80,9 @@ our $ids_page_lock_file = "/tmp/ids_page_locked";
 # Location where the rulefiles are stored.
 our $rulespath = "/var/lib/suricata";
 
+# Location of the classification file.
+our $classification_file = "$rulespath/classification.config";
+
 # Location to store local rules. This file will not be touched.
 our $local_rules_file = "$rulespath/local.rules";
 
@@ -539,6 +542,71 @@ sub oinkmaster () {
        closelog();
 }
 
+#
+## Function to merge the classifications for a given amount of providers and write them
+## to the classifications file.
+#
+sub merge_classifications(@) {
+       my @providers = @_;
+
+       # Hash to store all collected classifications.
+       my %classifications = ();
+
+       # Loop through the given array of providers.
+       foreach my $provider (@providers) {
+               # Generate full path to classification file.
+               my $classification_file = "$tmp_directory/conf/$provider\-classification.config";
+
+               # Skip provider if no classification file exists.
+               next unless (-f "$classification_file");
+
+               # Open the classification file.
+               open(CLASSIFICATION, $classification_file) or die "Could not open file $classification_file. $!\n";
+
+               # Loop through the file content.
+               while(<CLASSIFICATION>) {
+                       # Parse the file and grab the classification details.
+                       if ($_ =~/.*config classification\: (.*)/) {
+                               # Split the grabbed details.
+                               my ($short_name, $short_desc, $priority) = split("\,", $1);
+
+                               # Check if the grabbed classification is allready known and the priority value is greater
+                               # than the stored one (which causes less priority in the IDS).
+                               if (($classifications{$short_name}) && ($classifications{$short_name}[1] >= $priority)) {
+                                       #Change the priority value to the stricter one.
+                                       $classifications{$short_name} = [ "$classifications{$short_name}[0]", "$priority" ];
+                               } else {
+                                       # Add the classification to the hash.
+                                       $classifications{$short_name} = [ "$short_desc", "$priority" ];
+                               }
+                       }
+               }
+
+               # Close the file.
+               close(CLASSIFICATION);
+       }
+
+       # Open classification file for writing.
+       open(FILE, ">", "$classification_file") or die "Could not write to $classification_file. $!\n";
+
+       # Print notice about autogenerated file.
+       print FILE "#Autogenerated file. Any custom changes will be overwritten!\n\n";
+
+       # Sort and loop through the hash of classifications.
+       foreach my $key (sort keys %classifications) {
+               # Assign some nice variable names for the items.
+               my $short_name = $key;
+               my $short_desc = $classifications{$key}[0];
+               my $priority = $classifications{$key}[1];
+
+               # Write the classification to the file.
+               print FILE "config classification: $short_name,$short_desc,$priority\n";
+       }
+
+       # Close file handle.
+       close(FILE);
+}
+
 #
 ## Function to do all the logging stuff if the downloading or updating of the ruleset fails.
 #
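Review bot: The write handle is closed unchecked at `close(FILE);` near the end of merge_classifications, so a failed flush of the buffered output (disk full, I/O error) leaves a truncated classification.config for the IDS to load while the function returns as if it had succeeded; the open on the same path already dies on failure and the close should too: `close(FILE) or die "Could not write to $classification_file. $!\n";`. The per-provider read uses the two-argument `open(CLASSIFICATION, $classification_file)` with a bareword handle; the three-argument form `open(my $fh, "<", $classification_file) or die ...` keeps the path from being interpreted as a mode string and matches the write side a few lines below. The loop's lexical `my $classification_file` shadows the `our $classification_file` introduced by the first hunk, so inside the loop the name is the per-provider input and after the loop it is the merged output, which reads as if the same file were being opened twice; renaming the loop variable to `$provider_classification_file` removes the ambiguity. The comment above the priority check states the condition in reverse of what the code tests: the branch replaces the stored entry when the stored priority is `>=` the new one, i.e. it keeps the numerically lowest value, so `# Keep the numerically lowest priority (the stricter one in the IDS) when the classification is already known.` would describe the branch accurately (and fixes "allready").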