# File where the HTTP ports definition is stored.
our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
-# File which contains includes for provider specific rule modifications.
-our $oinkmaster_provider_includes_file = "$settingsdir/oinkmaster-provider-includes.conf";
-
-# File which contains wheater the rules should be changed.
-our $modify_sids_file = "$settingsdir/oinkmaster-modify-sids.conf";
-
# File which stores the configured IPS settings.
our $ids_settings_file = "$settingsdir/settings";
#
sub check_and_create_filelayout() {
# Check if the files exist and if not, create them.
- unless (-f "$oinkmaster_provider_includes_file") { &create_empty_file($oinkmaster_provider_includes_file); }
- unless (-f "$modify_sids_file") { &create_empty_file($modify_sids_file); }
unless (-f "$suricata_used_providers_file") { &create_empty_file($suricata_used_providers_file); }
unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); }
unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); }
}
}
-#
-## Tiny function to get/generate the full path and filename for the providers oinkmaster
-## modified sids file.
-#
-sub get_oinkmaster_provider_modified_sids_file ($) {
- my ($provider) = @_;
-
- # Generate the filename.
- my $filename = "$settingsdir/oinkmaster-$provider-modified-sids.conf";
-
- # Return the filename.
- return $filename;
-}
-
-#
-## Function to directly altering the oinkmaster provider includes file.
-##
-## Requires tha acition "remove" or "add" and a provider handle.
-#
-sub alter_oinkmaster_provider_includes_file ($$) {
- my ($action, $provider) = @_;
-
- # Call function to get the path and name for the given providers
- # oinkmaster modified sids file.
- my $provider_modified_sids_file = &get_oinkmaster_provider_modified_sids_file($provider);
-
- # Open the file for reading..
- open (FILE, $oinkmaster_provider_includes_file) or die "Could not read $oinkmaster_provider_includes_file. $!\n";
-
- # Read-in file content.
- my @lines = <FILE>;
-
- # Close file after reading.
- close(FILE);
-
- # Re-open the file for writing.
- open(FILE, ">", $oinkmaster_provider_includes_file) or die "Could not write to $oinkmaster_provider_includes_file. $!\n";
-
- # Loop through the file content.
- foreach my $line (@lines) {
- # Remove newlines.
- chomp($line);
-
- # Skip line if we found our given provider and the action should be remove.
- next if (($line =~ /$provider/) && ($action eq "remove"));
-
- # Write the read-in line back to the file.
- print FILE "$line\n";
- }
-
- # Check if the file exists and add the provider if requested.
- if ((-f $provider_modified_sids_file) && ($action eq "add")) {
- print FILE "include $provider_modified_sids_file\n";
- }
-
- # Close file handle.
- close(FILE);
-}
-
#
## Function to read-in the given enabled or disables sids file.
#
return $filename;
}
-#
-## Function to generate and write the file for modify the ruleset.
-#
-sub write_modify_sids_file() {
- # Get configured settings.
- my %idssettings=();
- &General::readhash("$ids_settings_file", \%idssettings);
-
- # Open modify sid's file for writing.
- open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
-
- # Write file header.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
-
- # Check if the traffic only should be monitored.
- unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Suricata is in IPS mode, which means that the rule actions have to be changed
- # from 'alert' to 'drop', however not all rules should be changed. Some rules
- # exist purely to set a flowbit which is used to convey other information, such
- # as a specific type of file being downloaded, to other rulewhich then check for
- # malware in that file. Rules which fall into the first category should stay as
- # alert since not all flows of that type contain malware.
-
- # These types of rulesfiles contain meta-data which gives the action that should
- # be used when in IPS mode. Do the following:
- #
- # 1. Disable all rules and set the action to 'drop'
- # 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
- # This should give rules not in the policy a reasonable default if the user
- # manually enables them.
- # 3. Enable rules and set actions according to the meta-data strings.
-
- my $policy = 'balanced'; # Placeholder to allow policy to be changed.
-
- print FILE <<END;
-modifysid * "^#(?:alert|drop)(.+policy $policy-ips alert)" | "alert\${1}"
-modifysid * "^#(?:alert|drop)(.+policy $policy-ips drop)" | "drop\${1}"
-modifysid * "^(#?)(?:alert|drop)" | "\${1}drop"
-modifysid * "^(#?)drop(.+flowbits:noalert;)" | "\${1}alert\${2}"
-END
- }
-
- # Close file handle.
- close(FILE);
-}
-
#
## Function to get the subscription code of a configured provider.
#