From 849fc8ea15a861a97f2e4d9c74804115fd15ecf5 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sun, 20 Mar 2022 18:08:49 +0100
Subject: [PATCH] ids-functions.pl: Drop oinkmaster related functions and declarations.

They are not longer needed and safely can be dropped.

Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 113 --------------------------------
 1 file changed, 113 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index e09fe04859..ff84e1ad38 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -77,12 +77,6 @@ our $dns_servers_file = "$settingsdir/suricata-dns-servers.yaml";
 # File where the HTTP ports definition is stored.
 our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
 
-# File which contains includes for provider specific rule modifications.
-our $oinkmaster_provider_includes_file = "$settingsdir/oinkmaster-provider-includes.conf";
-
-# File which contains wheater the rules should be changed.
-our $modify_sids_file = "$settingsdir/oinkmaster-modify-sids.conf";
-
 # File which stores the configured IPS settings.
 our $ids_settings_file = "$settingsdir/settings";
 
@@ -177,8 +171,6 @@ my %tr_app_layer_proto = (
 #
 sub check_and_create_filelayout() {
 # Check if the files exist and if not, create them.
- unless (-f "$oinkmaster_provider_includes_file") { &create_empty_file($oinkmaster_provider_includes_file); }
- unless (-f "$modify_sids_file") { &create_empty_file($modify_sids_file); }
 unless (-f "$suricata_used_providers_file") { &create_empty_file($suricata_used_providers_file); }
 unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); }
 unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); }
@@ -1062,65 +1054,6 @@ sub drop_dl_rulesfile ($) {
 }
 }
 
-#
-## Tiny function to get/generate the full path and filename for the providers oinkmaster
-## modified sids file.
-#
-sub get_oinkmaster_provider_modified_sids_file ($) {
- my ($provider) = @_;
- # Generate the filename.
- my $filename = "$settingsdir/oinkmaster-$provider-modified-sids.conf";
- # Return the filename.
- return $filename;
-}
-
-#
-## Function to directly altering the oinkmaster provider includes file.
-##
-## Requires tha acition "remove" or "add" and a provider handle.
-#
-sub alter_oinkmaster_provider_includes_file ($$) {
- my ($action, $provider) = @_;
- # Call function to get the path and name for the given providers
- # oinkmaster modified sids file.
- my $provider_modified_sids_file = &get_oinkmaster_provider_modified_sids_file($provider);
- # Open the file for reading..
- open (FILE, $oinkmaster_provider_includes_file) or die "Could not read $oinkmaster_provider_includes_file. $!\n";
- # Read-in file content.
- my @lines = ;
- # Close file after reading.
- close(FILE);
- # Re-open the file for writing.
- open(FILE, ">", $oinkmaster_provider_includes_file) or die "Could not write to $oinkmaster_provider_includes_file. $!\n";
- # Loop through the file content.
- foreach my $line (@lines) {
- # Remove newlines.
- chomp($line);
- # Skip line if we found our given provider and the action should be remove.
- next if (($line =~ /$provider/) && ($action eq "remove"));
- # Write the read-in line back to the file.
- print FILE "$line\n";
- }
- # Check if the file exists and add the provider if requested.
- if ((-f $provider_modified_sids_file) && ($action eq "add")) {
- print FILE "include $provider_modified_sids_file\n";
- }
- # Close file handle.
- close(FILE);
-}
-
 #
 ## Function to read-in the given enabled or disables sids file.
 #
@@ -1661,52 +1594,6 @@ sub get_provider_ruleset_modifications_file($) {
 return $filename;
 }
 
-#
-## Function to generate and write the file for modify the ruleset.
-#
-sub write_modify_sids_file() {
- # Get configured settings.
- my %idssettings=();
- &General::readhash("$ids_settings_file", \%idssettings);
- # Open modify sid's file for writing.
- open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
- # Write file header.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
- # Check if the traffic only should be monitored.
- unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Suricata is in IPS mode, which means that the rule actions have to be changed
- # from 'alert' to 'drop', however not all rules should be changed. Some rules
- # exist purely to set a flowbit which is used to convey other information, such
- # as a specific type of file being downloaded, to other rulewhich then check for
- # malware in that file. Rules which fall into the first category should stay as
- # alert since not all flows of that type contain malware.
- # These types of rulesfiles contain meta-data which gives the action that should
- # be used when in IPS mode. Do the following:
- #
- # 1. Disable all rules and set the action to 'drop'
- # 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
- # This should give rules not in the policy a reasonable default if the user
- # manually enables them.
- # 3. Enable rules and set actions according to the meta-data strings.
- my $policy = 'balanced'; # Placeholder to allow policy to be changed.
- print FILE <