require '/var/ipfire/general-functions.pl';
require "${General::swroot}/network-functions.pl";
+require "${General::swroot}/ids-ports-helper-lib.pl";
require "${General::swroot}/suricata/ruleset-sources";
# Load perl module to deal with Archives.
# File where the HTTP ports definition is stored.
our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
+# File where the additional services and their ports are stored.
+our $service_ports_file = "$settingsdir/suricata-service-ports.yaml";
+
# File which stores the configured IPS settings.
our $ids_settings_file = "$settingsdir/settings";
close(FILE);
}
+#
+## Function to create the file, which holds various services and their port details.
+#
+sub generate_service_ports_file() {
+ # Call function in helper library to get the services and ports.
+ my %services = &IDS::Ports::Helper::get_service_ports();
+
+ # Open file to store the services and their ports.
+ open(FILE, ">$service_ports_file") or die "Could not open $service_ports_file. $!\n";
+
+ # Print yaml header.
+ print FILE "%YAML 1.1\n";
+ print FILE "---\n\n";
+
+ # Print notice about autogenerated file.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Loop through the hash of services.
+ foreach my $service (keys %services) {
+ # Grab the port details for the current processed key.
+ my $ports = $services{$service};
+
+ # Convert the service into upper case format.
+ $service = uc($service);
+
+ # Print service and port details.
+ print FILE "$service:\t$ports\n";
+ }
+
+ # Close file handle.
+ close(FILE);
+}
+
#
## Function to write the file that contains the rulefiles which are loaded by suricaa.
##
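Review bot: generate_service_ports_file (lines L18–L46) opens the output with a two-argument open on a bareword handle and never checks close, so a short write to the YAML file Suricata later loads goes unnoticed; change the open to `open(FILE, '>', $service_ports_file) or die "Could not open $service_ports_file. $!\n";` and the close to `close(FILE) or die "Could not write $service_ports_file. $!\n";`. The loop iterates `keys %services` in hash order, which makes the generated file's line order vary between runs and needlessly noisy to diff; `foreach my $service (sort keys %services) {` fixes that without changing what is written. The port values come straight from the helper library and are printed unquoted, which is fine as long as the helper always returns a YAML-safe scalar — a short comment above the print stating that assumption, such as `# Port values are emitted verbatim; the helper is expected to return YAML-safe strings.`, would make the contract explicit.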
--- /dev/null
+pass http any !$HTTP_PORTS -> $HOME_NET any (msg:"LOCAL No alerts for HTTP gzip decompression failed"; flowbits:noalert; flow:established; app-layer-event:http.gzip_decompression_failed; sid:998877010; rev:1;)
+pass tls $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for outgoing TLS traffic on tor port"; flowbits:noalert; flow:established; sid:998877011; rev:1;)
+pass tls $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for incomming TLS traffic on tor port"; flowbits:noalert; flow:established; sid:998877012; rev:1;)
+pass ip $EXTERNAL_NET any -> $HOME_NET $TOR_SOCKS_PORT (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:998877013; rev:1;)