From bb39fac4370be88ff3b4abddaca6e7423733796c Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sun, 19 Dec 2021 15:32:52 +0100
Subject: [PATCH] ids-functions.pl: Add get_suricata_enable_app_layer_protos().

This function call suricata to obtain a list of enabled application layer protocols (application/protocol parsers).

Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 47 ++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 2869bcdc44..35c75dddc0 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -122,7 +122,10 @@ my @cron_intervals = ('off', 'daily', 'weekly' );
 my @http_ports = ('80', '81');
 
 # Array which contains a list of rulefiles which always will be included if they exist.
-my @static_included_rulefiles = ('local.rules', 'whitelist.rules' );
+my @static_included_rulefiles = ('local.rules', 'whitelist.rules');
+
+# Array which contains a list of allways enabled application layer protocols.
+my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream');
 
 # Hash which allows to convert the download type (dl_type) to a file suffix.
 my %dl_type_to_suffix = (
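Review bot: The comment introducing `@static_enabled_app_layer_protos` misspells `allways`; `# Array which contains a list of always enabled application layer protocols.` The same spelling appears in the `# Merge allways enabled static ...` comment of the second hunk.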
@@ -1572,6 +1575,48 @@ sub get_suricata_version($) {
 	}
 }
 
+#
+## Function to get the enabled application layer protocols.
+#
+sub get_suricata_enabled_app_layer_protos() {
+	# Array to store and return the enabled app layer protos.
+	my @enabled_app_layer_protos = ();
+
+	# Execute piped suricata command and return the list of
+	# enabled application layer protocols.
+	open(SURICATA, "suricata --list-app-layer-protos |") or die "Could not execute program: $!";
+
+	# Grab and store the list of enabled application layer protocols.
+	my @output = ;
+
+	# Close pipe.
+	close(SURICATA);
+
+	# Merge allways enabled static application layers protocols array.
+	@enabled_app_layer_protos = @static_enabled_app_layer_protos;
+
+	# Loop through the array which contains the output of suricata.
+	foreach my $line (@output) {
+		# Skip header line which starts with "===".
+		next if ($line =~ /^\s*=/);
+
+		# Skip info or warning lines.
+		next if ($line =~ /\s*--/);
+
+		# Remove newlines.
+		chomp($line);
+
+		# Add enabled app layer proto to the array.
+		push(@enabled_app_layer_protos, $line);
+	}
+
+	# Sort the array.
+	@enabled_app_layer_protos = sort(@enabled_app_layer_protos);
+
+	# Return the array.
+	return @enabled_app_layer_protos;
+}
+
 #
 ## Function to generate the rules file with whitelisted addresses.
 #
-- 
2.39.5
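Review bot: `close(SURICATA)` in the new `get_suricata_enabled_app_layer_protos()` discards its return value, and for a piped open that is the only place a non-zero exit status of `suricata` surfaces, so a suricata that starts but exits with an error leaves `@output` empty and the function quietly returns just the static list. The rewrite below moves the pipe to the list form of `open` on a lexical handle, which avoids the intermediate shell and the bareword `SURICATA` (the command string here is fixed, so this is hygiene rather than an injection fix), and dies on a failed `close` using `$!`/`$?`. In the filter loop the leading `\s*` of `/\s*--/` is a no-op and the pattern is unanchored, so any line containing `--` anywhere is dropped; if that is meant for timestamped info/warning lines a comment saying so would help (`# Skip log lines, which carry a "date -- time" stamp.`), and adding `next if $line =~ /\A\s*\z/;` after `chomp` would keep blank lines out of the result. As rendered here `my @output = ;` has lost its readline operand, presumably `<SURICATA>` swallowed by the page, and the commit subject spells the function `get_suricata_enable_app_layer_protos()` while the hunk defines `get_suricata_enabled_app_layer_protos()`. The new sub is complete within the hunk.
```perl
sub get_suricata_enabled_app_layer_protos() {
	# … unchanged: declaration of @enabled_app_layer_protos …

	# Run suricata directly (list form, no shell) on a lexical handle.
	open(my $suricata, '-|', 'suricata', '--list-app-layer-protos')
		or die "Could not execute program: $!";

	# Grab and store the list of enabled application layer protocols.
	my @output = <$suricata>;

	# A non-zero exit status of suricata is only visible here.
	close($suricata)
		or die "suricata --list-app-layer-protos failed: " . ($! ? $! : "exit status $?");

	# … unchanged: merge of the static list, filter loop, sort and return …
```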