From e2b74390601118ebb899cd62cfe76424b83361a8 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sun, 24 Jul 2022 14:11:14 +0200
Subject: [PATCH] ids-functions.pl: Add generate_service_ports_file() function.
This function calls the subfunctions from the port helpers library file to gather all the available services and to collect their used ports. That details will be written to a yaml file which can be used by suricata in various rules files.
Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 37 +++++++++++++++++++++++++++++++++
 config/tor/ipfire-tor.rules | 4 ++++
 2 files changed, 41 insertions(+)
 create mode 100644 config/tor/ipfire-tor.rules
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index d97431b4a3..88a0293841 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -27,6 +27,7 @@ package IDS;
 
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/network-functions.pl";
+require "${General::swroot}/ids-ports-helper-lib.pl";
 require "${General::swroot}/suricata/ruleset-sources";
 
 # Load perl module to deal with Archives.
@@ -74,6 +75,9 @@ our $dns_servers_file = "$settingsdir/suricata-dns-servers.yaml";
 # File where the HTTP ports definition is stored.
 our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
 
+# File where the additional services and their ports are stored.
+our $service_ports_file = "$settingsdir/suricata-service-ports.yaml";
+
 # File which stores the configured IPS settings.
 our $ids_settings_file = "$settingsdir/settings";
 
@@ -1425,6 +1429,39 @@ sub generate_http_ports_file() {
 close(FILE);
 }
 
+#
+## Function to create the file, which holds various services and their port details.
+#
+sub generate_service_ports_file() {
+ # Call function in helper library to get the services and ports.
+ my %services = &IDS::Ports::Helper::get_service_ports();
+
+ # Open file to store the services and their ports.
+ open(FILE, ">$service_ports_file") or die "Could not open $service_ports_file. $!\n";
+
+ # Print yaml header.
+ print FILE "%YAML 1.1\n";
+ print FILE "---\n\n";
+
+ # Print notice about autogenerated file.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Loop through the hash of services.
+ foreach my $service (keys %services) {
+ # Grab the port details for the current processed key.
+ my $ports = $services{$service};
+
+ # Convert the service into upper case format.
+ $service = uc($service);
+
+ # Print service and port details.
+ print FILE "$service:\t$ports\n";
+ }
+
+ # Close file handle.
+ close(FILE);
+}
+
 #
 ## Function to write the file that contains the rulefiles which are loaded by suricaa.
 ##
diff --git a/config/tor/ipfire-tor.rules b/config/tor/ipfire-tor.rules
new file mode 100644
index 0000000000..cd19a81f3f
--- /dev/null
+++ b/config/tor/ipfire-tor.rules
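Review bot: The port value is written unquoted on the `print FILE "$service:\t$ports\n";` line, so a value from get_service_ports() that starts with `!` or `[` (the usual Suricata port-group notation) may be read by the YAML parser as a tag or a flow sequence instead of the string Suricata expects, and one such entry stops Suricata from loading every rule file that references these variables; `print FILE "$service:\t\"$ports\"\n";` quotes it the way the stock suricata.yaml quotes its port vars. I cannot see what the helper returns, so confirm whether it already quotes or validates the value before it gets here. `keys %services` is unsorted, so the generated file can differ between runs for the same input; `foreach my $service (sort keys %services) {` makes it stable and easy to diff. The bareword `FILE` and two-argument `open` follow generate_http_ports_file just above, but a lexical three-argument `open(my $fh, '>', $service_ports_file) or die ...` with `close($fh) or die` would avoid the shared global handle and surface buffered write errors.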
@@ -0,0 +1,4 @@
+pass http any !$HTTP_PORTS -> $HOME_NET any (msg:"LOCAL No alerts for HTTP gzip decompression failed"; flowbits:noalert; flow:established; app-layer-event:http.gzip_decompression_failed; sid:998877010; rev:1;)
+pass tls $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any (msg:"LOCAL No alerts for outgoing TLS traffic on tor port"; flowbits:noalert; flow:established; sid:998877011; rev:1;)
+pass tls $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for incomming TLS traffic on tor port"; flowbits:noalert; flow:established; sid:998877012; rev:1;)
+pass ip $EXTERNAL_NET any -> $HOME_NET $TOR_SOCKS_PORT (msg:"LOCAL No alerts for first Data in wrong direction"; flowbits:noalert; flow:established; app-layer-event:applayer_wrong_direction_first_data; sid:998877013; rev:1;)
-- 
2.39.5
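Review bot: The rules reference `$TOR_RELAY_PORT` and `$TOR_SOCKS_PORT`, which nothing in this patch defines; Suricata rejects a rule whose port variable is undefined, so loading this file depends on the generated service-ports yaml (presumably from the ids-functions.pl change) always emitting both names. If the helper library omits one of them, for example when tor is not configured, the whole ipfire-tor.rules file fails to load rather than just the affected rule, so either emit both variables unconditionally or only ship this file when they exist. The third rule's message also misspells the direction; `msg:"LOCAL No alerts for incoming TLS traffic on tor port"` is the fix. Note that `pass` already stops further inspection of the matching flow, so `flowbits:noalert` on these rules is redundant; harmless, but worth a comment if it is intentional.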