ids.cgi: Re-add code to save the ruleset.
authorStefan Schantl <stefan.schantl@ipfire.org>
Mon, 11 Dec 2017 07:33:36 +0000 (08:33 +0100)
committerStefan Schantl <stefan.schantl@ipfire.org>
Thu, 26 Jul 2018 09:43:05 +0000 (11:43 +0200)
Rules that the user manually enables or disables are now written to their
own config files, which oinkmaster uses to keep those rules in the same
state after a rules update has been performed.

In short words, if you adjust your ruleset, the changes will not be lost
again if you perform an update of your ruleset.

* Grabbing and storing the cgi values now in an own hash (%cgiparams)
* Introducing oinkmaster config files for enabled and disabled rules.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
html/cgi-bin/ids.cgi

index daf9b341b512fe5e1e7b96efbe25b19a26b1218b..40d4b88876dc7ceca7cac669ccc0315128372888 100644 (file)
@@ -36,6 +36,7 @@ my %mainsettings = ();
 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
 
 my %snortsettings=();
+my %cgiparams=();
 my %checked=();
 my %selected=();
 my %netsettings=();
@@ -57,7 +58,8 @@ $snortsettings{'OINKCODE'} = '';
 $snortsettings{'INSTALLDATE'} = '';
 $snortsettings{'FILE'} = '';
 
-&Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'});
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
 
 my $snortrulepath = "/etc/snort/rules";
 my $restartsnortrequired = 0;
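Review bot: `%snortsettings` is no longer filled from the request after this change — `getcgihash` now writes only into `%cgiparams` — yet the oink code check a little further down (`if ($snortsettings{'OINKCODE'} ne "")`) still reads `%snortsettings`, whose OINKCODE was just reset to '' above this hunk, so a submitted oink code presumably never reaches that validation unless code outside the hunk copies it across. The dropped `'wantfile' => 1, 'filevar' => 'FH'` options also mean no uploaded rules archive is collected any more, so if the upload form still exists it now silently does nothing. If this is an intermediate step of a larger refactor, a comment such as `# TODO: %snortsettings is no longer populated from the request; OINKCODE/FILE handling below must read %cgiparams` would stop the next reader from treating it as finished.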
@@ -98,6 +100,83 @@ opendir(DIR, $snortrulepath) or die $!;
 
 closedir(DIR);
 
+# Save ruleset.
+if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
+       my $enabled_sids_file = "${General::swroot}/snort/oinkmaster-enabled-sids.conf";
+       my $disabled_sids_file = "${General::swroot}/snort/oinkmaster-disabled-sids.conf";
+
+       # Arrays to store sid which should be added to the corresponding files.
+       my @enabled_sids;
+       my @disabled_sids;
+
+       # Loop through the hash of snortrules.
+       foreach my $rulefile(keys %snortrules) {
+               # Loop through the single rules of the rulefile.
+               foreach my $sid (keys %{$snortrules{$rulefile}}) {
+                       # Check if there exists a key in the cgiparams hash for this sid.
+                       if (exists($cgiparams{$sid})) {
+                               # Look if the rule is disabled.
+                               if ($snortrules{$rulefile}{$sid}{'State'} eq "off") {
+                                       # Check if the state has been set to 'on'.
+                                       if ($cgiparams{$sid} eq "on") {
+                                               # Add the sid to the enabled_sids array.
+                                               push(@enabled_sids, $sid);
+
+                                               # Drop item from cgiparams hash.
+                                               delete $cgiparams{$sid};
+                                       }
+                               }
+                       } else {
+                               # Look if the rule is enabled.
+                               if ($snortrules{$rulefile}{$sid}{'State'} eq "on") {
+                                       # Check if the state is 'on' and should be disabled.
+                                       # In this case there is no entry
+                                       # for the sid in the cgiparams hash.
+                                       # Add it to the disabled_sids array.
+                                       push(@disabled_sids, $sid);
+
+                                       # Drop item from cgiparams hash.
+                                       delete $cgiparams{$sid};
+                               }
+                       }
+               }
+       }
+
+       # Check if the enabled_sids array contains any sid's.
+       if (@enabled_sids) {
+               # Open enabled sid's file for writing.
+               open(FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n";
+
+               # Write header to file.
+               print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+               # Loop through the array of enabled sids and write them to the file.
+               foreach my $sid (@enabled_sids) {
+                       print FILE "enable_sid $sid\n";
+               }
+
+               # Close file after writing.
+               close(FILE);
+       }
+
+       # Check if the enabled_sids array contains any sid's.
+       if (@disabled_sids) {
+                # Open disabled sid's file for writing.
+                open(FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n";
+
+                # Write header to file.
+                print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+                # Loop through the array of disabled sids and write them to the file.
+                foreach my $sid (@disabled_sids) {
+                        print FILE "disable_sid $sid\n";
+                }
+
+                # Close file after writing.
+                close(FILE);
+        }
+}
+
 if ($snortsettings{'OINKCODE'} ne "") {
        $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/);
 }
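Review bot: The two sid files are overwritten with only the sids that changed in this request — the arrays are filled relative to the on-disk state of the rule file, and a file is not touched at all when its array is empty — so a rule disabled in an earlier save, which the commit message says oinkmaster will then comment out in the rule file, is no longer in `@disabled_sids` on the next save and either drops out of `oinkmaster-disabled-sids.conf` or lingers there as a stale entry after a later change; the persistence this commit is meant to provide presumably only holds until the second save. The fix sketched below reads the existing `enable_sid`/`disable_sid` entries, applies this request's changes with a sid moving between the two sets, and rewrites both files every time. While touching the writes, use the three-argument `open` with a lexical handle and check `close`, since buffered write errors surface only there. The `die` calls also put `$!` straight into the CGI response; the file's `$errormessage` mechanism, visible just below the hunk, is the usual place for that. That oinkmaster rewrites the rule files so an earlier choice shows up as 'off' here is inferred from the commit message rather than visible in the hunk.
```perl
        # … unchanged: loop over %snortrules filling @enabled_sids / @disabled_sids …

        # Merge this request's changes with what earlier saves wrote, so that a
        # choice survives more than one save; a sid can only be in one of the sets.
        my (%enabled, %disabled);
        foreach my $entry ([$enabled_sids_file, 'enable_sid', \%enabled],
                           [$disabled_sids_file, 'disable_sid', \%disabled]) {
                my ($file, $keyword, $set) = @$entry;
                if (open(my $in, '<', $file)) {
                        while (my $line = <$in>) {
                                $set->{$1} = 1 if ($line =~ /^\Q$keyword\E\s+(\S+)\s*$/);
                        }
                        close($in);
                }
        }
        delete @disabled{@enabled_sids};
        delete @enabled{@disabled_sids};
        $enabled{$_}  = 1 foreach (@enabled_sids);
        $disabled{$_} = 1 foreach (@disabled_sids);

        # Rewrite both files on every save so nothing stale is left behind.
        foreach my $entry ([$enabled_sids_file, 'enable_sid', \%enabled],
                           [$disabled_sids_file, 'disable_sid', \%disabled]) {
                my ($file, $keyword, $set) = @$entry;
                open(my $out, '>', $file) or die "Could not write to $file. $!\n";
                print $out "#Autogenerated file. Any custom changes will be overwritten!\n";
                print $out "$keyword $_\n" foreach (sort keys %$set);
                close($out) or die "Could not write to $file. $!\n";
        }
```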
@@ -340,6 +419,8 @@ if ($results ne '') {
 &Header::closebox();
 
 &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'});
+       print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
+
        # Output display table for rule files
        print "<table width='100%'>\n";
 
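Review bot: The new form submits state-changing input (which IDS rules are enabled) with no anti-CSRF token, and nothing in the `RULESET` save path added by this commit checks an origin or token either; if the web UI authenticates only through credentials the browser sends automatically, as appliance GUIs of this kind usually do, a page on another site could POST to this script and toggle rules. This is presumably shared with the file's other forms and therefore a broader change, but it deserves a comment on the form tag, e.g. `# NOTE: no CSRF protection; the RULESET save path trusts any authenticated POST`. The `$ENV{'SCRIPT_NAME'}` interpolated into the action attribute is supplied by the web server, so that part is fine.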
@@ -352,7 +433,7 @@ if ($results ne '') {
                my $rulechecked = '';
 
                # Check if rule file is enabled
-               if ($snortrules{$rulefile}{"State"} eq 'Enabled') {
+               if ($snortrules{$rulefile}{"State"} eq 'On') {
                        $rulechecked = 'CHECKED';
                }
 
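Review bot: The rule-file check now compares `State` with the capitalised `'On'`, while every other state string this commit introduces is lowercase — the per-rule check in the next hunk uses `'on'` and `readrulesfile` writes `"on"`/`"off"` — so if the rule-file-level state is set with the same lowercase convention (its writer is outside this diff) this condition never matches and the rule-file checkbox always renders unchecked. Suggest `if ($snortrules{$rulefile}{"State"} eq 'on') {` or, better, a single pair of named constants for the two state values used in all four places.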
@@ -400,7 +481,7 @@ if ($results ne '') {
                        }
 
                        # Set rule state
-                       if ($snortrules{$rulefile}{$sid}{'State'} eq 'Enabled') {
+                       if ($snortrules{$rulefile}{$sid}{'State'} eq 'on') {
                                $ruledefchecked = 'CHECKED';
                        }
 
@@ -432,11 +513,12 @@ if ($results ne '') {
 print <<END
 <table width='100%'>
 <tr>
-       <td width='100%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'update'}'>
+       <td width='100%' align='right'><input type='submit' name='RULESET' value='$Lang::tr{'update'}'>
                &nbsp; <!-- space for future online help link -->
        </td>
 </tr>
 </table>
+</form>
 END
 ;
 &Header::closebox();
@@ -512,10 +594,10 @@ sub readrulesfile ($) {
                                # Grab status of the rule. Check if ruleline starts with a "dash".
                                if ($line =~ /^\#/) {
                                        # If yes, the rule is disabled.
-                                       $snortrules{$rulefile}{$sid}{'State'} = "Disabled";
+                                       $snortrules{$rulefile}{$sid}{'State'} = "off";
                                } else {
                                        # Otherwise the rule is enabled.
-                                       $snortrules{$rulefile}{$sid}{'State'} = "Enabled";
+                                       $snortrules{$rulefile}{$sid}{'State'} = "on";
                                }
                        }
                }
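Review bot: The comment directly above the changed lines (a context line) still says the rule line is checked for a leading "dash", but the regex `/^\#/` tests for a hash sign, which is what a commented-out Snort rule carries; suggest `# Grab status of the rule. A rule line starting with '#' is commented out and therefore disabled.` The `"on"`/`"off"` literals written here are compared in at least two other places in this commit, so a stray capitalisation (the rule-file check elsewhere in this diff uses `'On'`) silently breaks the comparison; a pair of named constants would make such a mismatch impossible. `readrulesfile` starts and ends outside this hunk, so I cannot tell whether leading whitespace is stripped before the `^\#` anchor is applied.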