From 74cc8f5a3ddafb065dffd885222246842fc8304c Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Tue, 25 Dec 2018 18:40:34 +0100
Subject: [PATCH] ids-functions.pl: Introduce function write_modify_sids_file()

This function is used to write the corresponding file which tells oinkmaster to alter the whole ruleset and finally switches suricata into an IPS or IDS.

Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 22 ++++++++++++++++++++++
 html/cgi-bin/ids.cgi | 19 +++++++++----------
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 1b445ab24f..55786c157c 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -687,4 +687,26 @@ sub write_used_rulefiles_file(@) {
 close(FILE);
 }
+#
+## Function to generate and write the file for modify the ruleset.
+#
+sub write_modify_sids_file($) {
+ my ($ruleaction) = @_;
+ # Open modify sid's file for writing.
+ open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n";
+ # Write file header.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+ # Check if the traffic only should be monitored.
+ unless($ruleaction eq "alert") {
+ # Tell oinkmaster to switch all rules from alert to drop.
+ print FILE "modifysid \* \"alert\" \| \"drop\"\n";
+ }
+ # Close file handle.
+ close(FILE);
+}
+
 1;
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 6a5dce8027..c5fa93ce7b 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
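Review bot: The `close(FILE)` at the end of write_modify_sids_file() is unchecked, so a buffered write that only fails at close (a full disk, for instance) could leave a truncated modify-sids file while the function returns as if it had succeeded; since the `modifysid * "alert" | "drop"` line is what turns the ruleset into IPS mode, such a truncation could silently leave suricata alerting only. Follow the `or die` pattern already used on the `open`: `close(FILE) or die "Could not close $IDS::modify_sids_file. $!\n";`. The bareword `FILE` handle and two-argument `open` mirror write_used_rulefiles_file() just above, but a lexical handle with a three-argument open (`open(my $fh, '>', $IDS::modify_sids_file) or die ...`) would avoid sharing one package-global handle between functions. The header comment could also state the contract the caller relies on, e.g. `## Takes the desired rule action: "alert" keeps every rule as alert (IDS), any other value rewrites alert to drop (IPS).`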
@@ -527,20 +527,19 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 # Generate file to store the home net.
 &IDS::generate_home_net_file();
- # Open modify sid's file for writing.
- open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n";
-
- # Write file header.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+ # Temporary variable to set the ruleaction.
+ # Default is "drop" to use suricata as IPS.
+ my $ruleaction="drop";
 # Check if the traffic only should be monitored.
- unless($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Tell oinkmaster to switch all rules from alert to drop.
- print FILE "modifysid \* \"alert\" \| \"drop\"\n";
+ if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
+ # Switch the ruleaction to "alert".
+ # Suricata acts as an IDS only.
+ $ruleaction="alert";
 }
- # Close file handle.
- close(FILE);
+ # Write the modify sid's file and pass the taken ruleaction.
+ &IDS::write_modify_sids_file($ruleaction);
 # Check if "MONITOR_TRAFFIC_ONLY" has been changed.
 if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
--
2.39.2
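Review bot: The meaning of `$ruleaction` is now a string contract between ids.cgi and write_modify_sids_file(), where only the exact value "alert" keeps IDS mode and anything else becomes drop, but the call-site comment does not say so; a comment such as `# "alert" keeps the ruleset in IDS mode; any other value makes write_modify_sids_file() rewrite every rule to "drop".` would make the coupling visible to the next editor. The new `if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on')` keeps the old code's comparison against a possibly absent form value (an unchecked checkbox is presumably not submitted at all), which warns under `use warnings` but still falls back to "drop", so the default is at least fail-safe toward IPS. The enclosing `if ($cgiparams{'RULESET'} eq $Lang::tr{'save'})` block starts before and ends after this hunk.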