# Arrays to store which rulefiles have been enabled and will be used.
my @enabled_rulefiles;
- # Hash to store the user-enabled and disabled sids.
- my %enabled_disabled_sids;
-
# Store if a restart of suricata is required.
my $suricata_restart_required;
}
}
- # Read-in the files for enabled/disabled sids.
- # This will be done by calling the read_enabled_disabled_sids_file function two times
- # and merge the returned hashes together into the enabled_disabled_sids hash.
- %enabled_disabled_sids = (
- &read_enabled_disabled_sids_file($IDS::disabled_sids_file),
- &read_enabled_disabled_sids_file($IDS::enabled_sids_file));
+ # Open oinkmaster main include file for provider modifications.
+ open(OINKM_INCL_FILE, ">", "$IDS::oinkmaster_provider_includes_file") or die "Could not open $IDS::oinkmaster_provider_includes_file. $!\n";
- # Loop through the hash of idsrules.
- foreach my $rulefile (keys %idsrules) {
- # Loop through the single rules of the rulefile.
- foreach my $sid (keys %{$idsrules{$rulefile}}) {
- # Skip the current sid if it is not numeric.
- next unless ($sid =~ /\d+/ );
-
- # Check if there exists a key in the cgiparams hash for this sid.
- if (exists($cgiparams{$sid})) {
- # Look if the rule is disabled.
- if ($idsrules{$rulefile}{$sid}{'State'} eq "off") {
- # Check if the state has been set to 'on'.
- if ($cgiparams{$sid} eq "on") {
- # Add/Modify the sid to/in the enabled_disabled_sids hash.
- $enabled_disabled_sids{$sid} = "enabled";
+ # Print file header and notice about autogenerated file.
+ print OINKM_INCL_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Get enabled providers.
+ my @enabled_providers = &IDS::get_enabled_providers();
+
+ # Loop through the array of enabled providers.
+ foreach my $provider (@enabled_providers) {
+ # Hash to store the used-enabled and disabled sids.
+ my %enabled_disabled_sids;
+
+ # Generate modified sids file name for the current processed provider.
+ my $providers_modified_sids_file = "$IDS::settingsdir/oinkmaster-$provider-modified-sids.conf";
+
+ # Check if a modified sids file for this provider exists.
+ if (-f $providers_modified_sids_file) {
+ # Read-in the file for enabled/disabled sids.
+ %enabled_disabled_sids = &read_enabled_disabled_sids_file($providers_modified_sids_file);
+ }
+
+ # Loop through the hash of idsrules.
+ foreach my $rulefile (keys %idsrules) {
+ # Split the rulefile to get the vendor.
+ my @filename_parts = split(/-/, $rulefile);
+
+ # Assign rulefile vendor.
+ my $rulefile_vendor = @filename_parts[0];
+
+ # Skip the rulefile if the vendor is not our current processed provider.
+ next unless ($rulefile_vendor eq $provider);
+
+ # Loop through the single rules of the rulefile.
+ foreach my $sid (keys %{$idsrules{$rulefile}}) {
+ # Skip the current sid if it is not numeric.
+ next unless ($sid =~ /\d+/ );
+
+ # Check if there exists a key in the cgiparams hash for this sid.
+ if (exists($cgiparams{$sid})) {
+ # Look if the rule is disabled.
+ if ($idsrules{$rulefile}{$sid}{'State'} eq "off") {
+ # Check if the state has been set to 'on'.
+ if ($cgiparams{$sid} eq "on") {
+ # Add/Modify the sid to/in the enabled_disabled_sids hash.
+ $enabled_disabled_sids{$sid} = "enabled";
+
+ # Drop item from cgiparams hash.
+ delete $cgiparams{$rulefile}{$sid};
+ }
+ }
+ } else {
+ # Look if the rule is enabled.
+ if ($idsrules{$rulefile}{$sid}{'State'} eq "on") {
+ # Check if the state is 'on' and should be disabled.
+ # In this case there is no entry
+ # for the sid in the cgiparams hash.
+ # Add/Modify it to/in the enabled_disabled_sids hash.
+ $enabled_disabled_sids{$sid} = "disabled";
# Drop item from cgiparams hash.
delete $cgiparams{$rulefile}{$sid};
}
}
- } else {
- # Look if the rule is enabled.
- if ($idsrules{$rulefile}{$sid}{'State'} eq "on") {
- # Check if the state is 'on' and should be disabled.
- # In this case there is no entry
- # for the sid in the cgiparams hash.
- # Add/Modify it to/in the enabled_disabled_sids hash.
- $enabled_disabled_sids{$sid} = "disabled";
-
- # Drop item from cgiparams hash.
- delete $cgiparams{$rulefile}{$sid};
- }
}
}
- }
- # Open enabled sid's file for writing.
- open(ENABLED_FILE, ">$IDS::enabled_sids_file") or die "Could not write to $IDS::enabled_sids_file. $!\n";
-
- # Open disabled sid's file for writing.
- open(DISABLED_FILE, ">$IDS::disabled_sids_file") or die "Could not write to $IDS::disabled_sids_file. $!\n";
-
- # Write header to the files.
- print ENABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
- print DISABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
-
- # Check if the hash for enabled/disabled files contains any entries.
- if (%enabled_disabled_sids) {
- # Loop through the hash.
- foreach my $sid (keys %enabled_disabled_sids) {
- # Check if the sid is enabled.
- if ($enabled_disabled_sids{$sid} eq "enabled") {
- # Print the sid to the enabled_sids file.
- print ENABLED_FILE "enablesid $sid\n";
- # Check if the sid is disabled.
- } elsif ($enabled_disabled_sids{$sid} eq "disabled") {
- # Print the sid to the disabled_sids file.
- print DISABLED_FILE "disablesid $sid\n";
- # Something strange happende - skip the current sid.
- } else {
- next;
+ # Check if the hash for enabled/disabled sids contains any entries.
+ if (%enabled_disabled_sids) {
+ # Open providers modified sids file for writing.
+ open(PROVIDER_MOD_FILE, ">$providers_modified_sids_file") or die "Could not write to $providers_modified_sids_file. $!\n";
+
+ # Write header to the files.
+ print PROVIDER_MOD_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Loop through the hash.
+ foreach my $sid (keys %enabled_disabled_sids) {
+ # Check if the sid is enabled.
+ if ($enabled_disabled_sids{$sid} eq "enabled") {
+ # Print the sid to the enabled_sids file.
+ print PROVIDER_MOD_FILE "enablesid $sid\n";
+ # Check if the sid is disabled.
+ } elsif ($enabled_disabled_sids{$sid} eq "disabled") {
+ # Print the sid to the disabled_sids file.
+ print PROVIDER_MOD_FILE "disablesid $sid\n";
+ # Something strange happende - skip the current sid.
+ } else {
+ next;
+ }
}
+
+ # Close file handle for the providers modified sids file.
+ close(PROVIDER_MOD_FILE);
+
+ # Add the file to the oinkmasters include file.
+ print OINKM_INCL_FILE "include $providers_modified_sids_file\n";
}
}
- # Close file for enabled_sids after writing.
- close(ENABLED_FILE);
-
- # Close file for disabled_sids after writing.
- close(DISABLED_FILE);
+ # Close the file handle after writing.
+ close(OINKM_INCL_FILE);
# Handle enabled / disabled rulefiles.
#
- # Get enabled providers.
- my @enabled_providers = &IDS::get_enabled_providers();
# Loop through the array of enabled providers.
foreach my $provider(@enabled_providers) {
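Review bot: `my $rulefile_vendor = @filename_parts[0];` in the vendor assignment uses a one-element array slice where a scalar is meant, which `use warnings` reports as "Scalar value @filename_parts[0] better written as $filename_parts[0]"; change it to `my $rulefile_vendor = $filename_parts[0];`. The per-provider file is opened with the two-argument form `open(PROVIDER_MOD_FILE, ">$providers_modified_sids_file")` while the include file a few lines earlier already uses the three-argument form; make it `open(PROVIDER_MOD_FILE, ">", $providers_modified_sids_file)` and check the return of both `close` calls, since errors on buffered write handles only surface at close. The two `delete $cgiparams{$rulefile}{$sid};` lines do not remove the key that `exists($cgiparams{$sid})` tested; they autovivify `$cgiparams{$rulefile}` as a hashref and delete nothing relevant, so the "Drop item from cgiparams hash" comment does not describe what happens and `delete $cgiparams{$sid};` was probably intended. Because `$provider` becomes part of the modified-sids path and of the `include` line written to the oinkmaster include file, this code relies on get_enabled_providers() returning only plain identifiers without `/` or `..`; if that is not guaranteed upstream, an anchored check such as `next unless $provider =~ /\A[A-Za-z0-9_]+\z/;` before the path is built would close that gap. The enclosing subroutine starts and ends outside the hunk.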