From b953677b0d05202f69bb2ef06e9b628c39ea37f2 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Mon, 29 Mar 2021 16:51:18 +0200
Subject: [PATCH] ids-functions.pl: Rework oinkmaster() function.
Rework the function to work with the latest changes and multiple providers. The function now does the following:
* Extract the stored rules tarballs for all enabled providers.
* Copy rules files for enabled providers which provide plain files.
* Still calls oinkmaster to set up the rules and modify them.
* Calls the merge functions for classification and sid to msg files.
Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 66 +++++++++++++++++++++++++++++++--
 1 file changed, 63 insertions(+), 3 deletions(-)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index e5c1910439..daa0044931 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -512,15 +512,61 @@ sub extractruleset ($) {
 }
 
 #
-## A tiny wrapper function to call the oinkmaster script.
+## A wrapper function to call the oinkmaster script, setup the rules structues and
+## call the functions to merge the additional config files. (classification, sid-msg, etc.).
 #
 sub oinkmaster () {
+ # Load perl module for file copying.
+ use File::Copy;
+
+ # Hash to store the used providers.
+ my %used_providers = ();
+
+ # Array to store the enabled providers.
+ my @enabled_providers = ();
+
 # Check if the files in rulesdir have the correct permissions.
 &_check_rulesdir_permissions();
 
- # Cleanup the rules directory before filling it with the new rulest.
+ # Cleanup the rules directory before filling it with the new rulests.
 &_cleanup_rulesdir();
 
+ # Read-in the providers config file.
+ &General::readhasharray("$providers_settings_file", \%used_providers);
+
+ # Loop through the hash of used_providers.
+ foreach my $id (keys %used_providers) {
+ # Skip disabled providers.
+ next unless ($used_providers{$id}[3] eq "enabled");
+
+ # Grab the provider handle.
+ my $provider = "$used_providers{$id}[0]";
+
+ # Add the provider handle to the array of enabled providers.
+ push(@enabled_providers, $provider);
+
+ # Omit the type (dl_type) of the stored ruleset.
+ my $type = $IDS::Ruleset::Providers{$provider}{'dl_type'};
+
+ # Handle the different ruleset types.
+ if ($type eq "archive") {
+ # Call the extractruleset function.
+ &extractruleset($provider);
+ } elsif ($type eq "plain") {
+ # Generate filename and full path for the stored rulesfile.
+ my $dl_rulesfile = &_get_dl_rulesfile($provider);
+
+ # Generate destination filename an full path.
+ my $destination = "$tmp_rules_directory/$provider\-ruleset.rules";
+
+ # Copy the file into the temporary rules directory.
+ copy($dl_rulesfile, $destination);
+ } else {
+ # Skip unknown type.
+ next;
+ }
+ }
+
 # Load perl module to talk to the kernel syslog.
 use Sys::Syslog qw(:DEFAULT setlogsock);
 
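Review bot: `copy($dl_rulesfile, $destination);` in the `plain` branch discards File::Copy's return value, so a failed copy (missing download, unreadable file, full disk) leaves that provider's rules silently out of the ruleset oinkmaster later builds; the `open ... or die` a few lines further down shows the file's convention, so `copy($dl_rulesfile, $destination) or die "Could not copy $dl_rulesfile to $destination: $!\n";` fits. `push(@enabled_providers, $provider);` also runs before the `dl_type` dispatch, so a provider whose handle is missing from `%IDS::Ruleset::Providers` or has an unknown type is skipped here but is still handed to `merge_classifications`/`merge_sid_msg` in the last hunk; moving the push into the `archive`/`plain` branches keeps the list consistent with what was actually extracted and makes the trailing `else { next; }` (a no-op at the end of the loop body) unnecessary. Since `$provider` comes straight from the providers settings file and becomes a component of `$destination`, that hash lookup is presumably the only thing keeping an unexpected handle out of the path, which deserves a comment such as `# Only handles known to %IDS::Ruleset::Providers reach the copy below.` next to the lookup. Comment nits: `structues` → `structures`, `rulests` → `ruleset`, `Omit the type` → `Obtain the type`, `an full path` → `and full path`. `oinkmaster()` continues past the end of this hunk.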
@@ -528,7 +574,7 @@ sub oinkmaster () {
 openlog('oinkmaster', 'cons,pid', 'user');
 
 # Call oinkmaster to generate ruleset.
- open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath 2>&1 |") or die "Could not execute oinkmaster $!\n";
+ open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -s -u dir://$tmp_rules_directory -C $settingsdir/oinkmaster.conf -o $rulespath 2>&1 |") or die "Could not execute oinkmaster $!\n";
 
 # Log output of oinkmaster to syslog.
 while() {
@@ -545,6 +591,20 @@ sub oinkmaster () {
 
 # Close the log handle.
 closelog();
+
+ use Data::Dumper;
+
+ print Dumper \@enabled_providers;
+
+ # Call function to merge the classification files.
+ &merge_classifications(@enabled_providers);
+
+ # Call function to merge the sid to message mapping files.
+ &merge_sid_msg(@enabled_providers);
+
+ # Cleanup temporary directory.
+ # XXX - not implemented yet.
+ # &cleanup_tmp_directory();
 }
 
 #
-- 
2.39.2
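Review bot: The rewritten `open(OINKMASTER, "... -u dir://$tmp_rules_directory ... 2>&1 |")` still assembles the oinkmaster command as one string and hands it to a shell through a two-argument pipe open on a bareword handle, so `$tmp_rules_directory` (like `$settingsdir` and `$rulespath`) must never contain whitespace or shell metacharacters; that is presumably fine while they are fixed constants in this file, but it is worth stating on the line, e.g. `# Paths are interpolated into a shell command line: keep them free of whitespace and metacharacters.` The list form `open(my $oinkmaster_fh, '-|', '/usr/local/bin/oinkmaster.pl', '-s', '-u', "dir://$tmp_rules_directory", '-C', "$settingsdir/oinkmaster.conf", '-o', $rulespath)` would take the shell out of the path entirely, at the cost of handling stderr separately, since the `2>&1` redirect only exists because a shell is involved. Whether `$rulestarball`, which this line no longer references, is still used elsewhere in the file cannot be seen from the hunk. `oinkmaster()` starts in the previous hunk and the `while` loop reading the handle continues below this one.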
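Review bot: `use Data::Dumper;` and `print Dumper \@enabled_providers;` after `closelog();` look like debugging leftovers: they write the provider list to the STDOUT of whatever calls `oinkmaster()`, while every other message in this function goes to syslog, and `use` is compile-time and file-scoped, so placing it mid-function is misleading as well; drop both lines, or if the list is worth recording, log it before `closelog()` with `syslog('info', 'Enabled providers: %s', join(', ', @enabled_providers));`. The `# XXX - not implemented yet` cleanup is also a correctness gap rather than a tidiness one: `_cleanup_rulesdir()` clears the output directory before each run, but nothing clears `$tmp_rules_directory`, so if oinkmaster consumes every file under `dir://$tmp_rules_directory` (its behaviour is not visible here) the extracted rules of a provider that has since been disabled, or a stale `<provider>-ruleset.rules` copy, would keep being reapplied on the next run; a short note to that effect next to the XXX would make the cost of the missing function explicit. `oinkmaster()` starts in the first hunk, outside this one.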