IDPS: make sure rule overwrites use unique config sections. closes https://github.com/opnsense/core/issues/4667

We might consider a unique constraint as well, but since duplicates themselves don't hurt that much, this might be good enough.

src/opnsense/scripts/suricata/installRules.py

@@ -41,7 +41,6 @@ if __name__ == '__main__':
     rule_target_dir = ('%s../opnsense.rules' % rule_source_directory)
     rule_yaml_list = ('%s../installed_rules.yaml' % rule_source_directory)
 
-    rule_config_fn = ('%s../rules.config' % rule_source_directory)
     # parse OPNsense rule config
     rule_updates = RuleCache.list_local_changes()
 

src/opnsense/scripts/suricata/lib/rulecache.py

@@ -110,8 +110,8 @@ class RuleCache(object):
             cnf = ConfigParser()
             cnf.read(rule_config_fn)
             for section in cnf.sections():
-                if section[0:5] == 'rule_':
-                    sid = section[5:]
+                if section[0:5] == 'rule_' and cnf.has_option(section, 'sid'):
+                    sid = cnf.get(section, 'sid')
                     # mark rule policies as __manual__ so we can filter them easily
                     rule_updates[sid] = {'mtime': policy_config_mtime, 'policy_id': None, 'policy': "__manual__"}
                     for rule_item in cnf.items(section):

src/opnsense/service/templates/OPNsense/IDS/rules.config

@@ -5,9 +5,10 @@
 #
 {% if helpers.exists('OPNsense.IDS.rules.rule') %}
 {%      for rule in helpers.toList('OPNsense.IDS.rules.rule') %}
-[rule_{{rule.sid|default('0')}}]
+[rule_{{rule['@uuid']|replace('-', '')}}]
 enabled={{ rule.enabled|default('0') }}
 action={{ rule.action|default('') }}
+sid={{ rule.sid|default('0') }}
 
 {%      endfor %}
 {% endif %}