From 0101becd997d3ac477b567688de2d4674a816c66 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 3 Feb 2021 16:25:47 +0100
Subject: [PATCH] IDPS: make sure rule overwrites use unique config sections. closes https://github.com/opnsense/core/issues/4667
We might consider a unique constraint as well, but since duplicates themselves don't hurt that much, this might be good enough.
---
 src/opnsense/scripts/suricata/installRules.py | 1 -
 src/opnsense/scripts/suricata/lib/rulecache.py | 4 ++--
 src/opnsense/service/templates/OPNsense/IDS/rules.config | 3 ++-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/scripts/suricata/installRules.py b/src/opnsense/scripts/suricata/installRules.py
index 55afd1edb..92afda3c3 100755
--- a/src/opnsense/scripts/suricata/installRules.py
+++ b/src/opnsense/scripts/suricata/installRules.py
@@ -41,7 +41,6 @@ if __name__ == '__main__':
 rule_target_dir = ('%s../opnsense.rules' % rule_source_directory)
 rule_yaml_list = ('%s../installed_rules.yaml' % rule_source_directory)
- rule_config_fn = ('%s../rules.config' % rule_source_directory)
 # parse OPNsense rule config
 rule_updates = RuleCache.list_local_changes()
diff --git a/src/opnsense/scripts/suricata/lib/rulecache.py b/src/opnsense/scripts/suricata/lib/rulecache.py
index 404cfbd8b..85e02739e 100755
--- a/src/opnsense/scripts/suricata/lib/rulecache.py
+++ b/src/opnsense/scripts/suricata/lib/rulecache.py
@@ -110,8 +110,8 @@ class RuleCache(object):
 cnf = ConfigParser()
 cnf.read(rule_config_fn)
 for section in cnf.sections():
- if section[0:5] == 'rule_':
- sid = section[5:]
+ if section[0:5] == 'rule_' and cnf.has_option(section, 'sid'):
+ sid = cnf.get(section, 'sid')
 # mark rule policies as __manual__ so we can filter them easily
 rule_updates[sid] = {'mtime': policy_config_mtime, 'policy_id': None, 'policy': "__manual__"}
 for rule_item in cnf.items(section):
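Review bot: The new `sid` is read from the section's option and used unchecked as the `rule_updates` key, so when two sections carry the same sid the second silently replaces the first's entry (the description accepts duplicates, but nothing in the code says so), and a section rendered with the template's `sid={{ rule.sid|default('0') }}` fallback in the rules.config hunk yields an entry keyed `'0'` that can match no real rule. A one-line comment such as `# sections are keyed by uuid; if several share a sid, the last one read wins` above the assignment would record the intended semantics, and a guard like `if not sid.isdigit(): continue` after `sid = cnf.get(section, 'sid')` would keep malformed values out of the key space; whether the `'0'` fallback should be skipped as well depends on the model, which is not visible here. While the condition is being rewritten, `section.startswith('rule_')` reads better than `section[0:5] == 'rule_'`. The enclosing method starts above the hunk, so how `sid` is consumed further down is not visible.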
diff --git a/src/opnsense/service/templates/OPNsense/IDS/rules.config b/src/opnsense/service/templates/OPNsense/IDS/rules.config
index 5626e0992..4f640c42f 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/rules.config
+++ b/src/opnsense/service/templates/OPNsense/IDS/rules.config
@@ -5,9 +5,10 @@
 #
 {% if helpers.exists('OPNsense.IDS.rules.rule') %}
 {% for rule in helpers.toList('OPNsense.IDS.rules.rule') %}
-[rule_{{rule.sid|default('0')}}]
+[rule_{{rule['@uuid']|replace('-', '')}}]
 enabled={{ rule.enabled|default('0') }}
 action={{ rule.action|default('') }}
+sid={{ rule.sid|default('0') }}
 {% endfor %}
 {% endif %}
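Review bot: The section header `[rule_{{rule['@uuid']|replace('-', '')}}]` renders as `[rule_]` for any entry whose `@uuid` is undefined, because Jinja's default `Undefined` prints as an empty string; two such entries would then produce duplicate section names, which is the very collision the uuid naming is meant to remove, and the reader in rulecache.py constructs a plain `ConfigParser()` that on Python 3 rejects duplicate sections outright. If `helpers.toList` guarantees a `@uuid` on every item this is moot, otherwise wrap the block in `{% if rule['@uuid'] is defined %}` … `{% endif %}` or give the expression an explicit fallback so a missing uuid is visible rather than silent. A short template comment above the loop, `{# one section per rule uuid; the sid is carried as an option so duplicates cannot clash #}`, would explain the rename to the next reader.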