IDS/IPS support request headers in ruleset metadata, to support additional authentication methods (besides oink codes in the url)

<headers>
       <Token>%%myruleset.mytoken%%</Token>
    </headers>

src/opnsense/scripts/suricata/lib/downloader.py

@@ -1,5 +1,5 @@
 """
-    Copyright (c) 2015 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2015-2018 Ad Schellevis <ad@opnsense.org>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -110,12 +110,14 @@ class Downloader(object):
         else:
             return src.read()
 
-    def download(self, proto, url, url_filename, filename, input_filter, auth = None):
+    def download(self, proto, url, url_filename, filename, input_filter, auth = None, headers=None):
         """ download ruleset file
             :param proto: protocol (http,https)
             :param url: download url
             :param filename: target filename
             :param input_filter: filter to use on received data before save
+            :param auth: authentication
+            :param headers: headers to send
         """
         if proto in ('http', 'https'):
             frm_url = url.replace('//', '/').replace(':/', '://')
@@ -126,6 +128,8 @@ class Downloader(object):
                 req_opts['stream'] = True
                 if auth is not None:
                     req_opts['auth'] = auth
+                if headers is not None:
+                    req_opts['headers'] = headers
                 req = requests.get(**req_opts)
 
                 if req.status_code == 200:

src/opnsense/scripts/suricata/lib/metadata.py

@@ -82,6 +82,10 @@ class Metadata(object):
                 if rule_xml.find('files') is None:
                     syslog.syslog(syslog.LOG_ERR, 'suricata metadata missing files  @ %s' % filename)
                 else:
+                    http_headers = dict()
+                    if rule_xml.find('headers') is not None:
+                        for header in rule_xml.find('headers'):
+                            http_headers[header.tag] = header.text.strip()
                     for rule_filename in rule_xml.find('files'):
                         if 'documentation_url' in rule_filename.attrib:
                             documentation_url = rule_filename.attrib['documentation_url']
@@ -93,6 +97,7 @@ class Metadata(object):
                         metadata_record['documentation_url'] = documentation_url
                         metadata_record['source'] = src_location.attrib
                         metadata_record['filename'] = rule_filename.text.strip()
+                        metadata_record['http_headers'] = http_headers
                         # for an archive, define file to extract
                         metadata_record['url_filename'] = None
                         if 'url' in rule_filename.attrib and rule_filename.attrib['url'].startswith('inline::'):

src/opnsense/scripts/suricata/rule-updater.py

@@ -1,7 +1,7 @@
 #!/usr/local/bin/python2.7
 
 """
-    Copyright (c) 2015 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2015-2018 Ad Schellevis <ad@opnsense.org>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -87,4 +87,5 @@ if __name__ == '__main__':
                     else:
                         auth = None
                     dl.download(proto=download_proto, url=rule['url'], url_filename=rule['url_filename'],
-                                filename=rule['filename'], input_filter=input_filter, auth=auth)
+                                filename=rule['filename'], input_filter=input_filter, auth=auth,
+                                headers=rule['http_headers'])