From ac35e91deef0773b737f3763aab32e618677d591 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 15 Jul 2018 21:33:12 +0200
Subject: [PATCH] IDS, cleanup previously installed rules, which are known in the configuration but don't exist anymore in the definitions (uninstalled). Manually installed rules will remain untouched by this change. closes https://github.com/opnsense/core/pull/2448
---
 src/opnsense/scripts/suricata/rule-updater.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/scripts/suricata/rule-updater.py b/src/opnsense/scripts/suricata/rule-updater.py
index 2b7ee353c..cca3ea6ec 100755
--- a/src/opnsense/scripts/suricata/rule-updater.py
+++ b/src/opnsense/scripts/suricata/rule-updater.py
@@ -76,11 +76,9 @@ if __name__ == '__main__':
 download_proto = str(rule['source']['url']).split(':')[0].lower()
 if dl.is_supported(url=rule['source']['url']):
 if rule['filename'] not in enabled_rulefiles:
- try:
- # remove configurable but unselected file
- os.remove(('%s/%s' % (rule_source_directory, rule['filename'])).replace('//', '/'))
- except OSError:
- pass
+ full_path = ('%s/%s' % (rule_source_directory, rule['filename'])).replace('//', '/')
+ if os.path.isfile(full_path):
+ os.remove(full_path)
 else:
 input_filter = enabled_rulefiles[rule['filename']]['filter']
 if ('username' in rule['source'] and 'password' in rule['source']):
@@ -97,3 +95,10 @@ if __name__ == '__main__':
 headers=rule['http_headers'], version=remote_hash)
 else:
 syslog.syslog(syslog.LOG_INFO, 'download skipped %s, same version' % rule['filename'])
+
+ # cleanup: match all installed rulesets against the configured ones and remove uninstalled rules
+ md_filenames = map(lambda x:x['filename'], md.list_rules(rule_properties))
+ for filename in enabled_rulefiles:
+ full_path = ('%s/%s' % (rule_source_directory, filename)).replace('//', '/')
+ if filename not in md_filenames and os.path.isfile(full_path):
+ os.remove(full_path)
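Review bot: Replacing the `try/except OSError` with an `os.path.isfile` guard before `os.remove(full_path)` turns a previously best-effort unlink into a hard failure of the whole updater run: a permission error, or the file disappearing between the check and the remove, now raises out of the loop that is still downloading the remaining rulesets. I would keep the `isfile` guard but wrap `os.remove(full_path)` in `try/except OSError as e:` and report it through `syslog.syslog(syslog.LOG_ERR, ...)`, which the script already uses for status messages in the second hunk. The removed `# remove configurable but unselected file` comment was the only statement of intent for this branch; please restore it above the `full_path =` line. The enclosing `if __name__ == '__main__':` block starts and ends outside this hunk.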
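Review bot: `md_filenames = map(lambda x:x['filename'], md.list_rules(rule_properties))` is a one-shot iterator under Python 3, so the first `filename not in md_filenames` test consumes it and every later iteration of the `for filename in enabled_rulefiles:` loop sees an empty sequence — all remaining configured rule files would then pass the "not in" test and be removed if they exist on disk; under Python 2 it is a list and merely O(n) per lookup, so I am inferring the script's interpreter here. Either way a set fixes both: `md_filenames = {x['filename'] for x in md.list_rules(rule_properties)}`. The same dropped-`OSError` concern as in the first hunk applies to the `os.remove(full_path)` here, and since `full_path` is built by plain `'%s/%s'` joining, it would be worth confirming that `filename` values cannot carry path separators (or confining with `os.path.basename`) so the cleanup can only ever touch files inside `rule_source_directory`. The `if __name__ == '__main__':` block this is appended to starts outside the hunk.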