tpotce/docker/suricata/dist/update.sh

#!/bin/ash

# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
  exit 0
}
trap fuCLEANUP EXIT

### Vars
myOINKCODE="$1"

function fuDLRULES {
### Check if args are present then download rules, if not throw error
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
  then
    echo "Downloading ET open ruleset."
    wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
  else
    if [ "$myOINKCODE" != "" ];
      then
	echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
	wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
      else	
        echo "Usage: update.sh <[OPEN, OINKCODE]>"
	exit
    fi	
fi
}

function fuENRULES {
  # Cleanup old files and extract new files.
  rm -rf /tmp/rules /tmp/tpotce.rules
  tar xfz /tmp/rules.tar.gz -C /tmp/ 2>&1 > /dev/null
  # Create the new ruleset by:
  # - looping through rule files, except deleted ones;
  # - enabling all disabled rules (performance should be OK);
  # - removing unnecessary empty/comment lines.
  ls /tmp/rules/*.rules | grep -v deleted.rules | while read f;
    do
      cat $f | sed "s/^#alert/alert/" | grep -Ev "^(#|$)" >> /tmp/tpotce.rules
    done
  # Copy the new ruleset and config to where they belong.
  cp -f /tmp/tpotce.rules /tmp/rules/classification.config /etc/suricata/rules
}

# Check internet availability 
function fuCHECKINET () {
mySITES=$1
error=0
for i in $mySITES;
  do
    curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
      if [ $? -ne 0 ];
        then
	  let error+=1
      fi;
  done;
  echo $error
}

# Check for connectivity and download rules
myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
if [ "$myCHECK" == "0" ];
  then
    fuDLRULES 2>&1 > /dev/null
    fuENRULES 2>&1 > /dev/null
    echo "/etc/suricata/capture-filter.bpf"
  else
    echo "/etc/suricata/null.bpf"
fi
tweaking fix condition when no internet connection is available check internet connection before download of rules and avoid errors check internet connection before setting up capture filters (with FQDNs, resulted in endless restart of suricata) and unset capture filters if no internet connection is available 2018-05-23 13:02:19 +00:00			`#!/bin/ash`
include docker repos ... skip emobility since it is a dev repo 2017-10-13 18:58:14 +00:00
			`# Let's ensure normal operation on exit or if interrupted ...`
			`function fuCLEANUP {`
			`exit 0`
			`}`
			`trap fuCLEANUP EXIT`

update logrotating, cleanup.sh, add Suricata ET Pro support, tweaking 2018-03-30 16:41:46 +00:00			`### Vars`
			`myOINKCODE="$1"`

			`function fuDLRULES {`
			`### Check if args are present then download rules, if not throw error`
			`if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];`
			`then`
			`echo "Downloading ET open ruleset."`
Bump Suricata to 5.0.0 2019-10-22 15:20:23 +00:00			`wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz`
update logrotating, cleanup.sh, add Suricata ET Pro support, tweaking 2018-03-30 16:41:46 +00:00			`else`
			`if [ "$myOINKCODE" != "" ];`
			`then`
			`echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."`
Bump Suricata to 5.0.0 2019-10-22 15:20:23 +00:00			`wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz`
update logrotating, cleanup.sh, add Suricata ET Pro support, tweaking 2018-03-30 16:41:46 +00:00			`else`
			`echo "Usage: update.sh <[OPEN, OINKCODE]>"`
			`exit`
			`fi`
			`fi`
			`}`

Suricata: improve setup/config for ETPRO ruleset PROBLEM (see #487) - ET rule files start with the "emerging-" prefix; - ETPRO rule files do not start with that prefix. SOLUTION Concatenate all rule files, with the exception of "disabled.rules", into a single rule file at "/etc/suricata/rules/tpotce.rules" I have left as-is the "sed" command that enables all commented-out rules. Since that is usually done for performance reasons, maybe it could be turned into a configuration option like the OINKCODE. Another thing worth considering is to use "suricata-update" instead: https://suricata-update.readthedocs.io/en/latest/quickstart.html 2020-11-25 14:12:18 +00:00			`function fuENRULES {`
			`# Cleanup old files and extract new files.`
			`rm -rf /tmp/rules /tmp/tpotce.rules`
			`tar xfz /tmp/rules.tar.gz -C /tmp/ 2>&1 > /dev/null`
			`# Create the new ruleset by:`
			`# - looping through rule files, except deleted ones;`
			`# - enabling all disabled rules (performance should be OK);`
			`# - removing unnecessary empty/comment lines.`
			`ls /tmp/rules/*.rules \| grep -v deleted.rules \| while read f;`
			`do`
			`cat $f \| sed "s/^#alert/alert/" \| grep -Ev "^(#\|$)" >> /tmp/tpotce.rules`
			`done`
			`# Copy the new ruleset and config to where they belong.`
			`cp -f /tmp/tpotce.rules /tmp/rules/classification.config /etc/suricata/rules`
			`}`

tweaking fix condition when no internet connection is available check internet connection before download of rules and avoid errors check internet connection before setting up capture filters (with FQDNs, resulted in endless restart of suricata) and unset capture filters if no internet connection is available 2018-05-23 13:02:19 +00:00			`# Check internet availability`
			`function fuCHECKINET () {`
			`mySITES=$1`
			`error=0`
			`for i in $mySITES;`
			`do`
			`curl --connect-timeout 5 -Is $i 2>&1 > /dev/null`
			`if [ $? -ne 0 ];`
			`then`
			`let error+=1`
			`fi;`
			`done;`
			`echo $error`
			`}`
update logrotating, cleanup.sh, add Suricata ET Pro support, tweaking 2018-03-30 16:41:46 +00:00
tweaking fix condition when no internet connection is available check internet connection before download of rules and avoid errors check internet connection before setting up capture filters (with FQDNs, resulted in endless restart of suricata) and unset capture filters if no internet connection is available 2018-05-23 13:02:19 +00:00			`# Check for connectivity and download rules`
			`myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")`
			`if [ "$myCHECK" == "0" ];`
			`then`
			`fuDLRULES 2>&1 > /dev/null`
Suricata: improve setup/config for ETPRO ruleset PROBLEM (see #487) - ET rule files start with the "emerging-" prefix; - ETPRO rule files do not start with that prefix. SOLUTION Concatenate all rule files, with the exception of "disabled.rules", into a single rule file at "/etc/suricata/rules/tpotce.rules" I have left as-is the "sed" command that enables all commented-out rules. Since that is usually done for performance reasons, maybe it could be turned into a configuration option like the OINKCODE. Another thing worth considering is to use "suricata-update" instead: https://suricata-update.readthedocs.io/en/latest/quickstart.html 2020-11-25 14:12:18 +00:00			`fuENRULES 2>&1 > /dev/null`
tweaking fix condition when no internet connection is available check internet connection before download of rules and avoid errors check internet connection before setting up capture filters (with FQDNs, resulted in endless restart of suricata) and unset capture filters if no internet connection is available 2018-05-23 13:02:19 +00:00			`echo "/etc/suricata/capture-filter.bpf"`
			`else`
			`echo "/etc/suricata/null.bpf"`
			`fi`