From 2d5c498860fc77ba1be8bce14f49598cf06e4016 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Fri, 4 Mar 2016 21:47:14 +0100
Subject: [PATCH] tweaking, persistence
---
 installer/data/upstart/elasticpot.conf | 15 +++++++++------
 installer/data/upstart/elk.conf | 3 ++-
 installer/data/upstart/emobility.conf | 21 ++++++++++++---------
 installer/data/upstart/glastopf.conf | 12 +++++++++---
 installer/data/upstart/honeytrap.conf | 17 +++++++++++------
 installer/data/upstart/suricata.conf | 21 ++++++++++++---------
 6 files changed, 55 insertions(+), 34 deletions(-)
diff --git a/installer/data/upstart/elasticpot.conf b/installer/data/upstart/elasticpot.conf
index ac80ee85..95cb8436 100644
--- a/installer/data/upstart/elasticpot.conf
+++ b/installer/data/upstart/elasticpot.conf
@@ -2,7 +2,7 @@
 # T-Pot #
 # Elasticpot upstart script #
 # #
-# v16.03.4 by ms/mo, DTAG, 2016-02-08 #
+# v16.03.5 by ms/mo, DTAG, 2016-03-03 #
 ########################################################
 description "ElasticPot"
@@ -16,11 +16,14 @@ pre-start script
 if [ "$myCID" != "" ]; then docker rm -v $myCID; fi
- # Remove any data from previous container
- rm -rf /data/elasticpot/* || true
- mkdir -p /data/elasticpot/log
- chmod 760 /data/elasticpot -R
- chown tpot:tpot /data/elasticpot -R
+ # Remove any data from previous container if persistence is not enabled
+ if ! [ -f /data/persistence.on ];
+ then
+ rm -rf /data/elasticpot/* || true
+ mkdir -p /data/elasticpot/log
+ chmod 760 /data/elasticpot -R
+ chown tpot:tpot /data/elasticpot -R
+ fi
 end script
 script
 /usr/bin/docker run --name elasticpot --rm=true -v /data/elasticpot:/data/elasticpot -v /data/ews:/data/ews -p 9200:9200 dtagdevsec/elasticpot:latest1603
diff --git a/installer/data/upstart/elk.conf b/installer/data/upstart/elk.conf
index e5bc89f6..ac57b6c0 100644
--- a/installer/data/upstart/elk.conf
+++ b/installer/data/upstart/elk.conf
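Review bot: When `/data/persistence.on` exists the whole block is skipped, including `mkdir -p /data/elasticpot/log`, `chmod 760 /data/elasticpot -R` and `chown tpot:tpot /data/elasticpot -R`, so a persistent install never has its log directory created or its ownership and mode enforced before `docker run` bind-mounts `/data/elasticpot`; if the path is missing, Docker will typically create it owned by root. Only the wipe should depend on the flag: close the conditional right after it, `if ! [ -f /data/persistence.on ]; then rm -rf /data/elasticpot/* || true; fi`, and keep the `mkdir -p`, `chmod` and `chown` lines unconditional. Putting `then` on the `if` line also matches the `if [ "$myCID" != "" ]; then` style on the context line above. The enclosing `pre-start script` stanza opens above the hunk.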
@@ -2,7 +2,7 @@
 # T-Pot #
 # ELK upstart script #
 # #
-# v16.03.3 by mo, DTAG, 2016-02-08 #
+# v16.03.4 by mo, DTAG, 2016-03-04 #
 ########################################################
 description "ELK"
@@ -16,6 +16,7 @@ pre-start script
 if [ "$myCID" != "" ]; then docker rm -v $myCID; fi
+ # ELK data will be kept for <= 90 days, check /etc/crontab for curator modification
 end script
 script
 /usr/bin/docker run --name=elk -v /data:/data -p 127.0.0.1:64296:8080 --rm=true dtagdevsec/elk:latest1603
diff --git a/installer/data/upstart/emobility.conf b/installer/data/upstart/emobility.conf
index f24ef41a..8e49654f 100644
--- a/installer/data/upstart/emobility.conf
+++ b/installer/data/upstart/emobility.conf
@@ -1,8 +1,8 @@
 ########################################################
-# T-Pot Community Edition #
-# Conpot upstart script #
+# T-Pot #
+# eMobility upstart script #
 # #
-# v0.50 by msbeiti, DTAG, 2015-08-05 #
+# v16.03.1 by ms / mo, DTAG, 2016-03-03 #
 ########################################################
 description "emobility"
@@ -16,12 +16,15 @@ pre-start script
 if [ "$myCID" != "" ]; then docker rm $myCID; fi
- # Remove any data from previous container
- rm -rf /data/emobility/* || true
- rm /data/ews/emobility/ews.json || true
- mkdir -p /data/emobility/log /data/ews/emobility
- chmod 760 /data/emobility -R
- chown tpot:tpot /data/emobility -R
+ # Remove any data from previous container if persistence is not enabled
+ if ! [ -f /data/persistence.on ];
+ then
+ rm -rf /data/emobility/* || true
+ rm /data/ews/emobility/ews.json || true
+ mkdir -p /data/emobility/log /data/ews/emobility
+ chmod 760 /data/emobility -R
+ chown tpot:tpot /data/emobility -R
+ fi
 end script
 script
 # Delayed start to avoid rapid respawning
diff --git a/installer/data/upstart/glastopf.conf b/installer/data/upstart/glastopf.conf
index a20fc7de..ce26abdd 100644
--- a/installer/data/upstart/glastopf.conf
+++ b/installer/data/upstart/glastopf.conf
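Review bot: The added comment asserts a 90-day retention that nothing in this file enforces and points to `/etc/crontab`, which is outside the patch, so a reader of this script cannot verify the claim here. Because the container mounts the entire tree with `-v /data:/data` and this same patch stops the honeypot directories from being wiped when `/data/persistence.on` exists, the comment should say what the curator job actually covers, e.g. `# Elasticsearch indices are pruned by the curator cron job in /etc/crontab (~90 days); raw honeypot data under /data is not pruned by it`, assuming that is what the crontab entry does. The `pre-start script` stanza opens above the hunk.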
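Review bot: As in the sibling scripts, the persistence flag now also suppresses `mkdir -p /data/emobility/log /data/ews/emobility`, `chmod 760 /data/emobility -R` and `chown tpot:tpot /data/emobility -R`, so on a persistent install neither the log directory nor `/data/ews/emobility` is guaranteed to exist or to be owned by `tpot` before the container starts. Gate only the two deletions, `if ! [ -f /data/persistence.on ]; then rm -rf /data/emobility/* || true; rm /data/ews/emobility/ews.json || true; fi`, and leave the `mkdir -p`, `chmod` and `chown` lines outside the conditional. Separately, the context line above the change runs `docker rm $myCID` without `-v`, unlike the other five scripts in this patch, so the stale container's anonymous volumes are left behind; that predates this commit but is worth aligning while the block is being touched. The `pre-start script` stanza opens above the hunk and the `script` stanza continues below it.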
@@ -2,7 +2,7 @@
 # T-Pot #
 # Glastopf upstart script #
 # #
-# v16.03.3 by mo, DTAG, 2016-02-08 #
+# v16.03.4 by mo, DTAG, 2016-03-04 #
 ########################################################
 description "Glastopf"
@@ -16,8 +16,14 @@ pre-start script
 if [ "$myCID" != "" ]; then docker rm -v $myCID; fi
- # Remove any data from previous container
- rm -rf /data/glastopf/* || true
+ # Remove any data from previous container if persistence is not enabled
+ if ! [ -f /data/persistence.on ];
+ then
+ rm -rf /data/glastopf/* || true
+ mkdir -p /data/glastopf
+ chmod 760 /data/glastopf -R
+ chown tpot:tpot /data/glastopf -R
+ fi
 end script
 script
 /usr/bin/docker run --name glastopf --rm=true -v /data/glastopf:/data/glastopf -v /data/ews:/data/ews -p 80:80 dtagdevsec/glastopf:latest1603
diff --git a/installer/data/upstart/honeytrap.conf b/installer/data/upstart/honeytrap.conf
index cfdcd28f..ff5f80e4 100644
--- a/installer/data/upstart/honeytrap.conf
+++ b/installer/data/upstart/honeytrap.conf
@@ -2,7 +2,7 @@
 # T-Pot #
 # Honeytrap upstart script #
 # #
-# v16.03.7 by mo, DTAG, 2016-02-08 #
+# v16.03.8 by mo, DTAG, 2016-03-04 #
 ########################################################
 description "Honeytrap"
@@ -16,11 +16,15 @@ pre-start script
 if [ "$myCID" != "" ]; then docker rm -v $myCID; fi
- # Remove any data from previous container
- rm -rf /data/honeytrap/* || true
- mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
- chmod 760 /data/honeytrap/ -R
- chown tpot:tpot /data/honeytrap/ -R
+ # Remove any data from previous container if persistence is not enabled
+ if ! [ -f /data/persistence.on ];
+ then
+ rm -rf /data/honeytrap/* || true
+ mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
+ chmod 760 /data/honeytrap/ -R
+ chown tpot:tpot /data/honeytrap/ -R
+ fi
+ # Enable NFQ chain
 /sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 end script
 script
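Review bot: The newly added `mkdir -p /data/glastopf`, `chmod 760 /data/glastopf -R` and `chown tpot:tpot /data/glastopf -R` only run when `/data/persistence.on` is absent, so the install mode this patch introduces is exactly the one in which the ownership fix never gets applied, and `docker run ... -p 80:80` bind-mounts whatever happens to be there. Move the three lines after the `fi` so that only `rm -rf /data/glastopf/* || true` is conditional on the flag. It would also help to state in the comment that the flag is a plain marker file, e.g. `# /data/persistence.on is an empty marker file; when it exists, honeypot data survives restarts`. The `pre-start script` stanza opens above the hunk.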
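Review bot: With `/data/persistence.on` present, `mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/` and the `chmod 760`/`chown tpot:tpot` lines are skipped together with the wipe, so on a persistent install the `attacks/` and `downloads/` directories that receive attacker-supplied payloads are neither created nor restricted to `tpot` before the bind mount; keep only `rm -rf /data/honeytrap/* || true` inside the `if` and run the other three lines unconditionally. The added comment `# Enable NFQ chain` (and `# Drop NFQ chain` in the next hunk) is misleading, since the line appends a single rule to the built-in `INPUT` chain with an `NFQUEUE` target; something like `# Divert new inbound TCP SYNs to NFQUEUE for honeytrap (rule is removed again in post-stop)` describes it accurately. Because `pre-start` runs on every start and `-A` does not check for an existing identical rule, any start where `post-stop` did not run would leave duplicate rules; a `/sbin/iptables -w -C INPUT ... -j NFQUEUE 2>/dev/null || /sbin/iptables -w -A INPUT ... -j NFQUEUE` guard would make it idempotent, though I have not confirmed upstart's behaviour in that failure path. The `pre-start script` stanza opens above the hunk.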
@@ -31,5 +35,6 @@ post-start script
 sleep 2
 end script
 post-stop script
+ # Drop NFQ chain
 /sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 end script
diff --git a/installer/data/upstart/suricata.conf b/installer/data/upstart/suricata.conf
index fc1fda16..1fd1c5f1 100644
--- a/installer/data/upstart/suricata.conf
+++ b/installer/data/upstart/suricata.conf
@@ -2,7 +2,7 @@
 # T-Pot #
 # Suricata upstart script #
 # #
-# v16.03.2 by mo, DTAG, 2016-02-08 #
+# v16.03.3 by mo, DTAG, 2016-03-04 #
 ########################################################
 description "Suricata"
@@ -16,21 +16,24 @@ pre-start script
 if [ "$myCID" != "" ]; then docker rm -v $myCID; fi
- # Remove any data from previous container
- rm -rf /data/suricata/* || true
- mkdir -p /data/suricata/log
- chmod 760 -R /data/suricata
- chown tpot:tpot -R /data/suricata
+ # Remove any data from previous container if persistence is not enabled
+ if ! [ -f /data/persistence.on ];
+ then
+ rm -rf /data/suricata/* || true
+ mkdir -p /data/suricata/log
+ chmod 760 -R /data/suricata
+ chown tpot:tpot -R /data/suricata
+ fi
+ # Get IF, disable offloading, enable promiscious mode
 myIF=$(route | grep default | awk '{ print $8 }')
 /sbin/ethtool --offload $myIF rx off tx off
 /sbin/ethtool -K $myIF gso off gro off
 /sbin/ip link set $myIF promisc on
 end script
 script
- # Delayed start to avoid rapid respawning
- sleep 2
 /usr/bin/docker run --name suricata --cap-add=NET_ADMIN --net=host --rm=true -v /data/suricata:/data/suricata dtagdevsec/suricata:latest1603
 end script
 post-start script
- sleep $(((RANDOM % 5)+5))
+ # Delay next start to avoid rapid respawning
+ sleep 2
 end script
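Review bot: The added comment `# Get IF, disable offloading, enable promiscious mode` misspells the mode; it should read `# Get IF, disable offloading, enable promiscuous mode`. The same persistence problem as in the other scripts applies here: `mkdir -p /data/suricata/log`, `chmod 760 -R /data/suricata` and `chown tpot:tpot -R /data/suricata` are skipped whenever `/data/persistence.on` exists, so gate only `rm -rf /data/suricata/* || true` and move the other three lines after the `fi`. Moving the delay from the `script` stanza into `post-start` and replacing `sleep $(((RANDOM % 5)+5))` with a fixed `sleep 2` also drops the randomised back-off the old `post-start` had; if the goal is to keep a crash-looping `--net=host` container from being restarted too quickly, upstart's `respawn limit` stanza is the explicit mechanism, though the job's stanza head is outside the hunk so I cannot tell whether one is already set. The `pre-start script` stanza opens above the hunk.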