tweaking

fix condition when no internet connection is available
check internet connection before download of rules and avoid errors
check internet connection before setting up capture filters (with FQDNs, resulted in endless restart of suricata) and unset capture filters if no internet connection is available

docker/suricata/Dockerfile

@@ -4,21 +4,20 @@ FROM alpine
 ADD dist/ /root/dist/
 
 # Install packages
-RUN apk -U upgrade && \
-    apk add bash \
-            ca-certificates \
-            file \
-            libcap \
-            procps \
-            wget && \
+RUN apk -U --no-cache add \
+                 ca-certificates \
+                 curl \
+                 file \
+                 libcap \
+                 wget && \
     apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
-            suricata && \
+                 suricata && \
 
 # Setup user, groups and configs
     addgroup -g 2000 suri && \
     adduser -S -H -u 2000 -D -g 2000 suri && \
-    mv /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
-    mv /root/dist/capture-filter.bpf /etc/suricata/capture-filter.bpf && \
+    cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+    cp /root/dist/*.bpf /etc/suricata/ && \
 
 # Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
     cp /root/dist/update.sh /usr/bin/ && \
@@ -30,4 +29,4 @@ RUN apk -U upgrade && \
     rm -rf /var/cache/apk/*
 
 # Start suricata
-CMD update.sh $OINKCODE && exec suricata -v -F /etc/suricata/capture-filter.bpf -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
+CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])

docker/suricata/dist/update.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/ash
 
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@@ -11,16 +11,15 @@ myOINKCODE="$1"
 
 function fuDLRULES {
 ### Check if args are present then download rules, if not throw error
-
 if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
   then
     echo "Downloading ET open ruleset."
-    wget --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
+    wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
   else
     if [ "$myOINKCODE" != "" ];
       then
 	echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
-	wget --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
+	wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
       else	
         echo "Usage: update.sh <[OPEN, OINKCODE]>"
 	exit
@@ -28,9 +27,29 @@ if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
 fi
 }
 
-# Download rules
-fuDLRULES
+# Check internet availability 
+function fuCHECKINET () {
+mySITES=$1
+error=0
+for i in $mySITES;
+  do
+    curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
+      if [ $? -ne 0 ];
+        then
+	  let error+=1
+      fi;
+  done;
+  echo $error
+}
 
-# Extract and enable all rules  
-tar xvfz /tmp/rules.tar.gz -C /etc/suricata/
-sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules
+# Check for connectivity and download rules
+myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
+if [ "$myCHECK" == "0" ];
+  then
+    fuDLRULES 2>&1 > /dev/null
+    tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
+    sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+    echo "/etc/suricata/capture-filter.bpf"
+  else
+    echo "/etc/suricata/null.bpf"
+fi