diff --git a/docker/suricata/Dockerfile b/docker/suricata/Dockerfile
index 00f9e53d..334b6427 100644
--- a/docker/suricata/Dockerfile
+++ b/docker/suricata/Dockerfile
@@ -4,21 +4,20 @@ FROM alpine
 ADD dist/ /root/dist/
 # Install packages
-RUN apk -U upgrade && \
- apk add bash \
- ca-certificates \
- file \
- libcap \
- procps \
- wget && \
+RUN apk -U --no-cache add \
+ ca-certificates \
+ curl \
+ file \
+ libcap \
+ wget && \
 apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
- suricata && \
+ suricata && \
 # Setup user, groups and configs
 addgroup -g 2000 suri && \
 adduser -S -H -u 2000 -D -g 2000 suri && \
- mv /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
- mv /root/dist/capture-filter.bpf /etc/suricata/capture-filter.bpf && \
+ cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+ cp /root/dist/*.bpf /etc/suricata/ && \
 # Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
 cp /root/dist/update.sh /usr/bin/ && \
@@ -30,4 +29,4 @@ RUN apk -U upgrade && \
 rm -rf /var/cache/apk/*
 # Start suricata
-CMD update.sh $OINKCODE && exec suricata -v -F /etc/suricata/capture-filter.bpf -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
+CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
diff --git a/docker/suricata/dist/null.bpf b/docker/suricata/dist/null.bpf
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/suricata/dist/update.sh b/docker/suricata/dist/update.sh
index 20b7dbbf..bb4e5c4a 100755
--- a/docker/suricata/dist/update.sh
+++ b/docker/suricata/dist/update.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/ash
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
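Review bot: The second `apk add` still installs `suricata` unpinned from `http://dl-cdn.alpinelinux.org/alpine/edge/community`, so every rebuild can pick up a different edge package and the repository index is fetched over cleartext HTTP; apk's signature check covers package integrity, but pinning it (`suricata=<version>` as a placeholder) and using an `https://` repository URL would make the image reproducible and drop the cleartext fetch. With `mv` replaced by `cp`, the copies of `suricata.yaml` and the `.bpf` files now remain under `/root/dist/` in the final layer unless a later step of this `RUN` removes that directory, which is outside the hunk and worth confirming. The `FROM alpine` shown in the hunk header is also untagged, which compounds the version drift from the edge repository.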
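Review bot: `-F $SURICATA_CAPTURE_FILTER` is unquoted and has no fallback, so when `update.sh` prints nothing (its usage branch `exit`s before any path is echoed) the command becomes `suricata -v -F -i <iface>` and `-F` consumes `-i` as its file name; `exec suricata -v -F "${SURICATA_CAPTURE_FILTER:-/etc/suricata/null.bpf}" -i …` keeps the intended offline default. Because the substitution captures everything the script writes to stdout, any stray output becomes part of the file path handed to `-F`, so `update.sh` must keep all other messages off stdout. Separately, `$OINKCODE` is still passed as a command-line argument, which leaves the subscription code readable in the container's process list; having `update.sh` read it from the environment instead would avoid that exposure. Whether Suricata accepts the empty `null.bpf` added by this commit as a `-F` file is not shown here and is worth a quick check.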
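Review bot: The shebang becomes `#!/bin/ash` and `bash` is dropped from the image, yet the script keeps bash extensions in the later hunks — `function name {`, `==` inside `[ ]` and `let error+=1`; Alpine's busybox ash usually accepts these, but that is a build option rather than POSIX, so either confirm it or use the portable forms `name() {`, `=` and `error=$((error+1))`. The body of `fuCLEANUP` begins on the hunk's last line and continues outside it.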
@@ -11,16 +11,15 @@ myOINKCODE="$1"
 function fuDLRULES {
 ### Check if args are present then download rules, if not throw error
-
 if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
 then
 echo "Downloading ET open ruleset."
- wget --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
+ wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
 else
 if [ "$myOINKCODE" != "" ];
 then
 echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
- wget --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
+ wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
 else
 echo "Usage: update.sh <[OPEN, OINKCODE]>"
 exit
@@ -28,9 +27,29 @@ if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
 fi
 }
-# Download rules
-fuDLRULES
+# Check internet availability
+function fuCHECKINET () {
+mySITES=$1
+error=0
+for i in $mySITES;
+ do
+ curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
+ if [ $? -ne 0 ];
+ then
+ let error+=1
+ fi;
+ done;
+ echo $error
+}
-# Extract and enable all rules
-tar xvfz /tmp/rules.tar.gz -C /etc/suricata/
-sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules
+# Check for connectivity and download rules
+myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
+if [ "$myCHECK" == "0" ];
+ then
+ fuDLRULES 2>&1 > /dev/null
+ tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
+ sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+ echo "/etc/suricata/capture-filter.bpf"
+ else
+ echo "/etc/suricata/null.bpf"
+fi
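Review bot: Neither `wget` call checks its exit status, and with `-q` added a failed or truncated download now leaves no visible trace; the caller then extracts whatever is in `/tmp/rules.tar.gz`, possibly nothing or a leftover from an earlier run. Appending `|| return 1` to each `wget` line (or testing `$?` right after it) lets the caller distinguish a failed fetch from success instead of reporting the normal filter file. The `-q` itself is an improvement here, since the pro URL embeds the Oinkcode and the un-quieted output would have logged it. `fuDLRULES` continues past the hunk; its closing `fi` lines appear as context in the next hunk.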
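Review bot: The redirections `2>&1 > /dev/null` on the `curl`, `fuDLRULES`, `tar` and `sed` lines are in the wrong order — `2>&1` is applied first, so stderr is duplicated onto the original stdout and only stdout reaches `/dev/null`. Both functions' stdout is captured by a command substitution (`myCHECK=$(fuCHECKINET …)` here, and `$(update.sh $OINKCODE)` in the Dockerfile), so any error text from those commands ends up inside `myCHECK` (forcing the `null.bpf` branch) or inside the BPF path handed to `suricata -F`; the fix is `> /dev/null 2>&1`, e.g. `curl --connect-timeout 5 -Is $i > /dev/null 2>&1`. The success branch also prints `capture-filter.bpf` regardless of whether the download, extraction or `sed` succeeded, so a reachable host with a failed fetch silently starts Suricata with stale or missing rules. The rewrite below chains the three steps with `&&` so the normal filter is only reported when all of them succeed; note that `fuDLRULES`'s usage branch still `exit`s before any path is printed, so the caller needs its own default for an empty result.
```sh
# … unchanged: fuCHECKINET (with its curl line redirected as > /dev/null 2>&1) …

# Check for connectivity and download rules
# stdout of this script is captured by the caller as the BPF file path, so only
# the final echo may write to it; every step sends its own output to /dev/null
myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
if [ "$myCHECK" == "0" ] \
   && fuDLRULES > /dev/null 2>&1 \
   && tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ > /dev/null 2>&1 \
   && sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules > /dev/null 2>&1;
  then
    echo "/etc/suricata/capture-filter.bpf"
  else
    echo "/etc/suricata/null.bpf"
fi
```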