Avoid exposing ENVs - Thanks @ Kevin Setz

This commit is contained in:
t3chn0m4g3 2026-01-16 19:13:23 +01:00
parent 39193ecd98
commit 4128490151
2 changed files with 22 additions and 10 deletions


@ -20,10 +20,10 @@ RUN apk --no-cache -U upgrade && \
cp /root/dist/*.yaml /etc/suricata/ && \
cp /root/dist/*.conf /etc/suricata/ && \
cp /root/dist/*.bpf /etc/suricata/ && \
cp /root/dist/update.sh /usr/bin/ && \
cp /root/dist/entrypoint.sh /usr/bin/ && \
chmod 644 /etc/suricata/*.config && \
chmod 755 -R /var/lib/suricata && \
chmod 755 /usr/bin/update.sh && \
chmod 755 /usr/bin/entrypoint.sh && \
chown -R root:suri /tmp /run && \
#
# Download the latest EmergingThreats OPEN ruleset
@ -37,4 +37,4 @@ RUN apk --no-cache -U upgrade && \
#
# Start suricata
STOPSIGNAL SIGINT
CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(ip route | grep "^default" | awk '{ print $5 }')
ENTRYPOINT ["entrypoint.sh"]
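Review bot: `ENTRYPOINT ["entrypoint.sh"]` relies on a PATH lookup at container start; since the script is installed to /usr/bin a few lines above, an absolute path, `ENTRYPOINT ["/usr/bin/entrypoint.sh"]`, removes the dependency on the image's PATH and on any runtime `--env PATH=` override. Moving OINKCODE out of CMD's argv keeps it out of `ps`, but as an environment variable it remains readable via `docker inspect` and `/proc/<pid>/environ` from any process in the container; if that matters, a file-based secret read by entrypoint.sh would be the next step. The RUN instruction these lines belong to starts before the hunk.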


@ -1,4 +1,5 @@
#!/bin/ash
set -eo pipefail
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
@ -7,7 +8,7 @@ function fuCLEANUP {
trap fuCLEANUP EXIT
### Vars
myOINKCODE="$1"
myOINKCODE="${OINKCODE}"
# Check internet availability
function fuCHECKINET () {
@ -15,7 +16,7 @@ mySITES=$1
error=0
for i in $mySITES;
do
curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
curl --connect-timeout 5 -Is "$i" 2>&1 > /dev/null
if [ $? -ne 0 ];
then
let error+=1
@ -28,17 +29,17 @@ for i in $mySITES;
myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
if [ "$myCHECK" == "0" ];
then
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
if [ "${myOINKCODE}" != "" ] && [ "${myOINKCODE}" != "OPEN" ];
then
suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
suricata-update -q enable-source et/pro secret-code="${myOINKCODE}"
else
# suricata-update uses et/open ruleset by default if not configured
rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
fi
suricata-update -q --no-test --no-reload > /dev/null
echo "/etc/suricata/capture-filter.bpf"
suricata-update -q --no-test --no-reload
SURICATA_CAPTURE_FILTER="/etc/suricata/capture-filter.bpf"
else
echo "/etc/suricata/null.bpf"
SURICATA_CAPTURE_FILTER="/etc/suricata/null.bpf"
fi
# Download rules via URL
@ -57,3 +58,14 @@ if [ "$FROMURL" != "" ] ; then
done
IFS=$SAVEIFS
fi
# Determine IF
myIF="$(ip route | grep "^default" | awk '{ print $5 }')"
# Info
echo "- Oinkcode: ${myOINKCODE}"
echo "- Capture filter: ${SURICATA_CAPTURE_FILTER}"
echo "- Interface: ${myIF}"
# Run Suricata
exec suricata -v -F "${SURICATA_CAPTURE_FILTER}" -i "${myIF}"
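Review bot: `echo "- Oinkcode: ${myOINKCODE}"` writes the ET Pro subscription code to stdout, i.e. into the container log, which undoes the point of this commit for anyone with log access. Print only its presence, e.g. `echo "- Oinkcode: ${myOINKCODE:+set (redacted)}"`, or drop the line. A guard before the exec, `: "${myIF:?no default route found}"`, would also turn an empty interface into a clear error instead of a bare suricata failure, though under `set -eo pipefail` the grep in the `myIF` assignment likely already aborts the script when there is no default route. The same code is additionally passed on the command line in the earlier `enable-source et/pro secret-code=` call, where it is visible to `ps` for the duration of that command.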