Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-01 04:22:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Bump Suricata to 5.0.0

Browse source
This commit is contained in:
t3chn0m4g3 2019-10-22 15:20:23 +00:00
parent 3d85ca94f1
commit 78135df9e7
3 changed files with 138 additions and 175 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
docker/suricata/Dockerfile
View file

@ -5,7 +5,7 @@ ADD dist/ /root/dist/
#
# Install packages
#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
RUN apk -U --no-cache add \
RUN apk -U add \
ca-certificates \
curl \
file \
@ -13,8 +13,8 @@ RUN apk -U --no-cache add \
hiredis \
jansson \
libcap-ng \
libhtp \
libmagic \
libmaxminddb \
libnet \
libnetfilter_queue \
libnfnetlink \
@ -36,9 +36,9 @@ RUN apk -U --no-cache add \
hiredis-dev \
jansson-dev \
libtool \
libhtp-dev \
libcap-ng-dev \
luajit-dev \
libmaxminddb-dev \
libpcap-dev \
libnet-dev \
libnetfilter_queue-dev \
@ -47,20 +47,25 @@ RUN apk -U --no-cache add \
nss-dev \
nspr-dev \
pcre-dev \
python2 \
py2-pip \
python3 \
rust \
yaml-dev && \
#
# Upgrade pip, install virtualenv
pip install --no-cache-dir --upgrade pip && \
pip install --no-cache-dir suricata-update && \
# We need latest libhtp[-dev] which is only available in community
apk -U add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
libhtp \
libhtp-dev && \
#
# Upgrade pip, install suricata-update to meet deps, however we will not be using it
# to reduce image (no python needed) and use the update script.
pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir suricata-update && \
#
# Get and build Suricata
mkdir -p /opt/builder/ && \
wget https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz && \
tar xvfz suricata-4.1.4.tar.gz --strip-components=1 -C /opt/builder/ && \
rm suricata-4.1.4.tar.gz && \
wget https://www.openinfosecfoundation.org/download/suricata-5.0.0.tar.gz && \
tar xvfz suricata-5.0.0.tar.gz --strip-components=1 -C /opt/builder/ && \
rm suricata-5.0.0.tar.gz && \
cd /opt/builder && \
./configure \
--prefix=/usr \
@ -110,6 +115,7 @@ RUN apk -U --no-cache add \
libcap-ng-dev \
luajit-dev \
libpcap-dev \
libmaxminddb-dev \
libnet-dev \
libnetfilter_queue-dev \
libnfnetlink-dev \
@ -117,12 +123,12 @@ RUN apk -U --no-cache add \
nss-dev \
nspr-dev \
pcre-dev \
python2 \
py2-pip \
python3 \
rust \
yaml-dev && \
rm -rf /opt/builder && \
rm -rf /root/* && \
rm -rf /tmp/* && \
rm -rf /var/cache/apk/*
#
# Start suricata

277
docker/suricata/dist/suricata.yaml vendored
View file

@ -44,6 +44,7 @@ vars:
MODBUS_PORTS: 502
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
FTP_PORTS: 21
VXLAN_PORTS: 4789
##
## Step 2: select outputs to enable
@ -154,6 +155,40 @@ outputs:
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
# length values, and other events that render the packet
# invalid for further processing or describe unexpected
# behavior on an established stream. Networks which
# experience high occurrences of anomalies may experience
# packet processing degradation.
#
# Anomalies are reported for the following:
# 1. Decode: Values and conditions that are detected while
# decoding individual packets. This includes invalid or
# unexpected values for low-level protocol lengths as well
# as stream related events (TCP 3-way handshake issues,
# unexpected sequence number, etc).
# 2. Stream: This includes stream related events (TCP
# 3-way handshake issues, unexpected sequence number,
# etc).
# 3. Application layer: These denote application layer
# specific conditions that are unexpected, invalid or are
# unexpected given the application monitoring state.
#
# By default, anomaly logging is disabled. When anomaly
# logging is enabled, applayer anomaly reporting is
# enabled.
enabled: yes
#
# Choose one or more types of anomaly logging and whether to enable
# logging of the packet header for packet anomalies.
types:
# decode: no
# stream: no
# applayer: yes
#packethdr: no
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log
@ -162,16 +197,14 @@ outputs:
- dns:
# This configuration uses the new DNS logging format,
# the old configuration is still available:
# http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
# Use version 2 logging with the new format:
# DNS answers will be logged in one single event
# rather than an event for each of it.
# Without setting a version the version
# will fallback to 1 for backwards compatibility.
# https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# As of Suricata 5.0, version 2 of the eve dns output
# format is the default.
version: 2
# Enable/disable this logger. Default: enabled.
#enabled: no
#enabled: yes
# Control logging of requests and responses:
# - requests: enable logging of DNS queries
@ -186,8 +219,8 @@ outputs:
# Default: all
#formats: [detailed, grouped]
# Answer types to log.
# Default: all
# Types to log, based on the query type.
# Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt]
- tls:
extended: yes # enable this for extended logging information
@ -196,7 +229,7 @@ outputs:
#session-resumption: no
# custom allows to control which tls fields that are included
# in eve-log
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3]
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3, ja3s]
- files:
force-magic: yes # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
@ -220,11 +253,15 @@ outputs:
md5: [body, subject]
- dnp3
- ftp
- rdp
- nfs
- smb
- tftp
- ikev2
- krb5
- snmp
- sip
- dhcp:
# DHCP logging requires Rust.
enabled: no
@ -248,47 +285,11 @@ outputs:
# flowints.
#- metadata
# alert output for use with Barnyard2
# deprecated - unified2 alert format for use with Barnyard2
- unified2-alert:
enabled: no
filename: unified2.alert
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
#limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts.
#sensor-id: 0
# Include payload of packets related to alerts. Defaults to true, set to
# false if payload is not required.
#payload: yes
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
# This is helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: yes
# Two operation modes are available, "extra-data" and "overwrite". Note
# that in the "overwrite" mode, if the reported IP address in the HTTP
# X-Forwarded-For header is of a different version of the packet
# received, it will fall-back to "extra-data" mode.
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
# for further options see:
# https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert
# a line based log of HTTP requests (no alerts)
- http-log:
@ -318,14 +319,6 @@ outputs:
enabled: no
#certs-log-dir: certs # directory to store the certificates files
# a line based log of DNS requests and/or replies (no alerts)
# Note: not available when Rust is enabled (--enable-rust).
- dns-log:
enabled: no
filename: dns.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# Packet log... log packets in pcap format. 3 modes of operation: "normal"
# "multi" and "sguil".
#
@ -423,12 +416,11 @@ outputs:
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
# a line based information for dropped packets in IPS mode
# deprecated a line based information for dropped packets in IPS mode
- drop:
enabled: no
filename: drop.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# further options documented at:
# https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets
# Output module for storing files on disk. Files are stored in a
# directory names consisting of the first 2 characters of the
@ -446,6 +438,7 @@ outputs:
#
# To prune the filestore directory see the "suricatactl filestore
# prune" command which can delete files over a certain age.
- file-store:
version: 2
enabled: no
@ -495,51 +488,11 @@ outputs:
# one taken into consideration.
header: X-Forwarded-For
# output module to store extracted files to disk (old style, deprecated)
#
# The files are stored to the log-dir in a format "file.<id>" where <id> is
# an incrementing number starting at 1. For each file "file.<id>" a meta
# file "file.<id>.meta" is created. Before they are finalized, they will
# have a ".tmp" suffix to indicate that they are still being processed.
#
# If include-pid is yes, then the files are instead "file.<pid>.<id>", with
# meta files named as "file.<pid>.<id>.meta"
#
# File extraction depends on a lot of things to be fully done:
# - file-store stream-depth. For optimal results, set this to 0 (unlimited)
# - http request / response body sizes. Again set to 0 for optimal results.
# - rules that contain the "filestore" keyword.
# deprecated - file-store v1
- file-store:
enabled: no # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
force-filestore: no # force storing of all files
# override global stream-depth for sessions in which we want to
# perform file extraction. Set to 0 for unlimited.
#stream-depth: 0
#waldo: file.waldo # waldo file to store the file_id across runs
# uncomment to disable meta file writing
#write-meta: no
# uncomment the following variable to define how many files can
# remain open for filestore by Suricata. Default value is 0 which
# means files get closed after each write
#max-open-files: 1000
include-pid: no # set to yes to include pid in file names
# output module to log files tracked in a easily parsable JSON format
- file-log:
enabled: no
filename: files-json.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
# further options documented at:
# https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1
# Log TCP data after stream normalization
# 2 types: file or dir. File logs into a single logfile. Dir creates
@ -771,6 +724,8 @@ app-layer:
protocols:
krb5:
enabled: yes
snmp:
enabled: yes
ikev2:
enabled: yes
tls:
@ -800,6 +755,8 @@ app-layer:
ftp:
enabled: yes
# memcap: 64mb
rdp:
enabled: yes
ssh:
enabled: yes
smtp:
@ -832,8 +789,6 @@ app-layer:
content-inspect-window: 4096
imap:
enabled: detection-only
msn:
enabled: detection-only
# Note: --enable-rust is required for full SMB1/2 support. W/o rust
# only minimal SMB1 support is available.
smb:
@ -869,7 +824,8 @@ app-layer:
dp: 53
http:
enabled: yes
# memcap: 64mb
# memcap: Maximum memory capacity for http
# Default is unlimited, value can be such as 64mb
# default-config: Used when no server-config matches
# personality: List of personalities used by default
@ -877,37 +833,15 @@ app-layer:
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
# response-body-decompress-layer-limit:
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
# For advanced options, see the user guide
# server-config: List of server configurations to use if address matches
# address: List of IP addresses or networks for this block
# personalitiy: List of personalities used by this block
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
#
# uri-include-all: Include all parts of the URI. By default the
# 'scheme', username/password, hostname and port
# are excluded. Setting this option to true adds
# all of them to the normalized uri as inspected
# by http_uri, urilen, pcre with /U and the other
# keywords that inspect the normalized uri.
# Note that this does not affect http_raw_uri.
# Also, note that including all was the default in
# 1.4 and 2.0beta1.
#
# meta-field-limit: Hard size limit for request and response size
# limits. Applies to request line and headers,
# response line and headers. Does not apply to
# request or response bodies. Default is 18k.
# If this limit is reached an event is raised.
# Then, all the fields from default-config can be overloaded
#
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
@ -1027,6 +961,11 @@ app-layer:
dhcp:
enabled: no
# SIP, disabled by default.
sip:
enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256
@ -1565,7 +1504,7 @@ profiling:
limit: 10
# output to json
json: yes
json: no
# per keyword profiling
keywords:
@ -1814,32 +1753,45 @@ napatech:
# a range of streams (e.g. streams: ["0-3"])
streams: ["0-3"]
# Tilera mpipe configuration. for use on Tilera TILE-Gx.
mpipe:
# When auto-config is enabled the streams will be created and assigned
# automatically to the NUMA node where the thread resides. If cpu-affinity
# is enabled in the threading section. Then the streams will be created
# according to the number of worker threads specified in the worker cpu set.
# Otherwise, the streams array is used to define the streams.
#
# This option cannot be used simultaneous with "use-all-streams".
#
auto-config: yes
# Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
load-balance: dynamic
# Ports indicates which napatech ports are to be used in auto-config mode.
# these are the port ID's of the ports that will be merged prior to the
# traffic being distributed to the streams.
#
# This can be specified in any of the following ways:
#
# a list of individual ports (e.g. ports: [0,1,2,3])
#
# a range of ports (e.g. ports: [0-3])
#
# "all" to indicate that all ports are to be merged together
# (e.g. ports: [all])
#
# This has no effect if auto-config is disabled.
#
ports: [all]
# Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
iqueue-packets: 2048
# List of interfaces we will listen on.
inputs:
- interface: xgbe2
- interface: xgbe3
- interface: xgbe4
# Relative weight of memory for packets of each mPipe buffer size.
stack:
size128: 0
size256: 9
size512: 0
size1024: 0
size1664: 7
size4096: 0
size10386: 0
size16384: 0
# When auto-config is enabled the hashmode specifies the algorithm for
# determining to which stream a given packet is to be delivered.
# This can be any valid Napatech NTPL hashmode command.
#
# The most common hashmode commands are: hash2tuple, hash2tuplesorted,
# hash5tuple, hash5tuplesorted and roundrobin.
#
# See Napatech NTPL documentation other hashmodes and details on their use.
#
# This has no effect if auto-config is disabled.
#
hashmode: hash5tuplesorted
##
## Configure Suricata to load Suricata-Update managed rules.
@ -1870,29 +1822,34 @@ rule-files:
- drop.rules
- dshield.rules
- emerging-activex.rules
- emerging-adware_pup.rules
- emerging-attack_response.rules
- emerging-chat.rules
- emerging-coinminer.rules
- emerging-current_events.rules
- emerging-dns.rules
- emerging-dos.rules
- emerging-exploit.rules
- emerging-exploit_kit.rules
- emerging-ftp.rules
- emerging-games.rules
- emerging-hunting.rules
- emerging-icmp_info.rules
- emerging-icmp.rules
- emerging-imap.rules
- emerging-inappropriate.rules
- emerging-info.rules
- emerging-ja3.rules
- emerging-malware.rules
- emerging-misc.rules
- emerging-mobile_malware.rules
- emerging-netbios.rules
- emerging-p2p.rules
- emerging-phishing.rules
- emerging-policy.rules
- emerging-pop3.rules
- emerging-rpc.rules
- emerging-scada.rules
#- emerging-scada_special.rules
- emerging-scan.rules
- emerging-shellcode.rules
- emerging-smtp.rules
@ -1900,7 +1857,7 @@ rule-files:
- emerging-sql.rules
- emerging-telnet.rules
- emerging-tftp.rules
- emerging-trojan.rules
# - emerging-trojan.rules
- emerging-user_agents.rules
- emerging-voip.rules
- emerging-web_client.rules

4
docker/suricata/dist/update.sh vendored
View file

@ -14,12 +14,12 @@ function fuDLRULES {
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
then
echo "Downloading ET open ruleset."
wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
else
if [ "$myOINKCODE" != "" ];
then
echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
else
echo "Usage: update.sh <[OPEN, OINKCODE]>"
exit