Bump Suricata to 5.0.0

This commit is contained in:
t3chn0m4g3 2019-10-22 15:20:23 +00:00
parent 3d85ca94f1
commit 78135df9e7
3 changed files with 138 additions and 175 deletions


@ -5,7 +5,7 @@ ADD dist/ /root/dist/
# #
# Install packages # Install packages
#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \ #RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
RUN apk -U --no-cache add \ RUN apk -U add \
ca-certificates \ ca-certificates \
curl \ curl \
file \ file \
@ -13,8 +13,8 @@ RUN apk -U --no-cache add \
hiredis \ hiredis \
jansson \ jansson \
libcap-ng \ libcap-ng \
libhtp \
libmagic \ libmagic \
libmaxminddb \
libnet \ libnet \
libnetfilter_queue \ libnetfilter_queue \
libnfnetlink \ libnfnetlink \
@ -36,9 +36,9 @@ RUN apk -U --no-cache add \
hiredis-dev \ hiredis-dev \
jansson-dev \ jansson-dev \
libtool \ libtool \
libhtp-dev \
libcap-ng-dev \ libcap-ng-dev \
luajit-dev \ luajit-dev \
libmaxminddb-dev \
libpcap-dev \ libpcap-dev \
libnet-dev \ libnet-dev \
libnetfilter_queue-dev \ libnetfilter_queue-dev \
@ -47,20 +47,25 @@ RUN apk -U --no-cache add \
nss-dev \ nss-dev \
nspr-dev \ nspr-dev \
pcre-dev \ pcre-dev \
python2 \ python3 \
py2-pip \
rust \ rust \
yaml-dev && \ yaml-dev && \
# #
# Upgrade pip, install virtualenv # We need latest libhtp[-dev] which is only available in community
pip install --no-cache-dir --upgrade pip && \ apk -U add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community \
pip install --no-cache-dir suricata-update && \ libhtp \
libhtp-dev && \
#
# Upgrade pip, install suricata-update to meet deps, however we will not be using it
# to reduce image (no python needed) and use the update script.
pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir suricata-update && \
# #
# Get and build Suricata # Get and build Suricata
mkdir -p /opt/builder/ && \ mkdir -p /opt/builder/ && \
wget https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz && \ wget https://www.openinfosecfoundation.org/download/suricata-5.0.0.tar.gz && \
tar xvfz suricata-4.1.4.tar.gz --strip-components=1 -C /opt/builder/ && \ tar xvfz suricata-5.0.0.tar.gz --strip-components=1 -C /opt/builder/ && \
rm suricata-4.1.4.tar.gz && \ rm suricata-5.0.0.tar.gz && \
cd /opt/builder && \ cd /opt/builder && \
./configure \ ./configure \
--prefix=/usr \ --prefix=/usr \
@ -110,6 +115,7 @@ RUN apk -U --no-cache add \
libcap-ng-dev \ libcap-ng-dev \
luajit-dev \ luajit-dev \
libpcap-dev \ libpcap-dev \
libmaxminddb-dev \
libnet-dev \ libnet-dev \
libnetfilter_queue-dev \ libnetfilter_queue-dev \
libnfnetlink-dev \ libnfnetlink-dev \
@ -117,12 +123,12 @@ RUN apk -U --no-cache add \
nss-dev \ nss-dev \
nspr-dev \ nspr-dev \
pcre-dev \ pcre-dev \
python2 \ python3 \
py2-pip \
rust \ rust \
yaml-dev && \ yaml-dev && \
rm -rf /opt/builder && \ rm -rf /opt/builder && \
rm -rf /root/* && \ rm -rf /root/* && \
rm -rf /tmp/* && \
rm -rf /var/cache/apk/* rm -rf /var/cache/apk/*
# #
# Start suricata # Start suricata
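Review bot: The new `apk -U add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community libhtp libhtp-dev` in the fourth hunk pulls an unpinned package from the rolling edge branch into an otherwise stable-base image, so the libhtp version the build links against changes silently on every rebuild and may drift away from what suricata 5.0.0 was tested with; pin it (`libhtp=<VERSION-PLACEHOLDER> libhtp-dev=<VERSION-PLACEHOLDER>`) and consider the https form of the mirror URL, since apk signature checks cover package integrity but not what is observable about the fetch in transit. The suricata-5.0.0.tar.gz fetched by the wget in the same hunk is unpacked without any integrity check; inserting `echo "<SHA256-PLACEHOLDER>  suricata-5.0.0.tar.gz" | sha256sum -c -` between the wget and the tar would turn a tampered or truncated download into a build failure instead of a silently different binary. The single RUN instruction these hunks belong to starts in the first hunk and continues past the last one.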


@ -44,6 +44,7 @@ vars:
MODBUS_PORTS: 502 MODBUS_PORTS: 502
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
FTP_PORTS: 21 FTP_PORTS: 21
VXLAN_PORTS: 4789
## ##
## Step 2: select outputs to enable ## Step 2: select outputs to enable
@ -154,6 +155,40 @@ outputs:
# Enable the logging of tagged packets for rules using the # Enable the logging of tagged packets for rules using the
# "tag" keyword. # "tag" keyword.
tagged-packets: yes tagged-packets: yes
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
# length values, and other events that render the packet
# invalid for further processing or describe unexpected
# behavior on an established stream. Networks which
# experience high occurrences of anomalies may experience
# packet processing degradation.
#
# Anomalies are reported for the following:
# 1. Decode: Values and conditions that are detected while
# decoding individual packets. This includes invalid or
# unexpected values for low-level protocol lengths as well
# as stream related events (TCP 3-way handshake issues,
# unexpected sequence number, etc).
# 2. Stream: This includes stream related events (TCP
# 3-way handshake issues, unexpected sequence number,
# etc).
# 3. Application layer: These denote application layer
# specific conditions that are unexpected, invalid or are
# unexpected given the application monitoring state.
#
# By default, anomaly logging is disabled. When anomaly
# logging is enabled, applayer anomaly reporting is
# enabled.
enabled: yes
#
# Choose one or more types of anomaly logging and whether to enable
# logging of the packet header for packet anomalies.
types:
# decode: no
# stream: no
# applayer: yes
#packethdr: no
- http: - http:
extended: yes # enable this for extended logging information extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log # custom allows additional http fields to be included in eve-log
@ -162,16 +197,14 @@ outputs:
- dns: - dns:
# This configuration uses the new DNS logging format, # This configuration uses the new DNS logging format,
# the old configuration is still available: # the old configuration is still available:
# http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# Use version 2 logging with the new format:
# DNS answers will be logged in one single event # As of Suricata 5.0, version 2 of the eve dns output
# rather than an event for each of it. # format is the default.
# Without setting a version the version
# will fallback to 1 for backwards compatibility.
version: 2 version: 2
# Enable/disable this logger. Default: enabled. # Enable/disable this logger. Default: enabled.
#enabled: no #enabled: yes
# Control logging of requests and responses: # Control logging of requests and responses:
# - requests: enable logging of DNS queries # - requests: enable logging of DNS queries
@ -186,8 +219,8 @@ outputs:
# Default: all # Default: all
#formats: [detailed, grouped] #formats: [detailed, grouped]
# Answer types to log. # Types to log, based on the query type.
# Default: all # Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt] #types: [a, aaaa, cname, mx, ns, ptr, txt]
- tls: - tls:
extended: yes # enable this for extended logging information extended: yes # enable this for extended logging information
@ -196,7 +229,7 @@ outputs:
#session-resumption: no #session-resumption: no
# custom allows to control which tls fields that are included # custom allows to control which tls fields that are included
# in eve-log # in eve-log
custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3] custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, ja3, ja3s]
- files: - files:
force-magic: yes # force logging magic on all logged files force-magic: yes # force logging magic on all logged files
# force logging of checksums, available hash functions are md5, # force logging of checksums, available hash functions are md5,
@ -220,11 +253,15 @@ outputs:
md5: [body, subject] md5: [body, subject]
- dnp3 - dnp3
- ftp
- rdp
- nfs - nfs
- smb - smb
- tftp - tftp
- ikev2 - ikev2
- krb5 - krb5
- snmp
- sip
- dhcp: - dhcp:
# DHCP logging requires Rust. # DHCP logging requires Rust.
enabled: no enabled: no
@ -248,47 +285,11 @@ outputs:
# flowints. # flowints.
#- metadata #- metadata
# alert output for use with Barnyard2 # deprecated - unified2 alert format for use with Barnyard2
- unified2-alert: - unified2-alert:
enabled: no enabled: no
filename: unified2.alert # for further options see:
# https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#alert-output-for-use-with-barnyard2-unified2-alert
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
#limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts.
#sensor-id: 0
# Include payload of packets related to alerts. Defaults to true, set to
# false if payload is not required.
#payload: yes
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
# This is helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: yes
# Two operation modes are available, "extra-data" and "overwrite". Note
# that in the "overwrite" mode, if the reported IP address in the HTTP
# X-Forwarded-For header is of a different version of the packet
# received, it will fall-back to "extra-data" mode.
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
# a line based log of HTTP requests (no alerts) # a line based log of HTTP requests (no alerts)
- http-log: - http-log:
@ -318,14 +319,6 @@ outputs:
enabled: no enabled: no
#certs-log-dir: certs # directory to store the certificates files #certs-log-dir: certs # directory to store the certificates files
# a line based log of DNS requests and/or replies (no alerts)
# Note: not available when Rust is enabled (--enable-rust).
- dns-log:
enabled: no
filename: dns.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# Packet log... log packets in pcap format. 3 modes of operation: "normal" # Packet log... log packets in pcap format. 3 modes of operation: "normal"
# "multi" and "sguil". # "multi" and "sguil".
# #
@ -423,12 +416,11 @@ outputs:
#level: Info ## possible levels: Emergency, Alert, Critical, #level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug ## Error, Warning, Notice, Info, Debug
# a line based information for dropped packets in IPS mode # deprecated a line based information for dropped packets in IPS mode
- drop: - drop:
enabled: no enabled: no
filename: drop.log # further options documented at:
append: yes # https://suricata.readthedocs.io/en/suricata-5.0.0/configuration/suricata-yaml.html#drop-log-a-line-based-information-for-dropped-packets
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# Output module for storing files on disk. Files are stored in a # Output module for storing files on disk. Files are stored in a
# directory names consisting of the first 2 characters of the # directory names consisting of the first 2 characters of the
@ -446,6 +438,7 @@ outputs:
# #
# To prune the filestore directory see the "suricatactl filestore # To prune the filestore directory see the "suricatactl filestore
# prune" command which can delete files over a certain age. # prune" command which can delete files over a certain age.
- file-store: - file-store:
version: 2 version: 2
enabled: no enabled: no
@ -495,51 +488,11 @@ outputs:
# one taken into consideration. # one taken into consideration.
header: X-Forwarded-For header: X-Forwarded-For
# output module to store extracted files to disk (old style, deprecated) # deprecated - file-store v1
#
# The files are stored to the log-dir in a format "file.<id>" where <id> is
# an incrementing number starting at 1. For each file "file.<id>" a meta
# file "file.<id>.meta" is created. Before they are finalized, they will
# have a ".tmp" suffix to indicate that they are still being processed.
#
# If include-pid is yes, then the files are instead "file.<pid>.<id>", with
# meta files named as "file.<pid>.<id>.meta"
#
# File extraction depends on a lot of things to be fully done:
# - file-store stream-depth. For optimal results, set this to 0 (unlimited)
# - http request / response body sizes. Again set to 0 for optimal results.
# - rules that contain the "filestore" keyword.
- file-store: - file-store:
enabled: no # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
force-filestore: no # force storing of all files
# override global stream-depth for sessions in which we want to
# perform file extraction. Set to 0 for unlimited.
#stream-depth: 0
#waldo: file.waldo # waldo file to store the file_id across runs
# uncomment to disable meta file writing
#write-meta: no
# uncomment the following variable to define how many files can
# remain open for filestore by Suricata. Default value is 0 which
# means files get closed after each write
#max-open-files: 1000
include-pid: no # set to yes to include pid in file names
# output module to log files tracked in a easily parsable JSON format
- file-log:
enabled: no enabled: no
filename: files-json.log # further options documented at:
append: yes # https://suricata.readthedocs.io/en/suricata-5.0.0/file-extraction/file-extraction.html#file-store-version-1
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
# Log TCP data after stream normalization # Log TCP data after stream normalization
# 2 types: file or dir. File logs into a single logfile. Dir creates # 2 types: file or dir. File logs into a single logfile. Dir creates
@ -771,6 +724,8 @@ app-layer:
protocols: protocols:
krb5: krb5:
enabled: yes enabled: yes
snmp:
enabled: yes
ikev2: ikev2:
enabled: yes enabled: yes
tls: tls:
@ -800,6 +755,8 @@ app-layer:
ftp: ftp:
enabled: yes enabled: yes
# memcap: 64mb # memcap: 64mb
rdp:
enabled: yes
ssh: ssh:
enabled: yes enabled: yes
smtp: smtp:
@ -832,8 +789,6 @@ app-layer:
content-inspect-window: 4096 content-inspect-window: 4096
imap: imap:
enabled: detection-only enabled: detection-only
msn:
enabled: detection-only
# Note: --enable-rust is required for full SMB1/2 support. W/o rust # Note: --enable-rust is required for full SMB1/2 support. W/o rust
# only minimal SMB1 support is available. # only minimal SMB1 support is available.
smb: smb:
@ -869,7 +824,8 @@ app-layer:
dp: 53 dp: 53
http: http:
enabled: yes enabled: yes
# memcap: 64mb # memcap: Maximum memory capacity for http
# Default is unlimited, value can be such as 64mb
# default-config: Used when no server-config matches # default-config: Used when no server-config matches
# personality: List of personalities used by default # personality: List of personalities used by default
@ -877,37 +833,15 @@ app-layer:
# by http_client_body & pcre /P option. # by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection # response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option. # by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
# response-body-decompress-layer-limit:
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
# #
# For advanced options, see the user guide
# server-config: List of server configurations to use if address matches # server-config: List of server configurations to use if address matches
# address: List of IP addresses or networks for this block # address: List of IP addresses or networks for this block
# personalitiy: List of personalities used by this block # personalitiy: List of personalities used by this block
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
# #
# uri-include-all: Include all parts of the URI. By default the # Then, all the fields from default-config can be overloaded
# 'scheme', username/password, hostname and port
# are excluded. Setting this option to true adds
# all of them to the normalized uri as inspected
# by http_uri, urilen, pcre with /U and the other
# keywords that inspect the normalized uri.
# Note that this does not affect http_raw_uri.
# Also, note that including all was the default in
# 1.4 and 2.0beta1.
#
# meta-field-limit: Hard size limit for request and response size
# limits. Applies to request line and headers,
# response line and headers. Does not apply to
# request or response bodies. Default is 18k.
# If this limit is reached an event is raised.
# #
# Currently Available Personalities: # Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
@ -1027,6 +961,11 @@ app-layer:
dhcp: dhcp:
enabled: no enabled: no
# SIP, disabled by default.
sip:
enabled: yes
# Limit for the maximum number of asn1 frames to decode (default 256) # Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256 asn1-max-frames: 256
@ -1565,7 +1504,7 @@ profiling:
limit: 10 limit: 10
# output to json # output to json
json: yes json: no
# per keyword profiling # per keyword profiling
keywords: keywords:
@ -1814,32 +1753,45 @@ napatech:
# a range of streams (e.g. streams: ["0-3"]) # a range of streams (e.g. streams: ["0-3"])
streams: ["0-3"] streams: ["0-3"]
# Tilera mpipe configuration. for use on Tilera TILE-Gx. # When auto-config is enabled the streams will be created and assigned
mpipe: # automatically to the NUMA node where the thread resides. If cpu-affinity
# is enabled in the threading section. Then the streams will be created
# according to the number of worker threads specified in the worker cpu set.
# Otherwise, the streams array is used to define the streams.
#
# This option cannot be used simultaneous with "use-all-streams".
#
auto-config: yes
# Load balancing modes: "static", "dynamic", "sticky", or "round-robin". # Ports indicates which napatech ports are to be used in auto-config mode.
load-balance: dynamic # these are the port ID's of the ports that will be merged prior to the
# traffic being distributed to the streams.
#
# This can be specified in any of the following ways:
#
# a list of individual ports (e.g. ports: [0,1,2,3])
#
# a range of ports (e.g. ports: [0-3])
#
# "all" to indicate that all ports are to be merged together
# (e.g. ports: [all])
#
# This has no effect if auto-config is disabled.
#
ports: [all]
# Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 # When auto-config is enabled the hashmode specifies the algorithm for
iqueue-packets: 2048 # determining to which stream a given packet is to be delivered.
# This can be any valid Napatech NTPL hashmode command.
# List of interfaces we will listen on. #
inputs: # The most common hashmode commands are: hash2tuple, hash2tuplesorted,
- interface: xgbe2 # hash5tuple, hash5tuplesorted and roundrobin.
- interface: xgbe3 #
- interface: xgbe4 # See Napatech NTPL documentation other hashmodes and details on their use.
#
# This has no effect if auto-config is disabled.
# Relative weight of memory for packets of each mPipe buffer size. #
stack: hashmode: hash5tuplesorted
size128: 0
size256: 9
size512: 0
size1024: 0
size1664: 7
size4096: 0
size10386: 0
size16384: 0
## ##
## Configure Suricata to load Suricata-Update managed rules. ## Configure Suricata to load Suricata-Update managed rules.
@ -1870,29 +1822,34 @@ rule-files:
- drop.rules - drop.rules
- dshield.rules - dshield.rules
- emerging-activex.rules - emerging-activex.rules
- emerging-adware_pup.rules
- emerging-attack_response.rules - emerging-attack_response.rules
- emerging-chat.rules - emerging-chat.rules
- emerging-coinminer.rules
- emerging-current_events.rules - emerging-current_events.rules
- emerging-dns.rules - emerging-dns.rules
- emerging-dos.rules - emerging-dos.rules
- emerging-exploit.rules - emerging-exploit.rules
- emerging-exploit_kit.rules
- emerging-ftp.rules - emerging-ftp.rules
- emerging-games.rules - emerging-games.rules
- emerging-hunting.rules
- emerging-icmp_info.rules - emerging-icmp_info.rules
- emerging-icmp.rules - emerging-icmp.rules
- emerging-imap.rules - emerging-imap.rules
- emerging-inappropriate.rules - emerging-inappropriate.rules
- emerging-info.rules - emerging-info.rules
- emerging-ja3.rules
- emerging-malware.rules - emerging-malware.rules
- emerging-misc.rules - emerging-misc.rules
- emerging-mobile_malware.rules - emerging-mobile_malware.rules
- emerging-netbios.rules - emerging-netbios.rules
- emerging-p2p.rules - emerging-p2p.rules
- emerging-phishing.rules
- emerging-policy.rules - emerging-policy.rules
- emerging-pop3.rules - emerging-pop3.rules
- emerging-rpc.rules - emerging-rpc.rules
- emerging-scada.rules - emerging-scada.rules
#- emerging-scada_special.rules
- emerging-scan.rules - emerging-scan.rules
- emerging-shellcode.rules - emerging-shellcode.rules
- emerging-smtp.rules - emerging-smtp.rules
@ -1900,7 +1857,7 @@ rule-files:
- emerging-sql.rules - emerging-sql.rules
- emerging-telnet.rules - emerging-telnet.rules
- emerging-tftp.rules - emerging-tftp.rules
- emerging-trojan.rules # - emerging-trojan.rules
- emerging-user_agents.rules - emerging-user_agents.rules
- emerging-voip.rules - emerging-voip.rules
- emerging-web_client.rules - emerging-web_client.rules
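Review bot: `enabled: yes` for the new `anomaly` eve output (hunk `@ -154,6 +155,40`) turns on a logger whose own comment warns that networks with high anomaly rates may see packet-processing degradation, and a sensor that deliberately attracts scanning and malformed traffic is exactly that case, so expect a noticeable increase in eve.json volume; if it stays on, make the selection explicit rather than leaving `types:` as a bare key with every child commented out, e.g. uncomment `applayer: yes` under it (which type defaults apply to an empty `types:` is not visible here). The `# SIP, disabled by default.` comment added in hunk `@ -1027,6 +961,11` contradicts the `sip:` / `enabled: yes` directly below it; reword it to something like `# SIP parser, explicitly enabled here`. The `outputs:` and `app-layer:` blocks these hunks belong to start and end outside the hunks.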


@ -14,12 +14,12 @@ function fuDLRULES {
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ]; if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
then then
echo "Downloading ET open ruleset." echo "Downloading ET open ruleset."
wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
else else
if [ "$myOINKCODE" != "" ]; if [ "$myOINKCODE" != "" ];
then then
echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE." echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
else else
echo "Usage: update.sh <[OPEN, OINKCODE]>" echo "Usage: update.sh <[OPEN, OINKCODE]>"
exit exit
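Review bot: The two updated `wget ... -O /tmp/rules.tar.gz` lines never check wget's exit status, so with `--tries=2 --timeout=2` a failed or truncated fetch of the 5.0 ruleset leaves a missing or partial /tmp/rules.tar.gz and, presumably, the rest of fuDLRULES goes on to unpack it; append `|| { echo "Ruleset download failed."; exit 1; }` to each wget, or run the function under `set -e`. The `echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."` on the line before the second wget writes the subscription credential into the container log; print a fixed string instead. fuDLRULES begins before this hunk and continues after it.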