Bump Suricata to 4.1.3

Build with Rust
Enable JA3
Enable more protocols
Improve payload logging
... and more.
This commit is contained in:
t3chn0m4g3 2019-03-26 16:26:47 +00:00
parent b5d45bc539
commit c7e9015a5a
5 changed files with 624 additions and 257 deletions


@ -78,6 +78,8 @@ Furthermore we use the following tools
- For almost 5 years Ubuntu LTS versions were our distributions of choice. Last year we made a design choice for T-Pot to be closer to a rolling release model and thus allowing us to issue smaller changes and releases in a more timely manner. The distribution of choice is Debian (Sid / unstable) which will provide us with the latest advancements in a Debian based distribution.
- **Include HoneyPy honeypot**
- *HoneyPy* is now included in the NEXTGEN installation type
- **Include Suricata 4.1.3**
- Building *Suricata 4.1.3* from scratch to enable JA3 and overall better protocol support.
- **Update tools to the latest versions**
- ELK Stack 6.6.2
- CyberChef 8.27.0


@ -4,20 +4,91 @@ FROM alpine
ADD dist/ /root/dist/
# Install packages
RUN apk -U --no-cache add \
RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
apk -U --no-cache add \
ca-certificates \
curl \
file \
libcap \
wget && \
apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
suricata && \
geoip \
hiredis \
jansson \
libcap-ng \
libhtp \
libmagic \
libnet \
libnetfilter_queue \
libnfnetlink \
libpcap \
luajit \
lz4-libs \
musl \
nspr \
nss \
pcre \
yaml \
wget \
automake \
autoconf \
build-base \
cargo \
file-dev \
geoip-dev \
hiredis-dev \
jansson-dev \
libtool \
libhtp-dev \
libcap-ng-dev \
luajit-dev \
libpcap-dev \
libnet-dev \
libnetfilter_queue-dev \
libnfnetlink-dev \
lz4-dev \
nss-dev \
nspr-dev \
pcre-dev \
python2 \
py2-pip \
rust \
yaml-dev && \
# Upgrade pip, install virtualenv
pip install --no-cache-dir --upgrade pip && \
pip install --no-cache-dir suricata-update && \
# Get and build Suricata
mkdir -p /opt/builder/ && \
wget https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz && \
tar xvfz suricata-4.1.3.tar.gz --strip-components=1 -C /opt/builder/ && \
rm suricata-4.1.3.tar.gz && \
cd /opt/builder && \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--localstatedir=/var \
--enable-non-bundled-htp \
--enable-nfqueue \
--enable-rust \
--disable-gccmarch-native \
--enable-hiredis \
--enable-geoip \
--enable-gccprotect \
--enable-pie \
--enable-luajit && \
make && \
make check && \
make install && \
make install-full && \
# Setup user, groups and configs
addgroup -g 2000 suri && \
adduser -S -H -u 2000 -D -g 2000 suri && \
chmod 644 /etc/suricata/*.config && \
cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
cp /root/dist/*.bpf /etc/suricata/ && \
mkdir -p /etc/suricata/rules && \
cp /opt/builder/rules/* /etc/suricata/rules/ && \
# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
cp /root/dist/update.sh /usr/bin/ && \
@ -25,6 +96,32 @@ RUN apk -U --no-cache add \
update.sh OPEN && \
# Clean up
apk del --purge \
automake \
autoconf \
build-base \
cargo \
file-dev \
geoip-dev \
hiredis-dev \
jansson-dev \
libtool \
libhtp-dev \
libcap-ng-dev \
luajit-dev \
libpcap-dev \
libnet-dev \
libnetfilter_queue-dev \
libnfnetlink-dev \
lz4-dev \
nss-dev \
nspr-dev \
pcre-dev \
python2 \
py2-pip \
rust \
yaml-dev && \
rm -rf /opt/builder && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
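Review bot: The Suricata source fetched with `wget https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz` is extracted and built with no integrity check, so the image content depends on whatever the download host serves at build time and a truncated or tampered archive would go unnoticed. Inserting `echo "<SHA256_OF_SURICATA_4.1.3_TARBALL>  suricata-4.1.3.tar.gz" | sha256sum -c - && \` between the `wget` line and the `tar xvfz` line, with the hash taken from the upstream release announcement, pins the build to the published release. The same RUN also rewrites the package mirror with `sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories` and nothing explains why; a why-comment such as `# dl-2 is used instead of dl-cdn because <reason> — remove once no longer needed` would let the next maintainer decide whether to keep it. The `USER`/`CMD` instructions of this Dockerfile are outside both hunks, so whether the built service drops to the `suri` account created here cannot be judged from this page.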


@ -0,0 +1,33 @@
FROM alpine
# Include dist
ADD dist/ /root/dist/
# Install packages
RUN apk -U --no-cache add \
ca-certificates \
curl \
file \
libcap \
wget && \
apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
suricata && \
# Setup user, groups and configs
addgroup -g 2000 suri && \
adduser -S -H -u 2000 -D -g 2000 suri && \
cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
cp /root/dist/*.bpf /etc/suricata/ && \
# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
cp /root/dist/update.sh /usr/bin/ && \
chmod 755 /usr/bin/update.sh && \
update.sh OPEN && \
# Clean up
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Start suricata
STOPSIGNAL SIGINT
CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
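Review bot: `addgroup -g 2000 suri` and `adduser -S -H -u 2000 -D -g 2000 suri` create an unprivileged account that nothing uses: there is no `USER` instruction and the `CMD` starts `suricata` as root, so the capture process keeps root plus every capability the runtime grants. Suricata can drop privileges itself after opening the interface, so `exec suricata -v --user suri --group suri -F $SURICATA_CAPTURE_FILTER -i ...` would use the account the image already creates (this needs the edge package built with libcap-ng support and `/var/log/suricata` writable by uid 2000 — verify both before relying on it). Separately, `tr -d [:punct:]` is unquoted, so the shell may expand `[:punct:]` as a glob against the working directory; `tr -d '[:punct:]'` is what is intended. The `grep '^2: '` interface selection silently assumes the second entry of `ip address` is the capture interface, which deserves a comment stating that assumption.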



@ -0,0 +1,20 @@
version: '2.3'
services:
# Suricata service
suricata:
build: .
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:1903"
volumes:
- /data/suricata/log:/var/log/suricata
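Review bot: The `cap_add` list grants NET_ADMIN, SYS_NICE and NET_RAW on top of Docker's default capability set rather than instead of it, and combined with `network_mode: "host"` and an image whose CMD runs as root that is a wider grant than a sensor needs; adding `cap_drop:` with `- ALL` above `cap_add` keeps only the three listed (verify Suricata still starts with just those, since privilege dropping or AF_PACKET setup may require more). The `OINKCODE` entry is meant to be edited in place per the comment above it, which puts an ET Pro subscription code into a tracked file and into `docker inspect` output; `- OINKCODE=${OINKCODE:-OPEN}` lets it come from a `.env` file or the shell while keeping OPEN as the default.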