Bump Suricata to 4.1.3

Build with Rust
Enable JA3
Enable more protocols
Improve payload logging
... and more.

README.md

@@ -78,6 +78,8 @@ Furthermore we use the following tools
   - For almost 5 years Ubuntu LTS versions were our distributions of choice. Last year we made a design choice for T-Pot to be closer to a rolling release model and thus allowing us to issue smaller changes and releases in a more timely manner. The distribution of choice is Debian (Sid / unstable) which will provide us with the latest advancements in a Debian based distribution.
 - **Include HoneyPy honeypot**
   - *HoneyPy* is now included in the NEXTGEN installation type
+- **Include Suricata 4.1.3**
+  - Building *Suricata 4.1.3* from scratch to enable JA3 and overall better protocol support.
 - **Update tools to the latest versions**
   - ELK Stack 6.6.2
   - CyberChef 8.27.0

docker/suricata/Dockerfile

@@ -4,20 +4,91 @@ FROM alpine
 ADD dist/ /root/dist/
 
 # Install packages
-RUN apk -U --no-cache add \
+RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+    apk -U --no-cache add \
                  ca-certificates \
                  curl \
                  file \
-                 libcap \
+                 geoip \
-                 wget && \
+                 hiredis \
-    apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
+                 jansson \
-                 suricata && \
+                 libcap-ng \
+                 libhtp \
+                 libmagic \
+                 libnet \
+                 libnetfilter_queue \
+                 libnfnetlink \
+                 libpcap \
+                 luajit \
+                 lz4-libs \
+                 musl \
+                 nspr \
+                 nss \
+                 pcre \
+                 yaml \
+                 wget \
+                 automake \
+                 autoconf \
+                 build-base \
+                 cargo \
+                 file-dev \
+                 geoip-dev \
+                 hiredis-dev \
+                 jansson-dev \
+                 libtool \
+                 libhtp-dev \
+                 libcap-ng-dev \
+                 luajit-dev \
+                 libpcap-dev \
+                 libnet-dev \
+                 libnetfilter_queue-dev \
+                 libnfnetlink-dev \
+                 lz4-dev \
+                 nss-dev \
+                 nspr-dev \
+                 pcre-dev \
+                 python2 \
+                 py2-pip \
+                 rust \
+                 yaml-dev && \
+
+# Upgrade pip, install virtualenv
+    pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir suricata-update && \
+
+# Get and build Suricata
+    mkdir -p /opt/builder/ && \
+    wget https://www.openinfosecfoundation.org/download/suricata-4.1.3.tar.gz && \
+    tar xvfz suricata-4.1.3.tar.gz --strip-components=1 -C /opt/builder/ && \
+    rm suricata-4.1.3.tar.gz && \
+    cd /opt/builder && \
+    ./configure \
+	--prefix=/usr \
+	--sysconfdir=/etc \
+	--mandir=/usr/share/man \
+	--localstatedir=/var \
+	--enable-non-bundled-htp \
+	--enable-nfqueue \
+        --enable-rust \
+	--disable-gccmarch-native \
+	--enable-hiredis \
+	--enable-geoip \
+	--enable-gccprotect \
+	--enable-pie \
+	--enable-luajit && \
+    make && \
+    make check && \
+    make install && \
+    make install-full && \
 
 # Setup user, groups and configs
     addgroup -g 2000 suri && \
     adduser -S -H -u 2000 -D -g 2000 suri && \
+    chmod 644 /etc/suricata/*.config && \
     cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
     cp /root/dist/*.bpf /etc/suricata/ && \
+    mkdir -p /etc/suricata/rules && \
+    cp /opt/builder/rules/* /etc/suricata/rules/ && \
 
 # Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
     cp /root/dist/update.sh /usr/bin/ && \
@@ -25,6 +96,32 @@ RUN apk -U --no-cache add \
     update.sh OPEN && \
 
 # Clean up
+    apk del --purge \
+                 automake \
+                 autoconf \
+                 build-base \
+                 cargo \
+                 file-dev \
+                 geoip-dev \
+                 hiredis-dev \
+                 jansson-dev \
+                 libtool \
+                 libhtp-dev \
+                 libcap-ng-dev \
+                 luajit-dev \
+                 libpcap-dev \
+                 libnet-dev \
+                 libnetfilter_queue-dev \
+                 libnfnetlink-dev \
+                 lz4-dev \
+                 nss-dev \
+                 nspr-dev \
+                 pcre-dev \
+                 python2 \
+                 py2-pip \
+                 rust \
+                 yaml-dev && \
+    rm -rf /opt/builder && \
     rm -rf /root/* && \
     rm -rf /var/cache/apk/*
 

docker/suricata/Dockerfile.backup

@@ -0,0 +1,33 @@
+FROM alpine
+
+# Include dist
+ADD dist/ /root/dist/
+
+# Install packages
+RUN apk -U --no-cache add \
+                 ca-certificates \
+                 curl \
+                 file \
+                 libcap \
+                 wget && \
+    apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
+                 suricata && \
+
+# Setup user, groups and configs
+    addgroup -g 2000 suri && \
+    adduser -S -H -u 2000 -D -g 2000 suri && \
+    cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+    cp /root/dist/*.bpf /etc/suricata/ && \
+
+# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+    cp /root/dist/update.sh /usr/bin/ && \
+    chmod 755 /usr/bin/update.sh && \
+    update.sh OPEN && \
+
+# Clean up
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+
+# Start suricata
+STOPSIGNAL SIGINT
+CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])

docker/suricata/docker-compose.yml.backup

@@ -0,0 +1,20 @@
+version: '2.3'
+
+services:
+
+# Suricata service
+  suricata:
+    build: .
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:1903"
+    volumes:
+     - /data/suricata/log:/var/log/suricata