Merge pull request #727 from adepasquale/suricata-update

Suricata: use suricata-update for rule management

docker/suricata/Dockerfile

@@ -17,13 +17,15 @@ RUN apk -U --no-cache add \
     addgroup -g 2000 suri && \
     adduser -S -H -u 2000 -D -g 2000 suri && \
     chmod 644 /etc/suricata/*.config && \
-    cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+    cp /root/dist/*.yaml /etc/suricata/ && \
+    cp /root/dist/*.conf /etc/suricata/ && \
     cp /root/dist/*.bpf /etc/suricata/ && \
 #
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+# Download the latest EmergingThreats OPEN ruleset
     cp /root/dist/update.sh /usr/bin/ && \
     chmod 755 /usr/bin/update.sh && \
-    update.sh OPEN && \
+    suricata-update update-sources && \
+    suricata-update --no-reload && \
 #
 # Clean up
     rm -rf /root/* && \

docker/suricata/Dockerfile.from.source

@@ -59,8 +59,7 @@ RUN    apk -U add \
                libhtp \
                libhtp-dev && \
 #
-# Upgrade pip, install suricata-update to meet deps, however we will not be using it 
-# to reduce image (no python needed) and use the update script.
+# Upgrade pip, install suricata-update to meet deps
     pip3 install --no-cache-dir --upgrade pip && \
     pip3 install --no-cache-dir suricata-update && \
 #
@@ -93,15 +92,17 @@ RUN    apk -U add \
     addgroup -g 2000 suri && \
     adduser -S -H -u 2000 -D -g 2000 suri && \
     chmod 644 /etc/suricata/*.config && \
-    cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+    cp /root/dist/*.yaml /etc/suricata/ && \
+    cp /root/dist/*.conf /etc/suricata/ && \
     cp /root/dist/*.bpf /etc/suricata/ && \
     mkdir -p /etc/suricata/rules && \
     cp /opt/builder/rules/* /etc/suricata/rules/ && \
 #
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+# Download the latest EmergingThreats OPEN ruleset
     cp /root/dist/update.sh /usr/bin/ && \
     chmod 755 /usr/bin/update.sh && \
-    update.sh OPEN && \
+    suricata-update update-sources && \
+    suricata-update --no-reload && \
 #
 # Clean up
     apk del --purge \
@@ -126,8 +127,6 @@ RUN    apk -U add \
                  nss-dev \
                  nspr-dev \
                  pcre-dev \
-		 python3 \
-                 rust \
                  yaml-dev && \
     rm -rf /opt/builder && \
     rm -rf /root/* && \

docker/suricata/dist/capture-filter.bpf

@@ -1,4 +1,5 @@
 not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
+not (host rules.emergingthreats.net or rules.emergingthreatspro.com) and
 not (host deb.debian.org) and
 not (host ghcr.io) and
 not (host index.docker.io or docker.io)

docker/suricata/dist/enable.conf

@@ -0,0 +1,3 @@
+# Since honeypot traffic is usually low, we can afford to enable
+# all the rules that are normally disabled for performance reasons.
+re:.

docker/suricata/dist/suricata.yaml

@@ -1061,7 +1061,7 @@ host-mode: auto
 # activated in live capture mode. You can use the filename variable to set
 # the file name of the socket.
 unix-command:
-  enabled: no
+  enabled: yes
   #filename: custom.socket
 
 # Magic file. The extension .mgc is added to the value here.
@@ -1862,78 +1862,15 @@ napatech:
 ## Configure Suricata to load Suricata-Update managed rules.
 ##
 
-#default-rule-path: /var/lib/suricata/rules
-default-rule-path: /etc/suricata/rules
-
+default-rule-path: /var/lib/suricata/rules
 rule-files:
- - botcc.rules
- - botcc.portgrouped.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-adware_pup.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-coinminer.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-exploit_kit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-hunting.rules
- - emerging-icmp_info.rules
- - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-info.rules
- - emerging-ja3.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-phishing.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
-# - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules  # available in suricata sources under rules dir
- - http-events.rules    # available in suricata sources under rules dir
- - smtp-events.rules    # available in suricata sources under rules dir
- - dns-events.rules     # available in suricata sources under rules dir
- - tls-events.rules     # available in suricata sources under rules dir
- - modbus-events.rules  # available in suricata sources under rules dir
- - app-layer-events.rules  # available in suricata sources under rules dir
- - dnp3-events.rules       # available in suricata sources under rules dir
- - ntp-events.rules       # available in suricata sources under rules dir
- - ipsec-events.rules       # available in suricata sources under rules dir
- - kerberos-events.rules       # available in suricata sources under rules dir
+ - suricata.rules
 
 ##
 ## Auxiliary configuration files.
 ##
 
-classification-file: /etc/suricata/rules/classification.config
+classification-file: /var/lib/suricata/rules/classification.config
 reference-config-file: /etc/suricata/reference.config
 # threshold-file: /etc/suricata/threshold.config
 

docker/suricata/dist/update.sh

@@ -9,24 +9,6 @@ trap fuCLEANUP EXIT
 ### Vars
 myOINKCODE="$1"
 
-function fuDLRULES {
-### Check if args are present then download rules, if not throw error
-if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
-  then
-    echo "Downloading ET open ruleset."
-    wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
-  else
-    if [ "$myOINKCODE" != "" ];
-      then
-	echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
-	wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
-      else	
-        echo "Usage: update.sh <[OPEN, OINKCODE]>"
-	exit
-    fi	
-fi
-}
-
 # Check internet availability 
 function fuCHECKINET () {
 mySITES=$1
@@ -46,9 +28,14 @@ for i in $mySITES;
 myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
 if [ "$myCHECK" == "0" ];
   then
-    fuDLRULES 2>&1 > /dev/null
-    tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
-    sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+    if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
+      then
+        suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
+      else
+        # suricata-update uses et/open ruleset by default if not configured
+        rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
+    fi
+    suricata-update -q --no-test --no-reload > /dev/null
     echo "/etc/suricata/capture-filter.bpf"
   else
     echo "/etc/suricata/null.bpf"

docker/suricata/dist/update.yaml

@@ -0,0 +1,12 @@
+disable-conf: /etc/suricata/disable.conf
+enable-conf: /etc/suricata/enable.conf
+#drop-conf: /etc/suricata/drop.conf
+modify-conf: /etc/suricata/modify.conf
+
+ignore:
+  - "*deleted.rules"
+  - "dhcp-events.rules"  # DHCP is disabled in suricata.yaml
+  - "files.rules"  # file-store is disabled in suricata.yaml
+
+reload-command: suricatasc -c ruleset-reload-rules
+