From 87a27e4f2b1964cd472edc56600de5dbb36f964b Mon Sep 17 00:00:00 2001
From: Andrea De Pasquale
Date: Thu, 26 Nov 2020 18:10:16 +0100
Subject: [PATCH] Suricata: use suricata-update for rule management

As a bonus we can now run "suricata-update" using docker-exec, triggering both a rule update and a Suricata rule reload.
---
 docker/suricata/Dockerfile | 8 +--
 docker/suricata/Dockerfile.from.source | 13 +++--
 docker/suricata/dist/capture-filter.bpf | 1 +
 docker/suricata/dist/disable.conf | 0
 docker/suricata/dist/enable.conf | 3 ++
 docker/suricata/dist/modify.conf | 0
 docker/suricata/dist/suricata.yaml | 71 ++-----------------------
 docker/suricata/dist/update.sh | 29 +++-------
 docker/suricata/dist/update.yaml | 12 +++++
 9 files changed, 39 insertions(+), 98 deletions(-)
 create mode 100644 docker/suricata/dist/disable.conf
 create mode 100644 docker/suricata/dist/enable.conf
 create mode 100644 docker/suricata/dist/modify.conf
 create mode 100644 docker/suricata/dist/update.yaml

diff --git a/docker/suricata/Dockerfile b/docker/suricata/Dockerfile
index 6d8166e0..ae26908a 100644
--- a/docker/suricata/Dockerfile
+++ b/docker/suricata/Dockerfile
@@ -17,13 +17,15 @@ RUN apk -U --no-cache add \
 addgroup -g 2000 suri && \
 adduser -S -H -u 2000 -D -g 2000 suri && \
 chmod 644 /etc/suricata/*.config && \
- cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+ cp /root/dist/*.yaml /etc/suricata/ && \
+ cp /root/dist/*.conf /etc/suricata/ && \
 cp /root/dist/*.bpf /etc/suricata/ && \
 #
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+# Download the latest EmergingThreats OPEN ruleset
 cp /root/dist/update.sh /usr/bin/ && \
 chmod 755 /usr/bin/update.sh && \
- update.sh OPEN && \
+ suricata-update update-sources && \
+ suricata-update --no-reload && \
 #
 # Clean up
 rm -rf /root/* && \
diff --git a/docker/suricata/Dockerfile.from.source b/docker/suricata/Dockerfile.from.source
index 6dcfe1f8..97edc894 100644
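Review bot: The build-time `suricata-update update-sources && suricata-update --no-reload` runs as root, so the rule tree it creates under `/var/lib/suricata` — the directory every later `suricata-update` run (the `docker exec` the commit message advertises, and `update.sh` at start-up) rewrites — is root-owned, while the same hunk creates the unprivileged `suri` user and never changes ownership of that directory. If the container or the exec'd update runs as `suri`, the runtime update fails with a permission error and the image keeps whatever rules were baked in at build time; I cannot see the run-as user from this hunk, so please confirm, and either add `chown -R suri:suri /var/lib/suricata && \` after the update step or document that updates must run as root. A one-line comment that the fetch happens at image build (rules are as old as the image until the first runtime update) would also help, since `update.sh` no longer does what its old comment described. The enclosing `RUN` instruction starts before this hunk.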
--- a/docker/suricata/Dockerfile.from.source
+++ b/docker/suricata/Dockerfile.from.source
@@ -59,8 +59,7 @@ RUN apk -U add \
 libhtp \
 libhtp-dev && \
 #
-# Upgrade pip, install suricata-update to meet deps, however we will not be using it
-# to reduce image (no python needed) and use the update script.
+# Upgrade pip, install suricata-update to meet deps
 pip3 install --no-cache-dir --upgrade pip && \
 pip3 install --no-cache-dir suricata-update && \
 #
@@ -93,15 +92,17 @@ RUN apk -U add \
 addgroup -g 2000 suri && \
 adduser -S -H -u 2000 -D -g 2000 suri && \
 chmod 644 /etc/suricata/*.config && \
- cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+ cp /root/dist/*.yaml /etc/suricata/ && \
+ cp /root/dist/*.conf /etc/suricata/ && \
 cp /root/dist/*.bpf /etc/suricata/ && \
 mkdir -p /etc/suricata/rules && \
 cp /opt/builder/rules/* /etc/suricata/rules/ && \
 #
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
+# Download the latest EmergingThreats OPEN ruleset
 cp /root/dist/update.sh /usr/bin/ && \
 chmod 755 /usr/bin/update.sh && \
- update.sh OPEN && \
+ suricata-update update-sources && \
+ suricata-update --no-reload && \
 #
 # Clean up
 apk del --purge \
@@ -126,8 +127,6 @@ RUN apk -U add \
 nss-dev \
 nspr-dev \
 pcre-dev \
- python3 \
- rust \
 yaml-dev && \
 rm -rf /opt/builder && \
 rm -rf /root/* && \
diff --git a/docker/suricata/dist/capture-filter.bpf b/docker/suricata/dist/capture-filter.bpf
index e2daeec9..582729ca 100644
--- a/docker/suricata/dist/capture-filter.bpf
+++ b/docker/suricata/dist/capture-filter.bpf
@@ -1,4 +1,5 @@
 not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
+not (host rules.emergingthreats.net or rules.emergingthreatspro.com) and
 not (host deb.debian.org) and
 not (host ghcr.io) and
 not (host index.docker.io or docker.io)
diff --git a/docker/suricata/dist/disable.conf b/docker/suricata/dist/disable.conf
new file mode 100644
index 00000000..e69de29b
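Review bot: Removing `- rust \` from the `apk del --purge` list leaves the Rust toolchain in the final image, and nothing in the hunk justifies it: `python3` has to stay because `suricata-update` is a Python program, but no runtime consumer of a compiler is visible. Unless `pip3 install suricata-update` pulls in a dependency that needs `rustc` to build on this Alpine base (I do not believe it does, but I cannot verify it from here), keep `rust \` on the purge list, or add a comment above the list explaining why the toolchain is retained — a build compiler in a honeypot sensor image is avoidable attack surface and size. The enclosing `RUN` instruction starts before this hunk.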
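Review bot: A `host <name>` primitive in a libpcap/BPF filter is resolved to addresses once, when the filter is compiled, so the new `not (host rules.emergingthreats.net or rules.emergingthreatspro.com)` line excludes only the addresses those names resolved to when Suricata started. If the rule servers are fronted by a CDN or otherwise change addresses, later update traffic will be captured after all, and any unrelated site sharing those addresses at compile time is excluded with them. This is a limit of host-name BPF filters rather than a defect in the line, but it is worth a comment such as `# host names resolve at filter compile time; re-check if rule-server addresses change` so that nobody relies on this as a complete exclusion.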
diff --git a/docker/suricata/dist/enable.conf b/docker/suricata/dist/enable.conf new file mode 100644 index 00000000..2a0a3dc0 --- /dev/null +++ b/docker/suricata/dist/enable.conf @@ -0,0 +1,3 @@ +# Since honeypot traffic is usually low, we can afford to enable +# all the rules that are normally disabled for performance reasons. +re:. diff --git a/docker/suricata/dist/modify.conf b/docker/suricata/dist/modify.conf new file mode 100644 index 00000000..e69de29b diff --git a/docker/suricata/dist/suricata.yaml b/docker/suricata/dist/suricata.yaml index dfca0b49..0bf81036 100644 --- a/docker/suricata/dist/suricata.yaml +++ b/docker/suricata/dist/suricata.yaml @@ -1061,7 +1061,7 @@ host-mode: auto # activated in live capture mode. You can use the filename variable to set # the file name of the socket. unix-command: - enabled: no + enabled: yes #filename: custom.socket # Magic file. The extension .mgc is added to the value here. 
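Review bot: `re:.` matches every rule, so this enable.conf re-enables not only rules ET disables for performance, as the comment says, but also rules the upstream disables because they are superseded, broken or known false-positive generators; the comment should say so, e.g. `# NOTE: this also re-enables rules disabled upstream for accuracy, not just performance`. Depending on whether suricata-update applies enable.conf after disable.conf (I believe it does, but please confirm against the version pinned by `pip3 install suricata-update`), a blanket match can also override anything later placed in the empty `disable.conf` shipped alongside, making that file inert; if that is the case, a narrower pattern or a note that opt-outs must use `modify.conf` is needed.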
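Review bot: Setting `unix-command: enabled: yes` turns on Suricata's control socket at its default path (`#filename` stays commented), and that socket accepts `shutdown`, `pcap-file` and other commands, not just the `ruleset-reload-rules` that the reload command needs. The hunk does not show who can open the socket inside the container; please confirm the socket directory is owned by and writable only for the Suricata user and is not bind-mounted or shared with other containers. A comment above the line recording why it exists, `# enabled only so suricata-update can trigger a rule reload via suricatasc`, would stop a later reader from assuming it is safe to expose.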
@@ -1862,78 +1862,15 @@ napatech: ## Configure Suricata to load Suricata-Update managed rules. ## -#default-rule-path: /var/lib/suricata/rules -default-rule-path: /etc/suricata/rules - +default-rule-path: /var/lib/suricata/rules rule-files: - - botcc.rules - - botcc.portgrouped.rules - - ciarmy.rules - - compromised.rules - - drop.rules - - dshield.rules - - emerging-activex.rules - - emerging-adware_pup.rules - - emerging-attack_response.rules - - emerging-chat.rules - - emerging-coinminer.rules - - emerging-current_events.rules - - emerging-dns.rules - - emerging-dos.rules - - emerging-exploit.rules - - emerging-exploit_kit.rules - - emerging-ftp.rules - - emerging-games.rules - - emerging-hunting.rules - - emerging-icmp_info.rules - - emerging-icmp.rules - - emerging-imap.rules - - emerging-inappropriate.rules - - emerging-info.rules - - emerging-ja3.rules - - emerging-malware.rules - - emerging-misc.rules - - emerging-mobile_malware.rules - - emerging-netbios.rules - - emerging-p2p.rules - - emerging-phishing.rules - - emerging-policy.rules - - emerging-pop3.rules - - emerging-rpc.rules - - emerging-scada.rules - - emerging-scan.rules - - emerging-shellcode.rules - - emerging-smtp.rules - - emerging-snmp.rules - - emerging-sql.rules - - emerging-telnet.rules - - emerging-tftp.rules -# - emerging-trojan.rules - - emerging-user_agents.rules - - emerging-voip.rules - - emerging-web_client.rules - - emerging-web_server.rules - - emerging-web_specific_apps.rules - - emerging-worm.rules - - tor.rules - - decoder-events.rules # available in suricata sources under rules dir - - stream-events.rules # available in suricata sources under rules dir - - http-events.rules # available in suricata sources under rules dir - - smtp-events.rules # available in suricata sources under rules dir - - dns-events.rules # available in suricata sources under rules dir - - tls-events.rules # available in suricata sources under rules dir - - modbus-events.rules # available in suricata 
sources under rules dir - - app-layer-events.rules # available in suricata sources under rules dir - - dnp3-events.rules # available in suricata sources under rules dir - - ntp-events.rules # available in suricata sources under rules dir - - ipsec-events.rules # available in suricata sources under rules dir - - kerberos-events.rules # available in suricata sources under rules dir + - suricata.rules ## ## Auxiliary configuration files. ## -classification-file: /etc/suricata/rules/classification.config +classification-file: /var/lib/suricata/rules/classification.config reference-config-file: /etc/suricata/reference.config # threshold-file: /etc/suricata/threshold.config diff --git a/docker/suricata/dist/update.sh b/docker/suricata/dist/update.sh index fcb5d21a..c9ca30ad 100755 --- a/docker/suricata/dist/update.sh +++ b/docker/suricata/dist/update.sh @@ -9,24 +9,6 @@ trap fuCLEANUP EXIT ### Vars myOINKCODE="$1" -function fuDLRULES { -### Check if args are present then download rules, if not throw error -if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ]; - then - echo "Downloading ET open ruleset." - wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz - else - if [ "$myOINKCODE" != "" ]; - then - echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE." - wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz - else - echo "Usage: update.sh <[OPEN, OINKCODE]>" - exit - fi -fi -} - # Check internet availability function fuCHECKINET () { mySITES=$1 
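Review bot: The new `rule-files` list loads only `suricata.rules`, so the Suricata-shipped engine event rules the old list named explicitly (`decoder-events.rules`, `stream-events.rules`, `app-layer-events.rules`, `http-events.rules`, …) now reach the engine only if suricata-update merges them from its distribution rule directory into `suricata.rules`. This commit copies those files to `/etc/suricata/rules` in `Dockerfile.from.source` only, and whether suricata-update's dist-rule lookup finds that directory on either image is not visible here; check the suricata-update log for the dist rules being included, and if they are not, add them back to `rule-files` or pass `--dist-rule-directory /etc/suricata/rules`, otherwise the protocol-anomaly alerts silently vanish. Note also that `classification-file` now points into `/var/lib/suricata/rules`, a path that exists only after a successful suricata-update run, while `reference-config-file` still points at `/etc/suricata`; a comment above `default-rule-path` stating that `/var/lib/suricata/rules` is generated, not shipped, would make that dependency explicit.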
@@ -46,9 +28,14 @@ for i in $mySITES;
 myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
 if [ "$myCHECK" == "0" ];
 then
- fuDLRULES 2>&1 > /dev/null
- tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
- sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+ if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
+ then
+ suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
+ else
+ # suricata-update uses et/open ruleset by default if not configured
+ rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
+ fi
+ suricata-update -q --no-test --no-reload > /dev/null
 echo "/etc/suricata/capture-filter.bpf"
 else
 echo "/etc/suricata/null.bpf"
diff --git a/docker/suricata/dist/update.yaml b/docker/suricata/dist/update.yaml
new file mode 100644
index 00000000..8780931c
--- /dev/null
+++ b/docker/suricata/dist/update.yaml
@@ -0,0 +1,12 @@
+disable-conf: /etc/suricata/disable.conf
+enable-conf: /etc/suricata/enable.conf
+#drop-conf: /etc/suricata/drop.conf
+modify-conf: /etc/suricata/modify.conf
+
+ignore:
+ - "*deleted.rules"
+ - "dhcp-events.rules" # DHCP is disabled in suricata.yaml
+ - "files.rules" # file-store is disabled in suricata.yaml
+
+reload-command: suricatasc -c ruleset-reload-rules
+
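Review bot: `secret-code=$myOINKCODE` is unquoted and hands the ET Pro oinkcode over as a command-line argument, so it is readable by any process in the container through `/proc/*/cmdline`, and suricata-update then persists it in clear text in `/var/lib/suricata/update/sources/et-pro.yaml` — the very file the `else` branch deletes, which shows the author knows it is written there. Quote it at minimum, `secret-code="$myOINKCODE"`, and add a comment that the secret is stored on disk by suricata-update so the volume holding `/var/lib/suricata` is treated accordingly. `--no-test` on the following line also skips suricata-update's `suricata -T` validation, so a corrupt or partial download is written straight into `suricata.rules`; either drop the flag or record in a comment why validation is skipped here. Finally, `2>&1 > /dev/null` on the `rm -f` line discards stdout but still prints stderr, which is the reverse of the usual intent; `> /dev/null 2>&1` silences both. The `if [ "$myCHECK" == "0" ]` block continues beyond this hunk.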
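Review bot: `reload-command: suricatasc -c ruleset-reload-rules` only works when `unix-command` is enabled in suricata.yaml and the caller can reach the control socket, and neither dependency is recorded in this file; `update.sh` in this same commit passes `--no-reload`, so presumably the reload runs only for the manual `docker exec suricata-update` case. A comment above the line, `# needs unix-command.enabled: yes in suricata.yaml; update.sh skips this with --no-reload`, would keep the two files from drifting apart. Likewise the `ignore` entries justify themselves by settings in suricata.yaml (`dhcp`, `file-store`), so someone re-enabling those there has no hint to revisit this list; a one-line header naming the paired config would help.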