Merge cbcf7871ec into 04e44dfd43

Cleaning up
Avoid exposing ENVs - Thanks @ Kevin Setz
2026-03-03 14:43:04 +00:00 · 2026-01-16 20:22:22 +01:00 · 2026-01-16 19:52:12 +01:00 · 2026-01-16 19:13:23 +01:00
2 changed files with 21 additions and 10 deletions
--- a/docker/suricata/Dockerfile
+++ b/docker/suricata/Dockerfile
@ -20,10 +20,10 @@ RUN apk --no-cache -U upgrade && \
    cp /root/dist/*.yaml /etc/suricata/ && \
    cp /root/dist/*.conf /etc/suricata/ && \
    cp /root/dist/*.bpf /etc/suricata/ && \
-    cp /root/dist/update.sh /usr/bin/ && \
+    cp /root/dist/entrypoint.sh /usr/bin/ && \
    chmod 644 /etc/suricata/*.config && \
    chmod 755 -R /var/lib/suricata && \
-    chmod 755 /usr/bin/update.sh && \
+    chmod 755 /usr/bin/entrypoint.sh && \
    chown -R root:suri /tmp /run && \
 #
 # Download the latest EmergingThreats OPEN ruleset
@ -37,4 +37,4 @@ RUN apk --no-cache -U upgrade && \
 #
 # Start suricata
 STOPSIGNAL SIGINT
-CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(ip route | grep "^default" | awk '{ print $5 }')
+ENTRYPOINT ["entrypoint.sh"]
--- a/docker/suricata/dist/entrypoint.sh
+++ b/docker/suricata/dist/entrypoint.sh
@ -1,4 +1,5 @@
 #!/bin/ash
 set -eo pipefail
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@ -7,7 +8,7 @@ function fuCLEANUP {
 trap fuCLEANUP EXIT
 ### Vars
-myOINKCODE="$1"
+myOINKCODE="${OINKCODE}"
 # Check internet availability 
 function fuCHECKINET () {
@ -15,7 +16,7 @@ mySITES=$1
 error=0
 for i in $mySITES;
  do
-    curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
+    curl --connect-timeout 5 -Is "$i" 2>&1 > /dev/null
      if [ $? -ne 0 ];
        then
 	  let error+=1
@ -28,17 +29,17 @@ for i in $mySITES;
 myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
 if [ "$myCHECK" == "0" ];
  then
-    if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
+    if [ "${myOINKCODE}" != "" ] && [ "${myOINKCODE}" != "OPEN" ];
      then
-        suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
+        suricata-update -q enable-source et/pro secret-code="${myOINKCODE}"
      else
        # suricata-update uses et/open ruleset by default if not configured
        rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
    fi
-    suricata-update -q --no-test --no-reload > /dev/null
+    suricata-update -q --no-test --no-reload
-    echo "/etc/suricata/capture-filter.bpf"
+    SURICATA_CAPTURE_FILTER="/etc/suricata/capture-filter.bpf"
  else
-    echo "/etc/suricata/null.bpf"
+    SURICATA_CAPTURE_FILTER="/etc/suricata/null.bpf"
 fi
 # Download rules via URL
@ -57,3 +58,13 @@ if [ "$FROMURL" != "" ] ; then
    done
    IFS=$SAVEIFS
 fi
 # Determine IF
 myIF="$(ip route | grep "^default" | awk '{ print $5 }')"
 # Info
 echo "- Capture filter: ${SURICATA_CAPTURE_FILTER}"
 echo "- Interface: ${myIF}"
 # Run Suricata
 exec suricata -v -F "${SURICATA_CAPTURE_FILTER}" -i "${myIF}"
Author	SHA1	Message	Date
dz	bbea85d71f	Merge `cbcf7871ec` into `04e44dfd43`	2026-01-16 20:22:22 +01:00
t3chn0m4g3	04e44dfd43	Cleaning up	2026-01-16 19:52:12 +01:00
t3chn0m4g3	4128490151	Avoid exposing ENVs - Thanks @ Kevin Setz	2026-01-16 19:13:23 +01:00