mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-10-26 18:24:45 +00:00
620a909657
PROBLEM (see #487) - ET rule files start with the "emerging-*" prefix; - ETPRO rule files do not start with that prefix. SOLUTION Concatenate all rule files, with the exception of "*disabled.rules", into a single rule file at "/etc/suricata/rules/tpotce.rules" I have left as-is the "sed" command that enables all commented-out rules. Since that is usually done for performance reasons, maybe it could be turned into a configuration option like the OINKCODE. Another thing worth considering is to use "suricata-update" instead: https://suricata-update.readthedocs.io/en/latest/quickstart.html
70 lines
2 KiB
Bash
Executable file
70 lines
2 KiB
Bash
Executable file
#!/bin/ash
|
|
|
|
# Let's ensure normal operation on exit or if interrupted ...
|
|
function fuCLEANUP {
|
|
exit 0
|
|
}
|
|
trap fuCLEANUP EXIT
|
|
|
|
### Vars
|
|
myOINKCODE="$1"
|
|
|
|
function fuDLRULES {
|
|
### Check if args are present then download rules, if not throw error
|
|
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
|
|
then
|
|
echo "Downloading ET open ruleset."
|
|
wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
|
|
else
|
|
if [ "$myOINKCODE" != "" ];
|
|
then
|
|
echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
|
|
wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
|
|
else
|
|
echo "Usage: update.sh <[OPEN, OINKCODE]>"
|
|
exit
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function fuENRULES {
|
|
# Cleanup old files and extract new files.
|
|
rm -rf /tmp/rules /tmp/tpotce.rules
|
|
tar xfz /tmp/rules.tar.gz -C /tmp/ 2>&1 > /dev/null
|
|
# Create the new ruleset by:
|
|
# - looping through rule files, except deleted ones;
|
|
# - enabling all disabled rules (performance should be OK);
|
|
# - removing unnecessary empty/comment lines.
|
|
ls /tmp/rules/*.rules | grep -v deleted.rules | while read f;
|
|
do
|
|
cat $f | sed "s/^#alert/alert/" | grep -Ev "^(#|$)" >> /tmp/tpotce.rules
|
|
done
|
|
# Copy the new ruleset and config to where they belong.
|
|
cp -f /tmp/tpotce.rules /tmp/rules/classification.config /etc/suricata/rules
|
|
}
|
|
|
|
# Check internet availability
|
|
function fuCHECKINET () {
|
|
mySITES=$1
|
|
error=0
|
|
for i in $mySITES;
|
|
do
|
|
curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
|
|
if [ $? -ne 0 ];
|
|
then
|
|
let error+=1
|
|
fi;
|
|
done;
|
|
echo $error
|
|
}
|
|
|
|
# Check for connectivity and download rules
|
|
myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
|
|
if [ "$myCHECK" == "0" ];
|
|
then
|
|
fuDLRULES 2>&1 > /dev/null
|
|
fuENRULES 2>&1 > /dev/null
|
|
echo "/etc/suricata/capture-filter.bpf"
|
|
else
|
|
echo "/etc/suricata/null.bpf"
|
|
fi
|