From 38fce345cfe0191ee1c8b7530c2e0634354c7160 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Wed, 23 May 2018 13:02:19 +0000
Subject: [PATCH] tweaking fix condition when no internet connection is available check internet connection before download of rules and avoid errors check internet connection before setting up capture filters (with FQDNs, resulted in endless restart of suricata) and unset capture filters if no internet connection is available
---
 docker/suricata/Dockerfile | 21 +++++++++----------
 docker/suricata/dist/null.bpf | 0
 docker/suricata/dist/update.sh | 37 +++++++++++++++++++++++++---------
 3 files changed, 38 insertions(+), 20 deletions(-)
 create mode 100644 docker/suricata/dist/null.bpf

diff --git a/docker/suricata/Dockerfile b/docker/suricata/Dockerfile
index 00f9e53d..334b6427 100644
--- a/docker/suricata/Dockerfile
+++ b/docker/suricata/Dockerfile
@@ -4,21 +4,20 @@ FROM alpine
 ADD dist/ /root/dist/
 # Install packages
-RUN apk -U upgrade && \
- apk add bash \
- ca-certificates \
- file \
- libcap \
- procps \
- wget && \
+RUN apk -U --no-cache add \
+ ca-certificates \
+ curl \
+ file \
+ libcap \
+ wget && \
 apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
- suricata && \
+ suricata && \
 # Setup user, groups and configs
 addgroup -g 2000 suri && \
 adduser -S -H -u 2000 -D -g 2000 suri && \
- mv /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
- mv /root/dist/capture-filter.bpf /etc/suricata/capture-filter.bpf && \
+ cp /root/dist/suricata.yaml /etc/suricata/suricata.yaml && \
+ cp /root/dist/*.bpf /etc/suricata/ && \
 # Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
 cp /root/dist/update.sh /usr/bin/ && \
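Review bot: The new `RUN` drops `apk -U upgrade`, so packages already present in the untagged `alpine` base layer are no longer patched at build time; `apk -U --no-cache add` only refreshes the index before installing the listed packages and does not upgrade anything that is already installed. Keep the upgrade step in front of the install, `RUN apk -U --no-cache upgrade && \` followed by `apk --no-cache add \` and the package list, so base-layer fixes are picked up on every rebuild. Removing `bash` from the package list is what forces the `#!/bin/ash` shebang change in update.sh; worth a one-line comment here so the two are not decoupled later. The `RUN` statement continues past the end of the hunk (`cp /root/dist/update.sh /usr/bin/ && \`).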
@@ -30,4 +29,4 @@ RUN apk -U upgrade && \
 rm -rf /var/cache/apk/*
 # Start suricata
-CMD update.sh $OINKCODE && exec suricata -v -F /etc/suricata/capture-filter.bpf -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
+CMD SURICATA_CAPTURE_FILTER=$(update.sh $OINKCODE) && exec suricata -v -F $SURICATA_CAPTURE_FILTER -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
diff --git a/docker/suricata/dist/null.bpf b/docker/suricata/dist/null.bpf
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/suricata/dist/update.sh b/docker/suricata/dist/update.sh
index 20b7dbbf..bb4e5c4a 100755
--- a/docker/suricata/dist/update.sh
+++ b/docker/suricata/dist/update.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/ash
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@@ -11,16 +11,15 @@ myOINKCODE="$1"
 function fuDLRULES {
 ### Check if args are present then download rules, if not throw error
-
 if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
 then
 echo "Downloading ET open ruleset."
- wget --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
+ wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
 else
 if [ "$myOINKCODE" != "" ];
 then
 echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
- wget --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
+ wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
 else
 echo "Usage: update.sh <[OPEN, OINKCODE]>"
 exit
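Review bot: The new `CMD` passes whatever `update.sh` writes to stdout straight to `-F` without checking that it is a readable file. With an empty `$OINKCODE` the script reaches its usage branch, where the bare `exit` returns the status of the preceding `echo` (0) and the captured stream receives nothing, so `SURICATA_CAPTURE_FILTER` is empty, the `&&` still passes and Suricata is started as `suricata -v -F -i <iface>`, with `-i` swallowed as the filter file name. Validate before exec and quote the variables: `CMD SURICATA_CAPTURE_FILTER=$(update.sh "$OINKCODE") && [ -r "$SURICATA_CAPTURE_FILTER" ] && exec suricata -v -F "$SURICATA_CAPTURE_FILTER" -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])`.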
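Review bot: Changing the shebang to `#!/bin/ash` leaves the script relying on bash-style syntax (`function fuCLEANUP {` in this hunk, and `let error+=1` / `==` inside `[ ]` in the new connectivity block); BusyBox ash accepts these as extensions, as far as I can tell, but they are not POSIX and will break if the interpreter is changed again. Prefer the portable forms, `fuCLEANUP() {`, `error=$((error+1))` and `=`, so the script runs under any `/bin/sh`. The body of `fuCLEANUP` continues outside the hunk.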
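Review bot: Adding `-q` removes the only visible failure signal from the download while `fuDLRULES` still ignores wget's exit status, so a refused or timed-out fetch (two tries, two-second timeout) leaves an empty or stale `/tmp/rules.tar.gz` that the caller goes on to extract. Append `|| return 1` to both `wget` lines so the function reports failure to its caller. Separately, the ET Pro oinkcode is a credential: `echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."` writes it to stdout, and it is also part of the URL that wget would print on error; log `echo "Downloading ET pro ruleset."` instead. The function's closing `fi`/`}` lie outside the hunk.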
@@ -28,9 +27,29 @@ if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
 fi
 }
-# Download rules
-fuDLRULES
+# Check internet availability
+function fuCHECKINET () {
+mySITES=$1
+error=0
+for i in $mySITES;
+ do
+ curl --connect-timeout 5 -Is $i 2>&1 > /dev/null
+ if [ $? -ne 0 ];
+ then
+ let error+=1
+ fi;
+ done;
+ echo $error
+}
-# Extract and enable all rules
-tar xvfz /tmp/rules.tar.gz -C /etc/suricata/
-sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules
+# Check for connectivity and download rules
+myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
+if [ "$myCHECK" == "0" ];
+ then
+ fuDLRULES 2>&1 > /dev/null
+ tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
+ sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+ echo "/etc/suricata/capture-filter.bpf"
+ else
+ echo "/etc/suricata/null.bpf"
+fi