Suricata: use suricata-update for rule management
As a bonus, "suricata-update" can now be run via docker exec, which triggers both a rule update and a Suricata rule reload.
1
docker/suricata/dist/capture-filter.bpf
vendored
1
docker/suricata/dist/capture-filter.bpf
vendored
@ -1,4 +1,5 @@
|
||||
not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
|
||||
not (host rules.emergingthreats.net or rules.emergingthreatspro.com) and
|
||||
not (host deb.debian.org) and
|
||||
not (host ghcr.io) and
|
||||
not (host index.docker.io or docker.io)
|
||||
|
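Review bot: Every `host <name>` primitive in this filter is resolved to IP addresses once, when Suricata compiles the BPF program at start-up, so the exclusion applies to whatever rules.emergingthreats.net, rules.emergingthreatspro.com, ghcr.io, docker.io and the other names resolve to at that moment and silently drifts when their records change. Several of these names are likely served from shared cloud or CDN address ranges, in which case the exclusion also removes from capture any attacker traffic that happens to target the same addresses, not just the container's own update and image-pull traffic. A header comment in the file would make this visible, e.g. `# NOTE: host names are resolved when the filter is compiled (Suricata start); all traffic to the addresses they resolve to is excluded from capture`. As far as I can tell a rule reload alone does not recompile the filter, so keeping the exclusion current requires a Suricata restart.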
0
docker/suricata/dist/disable.conf
vendored
Normal file
0
docker/suricata/dist/disable.conf
vendored
Normal file
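--- /dev/null
+++ b/docker/suricata/dist/enable.conf
@@ -0,0 +1,3 @@
+# Since honeypot traffic is usually low, we can afford to enable
+# all the rules that are normally disabled for performance reasons.
+re:.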
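Review bot: The two comment lines attribute the vendor's disabled rules to performance alone, but `re:.` re-enables every disabled rule, including those a feed ships disabled because they are noisy, deprecated or prone to false positives, so the rationale should say so. Suggested wording: `# all the rules that are normally disabled, whether for performance or for noise/false-positive reasons.` This matches what the removed `sed -i s/^#alert/alert/` in update.sh did before, so it is a documentation point rather than a behaviour change.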
0
docker/suricata/dist/modify.conf
vendored
Normal file
0
docker/suricata/dist/modify.conf
vendored
Normal file
71
docker/suricata/dist/suricata.yaml
vendored
71
docker/suricata/dist/suricata.yaml
vendored
@ -1061,7 +1061,7 @@ host-mode: auto
|
||||
# activated in live capture mode. You can use the filename variable to set
|
||||
# the file name of the socket.
|
||||
unix-command:
|
||||
enabled: no
|
||||
enabled: yes
|
||||
#filename: custom.socket
|
||||
|
||||
# Magic file. The extension .mgc is added to the value here.
|
||||
@ -1862,78 +1862,15 @@ napatech:
|
||||
## Configure Suricata to load Suricata-Update managed rules.
|
||||
##
|
||||
|
||||
#default-rule-path: /var/lib/suricata/rules
|
||||
default-rule-path: /etc/suricata/rules
|
||||
|
||||
default-rule-path: /var/lib/suricata/rules
|
||||
rule-files:
|
||||
- botcc.rules
|
||||
- botcc.portgrouped.rules
|
||||
- ciarmy.rules
|
||||
- compromised.rules
|
||||
- drop.rules
|
||||
- dshield.rules
|
||||
- emerging-activex.rules
|
||||
- emerging-adware_pup.rules
|
||||
- emerging-attack_response.rules
|
||||
- emerging-chat.rules
|
||||
- emerging-coinminer.rules
|
||||
- emerging-current_events.rules
|
||||
- emerging-dns.rules
|
||||
- emerging-dos.rules
|
||||
- emerging-exploit.rules
|
||||
- emerging-exploit_kit.rules
|
||||
- emerging-ftp.rules
|
||||
- emerging-games.rules
|
||||
- emerging-hunting.rules
|
||||
- emerging-icmp_info.rules
|
||||
- emerging-icmp.rules
|
||||
- emerging-imap.rules
|
||||
- emerging-inappropriate.rules
|
||||
- emerging-info.rules
|
||||
- emerging-ja3.rules
|
||||
- emerging-malware.rules
|
||||
- emerging-misc.rules
|
||||
- emerging-mobile_malware.rules
|
||||
- emerging-netbios.rules
|
||||
- emerging-p2p.rules
|
||||
- emerging-phishing.rules
|
||||
- emerging-policy.rules
|
||||
- emerging-pop3.rules
|
||||
- emerging-rpc.rules
|
||||
- emerging-scada.rules
|
||||
- emerging-scan.rules
|
||||
- emerging-shellcode.rules
|
||||
- emerging-smtp.rules
|
||||
- emerging-snmp.rules
|
||||
- emerging-sql.rules
|
||||
- emerging-telnet.rules
|
||||
- emerging-tftp.rules
|
||||
# - emerging-trojan.rules
|
||||
- emerging-user_agents.rules
|
||||
- emerging-voip.rules
|
||||
- emerging-web_client.rules
|
||||
- emerging-web_server.rules
|
||||
- emerging-web_specific_apps.rules
|
||||
- emerging-worm.rules
|
||||
- tor.rules
|
||||
- decoder-events.rules # available in suricata sources under rules dir
|
||||
- stream-events.rules # available in suricata sources under rules dir
|
||||
- http-events.rules # available in suricata sources under rules dir
|
||||
- smtp-events.rules # available in suricata sources under rules dir
|
||||
- dns-events.rules # available in suricata sources under rules dir
|
||||
- tls-events.rules # available in suricata sources under rules dir
|
||||
- modbus-events.rules # available in suricata sources under rules dir
|
||||
- app-layer-events.rules # available in suricata sources under rules dir
|
||||
- dnp3-events.rules # available in suricata sources under rules dir
|
||||
- ntp-events.rules # available in suricata sources under rules dir
|
||||
- ipsec-events.rules # available in suricata sources under rules dir
|
||||
- kerberos-events.rules # available in suricata sources under rules dir
|
||||
- suricata.rules
|
||||
|
||||
##
|
||||
## Auxiliary configuration files.
|
||||
##
|
||||
|
||||
classification-file: /etc/suricata/rules/classification.config
|
||||
classification-file: /var/lib/suricata/rules/classification.config
|
||||
reference-config-file: /etc/suricata/reference.config
|
||||
# threshold-file: /etc/suricata/threshold.config
|
||||
|
||||
|
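Review bot: `enabled: yes` under `unix-command:` turns on Suricata's control socket with `#filename:` left commented, so the build's default socket path is used; the runtime reload described in the commit message depends on that default being the path `suricatasc` connects to, and nothing in the file records this coupling. A comment on the line would help the next reader, e.g. `enabled: yes  # required for suricata-update's reload-command (suricatasc ruleset-reload-rules)`. The command socket accepts shutdown and reload commands from any process able to open it, so the socket directory should remain private to the container; its permissions are not set anywhere visible here. In the second hunk, `classification-file` moves into the suricata-update managed directory while `reference-config-file` stays at `/etc/suricata/reference.config`; if that file is meant to come from the Suricata package rather than the rule feed, a comment saying so would stop it being "fixed" later.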
29
docker/suricata/dist/update.sh
vendored
29
docker/suricata/dist/update.sh
vendored
@ -9,24 +9,6 @@ trap fuCLEANUP EXIT
|
||||
### Vars
|
||||
myOINKCODE="$1"
|
||||
|
||||
function fuDLRULES {
|
||||
### Check if args are present then download rules, if not throw error
|
||||
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
|
||||
then
|
||||
echo "Downloading ET open ruleset."
|
||||
wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
|
||||
else
|
||||
if [ "$myOINKCODE" != "" ];
|
||||
then
|
||||
echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
|
||||
wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
|
||||
else
|
||||
echo "Usage: update.sh <[OPEN, OINKCODE]>"
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Check internet availability
|
||||
function fuCHECKINET () {
|
||||
mySITES=$1
|
||||
@ -46,9 +28,14 @@ for i in $mySITES;
|
||||
myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
|
||||
if [ "$myCHECK" == "0" ];
|
||||
then
|
||||
fuDLRULES 2>&1 > /dev/null
|
||||
tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
|
||||
sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
|
||||
if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
|
||||
then
|
||||
suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
|
||||
else
|
||||
# suricata-update uses et/open ruleset by default if not configured
|
||||
rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
|
||||
fi
|
||||
suricata-update -q --no-test --no-reload > /dev/null
|
||||
echo "/etc/suricata/capture-filter.bpf"
|
||||
else
|
||||
echo "/etc/suricata/null.bpf"
|
||||
|
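Review bot: `rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null` routes rm's stderr to the script's stdout, because `2>&1` is applied before stdout is redirected; this script's stdout appears to be the capture-filter path handed back to the caller (the `echo` lines), so any rm diagnostic would corrupt that value. `> /dev/null 2>&1` is the intended order, or drop the redirection entirely since `rm -f` is already silent for a missing file. The exit status of `suricata-update -q --no-test --no-reload > /dev/null` is also not checked, so a failed fetch (an invalid Oinkcode, an HTTP error) still falls through to `echo "/etc/suricata/capture-filter.bpf"` and Suricata starts on whatever rules are already on disk without any signal; `suricata-update -q --no-test --no-reload > /dev/null || echo "suricata-update failed, keeping existing rules" >&2` would at least report it on stderr. `--no-test` additionally skips suricata-update's own validation pass over the fetched ruleset, which deserves a comment if it is intentional. The `if [ "$myCHECK" == "0" ]` block opened in this hunk is closed outside it.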
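--- /dev/null
+++ b/docker/suricata/dist/update.yaml
@@ -0,0 +1,12 @@
+disable-conf: /etc/suricata/disable.conf
+enable-conf: /etc/suricata/enable.conf
+#drop-conf: /etc/suricata/drop.conf
+modify-conf: /etc/suricata/modify.conf
+
+ignore:
+- "*deleted.rules"
+- "dhcp-events.rules" # DHCP is disabled in suricata.yaml
+- "files.rules" # file-store is disabled in suricata.yaml
+
+reload-command: suricatasc -c ruleset-reload-rules
+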
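Review bot: `reload-command: suricatasc -c ruleset-reload-rules` only works while Suricata is running with its unix command socket enabled, which this commit does in suricata.yaml, but that dependency is invisible from this file. A comment would make it explicit: `# requires unix-command: enabled: yes in suricata.yaml; skipped by --no-reload at container start (see update.sh)`. The `disable.conf` and `modify.conf` referenced above are added empty in this commit, which is worth a one-line comment here so nobody removes the "unused" files and breaks suricata-update's config load.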