Suricata: use suricata-update for rule management

As a bonus we can now run "suricata-update" using docker-exec,
triggering both a rule update and a Suricata rule reload.

docker/suricata/dist/capture-filter.bpf

@@ -1,4 +1,5 @@
 not (host sicherheitstacho.eu or community.sicherheitstacho.eu or listbot.sicherheitstacho.eu) and
+not (host rules.emergingthreats.net or rules.emergingthreatspro.com) and
 not (host deb.debian.org) and
 not (host ghcr.io) and
 not (host index.docker.io or docker.io)

docker/suricata/dist/enable.conf

@@ -0,0 +1,3 @@
+# Since honeypot traffic is usually low, we can afford to enable
+# all the rules that are normally disabled for performance reasons.
+re:.

docker/suricata/dist/suricata.yaml

@@ -1061,7 +1061,7 @@ host-mode: auto
 # activated in live capture mode. You can use the filename variable to set
 # the file name of the socket.
 unix-command:
-  enabled: no
+  enabled: yes
   #filename: custom.socket
 
 # Magic file. The extension .mgc is added to the value here.
@@ -1862,78 +1862,15 @@ napatech:
 ## Configure Suricata to load Suricata-Update managed rules.
 ##
 
-#default-rule-path: /var/lib/suricata/rules
-default-rule-path: /etc/suricata/rules
-
+default-rule-path: /var/lib/suricata/rules
 rule-files:
- - botcc.rules
- - botcc.portgrouped.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-adware_pup.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-coinminer.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-exploit_kit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-hunting.rules
- - emerging-icmp_info.rules
- - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-info.rules
- - emerging-ja3.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-phishing.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
-# - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules  # available in suricata sources under rules dir
- - http-events.rules    # available in suricata sources under rules dir
- - smtp-events.rules    # available in suricata sources under rules dir
- - dns-events.rules     # available in suricata sources under rules dir
- - tls-events.rules     # available in suricata sources under rules dir
- - modbus-events.rules  # available in suricata sources under rules dir
- - app-layer-events.rules  # available in suricata sources under rules dir
- - dnp3-events.rules       # available in suricata sources under rules dir
- - ntp-events.rules       # available in suricata sources under rules dir
- - ipsec-events.rules       # available in suricata sources under rules dir
- - kerberos-events.rules       # available in suricata sources under rules dir
+ - suricata.rules
 
 ##
 ## Auxiliary configuration files.
 ##
 
-classification-file: /etc/suricata/rules/classification.config
+classification-file: /var/lib/suricata/rules/classification.config
 reference-config-file: /etc/suricata/reference.config
 # threshold-file: /etc/suricata/threshold.config
 

docker/suricata/dist/update.sh

@@ -9,24 +9,6 @@ trap fuCLEANUP EXIT
 ### Vars
 myOINKCODE="$1"
 
-function fuDLRULES {
-### Check if args are present then download rules, if not throw error
-if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
-  then
-    echo "Downloading ET open ruleset."
-    wget -q --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
-  else
-    if [ "$myOINKCODE" != "" ];
-      then
-	echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
-	wget -q --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-5.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
-      else	
-        echo "Usage: update.sh <[OPEN, OINKCODE]>"
-	exit
-    fi	
-fi
-}
-
 # Check internet availability 
 function fuCHECKINET () {
 mySITES=$1
@@ -46,9 +28,14 @@ for i in $mySITES;
 myCHECK=$(fuCHECKINET "rules.emergingthreatspro.com rules.emergingthreats.net")
 if [ "$myCHECK" == "0" ];
   then
-    fuDLRULES 2>&1 > /dev/null
-    tar xvfz /tmp/rules.tar.gz -C /etc/suricata/ 2>&1 > /dev/null
-    sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules 2>&1 > /dev/null
+    if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" != "OPEN" ];
+      then
+        suricata-update -q enable-source et/pro secret-code=$myOINKCODE > /dev/null
+      else
+        # suricata-update uses et/open ruleset by default if not configured
+        rm -f /var/lib/suricata/update/sources/et-pro.yaml 2>&1 > /dev/null
+    fi
+    suricata-update -q --no-test --no-reload > /dev/null
     echo "/etc/suricata/capture-filter.bpf"
   else
     echo "/etc/suricata/null.bpf"

docker/suricata/dist/update.yaml

@@ -0,0 +1,12 @@
+disable-conf: /etc/suricata/disable.conf
+enable-conf: /etc/suricata/enable.conf
+#drop-conf: /etc/suricata/drop.conf
+modify-conf: /etc/suricata/modify.conf
+
+ignore:
+  - "*deleted.rules"
+  - "dhcp-events.rules"  # DHCP is disabled in suricata.yaml
+  - "files.rules"  # file-store is disabled in suricata.yaml
+
+reload-command: suricatasc -c ruleset-reload-rules
+