diff --git a/snort/Dockerfile b/snort/Dockerfile
new file mode 100644
index 0000000..db9b490
--- /dev/null
+++ b/snort/Dockerfile
@@ -0,0 +1,75 @@
+FROM debian:stretch
+MAINTAINER Jessie Frazelle
+
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ libcrypt-ssleay-perl \
+ libio-socket-ssl-perl \
+ libpcap0.8 \
+ libwww-perl \
+ perl \
+ zlib1g \
+ --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/*
+
+ENV DAQ_VERSION 2.0.6
+ENV LIBDNET_VERSION 1.12
+ENV SNORT_VERSION 2.9.9.0
+ENV PULLEDPORK_VERSION 0.7.2
+
+RUN buildDeps=' \
+ curl \
+ bison \
+ build-essential \
+ file \
+ flex \
+ libpcap-dev \
+ libpcre3-dev \
+ zlib1g-dev \
+ ' \
+ && set -x \
+ && apt-get update && apt-get install -y $buildDeps --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/* \
+ && curl -sSL "https://www.snort.org/downloads/snort/daq-${DAQ_VERSION}.tar.gz" -o /tmp/daq.tar.gz \
+ && mkdir -p /usr/src/daq \
+ && tar -xzf /tmp/daq.tar.gz -C /usr/src/daq --strip-components=1 \
+ && rm /tmp/daq.tar.gz \
+ && ( \
+ cd /usr/src/daq \
+ && ./configure \
+ && make \
+ && make install \
+ ) \
+ && curl -sSL "https://github.com/dugsong/libdnet/archive/libdnet-${LIBDNET_VERSION}.tar.gz" -o /tmp/libdnet.tar.gz \
+ && mkdir -p /usr/src/libdnet \
+ && tar -xzf /tmp/libdnet.tar.gz -C /usr/src/libdnet --strip-components=1 \
+ && rm /tmp/libdnet.tar.gz \
+ && ( \
+ cd /usr/src/libdnet \
+ && ./configure \
+ --prefix=/usr \
+ && make \
+ && make install \
+ ) \
+ && curl -sSL "https://www.snort.org/downloads/snort/snort-${SNORT_VERSION}.tar.gz" -o /tmp/snort.tar.gz \
+ && mkdir -p /usr/src/snort \
+ && tar -xzf /tmp/snort.tar.gz -C /usr/src/snort --strip-components=1 \
+ && rm /tmp/snort.tar.gz \
+ && ( \
+ cd /usr/src/snort \
+ && ./configure \
+ --enable-sourcefire \
+ && make \
+ && make install \
+ ) \
+ && curl -sSL "https://github.com/shirkdog/pulledpork/archive/${PULLEDPORK_VERSION}.tar.gz" -o /tmp/pulledpork.tar.gz \
+ && mkdir -p /usr/src/pulledpork \
+ && tar -xzf /tmp/pulledpork.tar.gz -C /usr/src/pulledpork --strip-components=1 \
+ && rm /tmp/pulledpork.tar.gz \
+ && apt-get purge -y --auto-remove $buildDeps
+
+COPY init.sh /usr/local/bin/init.sh
+COPY update-rules.sh /usr/local/bin/update-rules.sh
+
+ENTRYPOINT ["/usr/local/bin/init.sh"]
+CMD ["snort"]
diff --git a/snort/init.sh b/snort/init.sh
new file mode 100755
index 0000000..c20f057
--- /dev/null
+++ b/snort/init.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Entry point script to make sure external volumes are properly prepped.
+# Expects:
+# -e INTERFACE - sniffing interface ON THE HOST
+# -e INSTANCE - the name of the per-interface instance to support multiple configs per interface
+# -e SENSOR_IP - the IP of the HOST
+# -e OPTS - additional options to pass to snort
+# -e HOMENET - to override HOME_NET setting in snort.conf
+set -e
+set -o pipefail
+
+if [[ "$1" == "snort" ]]; then
+ LOGDIR=/data/$INSTANCE/logs/$HOSTNAME
+ [ -d $LOGDIR ] || mkdir -p $LOGDIR
+
+ CONFDIR=/usr/src/snort/etc
+ CONFIG=$CONFDIR/snort.conf
+ RULES=$CONFDIR/rules
+
+ if [[ -z "$DISABLE_PULLEDPORK" ]]; then
+ /usr/local/bin/update-rules.sh
+ OPTS="$OPTS -S RULES_FILE=snort.$HOSTNAME.rules"
+ fi
+
+ [[ -z "$HOMENET" ]] || OPTS="$OPTS -S HOME_NET=$HOMENET"
+ [[ -z "$SENSOR_IP" ]] || OPTS="$OPTS -S SENSOR_IP=$SENSOR_IP"
+
+ exec snort -m 027 -d -l $LOGDIR $OPTS -c $CONFIG -i $INTERFACE
+fi
+
+exec "$@"
diff --git a/snort/update-rules.sh b/snort/update-rules.sh
new file mode 100755
index 0000000..09448df
--- /dev/null
+++ b/snort/update-rules.sh
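Review bot: The four `curl -sSL … -o /tmp/*.tar.gz` downloads in the second RUN are unpacked and compiled with no integrity check, so what ends up in the image depends on whatever the mirror, or a redirect target since `-L` is set, returns at build time. Pin a digest per archive and fail the build on mismatch, e.g. after the daq download add `&& echo "<daq-sha256-placeholder>  /tmp/daq.tar.gz" | sha256sum -c - \`, and use `curl -fsSL` so an HTTP error page is not saved as the tarball; repeat for libdnet, snort and pulledpork. The stage has no USER, so snort starts as root; opening the capture interface needs root or CAP_NET_RAW, but creating a dedicated `snort` user here would let init.sh pass snort's `-u`/`-g` flags to drop privileges after initialisation. Minor: `MAINTAINER` is deprecated in favour of `LABEL`, and the `ENV DAQ_VERSION 2.0.6` lines use the legacy space-separated form rather than `ENV DAQ_VERSION=2.0.6`.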
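Review bot: `exec snort -m 027 -d -l $LOGDIR $OPTS -c $CONFIG -i $INTERFACE` at the end of the `if` block leaves `$INTERFACE`, `$LOGDIR` and `$CONFIG` unquoted and never checks that the documented `INTERFACE` variable is set, so an unset value leaves `-i` without an argument and the failure surfaces as a snort usage error rather than a clear message. Add `: "${INTERFACE:?INTERFACE must be set}"` before the log-directory setup and quote the path expansions, `[ -d "$LOGDIR" ] || mkdir -p "$LOGDIR"`; `$OPTS` is deliberately word-split and can stay as is. `RULES=$CONFDIR/rules` is assigned but never used. Whether `-S RULES_FILE=snort.$HOSTNAME.rules` matches the file update-rules.sh produces cannot be confirmed from this commit, since the output location is left to pulledpork.conf; a comment tying the two together would help the next maintainer.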
@@ -0,0 +1,59 @@
+#! /bin/bash
+#
+# Wrapper script around pulledpork to update rules.
+set -e
+set -o pipefail
+
+PULLEDPORK_CONF="/usr/src/pulledpork/etc/pulledpork.conf"
+ENABLESID_CONF="/usr/src/pulledpork/etc/enablesid.conf"
+DISABLESID_CONF="/usr/src/pulledpork/etc/disablesid.conf"
+DROPSID_CONF="/usr/src/pulledpork/etc/dropsid.conf"
+MODIFYSID_CONF="/usr/src/pulledpork/etc/modifysid.conf"
+
+BLACKLIST_URL="http://www.talosintelligence.com/feeds/ip-filter.blf"
+mkdir -p /usr/local/etc/snort/rules/iplists
+
+VRT_RULE_URL="https://www.snort.org/rules/|snortrules-snapshot.tar.gz"
+ET_OPEN_RULE_URL="https://rules.emergingthreatspro.com/|emerging.rules.tar.gz"
+
+PP_ARGS="/usr/src/pulledpork/pulledpork.pl -c ${PULLEDPORK_CONF} -P"
+PP_ARGS="${PP_ARGS} -u ${BLACKLIST_URL}|IPBLACKLIST|open"
+
+check_for_file() {
+ echo -n "Checking for file $1: "
+ if [[ -e "$1" ]]; then
+ echo "found."
+ return 0
+ else
+ echo "not found."
+ return 1
+ fi
+}
+
+if [[ -z "${OINKCODE}" ]]; then
+ echo "warning: OINKCODE variable not set: using ET open rules."
+ RULE_URL=${ET_OPEN_RULE_URL}
+ OINKCODE="open"
+else
+ RULE_URL=${VRT_RULE_URL}
+fi
+PP_ARGS="${PP_ARGS} -u ${RULE_URL}|${OINKCODE}"
+
+if check_for_file ${ENABLESID_CONF}; then
+ PP_ARGS="${PP_ARGS} -e ${ENABLESID_CONF}"
+fi
+
+if check_for_file ${DISABLESID_CONF}; then
+ PP_ARGS="${PP_ARGS} -i ${DISABLESID_CONF}"
+fi
+
+if check_for_file ${DROPSID_CONF}; then
+ PP_ARGS="${PP_ARGS} -b ${DROPSID_CONF}"
+fi
+
+if check_for_file ${MODIFYSID_CONF}; then
+ PP_ARGS="${PP_ARGS} -M ${MODIFYSID_CONF}"
+fi
+
+echo "Running ${PP_ARGS}."
+${PP_ARGS}
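Review bot: `echo "Running ${PP_ARGS}."` on the second-to-last line prints the full pulledpork command line, which includes the `OINKCODE` value appended at `PP_ARGS="${PP_ARGS} -u ${RULE_URL}|${OINKCODE}"`, so the subscription credential ends up on container stdout and in any log collector behind it. Log the rule source without the code instead, e.g. `echo "Running pulledpork against ${RULE_URL} (oinkcode redacted)."`. `BLACKLIST_URL` is fetched over plain `http://`, so the IP blocklist is not integrity-protected in transit; switch to `https://` if the Talos feed is served there. Building the command as a whitespace-joined string also means any path or URL containing spaces or glob characters would be split or expanded at `${PP_ARGS}`; a bash array (`PP_ARGS=(…)`, run as `"${PP_ARGS[@]}"`) avoids that, though the fixed paths used here are currently safe.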