update logrotating, cleanup.sh, add Suricata ET Pro support, tweaking

Author: t3chn0m4g3

bin/clean.sh

@@ -66,6 +66,14 @@ chown tpot:tpot $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEY
 logrotate -s $mySTATUS $myCONF
 }
 
+# Let's create a function to clean up and prepare ciscoasa data
+fuCISCOASA () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
+  mkdir -p /data/ciscoasa/log
+  chmod 760 /data/ciscoasa -R
+  chown tpot:tpot /data/ciscoasa -R
+}
+
 # Let's create a function to clean up and prepare conpot data
 fuCONPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
@@ -124,6 +132,14 @@ fuGLASTOPF () {
   chown tpot:tpot /data/glastopf -R
 }
 
+# Let's create a function to clean up and prepare heralding data
+fuHERALDING () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
+  mkdir -p /data/heralding/log
+  chmod 760 /data/heralding -R
+  chown tpot:tpot /data/heralding -R
+}
+
 # Let's create a function to clean up and prepare honeytrap data
 fuHONEYTRAP () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
@@ -210,13 +226,15 @@ if [ "$myPERSISTENCE" = "on" ];
     fuLOGROTATE
   else
     echo "Cleaning up and preparing data folders."
+    fuCISCOASA
     fuCONPOT
     fuCOWRIE
     fuDIONAEA
     fuELASTICPOT
     fuELK
     fuEMOBILITY
     fuGLASTOPF
+    fuHERALDING
     fuHONEYTRAP
     fuMAILONEY
     fuNGINX

docker/suricata/Dockerfile

@@ -1,13 +1,17 @@
 FROM alpine
-MAINTAINER MO
 
 # Include dist
 ADD dist/ /root/dist/
 
 # Install packages
 RUN apk -U upgrade && \
-    apk add bash ca-certificates file procps wget && \
-    apk -U add --repository https://dl-cdn.alpinelinux.org/alpine/edge/community \
+    apk add bash \
+            ca-certificates \
+            file \
+            libcap \
+            procps \
+            wget && \
+    apk -U add --repository http://dl-cdn.alpinelinux.org/alpine/edge/community \
             suricata && \
 
 # Setup user, groups and configs
@@ -18,12 +22,12 @@ RUN apk -U upgrade && \
 
 # Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
     cp /root/dist/update.sh /usr/bin/ && \
-    chmod u+x /usr/bin/update.sh && \
-    update.sh && \
+    chmod 755 /usr/bin/update.sh && \
+    update.sh OPEN && \
 
 # Clean up
     rm -rf /root/* && \
     rm -rf /var/cache/apk/*
 
 # Start suricata
-CMD update.sh && suricata -v -F /etc/suricata/capture-filter.bpf -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])
+CMD update.sh $OINKCODE && suricata -v -F /etc/suricata/capture-filter.bpf -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:])

docker/suricata/dist/update.sh

@@ -6,8 +6,31 @@ function fuCLEANUP {
 }
 trap fuCLEANUP EXIT
 
-# Download the latest EmergingThreats ruleset, replace rulebase and enable all rules
-cd /tmp
-wget --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
-tar xvfz emerging.rules.tar.gz -C /etc/suricata/
+### Vars
+myOINKCODE="$1"
+
+function fuDLRULES {
+### Check if args are present then download rules, if not throw error
+
+if [ "$myOINKCODE" != "" ] && [ "$myOINKCODE" == "OPEN" ];
+  then
+    echo "Downloading ET open ruleset."
+    wget --tries=2 --timeout=2 https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz -O /tmp/rules.tar.gz
+  else
+    if [ "$myOINKCODE" != "" ];
+      then
+	echo "Downloading ET pro ruleset with Oinkcode $myOINKCODE."
+	wget --tries=2 --timeout=2 https://rules.emergingthreatspro.com/$myOINKCODE/suricata-4.0/etpro.rules.tar.gz -O /tmp/rules.tar.gz
+      else	
+        echo "Usage: update.sh <[OPEN, OINKCODE]>"
+	exit
+    fi	
+fi
+}
+
+# Download rules
+fuDLRULES
+
+# Extract and enable all rules  
+tar xvfz /tmp/rules.tar.gz -C /etc/suricata/
 sed -i s/^#alert/alert/ /etc/suricata/rules/*.rules

docker/suricata/docker-compose.yml

@@ -1,18 +1,22 @@
 # T-Pot (Standard)
 # For docker-compose ...
-version: '2.1'
+version: '2.2'
 
 services:
 
 # Suricata service
   suricata:
+    build: .
     container_name: suricata
     restart: always
+    environment:
+    # For ET Pro ruleset replace <OPEN> with your OINKCODE
+     - OINKCODE=OPEN
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/suricata:1710"
+    image: "dtagdevsec/suricata:1804"
     volumes:
      - /data/suricata/log:/var/log/suricata

etc/compose/collect.yml

@@ -189,12 +189,15 @@ services:
   suricata:
     container_name: suricata
     restart: always
+    environment:
+    # For ET Pro ruleset replace <OPEN> with your OINKCODE
+     - OINKCODE=OPEN
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/suricata:1710"
+    image: "dtagdevsec/suricata:1804"
     volumes:
      - /data/suricata/log:/var/log/suricata
 

etc/compose/tpot.yml

@@ -291,12 +291,15 @@ services:
   suricata:
     container_name: suricata
     restart: always
+    environment:
+    # For ET Pro ruleset replace <OPEN> with your OINKCODE
+     - OINKCODE=OPEN
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/suricata:1710"
+    image: "dtagdevsec/suricata:1804"
     volumes:
      - /data/suricata/log:/var/log/suricata
 

etc/logrotate/logrotate.conf

@@ -1,5 +1,6 @@
-/data/conpot/log/conpot.json
-/data/conpot/log/conpot.log
+/data/ciscoasa/log/ciscoasa.log
+/data/conpot/log/conpot*.json
+/data/conpot/log/conpot*.log
 /data/cowrie/log/cowrie.json
 /data/cowrie/log/cowrie-textlog.log
 /data/cowrie/log/lastlog.txt
@@ -16,6 +17,8 @@
 /data/emobility/log/centralsystemEWS.log
 /data/glastopf/log/glastopf.log
 /data/glastopf/db/glastopf.db
+/data/heralding/log/*.log
+/data/heralding/log/*.csv
 /data/honeytrap/log/*.log
 /data/honeytrap/log/*.json
 /data/honeytrap/attacks.tgz