From fd3f0b1a1d453af498b77e933c9a6b927f8d5d71 Mon Sep 17 00:00:00 2001
From: John Dorman
Date: Thu, 27 Aug 2020 02:46:17 -0700
Subject: [PATCH] Suricata support

---
 README.md | 2 ++
 suricata/README.md | 19 +++++++++++++++++++
 suricata/on_boot.d/25-suricata.sh | 28 ++++++++++++++++++++++++++++
 suricata/rules/custom.example.rules | 1 +
 4 files changed, 50 insertions(+)
 create mode 100644 suricata/README.md
 create mode 100644 suricata/on_boot.d/25-suricata.sh
 create mode 100644 suricata/rules/custom.example.rules

diff --git a/README.md b/README.md
index 9dd62a7..ec0bf3a 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ Pull Requests welcome! If you use this functionality to do new cool stuff to you
 ## General Tools
+### suricata
+Run an updated version of suricata and apply custom rules that survive reboot
 ### on-boot-script
 Do this first. Enables init.d style scripts to run on every boot of your UDM. Includes examples to run wpa-supplicant/eap-proxy and/or ntop-ng on startup. Follow this [readme](https://github.com/boostchicken/udm-utilities/blob/master/on-boot-script/README.md). **It enables complete customization of your UDM/P and fills the gap that config.gateway.json left behind.**
diff --git a/suricata/README.md b/suricata/README.md
new file mode 100644
index 0000000..75fb476
--- /dev/null
+++ b/suricata/README.md
@@ -0,0 +1,19 @@
+# Run Suricata 5.0.3 with custom rules
+
+## Features
+
+1. Run a newer surifcated with custom rules
+2. Persists through reboots and firmware updates.
+
+## Requirements
+
+1. You have successfully setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script)
+
+## Customization
+
+* Put customs rules files in /mnt/data/suricata-rules
+
+## Steps
+
+1. Copy [25-suricata.sh](on_boot.d/25-suricata.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
+2. Execute /mnt/data/on_boot.d/25-suricata.sh
diff --git a/suricata/on_boot.d/25-suricata.sh b/suricata/on_boot.d/25-suricata.sh
new file mode 100644
index 0000000..954d27a
--- /dev/null
+++ b/suricata/on_boot.d/25-suricata.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+APP_PID="/run/suricata.pid"
+
+echo "#!/bin/sh
+CUSTOM_RULES=\"/mnt/data/suricata-rules\"
+
+for file in \"\$CUSTOM_RULES\"/*.rules
+do
+ if [ -f \"\$file\" ]; then
+ cp \"\$file\" \"/run/ips/rules/\$(basename \"\$file\")\"
+ echo \" - \$(basename \"\$file\")\" >> /run/ips/config/rules.yaml
+ fi
+done
+CONTAINER=suricata
+if podman container exists \${CONTAINER}; then
+ podman rm -f \${CONTAINER}
+fi
+podman run --network=host --privileged --name \${CONTAINER} --rm -it -v /run:/var/run/ -v /run:/run -v /usr/share/ubios-udapi-server/ips/:/usr/share/ubios-udapi-server/ips/ jasonish/suricata:5.0.3-arm64v8 /usr/bin/suricata \"\$@\"" > /tmp/suricata.sh
+
+chmod +x /tmp/suricata.sh
+cp /usr/bin/suricata /tmp/suricata.backup # In case you want to move back without rebooting
+ln -f -s /tmp/suricata.sh /usr/bin/suricata
+
+if [ ! -z "$APP_PID" ]; then
+ killall -9 suricata
+ rm -f APP_PID
+fi
\ No newline at end of file
diff --git a/suricata/rules/custom.example.rules b/suricata/rules/custom.example.rules
new file mode 100644
index 0000000..d4f1174
--- /dev/null
+++ b/suricata/rules/custom.example.rules
@@ -0,0 +1 @@
+# Put custom rules here, or in any file with a .rules extension
\ No newline at end of file
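Review bot: The pid-file cleanup at the end of 25-suricata.sh never looks at the file: `[ ! -z "$APP_PID" ]` tests that the constant string is non-empty, which is always true, and `rm -f APP_PID` removes a literal path named APP_PID instead of the pid file, so `killall -9 suricata` runs unconditionally and a stale /run/suricata.pid is left behind. The guard should read `if [ -f "$APP_PID" ]; then` with `rm -f "$APP_PID"` inside it. Separately, both the generated wrapper and the backup copy are written to /tmp, a world-writable directory that is typically cleared on reboot, while `/usr/bin/suricata` is turned into a symlink pointing there; on a later run `cp /usr/bin/suricata /tmp/suricata.backup` presumably copies whatever the symlink resolves to (or fails if /tmp was cleared) rather than the original binary, so a root-owned persistent location such as the /mnt/data tree the README already uses would be safer for both files. Inside the wrapper, `>> /run/ips/config/rules.yaml` appends the rule entries on every invocation, so each restart within one boot likely duplicates them. Since the container runs `--privileged` with the host's /run bind-mounted in, a one-line comment stating why that level of host access is required would help the next reader judge the exposure.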