Suricata support

John Dorman 2020-08-27 02:46:17 -07:00
parent 06e990b6db
commit fd3f0b1a1d
4 changed files with 50 additions and 0 deletions

@ -8,6 +8,8 @@ Pull Requests welcome! If you use this functionality to do new cool stuff to you
## General Tools
### suricata
Run an updated version of suricata and apply custom rules that survive reboot
### on-boot-script
Do this first. Enables init.d style scripts to run on every boot of your UDM. Includes examples to run wpa-supplicant/eap-proxy and/or ntop-ng on startup. Follow this [readme](https://github.com/boostchicken/udm-utilities/blob/master/on-boot-script/README.md).
**It enables complete customization of your UDM/P and fills the gap that config.gateway.json left behind.**
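Review bot: the new `### suricata` entry links to nothing, while the neighbouring `### on-boot-script` entry links to its README; add a link to suricata/README.md so readers can find the setup steps. The on-boot-script entry directly below says "Do this first", and the suricata entry depends on it, so either list on-boot-script above suricata or state the dependency in the suricata line (for example "Requires the on-boot-script below").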

suricata/README.md Normal file
@ -0,0 +1,19 @@
# Run Suricata 5.0.3 with custom rules
## Features
1. Run a newer surifcated with custom rules
2. Persists through reboots and firmware updates.
## Requirements
1. You have successfully setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script)
## Customization
* Put customs rules files in /mnt/data/suricata-rules
## Steps
1. Copy [25-suricata.sh](on_boot.d/25-suricata.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
2. Execute /mnt/data/on_boot.d/25-suricata.sh
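Review bot: typos in the feature list: "surifcated" should be "Suricata" and "customs rules" under Customization should be "custom rules". Step 1 tells the user to "update its values to reflect your environment" without saying which values; the script only has the rules directory /mnt/data/suricata-rules and the container name to change, so name them. The claim "Persists through reboots and firmware updates" holds only while the on-boot script listed under Requirements is in place (that script re-creates the wrapper on every boot), which is worth saying next to the claim rather than leaving it implied.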

@ -0,0 +1,28 @@
#!/bin/sh
APP_PID="/run/suricata.pid"
echo "#!/bin/sh
CUSTOM_RULES=\"/mnt/data/suricata-rules\"
for file in \"\$CUSTOM_RULES\"/*.rules
do
if [ -f \"\$file\" ]; then
cp \"\$file\" \"/run/ips/rules/\$(basename \"\$file\")\"
echo \" - \$(basename \"\$file\")\" >> /run/ips/config/rules.yaml
fi
done
CONTAINER=suricata
if podman container exists \${CONTAINER}; then
podman rm -f \${CONTAINER}
fi
podman run --network=host --privileged --name \${CONTAINER} --rm -it -v /run:/var/run/ -v /run:/run -v /usr/share/ubios-udapi-server/ips/:/usr/share/ubios-udapi-server/ips/ jasonish/suricata:5.0.3-arm64v8 /usr/bin/suricata \"\$@\"" > /tmp/suricata.sh
chmod +x /tmp/suricata.sh
cp /usr/bin/suricata /tmp/suricata.backup # In case you want to move back without rebooting
ln -f -s /tmp/suricata.sh /usr/bin/suricata
if [ ! -z "$APP_PID" ]; then
killall -9 suricata
rm -f APP_PID
fi
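Review bot: the restart check at the end of 25-suricata.sh is wrong: `APP_PID` is assigned the fixed string "/run/suricata.pid", so `[ ! -z "$APP_PID" ]` is always true and never tests whether a pid file exists, and `rm -f APP_PID` is missing the `$`, so it tries to delete a file literally named APP_PID in the current directory instead of the pid file. Replace the block with `if [ -f "$APP_PID" ]; then killall -9 suricata; rm -f "$APP_PID"; fi`. In the generated wrapper, each invocation appends every custom rule name to /run/ips/config/rules.yaml, so every restart of suricata after the first lists each rule file again; check for an existing entry (for example with grep) before the `echo ... >>`. The `podman run` line passes `-it`, which allocates an interactive pseudo-terminal that is not meaningful for a daemon launched by udapi-server at boot; drop it. The container also runs `--privileged --network=host` from the mutable tag `jasonish/suricata:5.0.3-arm64v8`; pinning the image by digest would make what is pulled at boot reproducible and reviewable.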

@ -0,0 +1 @@
# Put custom rules here, or in any file with a .rules extension