Initial commit

kkoziara · Dec 13, 2016 · 467cb0d · 467cb0d
commit 467cb0d
Show file tree

Hide file tree

Showing 7 changed files with 159 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,2 @@
+# alpine-snort
+Docker image containing snort with pulled pork based on alpine linux image and jasonish/docker-snort.
diff --git a/build.sh b/build.sh
@@ -0,0 +1,2 @@
+#! /bin/sh
+docker build -t kkoziara/alpine-snort image
diff --git a/image/Dockerfile b/image/Dockerfile
@@ -0,0 +1,25 @@
+FROM gliderlabs/alpine:edge
+
+RUN apk --update add snort curl tar perl-libwww perl-crypt-ssleay perl-sys-syslog perl-switch perl-lwp-protocol-https
+
+RUN mkdir -p /opt/pulledpork && \
+    cd /opt/pulledpork && \
+    curl -o - -L https://github.com/shirkdog/pulledpork/archive/0.7.2.tar.gz | tar zxf - --strip-components=1 && \
+    chmod 755 pulledpork.pl
+
+RUN sed -i \
+    -e 's#^var RULE_PATH.*#var RULE_PATH /data/etc/snort/rules#' \
+    -e 's#^var WHITE_LIST_PATH.*#var WHITE_LIST_PATH /data/etc/snort/rules#' \
+    -e 's#^var BLACK_LIST_PATH.*#var BLACK_LIST_PATH /data/etc/snort/rules#' \
+    -e 's/^\(include $.*\)/# \1/' \
+    -e 's/^\(dynamicdetection.*\)/# \1/' \
+    -e '$a\\ninclude $RULE_PATH/snort.rules' \
+    -e 's!^# \(config logdir:\)!\1 /data/var/log/snort!' \
+        /etc/snort/snort.conf
+
+COPY /etc /etc
+COPY /tools/ /tools/
+
+RUN rm -f /var/cache/apk/* && rm -rf /tmp/*
+
+ENTRYPOINT ["/tools/boot"]
diff --git a/image/etc/snort/pulledpork.conf b/image/etc/snort/pulledpork.conf
@@ -0,0 +1,16 @@
+#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
+ignore=deleted.rules,experimental.rules,local.rules
+rule_path=/data/etc/snort/rules/snort.rules
+sid_msg=/data/etc/snort/sid-msg.map
+sid_msg_version=1
+sid_changelog=/data/var/log/snort/sid_changes.log
+sorule_path=/data/var/lib/snort_dynamicrules/
+black_list=/data/etc/snort/rules/black_list.rules
+IPRVersion=/data/etc/snort/rules/iplists
+snort_path=/usr/bin/snort
+config_path=/etc/snort/snort.conf
+distro=alpine
+temp_path=/data/var/tmp/snort
+
+version=0.7.2
diff --git a/image/tools/boot b/image/tools/boot
@@ -0,0 +1,53 @@
+#! /bin/sh
+#
+# Entry point script to make sure external volumes are properly prepped.
+
+prepare_snort_files_and_directories() {
+    if [ ! -e /data/etc/snort ]; then
+	mkdir -p /data/etc
+	cp -a /etc/snort /data/etc
+    fi
+    mkdir -p /data/etc/snort/rules
+    mkdir -p /data/var/lib/snort_dynamicrules
+    mkdir -p /data/var/log/snort
+    mkdir -p /data/var/tmp/snort
+    test -e /data/etc/snort/rules/snort.rules || \
+	touch /data/etc/snort/rules/snort.rules
+    test -e /data/etc/snort/rules/white_list.rules || \
+	touch /data/etc/snort/rules/white_list.rules
+    test -e /data/etc/snort/rules/black_list.rules || \
+	touch /data/etc/snort/rules/black_list.rules
+}
+
+init_pulledpork() {
+    ENABLESID_CONF=/data/etc/snort/enablesid.conf
+    DISABLESID_CONF=/data/etc/snort/disablesid.conf
+    DROPSID_CONF=/data/etc/snort/dropsid.conf
+    MODIFYSID_CONF=/data/etc/snort/modifysid.conf
+
+    if [ ! -e ${ENABLESID_CONF} ]; then
+	cp /opt/pulledpork/etc/$(basename ${ENABLESID_CONF}) ${ENABLESID_CONF}
+    fi
+    if [ ! -e ${DISABLESID_CONF} ]; then
+	cp /opt/pulledpork/etc/$(basename ${DISABLESID_CONF}) ${DISABLESID_CONF}
+    fi
+    if [ ! -e ${DROPSID_CONF} ]; then
+	cp /opt/pulledpork/etc/$(basename ${DROPSID_CONF}) ${DROPSID_CONF}
+    fi
+    if [ ! -e ${MODIFYSID_CONF} ]; then
+	cp /opt/pulledpork/etc/$(basename ${MODIFYSID_CONF}) ${MODIFYSID_CONF}
+    fi
+}
+
+if [ ! -d /data ]; then
+    echo "warning: /data is not mounted as a volume"
+fi
+
+prepare_snort_files_and_directories
+init_pulledpork
+
+if [ ! "$1" ]; then
+   exec /bin/bash
+fi
+
+exec "$@"
diff --git a/image/tools/update-rules b/image/tools/update-rules
@@ -0,0 +1,56 @@
+#! /bin/sh
+#
+# Wrapper script around pulledpork to update rules.
+
+PULLEDPORK_CONF=/data/etc/snort/pulledpork.conf
+ENABLESID_CONF=/data/etc/snort/enablesid.conf
+DISABLESID_CONF=/data/etc/snort/disablesid.conf
+DROPSID_CONF=/data/etc/snort/dropsid.conf
+MODIFYSID_CONF=/data/etc/snort/modifysid.conf
+
+BLACKLIST_URL="http://labs.snort.org/feeds/ip-filter.blf"
+
+VRT_RULE_URL="https://www.snort.org/rules/|snortrules-snapshot.tar.gz"
+ET_OPEN_RULE_URL="https://rules.emergingthreatspro.com/|emerging.rules.tar.gz"
+
+PP_ARGS="/opt/pulledpork/pulledpork.pl -c ${PULLEDPORK_CONF} -P"
+PP_ARGS="${PP_ARGS} -u ${BLACKLIST_URL}|IPBLACKLIST|open"
+
+check_for_file() {
+    echo -n "Checking for file $1: "
+    if [ -e "$1" ]; then
+	echo "found."
+	return 0
+    else
+	echo "not found."
+	return 1
+    fi
+}
+
+if [ ! "${OINKCODE}" ]; then
+    echo "warning: OINKCODE variable not set: using ET open rules."
+    RULE_URL=${ET_OPEN_RULE_URL}
+    OINKCODE="open"
+else
+    RULE_URL=${VRT_RULE_URL}
+fi
+PP_ARGS="${PP_ARGS} -u ${RULE_URL}|${OINKCODE}"
+
+if check_for_file ${ENABLESID_CONF}; then
+    PP_ARGS="${PP_ARGS} -e ${ENABLESID_CONF}"
+fi
+
+if check_for_file ${DISABLESID_CONF}; then
+    PP_ARGS="${PP_ARGS} -i ${DISABLESID_CONF}"
+fi
+
+if check_for_file ${DROPSID_CONF}; then
+    PP_ARGS="${PP_ARGS} -b ${DROPSID_CONF}"
+fi
+
+if check_for_file ${MODIFYSID_CONF}; then
+    PP_ARGS="${PP_ARGS} -M ${MODIFYSID_CONF}"
+fi
+
+echo "Running ${PP_ARGS}."
+${PP_ARGS}
diff --git a/run.sh b/run.sh
@@ -0,0 +1,5 @@
+#! bin/sh
+
+docker run --name alpine-snort -d --net=host \
+           -v $(pwd)/data:/data \
+           kkoziara/alpine-snort "$@"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# alpine-snort
		Docker image containing snort with pulled pork based on alpine linux image and jasonish/docker-snort.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#! /bin/sh
		docker build -t kkoziara/alpine-snort image