diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2ed14c1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# alpine-snort
+Docker image containing snort with pulled pork based on alpine linux image and jasonish/docker-snort.
\ No newline at end of file
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..effda1b
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,2 @@
+#! /bin/sh
+docker build -t kkoziara/alpine-snort image
diff --git a/image/Dockerfile b/image/Dockerfile
new file mode 100644
index 0000000..c233376
--- /dev/null
+++ b/image/Dockerfile
@@ -0,0 +1,25 @@
+FROM gliderlabs/alpine:edge
+
+RUN apk --update add snort curl tar perl-libwww perl-crypt-ssleay perl-sys-syslog perl-switch perl-lwp-protocol-https
+
+RUN mkdir -p /opt/pulledpork && \
+ cd /opt/pulledpork && \
+ curl -o - -L https://github.com/shirkdog/pulledpork/archive/0.7.2.tar.gz | tar zxf - --strip-components=1 && \
+ chmod 755 pulledpork.pl
+
+RUN sed -i \
+ -e 's#^var RULE_PATH.*#var RULE_PATH /data/etc/snort/rules#' \
+ -e 's#^var WHITE_LIST_PATH.*#var WHITE_LIST_PATH /data/etc/snort/rules#' \
+ -e 's#^var BLACK_LIST_PATH.*#var BLACK_LIST_PATH /data/etc/snort/rules#' \
+ -e 's/^\(include $.*\)/# \1/' \
+ -e 's/^\(dynamicdetection.*\)/# \1/' \
+ -e '$a\\ninclude $RULE_PATH/snort.rules' \
+ -e 's!^# \(config logdir:\)!\1 /data/var/log/snort!' \
+ /etc/snort/snort.conf
+
+COPY /etc /etc
+COPY /tools/ /tools/
+
+RUN rm -f /var/cache/apk/* && rm -rf /tmp/*
+
+ENTRYPOINT ["/tools/boot"]
\ No newline at end of file
diff --git a/image/etc/snort/pulledpork.conf b/image/etc/snort/pulledpork.conf
new file mode 100644
index 0000000..66e33d6
--- /dev/null
+++ b/image/etc/snort/pulledpork.conf
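Review bot: The `curl ... | tar zxf -` step in the Dockerfile hunk extracts the pulledpork archive with no integrity check, and the base is the rolling `gliderlabs/alpine:edge`, so the image is neither reproducible nor protected against a tampered or replaced download; the `apk --update add` line also leaves the index cache in its layer, which the later `RUN rm -f /var/cache/apk/*` cannot shrink. Download to a file, verify a pinned SHA-256 before extracting, and use `apk add --no-cache` so the cleanup layer can go. The final stage has no `USER` instruction; that may be deliberate because snort needs raw-socket access, but it should be stated in a comment or handed to snort's own `-u`/`-g` privilege drop at runtime.
```dockerfile
RUN apk add --no-cache snort curl tar perl-libwww perl-crypt-ssleay perl-sys-syslog perl-switch perl-lwp-protocol-https

# <PULLEDPORK_SHA256_PLACEHOLDER> is a placeholder: fill in the digest of the 0.7.2 archive before building
RUN mkdir -p /opt/pulledpork && \
    curl -fsSL -o /tmp/pulledpork.tar.gz https://github.com/shirkdog/pulledpork/archive/0.7.2.tar.gz && \
    echo "<PULLEDPORK_SHA256_PLACEHOLDER>  /tmp/pulledpork.tar.gz" | sha256sum -c - && \
    tar zxf /tmp/pulledpork.tar.gz -C /opt/pulledpork --strip-components=1 && \
    rm -f /tmp/pulledpork.tar.gz && \
    chmod 755 /opt/pulledpork/pulledpork.pl
# … unchanged: sed edits to /etc/snort/snort.conf, COPY lines, ENTRYPOINT …
```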
@@ -0,0 +1,16 @@
+#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
+#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
+ignore=deleted.rules,experimental.rules,local.rules
+rule_path=/data/etc/snort/rules/snort.rules
+sid_msg=/data/etc/snort/sid-msg.map
+sid_msg_version=1
+sid_changelog=/data/var/log/snort/sid_changes.log
+sorule_path=/data/var/lib/snort_dynamicrules/
+black_list=/data/etc/snort/rules/black_list.rules
+IPRVersion=/data/etc/snort/rules/iplists
+snort_path=/usr/bin/snort
+config_path=/etc/snort/snort.conf
+distro=alpine
+temp_path=/data/var/tmp/snort
+
+version=0.7.2
diff --git a/image/tools/boot b/image/tools/boot
new file mode 100755
index 0000000..09879e0
--- /dev/null
+++ b/image/tools/boot
@@ -0,0 +1,53 @@
+#! /bin/sh
+#
+# Entry point script to make sure external volumes are properly prepped.
+
+prepare_snort_files_and_directories() {
+ if [ ! -e /data/etc/snort ]; then
+ mkdir -p /data/etc
+ cp -a /etc/snort /data/etc
+ fi
+ mkdir -p /data/etc/snort/rules
+ mkdir -p /data/var/lib/snort_dynamicrules
+ mkdir -p /data/var/log/snort
+ mkdir -p /data/var/tmp/snort
+ test -e /data/etc/snort/rules/snort.rules || \
+ touch /data/etc/snort/rules/snort.rules
+ test -e /data/etc/snort/rules/white_list.rules || \
+ touch /data/etc/snort/rules/white_list.rules
+ test -e /data/etc/snort/rules/black_list.rules || \
+ touch /data/etc/snort/rules/black_list.rules
+}
+
+init_pulledpork() {
+ ENABLESID_CONF=/data/etc/snort/enablesid.conf
+ DISABLESID_CONF=/data/etc/snort/disablesid.conf
+ DROPSID_CONF=/data/etc/snort/dropsid.conf
+ MODIFYSID_CONF=/data/etc/snort/modifysid.conf
+
+ if [ ! -e ${ENABLESID_CONF} ]; then
+ cp /opt/pulledpork/etc/$(basename ${ENABLESID_CONF}) ${ENABLESID_CONF}
+ fi
+ if [ ! -e ${DISABLESID_CONF} ]; then
+ cp /opt/pulledpork/etc/$(basename ${DISABLESID_CONF}) ${DISABLESID_CONF}
+ fi
+ if [ ! -e ${DROPSID_CONF} ]; then
+ cp /opt/pulledpork/etc/$(basename ${DROPSID_CONF}) ${DROPSID_CONF}
+ fi
+ if [ ! -e ${MODIFYSID_CONF} ]; then
+ cp /opt/pulledpork/etc/$(basename ${MODIFYSID_CONF}) ${MODIFYSID_CONF}
+ fi
+}
+
+if [ ! -d /data ]; then
+ echo "warning: /data is not mounted as a volume"
+fi
+
+prepare_snort_files_and_directories
+init_pulledpork
+
+if [ ! "$1" ]; then
+ exec /bin/bash
+fi
+
+exec "$@"
diff --git a/image/tools/update-rules b/image/tools/update-rules
new file mode 100755
index 0000000..319ce37
--- /dev/null
+++ b/image/tools/update-rules
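Review bot: `exec /bin/bash` in the no-argument branch near the end of the hunk will fail at runtime, because the Dockerfile's `apk` line installs no bash and the alpine base ships only busybox `sh`; change it to `exec /bin/sh` or add bash to the package list. The script also runs without `set -e`, so a failed `cp -a /etc/snort /data/etc` or `mkdir` is silently ignored and `exec "$@"` still starts the workload against a half-populated volume; adding `set -e` directly under the shebang would stop that. The unquoted `${ENABLESID_CONF}`-style expansions in `init_pulledpork` are safe only because the paths are fixed constants, which is worth a one-line comment so nobody later makes them configurable without quoting.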
@@ -0,0 +1,56 @@
+#! /bin/sh
+#
+# Wrapper script around pulledpork to update rules.
+
+PULLEDPORK_CONF=/data/etc/snort/pulledpork.conf
+ENABLESID_CONF=/data/etc/snort/enablesid.conf
+DISABLESID_CONF=/data/etc/snort/disablesid.conf
+DROPSID_CONF=/data/etc/snort/dropsid.conf
+MODIFYSID_CONF=/data/etc/snort/modifysid.conf
+
+BLACKLIST_URL="http://labs.snort.org/feeds/ip-filter.blf"
+
+VRT_RULE_URL="https://www.snort.org/rules/|snortrules-snapshot.tar.gz"
+ET_OPEN_RULE_URL="https://rules.emergingthreatspro.com/|emerging.rules.tar.gz"
+
+PP_ARGS="/opt/pulledpork/pulledpork.pl -c ${PULLEDPORK_CONF} -P"
+PP_ARGS="${PP_ARGS} -u ${BLACKLIST_URL}|IPBLACKLIST|open"
+
+check_for_file() {
+ echo -n "Checking for file $1: "
+ if [ -e "$1" ]; then
+ echo "found."
+ return 0
+ else
+ echo "not found."
+ return 1
+ fi
+}
+
+if [ ! "${OINKCODE}" ]; then
+ echo "warning: OINKCODE variable not set: using ET open rules."
+ RULE_URL=${ET_OPEN_RULE_URL}
+ OINKCODE="open"
+else
+ RULE_URL=${VRT_RULE_URL}
+fi
+PP_ARGS="${PP_ARGS} -u ${RULE_URL}|${OINKCODE}"
+
+if check_for_file ${ENABLESID_CONF}; then
+ PP_ARGS="${PP_ARGS} -e ${ENABLESID_CONF}"
+fi
+
+if check_for_file ${DISABLESID_CONF}; then
+ PP_ARGS="${PP_ARGS} -i ${DISABLESID_CONF}"
+fi
+
+if check_for_file ${DROPSID_CONF}; then
+ PP_ARGS="${PP_ARGS} -b ${DROPSID_CONF}"
+fi
+
+if check_for_file ${MODIFYSID_CONF}; then
+ PP_ARGS="${PP_ARGS} -M ${MODIFYSID_CONF}"
+fi
+
+echo "Running ${PP_ARGS}."
+${PP_ARGS}
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..50b6e54
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,5 @@
+#! bin/sh
+
+docker run --name alpine-snort -d --net=host \
+ -v $(pwd)/data:/data \
+ kkoziara/alpine-snort "$@"
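Review bot: `echo "Running ${PP_ARGS}."` on the second-to-last line writes the OINKCODE, which is the snort.org subscription key, into the container log, and carrying it in argv on the last line makes it readable to every process in the container; log the source without the key, e.g. `echo "Running pulledpork against ${RULE_URL}."`, and consider moving the keyed `rule_url` into pulledpork.conf, which the commented `rule_url=` lines in that file suggest pulledpork supports. `BLACKLIST_URL` is plain `http://`, so the IP blocklist is fetched with no transport integrity; if the feed is reachable over TLS, prefer it, and otherwise note the exposure in a comment. Invoking `${PP_ARGS}` unquoted relies on word splitting, which works only because no path here contains whitespace; a comment saying so would save the next maintainer from a confusing failure.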
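Review bot: The shebang `#! bin/sh` in run.sh is a relative path, so executing the script directly fails with a bad-interpreter error unless the working directory happens to be `/`; it should read `#! /bin/sh`, as build.sh already does. `$(pwd)` in the `-v` mount is unquoted and breaks on a working directory containing spaces; quote it as `-v "$(pwd)/data:/data"`. `--net=host` is expected for a packet sniffer, but a one-line comment stating that intent would stop readers from treating it as an accidental privilege grant.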