jasonish / docker-suricata

A Suricata Docker image.
https://hub.docker.com/r/jasonish/suricata/
MIT License
250 stars 76 forks

Set HOME_NET variable | possible options? #13

Closed bitvijays closed 3 years ago

bitvijays commented 3 years ago

Dear @jasonish ,

Hope you are doing well. Thank you for creating docker for suricata 👍

I was wondering if there's a way to set the HOME_NET variable in the suricata.yaml file? For instance, if we are testing Suricata in the internal network as a host IDS, I want to set HOME_NET to the IP address of that machine, such as 192.168.1.99. Is that possible without editing the file manually?

Also, the IP address can change between deployments (such as when deploying on Kubernetes), so an automatic way would be preferred.

Thank you :)

jasonish commented 3 years ago

It would be nice if this could be passed as an environment variable or something. Perhaps some day. For now the only way to do this is with a command line parameter. Something like:

suricata --set vars.address-groups.HOME_NET="[10.16.1.3/32]"

will override the HOME_NET in the configuration file.
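As an added example (not code from the docker-suricata repository or from this thread), a small wrapper that turns an environment variable into the `--set` override shown above, so the value can be injected by a container orchestrator (for instance from a Kubernetes fieldRef to status.podIP) instead of editing suricata.yaml; the variable names HOME_NET and RUN_ENTRYPOINT and the fallback to `hostname -i` are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the docker-suricata image: build the value for
# "--set vars.address-groups.HOME_NET=[...]" from a HOME_NET environment
# variable (assumed name), validating it before it reaches suricata.

# Accept one or more comma-separated IPv4 addresses or CIDRs; bare addresses
# get /32 so they are unambiguous inside the address group.
normalize_home_net() {
    input="$1"
    out=""
    old_ifs="$IFS"; IFS=','
    for item in $input; do
        item=$(printf '%s' "$item" | tr -d ' ')
        [ -n "$item" ] || continue
        case "$item" in
            */*) cidr="$item" ;;
            *)   cidr="$item/32" ;;
        esac
        # Reject anything that is not dotted-quad/prefix (0-32).
        printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
            IFS="$old_ifs"; return 1; }
        out="${out:+$out,}$cidr"
    done
    IFS="$old_ifs"
    [ -n "$out" ] || return 1
    printf '[%s]' "$out"
}

# The argument value for --set, exactly in the form the comment above shows.
home_net_set_value() {
    group=$(normalize_home_net "$1") || return 1
    printf 'vars.address-groups.HOME_NET=%s' "$group"
}

# Entrypoint usage (assumed gate): HOME_NET from the environment, otherwise the
# container's own first address as reported by busybox/coreutils "hostname -i".
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
    net="${HOME_NET:-$(hostname -i | awk '{print $1}')}"
    value=$(home_net_set_value "$net") || { echo "invalid HOME_NET: $net" >&2; exit 1; }
    exec suricata --set "$value" "$@"
fi
```

Note that `--set` and its value are passed as two separate arguments; collapsing them into one quoted string would not be parsed as an option.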

bitvijays commented 3 years ago

Hey @jasonish ,

Thanks Jason :) . I tried that, giving the args in Kubernetes, and for some reason it doesn't work. Anyway, I tried building an image using the Dockerfile and got the below error:

Step 5/24 : RUN if [ "${VERSION}" = "master" ]; then    git clone https://github.com/OISF/suricata.git suricata-${VERSION};     git clone https://github.com/OISF/libhtp.git suricata-${VERSION}/libhtp;         (cd suricata-${VERSION}/suricata-update &&              curl -L https://github.com/OISF/suricata-update/archive/master.tar.gz | tar zxf - --strip-components=1);        (cd suricata-${VERSION} && ./autogen.sh); else   curl -OL https://www.openinfosecfoundation.org/download/suricata-${VERSION}.tar.gz;     tar zxf suricata-${VERSION}.tar.gz; fi
 ---> Running in f9deeac66515
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   196  100   196    0     0    408      0 --:--:-- --:--:-- --:--:--   407
tar: invalid magic
tar: short read
The command '/bin/sh -c if [ "${VERSION}" = "master" ]; then    git clone https://github.com/OISF/suricata.git suricata-${VERSION};     git clone https://github.com/OISF/libhtp.git suricata-${VERSION}/libhtp;         (cd suricata-${VERSION}/suricata-update &&              curl -L https://github.com/OISF/suricata-update/archive/master.tar.gz | tar zxf - --strip-components=1);        (cd suricata-${VERSION} && ./autogen.sh); else   curl -OL https://www.openinfosecfoundation.org/download/suricata-${VERSION}.tar.gz;     tar zxf suricata-${VERSION}.tar.gz; fi' returned a non-zero code: 1

Came across "How to solve tar invalid magic error in Alpine Linux" and added tar with `apk add tar`. However, I'm still getting the same error:

Step 5/24 : RUN if [ "${VERSION}" = "master" ]; then    git clone https://github.com/OISF/suricata.git suricata-${VERSION};     git clone https://github.com/OISF/libhtp.git suricata-${VERSION}/libhtp;         (cd suricata-${VERSION}/suricata-update &&              curl -L https://github.com/OISF/suricata-update/archive/master.tar.gz | tar zxf - --strip-components=1);        (cd suricata-${VERSION} && ./autogen.sh); else   curl -OL https://www.openinfosecfoundation.org/download/suricata-${VERSION}.tar.gz;     tar zxf suricata-${VERSION}.tar.gz; fi
 ---> Running in 18fb0479df5f
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   196  100   196    0     0    412      0 --:--:-- --:--:-- --:--:--   412
gzip: invalid magic
tar: Child returned status 1
tar: Error is not recoverable: exiting now
The command '/bin/sh -c if [ "${VERSION}" = "master" ]; then    git clone https://github.com/OISF/suricata.git suricata-${VERSION};     git clone https://github.com/OISF/libhtp.git suricata-${VERSION}/libhtp;         (cd suricata-${VERSION}/suricata-update &&              curl -L https://github.com/OISF/suricata-update/archive/master.tar.gz | tar zxf - --strip-components=1);        (cd suricata-${VERSION} && ./autogen.sh); else   curl -OL https://www.openinfosecfoundation.org/download/suricata-${VERSION}.tar.gz;     tar zxf suricata-${VERSION}.tar.gz; fi' returned a non-zero code: 2

I am building the Docker image on a Raspberry Pi 4.

jasonish commented 3 years ago

These Dockerfiles are really usable as-is. They require some build-args that get passed to them with "build.sh"... which may or may not work on the Pi. I've only ever built on x86_64 but tested the images on a Pi4.

You could try:

docker build --build-arg VERSION="6.0.0" -f Dockerfile.alpine-arm64v8 .

If you haven't updated your Pi4 to 64-bit mode, you should use the arm32v6 Dockerfile instead.

jasonish commented 3 years ago

I just tried building the arm64v8 image on my Pi4 that has been updated to 64-bit mode, and it doesn't build. Looks like the arm32v6 one will build though.

bitvijays commented 3 years ago

Okies.. No worries.. I will try to build it on my laptop and check. Thank you for the support @jasonish. Much appreciated 👍