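#!/bin/sh
# Build-time provisioning for a Suricata container on Alpine.
#
# Installs Suricata and the helpers the runtime needs, derives a trimmed
# /etc/suricata/suricata.yaml from the packaged sample (capture bound to
# wg0), and enables/fetches the rule feeds.  Runs as root during the image
# build; it is not meant to be re-run inside a live container.
#
# Supply-chain caveats (left as-is, documented for the operator):
#   * apk packages are not version-pinned; the image depends on whatever the
#     Alpine repositories serve at build time.
#   * Rule feeds are fetched over the network by suricata-update.  Nothing in
#     this script verifies them beyond what suricata-update does by default
#     (TODO(review): confirm whether any signature/hash check applies to the
#     feeds enabled below).  Vendor or pin the rule sets if builds must be
#     reproducible.
set -eu
# BusyBox ash accepts pipefail; tolerate a /bin/sh that does not.
set -o pipefail 2>/dev/null || true

readonly SURICATA_DIR=/etc/suricata
readonly YAML="$SURICATA_DIR/suricata.yaml"
readonly YAML_DIST="$YAML.dist"
readonly YAML_CLEAN="$YAML.clean"
readonly YAML_NODPDK="$YAML.clean-nodpdk"

# Print a message to stderr and abort the build.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

apk add --no-cache suricata logrotate dcron dumb-init bind-tools iputils-ping

# Keep the packaged sample as *.dist and build our own suricata.yaml from it.
# At run time the generated file is expected to be shadowed by a mounted
# volume; this one only lets the image start without one.
# Refuse to clobber an existing .dist explicitly: the previous `mv -i` reads
# its answer from a closed stdin during a build, silently skips the move and
# the script then rebuilds the config from a stale copy.
if [ -e "$YAML_DIST" ]; then
  die "$YAML_DIST already exists; refusing to overwrite it"
fi
mv -- "$YAML" "$YAML_DIST"

# Strip whole-line comments and blank lines.  The pattern is anchored at ^ on
# purpose: an unanchored '[[:space:]]*#' deletes every line that merely
# *contains* a '#', i.e. any key carrying a trailing comment, which silently
# drops real configuration keys (and is the likely origin of the dpdk parse
# error worked around below).  Trailing comments are legal YAML and are kept.
# NOTE: this is BusyBox sed (-r selects ERE), not GNU sed.
sed -r '/^[[:space:]]*#/d; /^$/d' "$YAML_DIST" > "$YAML_CLEAN"

# The dpdk stanza used to make Suricata fail at startup
# ("conf-yaml-loader: Failed to parse configuration file at line 163: did
# not find expected key").  It is unused with wg0 anyway, so cut everything
# from 'dpdk:' up to (not including) 'pcap:'.  The slice is computed by line
# number and both markers are mandatory: with the old open-ended sed ranges a
# missing marker produced a silently truncated or unmodified file instead of
# failing the build.  Everything between the two markers is discarded.
dpdk_line=$(grep -n '^dpdk:' "$YAML_CLEAN" | head -n 1 | cut -d: -f1) || true
pcap_line=$(grep -n '^pcap:' "$YAML_CLEAN" | head -n 1 | cut -d: -f1) || true
[ -n "$dpdk_line" ] || die "no 'dpdk:' stanza found in $YAML_CLEAN"
[ -n "$pcap_line" ] || die "no 'pcap:' stanza found in $YAML_CLEAN"
[ "$dpdk_line" -lt "$pcap_line" ] || die "'pcap:' must follow 'dpdk:' in $YAML_CLEAN"
awk -v start="$dpdk_line" -v stop="$pcap_line" 'NR < start || NR >= stop' \
  "$YAML_CLEAN" > "$YAML_NODPDK"

# Bind capture to the WireGuard interface.  Both substitutions are unanchored
# and replace only the first match per line, exactly as before; 'eth[0-9]'
# therefore also rewrites such a name wherever it appears inside a value.
# `uniq` collapses adjacent duplicate lines — inherited behaviour whose reason
# is not recorded; TODO(review): confirm it is still needed, since YAML lists
# may legitimately repeat a line.
sed -r 's/eth[0-9]/wg0/; s/interface: default/interface: wg0/' "$YAML_NODPDK" \
  | uniq > "$YAML"
ln -s "$YAML" /root/suricata.yaml

suricata-update update-sources

# Enable each feed named on the command line in suricata-update's config.
enable_sources() {
  for feed in "$@"; do
    suricata-update enable-source "$feed"
  done
}

# MIT & GPL licensed feeds
enable_sources \
  et/open \
  oisf/trafficid \
  etnetera/aggressive \
  tgreen/hunting \
  malsilo/win-malware \
  stamus/lateral

# Non-commercial licence: review the terms before shipping this image commercially
enable_sources \
  sslbl/ssl-fp-blacklist \
  sslbl/ja3-fingerprints

printf 'updating rules ...'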
suricata-update >/dev/null && echo done # escape line continuations and graves cat > /etc/periodic/hourly/suricata-update </dev/null \\ && kill -USR2 \`cat /var/run/suricata.pid\` \\ || echo ERROR: could not update suricata rules from cron job EOF chmod +x /etc/periodic/hourly/suricata-update cat > /etc/logrotate.d/suricata </dev/null` 2>/dev/null || true endscript } /var/log/suricata/*.log { daily rotate 3 missingok compress delaycompress create sharedscripts postrotate /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true endscript } EOF # init script for dumb-init # no $var escapes there cat > /etc/rc.local <> /root/.bashrc <