diff --git a/docker/.gitignore b/docker/.gitignore
new file mode 100644
index 000000000..b99436d13
--- /dev/null
+++ b/docker/.gitignore
@@ -0,0 +1,10 @@
+# Do not ignore entrypoint
+!containers-data/suricata/etc/new_entrypoint.sh
+# Ignore logs and other dynamic data
+containers-data/suricata/etc/*
+containers-data/suricata/logs/*
+containers-data/scirius/logs/*
+containers-data/nginx/ssl/*
+
+# Ignore the environment secrets
+.env
diff --git a/docker/containers-data/suricata/etc/new_entrypoint.sh b/docker/containers-data/suricata/etc/new_entrypoint.sh
index 63c8a8ecd..48954b568 100755
--- a/docker/containers-data/suricata/etc/new_entrypoint.sh
+++ b/docker/containers-data/suricata/etc/new_entrypoint.sh
@@ -28,4 +28,9 @@ done
 mkdir -p /var/log/suricata/fpc/
 cat /etc/suricata/suricata.yaml | grep "include: selks6-addin.yaml" || echo "include: selks6-addin.yaml" >> /etc/suricata/suricata.yaml && echo 'suricata.yaml edited'
-exec /docker-entrypoint.sh $@
\ No newline at end of file
+if [[ "${CREATE_DUMMY_INTERFACE}" ]]; then
+ echo "Creating dummy interface"
+ ip link add dummy0 type dummy && ip link set dummy0 up
+fi
+
+exec /docker-entrypoint.sh $@
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 124bccafb..e0bed30f8 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -103,7 +103,7 @@ services:
 suricata:
 container_name: suricata
- image: jasonish/suricata:master-amd64
+ image: jasonish/suricata:master
 entrypoint: /etc/suricata/new_entrypoint.sh
 restart: ${RESTART_MODE:-unless-stopped}
 depends_on:
@@ -111,6 +111,7 @@ services:
 condition: service_healthy
 environment:
 - SURICATA_OPTIONS=${INTERFACES} -vvv --set sensor-name=suricata
+ - CREATE_DUMMY_INTERFACE=${CREATE_DUMMY_INTERFACE:-false}
 cap_add:
 - NET_ADMIN
 - SYS_NICE
diff --git a/docker/easy-setup.sh b/docker/easy-setup.sh
index 6137a936f..610e17bcf 100755
--- a/docker/easy-setup.sh
+++ b/docker/easy-setup.sh
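Review bot: The negation `!containers-data/suricata/etc/new_entrypoint.sh` on the second line of the new file is cancelled by `containers-data/suricata/etc/*` two lines below it, because gitignore lets the last matching pattern win, so the entrypoint ends up ignored after all; the file being already tracked hides this until someone re-adds or copies it. Put the wildcard first and the negation after it: `containers-data/suricata/etc/*` followed by `!containers-data/suricata/etc/new_entrypoint.sh`. `git check-ignore -v containers-data/suricata/etc/new_entrypoint.sh` shows which rule currently applies.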
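Review bot: `if [[ "${CREATE_DUMMY_INTERFACE}" ]]` only tests that the variable is non-empty, and the docker-compose.yml hunk at line 111 always passes `false` when the host has not set it, so the string `false` is truthy here and the dummy interface is created on every deployment, not just macOS. Compare the value explicitly, `if [[ "${CREATE_DUMMY_INTERFACE}" == "true" ]]; then`. On the next lines, when `ip link add` fails (for instance because `NET_ADMIN` was removed from `cap_add`) the `&&` chain drops the error silently and Suricata is then started on an interface that does not exist, so appending `|| exit 1` to that line would make the failure visible; and the re-added `exec /docker-entrypoint.sh $@` should quote `"$@"` so arguments with spaces survive. The enclosing script starts before this hunk.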
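Review bot: `image: jasonish/suricata:master` swaps one floating tag for another, so every `pull` or container re-creation can fetch a different, unreviewed build of the sensor; the same applies to the `master` and `master-profiling` tags assigned in the readpcap.sh hunks at lines 289, 302 and 314. The move to the multi-arch `master` manifest looks motivated by the macOS support added in easy-setup.sh, which is fine, but the validated build should then be pinned by digest, `image: jasonish/suricata:master@sha256:<digest-of-validated-build>`, or at least the digest recorded in a comment next to the image line so the deployed build can be audited later.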
@@ -395,6 +395,8 @@ function is_compose_installed(){
 composeV=$(docker-compose --version 2>/dev/null)
 if [[ $composeV == *"docker-compose version"* ]]; then
 echo "yes"
+ elif [[ $composeV == *"Docker Compose version"* ]]; then
+ echo "yes"
 else
 echo "no"
 fi
@@ -477,10 +479,10 @@ function check_docker_version(){
 function check_compose_version(){
 composeV=$(docker-compose --version)
 composeV=( $composeV )
- composeV=$( echo ${composeV[2]} |tr ',' ' ')
+ composeV=$( echo ${composeV[${#composeV[@]}-1]} |tr ',' ' ')
 if Version $composeV '<' "${MINIMAL_COMPOSE_VERSION}"; then
- echo -e "${red}-${reset} Docker version is too old, please upgrade it to ${MINIMAL_COMPOSE_VERSION} minimum"
+ echo -e "${red}-${reset} Docker-compose version is too old, found ${composeV}, please upgrade it to ${MINIMAL_COMPOSE_VERSION} minimum"
 exit
 fi
 }
@@ -741,6 +743,17 @@ echo "COMPOSE_PROJECT_NAME=SELKS" > ${BASEDIR}/.env
 #############
 function getInterfaces {
+ if [[ $OSTYPE == 'darwin'* ]]; then
+ echo "You are running macOS, this doesn't support promiscous mode, only dummy-interfaces is available. We will create dummy0 inside docker."
+ if [[ "${INTERACTIVE}" == "true" ]] ; then
+ echo "Press any key to continue or ^c to exit"
+ read
+ fi
+ echo "CREATE_DUMMY_INTERFACE=true" >> ${BASEDIR}/.env
+ interfaces="dummy0"
+ return
+ fi
+
 echo -e " Network interfaces detected:"
 intfnum=0
 for interface in $(ls /sys/class/net); do echo "${intfnum}: ${interface}"; ((intfnum++)) ; done
diff --git a/docker/scripts/readpcap.sh b/docker/scripts/readpcap.sh
index 3ff77d6a6..09dada275 100755
--- a/docker/scripts/readpcap.sh
+++ b/docker/scripts/readpcap.sh
@@ -289,7 +289,7 @@ if [[ "${test}" == *"Error"* ]]; then
 exit 1
 fi
-IMAGE="jasonish/suricata:master-amd64"
+IMAGE="jasonish/suricata:master"
 OPTIONSTRING=""
 if [[ -n "${_arg_set_rulefile}" ]]; then
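Review bot: The new `elif` branch in is_compose_installed repeats the `echo "yes"` of the branch right above it, so the two accepted spellings of the version banner are split across two identical branches. A single condition keeps them together and reads more directly: `if [[ $composeV == *"docker-compose version"* || $composeV == *"Docker Compose version"* ]]; then`. The function's closing brace is outside the hunk.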
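Review bot: In check_compose_version, taking the last word with `${composeV[${#composeV[@]}-1]}` regresses the v1 case the old `${composeV[2]}` handled: v1 prints a banner of the form `docker-compose version 1.29.2, build 5becea4c` (constructed example), so the last word is the build id and the comparison against `${MINIMAL_COMPOSE_VERSION}` runs on a hash, while for v2 (`Docker Compose version v2.x.y`) it yields `v2.x.y`, which only works if `Version` (defined outside the hunk) tolerates the `v` prefix. Selecting the token by shape instead of by position covers both: `composeV=$(docker-compose --version | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1)`. The bare `exit` after the error message also returns the status of the preceding `echo`, i.e. 0, so a caller cannot tell the check failed; `exit 1` is what that error path needs.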
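Review bot: The user-facing message added at the top of getInterfaces has a typo (`promiscous`) and mixed grammar; suggested wording: `echo "You are running macOS, which does not support promiscuous mode; only a dummy interface is available, so dummy0 will be created inside docker."`. The lines that follow should quote the path and read safely, `echo "CREATE_DUMMY_INTERFACE=true" >> "${BASEDIR}/.env"` and `read -r _`, since an empty or space-containing `BASEDIR` would otherwise write the flag somewhere else than the `.env` this script created. The rest of getInterfaces continues outside the hunk.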
@@ -302,7 +302,7 @@ if [[ -n "${_arg_set_rulefile}" ]]; then
 fi
 OPTIONSTRING="${OPTIONSTRING} -s /rules/${RULE_FILENAME}"
 RULE_MOUNT="-v ${RULE_HOST_PATH}:/rules/${RULE_FILENAME}"
- IMAGE="jasonish/suricata:master-amd64-profiling"
+ IMAGE="jasonish/suricata:master-profiling"
 elif [[ -n "${_arg_set_rulefile_exclusive}" ]]; then
 echo ${_arg_set_rulefile_exclusive}
@@ -314,7 +314,7 @@ elif [[ -n "${_arg_set_rulefile_exclusive}" ]]; then
 fi
 OPTIONSTRING="${OPTIONSTRING} -S /rules/${RULE_FILENAME}"
 RULE_MOUNT="-v ${RULE_HOST_PATH}:/rules/${RULE_FILENAME}"
- IMAGE="jasonish/suricata:master-amd64-profiling"
+ IMAGE="jasonish/suricata:master-profiling"
 fi
 if [[ -n "${_arg_set_rulefile}" && -n "${_arg_set_rulefile_exclusive}" ]]; then
@@ -322,7 +322,7 @@ if [[ -n "${_arg_set_rulefile}" && -n "${_arg_set_rulefile_exclusive}" ]]; then
 exit 1
 fi
-
+touch ${BASEDIR}/containers-data/suricata/logs/eve.json && chmod 777 ${BASEDIR}/containers-data/suricata/logs/eve.json
 docker run --name suricata-replay --rm -it \
 --cap-add=net_admin --cap-add=sys_nice \
@@ -335,4 +335,4 @@ ${RULE_MOUNT} \
 ${IMAGE} -k none -r ${LOCAL_PATH} --runmode ${MODE} -l /var/log/suricata --set sensor-name=${FILENAME} ${OPTIONSTRING}
 docker cp ${HOST_PATH} arkime:/readpcap/
-docker exec arkime bash -c "\$ARKIMEDIR/bin/capture -r /readpcap/${FILENAME} -t ${FILENAME} >> \$ARKIMEDIR/logs/capture-readpcap.log 2>&1 && rm -rf /readpcap/* "
\ No newline at end of file
+docker exec arkime bash -c "\$ARKIMEDIR/bin/capture -r /readpcap/${FILENAME} -t ${FILENAME} >> \$ARKIMEDIR/logs/capture-readpcap.log 2>&1 && rm -rf /readpcap/* "
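Review bot: `chmod 777` on `eve.json` in the hunk at line 322 makes the sensor's event log world-writable on the host, so any local account can append to or truncate the file that scirius and the rest of the stack then treat as genuine detection data. The file only needs to be writable by the uid Suricata runs as inside the container (not visible in this diff), so create it with a narrow mode and matching ownership instead, e.g. `touch "${BASEDIR}/containers-data/suricata/logs/eve.json" && chmod 0664 "${BASEDIR}/containers-data/suricata/logs/eve.json"` followed by a `chown` to the container's uid/gid; quoting `${BASEDIR}` also keeps the `touch` from creating `/containers-data/...` when the variable is empty. The added line replaces the blank line that separated the setup from the `docker run` below it; keeping one blank line there preserves the script's existing spacing.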