We purchased a Corelight AP3000 recently to run Zeek and Suricata and send these logs to our SIEM. This was my first time running Suricata in my environment and I quickly learned that Suricata is only as good as the rules provided to it.
Downloading Suricata Rules
To download rules for Suricata, I used the Emerging Threats Open ruleset that’s built into the suricata-update tool. You can read more about the tool here: https://suricata-update.readthedocs.io/en/latest/quickstart.html#install-suricata-update. The installation is straightforward:
pip install --upgrade suricata-update
And so is running it to download the latest rules:
suricata-update --suricata-version 5.0
We’re running Suricata version 5 on our Corelight, so I gave it that parameter to ensure the rules would be compatible.
Uploading to Corelight
Uploading the rules to Corelight is easy as well using the corelight-client. You can download it from their GitHub repository: https://github.com/corelight/corelight-client.
The installation is straightforward:
git clone https://github.com/corelight/corelight-client
cd corelight-client
sudo python3 setup.py install
Running it is easy enough, but I would recommend defining a few parameters to make the process smoother. First, you'll specify the device with the -b argument; to avoid repeating it, store your devices in a corelight-client.rc file in the directory you run corelight-client from in the future:
corelight-client -b x.x.x.x
vim ~/.corelight-client.rc
device=x.x.x.x
user=<username>
password=<password>
Now that you’ve downloaded Suricata rules in the previous section and have installed the corelight-client, you can upload the rules to Corelight:
corelight-client suricata ruleset upload --file=/var/lib/suricata/rules/suricata.rules --filename=suricata.rules
You can confirm this worked by logging into the Corelight appliance, navigating to Packages > Suricata and checking that the upload date is today.
Using Docker
These earlier steps are great for one-off, on-demand uploads, but I think we can take it up a notch and run them on a scheduled job. And to take it up another notch, let’s run them in a Docker container so we don’t have to dedicate a server or workstation to handle Suricata rules.
The Dockerfile
This Dockerfile is based on Ubuntu and installs the latest suricata-update and corelight-client. It is the configuration used in the next step to build an image that contains our tools, so that the container can run everything we need:
FROM ubuntu
LABEL Description="Corelight-Client to access Corelight API" Version="1.0"
# Install pip, suricata-update and corelight-client
RUN apt update -y && apt install -y python3 python3-pip curl git
RUN pip3 install setuptools
RUN pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org corelight-client
RUN pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org --upgrade suricata-update
# copy corelight config to home directory
# the contents of this .rc file will need to be different if connecting to multiple Corelights
# note: the sensor credentials in this file are baked into an image layer, so keep the image in a private registry
COPY ./config/corelight-client.rc /root/.corelight-client.rc
# copy the update script (written in the next section) to the path the container is told to run;
# it is assumed to sit next to the Dockerfile in the build context
COPY ./update-ruleset-on-corelight.sh /usr/bin/update-ruleset-on-corelight.sh
RUN chmod +x /usr/bin/update-ruleset-on-corelight.sh
# create suricata directories
RUN mkdir /etc/suricata/ \
&& mkdir /var/lib/suricata \
&& mkdir /var/lib/suricata/rules \
&& mkdir /var/lib/suricata/update
Script to Update Rules
To make things easy in our container, we’ll run a bash script to actually download and update the rules. This script will be update-ruleset-on-corelight.sh:
#!/bin/bash
set -euo pipefail   # abort before the upload step if the download fails
suricata-update --suricata-version 5.0
corelight-client suricata ruleset upload --file=/var/lib/suricata/rules/suricata.rules --filename=suricata.rules
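The two-line script works, but nothing stops it from pushing a truncated or empty ruleset to the sensor if the download partially fails, and it re-uploads every day even when Emerging Threats has published nothing new. The following is an added example, not code from the original post or from Corelight: the same script with sanity checks in front of the upload. It counts active rules, refuses to upload below an assumed floor (MIN_RULES, 1000 here, is an assumption; ET Open ships far more), and keeps a SHA-256 of the last uploaded file under /var/lib/suricata/update so unchanged rulesets are skipped. The state-file path and the `run` argument are assumptions of this example; the suricata-update and corelight-client invocations are the ones from the post. The same script is what the scheduled cron.sh container would invoke.

```shell
#!/bin/bash
# Added example (not from the original post): update-ruleset-on-corelight.sh with
# checks that keep a bad or unchanged download from being uploaded to the sensor.
set -eu

RULES_FILE="${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}"
STATE_FILE="${STATE_FILE:-/var/lib/suricata/update/last-uploaded.sha256}"   # assumed path
MIN_RULES="${MIN_RULES:-1000}"   # assumed floor for a sane ET Open download

# Count active (uncommented) rule lines in a ruleset file; disabled rules start with '#'.
count_rules() {
    grep -c -E '^(alert|drop|reject|pass)[[:space:]]' "$1" || true
}

# Succeed (exit 0) when the file's SHA-256 differs from the one recorded at the last upload,
# or when no upload has been recorded yet.
ruleset_changed() {
    local file="$1" state="$2" current
    current=$(sha256sum "$file" | cut -d' ' -f1)
    [ ! -f "$state" ] || [ "$(cat "$state")" != "$current" ]
}

# Fail unless the ruleset is present, non-empty and carries at least $2 active rules.
validate_ruleset() {
    local file="$1" min="$2" n
    [ -s "$file" ] || { echo "ruleset missing or empty: $file" >&2; return 1; }
    n=$(count_rules "$file")
    [ "$n" -ge "$min" ] || { echo "only $n active rules in $file (expected >= $min)" >&2; return 1; }
    return 0
}

# Record the hash of the file that was just uploaded.
record_upload() {
    mkdir -p "$(dirname "$2")"
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

main() {
    suricata-update --suricata-version 5.0
    validate_ruleset "$RULES_FILE" "$MIN_RULES"        # set -e stops here on failure
    if ruleset_changed "$RULES_FILE" "$STATE_FILE"; then
        corelight-client suricata ruleset upload --file="$RULES_FILE" --filename=suricata.rules
        record_upload "$RULES_FILE" "$STATE_FILE"
        echo "uploaded $(count_rules "$RULES_FILE") active rules"
    else
        echo "ruleset unchanged since last upload; nothing to do"
    fi
}

# Only download and upload when invoked as "update-ruleset-on-corelight.sh run", so the
# file can be sourced for testing without touching the network or the sensor.
if [ "${1:-}" = "run" ]; then
    main
fi
```

In the container this is invoked as `/usr/bin/update-ruleset-on-corelight.sh run`; because the state file lives under /var/lib/suricata/update, mount that directory as a volume alongside the rules directory if the "unchanged" check should survive across the daily one-off containers.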
Building the Image
Now we’re ready to build the image with Corelight-Client & Suricata-Update installed:
sudo docker build . -t suricata-corelight
Running the Container
Now that the image has been built, we can run it as a one-off. It will run the bash script we created earlier and update the Suricata rules on our Corelight appliance (note you can run it with -it instead of -d to see what happens when it runs, great for troubleshooting):
sudo docker run -d --rm \
-v /home/infosec/docker/suricata/config/suricata:/etc/suricata \
-v /home/infosec/docker/suricata/config/suricata/rules:/var/lib/suricata/rules \
suricata-corelight \
/usr/bin/update-ruleset-on-corelight.sh
Scheduling the Container
This is the cool part of this guide: we’re going to set a CRON job to run daily that creates the container, downloads Suricata rules, uploads them to Corelight and then destroys the container. Now that’s efficiency! To achieve this, I pasted all of the below into a Bash script cron.sh:
docker run -d --rm \
-v /home/infosec/docker/suricata/config/suricata:/etc/suricata \
-v /home/infosec/docker/suricata/config/suricata/rules:/var/lib/suricata/rules \
suricata-corelight \
/usr/bin/update-ruleset-on-corelight.sh
Then I scheduled cron to run that cron.sh script each day.
Conclusion
This was a fun exercise in using Docker to spin up a container when we needed to perform a particular task. If you have any questions or comments, please drop a comment and thanks for reading!
Andrew, you should check out some of my Ansible Roles to manage your Corelight Sensors. Start with this one: https://github.com/corelight/Corelight-Ansible-Roles
I'm also working on a bundle that uses Docker and includes Ansible AWX, GitLab, Suricata-update (with Suricata), Zeek Package Manager, Corelight-client, etc. It's still a work in progress to modify the Corelight-Ansible-Roles to target Docker containers. https://github.com/corelight/ansible-awx-docker-bundle
I’ll be publishing some Docker-compose and Dockerfiles for the Corelight Software Sensor soon.