We purchased a Corelight AP3000 recently to run Zeek and Suricata and send these logs to our SIEM. This was my first time running Suricata in my environment and I quickly learned that Suricata is only as good as the rules provided to it.
git clone https://github.com/corelight/corelight-client
cd corelight-client
sudo python3 setup.py install
Running it is easy enough, but I would recommend defining a few parameters to make the process smoother. First, you’ll define the device with the -b argument and then store your devices in a corelight-client.rc file in the directory you run corelight-client from in the future:
corelight-client -b x.x.x.x
vim ~/.corelight-client.rc

device=x.x.x.x
user=<username>
password=<password>
Now that you’ve downloaded Suricata rules in the previous section and have installed the corelight-client, you can upload the rules to Corelight:
You can confirm this worked by logging into the Corelight appliance and navigating to Packages > Suricata and confirming the upload date is today:
These earlier steps are great for one-off, on-demand uploads, but I think we can take it up a notch and run them on a scheduled job. And to take it up another notch, let’s run them in a Docker container so we don’t have to dedicate a server or workstation to handle Suricata rules.
This Dockerfile is based on Ubuntu and downloads and installs the latest suricata-update and corelight-client. It is the configuration used in the next step to build an image that has our tools in it, so that we can run everything we need:
FROM ubuntu
LABEL Description="Corelight-Client to access Corelight API" Version="1.0"
# Install pip, suricata-update and corelight-client
Now we’re ready to build the image with Corelight-Client & Suricata-Update installed:
sudo docker build . -t suricata-corelight
Running the Container
Now that the image has been built, we can run it as a one-off. It will run the bash script we created earlier and update the Suricata rules on our Corelight appliance (note you can run it with -it instead of -d to see what happens when it runs, great for troubleshooting):
This is the cool part of this guide: we’re going to set a CRON job to run daily that creates the container, downloads Suricata rules, uploads them to Corelight and then destroys the container. Now that’s efficiency! To achieve this, I pasted all of the below into a Bash script cron.sh:
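One thing worth adding to a scheduled job like this is a sanity check between the download and the upload, so a failed or truncated suricata-update run never replaces a good rule set on the appliance, and unchanged rules are not re-uploaded every day. The helper below is an added example, not the post's own cron.sh; it assumes suricata-update wrote its merged rules to the default path in $RULES and keeps the hash of the last successful upload in a small state file ($STATE, a name chosen here).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: validate the rule file that
# suricata-update produced before handing it to corelight-client, and skip
# the upload when nothing changed since the last successful run.
# Assumed paths: $RULES (suricata-update's default output) and $STATE (a
# state file of our own holding the hash of the last uploaded rule set).
set -u

RULES="${RULES:-/var/lib/suricata/rules/suricata.rules}"
STATE="${STATE:-/var/lib/suricata/last-upload.sha256}"
MIN_RULES="${MIN_RULES:-1000}"   # refuse to push a suspiciously small rule set

# Count active rule lines (comments and blank lines are ignored).
count_rules() {
    grep -cE '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true
}

# Exit status: 0 = upload it, 1 = file missing/empty/too small (keep the
# rules already on the appliance), 2 = identical to the last upload (skip).
should_upload() {
    file="$1"; state="$2"; min="$3"
    [ -s "$file" ] || return 1
    n=$(count_rules "$file")
    [ "${n:-0}" -ge "$min" ] || return 1
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    if [ -f "$state" ] && [ "$(cat "$state")" = "$sum" ]; then
        return 2
    fi
    return 0
}

# Record a successful upload so the next run can skip unchanged rules.
mark_uploaded() {
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# Intended use inside the daily job, after suricata-update has run:
#   if should_upload "$RULES" "$STATE" "$MIN_RULES"; then
#       <corelight-client upload command from the section above> && \
#       mark_uploaded "$RULES" "$STATE"
#   fi
```

Because a too-small or empty file returns 1 rather than 0, a broken download leaves the appliance on yesterday's rules instead of wiping them, which is the failure mode you most want a daily unattended job to avoid.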