Suricata Rule Updates on Corelight

We purchased a Corelight AP3000 recently to run Zeek and Suricata and send these logs to our SIEM. This was my first time running Suricata in my environment and I quickly learned that Suricata is only as good as the rules provided to it.

Downloading Suricata Rules

To download rules for Suricata, I used the Emerging Threats Open ruleset that’s built into the suricata-update tool. You can read more about the tool here: https://suricata-update.readthedocs.io/en/latest/quickstart.html#install-suricata-update. The installation is straightforward:

pip install --upgrade suricata-update

And so is running it to download the latest rules:

suricata-update --suricata-version 5.0

We’re running Suricata version 5 on our Corelight, so I gave it that parameter to ensure the rules would be compatible.

Uploading to Corelight

Uploading the rules to Corelight is easy as well using the corelight-client. You can download it from their GitHub repository: https://github.com/corelight/corelight-client.

The installation is straightforward:

git clone https://github.com/corelight/corelight-client
cd corelight-client
sudo python3 setup.py install

Running it is easy enough, but I would recommend defining a few parameters to make the process smoother. First, you'll define the device with the -b argument, and then store your device settings in a corelight-client.rc file so you don't have to pass them on future runs (the listing below keeps it at ~/.corelight-client.rc):

corelight-client -b x.x.x.x

vim ~/.corelight-client.rc
device=x.x.x.x
user=<username>
password=<password>

Now that you’ve downloaded Suricata rules in the previous section and have installed the corelight-client, you can upload the rules to Corelight:

corelight-client suricata ruleset upload --file=/var/lib/suricata/rules/suricata.rules --filename=suricata.rules

You can confirm this worked by logging into the Corelight appliance, navigating to Packages > Suricata, and confirming the upload date is today.

Using Docker

These earlier steps are great for one-off, on-demand uploads, but I think we can take it up a notch and run them on a scheduled job. And to take it up another notch, let’s run them in a Docker container so we don’t have to dedicate a server or workstation to handle Suricata rules.

The Dockerfile

This Dockerfile is based on Ubuntu and downloads and installs the latest suricata-update and corelight-client. We'll use it in a later step to build an image that has all the tools we need:

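FROM ubuntu
LABEL Description="Corelight-Client to access Corelight API" Version="1.0"

# Install pip, suricata-update and corelight-client
RUN apt update -y && apt install -y python3 python3-pip curl git
RUN pip3 install setuptools
# --trusted-host tells pip to accept these hosts without a valid HTTPS certificate;
# drop the flags unless a TLS-inspecting proxy forces them
RUN pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org corelight-client
RUN pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org --upgrade suricata-update

# copy corelight config to home directory
# the contents of this .rc file will need to be different if connecting to multiple Corelights
# (this bakes the appliance password into an image layer, so keep the image private)
COPY ./config/corelight-client.rc /root/.corelight-client.rc

# copy the update script described in the next section
# (assumes update-ruleset-on-corelight.sh sits next to this Dockerfile)
COPY ./update-ruleset-on-corelight.sh /usr/bin/update-ruleset-on-corelight.sh
RUN chmod +x /usr/bin/update-ruleset-on-corelight.sh

# create suricata directories
RUN mkdir /etc/suricata/ \
&& mkdir /var/lib/suricata \
&& mkdir /var/lib/suricata/rules \
&& mkdir /var/lib/suricata/update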

Script to Update Rules

To make things easy in our container, we’ll run a bash script to actually download and update the rules. This script will be update-ruleset-on-corelight.sh:

#!/bin/bash
set -e  # stop before the upload if suricata-update fails
suricata-update --suricata-version 5.0
corelight-client suricata ruleset upload --file=/var/lib/suricata/rules/suricata.rules --filename=suricata.rules
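
An added example, not part of the original post: the script above does not look at suricata.rules before uploading it, so on an unattended daily run an empty or truncated file would replace the working ruleset on the appliance. The functions below check the file first and only then run the same upload command; the function names are hypothetical and MIN_RULES is an assumed threshold.

```shell
#!/bin/sh
# Added example: sanity checks on suricata.rules before it replaces the
# ruleset on the appliance. MIN_RULES is an assumed threshold; set it a bit
# below the enabled-rule count you normally see.
MIN_RULES=${MIN_RULES:-1000}

# Print the number of enabled (uncommented) rules in file $1.
count_rules() {
    grep -cE '^(alert|drop|reject|pass)[[:space:]]' "$1" || true
}

# Print the number of enabled rules that do not end in ")", which is what a
# truncated write leaves behind. Assumes one rule per line, as in the merged
# file suricata-update writes.
count_truncated() {
    grep -E '^(alert|drop|reject|pass)[[:space:]]' "$1" \
        | grep -cvE '\)[[:space:]]*$' || true
}

# Return 0 when file $1 looks safe to upload; 1, 2 or 3 names the failed check.
ruleset_ok() {
    [ -s "$1" ] || { echo "ruleset missing or empty: $1" >&2; return 1; }
    n=$(count_rules "$1")
    [ "$n" -ge "$MIN_RULES" ] || { echo "only $n enabled rules in $1" >&2; return 2; }
    bad=$(count_truncated "$1")
    [ "$bad" -eq 0 ] || { echo "$bad rules look truncated in $1" >&2; return 3; }
    return 0
}

# Upload only if the checks pass (same upload command as in the post).
upload_if_ok() {
    ruleset_ok "$1" || return $?
    corelight-client suricata ruleset upload --file="$1" --filename=suricata.rules
}
```

In update-ruleset-on-corelight.sh, calling upload_if_ok /var/lib/suricata/rules/suricata.rules in place of the direct upload line makes a failed check exit non-zero, which the container's exit status then reflects.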

Building the Image

Now we’re ready to build the image with Corelight-Client & Suricata-Update installed:

sudo docker build . -t suricata-corelight

Running the Container

Now that the image has been built, we can run it as a one-off. It will run the bash script we created earlier and update the Suricata rules on our Corelight appliance (note you can run it with -it instead of -d to see what happens when it runs, great for troubleshooting):

sudo docker run -d --rm \
-v /home/infosec/docker/suricata/config/suricata:/etc/suricata \
-v /home/infosec/docker/suricata/config/suricata/rules:/var/lib/suricata/rules \
suricata-corelight \
/usr/bin/update-ruleset-on-corelight.sh

Scheduling the Container

This is the cool part of this guide: we're going to set a cron job to run daily that creates the container, downloads Suricata rules, uploads them to Corelight and then destroys the container. Now that's efficiency! To achieve this, I pasted all of the below into a Bash script cron.sh:

docker run -d --rm \
-v /home/infosec/docker/suricata/config/suricata:/etc/suricata \
-v /home/infosec/docker/suricata/config/suricata/rules:/var/lib/suricata/rules \
suricata-corelight \
/usr/bin/update-ruleset-on-corelight.sh

Then I scheduled cron to run that cron.sh script each day.

Conclusion

This was a fun exercise in using Docker to spin up a container when we needed to perform a particular task. If you have any questions or comments, please drop a comment and thanks for reading!
