Merge pull request #8 from yunzheng/pcap-over-ip-support

Add PCAP_OVER_IP support
ANSSI-FR · Oct 21, 2024 · 7d41923 · 7d41923
2 parents cd77e7b + ffd6c6b
commit 7d41923
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -20,9 +20,19 @@ services:
     #  - NET_ADMIN
     #network_mode: "host"
 
+    # Option C: pcap-over-ip (fast and easy, for live analysis)
+    # Connects to a pcap-over-ip server, such as pcap-broker to read PCAP data
+    #command: -r /dev/stdin
+    #restart: always
+    #depends_on:
+    #  - pcap-broker
+    #environment:
+    #  - PCAP_OVER_IP=pcap-broker:4242
+
   webapp:
     build: ./webapp
     image: anssi/shovel-webapp:dev
+    restart: always
     volumes:
       # You may remove the next line to prevent users from downloading pcaps.
       - "./input_pcaps:/input_pcaps:ro"
@@ -35,3 +45,22 @@ services:
       - 127.0.0.1:8000:8000
     env_file:
       - .env
+
+  #pcap-broker:
+  #  container_name: pcap-broker
+  #  build:
+  #    context: .
+  #    dockerfile_inline: |
+  #      FROM golang:alpine
+  #      RUN apk add --no-cache build-base libpcap-dev openssh-client tcpdump
+  #      RUN go install github.com/fox-it/pcap-broker@latest
+  #      ENTRYPOINT ["pcap-broker"]
+  #  restart: always
+  #  volumes:
+  #    - "~/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro"
+  #  environment:
+  #    PCAP_COMMAND: |-
+  #        ssh root@vulnbox -oStrictHostKeyChecking=no
+  #        tcpdump -U --immediate-mode -ni wg-faustctf -s 65535 -w -
+  #        not port 22
+  #    LISTEN_ADDRESS: 0.0.0.0:4242
diff --git a/suricata/entrypoint.sh b/suricata/entrypoint.sh
@@ -2,9 +2,19 @@
 # Copyright (C) 2024  ANSSI
 # SPDX-License-Identifier: CC0-1.0
 
+# pipefail: exit Suricata if pcap-over-ip connection ends
+set -euo pipefail
+
+SURICATA_CMD="suricata"
+if [ -n "$PCAP_OVER_IP" ]; then
+    PCAP_OVER_IP=$(echo "$PCAP_OVER_IP" | tr ":" " ")
+    SURICATA_CMD="nc -d $PCAP_OVER_IP | $SURICATA_CMD"
+fi
+
 # Arguments override default Suricata configuration,
 # see https://github.com/OISF/suricata/blob/suricata-7.0.5/suricata.yaml.in
-suricata --runmode=single --no-random -k none \
+eval "$SURICATA_CMD" \
+    --runmode=single --no-random -k none \
     -S suricata/rules/suricata.rules \
     -l suricata/output \
     --set plugins.0=suricata/libeve_sqlite_output.so \