From 35328563be39c742ce51be51e9ea157294b69edb Mon Sep 17 00:00:00 2001
From: Yun Zheng Hu
Date: Sun, 20 Oct 2024 11:07:47 +0200
Subject: [PATCH 1/2] Add PCAP_OVER_IP support

- Added "Option C" example and pcap-broker stub to docker-compose.yml
- Handle $PCAP_OVER_IP environment variable in suricata/entrypoint.sh

Closes #7
---
 docker-compose.yml | 29 +++++++++++++++++++++++++++++
 suricata/entrypoint.sh | 11 ++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 5cb1747..0750bb5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,6 +4,7 @@ services:
 suricata:
 build: ./suricata
 image: anssi/shovel-suricata:dev
+ restart: always
 volumes:
 - "./input_pcaps:/input_pcaps:ro"
 - "./suricata/rules:/suricata/rules:ro"
@@ -20,9 +21,18 @@ services: # - NET_ADMIN #network_mode: "host" + # Option C: pcap-over-ip (fast and easy, for live analysis) # Connects to a pcap-over-ip server, such as pcap-broker to read PCAP data #command: -r /dev/stdin #depends_on: # - pcap-broker #environment: # - PCAP_OVER_IP=pcap-broker:4242 + webapp: build: ./webapp image: anssi/shovel-webapp:dev + restart: always volumes: # You may remove the next line to prevent users from downloading pcaps. - "./input_pcaps:/input_pcaps:ro"
@@ -35,3 +45,22 @@ services:
 - 127.0.0.1:8000:8000
 env_file:
 - .env
+
+ # pcap-broker:
+ # container_name: pcap-broker
+ # build:
+ # context: .
+ # dockerfile_inline: |
+ # FROM golang:alpine
+ # RUN apk add --no-cache build-base libpcap-dev openssh-client tcpdump
+ # RUN go install github.com/fox-it/pcap-broker@latest
+ # ENTRYPOINT ["pcap-broker"]
+ # restart: always
+ # volumes:
+ # - "~/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro"
+ # environment:
+ # PCAP_COMMAND: |-
+ # ssh root@vulnbox -oStrictHostKeyChecking=no
+ # tcpdump -U --immediate-mode -ni wg-faustctf -s 65535 -w -
+ # not port 22
+ # LISTEN_ADDRESS: 0.0.0.0:4242
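Review bot: The pcap-broker example in the third hunk disables SSH host-key verification with `-oStrictHostKeyChecking=no`, so a capture feed copied from it accepts any machine presenting itself as vulnbox on the capture path, and the second patch re-emits the same line unchanged. A first-connection-only policy keeps the example zero-config while pinning the key afterwards: `# ssh root@vulnbox -oStrictHostKeyChecking=accept-new`. The stub also bind-mounts the operator's personal `~/.ssh/id_ed25519` readable by root inside the container; a comment recommending a dedicated, capture-only key pair for that mount would be worth adding. The Option C block in the second hunk could likewise note that `depends_on` only orders container start, not broker readiness, which is presumably why `restart: always` accompanies it.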
diff --git a/suricata/entrypoint.sh b/suricata/entrypoint.sh
index c180e26..c404313 100755
--- a/suricata/entrypoint.sh
+++ b/suricata/entrypoint.sh
@@ -2,9 +2,18 @@
 # Copyright (C) 2024 ANSSI
 # SPDX-License-Identifier: CC0-1.0

+set -euo pipefail
+
+SURICATA_CMD="suricata"
+if [ -n "$PCAP_OVER_IP" ]; then
+ PCAP_OVER_IP=$(echo "$PCAP_OVER_IP" | tr ":" " ")
+ SURICATA_CMD="nc -d $PCAP_OVER_IP | $SURICATA_CMD"
+fi
+
 # Arguments override default Suricata configuration,
 # see https://github.com/OISF/suricata/blob/suricata-7.0.5/suricata.yaml.in
-suricata --runmode=single --no-random -k none \
+eval "$SURICATA_CMD" \
+ --runmode=single --no-random -k none \
 -S suricata/rules/suricata.rules \
 -l suricata/output \
 --set plugins.0=suricata/libeve_sqlite_output.so \

From ffd6c6b2eaab72b0a8caf33a194bc5b245189442 Mon Sep 17 00:00:00 2001
From: Yun Zheng Hu
Date: Mon, 21 Oct 2024 15:12:22 +0200
Subject: [PATCH 2/2] Apply suggestions from code review

---
 docker-compose.yml | 38 +++++++++++++++++++-------------------
 suricata/entrypoint.sh | 1 +
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 0750bb5..7d6fce0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,6 @@ services:
 suricata:
 build: ./suricata
 image: anssi/shovel-suricata:dev
- restart: always
 volumes:
 - "./input_pcaps:/input_pcaps:ro"
 - "./suricata/rules:/suricata/rules:ro"
@@ -24,6 +23,7 @@ services:
 # Option C: pcap-over-ip (fast and easy, for live analysis)
 # Connects to a pcap-over-ip server, such as pcap-broker to read PCAP data
 #command: -r /dev/stdin
+ #restart: always
 #depends_on:
 # - pcap-broker
 #environment:
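Review bot: `set -euo pipefail` is enabled three lines before `if [ -n "$PCAP_OVER_IP" ]`, so in the default configuration, where Option C stays commented out and `PCAP_OVER_IP` is never exported, `-u` aborts the entrypoint with an unbound-variable error before Suricata starts (unless the image's Dockerfile defines a default, which is not visible here); the test should read `if [ -n "${PCAP_OVER_IP:-}" ]; then`. The same value is then spliced verbatim into `SURICATA_CMD` and handed to `eval`, so any character the shell treats specially becomes part of the command line rather than part of the host name; the value comes from the operator's compose file, so this is as much about failing loudly on a typo as about injection, but accepting only a plain `host:port` before the string reaches `eval` costs little. The `tr ":" " "` split also cannot express an IPv6 literal, which the guard below makes explicit instead of silently mangling. The `eval` line and the remaining Suricata arguments continue past the end of the hunk.

```shell
SURICATA_CMD="suricata"
# ${VAR:-} keeps `set -u` from aborting when Option C is not in use.
if [ -n "${PCAP_OVER_IP:-}" ]; then
  # The value is spliced into a command line that eval runs, so accept only a
  # plain host:port (digits-only port, single colon, no shell metacharacters).
  case "$PCAP_OVER_IP" in
    *[!A-Za-z0-9._:-]*|*:*:*|*:*[!0-9]*)
      echo "PCAP_OVER_IP must be host:port" >&2; exit 1 ;;
    ?*:[0-9]*) ;;
    *)
      echo "PCAP_OVER_IP must be host:port" >&2; exit 1 ;;
  esac
  SURICATA_CMD="nc -d ${PCAP_OVER_IP%:*} ${PCAP_OVER_IP#*:} | $SURICATA_CMD"
fi
# … unchanged: eval "$SURICATA_CMD" and the Suricata arguments …
```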
@@ -46,21 +46,21 @@ services:
 env_file:
 - .env

- # pcap-broker:
- # container_name: pcap-broker
- # build:
- # context: .
- # dockerfile_inline: |
- # FROM golang:alpine
- # RUN apk add --no-cache build-base libpcap-dev openssh-client tcpdump
- # RUN go install github.com/fox-it/pcap-broker@latest
- # ENTRYPOINT ["pcap-broker"]
- # restart: always
- # volumes:
- # - "~/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro"
- # environment:
- # PCAP_COMMAND: |-
- # ssh root@vulnbox -oStrictHostKeyChecking=no
- # tcpdump -U --immediate-mode -ni wg-faustctf -s 65535 -w -
- # not port 22
- # LISTEN_ADDRESS: 0.0.0.0:4242
+ #pcap-broker:
+ # container_name: pcap-broker
+ # build:
+ # context: .
+ # dockerfile_inline: |
+ # FROM golang:alpine
+ # RUN apk add --no-cache build-base libpcap-dev openssh-client tcpdump
+ # RUN go install github.com/fox-it/pcap-broker@latest
+ # ENTRYPOINT ["pcap-broker"]
+ # restart: always
+ # volumes:
+ # - "~/.ssh/id_ed25519:/root/.ssh/id_ed25519:ro"
+ # environment:
+ # PCAP_COMMAND: |-
+ # ssh root@vulnbox -oStrictHostKeyChecking=no
+ # tcpdump -U --immediate-mode -ni wg-faustctf -s 65535 -w -
+ # not port 22
+ # LISTEN_ADDRESS: 0.0.0.0:4242
diff --git a/suricata/entrypoint.sh b/suricata/entrypoint.sh
index c404313..8a84e98 100755
--- a/suricata/entrypoint.sh
+++ b/suricata/entrypoint.sh
@@ -2,6 +2,7 @@
 # Copyright (C) 2024 ANSSI
 # SPDX-License-Identifier: CC0-1.0

+# pipefail: exit Suricata if pcap-over-ip connection ends
 set -euo pipefail

 SURICATA_CMD="suricata"
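Review bot: The comment added above `set -euo pipefail` attributes Suricata's exit to `pipefail`, but `pipefail` only changes the exit status of the `nc | suricata` pipeline this script builds; Suricata itself presumably stops because it reaches end-of-file on `/dev/stdin` when nc closes, with or without the option. What `pipefail` adds is that a failing nc (connection refused or lost) makes the pipeline, and under `set -e` the script, exit non-zero instead of being masked by Suricata's own status. Suggested wording: `# pipefail: a failed nc (pcap-over-ip connection refused or lost) makes the nc|suricata pipeline, and so this script, exit non-zero`. The pipeline is assembled further down, outside this hunk.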