Merge pull request #489 from Security-Onion-Solutions/foxtrot

UPGRADE: Strelka 2023.12.01
Security-Onion-Solutions · Dec 4, 2023 · 78e1dd6 · 78e1dd6
2 parents c9419d1 + fce17eb
commit 78e1dd6
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 58 deletions.
diff --git a/so-strelka-backend/Dockerfile b/so-strelka-backend/Dockerfile
@@ -1,55 +1,58 @@
-FROM ghcr.io/security-onion-solutions/ubuntu:23.04
+FROM ghcr.io/security-onion-solutions/ubuntu:22.04
 LABEL maintainer "Security Onion Solutions, LLC"
 
 ARG DEBIAN_FRONTEND=noninteractive
 
+# Test configuration
 ARG CONFIG_TESTS=false
 
-ARG USERNAME=strelka
-ARG USER_UID=1001
-ARG USER_GID=$USER_UID
+ARG YARA_VERSION=4.3.1
+ARG CAPA_VERSION=6.1.0
+ARG EXIFTOOL_VERSION=12.60
 
-ENV PYTHONUNBUFFERED 1
+# Environment variables
 ENV PYTHONDONTWRITEBYTECODE 1
-ENV PIP_BREAK_SYSTEM_PACKAGES 1
+ENV PYTHONFAULTHANDLER 1
+ENV PYTHONUNBUFFERED 1
 
-# Create the user
+# User configuration
+ARG USERNAME=strelka
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
 RUN groupadd --gid $USER_GID $USERNAME \
     && useradd --uid $USER_UID --gid $USER_GID --create-home --shell /bin/bash $USERNAME
 
-ARG YARA_VERSION=4.3.0
-ARG YARA_PYTHON_VERSION=4.3.0
-ARG CAPA_VERSION=5.0.0
-ARG EXIFTOOL_VERSION=12.52
-
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 
 # SO - Pin to release tag, download from GitHub, and prepare container dirs
-ARG STRELKA_RELEASE_VERSION=0.23.09.12
+ARG STRELKA_RELEASE_VERSION=0.23.12.01
 RUN mkdir /strelka && \
     mkdir /etc/strelka && \
     mkdir /tmp/strelka && \
     mkdir /var/log/strelka && \
     apt -y update && \ 
     apt install git -y && \
     git clone -b $STRELKA_RELEASE_VERSION https://github.com/target/strelka /tmp/strelka && \
+    cp -fr /tmp/strelka/pyproject.toml /strelka/ && \
+    cp -fr /tmp/strelka/poetry.lock /strelka/ && \
     cp -fr /tmp/strelka/src/python/* /strelka/ && \
     cp -fr /tmp/strelka/configs/python/backend/* /etc/strelka/ && \
     cp -fr /tmp/strelka/build/python/backend/pin.pref /etc/apt/preferences.d/ && \
-    cp -fr /tmp/strelka/build/python/backend/lunar.list /etc/apt/sources.list.d/ && \
+    cp -fr /tmp/strelka/build/python/backend/mantic.list /etc/apt/sources.list.d/ && \
     rm -fr /tmp/strelka && \
     chown -R ${USER_UID}:${USER_GID} /var/log/strelka/
 
-# Update packages
-RUN apt-get -q update && \
 # Install build packages
+RUN apt-get -q update && \
     apt-get install -q -y --no-install-recommends \
     automake \
     build-essential \
     cmake \
     curl \
     gcc \
     git \
+    dirmngr \
+    gnupg \
     gpg \
     libglu1-mesa \
     libtool \
@@ -59,17 +62,17 @@ RUN apt-get -q update && \
     python3-pip \
     python3-wheel \
     python-is-python3 \
-    pkg-config
-
+    pkg-config \
+    supervisor \
+    ncat
+
 # Install runtime packages
 RUN apt-get -q update && \
     apt-get install -q -y --no-install-recommends \
     7zip \
     antiword \
     binwalk \
     libarchive-dev \
-    # 7z2john.pl
-    libcompress-raw-lzma-perl \
     libfuzzy-dev \
     libjansson-dev \
     libmagic-dev \
@@ -83,14 +86,7 @@ RUN apt-get -q update && \
     unzip \
     upx \
     jq && \
-# Download and compile Archive library, needed for exiftool to work best
-    cd /tmp/ && \
-    curl -OL https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.68.tar.gz && \
-    tar -xzf Archive-Zip-1.68.tar.gz && \
-    cd Archive-Zip-1.68/ && \
-    perl Makefile.PL && \
-    make && \
-    make install && \
+
 # Download and compile exiftool
     cd /tmp/ && \
     curl -OL https://github.com/exiftool/exiftool/archive/refs/tags/$EXIFTOOL_VERSION.tar.gz && \
@@ -103,7 +99,7 @@ RUN apt-get -q update && \
     mkdir -p /etc/capa/rules/ && \
     curl -OL https://github.com/mandiant/capa-rules/archive/refs/tags/v$CAPA_VERSION.zip && \
     unzip v$CAPA_VERSION.zip -d /etc/capa/rules/ && \
-    rm v$CAPA_VERSION.zip && \
+    rm -rf v$CAPA_VERSION.zip && \
     mkdir -p /etc/capa/signatures/ && \
     cd /etc/capa/signatures/ && \
     curl -OL https://github.com/mandiant/capa/raw/master/sigs/1_flare_msvc_rtf_32_64.sig && \
@@ -115,49 +111,66 @@ RUN apt-get -q update && \
     cd /tmp/ && \
     curl -OL https://s3.amazonaws.com/build-artifacts.floss.flare.fireeye.com/travis/linux/dist/floss && \
     chmod +x /tmp/floss && \
+    mv /tmp/floss /bin/floss && \
 # Install YARA
     cd /tmp/ && \
     curl -OL https://github.com/VirusTotal/yara/archive/v$YARA_VERSION.tar.gz && \
     tar -zxvf v$YARA_VERSION.tar.gz && \
     cd yara-$YARA_VERSION/ && \
     ./bootstrap.sh && \
     ./configure --with-crypto --enable-magic --enable-cuckoo && \
-    make && make install && make check && \
+    make -s && make -s install && make -s check && \
 # Install yara-python
     cd /tmp/ && \
-    curl -OL https://github.com/VirusTotal/yara-python/archive/v$YARA_PYTHON_VERSION.tar.gz && \
-    tar -zxvf v$YARA_PYTHON_VERSION.tar.gz && \
-    cd yara-python-$YARA_PYTHON_VERSION/ && \
+    curl -OL https://github.com/VirusTotal/yara-python/archive/v$YARA_VERSION.tar.gz && \
+    tar -zxvf v$YARA_VERSION.tar.gz && \
+    cd yara-python-$YARA_VERSION/ && \
     python3 setup.py build --dynamic-linking && \
     python3 setup.py install
 
 # Install JTR
-RUN apt-get -q update \
-  && apt-get install -q -y --no-install-recommends \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    apt-get update -qq && \
+    apt-get install -qq -y --no-install-recommends \
     ca-certificates \
-    libssl-dev \
     zlib1g-dev \
     yasm \
     libgmp-dev \
+    liblzma-dev \
     libpcap-dev \
     libbz2-dev \
-    libgomp1
+    libgomp1 && \
+    cpan -i Compress::Raw::Lzma
 # The maintainer isn't big on releases or tags so grab an arbitrary, but consistent, commit.
 # Additionally jump through some extra hoops to get the single commit to save some download time.
-RUN mkdir jtr && cd jtr && git init && git remote add origin https://github.com/openwall/john.git && git fetch --depth 1 origin b5c10480f56ff1b5d76c6cbdaf9c817582ee2228 && git reset --hard FETCH_HEAD \
-  && rm -rf /jtr/.git \
-  && cd /jtr/src \
-  && ./configure \
-  && make -s clean \
-  && make -sj4 \
-  && make install \
-  && cp -Tr /jtr/run/ /jtr && rm -rf /jtr/run \
-  && chmod -R 777 /jtr \
-  && chown -R 1001:1001 /jtr
-
-# Install Python packages
-RUN pip3 install --no-cache-dir -r /strelka/requirements.txt && \
-    pip3 install --index-url https://lief-project.github.io/packages --trusted-host lief.quarkslab.com lief
+RUN mkdir jtr && cd jtr && git init && git remote add origin https://github.com/openwall/john.git && \
+    git fetch --depth 1 origin b5c10480f56ff1b5d76c6cbdaf9c817582ee2228 && \
+    git reset --hard FETCH_HEAD && \
+    rm -rf /jtr/.git && \
+    cd /jtr/src && \
+    ./configure && \
+    make -s clean && \
+    make -sj4 && \
+    make install && \
+    cp -Tr /jtr/run/ /jtr && rm -rf /jtr/run && \
+    chmod -R 777 /jtr && \
+    chown -R $USER_UID:$USER_UID /jtr
+
+# Install Poetry globally and copy project files
+RUN python3 -m pip install -U pip setuptools && \
+    python3 -m pip install poetry && \
+    rm -rf /root/.cache/pip
+
+# Set the working directory
+WORKDIR /strelka/
+
+# Use Poetry to install the project dependencies globally
+# This step is after the COPY step because it is more likely to change,
+# and therefore should not be included in earlier layers that can be cached.
+RUN poetry config virtualenvs.create false && \
+    poetry install --no-dev && \
+    rm -rf /root/.cache/pypoetry
 
 # Install Strelka
 RUN cd /strelka/ && \
@@ -195,9 +208,11 @@ RUN echo '[+] Run build checks' && \
 
 USER root
 
-# Remove python build directory
+# Remove build directories and unused files
 RUN cd /strelka/ && \
-    rm -rf /strelka/
+    rm -rf /strelka/ && \
+    rm -rf /root/.cache && \
+    rm -rf /tmp/*
 
 # Remove config directory (will bind mount once built)
 RUN rm -rf /etc/strelka/

diff --git a/so-strelka-backend/lunar.list b/so-strelka-backend/lunar.list
diff --git a/so-strelka-backend/mantic.list b/so-strelka-backend/mantic.list
@@ -0,0 +1,2 @@
+deb [arch=amd64] http://archive.ubuntu.com/ubuntu mantic main restricted universe multiverse
+deb [arch=arm64] http://ports.ubuntu.com/ mantic main restricted universe multiverse
diff --git a/so-strelka-filestream/Dockerfile b/so-strelka-filestream/Dockerfile
@@ -1,6 +1,6 @@
 FROM ghcr.io/security-onion-solutions/golang:alpine AS build
 LABEL maintainer "Security Onion Solutions, LLC"
-ARG STRELKA_RELEASE_VERSION=0.23.07.10
+ARG STRELKA_RELEASE_VERSION=0.23.12.01
 
 RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-filestream@$STRELKA_RELEASE_VERSION
 

diff --git a/so-strelka-frontend/Dockerfile b/so-strelka-frontend/Dockerfile
@@ -1,6 +1,6 @@
 FROM ghcr.io/security-onion-solutions/golang AS build
 LABEL maintainer "Security Onion Solutions, LLC"
-ARG STRELKA_RELEASE_VERSION=0.23.07.10
+ARG STRELKA_RELEASE_VERSION=0.23.12.01
 
 RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-frontend@$STRELKA_RELEASE_VERSION
 

diff --git a/so-strelka-manager/Dockerfile b/so-strelka-manager/Dockerfile
@@ -1,6 +1,6 @@
 FROM ghcr.io/security-onion-solutions/golang AS build
 LABEL maintainer "Security Onion Solutions, LLC"
-ARG STRELKA_RELEASE_VERSION=0.23.07.10
+ARG STRELKA_RELEASE_VERSION=0.23.12.01
 
 RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-manager@$STRELKA_RELEASE_VERSION
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		deb [arch=amd64] http://archive.ubuntu.com/ubuntu mantic main restricted universe multiverse
		deb [arch=arm64] http://ports.ubuntu.com/ mantic main restricted universe multiverse