suricata: move capture mode outside of entrypoint

ANSSI-FR · Jul 22, 2024 · 3f6242d · 3f6242d
1 parent d767d99
commit 3f6242d
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -80,8 +80,7 @@ This is fine, but it might add some delay before observing new flows.
 You may launch Suricata then the web application using the following:
 ```bash
 # Start Suricata
-export $(grep -vE "^(#.*|\s*)$" .env)
-./suricata/entrypoint.sh
+./suricata/entrypoint.sh -r input_pcaps --pcap-file-continuous
 ```
 
 ```bash

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,18 +8,15 @@ services:
       - "./input_pcaps:/input_pcaps:ro"
       - "./suricata/rules:/suricata/rules:ro"
       - "./suricata/output:/suricata/output:rw"
-    environment:
-      # Include the name of the input pcap file in Suricata EVE logs (default: true)
-      PCAP_FILE: "true"
-      # Make Suricata wait for new pcap files (default: true)
-      # You need to disable this to see the last few flows, else Suricata will wait without logging them.
-      PCAP_FILE_CONTINUOUS: "true"
+    # Remove `--pcap-file-continuous` to see the last few flows, else Suricata
+    # will wait for new pcap before logging them.
+    command: -r /input_pcaps --pcap-file-continuous
 
   webapp:
     build: ./webapp
     image: anssi/shovel-webapp:dev
     volumes:
-      # You may remove the next line if `PCAP_FILE=false` in Suricata env
+      # You may remove the next line to prevent users from downloading pcaps.
       - "./input_pcaps:/input_pcaps:ro"
       # Write access is required in SQLite `mode=ro` as readers need to record
       # a mark in the WAL file. If you need to make the volume read-only, then

diff --git a/suricata/Dockerfile b/suricata/Dockerfile
@@ -10,4 +10,4 @@ FROM alpine:3.20
 RUN apk add --no-cache suricata lua5.1-sqlite
 COPY . /suricata
 COPY --from=builder /src/target/release/libeve_sqlite_output.so /suricata/
-CMD ["/suricata/entrypoint.sh"]
+ENTRYPOINT ["/suricata/entrypoint.sh"]
diff --git a/suricata/entrypoint.sh b/suricata/entrypoint.sh
@@ -4,13 +4,7 @@
 
 # Arguments override default Suricata configuration,
 # see https://github.com/OISF/suricata/blob/suricata-7.0.5/suricata.yaml.in
-
-SURICATA_PARAM="--runmode=single --no-random"
-if [ "${PCAP_FILE_CONTINUOUS:=true}" = true ]; then
-    SURICATA_PARAM="${SURICATA_PARAM} --pcap-file-continuous"
-fi
-echo "Starting Suricata with PCAP_FILE=${PCAP_FILE:=true} PCAP_FILE_CONTINUOUS=${PCAP_FILE_CONTINUOUS:=true}"
-suricata -r input_pcaps \
+suricata --runmode=single --no-random \
     -S suricata/rules/suricata.rules \
     -l suricata/output \
     --set plugins.0=suricata/libeve_sqlite_output.so \
@@ -37,4 +31,4 @@ suricata -r input_pcaps \
     --set app-layer.protocols.enip.enabled=yes \
     --set app-layer.protocols.sip.enabled=yes \
     --set stream.reassembly.depth=50mb \
-    ${SURICATA_PARAM}
+    "$@"