From 4f04e78fc61118292f6b8c167dade101fd9dc4cc Mon Sep 17 00:00:00 2001
From: da_667
Date: Mon, 25 Nov 2024 13:33:05 -0500
Subject: [PATCH 1/3] Update Dockerfile_snort

-Changed FROM to ubuntu:24.04 -Installed new packages python3, python3-dev, python3-pip, libtool and libtirpc-dev -DAQ libraries have the command "autoreconf -f -i" added to the chain of commands used to compile and install the DAQ libraries in order to address a possible compilation failure -Snort has CFLAGS="-I/usr/include/tirpc" appended to the ./configure command in order to help snort locate RPC libraries it needs during compilation -final CMD statement at the end of the dockerfile changed from "python3.8" to "python3"
---
 dalton-agent/Dockerfiles/Dockerfile_snort | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/dalton-agent/Dockerfiles/Dockerfile_snort b/dalton-agent/Dockerfiles/Dockerfile_snort
index 52e8d5d..1545511 100644
--- a/dalton-agent/Dockerfiles/Dockerfile_snort
+++ b/dalton-agent/Dockerfiles/Dockerfile_snort
@@ -1,26 +1,25 @@
 # Builds Snort 2.9.x.x Dalton agent using Snort source
-# Works for Snort 2.9.1.1 and later; previous versions are more
-# nuanced with libraries and compile dependencies so if you need
-# a previous version, just build your own.
-
+# Works for Snort 2.9.16.x and later
 # hadolint global ignore=DL3003,SC2046
-FROM ubuntu:18.04
+FROM ubuntu:24.04
 ARG SNORT_VERSION
 ARG DAQ_VERSION
 # tcpdump is for pcap analysis; not *required* for
 # the agent but nice to have....
+# changed python3.8 to python3 python3-dev python3-pip
+# other additional packages: libtool libtirpc-dev
 # hadolint ignore=DL3008
 RUN apt-get update -y && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
- python3.8 \
+ python3 python3-dev python3-pip \
 tcpdump \
- automake autoconf \
+ automake libtool autoconf \
 build-essential make flex bison \
 libpcap-dev libpcre3-dev \
- libcap-ng-dev libdumbnet-dev \
+ libcap-ng-dev libdumbnet-dev libtirpc-dev \
 zlib1g-dev liblzma-dev openssl libssl-dev \
 libnghttp2-dev libluajit-5.1-dev && \
 ldconfig && \
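Review bot: `FROM ubuntu:24.04` on the new side pins only a tag, so the base this IDS-engine image is compiled against can change underneath the build with no change in the repository; pinning by digest, `FROM ubuntu:24.04@sha256:<digest of the tested 24.04 image>`, keeps the build reproducible and turns base-image drift into a reviewable diff. The same two points below apply to the `FROM` and package-list hunks of Dockerfile_suricata in patches 2/3 and 3/3. The new `python3 python3-dev python3-pip` entry also deserves a comment: on Ubuntu 24.04 the distribution interpreter is PEP 668 externally-managed, so any later `pip install` into it fails unless a venv is used or `--break-system-packages` is passed, which was not the case on 18.04; whether this file runs pip later is not visible in this hunk. A one-line note above the package list, such as `# 24.04 system python is PEP 668 externally-managed; pip installs need a venv or --break-system-packages`, would save the next maintainer that surprise.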
@@ -34,12 +33,14 @@ RUN apt-get update -y && \
 RUN mkdir -p /src/snort-${SNORT_VERSION} && mkdir -p /etc/snort
 WORKDIR /src
 # DAQ. Apparently DAQ will sometime fail building with multiple make jobs.
+# Discovered that autoreconf is necessary to avoid failures compiling DAQ on 24.04
 ADD https://www.snort.org/downloads/archive/snort/daq-${DAQ_VERSION}.tar.gz daq-${DAQ_VERSION}.tar.gz
-RUN tar -zxf daq-${DAQ_VERSION}.tar.gz && cd daq-${DAQ_VERSION} && ./configure && make && make install
+RUN tar -zxf daq-${DAQ_VERSION}.tar.gz && cd daq-${DAQ_VERSION} && autoreconf -f -i && ./configure && make && make install
 # Snort
+# Necessary to add CFLAGS="-I/usr/include/tirpc" to point snort to the correctly location for the RPC headers it needs
 ADD https://www.snort.org/downloads/archive/snort/snort-${SNORT_VERSION}.tar.gz snort-${SNORT_VERSION}.tar.gz
 RUN tar -zxf snort-${SNORT_VERSION}.tar.gz -C snort-${SNORT_VERSION} --strip-components=1 && \
- cd /src/snort-${SNORT_VERSION} && ./configure --enable-sourcefire --enable-debug --enable-buffer-dump && make -j $(nproc) && make install && \
+ cd /src/snort-${SNORT_VERSION} && ./configure --enable-sourcefire --enable-debug --enable-buffer-dump CFLAGS="-I/usr/include/tirpc" && make -j $(nproc) && make install && \
 mkdir /usr/local/lib/snort_dynamicrules && ldconfig
 RUN cp -t /etc/snort/ /src/snort-${SNORT_VERSION}/etc/classification.config /src/snort-${SNORT_VERSION}/etc/file_magic.conf \
@@ -51,4 +52,4 @@ WORKDIR /opt/dalton-agent
 COPY dalton-agent.py /opt/dalton-agent/dalton-agent.py
 COPY dalton-agent.conf /opt/dalton-agent/dalton-agent.conf
-CMD ["python3.8", "/opt/dalton-agent/dalton-agent.py", "-c", "/opt/dalton-agent/dalton-agent.conf"]
+CMD ["python3", "/opt/dalton-agent/dalton-agent.py", "-c", "/opt/dalton-agent/dalton-agent.conf"]

From d8a34b35542828e106e69e6baa4afe3febec54d3 Mon Sep 17 00:00:00 2001
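Review bot: The new `autoreconf -f -i && ./configure && make && make install` chain, and the `./configure ... CFLAGS="-I/usr/include/tirpc"` chain two lines below it, run autotools-generated build scripts taken from archives that the unchanged `ADD https://www.snort.org/...` lines fetch with no integrity check, so nothing in this layer ties what gets compiled into the agent to a known release of DAQ or Snort. Since `DAQ_VERSION` and `SNORT_VERSION` are already build args, the expected digests can travel with them: `ARG DAQ_SHA256` / `ARG SNORT_SHA256` and `ADD --checksum=sha256:${DAQ_SHA256} https://... daq-${DAQ_VERSION}.tar.gz`, or, if the frontend in use does not expand variables in that flag, a `sha256sum -c` step immediately before each `tar -zxf`. The added comment says `to the correctly location`; `to the correct location` is what is meant. The `RUN cp -t /etc/snort/ ...` instruction on the hunk's last line continues past the hunk.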
From: da_667
Date: Mon, 25 Nov 2024 13:44:04 -0500
Subject: [PATCH 2/3] Update Dockerfile_suricata

- From line changed to ubuntu:24.04 - installing new packages python3 python3-dev and python3-pip - Final CMD statement changed from "python3.8" to "python3"
---
 dalton-agent/Dockerfiles/Dockerfile_suricata | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/dalton-agent/Dockerfiles/Dockerfile_suricata b/dalton-agent/Dockerfiles/Dockerfile_suricata
index 1c7c878..aa30ae6 100644
--- a/dalton-agent/Dockerfiles/Dockerfile_suricata
+++ b/dalton-agent/Dockerfiles/Dockerfile_suricata
@@ -1,5 +1,5 @@
 # Builds Suricata Dalton agent using Suricata source tarball
-FROM ubuntu:18.04
+FROM ubuntu:24.04
 ARG SURI_VERSION
 ARG ENABLE_RUST
@@ -7,9 +7,10 @@ ARG ENABLE_RUST
 # tcpdump is for pcap analysis; not *required* for
 # the agent but nice to have....
 # hadolint ignore=DL3008
+# changing the python3.8 package to python3 python3-dev and python3-pip
 RUN apt-get update -y && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
- python3.8 \
+ python3 python3-dev python3-pip \
 tcpdump \
 libpcre3 libpcre3-dbg libpcre3-dev libnss3-dev \
 build-essential autoconf automake libtool libpcap-dev libnet1-dev \
@@ -52,4 +53,4 @@ COPY tls.lua /opt/dalton-agent/tls.lua
 RUN sed -i 's/REPLACE_AT_DOCKER_BUILD-VERSION/'"${SURI_VERSION}"'/' /opt/dalton-agent/dalton-agent.conf
-CMD ["python3.8", "/opt/dalton-agent/dalton-agent.py", "-c", "/opt/dalton-agent/dalton-agent.conf"]
+CMD ["python3", "/opt/dalton-agent/dalton-agent.py", "-c", "/opt/dalton-agent/dalton-agent.conf"]

From 7541351bb5b04c12f07666e2a262649c5ed5791c Mon Sep 17 00:00:00 2001
From: da_667
Date: Wed, 27 Nov 2024 12:15:33 -0500
Subject: [PATCH 3/3] Update Dockerfile_suricata

- Moved the hadolint ignore=DL3008 line to directly above the RUN apt-get statement in order to resolve docker-lint failure
---
 dalton-agent/Dockerfiles/Dockerfile_suricata | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dalton-agent/Dockerfiles/Dockerfile_suricata b/dalton-agent/Dockerfiles/Dockerfile_suricata
index aa30ae6..cbb19d3 100644
--- a/dalton-agent/Dockerfiles/Dockerfile_suricata
+++ b/dalton-agent/Dockerfiles/Dockerfile_suricata
@@ -6,8 +6,8 @@ ARG ENABLE_RUST
 # tcpdump is for pcap analysis; not *required* for
 # the agent but nice to have....
-# hadolint ignore=DL3008
 # changing the python3.8 package to python3 python3-dev and python3-pip
+# hadolint ignore=DL3008
 RUN apt-get update -y && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 python3 python3-dev python3-pip \