
Ubuntu 24.04 containers for Suricata (4.x and newer) and Snort (2.9.16.x and newer) #234

Merged
merged 3 commits into from
Nov 27, 2024

Conversation

da667
Contributor

@da667 da667 commented Nov 25, 2024

Greetings!

This PR is to address #199

Here is a summary of changes:

Dockerfile_suricata:

  • FROM ubuntu:24.04 in order to use Ubuntu 24.04 as the base container image
  • Replaced the python3.8 package with python3, python3-dev, and python3-pip to mirror the packages pulled for the zeek container
  • Final CMD that launches dalton-agent.py uses python3 instead of python3.8 to run the agent.
  • Tested and Confirmed to work for Suricata versions 4.1.0 and above successfully

Dockerfile_snort:

  • FROM ubuntu:24.04 in order to use Ubuntu 24.04 as the base container image
  • Replaced the python3.8 package with python3, python3-dev, and python3-pip to mirror the packages pulled for the zeek container
  • Additional new packages acquired via apt-get: libtool libtirpc-dev
  • Added autoreconf -f -i to the ./configure && make && make install command chain to avoid a failure to compile the DAQ libraries
  • Appended CFLAGS="-I/usr/include/tirpc" to Snort's ./configure command. This was necessary because by default Snort tries to look for the RPC headers in /usr/include/rpc. This is no longer correct, so we have to point to the new location of the RPC headers (/usr/include/tirpc) for Snort to compile successfully.
  • Final CMD that launches dalton-agent.py uses python3 instead of python3.8 to run the agent.
  • Tested and confirmed to work for Snort versions 2.9.16.x and above successfully

- Changed FROM to ubuntu:24.04
- Installed new packages python3, python3-dev, python3-pip, libtool and libtirpc-dev
- DAQ libraries have the command "autoreconf -f -i" added to the chain of commands used to compile and install the DAQ libraries in order to address a possible compilation failure
- Snort has CFLAGS="-I/usr/include/tirpc" appended to the ./configure command in order to help snort locate RPC libraries it needs during compilation
- Final CMD statement at the end of the dockerfile changed from "python3.8" to "python3"

- FROM line changed to ubuntu:24.04
- Installing new packages python3, python3-dev and python3-pip
- Final CMD statement changed from "python3.8" to "python3"
@rkoumis
Collaborator

rkoumis commented Nov 27, 2024

Looks good

- Moved the hadolint ignore=DL3008 line to directly above the RUN apt-get statement in order to resolve docker-lint failure
@rkoumis rkoumis merged commit cd848e4 into secureworks:master Nov 27, 2024
3 checks passed