2.4.200

so-strelka-backend/Dockerfile

@@ -7,7 +7,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG CONFIG_TESTS=false
 
 ARG YARA_VERSION=4.3.1
-ARG CAPA_VERSION=6.1.0
+ARG CAPA_VERSION=9.2.1
 ARG EXIFTOOL_VERSION=12.60
 
 # Environment variables
@@ -19,14 +19,11 @@ ENV PYTHONUNBUFFERED 1
 ARG USERNAME=strelka
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
-
-# SO - Pin to release tag, download from GitHub, and prepare container dirs
-ARG STRELKA_RELEASE_VERSION=0.24.01.18
-
 RUN groupadd --gid $USER_GID $USERNAME \
     && useradd --uid $USER_UID --gid $USER_GID --create-home --shell /bin/bash $USERNAME
 
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+# SO - Pin to release tag, download from GitHub, and prepare container dirs
+ARG STRELKA_RELEASE_VERSION=1.0.1
 
 RUN mkdir /strelka && \
     mkdir /etc/strelka && \
@@ -40,28 +37,67 @@ RUN mkdir /strelka && \
     cp -fr /tmp/strelka/poetry.lock /strelka/ && \
     cp -fr /tmp/strelka/src/python/* /strelka/ && \
     cp -fr /tmp/strelka/configs/python/backend/* /etc/strelka/ && \
-    cp -fr /tmp/strelka/build/python/backend/pin.pref /etc/apt/preferences.d/ && \
-    # cp -fr /tmp/strelka/build/python/backend/mantic.list /etc/apt/sources.list.d/ && \
     rm -fr /tmp/strelka && \
-    chown -R ${USER_UID}:${USER_GID} /var/log/strelka/
-
-ADD mantic.list /etc/apt/sources.list.d/mantic.list
+    chown -R ${USER_UID}:${USER_GID} /var/log/strelka/ && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
 
 # Install build packages
 RUN apt-get -q update && \
     apt-get install -q -y --no-install-recommends \
-    automake build-essential cmake curl gcc git dirmngr gnupg gpg libglu1-mesa libtool make swig python3-dev python3-pip python3-wheel python-is-python3 pkg-config supervisor ncat && \
+    automake \
+    build-essential \
+    cmake \
+    curl \
+    gcc \
+    git \
+    dirmngr \
+    gnupg \
+    gpg \
+    libglu1-mesa \
+    libtool \
+    make \
+    swig \
+    python3-dev \
+    python3-pip \
+    python3-wheel \
+    python-is-python3 \
+    pkg-config \
+    supervisor \
+    ncat && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
+
 # Install runtime packages
-    apt-get install -q -y --no-install-recommends \
-    7zip antiword binwalk libarchive-dev libfuzzy-dev libjansson-dev libmagic-dev libssl-dev libzbar0 libgl1 python3-setuptools redis-server tesseract-ocr unrar unzip upx jq && \
+RUN apt-get -q update && apt-get install -q -y --no-install-recommends \
+    antiword \
+    binwalk \
+    libarchive-dev \
+    libfuzzy-dev \
+    libjansson-dev \
+    libmagic-dev \
+    libssl-dev \
+    libzbar0 \
+    libgl1 \
+    python3-setuptools \
+    redis-server \
+    tesseract-ocr \
+    unrar \
+    unzip \
+    upx \
+    jq && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
 # Download and compile exiftool
-    cd /tmp/ && \
+RUN cd /tmp/ && \
     curl -OL https://github.com/exiftool/exiftool/archive/refs/tags/$EXIFTOOL_VERSION.tar.gz && \
     tar -zxvf $EXIFTOOL_VERSION.tar.gz && \
     cd exiftool-$EXIFTOOL_VERSION/ && \
     perl Makefile.PL && \
-    make && \
-    make install && \
+    make -s -j && \
+    make -s install && \
+# Download and move binary for 7z 24.09
+    cd /tmp/ && \
+    curl -OL https://7-zip.org/a/7z2409-linux-x64.tar.xz && \
+    tar -xf 7z2409-linux-x64.tar.xz &&\
+    cp 7zz /usr/local/bin && \
 # Install FireEye CAPA rules and signatures
     mkdir -p /etc/capa/rules/ && \
     curl -OL https://github.com/mandiant/capa-rules/archive/refs/tags/v$CAPA_VERSION.zip && \
@@ -86,7 +122,7 @@ RUN apt-get -q update && \
     cd yara-$YARA_VERSION/ && \
     ./bootstrap.sh && \
     ./configure --with-crypto --enable-magic --enable-cuckoo && \
-    make -s && make -s install && make -s check && \
+    make -s -j && make -s install && make -s check && \
 # Install yara-python
     cd /tmp/ && \
     curl -OL https://github.com/VirusTotal/yara-python/archive/v$YARA_VERSION.tar.gz && \
@@ -96,11 +132,16 @@ RUN apt-get -q update && \
     python3 setup.py install
 
 # Install JTR
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    apt-get update -qq && \
+RUN apt-get update -qq && \
     apt-get install -qq -y --no-install-recommends \
-    ca-certificates zlib1g-dev yasm libgmp-dev liblzma-dev libpcap-dev libbz2-dev libgomp1 && \
+    ca-certificates \
+    zlib1g-dev \
+    yasm \
+    libgmp-dev \
+    liblzma-dev \
+    libpcap-dev \
+    libbz2-dev \
+    libgomp1 && \
     cpan -i Compress::Raw::Lzma && \
 # The maintainer isn't big on releases or tags so grab an arbitrary, but consistent, commit.
 # Additionally jump through some extra hoops to get the single commit to save some download time.
@@ -111,17 +152,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     cd /jtr/src && \
     ./configure && \
     make -s clean && \
-    make -sj4 && \
+    make -sj && \
     make install && \
     cp -Tr /jtr/run/ /jtr && rm -rf /jtr/run && \
     chmod -R 777 /jtr && \
     chown -R $USER_UID:$USER_UID /jtr && \
-
 # Install Poetry globally and copy project files
     python3 -m pip install -U pip setuptools && \
-#   Install specific version of poetry, in >= 2.0.0 --no-dev is removed and causes build errors in strelka <= 0.24.01.18
-    python3 -m pip install poetry==1.8.5 && \
-    rm -rf /root/.cache/pip
+    python3 -m pip install poetry && \
+    rm -rf /root/.cache/pip && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
 
 # Set the working directory
 WORKDIR /strelka/
@@ -130,7 +170,7 @@ WORKDIR /strelka/
 # This step is after the COPY step because it is more likely to change,
 # and therefore should not be included in earlier layers that can be cached.
 RUN poetry config virtualenvs.create false && \
-    poetry install --no-dev && \
+    poetry install --only main && \
     rm -rf /root/.cache/pypoetry && \
 # Install Strelka
     cd /strelka/ && \
@@ -139,20 +179,36 @@ RUN poetry config virtualenvs.create false && \
 # Remove build packages
     python3 setup.py -q clean --all && \
     rm -rf dist/ strelka.egg-info && \
-    pip3 uninstall -y grpcio-tools && \
-    apt-get remove -y --purge \
-    automake build-essential cmake curl gcc git gpg libtool make python3-dev python3-pip python3-wheel && \
+    apt-get -q update && \
+    apt-get purge -y \
+    automake \
+    build-essential \
+    cmake \
+    curl \
+    gcc \
+    git \
+    gpg \
+    libtool \
+    make \
+    python3-dev \
+    python3-pip \
+    python3-wheel && \
     apt-get clean -qq && \
-    rm -rf /var/lib/apt/lists/* /tmp/yara*
+    rm -rf /var/lib/apt/lists/* /tmp/yara* && \
+# Assign permissions to Strelka scan result logging directory
+    chgrp -R 0 /var/log/strelka/ && \
+    chmod -R g=u /var/log/strelka/ && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
 
 # Run tests as non-root user
 USER $USERNAME
 
 # Run build checks
+ARG SCANNER_TEST=""
 RUN echo '[+] Run build checks' && \
     cd /strelka/strelka/ && \
-    python3 -m pytest -p no:cacheprovider -s tests/ --ignore-glob='*pcap*.py' --ignore-glob='*test_scan_transcode.py' --ignore-glob='*test_scan_nf.py' && \
-    if $CONFIG_TESTS; then python3 -m pytest -s tests_configuration/; fi && \
+    if $SCANNER_TESTS; then python3 -m pytest -p no:cacheprovider -s --ignore=tests/test_scan_pcap.py --ignore=tests/test_scan_clamav.py tests/$SCANNER_TEST; fi && \
+    if $CONFIG_TESTS; then python3 -m pytest -s --ignore=tests/test_scan_pcap.py tests_configuration/; fi && \
     echo '[+] Done'
 
 USER root

so-strelka-manager/Dockerfile

@@ -1,13 +1,24 @@
-FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build
-ARG STRELKA_RELEASE_VERSION=0.24.01.18
+FROM ghcr.io/security-onion-solutions/golang:1.25.1-alpine AS build
+ARG STRELKA_RELEASE_VERSION=1.0.1
 
-RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-manager@$STRELKA_RELEASE_VERSION
+RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-manager@$STRELKA_RELEASE_VERSION && \
+    CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-filestream@$STRELKA_RELEASE_VERSION && \
+    apk add openssl-dev bash build-base pkgconfig librdkafka librdkafka-dev && \
+    CGO_ENABLED=1 go install -tags musl github.com/target/strelka/src/go/cmd/strelka-frontend@$STRELKA_RELEASE_VERSION
 
-FROM ghcr.io/security-onion-solutions/alpine:3.21.3
+
+FROM ghcr.io/security-onion-solutions/alpine:3.22.1
 LABEL maintainer="Security Onion Solutions, LLC"
 
 COPY --from=build /go/bin/strelka-manager /usr/local/bin/
+COPY --from=build /go/bin/strelka-filestream /usr/local/bin/
+COPY --from=build /go/bin/strelka-frontend /usr/local/bin/
+
 RUN addgroup -g 939 strelka && \
     adduser -u 939 -G strelka strelka --disabled-password \
-    -h /etc/strelka --no-create-home strelka
+    -h /etc/strelka --no-create-home strelka && \
+    apk add --no-cache jq && \
+    mkdir /var/log/strelka/ && \
+    touch /var/log/strelka/strelka.log && \
+    chown -R 939:939 /var/log/strelka/
 USER strelka

so-suricata/Dockerfile

@@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \
                lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \
                python3-devel python3-sphinx python3-yaml sudo which cargo \
                zlib-devel luajit-devel cargo && cargo install --force cbindgen
-ENV SURIVERSION=7.0.12
+ENV SURIVERSION=8.0.2
 RUN mkdir /suricata
 
 WORKDIR /suricata

so-zeek/Dockerfile

@@ -20,7 +20,7 @@ RUN dnf -y install dnf-plugins-core && \
     dnf update -y && \
     dnf -y install epel-release bash libpcap iproute wget cmake swig && \
     dnf -y install jemalloc numactl libnl3 libdnet gdb git && \
-    dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel python3 kernel-devel kernel-headers libnghttp2-devel brotli-devel && \
+    dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel python3 kernel-devel kernel-headers libnghttp2-devel brotli-devel zeromq-devel && \
     dnf group install -y "Development Tools" && \
     yum install -y glibc-common && \
     pip3 install GitPython semantic-version requests && \
@@ -39,7 +39,7 @@ RUN dnf -y install perl && \
 
 WORKDIR /
 
-ENV ZEEKVER=7.0.11
+ENV ZEEKVER=8.0.4
 ARG BUILD_TYPE=Release
 
 RUN mkdir /zeekbuild
@@ -69,7 +69,7 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \
     /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \
     /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \
     /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \
-    /opt/zeek/bin/zkg install --force --skiptests https://github.com/mitrecnd/bro-http2 --version master && \
+    /opt/zeek/bin/zkg install --force --skiptests https://github.com/Security-Onion-Solutions/bro-http2.git && \
     /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-ipsec && \
     /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-openvpn
 
@@ -95,9 +95,9 @@ LABEL description="Zeek running in docker for use with Security Onion"
 RUN dnf update -y && dnf -y install epel-release bash libpcap iproute && \
     dnf clean all && rm -rf /var/cache/dnf/* && \
     dnf -y install findutils jemalloc numactl libnl3 libdnet gdb libunwind-devel && \
-    dnf config-manager --enable ol9_codeready_builder && \
-    dnf -y install libnghttp2-devel brotli-devel && \
-    dnf config-manager --disable ol9_codeready_builder && \
+    dnf config-manager --enable ol9_codeready_builder ol9_developer_EPEL && \
+    dnf -y install libnghttp2-devel brotli-devel zeromq-devel && \
+    dnf config-manager --disable ol9_codeready_builder ol9_developer_EPEL && \
     dnf -y remove epel-release && \
     dnf clean all && \
     rm -rf /var/cache/dnf/ && rm -rf /var/cache/yum/ && \