#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.


{%- set MANAGER = salt['grains.get']('master') %}
{%- set VERSION = salt['pillar.get']('global:soversion') %}
{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}

TESTRULE=$1
TESTPCAP=$2

. /usr/sbin/so-common

if [ $# -lt 2 ]; then
  echo "Usage: $0 <CustomRule> <TargetPCAP>"
  exit 1
fi

echo ""
echo "==============="
echo "Running all.rules and $TESTRULE against the following pcap: $TESTPCAP" 
echo ""
sleep 3


rm -rf /tmp/nids-testing/output
mkdir -p /tmp/nids-testing/output
chown suricata:socore /tmp/nids-testing/output
mkdir -p /tmp/nids-testing/rules

cp /opt/so/conf/suricata/rules/all.rules /tmp/nids-testing/rules/all.rules
cat $TESTRULE >> /tmp/nids-testing/rules/all.rules

echo "==== Begin Suricata Output ==="

  docker run --rm \
    -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \
    -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \
    -v /tmp/nids-testing/rules:/etc/suricata/rules:ro \
    -v "$TESTPCAP:/input.pcap:ro" \
    -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
    -v /tmp/nids-testing/output/:/nsm/:rw \
    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
    --runmode single -v -k none -r /input.pcap -l /tmp --init-errors-fatal
echo "==== End Suricata Output ==="

echo ""
echo "If any alerts hit, they will be displayed below:"
echo ""

cat /tmp/nids-testing/output/* | jq

echo ""
echo "End so-suricata-testrule"
echo "==============="
echo ""