suricata package addition

Author: PrajeetGuha

packages/common.vm/common.vm.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>common.vm</id>
-    <version>0.0.0.20250423</version>
+    <version>0.0.0.20250502</version>
     <description>Common libraries for VM-packages</description>
     <authors>Mandiant</authors>
   </metadata>

packages/common.vm/tools/vm.common/vm.common.psm1

@@ -1787,7 +1787,7 @@ function VM-Get-MSIInstallerPathByProductName {
 
     try {
         # Get a list of all installed MSI products
-        $installedProducts = Get-CimInstance -Class Win32_Product | Where-Object { $_.Name -like $ProductName }
+        $installedProducts = Get-CimInstance -Class Win32_Product | Where-Object { $_.Name -match $ProductName }
 
         if (-not $installedProducts) {
             VM-Write-Log "WARN" "No product found with name like '$ProductName'"

packages/suricata.vm/suricata.vm.nuspec

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>suricata.vm</id>
+    <version>7.0.8</version>
+    <authors>Open Information Security Foundation</authors>
+    <description>Suricata is a network IDS, IPS and NSM engine developed by the OISF and the Suricata community</description>
+    <dependencies>
+      <dependency id="common.vm" version="0.0.0.20250206" />
+      <dependency id="npcap.vm" version="1.80.20250219" />
+    </dependencies>
+    <tags>Networking</tags>
+  </metadata>
+</package>

packages/suricata.vm/tools/chocolateyinstall.ps1

@@ -0,0 +1,114 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+Import-Module powershell-yaml
+
+# set configurations
+$toolName = "Suricata"
+$category = VM-Get-Category($MyInvocation.MyCommand.Definition)
+$filetype = "MSI"
+$toolDir = Join-Path ${Env:ProgramFiles} $toolName
+$executablePath = Join-Path $toolDir "suricata.exe"
+$url = "https://www.openinfosecfoundation.org/download/windows/Suricata-7.0.8-1-64bit.msi"
+$sha256 = "8bdd78d2978e4efc6d23ab1ced024342cac7d38afb152a6e3f70ac5182bd8cd4"
+$silentArgs = "/qn /norestart"
+
+$packageArgs = @{
+    toolName = $toolName
+    category = $category
+    filetype = $filetype
+    silentArgs = $silentArgs
+    executablePath = $executablePath
+    url = $url
+    sha256 = $sha256
+    consoleApp = $true
+}
+
+# download msi file
+VM-Install-With-Installer @packageArgs
+VM-Assert-Path $executablePath
+
+# delete default desktop shortcut
+try{
+    $desktopShortcutPath = "${Env:HomeDrive}\Users\*\Desktop\$toolName*.lnk"
+    Remove-Item -Path $desktopShortcutPath -ErrorAction SilentlyContinue
+}
+catch{
+    VM-Write-Log-Exception $_
+}
+
+# rules configuration and download
+$rulesXmlPath = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)/rules.xml"
+$rulesXml = [xml](Get-Content $rulesXmlPath)
+
+$rulesDir = Join-Path $toolDir "rules" -Resolve
+$rulesConfigPath = Join-Path $toolDir "suricata.yaml" -Resolve
+
+$rulesConfig = ConvertFrom-Yaml (Get-Content -Raw -Path $rulesConfigPath)
+
+$failures = @()
+$rules = $rulesXml.rules.rule
+
+$tempToolDir = Join-Path ${Env:TEMP} $toolName
+$tempToolDir += ".vm"
+$tempRuleDir = Join-Path $tempToolDir "rules"
+
+foreach ($rule in $rules) {
+
+    Write-Host "[+] Attempting to install rule: $($rule.name)"
+
+    $filePath = Join-Path $tempToolDir ([System.IO.Path]::GetFileName($rule.url))
+
+    try{
+        Invoke-WebRequest -Uri $rule.url -OutFile $filePath
+
+        # If the file ends in .zip, unzip it
+        if ($filePath -like '*.zip') {
+
+            Write-Host "ZIP file detected."
+
+            Get-ChocolateyUnzip -FileFullPath $filePath -Destination $tempRuleDir
+
+            #  if rules are present in innerFolder of zip archive
+            if ($rule.innerFolder){
+                $innerFolder = Join-Path $tempRuleDir $rule.innerFolder
+
+                Get-ChildItem -Path $innerFolder -File | ForEach-Object {
+                    Copy-Item -Path $_.FullName -Destination $tempRuleDir -Force
+                }
+            }
+
+        } elseif ($filePath -like '*.rules') {
+
+            Write-Host "Rules file detected. Moving to $tempRuleDir..."
+
+            Move-Item -Path $filePath -Destination $tempRuleDir
+
+        } else {
+            throw "`t[!] Unsupported file type: '$filePath'. Only .zip and .rule are allowed."
+        }
+    } catch {
+        $failures += $rule.name
+    }
+}
+
+$allRuleFiles = Get-ChildItem -Path $tempRuleDir -Recurse -File -Filter *.rules
+
+# move all rule files in temp rule folder to the suricata rule folder
+# add rules to `suricata.yaml`
+foreach ($ruleFile in $allRuleFiles){
+    Move-Item -Path $ruleFile.FullName -Destination $rulesDir -Force
+    if (-not ($rulesConfig.'rule-files' -contains $ruleFile.Name)){
+        $rulesConfig.'rule-files' += $ruleFile.Name
+    }
+    Write-Host "`t[+] Rule $($ruleFile.Name) added to $rulesDir..."
+}
+
+$rulesConfig | ConvertTo-Yaml | Set-Content -Path $rulesConfigPath
+
+# display all errors
+if ($failures.Count -gt 0) {
+    foreach ($module in $failures) {
+        VM-Write-Log "ERROR" "Failed to install rule: $($rule.name)"
+    }
+    exit 1
+}

packages/suricata.vm/tools/chocolateyuninstall.ps1

@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'Suricata'
+$category = VM-Get-Category($MyInvocation.MyCommand.Definition)
+
+VM-Uninstall $toolName $category

packages/suricata.vm/tools/rules.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rules>
+    <rule name="emerging-all" url="https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.zip" innerFolder="rules"/>
+</rules>