suricata package addition

Author: PrajeetGuha

packages/common.vm/common.vm.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>common.vm</id>
-    <version>0.0.0.20250425</version>
+    <version>0.0.0.20250502</version>
     <description>Common libraries for VM-packages</description>
     <authors>Mandiant</authors>
   </metadata>

packages/common.vm/tools/vm.common/vm.common.psm1

@@ -81,7 +81,7 @@ function VM-Write-Log {
     [CmdletBinding()]
     Param(
         [Parameter(Mandatory=$true, Position=0)]
-        [ValidateSet("INFO","WARN","ERROR")]
+        [ValidateSet("INFO","WARN","ERROR","FATAL")]
         [String] $level,
         [Parameter(Mandatory=$true, Position=1)]
         [string] $message
@@ -1803,7 +1803,7 @@ function VM-Get-MSIInstallerPathByProductName {
 
     try {
         # Get a list of all installed MSI products
-        $installedProducts = Get-CimInstance -Class Win32_Product | Where-Object { $_.Name -like $ProductName }
+        $installedProducts = Get-CimInstance -Class Win32_Product | Where-Object { $_.Name -match $ProductName }
 
         if (-not $installedProducts) {
             VM-Write-Log "WARN" "No product found with name like '$ProductName'"

packages/suricata.vm/suricata.vm.nuspec

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>suricata.vm</id>
+    <version>7.0.10</version>
+    <authors>Open Information Security Foundation</authors>
+    <description>Suricata is a network IDS, IPS and NSM engine developed by the OISF and the Suricata community</description>
+    <dependencies>
+      <dependency id="common.vm" version="0.0.0.20250206" />
+      <dependency id="npcap.vm" version="1.80.20250219" />
+    </dependencies>
+    <tags>Networking</tags>
+  </metadata>
+</package>

packages/suricata.vm/tools/chocolateyinstall.ps1

@@ -0,0 +1,114 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+try{
+    # set configurations
+    $toolName = 'suricata'
+    $category = VM-Get-Category($MyInvocation.MyCommand.Definition)
+    $toolDir = Join-Path ${Env:ProgramFiles} $toolName
+    $executablePath = Join-Path $toolDir "$toolName.exe"
+    $exeUrl = "https://www.openinfosecfoundation.org/download/windows/Suricata-7.0.10-1-64bit.msi"
+    $sha256 = "b32a6ca8a793a603a23de307c83831c874099f50bbcd2710ee8325d69a49fb44"
+
+    $packageArgs = @{
+        toolName = $toolName
+        category = $category
+        filetype = "MSI"
+        silentArgs = "/qn /norestart"
+        executablePath = $executablePath
+        url = $exeUrl
+        sha256 = $sha256
+        consoleApp = $true
+    }
+
+    VM-Install-With-Installer @packageArgs
+
+    # delete default desktop shortcut
+    $desktopShortcutPath = "${Env:HomeDrive}\Users\*\Desktop\$toolName*.lnk"
+    Remove-Item -Path $desktopShortcutPath -ErrorAction SilentlyContinue
+
+    # rules configuration and download
+    $rulesXmlPath = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)/rules.xml"
+    $rulesXml = [xml](Get-Content $rulesXmlPath)
+    $rulesDir = Join-Path $toolDir "rules" -Resolve
+    $rules = $rulesXml.rules.rule
+
+    # tempdir for rules been added
+    # rules are added to tempdir before been added to default rule folder as other default rules exist in default folder
+    # rules filenames are needed for adding to config files
+    $tempToolDir = Join-Path ${Env:TEMP} "$toolName.vm"
+    $tempRuleDir = Join-Path $tempToolDir "rules"
+
+    foreach ($rule in $rules) {
+        VM-Write-Log "INFO" "Attempting to install rule: $($rule.name)"
+        $filePath = Join-Path $tempToolDir ([System.IO.Path]::GetFileName($rule.url))
+
+        # create rule specific temp folder
+        $tempRuleSpecificFolder = Join-Path $tempRuleDir $rule.name
+        if (-not (Test-Path -Path $tempRuleSpecificFolder)) {
+            New-Item -Path $tempRuleSpecificFolder -ItemType Directory
+        }
+        try{
+            Invoke-WebRequest -Uri $rule.url -OutFile $filePath -ErrorAction Stop
+            # If the rule url is of a zip archive (collection of multiple rule files)
+            if ($filePath -like '*.zip') {
+                VM-Write-Log "INFO" "ZIP file detected."
+                Get-ChocolateyUnzip -FileFullPath $filePath -Destination $tempRuleSpecificFolder | Out-Null
+
+            # if the rule url is for only one rules file
+            } elseif ($filePath -like '*.rules') {
+                VM-Write-Log "INFO" "Rules file detected. Moving to $tempRuleSpecificFolder..."
+                Move-Item -Path $filePath -Destination $tempRuleSpecificFolder
+
+            # any other types of url resource is unsupported
+            } else {
+                throw "Unsupported file type: '$filePath'. Only .zip and .rule are allowed."
+            }
+        } catch {
+            VM-Write-Log "WARN" "Failed rule: $filePath. Cause: $($_.Exception.Message)"
+        }
+    }
+
+    $allRuleFiles = Get-ChildItem -Path $tempRuleDir -Recurse -File -Filter *.rules
+
+    $rulesConfigPath = Join-Path $toolDir "suricata.yaml" -Resolve
+    $rulesConfig = Get-Content -Path $rulesConfigPath
+
+    # collect the list of all existent rules
+    $rulesList = $rulesConfig -split "`n" | Where-Object { $_.Trim() -match '\.rules$' } | ForEach-Object { $_.TrimStart(' -').Trim() }
+
+    # index of the location in the yaml where `rule-files:` is specified
+    $ruleFilesIndex = $null
+    for ($i = 0; $i -lt $rulesConfig.Count; $i++) {
+        if ($rulesConfig[$i] -match '^rule-files:$') {
+            $ruleFilesIndex = $i
+            break
+        }
+    }
+    # If `rule-files:` was not found, throw an error
+    if ($null -eq $ruleFilesIndex) {
+        throw "Line with 'rule-files:' string not found in the config file."
+    }
+
+    # move all rule files in temp rule folder to the suricata rule folder
+    # add rules to `suricata.yaml`
+    VM-Write-Log "INFO" "Moving rule-files to $rulesDir..."
+    foreach ($ruleFile in $allRuleFiles){
+        Move-Item -Path $ruleFile.FullName -Destination $rulesDir -Force
+        if (-not ($rulesList -contains $ruleFile.Name)){
+            $newRuleLine = " - $($ruleFile.Name)"
+             # add rule to config file
+            $rulesConfig = $rulesConfig[0..$ruleFilesIndex] + $newRuleLine + $rulesConfig[($ruleFilesIndex + 1)..($rulesConfig.Length - 1)]
+            VM-Write-Log "INFO" "[+] Rule-file $($ruleFile.Name) added to $rulesDir. Added rule-file reference to config file."
+        }
+        else{
+            VM-Write-Log "INFO" "[+] Rule-file $($ruleFile.Name) added to $rulesDir. Rule-file reference already exist in config file."
+        }
+    }
+
+    # Save the updated content back to the file
+    $rulesConfig | Set-Content -Path $rulesConfigPath
+}
+catch{
+    VM-Write-Log-Exception $_
+}

packages/suricata.vm/tools/chocolateyuninstall.ps1

@@ -0,0 +1,7 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$toolName = 'suricata'
+$category = VM-Get-Category($MyInvocation.MyCommand.Definition)
+
+VM-Uninstall-With-Uninstaller $toolName $category "MSI" "/qn /norestart"

packages/suricata.vm/tools/rules.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rules>
+    <rule name="emerging-all" url="https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.zip" innerFolder="rules"/>
+</rules>