webapp: do not use PCAP_FILE env var

ANSSI-FR · Jul 15, 2024 · f213f42 · f213f42
1 parent 7db46ed
commit f213f42
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 17 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,14 +8,18 @@ services:
       - "./input_pcaps:/input_pcaps:ro"
       - "./suricata/rules:/suricata/rules:ro"
       - "./suricata/output:/suricata/output:rw"
-    env_file:
-      - .env
+    environment:
+      # Include the name of the input pcap file in Suricata EVE logs (default: true)
+      PCAP_FILE: "true"
+      # Make Suricata wait for new pcap files (default: true)
+      # You need to disable this to see the last few flows, else Suricata will wait without logging them.
+      PCAP_FILE_CONTINUOUS: "true"
 
   webapp:
     build: ./webapp
     image: anssi/shovel-webapp:dev
     volumes:
-      # You may remove the next line if `PCAP_FILE=false`.
+      # You may remove the next line if `PCAP_FILE=false` in Suricata env
       - "./input_pcaps:/input_pcaps:ro"
       # Write access is required in SQLite `mode=ro` as readers need to record
       # a mark in the WAL file. If you need to make the volume read-only, then

diff --git a/example.env b/example.env
@@ -1,12 +1,8 @@
 # Copyright (C) 2024  ANSSI
 # SPDX-License-Identifier: CC0-1.0
 
-# Include the name of the input pcap file in Suricata EVE logs and in webapp (default: true)
-PCAP_FILE=true
-
-# Make Suricata wait for new pcap files (default: true)
-# You need to disable this to see the last few flows, else Suricata will wait without logging them.
-PCAP_FILE_CONTINUOUS=true
+# These environment variables are loaded by the webapp.
+# When updating this file, you may restart only the webapp.
 
 # Examples from FAUST CTF 2023 (2023-09-23)
 #CTF_START_DATE=2023-09-23T15:00+02:00

diff --git a/webapp/main.py b/webapp/main.py
@@ -143,10 +143,6 @@ async def api_flow_get(request):
     result = {"flow": row_to_dict(flow)}
     app_proto = result["flow"].get("app_proto")
 
-    # Make sure `pcap_filename` is empty if PCAP_FILE=false
-    if not PCAP_FILE:
-        result["flow"]["pcap_filename"] = ""
-
     # Get associated fileinfo
     # See https://docs.suricata.io/en/suricata-6.0.9/file-extraction/file-extraction.html
     if app_proto in ["http", "http2", "smtp", "ftp", "nfs", "smb"]:
@@ -325,7 +321,6 @@ async def lifespan(app):
 PAYLOAD_DB_URI = config(
     "PAYLOAD_DB_URI", cast=str, default="file:../suricata/output/payload.db?mode=ro"
 )
-PCAP_FILE = config("PCAP_FILE", cast=bool, default=True)
 CTF_CONFIG = {
     "start_date": config("CTF_START_DATE", cast=str, default="1970-01-01T00:00+00:00"),
     "tick_length": config("CTF_TICK_LENGTH", cast=int, default=0),
@@ -350,9 +345,7 @@ async def lifespan(app):
         Route("/api/replay-http/{flow_id:int}", api_replay_http),
         Route("/api/replay-raw/{flow_id:int}", api_replay_raw),
         Mount("/static", StaticFiles(directory="static")),
-        Mount(
-            "/input_pcaps", StaticFiles(directory="../input_pcaps", check_dir=PCAP_FILE)
-        ),
+        Mount("/input_pcaps", StaticFiles(directory="../input_pcaps", check_dir=False)),
         Mount("/filestore", StaticFiles(directory="../suricata/output/filestore")),
     ],
     lifespan=lifespan,