From 4d3cec9cb16ad0f2b78fe636067b066618ffded0 Mon Sep 17 00:00:00 2001 From: Bart Biskupek Date: Tue, 8 Oct 2024 12:23:10 +0100 Subject: [PATCH 1/3] dpi docs. --- .../threat/deeppacketinspection.mdx | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/calico-enterprise/threat/deeppacketinspection.mdx b/calico-enterprise/threat/deeppacketinspection.mdx index 67e75e04d2..5e1621b6bb 100644 --- a/calico-enterprise/threat/deeppacketinspection.mdx +++ b/calico-enterprise/threat/deeppacketinspection.mdx 
@@ -109,6 +109,66 @@ Get the [status of DeepPacketInspection](../reference/resources/deeppacketinspec kubectl get -n ``` +### Install custom Snort rules + +Installation of custom Snort rules for Calico deep packet inspection is a process that involves: +1. Building a Docker image for the DPI init container with custom Snort rules. +3. Configuration of the IntrusionDetection resource. + +#### Init container with custom Snort rules + +Assuming working in an empty directory: + +- copy your Snort rule files into `./snort-rules` directory +- create a `Dockerfile` like this one: + +```yaml +FROM alpine:3.14 +COPY snort-rules /snort-rules +ENTRYPOINT [ "/bin/sh", "-c", "cp /snort-rules/* /usr/etc/snort/rules/" ] +``` + +- in the console issue the following commands: + +```bash +docker build . -t your-image-name:image-tag +docker push your-image-name:image-tag +``` + +After the image has been pushed to the registry you're ready to configure the `IntrusionDetection` resource. + +#### Configuration of the IntrusionDetection resource + +Patch the `IntrusionDetection` resource to contain the following data: + +```yaml +spec: + deepPacketInspectionDaemonset: + spec: + template: + spec: + initContainers: + - name: snort-rules + image: your-image:tag +``` + +This can be done using the `kubectl` command as follows: + +```bash +kubectl patch intrusiondetection tigera-secure --type merge -p '{"spec":{"deepPacketInspectionDaemonset":{"spec":{"template":{"spec":{"initContainers":[{"name":"snort-rules", "image":"your-image:tag"}]}}}}}}' +``` + +### Verify custom Snort rules installation + +First, verify that deep packet inspection is running. 
Then, assuming working in an empty directory please issue the following commands: + +```bash +export POD=$(kubectl get pods -n tigera-dpi -o custom-columns=:metadata.name --no-headers | head -n 1) +kubectl exec -n tigera-dpi $POD -- tar -cf - /usr/etc/snort/rules | tar --strip-components=4 -xf - +``` + +The directory will now contain Snort rules that are being used by the DPI. + ## Additional resources - [Configure packet capture](../visibility/packetcapture.mdx) From 7c63780cac30dc57891624c4fce023a77aa6d6aa Mon Sep 17 00:00:00 2001 From: Bart Biskupek Date: Tue, 8 Oct 2024 12:25:50 +0100 Subject: [PATCH 2/3] typos and fixes. --- calico-enterprise/threat/deeppacketinspection.mdx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/calico-enterprise/threat/deeppacketinspection.mdx b/calico-enterprise/threat/deeppacketinspection.mdx index 5e1621b6bb..17d9a65e34 100644 --- a/calico-enterprise/threat/deeppacketinspection.mdx +++ b/calico-enterprise/threat/deeppacketinspection.mdx @@ -113,13 +113,13 @@ kubectl get -n Date: Thu, 10 Oct 2024 17:55:51 +0100 Subject: [PATCH 3/3] Edits to custom Snort rules --- .../threat/deeppacketinspection.mdx | 102 +++++++++--------- 1 file changed, 54 insertions(+), 48 deletions(-) diff --git a/calico-enterprise/threat/deeppacketinspection.mdx b/calico-enterprise/threat/deeppacketinspection.mdx index 17d9a65e34..a7e22338ab 100644 --- a/calico-enterprise/threat/deeppacketinspection.mdx +++ b/calico-enterprise/threat/deeppacketinspection.mdx 
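Review bot: In the PATCH 1/3 hunk that adds "Install custom Snort rules", the Dockerfile's `ENTRYPOINT [ "/bin/sh", "-c", "cp /snort-rules/* /usr/etc/snort/rules/" ]` copies the rules into the init container's own filesystem, but the hunk never states how `/usr/etc/snort/rules/` reaches the DPI container; if the operator mounts a shared rules volume at that path for an init container named `snort-rules`, say so explicitly, otherwise the copy is a no-op from the reader's point of view. Two smaller points in the same hunk: the Dockerfile block is fenced as ```yaml rather than ```dockerfile, and the step list jumps from "1. Building a Docker image" to "3. Configuration of the IntrusionDetection resource". Since this image injects detection rules into every DPI pod, it would also be worth recommending a current Alpine release instead of `alpine:3.14` and referencing the pushed image by digest in the `IntrusionDetection` patch.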
@@ -6,17 +6,22 @@ description: Monitor live traffic for malicious activities. ## Big picture -Configure Deep Packet Inspection (DPI) in clusters to get alerts on compromised resources. +Configure deep packet inspection (DPI) in clusters to get alerts on compromised resources. ## Value -Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. {{prodname}} provides an easy way to perform DPI using [Snort community rules](https://www.snort.org/downloads/#rule-downloads). You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Security Events dashboard in Manager UI. +Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. +Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. +{{prodname}} provides an easy way to perform DPI using [Snort community rules](https://www.snort.org/downloads/#rule-downloads). +You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Security Events dashboard in Manager UI. ## Concepts -For each deep packet inspection resource (DeepPacketInspection), {{prodname}} creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Security Events page in the {{prodname}} Manager. +For each deep packet inspection resource (DeepPacketInspection), {{prodname}} creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. 
+Whenever malicious activities are suspected, an alert is automatically added to the Security Events page in the {{prodname}} Manager. -{{prodname}} DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see [AF_Packet](https://man7.org/linux/man-pages/man7/packet.7.html). +{{prodname}} DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. +It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see [AF_Packet](https://man7.org/linux/man-pages/man7/packet.7.html). ## Before you begin 
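Review bot: The sentence-per-line reflow in this hunk is applied inconsistently: the "Value" and "Concepts" paragraphs are split one sentence per line, but `+It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see [AF_Packet](...)` keeps two sentences on one line. Split "For details, see ..." onto its own line so the whole section follows the same convention.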
@@ -111,64 +116,65 @@ kubectl get -n : + docker push : + ``` -```bash -docker build . -t your-image-name:image-tag -docker push your-image-name:image-tag -``` + After the image has been pushed to the registry, you're ready to configure the `IntrusionDetection` resource. -After the image has been pushed to the registry you're ready to configure the `IntrusionDetection` resource. +1. Update the `IntrusionDetection` resource with the custom Snort rules image. -#### Configuration of the IntrusionDetection resource + ```yaml + spec: + deepPacketInspectionDaemonset: + spec: + template: + spec: + initContainers: + - name: snort-rules + image: : + ``` -Patch the `IntrusionDetection` resource to contain the following data: + This can also be done by running the following command: -```yaml -spec: - deepPacketInspectionDaemonset: - spec: - template: - spec: - initContainers: - - name: snort-rules - image: your-image:tag -``` + ```bash + kubectl patch intrusiondetection tigera-secure --type merge -p '{"spec":{"deepPacketInspectionDaemonset":{"spec":{"template":{"spec":{"initContainers":[{"name":"snort-rules", "image":":"}]}}}}}}' + ``` -This can be done using the `kubectl` command as follows: +1. Verify that your custom rules have been installed correctly: -```bash -kubectl patch intrusiondetection tigera-secure --type merge -p '{"spec":{"deepPacketInspectionDaemonset":{"spec":{"template":{"spec":{"initContainers":[{"name":"snort-rules", "image":"your-image:tag"}]}}}}}}' -``` - -### Verify Snort rules installation + 1. If it's not running already, [apply the DeepPacketInspection resource(#configure-deep-packet-inspection) to your cluster. + 1. Extract the list of Snort rules that are currently being used by running the following commands: -First, verify that deep packet inspection is running. 
-Then, assuming working in an empty directory please issue the following commands: - -```bash -export POD=$(kubectl get pods -n tigera-dpi -o custom-columns=:metadata.name --no-headers | head -n 1) -kubectl exec -n tigera-dpi $POD -- tar -cf - /usr/etc/snort/rules | tar --strip-components=4 -xf - -``` + ```bash + export POD=$(kubectl get pods -n tigera-dpi -o custom-columns=:metadata.name --no-headers | head -n 1) \ + kubectl exec -n tigera-dpi $POD -- tar -cf - /usr/etc/snort/rules | tar --strip-components=4 -xf - + ``` -The directory will now contain Snort rules that are being used by the DPI. + 1. If these rules match those in your custom set, then the installation was successful. ## Additional resources
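Review bot: The verification commands in this hunk are broken by the trailing backslash added in `+ export POD=$(kubectl get pods -n tigera-dpi -o custom-columns=:metadata.name --no-headers | head -n 1) \`: the next line becomes a continuation of the `export` command, so `kubectl exec` is never run, and `$POD` is expanded before the assignment takes effect and would be empty in any case. Keep the two commands on separate lines as in the previous version, or join them with `&&`. Also, `[apply the DeepPacketInspection resource(#configure-deep-packet-inspection)` is missing the closing `]` before the `(`, so the link will not render; and the final step "If these rules match those in your custom set, then the installation was successful" would be easier to act on if it named the directory the extracted rules land in, as the removed sentence did.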