jasonish / docker-suricata

Licence: MIT License
A Suricata Docker image.

Suricata Docker Image

Docker Tags (Suricata Versions)

  • master: The latest code from the git master branch.
  • latest: The latest release version (currently 6.0)
  • 6.0: The latest 6.0 patch release.
  • 5.0: The latest 5.0 patch release.

Specific version tags also exist for versions 4.1.5 and newer.

Examples:

docker pull jasonish/suricata:latest
docker pull jasonish/suricata:6.0.4

The images are rebuilt and pushed to Docker Hub daily to ensure they are using the most up to date packages of the base OS, and in the case of the master tag, to use the latest Suricata code for the git master branch.

Tags without an architecture like amd64 or arm64v8 are multi-architecture image manifests. For the most part Docker will do the right thing, however if you need to pull the image for a specific architecture you can do so by selecting a tag with an architecture in the name, for example:

docker pull jasonish/suricata:latest-amd64
docker pull jasonish/suricata:6.0.4-arm64v8

Alternate Registry

In addition to Docker Hub, these containers are also pushed to quay.io and can be pulled like:

docker pull quay.io/jasonish/suricata:latest

Usage

You will most likely want Suricata to monitor a network interface on your host machine rather than the virtual interface normally provided inside a container, so run it in the host network namespace with --net=host:

docker run --rm -it --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    jasonish/suricata:latest -i <interface>

But you will probably want to see what Suricata logs, so you may want to start it like:

docker run --rm -it --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    -v $(pwd)/logs:/var/log/suricata \
    jasonish/suricata:latest -i <interface>

which will map the logs directory (in your current directory) to the Suricata log directory in the container so you can view the Suricata logs from outside the container.

Capabilities

This container will attempt to run Suricata as a non-root user, provided the container has the capabilities needed to do so. To monitor a network interface and still drop root privileges, the container must have the sys_nice, net_admin and net_raw capabilities. If the container detects that it lacks any of these, Suricata is run as root instead: a container started without --cap-add does not fail, it quietly falls back to a root Suricata process.

Docker example:

docker run --rm -it --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    jasonish/suricata:latest -i eth0

Podman example:

sudo podman run --rm -it --net=host \
    --cap-add=net_admin,net_raw,sys_nice \
    jasonish/suricata:latest -i eth0

Note that with podman adding the capabilities is mandatory.
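
The fallback to root is silent, so it is worth confirming after startup which user the Suricata process actually runs as. The following is an added example, not code from the docker-suricata project: it parses the default `docker top <container>` listing (ps -ef style, UID first and CMD last) and flags a root-owned suricata process. The SAMPLE_* strings are constructed stand-ins for that listing, the numeric UID 1000 is an assumption, and the real process tree inside the image may contain more rows than shown.

```python
"""Verify that Suricata dropped root inside the container.

Added example; this is not code from the docker-suricata project. It reads
the default 'docker top <container>' listing (ps -ef style: UID first, CMD
last) and reports which UID owns the suricata process. The SAMPLE_* strings
are constructed stand-ins for that listing, not captured output.
"""
import os
import subprocess
import sys

# docker top runs ps on the host, so a container user with no matching host
# account shows up as a bare number (1000 here is an assumption).
SAMPLE_DROPPED = """\
UID     PID   PPID  C STIME TTY   TIME     CMD
1000    4321  4300  2 10:00 pts/0 00:00:05 /usr/bin/suricata -i eth0
"""

# What the listing looks like when the capabilities were not granted and the
# image fell back to running Suricata as root.
SAMPLE_ROOT = """\
UID     PID   PPID  C STIME TTY   TIME     CMD
root    4321  4300  2 10:00 pts/0 00:00:05 /usr/bin/suricata -i eth0
"""


def parse_docker_top(text):
    """Return (uid, cmd) pairs; CMD is the last column and may contain spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    ncols = len(header)
    rows = []
    for ln in lines[1:]:
        fields = ln.split(None, ncols - 1)   # keep spaces inside CMD
        if len(fields) != ncols:
            continue                          # not a process row; ignore
        row = dict(zip(header, fields))
        rows.append((row["UID"], row["CMD"]))
    return rows


def suricata_owners(text):
    """UIDs of processes whose executable is the suricata binary itself."""
    owners = set()
    for uid, cmd in parse_docker_top(text):
        exe = os.path.basename(cmd.split()[0])
        if exe == "suricata":                 # excludes suricata-update, suricatasc
            owners.add(uid)
    return sorted(owners)


def runs_as_root(text):
    """True if any suricata process is owned by root (by name or uid 0)."""
    return any(uid in ("root", "0") for uid in suricata_owners(text))


def check_container(name, tool="docker"):
    """Run '<tool> top <name>' (tool may be 'podman') and return (owners, root?)."""
    out = subprocess.run([tool, "top", name], capture_output=True,
                         text=True, check=True).stdout
    return suricata_owners(out), runs_as_root(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        owners, root = check_container(sys.argv[1])
    else:
        owners, root = suricata_owners(SAMPLE_ROOT), runs_as_root(SAMPLE_ROOT)
    print("suricata process owner(s):", owners)
    if root:
        print("WARNING: Suricata is running as root; start the container with "
              "--cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice")
        sys.exit(1)
```

Run it as `python3 check_suricata_user.py suricata` against a container started with `--name=suricata`; with no argument it evaluates the constructed root sample. For podman, pass `tool="podman"` to `check_container`, since `podman top` prints the same style of listing.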

Logging

The directory /var/log/suricata is exposed as a volume. Another container can attach it by using the --volumes-from Docker option. For example:

  • Start the Suricata container with a name (the capabilities from the Capabilities section keep Suricata running as a non-root user):

      docker run -it --net=host --name=suricata \
          --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
          jasonish/suricata -i enp3s0

  • Start a second container with --volumes-from:

      docker run -it --net=host --volumes-from=suricata logstash /bin/bash


This will expose /var/log/suricata from the Suricata container as /var/log/suricata in the Logstash container.

Log Rotation

Running logrotate inside the Suricata container will do the right thing, for example:

docker exec CONTAINER_ID logrotate /etc/logrotate.d/suricata

To test, run logrotate in forced, verbose mode:

docker exec CONTAINER_ID logrotate -vf /etc/logrotate.d/suricata
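
Whatever consumes the logs from the shared volume (the Logging section above) has to cope with rotation: after logrotate renames eve.json, Suricata reopens a fresh file at the same path, and a reader that keeps its old handle open stops seeing events. The following is an added example, not code from the docker-suricata project. It assumes the container was started with -v $(pwd)/logs:/var/log/suricata, so the host side of the volume is ./logs/eve.json (EVE_PATH). SAMPLE is constructed, not real Suricata output: the sids are in the local rule range and the addresses are documentation ranges.

```python
"""Read Suricata EVE JSON from the log volume and summarise alerts.

Added example, not code from the docker-suricata project. It assumes the
container was started with -v $(pwd)/logs:/var/log/suricata, so the host
side of the volume is ./logs/eve.json (EVE_PATH below is that assumption).
SAMPLE is constructed, not real Suricata output.
"""
import json
import os
import time
from collections import Counter

EVE_PATH = os.path.join("logs", "eve.json")   # assumption: host side of the bind mount

# Constructed records, one JSON object per line like a real eve.json. The
# fourth line is cut short, as a reader sees when it races Suricata's write.
SAMPLE = """\
{"timestamp":"2021-06-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51514,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL constructed alert id check","severity":1}}
{"timestamp":"2021-06-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2021-06-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40022,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL constructed alert id check","severity":1}}
{"timestamp":"2021-06-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51520,"dest_ip":"198.51.100.2","dest_port":4444,"pro
{"timestamp":"2021-06-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51520,"dest_ip":"198.51.100.2","dest_port":4444,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL constructed outbound 4444","severity":2}}
"""


def parse_eve(lines):
    """Decode EVE lines, skipping blank and undecodable (partial) ones."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue                  # partial write; do not abort the consumer
    return records


def alert_summary(records):
    """Aggregate alert events by signature and by source address."""
    by_signature = Counter()
    by_source = Counter()
    alerts = 0
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        alerts += 1
        by_signature[rec["alert"]["signature"]] += 1
        by_source[rec.get("src_ip", "?")] += 1
    return {"alerts": alerts, "by_signature": by_signature,
            "top_sources": by_source.most_common()}


def follow(path, poll_seconds=1.0):
    """Yield EVE records as Suricata appends them, surviving log rotation.

    After 'docker exec ... logrotate' renames eve.json, Suricata reopens a
    new file at the same path, so the inode at 'path' changes; a copytruncate
    style rotation instead shrinks the file we hold open. Both cases are
    detected and the reader moves to the start of the fresh file. Binary mode
    keeps tell() an exact byte offset.
    """
    fh = open(path, "rb")
    fh.seek(0, os.SEEK_END)
    while True:
        pos = fh.tell()
        line = fh.readline()
        if line.endswith(b"\n"):
            for rec in parse_eve([line.decode("utf-8", "replace")]):
                yield rec
            continue
        fh.seek(pos)                  # empty or partial line: wait for the writer
        try:
            st = os.stat(path)
            rotated = (st.st_ino != os.fstat(fh.fileno()).st_ino
                       or st.st_size < pos)
        except FileNotFoundError:
            rotated = False           # renamed away, not yet recreated: keep waiting
        if rotated:
            fh.close()
            fh = open(path, "rb")
            continue
        time.sleep(poll_seconds)


if __name__ == "__main__":
    if os.path.exists(EVE_PATH):
        with open(EVE_PATH) as fh:
            records = parse_eve(fh)
    else:
        records = parse_eve(SAMPLE.splitlines())
    summary = alert_summary(records)
    print(f"{summary['alerts']} alerts")
    for sig, n in summary["by_signature"].most_common():
        print(f"{n:5d}  {sig}")
    print("top sources:", summary["top_sources"][:3])
```

Run from the directory holding ./logs to summarise the current eve.json; `for rec in follow(EVE_PATH): ...` gives a live feed that keeps working across `docker exec CONTAINER_ID logrotate -vf /etc/logrotate.d/suricata`.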

Volumes

The Suricata container exposes the following volumes:

  • /var/log/suricata - The Suricata log directory.
  • /var/lib/suricata - Rules, Suricata-Update cache and other runtime data that may be useful to retain between runs.
  • /etc/suricata - The configuration directory.

Note: If /etc/suricata is a volume, it will be populated with a default configuration from the container.

If using bind mounts you may want the Suricata user within the container to match the UID and GID of a user on the host system, so that files written to the mounts are owned by that user. This can be done by setting the PUID and PGID environment variables. For example:

docker run --rm -it --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    -e PUID=$(id -u) -e PGID=$(id -g) \
    -v $(pwd)/logs:/var/log/suricata \
    jasonish/suricata:latest -i eth0

which will result in the files under the bind mounts being owned by the user starting the Docker container.

Configuration

The easiest way to provide Suricata a custom configuration is to use a host bind mount for the configuration directory, /etc/suricata. It will be populated on the first run of the container. For example:

mkdir ./etc
docker run --rm -it -v $(pwd)/etc:/etc/suricata jasonish/suricata:latest -V

When the container exits, ./etc will be populated with the default configuration files normally found in /etc/suricata.

Note: The files created in this directory will likely not be owned by the same UID as your host user, so you may need to use sudo to edit them or change their permissions. Running the container with PUID and PGID set to your own IDs (see Volumes) is the image's mechanism for mapping bind-mount ownership to the host user, so try that first.

In this directory the Suricata configuration can be modified, and Suricata-Update files may be placed. It just needs to be provided as a volume in subsequent runs of Suricata. For example:

docker run --rm -it --net=host \
    -v $(pwd)/etc:/etc/suricata \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    jasonish/suricata:latest -i eth0

Environment Variables

SURICATA_OPTIONS

The SURICATA_OPTIONS environment variable can be used to pass command line options to Suricata. For example:

docker run --net=host -e SURICATA_OPTIONS="-i eno1 -vvv" jasonish/suricata:latest

Suricata-Update

The easiest way to run Suricata-Update is to run it while the container is running. For example:

In one terminal, start Suricata:

docker run --name=suricata --rm -it --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    jasonish/suricata:latest -i eth0

Then in another terminal:

docker exec -it --user suricata suricata suricata-update -f

This executes suricata-update inside the same container that is running Suricata (hence --name=suricata), as the suricata user that Suricata itself runs as (--user suricata), and then signals Suricata to reload its rules with suricatasc -c reload-rules.

Raspberry Pi

This image is usable on Raspberry Pi OS, however due to an incompatibility between Raspberry Pi OS and Docker, the timestamps in the logs will be wrong. There are two possible fixes for this issue:

  • Use the --privileged option to Docker. Note that --privileged also disables Docker's seccomp filtering and grants the container every capability, far more than the three listed under Capabilities, so prefer the second fix where you can.
  • Upgrade the libseccomp2 package on Raspberry Pi OS to a newer version from the backports repo.

Tools

./wrapper.py

wrapper.py is a script that wraps Suricata-in-Docker for use on the command line as if it was installed locally.

wrapper.py has its own arguments that can be seen by running wrapper.py -h. Arguments that occur after -- are Suricata arguments and are passed directly to Suricata (most of the time). The Suricata arguments are preprocessed to setup any required volumes to provide the appearance that Suricata is running directly.

Example: Run Suricata on a pcap file

./wrapper.py -- -r /path/to/filename.pcap

Example: Run Suricata 5.0.4 on network interface and log to current directory

./wrapper.py --tag 5.0.4 -- -i eno1 -l .

Note that this tool is a work in progress and may change, including a change of name.

License

The build scripts, Dockerfiles and any other files in this repo are MIT licensed.
