[Oisf-users] Suricata in container

Victor Roemer viroemer at cisco.com
Tue Jun 2 19:28:03 UTC 2015


I’m still pretty new to docker (just to be clear) and have not tried 
this yet-

This is how I am planning to deploy IPS for my HTTP server(s)

HTTP server “exposes” its port to other containers only; (not bound to 
host port)

IPS container “exposes” port 80 and is bound to the host network. IPS 
container is started with “--link :httpserv” to perform MITM of the 
server's traffic.

Dockerfile not included; the commands I expect to run would be:

  $ docker run -p 127.0.0.1:12345 --name application <http_server_image>
  $ docker run -p 80:80 --link application:httpserv --name ips <snort_or_suricata_image>

(YMMV, specifically I’m uncertain of the “--link” option)

From here, it becomes a question of how the IPS container firewall 
rules are set up (assuming NFQ+daq for my case).
In the example above, I would have to do some sort of NATing (:80 -> 
127.0.0.1:12345).

This seems all good; but I still feel like I’m overdoing it and that 
docker may provide a more reasonable out-of-box magic to ease this further.

------------------------------------------------------------------------

Otherwise, for passive setups, it should be super easy. Add flags to the 
docker run command: “--net=host --privileged”
(refer to “https://registry.hub.docker.com/u/manell/wireshark/”).

On 6/2/15 14:17, Claudio Kuenzler wrote:

>
>
> Install suricata in the container where you run the loadbalancer and 
> you catch the traffic.
>
>
> On Jun 2, 2015 8:07 PM, "Saxena, Samiksha" 
> <samiksha.saxena at verizon.com <mailto:samiksha.saxena at verizon.com>> wrote:
>
>     How can I do so? I want the traffic to flow from internet to load
>     balancer server (running in a container) to Suricata (running in a
>     separate container) to application server.
>
>     From: Claudio Kuenzler <ck at claudiokuenzler.com
>     <mailto:ck at claudiokuenzler.com>>
>     Date: Tuesday, June 2, 2015 at 2:05 PM
>     To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com
>     <mailto:samiksha.saxena at one.verizon.com>>
>     Cc: "oisf-users at lists.openinfosecfoundation.org
>     <mailto:oisf-users at lists.openinfosecfoundation.org>"
>     <oisf-users at lists.openinfosecfoundation.org
>     <mailto:oisf-users at lists.openinfosecfoundation.org>>, Victor
>     Julien <lists at inliniac.net <mailto:lists at inliniac.net>>
>     Subject: Re: [Oisf-users] Suricata in container
>
>     If you use that particular container as reverse proxy for example.
>
>     On Jun 2, 2015 4:01 PM, "Saxena, Samiksha"
>     <samiksha.saxena at verizon.com <mailto:samiksha.saxena at verizon.com>>
>     wrote:
>
>         How to make a container a hop in the traffic?
>
>
>         On 6/2/15, 5:46 AM, "Victor Julien" <lists at inliniac.net
>         <mailto:lists at inliniac.net>> wrote:
>
>
>         >On 05/26/2015 11:31 PM, Saxena, Samiksha wrote:
>
>         >> Is there a way to configure suricata in container for IPS?
>         I want to
>
>         >> forward all the traffic coming from internet to a Load balancer
>
>         >> container forwarded to Suricata container for IPS. Is this
>         possible and
>
>         >>how?
>
>         >
>
>         >I think it's possible, if you can make the container a hop in the
>
>         >traffic path.
>
>         >
>
>         >--
>
>         >---------------------------------------------
>
>         >Victor Julien
>
>         >http://www.inliniac.net/
>
>         >PGP: http://www.inliniac.net/victorjulien.asc
>
>         >---------------------------------------------
>
>         >
>
>         >_______________________________________________
>
>         >Suricata IDS Users mailing list:
>         oisf-users at openinfosecfoundation.org
>         <mailto:oisf-users at openinfosecfoundation.org>
>
>         >Site: http://suricata-ids.org | Support:
>         http://suricata-ids.org/support/
>
>         >List:
>         https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>         >Suricata User Conference November 4 & 5 in Barcelona:
>
>         >http://oisfevents.net
>
>
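Added example, not commands from the poster or from the Suricata project: a host-side script for the inline layout sketched in the message above (IPS container on the host network, Suricata in NFQ mode, inbound :80 NATed to the application's loopback port 12345). It differs from the sketch in two ways a practitioner would want: the IPS container gets CAP_NET_ADMIN instead of --privileged, and the NAT step enables route_localnet on the ingress interface, without which the kernel drops packets DNATed to 127/8. With --net=host the IPS needs neither -p 80:80 nor --link, since packets reach Suricata through the queue and it never opens a socket to the application. The image names http-app and suricata-ips, the interface eth0, the container-side port 80 and the suricata.yaml path are assumptions. DRY_RUN=1 prints the commands instead of running them. The passive setup mentioned at the end of the message needs nothing beyond the flags cited there.

```shell
#!/bin/sh
# Added example, not the poster's or the Suricata project's code: a host-side
# script for the "IPS container on the host network" layout. Assumptions
# (all hypothetical): the application image is called http-app and listens on
# 80 inside its container; the Suricata image is called suricata-ips and ships
# a suricata.yaml with nfq configured; the Internet-facing interface is eth0.
# DRY_RUN=1 prints each command instead of running it, so the plan can be
# reviewed (or tested) on a box without docker or root.
set -e

: "${DRY_RUN:=0}"
: "${IFACE:=eth0}"
: "${APP_PORT:=12345}"      # host loopback port the application is published on
: "${QUEUE_NUM:=0}"
: "${APP_IMAGE:=http-app}"
: "${IPS_IMAGE:=suricata-ips}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Application: published on the loopback address only, so the only way in
# from outside is through the NAT rule below, and therefore through Suricata.
start_app() {
    run docker run -d --name application -p "127.0.0.1:${APP_PORT}:80" "$APP_IMAGE"
}

# Host NAT: rewrite inbound :80 to 127.0.0.1:$APP_PORT. Packets DNATed to a
# 127/8 address that arrived on a real interface are dropped as martians
# unless route_localnet is set on that interface, hence the sysctl.
setup_nat() {
    run sysctl -w "net.ipv4.conf.${IFACE}.route_localnet=1"
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "127.0.0.1:${APP_PORT}"
}

# Divert both directions of the post-NAT flow to NFQUEUE. Deliberately no
# --queue-bypass: if Suricata is not attached to the queue the packets are
# dropped (fail closed), which is what an inline IPS should do.
setup_nfq() {
    run iptables -I INPUT  -p tcp --dport "$APP_PORT" -j NFQUEUE --queue-num "$QUEUE_NUM"
    run iptables -I OUTPUT -p tcp --sport "$APP_PORT" -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Suricata shares the host network namespace and only needs CAP_NET_ADMIN to
# bind the queue; --privileged is not required. With --net=host there is
# nothing to -p or --link: packets reach Suricata via the queue and it never
# opens a socket to the application.
start_ips() {
    run docker run -d --name ips --net=host --cap-add=NET_ADMIN "$IPS_IMAGE" \
        suricata -c /etc/suricata/suricata.yaml -q "$QUEUE_NUM"
}

plan() {
    start_app
    setup_nat
    setup_nfq
    start_ips
}

# Execute the plan only when asked; otherwise the file just defines functions.
if [ "${RUN_PLAN:-0}" = "1" ]; then
    plan
fi
```

Usage on the host: `DRY_RUN=1 RUN_PLAN=1 sh ips-plan.sh` to review the commands, then `RUN_PLAN=1 sh ips-plan.sh` as root to apply them. Verify the diversion with `iptables -L INPUT -n -v` (the NFQUEUE counters should climb while requests are served) and `docker logs ips` for Suricata's "NFQ" startup lines.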