[Oisf-users] Suricata in container

Claudio Kuenzler ck at claudiokuenzler.com
Tue Jun 2 19:41:00 UTC 2015


Well just FYI I was talking about containers as in LXC (Linux Containers),
without another layer added on it like docker.
Don't know if you can do it with docker, but should be possible, too.

On Tue, Jun 2, 2015 at 9:28 PM, Victor Roemer <viroemer at cisco.com> wrote:

>  I’m still pretty new to docker (just to be clear) and have not tried
> this yet-
>
> This is how I am planning to deploy IPS for my HTTP server(s)
>
> HTTP server “exposes” its port to other containers only; (not bound to
> host port)
>
> IPS container “exposes” port 80 and is bound to the host network. IPS
> container is started with “--link :httpserv” to perform MITM of the
> server's traffic.
>
> Dockerfile not included; the commands I expect to run would be:
>
> $ docker run -p 127.0.0.1:12345 --name application <http_server_image>
> $ docker run -p 80:80 --link application:httpserv --name ips <snort_or_suricata_image>
>
> (YMMV, specifically I’m uncertain of the “--link” option)
>
> From here, it becomes a question of how the IPS container firewall rules
> are set up (assuming NFQ+daq for my case).
> In the example above, I would have to do some sort of NATing (:80 ->
> 127.0.0.1:12345).
>
> This seems all good; but I still feel like I’m overdoing it and that
> docker may provide a more reasonable
> out-of-box magic to ease this further.
> ------------------------------
>
> Otherwise, for passive setups, it should be super easy. Add flags to docker
> run command: “--net=host --privileged”
> (refer to “https://registry.hub.docker.com/u/manell/wireshark/”).
>
> On 6/2/15 14:17, Claudio Kuenzler wrote:
>
> Install suricata in the container where you run the loadbalancer and you
> catch the traffic.
>
>  On Jun 2, 2015 8:07 PM, "Saxena, Samiksha" <samiksha.saxena at verizon.com>
> wrote:
>
>> How can I do so? I want the traffic to flow from internet to load
>> balancer server (running in a container) to Suricata (running in a separate
>> container) to application server.
>>
>>  From: Claudio Kuenzler <ck at claudiokuenzler.com>
>> Date: Tuesday, June 2, 2015 at 2:05 PM
>> To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>
>> Cc: "oisf-users at lists.openinfosecfoundation.org" <
>> oisf-users at lists.openinfosecfoundation.org>, Victor Julien <
>> lists at inliniac.net>
>> Subject: Re: [Oisf-users] Suricata in container
>>
>>  If you use that particular container as reverse proxy for example.
>> On Jun 2, 2015 4:01 PM, "Saxena, Samiksha" <samiksha.saxena at verizon.com>
>> wrote:
>>
>>> How to make a container a hop in the traffic?
>>>
>>> On 6/2/15, 5:46 AM, "Victor Julien" <lists at inliniac.net> wrote:
>>>
>>> >On 05/26/2015 11:31 PM, Saxena, Samiksha wrote:
>>> >> Is there a way to configure suricata in container for IPS? I want to
>>> >> forward all the traffic coming from internet to a Load balancer
>>> >> container forwarded to Suricata container for IPS. Is this possible
>>> >> and how?
>>> >
>>> >I think it's possible, if you can make the container a hop in the
>>> >traffic path.
>>> >
>>> >--
>>> >---------------------------------------------
>>> >Victor Julien
>>> >http://www.inliniac.net/
>>> >PGP: http://www.inliniac.net/victorjulien.asc
>>> >---------------------------------------------
>>> >
>>> >_______________________________________________
>>> >Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> >Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> >List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>>
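A concrete version of the NFQ "hop" that Victor Roemer sketches above, added here as an example and not part of the thread: a POSIX shell script emitting the iptables rules an IPS container would need to DNAT its port 80 to the linked HTTP server and hand every forwarded packet to NFQUEUE 0, where Suricata runs in IPS mode (`suricata -q 0`). The backend address 172.17.0.2, the `--link` alias `httpserv`, queue 0 and backend port 12345 are assumed values; by default the script only prints the rules, and applies them only when `IPT=iptables` is set and it runs as root with NET_ADMIN.

```shell
#!/bin/sh
# Added example, not from the thread. Rules that make an IPS container a hop
# in the path: packets arriving on its :80 are DNATed to the linked HTTP
# server (the "httpserv" --link alias, assumed) and every forwarded packet
# is queued to NFQUEUE 0, where Suricata runs in IPS mode with "suricata -q 0".
# Requires the container to have NET_ADMIN (--cap-add NET_ADMIN or
# --privileged) and net.ipv4.ip_forward=1 in its network namespace.
set -eu

# Print (default, IPT unset) or apply (IPT=iptables, as root) the rule set.
# $1 backend IP, $2 backend port, $3 listen port (default 80), $4 queue (0).
ips_rules() {
    backend_ip=$1
    backend_port=$2
    listen_port=${3:-80}
    queue=${4:-0}
    ipt=${IPT:-echo iptables}

    # 1. Redirect inbound connections on the IPS port to the backend.
    $ipt -t nat -A PREROUTING -p tcp --dport "$listen_port" \
        -j DNAT --to-destination "$backend_ip:$backend_port"
    # 2. Hand every forwarded TCP packet (both directions; conntrack reverses
    #    the DNAT on replies) to the queue Suricata listens on. With no
    #    Suricata attached, queued packets are dropped, so start the IPS
    #    before traffic arrives or add --queue-bypass.
    $ipt -A FORWARD -p tcp -j NFQUEUE --queue-num "$queue"
    # 3. Source-NAT towards the backend so its replies come back through
    #    the IPS container rather than straight to the client.
    $ipt -t nat -A POSTROUTING -d "$backend_ip" -p tcp \
        --dport "$backend_port" -j MASQUERADE
}

# Resolve the --link alias inside the IPS container (assumed alias "httpserv").
backend_addr() {
    getent hosts "${1:-httpserv}" | awk '{ print $1; exit }'
}

# Stand-alone use: print the rules for an assumed backend 172.17.0.2:12345.
if [ "${1:-}" = "--print" ]; then
    ips_rules "${2:-172.17.0.2}" "${3:-12345}"
fi
```

Inside the IPS container the backend address would come from `backend_addr httpserv` rather than the assumed literal.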