[Oisf-users] Suricata in container
Saxena, Samiksha
samiksha.saxena at verizon.com
Tue Jun 2 20:13:35 UTC 2015
Installing suricata with load balancer server is kind of working for me, but I am not able to see the dropped packet information.
From: Claudio Kuenzler <ck at claudiokuenzler.com>
Date: Tuesday, June 2, 2015 at 3:41 PM
To: Victor Roemer <viroemer at cisco.com>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>, "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>
Subject: Re: [Oisf-users] Suricata in container
Well, just FYI, I was talking about containers as in LXC (Linux Containers), without another layer added on it like Docker.
Don't know if you can do it with Docker, but it should be possible, too.
On Tue, Jun 2, 2015 at 9:28 PM, Victor Roemer <viroemer at cisco.com> wrote:
I’m still pretty new to docker (just to be clear) and have not tried this yet-
This is how I am planning to deploy IPS for my HTTP server(s)
HTTP server “exposes” its port to other containers only; (not bound to host port)
IPS container "exposes" port 80 and is bound to the host network. IPS container is started with "--link :httpserv" to perform MITM of the server's traffic.
Dockerfile not included; the commands I expect to run would be:
$ docker run -p 127.0.0.1:12345 --name application <http_server_image>
$ docker run -p 80:80 --link application:httpserv --name ips <snort_or_suricata_image>
(YMMV, specifically I'm uncertain of the "--link" option)
From here, it becomes a question of how the IPS container firewall rules are setup (assuming NFQ+daq for my case).
In the example above, I would have to do some sort of NATing (:80 -> 127.0.0.1:12345).
This seems all good; but I still feel like I’m over doing it and that docker may provide a more reasonable
out-of-box magic to ease this further.
________________________________
Otherwise, for passive setups, it should be super easy. Add flags to the docker run command: "--net=host --privileged"
(refer to https://registry.hub.docker.com/u/manell/wireshark/).
On 6/2/15 14:17, Claudio Kuenzler wrote:
Install suricata in the container where you run the loadbalancer and you catch the traffic.
On Jun 2, 2015 8:07 PM, "Saxena, Samiksha" <samiksha.saxena at verizon.com> wrote:
How can I do so? I want the traffic to flow from the internet to the load balancer server (running in a container) to Suricata (running in a separate container) to the application server.
From: Claudio Kuenzler <ck at claudiokuenzler.com>
Date: Tuesday, June 2, 2015 at 2:05 PM
To: "Saxena, Samiksha" <samiksha.saxena at one.verizon.com>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>, Victor Julien <lists at inliniac.net>
Subject: Re: [Oisf-users] Suricata in container
If you use that particular container as reverse proxy for example.
On Jun 2, 2015 4:01 PM, "Saxena, Samiksha" <samiksha.saxena at verizon.com> wrote:
How to make a container a hop in the traffic?
On 6/2/15, 5:46 AM, "Victor Julien" <lists at inliniac.net> wrote:
>On 05/26/2015 11:31 PM, Saxena, Samiksha wrote:
>> Is there a way to configure suricata in container for IPS? I want to
>> forward all the traffic coming from internet to a Load balancer
>> container forwarded to Suricata container for IPS. Is this possible and
>>how?
>
>I think it's possible, if you can make the container a hop in the
>traffic path.
>
>--
>---------------------------------------------
>Victor Julien
>http://www.inliniac.net/
>PGP: http://www.inliniac.net/victorjulien.asc
>---------------------------------------------
>
>_______________________________________________
>Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>Suricata User Conference November 4 & 5 in Barcelona:
>http://oisfevents.net
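As an added illustration (not code from this thread or from any of its participants), this is the firewall setup Victor Roemer sketches above for the IPS container, written as a POSIX shell script: DNAT of host port 80 to the linked application container, plus an NFQUEUE diversion so Suricata in NFQ mode decides whether each forwarded packet is passed or dropped. It assumes the link alias is httpserv (as in his docker run line), the application listens on port 80 inside its container, Suricata runs in the same container as `suricata -q 0`, and the container has the privileges needed for sysctl and iptables; the DRY_RUN switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: firewall setup inside the IPS container (NFQ mode).
# Assumptions: the app container is reachable through the --link alias
# "httpserv" (Docker writes it to /etc/hosts), it listens on port 80,
# and Suricata runs in this container as "suricata -q $QUEUE".
set -eu

APP_HOST="${APP_HOST:-httpserv}"
APP_PORT="${APP_PORT:-80}"
QUEUE="${QUEUE:-0}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = only print the commands that would run

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Resolve the link alias to the application container's IP address.
app_ip() {
    getent hosts "$APP_HOST" | awk '{print $1; exit}'
}

# Make this container the hop: DNAT host port 80 to the app container,
# masquerade the return path, and hand every forwarded packet to NFQUEUE
# so Suricata decides whether it is passed or dropped.
setup_rules() {
    ip="$1"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -j DNAT --to-destination "$ip:$APP_PORT"
    run iptables -t nat -A POSTROUTING -j MASQUERADE
    run iptables -A FORWARD -j NFQUEUE --queue-num "$QUEUE"
}

# Apply for real only when asked, so the file can also be sourced for a dry run.
if [ "${1:-}" = "--apply" ]; then
    setup_rules "$(app_ip)"
fi
```

Run it with `DRY_RUN=1 sh ips-fw.sh --apply` first to review the generated rules; without Suricata attached to the queue, the FORWARD rule holds packets until the queue has a consumer.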