[Oisf-users] Suricata and Dockers

Barkley, Joey Joey.Barkley at ingramcontent.com
Tue Mar 3 22:23:06 UTC 2015


We are running suricata in a docker container right now. I’ve made heavy customizations to it, but it runs very well. The trick to get it working is to use host-based networking with that container.

I based all my work on this container: https://registry.hub.docker.com/u/jasonish/suricata-elk/

I removed Elasticsearch and Kibana from it (we have our own internal nodes) and love EveBox. Look at his Dockerfile and you should see how he does it. I have no problems with performance now that I figured out how to set my YAML file up (thanks to the good folks on this list).

We plan to use this deployment approach to add multiple sensors across our organization. RAM is the biggest bottleneck at this point.


On Mar 3, 2015, at 3:48 PM, Jeripotula, Shashiraj <shashiraj.jeripotula at verizon.com> wrote:

Hi All,

I have asked this question to Victor and Peter, but would like to reach out to larger audience.

Has anyone used Suricata with Docker?

Presently, I have Suricata installed on one of our front-end servers, which hosts application-specific code. So basically, Suricata acts as a host-based IDS/IPS system.

We plan to move to Docker containers, i.e. a single server will host multiple containers. All these containers will host different applications. In this case, does Suricata run on the host server as before, or will it be part of a single container?

I am specifically interested in how Suricata can be “in-line” within a container environment.
If Suricata is run as a container, it will passively share the Linux bridge on the host.

I’m not aware of a way to make Suricata “the next hop” for layer 3 or “inline” at layer 2 to enforce Suricata rulesets without a distributed switch and VLANs in the architecture (since it’s a container, I will not be needing distributed switches or VLANs between each container).

Please advise.


Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/
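The host-networking deployment Joey describes above, written out as an added example; this is not code from either poster nor from the jasonish/suricata-elk image, and the image name, host paths, capability set, the docker0 default and the NFQUEUE variant that addresses Shashiraj's inline question are all my assumptions rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from the jasonish image):
# builds the `docker run` line for a Suricata container that shares the
# host network namespace, which is what lets it capture the host's and the
# other containers' traffic. Image name, paths and capabilities are assumed.

SURI_IMAGE="${SURI_IMAGE:-jasonish/suricata:latest}"   # assumed image name
SURI_CONF="${SURI_CONF:-/etc/suricata}"               # host dir: suricata.yaml + rules
SURI_LOGS="${SURI_LOGS:-/var/log/suricata}"           # host dir for eve.json etc.

# suricata_run_cmd MODE [IFACE]
#   MODE  ids -> sniff IFACE passively (-i IFACE)
#         ips -> read packets from NFQUEUE 0 (-q 0) so verdicts block inline
#   IFACE defaults to docker0, the bridge carrying traffic of containers on
#   Docker's default network (assumption: default bridge networking).
suricata_run_cmd() {
    mode="${1:-ids}"
    iface="${2:-docker0}"
    case "$mode" in
        ids) capture="-i $iface" ;;
        ips) capture="-q 0" ;;
        *) echo "usage: suricata_run_cmd ids|ips [iface]" >&2; return 2 ;;
    esac
    # --net=host is the essential part; the capabilities cover raw capture,
    # NFQUEUE binding and thread priority without resorting to --privileged.
    echo "docker run -d --name suricata --restart unless-stopped" \
         "--net=host" \
         "--cap-add=NET_ADMIN --cap-add=NET_RAW --cap-add=SYS_NICE" \
         "-v ${SURI_CONF}:/etc/suricata:ro" \
         "-v ${SURI_LOGS}:/var/log/suricata" \
         "${SURI_IMAGE} ${capture}"
}

# nfqueue_rule: host-side iptables rule that diverts forwarded traffic
# (bridged container <-> outside) into queue 0 for the ips mode above.
# --queue-bypass keeps forwarding if no Suricata is bound (fail-open).
nfqueue_rule() {
    echo "iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass"
}

# host_sees_iface IFACE: 0 if IFACE exists in the current network namespace.
# Run inside the container: under --net=host this finds the host's docker0
# and physical NICs; under the default bridge only eth0 and lo are visible.
host_sees_iface() {
    [ -d "/sys/class/net/$1" ]
}

# Stand-alone use: `sh this.sh show` prints the commands instead of running them.
if [ "${1:-}" = "show" ]; then
    suricata_run_cmd ids docker0
    nfqueue_rule
    suricata_run_cmd ips
fi
```

The reason `--net=host` is the trick: a container on Docker's default bridge gets its own network namespace with a single veth, so a Suricata inside it would only ever see its own traffic. Sharing the host namespace exposes docker0 (and the physical NICs) for passive capture, and also shares the host's netfilter, so the NFQUEUE rule above plus `-q 0` puts the containerised Suricata inline for traffic forwarded between containers and the outside, with no VLANs or distributed switch involved. On newer Docker releases the rule belongs in the DOCKER-USER chain rather than directly in FORWARD; whether to use `--queue-bypass` (fail-open) or drop it (fail-closed) is a deliberate choice for an IPS.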
