[Oisf-users] Suricata and Dockers

Jason Ish lists at unx.ca
Thu Mar 5 17:40:48 UTC 2015


On Tue, Mar 3, 2015 at 3:48 PM, Jeripotula, Shashiraj
<shashiraj.jeripotula at verizon.com> wrote:
> Hi All,
>
> I have asked this question to Victor and Peter, but would like to reach out
> to larger audience.
>
> Has anyone used Suricata with Dockers ???
>
> Presently, I have Suricata installed on one of our front-end servers, which
> hosts application-specific code. So basically, Suricata acts as a host-based
> IDS/IPS system.

With Docker on that host I think you would do much the same.

> We plan to move to Docker containers, i.e. a single server will host
> multiple containers. All these containers will host different applications.
> In this case, does Suricata run on the host server as before, or will it be
> part of a single container?

Suricata can be run on the host or in a container.  When running in a
container though you must use host networking, and in some cases even
run that container in privileged mode.  You lose some of the
"containerization" aspect of Docker here, but it can still be useful
as it will give it a recreatable Suricata image to use.

I've found that running in IDS mode on the "docker0" interface will
allow you to see inter-container communication, as well as
communication coming and going to the host system.  Of note, the
docker0 interface (bridge) is only visible in a container if you use
--host=net.  Without using host networking, Suricata in a container
will only be able to see traffic to and from that container.

> I am specifically interested in how Suricata can be “in-line” within a
> container environment.

You can use nfqueue on the docker0 interface.  This will allow you to
do inline IPS on traffic leaving your containers to the host OS or
externally.  It will not, at least as far as I know how, let you do
IPS between containers.

My experience so far is with the default, out of the box networking
you get with Docker.  But I do realize that the networking with Docker
is quite flexible and could easily become complex, so adapt as needed
and I'd like to hear your experiences with it.

Jason
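The two deployments described in the reply above (IDS on docker0 with host networking, and inline IPS via nfqueue with host firewall rules), as an added example that is not part of the thread. The image name, config path and queue number are placeholders; the Docker flag for host networking is `--net=host`. In its default dry-run mode the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): assembles the commands for the two setups
# Jason describes, IDS on docker0 and inline IPS via NFQUEUE, both with host
# networking. Image name, config path and queue number are placeholders; the
# Docker flag is --net=host. With DRY_RUN=1 (default) nothing is executed.
SURICATA_IMAGE="${SURICATA_IMAGE:-example/suricata:latest}"   # placeholder image
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}" # assumed host path
BRIDGE_IF="${BRIDGE_IF:-docker0}"
NFQ_NUM="${NFQ_NUM:-0}"
DRY_RUN="${DRY_RUN:-1}"

# Host network namespace so docker0 is visible inside the container, plus the
# capabilities capture and nfnetlink need, rather than a blanket --privileged.
docker_base() {
  printf 'docker run --rm --net=host --cap-add=NET_ADMIN --cap-add=NET_RAW -v %s:%s:ro %s' \
    "$SURICATA_CONF" "$SURICATA_CONF" "$SURICATA_IMAGE"
}

# IDS mode: sniff the bridge; sees container<->container and container<->host.
ids_cmd() { printf '%s suricata -c %s -i %s\n' "$(docker_base)" "$SURICATA_CONF" "$BRIDGE_IF"; }

# IPS mode: Suricata reads packets from the NFQUEUE the host firewall feeds it.
ips_cmd() { printf '%s suricata -c %s -q %s\n' "$(docker_base)" "$SURICATA_CONF" "$NFQ_NUM"; }

# Host iptables rules: FORWARD covers container<->outside, INPUT/OUTPUT cover
# container<->host, both directions so Suricata can track full flows.
# Traffic between containers on the same bridge is switched at layer 2 and
# never reaches these chains, which is why inline IPS does not cover it.
# FAIL_OPEN=1 appends --queue-bypass so packets keep flowing when Suricata is
# not listening; leave it unset to fail closed instead.
nfqueue_rules() {
  bypass=""
  [ "${FAIL_OPEN:-0}" = 1 ] && bypass=" --queue-bypass"
  for chain_dir in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
    printf 'iptables -I %s %s -j NFQUEUE --queue-num %s%s\n' \
      "$chain_dir" "$BRIDGE_IF" "$NFQ_NUM" "$bypass"
  done
}

run_line() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi; }

main() {
  case "${1:-ids}" in
    ids) run_line "$(ids_cmd)" ;;
    ips) nfqueue_rules | while IFS= read -r rule; do run_line "$rule"; done
         run_line "$(ips_cmd)" ;;
    *)   echo "usage: $0 {ids|ips}" >&2; return 2 ;;
  esac
}
main "$@"
```

Run `DRY_RUN=0 sh script.sh ips` as root on the Docker host to apply the rules and start the inline container; without `FAIL_OPEN=1` the queued traffic is dropped whenever Suricata is not running.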
