[Oisf-users] suricata docker container
Jason Ish
lists at ish.cx
Wed Apr 26 14:48:56 UTC 2017
On 26/04/17 07:52 AM, erik clark wrote:
> Is it possible to get Jason Ish's docker container to build against
> af_packet? We are trying to move to docker containers, and af_packet
> support in the container would be very nice.
It is already built against af-packet, for instance you can do:
docker run --rm -it jasonish/suricata:latest --af-packet=eth0
However, that is of questionable usefulness as that interface exists
inside the container and probably doesn't see the traffic you want.
You can probably get around this with host networking:
docker run --net=host --rm -it jasonish/suricata:latest --af-packet=eno1
This exposes the host networking inside the container so you can view
all the interfaces. You might need to add "--privileged" to that command
if you get some errors starting up.
> Also, I need to sniff eve.json with Splunk, but it appears that the
> docker container filesystem is completely segregated. Do I need to run
> the splunk forwarder inside the container somehow get the events off the
> container?
The best way to do this is with volumes. Suricata logs to
/var/log/suricata inside the container, but we can make that a volume on
the host file system, something like:
docker run -v /var/tmp/container/log/suricata:/var/log/suricata \
    --net=host --rm -it jasonish/suricata:latest --af-packet=eno1
Now you will see the logs in /var/tmp/container/log/suricata on the host.
Note that the idiomatic Docker way to do what you want would be to
create a data-only container, map the data-only container into the
Suricata container so logs end up there, and then make another container
for the Splunk forwarder which also has the data-only container mapped in
for viewing the logs. This goes beyond what I've done with the Docker
container as I find it a bit much, but just pointing it out as the
Docker guys used to push this approach. I would just create another
container for the Splunk forwarder and map in the Suricata log directory
like above for reading the logs and forget about the data-only container
unless it's required for your use case.
I hope that gets you a little farther along.
Jason
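As an added example (not code from the thread or from Jason's image), here is the two-container layout described above as a shell script: Suricata with host networking writing to a shared Docker volume, and a second container reading eve.json read-only from that same volume. The interface name, volume name, reader image and capability set are assumptions, and a named volume stands in for the older data-only container pattern.

```shell
#!/bin/sh
# Added example, not from the original thread. Suricata writes to a shared
# Docker volume; a separate log-shipping container reads eve.json from it.
# Assumptions: IFACE, LOG_VOLUME and READER_IMAGE are placeholders (busybox
# tailing the file stands in for a real forwarder image).

IFACE="${IFACE:-eno1}"
LOG_VOLUME="${LOG_VOLUME:-suricata-logs}"
SURICATA_IMAGE="${SURICATA_IMAGE:-jasonish/suricata:latest}"
READER_IMAGE="${READER_IMAGE:-busybox}"

# Suricata needs host networking to see the host's interfaces. Instead of
# --privileged, grant only what packet capture needs; this capability set
# is an assumption, widen it only if the container still fails to start.
suricata_cmd() {
  printf 'docker run -d --name suricata --net=host'
  printf ' --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice'
  printf ' -v %s:/var/log/suricata %s --af-packet=%s\n' \
    "$LOG_VOLUME" "$SURICATA_IMAGE" "$IFACE"
}

# The reader mounts the same volume read-only: a misbehaving or compromised
# shipper must not be able to alter or truncate the logs it forwards.
reader_cmd() {
  printf 'docker run -d --name suricata-log-reader'
  printf ' -v %s:/var/log/suricata:ro %s tail -F /var/log/suricata/eve.json\n' \
    "$LOG_VOLUME" "$READER_IMAGE"
}

# Create the volume, start Suricata, wait for eve.json to appear, then
# start the reader so it never tails a file that does not exist yet.
deploy() {
  docker volume create "$LOG_VOLUME" >/dev/null
  eval "$(suricata_cmd)"
  until docker run --rm -v "$LOG_VOLUME":/var/log/suricata:ro "$READER_IMAGE" \
        test -f /var/log/suricata/eve.json; do
    sleep 1
  done
  eval "$(reader_cmd)"
}

# Only touch Docker when explicitly asked; otherwise just print the commands.
if [ "${1:-}" = "deploy" ]; then
  deploy
else
  suricata_cmd
  reader_cmd
fi
```

Run it with `sh thisscript.sh deploy` to actually start both containers; without the argument it only prints the two docker commands for review.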