[Oisf-users] suricata docker container

Jason Ish lists at ish.cx
Wed Apr 26 14:48:56 UTC 2017

On 26/04/17 07:52 AM, erik clark wrote:
> Is it possible to get Jason Ish's docker container to build against 
> af_packet? We are trying to move to docker containers, and af_packet 
> support in the container would be very nice.

It is already built against af-packet, for instance you can do:

docker run --rm -it jasonish/suricata:latest --af-packet=eth0

However, that is of questionable usefulness as that interface exists 
inside the container and probably doesn't see the traffic you want.

You can probably get around this with host networking:

docker run --net=host --rm -it jasonish/suricata:latest --af-packet=eno1

This exposes the host networking inside the container so you can view 
all the interfaces. You might need to add "--privileged" to that command 
if you get some errors starting up.

> Also, I need to sniff eve.json with Splunk, but it appears that the 
> docker container filesystem is completely segregated. Do I need to run 
> the splunk forwarder inside the container somehow get the events off the 
> container?

The best way to do this is with volumes. Suricata logs to 
/var/log/suricata inside the container, but we can make that a volume on 
the host file system, something like:

docker run -v /var/tmp/container/log/suricata:/var/log/suricata 
--net=host --rm -it jasonish/suricata:latest --af-packet=eno1

Now you will see the logs in /var/tmp/container/log/suricata on the host.

Note that the idiomatic Docker way to do what you want would be to 
create a data-only container, map the data-only container into the 
Suricata container so logs end up there, and then make another container 
for the Splunk forward which also has the data-only container mapped in 
for viewing the logs. This goes beyond what I've done with the Docker 
container as I find it a bit much, but just pointing it out as the 
Docker guys used to push this approach. I would just create another 
container for the Splunk forwarder and map in the Suricata log directory 
like above for reading the logs and forget about the data-only container 
unless its required for your use case.

I hope that gets you a little farther along.

More information about the Oisf-users mailing list