[Oisf-users] Oisf-users Digest, Vol 89, Issue 38

erik clark philosnef at gmail.com
Wed May 17 12:06:41 UTC 2017

Jason, in your repo I see:


Can I just force this to be

and have this work for RHEL7?

I am trying to get this integrated into RH Satellite, but there are some
complications, so it's a bit of a struggle.

> Message: 2
> Date: Wed, 26 Apr 2017 08:48:56 -0600
> From: Jason Ish <lists at ish.cx>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] suricata docker container
> Message-ID: <ac2558a3-2f10-c741-8940-49c77baa6271 at ish.cx>
> Content-Type: text/plain; charset=utf-8; format=flowed
> On 26/04/17 07:52 AM, erik clark wrote:
> > Is it possible to get Jason Ish's docker container to build against
> > af_packet? We are trying to move to docker containers, and af_packet
> > support in the container would be very nice.
> It is already built against af-packet, for instance you can do:
> docker run --rm -it jasonish/suricata:latest --af-packet=eth0
> However, that is of questionable usefulness as that interface exists
> inside the container and probably doesn't see the traffic you want.
> You can probably get around this with host networking:
> docker run --net=host --rm -it jasonish/suricata:latest --af-packet=eno1
> This exposes the host networking inside the container so you can view
> all the interfaces. You might need to add "--privileged" to that command
> if you get some errors starting up.
> > Also, I need to sniff eve.json with Splunk, but it appears that the
> > docker container filesystem is completely segregated. Do I need to run
> > the splunk forwarder inside the container somehow get the events off the
> > container?
> The best way to do this is with volumes. Suricata logs to
> /var/log/suricata inside the container, but we can make that a volume on
> the host file system, something like:
> docker run -v /var/tmp/container/log/suricata:/var/log/suricata
> --net=host --rm -it jasonish/suricata:latest --af-packet=eno1
> Now you will see the logs in /var/tmp/container/log/suricata on the host.
> Note that the idiomatic Docker way to do what you want would be to
> create a data-only container, map the data-only container into the
> Suricata container so logs end up there, and then make another container
> for the Splunk forwarder which also has the data-only container mapped in
> for viewing the logs. This goes beyond what I've done with the Docker
> container as I find it a bit much, but just pointing it out as the
> Docker guys used to push this approach. I would just create another
> container for the Splunk forwarder and map in the Suricata log directory
> like above for reading the logs and forget about the data-only container
> unless it's required for your use case.
> I hope that gets you a little farther along.
> Jason
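The two docker run lines Jason gives above, turned into a small POSIX shell helper, as an added example that is not from the thread or from the jasonish/suricata project: it swaps --privileged for the two capabilities af-packet capture needs (an assumption about what Suricata requires), bind-mounts the host log directory exactly as in the quoted commands, and mounts that same directory read-only into a separate forwarder container. The forwarder image name and the "run" mode are placeholders, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the jasonish/suricata
# project. Assumptions: NET_ADMIN + NET_RAW are enough for af-packet capture
# (instead of --privileged); FORWARDER_IMAGE is a placeholder the operator
# must set to the image of whatever log shipper they use.

# Build the Suricata command: host networking so the container sees the
# host's interfaces, and /var/log/suricata bind-mounted from the host so
# the host (and other containers) can read eve.json.
suricata_run_cmd() {
    iface="$1"
    logdir="$2"
    printf '%s\n' "docker run --rm -d --net=host --cap-add=NET_ADMIN --cap-add=NET_RAW -v ${logdir}:/var/log/suricata jasonish/suricata:latest --af-packet=${iface}"
}

# Build the forwarder command: the same host directory, mounted read-only
# (:ro), so a compromised forwarder cannot alter the evidence it ships.
forwarder_run_cmd() {
    logdir="$1"
    image="${FORWARDER_IMAGE:-FORWARDER_IMAGE_PLACEHOLDER}"
    printf '%s\n' "docker run --rm -d -v ${logdir}:/var/log/suricata:ro ${image}"
}

# Guard: returns 0 only when the log mount in a docker command is read-only.
mount_is_readonly() {
    case "$1" in
        *":/var/log/suricata:ro "*|*":/var/log/suricata:ro") return 0 ;;
    esac
    return 1
}

# Usage (placeholder run mode): sh this.sh run eno1 /var/tmp/container/log/suricata
if [ "${1:-}" = "run" ]; then
    cmd=$(suricata_run_cmd "$2" "$3")
    echo "$cmd"
    eval "$cmd"
    fcmd=$(forwarder_run_cmd "$3")
    if mount_is_readonly "$fcmd"; then
        echo "$fcmd"
        eval "$fcmd"
    else
        echo "refusing to start forwarder: log mount is not read-only" >&2
        exit 1
    fi
fi
```

With no arguments the script only defines the functions, so it can be sourced from another script or inspected before anything is started.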
