[Oisf-users] Oisf-users Digest, Vol 89, Issue 38

Jason Ish lists at unx.ca
Wed May 17 19:03:34 UTC 2017


That should work, but test first. If it works it should continue to work as
those values are pretty static for the life of the distribution.

I'm not familiar with RedHat satellite so can't confirm myself.

Jason

On Wed, May 17, 2017 at 5:06 AM erik clark <philosnef at gmail.com> wrote:

> Jason, in your repo I see:
>
> baseurl=
> https://copr-be.cloud.fedoraproject.org/results/jasonish/suricata-stable/fedora-$releasever-$basearch/
>
> Can I just force this to be
>
> https://copr-be.cloud.fedoraproject.org/results/jasonish/suricata-stable/epel-7-x86_64/
>
> and have this work for RHEL7?
>
> I am trying to get this integrated into RH Satellite, but there are some
> complications, so it's a bit of a struggle.
>
>
>> Message: 2
>> Date: Wed, 26 Apr 2017 08:48:56 -0600
>> From: Jason Ish <lists at ish.cx>
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] suricata docker container
>> Message-ID: <ac2558a3-2f10-c741-8940-49c77baa6271 at ish.cx>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> On 26/04/17 07:52 AM, erik clark wrote:
>> > Is it possible to get Jason Ish's docker container to build against
>> > af_packet? We are trying to move to docker containers, and af_packet
>> > support in the container would be very nice.
>>
>> It is already built against af-packet, for instance you can do:
>>
>> docker run --rm -it jasonish/suricata:latest --af-packet=eth0
>>
>> However, that is of questionable usefulness as that interface exists
>> inside the container and probably doesn't see the traffic you want.
>>
>> You can probably get around this with host networking:
>>
>> docker run --net=host --rm -it jasonish/suricata:latest --af-packet=eno1
>>
>> This exposes the host networking inside the container so you can view
>> all the interfaces. You might need to add "--privileged" to that command
>> if you get some errors starting up.
>>
>> > Also, I need to sniff eve.json with Splunk, but it appears that the
>> > docker container filesystem is completely segregated. Do I need to run
>> > the splunk forwarder inside the container somehow get the events off the
>> > container?
>>
>> The best way to do this is with volumes. Suricata logs to
>> /var/log/suricata inside the container, but we can make that a volume on
>> the host file system, something like:
>>
>> docker run -v /var/tmp/container/log/suricata:/var/log/suricata
>> --net=host --rm -it jasonish/suricata:latest --af-packet=eno1
>>
>> Now you will see the logs in /var/tmp/container/log/suricata on the host.
>>
>> Note that the idiomatic Docker way to do what you want would be to
>> create a data-only container, map the data-only container into the
>> Suricata container so logs end up there, and then make another container
>> for the Splunk forwarder, which also has the data-only container mapped in
>> for viewing the logs. This goes beyond what I've done with the Docker
>> container as I find it a bit much, but just pointing it out as the
>> Docker guys used to push this approach. I would just create another
>> container for the Splunk forwarder and map in the Suricata log directory
>> like above for reading the logs and forget about the data-only container
>> unless it's required for your use case.
>>
>> I hope that gets you a little farther along.
>> Jason
>>
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at lists.openinfosecfoundation.org
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
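As an added example, not code from the thread, from Jason Ish, or from the jasonish/suricata image, here is a small wrapper that covers both questions above: it writes an RHEL 7 .repo file with the baseurl forced to epel-7-x86_64 instead of fedora-$releasever-$basearch, and it runs the container with --net=host and the host-mounted log directory so eve.json can be read from the host (by a Splunk forwarder or anything else), with a check that counts alert events in that file. Names and paths are my own: the gpgkey URL assumes COPR's standard pubkey.gpg layout and should be verified before relying on gpgcheck, and --cap-add=NET_RAW/NET_ADMIN is my least-privilege substitute for the --privileged the reply mentions (CAP_NET_RAW for the packet socket, CAP_NET_ADMIN for promiscuous mode); if capture still fails, fall back to --privileged as described.

```shell
#!/bin/sh
# Added example (not from the thread or the jasonish/suricata image).
# Writes a pinned RHEL 7 .repo file, builds the docker invocation described
# in the reply (host networking + host-mounted log dir), and checks eve.json.

IMAGE="jasonish/suricata:latest"
COPR_BASE="https://copr-be.cloud.fedoraproject.org/results/jasonish/suricata-stable"

# Write a .repo file whose baseurl is pinned to epel-7-x86_64 rather than
# using yum's $releasever/$basearch substitution. The gpgkey path follows
# COPR's usual <results>/<user>/<project>/pubkey.gpg layout; that is an
# assumption, so verify the URL and key fingerprint before trusting it.
write_repo() {
  repo_file="$1"
  cat > "$repo_file" <<EOF
[jasonish-suricata-stable]
name=Copr repo for suricata-stable owned by jasonish
baseurl=${COPR_BASE}/epel-7-x86_64/
enabled=1
gpgcheck=1
gpgkey=${COPR_BASE}/pubkey.gpg
EOF
}

# Build the docker command line. --net=host exposes the host's interfaces
# (e.g. eno1) inside the container; -v maps /var/log/suricata onto the host
# so eve.json is readable there. Instead of --privileged, only the
# capabilities af-packet capture needs are granted (my choice, not the
# thread's): CAP_NET_RAW for the packet socket, CAP_NET_ADMIN for promisc.
# The interface name is validated because the caller evals this string.
suricata_cmd() {
  iface="$1"
  logdir="$2"
  case "$iface" in
    ''|*[!A-Za-z0-9_.:-]*)
      echo "suricata_cmd: invalid interface name: $iface" >&2
      return 1 ;;
  esac
  printf '%s' "docker run --rm -it --net=host --cap-add=NET_RAW --cap-add=NET_ADMIN -v ${logdir}:/var/log/suricata ${IMAGE} --af-packet=${iface}"
}

# Count alert events in an eve.json (one JSON object per line). A forwarder
# normally selects on event_type; grep is used so this works without jq.
# Prints 0 for a file with no alerts or a missing file instead of failing,
# since grep -c alone exits non-zero in both cases.
count_alerts() {
  n=$(grep -c '"event_type": *"alert"' "$1" 2>/dev/null) || true
  printf '%s\n' "${n:-0}"
}

# Usage: sh run-suricata.sh run <iface> [host-log-dir]
# Without "run" the script only defines the functions (it can be sourced).
case "${1:-}" in
  run)
    iface="${2:?interface required}"
    logdir="${3:-/var/tmp/container/log/suricata}"
    mkdir -p "$logdir"
    cmd=$(suricata_cmd "$iface" "$logdir") || exit 1
    echo "+ $cmd"
    eval "exec $cmd"
    ;;
esac
```

Run it as "sh run-suricata.sh run eno1" to start capture with logs landing in /var/tmp/container/log/suricata on the host; a separate forwarder container can then mount that same host directory read-only and tail eve.json, which is the second option the reply describes. To use the repo part, call write_repo /etc/yum.repos.d/jasonish-suricata-stable.repo and confirm that yum resolves the pinned URL before pushing it through Satellite.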