Suricata is an open source IDS, IPS and NSM engine.
For more information, visit the Suricata website or consult the official documentation for technical details.
- For alpine: runs Suricata version 4.0.4 with Docker and Docker Compose.
This is a ready-to-use version of Suricata.
- Install Docker version 17.12.0+
- Install Docker Compose version 1.6.0+
You can now launch the alpine variant. By default, OS_SURICATA is set to alpine in the .env file.
To choose a variant, set the OS_SURICATA environment variable or change the value in the .env file.
Available values:
- alpine
First: start Suricata using docker-compose (you have to be inside the repository to run this):
docker-compose up
To run it in the background:
docker-compose up -d
Once Suricata is launched, you have to redirect all your traffic to Suricata through NFQUEUE.
You need root rights to modify iptables.
If Suricata is installed on a single computer (the first scenario), add these lines:
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE
If Suricata is running on a gateway, add this line:
iptables -I FORWARD -j NFQUEUE
Warning: if you have to stop Suricata, delete these iptables rules before stopping it (replace the asterisk with the right chain name: INPUT, OUTPUT or FORWARD). Packets queued to NFQUEUE with no Suricata process to consume them are dropped, so forgetting this step cuts the host off the network:
iptables -D * -j NFQUEUE
From a client station (your own computer in the first scenario, otherwise a computer on the LAN), run:
curl -A "BlackSun" www.google.com
If the Suricata instance is operating correctly, you should see the following line end up in "fast.log" under /var/log/suricata:
[**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
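To make lines like the one above usable in triage, here is an added shell example (not part of this repository) that extracts the fields of Suricata's fast.log format and counts priority-1 alerts per signature id. The sample log lines are constructed for the example, with made-up timestamps and addresses; on a real host, feed it the contents of /var/log/suricata/fast.log instead.

```shell
#!/bin/sh
# Constructed sample in fast.log shape: timestamp, [gid:sid:rev], message,
# classification, priority, protocol, src -> dst. Addresses/times are made up.
SAMPLE_FASTLOG='04/01/2018-10:15:02.123456  [**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
04/01/2018-10:15:09.654321  [**] [1:9000001:1] TEST ping google [**] [Classification: (null)] [Priority: 3] {ICMP} 192.0.2.10:8 -> 8.8.8.8:0
04/01/2018-10:16:40.000001  [**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.11:40000 -> 203.0.113.5:80'

# fastlog_field LINE FIELD: print one field (sid, msg, class, priority, proto, src, dst)
# of a single fast.log line; prints nothing if the line does not match.
fastlog_field() {
  line=$1
  case $2 in
    sid)      printf '%s\n' "$line" | sed -n 's/.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\].*/\1/p' ;;
    msg)      printf '%s\n' "$line" | sed -n 's/.*\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\].*/\1/p' ;;
    class)    printf '%s\n' "$line" | sed -n 's/.*\[Classification: \([^]]*\)\].*/\1/p' ;;
    priority) printf '%s\n' "$line" | sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p' ;;
    proto)    printf '%s\n' "$line" | sed -n 's/.*{\([A-Z0-9]*\)}.*/\1/p' ;;
    src)      printf '%s\n' "$line" | sed -n 's/.*} \([^ ]*\) -> .*/\1/p' ;;
    dst)      printf '%s\n' "$line" | sed -n 's/.* -> \([^ ]*\)$/\1/p' ;;
  esac
}

# count_priority LOG N: number of alerts at priority N (grep -c exits 1 on zero
# matches, so the count is still printed and the function still returns 0).
count_priority() {
  printf '%s\n' "$1" | grep -c "\[Priority: $2\]" || true
}

# priority1_sids LOG: "sid count" per signature for priority-1 alerts, most frequent first.
priority1_sids() {
  printf '%s\n' "$1" \
    | grep '\[Priority: 1\]' \
    | sed -n 's/.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $2, $1}'
}

# Demo on the constructed sample (replace with: cat /var/log/suricata/fast.log).
echo "priority-1 alerts: $(count_priority "$SAMPLE_FASTLOG" 1)"
priority1_sids "$SAMPLE_FASTLOG"
```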
This Docker image is built from the official alpine image.
The container shares the network of the host.
- Configuration:
The basic Suricata configuration has been changed slightly.
The rules inside the container are now in the folder /var/lib/suricata/rules.
These rules are updated every 6 hours thanks to the new suricata-update tool.
Moreover, the netfilter mode is set to repeat. In this mode every packet is reinjected into iptables after Suricata has inspected it, so the other iptables rules are not bypassed.
- Logs:
Fast, drop and stats logs are enabled. They are written to the /var/log/suricata folder.
All other log types are disabled.
- Rules:
You can add your own rules in the "my.rules" file.
To reload the Suricata rules you can use the reload.sh script, or open a shell inside the container and run the appropriate command:
docker exec -it suricata /bin/bash
suricatasc -c reload-rules
An example rule is included: the message "TEST ping google" will be logged in fast.log if you ping 8.8.8.8 (Google DNS).
If you want to contribute, please do. We handle contributions in the usual way; please read CONTRIBUTING.md for details.
A roadmap is available for future features.
This repository is licensed under MIT.