Suricata Container
This last container we're constructing will run both our Suricata process and the Filebeat process that ships Suricata logs to Elasticsearch. This container needs a bit more customization than the previous ones, since we're building it from the vanilla Ubuntu Docker image.
The Dockerfile does a few things. It updates the apt repositories for the container so we can install more packages, installs the OS tools needed for modifying apt settings, and adds the GPG keys and repository URLs for both Filebeat and Suricata. It then installs Filebeat and Suricata. Lastly, it configures the container to start both the Filebeat and Suricata services and tail the Suricata log once started, which keeps the container running when we detach from it.
The two configurations included in this Docker container directory are for Filebeat and Suricata. The Filebeat configuration file tells Filebeat to read from the Suricata eve.json file and send it off to Logstash for processing. The Suricata configuration handles everything Suricata related, which we'll cover in depth later in the Suricata Configuration section.
There is one specific change to suricata.yaml that we need to make before launching. On line 548 you'll need to change the interface name of the sniffer to the one we discovered back during the OS Configuration steps: change enp8s0 to your sniffer interface name. Future iterations of this project will find a way to do this automatically.
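The suricata.yaml edit above is still a manual step. The following shell script is an added example, not part of this repository, that performs the same substitution before the build and refuses to continue if the enp8s0 placeholder is no longer present, so an image is never built against the wrong sniffer. It assumes the placeholder is still in the file; the YAML fragment and the interface names eth1/eth2 are constructed for its self-check.

```shell
#!/bin/sh
# Added example: swap the placeholder sniffer interface in suricata.yaml
# for the real one before running "docker build". Not project code.
set -eu

# set_sniffer_iface FILE IFACE [PLACEHOLDER]
# Rewrites every "- interface: PLACEHOLDER" capture entry to IFACE.
# Returns 1 when the placeholder is absent (already edited, wrong file).
set_sniffer_iface() {
  file="$1"; iface="$2"; old="${3:-enp8s0}"
  grep -q "^[[:space:]]*- interface: ${old}\$" "$file" || return 1
  tmp="${file}.tmp"
  sed "s/^\([[:space:]]*- interface: \)${old}\$/\1${iface}/" "$file" > "$tmp"
  mv "$tmp" "$file"
}

# count_iface FILE IFACE: number of capture entries now bound to IFACE.
count_iface() {
  grep -c "^[[:space:]]*- interface: $2\$" "$1" || true
}

# sample_yaml: writes a constructed fragment of suricata.yaml (af-packet and
# pcap sections carrying the enp8s0 placeholder) to a temp file, prints path.
sample_yaml() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
af-packet:
  - interface: enp8s0
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
pcap:
  - interface: enp8s0
EOF
  echo "$f"
}

# Usage: sh set_iface.sh /path/to/suricata.yaml <sniffer-iface>
# With no arguments, run a self-check against the constructed sample.
if [ $# -eq 2 ]; then
  set_sniffer_iface "$1" "$2" || { echo "placeholder enp8s0 not found in $1" >&2; exit 1; }
  echo "$(count_iface "$1" "$2") capture entries now bound to $2"
else
  f=$(sample_yaml)
  set_sniffer_iface "$f" eth1
  echo "self-check: $(count_iface "$f" eth1) entries bound to eth1 (expect 2)"
  rm -f "$f"
fi
```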
First, pull the base Ubuntu image that the Dockerfile builds on:
docker pull ubuntu
Change to the Suricata docker directory in this repo and run the docker build command. This builds the suricata Docker image that we'll launch in the next command.
docker build -t suricata .
This docker run command has a lot of the same flags as before and will create our Suricata container and start the required services.
docker run --network=host --hostname=suricata --name=suricata -it suricata