julienyvenat / docker-suricata

Suricata inside a container using Docker

Docker Suricata

Suricata is an Open Source IDS, IPS and NSM engine.

For more information about it, visit their website or consult the official documentation for technical details.

  • For alpine: runs Suricata version 4.0.4 with Docker and Docker Compose.

This is a ready-to-use version of Suricata.

Requirements

Host setup

  1. Install Docker version 17.12.0+
  2. Install Docker Compose version 1.6.0+

Usage

Initial setup

You can launch it from the alpine image. By default, OS_SURICATA is set to alpine inside the .env file.

To choose a base image, set the OS_SURICATA environment variable or change the value inside the .env file.

Available values:

  • alpine

First, start Suricata using docker-compose (you have to be inside the repository directory to do this):

docker-compose up

If you want to run it in the background:

docker-compose up -d

Once Suricata is running, you have to redirect all your traffic to it.

You need root rights to modify iptables.

If Suricata is installed on a single computer, add these lines:

iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE

If Suricata is running on a gateway, add this line:

iptables -I FORWARD -j NFQUEUE

Warning: if you have to stop Suricata, delete these iptables rules before stopping it (replace the asterisk with the chain used above: INPUT, OUTPUT or FORWARD):

iptables -D * -j NFQUEUE
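
The start/stop ordering above, as a small wrapper script. This is an added example and not part of the docker-suricata repository; it assumes it is run from the repository root with docker-compose on PATH, and reads the deployment mode from a SURICATA_MODE variable (host or gateway) and a DRY_RUN switch, both names introduced here.

```shell
#!/bin/sh
# Added example, not part of the docker-suricata repository. Wraps the
# container lifecycle so the NFQUEUE rules go in only after Suricata is up
# and come out before it stops: with no process reading the queue, packets
# sent to NFQUEUE are dropped, so the order matters.
# Assumptions: run from the repository root with docker-compose on PATH;
# SURICATA_MODE is "host" (INPUT/OUTPUT rules) or "gateway" (FORWARD rule).

# Chains that must carry the NFQUEUE rule for a given deployment mode.
nfq_chains() {
    case "$1" in
        host)    echo "INPUT OUTPUT" ;;
        gateway) echo "FORWARD" ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# The iptables command for one chain: "add" inserts the rule, "del" removes it.
nfq_rule() {
    case "$1" in
        add) echo "iptables -I $2 -j NFQUEUE" ;;
        del) echo "iptables -D $2 -j NFQUEUE" ;;
        *)   echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Run every rule command for a mode; with DRY_RUN=1 only print them.
nfq_apply() {
    chains=$(nfq_chains "$2") || return 1
    for chain in $chains; do
        cmd=$(nfq_rule "$1" "$chain") || return 1
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else $cmd; fi
    done
}

start_ids() {
    docker-compose up -d || return 1          # container first ...
    nfq_apply add "${SURICATA_MODE:-host}"    # ... then steer traffic to it
}

stop_ids() {
    nfq_apply del "${SURICATA_MODE:-host}"    # rules out first ...
    docker-compose down                       # ... then stop the container
}

case "${1:-}" in
    start) start_ids ;;
    stop)  stop_ids ;;
esac
```

Run it as `sh suricata-ctl.sh start` and `sh suricata-ctl.sh stop` as root; DRY_RUN=1 prints the iptables commands instead of executing them.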

Verify that it's working

From a client station (your own computer in the first scenario, otherwise a computer on the LAN), run:

curl -A "BlackSun" www.google.com

If the Suricata instance is operating correctly, you should see the following line end up in fast.log under /var/log/suricata:

[**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}

About

Docker

This Docker image is built from the official alpine image.

The container shares the network of the host.

Suricata

  1. Configuration:

The basic configuration of Suricata has been changed slightly.

The rules inside the container are now in the folder /var/lib/suricata/rules.

These rules are updated every 6 hours thanks to the new suricata-update feature.

Moreover, the netfilter mode is set to repeat. This mode reinjects all packets into iptables, so that other iptables rules are not bypassed.

  2. Logs:

Fast, drop and stats logs are enabled. They are in the /var/log/suricata folder.

All other log types are disabled.

  3. Rules:

You can add your own rules in the "my.rules" file.

To reload the Suricata rules you can use the reload.sh script, or launch a shell inside the container and execute the appropriate command:

docker exec -it suricata /bin/bash
suricatasc -c reload-rules

An example rule is set. The message "TEST ping google" will be logged in fast.log if you ping 8.8.8.8 (Google DNS).

Contributing

If you want to contribute, please do. We use pretty much the usual way of handling contributions; please read CONTRIBUTING.md for details.

Roadmap

A roadmap is available for future features.

Licence

This repository is licenced under MIT.
