{"id":13530222,"url":"https://github.com/jasonish/docker-suricata","last_synced_at":"2025-05-16T11:02:28.315Z","repository":{"id":37483986,"uuid":"41530307","full_name":"jasonish/docker-suricata","owner":"jasonish","description":"A Suricata Docker image.","archived":false,"fork":false,"pushed_at":"2025-03-26T17:47:58.000Z","size":217,"stargazers_count":280,"open_issues_count":4,"forks_count":77,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-04-12T08:17:30.348Z","etag":null,"topics":["container","docker","ids","nsm","podman","suricata"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/jasonish/suricata/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jasonish.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-08-28T06:07:44.000Z","updated_at":"2025-04-10T07:47:38.000Z","dependencies_parsed_at":"2024-01-07T13:11:23.009Z","dependency_job_id":"829c3164-e06c-4065-a613-ff32123f0929","html_url":"https://github.com/jasonish/docker-suricata","commit_stats":{"total_commits":173,"total_committers":4,"mean_commits":43.25,"dds":"0.19075144508670516","last_synced_commit":"32783782256eb91ddd4f3e66f28e7eedbbb94958"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonish%2Fdocker-suricata","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonish%2Fdocker-suricata/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/j
asonish%2Fdocker-suricata/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jasonish%2Fdocker-suricata/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jasonish","download_url":"https://codeload.github.com/jasonish/docker-suricata/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254518383,"owners_count":22084374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","docker","ids","nsm","podman","suricata"],"created_at":"2024-08-01T07:00:46.120Z","updated_at":"2025-05-16T11:02:28.262Z","avatar_url":"https://github.com/jasonish.png","language":"Shell","funding_links":[],"categories":["docker","Operations, Monitoring and Troubleshooting"],"sub_categories":[],"readme":"# Suricata Docker Image\n\n## Docker Tags (Suricata Versions)\n\n- master: The latest code from the git master branch\n- latest: The latest release version (currently 7.0)\n- 7.0: The latest 7.0 patch release\n\nSpecific version tags also exist for versions 4.1.5 and newer.\n\nExamples:\n\n    docker pull jasonish/suricata:latest\n    docker pull jasonish/suricata:6.0.15\n\nTags without an architecture like `amd64` or `arm64v8` are multi-architecture\nimage manifests. 
For the most part Docker will do the right thing; however, if\nyou need to pull the image for a specific architecture you can do so by\nselecting a tag with an architecture in the name, for example:\n\n```\ndocker pull jasonish/suricata:latest-amd64\ndocker pull jasonish/suricata:6.0.4-arm64v8\n```\n\n## Alternate Registries\n\nIn addition to Docker Hub, these containers are also pushed to quay.io\nand ghcr.io and can be pulled like:\n\n```\ndocker pull quay.io/jasonish/suricata:latest\n```\n\n```\ndocker pull ghcr.io/jasonish/suricata:latest\n```\n\n## Usage\n\nYou will most likely want to run Suricata on a network interface on\nyour host machine rather than the network interfaces normally provided\ninside a container:\n\n    docker run --rm -it --net=host \\\n        --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \\\n        jasonish/suricata:latest -i \u003cinterface\u003e\n\nBut you will probably want to see what Suricata logs, so you may want\nto start it like:\n\n    docker run --rm -it --net=host \\\n        --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \\\n        -v $(pwd)/logs:/var/log/suricata \\\n        jasonish/suricata:latest -i \u003cinterface\u003e\n\nwhich will map the logs directory (in your current directory) to the\nSuricata log directory in the container so you can view the Suricata\nlogs from outside the container.\n\n## Capabilities\n\nThis container will attempt to run Suricata as a non-root user provided the\ncontainer has the capabilities to do so. In order to monitor a network\ninterface and drop root privileges, the container must have the `sys_nice`,\n`net_admin`, and `net_raw` capabilities. 
If the container detects that it does\nnot have these capabilities, Suricata will be run as root.\n\nDocker example:\n\n    docker run --rm -it --net=host \\\n        --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \\\n        jasonish/suricata:latest -i eth0\n\nPodman example:\n\n    sudo podman run --rm -it --net=host \\\n        --cap-add=net_admin,net_raw,sys_nice \\\n        jasonish/suricata:latest -i eth0\n\nNote that with `podman` adding the capabilities is mandatory.\n\n## Logging\n\nThe directory `/var/log/suricata` is exposed as a volume. Another\ncontainer can attach it by using the `--volumes-from` Docker option.\nFor example:\n\n- Start the Suricata container with a name:\n\n        docker run -it --net=host --name=suricata jasonish/suricata -i enp3s0\n\n- Start a second container with `--volumes-from`:\n\n        docker run -it --net=host --volumes-from=suricata logstash /bin/bash\n\nThis will expose `/var/log/suricata` from the Suricata container as\n`/var/log/suricata` in the Logstash container.\n\n## Log Rotation\n\nRunning `logrotate` inside the Suricata container will do the right thing, for\nexample:\n\n```\ndocker exec CONTAINER_ID logrotate /etc/logrotate.d/suricata\n```\n\nTo test, logrotate can be run in forced, verbose mode:\n\n```\ndocker exec CONTAINER_ID logrotate -vf /etc/logrotate.d/suricata\n```\n\nTo run logrotate automatically, set the `ENABLE_CRON=yes` environment\nvariable and create a `suricata` bash script, with executable\npermissions, in one of the `/etc/cron.*` directories\n(e.g. `/etc/cron.hourly/suricata`):\n\n```\n#! 
/bin/bash\n\nlogrotate /etc/logrotate.d/suricata\n```\n\nThis script could be created in a `Dockerfile` using this one as a\nbase, or bind mounted in as a volume.\n\n## Volumes\n\nThe Suricata container exposes the following volumes:\n\n- `/var/log/suricata` - The Suricata log directory.\n- `/var/lib/suricata` - Rules, Suricata-Update cache and other runtime\n    data that may be useful to retain between runs.\n- `/etc/suricata` - The configuration directory.\n\n\u003e Note: If `/etc/suricata` is a volume, it will be populated with a\n\u003e default configuration from the container.\n\nIf using bind mounts, you may want to have the Suricata user within the\ncontainer match the UID and GID of a user on the host system. This can\nbe done by setting the PUID and PGID environment variables. For\nexample:\n\n    docker run -e PUID=$(id -u) -e PGID=$(id -g)\n\nwhich will result in the bind mounts being owned by the user starting\nthe Docker container.\n\n## Configuration\n\nThe easiest way to provide Suricata a custom configuration is to use a\nhost bind mount for the configuration directory, `/etc/suricata`. It\nwill be populated on the first run of the container. For example:\n\n    mkdir ./etc\n    docker run --rm -it -v $(pwd)/etc:/etc/suricata jasonish/suricata:latest -V\n\nWhen the container exits, `./etc` will be populated with the default\nconfiguration files normally found in `/etc/suricata`.\n\n\u003e Note: The files created in this directory will likely not be owned\n\u003e by the same uid as your host user, so you may need to use sudo to\n\u003e edit these files, or change their permissions.\n\u003e\n\u003e Hopefully this can be fixed.\n\nIn this directory the Suricata configuration can be modified, and\nSuricata-Update files may be placed. It just needs to be provided as a\nvolume in subsequent runs of Suricata. 
For example:\n\n    docker run --rm -it --net=host \\\n        -v $(pwd)/etc:/etc/suricata \\\n        --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \\\n        jasonish/suricata:latest -i eth0\n\n## Environment Variables\n\n### SURICATA_OPTIONS\n\nThe `SURICATA_OPTIONS` environment variable can be used to pass command line\noptions to Suricata. For example:\n\n```\ndocker run --net=host -e SURICATA_OPTIONS=\"-i eno1 -vvv\" jasonish/suricata:latest\n```\n\n## Suricata-Update\n\nThe easiest way to run Suricata-Update is to run it while the\ncontainer is running. For example:\n\nIn one terminal, start Suricata:\n\n    docker run --name=suricata --rm -it --net=host \\\n        --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \\\n        jasonish/suricata:latest -i eth0\n\nThen in another terminal:\n\n    docker exec -it --user suricata suricata suricata-update -f\n\nThis will execute `suricata-update` in the same container that is\nrunning Suricata (note `--name=suricata`), then signal Suricata to\nreload its rules with `suricatasc -c reload-rules`.\n\n## Raspberry Pi\n\nThis image is usable on the Raspberry Pi OS, however due to an\nincompatibility between Raspberry Pi OS and Docker, the timestamps in\nthe logs will be wrong. There are 2 possible fixes to this issue:\n\n- Use the `--privileged` option to Docker\n- Upgrade the libseccomp2 package on Raspberry Pi OS to a newer\n  version from the backports repo.\n\n## HOWTOs\n\n### Initialize a Configuration\n\nRunning with an empty volume at `/etc/suricata/suricata.yaml` will generate\ndefault configuration files. Example:\n\n```\ndocker run --rm -it -v $(pwd)/etc:/etc/suricata jasonish/suricata:latest -V\n```\n\nThis will leave you with a directory containing the default configuration files\nfrom the container.\n\n## Building\n\nThe Dockerfiles and scripts in this repo are designed around building\nmulti-architecture container manifests in a somewhat automated\nfashion. 
Because of this, the Dockerfiles are not usable as-is.\n\nIf all you want to do is build an x86_64 image, the following commands\nshould work:\n\n```\ncd 7.0\ndocker build --build-arg=$(cat VERSION) -f Dockerfile.amd64 .\n```\n\nFor an Arm64 image:\n\n```\ncd 7.0\ndocker build --build-arg=$(cat VERSION) -f Dockerfile.arm64 .\n```\n\nIt is planned to keep the Dockerfiles in a state that is directly\nusable without any wrapper scripts.\n\n### Prepare to Build ARM images on x86_64\n\n```\ndocker run --rm --privileged multiarch/qemu-user-static --reset -p yes\n```\n\n#### On Arch\n\n- Install extra/qemu-user-static-binfmt\n\n## License\n\nThe build scripts, Dockerfiles and any other files in this repo are MIT licensed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjasonish%2Fdocker-suricata","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjasonish%2Fdocker-suricata","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjasonish%2Fdocker-suricata/lists"}