
I've created a docker container with Suricata and Evebox on it. On my host I start with:

ifconfig enp2s0:1 192.168.0.111 netmask 255.255.255.0 up

This sets up a new interface off my existing one. I then run the docker container like so:

docker run --privileged --network host --cap-add NET_ADMIN --cap-add NET_RAW --rm suricata-evebox

I then fire up suricata/evebox with:

mkdir -p /data/evebox
suricata -i enp2s0:1 -D
evebox -v -D /data/evebox --datastore sqlite --input /var/log/suricata/eve.json

Here are the scenarios when running curl http://testmyids.com from machines:

  • Inside a docker container: DETECTS ALERT
  • On the docker host: DETECTS ALERT
  • On a machine on the local network: DOESN'T SEE IT

Is there a way to get Suricata to see all traffic traveling over the network, not just that of the host and the containers?

slm
Fmstrat
Note: I know I could set up the host or a container on the host as a traffic router and then set my DHCP to assign it as the gateway, but I'm looking to see if there are any other solutions that don't require a docker instance to be a failure point for the internal network. – Fmstrat Jun 14 '18 at 23:02

1 Answer

First here's a possible solution that could either be set up on the router itself or on any machine you'd like monitored: https://superuser.com/questions/853077/iptables-duplicate-traffic-to-another-ip

If that's not possible for your use case, there's another option in the form of a switch that can be set up between your router and all the clients; the switch should support port mirroring. You'd then add another NIC to your ids/docker host which would receive all the traffic from the mirrored switch's "WAN" port, which can be passed through to your suricata container.

Nico I
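Whichever option is chosen (iptables duplication or a mirror port), the way to confirm that Suricata now sees the LAN machines is to look at which hosts show up in eve.json alerts. The following shell helper is an added example, not code from the question or the answer; it assumes the standard eve.json keys ("event_type", "src_ip", "dest_ip") and uses a constructed sample file with placeholder addresses (203.0.113.10 stands in for the remote test server) that mirrors the three test cases in the question.

```shell
#!/bin/sh
# Added example: list the hosts involved in Suricata alert events so you can
# verify which machines' traffic the sensor is actually seeing.

# Print the distinct src_ip and dest_ip values of all "alert" events.
# Both sides are collected because the testmyids signature fires on the
# server's response, so the client that ran curl shows up as dest_ip.
alert_hosts() {
    for key in src_ip dest_ip; do
        grep '"event_type": *"alert"' "$1" \
            | sed -n "s/.*\"$key\": *\"\([^\"]*\)\".*/\1/p"
    done | LC_ALL=C sort -u
}

# Exit 0 if at least one alert involved the given IP, 1 otherwise.
saw_alert_from() {
    alert_hosts "$1" | grep -qx "$2"
}

# Constructed sample eve.json (not real sensor output): a container
# (172.17.0.2) and the docker host (192.168.0.111) trigger the testmyids
# signature; the LAN machine (192.168.0.50) only appears in a flow record,
# i.e. Suricata never alerted on its traffic. Prints the temp file path.
make_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
{"timestamp":"2018-06-14T22:58:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"172.17.0.2","alert":{"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2018-06-14T22:58:05.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.0.111","alert":{"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2018-06-14T22:58:09.000000+0000","event_type":"flow","src_ip":"192.168.0.50","dest_ip":"203.0.113.10"}
EOF
    echo "$f"
}
```

Run `alert_hosts /var/log/suricata/eve.json` after running curl from a LAN machine; if that machine's address is absent, the sensor still only sees host and container traffic.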