I've created a docker container with Suricata and Evebox on it. On my host I start with:
ifconfig enp2s0:1 192.168.0.111 netmask 255.255.255.0 up
This sets up a new interface off my existing one. I then run the docker container like so:
docker run --privileged --network host --cap-add NET_ADMIN --cap-add NET_RAW --rm suricata-evebox
I then fire up suricata/evebox with:
mkdir -p /data/evebox
suricata -i enp2s0:1 -D
evebox -v -D /data/evebox --datastore sqlite --input /var/log/suricata/eve.json
Here are the scenarios when running curl http://testmyids.com from machines:
- Inside a docker container: DETECTS ALERT
- On the docker host: DETECTS ALERT
- On a machine on the local network: DOESN'T SEE IT
Is there a way to get Suricata to see all traffic traveling over the network, not just that of the host and the containers?
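A small diagnostic script, added here as an example and not part of the original question, for checking the capture setup before blaming Suricata. It assumes a Linux host with iproute2 and tcpdump available; the interface name, the addresses, and the sample `ip -o link show` line are placeholders constructed for offline use. It does three things: resolves an ifconfig-style alias label like `enp2s0:1` to the base device (the label is an extra address on enp2s0, not a second NIC, so the capture tool should be pointed at `enp2s0`), checks whether the base device's link flags include PROMISC, and builds a BPF expression that excludes the host's own unicast plus broadcast/multicast so that anything tcpdump still prints is genuine third-party traffic reaching the NIC. If that filtered tcpdump shows nothing while another LAN host is talking, the switch is simply not forwarding those frames to this port, and no Suricata option will change that; a SPAN/mirror port or a tap is needed.

```shell
#!/bin/sh
# Capture-visibility checks for a Suricata sensor on a switched LAN.
# Added example, not the poster's code. Assumes Linux + iproute2 + tcpdump;
# all interface names, addresses and sample output below are constructed.

# "enp2s0:1" created with ifconfig is an address label on enp2s0, not a
# separate interface. Capture tools should be given the base device.
base_iface() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Read one line of `ip -o link show <dev>` output on stdin and report
# whether the PROMISC flag is set in the <...> flag list. Exit 0 if set.
is_promisc() {
    grep -q '<[^>]*PROMISC[^>]*>'
}

# Build a BPF filter that removes this host's own unicast traffic plus
# broadcast and multicast. Whatever survives the filter is traffic from
# other hosts that the switch actually delivered to this NIC.
# Usage: third_party_filter <host-ip> [<host-ip> ...]
third_party_filter() {
    filter="not broadcast and not multicast"
    for addr in "$@"; do
        filter="$filter and not host $addr"
    done
    printf '%s\n' "$filter"
}

# Constructed sample in `ip -o link show` format (promiscuous mode on).
SAMPLE_LINK='2: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

main() {
    dev=$(base_iface "enp2s0:1")
    echo "capture device for suricata -i: $dev"

    # In real use replace the sample with: ip -o link show "$dev" | is_promisc
    if printf '%s\n' "$SAMPLE_LINK" | is_promisc; then
        echo "$dev is in promiscuous mode"
    else
        echo "$dev is NOT promiscuous; enable with: ip link set $dev promisc on"
    fi

    # Addresses are placeholders: the sensor's primary IP and the alias IP.
    bpf=$(third_party_filter 192.168.0.10 192.168.0.111)
    echo "verify third-party visibility with:"
    echo "  tcpdump -i $dev -nn -c 20 '$bpf'"
    echo "no output while another LAN host is active => the switch is not"
    echo "forwarding that traffic here; use a SPAN/mirror port or a tap."
}

main
```

Run it as root on the sensor host and, in real use, swap the constructed `SAMPLE_LINK` for live `ip -o link show enp2s0` output. Note that `docker run --network host` already puts Suricata on the host's network namespace, which is why host and container traffic were detected; the remaining gap is purely what the switch delivers to the NIC.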