jasonish / docker-suricata

A Suricata Docker image.
https://hub.docker.com/r/jasonish/suricata/
MIT License

Not working #2

Closed michaelseto closed 7 years ago

michaelseto commented 7 years ago

Started a container, here are the immediate issues I've noticed:

  1. A flood of warnings

1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/botcc.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/ciarmy.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/compromised.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/drop.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/dshield.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-attack_response.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-chat.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-current_events.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-dns.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-dos.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-exploit.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-ftp.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-imap.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-malware.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-misc.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-mobile_malware.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-netbios.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-p2p.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-policy.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-pop3.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-rpc.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-scada.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-scan.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-smtp.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-snmp.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-sql.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-telnet.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-tftp.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-trojan.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-user_agents.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-voip.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-web_client.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-web_server.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/emerging-worm.rules
1/3/2017 -- 00:03:40 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/tor.rules

  2. No log file is generated on the host, even though it was started with the ' -v $(pwd)/logs:/var/log/suricata' parameter

FIX: use '-v /var/log/suricata:/var/log/suricata' instead

  3. IT DOESN'T WORK!! I curl'd testmyids.com from the host, and then I had to get into bash on the container (since it clearly didn't work with the volume parameter above), and reviewed the log file, which was there but reported nothing about testmyids.com !!!

jasonish commented 7 years ago

No log file is generated on the host, even though it was started with the ' -v $(pwd)/logs:/var/log/suricata' parameter
FIX: use '-v /var/log/suricata:/var/log/suricata' instead

The $(pwd) method works for me. Did you use single quotes in your command line? If so, try no quotes or double quotes.

Additionally, if you have selinux enabled you may have to add "--privileged" to your docker run command line.

IT DOESN'T WORK!! I curl'd testmyids.com from the host, and then I had to get into bash on the container (since it clearly didn't work with the volume parameter above), and reviewed the log file, which was there but reported nothing about testmyids.com !!!

Yes, rules were not being added for some reason. I had them commented out, can't remember why. I've re-enabled rule downloads on image build.

I've also updated to Suricata 3.2.1 if you would like to try again (just docker pull jasonish/suricata again).

ghost commented 7 years ago

I think this still doesn't work. I just tested using the same method as above and I don't see any alerts in fast log. What is missing here? Would be good if you can write about what rules are added by default and what needs to be done to really make this image useful.

jasonish commented 7 years ago

No rules are added by default. This is simply Suricata in a container, not Suricata pre-configured in a container. Due to the details of volumes, and sending signals to apps within containers for log rotation I generally don't recommend using this for real-world use. But some people do use this as a base image, and orchestrate all that other stuff like configuration and log rotation as their needs desire.

But generally it's easier to try Suricata outside of a container.

You could:

curl -L https://rules.emergingthreats.net/open/suricata-1.3-enhanced/emerging.rules.tar.gz | tar zxvf -

Then start your container...

docker run --rm -it --privileged --net=host -v $(pwd)/rules:/etc/suricata/rules jasonish/suricata -i eno1 -vvv
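A pre-flight check for the two problems raised in this thread, added here as an example and not part of the docker-suricata project: it rejects a host volume path that was left unexpanded by single quotes or is not absolute (the cause of the missing host log file), and counts the *.rules files in the directory about to be mounted at /etc/suricata/rules, since an empty one produces the SC_ERR_NO_RULES flood above. The function names check_volume_spec and count_rule_files are assumed.

```shell
#!/bin/sh
# Example pre-flight checks (not the project's own code) to run before
#   docker run ... -v <host>:/var/log/suricata -v <host>:/etc/suricata/rules jasonish/suricata

# check_volume_spec HOST:CONTAINER
# Prints a diagnosis and returns 1 when the host side of a -v argument is
# unusable; returns 0 when it is an existing absolute directory.
check_volume_spec() {
    spec="$1"
    host="${spec%%:*}"          # everything before the first ':'
    case "$host" in
        *'$(pwd)'*|*'${PWD}'*|*'$PWD'*)
            # Single-quoting the -v argument stops the shell expanding $(pwd),
            # so Docker receives the literal text and mounts the wrong path.
            echo "unexpanded shell expression in host path: $host (single quotes?)"
            return 1 ;;
        /*) ;;                  # absolute path: fine
        *)
            echo "host path is not absolute: $host"
            return 1 ;;
    esac
    if [ ! -d "$host" ]; then
        echo "host directory does not exist: $host"
        return 1
    fi
    return 0
}

# count_rule_files DIR
# Prints the number of *.rules files in DIR. Zero means Suricata will log
# SC_ERR_NO_RULES for every entry in its rule-files list and alert on nothing.
count_rule_files() {
    dir="$1"
    n=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage, assuming the emerging.rules.tar.gz from the comment above was
# unpacked into ./rules:
#   check_volume_spec "$(pwd)/rules:/etc/suricata/rules" || exit 1
#   [ "$(count_rule_files "$(pwd)/rules")" -gt 0 ] || { echo "no rules"; exit 1; }
```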