search

jasonish / docker-suricata

A Suricata Docker image.
https://hub.docker.com/r/jasonish/suricata/
MIT License
250 stars 76 forks source link

No community_id when using run_pcapfile.py #8

Closed ZikyHD closed 4 years ago

ZikyHD commented 4 years ago

I change my suricata config to add community_id in eve.json, but i can't obtain it when runnning the python script.

python3 ./tools/run-pcapfile.py \ -r /TEST/PCAP/HEARTBLEED/heartbleed.pcap \ -v /TEST/CONFIG/SURICATA:/etc/suricata \ -v /TEST/RESSOURCES/SURICATA:/var/lib/suricata \ --image jasonish/suricata:latest \ -l /TEST/DATA/SURICATA/HEARTBLEED/heartbleed \ -- -k none

{"timestamp":"2014-04-10T21:03:16.424847+0000","flow_id":43317011426500,"event_type":"flow","src_ip":"192.168.11.130","src_port":57534,"dest_ip":"192.168.11.128","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":24,"pkts_toclient":41,"bytes_toserver":2013,"bytes_toclient":53725,"start":"2014-04-10T21:03:16.404676+0000","end":"2014-04-10T21:03:16.424847+0000","age":0,"state":"closed","reason":"shutdown","alerted":true},"metadata":{"flowbits":["ET.HB.Request.SI","ET.HB.Response.CI"],"flowints":{"tls.anomaly.count":4}},"tcp":{"tcp_flags":"1e","tcp_flags_ts":"1e","tcp_flags_tc":"1a","syn":true,"rst":true,"psh":true,"ack":true,"state":"closed"}}

docker run --rm -it \ -v /TEST/CONFIG/SURICATA:/etc/suricata \ -v /TEST/RESSOURCES/SURICATA:/var/lib/suricata \ -v /TEST/DATA/SURICATA/HEARTBLEED/heartbleed:/work/output \ -v /TEST/PCAP/HEARTBLEED/heartbleed.pcap:/input.pcap \ --name=suricata \ -e PUID=$(id -u) -e PGID=$(id -u) \ jasonish/suricata:latest \ -r /input.pcap \ -l /work/output \ -k none

{"timestamp":"2014-04-10T21:03:16.424847+0000","flow_id":560173375827140,"event_type":"flow","src_ip":"192.168.11.130","src_port":57534,"dest_ip":"192.168.11.128","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":24,"pkts_toclient":41,"bytes_toserver":2013,"bytes_toclient":53725,"start":"2014-04-10T21:03:16.404676+0000","end":"2014-04-10T21:03:16.424847+0000","age":0,"state":"closed","reason":"shutdown","alerted":true},"metadata":{"flowbits":["ET.HB.Request.SI","ET.HB.Response.CI"],"flowints":{"tls.anomaly.count":4}},"community_id":"1:RRjeDdsUpeZkWPkkQ953DYkwiRY=","tcp":{"tcp_flags":"1e","tcp_flags_ts":"1e","tcp_flags_tc":"1a","syn":true,"rst":true,"psh":true,"ack":true,"state":"closed"}}

jasonish commented 4 years ago

Thanks for the report. If you pull down the latest master branch this should now be fixed.

Only the last specific -v on the command line was being used, so your custom configuration wasn't being picked up as you had /var/lib/suricata after that. They should now all be used, which was how it is supposed to work.