rysavy-ondrej opened this issue 9 months ago (status: Open)
Docker compose for Suricata:

```yaml
services:
  suricata:
    image: suricata
    container_name: suricata_analysis
    volumes:
      - ./data:/data              # Mounts the directory containing pcap files and Suricata config
      - ./log:/var/log/suricata   # Mounts a directory for Suricata logs
    network_mode: host
    command: >
      -c /data/suricata.yaml
      -r /data/your-pcap-file.pcap
```
Suricata configuration:

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular   # options are regular, syslog or unix_dgram
      filename: eve.json
      types:
        - alert:
            # payload: yes              # to log the payload with the alert
            # payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log
            # payload-printable: yes    # enable dumping payload in printable (escaped) format
        # More log types can be enabled as needed
        - dns:
            version: 2      # version of the DNS log format
            query: yes      # log DNS queries
            answer: yes     # log DNS answers
            # extended: yes # enable this for extended logging information
        - tls:
            extended: yes   # include extended information like fingerprint
        - http:
            extended: yes   # enable this for extended logging information
            # custom: yes   # enable custom logging
            # customformat: "%timestamp% %flow_id% %src_ip% %dest_ip% %src_port% %dest_port% %proto% %http_hostname% %http_url% %http_length%"

app-layer:
  protocols:
    dns:
      enabled: yes
      detection-ports:
        dp: 53
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    http:
      enabled: yes
      detection-ports:
        dp: 80
    # add more ports as required
```
Get the TLS information from the pcap generated by Tria.ge by running the Suricata tool in the container.
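Once the container has written `./log/eve.json`, the TLS records can be pulled out and summarised with a small script. The following is an added example, not code from this issue: it assumes the field names of Suricata's EVE `tls` record (`sni`, `subject`, `issuerdn`, `fingerprint`, `version`, `ja3.hash`) and uses constructed sample lines, including a truncated last line, in place of the real Tria.ge pcap output.

```python
import json
from collections import Counter

# Constructed sample of eve.json lines (not output from the issue's pcap). Field names follow
# Suricata's EVE "tls" record; ja3 appears only when JA3 fingerprinting is enabled in Suricata.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":49152,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","tls":{"subject":"CN=example.com","issuerdn":"C=US, O=Example CA","fingerprint":"aa:bb:cc","sni":"example.com","version":"TLS 1.2","ja3":{"hash":"deadbeefdeadbeefdeadbeefdeadbeef"}}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":49153,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","tls":{"sni":"update.example.net","version":"TLS 1.3","ja3":{"hash":"deadbeefdeadbeefdeadbeefdeadbeef"}}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":49154,"dest_ip":"203.0.113.9","dest_port":8443,"proto":"TCP","tls":{"version":"TLS 1.2","ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"tls","src_ip":"10.0.0.5"
"""

TLS_FIELDS = ("sni", "subject", "issuerdn", "fingerprint", "version", "notbefore", "notafter")


def parse_tls_events(eve_text):
    """Return one flat dict per event_type == 'tls' line; unparsable lines are skipped."""
    records = []
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a truncated last line if Suricata was stopped mid-write
        if ev.get("event_type") != "tls":
            continue
        tls = ev.get("tls", {})
        rec = {"timestamp": ev.get("timestamp"),
               "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
               "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
               "ja3": (tls.get("ja3") or {}).get("hash")}
        for f in TLS_FIELDS:
            rec[f] = tls.get(f)  # None when no cert was seen (e.g. TLS 1.3) or extended logging is off
        records.append(rec)
    return records


def summarize(records):
    """Aggregate what an analyst wants first: JA3 hashes, SNIs, and TLS seen outside port 443."""
    return {
        "ja3": Counter(r["ja3"] for r in records if r["ja3"]),
        "sni": Counter(r["sni"] for r in records if r["sni"]),
        "off_port": [r["dst"] for r in records if not r["dst"].endswith(":443")],
    }


if __name__ == "__main__":
    import sys  # usage: python tls_from_eve.py ./log/eve.json
    recs = parse_tls_events(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE)
    for r in recs:
        print(r["timestamp"], r["src"], "->", r["dst"], r["sni"], r["version"], r["ja3"])
    print(summarize(recs))
```

The `ja3` field is only written when JA3 fingerprinting is enabled in the Suricata `tls` app-layer settings, which the configuration above does not turn on, so expect it to be `None` until that is added.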