Suricata IDS/IPS

advanced

High performance network security monitoring.

Overview

Suricata is an open-source network security monitoring engine that combines intrusion detection system (IDS) and intrusion prevention system (IPS) capabilities in a single high-performance platform. Originally developed by the Open Information Security Foundation (OISF) and launched in 2010, Suricata was designed to handle modern network speeds and traffic volumes while providing deep packet inspection, network security monitoring, and real-time threat detection. Its multi-threaded architecture and hardware acceleration support let it process gigabit network traffic with minimal latency impact.

This Docker deployment configures Suricata to monitor network traffic directly from the host interface using host networking mode, so it can capture and analyze all packets flowing through the designated network interface. The container runs with elevated privileges, specifically the NET_ADMIN, NET_RAW, and SYS_NICE capabilities, which allow Suricata to perform raw packet capture, modify network configuration, and adjust process scheduling for maximum performance. Persistent volumes store both security logs and rule sets, so monitoring data and rule updates survive container restarts.

Network administrators, security operations center (SOC) teams, and cybersecurity professionals will find this configuration useful for comprehensive network monitoring without the complexity of a traditional bare-metal installation. The containerized approach simplifies rule management through suricata-update, produces JSON-formatted logging compatible with SIEM platforms such as the ELK Stack and Splunk, and enables rapid deployment across multiple network segments or environments while keeping monitoring consistent.

Key Features

  • Multi-threaded packet processing engine capable of handling gigabit network speeds
  • Emerging Threats ruleset automatically included with free community rules
  • EVE JSON logging format for structured output compatible with log aggregation platforms
  • Built-in suricata-update tool for automated rule management and signature updates
  • AF_PACKET and NETMAP support for high-performance packet capture methods
  • Hardware acceleration support for Intel DPDK and network card offloading
  • Real-time protocol detection and application layer parsing for HTTP, TLS, DNS, and SSH
  • Lua scripting engine for custom detection logic and output formatting

Common Use Cases

  • Network security monitoring for small to medium enterprises requiring 24/7 threat detection
  • Compliance monitoring for PCI-DSS, HIPAA, and other regulatory frameworks requiring network IDS
  • Incident response teams needing detailed network forensics and packet-level analysis
  • Managed security service providers (MSSPs) deploying consistent monitoring across client networks
  • DevSecOps teams integrating network security monitoring into CI/CD pipeline testing environments
  • Home lab security enthusiasts learning network security monitoring and threat hunting techniques
  • Edge computing deployments requiring lightweight network security monitoring at remote locations

Prerequisites

  • Host system with at least 2GB RAM for basic monitoring (4GB+ recommended for high-traffic networks)
  • Network interface access with promiscuous mode support for packet capture
  • Docker host with privileged container support and capability assignment permissions
  • Understanding of network interfaces and packet capture concepts for proper interface configuration
  • Basic knowledge of Suricata rule syntax for custom signature creation and tuning
  • Log management solution or SIEM platform for processing JSON-formatted security events

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  suricata:
    image: jasonish/suricata:latest
    container_name: suricata
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    volumes:
      - suricata_logs:/var/log/suricata
      - suricata_rules:/var/lib/suricata/rules
    command: -i eth0

volumes:
  suricata_logs:
  suricata_rules:

.env Template

.env
# Configure interface in command
# Update rules: suricata-update

Usage Notes

  1. Docs: https://docs.suricata.io/
  2. Runs in host network mode - change -i eth0 to your interface
  3. Update rules: docker exec suricata suricata-update
  4. Logs in JSON (eve.json) - ideal for ELK/Splunk integration
  5. Enable IPS mode: add --af-packet=eth0 or --netmap
  6. Emerging Threats rules included free - commercial rules available

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  suricata:
    image: jasonish/suricata:latest
    container_name: suricata
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    volumes:
      - suricata_logs:/var/log/suricata
      - suricata_rules:/var/lib/suricata/rules
    command: -i eth0

volumes:
  suricata_logs:
  suricata_rules:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Configure interface in command
# Update rules: suricata-update
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/suricata/run | bash

Troubleshooting

  • Permission denied when accessing network interface: Ensure container has NET_ADMIN and NET_RAW capabilities and verify interface exists on host
  • High CPU usage during packet processing: Reduce ruleset size, enable hardware acceleration, or adjust thread count in suricata.yaml configuration
  • No packets being captured in logs: Verify network interface name matches -i parameter and interface has active traffic flow
  • Rule update failures with suricata-update: Check internet connectivity from container and ensure DNS resolution is working properly
  • EVE JSON logs not appearing: Verify suricata_logs volume mount and check that eve-log output is enabled in suricata configuration
  • Container crashes with memory errors: Increase available RAM or reduce detection engine memory usage through configuration tuning
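The usage notes above point at eve.json as the output to feed into ELK or Splunk, and the troubleshooting list covers the "no packets being captured" case. The following script, an added example that is not part of the docker.recipes kit or the Suricata project, reads EVE JSON from the suricata_logs volume, counts alerts per signature, and checks the capture counters in Suricata's periodic stats events. The sample lines are constructed (local-range sids, invented signature names); point parse_eve at the real /var/log/suricata/eve.json to run it against live output.

```python
"""Triage Suricata EVE JSON (eve.json): count alerts per signature and check
the capture counters in 'stats' events. Added example for this recipe; the
sample lines are constructed (local-range sids, invented signature names)."""
import json
from collections import Counter

SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00+0000","event_type":"stats","stats":{"capture":{"kernel_packets":1200,"kernel_drops":6}}}
{"timestamp":"2024-01-01T10:00:01+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL TEST outbound to blocked port","severity":2}}
{"timestamp":"2024-01-01T10:00:02+0000","event_type":"dns","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-01-01T10:00:03+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL TEST outbound to blocked port","severity":2}}
{"timestamp":"2024-01-01T10:00:04+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.2","proto":"UDP","alert":{"signature_id":1000002,"rev":1,"signature":"LOCAL TEST unexpected UDP service","severity":1}}
{"timestamp":"2024-01-01T10:00:05+0000","event_type":"alert","src_ip":"10.0.0.
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON; returns (events, unparseable_line_count)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # a half-written last line is normal while Suricata is running
    return events, bad


def summarize_alerts(events):
    """Alert counts per (sid, signature, severity), most frequent first."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            counts[(a["signature_id"], a["signature"], a["severity"])] += 1
    return counts.most_common()


def capture_health(events, max_drop_pct=1.0):
    """Use the latest 'stats' event to flag no traffic or excessive kernel drops."""
    stats = [ev for ev in events if ev.get("event_type") == "stats"]
    if not stats:
        return {"ok": False, "reason": "no stats events; check stats output in suricata.yaml"}
    cap = stats[-1]["stats"].get("capture", {})
    packets, drops = cap.get("kernel_packets", 0), cap.get("kernel_drops", 0)
    if packets == 0:
        return {"ok": False, "reason": "no packets captured; check the -i interface"}
    drop_pct = round(100.0 * drops / packets, 2)
    return {"ok": drop_pct <= max_drop_pct, "packets": packets, "drops": drops, "drop_pct": drop_pct}
```

Run it with `events, bad = parse_eve(open("/var/log/suricata/eve.json").read())` and feed the result to both functions; a non-zero kernel_drops ratio above your threshold is the early sign of the CPU or memory tuning issues listed above.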
