$docker.recipes

Suricata IDS/IPS

advanced

High performance network security monitoring.

[i]Overview

Suricata is an open-source network security monitoring engine that combines intrusion detection system (IDS) and intrusion prevention system (IPS) capabilities in a single high-performance platform. Developed by the Open Information Security Foundation (OISF) and first released in 2010, Suricata was designed for modern network speeds and traffic volumes while providing deep packet inspection, network security monitoring, and real-time threat detection. Its multi-threaded architecture and hardware acceleration support let it process gigabit network traffic with minimal latency impact.

This Docker deployment runs Suricata in host networking mode so that it can capture and analyze every packet flowing through the designated host interface. The container is granted the NET_ADMIN, NET_RAW, and SYS_NICE capabilities, which Suricata needs for raw packet capture, network configuration changes, and process scheduling tuning. Persistent volumes hold both the security logs and the rule sets, so monitoring data and rule updates survive container restarts.

Network administrators, security operations center (SOC) teams, and security professionals will find this configuration useful for comprehensive network monitoring without the complexity of a bare-metal installation. The containerized approach simplifies rule management through suricata-update, produces JSON-formatted logs compatible with SIEM platforms such as the ELK Stack and Splunk, and allows rapid, consistent deployment across multiple network segments or environments.

[*]Key Features

  • [+]Multi-threaded packet processing engine capable of handling gigabit network speeds
  • [+]Emerging Threats ruleset automatically included with free community rules
  • [+]EVE JSON logging format for structured output compatible with log aggregation platforms
  • [+]Built-in suricata-update tool for automated rule management and signature updates
  • [+]AF_PACKET and NETMAP support for high-performance packet capture methods
  • [+]Hardware acceleration support for Intel DPDK and network card offloading
  • [+]Real-time protocol detection and application layer parsing for HTTP, TLS, DNS, and SSH
  • [+]Lua scripting engine for custom detection logic and output formatting

[#]Common Use Cases

  • [1]Network security monitoring for small to medium enterprises requiring 24/7 threat detection
  • [2]Compliance monitoring for PCI-DSS, HIPAA, and other regulatory frameworks requiring network IDS
  • [3]Incident response teams needing detailed network forensics and packet-level analysis
  • [4]Managed security service providers (MSSPs) deploying consistent monitoring across client networks
  • [5]DevSecOps teams integrating network security monitoring into CI/CD pipeline testing environments
  • [6]Home lab security enthusiasts learning network security monitoring and threat hunting techniques
  • [7]Edge computing deployments requiring lightweight network security monitoring at remote locations

[!]Prerequisites

  • [!]Host system with at least 2GB RAM for basic monitoring (4GB+ recommended for high-traffic networks)
  • [!]Network interface access with promiscuous mode support for packet capture
  • [!]Docker host with privileged container support and capability assignment permissions
  • [!]Understanding of network interfaces and packet capture concepts for proper interface configuration
  • [!]Basic knowledge of Suricata rule syntax for custom signature creation and tuning
  • [!]Log management solution or SIEM platform for processing JSON-formatted security events

WARNING: For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

[$]docker-compose.yml

[docker-compose.yml]

```yaml
services:
  suricata:
    image: jasonish/suricata:latest
    container_name: suricata
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    volumes:
      - suricata_logs:/var/log/suricata
      - suricata_rules:/var/lib/suricata/rules
    command: -i eth0

volumes:
  suricata_logs:
  suricata_rules:
```

[$].env Template

[.env]

```dotenv
# Configure interface in command
# Update rules: suricata-update
```

[i]Usage Notes

  1. Docs: https://docs.suricata.io/
  2. Runs in host network mode; change `-i eth0` to the name of your capture interface
  3. Update rules: `docker exec suricata suricata-update` (then restart the container or signal a rule reload so the running engine picks up the new rules)
  4. Logs are written in EVE JSON (eve.json), ideal for ELK/Splunk integration
  5. Enable IPS mode: add `--af-packet=eth0` or `--netmap` (inline operation additionally requires the copy-mode/copy-iface settings in suricata.yaml)
  6. Emerging Threats open rules are included free; commercial rulesets are available
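Consuming eve.json downstream, as an added example that is not part of the recipe or of Suricata itself: it reads EVE lines (one JSON object per line, as written to /var/log/suricata/eve.json in the suricata_logs volume), skips malformed lines, and groups alerts at or below a severity threshold by signature. The sample lines, signature IDs and addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed EVE JSON lines in the shape Suricata writes to eve.json
# (one object per line). All values below are made up for this example.
SAMPLE_EVE = """\
{"timestamp":"2024-01-15T10:00:01.000000+0000","flow_id":1,"in_iface":"eth0","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE HTTP policy violation","category":"Policy","severity":3}}
{"timestamp":"2024-01-15T10:00:02.000000+0000","flow_id":2,"in_iface":"eth0","event_type":"dns","src_ip":"10.0.0.5","src_port":53001,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-01-15T10:00:03.000000+0000","flow_id":3,"in_iface":"eth0","event_type":"alert","src_ip":"10.0.0.7","src_port":44444,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-01-15T10:00:04.000000+0000","flow_id":4,"in_iface":"eth0","event_type":"alert","src_ip":"10.0.0.7","src_port":44445,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
this line is not json and must be skipped
"""

def parse_eve(lines):
    """Yield parsed EVE events, skipping blank or malformed lines (a truncated
    write during log rotation must not stop the whole pipeline)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize_alerts(lines, max_severity=2):
    """Group alert events with severity <= max_severity (1 is the most severe
    in Suricata) by (signature_id, signature), with a count and source IPs."""
    summary = {}
    for ev in parse_eve(lines):
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        if alert.get("severity", 3) > max_severity:
            continue
        key = (alert["signature_id"], alert["signature"])
        entry = summary.setdefault(key, {"count": 0, "src_ips": set(), "severity": alert["severity"]})
        entry["count"] += 1
        entry["src_ips"].add(ev["src_ip"])
    return summary

def count_event_types(lines):
    """Per-event-type counts: a quick check that eve-log is emitting all types."""
    return Counter(ev.get("event_type", "unknown") for ev in parse_eve(lines))

if __name__ == "__main__":
    for (sid, sig), e in summarize_alerts(SAMPLE_EVE.splitlines()).items():
        print(f"sev={e['severity']} sid={sid} count={e['count']} src={sorted(e['src_ips'])} {sig}")
    print(dict(count_event_types(SAMPLE_EVE.splitlines())))
```

Point `parse_eve` at `open("/var/log/suricata/eve.json")` on the host path of the suricata_logs volume to run it against real output.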

[>]Quick Start

[terminal]

```bash
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  suricata:
    image: jasonish/suricata:latest
    container_name: suricata
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    volumes:
      - suricata_logs:/var/log/suricata
      - suricata_rules:/var/lib/suricata/rules
    command: -i eth0

volumes:
  suricata_logs:
  suricata_rules:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Configure interface in command
# Update rules: suricata-update
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
```

[>]One-Liner

Run this command to download and set up the recipe in one step:

[terminal]

```bash
curl -fsSL https://docker.recipes/api/recipes/suricata/run | bash
```

[?]Troubleshooting

  • [!]Permission denied when accessing the network interface: ensure the container has the NET_ADMIN and NET_RAW capabilities and verify that the interface exists on the host
  • [!]High CPU usage during packet processing: reduce the ruleset size, enable hardware acceleration, or adjust the thread count in the suricata.yaml configuration
  • [!]No packets being captured in logs: verify that the network interface name matches the -i parameter and that the interface carries active traffic
  • [!]Rule update failures with suricata-update: check internet connectivity from the container and ensure DNS resolution works
  • [!]EVE JSON logs not appearing: verify the suricata_logs volume mount and check that the eve-log output is enabled in the Suricata configuration
  • [!]Container crashes with memory errors: increase available RAM or reduce the detection engine's memory usage through configuration tuning

