Thomas Jensen (https://unsplash.com/@thomasjsn)

Inspect network activity using Suricata and Kibana (SIEM)

version: '2.3'
services:
suri:
container_name: suri
restart: always
logging:
driver: "json-file"
options:
max-size: 10m
max-file: "3"
labels: "production_status"
env: "os"
environment:
- OINKCODE=OPEN
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2006"
volumes:
- /opt/appdata/suricata/:/var/log/suricata
docker compose up -d
https://unsplash.com/@chris_pagan[mika@newton suricata]$ ls -hla /opt/appdata/suricata
total 43G
drwxrwxr-x 2 mika mika 42 May 5 18:09 .
drwxrwxrwx. 23 root root 4.0K May 3 19:24 ..
-rw-r--r-- 1 root root 39G May 5 18:10 eve.json
-rw-r--r-- 1 root root 36K May 5 12:11 suricata.log
$ curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-x86_64.rpm 
$ rpm -vi filebeat-7.6.2-x86_64.rpm
- module: suricata
eve:
enabled: true
var.paths: ["/opt/appdata/suricata/eve.json"]
$ filebeat modules enable suricata
$ filebeat setup

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aymen Furter

I am a Cloud Solution Architect working for Microsoft. The views expressed on this site are mine alone and do not necessarily reflect the views of my employer.