Overview
ravenxcope-suricata-image is the containerized Suricata engine that the sensor launches (Docker launcher). It renders a Suricata configuration from templates at startup based on environment variables.
Entrypoint behavior
docker-entrypoint.sh renders the running config from a template selected by mode:
- Mode: `SURICATA_MODE` (`ids` by default, or `ips`) selects `templates/${mode}.suricata.yaml.tmpl`.
- Capture interface: `INTERFACE1` is required; the container errors out if it is unset.
- Networks: `HOME_NET` defaults to `any`; `EXTERNAL_NET` defaults to `!$HOME_NET`; `INTERNAL_NET` defaults to `$HOME_NET`.
- af-packet: cluster IDs are assigned from `AF_PACKET_CLUSTER_ID_BASE`, else `99`.
- host-os-policy: derived from `HOME_NET` when it is a literal IP/CIDR list; otherwise rendered empty with a warning.

Because the default `HOME_NET` is `any` rather than a literal list, a container started with only `INTERFACE1` set gets an empty host-os-policy block and the warning; set `HOME_NET` to an explicit IP/CIDR list to populate it.
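As an added example (not the project's `docker-entrypoint.sh`), the POSIX shell below re-implements the environment handling described above so the defaults and failure modes can be exercised stand-alone. The function names, the hard error on an unknown `SURICATA_MODE`, the per-interface cluster-id offset, the IPv4-only literal check, the rendered YAML layout and the `linux` policy chosen for a derived host-os-policy are all assumptions; the page itself only specifies the defaults and the empty-with-warning fallback.

```shell
#!/bin/sh
# Illustrative stand-in for the entrypoint's environment handling (added example,
# NOT the project's docker-entrypoint.sh). Function names, the error on an unknown
# mode, the cluster-id offset scheme and the "linux" policy are assumptions.

# SURICATA_MODE picks the template; ids is the default and ips the alternative.
# An unknown mode fails instead of silently falling back (assumed behaviour).
select_template() {
  mode="${1:-ids}"
  case "$mode" in
    ids|ips) printf 'templates/%s.suricata.yaml.tmpl\n' "$mode" ;;
    *) printf 'unsupported SURICATA_MODE: %s\n' "$mode" >&2; return 1 ;;
  esac
}

# INTERFACE1 is mandatory: refuse to start rather than guess a capture device.
require_interface() {
  [ -n "$1" ] || { echo 'INTERFACE1 is required' >&2; return 1; }
  printf '%s\n' "$1"
}

# af-packet cluster id: AF_PACKET_CLUSTER_ID_BASE, else 99, plus a per-interface
# offset (the offset scheme is an assumption for this example).
cluster_id() {
  base="${1:-99}"
  printf '%s\n' "$((base + ${2:-0}))"
}

# Strip the brackets and spaces of a Suricata address group: "[a, b]" -> "a,b".
strip_group() {
  printf '%s' "$1" | sed 's/[][ ]//g'
}

# True when every entry of an address group is a literal IPv4 address or CIDR,
# e.g. "[10.0.0.0/8,192.168.1.0/24]". Variables ("$HOME_NET"), "any" and
# negations are not literal, so no host-os-policy can be derived from them.
# IPv6 literals are out of scope for this example.
is_literal_net_list() {
  list=$(strip_group "$1")
  [ -n "$list" ] || return 1
  old_ifs=$IFS
  IFS=,
  for item in $list; do
    if ! printf '%s' "$item" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
      IFS=$old_ifs
      return 1
    fi
  done
  IFS=$old_ifs
  return 0
}

# host-os-policy: derived from HOME_NET when it is a literal list, otherwise an
# empty block plus a warning on stderr, as the README describes.
render_host_os_policy() {
  if is_literal_net_list "$1"; then
    printf 'host-os-policy:\n  linux: [%s]\n' "$(strip_group "$1")"
  else
    echo "WARNING: HOME_NET=$1 is not a literal IP/CIDR list; host-os-policy rendered empty" >&2
    printf 'host-os-policy: {}\n'
  fi
}

# Assemble the rendered fragment from the environment, applying the documented
# defaults. Fails closed when the template or interface cannot be resolved.
render_config() {
  tmpl=$(select_template "${SURICATA_MODE:-ids}") || return 1
  iface=$(require_interface "$INTERFACE1") || return 1
  home="${HOME_NET:-any}"
  external="${EXTERNAL_NET:-!\$HOME_NET}"
  internal="${INTERNAL_NET:-\$HOME_NET}"
  cid=$(cluster_id "$AF_PACKET_CLUSTER_ID_BASE" 0)
  printf '# rendered from %s\n' "$tmpl"
  printf 'vars:\n  address-groups:\n    HOME_NET: "%s"\n    EXTERNAL_NET: "%s"\n    INTERNAL_NET: "%s"\n' \
    "$home" "$external" "$internal"
  printf 'af-packet:\n  - interface: %s\n    cluster-id: %s\n' "$iface" "$cid"
  render_host_os_policy "$home"
}

# Usage: RENDER_EXAMPLE_MAIN=1 INTERFACE1=eth0 SURICATA_MODE=ips HOME_NET='[10.0.0.0/8]' sh render.sh
if [ "${RENDER_EXAMPLE_MAIN:-0}" = 1 ]; then
  render_config
fi
```

Running it with `INTERFACE1` unset exits non-zero before anything is rendered, and running it with the default `HOME_NET=any` prints the warning and an empty `host-os-policy: {}` block; both match the behaviour listed above, which is the point of keeping the checks as separate functions.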
Layout
| Path | Purpose |
|---|---|
| `docker-entrypoint.sh` | Renders config from template + env, then runs Suricata. |
| `templates/ids.suricata.yaml.tmpl` | IDS-mode config template (af-packet capture). |
| `templates/ips.suricata.yaml.tmpl` | IPS-mode config template (inline). |
| `configs/classification.config` | Alert classification definitions. |
| `configs/reference.config` | Reference URL definitions. |
| `configs/threshold.config` | Thresholding / rate-limiting rules. |
Rules
Detection rules combine community rules and the custom rules served by the backend Suricata rules catalog. The sensor merges these into the ruleset the container loads.