Docker running a NIDS
Has anybody set up and run a NIDS via Docker on their NAS?

Is it possible - (possibly not if I think about it, but ...) ?

If you have what do you use? How hard was it? What did you have to do to get it to work pls?

No. How are you thinking of connecting it into the network? Place the NAS inline and use it as a network gateway, or use an interface to connect to a LAN device?

From experience to run a Network-based IDS device then you would connect it in one of three ways:
  1. Inline: place the IDS appliance in the flow of the traffic being monitored.
    1. This requires interfaces for in and out bound connections.
    2. Usually placed between switches, or firewalls/routers and switches.
    3. As it's a monitor then many appliances offer fail-to-wire/fail-open interfaces so that traffic still flows if the appliance fails. In resilient pairs then the primary would be configured to fail-closed and the backup would fail-open.
  2. Indirect to a switch's SPAN port.
  3. Indirect to a network tap.
    1. Both indirect methods have the copies of the packets sent to the connected IDS appliance it passes the switch/tap.
    2. Failure of the IDS appliance won't affect the flow of traffic.
As an addition:
If you would put a container's network device into promiscuous mode, depending on the network type you will end up being able to monitor only parts of the traffic (see fredbert's response 3.2)
- macvlan/host: no container traffic
- bridge/overlay: no traffic outside the container network as it would only see packages from the "virtual switch" the containers are attached to.

This use case simply doesn't fit the layer docker operates on.
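For anyone who does want to try the SPAN/tap route described above, this is an added example (not from any poster in this thread) of attaching an IDS container to a dedicated monitor NIC on the NAS. It assumes a second NIC (MON_IF) wired to a switch mirror port or tap, a placeholder IDS image name, and a config path on the NAS; host networking is used so the container sees that NIC, which matches the "no container traffic would be fine" trade-off.

```shell
#!/bin/sh
# Added example: run a NIDS container against a SPAN/tap-fed NIC on a NAS.
# Assumptions (placeholders, adjust for your setup):
MON_IF="${MON_IF:-eth1}"                                  # NIC receiving mirrored traffic
IDS_IMAGE="${IDS_IMAGE:-example/snort:3}"                 # placeholder image tag
IDS_CONF="${IDS_CONF:-/volume1/docker/snort/snort.lua}"   # assumed config path on the NAS

# IFF_PROMISC bit (0x100) as exposed in /sys/class/net/<if>/flags on Linux.
IFF_PROMISC=256

# promisc_from_flags HEXFLAGS -> exit 0 if the promiscuous bit is set.
# Split out from the /sys read so it can be checked with a constructed value.
promisc_from_flags() {
    flags=$(( $1 ))
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# Verify the monitor NIC exists and is promiscuous before starting the sensor;
# without promisc the NIC drops frames not addressed to it and the IDS sees
# only broadcast and its own traffic, not the mirrored flows.
check_monitor_if() {
    f="/sys/class/net/$MON_IF/flags"
    [ -r "$f" ] || { echo "no such interface: $MON_IF" >&2; return 1; }
    if promisc_from_flags "$(cat "$f")"; then
        echo "$MON_IF is promiscuous"
    else
        echo "$MON_IF is not promiscuous; run: ip link set $MON_IF promisc on" >&2
        return 1
    fi
}

# Build the docker run command. --network host exposes the host NIC to the
# container; NET_RAW allows packet capture and NET_ADMIN lets the IDS toggle
# promisc itself. No ports are published: a mirror-port sensor is receive-only.
build_run_cmd() {
    printf 'docker run -d --rm --name nids --network host --cap-add NET_RAW --cap-add NET_ADMIN -v %s:/etc/snort/snort.lua:ro %s snort -c /etc/snort/snort.lua -i %s -A alert_fast' \
        "$IDS_CONF" "$IDS_IMAGE" "$MON_IF"
}

# To launch on the NAS:  check_monitor_if && eval "$(build_run_cmd)"
```

The container's alert output can then be written to a volume on the NAS, which is the log stream a later post suggests feeding into a SIEM.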
Thanks All.

I didn't think it was going to be possible, but there are plenty smarter folks than me, so figured it couldn't hurt to ask.

No container traffic would be fine.

I was hoping to do it all in software, but sounds like it might just be not worth the effort.
What are you looking at? Snort? Maybe look at RPi? Enough people looking at that.

The IDS has to be able to keep up with the traffic flow or be able to catchup otherwise it won't be able to do its job. I'd look at a dedicated approach and strip out any unnecessary processes.

I wonder if you can stream the IDS logs to the NAS? Hey you can then try setting up a SIEM too :)

Pretty sure if you got the tap correct, you could run a Docker SIEM to log it all. But it's the capture first that's the tricky bit. I have a couple of switches support mirroring, but the topology would need re-jigging.

I've come to the conclusion - too much grief.

How bad do I want it? .... Not bad enough. (put that one down to just another brainfart.)
I've not used [i.e. bought] many home firewall routers so IDS/IPS may be more prevalent in this sector but I'm happy with Threat Prevention on my RT2600ac. While I knew that there would be lots of drive-by probing of my connection when using my old routers it's the number of blocks on specific potential attacks after scans that's made me set all 'scan' rules to block too.
Yeah. The RT2600 sits inside external gateway in an untrusted setup.

I "believe" the external is pretty good; in so much I don't believe I seen any issues, but then I don't know whether or not I don't know - if you know what I mean. And it doesn't log a lot in the UI.

You're always better off with more than less information. Especially in terms of security.
Indeed. Security spend is like insurance: no one likes it, especially the accounts. Reporting is one way to demonstrate the benefits: it's hard to quantify the cost saving to productivity and infrastructure resources being used for non-business activities (CPU, bandwidth, power, cooling, hosting, etc).
1TB WD Elements USB 3 pocket drive. Far too big by nearly 1TB but I had a thumb drive die from (I think) heat and a ‘proper’ drive was only slightly more expensive. Plus I can always re-use it. Speed-wise I’m on 100Mbps and we still get that.

2-3GB is the guidance for TP, so anything bigger than that should be more than enough.