Hi team, we are attempting to deploy Suricata in a Docker container environment (on AWS EKS) with a container interface. We have set up a couple of rules to alert on LB health checks on the interface and a pre-configured port. The tool doesn't seem to sniff / alert on the traffic even though the health checks are passing. Could you please guide us on the right approach to deploying Suricata with such infra? Thanks
Running Suricata 6.0.0 inside a Docker container with a Docker interface. The tool doesn't seem to sniff traffic.
What version are you running, what does your suricata.yaml look like, and what is your run command?
It’s hard to tell what might be wrong without more details.
This will probably have more to do with the container interfaces than Suricata itself. Are you able to use another tool, such as tcpdump, to verify that the interface(s) you are running Suricata on are seeing the traffic you would like to monitor?