Use live capture mode by default

ANSSI-FR · Jul 23, 2024 · ca88dc7 · ca88dc7
1 parent 0b4d524
commit ca88dc7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -79,8 +79,11 @@ This is fine, but it might add some delay before observing new flows.
 
 You may launch Suricata then the web application using the following:
 ```bash
-# Start Suricata
-./suricata/entrypoint.sh -r input_pcaps --pcap-file-continuous
+# Option A: capture device (fast, for live analysis)
+sudo ./suricata/entrypoint.sh -i tun5
+
+# Option B: pcap read mode (slower, for archives replay)
+./suricata/entrypoint.sh -r input_pcaps
 ```
 
 ```bash

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,9 +8,17 @@ services:
       - "./input_pcaps:/input_pcaps:ro"
       - "./suricata/rules:/suricata/rules:ro"
       - "./suricata/output:/suricata/output:rw"
-    # Remove `--pcap-file-continuous` to see the last few flows, else Suricata
-    # will wait for new pcap before logging them.
-    command: -r /input_pcaps --pcap-file-continuous
+
+    # Option A: capture device (fast, for live analysis)
+    # Drastically reduces ingest delay, but requires access to an interface.
+    command: -i tun5
+    cap_add:
+      - NET_ADMIN
+    network_mode: "host"
+
+    # Option B: pcap read mode (slower, for archives replay)
+    # Add `--pcap-file-continuous` to watch for new pcap in folder.
+    #command: -r /input_pcaps --pcap-file-continuous
 
   webapp:
     build: ./webapp