Snort + Suricata 5G IDS Lab

This repository packages a small 5G-focused IDS lab around three components:

  • snort3 for Snort 3 inline or passive inspection
  • suricata for Suricata inline inspection through NFQUEUE
  • fileagent for updating Snort rule files from outside the container

The project is part of the SAND5G effort:

SAND5G

What This Repository Does

The repository provides:

  • a docker-compose.yml that launches the full stack
  • local Docker build contexts for both Snort and Suricata
  • mounted rule, config, script, and alert directories for each engine
  • a traffic bundle with 5G-focused rules, generators, capture helpers, and replay scripts

The current layout is aimed at experimentation and testbed deployment rather than a polished production package.

Project Index

Top level

| Path | Purpose |
| --- | --- |
| docker-compose.yml | Starts snort3, suricata, and fileagent with host networking and bind-mounted local volumes |
| README.md | Repository documentation |
| LICENSE | MIT license |
| attacks/ids_rules_traffic_bundle.zip | Archived copy of the traffic/rules bundle |

Snort

| Path | Purpose |
| --- | --- |
| snort/src/Dockerfile | Builds Snort 3 from source and installs runtime dependencies |
| snort/src/Dockerfile-modified | Alternate image layer for script-level testing |
| snort/Makefile | Local helper targets for building and rebuilding Snort images |
| snort/volumes/scripts/entrypoint.sh | Container entrypoint; manages iptables rules and starts the monitored Snort runner |
| snort/volumes/scripts/run_snort.sh | Builds the Snort command line from environment variables and launches Snort |
| snort/volumes/scripts/run_snort_notify.sh | Watches the configured rules file and restarts Snort on changes |
| snort/volumes/custom/custom_snort.lua | Default Snort Lua configuration |
| snort/volumes/custom/paper.rules | Local Snort rules file mounted into the container |
| snort/volumes/alerts/alert_json.txt | Example alert output location for Snort |

Suricata

| Path | Purpose |
| --- | --- |
| suricata/src/Dockerfile | Builds Suricata from source with NFQUEUE and AF_PACKET support |
| suricata/src/Dockerfile-modified | Alternate image layer for script-level testing |
| suricata/Makefile | Local helper targets for building and rebuilding Suricata images |
| suricata/volumes/scripts/entrypoint.sh | Container entrypoint; inserts a FORWARD NFQUEUE rule and starts Suricata |
| suricata/volumes/scripts/run_suricata.sh | Launches Suricata with the configured YAML file and queue id |
| suricata/volumes/custom/suricata.yaml | Default Suricata configuration |
| suricata/volumes/custom/paper.rules | Local Suricata rules file mounted into the container |
| suricata/docs/suricata.txt | Local notes/reference material |

Traffic Bundle

| Path | Purpose |
| --- | --- |
| attacks/ids_rules_traffic_bundle/README.md | Usage notes for the bundled rules and generators |
| attacks/ids_rules_traffic_bundle/rules/snort3/5g.rules | Snort 3 rule set for test scenarios |
| attacks/ids_rules_traffic_bundle/rules/suricata/5g.rules | Suricata rule set for test scenarios |
| attacks/ids_rules_traffic_bundle/scripts/gtpu_flood.py | Generates GTP-U flood traffic |
| attacks/ids_rules_traffic_bundle/scripts/amf_storm_sctp.py | Generates SCTP-based AMF registration storm traffic |
| attacks/ids_rules_traffic_bundle/scripts/sbi_scan.sh | Generates HTTP-based SBI scan traffic |
| attacks/ids_rules_traffic_bundle/scripts/capture_pcap.sh | Captures packets to a PCAP file |
| attacks/ids_rules_traffic_bundle/scripts/replay_suricata.sh | Replays traffic for Suricata evaluation |

Architecture

The default compose stack works like this:

  • snort3 runs with host networking and mounts local config, rules, and alerts from ./snort/volumes
  • suricata runs with host networking and mounts local config, rules, and alerts from ./suricata/volumes
  • fileagent exposes port 8000 and watches the Snort rules volume

Both IDS containers run privileged and add packet-processing capabilities. That is necessary for iptables, raw packet access, and inline operation.

Default Runtime Behavior

Snort

The Snort container:

  • starts from snort/volumes/scripts/entrypoint.sh
  • inserts iptables rules that send traffic to NFQUEUE
  • runs run_snort_notify.sh, which watches RULES_FILE
  • restarts run_snort.sh whenever the watched rules file changes

The default compose environment sets:

  • RULES_FILE=/home/snorty/custom/paper.rules
  • INTERFACE=ens3
  • VERBOSE=1
  • SNORT_ALERT_MODE=alert_json
  • SNORT_DAQ_MODE=nfq

Suricata

The Suricata container:

  • starts from suricata/volumes/scripts/entrypoint.sh
  • inserts iptables -I FORWARD -j NFQUEUE --queue-num 2
  • launches run_suricata.sh
  • runs Suricata with -c /home/suricaty/custom/suricata.yaml -q 2 -k none

By default, logs are written under:

  • /home/suricaty/alerts/fast.log
  • /home/suricaty/alerts/eve.json

Quick Start

Start the full stack

docker compose up -d --build

Watch logs

docker compose logs -f

Watch only Suricata:

docker compose logs -f suricata

Watch only Snort:

docker compose logs -f snort3

Stop the stack

docker compose down

Build Images Locally

Snort

make -C snort build
make -C snort rebuild

Default Snort build values:

  • SNORT3_TAG=3.9.1.0
  • IMAGE_NAME=snort-from-scratch
  • MODIFIED_IMAGE_NAME=snort-from-scratch-modified

Suricata

make -C suricata build
make -C suricata rebuild
make -C suricata run

Default Suricata build values:

  • SURICATA_TAG=8.0.2
  • IMAGE_NAME=suricata-package
  • MODIFIED_IMAGE_NAME=suricata-package-modified

Configuration and Mounted Paths

Compose-mounted host paths

  • ./snort/volumes/custom -> /home/snorty/custom
  • ./snort/volumes/alerts -> /home/snorty/alerts
  • ./suricata/volumes/custom -> /home/suricaty/custom
  • ./suricata/volumes/alerts -> /home/suricaty/alerts

Important Snort files

  • snort/volumes/custom/custom_snort.lua
  • snort/volumes/custom/paper.rules
  • snort/volumes/scripts/run_snort.sh

Important Suricata files

  • suricata/volumes/custom/suricata.yaml
  • suricata/volumes/custom/paper.rules
  • suricata/volumes/scripts/run_suricata.sh

Environment Variables

Snort

| Variable | Default | Meaning |
| --- | --- | --- |
| RULES_FILE | /home/snorty/custom/local.rules in image, overridden to /home/snorty/custom/paper.rules in compose | Rules file to watch and load |
| SNORT_CONF_FILE | /home/snorty/custom/custom_snort.lua | Snort configuration file |
| SNORT_ALERTS | /home/snorty/alerts | Output directory for alerts |
| SNORT_ALERT_MODE | alert_json in compose | Snort alert output mode |
| SNORT_DAQ_MODE | nfq in compose | Packet acquisition mode |
| INTERFACE | auto-detected by script if unset | Network interface to monitor |
| QUEUE | 1 in run_snort.sh, overridable | NFQUEUE queue id |
| VERBOSE | 0 in image, 1 in compose | Enables more verbose startup |
| SNORT_DAQ_DEBUG | 0 | Enables DAQ debug output |

Suricata

| Variable | Default | Meaning |
| --- | --- | --- |
| TZ | Europe/Athens in compose | Time zone inside the container |
| VERBOSE | 1 in compose | Verbose container output |
| SURICATA_BIN | suricata | Binary used to start Suricata |
| SURICATA_CMD | same as SURICATA_BIN | Full command override |
| SURICATA_CONFIG | /home/suricaty/custom/suricata.yaml | Suricata configuration file |
| SURICATA_QUEUE | 2 | NFQUEUE queue id |

Traffic and Rule Evaluation

The bundled scenarios cover:

  • GTP-U flooding
  • AMF registration storm over SCTP
  • SBI scanning over HTTP

Validate Suricata rules:

suricata -T \
  -S attacks/ids_rules_traffic_bundle/rules/suricata/5g.rules \
  -c suricata/volumes/custom/suricata.yaml

Validate Snort rules:

snort -c /etc/snort/snort.lua \
  -R attacks/ids_rules_traffic_bundle/rules/snort3/5g.rules \
  -T

Generate example traffic:

python3 attacks/ids_rules_traffic_bundle/scripts/gtpu_flood.py --dst 10.10.0.2 --pps 1200 --seconds 10
python3 attacks/ids_rules_traffic_bundle/scripts/amf_storm_sctp.py --dst 10.10.0.3 --pps 50 --seconds 30
bash attacks/ids_rules_traffic_bundle/scripts/sbi_scan.sh http://10.10.0.4:8000

Replay a PCAP into Suricata:

suricata -r pcaps/ue_flood.pcap \
  -S attacks/ids_rules_traffic_bundle/rules/suricata/5g.rules \
  -l logs/

For more detail, see attacks/ids_rules_traffic_bundle/README.md.
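After a replay, the question is which of the bundled rules actually fired. The following is an added example (not part of the repository) that reads Suricata's eve.json output line by line and counts alerts per signature and per source address; the sample lines, signature ids and names are constructed placeholders, not the contents of the bundle's 5g.rules.

```python
"""Summarize Suricata EVE alerts after a replay (added example, not
repository code): count alerts per signature and per source IP."""
import json
from collections import Counter

# Constructed eve.json sample; sids, names and addresses are placeholders,
# not taken from the bundle's 5g.rules.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0200","event_type":"alert","src_ip":"10.10.0.9","dest_ip":"10.10.0.2","proto":"UDP","alert":{"signature_id":5000001,"signature":"EXAMPLE GTP-U flood","severity":2}}
{"timestamp":"2024-01-01T10:00:00.100000+0200","event_type":"flow","src_ip":"10.10.0.9","dest_ip":"10.10.0.2","proto":"UDP"}
{"timestamp":"2024-01-01T10:00:01.000000+0200","event_type":"alert","src_ip":"10.10.0.9","dest_ip":"10.10.0.2","proto":"UDP","alert":{"signature_id":5000001,"signature":"EXAMPLE GTP-U flood","severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0200","event_type":"alert","src_ip":"10.10.0.7","dest_ip":"10.10.0.4","proto":"TCP","alert":{"signature_id":5000003,"signature":"EXAMPLE SBI scan","severity":3}}
not json at all
"""

def iter_alerts(lines):
    """Yield alert events only; skip other event types and malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial writes happen while Suricata is still running
        if ev.get("event_type") == "alert":
            yield ev

def summarize(lines):
    """Return (Counter by (sid, signature), Counter by src_ip)."""
    by_sig, by_src = Counter(), Counter()
    for ev in iter_alerts(lines):
        alert = ev["alert"]
        by_sig[(alert["signature_id"], alert["signature"])] += 1
        by_src[ev["src_ip"]] += 1
    return by_sig, by_src

def summarize_file(path):
    """Summarize a real eve.json, e.g. logs/eve.json after `suricata -r`."""
    with open(path, encoding="utf-8") as fh:
        return summarize(fh)

if __name__ == "__main__":
    sigs, srcs = summarize(SAMPLE_EVE.splitlines())
    for (sid, name), n in sigs.most_common():
        print(f"{n:6d}  sid:{sid}  {name}")
    for ip, n in srcs.most_common():
        print(f"{n:6d}  alerts from {ip}")
```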

Related Repositories

Notes and Caveats

  • The stack assumes interface names such as ens3 and ogstun; these may need to be changed for your host
  • The Suricata entrypoint currently inserts a broad FORWARD NFQUEUE rule
  • The Suricata entrypoint comments explicitly note that cleanup is not fully functional
  • The Snort and Suricata images are built from source and can take time to build
  • fileagent currently manages the Snort rule volume, not the Suricata rule volume
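The broad FORWARD NFQUEUE rule noted above has two properties worth checking on the host: it queues every forwarded packet regardless of interface or subnet, and without `--queue-bypass` the kernel drops matched packets whenever no process is attached to the queue (so a crashed or restarting IDS takes the forwarded path down with it). This added example (not repository code) audits `iptables -S FORWARD` output for NFQUEUE rules; the sample output is constructed, and the interface names reuse the ens3/ogstun names mentioned above.

```python
"""Audit NFQUEUE rules in `iptables -S` output (added example, not
repository code). Flags unscoped rules and rules without --queue-bypass."""
import shlex

# Constructed `iptables -S FORWARD` output, not captured from a lab host.
SAMPLE_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -j NFQUEUE --queue-num 2
-A FORWARD -i ens3 -o ogstun -j NFQUEUE --queue-num 1 --queue-bypass
-A FORWARD -s 10.10.0.0/24 -j ACCEPT
"""

# Match options that narrow a rule to specific traffic.
SCOPE_FLAGS = {"-i", "-o", "-s", "-d", "-p"}

def audit_nfqueue(rules_text):
    """Return one finding dict per NFQUEUE rule: chain, queue, problems."""
    findings = []
    for line in rules_text.splitlines():
        toks = shlex.split(line)
        if "-j" not in toks or toks[toks.index("-j") + 1] != "NFQUEUE":
            continue
        chain = toks[1] if toks[0] in ("-A", "-I") else "?"
        # --queue-num defaults to 0 when omitted
        queue = toks[toks.index("--queue-num") + 1] if "--queue-num" in toks else "0"
        problems = []
        if not any(f in toks for f in SCOPE_FLAGS):
            problems.append("unscoped: queues all traffic in chain (no -i/-o/-s/-d/-p)")
        if "--queue-bypass" not in toks:
            problems.append("fail-closed: packets dropped when no listener on the queue")
        findings.append({"chain": chain, "queue": queue, "problems": problems})
    return findings

if __name__ == "__main__":
    # On a real host: audit_nfqueue(subprocess.check_output(["iptables", "-S", "FORWARD"], text=True))
    for f in audit_nfqueue(SAMPLE_RULES):
        status = "; ".join(f["problems"]) or "ok"
        print(f"{f['chain']} queue {f['queue']}: {status}")
```

Whether fail-closed is the right behaviour is a design choice (an inline IPS usually wants it); the point is to know which one the inserted rule gives you.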

License

This project is licensed under the MIT License. See LICENSE.
