docker-compose.yml

version: '3.4'

# cf.: https://medium.com/@kinghuang/docker-compose-anchors-aliases-extensions-a1e4105d70bd#f191
#### common partials (needs docker-compose v3.4)
x-proxy: &proxy
  http_proxy: ${http_proxy}
  https_proxy: ${https_proxy}
  no_proxy: ${no_proxy}

x-base: &base
  logging:
    driver: "json-file"
    options:
      max-size: "10m"
      max-file: "5"
  # https://docs.docker.com/compose/compose-file/#restart
  #restart: on-failure # disable restart for development
  # when deployed using docker swarm, cf.: https://docs.docker.com/compose/compose-file/#restart_policy
#########

volumes:
  json-data:    # suricata json input -> logstash
  rules-data:   # scirius rules
  es-data:      # elasticsearch data
  pcap-storage: # store pcaps

services:
  suricata:
    <<: *base
    # Reference:
    # - https://github.com/dtag-dev-sec/tpotce/blob/master/docker/suricata/docker-compose.yml
    # Good suricata images, cf.:
    # - https://github.com/dtag-dev-sec/tpotce/blob/master/docker/suricata/Dockerfile
    # - https://hub.docker.com/r/jasonish/suricata/
    # - https://github.com/StamusNetworks/suricata-docker/blob/master/Dockerfile
    image: suricata-selks
    build:
      context: ./suricata
      args:
        <<: *proxy
        GIT_COMMIT: ${GIT_COMMIT}
        BUILD_ID: ${BUILD_ID}
    network_mode: "host"
    cap_add:
     - NET_ADMIN
     - SYS_NICE
     - NET_RAW
    volumes:
      - ./suricata/config/suricata.yaml:/etc/suricata/suricata.yaml:ro
      - ./suricata/pcap:/pcap
      - json-data:/var/log/suricata/
      - rules-data:/etc/suricata/rules/
      - ./suricata/rules/suricata.rules:/etc/suricata/rules/suricata.rules
      - ./suricata/pcap:/pcap
      - pcap-storage:/pcap
    # You will want to put an actual interface for suricata to listen to here if `eth0`
    # is not to your liking.
    command: bash -c "suricata -c /etc/suricata/suricata.yaml -i eth0"
    # To profile a pcap, use
    #command: bash -c "suricata -c /etc/suricata/suricata.yaml -r /pcap/${PCAPNAME}.pcap"

  elasticsearch:
    <<: *base
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.3.0
    ports: [ '9200:9200', '9300:9300' ]
    volumes: [ 'es-data:/usr/share/elasticsearch/data' ]
    environment:
      # cf.: https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-configuration-methods
      ES_JAVA_OPTS: "-Xms1g -Xmx1g"
      network.host: 0.0.0.0
      node.max_local_storage_nodes: 1
      cluster.name: selks-cluster
      bootstrap.memory_lock: 'true'
      discovery.type: single-node

  logstash:
    <<: *base
    # cf.: https://www.elastic.co/guide/en/logstash/current/docker-config.html
    image: docker.elastic.co/logstash/logstash-oss:6.3.0
    ports:
      - "5044:5044"
      - "9600:9600"
    volumes:
      - ./logstash/pipeline/:/usr/share/logstash/pipeline/
      - json-data:/var/log/suricata:ro
    #hostname: suricata
    depends_on:
      - elasticsearch
    environment:
      LOG_LEVEL: info

  kibana:
    <<: *base
    image: docker.elastic.co/kibana/kibana-oss:6.3.0
    ports: [ '5601:5601' ]
    depends_on: [ elasticsearch ]
    environment:
      # cf.: https://www.elastic.co/guide/en/kibana/current/_configuring_kibana_on_docker.html
      SERVER_NAME: kibana.docker.selks
      ELASTICSEARCH_URL: http://elasticsearch:9200

#  scirius:
#    <<: *base
#    image: stamus/scirius:latest
#    ports:
#      - "8080:8000"
#    volumes:
#      - ./scirius/config:/etc/scirius:ro
#      - rules-data:/etc/suricata/rules:rw
#    environment:
#      <<: *proxy

  evebox:
    <<: *base
    image: jasonish/evebox:latest
    ports:
      - "5636:5636"
    depends_on:
      - elasticsearch
    environment:
      ELASTICSEARCH_URL: http://elasticsearch:9200

  eve:
    <<: *base
    image: busybox
    volumes:
      - json-data:/json
      - pcap-storage:/pcap