Skip to content

Instantly share code, notes, and snippets.

@da667

da667/docker-compose.yml

Last active March 21, 2025 18:52
Show Gist options
  • Save da667/f1a4f3b41470d603bcf592eaf75240e2 to your computer and use it in GitHub Desktop.
Save da667/f1a4f3b41470d603bcf592eaf75240e2 to your computer and use it in GitHub Desktop.
Download ZIP
Streamlined docker-compose.yml for Dalton
Raw
docker-compose.yml
---
services:
controller:
build:
context: .
dockerfile: Dockerfile-dalton
args:
- http_proxy=${http_proxy}
- https_proxy=${https_proxy}
- no_proxy=${no_proxy}
image: dalton:latest
container_name: dalton_controller
# Uncomment the next line to run the app in debug mode
# command: flask --app app run --port=8080 --host=0.0.0.0 --debug
depends_on:
- redis
environment:
- CONTROLLER_DEBUG=${CONTROLLER_DEBUG}
volumes:
- ./app:/opt/dalton/app
- ./rulesets:/opt/dalton/rulesets
- ./engine-configs:/opt/dalton/engine-configs
restart: always
nginx:
build:
context: .
dockerfile: Dockerfile-nginx
args:
- DALTON_EXTERNAL_PORT=${DALTON_EXTERNAL_PORT}
- DALTON_EXTERNAL_PORT_SSL=${DALTON_EXTERNAL_PORT_SSL}
image: nginx-dalton:latest
container_name: dalton_web
depends_on:
- controller
ports:
# external HTTP listen port
# to change, set DALTON_EXTERNAL_PORT in the '.env' file (NOT here)
# default DALTON_EXTERNAL_PORT value: 80
- "${DALTON_EXTERNAL_PORT}:80"
# uncomment below line to expose the external SSL/TLS listener
# to change port, set DALTON_EXTERNAL_PORT_SSL in the '.env' file (NOT here)
# default DALTON_EXTERNAL_PORT_SSL value: 443
# - "${DALTON_EXTERNAL_PORT_SSL}:443"
restart: always
redis:
image: redis:7.4.1
container_name: dalton_redis
restart: always
###########################
###### Dalton Agents ######
###########################
# To add a new, different, or another Agent for a
# particular Suricata or Snort version, just copy
# one of the existing specifications and change the
# version number(s) as necessary. For Suricata this
# is the "SURI_VERSION" arg value; for Snort this is
# the "SNORT_VERSION" arg value (and possibly DAQ_VERSION).
# The service and container name will also need to be
# changed to be unique.
###########################
##### Suricata Agents #####
###########################
# NOTE: Suricata version 4 supports Rust but is optional. To enable Rust
# support for a Suricata 4.x Agent, set the "ENABLE_RUST" arg
# to "--enable-rust". e.g.:
# - ENABLE_RUST=--enable-rust
# Suricata current (latest) from source
agent-suricata-current:
build:
context: ./dalton-agent
dockerfile: Dockerfiles/Dockerfile_suricata
args:
- SURI_VERSION=current
- http_proxy=${http_proxy}
- https_proxy=${https_proxy}
- no_proxy=${no_proxy}
image: suricata-current:latest
container_name: suricata-current
environment:
- AGENT_DEBUG=${AGENT_DEBUG}
restart: always
# Suricata 7.0.3 from source
agent-suricata-7.0.3:
build:
context: ./dalton-agent
dockerfile: Dockerfiles/Dockerfile_suricata
args:
- SURI_VERSION=7.0.3
- http_proxy=${http_proxy}
- https_proxy=${https_proxy}
- no_proxy=${no_proxy}
image: suricata-7.0.3:latest
container_name: suricata-7.0.3
environment:
- AGENT_DEBUG=${AGENT_DEBUG}
restart: always
# Suricata 6.0.20 from source, with Rust support
# agent-suricata-6.0.20:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=6.0.20
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-6.0.20:latest
# container_name: suricata-6.0.20
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 5.0.6 from source, with Rust support
# agent-suricata-5.0.7:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=5.0.7
# - ENABLE_RUST=--enable-rust
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-5.0.7:latest
# container_name: suricata-5.0.7
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 4.1.10 from source, with Rust support
# agent-suricata-4.1.10:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=4.1.10
# - ENABLE_RUST=--enable-rust
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-4.1.10:latest
# container_name: suricata-4.1.10
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 4.0.7 from source
# agent-suricata-4.0.7:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=4.0.7
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-4.0.7:latest
# container_name: suricata-4.0.7
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 3.2.5 from source
# agent-suricata-3.2.5:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=3.2.5
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-3.2.5:latest
# container_name: suricata-3.2.5
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 3.1.4 from source
# agent-suricata-3.1.4:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=3.1.4
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-3.1.4:latest
# container_name: suricata-3.1.4
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 2.0.11 from source
# agent-suricata-2.0.11:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=2.0.11
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-2.0.11:latest
# container_name: suricata-2.0.11
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 2.0 from source
# agent-suricata-2.0:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=2.0
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-2.0:latest
# container_name: suricata-2.0
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 1.4.7 from source
# agent-suricata-1.4.7:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=1.4.7
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-1.4.7:latest
# container_name: suricata-1.4.7
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Suricata 1.3.6 from source
# agent-suricata-1.3.6:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_suricata
# args:
# - SURI_VERSION=1.3.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: suricata-1.3.6:latest
# container_name: suricata-1.3.6
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
###########################
###### Snort Agents #######
###########################
#
# Note: Attempting to build Snort 2.9.0 and 2.9.0.x
# will fail because Autoconf can't find the dnet files.
# This was apparently fixed in Snort > 2.9.1 so if
# you really want a Snort 2.9.0 or 2.9.0.x, feel free
# to build it yourself. The Dalton Agent should work
# fine on it.
#
# Snort 2.9.20 from source
# agent-snort-2.9.20:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.20
# - DAQ_VERSION=2.0.7
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.20:latest
# container_name: snort-2.9.20
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.18 from source
# agent-snort-2.9.18.1:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.18.1
# - DAQ_VERSION=2.0.7
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.18.1:latest
# container_name: snort-2.9.18.1
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# NOTE: Snort 2.9.16 is when DAQ version went to 2.0.7 (from 2.0.6).
# Snort 2.9.15.1 from source
# agent-snort-2.9.15.1:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.15.1
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.15.1:latest
# container_name: snort-2.9.15.1
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.14.1 from source
# agent-snort-2.9.14.1:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.14.1
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.14.1:latest
# container_name: snort-2.9.14.1
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.9.0 from source
# agent-snort-2.9.9.0:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.9.0
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.9.0:latest
# container_name: snort-2.9.9.0
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.8.3 from source
# agent-snort-2.9.8.3:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.8.3
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.8.3:latest
# container_name: snort-2.9.8.3
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.7.5 from source
# agent-snort-2.9.7.5:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.7.5
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.7.5:latest
# container_name: snort-2.9.7.5
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.3.1 from source
# agent-snort-2.9.3.1:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.3.1
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.3.1:latest
# container_name: snort-2.9.3.1
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
# Snort 2.9.1.1 from source
# agent-snort-2.9.1.1:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_snort
# args:
# - SNORT_VERSION=2.9.1.1
# - DAQ_VERSION=2.0.6
# - http_proxy=${http_proxy}
# - https_proxy=${https_proxy}
# - no_proxy=${no_proxy}
# image: snort-2.9.1.1:latest
# container_name: snort-2.9.1.1
# environment:
# - AGENT_DEBUG=${AGENT_DEBUG}
# restart: always
###########################
####### Zeek Agents #######
###########################
# Zeek current (latest) from source
# agent-zeek-current:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_zeek
# args:
# - ZEEK_VERSION=7.0.1
# image: zeek-current:latest
# container_name: zeek-current
# volumes:
# - ./rulesets/zeek:/opt/dalton-agent/zeek_scripts:ro
# restart: always
# agent-zeek-6.0.6:
# build:
# context: ./dalton-agent
# dockerfile: Dockerfiles/Dockerfile_zeek
# args:
# - ZEEK_VERSION=6.0.6
# image: zeek-6.0.6
# container_name: zeek-6.0.6
# volumes:
# - ./rulesets/zeek:/opt/dalton-agent/zeek_scripts:ro
# restart: always
###########################
## Cyberchef Integration ##
###########################
# Official cyberchef docker image, from github container repo (ghcr)
cyberchef:
image: ghcr.io/gchq/cyberchef:latest
container_name: cyberchef_current
hostname: cyberchef_current
restart: always
@da667
Copy link
Author

da667 commented Mar 21, 2025
edited
Loading

This is a streamlined docker-compose.yml for readers of Suricata: An Operator's Guide. This docker-compose.yml replaces the default that ships with dalton. This docker-compose.yml disables Suricata 6, Snort 2.9.x, and Zeek containers, leaving users with suricata-current, and suricata-7.0.3.

Uncomment the lines for the snort-2.9.20 container and/or the zeek-current and zeek-6.0.6 container to re-enable them. Delete/remove/rename the existing docker-compose.yml that ships with dalton and replace it with this one.

cd /opt/dalton
docker-compose stop
docker image remove -f $(sudo docker images -a -q)
docker rm -v -f $(docker ps -qa)
rm -rf docker-compose.yml
wget https://gist.githubusercontent.com/da667/f1a4f3b41470d603bcf592eaf75240e2/raw/2ca49e4e5177e78d74c82549de8f1a62724dfb75/docker-compose.yml -O docker-compose.yml
./start-dalton.sh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment