alert http $HOME_NET any -> $HOME_NET 2375 (msg:"POLICY Inbound Docker Engine API container create from internal source"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.uri; content:"/containers/create"; \
classtype:policy-violation; priority:4; sid:1000231011; rev:1; \
reference:url,docs.docker.com/engine/api/v1.47/; \
metadata:created_at 2026-05-28;)

Ingress · TCP/2375 · SID 1000231011
Info-tier companion to 1000231001. Internal-sourced creates may be legitimate management traffic port-forwarded through a firewall, but are worth logging. Suppress for known management IPs.
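
Before suppressing, it helps to see which internal sources actually trigger the rule. The following is an added example, not part of the original rule set: it tallies EVE JSON alerts for SID 1000231011 by source and emits `threshold.config` suppress entries only for approved hosts. The management addresses and the sample log lines are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

SID = 1000231011  # SID of the rule above

# Assumption: hosts/subnets approved to manage Docker over TCP/2375 (hypothetical).
MANAGEMENT = ["10.0.5.10", "10.0.6.0/28"]

# Constructed EVE JSON lines (sample data, not real traffic).
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"10.0.5.10","dest_port":2375,"alert":{"signature_id":1000231011}}',
    '{"event_type":"alert","src_ip":"10.0.5.10","dest_port":2375,"alert":{"signature_id":1000231011}}',
    '{"event_type":"alert","src_ip":"10.0.6.3","dest_port":2375,"alert":{"signature_id":1000231011}}',
    '{"event_type":"alert","src_ip":"10.0.9.77","dest_port":2375,"alert":{"signature_id":1000231011}}',
    '{"event_type":"alert","src_ip":"10.0.9.78","dest_port":2375,"alert":{"signature_id":1000231001}}',
    '{"event_type":"http","src_ip":"10.0.9.79","dest_port":2375}',
    '{"event_type":"alert","src_ip":"10.0.9.80","dest_po',  # truncated write
])

def triage(eve_text, management=MANAGEMENT, sid=SID):
    """Count alerts for `sid` per source, split into approved and unapproved."""
    nets = [ipaddress.ip_network(m) for m in management]
    approved, unapproved = Counter(), Counter()
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
            src = ipaddress.ip_address(ev["src_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or malformed record
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != sid:
            continue
        bucket = approved if any(src in n for n in nets) else unapproved
        bucket[str(src)] += 1
    return approved, unapproved

def suppress_lines(management=MANAGEMENT, sid=SID):
    """threshold.config entries that silence `sid` for approved sources only."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {m}" for m in management]

if __name__ == "__main__":
    ok, review = triage(SAMPLE_EVE)
    print("approved sources:", dict(ok))
    print("review before suppressing:", dict(review))
    print("\n".join(suppress_lines()))
```

Sources that land in the unapproved tally keep alerting after the suppress entries are loaded, so an unexpected internal host creating containers remains visible.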