alert http $EXTERNAL_NET any -> $HOME_NET 2375 (msg:"ATTACK Inbound Docker Engine API container create from external source"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.uri; content:"/containers/create"; \
classtype:attempted-admin; priority:2; sid:1000231001; rev:2; \
reference:url,docs.docker.com/engine/api/v1.47/; \
metadata:created_at 2026-05-28;)

Ingress · TCP/2375 · SID 1000231001
Fires on any inbound Docker Engine API container-create from an external source. Any external create against a Docker daemon is hostile. Pairs with the info-tier internal rule below.
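
An added example (not part of the original rule set): a Python approximation of this rule's header, method and URI conditions, run over constructed requests to show which ones would alert. The HOME_NET definition (RFC 1918 space) and all sample addresses and paths are assumptions; flow state and Suricata's URI normalization are not modeled.

```python
import ipaddress

# Assumption: HOME_NET is the RFC 1918 space; EXTERNAL_NET is everything else.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def rule_fires(src_ip, dst_ip, dst_port, request_line):
    """Approximate SID 1000231001 for a single client request line."""
    # Header: $EXTERNAL_NET any -> $HOME_NET 2375
    if in_home_net(src_ip) or not in_home_net(dst_ip) or dst_port != 2375:
        return False
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, uri, _version = parts
    # http.method; content:"POST";  (case-sensitive, no nocase keyword)
    if "POST" not in method:
        return False
    # http.uri; content:"/containers/create";  (substring match, not anchored)
    return "/containers/create" in uri


# Constructed sample requests: (label, src, dst, dst_port, request line)
SAMPLES = [
    ("external create", "203.0.113.7", "10.0.5.20", 2375,
     "POST /containers/create HTTP/1.1"),
    ("external create, versioned path", "203.0.113.7", "10.0.5.20", 2375,
     "POST /v1.47/containers/create?name=job1 HTTP/1.1"),
    ("external list", "203.0.113.7", "10.0.5.20", 2375,
     "GET /containers/json HTTP/1.1"),
    ("external start", "203.0.113.7", "10.0.5.20", 2375,
     "POST /containers/abc123/start HTTP/1.1"),
    ("internal create", "10.0.9.4", "10.0.5.20", 2375,
     "POST /containers/create HTTP/1.1"),
    ("external create, other port", "203.0.113.7", "10.0.5.20", 8080,
     "POST /containers/create HTTP/1.1"),
]


def evaluate(samples=SAMPLES):
    return {label: rule_fires(src, dst, port, line)
            for label, src, dst, port, line in samples}


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'ALERT' if fired else 'no alert':8}  {label}")
```

The "internal create" case does not alert here because the source is inside HOME_NET; that traffic is left to the paired internal rule.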