Threat Bus ships as pre-built Docker image. It can be used without any modifications to the host system. The Threat Bus executable is used as the entry-point of the container. You can transparently pass all command line options of Threat Bus to the container.

docker pull tenzir/threatbus:latest
docker run tenzir/threatbus:latest --help

The pre-built image comes with all required dependencies and all existing plugins pre-installed.

Configuration Inside the Container

Threat Bus requires a config file to operate. That file has to be made available inside the container, for example via mounting it.

The working directory inside the container is /opt/tenzir/threatbus. To mount a local file named my-custom-config.yaml from the current directory into the container, use the --volume (-v) flag.

docker run -v $PWD/my-custom-config.yaml:/opt/tenzir/threatbus/my-custom-config.yaml tenzir/threatbus:latest -c my-custom-config.yaml

See the configuration section to get started with a custom config file or refer to the detailed plugin documentation for fine tuning.

Port Bindings

Depending on the installed plugins, Threat Bus binds ports to the host system. The used ports are defined in your configuration file. When running Threat Bus inside a container, the container needs to bind those ports to the host system. Use the --port (-p) flag repeatedly for all ports you need to bind.

docker run -p 47661:47661 -p 12345:12345 -v $PWD/config.yaml:/opt/tenzir/threatbus/config.yaml tenzir/threatbus:latest -c config.yaml