dockerfiles/snort/README.md

snort
=====

![](https://badge.imagelayers.io/vimagick/snort:latest.svg)

[Snort][1] is an open source intrusion prevention system capable of real-time
traffic analysis and packet logging.

```yaml
snort:
  image: vimagick/snort
  command: -q -c /etc/snort/snort.conf -y -i eth0
  volumes:
    - ./data/snort.conf:/etc/snort/snort.conf
    - ./data/u2json.conf:/etc/snort/u2json.conf
    - ./data/rules:/etc/snort/rules
    - ./data/log:/var/log/snort
  cap_add:
    - NET_ADMIN
  net: host
  restart: unless-stopped
```

```bash
# /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
```

```bash
$ docker-compose up -d

$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf
INFO: Loaded 523 rule message map entries.
INFO: Loaded 38 classifications.

$ tail -f data/log/alert.json
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000000,"sensor-id":0,"impact-flag":0,"sport-itype":8,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"1.2.3.4","event-id":55,"mpls-label":null,"vlan-id":null,"source-ip":"5.6.7.8","event-microsecond":905105,"blocked":0}}
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000001,"sensor-id":0,"impact-flag":0,"sport-itype":0,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"5.6.7.8","event-id":56,"mpls-label":null,"vlan-id":null,"source-ip":"1.2.3.4","event-microsecond":905126,"blocked":0}}

$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done
```

[1]: https://snort.org/
update 2015-09-03 04:08:27 +02:00			`snort`
			`=====`
add snort 2015-09-02 19:58:29 +02:00
			`![](https://badge.imagelayers.io/vimagick/snort:latest.svg)`

fix snort 2020-06-08 07:20:41 +02:00			`[Snort][1] is an open source intrusion prevention system capable of real-time`
add snort 2015-09-02 19:58:29 +02:00			`traffic analysis and packet logging.`

update snort 2018-08-26 08:55:20 +02:00			```yaml
			`snort:`
			`image: vimagick/snort`
update snort 2020-06-08 08:16:46 +02:00			`command: -q -c /etc/snort/snort.conf -y -i eth0`
update snort 2018-08-26 08:55:20 +02:00			`volumes:`
			`- ./data/snort.conf:/etc/snort/snort.conf`
update snort 2020-06-08 08:16:46 +02:00			`- ./data/u2json.conf:/etc/snort/u2json.conf`
update snort 2018-08-26 08:55:20 +02:00			`- ./data/rules:/etc/snort/rules`
			`- ./data/log:/var/log/snort`
			`cap_add:`
			`- NET_ADMIN`
			`net: host`
			`restart: unless-stopped`
			```
update 2015-09-03 04:08:27 +02:00
update snort 2018-08-26 08:55:20 +02:00			```bash
			`# /etc/snort/rules/local.rules`
			`alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)`
			`alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)`
update 2015-09-03 04:08:27 +02:00			```
update snort 2018-08-26 08:55:20 +02:00
			```bash
			`$ docker-compose up -d`
update snort 2018-08-26 09:15:42 +02:00
update snort 2020-06-08 08:38:25 +02:00			`$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf`
			`INFO: Loaded 523 rule message map entries.`
			`INFO: Loaded 38 classifications.`
update snort 2020-06-08 08:16:46 +02:00
update snort 2020-06-08 08:38:25 +02:00			`$ tail -f data/log/alert.json`
			`{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000000,"sensor-id":0,"impact-flag":0,"sport-itype":8,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"1.2.3.4","event-id":55,"mpls-label":null,"vlan-id":null,"source-ip":"5.6.7.8","event-microsecond":905105,"blocked":0}}`
			`{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000001,"sensor-id":0,"impact-flag":0,"sport-itype":0,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"5.6.7.8","event-id":56,"mpls-label":null,"vlan-id":null,"source-ip":"1.2.3.4","event-microsecond":905126,"blocked":0}}`
update snort 2018-08-26 12:48:38 +02:00
update snort 2020-06-08 08:16:46 +02:00			`$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done`
update 2015-09-03 04:08:27 +02:00			```

add snort 2015-09-02 19:58:29 +02:00			`[1]: https://snort.org/`