update snort
This commit is contained in:
parent
f1bf999ae3
commit
5d82ab0460
@ -22,9 +22,12 @@ RUN set -xe \
|
|||||||
/etc/snort/preproc_rules \
|
/etc/snort/preproc_rules \
|
||||||
/usr/local/lib/snort_dynamicrules \
|
/usr/local/lib/snort_dynamicrules \
|
||||||
&& ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \
|
&& ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \
|
||||||
|
&& curl -sSL https://bootstrap.pypa.io/get-pip.py | python \
|
||||||
|
&& pip install idstools \
|
||||||
&& yum clean all
|
&& yum clean all
|
||||||
|
|
||||||
COPY data/snort.conf /etc/snort/snort.conf
|
COPY data/snort.conf /etc/snort/snort.conf
|
||||||
|
COPY data/u2json.conf /etc/snort/u2json.conf
|
||||||
|
|
||||||
ENTRYPOINT ["snort"]
|
ENTRYPOINT ["snort"]
|
||||||
CMD ["--help"]
|
CMD ["--help"]
|
||||||
|
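Review bot: The new `&& curl -sSL https://bootstrap.pypa.io/get-pip.py | python \` line executes an unverified remote script as root at build time, and the following `&& pip install idstools \` is unpinned, so the image is neither reproducible nor protected against a compromise or a breaking release of either endpoint. Download the bootstrapper to a file and check it before running it, then pin the package to the version you tested: `&& curl -fsSL --proto '=https' --tlsv1.2 -o /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py \`, `&& echo "<sha256>  /tmp/get-pip.py" | sha256sum -c - \`, `&& python /tmp/get-pip.py && rm /tmp/get-pip.py && pip install 'idstools==<pinned-version>' \`. Since this RUN already uses yum, installing pip from the distribution repository is a simpler alternative if the base image provides it. The RUN instruction starts before and ends after this hunk.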
@ -9,9 +9,10 @@ traffic analysis and packet logging.
|
|||||||
```yaml
|
```yaml
|
||||||
snort:
|
snort:
|
||||||
image: vimagick/snort
|
image: vimagick/snort
|
||||||
command: -q -c /etc/snort/snort.conf -A fast -y -i eth0
|
command: -q -c /etc/snort/snort.conf -y -i eth0
|
||||||
volumes:
|
volumes:
|
||||||
- ./data/snort.conf:/etc/snort/snort.conf
|
- ./data/snort.conf:/etc/snort/snort.conf
|
||||||
|
- ./data/u2json.conf:/etc/snort/u2json.conf
|
||||||
- ./data/rules:/etc/snort/rules
|
- ./data/rules:/etc/snort/rules
|
||||||
- ./data/log:/var/log/snort
|
- ./data/log:/var/log/snort
|
||||||
cap_add:
|
cap_add:
|
||||||
@ -29,6 +30,8 @@ alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
|
|||||||
```bash
|
```bash
|
||||||
$ docker-compose up -d
|
$ docker-compose up -d
|
||||||
|
|
||||||
|
$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf --stdout
|
||||||
|
|
||||||
$ tail -f data/log/alert
|
$ tail -f data/log/alert
|
||||||
snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
|
snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
|
||||||
snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x
|
snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x
|
||||||
@ -37,7 +40,7 @@ $ tcpdump -n -r data/log/snort.log.xxx
|
|||||||
06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
|
06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
|
||||||
06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12
|
06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12
|
||||||
|
|
||||||
$ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done
|
$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done
|
||||||
```
|
```
|
||||||
|
|
||||||
[1]: https://snort.org/
|
[1]: https://snort.org/
|
||||||
|
@ -521,8 +521,8 @@ preprocessor reputation: \
|
|||||||
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
|
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
|
||||||
|
|
||||||
# Additional configuration for specific types of installs
|
# Additional configuration for specific types of installs
|
||||||
# output alert_unified2: filename snort.alert, limit 128, nostamp
|
output alert_unified2: filename snort.alert, limit 128
|
||||||
# output log_unified2: filename snort.log, limit 128, nostamp
|
output log_unified2: filename snort.log, limit 128
|
||||||
|
|
||||||
# syslog
|
# syslog
|
||||||
# output alert_syslog: LOG_AUTH LOG_ALERT
|
# output alert_syslog: LOG_AUTH LOG_ALERT
|
||||||
|
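Review bot: `output log_unified2: filename snort.log, limit 128` enables a second unified2 spool that nothing in this commit consumes or prunes: `limit 128` only rolls over to a new timestamped file at 128 MB, and the converter config added here (`--prefix=snort.alert` with `--delete`) touches only the alert spool, so `snort.log.<timestamp>` files accumulate in the log volume until the sensor's disk fills. If the full-packet spool is wanted for forensics, add a retention step for `/var/log/snort/snort.log.*` (a cron job or tmpwatch on the host side of the volume) and document the expected growth; otherwise leave that line commented out. The rest of the output section and any alert_fast configuration lie outside this hunk, so whether a text `alert` file is still produced cannot be confirmed from here.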
7
snort/data/u2json.conf
Normal file
7
snort/data/u2json.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
--snort-conf=/etc/snort/snort.conf
|
||||||
|
--directory=/var/log/snort
|
||||||
|
--prefix=snort.alert
|
||||||
|
--follow
|
||||||
|
--bookmark
|
||||||
|
--delete
|
||||||
|
--output=/var/log/snort/alert.json
|
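Review bot: `--delete` turns this converter into the only consumer of the `snort.alert.*` spool and removes each file as soon as it has been read, so from then on `/var/log/snort/alert.json` is the sole record of the alerts and nothing in this file rotates or forwards it. The file has no comments; if the `@file` loader accepts `#` lines, add a header such as `# --delete: unified2 spool files are removed after conversion; alert.json is then the only copy — rotate or ship it`, otherwise put that sentence in the README next to the `idstools-u2json` command. If the raw unified2 evidence should survive for a later re-read, drop `--delete` and rely on `--bookmark` alone.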
@ -1,8 +1,9 @@
|
|||||||
snort:
|
snort:
|
||||||
image: vimagick/snort
|
image: vimagick/snort
|
||||||
command: -q -c /etc/snort/snort.conf -A fast -y -i eth0
|
command: -q -c /etc/snort/snort.conf -y -i eth0
|
||||||
volumes:
|
volumes:
|
||||||
- ./data/snort.conf:/etc/snort/snort.conf
|
- ./data/snort.conf:/etc/snort/snort.conf
|
||||||
|
- ./data/u2json.conf:/etc/snort/u2json.conf
|
||||||
- ./data/rules:/etc/snort/rules
|
- ./data/rules:/etc/snort/rules
|
||||||
- ./data/log:/var/log/snort
|
- ./data/log:/var/log/snort
|
||||||
cap_add:
|
cap_add:
|
||||||
|
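Review bot: The new `- ./data/u2json.conf:/etc/snort/u2json.conf` mount, like the existing `snort.conf` and `rules` mounts, is read-write, so a process in the container (which runs with extra capabilities from the `cap_add` block below and parses untrusted network traffic) can rewrite the host-side config and rule set and persist across restarts; mark the configuration mounts `:ro`, e.g. `- ./data/u2json.conf:/etc/snort/u2json.conf:ro`, `- ./data/snort.conf:/etc/snort/snort.conf:ro`, `- ./data/rules:/etc/snort/rules:ro`, leaving only `./data/log` writable. Dropping `-A fast` from `command:` also means alert output is now whatever `snort.conf` configures, so the README's `tail -f data/log/alert` example is likely stale unless an alert_fast output remains in the config — worth confirming. The `cap_add` entries themselves are outside this hunk.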