snort ===== ![](https://badge.imagelayers.io/vimagick/snort:latest.svg) [`Snort`][1] is an open source intrusion prevention system capable of real-time traffic analysis and packet logging. ```yaml snort: image: vimagick/snort command: -q -c /etc/snort/snort.conf -A fast -y -i eth0 volumes: - ./data/snort.conf:/etc/snort/snort.conf - ./data/rules:/etc/snort/rules - ./data/log:/var/log/snort cap_add: - NET_ADMIN net: host restart: unless-stopped ``` ```bash # /etc/snort/rules/local.rules alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;) alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;) ``` ```bash $ docker-compose up -d $ tail -f data/log/alert snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x $ tcpdump -n -r data/log/snort.log.xxx 06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12 06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12 $ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done ``` [1]: https://snort.org/