1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2024-11-24 08:52:31 +02:00
dockerfiles/snort
Pratik raj b113da5d19 chore: Use --no-cache-dir flag to pip in Dockerfiles, to save space
Using "--no-cache-dir" flag in pip install ,make sure dowloaded packages
by pip don't cached on system . This is a best practise which make sure
to fetch ftom repo instead of using local cached one . Further , in case
of Docker Containers , by restricing caching , we can reduce image size.
In term of stats , it depends upon the number of python packages
multiplied by their respective size . e.g for heavy packages with a lot
of dependencies it reduce a lot by don't caching pip packages.

Further , more detail information can be found at

https://medium.com/sciforce/strategies-of-docker-images-optimization-2ca9cc5719b6

Signed-off-by: Pratik Raj <rajpratik71@gmail.com>
2021-07-02 01:02:49 +05:30
..
arm update snort 2020-08-14 11:26:15 +08:00
data update snort 2020-06-08 14:29:13 +08:00
alert.wav add snort-arm 2018-08-26 18:35:49 +08:00
docker-compose.yml update snort 2020-06-08 14:16:46 +08:00
Dockerfile chore: Use --no-cache-dir flag to pip in Dockerfiles, to save space 2021-07-02 01:02:49 +05:30
README.md update snort 2020-06-08 14:38:25 +08:00

snort

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

snort:
  image: vimagick/snort
  command: -q -c /etc/snort/snort.conf -y -i eth0
  volumes:
    - ./data/snort.conf:/etc/snort/snort.conf
    - ./data/u2json.conf:/etc/snort/u2json.conf
    - ./data/rules:/etc/snort/rules
    - ./data/log:/var/log/snort
  cap_add:
    - NET_ADMIN
  net: host
  restart: unless-stopped
# /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
$ docker-compose up -d

$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf
INFO: Loaded 523 rule message map entries.
INFO: Loaded 38 classifications.

$ tail -f data/log/alert.json
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000000,"sensor-id":0,"impact-flag":0,"sport-itype":8,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"1.2.3.4","event-id":55,"mpls-label":null,"vlan-id":null,"source-ip":"5.6.7.8","event-microsecond":905105,"blocked":0}}
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000001,"sensor-id":0,"impact-flag":0,"sport-itype":0,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"5.6.7.8","event-id":56,"mpls-label":null,"vlan-id":null,"source-ip":"1.2.3.4","event-microsecond":905126,"blocked":0}}

$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done