dockerfiles/snort/README.md

snort
=====

![](https://badge.imagelayers.io/vimagick/snort:latest.svg)

[Snort][1] is an open source intrusion prevention system capable of real-time
traffic analysis and packet logging.

```yaml
snort:
  image: vimagick/snort
  command: -q -c /etc/snort/snort.conf -y -i eth0
  volumes:
    - ./data/snort.conf:/etc/snort/snort.conf
    - ./data/u2json.conf:/etc/snort/u2json.conf
    - ./data/rules:/etc/snort/rules
    - ./data/log:/var/log/snort
  cap_add:
    - NET_ADMIN
  net: host
  restart: unless-stopped
```

```bash
# /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
```

```bash
$ docker-compose up -d

$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf --stdout

$ tail -f data/log/alert
snort_1  | 08/26/18-06:47:35.460754  [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
snort_1  | 08/26/18-06:47:35.460835  [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x

$ tcpdump -n -r data/log/snort.log.xxx
06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12

$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done
```

[1]: https://snort.org/
update 2015-09-03 02:08:27 +00:00			`snort`
			`=====`
add snort 2015-09-02 17:58:29 +00:00
			`![](https://badge.imagelayers.io/vimagick/snort:latest.svg)`

fix snort 2020-06-08 05:20:41 +00:00			`[Snort][1] is an open source intrusion prevention system capable of real-time`
add snort 2015-09-02 17:58:29 +00:00			`traffic analysis and packet logging.`

update snort 2018-08-26 06:55:20 +00:00			```yaml
			`snort:`
			`image: vimagick/snort`
update snort 2020-06-08 06:16:46 +00:00			`command: -q -c /etc/snort/snort.conf -y -i eth0`
update snort 2018-08-26 06:55:20 +00:00			`volumes:`
			`- ./data/snort.conf:/etc/snort/snort.conf`
update snort 2020-06-08 06:16:46 +00:00			`- ./data/u2json.conf:/etc/snort/u2json.conf`
update snort 2018-08-26 06:55:20 +00:00			`- ./data/rules:/etc/snort/rules`
			`- ./data/log:/var/log/snort`
			`cap_add:`
			`- NET_ADMIN`
			`net: host`
			`restart: unless-stopped`
			```
update 2015-09-03 02:08:27 +00:00
update snort 2018-08-26 06:55:20 +00:00			```bash
			`# /etc/snort/rules/local.rules`
			`alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)`
			`alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)`
update 2015-09-03 02:08:27 +00:00			```
update snort 2018-08-26 06:55:20 +00:00
			```bash
			`$ docker-compose up -d`
update snort 2018-08-26 07:15:42 +00:00
update snort 2020-06-08 06:16:46 +00:00			`$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf --stdout`

update snort alert 2018-08-26 07:36:51 +00:00			`$ tail -f data/log/alert`
			`snort_1 \| 08/26/18-06:47:35.460754 [] [1:10000:0] ICMP Echo Request [] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y`
			`snort_1 \| 08/26/18-06:47:35.460835 [] [1:10001:0] ICMP Echo Reply [] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x`
update snort 2018-08-26 07:15:42 +00:00
			`$ tcpdump -n -r data/log/snort.log.xxx`
			`06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12`
			`06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12`
update snort 2018-08-26 10:48:38 +00:00
update snort 2020-06-08 06:16:46 +00:00			`$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done`
update 2015-09-03 02:08:27 +00:00			```

add snort 2015-09-02 17:58:29 +00:00			`[1]: https://snort.org/`