update snort

This commit is contained in:
kev 2020-06-08 14:16:46 +08:00
parent f1bf999ae3
commit 5d82ab0460
6 changed files with 1199 additions and 1016 deletions


@ -22,9 +22,12 @@ RUN set -xe \
/etc/snort/preproc_rules \
/usr/local/lib/snort_dynamicrules \
&& ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \
&& curl -sSL https://bootstrap.pypa.io/get-pip.py | python \
&& pip install idstools \
&& yum clean all
COPY data/snort.conf /etc/snort/snort.conf
COPY data/u2json.conf /etc/snort/u2json.conf
ENTRYPOINT ["snort"]
CMD ["--help"]
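Review bot: The added `curl -sSL https://bootstrap.pypa.io/get-pip.py | python` executes whatever the download returns, and without `-f` an HTTP error body is piped into python as well; the following `pip install idstools` is unpinned, so the image is not reproducible and silently takes whatever idstools release is current at build time. I would change the two lines to `&& curl -fsSL https://bootstrap.pypa.io/get-pip.py | python \` and `&& pip install idstools==<PINNED_VERSION> \` with the version filled in, and verify get-pip.py against a known digest before running it if the base image provides sha256sum. The RUN instruction this belongs to starts before the hunk.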


@ -9,9 +9,10 @@ traffic analysis and packet logging.
```yaml
snort:
image: vimagick/snort
command: -q -c /etc/snort/snort.conf -A fast -y -i eth0
command: -q -c /etc/snort/snort.conf -y -i eth0
volumes:
- ./data/snort.conf:/etc/snort/snort.conf
- ./data/u2json.conf:/etc/snort/u2json.conf
- ./data/rules:/etc/snort/rules
- ./data/log:/var/log/snort
cap_add:
@ -29,6 +30,8 @@ alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
```bash
$ docker-compose up -d
$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf --stdout
$ tail -f data/log/alert
snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x
@ -37,7 +40,7 @@ $ tcpdump -n -r data/log/snort.log.xxx
06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12
$ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done
$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done
```
[1]: https://snort.org/



@ -521,8 +521,8 @@ preprocessor reputation: \
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
output alert_unified2: filename snort.alert, limit 128
output log_unified2: filename snort.log, limit 128
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
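Review bot: The enabled `output alert_unified2: filename snort.alert, limit 128` line carries no note tying its filename to the idstools consumer; if I read the sides correctly, `nostamp` was dropped so Snort now writes timestamped `snort.alert.<epoch>` spool files, which is what a prefix-based follower needs, and that dependency is worth recording in the config. I would add above it `# unified2 spool files (snort.alert.<timestamp>) are consumed by idstools-u2json; keep the prefix in sync with u2json.conf`. `output log_unified2: filename snort.log, limit 128` rotates the same way but nothing in this commit consumes or prunes those files, so growth under /var/log/snort needs a retention plan.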

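--- /dev/null
+++ b/snort/data/u2json.conf
@@ -0,0 +1,7 @@
+--snort-conf=/etc/snort/snort.conf
+--directory=/var/log/snort
+--prefix=snort.alert
+--follow
+--bookmark
+--delete
+--output=/var/log/snort/alert.json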
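Review bot: `--delete` removes each unified2 spool file as soon as it has been converted, so the original snort.alert.* records are gone and alert.json becomes the only copy of the alert evidence; if the raw unified2 files are wanted for later analysis, drop `--delete` and keep `--bookmark`, which already prevents re-processing after a restart, and prune the spool directory on a schedule instead. `--output=/var/log/snort/alert.json` places the JSON inside the directory being followed; it is ignored because it does not match the `snort.alert` prefix, but a one-line note on that would stop a future prefix change from turning the output into input. This is an argument file, so the note has to live in the README or a neighbouring comment rather than in the file itself.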


@ -1,8 +1,9 @@
snort:
image: vimagick/snort
command: -q -c /etc/snort/snort.conf -A fast -y -i eth0
command: -q -c /etc/snort/snort.conf -y -i eth0
volumes:
- ./data/snort.conf:/etc/snort/snort.conf
- ./data/u2json.conf:/etc/snort/u2json.conf
- ./data/rules:/etc/snort/rules
- ./data/log:/var/log/snort
cap_add:
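Review bot: The configuration bind mounts in `volumes` are writable from inside the container, while the snort process parses untrusted traffic with added capabilities (`cap_add` follows the hunk); mounting `./data/snort.conf:/etc/snort/snort.conf:ro` and the new `./data/u2json.conf:/etc/snort/u2json.conf:ro` (and `./data/rules:/etc/snort/rules:ro`) keeps a compromised process from rewriting its own configuration or rules, and only `./data/log:/var/log/snort` needs to stay writable since both snort and u2json write there. The same snippet appears in the README hunk and should be kept in sync. The service definition continues past the end of this hunk.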