
update snort

This commit is contained in:
kev 2020-06-08 14:16:46 +08:00
parent f1bf999ae3
commit 5d82ab0460
6 changed files with 1199 additions and 1016 deletions

@ -22,9 +22,12 @@ RUN set -xe \
/etc/snort/preproc_rules \ /etc/snort/preproc_rules \
/usr/local/lib/snort_dynamicrules \ /usr/local/lib/snort_dynamicrules \
&& ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \ && ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \
&& curl -sSL https://bootstrap.pypa.io/get-pip.py | python \
&& pip install idstools \
&& yum clean all && yum clean all
COPY data/snort.conf /etc/snort/snort.conf COPY data/snort.conf /etc/snort/snort.conf
COPY data/u2json.conf /etc/snort/u2json.conf
ENTRYPOINT ["snort"] ENTRYPOINT ["snort"]
CMD ["--help"] CMD ["--help"]
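Review bot: The added `&& pip install idstools \` line installs an unpinned package, and the line before it pipes `get-pip.py` from bootstrap.pypa.io straight into `python` with no digest check, so what ends up in the image depends on whatever those two endpoints serve at build time and cannot be reproduced or audited later. Pin the package, e.g. `&& pip install idstools==<PINNED_VERSION> \`, and verify get-pip.py against a recorded digest (or install pip from the base image's package repository) before executing it. If `python` here is the base image's Python 2 interpreter, the unversioned get-pip.py URL is also the kind of moving target that can stop supporting it without warning — confirm which interpreter this resolves to. The `RUN set -xe` instruction begins before the hunk.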

@ -9,9 +9,10 @@ traffic analysis and packet logging.
```yaml ```yaml
snort: snort:
image: vimagick/snort image: vimagick/snort
command: -q -c /etc/snort/snort.conf -A fast -y -i eth0 command: -q -c /etc/snort/snort.conf -y -i eth0
volumes: volumes:
- ./data/snort.conf:/etc/snort/snort.conf - ./data/snort.conf:/etc/snort/snort.conf
- ./data/u2json.conf:/etc/snort/u2json.conf
- ./data/rules:/etc/snort/rules - ./data/rules:/etc/snort/rules
- ./data/log:/var/log/snort - ./data/log:/var/log/snort
cap_add: cap_add:
@ -29,6 +30,8 @@ alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
```bash ```bash
$ docker-compose up -d $ docker-compose up -d
$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf --stdout
$ tail -f data/log/alert $ tail -f data/log/alert
snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x
@ -37,7 +40,7 @@ $ tcpdump -n -r data/log/snort.log.xxx
06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12 06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12 06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12
$ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done $ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done
``` ```
[1]: https://snort.org/ [1]: https://snort.org/


@ -521,8 +521,8 @@ preprocessor reputation: \
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs # Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp output alert_unified2: filename snort.alert, limit 128
# output log_unified2: filename snort.log, limit 128, nostamp output log_unified2: filename snort.log, limit 128
# syslog # syslog
# output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: LOG_AUTH LOG_ALERT
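Review bot: The newly enabled `output log_unified2: filename snort.log, limit 128` line starts a fresh timestamped `snort.log.<epoch>` file each time the size limit is reached (dropping `nostamp` is what makes the suffix appear), and nothing in this commit consumes or removes those files — the u2json config only follows the `snort.alert` prefix — so the `./data/log` bind mount grows until the host disk fills. Either age the packet logs out (logrotate or a cleanup step) or document the expected retention. The comment heading above these lines, `# Additional configuration for specific types of installs`, now sits over active directives; consider replacing it with `# unified2 output: snort.alert is consumed by idstools-u2json (see u2json.conf); snort.log holds packet data and is not rotated away`. The `preprocessor reputation` stanza named in the hunk header starts before the hunk.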

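--- a/snort/data/u2json.conf
+++ b/snort/data/u2json.conf
@@ -0,0 +1,7 @@
+--snort-conf=/etc/snort/snort.conf
+--directory=/var/log/snort
+--prefix=snort.alert
+--follow
+--bookmark
+--delete
+--output=/var/log/snort/alert.json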
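Review bot: `--delete` removes each consumed `snort.alert.<timestamp>` spool file, which leaves `/var/log/snort/alert.json` as the only copy of those alerts, and that file is appended to with no size limit or rotation anywhere in this commit. If the raw unified2 records are wanted for later forensic review, drop `--delete` and age the spool files out with logrotate instead; otherwise at least rotate alert.json. As I read the idstools options, `--bookmark` already prevents re-processing after a restart, so disk retention is the only thing `--delete` changes here.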

@ -1,8 +1,9 @@
snort: snort:
image: vimagick/snort image: vimagick/snort
command: -q -c /etc/snort/snort.conf -A fast -y -i eth0 command: -q -c /etc/snort/snort.conf -y -i eth0
volumes: volumes:
- ./data/snort.conf:/etc/snort/snort.conf - ./data/snort.conf:/etc/snort/snort.conf
- ./data/u2json.conf:/etc/snort/u2json.conf
- ./data/rules:/etc/snort/rules - ./data/rules:/etc/snort/rules
- ./data/log:/var/log/snort - ./data/log:/var/log/snort
cap_add: cap_add:
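Review bot: The hunk mounts u2json.conf into the snort container but no service in the compose file runs `idstools-u2json`, so with `-A fast` removed from `command` the only readable alert output (`alert.json`, which the README's inotifywait loop now watches) exists while someone keeps the manual `docker-compose exec` from the README running in a terminal. A second service that runs the converter against the same log volume, in the same compose v1 layout the hunk uses, makes the conversion persistent; a sketch follows (the `entrypoint` override is needed because the image's entrypoint is `snort`). The `snort` service continues past the hunk — its `cap_add:` values are not shown.
```yaml
# … unchanged: snort service …

u2json:
  image: vimagick/snort
  entrypoint: idstools-u2json
  command: "@/etc/snort/u2json.conf"
  volumes:
    - ./data/snort.conf:/etc/snort/snort.conf
    - ./data/u2json.conf:/etc/snort/u2json.conf
    - ./data/log:/var/log/snort
  restart: unless-stopped
```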