snort
=====

![](https://badge.imagelayers.io/vimagick/snort:latest.svg)

[Snort][1] is an open source intrusion prevention system capable of real-time
traffic analysis and packet logging.

```yaml
snort:
  image: vimagick/snort
  command: -q -c /etc/snort/snort.conf -y -i eth0
  volumes:
    - ./data/snort.conf:/etc/snort/snort.conf
    - ./data/u2json.conf:/etc/snort/u2json.conf
    - ./data/rules:/etc/snort/rules
    - ./data/log:/var/log/snort
  cap_add:
    - NET_ADMIN
  net: host
  restart: unless-stopped
```

```bash
# /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
```

```bash
$ docker-compose up -d

$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf
INFO: Loaded 523 rule message map entries.
INFO: Loaded 38 classifications.

$ tail -f data/log/alert.json
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000000,"sensor-id":0,"impact-flag":0,"sport-itype":8,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"1.2.3.4","event-id":55,"mpls-label":null,"vlan-id":null,"source-ip":"5.6.7.8","event-microsecond":905105,"blocked":0}}
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000001,"sensor-id":0,"impact-flag":0,"sport-itype":0,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"5.6.7.8","event-id":56,"mpls-label":null,"vlan-id":null,"source-ip":"1.2.3.4","event-microsecond":905126,"blocked":0}}

$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done
```

[1]: https://snort.org/