dockerfiles/snort
kev 8fad8ed7cf upgrade snort to 2.9.13 2019-06-14 23:03:05 +08:00
arm update snort local.rules 2018-08-26 19:13:48 +08:00
data update snort local.rules 2018-08-26 19:13:48 +08:00
Dockerfile upgrade snort to 2.9.13 2019-06-14 23:03:05 +08:00
README.md update snort 2018-08-26 18:48:38 +08:00
alert.wav add snort-arm 2018-08-26 18:35:49 +08:00
docker-compose.yml add snort-arm 2018-08-26 18:35:49 +08:00

snort
=====

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

```yaml
snort:
  image: vimagick/snort
  command: -q -c /etc/snort/snort.conf -A fast -y -i eth0
  volumes:
    - ./data/snort.conf:/etc/snort/snort.conf
    - ./data/rules:/etc/snort/rules
    - ./data/log:/var/log/snort
  cap_add:
    - NET_ADMIN
  net: host
  restart: unless-stopped
```
```
# /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
```
```bash
$ docker-compose up -d

$ tail -f data/log/alert
snort_1  | 08/26/18-06:47:35.460754  [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
snort_1  | 08/26/18-06:47:35.460835  [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x

$ tcpdump -n -r data/log/snort.log.xxx
06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12

$ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done
```
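The `tail -f data/log/alert` output above is Snort's `-A fast` format (with `-y` adding the two-digit year to the timestamp). As an added example, not part of this repository, here is a small parser for that format that turns each line into a record and counts hits per signature id; the sample lines, addresses and the third TCP alert are constructed, and IPv4 endpoints are assumed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of the "-A fast -y" format shown in the README (two-digit
# year); the addresses and the third, TCP, line are made up for this example.
SAMPLE_ALERTS = """\
08/26/18-06:47:35.460754  [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.9
08/26/18-06:47:35.460835  [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} 10.0.0.9 -> 10.0.0.5
08/26/18-06:48:01.000123  [**] [1:2000001:3] Constructed TCP rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:54321 -> 10.0.0.5:80
"""

# timestamp, [gid:sid:rev], message, optional [Classification: ...] (absent for
# rules with no classtype, like local.rules above), [Priority: n], {proto}, src -> dst
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def _endpoint(text: str) -> Tuple[str, Optional[int]]:
    # TCP/UDP endpoints are printed as "ip:port"; ICMP prints the bare address.
    # Assumes IPv4: the colon test would be ambiguous for IPv6 literals.
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit() and "." in host:
        return host, int(port)
    return text, None

def parse_fast_alert(line: str) -> Optional[dict]:
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None  # blank, truncated, or not a fast-format alert line
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    d["src"], d["dst"] = _endpoint(d["src"]), _endpoint(d["dst"])
    return d

def parse_fast_alerts(text: str) -> List[dict]:
    # Skip unparseable lines instead of aborting: a tailed live log may be partial
    parsed = (parse_fast_alert(line) for line in text.splitlines())
    return [a for a in parsed if a is not None]

def count_by_sid(alerts: List[dict]) -> Dict[int, int]:
    # Hits per signature id, the first cut when triaging an alert file
    return dict(Counter(a["sid"] for a in alerts))
```

The `rev` field comes out as 0 for the two rules above because `local.rules` gives them no `rev` option, matching the `[1:10000:0]` seen in the log.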