Web service for analysing pcap files with intrusion detection systems such as
websnort provides a web interface for user and system submission of packet
capture files to run against IDS instances. Alerts and details from the analysis
are returned as results.
If you are after a web interface for monitoring a live
see https://www.snort.org/downloads#additional-downloads instead.
While originally developed specifically for
snort. Recent releases support
a flexible IDS plugin system which also supports
suricata out of the box.
websnort can be configured to run the same submitted packet capture
against any number of IDS instances, configs and rulesets. This allows broader
coverage and comparison between installs and rule versions.
snort if needed:
sudo apt-get install snort
Optional Disable running snort service if only required for this web api:
sudo service snort stop sudo update-rc.d snort disable
On recent ubuntu/debian releases the default snort.conf is not world readable. Unless planning to run the web service as root (not recommended) you will need to modify the permissions, for example:
sudo chmod a+r /etc/snort/snort.conf
Install web service using
sudo pip install websnort
websnort web server on the default port:
Browse to http://server:8080 and submit a pcap file for analysis.
Navigate to http://server:8080/api for details of provided json web api.
Full project documentation can be found on readthedocs.