Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.
snort:
image: vimagick/snort
command: -q -c /etc/snort/snort.conf -y -i eth0
volumes:
- ./data/snort.conf:/etc/snort/snort.conf
- ./data/u2json.conf:/etc/snort/u2json.conf
- ./data/rules:/etc/snort/rules
- ./data/log:/var/log/snort
cap_add:
- NET_ADMIN
net: host
restart: unless-stopped# /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)$ docker-compose up -d
$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf
INFO: Loaded 523 rule message map entries.
INFO: Loaded 38 classifications.
$ tail -f data/log/alert.json
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000000,"sensor-id":0,"impact-flag":0,"sport-itype":8,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"1.2.3.4","event-id":55,"mpls-label":null,"vlan-id":null,"source-ip":"5.6.7.8","event-microsecond":905105,"blocked":0}}
{"type":"event","event":{"impact":0,"generator-id":1,"protocol":1,"dport-icode":0,"signature-revision":0,"classification-id":0,"signature-id":1000001,"sensor-id":0,"impact-flag":0,"sport-itype":0,"priority":0,"event-second":1591597954,"pad2":null,"destination-ip":"5.6.7.8","event-id":56,"mpls-label":null,"vlan-id":null,"source-ip":"1.2.3.4","event-microsecond":905126,"blocked":0}}
$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done