2021-10-11 16:56:00 +00:00
|
|
|
# Snort Resources
|
|
|
|
|
|
|
|
- [Snort Documents](https://snort.org/documents)
|
|
|
|
- [Snort Manual](https://github.com/snort3/snort3/releases/download/3.1.6.0/snort_user.pdf)
|
2021-10-11 16:57:30 +00:00
|
|
|
- [Snort Rules Writing Guide](https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/596/original/Rules_Writers_Guide_to_Snort_3_Rules.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20211011%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211011T165700Z&X-Amz-Expires=172800&X-Amz-SignedHeaders=host&X-Amz-Signature=1d5134d3a84db0f7b1ece95fcf98387a0cc32ff131b6c95e6a80d3cd4b616a5c)
|
2021-10-11 16:56:00 +00:00
|
|
|
|
|
|
|
## Snort Docker Container
|
|
|
|
|
|
|
|
1. Start the Container in your Linux system running Docker (you can use the Ubuntu VM to test).
|
|
|
|
```
|
|
|
|
$ docker run --name snort3 -h snort3 -u snorty -w /home/snorty -d -it ciscotalos/snort3 bash
|
|
|
|
```
|
|
|
|
|
|
|
|
2. Enter the Snort Container
|
|
|
|
```
|
|
|
|
$ docker exec -it snort3 bash
|
|
|
|
snorty@snort3:~$ snort
|
|
|
|
--------------------------------------------------
|
|
|
|
o")~ Snort++ 3.0.0-267
|
|
|
|
--------------------------------------------------
|
|
|
|
Loading /home/snorty/snort3/etc/snort/snort.lua:
|
|
|
|
Loading snort_defaults.lua:
|
|
|
|
Finished snort_defaults.lua:
|
|
|
|
Loading file_magic.lua:
|
|
|
|
Finished file_magic.lua:
|
|
|
|
ssh
|
|
|
|
host_cache
|
|
|
|
pop
|
|
|
|
binder
|
|
|
|
stream_tcp
|
|
|
|
network
|
|
|
|
gtp_inspect
|
|
|
|
packets
|
|
|
|
dce_http_proxy
|
|
|
|
stream_icmp
|
|
|
|
normalizer
|
|
|
|
ftp_server
|
|
|
|
stream_udp
|
|
|
|
search_engine
|
|
|
|
ips
|
|
|
|
dce_smb
|
|
|
|
wizard
|
|
|
|
appid
|
|
|
|
file_id
|
|
|
|
ftp_data
|
|
|
|
hosts
|
|
|
|
smtp
|
|
|
|
port_scan
|
|
|
|
dce_http_server
|
|
|
|
modbus
|
|
|
|
dce_tcp
|
|
|
|
telnet
|
|
|
|
host_tracker
|
|
|
|
ssl
|
|
|
|
sip
|
|
|
|
rpc_decode
|
|
|
|
http2_inspect
|
|
|
|
http_inspect
|
|
|
|
back_orifice
|
|
|
|
stream_user
|
|
|
|
stream_ip
|
|
|
|
classifications
|
|
|
|
dnp3
|
|
|
|
active
|
|
|
|
ftp_client
|
|
|
|
daq
|
|
|
|
decode
|
|
|
|
alerts
|
|
|
|
stream
|
|
|
|
references
|
|
|
|
arp_spoof
|
|
|
|
output
|
|
|
|
dns
|
|
|
|
dce_udp
|
|
|
|
imap
|
|
|
|
process
|
|
|
|
stream_file
|
|
|
|
Finished /home/snorty/snort3/etc/snort/snort.lua:
|
|
|
|
--------------------------------------------------
|
|
|
|
pcap DAQ configured to passive.
|
|
|
|
|
|
|
|
Snort successfully validated the configuration (with 0 warnings).
|
|
|
|
o")~ Snort exiting
|
|
|
|
snorty@snort3:~$
|
|
|
|
```
|