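├── .gitignore
├── Dockerfile
├── README.md
├── disablesid.conf
├── ip_black_list.rules
├── ip_white_list.rules
├── local.rules
├── pulledpork.conf
└── update-rules.sh

/.gitignore:
--------------------------------------------------------------------------------
customintel.sh
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Snort 2.x + DAQ + PulledPork + WebSnort image for triaging a pcap against a large ruleset.
#
# Notes for whoever maintains this image:
#  * There is no USER instruction, so websnort (and the snort it runs on uploaded pcaps)
#    execute as root inside the container. Publish port 8080 only on a trusted interface.
#  * ubuntu:16.04 and the pinned Snort/DAQ/PulledPork releases are old; rebuild against a
#    supported base and current releases before feeding this untrusted pcaps.
FROM ubuntu:16.04

## Env
ARG DAQ_VER=daq-2.0.6

## PulledPork Env
ARG PPORK_VERSION=0.7.3

## Snort Env
ARG SNORT_VER=2.9.11.1


## Install Dependencies
RUN apt-get update && apt-get -y install \
    wget \
    build-essential \
    libtool \
    automake \
    gcc \
    flex \
    bison \
    libnet1 \
    libnet1-dev \
    libpcre3 \
    libpcre3-dev \
    autoconf \
    libcrypt-ssleay-perl \
    libwww-perl \
    git \
    zlib1g \
    zlib1g-dev \
    libssl-dev \
    libmysqlclient-dev \
    imagemagick \
    wkhtmltopdf \
    libyaml-dev \
    libxml2-dev \
    libxslt1-dev \
    openssl \
    libreadline6-dev \
    unzip \
    libcurl4-openssl-dev \
    libapr1-dev \
    libaprutil1-dev \
    supervisor \
    net-tools \
    gettext-base \
    libdumbnet-dev \
    libpcap-dev \
    python-pip \
    && apt-get clean && rm -rf /var/cache/apt/*


## Install DAQ
# NOTE(review): the DAQ, Snort and PulledPork tarballs below are fetched over HTTPS but
# no checksum or signature is verified. Pin the expected SHA256 of each archive if this
# image is built unattended (e.g. in CI), so a swapped download fails the build.
RUN cd /tmp \
    && wget https://snort.org/downloads/snort/$DAQ_VER.tar.gz \
    && tar zxf $DAQ_VER.tar.gz \
    && cd $DAQ_VER \
    && ./configure \
    && make && make install \
    && ldconfig

## Install SNORT
RUN cd /tmp \
    && wget https://snort.org/downloads/snort/snort-$SNORT_VER.tar.gz \
    && tar zxf snort-$SNORT_VER.tar.gz \
    && cd snort-$SNORT_VER \
    && ./configure --enable-sourcefire \
    && make && make install

## User/group/dir for Snort
# The snort account exists for file ownership only; nothing below switches to it.
RUN groupadd snort \
    && useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort \
    && mkdir -p /var/log/snort \
    && chown snort:snort /var/log/snort -R \
    && mkdir -p /etc/snort \
    && cd /tmp/snort-$SNORT_VER \
    && cp -r etc/* /etc/snort/

## Install Pulledpork
RUN cd /tmp \
    && wget https://github.com/shirkdog/pulledpork/archive/v$PPORK_VERSION.tar.gz \
    && tar zxf v$PPORK_VERSION.tar.gz \
    && cd pulledpork-$PPORK_VERSION \
    && cp pulledpork.pl /usr/sbin/ \
    && chmod 755 /usr/sbin/pulledpork.pl \
    && cp -r etc/* /etc/snort/ \
    && cpan install LWP::Protocol::https \
    && cpan install Crypt::SSLeay \
    && cpan Mozilla::CA IO::Socket::SSL

RUN rm -rf /tmp/*

## Snort
# Rewrites the stock snort.conf: all rule paths point at /etc/snort/rules, every stock
# "include $..." line is commented out, and only local.rules and snort.rules (the single
# file PulledPork writes) are included. Log directory is fixed to /var/log/snort.
# NOTE(review): `chown -R snort:snort *` makes every config file writable by the snort user.
RUN cd /etc/snort \
    && chown -R snort:snort * \
    && mkdir -p /usr/local/lib/snort_dynamicrules \
    && mkdir /etc/snort/rules \
    && touch /etc/snort/rules/so_rules.rules \
    && touch /etc/snort/rules/local.rules \
    && touch /etc/snort/rules/snort.rules \
    && sed -i \
        -e 's#^var RULE_PATH.*#var RULE_PATH /etc/snort/rules#' \
        -e 's#^var SO_RULE_PATH.*#var SO_RULE_PATH $RULE_PATH/so_rules#' \
        -e 's#^var PREPROC_RULE_PATH.*#var PREPROC_RULE_PATH $RULE_PATH/preproc_rules#' \
        -e 's#^var WHITE_LIST_PATH.*#var WHITE_LIST_PATH $RULE_PATH/iplists#' \
        -e 's#^var BLACK_LIST_PATH.*#var BLACK_LIST_PATH $RULE_PATH/iplists#' \
        -e 's/^\(include $.*\)/# \1/' \
        -e '$a\\ninclude $RULE_PATH/local.rules' \
        -e '$a\\ninclude $RULE_PATH/snort.rules' \
        -e 's!^# \(config logdir:\)!\1 /var/log/snort!' \
        /etc/snort/snort.conf

## Install websnort
# NOTE(review): unpinned, unverified install from PyPI; pin a version (ideally with
# --require-hashes) so a rebuild cannot silently pull a different package.
RUN pip install websnort

# Need to generate these for the first run of PulledPork
RUN touch /etc/snort/rules/local.rules
RUN mkdir -p /etc/snort/rules/iplists/
RUN touch /etc/snort/rules/iplists/black_list.rules
RUN touch /etc/snort/rules/iplists/white_list.rules


###########################################################################
## Edits should be conducted here to limit modification to the upper layers

ARG SNORT_HOME_NET="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"

## copy pulled pork conf
COPY pulledpork.conf /etc/snort/pulledpork.conf
# Replaces the literal <PPORK_VERSION> token in pulledpork.conf with the build arg.
RUN sed -i -e 's|<'PPORK_VERSION'>|'$PPORK_VERSION'|g' /etc/snort/pulledpork.conf

## Rule management
## Enable all rules!!
## RUN echo 'pcre:.' >> /etc/snort/enablesid.conf

## These are noisy. Bad taffic alerts etc
## RUN echo 'preprocessor' >> /etc/snort/disablesid.conf

## Allow lots of flow bits
RUN sed -i 's/^.*config flowbits_size: 64$/config flowbits_size: 2048/' /etc/snort/snort.conf
## Run snort with rule profiling
RUN sed -i 's/#config profile_rules: print all, sort avg_ticks/config profile_rules: print 100, sort avg_ticks_per_nomatch/' /etc/snort/snort.conf
## Disable sensitive data pre proc + rules
RUN sed -i '/preprocessor sensitive_data/s/^/#/' /etc/snort/snort.conf
## Enable portscan detection
RUN sed -i 's/# preprocessor sfportscan/preprocessor sfportscan/' /etc/snort/snort.conf
## Set HOME_NET
RUN sed -i 's#^ipvar HOME_NET any.*#ipvar HOME_NET '"$SNORT_HOME_NET"'#' /etc/snort/snort.conf

###########################################################################

# COPY local rules across and re-run pulledpork
COPY local.rules /etc/snort/rules/local.rules
COPY ip_black_list.rules /etc/snort/rules/iplists/black_list.rules
COPY ip_white_list.rules /etc/snort/rules/iplists/white_list.rules
RUN touch /etc/snort/rules/customintel.rules
# customintel.rules only takes effect if snort.conf includes it. The sed block above
# appends includes for local.rules and snort.rules only, so add it here - guarded, so a
# rebuild or a hand-edited snort.conf never ends up with a duplicate include.
RUN grep -q 'customintel.rules' /etc/snort/snort.conf \
    || echo 'include $RULE_PATH/customintel.rules' >> /etc/snort/snort.conf
COPY disablesid.conf /etc/snort/disablesid.conf

# Add the script that allows the rules to be updated when the container is running
COPY *.sh ./
# NOTE(review): a build-arg is not a secret. Its value is recorded in the image metadata
# for the RUN step below (visible via `docker history`), so an oink code passed this way
# ships with every copy of the image. Prefer leaving PPORK_OINKCODE unset at build time
# and running update-rules.sh through `docker exec` (README step 3), or use a BuildKit
# secret mount instead of an ARG.
ARG PPORK_OINKCODE
# Quoted test: the original `[ ! -z $PPORK_OINKCODE ]` only worked by accident when empty.
RUN if [ -n "$PPORK_OINKCODE" ]; then bash update-rules.sh "$PPORK_OINKCODE"; fi

EXPOSE 8080
CMD ["websnort"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# docker-snort

Includes Snort + PulledPork + WebSnort (exposes port 8080)

The project is to assist in initial stage triage of a potentially malicious pcap. It runs all the rules it can against a pcap attempting to highlight sessions of interest.

*Processing of the PCAP does take a while due to the number of rules being utilised!*

Thanks to:
- Cisco / Sourcefire / Snort team for Snort
- PulledPork project: https://github.com/shirkdog/pulledpork
- WebSnort project for the Snort frontend: https://github.com/shendo/websnort

## To use:

*NB* Oink code required if not using customintel.sh script. Can be obtained from: https://www.snort.org/oinkcodes

### 1. Build with either (2nd option doesn't require git clone);

    docker build -t snortweb --build-arg PPORK_OINKCODE=YOUR_OINKCODE .
    docker build -t snortweb --build-arg PPORK_OINKCODE=YOUR_OINKCODE https://github.com/geekscrapy/docker-snort.git

*Note:* a build argument is stored in the image history (`docker history snortweb`). If the image will be shared or pushed to a registry, omit `--build-arg PPORK_OINKCODE=...` and fetch the registered rules afterwards with step 3 instead.

### 2. Run with:

    docker run --name snortweb -p 127.0.0.1:8080:8080 snortweb

Once running, visit http://localhost:8080/

`--name snortweb` is what step 3's `docker exec snortweb` refers to. WebSnort has no authentication and runs snort on whatever pcap is uploaded (as root: the Dockerfile sets no `USER`), so the example publishes the port on localhost only; drop the `127.0.0.1:` prefix deliberately if it must be reachable from other hosts.

### 3. Update the rules:

    docker exec snortweb bash update-rules.sh YOUR_OINKCODE

The oink code is passed on the command line, so it is visible in the host's process list and shell history while the command runs.

### 4.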
 (optional) Custom intel rules (customintel.sh):

This custom script enables rules to be pulled from any source when update-rules.sh is run.
Create a script named customintel.sh in the current directory before building, or, alternatively, the script can be created/modified once the container has been created.

Requirements:
- The customintel.sh script must output rules to stdout - output is inserted into ```/etc/snort/rules/customintel.rules```. That file only takes effect if it is included from snort.conf; confirm with `grep customintel /etc/snort/snort.conf` inside the container and check the `snort -T` output printed at the end of update-rules.sh.

*Security note:* customintel.sh is executed with `bash` as root inside the container every time update-rules.sh runs, so treat it as trusted code, not as configuration. If it fetches rules from a remote source, use HTTPS (and verify a signature or checksum where the provider offers one) - whatever it prints is loaded into the IDS as-is.

### Additional whitelists/blacklists:
To update local.rules, white_list.rules or black_list.rules, modify the file and build the image.

### Options
The following variables can be added to customise the build (values shown are the defaults):

| Option                   | Build argument                                                 |
|--------------------------|----------------------------------------------------------------|
| PulledPork Oink code:    | ```PPORK_OINKCODE=```                                          |
| Snort version:           | ```SNORT_VER=2.9.11.1```                                       |
| DAQ version:             | ```DAQ_VER=daq-2.0.6```                                        |
| PulledPork version:      | ```PPORK_VERSION=0.7.3```                                      |
| Snort HOME_NET variable: | ```SNORT_HOME_NET="192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"``` |
--------------------------------------------------------------------------------
/disablesid.conf:
--------------------------------------------------------------------------------
# Disable certain rules that are noisy

sensitive-data
129:15:1
--------------------------------------------------------------------------------
/ip_black_list.rules:
--------------------------------------------------------------------------------
# Blacklisted IPs
--------------------------------------------------------------------------------
/ip_white_list.rules:
--------------------------------------------------------------------------------
# Whitelisted IPs
--------------------------------------------------------------------------------
/local.rules:
--------------------------------------------------------------------------------
# Explicitly defined rules - can be used prebuild
--------------------------------------------------------------------------------
/pulledpork.conf:
--------------------------------------------------------------------------------
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######

# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, tarball, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#
# docker-snort: the text after the final '|' on the next line is the oink code. Keep it
# empty in the committed file - update-rules.sh writes the real code in for the duration
# of a PulledPork run and removes it again afterwards, so the secret is never stored in
# the repository or baked into the image.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
# NEW Community ruleset:
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|
# This format MUST be followed to let pulledpork know that this is a blacklist
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|
# URL for rule documentation! (slow to process)
rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource
# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change!
# and open-nogpl, to avoid conflicts.
29 | rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl 30 | # THE FOLLOWING URL is for etpro downloads, note the tarball name change! 31 | # and the et oinkcode requirement! 32 | #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz| 33 | # NOTE above that the VRT snortrules-snapshot does not contain the version 34 | # portion of the tarball name, this is because PP now automatically populates 35 | # this value for you, if, however you put the version information in, PP will 36 | # NOT populate this value but will use your value! 37 | 38 | # Specify rule categories to ignore from the tarball in a comma separated list 39 | # with no spaces. There are four ways to do this: 40 | # 1) Specify the category name with no suffix at all to ignore the category 41 | # regardless of what rule-type it is, ie: netbios 42 | # 2) Specify the category name with a '.rules' suffix to ignore only gid 1 43 | # rulefiles located in the /rules directory of the tarball, ie: policy.rules 44 | # 3) Specify the category name with a '.preproc' suffix to ignore only 45 | # preprocessor rules located in the /preproc_rules directory of the tarball, 46 | # ie: sensitive-data.preproc 47 | # 4) Specify the category name with a '.so' suffix to ignore only shared-object 48 | # rules located in the /so_rules directory of the tarball, ie: netbios.so 49 | # The example below ignores dos rules wherever they may appear, sensitive- 50 | # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules), 51 | # and netbios gid-1 rules (while including netbios so-rules): 52 | # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules 53 | # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x. 54 | #ignore=deleted.rules,experimental.rules,local.rules 55 | # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the 56 | # previous ignore line and uncomment the following! 
57 | # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data 58 | 59 | # What is our temp path, be sure this path has a bit of space for rule 60 | # extraction and manipulation, no trailing slash 61 | temp_path=/tmp 62 | 63 | ####### 64 | ####### The below section is for rule processing. This section is 65 | ####### required if you are not specifying the configuration using 66 | ####### runtime switches. Note that runtime switches do SUPERSEED 67 | ####### any values that you have specified here! 68 | ####### 69 | 70 | # What path you want the .rules file containing all of the processed 71 | # rules? (this value has changed as of 0.4.0, previously we copied 72 | # all of the rules, now we are creating a single large rules file 73 | # but still keeping a separate file for your so_rules! 74 | rule_path=/etc/snort/rules/snort.rules 75 | 76 | # What path you want the .rules files to be written to, this is UNIQUE 77 | # from the rule_path and cannot be used in conjunction, this is to be used with the 78 | # -k runtime flag, this can be set at runtime using the -K flag or specified 79 | # here. If specified here, the -k option must also be passed at runtime, however 80 | # specifying -K at runtime forces the -k option to also be set 81 | # out_path=/usr/local/etc/snort/rules/ 82 | 83 | # If you are running any rules in your local.rules file, we need to 84 | # know about them to properly build a sid-msg.map that will contain your 85 | # local.rules metadata (msg) information. You can specify other rules 86 | # files that are local to your system here by adding a comma and more paths... 87 | # remember that the FULL path must be specified for EACH value. 88 | # local_rules=/path/to/these.rules,/path/to/those.rules 89 | local_rules=/etc/snort/rules/local.rules 90 | 91 | # Where should I put the sid-msg.map file? 92 | sid_msg=/etc/snort/sid-msg.map 93 | 94 | # New for by2 and more advanced msg mapping. 
Valid options are 1 or 2 95 | # specify version 2 if you are running barnyard2.2+. Otherwise use 1 96 | sid_msg_version=1 97 | 98 | # Where do you want me to put the sid changelog? This is a changelog 99 | # that pulledpork maintains of all new sids that are imported 100 | sid_changelog=/var/log/sid_changes.log 101 | # this value is optional 102 | 103 | ####### 104 | ####### The below section is for so_rule processing only. If you don't 105 | ####### need to use them.. then comment this section out! 106 | ####### Alternately, if you are not using pulledpork to process 107 | ####### so_rules, you can specify -T at runtime to bypass this altogether 108 | ####### 109 | 110 | # What path you want the .so files to actually go to *i.e. where is it 111 | # defined in your snort.conf, needs a trailing slash 112 | sorule_path=/usr/local/lib/snort_dynamicrules/ 113 | 114 | # Path to the snort binary, we need this to generate the stub files 115 | snort_path=/usr/local/bin/snort 116 | 117 | # We need to know where your snort.conf file lives so that we can 118 | # generate the stub files 119 | config_path=/etc/snort/snort.conf 120 | 121 | ##### Deprecated - The stubs are now categorically written to the single rule file! 122 | # sostub_path=/usr/local/etc/snort/rules/so_rules.rules 123 | 124 | # Define your distro, this is for the precompiled shared object libs! 125 | # Valid Distro Types: 126 | # Debian-6-0, Ubuntu-10-4 127 | # Ubuntu-12-04, Centos-5-4 128 | # FC-12, FC-14, RHEL-5-5, RHEL-6-0 129 | # FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0 130 | # OpenBSD-5-2, OpenBSD-5-3 131 | # OpenSUSE-11-4, OpenSUSE-12-1 132 | # Slackware-13-1 133 | distro=Ubuntu-12-04 134 | 135 | ####### This next section is optional, but probably pretty useful to you. 136 | ####### Please read thoroughly! 
137 | 138 | # If you are using IP Reputation and getting some public lists, you will probably 139 | # want to tell pulledpork where your blacklist file lives, PP automagically will 140 | # de-dupe any duplicate IPs from different sources. 141 | black_list=/etc/snort/rules/iplists/black_list.rules 142 | 143 | # IP Reputation does NOT require a full snort HUP, it introduces a concept whereby 144 | # the IP list can be reloaded while snort is running through the use of a control 145 | # socket. Please be sure that you built snort with the following optins: 146 | # -enable-shared-rep and --enable-control-socket. Be sure to read about how to 147 | # configure these! The following option tells pulledpork where to place the version 148 | # file for use with control socket ip list reloads! 149 | # This should be the same path where your black_list lives! 150 | IPRVersion=/etc/snort/rules/iplists 151 | 152 | # The following option tells snort where the snort_control tool is located. 153 | snort_control=/usr/local/bin/snort_control 154 | 155 | # What do you want to backup and archive? This is a comma separated list 156 | # of file or directory values. If a directory is specified, PP will recurse 157 | # through said directory and all subdirectories to archive all files. 158 | # The following example backs up all snort config files, rules, pulledpork 159 | # config files, and snort shared object binary rules. 160 | # backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/ 161 | 162 | # what path and filename should we use for the backup tarball? 163 | # note that an epoch time value and the .tgz extension is automatically added 164 | # to the backup_file name on completeion i.e. the written file is: 165 | # pp_backup.1295886020.tgz 166 | # backup_file=/tmp/pp_backup 167 | 168 | # Where do you want the signature docs to be copied, if this is commented 169 | # out then they will not be copied / extracted. 
Note that extracting them 170 | # will add considerable runtime to pulledpork. 171 | # docs=/path/to/base/www 172 | 173 | # The following option, state_order, allows you to more finely control the order 174 | # that pulledpork performs the modify operations, specifically the enablesid 175 | # disablesid and dropsid functions. An example use case here would be to 176 | # disable an entire category and later enable only a rule or two out of it. 177 | # the valid values are disable, drop, and enable. 178 | # state_order=disable,drop,enable 179 | 180 | 181 | # Define the path to the pid files of any running process that you want to 182 | # HUP after PP has completed its run. 183 | # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid 184 | # and so on... 185 | pid_path=/var/run/snort_$PID_FILE 186 | 187 | # This defines the version of snort that you are using, for use ONLY if the 188 | # proper snort binary is not on the system that you are fetching the rules with 189 | # This value MUST contain all 4 minor version 190 | # numbers. ET rules are now also dependant on this, verify supported ET versions 191 | # prior to simply throwing rubbish in this variable kthx! 192 | # 193 | # Suricata users - set this to 'suricata-3.x.x' to process rule files 194 | # for suricata, this mimics the -S flag on the command line. 195 | # snort_version=2.9.0 196 | 197 | # Here you can specify what rule modification files to run automatically. 198 | # simply uncomment and specify the apt path. 199 | # enablesid=/usr/local/etc/snort/enablesid.conf 200 | # dropsid=/usr/local/etc/snort/dropsid.conf 201 | # disablesid=/usr/local/etc/snort/disablesid.conf 202 | # modifysid=/usr/local/etc/snort/modifysid.conf 203 | enablesid=/etc/snort/enablesid.conf 204 | disablesid=/etc/snort/disablesid.conf 205 | 206 | 207 | # What is the base ruleset that you want to use, please uncomment to use 208 | # and see the README.RULESETS for a description of the options. 
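# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
#ips_policy=nopolicy

####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

# Filled in at build time: the Dockerfile runs
#   sed -i 's|<PPORK_VERSION>|'$PPORK_VERSION'|g' /etc/snort/pulledpork.conf
# so this token must stay exactly as written.
version=<PPORK_VERSION>
--------------------------------------------------------------------------------
/update-rules.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# update-rules.sh [OINKCODE]
#
# Refreshes the rule set inside the running container (README step 3):
#   1. runs ./customintel.sh (if present) and stores its stdout as customintel.rules
#   2. writes the oink code into pulledpork.conf and runs PulledPork
#   3. scrubs the oink code from pulledpork.conf again, even if PulledPork failed
#   4. validates the resulting configuration with `snort -T`
#
# Exit status is non-zero when PulledPork or the snort configuration test fails.
#
# Trust boundary: this runs as root inside the container (the Dockerfile sets no USER),
# customintel.sh is executed as code, and the oink code arrives on argv, where it is
# visible to `ps` and shell history for the lifetime of the command.

set -u

readonly pp_conf=/etc/snort/pulledpork.conf
readonly custom_rules=/etc/snort/rules/customintel.rules
# The registered-ruleset line of pulledpork.conf. Whatever follows the final '|' is the
# oink code; anchoring on this prefix means no placeholder token is needed in the file
# and the script can be re-run any number of times.
readonly reg_rules_prefix='rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|'

oinkcode=${1:-}

# Remove the oink code from pulledpork.conf (leaves the line with an empty code).
scrub_oinkcode() {
  sed -i "s#^\(${reg_rules_prefix}\).*#\1#" "$pp_conf"
}

# Write the oink code into pulledpork.conf. The code is used only in the sed
# *replacement*, with the characters sed treats specially there ('&', '\' and the '#'
# delimiter) escaped first, so it is never interpreted as a regular expression - the
# original `sed 's/'"$1"'//g'` did exactly that.
set_oinkcode() {
  local escaped
  escaped=$(printf '%s' "$1" | sed 's/[\\&#]/\\&/g')
  sed -i "s#^\(${reg_rules_prefix}\).*#\1${escaped}#" "$pp_conf"
}

## 1. Custom intel rules.
# customintel.sh is looked up in the current directory (the image WORKDIR, where the
# Dockerfile's `COPY *.sh ./` placed the scripts). A missing script yields an empty rule file.
if [ ! -f ./customintel.sh ]; then
  touch customintel.sh
fi
# Generate into a temp file and only replace customintel.rules when the script succeeded,
# so a half-finished download never becomes the live rule file.
tmp_rules=$(mktemp "${custom_rules}.XXXXXX") || exit 1
if bash customintel.sh > "$tmp_rules"; then
  mv -f -- "$tmp_rules" "$custom_rules"
else
  printf 'customintel.sh failed; keeping the previous %s\n' "$custom_rules" >&2
  rm -f -- "$tmp_rules"
fi

## 2./3. PulledPork.
if [ -z "$oinkcode" ]; then
  printf 'No Oink code given: the registered snort.org ruleset will not be fetched (snort.org requires one); the other rule_url sources in %s are still tried.\n' "$pp_conf" >&2
  printf 'Run with "docker exec snortweb bash update-rules.sh <oinkcode>" to include it.\n' >&2
fi

set_oinkcode "$oinkcode"
# Scrub on every exit path so the secret is not left behind in the config if PulledPork dies.
trap scrub_oinkcode EXIT
/usr/sbin/pulledpork.pl -c "$pp_conf" -v -EP
pp_status=$?
scrub_oinkcode
trap - EXIT
if [ "$pp_status" -ne 0 ]; then
  printf 'pulledpork.pl exited with status %d\n' "$pp_status" >&2
fi

## 4. Validate the configuration snort (and therefore websnort) will load.
snort -c /etc/snort/snort.conf -T
snort_status=$?

if [ "$pp_status" -ne 0 ]; then
  exit "$pp_status"
fi
exit "$snort_status"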