- Snort3 IPS/IDS
- Django Rest Framework
- Angular
- PostgreSQL
Clone the repository to your local machine:
```bash
git clone --recurse-submodules https://github.com/LLkaia/event-monitor-snort3.git
cd event-monitor-snort3
docker compose up
```
Once the containers are up, the web interface is available on localhost:8080 and the API on localhost:8000.
To control daemons within the Snort container, open another bash window:
```bash
docker exec -it snort bash
```
Use the following commands to manage processes:
```bash
supervisorctl status
supervisorctl status process_name
supervisorctl restart process_name
supervisorctl stop process_name
supervisorctl start process_name
```
Notice that we have 4 processes:
- server - DRF and WSGI providing the REST API
- snort - Snort3 IDS which inspects traffic on the eth0 interface and logs suspicious traffic into alert_json.txt
- watcher - Python script which watches alert_json.txt for changes and adds new entries to the database
- performance - Python script which watches perf_monitor_base.json for changes and adds new entries to the database
- cron - runs cron with a script that clears the events table in the database weekly (Monday at 00:00)
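The watcher process above has to cope with a file that Snort is appending to while it reads. Below is an added example, not the project's own watcher, of the incremental-read logic such a script needs: it parses only complete JSON lines, leaves a half-written trailing line for the next pass, restarts when the file has been rotated, and flattens each alert into the columns an events table would store. The sample log lines are constructed, and the field names (`src_ap`, `dst_ap`, `rule`, `action`, `msg`) assume the defaults of Snort3's alert_json logger.

```python
import json
import os
import tempfile

# Constructed stand-in for alert_json.txt; field names assume Snort3's alert_json defaults.
FIRST_WRITE = (
    '{ "timestamp" : "01/01-00:00:01.000000", "src_ap" : "10.0.0.5:43210", "dst_ap" : "10.0.0.9:80", '
    '"rule" : "1:1000001:1", "action" : "allow", "msg" : "TEST HTTP probe" }\n'
    '{ "timestamp" : "01/01-00:00:02.000000", "src_ap" : "10.0.0.7:5'  # cut mid-write by Snort
)
SECOND_WRITE = ('1000", "dst_ap" : "10.0.0.9:22", "rule" : "1:1000003:2", '
                '"action" : "block", "msg" : "TEST SSH scan" }\n')

def to_event_row(alert):
    """Flatten one alert into the columns an events table would hold."""
    src_ip, src_port = alert["src_ap"].rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
    dst_ip, dst_port = alert["dst_ap"].rsplit(":", 1)
    gid, sid, rev = (int(x) for x in alert["rule"].split(":"))
    return {"timestamp": alert["timestamp"], "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "gid": gid, "sid": sid,
            "rev": rev, "action": alert["action"], "msg": alert["msg"]}

def read_new_alerts(path, offset):
    """Return (rows, new_offset) for complete lines appended after `offset`.
    A last line without a newline is still being written and waits for the
    next pass; a file smaller than `offset` was rotated, so start over."""
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n")
    if end == -1:
        return [], offset
    rows = []
    for line in data[:end].split(b"\n"):
        try:
            rows.append(to_event_row(json.loads(line)))
        except (ValueError, KeyError):
            pass  # malformed line: skip it rather than crash the watcher
    return rows, offset + end + 1

def demo():
    """Two watcher passes over a file that Snort is still appending to."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alert_json.txt")
        with open(path, "w") as f: f.write(FIRST_WRITE)
        first, offset = read_new_alerts(path, 0)
        with open(path, "a") as f: f.write(SECOND_WRITE)
        second, _ = read_new_alerts(path, offset)
    return first, second
```

Each pass returns only fully written records, so a database insert driven by `read_new_alerts` never stores a truncated alert.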
- Download the test .pcap file.
- Uncomment the volumes section in docker-compose.yml.
- Run docker compose up.
- Open bash in the snort container, stop the snort process and run Snort manually against the capture:
```bash
snort -c /usr/local/etc/snort/snort.lua -r /root/snort/test.pcap --plugin-path=/usr/local/etc/so_rules/ -k none -l /var/log/snort --tweaks custom
```