snort-docker/Dockerfile

#
# BUILD CONTAINER
# (Note that this is a multi-phase Dockerfile)
# To build run `docker build --rm -t tebedwel/snort3-alpine:latest`
#
FROM ubuntu:22.04 AS builder

ENV PREFIX_DIR=/usr/local
ENV HOME=/root

# Update apt-get adding the @testing repo for hwloc (as of Alpine v3.7)
# RUN apt-get add -X https://dl-cdn.alpinelinux.org/alpine/v3.16/main -u alpine-keys
# RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apt-get/repositories

# Prep apt-get for installing packages
RUN apt-get update -y && apt-get upgrade -y

# BUILD DEPENDENCIES:
RUN apt-get install -y \
  wget \
  git \
  cmake \
  make \
  g++ \
  bison \
  flex \
  cppcheck \
  cpputest \
  autoconf \
  automake \
  libtool \
  # Libraries
  libdumbnet-dev \
  libdnet-dev \
  libpcap-dev \
  libtirpc-dev \
  libmnl-dev \
  libunwind-dev \
# Install the Snort developer requirements
  curl \
  gdb \
  vim \
  build-essential \
  libpcre3-dev \
  libnet1-dev \
  zlib1g-dev \
  luajit \
  hwloc \
  liblzma-dev \
  openssl \
  libssl-dev \
  pkg-config \
  libhwloc-dev \
  libsqlite3-dev \
  uuid-dev \
  libcmocka-dev \
  libnetfilter-queue-dev \
  autotools-dev \
  libluajit-5.1-dev \
  libfl-dev

# One of the quirks of alpine is that unistd.h is in /usr/include. Lots of
# software looks for it in /usr/include/linux or /usr/include/sys.
# So, we'll make symlinks
# RUN mkdir /usr/include/linux && \
#     ln -s /usr/include/unistd.h /usr/include/linux/unistd.h && \
#     ln -s /usr/include/unistd.h /usr/include/sys/unistd.h

# The Alpine hwloc on testing is not reliable from a build perspective.
# So, lets just build it ourselves.
#
#WORKDIR $HOME
#RUN wget https://download.open-mpi.org/release/hwloc/v2.0/hwloc-2.0.3.tar.gz &&\
#    tar zxvf hwloc-2.0.3.tar.gz
#WORKDIR $HOME/hwloc-2.0.3
#RUN ./configure --prefix=${PREFIX_DIR} && \
#    make && \
#    make install

# BUILD Daq on alpine:

WORKDIR $HOME
RUN git clone https://github.com/snort3/libdaq.git
WORKDIR $HOME/libdaq
RUN ./bootstrap && \
  ./configure --prefix=${PREFIX_DIR} && make && \
  make install
    
# BUILD gperftools

WORKDIR $HOME
RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz &&\
  tar xzf gperftools-2.9.1.tar.gz

WORKDIR $HOME/gperftools-2.9.1
RUN ./configure && make && make install


# BUILD Snort on alpine
WORKDIR $HOME
# RUN git clone https://github.com/snort3/snort3.git
RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz &&\
  tar xzf 3.3.2.0.tar.gz

WORKDIR $HOME/snort3-3.3.2.0
RUN ./configure_cmake.sh \
  --prefix=${PREFIX_DIR} \
  --enable-tcmalloc \
  --disable-docs
  
WORKDIR $HOME/snort3-3.3.2.0/build
RUN make && make install
RUN ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \
  ln -s /usr/local/lib/libdaq.so.3 /lib/ && \
  ldconfig
  

#
# RUNTIME CONTAINER
#
#FROM ubuntu:22.04

#ENV PREFIX_DIR=/usr/local
#WORKDIR ${PREFIX_DIR}

# Prep apt-get for installing packages
#RUN apt-get update -y
#RUN apt-get upgrade -y

# RUNTIME DEPENDENCIES:
#RUN apt-get install \
#    libdnet \
#    luajit \
#    musl \
#    libstdc++

# Copy the build artifacts from the build container to the runtime file system
#COPY --from=builder ${PREFIX_DIR}/etc/ /etc/
#COPY --from=builder ${PREFIX_DIR}/lib/ /lib/
#COPY --from=builder ${PREFIX_DIR}/lib64/ ${PREFIX_DIR}/lib64/
#COPY --from=builder ${PREFIX_DIR}/bin/ /bin/

WORKDIR $HOME
RUN mkdir ${PREFIX_DIR}/etc/rules && \
  mkdir ${PREFIX_DIR}/etc/so_rules/ && \
  mkdir ${PREFIX_DIR}/etc/lists/ && \
  touch ${PREFIX_DIR}/etc/rules/local.rules && \
  touch ${PREFIX_DIR}/etc/lists/default.blocklist && \
  mkdir /var/log/snort

COPY snort3-community-rules.tar ${HOME}/snort3-community-rules.tar

RUN tar -xvzf snort3-community-rules.tar && \
  cd snort3-community-rules && \
  cp * ${PREFIX_DIR}/etc/rules/

RUN snort --version

ENTRYPOINT ["snort", "-c", "/usr/local/etc/snort/snort.lua", "-R", "/usr/local/etc/rules/snort3-community.rules", "-i", "wl01", "-s", "65535", "-k", "none"]

#ENTRYPOINT ["tail", "-f", "/dev/null"]