This repo sets up a miniature network inside Docker where Snort acts as the all-seeing sensor. One container launches attacks, another just exists to be scanned, and the sensor sits in the middle, logging every SYN scan it can catch. Think of it as teaching your Docker containers that networks are dangerous places.
```sh
docker compose up
```
- Watch the sensor console; SYN scan alerts will appear every 10 seconds.
- The attacker and victim containers stay up indefinitely.
- You can modify rules in `/etc/snort/rules/local.rules` inside the sensor container to detect more “creative” attacks!
## Sensor

- Runs Ubuntu 24.04 with Snort installed.
- Configured as a network gateway between the attacker and victim networks.
- Enables IP forwarding and NAT with iptables.
- Contains a minimal Snort rule detecting SYN scans from the attacker subnet.
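An added example of what such a `local.rules` entry can look like (not the repository's own rule file); it assumes the two subnets listed under Networks below and Snort 2.9 rule syntax, which is what the Ubuntu `snort` package ships:

```snort
# /etc/snort/rules/local.rules (added example, not the repo's own rule file)
# Assumes: attacker subnet 172.50.0.0/16, victim subnet 172.60.0.0/16, and
# that snort.conf already has `include $RULE_PATH/local.rules`.

# A single SYN is normal traffic; a burst of bare SYNs with no established
# flow is a scan. detection_filter stays silent until 20 matching packets
# from one source arrive within 10 s, then alerts on each further match in
# that window (use an event_filter in threshold.conf to rate-limit output).
alert tcp 172.50.0.0/16 any -> 172.60.0.0/16 any ( \
    msg:"LAB SYN scan from attacker subnet"; \
    flags:S,12; \
    flow:stateless; \
    detection_filter:track by_src, count 20, seconds 10; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; )
```

`flags:S,12` ignores the two ECN bits so a SYN with CWR/ECE set still matches; an `nmap -sS` of the default 1000 ports sends far more than 20 SYNs in 10 s, so each loop iteration in this lab trips the filter.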
## Attacker

- Runs Ubuntu 24.04 with `nmap`.
- Routes all traffic through the sensor container.
- Loops SYN scans against the victim container every 10 seconds.
## Victim

- Runs Ubuntu 24.04, minimal setup, sleeps forever.
- Acts as a passive target.
## Networks

- `net_attacker`: 172.50.0.0/16 — attacker and sensor.
- `net_victim`: 172.60.0.0/16 — victim and sensor.
- The sensor bridges the two, performing NAT and forwarding.
## Docker Compose

- Single `docker-compose.yaml` file.
- Uses `privileged` mode and the `NET_ADMIN` capability for the sensor and attacker.
- Health checks are deliberately skipped; you wait for Snort to be alive by watching the logs.