MORCE depends on snort3 including snort2lua tool to convert rules. Installation is pretty straight forward. Apart from Snort itself you need to deploy the following files into following directories:
init/morce -> /etc/init.d/morce logger/alert_morce.lua -> /usr/share/morce/loggers/alert_morce.lua
It is highly recommended to setup a cron script that would periodically check
for updated rules. That can be done via calling /etc/init.d/morce update_rules.
Whenever new rules are detected, Snort is restarted and rules are taken into
account. In general it doesn’t make sense to trigger this action more often
then once a day as currently selected rules publishers are publishing new rules
at most once a day.
By default MORCE uses Snort
3 Community Rules and subset of Open
Emerging Threads ruleset. You can use /etc/init.d/morce update_rules to
check for updated rules.
Configuration is done via /etc/config/morce UCI file. You can specify there
how you want to be notified, where do various databases live and also a subset
of Emerging Threads ruleset that you want to use.
For syntax of specific options, see default uci file.