One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap but the output is not great.
I have been using a tool called websnort for better output recently and decided it was time to put it into a docker container for easy portability.
To run it:
docker run -d -p 8080:8080 jgamblin/websnortIf you want to build your own the dockerfile is:
FROM ubuntu:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install python-pip snort -y
RUN chmod a+r /etc/snort/snort.conf
RUN pip install websnort
CMD websnort
Protip:
malware-traffic-analysis.net has great PCAPs for testing your security tools.
WebSnort Docker Container
