This is a Docker image with a ready-to-use Snort and PulledPork install. Just provide your oinkcode.
First, check out this git repository. It contains a launcher script that should be run instead of running docker directly, to make sure everything is set up properly. If you need further customization, the script can serve as a template.
git clone https://github.com/jasonish/docker-snort.git
cd docker-snort
echo OINKCODE=<YOUR_OINKCODE> >> config
./launcher run /tools/update-rules
./launcher run snort -c /etc/snort/snort.conf -i <interface>
The path to the snort.conf is the path inside the container rather than on the host.
By default, the launcher script starts Docker with host networking to give Snort access to the host interfaces.
tail -f ./data/var/log/snort/alert
Note that the above command is run outside of the container. By default, Snort will log to /data/var/log/snort, which is mapped into the ./data directory on the host.
After you have run the container at least once, you will find the basic set of PulledPork configuration files in ./data/etc. Just edit these files as you normally would, then run:
./launcher run /tools/update-rules
Then restart Snort.
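A rule set that fails to parse will keep Snort from starting after the restart. The following is an added example, not part of the docker-snort project: it runs the rule update and then Snort's test mode (`-T`) through the launcher, so the restart only happens once the configuration loads cleanly. It assumes it is run from the repository checkout, that `config` holds `OINKCODE=` lines as written above, and that the launcher passes `snort -T` through like any other command; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not code from the docker-snort repository.
# LAUNCHER and CONFIG default to the files in the checkout and can be
# overridden (assumption: the script is run from the checkout directory).
LAUNCHER="${LAUNCHER:-./launcher}"
CONFIG="${CONFIG:-./config}"

# Return 0 if CONFIG defines a non-empty OINKCODE that is not the
# <YOUR_OINKCODE> placeholder left in by mistake.
have_oinkcode() {
    [ -f "$CONFIG" ] || return 1
    # The setup step appends with >>, so look at the last assignment
    # (assumption: later lines win when the launcher reads the file).
    code=$(sed -n 's/^OINKCODE=//p' "$CONFIG" | tail -n 1)
    case "$code" in
        ""|"<"*) return 1 ;;
    esac
    return 0
}

# Update the rules, then let Snort parse the result in test mode (-T).
# Exit status: 0 = safe to restart, 1 = no oinkcode,
#              2 = rule update failed, 3 = Snort rejected the configuration.
update_and_validate() {
    have_oinkcode || {
        echo "OINKCODE missing or still a placeholder in $CONFIG" >&2
        return 1
    }
    "$LAUNCHER" run /tools/update-rules || {
        echo "rule update failed" >&2
        return 2
    }
    # The snort.conf path is the path inside the container.
    "$LAUNCHER" run snort -T -c /etc/snort/snort.conf || {
        echo "snort -T failed; leave the running sensor as it is" >&2
        return 3
    }
    return 0
}
```

Source the file and call `update_and_validate`; restart Snort only when it returns 0.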