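# Compose stack: a Snort 3 sensor plus two Python helper containers. All three
# services share ./snort/snort-logs and ./snort/local.rules via bind mounts.
version: '3.8'

services:
  snort:
    # NOTE(review): ":latest" is a moving tag. Pin a specific tag or an image
    # digest so every deployment runs the sensor build that was reviewed.
    image: ciscotalos/snort3:latest
    # NOTE(review): root + host networking + privileged gives this container
    # close to host-level access. Host networking is presumably needed so Snort
    # can open the host interface named below. For packet capture alone,
    # cap_add with NET_ADMIN and NET_RAW is usually sufficient -- test that and
    # drop "privileged: true" if capture still works.
    user: "root"
    network_mode: host
    privileged: true
    volumes:
      # Pushed all Snort-related mounts into the ./snort directory
      - ./snort/snort-logs:/var/log/snort
      # Read-only here: Snort only loads this file (-R below), matching the
      # other rule and config mounts.
      - ./snort/local.rules:/etc/snort/rules/local.rules:ro
      - ./snort/snort3-community.rules:/etc/snort/rules/snort3-community.rules:ro
      - ./snort/snort.lua:/home/snorty/snort3/etc/snort/snort.lua:ro
    entrypoint: ["/home/snorty/snort3/bin/snort"]
    command:
      - "-c"
      - "/home/snorty/snort3/etc/snort/snort.lua"
      - "-R"
      - "/etc/snort/rules/local.rules"
      # NOTE: Users cloning this must change the interface to match their machine
      - "-i"
      - "enp1s0f0"
      - "-l"
      - "/var/log/snort"
      # Enables the JSON alert logger writing to a file under the -l directory.
      - "--lua"
      - "alert_json = { file = true }"
      # Capture filter: broadcast and multicast frames are not inspected.
      - "--bpf"
      - "not broadcast and not multicast"

  webhook-shipper:
    image: python:3.11-slim
    restart: unless-stopped
    volumes:
      # Updated paths for logs, rules, and the python script
      # NOTE(review): logs and rules are mounted read-write. If main.py only
      # reads them, add ":ro" to both -- confirm against main.py first.
      - ./snort/snort-logs:/var/log/snort
      - ./app/main.py:/app/main.py:ro
      - ./snort/local.rules:/app/local.rules
    environment:
      # Both values are interpolated by Compose from the shell or a .env file.
      # Keep that file out of version control; an unset variable becomes an
      # empty string inside the container.
      - WEBHOOK_URL=${WEBHOOK_URL}
      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY}
    working_dir: /app
    # NOTE(review): "requests" is fetched from PyPI, unpinned, on every start.
    # A small image built from a pinned (ideally hash-checked) requirements
    # file removes the start-time network dependency and version drift.
    command: sh -c "pip install --no-cache-dir requests && python -u main.py"

  soc-dashboard:
    image: python:3.11-slim
    restart: unless-stopped
    ports:
      # NOTE(review): published on every host interface, and uvicorn listens on
      # 0.0.0.0. No authentication is visible in this file. Unless dashboard.py
      # enforces it, publish as "127.0.0.1:5050:5050" or put an authenticating
      # reverse proxy in front.
      - "5050:5050"
    volumes:
      # Updated paths for logs, rules, and the dashboard script
      # NOTE(review): local.rules is writable from this container, presumably
      # so the dashboard can edit rules -- confirm. If so, access to port 5050
      # is access to the detection ruleset.
      - ./snort/snort-logs:/var/log/snort
      - ./snort/local.rules:/etc/snort/rules/local.rules
      - ./app/dashboard.py:/app/dashboard.py:ro
    working_dir: /app
    # --no-cache-dir added for consistency with webhook-shipper. The
    # unpinned-install note on that service applies to these packages as well.
    command: >
      sh -c "pip install --no-cache-dir fastapi uvicorn python-multipart &&
      uvicorn dashboard:app --host 0.0.0.0 --port 5050"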