[Snort-users] pf_ring, openfpc, snort and snorby

Matheus Condi'ez conma293 at ...11827...
Tue Dec 2 22:52:15 EST 2014

In short, after many builds of snort sensors I am about to start off on a
new journey of discovery which will potentially send me mad.

My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native, with
snort sitting on top as a guest vm.

Has anyone had any experience with PF_Ring and snort, or PF_Ring and snort?

I am aware that I will have to patch PF_Ring onto both the host and the guest
OSes for this to work.

I am also aware that I will most likely have to build and configure OpenFPC
and/or Snort to be PF_Ring aware.

If I do this but then attempt to run a version of Snort and/or OpenFPC that
is not configured to handle PF_Ring, will it take it?

Finally - I want to send all this information to a centralised Snorby GUI,
so another question is, how do I get Snorby to differentiate between
different sensor IPs to grab the pcaps from the different OpenFPC

I'm sure someone has been overly ambitious and has attempted some, if not
all of this before.

Any guidance would be much appreciated.

