[Snort-users] pf_ring, openfpc, snort and snorby

Jeremy Hoel jthoel at ...11827...
Wed Dec 3 01:06:04 EST 2014


At my last job we ran OpenFPC (daemon logger) and snort on top of pf_ring
along with bro and ntop, all in the same user space. Why run snort in a
VM?

We didn't use snorby to pull the packets, we used the openfpc-client
directly with the sensor information. The way snorby did it, if the sensor
was too far down in the list (we had 50+) it would time out, so it was
easier to query the target sensor individually rather than all of them.

On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 at ...11827...> wrote:

> In short, after many builds of snort sensors I am about to start off on a
> new journey of discovery which will potentially send me mad.
>
> My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
> with snort sitting on top as a guest vm.
>
> Has anyone had any experience with PF_Ring and snort, or PF_Ring and snort?
>
> Am aware that I will have to patch PF_Ring onto both the host and the
> guest OS's for this to work.
>
> Am also aware that most likely will have to build and configure OpenFPC
> and/or Snort as PF_Ring aware?
>
> If I do this but then attempt to run a version of Snort and/or OpenFPC
> that is not configured to handle PF_Ring, will it take it?
>
>
>
> Finally - I want to send all this information to a centralised Snorby GUI,
> so another question is, how do I get Snorby to differentiate between
> different sensor IP's to grab the pcaps from the difference OpenFPC
> instances?
>
> I'm sure someone has been overly ambitious and has attempted some, if not
> all of this before..
>
> any guidance would be muchly appreciated.
>
> -conma
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>