[Snort-users] pf_ring, openfpc, snort and snorby

Doug Burks doug.burks at ...11827...
Wed Dec 3 07:22:25 EST 2014


Hi Matheus,

Have you considered Security Onion?  It includes Snort, Snorby, PF_RING,
Bro, full packet capture, and many other tools.

http://securityonion.net



On Wednesday, December 3, 2014, Matheus Condi'ez <conma293 at ...11827...> wrote:

> Excellent. Yeah, I had actually thought it wouldn't be too strenuous to go
> and interrogate the individual sensors rather than rely on snorby, as
> timings may wander anyway.
>
> Ah good, I very much intended to put bro in there as well, in a separate
> VM. What is ntop?
>
> The reason I like VMs is so I can do hot swaps of new snort images,
> differentiate images between sensor points etc. and roll back if something
> goes wrong (which it does).
>
> But it sounds like you could give me some pointers :-)
>
> Also, having said that, Jeremy, if we had only 4-6 sensors that should not
> time out?
> How did you get snorby to differentiate? There seems to be only one field
> for a single IP.
> On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>
>> At my last job we ran OpenFPC (daemon logger) and snort on top of pf_ring
>> along with bro and ntop, all in the same user space.  Why run snort in a
>> VM?
>>
>> We didn't use snorby to pull the packets; we used the openfpc-client
>> directly with the sensor information.  The way snorby did it, if the sensor
>> was too far down in the list (we had 50+) it would time out, so it was
>> easier to query the target sensor individually rather than all of them.
>>
>> On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 at ...11827...> wrote:
>>
>>> In short, after many builds of snort sensors I am about to start off on
>>> a new journey of discovery which will potentially send me mad.
>>>
>>> My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
>>> with snort sitting on top as a guest vm.
>>>
>>> Has anyone had any experience with PF_Ring and snort, or PF_Ring and
>>> snort?
>>>
>>> I am aware that I will have to patch PF_Ring onto both the host and the
>>> guest OSes for this to work.
>>>
>>> I am also aware that I will most likely have to build and configure OpenFPC
>>> and/or Snort as PF_Ring aware?
>>>
>>> If I do this but then attempt to run a version of Snort and/or OpenFPC
>>> that is not configured to handle PF_Ring, will it take it?
>>>
>>>
>>>
>>> Finally, I want to send all this information to a centralised Snorby
>>> GUI, so another question is: how do I get Snorby to differentiate between
>>> different sensor IPs to grab the pcaps from the different OpenFPC
>>> instances?
>>>
>>> I'm sure someone has been overly ambitious and has attempted some, if not
>>> all, of this before.
>>>
>>> Any guidance would be much appreciated.
>>>
>>> -conma

-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!