[Snort-users] pf_ring, openfpc, snort and snorby
doug.burks at ...11827...
Wed Dec 3 07:22:25 EST 2014
Have you considered Security Onion? It includes Snort, Snorby, PF_RING,
Bro, full packet capture, and many other tools.
On Wednesday, December 3, 2014, Matheus Condi'ez <conma293 at ...11827...> wrote:
> Excellent, yeah, I had actually thought it wouldn't be too strenuous to go
> and interrogate the individual sensors rather than rely on snorby as
> timings may wander anyways.
> Ah good, I very much intended to put bro in there as well, in a separate
> vm. What is ntop?
> The reason I like vms is so I can do hot swaps of new snort images,
> differentiate images between sensor points etc and roll back if something
> goes wrong (which it does)
> But it sounds like you could give me some pointers :-)
> Also, having said that jeremy if we had only 4-6 sensors that should be not
> How did you get snorby to differentiate? There seems to be only one field
> for a single ip.
> On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel at ...11827...
>> At my last job we ran OpenFPC (daemon logger) and snort on top of pf_ring
>> along with bro and ntop.. all in the same user space. Why run snort in a
>> We didn't use snorby to pull the packets, we used the openfpc-client
>> directly with the sensor information. The way snorby did it, if the sensor
>> was too far down in the list (we had 50+) it would time out, so it was
>> easier to query the target sensor individually rather than all of them.
>> On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 at ...11827...
>>> In short, after many builds of snort sensors I am about to start off on
>>> a new journey of discovery which will potentially send me mad.
>>> My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
>>> with snort sitting on top as a guest vm.
>>> Has anyone had any experience with PF_Ring and snort, or PF_Ring and
>>> Am aware that I will have to patch PF_Ring onto both the host and the
>>> guest OS's for this to work.
>>> Am also aware that most likely will have to build and configure OpenFPC
>>> and/or Snort as PF_Ring aware?
>>> If I do this but then attempt to run a version of Snort and/or OpenFPC
>>> that is not configured to handle PF_Ring, will it take it?
>>> Finally - I want to send all this information to a centralised Snorby
>>> GUI, so another question is, how do I get Snorby to differentiate between
>>> different sensor IPs to grab the pcaps from the different OpenFPC
>>> I'm sure someone has been overly ambitious and has attempted some, if not
>>> all of this before..
>>> Any guidance would be much appreciated.
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!