[Snort-users] pf_ring, openfpc, snort and snorby

Jeremy Hoel jthoel at ...11827...
Wed Dec 3 12:53:17 EST 2014


ntop is a tool by the makers of pf_ring.. http://www.ntop.org/

Snorby gets sensor information from the database that barnyard2 writes to.
In the barnyard2 config you give a sensor name and interface, and that's
what snorby uses to separate the sensors.  In regards to the OpenFPC part,
that's a different set of code; there's a config for openfpc's web
interface that you install on the snorby server and you list your
sensors and it works its way through the list, checking them all every
time you want to pull a packet.  At least, that was the way it worked when
we set it up a few years back.  There have been updates to the code, but I
don't think many updates to the web interface part.

I'm not sure what part you mean when you talk about "How did you get snorby
to differentiate, there seems to be only one field for a single ip?"

If you swap VMs you need to remember to keep each one with different
names, otherwise you'll probably end up confusing yourself when you look at
the alerts.  And, snort configs, rule updates etc, if that's on the snort
vm, you'll need to copy that over to each one and start over every time.

snort is pretty stable and doesn't mess up very much, so I still don't get
the idea for multiple snort vms, but hey.. try it out, why not.  :-)

On Wed, Dec 3, 2014 at 2:01 AM, Matheus Condi'ez <conma293 at ...11827...> wrote:

> Excellent, Yeh I had actually thought it wouldn't be too strenuous to go
> and interrogate the individual sensors rather than rely on snorby as
> timings may wander anyways.
>
> Ah good I very much intended to put bro in there as well, in a separate
> vm. What is ntop?
>
> The reason I like vms is so I can do hot swaps of new snort images,
> differentiate images between sensor points etc and roll back if something
> goes wrong (which it does)
>
> But it sounds like you could give me some pointers :-)
>
> Also, having said that Jeremy, if we had only 4-6 sensors that should not
> time out?
> How did you get snorby to differentiate, there seems to be only one field
> for a single ip?
> On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>
>> At my last job we ran OpenFPC (daemon logger) and snort on top of pf_ring
>> along with bro and ntop..  all in the same user space.  Why run snort in a
>> VM?
>>
>> We didn't use snorby to pull the packets, we used the openfpc-client
>> directly with the sensor information.  The way snorby did it, if the sensor
>> was too far down in the list (we had 50+) it would time out, so it was
>> easier to query the target sensor individually rather than all of them.
>>
>> On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 at ...11827...>
>> wrote:
>>
>>> In short, after many builds of snort sensors I am about to start off on
>>> a new journey of discovery which will potentially send me mad.
>>>
>>> My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
>>> with snort sitting on top as a guest vm.
>>>
>>> Has anyone had any experience with PF_Ring and snort, or PF_Ring and
>>> snort?
>>>
>>> Am aware that I will have to patch PF_Ring onto both the host and the
>>> guest OS's for this to work.
>>>
>>> Am also aware that most likely will have to build and configure OpenFPC
>>> and/or Snort as PF_Ring aware?
>>>
>>> If I do this but then attempt to run a version of Snort and/or OpenFPC
>>> that is not configured to handle PF_Ring, will it take it?
>>>
>>>
>>>
>>> Finally - I want to send all this information to a centralised Snorby
>>> GUI, so another question is, how do I get Snorby to differentiate between
>>> different sensor IP's to grab the pcaps from the different OpenFPC
>>> instances?
>>>
>>> I'm sure someone has been overly ambitious and has attempted some, if not
>>> all of this before..
>>>
>>> any guidance would be muchly appreciated.
>>>
>>> -conma