[Snort-users] pf_ring, openfpc, snort and snorby

Matheus Condi'ez conma293 at ...11827...
Wed Dec 3 14:01:54 EST 2014


Hey Doug, yes I have. Security Onion is a powerful tool and I will most
likely use it for my Bro implementation as a stand-alone sensor. However, it
has some limitations, and we require a central database partitioned away
from the VM etc., so SecOnion at this stage is in the mix but won't be used
in anger.
On 4/12/2014 1:22 AM, "Doug Burks" <doug.burks at ...11827...> wrote:

> Hi Matheus,
>
> Have you considered Security Onion?  It includes Snort, Snorby, PF_RING,
> Bro, full packet capture, and many other tools.
>
> http://securityonion.net
>
>
>
> On Wednesday, December 3, 2014, Matheus Condi'ez <conma293 at ...11827...>
> wrote:
>
>> Excellent. Yeah, I had actually thought it wouldn't be too strenuous to go
>> and interrogate the individual sensors rather than rely on Snorby, as
>> timings may wander anyway.
>>
>> Ah good, I very much intended to put Bro in there as well, in a separate
>> VM. What is ntop?
>>
>> The reason I like VMs is so I can do hot swaps of new Snort images,
>> differentiate images between sensor points etc. and roll back if something
>> goes wrong (which it does).
>>
>> But it sounds like you could give me some pointers :-)
>>
>> Also, having said that, Jeremy, if we had only 4-6 sensors, that should
>> not time out?
>> How did you get Snorby to differentiate? There seems to be only one field
>> for a single IP.
>> On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>
>>> At my last job we ran OpenFPC (daemonlogger) and Snort on top of
>>> PF_RING along with Bro and ntop, all in the same user space. Why run
>>> Snort in a VM?
>>>
>>> We didn't use Snorby to pull the packets; we used the openfpc-client
>>> directly with the sensor information. The way Snorby did it, if the sensor
>>> was too far down in the list (we had 50+) it would time out, so it was
>>> easier to query the target sensor individually rather than all of them.
>>>
>>> On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 at ...11827...>
>>> wrote:
>>>
>>>> In short, after many builds of snort sensors I am about to start off on
>>>> a new journey of discovery which will potentially send me mad.
>>>>
>>>> My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
>>>> with snort sitting on top as a guest vm.
>>>>
>>>> Has anyone had any experience with PF_Ring and snort, or PF_Ring and
>>>> snort?
>>>>
>>>> Am aware that I will have to patch PF_Ring onto both the host and the
>>>> guest OS's for this to work.
>>>>
>>>> Am also aware that most likely will have to build and configure OpenFPC
>>>> and/or Snort as PF_Ring aware?
>>>>
>>>> If I do this but then attempt to run a version of Snort and/or OpenFPC
>>>> that is not configured to handle PF_Ring, will it take it?
>>>>
>>>>
>>>>
>>>> Finally - I want to send all this information to a centralised Snorby
>>>> GUI, so another question is, how do I get Snorby to differentiate between
>>>> different sensor IPs to grab the pcaps from the different OpenFPC
>>>> instances?
>>>>
>>>> I'm sure someone has been overly ambitious and has attempted some, if
>>>> not all of this before..
>>>>
>>>> Any guidance would be much appreciated.
>>>>
>>>> -conma
>>>>
>>>>
>>>>
>>>
>>>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
> Last day to register for 3-Day Training Class in Augusta GA is 12/11!
>
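Jeremy's approach above, querying the one OpenFPC sensor that holds an event's packets rather than letting Snorby walk the whole sensor list, as an added shell example that is not from this thread nor from the OpenFPC or Snorby projects. The sensor map file format, the openfpc-client flags used, the sample addresses and the use of GNU timeout are all assumptions; check them against your openfpc-client version before relying on the command it builds.

```shell
#!/bin/sh
# Added example: fetch pcaps from exactly one OpenFPC sensor per Snorby event.
# Assumptions (not from the thread): a map file with one "<sensor> <host> <port>"
# line per sensor, the openfpc-client flags below, and GNU coreutils `timeout`.
set -u

# Resolve a Snorby sensor name to the OpenFPC host:port that stores its pcaps.
# $1 = map file, $2 = sensor name. Prints "host:port"; exit 1 if not mapped.
sensor_endpoint() {
    awk -v n="$2" '$1 == n { print $2 ":" $3; f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# Build the fetch command for one event. The flag names are assumed.
# $1 = host:port, $2 = src IP, $3 = dst IP, $4 = epoch timestamp, $5 = output file
build_fetch_cmd() {
    host="${1%:*}"; port="${1##*:}"
    printf 'openfpc-client -a fetch --server %s --port %s --sip %s --dip %s -t %s -w %s' \
        "$host" "$port" "$2" "$3" "$4" "$5"
}

# Query only the sensor named in the event, bounded by a per-sensor timeout so
# a slow or dead sensor stalls one fetch instead of the whole sensor walk.
# $1 = map file, $2 = sensor, $3 = src IP, $4 = dst IP, $5 = timestamp, $6 = out
fetch_from_sensor() {
    endpoint=$(sensor_endpoint "$1" "$2") || { echo "unknown sensor: $2" >&2; return 2; }
    cmd=$(build_fetch_cmd "$endpoint" "$3" "$4" "$5" "$6")
    timeout "${PER_SENSOR_TIMEOUT:-30}" sh -c "$cmd"
}

# Constructed sample map and event (RFC 5737 documentation addresses) so the
# script demonstrates the lookup and the resulting command without a live sensor.
demo_map=$(mktemp)
trap 'rm -f "$demo_map"' EXIT
cat >"$demo_map" <<'EOF'
sensor-dmz  10.0.0.11 4242
sensor-core 10.0.0.12 4242
EOF
ep=$(sensor_endpoint "$demo_map" sensor-core)
echo "sensor-core -> $ep"
echo "would run: $(build_fetch_cmd "$ep" 192.0.2.10 198.51.100.20 1417658514 /tmp/sensor-core-event.pcap)"
```

Feeding the event's sensor name, IP pair and timestamp in from the Snorby event record and calling `fetch_from_sensor` gives one bounded request per event; an unmapped sensor name returns status 2 before any network call is made.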