[Snort-users] pf_ring, openfpc, snort and snorby

Matheus Condi'ez conma293 at ...11827...
Fri Dec 5 19:06:06 EST 2014


Leon,

Thanks for the interest and reply.

Firstly, I have decided to park PF_RING for now, as it seemed like too
much work for a performance rather than utility reward - I want to focus on
pcaps.

So Leon, I've been interested in OpenFPC for a while now, and finally got some
time to have a crack at building it.

Now all the build docs seem to be Ubuntu, which is fine because Ubuntu is
usually a lot easier to get packages for, but the goal for me is to have a
Red Hat server hosting OpenFPC with Snort (and Bro) as guest VMs. I realize
this sounds similar to Security Onion, which is an awesome tool to roll out
in 5 seconds flat (in fact the Bro guest will probably be a Security Onion
sensor with only Bro), but I want more control.

So back to OFPC: I was building it on Fedora 19 and there's not that much
documentation out there. The biggest thing I found is that Fedora and Red
Hat have changed the Perl @INC folders (no perl_site!!), so the OFPC install
script needs to be modded. Apart from that, working through dependencies, I got
it working mostly - it says that cxtracker isn't on the system even though it
was found when installing (where is the log for starting OFPC??), and I
couldn't seem to access the GUI at ...274... - may have to re-initialise the
GUI db script.

But I'd be happy to share the build docs for Red Hat/Fedora once we get a
clean build going. Awesome tool!!

On 5/12/2014 11:17 PM, "Leon Ward (leonward)" <leonward at ...589...> wrote:

>  Hi,
>
>  An OpenFPC question, this gives me a chance to answer and add some quick
> project status info.
>
>  Finally - I want to send all this information to a centralised Snorby
> GUI, so another question is, how do I get Snorby to differentiate between
> different sensor IP's to grab the pcaps from the difference OpenFPC
> instances?
>
>
>  The first part is more of a Snorby question than one for OpenFPC, in
> that is there anything in the event that can be used to associate the event
> to a capture device? Not being a Snorby user I assume there must be
> something that identifies where the Snort event comes from?
>
>  If so, this should be doable. OFPC in a ‘proxy’ mode, as I call it
> (really need to rename that to something more descriptive) can go process
> an extraction from a target device for you, then give it back to the
> requestor. There is a simple key/value text file that provides ‘routing’
> information of how to connect to the device that has the pcaps you want to
> extract.
>
>  E.g.
>
>  new_york=1.1.1.1:4242:auth_data
>
>  So if the event comes from the snort device “new_york”, it can go grab
> the pcaps from that device for you. The API that is used by Snorby is
> pretty basic. I knocked it together in a hotel room one evening as a bit of
> a proof of concept rather than something robust. I just took a quick look
> at the code and it looks like it should correctly pass an argument of
> ‘device’ in the URI for extraction. That provides the above function. I’ve
> recently been working on an actual rest API, but it’s not ready for use yet
> (and I’ve not pushed it to Github), that will handle this use case for
> sure. I expect I’ll have that ready in the next week or so, but real work
> keeps getting in the way. That will have full documentation.
>
>  On a side note,  if you didn’t know that OpenFPC had moved to github,
> you’re clearly running some old code, perhaps you should take a look at
> some of the changes.
>
>  Cheers
>
>  -Leon
>
>
>   On 3 Dec 2014, at 19:01, Matheus Condi'ez <conma293 at ...11827...> wrote:
>
>  Hey Doug, yes I have. Security Onion is a powerful tool and I will most
> likely use it for my Bro implementation as a stand-alone sensor. However, it
> has some limitations and we require a central database partitioned away
> from the VM etc., so Security Onion at this stage is in the mix but won't be
> used in anger.
> On 4/12/2014 1:22 AM, "Doug Burks" <doug.burks at ...11827...> wrote:
>
>> Hi Matheus,
>>
>>  Have you considered Security Onion?  It includes Snort, Snorby,
>> PF_RING, Bro, full packet capture, and many other tools.
>>
>>  http://securityonion.net
>>
>>
>>
>> On Wednesday, December 3, 2014, Matheus Condi'ez <conma293 at ...11827...>
>> wrote:
>>
>>> Excellent. Yeah, I had actually thought it wouldn't be too strenuous to go
>>> and interrogate the individual sensors rather than rely on Snorby, as
>>> timings may wander anyway.
>>>
>>> Ah good, I very much intended to put Bro in there as well, in a separate
>>> VM. What is ntop?
>>>
>>> The reason I like VMs is so I can do hot swaps of new Snort images,
>>> differentiate images between sensor points etc. and roll back if something
>>> goes wrong (which it does).
>>>
>>> But it sounds like you could give me some pointers :-)
>>>
>>> Also, having said that, Jeremy, if we had only 4-6 sensors that should
>>> not time out?
>>> How did you get Snorby to differentiate? There seems to be only one
>>> field for a single IP.
>>>  On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>>
>>>> At my last job we ran OpenFPC (daemonlogger) and Snort on top of
>>>> PF_RING along with Bro and ntop, all in the same user space. Why run
>>>> Snort in a VM?
>>>>
>>>>  We didn't use Snorby to pull the packets; we used the openfpc-client
>>>> directly with the sensor information. The way Snorby did it, if the sensor
>>>> was too far down in the list (we had 50+) it would time out, so it was
>>>> easier to query the target sensor individually rather than all of them.
>>>>
>>>> On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 at ...11827...>
>>>> wrote:
>>>>
>>>>> In short, after many builds of snort sensors I am about to start off
>>>>> on a new journey of discovery which will potentially send me mad.
>>>>>
>>>>>  My goal is to create a sensor(s) which runs OpenFPC on PF_Ring
>>>>> native, with snort sitting on top as a guest vm.
>>>>>
>>>>>  Has anyone had any experience with PF_Ring and snort, or PF_Ring and
>>>>> snort?
>>>>>
>>>>>  Am aware that I will have to patch PF_Ring onto both the host and
>>>>> the guest OS's for this to work.
>>>>>
>>>>>  Am also aware that most likely will have to build and configure
>>>>> OpenFPC and/or Snort as PF_Ring aware?
>>>>>
>>>>>  If I do this but then attempt to run a version of Snort and/or
>>>>> OpenFPC that is not configured to handle PF_Ring, will it take it?
>>>>>
>>>>>
>>>>>
>>>>>  Finally - I want to send all this information to a centralised
>>>>> Snorby GUI, so another question is, how do I get Snorby to differentiate
>>>>> between different sensor IP's to grab the pcaps from the difference OpenFPC
>>>>> instances?
>>>>>
>>>>>  I'm sure someone has been overly ambitious and has attempted some, if
>>>>> not all, of this before...
>>>>>
>>>>>  any guidance would be muchly appreciated.
>>>>>
>>>>>  -conma
>>>>>
>>
>> --
>> Doug Burks
>> Need Security Onion Training or Commercial Support?
>> http://securityonionsolutions.com
>> Last day to register for 3-Day Training Class in Augusta GA is 12/11!
>>
>
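Leon's description above of the proxy-mode routing file (one line of the form `new_york=1.1.1.1:4242:auth_data`) and of the `device` argument passed in the extraction URI point at a check a defender would want in that path: parse the routing file strictly, and validate the device name taken from the request before using it to look up which capture host to contact. The following Python is an added example, not OpenFPC's own code. The field layout `name=host:port:auth_data` follows Leon's example line; the sample routing file is constructed; the allowed device-name pattern and the `Route`, `parse_routing` and `route_for_device` names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of the key/value routing file Leon describes:
# one "device_name=host:port:auth_data" entry per line. Two deliberately
# malformed lines are included to show how they are reported rather than
# silently accepted.
ROUTING_FILE = """\
# OpenFPC proxy-mode routing (constructed sample)
new_york=1.1.1.1:4242:auth_data
london=10.0.0.5:4242:s3cret:with:colons
bad_line_without_equals
chicago=10.0.0.7:notaport:x
"""

# Assumption: device names are short identifiers. Anything else arriving via
# the 'device' URI argument is rejected before it reaches the lookup.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


@dataclass(frozen=True)
class Route:
    host: str
    port: int
    auth: str


def parse_routing(text):
    """Parse routing lines into {device_name: Route}.

    Returns (routes, errors); errors is a list of (line_number, message)
    for every line that was skipped.
    """
    routes = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition("=")
        name = name.strip()
        if not sep:
            errors.append((lineno, "missing '='"))
            continue
        if not DEVICE_NAME_RE.fullmatch(name):
            errors.append((lineno, "bad device name %r" % name))
            continue
        # Split only twice so auth_data may itself contain ':'.
        parts = rest.split(":", 2)
        if len(parts) != 3:
            errors.append((lineno, "expected host:port:auth_data"))
            continue
        host, port_s, auth = parts
        if not host or not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            errors.append((lineno, "bad host or port in %r" % rest))
            continue
        if name in routes:
            errors.append((lineno, "duplicate device %r" % name))
            continue
        routes[name] = Route(host, int(port_s), auth)
    return routes, errors


def route_for_device(routes, device):
    """Look up the capture device named in a request's 'device' argument.

    The name is validated against the same pattern as the file, so an
    unexpected value (empty, path-like, oversized) returns None instead of
    being used as a key or interpolated anywhere.
    """
    if not isinstance(device, str) or not DEVICE_NAME_RE.fullmatch(device):
        return None
    return routes.get(device)


if __name__ == "__main__":
    routes, errors = parse_routing(ROUTING_FILE)
    for name, r in sorted(routes.items()):
        print("%-10s -> %s:%d" % (name, r.host, r.port))
    for lineno, msg in errors:
        print("line %d skipped: %s" % (lineno, msg))
    print(route_for_device(routes, "new_york"))
    print(route_for_device(routes, "../new_york"))
```

Two design points: the split on ':' is limited to two so that auth data containing a colon still round-trips, and the same name pattern is applied both when reading the file and when handling a request, so the lookup never sees a value the file could not have contained.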