[Snort-users] pf_ring, openfpc, snort and snorby

Matheus Condi'ez conma293 at ...11827...
Fri Dec 5 19:16:29 EST 2014


So Kevin, yeah, I love Bro and will be running it as a guest VM (probably as
a second sensor).

OK, so this is my new plan (no pf_ring):

Red Hat server running OpenFPC and VirtualBox.

Fedora guest running Snort (with this new AppID thing!).

Security Onion guest running Bro.

I'm gonna put a Splunk forwarder on the guests and also get Snort to write
to the Snorby DB.

On 6/12/2014 12:25 PM, "Kevin Ross" <kevross33 at ...14012...> wrote:

> you could also try moloch for your PCAP if you have the resources:
>
> https://github.com/aol/moloch
>
> http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/
>
> and also you should give Bro IDS a try to complement Snort with lots of
> metadata & use scripts like this
> https://github.com/sooshie/bro-scripts/blob/master/2.2-scripts/vt_check.bro
> in order to check certain file types automatically to see if VirusTotal has
> seen them.
>
> You could then index your Snort and Bro logs into something like an ELK
> install or ELSA: https://www.youtube.com/watch?v=INRJZ3_Dsyc and
> https://www.youtube.com/watch?v=d4rINH22MYo
>
> I find Bro provides great metadata around a connection (connections, HTTP
> information, file types returned, email metadata, self-signed certs and so
> on). Also, for the amount of metadata you get, I find it provides a great
> longer-term option for analysis if you are looking at something which has
> already been rotated from your PCAPs.
>
>
> Kind Regards,
> Kevin Ross
>
> On 3 December 2014 at 03:52, Matheus Condi'ez <conma293 at ...11827...> wrote:
>
>> In short, after many builds of Snort sensors I am about to start off on a
>> new journey of discovery which will potentially send me mad.
>>
>> My goal is to create a sensor (or sensors) which runs OpenFPC on PF_Ring natively,
>> with Snort sitting on top as a guest VM.
>>
>> Has anyone had any experience with PF_Ring and Snort, or PF_Ring and
>> Snort?
>>
>> I am aware that I will have to patch PF_Ring onto both the host and the
>> guest OSes for this to work.
>>
>> I am also aware that I will most likely have to build and configure OpenFPC
>> and/or Snort as PF_Ring-aware.
>>
>> If I do this but then attempt to run a version of Snort and/or OpenFPC
>> that is not configured to handle PF_Ring, will it take it?
>>
>> Finally, I want to send all this information to a centralised Snorby
>> GUI, so another question is: how do I get Snorby to differentiate between
>> different sensor IPs to grab the PCAPs from the different OpenFPC
>> instances?
>>
>> I'm sure someone has been overly ambitious and has attempted some, if not
>> all, of this before.
>>
>> Any guidance would be muchly appreciated.
>>
>> -conma
>>