[Snort-users] pf_ring, openfpc, snort and snorby
conma293 at ...11827...
Fri Dec 5 19:16:29 EST 2014
So Kevin, yeah, I love bro and will be running it as a guest VM (probably as
a second sensor).
OK, so this is my new plan (no pf_ring):
Redhat server running openfpc and v box.
Fedora guest running snort (with this new app ID thing!)
Seconion guest running bro.
I'm gonna put a splunk forwarder on the guests and also get snort to write
to snorby db.
On 6/12/2014 12:25 PM, "Kevin Ross" <kevross33 at ...14012...> wrote:
> You could also try moloch for your PCAP if you have the resources:
> and also you should give bro-ids a try to complement snort with lots of
> metadata & use scripts like this
> in order to check certain filetypes automatically to see if VirusTotal has
> seen them.
> You could then index your snort and bro logs into something like an ELK
> install or ELSA https://www.youtube.com/watch?v=INRJZ3_Dsyc and
> I find bro provides great metadata around a connection (connections, HTTP
> information, file types returned, email metadata, self-signed certs and so
> on). Also, for the amount of metadata you get, I find it provides a great
> longer-term option for analysis if you are looking at something which has
> already been rotated from your PCAPs.
> Kind Regards,
> Kevin Ross
> On 3 December 2014 at 03:52, Matheus Condi'ez <conma293 at ...11827...> wrote:
>> In short, after many builds of snort sensors I am about to start off on a
>> new journey of discovery which will potentially send me mad.
>> My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
>> with snort sitting on top as a guest vm.
>> Has anyone had any experience with PF_Ring and snort, or PF_Ring and
>> I am aware that I will have to patch PF_Ring onto both the host and the
>> guest OSes for this to work.
>> I am also aware that I will most likely have to build and configure OpenFPC
>> and/or Snort as PF_Ring aware?
>> If I do this but then attempt to run a version of Snort and/or OpenFPC
>> that is not configured to handle PF_Ring, will it take it?
>> Finally - I want to send all this information to a centralised Snorby
>> GUI, so another question is, how do I get Snorby to differentiate between
>> different sensor IPs to grab the pcaps from the different OpenFPC
>> I'm sure someone has been overly ambitious and has attempted some, if not
>> all of this before..
>> Any guidance would be much appreciated.