Snort mailing list archives
Re: Rule Management UI
From: Jaime Nebrera <jnebrera () eneotecnologia com>
Date: Thu, 23 May 2013 18:14:48 +0200
Hi Agus,
> hehe.. Nice. Thanks Jaime! The site looks great! Will give it a try.
Great
> Also one thing that drew me a smile was the barnyard plugin for big data!
:D
> I will read how to implement this with logstash and ElasticSearch. I'm using redis as queue system as logstash has output/input plugins. Will read about kafka..
Actually we read the queue in different ways. As we can consider an event a subset of a standard log, we are working on solving that side in both areas, not just for Snort. Thus we do:

* Read the events (already enriched with metadata) for dashboards / GUI. This will show aggregated data and not in all fields, but will be screaming fast. The same would apply to other projects like Flow.
* Read RAW data and store it in some kind of schema-less system. We still have to decide quite a bit on how to do this part. Flow for example won't need this part, and this is why it is almost ready.
* Read the messages from a Correlation engine in order to produce further events by itself. We have decided the software we will employ for this, but it is not ready.

As for standard logs, an enhanced syslog server will process them and extract as much metadata as possible and inject this info in the Kafka system, where it will be pipelined into our whole infrastructure.

We fear Logstash won't be fast enough for what we are seeking (again, not just IDS events). ElasticSearch is for sure on our radar screen :)

Either way, as we suggested in the original post, we believe our patch to Barnyard will provide a lot of alternatives into the BigData realm. We are open to discuss ideas with the community :)

--
Jaime Nebrera - jnebrera () eneotecnologia com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
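The message above describes one enriched event stream being read three ways: aggregated for dashboards, stored raw in a schema-less store, and fed to a correlation engine that emits further events. The following is an added illustration of that fan-out pattern; it is not code from ENEO, Barnyard2, Snort or Logstash. Kafka is stood in for by an in-memory list of JSON lines so it runs offline, and the event field names, sensor names, signature ids (local-rule range) and sample alerts are all constructed for this example.

```python
"""Fan-out of enriched IDS events to three independent consumers.

Illustrative example only (not ENEO's, Barnyard2's or Snort's code). The
queue is an in-memory list standing in for a Kafka topic; the event
schema and the sample alerts below are constructed for this example.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: enriched Barnyard-style alerts (sensor name and GeoIP
# country already attached by the producer). Signature ids use the local-rule
# range (>= 1000000) precisely so they match no real ruleset.
SAMPLE_EVENTS = [
    {"ts": 1369325600, "sensor": "dmz-1", "sig_id": 1000001, "msg": "LOCAL example sig 1",
     "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22, "src_country": "XX"},
    {"ts": 1369325601, "sensor": "dmz-1", "sig_id": 1000001, "msg": "LOCAL example sig 1",
     "src": "198.51.100.7", "dst": "192.0.2.11", "dport": 22, "src_country": "XX"},
    {"ts": 1369325602, "sensor": "dmz-1", "sig_id": 1000002, "msg": "LOCAL example sig 2",
     "src": "198.51.100.7", "dst": "192.0.2.12", "dport": 80, "src_country": "XX"},
    {"ts": 1369325603, "sensor": "dmz-1", "sig_id": 1000003, "msg": "LOCAL example sig 3",
     "src": "198.51.100.7", "dst": "192.0.2.13", "dport": 443, "src_country": "XX"},
    {"ts": 1369325604, "sensor": "dmz-2", "sig_id": 1000001, "msg": "LOCAL example sig 1",
     "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22, "src_country": "YY"},
    {"ts": 1369325605, "sensor": "dmz-2", "sig_id": 1000001, "msg": "LOCAL example sig 1",
     "src": "203.0.113.5", "dst": "192.0.2.14", "dport": 22, "src_country": "YY"},
]


def publish(events):
    """Producer side: one JSON line per enriched event, as handed to the queue."""
    return [json.dumps(e, sort_keys=True) for e in events]


class DashboardAggregator:
    """Consumer 1: keeps a few counters only, never the full record."""

    def __init__(self):
        self.by_sig = Counter()
        self.by_src = Counter()

    def consume(self, line):
        ev = json.loads(line)
        self.by_sig[ev["sig_id"]] += 1
        self.by_src[ev["src"]] += 1


class RawArchive:
    """Consumer 2: append-only store of the untouched raw lines (schema-less)."""

    def __init__(self):
        self.lines = []

    def consume(self, line):
        self.lines.append(line)


class CorrelationEngine:
    """Consumer 3: emits a derived event the first time one source trips
    at least `threshold` distinct signatures."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.sigs_by_src = defaultdict(set)
        self.fired = set()      # sources already reported, to avoid repeats
        self.derived = []       # derived events, which could be re-published

    def consume(self, line):
        ev = json.loads(line)
        seen = self.sigs_by_src[ev["src"]]
        seen.add(ev["sig_id"])
        if len(seen) >= self.threshold and ev["src"] not in self.fired:
            self.fired.add(ev["src"])
            self.derived.append({"ts": ev["ts"], "type": "multi_signature_source",
                                 "src": ev["src"], "sig_ids": sorted(seen)})


def run_pipeline(events=SAMPLE_EVENTS, threshold=3):
    """Publish the events once and let every consumer read the same stream."""
    topic = publish(events)
    consumers = (DashboardAggregator(), RawArchive(), CorrelationEngine(threshold))
    for line in topic:
        for consumer in consumers:
            consumer.consume(line)
    return consumers


if __name__ == "__main__":
    dash, raw, corr = run_pipeline()
    print("per signature:", dict(dash.by_sig))
    print("per source:   ", dict(dash.by_src))
    print("raw lines:    ", len(raw.lines))
    print("derived:      ", corr.derived)
```

Each consumer holds its own position in the stream and keeps only what its job needs, which is the property that lets the dashboard stay fast while the archive keeps every field; the derived correlation events carry the same shape as the input so they could be published back onto the same queue.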