Re: pf_ring, openfpc, snort and snorby

["Matheus Condi'ez" <conma293 () gmail com>]

Leon,

Thanks for the interest and reply.

Firstly I have decided to park Pf _ RING  for now as it seemed like too
much work for a performance rather than utility reward - I Wana focus on
pcaps.

So Leon,  I've been interested in openfpc for a while now, finally got some
time to have a crack at building it.

Now all the build docs seem to be Ubuntu which is fine cos Ubuntu is
usually a lot easier to get packages for but the goal for me is to have a
red hat server hosting openfpc with snort (and bro) as guest vms. I realize
this sounds similar to security onion which is an awesome tool to roll out
in 5 seconds flat (in fact the bro guest will probably be sec onion sensor
with only bro) but I want more control.

So back to ofpc, was building it on fedora 19 and there's not that much
documentation out there - the biggest thing I found is that fedora and red
hat have changed the perl @INC folders (no perl_site!!) so the ofpc install
script needs to be modded. Apart from that working with dependencies I got
it working mostly - says that cxtracker isn't on the system even tho it was
found when installing (where is the log for starting ofpc??) And I couldn't
seem to access the gui@localhost - may have to re initialise the gui db
script.

But I'd be happy to share the build docs for redhat/fedora once we get a
clean build going. Awesome tool!!
 On 5/12/2014 11:17 PM, "Leon Ward (leonward)" <leonward () cisco com> wrote:

>  Hi,
>
>  An OpenFPC question, this gives me a chance to answer and add some quick
> project status info.
>
>  Finally - I want to send all this information to a centralised Snorby
> GUI, so another question is, how do I get Snorby to differentiate between
> different sensor IP's to grab the pcaps from the difference OpenFPC
> instances?
>
>
>  The first part is more of a Snorby question than one for OpenFPC, in
> that is there anything in the event that can be used to associate the event
> to a capture device? Not being a Snorby user I assume there must be
> something that identifies where the Snort event comes from?
>
>  If so, this should be doable. OFPC in a ‘proxy’ mode as to call it
> (really need to rename that to something more descriptive) can go process
> an extraction from a target device for you, then give it back to the
> requestor. There is a simple key/value text file that provides ‘routing’
> information of how to connect to the device that has the pcaps you want to
> extract.
>
>  E.g.
>
>  new_york=1.1.1.1:4242:auth_data
>
>  So if the event comes from the snort device “new_york”, it can go grab
> the pcaps from that device for you. The API that is used by Snorby is
> pretty basic. I knocked it together in a hotel room one evening as a bit of
> a proof of concept rather than something robust. I just took a quick look
> at the code and it looks like it should correctly pass an argument of
> ‘device’ in the URI for extraction. That provides the above function. I’ve
> recently been working on an actual rest API, but it’s not ready for use yet
> (and I’ve not pushed it to Github), that will handle this use case for
> sure. I expect I’ll have that ready in the next week or so, but real work
> keeps getting in the way. That will have full documentation.
>
>  On a side note,  if you didn’t know that OpenFPC had moved to github,
> you’re clearly running some old code, perhaps you should take a look at
> some of the changes.
>
>  Cheers
>
>  -Leon
>
>
>   On 3 Dec 2014, at 19:01, Matheus Condi'ez <conma293 () gmail com> wrote:
>
>  Hey Doug,  yes I have, security onion is a powerful tool and will most
> likely use it for my bro implementation as a stand alone sensor. However it
> has some limitations and we require a central database partitioned away
> from the vm etc so seconion at this stage is in the mix hut won't be used
> in anger
> On 4/12/2014 1:22 AM, "Doug Burks" <doug.burks () gmail com> wrote:
>
> > Hi Matheus,
> >
> >  Have you considered Security Onion?  It includes Snort, Snorby,
> > PF_RING, Bro, full packet capture, and many other tools.
> >
> >  http://securityonion.net
> >
> >
> >
> > On Wednesday, December 3, 2014, Matheus Condi'ez <conma293 () gmail com>
> > wrote:
> >
> > > Excellent, Yeh I had actually thought it wouldn't be too strenuous to go
> > > and interrogate the individual sensors rather than rely on snorby as
> > > timings may wander anyways.
> > >
> > > Ah good I very much intended to put bro in there as well, in a separate
> > > vm. What is n top?
> > >
> > > The reason I like vms is so I can do hot swaps of new snort images,
> > > differentiate images between sensor points etc and roll back if something
> > > goes wrong (which it does)
> > >
> > > But it sounds like you could give me some pointers :-)
> > >
> > > Also Having said that jeremy if we had only 4-6 sensors that should be
> > > not timeout?
> > > How did you get snorby to differentiate, there seems to be only one
> > > field for a single ip?
> > >  On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel () gmail com> wrote:
> > >
> > > > At my last job we ran OpenFPC (deamon logger) and snort on top of
> > > > pf_ring along with bro and ntop..  all in the same user space.  Why run
> > > > snort in a VM?
> > > >
> > > >  We didn't use snorby to pull the packets, we used the openfpc-client
> > > > directly with the sensor information.  The way snorby did it, if the sensor
> > > > was to far down in the list (we had 50+) it would time out, so it was
> > > > easier to query the target sensor individually rather then all of them.
> > > >
> > > > On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 () gmail com>
> > > > wrote:
> > > >
> > > > > In short, after many builds of snort sensors I am about to start off
> > > > > on a new journey of discovery which will potentially send me mad.
> > > > >
> > > > >  My goal is to create a sensor(s) which runs OpenFPC on PF_Ring
> > > > > native, with snort sitting on top as a guest vm.
> > > > >
> > > > >  Has anyone had any experience with PF_Ring and snort, or PF_Ring and
> > > > > snort?
> > > > >
> > > > >  Am aware that I will have to patch PF_Ring onto both the host and
> > > > > the guest OS's for this to work.
> > > > >
> > > > >  Am also aware that most likely will have to build and configure
> > > > > OpenFPC and/or Snort as PF_Ring aware?
> > > > >
> > > > >  If I do this but then attempt to run a version of Snort and/or
> > > > > OpenFPC that is not configured to handle PF_Ring, will it take it?
> > > > >
> > > > >
> > > > >
> > > > >  Finally - I want to send all this information to a centralised
> > > > > Snorby GUI, so another question is, how do I get Snorby to differentiate
> > > > > between different sensor IP's to grab the pcaps from the difference OpenFPC
> > > > > instances?
> > > > >
> > > > >  im sure someone has been overly ambitious and has attempted some, if
> > > > > not all of this before..
> > > > >
> > > > >  any guidance would be muchly appreciated.
> > > > >
> > > > >  -conma
> > > > >
> > > > >
> > > > > ------------------------------------------------------------------------------
> > > > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > > > > from Actuate! Instantly Supercharge Your Business Reports and
> > > > > Dashboards
> > > > > with Interactivity, Sharing, Native Excel Exports, App Integration &
> > > > > more
> > > > > Get technology previously reserved for billion-dollar corporations,
> > > > > FREE
> > > > >
> > > > > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > Snort news!
> >
> > --
> > Doug Burks
> > Need Security Onion Training or Commercial Support?
> > http://securityonionsolutions.com
> > Last day to register for 3-Day Training Class in Augusta GA is 12/11!
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!