Snort mailing list archives
Re: pf_ring, openfpc, snort and snorby
From: "Matheus Condi'ez" <conma293 () gmail com>
Date: Sat, 6 Dec 2014 13:06:06 +1300
Leon, Thanks for the interest and reply. Firstly I have decided to park Pf _ RING for now as it seemed like too much work for a performance rather than utility reward - I Wana focus on pcaps. So Leon, I've been interested in openfpc for a while now, finally got some time to have a crack at building it. Now all the build docs seem to be Ubuntu which is fine cos Ubuntu is usually a lot easier to get packages for but the goal for me is to have a red hat server hosting openfpc with snort (and bro) as guest vms. I realize this sounds similar to security onion which is an awesome tool to roll out in 5 seconds flat (in fact the bro guest will probably be sec onion sensor with only bro) but I want more control. So back to ofpc, was building it on fedora 19 and there's not that much documentation out there - the biggest thing I found is that fedora and red hat have changed the perl @INC folders (no perl_site!!) so the ofpc install script needs to be modded. Apart from that working with dependencies I got it working mostly - says that cxtracker isn't on the system even tho it was found when installing (where is the log for starting ofpc??) And I couldn't seem to access the gui@localhost - may have to re initialise the gui db script. But I'd be happy to share the build docs for redhat/fedora once we get a clean build going. Awesome tool!! On 5/12/2014 11:17 PM, "Leon Ward (leonward)" <leonward () cisco com> wrote:
Hi, An OpenFPC question, this gives me a chance to answer and add some quick project status info. Finally - I want to send all this information to a centralised Snorby GUI, so another question is, how do I get Snorby to differentiate between different sensor IP's to grab the pcaps from the difference OpenFPC instances? The first part is more of a Snorby question than one for OpenFPC, in that is there anything in the event that can be used to associate the event to a capture device? Not being a Snorby user I assume there must be something that identifies where the Snort event comes from? If so, this should be doable. OFPC in a ‘proxy’ mode as to call it (really need to rename that to something more descriptive) can go process an extraction from a target device for you, then give it back to the requestor. There is a simple key/value text file that provides ‘routing’ information of how to connect to the device that has the pcaps you want to extract. E.g. new_york=1.1.1.1:4242:auth_data So if the event comes from the snort device “new_york”, it can go grab the pcaps from that device for you. The API that is used by Snorby is pretty basic. I knocked it together in a hotel room one evening as a bit of a proof of concept rather than something robust. I just took a quick look at the code and it looks like it should correctly pass an argument of ‘device’ in the URI for extraction. That provides the above function. I’ve recently been working on an actual rest API, but it’s not ready for use yet (and I’ve not pushed it to Github), that will handle this use case for sure. I expect I’ll have that ready in the next week or so, but real work keeps getting in the way. That will have full documentation. On a side note, if you didn’t know that OpenFPC had moved to github, you’re clearly running some old code, perhaps you should take a look at some of the changes. Cheers -Leon On 3 Dec 2014, at 19:01, Matheus Condi'ez <conma293 () gmail com> wrote: Hey Doug, yes I have, security onion is a powerful tool and will most likely use it for my bro implementation as a stand alone sensor. However it has some limitations and we require a central database partitioned away from the vm etc so seconion at this stage is in the mix hut won't be used in anger On 4/12/2014 1:22 AM, "Doug Burks" <doug.burks () gmail com> wrote:Hi Matheus, Have you considered Security Onion? It includes Snort, Snorby, PF_RING, Bro, full packet capture, and many other tools. http://securityonion.net On Wednesday, December 3, 2014, Matheus Condi'ez <conma293 () gmail com> wrote:Excellent, Yeh I had actually thought it wouldn't be too strenuous to go and interrogate the individual sensors rather than rely on snorby as timings may wander anyways. Ah good I very much intended to put bro in there as well, in a separate vm. What is n top? The reason I like vms is so I can do hot swaps of new snort images, differentiate images between sensor points etc and roll back if something goes wrong (which it does) But it sounds like you could give me some pointers :-) Also Having said that jeremy if we had only 4-6 sensors that should be not timeout? How did you get snorby to differentiate, there seems to be only one field for a single ip? On 3/12/2014 7:06 PM, "Jeremy Hoel" <jthoel () gmail com> wrote:At my last job we ran OpenFPC (deamon logger) and snort on top of pf_ring along with bro and ntop.. all in the same user space. Why run snort in a VM? We didn't use snorby to pull the packets, we used the openfpc-client directly with the sensor information. The way snorby did it, if the sensor was to far down in the list (we had 50+) it would time out, so it was easier to query the target sensor individually rather then all of them. On Tue, Dec 2, 2014 at 8:52 PM, Matheus Condi'ez <conma293 () gmail com> wrote:In short, after many builds of snort sensors I am about to start off on a new journey of discovery which will potentially send me mad. My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native, with snort sitting on top as a guest vm. Has anyone had any experience with PF_Ring and snort, or PF_Ring and snort? Am aware that I will have to patch PF_Ring onto both the host and the guest OS's for this to work. Am also aware that most likely will have to build and configure OpenFPC and/or Snort as PF_Ring aware? If I do this but then attempt to run a version of Snort and/or OpenFPC that is not configured to handle PF_Ring, will it take it? Finally - I want to send all this information to a centralised Snorby GUI, so another question is, how do I get Snorby to differentiate between different sensor IP's to grab the pcaps from the difference OpenFPC instances? im sure someone has been overly ambitious and has attempted some, if not all of this before.. any guidance would be muchly appreciated. -conma ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Doug Burks Need Security Onion Training or Commercial Support? http://securityonionsolutions.com Last day to register for 3-Day Training Class in Augusta GA is 12/11!------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- pf_ring, openfpc, snort and snorby Matheus Condi'ez (Dec 02)
- Re: pf_ring, openfpc, snort and snorby Jeremy Hoel (Dec 02)
- Re: pf_ring, openfpc, snort and snorby Matheus Condi'ez (Dec 03)
- Re: pf_ring, openfpc, snort and snorby Doug Burks (Dec 03)
- Re: pf_ring, openfpc, snort and snorby Matheus Condi'ez (Dec 03)
- Re: pf_ring, openfpc, snort and snorby Leon Ward (leonward) (Dec 05)
- Re: pf_ring, openfpc, snort and snorby Matheus Condi'ez (Dec 05)
- Re: pf_ring, openfpc, snort and snorby Matheus Condi'ez (Dec 03)
- Re: pf_ring, openfpc, snort and snorby Jeremy Hoel (Dec 02)
- Re: pf_ring, openfpc, snort and snorby Jeremy Hoel (Dec 03)
- Re: pf_ring, openfpc, snort and snorby Matheus Condi'ez (Dec 05)