Snort mailing list archives
Re: pf_ring, openfpc, snort and snorby
From: "Matheus Condi'ez" <conma293 () gmail com>
Date: Sat, 6 Dec 2014 13:16:29 +1300
So Kevin yeh I love bro and will be running it as a guest vm (probably as a second sensor). OK so this is my new plan (no pf_ring): Redhat server running openfpc and v box. Fedora guest running snort (with this new app ID thing!). Security Onion guest running bro. I'm gonna put a splunk forwarder on the guests and also get snort to write to snorby db.

On 6/12/2014 12:25 PM, "Kevin Ross" <kevross33 () googlemail com> wrote:

> you could also try moloch for your PCAP if you have the resources: https://github.com/aol/moloch http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/ and also you should give bro-ids a try to complement snort with lots of metadata & use scripts like this https://github.com/sooshie/bro-scripts/blob/master/2.2-scripts/vt_check.bro in order to check certain filetypes automatically to see if Virustotal has seen them. You could then index your snort and bro logs into something like an ELK install or ELSA https://www.youtube.com/watch?v=INRJZ3_Dsyc and https://www.youtube.com/watch?v=d4rINH22MYo
>
> I find bro provides great metadata around a connection (connections, HTTP information, file types returned, email metadata, self signed certs and so on). Also for the amount of metadata you get I find it provides a great longer term option to analysis if you are looking at something which has already been rotated from your PCAPs.
>
> Kind Regards,
> Kevin Ross
>
> On 3 December 2014 at 03:52, Matheus Condi'ez <conma293 () gmail com> wrote:
>
>> In short, after many builds of snort sensors I am about to start off on a new journey of discovery which will potentially send me mad. My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native, with snort sitting on top as a guest vm. Has anyone had any experience with PF_Ring and snort, or PF_Ring and snort? Am aware that I will have to patch PF_Ring onto both the host and the guest OS's for this to work. Am also aware that most likely will have to build and configure OpenFPC and/or Snort as PF_Ring aware? If I do this but then attempt to run a version of Snort and/or OpenFPC that is not configured to handle PF_Ring, will it take it? Finally - I want to send all this information to a centralised Snorby GUI, so another question is, how do I get Snorby to differentiate between different sensor IP's to grab the pcaps from the different OpenFPC instances?
>>
>> I'm sure someone has been overly ambitious and has attempted some, if not all of this before.. any guidance would be muchly appreciated.
>>
>> -conma
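Kevin's point that Bro's connection metadata complements Snort alerts can be shown concretely. The Python below is an added example, not code from this thread or from the Snort, Bro or Snorby projects: it parses a constructed Bro 2.x conn.log excerpt (the ASCII TSV layout with `#fields`/`#types` headers and `-` for unset values) and a few constructed Snort `alert_fast` lines, indexes the connections by 5-tuple, and attaches the matching Bro `uid`, `service`, `duration` and `conn_state` to each alert. The join is tried in both directions because a Snort alert may fire on the responder-to-originator packet. All IPs, uids and signature ids are made up.

```python
"""Enrich Snort alert_fast lines with Bro conn.log metadata (constructed example)."""
import re
from typing import Dict, List, Optional

# Constructed Bro conn.log excerpt: real Bro 2.x header layout, made-up rows.
BRO_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring",
    "\t".join(["1417737601.123456", "CHhAvVGS1DHFjwGM9", "192.168.1.10", "51234",
               "203.0.113.5", "80", "tcp", "http", "2.51", "412", "30210", "SF"]),
    "\t".join(["1417737605.000000", "CIkWOv2i1u5k6PPvc", "192.168.1.10", "51240",
               "203.0.113.9", "443", "tcp", "ssl", "-", "0", "0", "S0"]),
    "#close\t2014-12-05-12-10-00",
])

# Constructed Snort alert_fast output; sids 1000001+ are the local-rule range.
SNORT_FAST_ALERTS = [
    "12/05-12:00:01.500000  [**] [1:1000001:1] CONSTRUCTED test signature [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80",
    "12/05-12:00:09.000000  [**] [1:1000002:1] CONSTRUCTED mDNS signature [**] "
    "[Priority: 2] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353",
]

# alert_fast layout: ts [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:sport -> dst:dport   (ports absent for ICMP).
# Assumes IPv4 addresses; IPv6 colons would need a different split.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

Record = Dict[str, Optional[str]]
ConnIndex = Dict[tuple, List[Record]]


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not alert_fast."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def parse_bro_log(text: str) -> List[Record]:
    """Parse a Bro ASCII TSV log; the #unset_field marker (default '-') becomes None."""
    fields: Optional[List[str]] = None
    unset = "-"
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            tag, _, rest = line.partition("\t")
            if tag == "#fields":
                fields = rest.split("\t")
            elif tag == "#unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return records


def index_connections(records: List[Record]) -> ConnIndex:
    """Index conn.log rows by (proto, orig_h, orig_p, resp_h, resp_p)."""
    idx: ConnIndex = {}
    for r in records:
        key = (r["proto"], r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"])
        idx.setdefault(key, []).append(r)
    return idx


def enrich_alert(alert: dict, idx: ConnIndex) -> dict:
    """Attach Bro connection metadata; tries both packet directions."""
    proto = alert["proto"].lower()
    fwd = (proto, alert["src"], alert["sport"], alert["dst"], alert["dport"])
    rev = (proto, alert["dst"], alert["dport"], alert["src"], alert["sport"])
    conns = idx.get(fwd) or idx.get(rev) or []
    out = dict(alert)
    out["bro"] = None
    if conns:
        c = conns[0]  # 'candidates' records how many rows shared this 5-tuple
        out["bro"] = {"uid": c["uid"], "service": c["service"], "duration": c["duration"],
                      "conn_state": c["conn_state"], "candidates": len(conns)}
    return out


def enrich_all(alert_lines=SNORT_FAST_ALERTS, conn_log=BRO_CONN_LOG) -> List[dict]:
    idx = index_connections(parse_bro_log(conn_log))
    parsed = (parse_alert(line) for line in alert_lines)
    return [enrich_alert(a, idx) for a in parsed if a is not None]


if __name__ == "__main__":
    for e in enrich_all():
        print(e["sid"], e["msg"], "->", e["bro"])
```

The 5-tuple alone can match several Bro rows when ephemeral ports are reused over a long capture; the `candidates` count flags that case so an analyst knows to disambiguate by timestamp (Snort's `alert_fast` timestamp lacks a year, so that join needs the unified2 output or a log rotated per day).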