Re: pf_ring, openfpc, snort and snorby

["Matheus Condi'ez" <conma293 () gmail com>]

So Kevin yeh I love bro and will be rrunning it as a guest vm (probably as
a secon sensor).

OK so this is my new plan (no pf_ring)
Redhat server running openfpc and v box.

Fedora guest running snort (with this new app ID thing!)

Seconion guest running bro.

I'm gonna put a splunk forwarder on the guests and also get snort to write
to snorby db.
On 6/12/2014 12:25 PM, "Kevin Ross" <kevross33 () googlemail com> wrote:

> you could also try moloch for your PCAP if you have the resources:
>
> https://github.com/aol/moloch
>
> http://blog.alejandronolla.com/2013/04/06/moloch-capturing-and-indexing-network-traffic-in-realtime/
>
> and also you should give bro-ids a try to complement snort with lots of
> metadata & use scripts like this
> https://github.com/sooshie/bro-scripts/blob/master/2.2-scripts/vt_check.bro
> in order to check certain filetypes automatically to see if Virustotal has
> seen them.
>
> You could then index your snort and bro logs into something like an ELK
> install or ELSA https://www.youtube.com/watch?v=INRJZ3_Dsyc and
> https://www.youtube.com/watch?v=d4rINH22MYo
>
> I find bro provides great metadata around a connection (connections, HTTP
> information, file types returned, email metadata, self signed certs and so
> on. Also for he amount of metadata you get I find it provides a great
> longer term option to analysis if you are looking at something which has
> already been rotated from your PCAPs.
>
>
> Kind Regards,
> Kevin Ross
>
> On 3 December 2014 at 03:52, Matheus Condi'ez <conma293 () gmail com> wrote:
>
> > In short, after many builds of snort sensors I am about to start off on a
> > new journey of discovery which will potentially send me mad.
> >
> > My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native,
> > with snort sitting on top as a guest vm.
> >
> > Has anyone had any experience with PF_Ring and snort, or PF_Ring and
> > snort?
> >
> > Am aware that I will have to patch PF_Ring onto both the host and the
> > guest OS's for this to work.
> >
> > Am also aware that most likely will have to build and configure OpenFPC
> > and/or Snort as PF_Ring aware?
> >
> > If I do this but then attempt to run a version of Snort and/or OpenFPC
> > that is not configured to handle PF_Ring, will it take it?
> >
> >
> >
> > Finally - I want to send all this information to a centralised Snorby
> > GUI, so another question is, how do I get Snorby to differentiate between
> > different sensor IP's to grab the pcaps from the difference OpenFPC
> > instances?
> >
> > im sure someone has been overly ambitious and has attempted some, if not
> > all of this before..
> >
> > any guidance would be muchly appreciated.
> >
> > -conma
> >
> >
> > ------------------------------------------------------------------------------
> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > with Interactivity, Sharing, Native Excel Exports, App Integration & more
> > Get technology previously reserved for billion-dollar corporations, FREE
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!