Re: Snort installation on openstack

[Diego Parrilla Santamaría <diego.parrilla.santamaria () gmail com>]

Hi Selvi,

as I said, nothing special. We followed this guide (or maybe the same but
older):
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/090/original/Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf
<https://mailtrack.io/trace/link/2b0a1249d6823ddf0674f5385c892a72abc830df?url=https%3A%2F%2Fs3.amazonaws.com%2Fsnort-org-site%2Fproduction%2Fdocument_files%2Ffiles%2F000%2F000%2F090%2Foriginal%2FSnort_2.9.8.x_on_Ubuntu_12-14-15.pdf&signature=0966467a0215ce0c>

we installed snort, pulledpork, snortby as described. Probably we had to
tweak and fix some parameters not documented, but nothing important. We
also tested banyard2, and some crazy multinode architecture that didn't
work (remember: neutron doesn't like promiscuous...) very well.

If you want to have a fully functional Snort (or any other NIDS) in a cloud
platform you need to have direct access to the infrastructure.

Good luck!
Diego

On Fri, May 27, 2016 at 8:47 PM, Velusami, Selvi <selvi.velusami () verizon com
> wrote:

> Hi,
>
>
>
> Thanks for your response.
>
>
>
> Can you please let me know how you deployed the Snort in the openstack.
> Have you created any virtual image for the same. In this case, could you
> please share the steps that you have followed.
>
>
>
> Given below are the steps that I have followed
>
>
>
> 1.       Snort Installation
>
> ·         Installed centos 7 in a virtual machine
>
> ·         Configured the virtual machine to reach the internet
>
> ·         Downloaded and installed Snort on the virtual machine
>
> ·         Downloaded the snort rules and placed in the required folder.
>
> ·         Sent icmp packets to the snort and issued the command “snort –
> I <interface>
>
> ·         While running the Snort on a particular interface, it could
> capture the packets of the icmp message, but getting some warning messages
> here. “No preprocessors configured”
>
>
>
> 2.       Qcow2 image creation
>
> ·         Now tried to create qcow image from for the snort
>
> ·         Exported the virtual machine to ova file
>
> ·         Using qemu-img, converted the vmdk image to qcow2 image
>
>
>
> 3.       Snort installation on openstack
>
> ·         Created an instance in openstack using the qcow2 image of snort.
>
> ·         During the installation , it went to emergency mode and the
> installation stopped.
>
>
>
> Also, if you have the image to create a snort instance on openstack, can
> you please share the same.
>
>
>
> Thanks,
>
> Selvi.V
>
>
>
> *From:* Diego Parrilla Santamaría [mailto:
> diego.parrilla.santamaria () gmail com]
> *Sent:* Friday, May 27, 2016 2:39 PM
> *To:* Velusami, Selvi
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort installation on openstack
>
>
>
> Hi Selvi,
>
>
>
> we have successfully deployed Snort in OpenStack and there is nothing
> special you have to do at operating system level. So keep on trying until
> you have it up and running!
>
>
>
> But, keep in mind that Snort and Neutron (no matter if you use Openvswitch
> or other technologies) do not work very well together. Promiscuous mode is
> a must for Snort and this requirement clashes with the isolation layers
> offered by the cloud platform. We played with Snort in our cloud platform
> for months and found that Snort should not run as a VM, but as part of the
> Openstack infrastructure. Obviously, this is not something easy to do, but
> could be a nice to have service extension for Neutron.
>
>
>
> Finally, we decided to drop Snort and move to a Host based IDS.
>
>
>
> Cheers
>
> Diego
>
>
>
> On Fri, May 27, 2016 at 5:54 PM, Velusami, Selvi <
> selvi.velusami () verizon com> wrote:
>
> Hi,
>
>
>
> I am new to Snort and I have not used it before. The present requirement
> for me is I need to create a virtual image for snort and the same needs to
> be installed on openstack. Should do the configuration on top of itfor
> further monitoring.
>
>
>
> At present I tried to install snort on virtual machine on centos and using
> that tried to create a virtual image and that image is not working for me
> in openstack.
>
>
>
> Can anyone please help me on this.
>
>
>
> Thanks,
>
> Selvi.V
>
>
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and
> traffic
> patterns at an interface-level. Reveals which users, apps, and protocols
> are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
>
> --
>
> Diego Parrilla Santamaría
>
> *CEO*, StackOps Technologies
>
> +34 91 0052164
>
> www.stackops.com
> <https://mailtrack.io/trace/link/479dfa3b5a6a4374acdf1c30bc816836a62092f8?url=http%3A%2F%2Fwww.stackops.com%2F&signature=fc432a13cc8a1771>
>
> www.cirrusflex.com
> <https://mailtrack.io/trace/link/8e8bce1b22795bed18a57d157bcee9fec8345418?url=http%3A%2F%2Fwww.cirrusflex.com%2F&signature=55bdffd72301773f>
>
>
> <https://mailtrack.io/trace/link/249a4b7927012e3c82ddeacffb35146a69d12e51?url=http%3A%2F%2Ffacebook.com%2Fstackops&signature=635c6fd5fdbd1a97>
>
>
> <https://mailtrack.io/trace/link/b8bd3e023da2d58a315b6b5bfad8c2790209055e?url=http%3A%2F%2Ftwitter.com%2Fstackops&signature=47f98e84262ca8a8>
>
>
> <https://mailtrack.io/trace/link/9f77c31d487e2eaedab81fe44aca28cb6eb38a3e?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fstackops&signature=df72c8229eb7a4c0>



-- 
Diego Parrilla Santamaría
CEO, StackOps Technologies
+34 91 0052164
www.stackops.com
<https://mailtrack.io/trace/link/7632d2c26091b3847621fb3a005e6ec065688271?url=http%3A%2F%2Fwww.stackops.com%2F&signature=6330792adc31ef09>
www.cirrusflex.com
<https://mailtrack.io/trace/link/7f717e8dd056b6ab5b9c369171ebd4770831bfdf?url=http%3A%2F%2Fwww.cirrusflex.com%2F&signature=f272e68d7dcc883b>
<https://mailtrack.io/trace/link/88da9cb0592e61eb38be354f8dd4d1739b3a0daa?url=http%3A%2F%2Ffacebook.com%2Fstackops&signature=e2441632b6476c67>
<https://mailtrack.io/trace/link/ffda93f5f4c9c687324c69a22d053f6f114b4a69?url=http%3A%2F%2Ftwitter.com%2Fstackops&signature=fd7d1a51c59862cb>
<https://mailtrack.io/trace/link/136237c554a47e6ebf96856bfcebadec8c988522?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fstackops&signature=931176fdbf176ef4>

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!