Snort mailing list archives
Re: Building IDS / IPS on existing Elasticsearch cluster using Snort
From: Y M via Snort-users <snort-users () lists snort org>
Date: Fri, 20 Apr 2018 18:21:39 +0000
If I understand correctly, then Snort will do what you are going after. Snort expects network traffic in the form of a live network feed or a pcap as input. Snort will generate alerts in the configured output. It is up to your methods to parse and store these alerts to Elasticsearch. Once the data is inside Elasticsearch, then it is up to Elasticsearch and the configured plugins (for example, Watcher) to do the alerting.

Thanks.
YM

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Shivkumar Mallesappa via Snort-users <snort-users () lists snort org>
Sent: Wednesday, April 18, 2018 3:47 PM
To: snort-users () lists snort org
Subject: [Snort-users] Building IDS / IPS on existing Elasticsearch cluster using Snort

I am new to this technology (Snort). I have a basic one-line understanding that it is an open source IDS (correct me if I am wrong). I have some experience with the ELK stack. I have my Elasticsearch cluster ready with around 50 GB of data. My question is, can I use Snort on my current Elasticsearch cluster as an IDS? Basically I have parsed my logs and they are stored in Elasticsearch with some fields like IP, GEO_LOCATION (city name), etc., so can I use Snort to read my current Elasticsearch cluster data and notify me if a suspicious activity/record is found? If not Snort, is there any other open source tool available to achieve the above use case? I hope I am clear with my query.

Thank you.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
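The pipeline YM describes (Snort emits alerts, something of your own parses them into Elasticsearch, Elasticsearch does the alerting) needs that middle step. As an added example, not code from this thread or from the Snort project, here is a small Python parser for Snort's alert_fast output that turns alert lines into documents for Elasticsearch's _bulk API; it assumes IPv4 addresses, no interface name in the line, and that the caller supplies the year, which alert_fast lines do not carry.

```python
import json
import re
from datetime import datetime

# One Snort alert_fast line (assumption: IPv4 addresses, no interface name). Classification
# is optional (rules without a classtype omit it) and so are ports (ICMP alerts have none).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line, year):
    """One alert_fast line -> Elasticsearch document (dict), or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    # alert_fast timestamps have no year, so the caller tells us which year the log is from
    ts = datetime.strptime(f"{year}/{f['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "@timestamp": ts.isoformat(),
        "rule": {"gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"])},
        "msg": f["msg"],
        "classification": f["cls"],          # None when the rule has no classtype
        "priority": int(f["prio"]),
        "proto": f["proto"],
        "src_ip": f["src"], "src_port": int(f["sport"]) if f["sport"] else None,
        "dst_ip": f["dst"], "dst_port": int(f["dport"]) if f["dport"] else None,
    }

def to_bulk_ndjson(lines, year, index="snort-alerts"):
    """Body for Elasticsearch's _bulk API: an action line, then a document line, per alert.
    Lines that do not parse as alerts are skipped instead of being indexed as garbage."""
    out = []
    for line in lines:
        doc = parse_alert(line, year)
        if doc is not None:
            out.append(json.dumps({"index": {"_index": index}}))
            out.append(json.dumps(doc))
    return "\n".join(out) + "\n" if out else ""

# Constructed sample alert_fast lines (not real traffic; sids are in the local 1000000+ range).
SAMPLE_ALERTS = [
    "04/18-15:47:12.123456  [**] [1:1000001:2] LOCAL suspicious id response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234",
    "04/18-15:47:13.000001  [**] [1:1000002:1] LOCAL ICMP echo request seen [**] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
    "this line is not a snort alert",
]
```

The returned NDJSON string is what you POST to the cluster's `_bulk` endpoint; from there a Watcher query on `priority` or `rule.sid` does the notifying that the original question asks for.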
Current thread:
- Building IDS / IPS on existing Elasticsearch cluster using Snort Shivkumar Mallesappa via Snort-users (Apr 18)
- Re: Building IDS / IPS on existing Elasticsearch cluster using Snort Y M via Snort-users (Apr 21)