Snort mailing list archives

Re: Snort installation on openstack


From: "Velusami, Selvi" <selvi.velusami () verizon com>
Date: Fri, 27 May 2016 15:18:17 -0400

Hi Diego,

Thank you. I got your point. I will try this and update you the results.

Thanks,
Selvi.V

From: Diego Parrilla Santamaría [mailto:diego.parrilla.santamaria () gmail com]
Sent: Friday, May 27, 2016 2:58 PM
To: Velusami, Selvi
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort installation on openstack

Hi Selvi,

As I said, nothing special. We followed this guide (or maybe the same but older):
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/090/original/Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf

We installed Snort, PulledPork and Snorby as described. Probably we had to tweak and fix some parameters not documented,
but nothing important. We also tested Barnyard2, and some crazy multinode architecture that didn't work very well
(remember: Neutron doesn't like promiscuous...).

If you want to have a fully functional Snort (or any other NIDS) in a cloud platform you need to have direct access to 
the infrastructure.

Good luck!
Diego

On Fri, May 27, 2016 at 8:47 PM, Velusami, Selvi <selvi.velusami () verizon com> wrote:
Hi,

Thanks for your response.

Can you please let me know how you deployed Snort in OpenStack? Have you created a virtual image for the same? In that
case, could you please share the steps that you have followed.

Given below are the steps that I have followed:

1. Snort Installation

  • Installed CentOS 7 in a virtual machine
  • Configured the virtual machine to reach the internet
  • Downloaded and installed Snort on the virtual machine
  • Downloaded the Snort rules and placed them in the required folder.
  • Sent ICMP packets to Snort and issued the command "snort -i <interface>"
  • While running Snort on a particular interface, it could capture the packets of the ICMP message, but I am
    getting some warning messages here: "No preprocessors configured"

2. Qcow2 image creation

  • Now tried to create a qcow2 image for Snort
  • Exported the virtual machine to an OVA file
  • Using qemu-img, converted the VMDK image to a qcow2 image

3. Snort installation on OpenStack

  • Created an instance in OpenStack using the qcow2 image of Snort.
  • During the installation, it went to emergency mode and the installation stopped.

Also, if you have the image to create a snort instance on openstack, can you please share the same.

Thanks,
Selvi.V

From: Diego Parrilla Santamaría [mailto:diego.parrilla.santamaria () gmail com]
Sent: Friday, May 27, 2016 2:39 PM
To: Velusami, Selvi
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort installation on openstack

Hi Selvi,

We have successfully deployed Snort in OpenStack and there is nothing special you have to do at the operating system
level. So keep on trying until you have it up and running!

But, keep in mind that Snort and Neutron (no matter if you use Openvswitch or other technologies) do not work very well 
together. Promiscuous mode is a must for Snort and this requirement clashes with the isolation layers offered by the 
cloud platform. We played with Snort in our cloud platform for months and found that Snort should not run as a VM, but 
as part of the Openstack infrastructure. Obviously, this is not something easy to do, but could be a nice to have 
service extension for Neutron.

Finally, we decided to drop Snort and move to a Host based IDS.

Cheers
Diego

On Fri, May 27, 2016 at 5:54 PM, Velusami, Selvi <selvi.velusami () verizon com> wrote:
Hi,

I am new to Snort and I have not used it before. The present requirement for me is that I need to create a virtual
image for Snort, and the same needs to be installed on OpenStack. I should do the configuration on top of it for
further monitoring.

At present I tried to install Snort on a virtual machine on CentOS and, using that, tried to create a virtual image,
but that image is not working for me in OpenStack.

Can anyone please help me on this.

Thanks,
Selvi.V

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Diego Parrilla Santamaría
CEO, StackOps Technologies
+34 91 0052164
www.stackops.com
www.cirrusflex.com
