Snort mailing list archives

Re: Building IDS / IPS on existing Elasticsearch cluster using Snort


From: Y M via Snort-users <snort-users () lists snort org>
Date: Fri, 20 Apr 2018 18:21:39 +0000

If I understand correctly, then Snort will do what you are going after. Snort expects network traffic in the form of a live 
network feed or a pcap as input.


Snort will generate alerts in the configured output. It is up to your methods to parse and store these alerts to 
Elasticsearch. Once the data is inside Elasticsearch, then it is up to Elasticsearch and the configured plugins (for 
example, Watcher) to do the alerting.

Thanks.
YM
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Shivkumar Mallesappa via Snort-users 
<snort-users () lists snort org>
Sent: Wednesday, April 18, 2018 3:47 PM
To: snort-users () lists snort org
Subject: [Snort-users] Building IDS / IPS on existing Elasticsearch cluster using Snort


I am new to this technology (snort). I have a basic one-line understanding that it is an open source IDS (correct me if I 
am wrong). I have some experience with the ELK stack. I have my Elasticsearch cluster ready with around 50 GB of data.

My question is, can I use snort on my current Elasticsearch cluster as an IDS? Basically I have parsed my log and it is 
stored on Elasticsearch with some fields like IP, GEO_LOCATION (City name) etc., so can I use snort to read my current 
Elasticsearch cluster data and notify me if a suspicious activity/record is found?

If not snort, is there any other open source tool available to achieve the above use case?

I hope I am clear with my query.

Thank you.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
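The reply above describes the pipeline: Snort writes alerts to whichever output you configure, and something of your own has to parse them and store them in Elasticsearch before Watcher or similar can act on them. The block below is an added example for this archive page, not code from the thread, from Snort or from Elastic. It parses lines in the format of Snort 2's alert_fast output and builds an Elasticsearch _bulk request body from them. Assumptions: Snort runs without -y (so the default timestamp carries no year and one is supplied), the sensor clock is UTC, addresses are IPv4, and the index name snort-alerts is hypothetical. The sample alert lines are constructed for the example.

```python
"""Parse Snort 2 alert_fast lines into an Elasticsearch _bulk body.

Added example, not Snort or Elastic project code. Assumes alert_fast
output without the year (Snort's default unless run with -y), a sensor
clock in UTC, IPv4 addresses, and a hypothetical index name.
"""
import json
import re
from datetime import datetime, timezone

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: x]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. The Classification block
# is absent for rules without a classtype; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample lines (local-rule SIDs, not real rule identifiers).
SAMPLE_ALERTS = [
    "04/20-18:21:39.123456  [**] [1:1000001:1] LOCAL suspicious id check [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.168.1.10:80 -> 10.0.0.5:51234",
    "04/20-18:21:40.000001  [**] [1:1000002:1] LOCAL ping sweep [**] "
    "[Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "not an alert line",
]


def parse_timestamp(ts, year):
    """Turn Snort's MM/DD-HH:MM:SS.us (or MM/DD/YY-... with -y) into ISO 8601.

    Snort prints the sensor's local time; assumed UTC here."""
    date, _, clock = ts.partition("-")
    if date.count("/") == 2:  # run with -y: the year is on the line already
        dt = datetime.strptime(f"{date}-{clock}", "%m/%d/%y-%H:%M:%S.%f")
    else:
        dt = datetime.strptime(f"{year}/{date}-{clock}", "%Y/%m/%d-%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).isoformat()


def parse_alert(line, year):
    """Return a flat document for one alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "@timestamp": parse_timestamp(g["ts"], year),
        "gid": int(g["gid"]),
        "sid": int(g["sid"]),
        "rev": int(g["rev"]),
        "msg": g["msg"],
        "classification": g["classification"],  # None when the rule has none
        "priority": int(g["priority"]),
        "proto": g["proto"],
        "src_ip": g["src"],
        "src_port": int(g["sport"]) if g["sport"] else None,  # None for ICMP
        "dst_ip": g["dst"],
        "dst_port": int(g["dport"]) if g["dport"] else None,
    }


def build_bulk_body(lines, index, year):
    """Build the NDJSON body for POST /_bulk: an action line per document.

    Non-alert lines are skipped. The body ends with a newline, which the
    bulk API requires."""
    out = []
    for line in lines:
        doc = parse_alert(line, year)
        if doc is None:
            continue
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n" if out else ""


if __name__ == "__main__":
    # Year supplied because the default alert_fast timestamp has none.
    print(build_bulk_body(SAMPLE_ALERTS, "snort-alerts", 2018), end="")
```

The returned string is what you would send with the bulk API (for example, curl -H 'Content-Type: application/x-ndjson' --data-binary @body.ndjson against /_bulk); older Elasticsearch releases also require a _type in the action line, which the example leaves out. Keeping classification and ports as explicit nulls rather than dropping the fields keeps the mapping stable across TCP, UDP and ICMP alerts.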
