Fix the problem about getting host ip may get 127.0.0.1. On Ubuntu Python's stdlib socket.gethostbyname() returns 127.0.0.1 for some reason.
Fix the problem about pigrelay reconnect to ryu will not be accepted. Pigrelay is a program that receive Snort alert from UNIX socket and send to network socket. Update and fix typos in the snort_integrate.rst document. Signed-off-by: Che-Wei Lin <[email protected]> --- doc/source/snort_integrate.rst | 16 +++++++++------- ryu/lib/snortlib.py | 16 ++++++++++++---- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/doc/source/snort_integrate.rst b/doc/source/snort_integrate.rst index f6b593d..bec5619 100644 --- a/doc/source/snort_integrate.rst +++ b/doc/source/snort_integrate.rst @@ -7,6 +7,8 @@ This document describes how to integrate Ryu with Snort. Overview ==== +There are two options can send alert to Ryu controller. The Option 1 is easier if you just want to demonstrate or test. Since Snort need very large computation power for analyzing packets you can choose Option 2 to separate them. + **[Option 1] Ryu and Snort are on the same machine** :: @@ -40,7 +42,7 @@ The above depicts Ryu and Snort architecture. Ryu receives Snort alert packet vi +----------+ +----------+ -**\*CP: Controller Plane** +**\*CP: Control Plane** The above depicts Ryu and Snort architecture. Ryu receives Snort alert packet via **Network Socket** . To monitor packets between HostA and HostB, installing a flow that mirrors packets to Snort. @@ -92,7 +94,7 @@ The incoming packets will all mirror to **port 3** which should be connect to Sn 3. Run Snort: :: $ sudo -i - $ sudo snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf + $ snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf 4. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): :: 
@@ -114,20 +116,20 @@ The incoming packets will all mirror to **port 3** which should be connect to Sn 2. Run Ryu with sample application (On the Controller): :: - $ sudo ./bin/ryu-manager ryu/app/simple_switch_snort.py + $ ./bin/ryu-manager ryu/app/simple_switch_snort.py 3. Run Snort (On the Snort machine): :: $ sudo -i - $ sudo snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf + $ snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf -4. Run ``unsock2nwsock.py`` (On the Snort machine): :: +4. Run ``pigrelay.py`` (On the Snort machine): :: - $ sudo python unsock2nwsock.py + $ sudo python pigrelay.py This program listening snort alert messages from unix domain socket and sending it to Ryu using network socket. -You can clone the script over here. https://gist.github.com/John-Lin/9408ab716df57dbe32ca +You can clone the source code from this repo. https://github.com/John-Lin/pigrelay 5. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): :: diff --git a/ryu/lib/snortlib.py b/ryu/lib/snortlib.py index 2773585..57ee986 100644 --- a/ryu/lib/snortlib.py +++ b/ryu/lib/snortlib.py @@ -41,14 +41,21 @@ class SnortLib(app_manager.RyuApp): self.config = {'unixsock': True} self._set_logger() + def get_host_ip(self): + """On Ubuntu Python's stdlib socket.gethostbyname() + returns 127.0.0.1 for some reason""" + s = hub.socket.socket(hub.socket.AF_INET, hub.socket.SOCK_DGRAM) + s.connect(('8.8.8.8', 53)) + return s.getsockname()[0] + def set_config(self, config): assert isinstance(config, dict) self.config = config def start_socket_server(self): if not self.config.get('unixsock'): - self.config['ip'] = hub.socket.gethostbyname(hub.socket. - gethostname()) + self.config['ip'] = self.get_host_ip() + if self.config.get('port') is None: self.config['port'] = 51234 
@@ -82,14 +89,15 @@ class SnortLib(app_manager.RyuApp): hub.socket.SOCK_STREAM) self.nwsock.bind((ip, port)) self.nwsock.listen(5) - self.conn, addr = self.nwsock.accept() hub.spawn(self._recv_loop_nw_sock) def _recv_loop_nw_sock(self): self.logger.info("Network socket server start listening...") while True: - data = self.conn.recv(BUFSIZE, hub.socket.MSG_WAITALL) + conn, addr = self.nwsock.accept() + self.logger.info("Connected with %s", addr[0]) + data = conn.recv(BUFSIZE, hub.socket.MSG_WAITALL) if len(data) == BUFSIZE: msg = alert.AlertPkt.parser(data) -- 2.1.0
Ryu-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ryu-devel
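Review bot: the paragraph added under Overview in doc/source/snort_integrate.rst (hunk @@ -7,6 +7,8 @@) introduces new grammar errors in a commit that says it fixes typos: "There are two options can send alert to Ryu controller" and "Since Snort need very large computation power". Suggest something like "There are two ways to send alerts to the Ryu controller. Option 1 is easier for a demonstration or test. Because Snort needs a lot of computing power to analyze packets, Option 2 lets you run it on a separate machine."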
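Review bot: step 4 of the Option 2 instructions (hunk @@ -114,20 +116,20 @@) now points the reader at https://github.com/John-Lin/pigrelay and has them run `sudo python pigrelay.py`, so the document tells operators to execute the current head of an external repository as root on the Snort machine. Name a tag or commit to check out, and either say why root is required or drop the sudo as was done for ryu-manager in the same hunk. The unchanged sentence "This program listening snort alert messages from unix domain socket and sending it to Ryu using network socket." in this step still needs the grammar fix the commit message promises.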
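Review bot: in start_socket_server (ryu/lib/snortlib.py, hunk @@ -41,14 +41,21 @@) the new line `self.config['ip'] = self.get_host_ip()` overwrites any address the application supplied through set_config, whereas the port just below is only defaulted when it is None. Handle the address the same way, so an operator can pin the alert listener to a specific management interface instead of whichever interface routes towards 8.8.8.8. In get_host_ip itself the socket is never closed, and connect() raises on a host with no route to 8.8.8.8 (an isolated control network, for example) with nothing here to catch it; close the socket in a finally block and fall back to the configured address or log a clear error. The docstring should say what the method returns rather than only describe the gethostbyname() problem.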
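Review bot: with accept() moved inside the `while True:` loop of _recv_loop_nw_sock (hunk @@ -82,14 +89,15 @@), each iteration reads one BUFSIZE message from a fresh connection and then returns to accept(); the previous conn is never closed and anything else sent on it is never read. Because `conn.recv(BUFSIZE, hub.socket.MSG_WAITALL)` runs in the same loop that accepts, a single peer that connects, sends fewer than BUFSIZE bytes and keeps the connection open stops every later alert from being received, and the hunk only logs addr[0] without checking it against the expected Snort host. Keep accept() in this loop but hand each connection to its own handler with hub.spawn, have that handler read until recv returns no data and then close the socket, and consider rejecting peers that are not the configured Snort machine. The visible lines also show no handling for a read shorter than BUFSIZE; log it so dropped alerts are noticeable.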
