I would start with getting the data sources (syslog, Bro data, Snort logs,
etc.) first.  Without knowing the architecture of those tools, it is very
difficult to suggest an install method, although for prod use I would
always default to a bare metal install.  In your case you don't seem
interested in PCAP, which means you _may_ be able to get away with
something in EC2 or similar.

Jon

On Wed, Sep 6, 2017 at 6:41 AM Syed Hammad Tahir <[email protected]>
wrote:

> Hello,
>
> Thank you for answering my call to help.
>
> I am going to use it for the purpose of research at graduate level, and
> may scale it on a production level. I am targeting a few labs on this floor,
> which accumulates up to 30-40 people using the network. I am
> open to options of using YAF, Bro, Snort and others.  Once started, I
> may also expand it in the future. What are your recommendations on the
> stated requirements?
>
> Best Regards.
>
> On Wed, Sep 6, 2017 at 3:06 PM, [email protected] <[email protected]> wrote:
>
>> There are a few questions that need to be answered first.  How do you
>> plan to monitor the LAN?  Are you going to run YAF, Bro, Snort, others?
>> How big is your LAN, how much traffic traverses it, what is the traffic
>> composition (heavily impacts the amount of logs from Bro/YAF/Snort), how
>> much retention of data do you want, do you plan to store PCAP?
>>
>> Jon
>>
>> On Wed, Sep 6, 2017, 01:59 Syed Hammad Tahir <[email protected]>
>> wrote:
>>
>>> Hello,
>>>
>>> I intend to use Apache Metron framework for the analysis of our local
>>> area network. What is the best way to get started? Which installation is
>>> most suitable for me as listed in the following link:
>>> https://cwiki.apache.org/confluence/display/METRON/Installation
>>>
>>> Kindly help me with this.
>>>
>>> Regards.
>>>
>> --
>>
>> Jon
>>
>
> --

Jon