Okay so that sounds much easier - will it be done in batches or streaming
(the network data processing, not the analytics)?  I assume the former,
given your situation.  If that's true and you don't have huge amounts of
data you may be able to do everything in full dev or an equivalent VM.  A
lot of this depends on what you will be feeding into Metron, and to know
that you need to set up the sensors and get the network traffic first.

Jon

On Thu, Sep 7, 2017, 00:40 Syed Hammad Tahir <[email protected]> wrote:

> Hi,
>
> What I wanted to do with this is the following:
>
> 1- Gather Network Data
>
> 2- Analyse it
>
> 3- Apply some machine learning algorithm to detect intrusion
>
>
> Now by seeking the use of Metron framework, am I following the right track
> here?
>
>
> Regards.
>
> On Wed, Sep 6, 2017 at 6:10 PM, [email protected] <[email protected]> wrote:
>
>> I would start with getting the data sources (syslog, bro data, snort
>> logs, etc.) first.  Without knowing the architecture of those tools, it
>> is very difficult to suggest an install method, although for prod use I
>> would always default to a bare metal install.  In your case you don't seem
>> interested in PCAP, which means you _may_ be able to get away with
>> something in EC2 or similar.
>>
>> Jon
>>
>> On Wed, Sep 6, 2017 at 6:41 AM Syed Hammad Tahir <[email protected]>
>> wrote:
>>
>>> Hello,
>>>
>>> Thank you for answering my call to help.
>>>
>>> I am going to use it for the purpose of research at graduate level, and
>>> may scale it to a production level. I am targeting a few labs on this floor,
>>> which approximately accumulate up to 30-40 people using the network. I am
>>> open to options of using YAF, BRO, SNORT and others.  Once started, I
>>> may also expand it in the future. What are your recommendations on the
>>> stated requirements?
>>>
>>> Best Regards.
>>>
>>> On Wed, Sep 6, 2017 at 3:06 PM, [email protected] <[email protected]>
>>> wrote:
>>>
>>>> There are a few questions that need to be answered first.  How do you
>>>> plan to monitor the LAN?  Are you going to run YAF, Bro, Snort, others?
>>>> How big is your LAN, how much traffic traverses it, what is the traffic
>>>> composition (heavily impacts the amount of logs from Bro/YAF/Snort), how
>>>> much retention of data do you want, do you plan to store PCAP?
>>>>
>>>> Jon
>>>>
>>>> On Wed, Sep 6, 2017, 01:59 Syed Hammad Tahir <[email protected]>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I intend to use Apache Metron framework for the analysis of our local
>>>>> area network. What is the best way to get started? Which installation is
>>>>> most suitable for me as listed in the following link:
>>>>> https://cwiki.apache.org/confluence/display/METRON/Installation
>>>>>
>>>>> Kindly help me with this.
>>>>>
>>>>> Regards.
>>>>>
>>>> --
>>>>
>>>> Jon
>>>>
>>>
>> --
>>
>> Jon
>>
>
--

Jon