From Metron's perspective, Snort is just another sensor.  Snort is
installed, managed and executed completely independent of Metron itself. As
with any sensor, you are responsible for getting the telemetry produced by
Snort into Kafka.  Metron can then consume that telemetry from Kafka and do
wonderful things with it. :)


On Tue, Oct 17, 2017 at 4:00 AM, Syed Hammad Tahir <[email protected]>
wrote:

> And I am sorry about one confusion but isn't snort built in to the metron
> framework? If so then can't we access that snort and do the tasks you
> mentioned earlier?
>
> On Tue, Oct 17, 2017 at 11:39 AM, Syed Hammad Tahir <[email protected]>
> wrote:
>
>> Hi,
>>
>> Thanks for the support. Can it be performed both on dumped log and real
>> time data?
>> Regards.
>>
>> On Tue, Oct 17, 2017 at 1:02 AM, James Sirota <[email protected]> wrote:
>>
>>> What I mean is that you should install snort, load the appropriate Snort
>>> rules for your use case, set Snort to log to a directory, and send traffic
>>> to the network interface where Snort is listening. That will produce Snort
>>> log files. Then you can push the contents of Snort logs either to Kafka
>>> using NiFi (preferred) or using Kafka utilities such as command line
>>> producer. This should be pushed to a Kafka topic called Snort where each
>>> message is a log line of the Snort file. Does that make sense?
>>>
>>> Thanks,
>>> James
>>>
>>>
>>> 11.10.2017, 23:08, "Syed Hammad Tahir" <[email protected]>:
>>>
>>> You mean that I must start snort from terminal by doing snort -v and
>>> then push it to kafka topic? I need to start snort in packet capture mode.
>>>
>>> On Tue, Oct 10, 2017 at 9:52 PM, James Sirota <[email protected]>
>>> wrote:
>>>
>>> Yes, you can use Snort. Metron can consume Snort telemetries out of the
>>> box. You have to set up Snort on your own and push the output into a kafka
>>> topic (most likely using NiFi). From there on you can use the output of
>>> Snort in Metron.
>>>
>>>
>>> 10.10.2017, 00:48, "Syed Hammad Tahir" <[email protected]>:
>>>
>>> Hi,
>>>
>>> Can I use snort in packet capture mode with metron? By default it works
>>> in IDS mode only.
>>>
>>> Regards.
>>>
>>>
>>>
>>> -------------------
>>> Thank you,
>>>
>>> James Sirota
>>> PMC- Apache Metron
>>> jsirota AT apache DOT org
>>>
>>>
>>>
>>>
>>>
>>
>
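As an added example (not code from this thread or from the Metron project), a small shell script for the step James describes: follow Snort's log file and send each non-empty line as one message to the Kafka topic with the command-line producer. The Snort log path, broker address and producer script name are assumptions; adjust them for your install.

```shell
#!/bin/sh
# Added example (not from the thread): push Snort log lines to Kafka,
# one line per message, as the quoted instructions describe.
# Assumptions: Snort logs to /var/log/snort/alert, the Kafka console
# producer script is on PATH, and the broker address is local.
set -eu

SNORT_LOG="${SNORT_LOG:-/var/log/snort/alert}"     # assumed Snort log path
KAFKA_BROKERS="${KAFKA_BROKERS:-localhost:6667}"     # assumed broker list
KAFKA_TOPIC="${KAFKA_TOPIC:-snort}"                  # topic named in the thread
PRODUCER="${PRODUCER:-kafka-console-producer.sh}"    # Kafka's console producer

# Turn a stream of Snort log text into one message per line: strip CRs and
# drop blank lines, which would otherwise be sent as empty Kafka messages.
snort_lines_to_messages() {
  tr -d '\r' | grep -v '^[[:space:]]*$' || true
}

# Dry run: how many messages a given log file would produce.
count_messages() {
  snort_lines_to_messages < "$1" | wc -l | tr -d ' '
}

# Follow the Snort log (from its start) and feed it to the console producer.
# --broker-list is the flag used by the Kafka releases current in 2017;
# newer releases call it --bootstrap-server.
ship_snort_log() {
  command -v "$PRODUCER" >/dev/null 2>&1 || {
    echo "producer script '$PRODUCER' not found on PATH" >&2
    return 1
  }
  tail -n +1 -F "$SNORT_LOG" \
    | snort_lines_to_messages \
    | "$PRODUCER" --broker-list "$KAFKA_BROKERS" --topic "$KAFKA_TOPIC"
}

case "${1:-}" in
  --dry-run) count_messages "$SNORT_LOG" ;;
  --ship)    ship_snort_log ;;
esac
```

Run with `--dry-run` first to confirm the log is readable and see how many messages it would produce, then `--ship` to start streaming into the topic.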
