Ok, now I get it. Now should I install snort in vagrant ssh the normal way snort is usually installed on a Linux distro, or do I need to run some special commands again?
On Tue, Oct 17, 2017 at 7:45 PM, Nick Allen <[email protected]> wrote:

> In the Full Dev environment, Snort is not installed. We install "Sensor
> Stubs", which is just a mechanism that continually replays canned telemetry
> logs repetitively to mimic real sensors. We have to do this because of
> resource constraints when running all of Metron on a single VM. See the
> following for more information.
>
> https://github.com/apache/metron/tree/master/metron-deployment/roles/sensor-stubs
>
> On Tue, Oct 17, 2017 at 10:16 AM, Syed Hammad Tahir <[email protected]> wrote:
>
>> Yes, but when I do snort -v in the vagrant ssh console it says snort isn't
>> installed, whereas it can be seen working in Metron. Due to that reason I
>> am confused, because James Sirota said to install snort.
>>
>> On Tue, Oct 17, 2017 at 7:05 PM, Nick Allen <[email protected]> wrote:
>>
>>> From Metron's perspective, Snort is just another sensor. Snort is
>>> installed, managed and executed completely independently of Metron itself. As
>>> with any sensor, you are responsible for getting the telemetry produced by
>>> Snort into Kafka. Metron can then consume that telemetry from Kafka and do
>>> wonderful things with it. :)
>>>
>>> On Tue, Oct 17, 2017 at 4:00 AM, Syed Hammad Tahir <[email protected]> wrote:
>>>
>>>> And I am sorry about one confusion, but isn't snort built into the
>>>> Metron framework? If so, then can't we access that snort and do the tasks you
>>>> mentioned earlier?
>>>>
>>>> On Tue, Oct 17, 2017 at 11:39 AM, Syed Hammad Tahir <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for the support. Can it be performed both on dumped logs and
>>>>> real-time data?
>>>>> Regards.
>>>>>
>>>>> On Tue, Oct 17, 2017 at 1:02 AM, James Sirota <[email protected]> wrote:
>>>>>
>>>>>> What I mean is that you should install snort, load the appropriate
>>>>>> Snort rules for your use case, set Snort to log to a directory, and send
>>>>>> traffic to the network interface where Snort is listening. That will
>>>>>> produce Snort log files. Then you can push the contents of Snort logs
>>>>>> either to Kafka using NiFi (preferred) or using Kafka utilities such as the
>>>>>> command line producer. This should be pushed to a Kafka topic called Snort
>>>>>> where each message is a log line of the Snort file. Does that make sense?
>>>>>>
>>>>>> Thanks,
>>>>>> James
>>>>>>
>>>>>> 11.10.2017, 23:08, "Syed Hammad Tahir" <[email protected]>:
>>>>>>
>>>>>> You mean that I must start snort from the terminal by doing snort -v and
>>>>>> then push it to a kafka topic? I need to start snort in packet capture
>>>>>> mode.
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 9:52 PM, James Sirota <[email protected]> wrote:
>>>>>>
>>>>>> Yes, you can use Snort. Metron can consume Snort telemetries out of
>>>>>> the box. You have to set up Snort on your own and push the output into a
>>>>>> Kafka topic (most likely using NiFi). From there on you can use the output
>>>>>> of Snort in Metron.
>>>>>>
>>>>>> 10.10.2017, 00:48, "Syed Hammad Tahir" <[email protected]>:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Can I use snort in packet capture mode with Metron? By default it
>>>>>> works in IDS mode only.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> -------------------
>>>>>> Thank you,
>>>>>>
>>>>>> James Sirota
>>>>>> PMC- Apache Metron
>>>>>> jsirota AT apache DOT org
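The "Kafka utilities" route James Sirota describes (Snort logs to a directory, each log line published as one message on a topic called snort) can be wired up with the Kafka command-line producer. The script below is an added example, not code from this thread or from the Metron project. The alert file path, the broker address and the presence of kafka-console-producer.sh on PATH are assumptions; the `--broker-list` flag is the one accepted by Kafka 0.10-era releases that shipped alongside Metron at the time, while newer Kafka versions use `--bootstrap-server`. The sample alert lines are constructed for the offline dry run and include a blank line and a CRLF-terminated line on purpose, since publishing empty or CR-tainted records is the usual way this pipeline produces parser errors downstream.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread or the Metron project.
# Ships Snort alert log lines into a Kafka topic, one log line per message,
# with the Kafka command-line producer (NiFi is the preferred alternative
# named in the thread).
#
# Assumptions (not stated in the thread):
#   - Snort writes its alerts to $SNORT_ALERT_FILE (the default is a guess)
#   - Kafka brokers are reachable at $KAFKA_BROKERS
#   - kafka-console-producer.sh is on PATH and accepts --broker-list
#     (Kafka 0.10-era flag; newer releases use --bootstrap-server)

SNORT_ALERT_FILE="${SNORT_ALERT_FILE:-/var/log/snort/alert}"   # assumed path
KAFKA_BROKERS="${KAFKA_BROKERS:-localhost:6667}"                # assumed broker
KAFKA_TOPIC="${KAFKA_TOPIC:-snort}"                             # topic named in the thread

# snort_lines: stdin -> stdout filter that makes the stream safe to publish
# one line per message: strips carriage returns and drops blank lines so no
# empty or CR-terminated Kafka messages reach the Metron parser.
snort_lines() {
  tr -d '\r' | sed '/^[[:space:]]*$/d'
}

# shippable_line_count: how many messages snort_lines would publish for stdin.
shippable_line_count() {
  snort_lines | grep -c '^'
}

# sample_alerts: constructed Snort "fast"-style alert lines used to exercise
# the filter offline. Deliberately contains a blank line and a CRLF line.
sample_alerts() {
  printf '%s\n%s\n%s\r\n' \
    '01/17-12:00:01.000000  [**] [1:1000001:1] Constructed test rule [**] [Priority: 3] {TCP} 10.0.0.5:51515 -> 10.0.0.9:80' \
    '' \
    '01/17-12:00:02.000000  [**] [1:1000002:1] Another constructed rule [**] [Priority: 2] {UDP} 10.0.0.7:5353 -> 10.0.0.1:53'
}

# ship_snort_alerts: follow the alert file (-F survives Snort's log rotation)
# and publish each new complete line to the topic.
ship_snort_alerts() {
  tail -n 0 -F "$SNORT_ALERT_FILE" \
    | snort_lines \
    | kafka-console-producer.sh --broker-list "$KAFKA_BROKERS" --topic "$KAFKA_TOPIC"
}

# Invoke as `./ship_snort.sh run` to start shipping; without "run" the script
# only defines the functions, so it can be sourced and dry-run:
#   . ./ship_snort.sh; sample_alerts | shippable_line_count   # 2
if [ "${1:-}" = "run" ]; then
  ship_snort_alerts
fi
```

Before pointing a Metron parser at the topic, confirm that the Snort output format you configured is the one the Metron snort parser expects: the script publishes the raw line unchanged, so whatever Snort writes is exactly what the parser receives.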
