I am such a noob at all of this. I am using the Metron full-dev VM install to do my research. So, as per my understanding, I have 2 options to install Snort:

1- Install it in the usual way (like on a regular Linux machine) and then make its Kafka topic.
2- Use the Ansible role to do all of that. Read the content of those yml files given in main.yml to understand the procedure?

Which one do you suggest?

On Tue, Oct 17, 2017 at 9:22 PM, Nick Allen <[email protected]> wrote:

> No special commands. Install and configure Snort however you like and get
> those logs into a Kafka topic. Metron is completely agnostic to how sensor
> telemetry lands in Kafka.
>
> We also have an Ansible role that will install Snort along with a simple
> mechanism to transport its logs to Kafka. This is only useful for
> development environments; not a production install.
>
> Using the Ansible role directly may be beyond the knowledge level of
> some. I only offer this as a guide that you can use to follow along and
> manually install it yourself.
>
> https://github.com/apache/metron/blob/master/metron-deployment/roles/snort/tasks/main.yml
>
> If you are not familiar with how Ansible roles are defined, just start at
> the main.yml, then follow through each of the other files as they are
> included. It is pretty readable once you get used to the layout.
>
> On Tue, Oct 17, 2017 at 12:05 PM, Syed Hammad Tahir <[email protected]> wrote:
>
>> Ok, now I get it. Now should I install Snort in vagrant ssh in the normal
>> way Snort is usually installed on a Linux distro, or do I need to run some
>> special commands again?
>>
>> On Tue, Oct 17, 2017 at 7:45 PM, Nick Allen <[email protected]> wrote:
>>
>>> In the Full Dev environment, Snort is not installed. We install "Sensor
>>> Stubs", which is just a mechanism that continually replays canned telemetry
>>> logs repetitively to mimic real sensors. We have to do this because of
>>> resource constraints when running all of Metron on a single VM. See the
>>> following for more information.
>>>
>>> https://github.com/apache/metron/tree/master/metron-deployment/roles/sensor-stubs
>>>
>>> On Tue, Oct 17, 2017 at 10:16 AM, Syed Hammad Tahir <[email protected]> wrote:
>>>
>>>> Yes, but when I do snort -v in the vagrant ssh console it says Snort isn't
>>>> installed, whereas it can be seen working in Metron. For that reason I
>>>> am confused, because James Sirota said to install Snort.
>>>>
>>>> On Tue, Oct 17, 2017 at 7:05 PM, Nick Allen <[email protected]> wrote:
>>>>
>>>>> From Metron's perspective, Snort is just another sensor. Snort is
>>>>> installed, managed and executed completely independently of Metron itself.
>>>>> As with any sensor, you are responsible for getting the telemetry produced
>>>>> by Snort into Kafka. Metron can then consume that telemetry from Kafka and
>>>>> do wonderful things with it. :)
>>>>>
>>>>> On Tue, Oct 17, 2017 at 4:00 AM, Syed Hammad Tahir <[email protected]> wrote:
>>>>>
>>>>>> And I am sorry about one confusion, but isn't Snort built into the
>>>>>> Metron framework? If so, then can't we access that Snort and do the tasks
>>>>>> you mentioned earlier?
>>>>>>
>>>>>> On Tue, Oct 17, 2017 at 11:39 AM, Syed Hammad Tahir <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks for the support. Can it be performed both on a dumped log and
>>>>>>> on real-time data?
>>>>>>> Regards.
>>>>>>>
>>>>>>> On Tue, Oct 17, 2017 at 1:02 AM, James Sirota <[email protected]> wrote:
>>>>>>>
>>>>>>>> What I mean is that you should install Snort, load the appropriate
>>>>>>>> Snort rules for your use case, set Snort to log to a directory, and
>>>>>>>> send traffic to the network interface where Snort is listening. That will
>>>>>>>> produce Snort log files. Then you can push the contents of the Snort logs
>>>>>>>> to Kafka, either using NiFi (preferred) or using Kafka utilities such as
>>>>>>>> the command line producer. This should be pushed to a Kafka topic called
>>>>>>>> snort, where each message is a log line of the Snort file. Does that make
>>>>>>>> sense?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> James
>>>>>>>>
>>>>>>>> 11.10.2017, 23:08, "Syed Hammad Tahir" <[email protected]>:
>>>>>>>>
>>>>>>>> You mean that I must start Snort from the terminal by doing snort -v
>>>>>>>> and then push it to a Kafka topic? I need to start Snort in packet
>>>>>>>> capture mode.
>>>>>>>>
>>>>>>>> On Tue, Oct 10, 2017 at 9:52 PM, James Sirota <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Yes, you can use Snort. Metron can consume Snort telemetry out of
>>>>>>>> the box. You have to set up Snort on your own and push the output into a
>>>>>>>> Kafka topic (most likely using NiFi). From there on you can use the
>>>>>>>> output of Snort in Metron.
>>>>>>>>
>>>>>>>> 10.10.2017, 00:48, "Syed Hammad Tahir" <[email protected]>:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Can I use Snort in packet capture mode with Metron? By default it
>>>>>>>> works in IDS mode only.
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>>
>>>>>>>> -------------------
>>>>>>>> Thank you,
>>>>>>>>
>>>>>>>> James Sirota
>>>>>>>> PMC- Apache Metron
>>>>>>>> jsirota AT apache DOT org
>>>>>>>>
>>>>>>>> -------------------
>>>>>>>> Thank you,
>>>>>>>>
>>>>>>>> James Sirota
>>>>>>>> PMC- Apache Metron
>>>>>>>> jsirota AT apache DOT org
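As an added example (not code from this thread, and not Metron's own snort Ansible role or sensor stub), the following Python script does the manual version of what James describes: it follows Snort's alert log and hands each complete, well-formed log line to a Kafka producer as one message. Assumptions that the thread does not state: Snort is configured with `output alert_csv: /var/log/snort/alert.csv default`, so each line has Snort's default 27-field CSV layout (as far as I know, Metron's bundled Snort parser expects that alert_csv format; check the parser config of your Metron version); the Kafka client library is kafka-python; and the log path, broker address (`localhost:6667` is the HDP default used by full-dev, but treat it as a placeholder) and topic name are supplied on the command line. The sample alert lines are constructed, not captured from a real sensor. Two checks a shipper needs are built in: a line Snort is still writing (no trailing newline yet) is held back until the next poll so it is never sent as a fragment, and a record with the wrong field count is counted and dropped rather than sent to the parser.

```python
"""Ship Snort alert_csv lines to a Kafka topic, one message per log line.

Added example for the thread above; not Metron's or Snort's own code.
Assumed (not from the thread): Snort writes `output alert_csv ... default`,
and kafka-python (`pip install kafka-python`) is the Kafka client.
"""
import csv
import os
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

# Snort 2.x default field order for `output alert_csv ... default`.
SNORT_CSV_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Constructed sample alerts (not real sensor output): one ICMP, one TCP,
# and one damaged record with too few fields (e.g. a partial write).
SAMPLE_ALERTS = (
    "10/17-16:03:11.012345,1,1000001,1,ICMP PING detected,ICMP,192.168.56.1,,"
    "192.168.56.10,,00:0C:29:AA:BB:CC,00:0C:29:DD:EE:FF,0x62,,,,,,64,0,12345,84,20,8,0,1,1\n"
    "10/17-16:03:12.500001,1,1000002,2,SSH connection attempt,TCP,10.0.0.5,51234,"
    "192.168.56.10,22,00:0C:29:11:22:33,00:0C:29:DD:EE:FF,0x4A,******S*,0x1A2B3C4D,0x0,0,"
    "0x7210,64,0,54321,60,20,,,,\n"
    "10/17-16:03:12.700000,1,1000002,2,damaged record\n"
)


def parse_snort_csv(line: str) -> Optional[Dict[str, str]]:
    """Parse one alert_csv line into a dict; None if the field count is wrong."""
    row = next(csv.reader([line.rstrip("\r\n")]), None)
    if row is None or len(row) != len(SNORT_CSV_FIELDS):
        return None
    return dict(zip(SNORT_CSV_FIELDS, row))


def read_new_lines(path: str, offset: int) -> Tuple[List[str], int]:
    """Return complete lines appended after `offset`, plus the next offset.

    Anything after the last newline is a line Snort is still writing; it is
    left unread so it is shipped whole on a later poll, never as a fragment.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    complete, sep, _partial = data.rpartition(b"\n")
    if not sep:
        return [], offset
    lines = [l for l in complete.decode("utf-8", "replace").split("\n") if l]
    return lines, offset + len(complete) + 1


def ship(path: str, offset: int, produce: Callable[[bytes], None]) -> Tuple[int, int, int]:
    """Hand each new, well-formed line to `produce`; return (offset, shipped, dropped).

    Malformed records are dropped (a real shipper should also log them) so
    that the Metron parser only ever receives complete alert_csv lines.
    """
    lines, new_offset = read_new_lines(path, offset)
    shipped = dropped = 0
    for line in lines:
        if parse_snort_csv(line) is None:
            dropped += 1
            continue
        produce(line.encode("utf-8"))
        shipped += 1
    return new_offset, shipped, dropped


def kafka_producer(bootstrap: str, topic: str) -> Callable[[bytes], None]:
    """Build a produce() callable with kafka-python (assumed installed)."""
    from kafka import KafkaProducer  # imported lazily so the rest runs offline
    producer = KafkaProducer(bootstrap_servers=bootstrap)
    return lambda msg: producer.send(topic, msg)


def demo() -> Dict[str, object]:
    """Offline run: the constructed alerts plus a half-written trailing line,
    shipped into an in-memory list instead of Kafka."""
    sent: List[bytes] = []
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(SAMPLE_ALERTS.encode("utf-8"))
        tmp.write(b"10/17-16:03:13.000001,1,1000003,1,still being written")  # no newline yet
        path = tmp.name
    try:
        offset, shipped, dropped = ship(path, 0, sent.append)
    finally:
        os.unlink(path)
    return {"sent": sent, "offset": offset, "shipped": shipped, "dropped": dropped}


if __name__ == "__main__":
    import sys
    import time
    # Placeholders: python ship_snort.py /var/log/snort/alert.csv localhost:6667 snort
    alert_path, bootstrap, topic = sys.argv[1:4]
    produce = kafka_producer(bootstrap, topic)
    pos = 0
    while True:  # poll; log rotation handling is left out for brevity
        pos, ok, bad = ship(alert_path, pos, produce)
        if ok or bad:
            print(f"shipped={ok} dropped={bad} offset={pos}")
        time.sleep(1)
```

The poll-and-offset design is deliberate: `tail -F | kafka-console-producer` works for a quick test but sends whatever bytes tail happened to read, so a line cut mid-write becomes a broken Kafka message and a parser error in Metron. Held-back partial lines and a field-count check avoid that; what this example does not handle is log rotation (the offset would need resetting when the inode changes), which NiFi's TailFile processor does for you and is one reason James prefers NiFi for the real thing.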
