Re: ask about profiler rule

2017-10-24 Thread Simon Elliston Ball
The profiler reads directly from the ingest stream, so it sees data before it 
gets to ES. 

The onlyif config you are asking about is a filter condition, so only data 
which matches that expression will be considered by this particular profile. 

The activedirectory example here assumes that you have a sensor set up from 
something like Active Directory, which has fields called user.name and 
event.type in it. It will then count those failures per user.name. 

Simon

> On 24 Oct 2017, at 07:38, tkg_cangkul  wrote:
> 
> Hi,
> 
> Can anybody explain this profiler config rule to me, please?
> 
> {
>   "profile": "failed-logins",
>   "foreach": "user.name",
>   "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
>   "init": { "count": 0 },
>   "update": { "count" : "count + 1" },
>   "result": "count"
> }
>  
> 
> What does "source.type == 'activedirectory' and event.type == 'failed_login'" 
> mean?
> Does it mean the profiler will read from an ES index that has the condition 
> source.type == 'activedirectory'? If yes, must I index to ES first where 
> source type = activedirectory? 
> 
> I've just read Nick's article here:
> 
> https://www.slideshare.net/NickAllen4/apache-metron-profiler 
> 
> 
> In the other rule configs there are "source.type == 'yaf'" and "source.type == 
> 'bro'". What I know is that "source.type == 'yaf'" & "source.type == 'bro'" are 
> indexed by default on Metron. How about activedirectory? 
> 
> 
> Best Regards,
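Simon's reply above describes what a profile definition does: the onlyif expression filters the stream, foreach chooses the entity to group by, and init/update/result describe the per-entity state. What follows is an added example, not Metron's code and not something posted to the list: a plain-Python model of those semantics run over constructed sample messages, so the behaviour of the failed-logins profile can be checked offline. It goes one step beyond the question by also defining a successful-logins profile, which shows that tracking the other login statuses asked about later in the thread is just a matter of changing the onlyif filter. Assumptions: the sample messages, the event.type values 'login' and 'failed_login', and the two tiny expression evaluators, which stand in for Stellar (Metron's real expression language) and only cover the constructs used on this page.

```python
"""Plain-Python model of how a Metron profile definition is evaluated over a
stream of parsed messages.  Added example, not Metron's own code: it only
re-implements the onlyif / foreach / init / update / result semantics
described on the list so they can be exercised offline.  The evaluators below
stand in for Stellar and accept only "field == 'literal'" clauses joined by
'and', plus simple arithmetic on the profile state."""

import ast
import json
import operator
import re

# The profile from the question (with the missing comma after "onlyif" added).
FAILED_LOGINS = {
    "profile": "failed-logins",
    "foreach": "user.name",
    "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
    "init": {"count": 0},
    "update": {"count": "count + 1"},
    "result": "count",
}

# Same shape, different filter: counts successful logins per user.  Tracking
# other statuses (logout, ...) follows the same pattern, one profile per
# event.type value the sensor emits.  The event.type values are assumptions.
SUCCESSFUL_LOGINS = dict(
    FAILED_LOGINS,
    profile="successful-logins",
    onlyif="source.type == 'activedirectory' and event.type == 'login'",
)

# Constructed sample messages as they would be read from the indexing topic.
# Metron parsers stamp each message with source.type = the sensor name, so the
# profile never touches Elasticsearch.  The yaf flow carries no user.name and
# must be ignored by the activedirectory profiles.
SAMPLE_MESSAGES = [
    {"source.type": "activedirectory", "user.name": "alice", "event.type": "failed_login"},
    {"source.type": "activedirectory", "user.name": "alice", "event.type": "failed_login"},
    {"source.type": "activedirectory", "user.name": "bob", "event.type": "login"},
    {"source.type": "activedirectory", "user.name": "alice", "event.type": "failed_login"},
    {"source.type": "yaf", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "10.0.0.9"},
    {"source.type": "activedirectory", "user.name": "bob", "event.type": "failed_login"},
]

_CLAUSE = re.compile(r"^\s*([\w.]+)\s*==\s*'([^']*)'\s*$")


def matches_onlyif(expr, message):
    """True when every "field == 'literal'" clause joined by 'and' holds.
    A field missing from the message (user.name on a yaf flow) makes the
    clause false instead of raising, which is how a filter should fail."""
    for clause in expr.split(" and "):
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unsupported onlyif clause: {clause!r}")
        field, literal = m.groups()
        if message.get(field) != literal:
            return False
    return True


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_arith(expr, state):
    """Evaluate an update/result expression such as 'count + 1' against the
    profile state.  Only names, numeric constants and + - * are accepted;
    anything else is rejected rather than handed to eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            return state[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def run_profile(profile, messages):
    """Apply one profile to the messages of a single period.  Messages that
    fail onlyif are dropped; the rest are grouped by the foreach field, each
    group starts from init, applies update once per message, and result is
    evaluated at the end.  Returns {entity: result}."""
    states = {}
    for msg in messages:
        if not matches_onlyif(profile["onlyif"], msg):
            continue
        entity = msg.get(profile["foreach"].strip())
        if entity is None:  # nothing to group by
            continue
        state = states.setdefault(entity, dict(profile["init"]))
        for var, update_expr in profile["update"].items():
            state[var] = eval_arith(update_expr, state)
    return {entity: eval_arith(profile["result"], st) for entity, st in states.items()}


if __name__ == "__main__":
    for p in (FAILED_LOGINS, SUCCESSFUL_LOGINS):
        print(p["profile"], json.dumps(run_profile(p, SAMPLE_MESSAGES)))
```

Run as-is it prints the failed-login count per user (alice 3, bob 1) and the successful-login count (bob 1); the yaf record contributes to neither because the onlyif clause on source.type is false for it. The point of keeping the state transitions as strings in the profile rather than as Python callables is to mirror the real configuration: what changes between profiles is only the expressions, never the evaluation loop.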



Re: ask about profiler rule

2017-10-24 Thread Mohan Venkateshaiah
Hi,

The Profiler will consume messages from the input kafka topic defined in the 
Profiler's configuration (see Configuring the Profiler). By default, this is 
the indexing topic.

Thanks
Mohan DV




Re: ask about profiler rule

2017-10-24 Thread tkg_cangkul
Do you have any sample configuration or something like that to set up an 
activedirectory sensor?

I've tried many ways but it still doesn't succeed.
That's because there are so many log formats there. I want to get the 
login status (failed, success, logout, etc.) with this profiler.

Is it possible for me to include Logstash in Metron?






Re: ask about profiler rule

2017-10-24 Thread Nick Allen
> Do you have any sample configuration or something like that to setup
> activedirectory sensor?

I'm assuming you are not yet ingesting AD logs into Metron.  There is not
currently something out-of-the-box for AD logs, but it should not be too
hard.  Feel free to contribute as many example AD logs as you can (after
cleaning them of sensitive information) to either of these JIRAs.

https://issues.apache.org/jira/browse/METRON-1149
https://issues.apache.org/jira/browse/METRON-161


> i've trying many ways but it stills not succeed.  that's because there
> are so many format log on there. i wanna get the login status (failed,
> success, logout, etc) with this profiler.

What have you tried?  I assume you are still talking about parsing the AD
logs, which has nothing to do with the Profiler.

Just to level set, the first step is to parse the AD logs and get them into
Metron.  Then we can use that data in the Profiler.


> Is it possible to me include logstash into metron?

You can use Logstash to push data into Kafka.  Metron would then consume it
from Kafka.






Re: Snort Installation

2017-10-24 Thread Nick Allen
Take a look at `kafka-console-producer.sh`, which is installed as part of
Kafka.

On Tue, Oct 24, 2017 at 2:11 AM, Syed Hammad Tahir 
wrote:

> Ok, I have fixed everything on my own. Now that I have snort logs saved in
> a file, I need to get them to metron. Can anyone help me on that?
>
> On Mon, Oct 23, 2017 at 3:44 PM, Syed Hammad Tahir 
> wrote:
>
>> yes but I am a bit confused here. Let me ask them as well then.
>>
>> On Mon, Oct 23, 2017 at 3:35 PM, zeo...@gmail.com 
>> wrote:
>>
>>> Hi Syed,
>>>
>>> Just to clarify, this a snort issue you are having?  If so I suggest
>>> looking at their documentation (https://snort.org/documents) or
>>> reaching out to their community (https://snort.org/community), as they
>>> have more expertise in this area.
>>>
>>> Jon
>>>
>>> On Mon, Oct 23, 2017, 03:52 Syed Hammad Tahir 
>>> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I tried to add another network interface in order to bridge it to LAN.
>>>> I tried to do it on virtualbox vm settings and when i did vagrant up after
>>>> that, there was no bridged interface. Can anyone help me on this?
>>>>
>>>> On Sun, Oct 22, 2017 at 11:44 AM, Syed Hammad Tahir <
>>>> mscs16...@itu.edu.pk> wrote:
>>>>
>>>>> Ok, thank you. I will let you know once I make snort sniff the traffic
>>>>> in the given configuration, might be helpful for others. I will then try to
>>>>> do that kafka topic and will ask if any help is needed.
>>>>>
>>>>> On Sun, Oct 22, 2017 at 6:10 AM, Laurens Vets 
>>>>> wrote:
>>>>>
>>>>>> Hi Syed,
>>>>>>
>>>>>> See inline.
>>>>>>
>>>>>> On 2017-10-20 00:32, Syed Hammad Tahir wrote:
>>>>>>
>>>>>>> I have installed the snort manually. Now I need help with :
>>>>>>>
>>>>>>> 1- Capturing the data of my lan and dumping it via snort: Snort can't
>>>>>>> see the traffic outside vagrant vm, how do I make it see that traffic?
>>>>>>>
>>>>>>
>>>>>> To be honest, configuring Snort to work on your LAN is out of scope
>>>>>> of the project. Have a look at the documentation at
>>>>>> https://www.snort.org/.
>>>>>> You will probably have to add a 2nd network interface bridged to your
>>>>>> LAN in promiscuous mode. Additionally, I think most of us expect some
>>>>>> basic Linux & network administration knowledge when using Metron.
>>>>>>
>>>>>>> 2- Making a kafka topic to push those saved logs in metron for
>>>>>>> preprocessing
>>>>>>>
>>>>>>
>>>>>> Have a look at the Metron documentation at
>>>>>> https://metron.apache.org/current-book/index.html. Adding a new
>>>>>> sensor in the Metron UI will create the Kafka iirc.
>>>>>>
>>>>>>> 3- Applying a basic Machine learning algorithm on the captured data.
>>>>>>>
>>>>>>
>>>>>> I can't help you with this :)
>>>>>>
>>>>>
>>>>>
>>> --
>>>
>>> Jon
>>>
>>
>>
>


Re: ask about profiler rule

2017-10-24 Thread tkg_cangkul

OK Nick,

I think I've succeeded in doing this.
I'm using Logstash like you suggested below and the JSONMap parser in 
Metron to parse it.


Thank You so much for your help.
Have a nice day :)


Re: ask about profiler rule

2017-10-24 Thread Nick Allen
Glad to hear that.




SysLog Parser in Metron

2017-10-24 Thread Farrukh Naveed Anjum
Hi,

How can I get syslog into Metron? Any help (pattern / parser)? Kindly help.

-- 
With Regards
Farrukh Naveed Anjum


Re: Snort Installation

2017-10-24 Thread Syed Hammad Tahir
Where do I find this file kafka-console-producer.sh?



Re: Snort Installation

2017-10-24 Thread Syed Hammad Tahir
All I did was install snort separately on the vagrant ssh console, then ran it
to collect logs. Now I need to bring those logs to metron.

On Wed, Oct 25, 2017 at 9:50 AM, Farrukh Naveed Anjum <
anjum.farr...@gmail.com> wrote:

> Hi Syed Hammed,
>
> Can you share the steps for how you connected snort with an external source?
> (Metron Snort?)
>
> --
> With Regards
> Farrukh Naveed Anjum
>