Github user dlyle65535 commented on the issue:
https://github.com/apache/incubator-metron/pull/176
@nickwallen - so it does. Good deal. I'm +1.
Thanks!
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your proj
Github user nickwallen commented on the issue:
https://github.com/apache/incubator-metron/pull/176
@dlyle65535 the code already configures Snort to listen on the
`sniff_interface`. See bottom of `metron-deployment/roles/snort/snort.yml`
Github user james-sirota commented on the issue:
https://github.com/apache/incubator-metron/pull/176
+1
Github user dlyle65535 commented on the issue:
https://github.com/apache/incubator-metron/pull/176
Ah, that's a good clarification - I guess what we need is two things:
1) HOME_NETWORK to any (which you have done).
2) Configure the snort IFACE to be the sniff_interface.
Github user nickwallen commented on the issue:
https://github.com/apache/incubator-metron/pull/176
The current code base is trying to set the HOME_NETWORK to the IP of the
sniff interface. I can't really think of any conditions under which you would
want the HOME_NETWORK set to the I
Github user nickwallen commented on the issue:
https://github.com/apache/incubator-metron/pull/176
AFAIK, the HOME_NETWORK is used primarily to designate which traffic should
be validated against the rule set. If Snort sees traffic where the source or
destination is NOT associated wi
Github user dlyle65535 commented on the issue:
https://github.com/apache/incubator-metron/pull/176
I don't agree that using "any" works fine for either general or
demonstration/development purposes. If we don't sniff the same interface with
all the sensors, we get events that are unc