What I mean is that you should install snort, load the appropriate Snort rules for your use case, set Snort to log to a directory, and send traffic to the network interface where Snort is listening. That will produce Snort log files. Then you can push the contents of Snort logs either to Kafka using NiFi (preferred) or using Kafka utilities such as command line producer. This should be pushed to a Kafka topic called Snort where each message is a log line of the Snort file. Does that make sense?
Thanks,
James
11.10.2017, 23:08, "Syed Hammad Tahir" <mscs16...@itu.edu.pk>:
You mean that I must start snort from terminal by doing snort -v and then push it to kafka topic? I need to start snort in packet capture mode.On Tue, Oct 10, 2017 at 9:52 PM, James Sirota <jsir...@apache.org> wrote:Yes, you can use Snort. Metron can consume Snort telemetries out of the box. You have to setup Snort on your own and push the output into a kafka topic (most likely using NiFi). From there on you can use the output of Snort in Metron.10.10.2017, 00:48, "Syed Hammad Tahir" <mscs16...@itu.edu.pk>:Regards.Hi,Can I use snort in packet capture mode with metron? By default it works in IDS mode only.-------------------Thank you,James SirotaPMC- Apache Metronjsirota AT apache DOT org
-------------------
Thank you,
James Sirota
PMC- Apache Metron
jsirota AT apache DOT org
