Yes, but when I do `snort -v` in the Vagrant SSH console it says Snort isn't installed, whereas it can be seen working in Metron. For that reason I am confused, because James Sirota said to install Snort.
On Tue, Oct 17, 2017 at 7:05 PM, Nick Allen <n...@nickallen.org> wrote:

> From Metron's perspective, Snort is just another sensor. Snort is
> installed, managed and executed completely independent of Metron itself. As
> with any sensor, you are responsible for getting the telemetry produced by
> Snort into Kafka. Metron can then consume that telemetry from Kafka and do
> wonderful things with it. :)
>
> On Tue, Oct 17, 2017 at 4:00 AM, Syed Hammad Tahir <mscs16...@itu.edu.pk> wrote:
>
>> And I am sorry about one confusion, but isn't Snort built into the Metron
>> framework? If so, then can't we access that Snort and do the tasks you
>> mentioned earlier?
>>
>> On Tue, Oct 17, 2017 at 11:39 AM, Syed Hammad Tahir <mscs16...@itu.edu.pk> wrote:
>>
>>> Hi,
>>>
>>> Thanks for the support. Can it be performed both on dumped logs and
>>> real-time data?
>>> Regards.
>>>
>>> On Tue, Oct 17, 2017 at 1:02 AM, James Sirota <jsir...@apache.org> wrote:
>>>
>>>> What I mean is that you should install Snort, load the appropriate
>>>> Snort rules for your use case, set Snort to log to a directory, and send
>>>> traffic to the network interface where Snort is listening. That will
>>>> produce Snort log files. Then you can push the contents of the Snort logs
>>>> to Kafka either using NiFi (preferred) or using Kafka utilities such as
>>>> the command-line producer. This should be pushed to a Kafka topic called
>>>> snort, where each message is one log line of the Snort file. Does that
>>>> make sense?
>>>>
>>>> Thanks,
>>>> James
>>>>
>>>> 11.10.2017, 23:08, "Syed Hammad Tahir" <mscs16...@itu.edu.pk>:
>>>>
>>>> You mean that I must start Snort from the terminal by doing `snort -v` and
>>>> then push it to a Kafka topic? I need to start Snort in packet capture mode.
>>>>
>>>> On Tue, Oct 10, 2017 at 9:52 PM, James Sirota <jsir...@apache.org> wrote:
>>>>
>>>> Yes, you can use Snort. Metron can consume Snort telemetry out of the
>>>> box. You have to set up Snort on your own and push the output into a Kafka
>>>> topic (most likely using NiFi). From there on you can use the output of
>>>> Snort in Metron.
>>>>
>>>> 10.10.2017, 00:48, "Syed Hammad Tahir" <mscs16...@itu.edu.pk>:
>>>>
>>>> Hi,
>>>>
>>>> Can I use Snort in packet capture mode with Metron? By default it works
>>>> in IDS mode only.
>>>>
>>>> Regards.
>>>>
>>>> -------------------
>>>> Thank you,
>>>>
>>>> James Sirota
>>>> PMC- Apache Metron
>>>> jsirota AT apache DOT org
>>>>
>>>> -------------------
>>>> Thank you,
>>>>
>>>> James Sirota
>>>> PMC- Apache Metron
>>>> jsirota AT apache DOT org
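The step James describes above (Snort logging to a directory, each log line pushed as one message to a Kafka topic named `snort` with the Kafka command-line producer), written out as an added shell example. This is not code from the thread, from Apache Metron, or from NiFi, which the thread prefers over the command-line producer. It assumes, beyond what the thread states, that snort.conf uses the `alert_csv` output plugin (`output alert_csv: /var/log/snort/alert.csv default`), that the Kafka broker listens on localhost:6667, and that `kafka-console-producer.sh` is on PATH; all three can be overridden through the variables at the top. The sample alert lines are constructed to match the shape of Snort's CSV output and are not real alerts.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Apache Metron: ship Snort
# alert log lines into the Kafka topic "snort" with the Kafka command-line
# producer, one log line per message.
#
# Assumptions not stated in the thread:
#   - snort.conf has "output alert_csv: /var/log/snort/alert.csv default",
#     so each alert is one comma-separated line;
#   - the Kafka broker listens on localhost:6667;
#   - kafka-console-producer.sh is on PATH.

SNORT_TOPIC="${SNORT_TOPIC:-snort}"
KAFKA_BROKERS="${KAFKA_BROKERS:-localhost:6667}"
# Command that reads stdin and publishes one message per line. Set
# PRODUCER=cat to dry-run the pipeline without a broker.
PRODUCER="${PRODUCER:-kafka-console-producer.sh --broker-list $KAFKA_BROKERS --topic $SNORT_TOPIC}"

# Sanity check for the sensor host: is a snort binary on PATH for this user?
# Returns 1 if not. (A Snort visible in Metron's UI is telemetry already in
# Kafka; it says nothing about the shell you are typing in.)
check_snort_installed() {
  command -v snort >/dev/null 2>&1 && return 0
  echo "snort is not on PATH for this user; check the sensor host and PATH" >&2
  return 1
}

# Keep only lines that look like alert_csv records: not blank, not a comment,
# and at least 10 comma-separated fields (timestamp, generator, sig id, rev,
# msg, proto, src, srcport, dst, dstport, ...). A partial line from an
# interrupted write is dropped instead of being published as a broken message.
filter_snort_csv() {
  awk -F',' '$0 !~ /^[[:space:]]*#/ && $0 !~ /^[[:space:]]*$/ && NF >= 10'
}

# Number of publishable lines in a finished alert file (printed to stdout).
count_snort_csv() {
  filter_snort_csv < "$1" | wc -l | tr -d '[:space:]'
}

# One-shot push of a finished log, e.g. alerts produced by replaying a pcap
# with "snort -r capture.pcap -c snort.conf": send every line and exit.
push_snort_log() {
  filter_snort_csv < "$1" | $PRODUCER
}

# Real-time push: emit the existing content, then follow the file as Snort
# appends to it. "tail -F" re-opens the file after log rotation.
stream_snort_log() {
  tail -n +1 -F "$1" | filter_snort_csv | $PRODUCER
}

# Constructed sample alert file in the shape of Snort's alert_csv "default"
# output (27 fields; the timestamp keeps Snort's trailing space). These are
# not real alerts; the sig ids are in the local-rule range. The file also
# contains a comment, a blank line and a truncated record for the filter to drop.
write_sample_alerts() {
  cat > "$1" <<'EOF'
# snort restarted
01/15-09:30:01.123456 ,1,1000001,1,'LOCAL test alert one',TCP,10.0.2.15,49152,10.0.2.2,22,08:00:27:ab:cd:ef,52:54:00:12:35:02,0x3C,***A****,0xCA3A98B3,0xF7CA4D50,,0x1000,64,0,0,56,40,,,,

01/15-09:30:02.654321 ,1,1000002,1,'LOCAL test alert two',ICMP,10.0.2.15,,10.0.2.2,,08:00:27:ab:cd:ef,52:54:00:12:35:02,0x62,,,,,,64,0,1,84,20,8,0,1234,1
01/15-09:30:03.000000 ,1,1000003
EOF
}
```

Source the file on the sensor host and run `push_snort_log /var/log/snort/alert.csv` for a finished log (a dumped capture replayed through Snort) or `stream_snort_log /var/log/snort/alert.csv` to follow the file as Snort writes to it; `PRODUCER=cat` shows exactly which lines would reach the topic before a broker is involved.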