In the Full Dev environment, Snort is not installed. We install "Sensor Stubs" which is just a mechanism that continually replays canned telemetry logs repetitively to mimic real sensors. We have to do this because of resource constraints when running all of Metron on a single VM. See the following for more information.
https://github.com/apache/metron/tree/master/metron-deployment/roles/sensor-stubs

On Tue, Oct 17, 2017 at 10:16 AM, Syed Hammad Tahir <[email protected]> wrote:

> Yes, but when I do snort -v in the vagrant ssh console it says snort isn't
> installed, whereas it can be seen working in Metron. Due to that reason I
> am confused, because James Sirota said to install snort.
>
> On Tue, Oct 17, 2017 at 7:05 PM, Nick Allen <[email protected]> wrote:
>
>> From Metron's perspective, Snort is just another sensor. Snort is
>> installed, managed and executed completely independent of Metron itself. As
>> with any sensor, you are responsible for getting the telemetry produced by
>> Snort into Kafka. Metron can then consume that telemetry from Kafka and do
>> wonderful things with it. :)
>>
>> On Tue, Oct 17, 2017 at 4:00 AM, Syed Hammad Tahir <[email protected]> wrote:
>>
>>> And I am sorry about one confusion, but isn't snort built in to the
>>> Metron framework? If so, then can't we access that snort and do the tasks you
>>> mentioned earlier?
>>>
>>> On Tue, Oct 17, 2017 at 11:39 AM, Syed Hammad Tahir <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for the support. Can it be performed both on dumped logs and real
>>>> time data?
>>>> Regards.
>>>>
>>>> On Tue, Oct 17, 2017 at 1:02 AM, James Sirota <[email protected]> wrote:
>>>>
>>>>> What I mean is that you should install snort, load the appropriate
>>>>> Snort rules for your use case, set Snort to log to a directory, and send
>>>>> traffic to the network interface where Snort is listening. That will
>>>>> produce Snort log files. Then you can push the contents of Snort logs
>>>>> either to Kafka using NiFi (preferred) or using Kafka utilities such as the
>>>>> command line producer. This should be pushed to a Kafka topic called Snort
>>>>> where each message is a log line of the Snort file. Does that make sense?
>>>>>
>>>>> Thanks,
>>>>> James
>>>>>
>>>>> 11.10.2017, 23:08, "Syed Hammad Tahir" <[email protected]>:
>>>>>
>>>>> You mean that I must start snort from the terminal by doing snort -v and
>>>>> then push it to a kafka topic? I need to start snort in packet capture mode.
>>>>>
>>>>> On Tue, Oct 10, 2017 at 9:52 PM, James Sirota <[email protected]> wrote:
>>>>>
>>>>> Yes, you can use Snort. Metron can consume Snort telemetries out of
>>>>> the box. You have to set up Snort on your own and push the output into a
>>>>> kafka topic (most likely using NiFi). From there on you can use the output
>>>>> of Snort in Metron.
>>>>>
>>>>> 10.10.2017, 00:48, "Syed Hammad Tahir" <[email protected]>:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Can I use snort in packet capture mode with Metron? By default it
>>>>> works in IDS mode only.
>>>>>
>>>>> Regards.
>>>>>
>>>>> -------------------
>>>>> Thank you,
>>>>>
>>>>> James Sirota
>>>>> PMC- Apache Metron
>>>>> jsirota AT apache DOT org
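The pipeline James describes (Snort writes a log file, each log line becomes one message on the Kafka topic), as an added shell example that is not part of the thread or of Metron itself. The log path, broker address, the sample alert lines and the PRODUCER_CMD override are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Forward Snort alert log lines to the Kafka topic "snort", one message per line.
# Assumptions not taken from the thread: Snort writes alerts to $SNORT_LOG, and
# kafka-console-producer.sh from the Kafka distribution is on PATH.
SNORT_LOG="${SNORT_LOG:-/var/log/snort/alert.csv}"
KAFKA_BROKER="${KAFKA_BROKER:-localhost:9092}"   # placeholder; point at your broker
KAFKA_TOPIC="${KAFKA_TOPIC:-snort}"              # Metron's default Snort topic name

# Keep only alert records: drop blank lines and '#' header/comment lines so that
# every Kafka message is exactly one Snort log line, as the thread requires.
filter_snort_lines() {
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#'
}

# Producer stage. Setting PRODUCER_CMD (e.g. "cat") runs the pipeline without a broker.
produce() {
    if [ -n "${PRODUCER_CMD:-}" ]; then
        eval "$PRODUCER_CMD"
    else
        kafka-console-producer.sh --broker-list "$KAFKA_BROKER" --topic "$KAFKA_TOPIC"
    fi
}

# Real-time mode: tail -F keeps following after Snort rotates the log, unlike tail -f.
ship_snort_log() {
    tail -n +1 -F "${1:-$SNORT_LOG}" | filter_snort_lines | produce
}

# Batch mode for a dumped (already complete) Snort log file.
ship_snort_dump() {
    filter_snort_lines < "$1" | produce
}

# Constructed sample shaped like Snort CSV alert output (not captured traffic),
# used to exercise the filtering stage offline.
SAMPLE_ALERTS='01/17-10:00:01.000000 ,1,1000001,1,"TEST alert one",TCP,10.0.0.5,40000,10.0.0.9,80
# comment line that must not become a Kafka message

01/17-10:00:02.000000 ,1,1000002,1,"TEST alert two",UDP,10.0.0.5,5353,10.0.0.8,53'

# Number of Kafka messages the sample would produce (expected: 2).
count_sample_messages() {
    printf '%s\n' "$SAMPLE_ALERTS" | filter_snort_lines | wc -l | tr -d ' '
}
```

ship_snort_dump covers the "dumped log" case asked about in the thread and ship_snort_log the real-time one; the thread's preferred route for production is NiFi rather than the console producer.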
