
List:       snort-users
Subject:    Re: [Snort-users] Snort3 Production Deployment
From:       Armel Hounkpevi via Snort-users <snort-users () lists ! snort ! org>
Date:       2021-07-17 13:29:40
Message-ID: 20210717132940.6164563.11065.4472 () gmail ! com


<html><head></head><body lang="fr-FR" style="background-color: rgb(255, 255, 255); \
line-height: initial;">                                                               \
<div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', \
sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; \
background-color: rgb(255, 255, 255);"><br></div>                                     \
<div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', \
sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; \
background-color: rgb(255, 255, 255);"><br style="display:initial"></div>             \
<div style="font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, \
sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, \
Envoyé">
255, 255);">Sent&nbsp;from&nbsp;my&nbsp;BlackBerry&nbsp;10&nbsp;smartphone.</div>   \
<table width="100%" style="background-color:white;border-spacing:0px;"> \
<tbody><tr><td colspan="2" style="font-size: initial; text-align: initial; \
background-color: rgb(255, 255, 255);">                           <div \
style="border-style: solid none none; border-top-color: rgb(181, 196, 223); \
border-top-width: 1pt; padding: 3pt 0in 0in; font-family: Tahoma, 'BB Alpha Sans', \
">
'Slate Pro'; font-size: 10pt;">  <div><b>From: </b>Noah Dietrich</div><div><b>Sent: \
</b>Friday, 16 July 2021 17:37</div><div><b>To: </b>Pimentel, Brandon (US - \
MDSI)</div><div><b>Cc: </b>snort-users@lists.snort.org</div><div><b>Subject: </b>Re: \
[Snort-users] Snort3 Production Deployment</div></div></td></tr></tbody></table><div \
style="border-style: solid none none; border-top-color: rgb(186, 188, 209); \
border-top-width: 1pt; font-size: initial; text-align: initial; background-color: \
rgb(255, 255, 255);"></div><br><div id="_originalContent" style=""><div \
dir="ltr">That sounds like a strange way of doing it, but I probably just&nbsp;don't \
understand your usecase.&nbsp; From what you say, you could use a single snort \
instance to process the pcap files, and when you have snort process each pcap file, \
you could write the results (in json format, because most any SIEM can ingest that) \
to a single folder, or to different folders if you need to keep things separate for \
some reason. With different folders, splunk will allow you to tag the data \
differently based on the folder, so you can search only the data from one network \
segment if that's necessary.<div><br></div><div>For capturing live snort NIDS/NIPS \
data and passing it to your SIEM, again I'd have one multi-homed machine with \
multiple instances of snort running on that machine, each one watching a network \
interface, and writing their logs in json format to individual folders. I'd then \
install the SPlunk universal forwarder (UF) and configure it to watch those log \
folders, and send the alerts back to my single Splunk server (indexer and web \
server), where i'd analyze them. You could also do this with multiple Snort3 sensors \
on the network, each one logging to a local directory in json format, with the UF \
reading those logs and sending them back.</div><div>If you go with Splunk as your \
SIEM (it's what i'm familair with), you'll want the&nbsp;<a \
href="https://splunkbase.splunk.com/app/4633/">Snort 3 JSON Alerts \
Add-on</a>&nbsp;(I'm the author) installed on your UF and your Splunk server in order \
to get your data normalized to the Splunk CIM (so that other tools can easily \
interact with that data) \
.</div><div><br></div><div>noah</div><div><br></div><div>Noah</div><div><br><div><br></div></div></div><br><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 13, 2021 at 9:17 PM \
Pimentel, Brandon (US - MDSI) &lt;<a \
href="mailto:Brandon.Pimentel@meggitt.com">Brandon.Pimentel@meggitt.com</a>&gt; \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="EN-US">
<div class="gmail-m_3117990578378729697WordSection1">
<p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hello \
Noah,<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I \
appreciate the input. To clarify on your first statement, we're looking into having \
the PCAPS for all network segments processed for alerts by that mother pig I \
mentioned, though now that you mention it, I'm thinking we can handle it all on one \
multi-homed machine. <u></u><u></u></span></p>
<p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I'm \
operating a SIEM, but at the moment none of our network traffic information from \
Snort is getting pushed to it, as the SIEM does its own level of network monitoring. \
The PCAPS are more for audit purposes and historical data review, though I'm going to \
begin looking into how to push IPS alerts to the SIEM to maximize our \
visibility.<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Thanks \
again for the suggestions,<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Brandon<u></u><u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><span \
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u>&nbsp;<u></u></span></p>
 <p class="MsoNormal"><b><span \
style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span \
style="font-size:11pt;font-family:Calibri,sans-serif"> Noah Dietrich [mailto:<a \
href="mailto:noah_dietrich@86penny.org" \
target="_blank">noah_dietrich@86penny.org</a>] <br>
<b>Sent:</b> Tuesday, July 13, 2021 9:56 AM<br>
<b>To:</b> Pimentel, Brandon (US - MDSI)<br>
<b>Cc:</b> <a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a><br> <b>Subject:</b> Re: [Snort-users] \
Snort3 Production Deployment<u></u><u></u></span></p> <p \
class="MsoNormal"><u></u>&nbsp;<u></u></p> <div class="MsoNormal" align="center" \
style="text-align:center"> <hr size="2" width="100%" align="center">
</div>
<div>
<div>
<p class="MsoNormal">So I'm not sure how you'd have snort3 reporting back to Snort3, \
that doesn't make much sense to me.&nbsp; A lot of this depends on how you plan to \
access the alert data, including the SIEM you plan on using.<u></u><u></u></p> </div>
<div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class="MsoNormal">If this were my project, I'd install snort3 to monitor traffic \
at the important portions of my network (inline at my ingress/egress point), and on \
any subnets that I wanted to watch (servers, management network, remote sites, \
etc).&nbsp; You could run multiple snort instances on a single machine, each one \
watching a different&nbsp;network (if you have a multi-homed machine), if that's \
possible / wanted.<u></u><u></u></p> </div>
<div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class="MsoNormal">On Each Snort3 sensor: I'd configure Snort3 to log to local json \
log files, and install the Splunk Universal Forwarder (UF) with the Snort3 Json Add \
on to read that logged json data and send&nbsp;the alert data back to a central \
Splunk Server,  which would serve the role of my SIEM.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class="MsoNormal">I'm partial to Splunk, but this could also be done with the ELK \
stack, where Logstash serves the role of the UF, sending the data back to EK for \
storage and processing (I'm not all that knowledgeable&nbsp;about ELK \
though).<u></u><u></u></p> </div>
<div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class="MsoNormal">Noah<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
<div>
<div>
<p class="MsoNormal">On Mon, Jul 12, 2021 at 4:16 PM Pimentel, Brandon (US - MDSI) \
via Snort-users &lt;<a href="mailto:snort-users@lists.snort.org" \
target="_blank">snort-users@lists.snort.org</a>&gt; wrote:<u></u><u></u></p> </div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt \
solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin:5pt 0in 5pt 4.8pt"> <div>
<div>
<p class="MsoNormal">Hello,<u></u><u></u></p>
<p class="MsoNormal">&nbsp;<u></u><u></u></p>
<p class="MsoNormal">My team is planning on using Snort3 in a production environment. \
We intend to have multiple monitors, and have the logging for all sensors report back \
to a "mother pig". The installation  of a standalone Snort is well documented, but we \
are having trouble finding information about a multi-sensor deployment. What are some \
recommended resources, videos, or documents to help us get started?<u></u><u></u></p> \
<p class="MsoNormal">&nbsp;<u></u><u></u></p> <p class="MsoNormal">Thank \
you,<u></u><u></u></p> <p class="MsoNormal">&nbsp;<u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">Brandon Pimentel</span></b><u></u><u></u></p> <p \
class="MsoNormal"><span style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">Cyber Security Analyst I</span><u></u><u></u></p> <p \
class="MsoNormal"><span style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">&nbsp;</span><u></u><u></u></p> <p \
class="MsoNormal"><b><span style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">Meggitt Defense Systems, Inc.</span></b><u></u><u></u></p> \
<p class="MsoNormal"><span style="font-size:8pt;font-family:&quot;Century \
9801">
Gothic&quot;,sans-serif">9801 Muirlands Boulevard</span><u></u><u></u></p> <p \
class="MsoNormal"><span style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">Irvine, CA 92618</span><u></u><u></u></p> <p \
class="MsoNormal"><span style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">USA</span><u></u><u></u></p> <p class="MsoNormal"><span \
style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">&nbsp;</span><u></u><u></u></p> <p class="MsoNormal"><span \
style="font-size:8pt;font-family:&quot;Century Gothic&quot;,sans-serif">Tel: +1 (949) \
465 7700 ext. 1083</span><u></u><u></u></p> <p class="MsoNormal"><span \
style="font-size:8pt;font-family:&quot;Century Gothic&quot;,sans-serif">Direct Tel: \
+(949) 465 7733</span><u></u><u></u></p> <p class="MsoNormal"><span \
style="font-size:8pt;font-family:&quot;Century Gothic&quot;,sans-serif">Fax: +1 (949) \
465 9557</span><u></u><u></u></p> <p class="MsoNormal"><a \
href="mailto:Brandon.pimentel@meggitt.com" target="_blank"><span \
style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">Brandon.pimentel@meggitt.com</span></a><u></u><u></u></p> <p \
class="MsoNormal"><a \
href="www.meggittdefense.com_&amp;" rel="nofollow">https://urldefense.proofpoint.com/v2/url?u=http-3A__www.meggittdefense.com_&amp;> \
d=DwMFaQ&amp;c=qLqNacw0Yb7yQVtNq3JZjw&amp;r=QHoi-ORDczoqMrgCT6qKZzQvSdiN9kn_dE5dK9xJ3Y \
Y&amp;m=YNV2vkuVeoAnr-hkXeON_g6XfuU0T0xAYi1nFJRXww4&amp;s=20sN-mwm-IwpnDCu4Nxc0ek-XaKrXlSquTUWM0-M9NM&amp;e=" \
target="_blank"><span style="font-size:8pt;font-family:&quot;Century \
Gothic&quot;,sans-serif">www.meggittdefense.com</span></a><u></u><u></u></p> <p \
class="MsoNormal"><a href="http://www.meggitt.com/" target="_blank"><span \
style="font-size:8pt;font-family:&quot;Century \
www.meggitt.com">
Gothic&quot;,sans-serif">www.meggitt.com</span></a><u></u><u></u></p> <p \
class="MsoNormal">&nbsp;<u></u><u></u></p> </div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal"><span \
style="font-size:7.5pt;font-family:Arial,sans-serif;color:gray"><br> <br>
This e-mail may contain proprietary information and/or copyright material. This \
e-mail is intended for the use of the addressee only. Any unauthorized use may be \
unlawful. If you receive this e-mail by mistake, please advise the sender immediately \
by using  the reply facility in your e-mail software. Information contained in and/or \
attached to this document may be subject to export control regulations of the \
European Community, USA, or other countries. Each recipient of this document is \
responsible to ensure  that usage and/or transfer of any information contained in \
this document complies with all relevant export control regulations. If you are in \
any doubt about the export control restrictions that apply to this information, \
please contact the sender immediately.  Be aware that Meggitt may monitor incoming \
and outgoing e-mails to ensure compliance with the Meggitt IT Use policy. Unless \
otherwise agreed by Meggitt, products and services are supplied on the terms of the \
Meggitt Standard Global Terms and Conditions of  Sale available at </span><a \
href="http://www.meggitt.com" target="_blank"><span \
style="font-size:7.5pt;font-family:Arial,sans-serif">www.meggitt.com</span></a><span \
style="font-size:7.5pt;font-family:Arial,sans-serif;color:gray"> or on request. .<br> \
<br> This transmittal and any attached documents may contain technical data, the use \
of which may be restricted by the U.S. Arms Export Control Act and/or the Export \
Administration Act. By accepting such data, the recipient agrees to comply with the \
International  Traffic in Arms Regulations (ITAR) and/or the Export Administration \
Regulations, as applicable.</span><u></u><u></u></p> </div>
<p class="MsoNormal">_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.snort.org" \
target="_blank">Snort-users@lists.snort.org</a><br> Go to this URL to change user \
options or unsubscribe:<br> <a \
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.snort.org_mailman_lis \
tinfo_snort-2Dusers&amp;d=DwMFaQ&amp;c=qLqNacw0Yb7yQVtNq3JZjw&amp;r=QHoi-ORDczoqMrgCT6 \
qKZzQvSdiN9kn_dE5dK9xJ3YY&amp;m=YNV2vkuVeoAnr-hkXeON_g6XfuU0T0xAYi1nFJRXww4&amp;s=fcCzKMW3XZkaHldybKyqrBaTY5ynhNltOPiHLDcPHP4&amp;e=" \
target="_blank">https://lists.snort.org/mailman/listinfo/snort-users</a><br> <br>
&nbsp; &nbsp; &nbsp; &nbsp; To unsubscribe, send an email to:<br>
&nbsp; &nbsp; &nbsp; &nbsp; <a href="mailto:snort-users-leave@lists.snort.org" \
target="_blank">snort-users-leave@lists.snort.org</a><br> <br>
Please visit <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.snort.o \
rg&amp;d=DwMFaQ&amp;c=qLqNacw0Yb7yQVtNq3JZjw&amp;r=QHoi-ORDczoqMrgCT6qKZzQvSdiN9kn_dE5 \
dK9xJ3YY&amp;m=YNV2vkuVeoAnr-hkXeON_g6XfuU0T0xAYi1nFJRXww4&amp;s=gjMJ5wH2cTpLv7kyo16uPW7erjbkRzu2fV_ZQvjC1FM&amp;e=" \
target="_blank"> http://blog.snort.org</a> to stay current on all the latest Snort \
news!<br> <br>
Please follow these rules: <a \
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__snort.org_faq_what-2Dis-2Dt \
he-2Dmailing-2Dlist-2Detiquette&amp;d=DwMFaQ&amp;c=qLqNacw0Yb7yQVtNq3JZjw&amp;r=QHoi-O \
RDczoqMrgCT6qKZzQvSdiN9kn_dE5dK9xJ3YY&amp;m=YNV2vkuVeoAnr-hkXeON_g6XfuU0T0xAYi1nFJRXww4&amp;s=8Zy7BEKI2Fg5hY36kYBbDpwbecuOhDshcNN1EshMKNA&amp;e=" \
target="_blank"> https://snort.org/faq/what-is-the-mailing-list-etiquette</a><u></u><u></u></p>
 </blockquote>
</div>
</div>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"></font><font face="Arial" color="Gray" \
size="1"><br> <br>
<font></font></font>
</div>

</blockquote></div>
<br><!--end of _originalContent --></div></body></html>
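Noah's layout above (one Snort 3 instance per interface, each writing JSON alerts to its own folder, and a forwarder that tags each record by folder and normalizes it to CIM-style field names) as an added Python example; this is not code from the thread or from the Snort 3 JSON Alerts Add-on. The sample alert lines, the /var/log/snort/<segment>/alert_json.txt paths and the output field names are assumptions constructed for the example.

```python
# Added example (not from the thread or the Snort 3 add-on): forwarder-side normalizer.
import json
import os
from typing import Dict, List, Optional, Tuple
# Constructed sample input: two sensors, each logging alert_json to its own folder.
# Keys are a subset of Snort 3's default alert_json field list
# (timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action);
# the values and paths are invented for this example.
SAMPLE_LOGS: Dict[str, str] = {
    "/var/log/snort/dmz/alert_json.txt": (
        '{"timestamp":"07/16-10:12:01.123456","pkt_num":42,"proto":"TCP","dir":"C2S",'
        '"src_ap":"203.0.113.7:51234","dst_ap":"10.1.0.5:80","rule":"1:2000001:3","action":"allow"}\n'
        # Final line has no newline yet: Snort is still writing it.
        '{"timestamp":"07/16-10:12:02.000001","pkt_num":43,"proto":"UDP"'
    ),
    "/var/log/snort/mgmt/alert_json.txt": (
        '{"timestamp":"07/16-10:13:05.654321","pkt_num":7,"proto":"TCP","dir":"C2S",'
        '"src_ap":"10.9.0.12:40002","dst_ap":"10.9.0.1:22","rule":"1:2000002:1","action":"block"}\n'
    ),
}

def split_ap(ap: str) -> Tuple[str, int]:
    """Split Snort's 'addr:port' form; rpartition keeps IPv6 addresses intact."""
    addr, _, port = ap.rpartition(":")
    return addr, int(port)

def normalize(line: str, log_path: str) -> Optional[dict]:
    """Map one alert_json line to CIM-style field names, tagged with its segment."""
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        # Not complete JSON yet (Snort writes the newline last): leave it for a retry.
        return None
    gid, sid, rev = (int(x) for x in alert["rule"].split(":"))
    src, src_port = split_ap(alert["src_ap"])
    dest, dest_port = split_ap(alert["dst_ap"])
    return {
        # The segment tag is the folder name, the way a forwarder tags by path.
        "segment": os.path.basename(os.path.dirname(log_path)),
        "timestamp": alert["timestamp"], "action": alert["action"],
        "src": src, "src_port": src_port, "dest": dest, "dest_port": dest_port,
        "transport": alert["proto"].lower(), "direction": alert["dir"],
        "gid": gid, "sid": sid, "rev": rev,
    }

def normalize_all(logs: Dict[str, str] = SAMPLE_LOGS) -> List[dict]:
    """Normalize every complete line from every sensor folder, in folder order."""
    records = []
    for path, content in logs.items():
        for line in content.splitlines():
            record = normalize(line, path)
            if record is not None:
                records.append(record)
    return records
```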


["image001.jpg" (image/jpeg)]

_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

	To unsubscribe, send an email to:
	snort-users-leave@lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic