metron-user mailing list archives

From Youzha <yuza.ras...@gmail.com>
Subject Re: how to using snort as a sensor on metron
Date Tue, 21 Feb 2017 05:51:32 GMT
This is the status of my Snort topology. Is this normal, or is there
something wrong?
There are no error messages, but there is no emitted data on parserBolt.


On Tue, Feb 21, 2017 at 11:45 AM, Youzha <yuza.rasfar@gmail.com> wrote:

> OK, I think it's parsing successfully. There is no error on parserBolt
> anymore after I added the config below to my Snort configuration. The date
> format now looks like this: 02/21/17-11:41:51
>
> # Configure Snort to show year in timestamps
> config show_year
>
>
> But there is a different problem when I check the logs of the Snort
> topology. There is a WARNING like the picture below:
>
>
> There is no emitted data when I check my enrichment topology.
> Do you have any idea about this?
>
> On Tue, Feb 21, 2017 at 9:43 AM, Otto Fowler <ottobackwards@gmail.com>
> wrote:
>
>> If you can do that, please post what you did.
>>
>>
>> On February 20, 2017 at 21:40:56, Youzha (yuza.rasfar@gmail.com) wrote:
>>
>> So I must change my Snort configuration first, right? OK, I'll try it
>> and then I'll report here. Thanks to you guys for helping me :)
>>
>> On Tue, Feb 21, 2017 at 4:42 AM, Otto Fowler <ottobackwards@gmail.com>
>> wrote:
>>
>>> OK,
>>> bringing this back to the list ( please reply to list guys ).
>>>
>>> I have run the data you sent, and as I suspected, there is a date format
>>> based failure:
>>>
>>> 2017-02-20 16:00:14 ERROR BasicSnortParser:179 - Unable to parse
>>> message: 02/18-16:24:46.262884 ,1,999158,0,"'snort test
>>> alert'",TCP,192.168.1.85,58472,192.168.1.216,22,34:68:95:01:
>>> D1:BB,52:54:00:E0:8F:0D,0x42,***A****,0x6756B8AF,0xA5EF764E,
>>> ,0x5A4,64,16,57034,52,53248,,,,
>>> java.time.format.DateTimeParseException: Text '02/18-16:24:46.262884'
>>> could not be parsed at index 5
>>>
>>> We expect a date more like 01/27/16-16:01:04.877970,
>>> so the year is missing.
>>>
>>>
>>> Our default date formatter for snort is defined as
>>> MM/dd/yy-HH:mm:ss.SSSSSS
>>>
>>> You can change this by adding “dateFormat”:”your format” to your parser
>>> configuration
>>>
>>> But…
>>>
>>> I have not been able to get this to work.
>>> I will see what I can do, hopefully someone else has an idea
>>>
>>>
>>> This is not documented that I can see; I have created issue
>>> METRON-729 to document Snort's configuration.
>>>
>>> On February 18, 2017 at 22:28:19, Youzha (yuza.rasfar@gmail.com) wrote:
>>>
>>> Does Flume automatically read the Snort logs? Can I see a sample of your
>>> Flume agent configuration?
>>>
>>> On Sun, Feb 19, 2017 at 12:50 AM Otto Fowler <ottobackwards@gmail.com>
>>> wrote:
>>>
>>>> I don’t have it setup right now, but if you go into var/log on the
>>>> snort machine, look for the flume agent logs and make sure there are not
>>>> errors there.
>>>>
>>>>
>>>>
>>>> On February 18, 2017 at 12:39:48, Youzha (yuza.rasfar@gmail.com) wrote:
>>>>
>>>> No, I'm not using the Vagrant setup. I'm using the Ansible playbook
>>>> setup, in an Ambari environment.
>>>>
>>>> On Sat, Feb 18, 2017 at 8:53 PM Otto Fowler <ottobackwards@gmail.com>
>>>> wrote:
>>>>
>>>> Are you using one of the vagrant setups?
>>>> What is your environment?
>>>>
>>>> On February 18, 2017 at 04:55:54, Youzha (yuza.rasfar@gmail.com) wrote:
>>>>
>>>> Hi. Can anyone explain to me how to use Snort as a Metron sensor?
>>>> I've tried this link:
>>>> https://cwiki.apache.org/confluence/display/METRON/Adding+Dummy+Snort+Data+for+Load+Testing
>>>> but I don't see anything working on my Snort topology or my Metron UI
>>>> dashboard. There is no data emitted on my Snort topology.
>>>> Is there any topology that I need to make this work? Please tell me step
>>>> by step how to use this sensor.
>>>>
>>
>
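A way to check a Snort alert_csv line against the date pattern quoted in the thread before it reaches the parser topology, as an added example in Python that is not Metron's code or the BasicSnortParser discussed above: it translates the Java pattern Metron uses by default (`MM/dd/yy-HH:mm:ss.SSSSSS`) into a strptime format, covering only the tokens in that pattern, tries the line's first field against it, and names the missing year when that is the cause. The column names, the token translation table and the two sample lines are assumptions of this example.

```python
import csv
import re
from datetime import datetime

# Added example, not Metron's own parser: a preflight check that tells you
# whether a Snort alert_csv line will satisfy the date pattern Metron's
# BasicSnortParser applies by default (quoted in the thread above).
METRON_DEFAULT_DATE_FORMAT = "MM/dd/yy-HH:mm:ss.SSSSSS"

# Java DateTimeFormatter tokens -> strptime directives. Only the tokens that
# appear in the default pattern are handled (an assumption of this example);
# longer tokens come first so "yyyy" is not eaten by "yy".
JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("yy", "%y"), ("MM", "%m"), ("dd", "%d"),
                    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"), ("SSSSSS", "%f")]

# Column names for the first ten alert_csv fields are assumed for this
# example; Snort's "output alert_csv" directive controls the real order.
COLUMNS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
           "src", "srcport", "dst", "dstport"]

# The shape Snort emits when snort.conf lacks "config show_year": no year.
NO_YEAR = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}(\.\d{1,6})?$")


def java_to_strptime(pattern):
    """Translate a Metron "dateFormat" (Java pattern) into a strptime format."""
    out = pattern
    for java_token, directive in JAVA_TO_STRPTIME:
        out = out.replace(java_token, directive)
    return out


def preflight(line, date_format=METRON_DEFAULT_DATE_FORMAT):
    """Return (True, record) if the line's timestamp matches date_format,
    else (False, reason), with a hint when the year is what is missing."""
    fields = next(csv.reader([line]))
    ts = fields[0].strip()  # the quoted log line has a space before the first comma
    try:
        when = datetime.strptime(ts, java_to_strptime(date_format))
    except ValueError as err:
        reason = f"timestamp {ts!r} does not match {date_format!r}: {err}"
        if NO_YEAR.match(ts):
            reason += " (no year in the timestamp: add 'config show_year' to snort.conf)"
        return False, reason
    record = dict(zip(COLUMNS, fields))
    record["timestamp"] = when
    return True, record


# Constructed sample lines in the layout of the one quoted in the error above:
# the first as Snort prints it without show_year, the second with it enabled.
WITHOUT_YEAR = ('02/18-16:24:46.262884 ,1,999158,0,"\'snort test alert\'",TCP,'
                '192.168.1.85,58472,192.168.1.216,22')
WITH_YEAR = ('02/18/17-16:24:46.262884 ,1,999158,0,"\'snort test alert\'",TCP,'
             '192.168.1.85,58472,192.168.1.216,22')

if __name__ == "__main__":
    for sample in (WITHOUT_YEAR, WITH_YEAR):
        ok, result = preflight(sample)
        print("OK  " if ok else "FAIL",
              result["timestamp"].isoformat() if ok else result)
```

Run it over a few lines from your own alert CSV before pointing Flume at it. One caveat: strptime fills in 1900 for a pattern with no year token, so passing a year-less "dateFormat" through this check proves less than it looks, and Metron's Java parser is a separate matter; enabling `config show_year`, as the thread ends up doing, is the cleaner fix.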
