metron-user mailing list archives

From Otto Fowler <ottobackwa...@gmail.com>
Subject Re: how to using snort as a sensor on metron
Date Tue, 21 Feb 2017 02:43:29 GMT
If you can do that, please post what you did.


On February 20, 2017 at 21:40:56, Youzha (yuza.rasfar@gmail.com) wrote:

So I must change my snort configuration beforehand, right? OK, I'll try it, then
I'll report here. Thanks to you guys for helping me :)

On Tue, Feb 21, 2017 at 4:42 AM, Otto Fowler <ottobackwards@gmail.com>
wrote:

> OK,
> bringing this back to the list ( please reply to list guys ).
>
> I have run the data you sent, and as I suspected, there is a date format
> based failure:
>
> 2017-02-20 16:00:14 ERROR BasicSnortParser:179 - Unable to parse message:
> 02/18-16:24:46.262884 ,1,999158,0,"'snort test alert'",TCP,192.168.1.85,
> 58472,192.168.1.216,22,34:68:95:01:D1:BB,52:54:00:E0:8F:0D,
> 0x42,***A****,0x6756B8AF,0xA5EF764E,,0x5A4,64,16,57034,52,53248,,,,
> java.time.format.DateTimeParseException: Text '02/18-16:24:46.262884'
> could not be parsed at index 5
>
> We expect a date more like 01/27/16-16:01:04.877970
> So the year is missing.
>
>
> Our default date formatter for snort is defined as
> MM/dd/yy-HH:mm:ss.SSSSSS
>
> You can change this by adding "dateFormat":"your format" to your parser
> configuration
>
> But…
>
> I have not been able to get this to work.
> I will see what I can do, hopefully someone else has an idea
>
>
> This is not documented that I can see; I have created issue METRON-729
> for documenting Snort's configuration
>
> On February 18, 2017 at 22:28:19, Youzha (yuza.rasfar@gmail.com) wrote:
>
> Does flume automatically read the snort logs? Can I see your flume agent
> configuration sample?
>
> On Sun, Feb 19, 2017 at 12:50 AM Otto Fowler <ottobackwards@gmail.com>
> wrote:
>
>> I don't have it set up right now, but if you go into var/log on the snort
>> machine, look for the flume agent logs and make sure there are no errors
>> there.
>>
>>
>>
>> On February 18, 2017 at 12:39:48, Youzha (yuza.rasfar@gmail.com) wrote:
>>
>> No, I'm not using the vagrant setup. I'm using the ansible playbook
>> setup. I'm using an Ambari environment.
>>
>> On Sat, Feb 18, 2017 at 8:53 PM Otto Fowler <ottobackwards@gmail.com>
>> wrote:
>>
>> Are you using one of the vagrant setups?
>> What is your environment?
>>
>> On February 18, 2017 at 04:55:54, Youzha (yuza.rasfar@gmail.com) wrote:
>>
>> Hi. Can anyone explain to me how to use snort as a metron sensor?
>> I've tried this link:
>> https://cwiki.apache.org/confluence/display/METRON/Adding+Dummy+Snort+Data+for+Load+Testing
>> but I don't see anything working on my snort topology or my metron UI
>> dashboard. There is no data emitted on my snort topology.
>> Is there any topology that I need to make this work? Please tell me step
>> by step how to use this sensor.

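The date-format mismatch diagnosed in this thread, as an added example that is not Metron's own code: Python's strptime stands in for java.time, the alert line is the one quoted above, and the year-less pattern, the ingest timestamp (taken from the ERROR line) and the year-rollover rule are assumptions of this example.

```python
"""Reproduce the Snort timestamp failure from the thread: Metron's default
dateFormat MM/dd/yy-HH:mm:ss.SSSSSS expects a year, but the alert line posted
carries 02/18-16:24:46.262884, which has no year field at all.
Example code, not Metron's parser; strptime stands in for java.time."""
import csv
from datetime import datetime, timedelta

# strptime equivalents of the two Java patterns discussed in the thread
DEFAULT_FMT = "%m/%d/%y-%H:%M:%S.%f"   # MM/dd/yy-HH:mm:ss.SSSSSS (Metron default)
NO_YEAR_FMT = "%m/%d-%H:%M:%S.%f"      # MM/dd-HH:mm:ss.SSSSSS (assumed; what Snort wrote)

# The alert record quoted in the thread, joined onto one CSV line
ALERT_LINE = ('02/18-16:24:46.262884 ,1,999158,0,"\'snort test alert\'",TCP,'
              '192.168.1.85,58472,192.168.1.216,22,34:68:95:01:D1:BB,'
              '52:54:00:E0:8F:0D,0x42,***A****,0x6756B8AF,0xA5EF764E,,0x5A4,'
              '64,16,57034,52,53248,,,,')

# Ingest time taken from the ERROR line in the thread (2017-02-20 16:00:14)
INGEST_TIME = datetime(2017, 2, 20, 16, 0, 14)


def split_alert(line):
    """Split a Snort CSV alert into fields; the timestamp is field 0."""
    return [f.strip() for f in next(csv.reader([line]))]


def parse_with_default(ts):
    """Parse with Metron's default pattern; None when the text does not fit
    (this is the DateTimeParseException case from the thread)."""
    try:
        return datetime.strptime(ts, DEFAULT_FMT)
    except ValueError:
        return None


def parse_without_year(ts, ingest_time):
    """Parse a year-less Snort timestamp by borrowing the year from ingest time.
    Prepending the year (rather than replace(year=...)) keeps Feb 29 valid.
    If that lands the event in the future (alert written in December, ingested
    in January), it belongs to the previous year."""
    full_fmt = "%Y/" + NO_YEAR_FMT
    event = datetime.strptime(f"{ingest_time.year}/{ts}", full_fmt)
    if event - ingest_time > timedelta(days=1):
        event = datetime.strptime(f"{ingest_time.year - 1}/{ts}", full_fmt)
    return event


def parse_alert_timestamp(line, ingest_time):
    """Try the default pattern first, then fall back to the year-less one."""
    ts = split_alert(line)[0]
    return parse_with_default(ts) or parse_without_year(ts, ingest_time)


if __name__ == "__main__":
    print(parse_alert_timestamp(ALERT_LINE, INGEST_TIME))
```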