metron-user mailing list archives

From Otto Fowler <ottobackwa...@gmail.com>
Subject Re: how to using snort as a sensor on metron
Date Mon, 20 Feb 2017 20:35:49 GMT
Nick,
From his error, he is now getting data, but failing to parse in the
parser.  I asked for some data to run through the tests, and got it, I am
just going to forward to the list since he sent it right to me.



On February 20, 2017 at 13:45:22, Nick Allen (nick@nickallen.org) wrote:

The mechanism that transports Snort alerts to Kafka no longer uses Flume.
It just uses the `kafka-console-producer` that is shipped with Kafka.

Keep in mind that you need both Snort and the Snort Producer services
running.  The Snort Producer service actually captures the Snort alerts and
pushes them to Kafka.

    service snort-producer start

Then ensure that you have Snort telemetry actually landing in Kafka.
(Typing this from memory, so may have typos.)

    /usr/hdp/current/kafka/bin/kafka-console-consumer.sh --zookeeper ZK:2181 --topic snort

If you do not have any telemetry landing in the 'snort' topic, then nothing
downstream (like the parser topology) will work.


On Sun, Feb 19, 2017 at 9:23 PM, Otto Fowler <ottobackwards@gmail.com>
wrote:

> If you deploy the snort sensor and topology through metron it gets set
> up.  Did you do that?
>
>
> On February 18, 2017 at 22:28:19, Youzha (yuza.rasfar@gmail.com) wrote:
>
> does flume automatically read the snort logs? can i see your flume agent
> configuration sample?
>
> On Sun, Feb 19, 2017 at 12:50 AM Otto Fowler <ottobackwards@gmail.com>
> wrote:
>
>> I don't have it set up right now, but if you go into var/log on the snort
>> machine, look for the flume agent logs and make sure there are not errors
>> there.
>>
>>
>>
>> On February 18, 2017 at 12:39:48, Youzha (yuza.rasfar@gmail.com) wrote:
>>
>> no i'm not using vagrant setup. i'm using ansible playbook
>> setup. i'm using ambari environment
>>
>> On Sat, Feb 18, 2017 at 8:53 PM Otto Fowler <ottobackwards@gmail.com>
>> wrote:
>>
>> Are you using one of the vagrant setups?
>> What is your environment?
>>
>> On February 18, 2017 at 04:55:54, Youzha (yuza.rasfar@gmail.com) wrote:
>>
>> hi. can anyone explain to me how to use snort as a metron sensor?
>> i've tried this link:
>> https://cwiki.apache.org/confluence/display/METRON/Adding+Dummy+Snort+Data+for+Load+Testing
>> but i don't see anything working on my snort topology or my metron UI
>> dashboard. there is no data emitted on my snort topology.
>> is there any topology that i need to make this work? pls tell me step by
>> step how to use this sensor.
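Nick's "ensure telemetry is actually landing in the snort topic" step, turned into a repeatable check. This is an added example, not part of the thread or of Metron; it assumes the HDP Kafka path and the `ZK:2181` placeholder from Nick's message (set `ZK_CONNECT` to your real ZooKeeper host), and it takes the consumer command as a parameter so the counting logic can be exercised with a stand-in command where no cluster is reachable.

```shell
#!/bin/sh
# Added example: confirm Snort alerts reach the Kafka "snort" topic before
# debugging the parser topology downstream. Paths and ZK:2181 follow the
# thread; adjust KAFKA_BIN / ZK_CONNECT / TOPIC for your cluster.
KAFKA_BIN=${KAFKA_BIN:-/usr/hdp/current/kafka/bin}
ZK_CONNECT=${ZK_CONNECT:-ZK:2181}     # placeholder host from Nick's message
TOPIC=${TOPIC:-snort}
WAIT_SECS=${WAIT_SECS:-15}            # how long to listen for new alerts

# Run a consumer command for at most $2 seconds and print the number of
# lines (one Kafka message per line) it emitted. The command is injected so
# the function can be tested with a stand-in such as printf.
count_messages() {
    consumer_cmd=$1
    wait_secs=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout "$wait_secs" sh -c "$consumer_cmd" 2>/dev/null | wc -l | tr -d ' '
    else
        sh -c "$consumer_cmd" 2>/dev/null | wc -l | tr -d ' '
    fi
}

# Turn a message count into a verdict. Zero means the producer side is the
# problem (Snort or the snort-producer service), not the parser topology.
verdict_for_count() {
    if [ "$1" -gt 0 ] 2>/dev/null; then
        echo "OK: $1 message(s) seen in topic '$TOPIC'"
    else
        echo "FAIL: nothing in topic '$TOPIC'; check 'service snort-producer status' and Snort"
    fi
}

# Real check against the cluster: mirrors the consumer command from the thread.
check_snort_topic() {
    cmd="$KAFKA_BIN/kafka-console-consumer.sh --zookeeper $ZK_CONNECT --topic $TOPIC"
    n=$(count_messages "$cmd" "$WAIT_SECS")
    verdict_for_count "$n"
    [ "$n" -gt 0 ]
}

# Only hit the cluster when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
    check_snort_topic
fi
```

Run it as `sh check_snort_topic.sh --run` on a host with the Kafka client installed; a non-zero exit means no alerts arrived within the wait window.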
