From: Olivier B. <obi...@in...> - 2010-02-03 22:16:56
Hi guys,

Rich Rumble wrote:
> Suricata is beta, but so far seems very stable and comparable to Snort
> in our test environment; with its list of upcoming features I think it
> will be deployed and possibly replace Snort installs. Again, when
> paired with Barnyard2, it logs to the same Snort DB as a Snort install
> does with no modifications needed. Suricata is currently a Linux-only
> install; Windows binaries are also supposed to be on the horizon. While
> it might not be a supported IDS for PacketFence, if all PF is looking
> at is the DB where the IDS logs to, in theory it should work I guess? I
> simply haven't tried it yet, my Snort and Suri are in two different
> environments.

PacketFence doesn't even need Barnyard2 and a database. When running in local mode, we configure snort to send alarms to a named pipe in var/alert. Then we run a daemon that tails the pipe. Check sbin/pfdetect for the code.

When running in remote mode, we do the same with the pipe, except that we require users to install the pfdetect_remote_packetfence.rpm. It parses the alarms the same way pfdetect does (the code is in addons/pfdetect_remote/sbin/pfdetect_remote in monotone; it is stripped from the packetfence rpm). On alarms, we send a SOAP call to PacketFence's admin interface.

So, supporting Suricata is only a matter of parsing the alarm text correctly. Unfortunately, unless it is customer sponsored, I think it is unlikely that we will support that IDS soon. There are a lot of other things of higher priority. But, as always, patches are welcome!

Peter Bates wrote:
> There are other projects out there like Bro - it's interesting to see
> a bit of competition for Snort - the documentation on the Suricata
> website is a bit on the vague side though - is it compatible with
> Snort rule syntax and a 'drop in' replacement?

I only heard of Suricata, but I had the chance to try out Bro (while looking for a netflow-type IDS). Here's my experience with Bro: it is far from being as polished as snort. No binaries available, very scarce documentation, the netflow stuff I was trying was making it hard crash often, little info on how to write rules, etc. For our netflow needs, we decided to write our own parser, but more on that later ;)

--
Olivier Bilodeau
obi...@in... :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org)
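As an added illustration of what "parsing the alarm text correctly" involves (this is example code, not PacketFence's pfdetect, which is Perl): a Python parser for the fast-format alert lines that Snort writes to its alert pipe and that Suricata writes to its fast.log, handling the differing timestamp layouts and port-less ICMP alerts. It assumes IPv4 addresses and the line layouts shown in the constructed sample lines.

```python
import re
from typing import Iterable, Iterator, Optional

# Regex for the "fast" alert line Snort writes to its alert pipe and Suricata
# writes to fast.log (IPv4 only, an assumption of this example). The two mainly
# differ in the timestamp (Snort MM/DD-HH:MM:SS.usec, Suricata MM/DD/YYYY-HH:MM:SS.usec),
# so it is captured loosely; ports are optional (ICMP has none), Classification may be absent.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Parse one fast-format alert line into a dict; return None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None  # absent ports stay None
    d["proto"] = d["proto"].upper()
    return d

def tail_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Yield alerts from a line stream, e.g. open("var/alert") on the named pipe."""
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            yield alert

# Constructed sample lines: Snort style, Suricata style, an ICMP alert, and junk.
SAMPLE_LINES = [
    "02/03-22:16:56.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]"
    " [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "02/03/2010-22:17:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]"
    " [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.6:51235",
    "02/03-22:17:05.000002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity]"
    " [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
    "not an alert line",
]

if __name__ == "__main__":
    for a in tail_alerts(SAMPLE_LINES):
        print(f"sid={a['sid']} {a['proto']} {a['src']} -> {a['dst']} prio={a['prio']} msg={a['msg']!r}")
```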