Snort Integration
This document describes how to integrate Ryu with snort.
```
        +---------------------+
        |      unixsock       |
        |    Ryu  ==  snort   |
        +----eth0-----eth1----+
              |        |
+-------+   +-----------+   +-------+
| HostA |---|    OVS    |---| HostB |
+-------+   +-----------+   +-------+
```
The diagram above shows the Ryu and snort architecture. Ryu receives snort alert packets over a unix domain socket. To monitor the traffic between HostA and HostB, install a flow on OVS that mirrors packets to snort.

A Ryu branch that includes the snort alert packet parser can be downloaded with:

```
git clone git://github.com/ohmk/ryu.git -b snort-devel
```
If you are not familiar with installing Ryu, please refer to the following page.
http://osrg.github.com/ryu/doc/getting_started.html
Snort is an open source network intrusion prevention and detection system developed by Sourcefire.
If you are not familiar with installing/setting up snort, please refer to snort setup guides.
An example snort configuration (the rule alerts on TCP traffic to port 6667 whose payload contains "ryu", and the alert output goes to the unix socket):

```
#snort.conf
alert tcp any any -> any 6667 (msg:"snort test"; content:"ryu";sid:10001;)
output alert_unixsock
```
Put the NIC that snort listens on into promiscuous mode:

```
$ sudo ifconfig eth1 promisc
```

Install the following flows:

```
$ sudo ovs-ofctl --protocols=OpenFlow12 add-flow br0 \
    table=0,actions=output:3,goto_table:1
$ sudo ovs-ofctl --protocols=OpenFlow12 add-flow br0 \
    table=1,actions=NORMAL
```

The first flow mirrors every incoming packet to snort (port 3) and then hands the packet to table 1, where the second flow forwards it normally.
Run Ryu with the sample application:

```
$ ryu-manager ryu/app/alert_dumper.py
```

Run snort:

```
$ sudo snort -c snort.conf -i eth1 -A unsock -l /tmp
```
Send a packet from HostA to HostB that matches the rule (TCP to port 6667 with payload "ryu"):

```
$ sudo mz -t tcp -A 192.168.0.30 -B 192.168.0.40 "dp=6667" -c 1 \
    -d 0 -P 'ryu'
```
You can see the following Ryu log messages:

```
ohmura@mahon:~/openflow/ryu$ ryu-manager ryu/app/alert_dumper.py
loading app ryu/app/alert_dumper.py
loading app ryu.controller.ofp_handler
creating context alert_monitor
instantiating app ryu/app/alert_dumper.py
instantiating app ryu.controller.ofp_handler
alertmsg: snort test
p: ethernet
p: ipv4
p: tcp
```
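The alert path described above, as an added example that is not Ryu's alert_dumper.py or the snort-devel branch's parser: it binds the unix datagram socket that snort's `alert_unixsock` output writes to, unpacks the alert message and the captured frame, and names the headers the way the log lines above list them. The `Alertpkt` field layout (assumed here to be snort's struct as compiled on 64-bit Linux) and the socket path `/tmp/snort_alert` are assumptions; `build_tcp_frame` and `build_alert` construct sample input so the parser and the rule re-check can be exercised without a running snort.

```python
"""Receiver for snort's `output alert_unixsock` datagrams, in plain Python.

Added example; it is not Ryu's alert_dumper.py or its alert parser.
Assumptions: the datagram layout is snort's `struct Alertpkt` as compiled on
64-bit Linux (8-byte timeval fields, natural alignment) and snort writes to
<logdir>/snort_alert, i.e. /tmp/snort_alert for `-l /tmp`.  Check both
against your own snort build before relying on the offsets.
"""
import os
import socket
import struct

# Alertpkt: alertmsg[256] | pcap_pkthdr{tv_sec,tv_usec,caplen,len}
#           | dlthdr nethdr transhdr data val | pkt[65535]
#           | Event{sig_generator,sig_id,sig_rev,classification,priority,
#                   event_id,event_reference, ref_time{tv_sec,tv_usec}}
# '=' turns off automatic alignment; the explicit 'x' pads stand in for the
# padding a 64-bit compiler inserts before Event and before its timeval
# (assumed layout, see module docstring).
ALERTPKT_FMT = '=256sqqII5I65535s5x7I4xqq'
ALERTPKT_SIZE = struct.calcsize(ALERTPKT_FMT)


def protocol_chain(pkt):
    """Name the headers in a captured frame, like alert_dumper's 'p:' lines."""
    chain = []
    if len(pkt) < 14:
        return chain
    chain.append('ethernet')
    ethertype = struct.unpack_from('!H', pkt, 12)[0]
    if ethertype != 0x0800 or len(pkt) < 34:
        return chain
    chain.append('ipv4')
    l4 = 14 + (pkt[14] & 0x0f) * 4          # IHL gives the IPv4 header length
    proto = pkt[14 + 9]
    names = {6: 'tcp', 17: 'udp', 1: 'icmp'}
    if proto in names and len(pkt) >= l4 + 8:
        chain.append(names[proto])
    return chain


def matches_test_rule(pkt):
    """Re-check the rule from snort.conf: TCP to port 6667, payload has 'ryu'."""
    if protocol_chain(pkt) != ['ethernet', 'ipv4', 'tcp']:
        return False
    l4 = 14 + (pkt[14] & 0x0f) * 4
    dport = struct.unpack_from('!H', pkt, l4 + 2)[0]
    doff = (pkt[l4 + 12] >> 4) * 4          # TCP data offset, in bytes
    return dport == 6667 and b'ryu' in pkt[l4 + doff:]


def parse_alert(buf):
    """Return (alertmsg, sid, protocols, frame) from one alert datagram."""
    if len(buf) < ALERTPKT_SIZE:
        raise ValueError('short alert datagram: %d bytes' % len(buf))
    f = struct.unpack_from(ALERTPKT_FMT, buf)
    alertmsg = f[0].split(b'\0', 1)[0].decode('ascii', 'replace')
    caplen, pkt, sid = f[3], f[10], f[12]   # pcap caplen, packet buffer, sig_id
    frame = pkt[:caplen]
    return alertmsg, sid, protocol_chain(frame), frame


def build_tcp_frame(src_ip, dst_ip, dport, payload, sport=40000):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (parse only)."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 5 << 4, 0x18,
                      8192, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b'\x00\x00\x00\x00\x00\x02' + b'\x00\x00\x00\x00\x00\x01' + b'\x08\x00'
    return eth + ip + tcp


def build_alert(msg, sid, frame):
    """Constructed datagram in the assumed Alertpkt layout (what snort sends)."""
    return struct.pack(ALERTPKT_FMT, msg.encode(), 0, 0, len(frame), len(frame),
                       0, 14, 34, 54, 0, frame, 1, sid, 0, 0, 0, 0, 0, 0, 0)


def serve(path='/tmp/snort_alert'):
    """Do what Ryu does: bind the unix datagram socket snort sends alerts to."""
    if os.path.exists(path):
        os.unlink(path)                     # stale socket file from an earlier run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    while True:
        alertmsg, sid, protocols, _ = parse_alert(sock.recv(ALERTPKT_SIZE))
        print('alertmsg: %s (sid %d)' % (alertmsg, sid))
        for name in protocols:              # same shape as the log above
            print('p: %s' % name)


if __name__ == '__main__':
    serve()
```

Start the receiver before snort so the socket file exists when snort opens its output; `protocol_chain` and `matches_test_rule` can also be run directly on the frame bytes that `parse_alert` returns, which is a quick way to confirm that what snort alerted on is the traffic the rule was written for.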