[Zeek] Ryu Controller
Dr. Mostafa Abdallah. Ammar
mostafaammar at aast.edu
Tue Nov 26 00:44:39 PST 2019
Hi,
We did similar research on how to integrate Bro and Snort IDS with an SDN controller:
https://ieeexplore.ieee.org/document/7792427
We used the Floodlight SDN controller with the IDS.
In this case we created a port mirror on the switch to send traffic to the IDS for matching attacks, and if an attacker is detected we contact the Floodlight controller through its REST API to get the host switch port and send a blocking flow to the switch to block the attacker.
Another integration: if we want to search for specific traffic, we forward traffic to the controller and create a module on the controller; this module matches the traffic against a defined database and also sends a blocking flow if a match is found.
I don't know if this helps in your case.
Best Regards,
Mostafa Abdallah Ammar, PhD.
Head of Information Security Department
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
________________________________________
From: Dr. Mostafa Abdallah. Ammar
Sent: Tuesday, November 26, 2019 10:36 AM
To: Johanna Amann; Priyatham Ganta
Cc: zeek at zeek.org
Subject: RE: [Zeek] Ryu Controller
Hi,
I did similar research on how to integrate Bro and Snort IDS with an SDN controller
Best Regards,
Mostafa Abdallah Ammar, PhD.
Head of Information Security Department
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
________________________________________
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Johanna Amann <johanna at corelight.com>
Sent: Tuesday, November 26, 2019 7:45 AM
To: Priyatham Ganta
Cc: zeek at zeek.org
Subject: Re: [Zeek] Ryu Controller
Hi,
> I want to integrate Ryu controller with Zeek IDS for a project and I need
> help to do this. Can anyone help me with it?
If you just want to send commands to Ryu from Zeek - use the netcontrol
framework. There actually is a Ryu plugin for it, although that might
have bitrotted a bit by now (so I won’t guarantee that it just works
out of the box anymore).
In any case - it might be worth taking a look at the netcontrol
documentation that highlights how netcontrol operates:
https://docs.zeek.org/en/stable/frameworks/netcontrol.html
It also shows how to instantiate everything. To make things a bit
complicated, there are two ways to interface with Ryu. The first one
uses the Ryu REST API directly from Zeek. This does not scale very well
- but is pretty simple and should still work unless they changed the
API. That plugin ships with Zeek and is at
https://github.com/zeek/zeek/blob/master/scripts/base/frameworks/openflow/plugins/ryu.zeek.
The second way is to use the generic broker plugin on the Zeek side -
and write a Ryu controller that can interact with that. A Ryu controller
implementing this is in the zeek-netcontrol repository (which is
contained in aux if you download the distribution).
https://github.com/zeek/zeek-netcontrol/tree/master/openflow contains
the source code as well as an example script that ties everything
together.
I hope this helps a bit to get started :)
Johanna
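
The blocking step that both messages describe (an IDS detection turned into a drop flow on the switch), as an added example that is not code from this thread or from the Zeek or Ryu projects. It builds the flow entry for Ryu's `ofctl_rest` endpoint `/stats/flowentry/add`; the controller URL, the never-block list, the timeout, the priority and the OpenFlow 1.3 match field names are assumptions.

```python
import ipaddress
import json
import urllib.request

# Assumed values for illustration; none of these come from the thread.
RYU_URL = "http://127.0.0.1:8080/stats/flowentry/add"   # ofctl_rest endpoint
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.1/32")]    # e.g. gateway, IDS sensor


def build_drop_flow(dpid, src_ip, in_port=None, hard_timeout=300, priority=40000):
    """Return the ofctl_rest flow entry that drops IPv4 traffic from src_ip.

    Raises ValueError for input that must not become a flow rule.
    """
    addr = ipaddress.ip_address(src_ip)          # rejects malformed alert data
    if addr.version != 4:
        raise ValueError("this sketch only builds IPv4 matches")
    if any(addr in net for net in NEVER_BLOCK):
        raise ValueError(f"{addr} is on the never-block list")
    if hard_timeout <= 0:
        raise ValueError("blocks must expire; set a positive hard_timeout")
    match = {"eth_type": 0x0800, "ipv4_src": str(addr)}
    if in_port is not None:
        match["in_port"] = int(in_port)          # pin the rule to the host's port
    return {
        "dpid": int(dpid),
        "priority": priority,
        "hard_timeout": hard_timeout,            # switch removes the rule itself
        "match": match,
        "actions": [],                           # empty action list = drop
    }


def push_flow(flow, url=RYU_URL, timeout=5):
    """POST the flow entry to the controller; returns the HTTP status code."""
    req = urllib.request.Request(
        url, data=json.dumps(flow).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed alert: the IDS flagged 198.51.100.23 on switch 1, port 3.
    print(json.dumps(build_drop_flow(1, "198.51.100.23", in_port=3), indent=2))
```

Because the rule is created from IDS output, the address is validated and checked against the never-block list before anything reaches the controller, and the hard timeout keeps a false positive from becoming a permanent outage.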