[Zeek] Ryu Controller

Priyatham Ganta gantapritham4 at gmail.com
Tue Nov 26 09:24:16 PST 2019


Hi,

How can I run bro for the current traffic and show the alerts on a console
instead of logs?

Also where can I check the policies that are configured to Bro for IDS?

Also what is the difference between the broctl binary and bro binary?

Thanks
Priyatham

On Tue, Nov 26, 2019 at 12:47 AM Dr. Mostafa Abdallah. Ammar <mostafaammar at aast.edu> wrote:

> Hi,
>
> we did similar research on how to integrate Bro and Snort IDS with an SDN
> controller:
> https://ieeexplore.ieee.org/document/7792427
>
> we used the Floodlight SDN controller with the IDS
>
> In this case we created a port mirror on the switch to send traffic to the IDS
> for matching attacks, and if an attacker is detected we contact the
> Floodlight controller through the REST API to get the host's switch port and
> send a blocking flow to the switch to block the attacker.
>
> Another integration: if we want to search for specific traffic, we forward
> the traffic to the controller and create a module on the controller; this
> module matches the traffic against a defined database and also sends a
> blocking flow if a match is found.
>
> I don't know if this provides help in your case.
>
> Best Regards,
>
> Mostafa Abdallah Ammar, PhD.
> Head of Information Security Department
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
>
> ________________________________________
> From: Dr. Mostafa Abdallah. Ammar
> Sent: Tuesday, November 26, 2019 10:36 AM
> To: Johanna Amann; Priyatham Ganta
> Cc: zeek at zeek.org
> Subject: RE: [Zeek] Ryu Controller
>
> Hi,
>
> I did similar research on how to integrate Bro and Snort IDS with an SDN
> controller
>
> Best Regards,
>
> Mostafa Abdallah Ammar, PhD.
> Head of Information Security Department
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
>
> ________________________________________
> From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Johanna
> Amann <johanna at corelight.com>
> Sent: Tuesday, November 26, 2019 7:45 AM
> To: Priyatham Ganta
> Cc: zeek at zeek.org
> Subject: Re: [Zeek] Ryu Controller
>
> Hi,
>
> > I want to integrate Ryu controller with Zeek IDS for a project and I
> > need
> > help to do this. Can anyone help me with it?
>
> if you just want to send commands to Ryu from Zeek - use the netcontrol
> framework. There actually is a Ryu plugin for it, although that might
> have bitrotted a bit by now (so I won’t guarantee that it just works
> out of the box anymore).
>
> In any case - it might be worth taking a look at the netcontrol
> documentation that highlights how netcontrol operates:
> https://docs.zeek.org/en/stable/frameworks/netcontrol.html
>
> It also shows how to instantiate everything. To make things a bit
> complicated, there are two ways to interface with Ryu. The first one
> uses the Ryu REST API directly from Zeek. This does not scale very well
> - but is pretty simple and should still work unless they changed the
> API. That plugin ships with Zeek and is at
>
> https://github.com/zeek/zeek/blob/master/scripts/base/frameworks/openflow/plugins/ryu.zeek
> .
>
> The second way is to use the generic broker plugin on the Zeek side -
> and write a Ryu controller that can interact with that. A Ryu controller
> implementing this is in the zeek-netcontrol repository (which is
> contained in aux if you download the distribution).
> https://github.com/zeek/zeek-netcontrol/tree/master/openflow contains
> the source code as well as an example script that ties everything
> together.
>
> I hope this helps a bit to get started :)
>   Johanna
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
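The first of the two integration paths Johanna describes (Zeek driving Ryu's REST API through the NetControl framework) combined with the detect-then-block flow Mostafa outlines, as an added example that is not part of the thread and not the project's own script. It assumes Ryu's REST app listens on 127.0.0.1:8080, that the switch has datapath id 1, and that 10.0.0.0/8 is the protected network; all three are placeholders.

```zeek
# Added example, not from the mailing-list thread or the Zeek distribution.
# Assumptions (placeholders): Ryu REST at 127.0.0.1:8080, switch dpid 1,
# protected network 10.0.0.0/8.
@load base/frameworks/netcontrol
@load base/frameworks/notice
@load policy/misc/scan

const protected_net: subnet = 10.0.0.0/8 &redef;

# How long a scanning source stays blocked before the rule expires on its own.
const block_duration: interval = 10 mins &redef;

event NetControl::init()
	{
	# The Ryu plugin shipped with Zeek talks to the controller's REST API
	# directly; create_openflow wraps it as a NetControl backend.
	local of_controller = OpenFlow::ryu_new(127.0.0.1, 8080, 1);
	local netcontrol_of = NetControl::create_openflow(of_controller);
	NetControl::activate(netcontrol_of, 0);
	}

# Detection side: when the scan detector raises an address-scan notice from an
# external source, ask NetControl to push a drop rule for that address. The
# rule carries its own timeout, so the block is lifted without manual cleanup.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Scan::Address_Scan || ! n?$src )
		return;

	# Never push a drop for a host inside the network being protected.
	if ( n$src in protected_net )
		return;

	local rule_id = NetControl::drop_address(n$src, block_duration,
	                                         "address scan notice");
	Reporter::info(fmt("NetControl: requested drop of %s (rule %s)",
	                   n$src, rule_id));
	}

# Confirmation and failure paths from the backend, so the operator can see
# whether the controller actually accepted the flow.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	Reporter::info(fmt("NetControl: rule %s installed via %s", r$id, p$plugin$name(p)));
	}

event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	Reporter::warning(fmt("NetControl: rule %s failed: %s", r$id, msg));
	}
```

Run it with `zeek -i <iface> this_script.zeek` while the Ryu REST app is up; the resulting rules are recorded in netcontrol.log alongside the notice that triggered them.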