So, this is just a general question: what I would like to do is use a suite of software to have some insight into traffic going over the network.
Ideally the setup would be about here, so spanning the port is necessary:
So, the suite of software that I would ideally have is the following:
Suricata - IDS/IPS
Bro - Another tool used to view data from Suricata and collect further insight
ELK Stack - Collecting and managing logs from Bro and other data sources to view / analyze
BPF - Filtering out traffic
Barnyard2 - Suricata rule management
pf - Possibly as another firewall
The only other tool I don't seem to be able to find an equivalent for is pf_ring (possibly netmap?).
However, the way I see this setup is that it feeds mostly like this:
0. Filter events using BPF and pf
1. Feed events from the network interface to Suricata
2. Feed Suricata events to Bro and ELK
3. Feed Bro events to ELK
4. Manage rules using Barnyard2
5. Anything missing?
Are there any helpful hints, suggestions?
Thanks all
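As an added example that is not part of the original post or any of the projects named in it, the following Python script shows what steps 0 to 3 of that pipeline look like at the data level: one BPF expression to hand to both sensors, Suricata EVE JSON alerts and a Bro/Zeek conn.log joined on the 5-tuple, and the result serialised as an Elasticsearch bulk body for ELK. All input (the EVE lines, the conn.log rows, the local signature IDs and the index name) is constructed for the example; the assumption that the same BPF string is applied to both Suricata and Bro is mine, and the script does not talk to a live sensor or cluster.

```python
import json

# Constructed sample input (not from the original post): two Suricata EVE JSON
# alerts plus one flow record, and a Bro/Zeek conn.log excerpt covering the
# same connections. Signature IDs are in the local (1000000+) range.
EVE_JSON = (
    '{"timestamp":"2024-01-05T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL TEST suspicious http response","severity":2}}\n'
    '{"timestamp":"2024-01-05T10:00:03.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,'
    '"proto":"TCP","flow":{"pkts_toserver":6,"bytes_toclient":1200}}\n'
    '{"timestamp":"2024-01-05T10:00:05.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":44000,"dest_ip":"10.0.0.2","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL TEST ssh scan","severity":2}}\n'
)

CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1704448801.000000\tCabcdEF123\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\tSF\n"
    "1704448805.000000\tCxyzQR456\t10.0.0.9\t44000\t10.0.0.2\t22\ttcp\tssh\tREJ\n"
    "1704448806.000000\tCother789\t10.0.0.7\t50000\t10.0.0.2\t53\tudp\tdns\tSF\n"
)


def build_bpf(exclude_hosts=(), exclude_ports=()):
    """Build one BPF expression that drops noisy hosts/ports before the sensors.
    Assumption: the same string is given to Suricata and Bro/Zeek, so both see
    the same packets and their records line up when correlated later."""
    terms = [f"host {h}" for h in exclude_hosts] + [f"port {p}" for p in exclude_ports]
    return "not (" + " or ".join(terms) + ")" if terms else ""


def parse_eve(text, event_type="alert"):
    """Parse Suricata EVE JSON (one object per line), keeping one event_type."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == event_type:
            events.append(ev)
    return events


def parse_conn_log(text):
    """Parse a Bro/Zeek conn.log in TSV form, using its own #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def flow_key(src, sport, dst, dport, proto):
    """Directional 5-tuple; both tools list the originator/client side first."""
    return (src, int(sport), dst, int(dport), proto.lower())


def correlate(alerts, conns):
    """Attach the matching Zeek connection record to each Suricata alert."""
    by_key = {
        flow_key(c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"]): c
        for c in conns
    }
    docs = []
    for a in alerts:
        key = flow_key(a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], a["proto"])
        conn = by_key.get(key)
        docs.append({
            "@timestamp": a["timestamp"],
            "source": {"ip": a["src_ip"], "port": a["src_port"]},
            "destination": {"ip": a["dest_ip"], "port": a["dest_port"]},
            "network": {"transport": a["proto"].lower()},
            "suricata": a["alert"],
            # None means Zeek saw no matching flow, e.g. the two sensors were
            # given different BPF filters and did not see the same packets.
            "zeek": None if conn is None else {
                "uid": conn["uid"], "service": conn["service"], "conn_state": conn["conn_state"]},
        })
    return docs


def to_bulk_ndjson(docs, index="nsm-alerts"):
    """Serialise documents as an Elasticsearch _bulk body (action line + source line)."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("BPF for both sensors:", build_bpf(exclude_hosts=["10.0.0.1"], exclude_ports=[5601]))
    merged = correlate(parse_eve(EVE_JSON), parse_conn_log(CONN_LOG))
    print(to_bulk_ndjson(merged))
```

The join key is the directional 5-tuple because both Suricata and Zeek record the client side first; if an alert comes back with `"zeek": null`, the first thing to check is whether the two sensors really received the same packets (same span port, same BPF expression), which is the practical reason for generating the filter once and handing it to both.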