Snort Integrate:

Remove the wrong way to get the IP and bind with it.
Bind with '0.0.0.0' and listen on all hosts.

Update and fix typos in the snort_integrate.rst document.

Fix the problem that a pigrelay reconnect to Ryu would not be accepted.

Pigrelay is a program running on Snort that receives Snort alerts
from a UNIX socket and sends them to Ryu via a network socket.

Signed-off-by: Che-Wei Lin <linton.tw@gmail.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Che-Wei Lin 2014-09-07 20:58:35 +08:00 committed by FUJITA Tomonori
parent acec421180
commit aa21f3d052
2 changed files with 16 additions and 15 deletions
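The receive pattern the commit message describes (accept one relay connection, read every alert record it sends, and let the relay reconnect later), as an added example that is not Ryu's or pigrelay's code: it assumes a constructed 32-byte record in place of Snort's real alert structure and an AF_UNIX listener in place of the TCP one so that it runs offline.

```python
import os, socket, struct, tempfile

FRAME_SIZE = 32  # constructed record size for this example; Snort's real alert record is larger
def make_frame(seq):
    # Constructed alert record: 4-byte sequence number padded to FRAME_SIZE.
    return struct.pack("!I", seq).ljust(FRAME_SIZE, b"\x00")

def recv_exact(conn, size):
    # Read exactly size bytes (fewer only at EOF); portable stand-in for MSG_WAITALL.
    buf = b""
    while len(buf) < size:
        chunk = conn.recv(size - len(buf))
        if not chunk:
            return buf
        buf += chunk
    return buf

def read_alerts(conn):
    # Yield every complete record on ONE connection until the relay closes it;
    # the receiver must not go back to accept() before this returns.
    while True:
        data = recv_exact(conn, FRAME_SIZE)
        if len(data) != FRAME_SIZE:  # EOF or truncated record: connection finished
            return
        yield struct.unpack("!I", data[:4])[0]

def serve(listener, conns):
    # Accept relay connections in turn, draining each fully before the next accept().
    seen = []
    for _ in range(conns):
        conn, _addr = listener.accept()
        with conn:
            seen.extend(read_alerts(conn))
    return seen

def demo():
    # Relay sends alerts 1 and 2, disconnects, then reconnects (restarted relay) and sends 3.
    # Both connections sit in the listen backlog, so no thread is needed.
    path = os.path.join(tempfile.mkdtemp(), "alert.sock")  # AF_UNIX so the demo runs offline
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(5)
    for batch in ([1, 2], [3]):
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as relay:
            relay.connect(path)
            for seq in batch:
                relay.sendall(make_frame(seq))
    seen = serve(listener, conns=2)
    listener.close()
    os.unlink(path)
    return seen
```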


@ -7,6 +7,8 @@ This document describes how to integrate Ryu with Snort.
Overview Overview
==== ====
There are two options can send alert to Ryu controller. The Option 1 is easier if you just want to demonstrate or test. Since Snort need very large computation power for analyzing packets you can choose Option 2 to separate them.
**[Option 1] Ryu and Snort are on the same machine** **[Option 1] Ryu and Snort are on the same machine**
:: ::
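Review bot: the new Overview paragraph has several grammar problems that will ship into the rendered docs ("two options can send alert", "The Option 1", "Snort need"); suggest "There are two options for sending alerts to the Ryu controller. Option 1 is easier if you just want to demonstrate or test. Since Snort needs a lot of computation power to analyze packets, you can choose Option 2 to run them on separate machines."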
@ -40,7 +42,7 @@ The above depicts Ryu and Snort architecture. Ryu receives Snort alert packet vi
+----------+ +----------+ +----------+ +----------+
**\*CP: Controller Plane** **\*CP: Control Plane**
The above depicts Ryu and Snort architecture. Ryu receives Snort alert packet via **Network Socket** . To monitor packets between HostA and HostB, installing a flow that mirrors packets to Snort. The above depicts Ryu and Snort architecture. Ryu receives Snort alert packet via **Network Socket** . To monitor packets between HostA and HostB, installing a flow that mirrors packets to Snort.
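Review bot: "Control Plane" is the right term for the legend, but the unchanged sentence directly below it is still a fragment ("To monitor packets between HostA and HostB, installing a flow that mirrors packets to Snort."); while this block is being touched, make it "install a flow that mirrors packets to Snort" and drop the stray space before the period after **Network Socket**.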
@ -92,7 +94,7 @@ The incoming packets will all mirror to **port 3** which should be connect to Sn
3. Run Snort: :: 3. Run Snort: ::
$ sudo -i $ sudo -i
$ sudo snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf $ snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf
4. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): :: 4. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): ::
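Review bot: dropping the redundant `sudo` after `sudo -i` is correct, but both versions still run Snort as root for its whole lifetime and log into `/tmp`; it would be worth a sentence noting Snort's `-u`/`-g` options to drop privileges after initialization, and that with `-A unsock -l /tmp` the alert socket is created in a world-writable directory.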
@ -114,20 +116,20 @@ The incoming packets will all mirror to **port 3** which should be connect to Sn
2. Run Ryu with sample application (On the Controller): :: 2. Run Ryu with sample application (On the Controller): ::
$ sudo ./bin/ryu-manager ryu/app/simple_switch_snort.py $ ./bin/ryu-manager ryu/app/simple_switch_snort.py
3. Run Snort (On the Snort machine): :: 3. Run Snort (On the Snort machine): ::
$ sudo -i $ sudo -i
$ sudo snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf $ snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf
4. Run ``unsock2nwsock.py`` (On the Snort machine): :: 4. Run ``pigrelay.py`` (On the Snort machine): ::
$ sudo python unsock2nwsock.py $ sudo python pigrelay.py
This program listening snort alert messages from unix domain socket and sending it to Ryu using network socket. This program listening snort alert messages from unix domain socket and sending it to Ryu using network socket.
You can clone the script over here. https://gist.github.com/John-Lin/9408ab716df57dbe32ca You can clone the source code from this repo. https://github.com/John-Lin/pigrelay
5. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): :: 5. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): ::
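Review bot: step 4 now tells the reader to clone a personal GitHub repository and run it with `sudo python pigrelay.py` without pinning a revision, so the root-privileged relay is whatever that repository contains on the day it is cloned; suggest referencing a specific commit or tag (and stating which Python version it targets). The unchanged description is also ungrammatical: "This program listening snort alert messages from unix domain socket and sending it to Ryu using network socket." should read "This program listens for Snort alert messages on a UNIX domain socket and sends them to Ryu over a network socket."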


@ -47,13 +47,11 @@ class SnortLib(app_manager.RyuApp):
def start_socket_server(self): def start_socket_server(self):
if not self.config.get('unixsock'): if not self.config.get('unixsock'):
self.config['ip'] = hub.socket.gethostbyname(hub.socket.
gethostname())
if self.config.get('port') is None: if self.config.get('port') is None:
self.config['port'] = 51234 self.config['port'] = 51234
self._start_recv_nw_sock(self.config.get('ip'), self._start_recv_nw_sock(self.config.get('port'))
self.config.get('port'))
else: else:
self._start_recv() self._start_recv()
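Review bot: removing the gethostbyname(gethostname()) lookup is the right call (the commit message itself calls it the wrong way to get the IP), but hard-wiring the bind address inside _start_recv_nw_sock drops every way to restrict the listener, and the 'ip' config key is now silently ignored. Suggest keeping it as an optional bind address with '0.0.0.0' as the default, e.g. `self._start_recv_nw_sock(self.config.get('ip', '0.0.0.0'), self.config.get('port'))`, so an operator can pin the alert listener to a management interface instead of exposing port 51234 on every interface.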
@ -76,20 +74,21 @@ class SnortLib(app_manager.RyuApp):
self.sock.bind(SOCKFILE) self.sock.bind(SOCKFILE)
hub.spawn(self._recv_loop) hub.spawn(self._recv_loop)
def _start_recv_nw_sock(self, ip, port): def _start_recv_nw_sock(self, port):
self.nwsock = hub.socket.socket(hub.socket.AF_INET, self.nwsock = hub.socket.socket(hub.socket.AF_INET,
hub.socket.SOCK_STREAM) hub.socket.SOCK_STREAM)
self.nwsock.bind((ip, port)) self.nwsock.bind(('0.0.0.0', port))
self.nwsock.listen(5) self.nwsock.listen(5)
self.conn, addr = self.nwsock.accept()
hub.spawn(self._recv_loop_nw_sock) hub.spawn(self._recv_loop_nw_sock)
def _recv_loop_nw_sock(self): def _recv_loop_nw_sock(self):
self.logger.info("Network socket server start listening...") self.logger.info("Network socket server start listening...")
while True: while True:
data = self.conn.recv(BUFSIZE, hub.socket.MSG_WAITALL) conn, addr = self.nwsock.accept()
self.logger.info("Connected with %s", addr[0])
data = conn.recv(BUFSIZE, hub.socket.MSG_WAITALL)
if len(data) == BUFSIZE: if len(data) == BUFSIZE:
msg = alert.AlertPkt.parser(data) msg = alert.AlertPkt.parser(data)
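Review bot: moving accept() into the while loop does let a relay reconnect, but each iteration now accepts a connection, reads exactly one BUFSIZE record and then loops back to accept(), where it blocks; a relay that keeps its connection open and sends every alert over it therefore has only its first alert read, and `conn` is never closed. Suggest a nested loop per connection: after accept(), keep calling `conn.recv(BUFSIZE, hub.socket.MSG_WAITALL)` and parsing until a short read signals EOF, then close conn and return to accept(). Also worth a comment in the code: any peer that can reach the port is accepted and its bytes go straight to alert.AlertPkt.parser with no authentication, so this listener should be documented as a trusted-network-only interface.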