
Comments (13)

hossamsamy007 commented on June 11, 2024

from cyberprobe.

cybermaggedon commented on June 11, 2024

Docker containers are a great way to deploy most stuff, and I'm a big fan. You may have seen I have Docker containers for cyberprobe... https://hub.docker.com/r/cybermaggedon/ as well as a few other things I work with.

Cybermon works fine in containers. Cyberprobe does too, but using cyberprobe to 'sniff' the network in a container means you have to understand how the container networks.

You can use docker command line directly, but once you start managing lots of containers you really need a tool like Docker Compose to describe the full set of containers you want to deploy.

We prefer to deploy containers using Kubernetes, which is a production-scale container manager, and really great to work with. The easiest way to run Kubernetes is to use the Google Cloud Platform, and just deploy a Kubernetes cluster.

You might want to deploy Cyberprobe inside Kubernetes, say to monitor a resource like an nginx web server that's running in Kubernetes. If that's the case, you need to deploy Cyberprobe and the nginx container as different containers in the same POD, and give cyberprobe the NET_ADMIN security context so that it has permission to sniff the network. By running two containers in the same POD, they share the network interface - eth0 in both PODs is the same network interface.

from cyberprobe.
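As an added example of the Pod layout described in the comment above (this is editor-supplied code, not from the thread or the cyberprobe project): nginx and cyberprobe run as two containers in one Pod, so both see the Pod's single network namespace and the probe's eth0 is the same interface nginx serves on. The image name cybermaggedon/cyberprobe, the config path, the ConfigMap name and the cybermon Service name are assumptions. Packet capture with libpcap needs CAP_NET_RAW to open a raw socket, and CAP_NET_ADMIN to put the interface into promiscuous mode, so the probe container adds exactly those two capabilities and drops everything else rather than running privileged.

```yaml
# Example only: a Pod with an nginx container and a cyberprobe sidecar that
# share one network namespace. Names and image tags are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cyberprobe-config          # assumed name
data:
  cyberprobe.cfg: |
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <configuration>
      <!-- eth0 is the Pod's interface, shared by every container in the Pod. -->
      <interfaces>
        <interface name="eth0"/>
      </interfaces>
      <!-- Capture everything reaching the Pod; narrow this in production. -->
      <targets>
        <target address="0.0.0.0/0" liid="nginx-pod"/>
      </targets>
      <!-- "cybermon" is an assumed Service name for the cybermon ETSI listener. -->
      <endpoints>
        <endpoint hostname="cybermon" port="9000" transport="tcp" type="etsi"/>
      </endpoints>
    </configuration>
---
apiVersion: v1
kind: Pod
metadata:
  name: web-with-probe
spec:
  containers:
    - name: nginx
      image: nginx:1.25              # assumed tag
      ports:
        - containerPort: 80
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]              # the web server needs no capabilities to sniff
    - name: cyberprobe
      image: cybermaggedon/cyberprobe  # assumed image name from the author's Hub namespace
      args: ["/etc/cyberprobe/cyberprobe.cfg"]  # assumed: config path as the only argument
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["NET_ADMIN", "NET_RAW"]  # promiscuous mode + raw sockets; nothing more
      volumeMounts:
        - name: probe-config
          mountPath: /etc/cyberprobe
          readOnly: true
  volumes:
    - name: probe-config
      configMap:
        name: cyberprobe-config
```

Because only the network namespace is shared, the probe container still has its own filesystem and process view; it can read nginx's traffic but not its files or process memory. Check what actually landed with `kubectl exec web-with-probe -c cyberprobe -- cat /proc/1/status | grep Cap`; the effective set should contain only the two capabilities added above. A cluster policy such as Pod Security Admission at the `restricted` level will reject NET_ADMIN, so this Pod needs a namespace that allows the `baseline` profile or a targeted exception.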

cybermaggedon commented on June 11, 2024

Maybe you can tell me what you're trying to do, and I can suggest something?

from cyberprobe.

hossamsamy007 commented on June 11, 2024

I can see that running the whole project from A to Z could cost us a lot of virtual machines; that's why I want to run the project with Docker, and I can't find details on that in your project, which is why I am using my skills in Docker and Docker Compose. I want steps from you to run the project in Docker: Snort and cyberprobe, ELK, Cassandra (which is not working outside Docker), and the other subscribers. I want to end the project with a user interface so it can be a product for others; I am using Node.js for that purpose. What about you?

from cyberprobe.

cybermaggedon commented on June 11, 2024

I've been tidying up the ElasticSearch and Gaffer loaders to make them easier to deploy for cyberprobe 1.7. This will deprecate some of the Lua code which hasn't been maintained. It will be easier to deploy the whole processing chain in containers.

When I've got it working in the next couple of days, I'll post a Docker compose example with Kib, ElasticSearch, Gaffer.

from cyberprobe.

hossamsamy007 commented on June 11, 2024

from cyberprobe.

cybermaggedon commented on June 11, 2024

Ok, I have something which may be of interest to you working in cyberprobe 1.7.3. Documentation is here:

http://cyberprobe.trustnetworks.com/cyberprobe.html#A-containerised-processing-system

from cyberprobe.

cybermaggedon commented on June 11, 2024

What this does is launch cybermon, data loaders, ElasticSearch, Kibana and Gaffer using Docker Compose. You can get at the Docker Compose configuration file here:

https://github.com/cybermaggedon/cyberprobe.trustnetworks.com/blob/master/docker-compose.yml

You will be able to launch that Docker Compose file using docker-compose up. This is brand new, works for me; I'd appreciate any feedback on how well it works for you.

Once you have ElasticSearch and Kibana running, you will be able to load in my Kibana dashboard from here...

https://raw.githubusercontent.com/cybermaggedon/cyberprobe.trustnetworks.com/master/kibana-dashboards.json

You need to create the cyberprobe index in Kibana first, then load in the dashboard with Management > Saved Objects > Import.

from cyberprobe.

cybermaggedon commented on June 11, 2024

The only bit that is not included in the Docker Compose file is the cyberprobe packet capture. You need to run a cyberprobe outside of Docker:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!-- Cyberprobe configuration file. -->
<configuration>

  <!-- Define network interfaces to sniff, replace with your network interface. -->
  <interfaces>
    <interface name="eth0"/>
  </interfaces>

  <!-- Define IP addresses or address ranges to match on, this collects everything. -->
  <targets>
    <target address="0.0.0.0/0" liid="my-network"/>
  </targets>

  <!-- Define endpoints to deliver data to. -->
  <endpoints>
    <endpoint hostname="localhost" port="9000" transport="tcp" type="etsi"/>
  </endpoints>

</configuration>

It should be possible to get cyberprobe working inside Docker, but I haven't worked out how to give it permissions to access the host network interface in Docker Compose.

Once it's working with data loaded, you will see a dashboard that looks something like this...

Kibana dashboard screenshot

from cyberprobe.
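One way to do what the comment above says had not yet been worked out, as an added example that is not part of the thread or the project's published Compose files: a Compose service that runs cyberprobe in the host's network namespace and grants only the two capabilities packet capture needs, instead of `privileged: true`. The image name, the config path inside the container and the command line are assumptions; the file mounted is the cyberprobe configuration shown in the comment above, unchanged. With `network_mode: host` the container sees the host's eth0 directly, and `localhost:9000` in that config resolves to the host, so the cybermon ETSI listener from the main Compose file has to be published on the host's port 9000.

```yaml
# Example only: cyberprobe capturing on the host interface from a container.
# Image name, config path and command are assumptions.
version: "3.7"
services:
  cyberprobe:
    image: cybermaggedon/cyberprobe     # assumed image name from the author's Hub namespace
    network_mode: host                  # join the host network namespace: host eth0 is visible
    cap_drop:
      - ALL                             # start from nothing...
    cap_add:
      - NET_RAW                         # ...then add raw sockets (libpcap)
      - NET_ADMIN                       # ...and promiscuous mode on the interface
    security_opt:
      - no-new-privileges:true          # setuid binaries in the image cannot regain dropped caps
    read_only: true                     # the probe writes nothing locally; ship data over ETSI
    volumes:
      - ./cyberprobe.cfg:/etc/cyberprobe.cfg:ro   # the config from the comment above
    command: ["cyberprobe", "/etc/cyberprobe.cfg"]  # assumed: config path as the only argument
    restart: unless-stopped
```

`ports:` has no effect on a service in host network mode, which is the reason the cybermon side, not this service, publishes 9000. Host networking in Compose is a Linux-host feature; on Docker Desktop the container gets the VM's network, not the laptop's. The same `cap_drop`/`cap_add` pair works for a Snort service that reads the same interface. A quick check that the container has no more than it needs: `docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.Privileged}}' <container>` should show the two capabilities and `false`.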

cybermaggedon commented on June 11, 2024

At this point, there's no Snort in the system, but once we've worked out how to give host network permissions to a container, both cyberprobe and snort can run in containers.

I use cyberprobe as part of a commercial cybersecurity operation, we run Kubernetes clusters on Google cloud. Kube is more complex to work with, but it's a good product if you want to deploy something larger scale.

from cyberprobe.

cybermaggedon commented on June 11, 2024

Got a Docker Compose config working with cyberprobe and snort...

https://github.com/cybermaggedon/cyberprobe.trustnetworks.com/blob/master/docker-compose-cp-snort.yml

from cyberprobe.

cybermaggedon commented on June 11, 2024

Good idea - my business uses machine learning, there are lots of interesting things to explore. ElasticSearch has a Machine Learning model which you might be interested in. Part of the paid-for product, but you can use it on the trial for 30 days.

The cyberprobe pub/sub system makes it easy to introduce new analytics, you can write code in Python and subscribe to the data feed, which makes it easy to try new ideas out in code.

I did integrate Snort in the project but I didn't try to use Docker for this project, and I am thinking of making ElasticSearch and Kibana have artificial intelligence and machine learning, if we are making a cyber defence system. How about that idea?

from cyberprobe.

cybermaggedon commented on June 11, 2024

Opened a discussion forum if you want to discuss this further...
https://groups.google.com/d/forum/cyberprobe-discussion

from cyberprobe.
