Comments (13)
from cyberprobe.
Docker containers are a great way to deploy most stuff, and I'm a big fan. You may have seen I have Docker containers for cyberprobe... https://hub.docker.com/r/cybermaggedon/ as well as a few other things I work with.
Cybermon works fine in containers. Cyberprobe does too, but using cyberprobe to 'sniff' the network in a container means you have to understand how the container networks.
You can use docker command line directly, but once you start managing lots of containers you really need a tool like Docker Compose to describe the full set of containers you want to deploy.
We prefer to deploy containers using Kubernetes, which is a production-scale container manager, and really great to work with. The easiest way to run Kubernetes is to use the Google Cloud Platform, and just deploy a Kubernetes cluster.
You might want to deploy Cyberprobe inside Kubernetes, say to monitor a resource like an nginx web server that's running in Kubernetes. If that's the case, you need to deploy Cyberprobe and the nginx container as different containers in the same POD, and give cyberprobe the NET_ADMIN security context so that it has permission to sniff the network. By running two containers in the same POD, they share the network interface - eth0 in both PODs is the same network interface.
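The sidecar layout described above, as an added example (not a manifest from the cyberprobe project or from this thread): nginx and cyberprobe in one Pod, with only the capabilities packet capture needs granted to the probe. The image names, the nginx tag, the config-file argument and the `cybermon` endpoint hostname are assumptions.

```yaml
# Added example (not from the cyberprobe project or the thread above): an nginx
# Pod with a cyberprobe sidecar. Containers in one Pod share a network
# namespace, so the sidecar's eth0 is the same interface nginx uses.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-with-cyberprobe
spec:
  containers:
    - name: nginx
      image: nginx:1.25                  # version tag is an assumption
      ports:
        - containerPort: 80
    - name: cyberprobe
      image: cybermaggedon/cyberprobe    # image name/tag assumed; see hub.docker.com/r/cybermaggedon/
      args: ["/etc/cyberprobe/cyberprobe.cfg"]   # assumed: config path passed as the only argument
      securityContext:
        # Grant just the two capabilities libpcap needs instead of privileged: true.
        # CAP_NET_RAW opens the AF_PACKET socket; CAP_NET_ADMIN allows promiscuous mode.
        capabilities:
          add: ["NET_ADMIN", "NET_RAW"]
          drop: ["ALL"]
      volumeMounts:
        - name: config
          mountPath: /etc/cyberprobe
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: cyberprobe-config
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cyberprobe-config
data:
  cyberprobe.cfg: |
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <configuration>
      <interfaces>
        <interface name="eth0"/>
      </interfaces>
      <targets>
        <target address="0.0.0.0/0" liid="nginx-pod"/>
      </targets>
      <endpoints>
        <endpoint hostname="cybermon" port="9000" transport="tcp" type="etsi"/>
      </endpoints>
    </configuration>
```

Because the probe sees only the Pod's own namespace, the target range above captures just this Pod's traffic rather than the node's; `cybermon` is assumed to be a Service in the same namespace.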
Maybe you can tell me what you're trying to do, and I can suggest something?
I can find that running the whole project from A to Z could cost us a lot of virtual machines, that's why I want to run the project with Docker, and I can't find details in your project, that's why I am using my skills in Docker and Docker Compose.... I want from you steps to run the project in Docker, from Snort and cyberprobe to ELK and Cassandra, which is not working outside Docker.... and the other subscribers >>> I want to end the project in a user interface to be a product for the others. I am using Node.js for that purpose, and what about you?
I've been tidying up the ElasticSearch and Gaffer loaders to make them easier to deploy for cyberprobe 1.7. This will deprecate some of the Lua code which hasn't been maintained. It will be easier to deploy the whole processing chain in containers.
When I've got it working in the next couple of days, I'll post a Docker Compose example with Kibana, ElasticSearch, Gaffer.
Ok, I have something which may be of interest to you working in cyberprobe 1.7.3. Documentation is here:
http://cyberprobe.trustnetworks.com/cyberprobe.html#A-containerised-processing-system
What this does is launch cybermon, data loaders, ElasticSearch, Kibana and Gaffer using Docker Compose. You can get at the Docker Compose configuration file here:
https://github.com/cybermaggedon/cyberprobe.trustnetworks.com/blob/master/docker-compose.yml
You will be able to launch that Docker Compose file using docker-compose up. This is brand new, works for me, I'd appreciate any feedback on how well it works for you.
Once you have ElasticSearch and Kibana running, you will be able to load in my Kibana dashboard from here...
You need to create the cyberprobe index in Kibana first, then load in the dashboard with Management > Saved Objects > Import.
The only bit that is not included in the Docker Compose file is the cyberprobe packet capture. You need to run a cyberprobe outside of Docker:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Cyberprobe configuration file. -->
<configuration>
  <!-- Define network interfaces to sniff, replace with your network interface. -->
  <interfaces>
    <interface name="eth0"/>
  </interfaces>
  <!-- Define IP addresses or address ranges to match on, this collects everything. -->
  <targets>
    <target address="0.0.0.0/0" liid="my-network"/>
  </targets>
  <!-- Define endpoints to deliver data to. -->
  <endpoints>
    <endpoint hostname="localhost" port="9000" transport="tcp" type="etsi"/>
  </endpoints>
</configuration>
It should be possible to get cyberprobe working inside Docker, but I haven't worked out how to give it permissions to access the host network interface in Docker Compose.
Once it's working with data loaded, you will see a dashboard that looks something like this...
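One way to give the probe container the host interface from Docker Compose, as an added example (not the project's docker-compose.yml and not from the thread author): host networking plus two added capabilities, so the container never needs `privileged: true`. The image names and the config-file argument are assumptions; the mounted config is the one quoted above, which already points at localhost:9000.

```yaml
# Added example (not the project's compose file): a cyberprobe service that
# captures from the host's interfaces while cybermon stays on the default
# compose network. Image names are assumed from hub.docker.com/r/cybermaggedon/.
version: "3.7"
services:
  cybermon:
    image: cybermaggedon/cybermon      # image name assumed
    ports:
      - "9000:9000"                    # published so a host-network probe reaches it on localhost:9000

  cyberprobe:
    image: cybermaggedon/cyberprobe    # image name assumed
    network_mode: host                 # sees the host's eth0 instead of a bridge veth pair
    cap_add:
      - NET_RAW                        # AF_PACKET capture socket
      - NET_ADMIN                      # promiscuous mode on the interface
    volumes:
      - ./cyberprobe.cfg:/etc/cyberprobe.cfg:ro   # the XML config quoted above
    command: ["/etc/cyberprobe.cfg"]   # assumed: config path as the only argument
    depends_on:
      - cybermon
```

With `network_mode: host` the probe cannot resolve compose service names, which is why the endpoint stays `localhost` and cybermon's port is published rather than reached over the compose network.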
At this point, there's no Snort in the system, but once we've worked out how to give host network permissions to a container, both cyberprobe and snort can run in containers.
I use cyberprobe as part of a commercial cybersecurity operation, we run Kubernetes clusters on Google cloud. Kube is more complex to work with, but it's a good product if you want to deploy something larger scale.
Got a Docker Compose config working with cyberprobe and snort...
Good idea - my business uses machine learning, there are lots of interesting things to explore. ElasticSearch has a Machine Learning model which you might be interested in. Part of the paid-for product, but you can use it on the trial for 30 days.
The cyberprobe pub/sub system makes it easy to introduce new analytics, you can write code in Python and subscribe to the data feed, which makes it easy to try new ideas out in code.
I did integrate Snort in the project but I didn't try to use Docker for this project, and I am thinking to make Elasticsearch and Kibana have artificial intelligence and machine learning if we are making a cyber defence system. How about that idea?
Opened a discussion forum if you want to discuss this further...
https://groups.google.com/d/forum/cyberprobe-discussion