Ryu Controller

Hi People,

I want to integrate Ryu controller with Zeek IDS for a project and I need help to do this. Can anyone help me with it?

Thanks
Priyatham

Hi,

> I want to integrate Ryu controller with Zeek IDS for a project and I need
> help to do this. Can anyone help me with it?

If you just want to send commands to Ryu from Zeek - use the netcontrol framework. There actually is a Ryu plugin for it, although that might have bitrotted a bit by now (so I won’t guarantee that it just works out of the box anymore).

In any case - it might be worth taking a look at the netcontrol documentation that highlights how netcontrol operates: NetControl Framework — Book of Zeek (v4.2.0)

It also shows how to instantiate everything. To make things a bit complicated, there are two ways to interface with Ryu. The first one uses the Ryu REST API directly from Zeek. This does not scale very well - but is pretty simple and should still work unless they changed the API. That plugin ships with Zeek and is at zeek/ryu.zeek at master · zeek/zeek · GitHub.

The second way is to use the generic broker plugin on the Zeek side - and write a Ryu controller that can interact with that. A Ryu controller implementing this is in the zeek-netcontrol repository (which is contained in aux if you download the distribution). zeek-netcontrol/openflow at master · zeek/zeek-netcontrol · GitHub contains the source code as well as an example script that ties everything together.

I hope this helps a bit to get started :)
  Johanna
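
The first approach described above (NetControl talking to Ryu's REST API directly), sketched as an added example; it is not code from this thread or from the Zeek distribution. The controller address, port, datapath ID and the choice of `SSH::Password_Guessing` as the trigger are assumptions to adapt to your setup.

```zeek
# Added example: block the source of a Zeek notice through Ryu via NetControl.
@load base/frameworks/netcontrol
@load base/frameworks/openflow
# Provides the SSH::Password_Guessing notice used as the trigger below.
@load policy/protocols/ssh/detect-bruteforcing

# Assumed values: Ryu's REST interface reachable on 127.0.0.1:8080,
# controlling a switch whose datapath ID is 1.
const ryu_host = 127.0.0.1 &redef;
const ryu_port = 8080 &redef;
const switch_dpid = 1 &redef;

event NetControl::init()
	{
	# OpenFlow controller object backed by the Ryu REST plugin shipped with Zeek.
	local ctrl = OpenFlow::ryu_new(ryu_host, ryu_port, switch_dpid);

	# Wrap it as a NetControl backend and activate it with priority 0.
	local backend = NetControl::create_openflow(ctrl);
	NetControl::activate(backend, 0);
	}

event NetControl::init_done()
	{
	print "NetControl backends are ready";
	}

hook Notice::policy(n: Notice::Info)
	{
	# Only react to the chosen notice type, and only when a source is recorded.
	if ( n$note == SSH::Password_Guessing && n?$src )
		# Ask the switch to drop traffic from this address for 10 minutes.
		NetControl::drop_address(n$src, 10min);
	}
```

Rules that NetControl installs or fails to install are recorded in netcontrol.log, which is the place to check whether the Ryu side accepted the flow.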

Hi,

I did similar research on how to integrate Bro and Snort IDS with an SDN controller.

Best Regards,

Mostafa Abdallah Ammar, PhD.
Head of Information Security Department
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674

Hi,

We did similar research on how to integrate Bro and Snort IDS with an SDN controller:
https://ieeexplore.ieee.org/document/7792427

We used the Floodlight SDN controller with the IDS.

In this case we created a port mirror on the switch to send traffic to the IDS for matching attacks, and if an attacker is detected we contact the Floodlight controller through the REST API to get the host's switch port and send a blocking flow to the switch to block the attacker.

Another integration: if we want to search for specific traffic, we forward the traffic to the controller and create a module on the controller; this module matches the traffic against a defined database and also sends a blocking flow if a match is found.

I don't know if this helps in your case.

Best Regards,

Mostafa Abdallah Ammar, PhD.
Head of Information Security Department
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674

Hi,

How can I run bro for the current traffic and show the alerts on a console instead of logs?

Also where can I check the policies that are configured to Bro for IDS?

Also what is the difference between the broctl binary and bro binary?

Thanks
Priyatham

Hi,

> How can I run bro for the current traffic and show the alerts on a console
> instead of logs?

You can run it on the command line without using zeekctl/broctl using zeek (or bro) -i [interfacename]. However, logs will always be written to files - it does not really make sense to write them to the console, which would make it hard to distinguish between the different log streams.

Note - most Zeek logs are policy neutral and not really alerts…

> Also where can I check the policies that are configured to Bro for IDS?

I don’t 100% get the questions. If you load misc/loaded-scripts in your configuration, you will get a loaded-scripts.log which will show you all script files that are loaded. The default configuration of Zeek loads most protocol analyzers and writes their log-files.

> Also what is the difference between the broctl binary and bro binary?

zeekctl/broctl is the management application to start zeek cluster setups. See e.g. https://github.com/zeek/zeekctl - or https://docs.zeek.org/en/stable/quickstart/ for a getting started guide that mentions this.

Johanna

Hi,

I’m trying to run Bro as an IDS. Hence, I don’t want to show all the logs on the console. I just want to look at the alerts generated by Bro if there are any attacks on the network. That’s the reason I want to print only the alerts and not logs.
How do I run Bro in IDS mode?

For Bro to run as IDS, there should be some policies configured with which this application will differentiate between normal traffic and malicious traffic. I want to look at those policies.

Can you help me with this?

Thanks

Why are you interested in this approach? Is it a school project?

Zeek isn’t designed to be an intrusion detection system that creates alerts, although it does produce notices. You might be better off with Suricata if you want alerts.

Sincerely,

Richard

Hi,

Yes, it is for a school project and I would like to use Bro as an IDS. And I would like Bro to generate active alerts for the incoming traffic. How can I do it?

Thanks