[Snort-users] Pigsty - A Barnyard2 Replacement by Threat Stack

[Dustin Webber]

Hey guys,

We wrote a Barnyard2 replacement we wanted to open source.    It's designed to be very extensible with a very simple plugin architecture based around Node.js's package management.  Please check it out here: https://github.com/threatstack/pigsty.

It's currently in beta but we'd love contributions and help test and write plugins.

Here is an example application we wrote using the mysql and web socket output plugins. http://snorby.org:3009/

It's important to note that we will be moving Snorby to this spooler in the future and will no longer support barnyard/2. We plan to open source a few parts of our Threat Stack Incident Response System and unfortunately making barnyard/2 work with our communication protocols and backend is not possible.

Either way great things coming to the Snorby project and I'm excited to see what the community builds with Pigsty.

Happy NSM hacking!

Dustin Willis Webber

CEO and Co-Founder at Threat Stack, Inc

Coming Soon: https://www.threatstack.com/#/products/cloudcover

[James Lay]

On 2013-06-03 14:59, Dustin Webber wrote:
> Hey guys,
>

> We wrote a Barnyard2 replacement we wanted to open source.    Its

> designed to be very extensible with a very simple plugin

> architecture based around Node.jss package management.  Please
> check it out here: https://github.com/threatstack/pigsty [1].
>
> Its currently in beta but wed love contributions and help test and

> write plugins.
>
> Here is an example application we wrote using the mysql and web
> socket

> output plugins. http://snorby.org:3009/ [2]
>
> Its important to note that we will be moving Snorby to this spooler

> in
> the future and will no longer support barnyard/2. We plan to open
> source a few parts of our Threat Stack Incident Response System and
> unfortunately making barnyard/2 work with our communication protocols
> and backend is not possible.
>

> Either way great things coming to the Snorby project and Im excited

> to
> see what the community builds with Pigsty.
>
> Happy NSM hacking!
>

> DUSTIN WILLIS WEBBER

>
> CEO and Co-Founder at Threat Stack, Inc

"Its important to note that we will be moving Snorby to this spooler in

the future and will no longer support barnyard/2."

So say if someone was running sguil in tandem with Snorby....they're
going to have to run by2 AND this?

James

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

[Dustin Webber]

James,

Good question - we are currently working on a Sguil plugin. You will just need to replace barnyard 2. We will also be releasing static versions of pigsty so you don't have to install nodesjs or any dependencies for that matter. We will not make this the standard for Snorby until all plugins are completed. We open sourced it early to get people interested in writing plugins for it and porting over the output methods people are interested in.

I'll post here again when the move to Pigsty and all output plugins are 100% completed.

Dustin

Dustin Willis Webber

[Jeremy Hoel]

And just to clarify a bit.. if someone did want to run BY2 and pigsty,
the snort would need to output two unified2 files, so each could
process their own without interfering with each other?

[Dustin Webber]

No, they can read from the same files without conflict.

Dustin Willis Webber

[James Lay]

Thanks for the clarification.

James

[Steven McLaughlin]

'No, they can read from the same files without conflict.'

Q: What if by2 is set to archive processed files. Both would be at separate bookmark locations would they not? Meaning that if by2 for example archived a .u2 after processing and pigsty was a few ticks behind, it could miss a few?

Best Regards,
Steven McLaughlin
st...@Lan.com.au
0459 351 266

[Dustin Webber]

All.

Quick update - We completed our pigsty-sguil plugin (https://github.com/threatstack/pigsty-sguil). You can now use pigsty for sguil, snorby, base etc. We are going to add syslog output today for people using unified2 with ELSA.

Dustin Willis Webber

Threat Stack, Inc - https://www.threatstack.com

Coming Soon: https://www.threatstack.com/#/products/cloudcover

Dustin Willis Webber

On Mon, Jun 3, 2013 at 4:59 PM, Dustin Webber <dustin...@gmail.com> wrote:

Hey guys,

We wrote a Barnyard2 replacement we wanted to open source.    It's designed to be very extensible with a very simple plugin architecture based around Node.js's package management.  Please check it out here: https://github.com/threatstack/pigsty.

It's currently in beta but we'd love contributions and help test and write plugins.

Here is an example application we wrote using the mysql and web socket output plugins. http://snorby.org:3009/

It's important to note that we will be moving Snorby to this spooler in the future and will no longer support barnyard/2. We plan to open source a few parts of our Threat Stack Incident Response System and unfortunately making barnyard/2 work with our communication protocols and backend is not possible.

Either way great things coming to the Snorby project and I'm excited to see what the community builds with Pigsty.

Happy NSM hacking!

Dustin Willis Webber

CEO and Co-Founder at Threat Stack, Inc

Coming Soon: https://www.threatstack.com/#/products/cloudcover