Changes between Version 9 and Version 10 of GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-ping
Timestamp: 11/01/17 14:22:55 (6 years ago)
GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-ping
v9 v10 3 3 == Overview == 4 4 5 In this experiment, we will use the Ryu controller to handle intrusion traffic in the form of p ort scans generated by the Nmap application. In this system, we use a RINA distributed application to get the intrusion detection alerts from the VNFs (i.e., Snort) as well as the load of the VNFs. When an intrusion is detected by the VNFs, the information will be passed to the Attack Analyzer residing on the controller node via the RINA distributed application. The Attack Analyzer informs the Ryu controller about the attack, which then blocks the intrusion traffic by updating the OpenFlow rules on the OVS switch.5 In this experiment, we will use the Ryu controller to handle intrusion traffic in the form of pings (ICMP messages). In this system, we use a RINA distributed application to get the intrusion detection alerts from the VNFs (i.e., Snort) as well as the load of the VNFs. When an intrusion is detected by the VNFs, the information will be passed to the Attack Analyzer residing on the controller node via the RINA distributed application. The Attack Analyzer informs the Ryu controller about the attack, which then blocks the intrusion traffic by updating the OpenFlow rules on the OVS switch. 6 6 7 7 {{{ … … 215 215 ''' Note: keep the RINA application processes, PI controller process and PI-based Ryu controller process from the previous 3 steps running in the background. ''' 216 216 217 1. We need to first configure Snort so that we can use our rules, or snort’s buil d-in rules to detect the intrusion traffic.217 1. We need to first configure Snort so that we can use our rules, or snort’s built-in rules to detect the intrusion traffic. 218 218 To configure Snort, in separate windows for VNF1 and VNF2, execute the following commands 219 219 … … 230 230 2. We will use a simple rule where all the ICMP traffic to the ''destination'' node is considered as intrusion traffic. 
To add the rule, open '' /etc/snort/rules/my.rules '' and add the rule specified below 231 231 232 To open file:232 To open the file: 233 233 - ''' nano /etc/snort/rules/my.rules ''' 234 234 … … 244 244 ''' Note: this command is different from [wiki:GENIExperimenter/Tutorials/NFV/Ryu/LoadBalancePIwithRyu Experiment 2]. Here we specify the file ''/etc/snort/snort.conf '' to indicate which rule files to load. ''' 245 245 246 When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and passes any intrusion information to the Ryu controller which will block the intrusion traffic.246 When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and passes any intrusion information to the Ryu controller, which will block the intrusion traffic. 247 247 248 248 == (5) Run Attack Analyzer ==
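Review bot: In the Overview hunk (line 5), the new sentence names the intrusion traffic as "pings (ICMP messages)" but does not say what the controller's block matches on. Step 2 later treats all ICMP traffic to the ''destination'' node as intrusion, so the Overview should say the same and state whether the updated OpenFlow rules drop by source, by protocol, or both, so readers know that ordinary connectivity pings to that node will also be blocked.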
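Review bot: In the hunk at line 217, the corrected sentence still writes "snort’s built-in rules" in lower case while the same sentence and the rest of the page use "Snort". Capitalise it while this line is being touched, and end the following context line ("execute the following commands") with a colon, as the "To open the file:" line in the next hunk does.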
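Review bot: In the hunk at lines 230-234, the command is shown as "nano /etc/snort/rules/my.rules" with no note on privileges. Files under /etc normally need root to edit, so either state that the VNF session is already root or show the command with sudo; otherwise the rule is never saved and Snort raises no alert.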
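Review bot: In the hunk at line 246, the text says the RINA application "keeps reading this alert file" but does not say how alerts already present in /var/log/snort/alert from an earlier run are handled. Document whether the file should be cleared before starting Snort, or whether reading starts at the end of the file, so stale entries do not trigger a block at startup. The italic markers in this hunk also carry stray spaces ("'' /var/log/snort/alert''" and "''/etc/snort/snort.conf ''"), which is worth tidying in the same edit.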