Changes between Version 9 and Version 10 of GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-ping


Timestamp:
11/01/17 14:22:55 (6 years ago)
Author:
matta@cs.bu.edu
Comment:

--

  • GENIExperimenter/Tutorials/NFV/Ryu/HandlingIntrusionwithRyu-ping

    v9 v10  
    33== Overview ==
    44
    5 In this experiment, we will use the Ryu controller to handle intrusion traffic in the form of port scans generated by the Nmap application. In this system, we use a RINA distributed application to get the intrusion detection alerts from the VNFs (i.e., Snort) as well as the load of the VNFs. When an intrusion is detected by the VNFs, the information will be passed to the Attack Analyzer residing on the controller node via the RINA distributed application. The Attack Analyzer informs the Ryu controller about the attack, which then blocks the intrusion traffic by updating the OpenFlow rules on the OVS switch.
     5In this experiment, we will use the Ryu controller to handle intrusion traffic in the form of pings (ICMP messages). In this system, we use a RINA distributed application to get the intrusion detection alerts from the VNFs (i.e., Snort) as well as the load of the VNFs. When an intrusion is detected by the VNFs, the information will be passed to the Attack Analyzer residing on the controller node via the RINA distributed application. The Attack Analyzer informs the Ryu controller about the attack, which then blocks the intrusion traffic by updating the OpenFlow rules on the OVS switch.
    66
    77{{{
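Review bot: In the new line 5, "pings (ICMP messages)" is narrower than what the tutorial enforces later: step 2 of the Snort configuration treats all ICMP traffic to the destination node as intrusion traffic, not only echo requests. Suggest wording such as "ICMP traffic (e.g., pings)" so the Overview matches the rule and readers know that non-ping ICMP to the destination also triggers the alert.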
     
    215215''' Note: keep the RINA application processes, PI controller process and PI-based Ryu controller process from the previous 3 steps running in the background. '''
    216216
    217 1. We need to first configure Snort so that we can use our rules, or snort’s build-in rules to detect the intrusion traffic.
     2171. We need to first configure Snort so that we can use our rules, or snort’s built-in rules to detect the intrusion traffic.
    218218To configure Snort, in separate windows for VNF1 and VNF2, execute the following commands
    219219
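Review bot: The corrected line 217 still writes "snort’s built-in rules" in lower case while the same sentence opens with "configure Snort"; capitalize it as "Snort’s" for consistency. The context line 218 also ends "execute the following commands" with no colon before the command list.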
     
    2302302. We will use a simple rule where all the ICMP traffic to the ''destination'' node is considered as intrusion traffic. To add the rule, open '' /etc/snort/rules/my.rules '' and add the rule specified below
    231231
    232 To open file:
     232To open the file:
    233233    - ''' nano /etc/snort/rules/my.rules '''
    234234
     
    244244   ''' Note: this command is different from [wiki:GENIExperimenter/Tutorials/NFV/Ryu/LoadBalancePIwithRyu Experiment 2]. Here we specify the file ''/etc/snort/snort.conf '' to indicate which rule files to load. '''
    245245
    246 When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and passes any intrusion information to the Ryu controller which will block the intrusion traffic.
     246When Snort detects intrusion traffic, it will save the alert messages into the file '' /var/log/snort/alert''. The RINA distributed application keeps reading this alert file, and passes any intrusion information to the Ryu controller, which will block the intrusion traffic.
    247247
    248248== (5) Run Attack Analyzer ==
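Review bot: Line 246 says the RINA distributed application passes intrusion information "to the Ryu controller", but the Overview (line 5) has it going to the Attack Analyzer on the controller node, which then informs Ryu, and the next section is "(5) Run Attack Analyzer". Suggest naming the Attack Analyzer in this sentence so the alert path reads the same in both places. The italic markup around /var/log/snort/alert also has a stray space after the opening quotes.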