Note 1: We also provide an installation script and a Virtual Machine, which may be used to avoid the installation steps (see below).
Note 2: The sFlow module is stable and may be used in production. However, the Snort module is still under development.
Note 3: You should install it in a segregated network. By default, the services are available without authentication.
Note 4: This guide is for Debian Linux.
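Note 3 is the point a practitioner should verify before going further. The script below is an added check, not part of Hogzilla: it parses the output of `ss -ltn` and reports stack services bound to a wildcard address or to anything other than loopback (or the segregated-network prefixes you pass in). The port numbers are the components' usual defaults and are an assumption, not values from this guide; adjust them to your installation.

```python
"""Added example (not part of the Hogzilla project): flag Hogzilla stack
services that listen on all interfaces, since they ship without authentication.
Port numbers are the components' usual defaults (an assumption, not from the
guide); adjust them to the ports your installation actually uses."""
import subprocess

# Assumed default listening ports per component (not taken from the guide).
STACK_PORTS = {
    9870: "Hadoop NameNode web UI", 8020: "HDFS NameNode RPC",
    16010: "HBase Master web UI", 16030: "HBase RegionServer web UI",
    9090: "HBase Thrift server", 8080: "Spark Master web UI",
    7077: "Spark Master RPC", 4040: "Spark application UI",
    9000: "GrayLog web interface", 3000: "Snorby web interface",
}
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -ltn` output used for offline testing.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9090      0.0.0.0:*
LISTEN 0      128    0.0.0.0:16010       0.0.0.0:*
LISTEN 0      511    [::]:9000           [::]:*
LISTEN 0      128    10.10.0.5:7077      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

def parse_ss(output):
    """Parse `ss -ltn` lines into (address, port) tuples for LISTEN sockets."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header or non-listening row
        addr, _, port = fields[3].rpartition(":")   # "0.0.0.0:9090", "[::]:9000"
        if port.isdigit():
            sockets.append((addr, int(port)))
    return sockets

def exposed_services(ss_output, allowed_prefixes=("127.", "[::1]")):
    """Return sorted (port, component, address) for stack ports bound to a
    wildcard address or to an address outside the allowed prefixes."""
    findings = []
    for addr, port in parse_ss(ss_output):
        if port not in STACK_PORTS:
            continue
        if addr in WILDCARDS or not addr.startswith(allowed_prefixes):
            findings.append((port, STACK_PORTS[port], addr))
    return sorted(findings)

if __name__ == "__main__":
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    for port, name, addr in exposed_services(live):
        print(f"EXPOSED: {name} on {addr}:{port}")
```

Pass the address prefixes of your segregated management network as `allowed_prefixes`; anything still reported is reachable without authentication from wherever that interface is routable.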
Installation Scripts and Virtual Machine Image
Hogzilla IDS is built on a robust but complex architecture, so its installation is quite long. To simplify it, we created the following installation script:
- install_hogzilla.sh - installs Hadoop, HBase, Thrift, Apache Spark, Pigtail, Hogzilla, SflowTool and Sflow2Hz on the same server. It must be run on Debian Linux.
To install GrayLog, we recommend the official support page below, where you can find many alternatives, including a pre-installed image:
Note that GrayLog can also be installed from the Linux distribution packages. On Debian Linux, you can simply follow
We will also provide an OVA image containing Hadoop, HBase, Apache Spark, Pigtail, Hogzilla, and Sflow2Hz, which can run on VMware, VirtualBox, or another hypervisor.
- Download the OVA image here (will be available soon)
Finally, if you want to install manually, use the information below.
Architecture
The main Hogzilla parts are:
- Network routers - send sFlows to a collector
- SFlow2Hz - inserts the collected sFlows into HBase
- Hadoop - provides HDFS and parallel processing for HBase and Apache Spark
- HBase - stores the data in the cluster
- Apache Spark - an engine for large-scale data processing (actually it is much more!)
- Hogzilla - the set of detection routines that is submitted to Apache Spark. This is the project's core
- Pigtail - currently just a small PHP script that reads the Hogzilla events from the HBase database and saves them into Snorby's MySQL database and GrayLog. We plan to improve it to support more DBs and monitoring consoles.
- GrayLog - just a fancy, simple and useful user interface used to view alerts
- Snort - collects network packets and tags some of them as "malicious", based on its signature base
- Barnyard2-hz - a fork of Barnyard2 that implements DPI, identifies flows, categorizes them using a set of predefined categories, and saves them into HBase
- GrayLog - an "Open source log management that actually works".
- Snorby - an alternative monitoring console. We recommend using GrayLog.
- SFlow2Hz - a simple binary used to insert sFlows into HBase.
Below is a diagram illustrating the role of each module.
Guides
- Installing Hogzilla+sFlow support on Debian (stable)
- Installing Hogzilla+Snort module on Debian (under dev)
It doesn’t work. How can I get help?
Please help us improve this guide. Report your problems on our mailing list.