Snort mailing list archives
Re: Logging Packets with Snort
From: Johnny Venter <Johnny.Venter () zoho com>
Date: Fri, 25 Oct 2013 15:31:28 -0400
Here's my command:

openfpc-client -u user -p pwd -d -a fetch --bpf /tmp/test.bpf --stime 1382713697 --etime 1382729022 -w /tmp/zzzz.pcap

And the results:

----Config----
Server   : localhost
Port     : 4242
User     : user
Action   : fetch
Logtype  : auto
Logline  : 0
Filename : /tmp/out.pcap
SumType  : 0
Last     : 0
stime    : 1382713697 Fri Oct 25 11:08:17 2013
etime    : 1382729022 Fri Oct 25 15:23:42 2013

* openfpc-client 0.6 *
Part of the OpenFPC project

Logline created from session IDs:
ofpc-v1-bpf type:search bpf: /tmp/test.bpf stime:1382713697 etime:1382729022 timestamp:
DEBUG: Connected to localhost
DEBUG: Sent Request
Problem processing request: 0

I get nothing! One thing I do notice is "timestamp" is blank.

Thanks.

On Oct 25, 2013, at 3:10 PM, Jeremy Hoel <jthoel () gmail com> wrote:

So try this, if you have openfpc-client installed on your workstations:

openfpc-client -u $USER -p $PW -s $sensor-IP -a fetch --bpf \"$BPF\" --stime $STIME --etime $ETIME -w $OUT_FILE

STIME is an epoch time:
Enter pcap start date & time: 10/25/13 15:08:17
stime = 1382713697

ETIME is the amount of time to review.
BPF is normally something like 'host 192.168.10.10' or more specific if you want.

If you don't have the client tools on your workstation you should be able to try it on the sensor without the -s (I haven't done that before).

On Fri, Oct 25, 2013 at 7:02 PM, Johnny Venter <Johnny.Venter () zoho com> wrote:

Hi Jeremy, thanks for the quick response and yes, I need more help :)

When I issue:

openfpc-client -a status

The oldest packet is: 1380905610 (Fri Oct 4 12:53:30 2013)

The packet request in my previous email was requested today.

Here's some more information on my setup: I have a snort sensor with Barnyard2, MySQL and with openfpc installed and capturing packets--I think they reference this as running in "slave" mode. I have another server that runs Snorby and connects to the MySQL database on the snort sensor. I request packets from the Snorby server, which in turn connects to the snort sensor for packet requests.

Any other ideas as to why I'm getting 24 byte packets?

While I do like the full packet capture so I can detect the start of an intrusion, can I query the unified2 file similar to what Sourcefire does?

Thanks.

On Oct 25, 2013, at 2:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:

The interface you are talking about and using is Snorby; it's a GUI for looking at snort alerts. Snort itself does not capture full packets, just the bits that cause the event (like you see in SourceFire). Snorby has a plug-in for a tool called OpenFPC (which is what you see in your logs) that connects back to an OpenFPC client/server to get the pcap data, but you have to run openfpc on the sensor and set it up.

We've found that the 'extract packets' part doesn't work great due to the way that OpenFPC does client/server comms over many devices. But we do run OpenFPC, do the full packet captures and pull the packets ourselves with a script to the sensor that we want the data from.

The errors you are showing could be because the pcap data isn't there anymore (how far back do your openfpc captures go?)

I hope that helps clarify some bits, and if you need more help, let me know.

On Fri, Oct 25, 2013 at 6:45 PM, Johnny Venter <Johnny.Venter () zoho com> wrote:

Having some performance issues with my Snort sensor that has OpenFPC installed. Not sure if this is the right place for this question, but here goes:

I have a sensor that monitors the Internet traffic. The interface is 1GB. When I try to download packet captures (from Snorby) most of the time it takes a while and then downloads a packet that is 24 bytes. When I open this pcap in Wireshark or tcpdump, it only displays one line:

link-type EN10MB (Ethernet)

When I click on the "Packet Capture Options" in Snorby:
<Screen Shot 2013-10-25 at 2.37.55 PM.png>

I watch the syslog from my snort sensor and here is the output:

Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: Accepted new connection from 127.0.0.1
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s DECODE: User netp-user assigned RID: 0 for action fetch. Comment: 0 Filetype : PCAP
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: 127.0.0.1: RID: 15 Fetch Request OK -> WAIT!
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User: netp-user Action: fetch BPF: host 192.168.216.175 and host 192.168.216.77
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User: netp-user Result: 1382726055-15.pcap, 24, ab487d36057d446b6a8b72091da72f23
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: 15 127.0.0.1 Sending File:/tmp/1382726055-15.pcap MD5: ab487d36057d446b6a8b72091da72f23
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: Uploaded 1 x 1KB chunks

So it's really hit or miss with my packet capture. Does anyone have any idea why this happens?

Also, in the commercial version of Snort (Sourcefire), it *seems* to capture just the packet that generated the alert--which saves space and resources. Can this be replicated with snort's unified2 output mode (which I currently use)? If so, how can I query the binary file for the specific intrusion event?

Thanks.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
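The two technical questions in the thread (why a fetched pcap is exactly 24 bytes, and how to pull the packet behind one intrusion event out of a unified2 file) can both be checked offline with a small parser. Snort's unified2 output already stores the triggering packet as a type 2 record beside each type 7 event record, so the query is a scan for packet records with a matching event_id. This is an added example, not code from the thread or from the Snort, Barnyard2 or OpenFPC projects; it assumes the standard unified2 record layouts and builds its own sample spool inline (event 15 between the two hosts from the BPF in the syslog above).

```python
import struct

U2_PACKET = 2      # Unified2Packet: 7 x uint32 header, then the raw frame
U2_IDS_EVENT = 7   # Unified2IDSEvent_legacy: fixed 52-byte record
PKT_HDR = struct.Struct(">7I")
EN10MB = 1         # DLT_EN10MB, the only thing the thread's 24-byte pcap showed

def unified2_records(data):
    """Yield (record_type, payload) for every big-endian (type, length) record."""
    off = 0
    while off + 8 <= len(data):
        rec_type, length = struct.unpack(">II", data[off:off + 8])
        yield rec_type, data[off + 8:off + 8 + length]
        off += 8 + length

def packets_for_event(data, event_id):
    """Return [(sec, usec, linktype, frame)] for packet records tied to event_id."""
    out = []
    for rec_type, body in unified2_records(data):
        if rec_type == U2_PACKET:
            _sid, eid, _esec, sec, usec, lt, plen = PKT_HDR.unpack(body[:28])
            if eid == event_id:
                out.append((sec, usec, lt, body[28:28 + plen]))
    return out

def write_pcap(packets, linktype=EN10MB):
    """Classic pcap: 24-byte global header, then a 16-byte header per packet."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, _lt, frame in packets:
        blob += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return blob

def pcap_packet_count(pcap):
    """Count packet records; a 24-byte file like the one in the thread holds none."""
    off, count = 24, 0
    while off + 16 <= len(pcap):
        off += 16 + struct.unpack("<I", pcap[off + 8:off + 12])[0]
        count += 1
    return count

# Constructed sample spool: event 15 between the two hosts from the thread's BPF,
# its packet record, and an unrelated packet for event 16 (dummy 42-byte frame).
rec = lambda rtype, body: struct.pack(">II", rtype, len(body)) + body
FRAME = bytes.fromhex("ffffffffffff0011223344550800") + b"\x45" + b"\x00" * 27
SAMPLE = (
    rec(U2_IDS_EVENT, struct.pack(">11I2H4B", 0, 15, 1382726055, 0, 1000001, 1, 1, 3,
                                  2, 0xC0A8D8AF, 0xC0A8D84D, 1234, 80, 6, 0, 0, 0))
    + rec(U2_PACKET, PKT_HDR.pack(0, 15, 1382726055, 1382726055, 123, EN10MB, 42) + FRAME)
    + rec(U2_PACKET, PKT_HDR.pack(0, 16, 1382726060, 1382726060, 7, EN10MB, 42) + FRAME)
)
```

Running `write_pcap(packets_for_event(open(path, "rb").read(), event_id))` against a real Barnyard2 spool yields a pcap that Wireshark opens directly; `pcap_packet_count` returning 0 on a fetched file is the quick way to confirm an OpenFPC fetch came back empty rather than truncated.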
Current thread:
- Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Message not available
- Message not available
- Message not available
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)