Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Logging Packets with Snort

From: Johnny Venter <Johnny.Venter () zoho com>
Date: Fri, 25 Oct 2013 15:31:28 -0400
Here's my command:

openfpc-client -u user -p pwd -d -a fetch --bpf /tmp/test.bpf --stime 1382713697 --etime 1382729022 -w /tmp/zzzz.pcap

And the results:

----Config----
Server   :  localhost
Port     :  4242
User     :  user
Action   :  fetch
Logtype  :  auto
Logline  :  0
Filename :  /tmp/out.pcap
SumType  :  0 
Last     :  0
stime    :  1382713697 Fri Oct 25 11:08:17 2013
etime    :  1382729022 Fri Oct 25 15:23:42 2013


   * openfpc-client 0.6 * 
   Part of the OpenFPC project

Logline created from session IDs: ofpc-v1-bpf type:search bpf: /tmp/test.bpf stime:1382713697 etime:1382729022 
timestamp: 
DEBUG: Connected to localhost
DEBUG: Sent Request
Problem processing request: 0


I get nothing! One thing I do notice is "timestamp" is blank.  

Thanks.

On Oct 25, 2013, at 3:10 PM, Jeremy Hoel <jthoel () gmail com> wrote:


so try this, if you have openfpc-client installed on your workstations,

openfpc-client -u $USER -p $PW -s $sensor-IP -a fetch --bpf \"$BPF\"
--stime $STIME --etime $ETIME -w $OUT_FILE

STIME is an epoch time:
Enter pcap start date & time: 10/25/13 15:08:17
stime = 1382713697

ETIME is the amount of time to review

BPF is normally something like  'host 192.168.10.10' or more specific
if you want.

If you don't have the client tools on your workstation you should be
able to try it on the sensor without the -s (I haven't done that
before)





On Fri, Oct 25, 2013 at 7:02 PM, Johnny Venter <Johnny.Venter () zoho com> wrote:

Hi Jeremy, thanks for the quick response and yes, I need more help :)

When I issue:

openfpc-client -a status

The oldest packet is: 1380905610 (Fri Oct  4 12:53:30 2013)

The packet request in my previous email was requested today.

Here's some more information on my setup:  I have a snort sensor with
Barnyard2, MySQL and with openfpc installed and capturing packets--I think
they reference this as running in "slave" mode.  I have another server that
runs Snorby and connects to the MySQL database on the snort sensor.  I
request packets from the Snorby server which in turn connects to the snort
sensor for packet requests.

Any other ideas was to why I'm getting 24 byte packets?
While I do like the full packet capture so I can detect the start of an
intrusion, can I query the unified2 file similar to what Sourcefire does?

Thanks.


On Oct 25, 2013, at 2:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:

The interface you are talking about and using is Snorby; it's a gui for
looking at snort alerts.  Snort itelf does not capture full packets, just
the bits that cause the event (like you see in SourceFire).  Snorby has a
plug-n for the a tool called OpenFPC (which is what you see in your logs)
that connects back to an OpenFPC client/server to get the pcap data, but you
have to run openfpc on the sensor and set it up.

We've found that the 'extract packets' part doesn't work great due to the
way that OpenFPC does client/server comms over many devices.  But, we do run
OpenFPC, do the full packet captures and pull the packets ourselves with a
script to the sensor that we want the data from.

The errors you are showing could be because the pcap data isn't there
anymore (how far back do your openfpc captures go?)

I hope that helps clarify some bits and if you need more help, let me know.




On Fri, Oct 25, 2013 at 6:45 PM, Johnny Venter <Johnny.Venter () zoho com>
wrote:


Having some performance issues with my Snort sensor that has OpenFPC
installed.

Not sure if this is the right place for this question, but here goes:

I have a sensor that monitors the Internet traffic.  The interface is 1GB.
When I try to download packet captures (from Snorby) most of the time it
takes a while and then downloads a packet that is 24 bytes.  When I open
this pcap in Wireshark or tcpdump, it only displays one line: link-type
EN10MB (Ethernet)

When I click on the "Packet Capture Options" in Snorby:

<Screen Shot 2013-10-25 at 2.37.55 PM.png>

I watch the syslog from my snort sensor and here is the output:

Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: Accepted new
connection from 127.0.0.1
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s DECODE: User netp-user
assigned RID: 0 for action fetch. Comment: 0 Filetype : PCAP
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: 127.0.0.1: RID: 15
Fetch Request OK -> WAIT!
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User:
netp-user Action: fetch BPF: host 192.168.216.175 and host 192.168.216.77
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User:
netp-user Result: 1382726055-15.pcap, 24, ab487d36057d446b6a8b72091da72f23
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: 15 127.0.0.1
Sending File:/tmp/1382726055-15.pcap MD5: ab487d36057d446b6a8b72091da72f23
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: Uploaded 1 x 1KB
chunks

So it's really a hit or miss with my packet capture.  Does anyone have any
idea why this happens?

Also, in the commercial version of Snort (Sourcefire), it *seems* to
capture just the packet the generated the alert--which saves space and
resources.  Can this be replicated with snort's unified2 output mode (which
I currently use)? If so, how can I query the binary file for the specific
intrusion event?

Thanks.



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
from
the latest Intel processors and coprocessors. See abstracts and register >

http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!






------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: