Snort mailing list archives
Re: Logging Packets with Snort
From: Johnny Venter <Johnny.Venter () zoho com>
Date: Fri, 25 Oct 2013 16:13:25 -0400
Thanks, Ayodele for your help. I ran this on MySQL on my Snort sensor: SELECT @@global.time_zone, @@session.time_zone; Results: +--------------------+---------------------+ | @@global.time_zone | @@session.time_zone | +--------------------+---------------------+ | SYSTEM | SYSTEM | +--------------------+---------------------+ On the snort sensor server (Ubuntu), the time is: Fri Oct 25 16:10:29 EDT 2013 On the Snorby server (Ubuntu), the time is the same. I'm still confused on the DB replication you mention. Here is my setup. Snort outputs to unified2. Barnyard2 takes that as input and stores it in my MySQL DB. Snorby does not have a DB, it connects to the Snort DB. Thanks. On Oct 25, 2013, at 4:03 PM, Ayodele Okeowo <aymacro () gmail com> wrote:
Start from your short sensor by checking the timestamp on the mysql database if it's current. If database timestamp is correct, then try a manual mysql replication between both snort database and snorby. If timestamp is not current on the snort mysql db, then check your barnyard2 and make sure it's passing data to the snort db. From there troubleshooting should be more simpler. On Oct 25, 2013 3:57 PM, "Johnny Venter" <Johnny.Venter () zoho com> wrote: I did not enable sessions with OpenFPC so there's no DB for packets/sessions. Can you elaborate on the DB replication? Also, I get the following messages in syslog: Oct 25 14:29:32 snort_s daemonlogger[16404]: stat failed for "/var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1381018707": Value too large for defined data type Oct 25 14:29:32 snort_s daemonlogger[16404]: stat failed for "/var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1381700285": Value too large for defined data type Oct 25 14:29:32 snort_s daemonlogger[16404]: stat failed for "/var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1381711036": Value too large for defined data type Oct 25 14:29:32 snort_s daemonlogger[16404]: stat failed for "/var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1381517654": Value too large for defined data type Oct 25 14:29:32 snort_s daemonlogger[16404]: stat failed for "/var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1382715970": Value too large for defined data type Oct 25 14:29:32 snort_s daemonlogger[16404]: [!] Ringbuffer: deleting /var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1382725637 Oct 25 14:29:32 snort_s daemonlogger[16404]: Logging packets to /var/tmp/openfpc/pcap/openfpc-snort_s.pcap.1382725772 Thanks. On Oct 25, 2013, at 3:50 PM, Ayodele Okeowo <aymacro () gmail com> wrote:This sounds like a database replication issue from the way your snorby server gets packets from the snort sensor mysql database. On Oct 25, 2013 3:05 PM, "Johnny Venter" <Johnny.Venter () zoho com> wrote: Hi Jeremy, thanks for the quick response and yes, I need more help :) When I issue: openfpc-client -a status The oldest packet is: 1380905610 (Fri Oct 4 12:53:30 2013) The packet request in my previous email was requested today. Here's some more information on my setup: I have a snort sensor with Barnyard2, MySQL and with openfpc installed and capturing packets--I think they reference this as running in "slave" mode. I have another server that runs Snorby and connects to the MySQL database on the snort sensor. I request packets from the Snorby server which in turn connects to the snort sensor for packet requests. Any other ideas was to why I'm getting 24 byte packets? While I do like the full packet capture so I can detect the start of an intrusion, can I query the unified2 file similar to what Sourcefire does? Thanks. On Oct 25, 2013, at 2:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:The interface you are talking about and using is Snorby; it's a gui for looking at snort alerts. Snort itelf does not capture full packets, just the bits that cause the event (like you see in SourceFire). Snorby has a plug-n for the a tool called OpenFPC (which is what you see in your logs) that connects back to an OpenFPC client/server to get the pcap data, but you have to run openfpc on the sensor and set it up. We've found that the 'extract packets' part doesn't work great due to the way that OpenFPC does client/server comms over many devices. But, we do run OpenFPC, do the full packet captures and pull the packets ourselves with a script to the sensor that we want the data from. The errors you are showing could be because the pcap data isn't there anymore (how far back do your openfpc captures go?) I hope that helps clarify some bits and if you need more help, let me know. On Fri, Oct 25, 2013 at 6:45 PM, Johnny Venter <Johnny.Venter () zoho com> wrote: Having some performance issues with my Snort sensor that has OpenFPC installed. Not sure if this is the right place for this question, but here goes: I have a sensor that monitors the Internet traffic. The interface is 1GB. When I try to download packet captures (from Snorby) most of the time it takes a while and then downloads a packet that is 24 bytes. When I open this pcap in Wireshark or tcpdump, it only displays one line: link-type EN10MB (Ethernet) When I click on the "Packet Capture Options" in Snorby: <Screen Shot 2013-10-25 at 2.37.55 PM.png> I watch the syslog from my snort sensor and here is the output: Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: Accepted new connection from 127.0.0.1 Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s DECODE: User netp-user assigned RID: 0 for action fetch. Comment: 0 Filetype : PCAP Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: 127.0.0.1: RID: 15 Fetch Request OK -> WAIT! Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User: netp-user Action: fetch BPF: host 192.168.216.175 and host 192.168.216.77 Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User: netp-user Result: 1382726055-15.pcap, 24, ab487d36057d446b6a8b72091da72f23 Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: 15 127.0.0.1 Sending File:/tmp/1382726055-15.pcap MD5: ab487d36057d446b6a8b72091da72f23 Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: Uploaded 1 x 1KB chunks So it's really a hit or miss with my packet capture. Does anyone have any idea why this happens? Also, in the commercial version of Snort (Sourcefire), it *seems* to capture just the packet the generated the alert--which saves space and resources. Can this be replicated with snort's unified2 output mode (which I currently use)? If so, how can I query the binary file for the specific intrusion event? Thanks. ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Message not available
- Message not available
- Message not available
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Johnny Venter (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)
- Re: Logging Packets with Snort Jeremy Hoel (Oct 25)