Snort mailing list archives

Re: OPENFPC Proxy merge


From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 6 Jan 2014 15:05:28 +0000

Oh, just for some clarity in case someone is looking at this to fix their
instance: the ".so" only was a typo on my part when copying the file, missing
the ".0" off the end. So basically the .2 stuff is what it is now, but both
libwsutil and libwiretap are looking for .so.0, so doing a find for the file
and then copying it into the filename it is looking for fixed it for me.
Obviously when wireshark, which provides these for mergecap, was updated it
changed.

find / -name "*libwsutil*"
/usr/lib64/libwsutil.so.2
*/usr/lib64/libwsutil.so* <<< typo and wasn't there by default
/usr/lib64/libwsutil.so.2.0.0

Thanks again for all your help,
Kevin
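An added example, not from Kevin's post or from the OpenFPC project: a small POSIX shell script that reads `ldd` output for a binary, reports every dependency the loader marks "not found", and lists the installed files that share the library's base name, so the soname mismatch (libwsutil.so.0 wanted, libwsutil.so.2 installed) is visible before anything is copied or linked. The `ldd` output and file list embedded in the script are constructed to mirror the errors in this thread. A soname bump from .so.0 to .so.2 signals that the library's ABI changed, so a mergecap binary built against the old soname can still misbehave once a renamed copy satisfies the loader; reinstalling or rebuilding mergecap against the installed wireshark libraries is the durable fix, and this script only locates the mismatch.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenFPC project): locate shared
# libraries a binary cannot load and show which versions of the same library
# are actually installed.

# Extract the soname of every dependency ldd reports as missing.
# Input: ldd output on stdin. Output: one soname per line.
missing_sonames() {
    awk '/=> not found/ { print $1 }'
}

# Given a missing soname and candidate library paths (one per line on stdin),
# print those with the same base library name, e.g. for libwsutil.so.0 print
# every .../libwsutil.so, .so.N, .so.N.M.K file and nothing else.
candidates_for() {
    soname=$1
    base=${soname%%.so*}          # libwsutil.so.0 -> libwsutil
    grep -E "/${base}\.so(\.[0-9]+)*$"
}

# Report for a real binary: run ldd and search the usual library directories.
# Usage: report /usr/bin/mergecap
report() {
    bin=$1
    ldd "$bin" | missing_sonames | while read -r so; do
        echo "missing: $so"
        find /lib /lib64 /usr/lib /usr/lib64 -name "${so%%.so*}.so*" 2>/dev/null \
            | candidates_for "$so" | sed 's/^/  installed: /'
    done
}

# Constructed sample data mirroring the errors quoted in this thread.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff00000000)
	libwiretap.so.0 => not found
	libwsutil.so.0 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

SAMPLE_FILES='/usr/lib64/libwsutil.so.2
/usr/lib64/libwsutil.so.2.0.0
/usr/lib64/libwiretap.so.2
/usr/lib64/libwsutil.la'

# Offline demonstration on the constructed data: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDD" | missing_sonames
    printf '%s\n' "$SAMPLE_FILES" | candidates_for libwsutil.so.0
fi
```

On a live host, `report /usr/bin/mergecap` prints each missing soname followed by the installed files with the same base name; when the only candidates carry a different major version, the binary and the library package were built for different ABIs, which is the condition to fix rather than paper over.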


On 6 January 2014 12:14, Kevin Ross <kevross33 () googlemail com> wrote:

Yipeee I got it working (at least on one local collector but I imagine I
will get it working on my other one and the web interface will work). I got
the following 2 errors (the second came up after I fixed the first)

Merge command is "/usr/bin/mergecap -w /tmp/1389009687-2.pcap
/tmp/mN8Mph4zQ0/1389009687-2.pcap-1389009508.pcap"
/usr/bin/mergecap: error while loading shared libraries: libwiretap.so.0:
cannot open shared object file: No such file or directory

Merge command is "/usr/bin/mergecap -w /tmp/1389010129-2.pcap
/tmp/l9uKBGa8q1/1389010129-2.pcap-1389009904.pcap"
/usr/bin/mergecap: error while loading shared libraries: libwsutil.so.0:
cannot open shared object file: No such file or directory

Now doing a find on them returned this pretty much for both of them (with
the respective library).
find / -name "*libwsutil*"
/usr/lib64/libwsutil.so.2
/usr/lib64/libwsutil.so
/usr/lib64/libwsutil.so.2.0.0

Doing cp /usr/lib64/libwsutil.so /usr/lib64/libwsutil.so.0 for each of
them respectively (so the libwiretap too) so it could find the file seems
to have fixed this. I guess a wireshark update in Centos 6.4 changed the
naming and thus broke it as wireshark provides these.

Thanks for taking the time to help me out.

Kindest Regards,
Kevin Ross


On 30 December 2013 11:39, Leon Ward <lward () sourcefire com> wrote:

Hi Kevin,

It's likely that there are some errors in syslog you can use to work out
what's causing the problem. If there is nothing obvious in syslog you could
start the queue daemon in debug mode, however make sure you run it in the
context of the same user that starts the daemon itself; In my case that's a
user called 'openfpc'.

The simplest method would be to "sudo" to the user, and then run the
following interactively on the console.

lward@Dev:~$ sudo -i                            # for root access
root@Dev:~# sudo -u openfpc /bin/bash  # Interactive shell as the openfpc user
bash: /root/.bashrc: Permission denied
openfpc@Dev:~$ whoami
openfpc
openfpc@Dev:~$ openfpc-queued -c /etc/openfpc/openfpc-default.conf --debug
Mon Dec 30 11:27:04 2013 GMT: NONAME DEBUG Enabled
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: SHA1 passwords enabled
- Reading /etc/openfpc/openfpc.passwd
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Adding user "admin"
PassHash "XXXX"
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Adding user "openfpc"
PassHash "XXXX"
Mon Dec 30 11:27:04 2013 GMT: Default_Node START: *********** OpenFPC 0.6
**********
Mon Dec 30 11:27:04 2013 GMT: Default_Node START: **
http://www.openfpc.org    **
Mon Dec 30 11:27:04 2013 GMT: Default_Node START: Starting OFPC Node
"Default_Node" as an OpenFPC Node
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Node Description: "An
OpenFPC node. www.openfpc.org"
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Enabled : y
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: local savedir : /tmp
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Buffer Path :
/var/tmp/openfpc/pcap
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: mergecap :
/usr/bin/mergecap
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: tcpdump :
/usr/sbin/tcpdump
Mon Dec 30 11:27:04 2013 GMT: Default_Node DEBUG: Keep files : 0
Mon Dec 30 11:27:04 2013 GMT: Default_Node START: Starting listener on
TCP:4242

<snip>
Then make your request. You'll see something like the below take place.
The exact output will vary because I'm running a different version to you:

Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 127.0.0.1: RID: 2
Fetch Request OK -> WAIT!
Mon Dec 30 11:30:51 2013 GMT: Default_Node NODE : Request: 2 User: admin
Action: fetch BPF: host 192.168.43.1
Mon Dec 30 11:30:51 2013 GMT: Default_Node DEBUG: WARNING vdebug not
enabled to inspect pcap filename selection
Mon Dec 30 11:30:51 2013 GMT: Default_Node DEBUG: PCAP roster (2 files in
total) for extract is:
/var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.1387894639
/var/tmp/openfpc/pcap/openfpc-Default_Node.pcap.1387886703
Mon Dec 30 11:30:51 2013 GMT: Default_Node DEBUG: Doing Extraction with
BPF host 192.168.43.1 into tempdir /tmp/IUriAdyGjy
Mon Dec 30 11:30:51 2013 GMT: Default_Node EXTR : Merge command is
"/usr/bin/mergecap -w /tmp/1388403051-2.pcap
 /tmp/IUriAdyGjy/1388403051-2.pcap-1387894639.pcap
/tmp/IUriAdyGjy/1388403051-2.pcap-1387886703.pcap"
Mon Dec 30 11:30:51 2013 GMT: Default_Node NODE : Request: 2 User: admin
Result: 1388403051-2.pcap, 24, ab487d36057d446b6a8b72091da72f23
Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 2 127.0.0.1 Sending
File:/tmp/1388403051-2.pcap MD5: ab487d36057d446b6a8b72091da72f23
Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: Uploaded 1 x 1KB chunks
Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 127.0.0.1 Request: 2 :
Transfer complete
Mon Dec 30 11:30:51 2013 GMT: Default_Node COMMS: 127.0.0.1 Request: 2 :
Cleaning up.

Cheers

-Leon



On 19 December 2013 10:49, Kevin Ross <kevross33 () googlemail com> wrote:

Something else to note is that I have checked the traffic is there and
then requested using the openfpc-client tool. When I do ps aux | grep
tcpdump when I have made the request (using a second shell) I can see
tcpdump processes going through the PCAPs with the correct filters as I
would expect. It just doesn't seem to get the traffic back out.


On 19 December 2013 08:31, Kevin Ross <kevross33 () googlemail com> wrote:

Hi,

Yup, confirmed data is definitely in those PCAPs I am requesting using
tcpdump. When I request the same data using the openfpc-client tool it
does not work. How do I enable more debug/where do I look for more
information on what it is having issues with (as -d isn't showing me the
failure reason)?

Thanks,
Kevin


On 18 December 2013 15:49, Jeremy Hoel <jthoel () gmail com> wrote:

If you go to where your pcaps are kept and look at them, can you
tcpdump the packets that you are looking for? Let's make sure the data is
there.

Once that works we can turn on debug for a few more things. Adding
the debug to the client doesn't always turn it on for the other parts.

On Dec 18, 2013 6:11 AM, "Kevin Ross" <kevross33 () googlemail com>
wrote:

Hi,

Still no luck with it and no idea what is actually wrong. I have tried
a debug run directly on the hosts (the capture nodes):

----Config----
Server   :  localhost
Port     :  4242
User     :  REMOVED
Action   :  fetch
Logtype  :  auto
Logline  :  0
Filename :  /tmp/out.pcap
SumType  :  0
Last     :  30
stime    :  1387371705 Wed Dec 18 13:01:45 2013
etime    :  1387371735 Wed Dec 18 13:02:15 2013


   * openfpc-client 0.6 *
   Part of the OpenFPC project

Logline created from session IDs: ofpc-v1 type:search sip:REMOVED
stime:1387371705 etime:1387371735 timestamp:
Password for user fpc :
DEBUG: Connected to localhost
DEBUG: Sent Request
Problem processing request: 0

I thought maybe it was an SELINUX issue so I have both relabelled the
filesystem and then after that not working I have disabled SELINUX but
still doesn't work. It is running according to status & also it is making
captures on the disk fine.

Thanks,
Kevin


On 17 December 2013 20:32, Leon Ward <lward () sourcefire com> wrote:

Trying to send again. I don't think the 1st try made it to the
list...


On 17 December 2013 12:09, Joel Esler (jesler) <jesler () cisco com> wrote:

Forwarded to the developer.


Yeah, that would be me - although I'm fighting to find any time to
look at it right now so it's becoming a little out of date. I've got a long
todo list to work through. Are there any logs you could share to
help work out what could be broken?

I suggest you start up the openfpc daemon interactively with --debug
and make the request again.

-L



On Dec 17, 2013, at 11:25 AM, Kevin Ross <kevross33 () googlemail com>
wrote:

Hi,

Running openfpc. Was working fine for months and months and now
this when I try and get a PCAP (nothing changed aside from maybe updates):
unable to proxy-merge

Has anyone run into this (I am asking on this userlist as it was
a sourcefire employee made tool :)

Thanks,
Kevin

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


