Re: Snorby - Full Packet Capture

["johnny.venter" <johnny.venter () zoho com>]

Thanks Jeremy, that did it.  I enabled the "server" portion of OpenFPC on the Snort box and the "client" version on the 
Snorby box.

Another question: I will have multiple Snort servers in the near future.  Snorby only allows one (1) OpenFPC URL.  If I 
have multiple Snort servers, how can I grab the packet capture from each Snort server?  Do I need on Snorby server per 
Snort server?

Thanks.

---- On Thu, 23 May 2013 11:03:05 -0700 Jeremy Hoel  wrote ---- 

> OpenFPC has to run on the snort box.. and it should be a daemon that 
> runs and you should have a folder filling up with pcaps. It also has 
> to run with the web interface on the snorby box, but it doesn't have 
> to capture packets. 
>
> When you make a request from snorby to pull the pcap, it connects to 
> it's local web interface for openfpc and queries the remote server to 
> fetch the packets. 
>
> Trying pulling them locally from the snort box using the 
> openfpc-client. Then try connecting to the snorby server's openfpc 
> web interface and trying pulling packets from there. 
>
> If that second part doesn't work, check firewall settings and maybe 
> run tcpdump on the snorby box, looking at the port for openfpc comms 
> (i forget what it is) and watch the communication. 
>
>
>
> On Thu, May 23, 2013 at 5:53 PM, johnny.venter  wrote: 
> > Hello, 
> >
> > I have the following setup: 
> >
> > (1) Snort v2.9.4 sensor running on Ubuntu 12.04LTS. I use Barnyard 2.1.11 to process unified2 logs to MySQL Server 
> > v5.5.29 
> > (1) Snorby v2.61 instance running on Ubuntu 12.04LTS. 
> >
> > Goal: 
> > I'm trying to enable full packet capture within the Snorby interface. I *just* watched video from 
> > https://snorby.org/ on the home page that depicts the ability to generate/download the packet session. 
> >
> > What I've done: 
> > I followed the instructions and installed the packages from: 
> > https://github.com/Snorby/snorby/wiki/Enabling-full-packet-capture 
> > on my Snorby instance (which is a *separate*) system from my Snort instance. 
> >
> > Results: 
> > After the above install succeeds (I ran , I restart Snorby using the commands: "bundle exec rake snorby:setup" & 
> > "bundle exec rails server -e production". Snorby runs without any issues and I can see alerts. After configuring 
> > OpenFPC from (http://leonward.wordpress.com/2010/12/06/insta-snorby-0-4-with-openfpc/), I can download packets. 
> > However, all of my pcap files are 24 bytes in size and they are empty when I view them in Wireshark, it states No 
> > Packets. 
> >
> > Is this because I have the Snort and Snorby on 2 different systems? Or something else? 
> >
> >
> > Thanks, 
> >
> >
> > ------------------------------------------------------------------------------ 
> > Try New Relic Now & We'll Send You this Cool Shirt 
> > New Relic is the only SaaS-based application performance monitoring service 
> > that delivers powerful full stack analytics. Optimize and monitor your 
> > browser, app, & servers with just a few lines of code. Try New Relic 
> > and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may 
> > _______________________________________________ 
> > Snort-users mailing list 
> > Snort-users () lists sourceforge net 
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive: 
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news! 


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!