Snort mailing list archives
Re: Snorby - Full Packet Capture
From: "johnny.venter" <johnny.venter () zoho com>
Date: Fri, 24 May 2013 04:56:03 -0700
Thanks Jeremy, that did it. I enabled the "server" portion of OpenFPC on the Snort box and the "client" version on the Snorby box.

Another question: I will have multiple Snort servers in the near future. Snorby only allows one (1) OpenFPC URL. If I have multiple Snort servers, how can I grab the packet capture from each Snort server? Do I need one Snorby server per Snort server? Thanks.

---- On Thu, 23 May 2013 11:03:05 -0700 Jeremy Hoel wrote ----
OpenFPC has to run on the Snort box, and it should be a daemon that runs, and you should have a folder filling up with pcaps. It also has to run with the web interface on the Snorby box, but it doesn't have to capture packets. When you make a request from Snorby to pull the pcap, it connects to its local web interface for OpenFPC and queries the remote server to fetch the packets.

Try pulling them locally from the Snort box using the openfpc-client. Then try connecting to the Snorby server's OpenFPC web interface and try pulling packets from there. If that second part doesn't work, check firewall settings and maybe run tcpdump on the Snorby box, looking at the port for OpenFPC comms (I forget what it is), and watch the communication.

On Thu, May 23, 2013 at 5:53 PM, johnny.venter wrote:

Hello, I have the following setup:
(1) Snort v2.9.4 sensor running on Ubuntu 12.04 LTS. I use Barnyard 2.1.11 to process unified2 logs to MySQL Server v5.5.29.
(1) Snorby v2.61 instance running on Ubuntu 12.04 LTS.

Goal: I'm trying to enable full packet capture within the Snorby interface. I *just* watched the video from https://snorby.org/ on the home page that depicts the ability to generate/download the packet session.

What I've done: I followed the instructions and installed the packages from https://github.com/Snorby/snorby/wiki/Enabling-full-packet-capture on my Snorby instance (which is a *separate* system from my Snort instance).

Results: After the above install succeeds (I ran ), I restart Snorby using the commands "bundle exec rake snorby:setup" & "bundle exec rails server -e production". Snorby runs without any issues and I can see alerts. After configuring OpenFPC from http://leonward.wordpress.com/2010/12/06/insta-snorby-0-4-with-openfpc/, I can download packets. However, all of my pcap files are 24 bytes in size and they are empty when I view them in Wireshark; it states "No Packets". Is this because I have Snort and Snorby on 2 different systems? Or something else?
Thanks,

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt. New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
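The 24-byte pcap files described in this thread are exactly the size of a libpcap global header with no packet records behind it, which is why Wireshark reports "No Packets". As an added example (not part of this thread, and not OpenFPC or Snorby code), here is a small Python check that parses the pcap header and counts the records in a downloaded capture, so an empty response from the OpenFPC fetch can be spotted before opening it in Wireshark. The sample byte strings are constructed inline; the Ethernet record in the second sample is a zero-filled dummy frame.

```python
import struct
import sys

GLOBAL_HDR_LEN = 24   # libpcap file header: magic, version, tz, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # per-packet header: ts_sec, ts_frac, incl_len, orig_len

# Magic read as a little-endian uint32 -> (struct byte order, timestamp resolution)
MAGICS = {
    0xA1B2C3D4: ("<", "usec"), 0xD4C3B2A1: (">", "usec"),
    0xA1B23C4D: ("<", "nsec"), 0x4D3CB2A1: (">", "nsec"),
}


def inspect_pcap(data: bytes) -> dict:
    """Parse a libpcap file held in memory and count its packet records."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short to be a pcap file (%d bytes)" % len(data))
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    endian, ts_unit = MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    packets, off = 0, GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        # A record longer than snaplen or running past EOF means a truncated/corrupt file
        if incl_len > snaplen or off + RECORD_HDR_LEN + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        packets += 1
        off += RECORD_HDR_LEN + incl_len
    if off != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - off))
    return {"version": (major, minor), "linktype": linktype, "snaplen": snaplen,
            "timestamp_unit": ts_unit, "packets": packets,
            "header_only": len(data) == GLOBAL_HDR_LEN}


# Constructed samples (not real OpenFPC output): the 24-byte header-only file the
# thread describes, and the same header followed by one 42-byte dummy Ethernet record.
EMPTY_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
ONE_PACKET_PCAP = EMPTY_PCAP + struct.pack("<IIII", 1369310400, 0, 42, 42) + bytes(42)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = inspect_pcap(fh.read())
        verdict = ("HEADER ONLY - no packets returned" if info["header_only"]
                   else "%d packet(s)" % info["packets"])
        print("%s: %s (linktype %d, snaplen %d)" % (path, verdict, info["linktype"], info["snaplen"]))
```

Run it against the files Snorby downloads; a "HEADER ONLY" verdict means the OpenFPC server answered but had no packets for the requested session, which points at the capture side rather than the download side.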