Snort mailing list archives

Re: Snorby - Full Packet Capture


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 24 May 2013 14:53:08 +0000

You enabled it backwards.  :-)

The server/proxy part should be on Snorby and the client, data
collection piece should be on Snort.

As for multiple servers, we run 50 sensors to one snorby box.  The
URL/proxy/multiple server idea works, in theory, but it doesn't have a
good way to request traffic from one sensor.. instead it goes down a
list and asks each sensor if they have the packets, one at a time and
then when they reply, it goes to the next one.. and the next one down
the list.. until the web query times out.  It might work great for
just 3 or 4 sites.. but we haven't taken the time to figure out how to
make it work better (i.e. get packets from the one sensor that the
event is on directly, vs all sensors).

What we've done is built a wrapper around the openfpc-client command
and in the wrapper we added our sensors and then we can query the
sensor directly with a simple script.

On Fri, May 24, 2013 at 11:56 AM, johnny.venter <johnny.venter () zoho com> wrote:
Thanks Jeremy, that did it.  I enabled the "server" portion of OpenFPC on the Snort box and the "client" version on 
the Snorby box.

Another question: I will have multiple Snort servers in the near future.  Snorby only allows one (1) OpenFPC URL.  If
I have multiple Snort servers, how can I grab the packet capture from each Snort server?  Do I need one Snorby server
per Snort server?

Thanks.

---- On Thu, 23 May 2013 11:03:05 -0700 Jeremy Hoel wrote ----

OpenFPC has to run on the snort box.. and it should be a daemon that
runs and you should have a folder filling up with pcaps. It also has
to run with the web interface on the snorby box, but it doesn't have
to capture packets.

When you make a request from snorby to pull the pcap, it connects to
its local web interface for openfpc and queries the remote server to
fetch the packets.

Try pulling them locally from the snort box using the
openfpc-client. Then try connecting to the snorby server's openfpc
web interface and try pulling packets from there.

If that second part doesn't work, check firewall settings and maybe
run tcpdump on the snorby box, looking at the port for openfpc comms
(i forget what it is) and watch the communication.



On Thu, May 23, 2013 at 5:53 PM, johnny.venter wrote:
Hello,

I have the following setup:

(1) Snort v2.9.4 sensor running on Ubuntu 12.04LTS. I use Barnyard 2.1.11 to process unified2 logs to MySQL Server v5.5.29
(1) Snorby v2.61 instance running on Ubuntu 12.04LTS.

Goal:
I'm trying to enable full packet capture within the Snorby interface. I *just* watched a video from
https://snorby.org/ on the home page that depicts the ability to generate/download the packet session.

What I've done:
I followed the instructions and installed the packages from:
https://github.com/Snorby/snorby/wiki/Enabling-full-packet-capture
on my Snorby instance (which is a *separate* system from my Snort instance).

Results:
After the above install succeeds (I ran , I restart Snorby using the commands: "bundle exec rake snorby:setup" &
"bundle exec rails server -e production". Snorby runs without any issues and I can see alerts. After configuring
OpenFPC from (http://leonward.wordpress.com/2010/12/06/insta-snorby-0-4-with-openfpc/), I can download packets.
However, all of my pcap files are 24 bytes in size and they are empty when I view them in Wireshark; it states "No
Packets".

Is this because I have the Snort and Snorby on 2 different systems? Or something else?


Thanks,


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
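The wrapper Jeremy describes in the top reply (a script that knows which OpenFPC node belongs to which Snort sensor and asks that one node directly, instead of letting the Snorby proxy walk every sensor) can be sketched as below. This is an added example, not OpenFPC's, Snorby's or the poster's own code: the sensor names, hosts, the 4242 port and the event values are constructed, and the openfpc-client flags used (-a fetch, --server, --port, --user, --password, --src-addr, --dst-addr, --timestamp, -w) are assumed from the fetch action as I remember it, so confirm them against `openfpc-client --help` on your install before relying on this.

```shell
#!/bin/sh
# Added example (not OpenFPC's or the poster's code): map a Snort sensor name to
# the OpenFPC node that captured its traffic and build the openfpc-client fetch
# for that single node, rather than querying every sensor through the proxy.

# Constructed sensor table: "<sensor-name> <openfpc-host> <port>".
# Assumption: each sensor runs the OpenFPC node daemon on 4242.
SENSORS='
sensor-dc1 10.0.1.10 4242
sensor-dc2 10.0.2.10 4242
sensor-dmz 192.0.2.10 4242
'

# Print "host port" for a sensor name; return non-zero if it is unknown.
sensor_endpoint() {
    printf '%s\n' "$SENSORS" |
        awk -v s="$1" '$1 == s { print $2, $3; found = 1 } END { exit !found }'
}

# Build (print, do not run) the openfpc-client command for one event.
# Arguments: sensor src-ip dst-ip event-epoch-time output-file.
# Flags are assumed from openfpc-client's fetch action; check --help.
build_fetch_cmd() {
    sensor=$1; src=$2; dst=$3; ts=$4; out=$5
    endpoint=$(sensor_endpoint "$sensor") || { echo "unknown sensor: $sensor" >&2; return 1; }
    set -- $endpoint
    host=$1; port=$2
    printf 'openfpc-client -a fetch --server %s --port %s --user %s --password %s --src-addr %s --dst-addr %s --timestamp %s -w %s\n' \
        "$host" "$port" "${OPENFPC_USER:-openfpc}" "${OPENFPC_PASS:-openfpc}" \
        "$src" "$dst" "$ts" "$out"
}

# Run the fetch for one event, or just show the command when DRY_RUN=1.
fetch_event_pcap() {
    cmd=$(build_fetch_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        eval "$cmd"
    fi
}

# Usage: ./fpc-fetch.sh <sensor> <src-ip> <dst-ip> <event-epoch> <out.pcap>
if [ "$#" -ge 5 ]; then
    fetch_event_pcap "$@"
fi
```

The sensor name is whatever Snorby records for the event (the sensor's hostname is the obvious key), and the epoch timestamp comes from the event itself. Two practical caveats: passing --password on the command line exposes it in the process list, so prefer a credential file or environment variable if your openfpc-client build supports one; and a fetch that returns a 24-byte file (a bare pcap header, as in the original question) means the node answered but had no matching packets, so check that the node you queried is actually the one capturing that segment.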
