Snort mailing list archives

Re: Logging Packets with Snort


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 25 Oct 2013 18:52:39 +0000

The interface you are talking about and using is Snorby; it's a GUI for
looking at Snort alerts.  Snort itself does not capture full packets, just
the bits that cause the event (like you see in Sourcefire).  Snorby has a
plug-in for a tool called OpenFPC (which is what you see in your logs)
that connects back to an OpenFPC client/server to get the pcap data, but
you have to run OpenFPC on the sensor and set it up.

We've found that the 'extract packets' part doesn't work great due to the
way that OpenFPC does client/server comms over many devices.  But, we do
run OpenFPC, do the full packet captures and pull the packets ourselves
with a script to the sensor that we want the data from.

The errors you are showing could be because the pcap data isn't there
anymore (how far back do your OpenFPC captures go?).

I hope that helps clarify some bits and if you need more help, let me know.

On Fri, Oct 25, 2013 at 6:45 PM, Johnny Venter <Johnny.Venter () zoho com> wrote:

Having some performance issues with my Snort sensor that has OpenFPC
installed.

Not sure if this is the right place for this question, but here goes:

I have a sensor that monitors the Internet traffic.  The interface is 1GB.
When I try to download packet captures (from Snorby) most of the time it
takes a while and then downloads a packet that is 24 bytes.  When I open
this pcap in Wireshark or tcpdump, it only displays one line: *link-type
EN10MB (Ethernet)*

When I click on the "Packet Capture Options" in Snorby:

I watch the syslog from my Snort sensor and here is the output:

Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: Accepted new connection from 127.0.0.1
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s DECODE: User netp-user assigned RID: 0 for action fetch. Comment: 0 Filetype : PCAP
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s COMMS: 127.0.0.1: RID: 15 Fetch Request OK -> WAIT!
Oct 25 14:34:15 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User: netp-user Action: fetch BPF: host 192.168.216.175 and host 192.168.216.77
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s NODE: Request: 15 User: netp-user Result: 1382726055-15.pcap, 24, ab487d36057d446b6a8b72091da72f23
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: 15 127.0.0.1 Sending File:/tmp/1382726055-15.pcap MD5: ab487d36057d446b6a8b72091da72f23
Oct 25 14:34:42 snort_s OpenfpcQ[1035]: snort_s COMMS: Uploaded 1 x 1KB chunks

So it's really hit or miss with my packet capture.  Does anyone have any
idea why this happens?

Also, in the commercial version of Snort (Sourcefire), it *seems* to
capture just the packet that generated the alert--which saves space and
resources.  Can this be replicated with Snort's unified2 output mode (which
I currently use)? If so, how can I query the binary file for the specific
intrusion event?

Thanks.



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
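Two things in the thread come down to reading binary record formats: the 24-byte pcap that OpenFPC hands back (a pcap global header with no packet records behind it, hence tcpdump printing only the link type), and Johnny's second question about pulling the packet for one intrusion event out of a unified2 file. Snort's unified2 output does log the triggering packet, as a UNIFIED2_PACKET record written after the IDS event record and keyed by the same sensor_id/event_id pair. The Python below is an added example written for this archive page; it is not code from Snort, OpenFPC, Snorby or either poster. It walks a unified2 buffer record by record (8-byte big-endian header: type, length), decodes the packet records, selects those matching a chosen event, writes them as a classic pcap, and then summarises a pcap so that a 24-byte file is reported as "link type 1, zero packets" rather than as a broken file. The record layouts follow Snort's Unified2_common.h; the sample buffer is constructed inline (it reuses the hosts, request number and timestamp from the logs above, but is not real sensor output), and the function names are this example's own.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# Record types from Snort's Unified2_common.h (only the two decoded here).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 IDS event record

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1           # what tcpdump prints as "EN10MB (Ethernet)"
PCAP_GLOBAL_HEADER_LEN = 24     # a pcap of exactly this size holds no packets


def iter_unified2_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) per record; header is two big-endian uint32: type, length."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_ids_event(body: bytes) -> Dict[str, int]:
    """Decode the leading fields of a legacy Unified2IDSEvent body."""
    sensor_id, event_id, event_second, _usec, sig_id, gen_id = struct.unpack_from("!6I", body, 0)
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "signature_id": sig_id, "generator_id": gen_id}


def parse_packet_record(body: bytes) -> Dict[str, object]:
    """Decode a Serial_Unified2Packet body: seven big-endian uint32 fields, then the frame."""
    sensor_id, event_id, event_second, pkt_sec, pkt_usec, linktype, pkt_len = \
        struct.unpack_from("!7I", body, 0)
    frame = body[28:28 + pkt_len]
    if len(frame) != pkt_len:
        raise ValueError("packet record shorter than its packet_length")
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "packet_second": pkt_sec, "packet_usec": pkt_usec, "linktype": linktype, "data": frame}


def packets_for_event(data: bytes, sensor_id: int, event_id: int) -> List[Dict[str, object]]:
    """Return the packet records Snort logged for one (sensor_id, event_id) pair."""
    out = []
    for rtype, body in iter_unified2_records(data):
        if rtype != UNIFIED2_PACKET:
            continue                      # skip event / extra-data records
        rec = parse_packet_record(body)
        if rec["sensor_id"] == sensor_id and rec["event_id"] == event_id:
            out.append(rec)
    return out


def write_pcap(packets: List[Dict[str, object]], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise packets as a classic little-endian pcap (global header + per-packet headers)."""
    blob = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        n = len(p["data"])
        blob.append(struct.pack("<IIII", p["packet_second"], p["packet_usec"], n, n))
        blob.append(p["data"])
    return b"".join(blob)


def pcap_summary(blob: bytes) -> Tuple[int, int]:
    """Return (linktype, packet_count); a 24-byte file yields a count of zero."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off, count = PCAP_GLOBAL_HEADER_LEN, 0
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack_from("<IIII", blob, off)
        off += 16 + incl_len
        count += 1
    return linktype, count


# ---- constructed sample unified2 buffer (not real sensor output) ----
def _u2_record(rtype: int, body: bytes) -> bytes:
    return struct.pack("!II", rtype, len(body)) + body

# Legacy IDS event: sensor 0, event 15, at 1382726055, sid 1000001, 192.168.216.175 -> 192.168.216.77
_EVENT = struct.pack("!11IHHBBBB", 0, 15, 1382726055, 0, 1000001, 1, 1, 3, 2,
                     0xC0A8D8AF, 0xC0A8D84D, 54321, 80, 6, 0, 0, 0)
# A 60-byte Ethernet frame: broadcast dst, made-up src MAC, IPv4 ethertype, zero payload.
_FRAME = bytes(6) + bytes.fromhex("001122334455") + b"\x08\x00" + bytes(46)
_PKT = struct.pack("!7I", 0, 15, 1382726055, 1382726055, 123456, 1, len(_FRAME)) + _FRAME
_OTHER = struct.pack("!7I", 0, 16, 1382726060, 1382726060, 1, 1, 40) + _FRAME[:40]
SAMPLE_UNIFIED2 = _u2_record(UNIFIED2_IDS_EVENT, _EVENT) + _u2_record(UNIFIED2_PACKET, _PKT) \
    + _u2_record(UNIFIED2_PACKET, _OTHER)


def demo() -> Tuple[int, int]:
    """Find the first IDS event, export its packet(s) to pcap, and summarise the result."""
    events = [parse_ids_event(b) for t, b in iter_unified2_records(SAMPLE_UNIFIED2)
              if t == UNIFIED2_IDS_EVENT]
    pkts = packets_for_event(SAMPLE_UNIFIED2, events[0]["sensor_id"], events[0]["event_id"])
    return pcap_summary(write_pcap(pkts))


if __name__ == "__main__":
    print("empty pcap:", pcap_summary(write_pcap([])))   # (1, 0): header only, 24 bytes
    print("event 15:", demo())                           # (1, 1): one exported frame
```

On a real sensor, read the unified2 file with `open(path, "rb").read()` in place of SAMPLE_UNIFIED2; the event id to look up is the one your alert viewer shows for the intrusion event. Running pcap_summary() over what OpenFPC returns is a quick way to tell "no packets matched the BPF in the retained capture window" (24 bytes, zero packets) apart from a transfer that actually failed.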
