Snort mailing list archives

Re: Snorby - Full Packet Capture
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 23 May 2013 18:03:05 +0000

OpenFPC has to run on the snort box.. and it should be a daemon that
runs and you should have a folder filling up with pcaps.  It also has
to run with the web interface on the snorby box, but it doesn't have
to capture packets.

When you make a request from snorby to pull the pcap, it connects to
its local web interface for openfpc and queries the remote server to
fetch the packets.

Try pulling them locally from the snort box using the
openfpc-client.  Then try connecting to the snorby server's openfpc
web interface and try pulling packets from there.

If that second part doesn't work, check firewall settings and maybe
run tcpdump on the snorby box, looking at the port for openfpc comms
(I forget what it is) and watch the communication.



On Thu, May 23, 2013 at 5:53 PM, johnny.venter <johnny.venter () zoho com> wrote:
Hello,

I have the following setup:

(1) Snort v2.9.4 sensor running on Ubuntu 12.04LTS. I use Barnyard 2.1.11 to process unified2 logs to MySQL Server v5.5.29
(1) Snorby v2.61 instance running on Ubuntu 12.04LTS.

Goal:
I'm trying to enable full packet capture within the Snorby interface.  I *just* watched the video from https://snorby.org/ on the home page that depicts the ability to generate/download the packet session.

What I've done:
I followed the instructions and installed the packages from https://github.com/Snorby/snorby/wiki/Enabling-full-packet-capture on my Snorby instance (which is a *separate* system from my Snort instance).

Results:
After the above install succeeds (I ran , I restart Snorby using the commands "bundle exec rake snorby:setup" & "bundle exec rails server -e production".  Snorby runs without any issues and I can see alerts.  After configuring OpenFPC from http://leonward.wordpress.com/2010/12/06/insta-snorby-0-4-with-openfpc/, I can download packets.  However, all of my pcap files are 24 bytes in size and they are empty when I view them in Wireshark; it states "No Packets".

Is this because I have the Snort and Snorby on 2 different systems?  Or something else?


Thanks,

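The 24-byte files described above are exactly the size of a libpcap global header with no packet records behind it, which is what an OpenFPC extraction returns when the daemon found nothing for the requested session. The script below is an added example, not part of either message and not OpenFPC or Snorby code: it parses a pcap file in memory, reports snaplen, link type and packet count, and flags the header-only case and truncated files so the check can be run on the sensor's own pcap directory before chasing the web-interface path. The two sample captures at the bottom are constructed inline (a fabricated Ethernet header, a fabricated timestamp) so the script runs offline.

```python
import struct

# libpcap magic numbers: microsecond and nanosecond variants, both byte orders
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
}
# magic(4) + ver_major(2) + ver_minor(2) + thiszone(4) + sigfigs(4) + snaplen(4) + linktype(4)
GLOBAL_HEADER_LEN = 24
# ts_sec(4) + ts_frac(4) + incl_len(4) + orig_len(4)
RECORD_HEADER_LEN = 16


def inspect_pcap(data):
    """Parse a libpcap file held in memory and summarise what it contains."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header: %d bytes" % len(data))
    try:
        order, ts_unit = _MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a libpcap file: unknown magic %r" % data[:4])
    ver_major, ver_minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])

    offset = GLOBAL_HEADER_LEN
    packets = 0
    captured_bytes = 0
    truncated = False
    while offset < len(data):
        # a record header must fit completely, otherwise the file was cut short
        if offset + RECORD_HEADER_LEN > len(data):
            truncated = True
            break
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        # incl_len may never exceed snaplen, and the payload must be present
        if incl_len > snaplen or offset + incl_len > len(data):
            truncated = True
            break
        packets += 1
        captured_bytes += incl_len
        offset += incl_len

    return {
        "version": (ver_major, ver_minor),
        "byte_order": "little" if order == "<" else "big",
        "timestamp_unit": ts_unit,
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "captured_bytes": captured_bytes,
        "truncated": truncated,
        # the symptom from the thread: a valid header and nothing else
        "header_only": len(data) == GLOBAL_HEADER_LEN,
    }


def inspect_pcap_file(path):
    """Convenience wrapper for files on disk, e.g. the daemon's pcap directory."""
    with open(path, "rb") as fh:
        return inspect_pcap(fh.read())


# Constructed sample inputs (not real captures).
# Global header: version 2.4, snaplen 65535, linktype 1 (LINKTYPE_ETHERNET).
EMPTY_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# One record carrying a fabricated 14-byte Ethernet header (broadcast dst, ARP ethertype).
_FRAME = bytes.fromhex("ffffffffffff" "0200deadbeef" "0806")
ONE_PACKET_PCAP = EMPTY_PCAP + struct.pack("<IIII", 1369332185, 0, len(_FRAME), len(_FRAME)) + _FRAME


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        print(path, inspect_pcap_file(path))
    print("constructed empty capture:", inspect_pcap(EMPTY_PCAP))
    print("constructed one-packet capture:", inspect_pcap(ONE_PACKET_PCAP))
```

Run it as `python inspect_pcap.py /path/to/extracted.pcap` (the file name is an assumption). A result with `header_only` true means the extraction produced a well-formed but empty file, so the question is whether the capture daemon on the sensor ever wrote packets for that time window and flow, not whether the transfer to Snorby corrupted them; a `truncated` result points instead at a copy or download that was cut short.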

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!