Wednesday, July 3, 2013

New NSM and Setup packages allow for changing the default netsniff-ng PCAP size

New versions of our securityonion-nsmnow-admin-scripts and securityonion-setup packages are now available that allow you to change our default 150MB netsniff-ng PCAP size.  When you run Setup, it will still default to 150MB.  Choosing "Advanced Setup" will prompt you to specify your own PCAP_SIZE:
[Screenshot: Advanced Setup prompts for PCAP size]
This PCAP_SIZE option is then placed into /etc/nsm/HOSTNAME-INTERFACE/sensor.conf where it is sourced by the NSM scripts when they start netsniff-ng.

If you've already run Setup and want to change the default 150MB PCAP size, you can add the PCAP_SIZE option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf.  Please note that netsniff-ng accepts the following units for PCAP_SIZE:

So if you want to increase your PCAPs to 500MB, you would add the following option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf:

Then restart netsniff-ng as follows:
sudo nsm_sensor_ps-restart --only-pcap
Also, I've seen some intermittent cases where pcap_agent fails to start right after running Setup, so I've added a 5-second delay between starting netsniff-ng and starting pcap_agent to help ensure that netsniff-ng is fully initialized.

These updates resolve the following issues:
Issue 341: nsm_sensor_ps-start needs "sleep 5s" between netsniff-ng and pcap_agent
Issue 314: Update NSM scripts so that netsniff-ng pcap size is configurable by user

Thanks to JP Bourget for the NSM/Setup patches for setting the PCAP size!
Thanks to the following for testing the new package:
Matt Gregory
Liam Randall
David Zawdie

The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:

If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
