Wednesday, July 3, 2013

New NSM and Setup packages allow for changing the default netsniff-ng PCAP size

New versions of our securityonion-nsmnow-admin-scripts and securityonion-setup packages are now available that allow you to change our default 150MB netsniff-ng PCAP size.  When you run Setup, it will still default to 150MB.  Choosing "Advanced Setup" will prompt you to specify your own PCAP_SIZE:
[Screenshot: Advanced Setup prompts for PCAP size]
This PCAP_SIZE option is then placed into /etc/nsm/HOSTNAME-INTERFACE/sensor.conf where it is sourced by the NSM scripts when they start netsniff-ng.

If you've already run Setup and want to change the default 150MB PCAP size, you can add the PCAP_SIZE option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf.  Please note that netsniff-ng accepts the following units for PCAP_SIZE:
KiB
MiB
GiB

So if you want to increase your PCAPs to 500MB, you would add the following option to /etc/nsm/HOSTNAME-INTERFACE/sensor.conf:
PCAP_SIZE=500MiB

Then restart netsniff-ng as follows:
sudo nsm_sensor_ps-restart --only-pcap
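As an added illustration of the manual procedure above (this is example code, not part of the Security Onion packages), the following POSIX shell functions validate a PCAP_SIZE value against the units netsniff-ng accepts (KiB, MiB, GiB) and then set or replace the PCAP_SIZE line in a sensor.conf without creating duplicates. The sensor.conf path is passed as a parameter; on a real sensor it would be /etc/nsm/HOSTNAME-INTERFACE/sensor.conf with the actual hostname and interface filled in. Because sensor.conf is sourced by the NSM scripts, the file is written as plain shell variable assignments, which is why an unchecked value such as "500MB" is rejected here before it can reach netsniff-ng.

```shell
#!/bin/sh
# Added example, not Security Onion's own code. Validate a PCAP_SIZE value
# and set it in a sensor.conf idempotently. Assumed usage:
#   set_pcap_size /etc/nsm/HOSTNAME-INTERFACE/sensor.conf 500MiB
# followed by: sudo nsm_sensor_ps-restart --only-pcap

# Return 0 if $1 is a positive integer followed by KiB, MiB or GiB
# (the units netsniff-ng accepts); return 1 for anything else, e.g. "500MB".
pcap_size_valid() {
    case "$1" in
        [0-9]*KiB|[0-9]*MiB|[0-9]*GiB)
            num="${1%???}"               # strip the three-character unit suffix
            case "$num" in
                ''|*[!0-9]*) return 1 ;; # digits only between start and unit
            esac
            [ "$num" -gt 0 ]             # a zero-sized PCAP makes no sense
            ;;
        *) return 1 ;;
    esac
}

# Set PCAP_SIZE=$2 in the sensor.conf at $1, replacing an existing
# PCAP_SIZE line if present or appending one otherwise.
# Returns 1 (and writes to stderr) if the value fails validation.
set_pcap_size() {
    conf="$1"; size="$2"
    if ! pcap_size_valid "$size"; then
        echo "invalid PCAP_SIZE '$size': use <integer>KiB, MiB or GiB" >&2
        return 1
    fi
    if grep -q '^PCAP_SIZE=' "$conf" 2>/dev/null; then
        # Rewrite via a temp file so a partial write never truncates sensor.conf.
        tmp="$conf.tmp.$$"
        sed "s/^PCAP_SIZE=.*/PCAP_SIZE=$size/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'PCAP_SIZE=%s\n' "$size" >> "$conf"
    fi
}

# Print the PCAP_SIZE currently configured in the sensor.conf at $1
# (last occurrence wins, matching how a sourced file behaves; empty if unset).
get_pcap_size() {
    sed -n 's/^PCAP_SIZE=//p' "$1" 2>/dev/null | tail -n 1
}
```

After changing the value, the running netsniff-ng still has to be restarted with `sudo nsm_sensor_ps-restart --only-pcap`, as described above; the functions only edit the configuration file.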
Also, I've seen some intermittent cases where pcap_agent fails to start right after running Setup, so I've added a 5-second delay between starting netsniff-ng and starting pcap_agent to help ensure that netsniff-ng is fully initialized.

These updates resolve the following issues:
Issue 341: nsm_sensor_ps-start needs "sleep 5s" between netsniff-ng and pcap_agent
Issue 314: Update NSM scripts so that netsniff-ng pcap size is configurable by user

Thanks
Thanks to JP Bourget for the NSM/Setup patches for setting the PCAP size!
Thanks to the following for testing the new package:
Matt Gregory
Liam Randall
David Zawdie

Upgrading
The new package is now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
