Retrieving PCAPs using CapMe
CapMe now allows you to retrieve the actual pcap file. There are two ways to do this:
1. On the CapMe main page, change the Output option to "pcap" and click the "submit" button. The pcap will automatically download.
2. If you choose a tcpflow or bro transcript, hyperlinks to the full pcap will be placed at the top and bottom of the transcript page.
Timezone Support
If you had previously configured Snorby to render timestamps in your local timezone, you would have noticed that pivoting to CapMe would not work since CapMe expects the timestamps to be in UTC.
The new package is securityonion-capme - 20121213-0ubuntu0securityonion17 and it resolves the following issues:
Issue 413: Extend CapMe to pull pcap file
https://code.google.com/p/security-onion/issues/detail?id=413
Issue 449: CapMe: add timeout:0 to ELSA query
https://code.google.com/p/security-onion/issues/detail?id=449
Issue 450: CapMe: add support for Snorby timezones
https://code.google.com/p/security-onion/issues/detail?id=450
It has been tested by the following (thanks!):
David Zawdie
The new package is now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
Release Notes
- When you submit a CapMe request, it creates a symlink to the actual pcap in /var/www/capme/pcap/.
- /etc/cron.d/capme is a cron job that runs every minute and deletes any symlinks in /var/www/capme/pcap/ older than five minutes.
- Please be reminded that the management interface of your master server (where CapMe runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
https://code.google.com/p/security-onion/wiki/Firewall
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
No comments:
Post a Comment