Monday, January 6, 2014

New CapMe package allows you to download PCAP files

I've updated our CapMe package with some new features.

Retrieving PCAPs using CapMe
CapMe now allows you to retrieve the actual pcap file.  There are two ways to do this:

1.  On the CapMe main page, change the Output option to "pcap" and click the "submit" button.  The pcap will automatically download.



2.  If you choose a tcpflow or bro transcript, hyperlinks to the full pcap will be placed at the top and bottom of the transcript page.



Timezone Support
If you had previously configured Snorby to render timestamps in your local timezone, you would have noticed that pivoting to CapMe would not work since CapMe expects the timestamps to be in UTC.


CapMe now supports setting your local timezone so that it can convert timestamps back to UTC and find sessions properly.  Set your local timezone in /var/www/capme/.inc/timezone.php.


Updating
The new package is securityonion-capme - 20121213-0ubuntu0securityonion17 and it resolves the following issues:

Issue 413: Extend CapMe to pull pcap file
https://code.google.com/p/security-onion/issues/detail?id=413

Issue 449: CapMe: add timeout:0 to ELSA query
https://code.google.com/p/security-onion/issues/detail?id=449

Issue 450: CapMe: add support for Snorby timezones
https://code.google.com/p/security-onion/issues/detail?id=450

It has been tested by the following (thanks!):
David Zawdie

The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade


Release Notes

  • When you submit a CapMe request, it creates a symlink to the actual pcap in /var/www/capme/pcap/.  
  • /etc/cron.d/capme is a cron job that runs every minute and deletes any symlinks in /var/www/capme/pcap/ older than five minutes. 
  • Please be reminded that the management interface of your master server (where CapMe runs) should be connected to a dedicated management network or locked down via firewall rules to only accept connections from analyst IP addresses:
    https://code.google.com/p/security-onion/wiki/Firewall

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.