HOW TO USE THE SNIFFER IN COLLECT MODE


"Collect" mode causes the sniffer to write messages about packets and snort alerts to disk for retrieval later by the Collector Feed. The data is stored chronologically, in compressed form; the Collector Feed allows you to pull a specific timerange of data from storage and load it into the console. Collect mode is like a flight recorder for the network the sniffer is plugged into.

1. Create keypairs for server and client, using the following commands:

keytool -genkey -alias server -keyalg RSA -keystore hubserver.jks -storepass deepnode
keytool -genkey -alias client -keyalg RSA -keystore hubclient.jks

keytool -export -file server.cert -keystore hubserver.jks -storepass deepnode -alias server
keytool -export -file client.cert -keystore hubclient.jks -alias client

keytool -import -file client.cert -keystore hubserver.jks -storepass deepnode -alias client
keytool -import -file server.cert -keystore hubclient.jks -alias server

Because no -storepass is given for the client keystore, keytool will prompt you for its password. The password for the server keystore must be "deepnode". Make each key password the same as its keystore password. Two caveats: keytool's default certificate validity is only 90 days, so add "-validity <days>" to the -genkey commands if you want the pair to last longer; and because the server keystore password is fixed and published, it protects nothing on its own, so keep hubserver.jks readable only by the user that runs the sniffer.
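As an added example, not part of this page or of the deepnode distribution, the script below runs the same keytool steps as step 1 non-interactively with an explicit key size and certificate lifetime, restricts the file permissions, and then verifies the cross-import by counting entries and comparing certificate fingerprints. The output directory, the client password "clientsecret", and the CN values are assumptions; the server password "deepnode" is the value the page requires.

```shell
#!/bin/sh
# Added example, not part of the deepnode page or distribution: the keytool
# steps from step 1 done non-interactively, with explicit key size and
# certificate lifetime, followed by a check that each keystore really holds
# the other side's certificate.
set -eu

# The page fixes the server keystore password; the client password is chosen
# by the caller (the page lets keytool prompt for it).
SERVER_PASS=deepnode

# make_hub_keystores DIR CLIENT_PASS
#   Creates DIR/hubserver.jks and DIR/hubclient.jks, each holding its own key
#   pair plus the other side's certificate as a trusted entry.
make_hub_keystores() {
    dir=$1
    client_pass=$2
    mkdir -p "$dir"
    # -genkeypair is the current spelling of -genkey. -storetype JKS matches
    # the .jks names the sniffer and collector expect (newer keytool defaults
    # to PKCS12). -validity is explicit because keytool's default is 90 days.
    # -dname replaces the interactive identity prompts; the CNs are assumed.
    # Key password equals keystore password, as the page requires.
    keytool -genkeypair -alias server -keyalg RSA -keysize 3072 -validity 3650 \
        -storetype JKS -dname "CN=deepnode-hub-server" \
        -keystore "$dir/hubserver.jks" -storepass "$SERVER_PASS" -keypass "$SERVER_PASS"
    keytool -genkeypair -alias client -keyalg RSA -keysize 3072 -validity 3650 \
        -storetype JKS -dname "CN=deepnode-collector-client" \
        -keystore "$dir/hubclient.jks" -storepass "$client_pass" -keypass "$client_pass"
    # Export each side's certificate ...
    keytool -exportcert -alias server -file "$dir/server.cert" \
        -keystore "$dir/hubserver.jks" -storepass "$SERVER_PASS"
    keytool -exportcert -alias client -file "$dir/client.cert" \
        -keystore "$dir/hubclient.jks" -storepass "$client_pass"
    # ... and import it into the other side's keystore as a trusted entry.
    # -noprompt answers the "Trust this certificate?" question.
    keytool -importcert -noprompt -alias client -file "$dir/client.cert" \
        -keystore "$dir/hubserver.jks" -storepass "$SERVER_PASS"
    keytool -importcert -noprompt -alias server -file "$dir/server.cert" \
        -keystore "$dir/hubclient.jks" -storepass "$client_pass"
    # Both files contain private keys, and the server password is public.
    chmod 600 "$dir/hubserver.jks" "$dir/hubclient.jks"
}

# count_entries KEYSTORE PASS TYPE
#   Prints how many entries of TYPE (PrivateKeyEntry or trustedCertEntry)
#   the keystore holds. Expect one of each in both hub keystores.
count_entries() {
    keytool -list -J-Duser.language=en -keystore "$1" -storepass "$2" | grep -c "$3" || true
}

# fingerprint KEYSTORE PASS ALIAS
#   Prints the certificate fingerprint of one entry. The server's own entry in
#   hubserver.jks and the trusted "server" entry in hubclient.jks must match;
#   comparing them out of band catches a swapped or stale .cert file.
fingerprint() {
    keytool -list -J-Duser.language=en -keystore "$1" -storepass "$2" -alias "$3" \
        | sed -n 's/^Certificate fingerprint ([^)]*): *//p'
}

# Typical use: make_hub_keystores ./hubkeys clientsecret, then copy
# hubserver.jks to the sniffer user's .deepnode and hubclient.jks to yours.
```

After running make_hub_keystores, print the fingerprint of the "server" alias on both ends and compare them before the first collector connection; a mismatch means the wrong .cert file was imported.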


2. Run the sniffer feed on the server, in collect mode.

- Rather than launching the sniffer via Java Web Start, grab the sniffer jar files and run them locally; the example commands at the end of this page show how.

- Configure the sniffer by creating a "pro2be.properties" file in the ".deepnode" directory in the home directory of the user that will run the sniffer process (when you start it with sudo, as below, that is root's home directory). Here's an example:

listenport=4020
snortcommand=
storagepath=c:\\sniffdata
minfreespace=250000000


"listenport=4020" will cause the sniffer to listen on port 4020.

An empty "snortcommand=" causes the sniffer not to run snort. To have the sniffer run a snort process and monitor its alerts, put the full snort command line here, including "-A console" so that snort prints alerts to standard output, where the sniffer reads them.

"storagepath=c:\\sniffdata" tells the sniffer to store files in c:\sniffdata (to specify a backslash in a properties file, type two backslashes in a row). The storagepath property is required in order to run collect mode.

"minfreespace=250000000" tells the sniffer to purge the oldest stored data whenever the free space on the storage disk drops below that value. The value is a byte count, so 250000000 is about 250 MB and 100000000 would be about 100 MB (not 1000 MB). The default value is 250000000.

- Put the hubserver.jks keystore file into the .deepnode directory.

- Run the sniffer with the command-line parameter "collect". This suppresses the dialog window, makes the sniffer listen for connections from clients, and makes it store data on disk; with this option the sniffer starts monitoring as soon as it is run. The command to run the sniffer will be something like this:

sudo java -cp 3sh3ll_probe.jar:commons-codec-1.9.jar com.threeshell.Pro2be collect

(you have to use sudo because opening the interfaces in promiscuous mode requires root; on Windows the classpath separator is ";" rather than ":"). Because the process then runs as root and serves the listen port, restrict which hosts can reach that port, for example with a host firewall.


3. Launch the Collector Feed.

- Configure it with the address of the server you are monitoring as the "hub address", and the listen port you gave the sniffer as the "hub port".

- Place the hubclient.jks keystore file into the .deepnode directory within your home directory.

- Set the start and end fields to the date/time values that bound the range of data you want to load into the console; every event (packet or snort alert) that happened between those two date/times will be retrieved. The format is yyyy-MM-dd HH:mm.


4. Launch the Console and the collector feed will connect to it, connect to the sniffer, and begin streaming data.


Example commands:

mkdir dnprobe
cd dnprobe
wget http://deepnode.us/apps/lib/3sh3ll_probe.jar
wget http://deepnode.us/apps/lib/commons-codec-1.9.jar
sudo mkdir /root/.deepnode
echo "snortcommand=" > pro2be.properties
echo "storagepath=/var/sniffdata" >> pro2be.properties   # required for collect mode; path is an example
sudo mkdir -p /var/sniffdata
sudo mv pro2be.properties /root/.deepnode/.
sudo cp hubserver.jks /root/.deepnode/.                   # the server keystore from step 1
sudo java -cp 3sh3ll_probe.jar:commons-codec-1.9.jar com.threeshell.Pro2be collect


(default listen port is 4020)

Note that the jars are fetched over plain HTTP and then run as root, so check them out of band before starting the sniffer.
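The pro2be.properties file described in step 2 is easy to get subtly wrong: a Windows storagepath needs doubled backslashes, storagepath is mandatory for collect mode (a file holding only "snortcommand=" is not enough), and a snort command line must carry "-A console". As an added example that is not part of this page or the deepnode distribution, the POSIX shell functions below write the file from variables with the escaping applied and owner-only permissions, and check a file for those requirements before the sniffer is started. The function names and the numeric checks on listenport and minfreespace are this example's own; the rules otherwise follow the page's description of each key.

```shell
#!/bin/sh
# Added example, not the deepnode project's code: build and check a
# pro2be.properties for collect mode from the shell, so that a missing
# storagepath or a bad value is caught before the sniffer is started.
set -eu

# props_escape VALUE
#   Java .properties files treat backslash as an escape character, so a
#   Windows path must have every backslash doubled: c:\sniffdata -> c:\\sniffdata
props_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# write_pro2be_props FILE LISTENPORT STORAGEPATH MINFREESPACE [SNORTCOMMAND]
#   Writes FILE readable by its owner only (it lives beside hubserver.jks)
#   with backslashes escaped in the path and in the snort command line.
write_pro2be_props() {
    file=$1
    port=$2
    storage=$3
    minfree=$4
    snort=${5-}
    (
        umask 077
        {
            printf 'listenport=%s\n' "$port"
            printf 'snortcommand=%s\n' "$(props_escape "$snort")"
            printf 'storagepath=%s\n' "$(props_escape "$storage")"
            printf 'minfreespace=%s\n' "$minfree"
        } > "$file"
    )
}

# prop_value FILE KEY
#   Prints the value of KEY from FILE, or nothing if the key is absent.
prop_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_collect_props FILE
#   Exit status 0 if FILE is usable for collect mode, 1 otherwise (with the
#   reason on stderr). storagepath is required; listenport and minfreespace
#   default to the documented values when absent and must be numeric when
#   present; a non-empty snortcommand must include "-A console".
check_collect_props() {
    file=$1
    if [ -z "$(prop_value "$file" storagepath)" ]; then
        echo "$file: storagepath is required for collect mode" >&2
        return 1
    fi
    port=$(prop_value "$file" listenport)
    case ${port:-4020} in                       # 4020 is the documented default
        *[!0-9]*) echo "$file: listenport must be numeric" >&2; return 1 ;;
    esac
    minfree=$(prop_value "$file" minfreespace)
    case ${minfree:-250000000} in               # 250000000 is the documented default
        *[!0-9]*) echo "$file: minfreespace must be a byte count" >&2; return 1 ;;
    esac
    snort=$(prop_value "$file" snortcommand)
    case $snort in
        '') ;;                                  # empty: snort is not run
        *"-A console"*) ;;                      # alerts go to stdout for the sniffer
        *) echo "$file: snortcommand must include -A console" >&2; return 1 ;;
    esac
    return 0
}

# Typical use before starting the sniffer as root:
#   write_pro2be_props pro2be.properties 4020 /var/sniffdata 250000000
#   check_collect_props pro2be.properties && sudo mv pro2be.properties /root/.deepnode/.
```

Running check_collect_props against a file that contains only "snortcommand=" fails with the storagepath message, which is the error you would otherwise only discover when collect mode starts.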


