[Snort-users] OPENFPC Proxy merge

Kevin Ross kevross33 at ...14012...
Thu Dec 19 05:49:20 EST 2013


Something else to note is that I have checked the traffic is there and then
requested using the openfpc-client tool. When I do ps aux | grep tcpdump
when I have made the request (using a second shell) I can see tcpdump
processes going through the PCAPs with the correct filters as I would
expect. It just doesn't seem to get the traffic back out.


On 19 December 2013 08:31, Kevin Ross <kevross33 at ...14012...> wrote:

> Hi,
>
> Yup confirmed data is definitely in those PCAPs I am requesting using
> tcpdump. When I request for the same data using the openfpc-client tool it
> does not work. How do I enable more debug/where do I look for more
> information for what it is having issues with (as -d isn't showing me the
> failure reason).
>
> Thanks,
> Kevin
>
>
> On 18 December 2013 15:49, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> If you go to where your pcaps are kept and look at them, can you tcpdump
>> the packets that you are looking for?  Let's make sure the data is there.
>>
>> Once that works we can turn on debug for a few more things.  Adding the
>> debug to the client doesn't always turn it on for the other parts.
>>  On Dec 18, 2013 6:11 AM, "Kevin Ross" <kevross33 at ...14012...> wrote:
>>
>>> Hi,
>>>
>>> Still no luck with it and no idea what is actually wrong. I have tried
>>> debug run directly on the hosts (the capture nodes)
>>>
>>> ----Config----
>>> Server   :  localhost
>>> Port     :  4242
>>> User     :  REMOVED
>>> Action   :  fetch
>>> Logtype  :  auto
>>> Logline  :  0
>>> Filename :  /tmp/out.pcap
>>> SumType  :  0
>>> Last     :  30
>>> stime    :  1387371705 Wed Dec 18 13:01:45 2013
>>> etime    :  1387371735 Wed Dec 18 13:02:15 2013
>>>
>>>
>>>    * openfpc-client 0.6 *
>>>    Part of the OpenFPC project
>>>
>>> Logline created from session IDs: ofpc-v1 type:search sip:REMOVED
>>> stime:1387371705 etime:1387371735 timestamp:
>>> Password for user fpc :
>>> DEBUG: Connected to localhost
>>> DEBUG: Sent Request
>>> Problem processing request: 0
>>>
>>> I thought maybe it was an SELINUX issue so I have both relabelled the
>>> filesystem and then after that not working I have disabled SELINUX but
>>> still doesn't work. It is running according to status & also it is making
>>> captures on the disk fine.
>>>
>>> Thanks,
>>> Kevin
>>>
>>>
>>> On 17 December 2013 20:32, Leon Ward <lward at ...1935...> wrote:
>>>
>>>> Trying to send again. I don't think the 1st try made it to the list...
>>>>
>>>>
>>>> On 17 December 2013 12:09, Joel Esler (jesler) <jesler at ...589...> wrote:
>>>>
>>>>> Forwarded to the developer.
>>>>>
>>>>
>>>> Yeah, that would be me - although I'm fighting to find any time to look
>>>> at it right now so it's becoming a little out of date. I've got a long todo
>>>> list to work through. Are there any logs you could share to help work
>>>> out what could be broken?
>>>>
>>>> I suggest you start up the openfpc daemon interactively with --debug
>>>> and make the request again.
>>>>
>>>> -L
>>>>
>>>>
>>>>>
>>>>> On Dec 17, 2013, at 11:25 AM, Kevin Ross <kevross33 at ...14012...>
>>>>> wrote:
>>>>>
>>>>> > Hi,
>>>>> >
>>>>> > Running openfpc. Was working fine for months and months and now this
>>>>> > when I try and get a PCAP (nothing changed aside from maybe updates: unable
>>>>> > to proxy-merge
>>>>> >
>>>>> > Has anyone run into this (I am asking on this userlist as it was a
>>>>> > sourcefire employee made tool :)
>>>>> >
>>>>> > Thanks,
>>>>> > Kevin
>>>>> >
>>>>> ------------------------------------------------------------------------------
>>>>> > Rapidly troubleshoot problems before they affect your business. Most
>>>>> IT
>>>>> > organizations don't have a clear picture of how application
>>>>> performance
>>>>> > affects their revenue. With AppDynamics, you get 100% visibility
>>>>> into your
>>>>> > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of
>>>>> AppDynamics Pro!
>>>>> >
>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk_______________________________________________
>>>>> > Snort-users mailing list
>>>>> > Snort-users at lists.sourceforge.net
>>>>> > Go to this URL to change user options or unsubscribe:
>>>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> > Snort-users list archive:
>>>>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>> >
>>>>> > Please visit http://blog.snort.org to stay current on all the
>>>>> latest Snort news!
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
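
The check suggested earlier in the thread (confirm that the stored PCAPs really contain packets from the requested source IP inside the stime/etime window) can also be scripted without tcpdump. The following is an added example, not part of the original thread and not OpenFPC code; the function names, the address 192.0.2.10 and the sample capture are constructed, and only the stime/etime values are taken from the posted request. It reads classic pcap files with Ethernet framing and untagged IPv4 only.

```python
import socket
import struct

def build_pcap(packets):
    """Build a little-endian classic pcap (Ethernet) from (ts, src, dst) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst in packets:
        eth = b"\x00" * 12 + b"\x08\x00"   # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = eth + ip
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def count_matches(pcap_bytes, sip, stime, etime):
    """Return (packets in window, packets in window whose IPv4 source is sip)."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    want = socket.inet_aton(sip)
    off, in_window, matched = 24, 0, 0
    while off + 16 <= len(pcap_bytes):
        ts, _usec, caplen, _wirelen = struct.unpack_from(endian + "IIII",
                                                         pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if not stime <= ts <= etime:
            continue
        in_window += 1
        # IPv4 source address sits at bytes 26..29 of an untagged frame
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[26:30] == want:
            matched += 1
    return in_window, matched

# Constructed sample: two packets fall outside the requested window.
SAMPLE = build_pcap([
    (1387371700, "192.0.2.10", "198.51.100.5"),
    (1387371710, "192.0.2.10", "198.51.100.5"),
    (1387371720, "198.51.100.5", "192.0.2.10"),
    (1387371730, "192.0.2.10", "198.51.100.5"),
    (1387371740, "192.0.2.10", "198.51.100.5"),
])

if __name__ == "__main__":
    print(count_matches(SAMPLE, "192.0.2.10", 1387371705, 1387371735))
```

A non-zero second value means the buffer holds matching traffic for the window, so a failed fetch points at the extraction or return path rather than at the capture itself.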