robscetury / gibson

3D Security Software
GNU General Public License v3.0

Setup and configuration #1

Closed DrMoMo closed 13 years ago

DrMoMo commented 13 years ago

Hi -- I would like to assist in the project. I assume a fitting role would be to attempt to implement, document my work and report issues with the setup.

So far my first one is sending events. I don't have Bro or Snort set up, so I figured it would be easiest to just send specially formatted Apache access logs at it.

The event_parser handles it fine once I tweak the syslog_reader to accept the input... however, I never see anything leave the script on port 1723 (using Wireshark).

robscetury commented 13 years ago

DrMoMo,

I've forwarded this on to dklinedinst, the lead developer (for now) on the event_daemon, and someone much more familiar than I am w/ what you would need to set up and configure bro/kismet.

Long term, I'll be taking over the event_daemon, but I'll be re-writing it based on slightly different requirements... so I'll be keeping an eye on this issue to see if any new requirements pop up from the discussion.

DrMoMo commented 13 years ago

Hi Rob,

Awesome. I met Dan at DEFCON19 this year and that's how I was introduced to Gibson3d. I definitely want this project to succeed. I am working with another developer right now to get this working, and to document the process to get a running installation. I think this will definitely help get people to the project and contributing.

We officially started today and have our dev machine setup. I am keeping real time notes here: http://momorabbithole.blogspot.com/2011/08/setting-up.html

dklinedinst commented 13 years ago

DrMoMo, Can you send me the exact command line you're using to invoke the event_daemon.py script, and any output you get? Also, are you running Gibson on the same host? If you send to localhost, you need to snoop interface lo0 with Wireshark to see the traffic, rather than your NIC. Finally, what OS are you using? Thx, Dan
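Dan's point above (localhost traffic never leaves the NIC, so you have to watch the loopback interface) can also be checked without Wireshark. The following is an added example, not code from the Gibson project or from anyone in this thread: a small Python probe that binds the loopback address on the port named in the thread and records whatever arrives. The transport event_daemon.py uses is not stated here, so the probe listens on both TCP and UDP (an assumption), and the alert line it pushes through is constructed for the test, not a real Gibson, Bro or Snort record.

```python
import socket
import threading
import time

# Loopback only: anything sent here shows up on lo / lo0, never on the NIC.
HOST = "127.0.0.1"
PORT = 1723  # port from the thread; transport unknown, so TCP and UDP (assumption)


class LoopbackProbe:
    """Record every TCP stream or UDP datagram that lands on host:port."""

    def __init__(self, host=HOST, port=PORT):
        self.host, self.port = host, port
        self.received = []                 # (proto, payload bytes)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._threads = []

    def start(self):
        self._tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._tcp.bind((self.host, self.port))
        self._tcp.listen(5)
        self._tcp.settimeout(0.1)          # short timeouts keep stop() responsive
        self._udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._udp.bind((self.host, self.port))
        self._udp.settimeout(0.1)
        for target in (self._serve_tcp, self._serve_udp):
            t = threading.Thread(target=target, daemon=True)
            t.start()
            self._threads.append(t)
        return self

    def _serve_tcp(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._tcp.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                data = b""
                try:
                    while True:
                        chunk = conn.recv(4096)
                        if not chunk:      # peer closed: one stream is complete
                            break
                        data += chunk
                except socket.timeout:
                    pass                   # keep whatever arrived before the stall
            self._record("tcp", data)

    def _serve_udp(self):
        while not self._stop.is_set():
            try:
                data, _ = self._udp.recvfrom(65535)
            except socket.timeout:
                continue
            self._record("udp", data)

    def _record(self, proto, data):
        with self._lock:
            self.received.append((proto, data))

    def count(self, proto=None):
        """Number of captured items, optionally for one transport only."""
        with self._lock:
            return sum(1 for p, _ in self.received if proto in (None, p))

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        self._tcp.close()
        self._udp.close()


def send_event(payload, host=HOST, port=PORT, proto="tcp"):
    """Send one event as a short TCP stream or a single UDP datagram."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
    else:
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall(payload)


def check_delivery(port=PORT, wait=3.0):
    """Start the probe, push one constructed event over each transport, report what landed."""
    probe = LoopbackProbe(port=port).start()
    try:
        # Constructed sample in Snort alert style; not a real alert.
        sample = b"[**] [1:0:0] constructed test alert [**] 10.0.0.1 -> 10.0.0.2\n"
        send_event(sample, port=port, proto="tcp")
        send_event(sample, port=port, proto="udp")
        deadline = time.monotonic() + wait
        while probe.count() < 2 and time.monotonic() < deadline:
            time.sleep(0.05)
        return {"tcp": probe.count("tcp"), "udp": probe.count("udp")}
    finally:
        probe.stop()


if __name__ == "__main__":
    print(check_delivery())
```

To use it against the real daemon, run `LoopbackProbe().start()` in an interpreter on the Gibson host before starting `event_daemon.py localhost 1723 ...`, then inspect `probe.received`; if it stays empty, nothing reached the loopback port, which is the same answer `tcpdump -i lo port 1723` would give. `check_delivery()` only proves the probe itself works end to end.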

DrMoMo commented 13 years ago

(All commands are done as root to rule permissions out.) I am also running with the sample files output.xml and snort.alerts.

I cloned the project with:

git clone https://github.com/robscetury/gibson.git
cd /gibson
mv random.conf gibson.conf
ppython main.py output.xml

Two Panda windows open: one is gray and in the background, one is in the foreground with the giant box that you can move around in.

In another console as root:

cd /gibson
ppython event_daemon.py localhost 1723 snort < snort.alerts

In another console as root I am running tcpdump -i lo. There is traffic when I run the event_daemon.

dklinedinst commented 13 years ago


Ahh... Just before DefCon, I updated the code on GitHub, but failed to update the (very limited) documentation. Try this from the gibson directory:

ppython gibson.py -c random.conf random.xml

You'll get a white screen for a while (30 seconds?) and then a model of the sample network.

For testing purposes, try: ppython event_daemon.py localhost 1723 bro < alarm.random

and see if you get slugs moving around. (It'll run slow for a minute as it processes them all.) If that works, we can take a look at snort.

Meanwhile, I'll update the web site!

Dan

On 8/17/11 7:49 PM, DrMoMo wrote:

> (All commands are done as root to rule permissions out.) I am also running with the sample files output.xml and snort.alerts.
>
> I cloned the project with:
>
> git clone https://github.com/robscetury/gibson.git
> cd /gibson
> mv random.conf gibson.conf
> ppython main.py output.xml
>
> Two Panda windows open: one is gray and in the background, one is in the foreground with the giant box that you can move around in.
>
> In another console as root:
>
> cd /gibson
> ppython event_daemon.py localhost 1723 snort < snort.alerts
>
> In another console as root I am running tcpdump -i lo. There is traffic when I run the event_daemon.


DrMoMo commented 13 years ago

This worked, however it's really laggy... is that just because of the demo data, or is it a potential issue with my card? I'll try on Windows in a bit.

DrMoMo commented 13 years ago

Tried on 2 different Linux boxes before I went to Windows... on the second Linux box I tried alarm.2... works fine!!!! Not sure of the difference?