Deep Node

Sniffer Configuration

Sniffer Configuration

The sniffer looks for a file named "pro2be.properties" in the ".deepnode" directory within the home directory of the user running it. The file looks like this: 

consoleaddr=localhost
consoleport=4021
listenport=4020
docountry=false
snarfpackets=true
makeinternalcritical=true
snortcommand=c:\\snort\\bin\\snort -c c:\\snort\\etc\\snort.conf -K none -i 3 -d -A console
max_packet_bytes=1000000
noresolve=false
treemode=ip

consoleaddr: use this to tell the sniffer what address to attempt to open a socket to, to stream its output (address of machine you are running the console on) 

consoleport: port the console is listening on; use 4021 normally

listenport: if you are running the sniffer in "daemon" mode, this is the port the sniffer should listen on for connections from the hub feed

docountry: if set to true, the probe looks up ip address geo information using ipinfo.io (note that they have a daily quota) 

snarfpackets: set this to false for high performance - the sniffer will not ask for packet contents from tcpdump

makeinternalcritical: set to true to make non-routable ip address nodes look like planets in the console

snortcommand: the command the sniffer should use to execute snort; make blank to not run snort. You need to include "-A console" so that snort will output alerts in the format the sniffer understands. 

max_packet_bytes: the maximum number of bytes worth of packets to store in ram for delivery to the console upon request; only applies if snarfpackets is true. 

noresolve: setting this to true stops the sniffer from attempting to do reverse dns lookups on the ip's it sees. This is necessary when playing back pcap files offline. Use in conjunction with "save domains" to use a list of pre-resolved domain names. 

treemode: set this to "mac" or "ip". The mac treemode causes the sniffer to arrange its output so that level 1 is the mac address, level 2 is the domain or "internal", level 3 is the ip, and level 4 is the port/protocol/service. 

The ip treemode causes the sniffer to tag every mesage it outputs with the source and destination mac addresses, instead of using them as part of the tree. Level 1 of the tree defaults to "internal" for non-routable addresses and "external" for routable addresses; level 2 is "internal" for non-routable addresses, and the domain or "unknown" for routable addresses. 

You can create a file called "internal_nets.txt" in the .deepnode directory to define the level 1 and level 2 values for any ip4 subnets you want. Here's an example: 

10.0.0.0,255.0.0.0,int,home
192.168.56.0,255.255.255.0,int,vm

Addresses within the 10.0.0.0 subnet will have a level1 value of "int", and a level2 value of "home"; while addresses within the 192.168.56.0 subnet will have a level1 value of "int" and a level2 value of "vm". Note that you can define any subnets, not just non-routable addresses. 

Command-line parameters... 

When running the sniffer via the command line, there are two options. Pass "nogui" to make the sniffer run headless; it will begin monitoring immediately. Pass "collect" to make the sniffer run headless, in collect mode. 

In collect mode, the sniffer stores packet header and snort alert data on disk. The Collector Feed can be used to retrieve specific time periods into the console. See collector instructions for more information.