PCAP via Sensoroni
PCAP is now available via a pivot from Kibana to Sensoroni. Pivoting to PCAP from Kibana in Hybrid Hunter is the same process as in the current release: click the _id hyperlink on the session you would like to pull.
This launches a new browser tab that takes you to Sensoroni. Refresh the page after a few seconds and the packets for that session will be displayed.
You can then switch between HEX and ASCII views and expand the results.
Searching and Saving PCAP manually
To search PCAP directly, SSH to the sensor and query Stenographer through the so-steno container. The first argument to stenoread is the Stenographer query (time bounds, host, port, protocol); any remaining arguments are passed straight to tcpdump, which is why a BPF filter and tcpdump display options can follow it. For example, to review matching packets on the terminal without writing them to disk:
sudo docker exec -it so-steno stenoread 'before 2018-11-24T01:58:00Z and after 2018-11-23T23:50:00Z' 'port 80 and host 192.168.140.20' -n -XXX
To save the matching packets to a file instead (Hybrid Hunter 1.0.4):
sudo docker exec -it so-steno stenoread 'before 2018-11-24T01:58:00Z and after 2018-11-23T23:50:00Z' 'port 80 and host 192.168.2.20' -w /nsm/pcapout/somepcap.pcap
Notice that it is no longer necessary to save the PCAP to a separate file in order to review it. This is handy when you are spot checking something you suspect is a false positive, and it avoids wasting disk space on a duplicate copy of the session. Also note that the query returns much faster if you narrow it to a specific timespan with before and after, so always bound the time window. When you do save with -w, the path is interpreted inside the so-steno container, so write to a directory that is mounted into it, such as /nsm/pcapout.
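The manual search above is typed by hand each time. The script below is an added example, not part of Security Onion or Stenographer: it derives the before/after window from an event timestamp, puts host and port in the Stenographer query itself (so Stenographer answers from its index instead of returning the whole window for tcpdump to filter), and validates host and port before they reach the command line, which matters if the values are ever copied from an alert. It assumes GNU date (as on the Ubuntu sensor), docker, and the so-steno container name used on this page; the function names and the STENO_CONTAINER variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Security Onion's or Stenographer's own tooling).
# Assumes GNU date, docker, and the so-steno container name from the page.

set -u

STENO_CONTAINER="${STENO_CONTAINER:-so-steno}"

# Format an epoch second in the RFC 3339 UTC form Stenographer expects.
rfc3339_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ
}

# Accept only a dotted-quad IPv4 address. Deliberately strict: the value is
# interpolated into a command line, so "1.2.3.4 or host 10.0.0.1" must fail.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# Accept only a decimal TCP/UDP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the Stenographer query: event time +/- window_secs, plus host and port.
# Usage: steno_query <rfc3339-utc-timestamp> <window_secs> <ipv4> <port>
steno_query() {
  local event_ts="$1" window_secs="$2" host="$3" port="$4"
  local epoch
  valid_ipv4 "$host" || { echo "rejecting host: $host" >&2; return 1; }
  valid_port "$port" || { echo "rejecting port: $port" >&2; return 1; }
  epoch=$(date -u -d "$event_ts" +%s) || return 1
  printf 'after %s and before %s and host %s and port %s' \
    "$(rfc3339_utc $((epoch - window_secs)))" \
    "$(rfc3339_utc $((epoch + window_secs)))" \
    "$host" "$port"
}

# Run the query through the container. With an output file, packets are written
# there (the page's -w form); without one they are printed in hex+ASCII, which
# needs no scratch copy on disk. No eval: arguments are passed as separate words.
steno_run() {
  local query="$1" outfile="${2:-}"
  if [ -n "$outfile" ]; then
    sudo docker exec -it "$STENO_CONTAINER" stenoread "$query" -w "$outfile"
  else
    sudo docker exec -it "$STENO_CONTAINER" stenoread "$query" -n -XX
  fi
}

# Stand-alone use:
#   ./steno_search.sh 2018-11-24T00:54:00Z 300 192.168.140.20 80 [/nsm/pcapout/out.pcap]
if [ $# -ge 4 ]; then
  q=$(steno_query "$1" "$2" "$3" "$4") || exit 1
  echo "stenographer query: $q" >&2
  steno_run "$q" "${5:-}"
fi
```

With a five-minute window around 2018-11-24T00:54:00Z the generated query is "after 2018-11-24T00:49:00Z and before 2018-11-24T00:59:00Z and host 192.168.140.20 and port 80", equivalent in scope to the page's first example but answered entirely from Stenographer's index. The output path, when given, is still a path inside the container, so keep it under /nsm/pcapout.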