pom-ng:getting_started
Differences between two revisions of this page: pom-ng:getting_started [2012/10/01 15:56] (created, 2001:7e8:2221:600:1854:f5ff:fe53:d2f2) and pom-ng:getting_started [2020/05/26 21:59] (current, external edit 127.0.0.1). The text below is the current revision.
==== 1) Packets are read from an input ====
Packets can be read from multiple sources. In order to be able to read packets from various sources, pom-ng has a few inputs. The most common ones are the following:
  * Input [[pom-ng:
  * Input [[pom-ng:
  * Input [[pom-ng:
  * Input [[pom-ng:

You can configure multiple inputs and run them at the same time.

==== 2) Packets are analyzed ====
At this step, pom-ng analyzes the packets coming from the input. It finds out which protocol chain is inside the packets and decodes the headers of each protocol that will be useful for later processing. It also keeps track of packets related to a single connection. This job is done by the protocol (aka proto) modules.\\
For higher layer protocols such as [[pom-ng:

==== 3) Protocol events are processed ====
Most of the time, protocol events alone are not very useful. In the case of the http_query and http_request events, it is not easy to correlate a query with a request. This is why the http analyzer listens for those two events and creates a new event called http_request that contains information about a single HTTP transaction. It contains both the info from the client and from the server, with additional information computed by correlating the two events.
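To make the correlation step concrete, here is a small model of what an analyzer like the one described above has to do: hold the client-side event of a connection until the server-side event arrives, then emit one transaction record that carries both halves plus derived data such as latency. This is an added example written for this page, not pom-ng code; the event names ''http_query'' / ''http_response'', the field names (''conn_id'', ''method'', ''uri'', ''status'', ''ts'') and the sample events are all assumptions. It also covers the two cases a real capture produces: a response whose query was never seen (capture started mid-connection) and a query that is never answered.

```python
"""Illustrative model of correlating per-direction HTTP events into one
transaction event. Added example, not pom-ng code; event and field names
are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class Event:
    name: str        # "http_query" (client side) or "http_response" (server side); assumed names
    conn_id: int     # connection the packet was tracked under (what step 2 provides)
    ts: float        # capture timestamp in seconds
    fields: dict     # decoded header fields: method/uri for queries, status for responses


@dataclass
class Transaction:
    conn_id: int
    method: str
    uri: str
    status: Optional[int]      # None when the response was never captured
    latency: Optional[float]   # response ts - query ts, None when unanswered


class HttpCorrelator:
    """Keeps a FIFO of pending queries per connection so pipelined requests
    are matched to responses in order."""

    def __init__(self) -> None:
        self.pending: Dict[int, Deque[Event]] = {}
        self.transactions: List[Transaction] = []
        self.orphans: List[Event] = []   # responses with no query on record

    def feed(self, ev: Event) -> Optional[Transaction]:
        queue = self.pending.setdefault(ev.conn_id, deque())
        if ev.name == "http_query":
            queue.append(ev)
            return None
        if ev.name == "http_response":
            if not queue:
                # Capture started after the query was sent: keep it visible, not silently dropped
                self.orphans.append(ev)
                return None
            query = queue.popleft()
            tx = Transaction(ev.conn_id, query.fields["method"], query.fields["uri"],
                             ev.fields["status"], round(ev.ts - query.ts, 3))
            self.transactions.append(tx)
            return tx
        raise ValueError(f"unknown event type: {ev.name}")

    def flush(self) -> List[Transaction]:
        """Emit queries that never got a response (connection closed or capture ended)."""
        unanswered: List[Transaction] = []
        for conn_id, queue in self.pending.items():
            while queue:
                q = queue.popleft()
                tx = Transaction(conn_id, q.fields["method"], q.fields["uri"], None, None)
                self.transactions.append(tx)
                unanswered.append(tx)
        return unanswered


# Constructed sample event stream (not captured data)
SAMPLE_EVENTS = [
    Event("http_query", 1, 1.00, {"method": "GET", "uri": "/index.html"}),
    Event("http_response", 1, 1.25, {"status": 200}),
    Event("http_query", 2, 2.00, {"method": "POST", "uri": "/login"}),
    Event("http_response", 2, 2.10, {"status": 302}),
    Event("http_response", 3, 2.50, {"status": 404}),           # no query seen on conn 3
    Event("http_query", 1, 3.00, {"method": "GET", "uri": "/logo.png"}),  # never answered
]


def run_sample() -> HttpCorrelator:
    correlator = HttpCorrelator()
    for ev in SAMPLE_EVENTS:
        correlator.feed(ev)
    correlator.flush()
    return correlator


if __name__ == "__main__":
    c = run_sample()
    for tx in c.transactions:
        print(tx)
    print("orphan responses:", len(c.orphans))
```

The per-connection FIFO is what makes pipelined requests on one connection resolvable; the orphan list and ''flush()'' are the parts a naive join would miss, and both matter when the log is later used to reason about what a client actually received.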
==== 4) Packets/

Some protocols carry files or payloads. The payload analyzers check the content of the payload and provide useful information about it for later filtering. For example, the [[pom-ng:

==== 5) Outputs receive events, payloads and raw packets ====

The output then receives the events that were generated, or the payloads. Depending on what the output does, it acts accordingly. For example the [[pom-ng:
Other outputs such as [[pom-ng:

===== Configuration =====

In order to configure pom-ng, you must tell it how to read the packets and what output you want.\\
Let's use a simple example that logs all the HTTP requests sniffed from your interface into a log file that looks like the Apache log file.

==== 1) Configure the input ====
You must first choose which input you want. The one we want is [[pom-ng:
We will add our new input and name it '
  pom> input add pcap_interface input1
  input '

As we can see, our input has been added and will be listening on the interface eth0 by default. However, it is not yet running, so it is not capturing any packets.
  pom> input show
  input1: (running: no, type: pcap_interface)
      interface : '
      promisc : '

==== 2) Configure the output ====
We will now tell pom-ng to save all the HTTP requests it finds into a log file. For this, we will use the output [[pom-ng:
  pom> output add log_txt apache_logs
  output '

A quick look at the output configuration shows that no template is defined and that the output is not running:
  pom> output show
  apache_logs:
      prefix : '
      template : ''

So we will use the template '

  pom> output parameter set apache_logs template http_apache
  Parameter of output '
  pom> output parameter set apache_logs prefix /tmp/
  Parameter of output '

==== 3) Start everything ====

Now that both the input and the output are configured, we only have to start them:
  pom> output start apache_logs
  Parameter of output '
  pom> input start input1
  Parameter of input '

You should now find a file /
Now is also a good time to save your configuration if you are satisfied with it:
  pom> config save http_logging
  Registry configuration saved as "
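Once the log_txt output is running, the file it writes is the artifact a defender actually works with, so here is an added example of consuming it: a parser for Apache-style access log lines with a small summary (requests per client, 4xx/5xx responses). This is not pom-ng code and not the page's own template; it assumes the http_apache template produces lines in the Apache combined log format (common log format plus quoted referer and user agent), which is an assumption about the template's layout, and the sample lines are constructed. Malformed lines are counted rather than crashing the parse, since a sniffer-written log can contain partial lines.

```python
"""Parser and summary for Apache-style access logs. Added example, not
pom-ng code; assumes the combined log format and uses constructed lines."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Combined log format: client ident user [time] "method uri proto" status size "referer" "agent"
# The referer/agent pair is optional so plain common log format lines also parse.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the decoded fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"] != "-" else 0
    return rec


def summarize(lines: List[str]) -> dict:
    """Count parsed/malformed lines, requests per client, and error responses."""
    by_client: Counter = Counter()
    errors: List[Tuple[str, str, int]] = []
    parsed = malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        parsed += 1
        by_client[rec["client"]] += 1
        if rec["status"] >= 400:
            errors.append((rec["client"], rec["uri"], rec["status"]))
    return {"parsed": parsed, "malformed": malformed,
            "by_client": dict(by_client), "errors": errors}


# Constructed sample log lines (not real captured traffic; addresses are documentation ranges)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2012:15:56:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Oct/2012:15:56:02 +0200] "GET /logo.png HTTP/1.1" 200 812 "http://example.com/index.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2012:15:56:05 +0200] "POST /login HTTP/1.1" 302 - "-" "curl/7.26.0"',
    '198.51.100.7 - - [01/Oct/2012:15:56:06 +0200] "GET /admin HTTP/1.1" 403 221 "-" "curl/7.26.0"',
    'this line is not a log entry',
]


def run_sample() -> dict:
    return summarize(SAMPLE_LOG)


if __name__ == "__main__":
    # To read the real file, replace SAMPLE_LOG with open(<log path>).read().splitlines();
    # the path is whatever prefix you configured on the log_txt output.
    print(run_sample())
```

The summary is deliberately minimal; the point is that once the lines are decoded into typed fields (timestamp with timezone, integer status), per-client counts or status-based filtering are one expression away, which is what the log is for.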
pom-ng/getting_started.1349106960.txt.gz · Last modified: 2020/05/26 21:59 (external edit)