pom-ng:getting_started
pom-ng:getting_started [2013/01/26 12:08] – KQvPZnoeFTAigs 188.143.232.12 | pom-ng:getting_started [2020/05/26 21:59] (current) – external edit 127.0.0.1 | ||
====== Getting started ======

Before going into the configuration part, it is best to understand how pom-ng works.

===== Processing steps =====

==== 1) Packets are read from an input ====
Packets can be read from multiple sources. To support these different sources, pom-ng provides several inputs. The most common ones are the following:
  * Input [[pom-ng:
  * Input [[pom-ng:
  * Input [[pom-ng:
  * Input [[pom-ng:

You can configure multiple inputs and run them at the same time.

==== 2) Packets are analyzed ====

At this step, pom-ng analyzes the packets coming from the inputs. It finds out which protocol chain is inside each packet and decodes the headers.
For higher layer protocols such as [[pom-ng:

==== 3) Protocol events are processed ====

Most of the time, protocol events alone are not very useful. In the case of the http_query and http_response events, it is not easy to correlate a query with its response. This is why the http analyzer listens for those two events and creates a new event called http_request that contains the information about a single HTTP transaction. It holds both the info from the client and from the server, plus additional information computed by correlating the two events.

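The correlation step described above, as an added illustration that is not pom-ng's own code: a small Python model of an analyzer that listens for http_query / http_response protocol events and emits one merged transaction per pair. The Event layout, the field names (method, uri, status, length), the connection key and the sample events are all constructed for this example.

```python
# Added illustration of the analyzer step: pairing http_query / http_response
# protocol events into one http_request-style transaction. NOT pom-ng's code;
# the Event layout, field names and sample events are constructed assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    name: str            # protocol event name: "http_query" or "http_response"
    conn: str            # assumed key identifying the TCP connection (client -> server)
    ts: float            # capture timestamp in seconds
    fields: dict = field(default_factory=dict)


@dataclass
class HttpTransaction:
    conn: str
    query: dict          # what the client sent
    response: dict       # what the server answered
    latency: float       # derived by correlation: response ts minus query ts


class HttpAnalyzer:
    """Pairs queries with responses per connection, in FIFO order (HTTP/1.1 keeps
    pipelined responses in the order of their requests)."""

    def __init__(self):
        self.pending = defaultdict(deque)   # conn -> queries still waiting for a response
        self.transactions = []
        self.orphan_responses = 0           # responses seen without a matching query

    def on_event(self, ev):
        if ev.name == "http_query":
            self.pending[ev.conn].append(ev)
            return None
        if ev.name == "http_response":
            queue = self.pending[ev.conn]
            if not queue:
                # Capture started mid-connection or the query packets were lost:
                # there is nothing to correlate, so count it and drop it.
                self.orphan_responses += 1
                return None
            query = queue.popleft()
            tx = HttpTransaction(
                conn=ev.conn,
                query=query.fields,
                response=ev.fields,
                latency=round(ev.ts - query.ts, 3),
            )
            self.transactions.append(tx)
            return tx
        return None                         # events of other protocols are not ours


def run_sample():
    """Feed constructed events through the analyzer and return it for inspection."""
    conn_a = "192.0.2.10:51000->203.0.113.5:80"
    conn_b = "192.0.2.11:51001->203.0.113.5:80"
    events = [
        Event("http_query", conn_a, 1.000, {"method": "GET", "uri": "/index.html"}),
        Event("http_query", conn_a, 1.010, {"method": "GET", "uri": "/logo.png"}),   # pipelined
        Event("http_response", conn_a, 1.250, {"status": 200, "length": 5120}),
        Event("http_response", conn_a, 1.300, {"status": 404, "length": 0}),
        Event("http_response", conn_b, 2.000, {"status": 200, "length": 17}),        # no query captured
    ]
    analyzer = HttpAnalyzer()
    for ev in events:
        analyzer.on_event(ev)
    return analyzer


if __name__ == "__main__":
    a = run_sample()
    for tx in a.transactions:
        print(tx.conn, tx.query["uri"], tx.response["status"], f"{tx.latency}s")
    print("orphan responses:", a.orphan_responses)
```

The orphan counter is the part worth keeping in mind when reading real output: a capture started in the middle of a keep-alive connection yields responses that no analyzer can attach to a query, so the resulting transaction log is only as complete as the capture window.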
==== 4) Packets/ ====

Some protocols carry files or payloads. The payload analyzers check the content of the payload and provide useful information about it for later filtering. For example, the [[pom-ng:

==== 5) Outputs receive events, payloads and raw packets ====

The outputs then receive the events that were generated, or the payloads. Depending on what the output does, it acts accordingly. For example the [[pom-ng:
Other outputs such as [[pom-ng:

===== Configuration =====

In order to configure pom-ng, you must tell it how to read the packets and what output you want.\\
Let's use a simple example that logs all the HTTP requests sniffed from your interface into a log file that looks like the Apache log file.

==== 1) Configure the input ====
You must first choose which input you want. The one we want is [[pom-ng:
We will add our new input and name it '
  pom> input add pcap_interface input1
  input '

As we can see, our input has been added and will listen on the interface eth0 by default. However it is not running yet, so it is not capturing any packets.
  pom> input show
  input1: (running: no, type: pcap_interface)
    interface : '
    promisc : '

==== 2) Configure the output ====
We will now tell pom-ng to save all the HTTP requests it finds into a log file. For this, we will use the output [[pom-ng:
  pom> output add log_txt apache_logs
  output '

A quick look at the output configuration shows that no template is defined and that the output is not running:
  pom> output show
  apache_logs:
    prefix : './' (string)
    template : ''

So we will use the template '

  pom> output parameter set apache_logs template http_apache
  Parameter of output '
  pom> output parameter set apache_logs prefix /tmp/
  Parameter of output '

Note that /tmp/ is world-writable and is used here only to keep the example short. On a shared host, point the prefix at a directory that only the user running pom-ng can write to, so that another local user cannot pre-create or replace the log file.

==== 3) Start everything ====

Now that both the input and the output are configured, we only have to start them. The output is started first so that it is already listening when the first packets arrive:
  pom> output start apache_logs
  Parameter of output '
  pom> input start input1
  Parameter of input '

You should now find a file /
Now is also a good time to save your configuration if you are satisfied with it:
  pom> config save http_logging
  Registry configuration saved as "

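Once the procedure above is running, the log file is the thing you actually work with. The following is an added example, not part of this page or of pom-ng, of reading such a log back: it assumes the http_apache template writes one line per HTTP transaction in the Apache "combined" log format (host, ident, user, time, request line, status, size, referer, user agent), parses those lines, and flags request paths that contain ".." once percent-decoded. The sample lines are constructed for the example.

```python
# Added example of consuming the log written by the output configured above.
# NOT pom-ng code. Assumption: the http_apache template emits Apache "combined"
# style lines; the SAMPLE_LOG below is constructed for this example.
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined format: host ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

SAMPLE_LOG = """\
192.0.2.10 - - [26/May/2020:21:59:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [26/May/2020:21:59:02 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 - "-" "curl/7.68.0"
198.51.100.7 - - [26/May/2020:21:59:05 +0000] "POST /login HTTP/1.1" 302 0 "http://example.test/login" "Mozilla/5.0"
this line is not a log record
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    # "GET /path HTTP/1.1" -> method and path; tolerate malformed request lines
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    return rec


def parse_log(text):
    """Parse every line of the log text, silently skipping lines that do not match."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def status_counts(records):
    return Counter(r["status"] for r in records)


def traversal_paths(records):
    """Paths containing '..' after percent-decoding: a crude path-traversal detector.
    Decoding first matters, since %2e%2e%2f never contains a literal '..'."""
    return [r["path"] for r in records if r["path"] and ".." in unquote(r["path"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records;", dict(status_counts(recs)))
    print("suspicious paths:", traversal_paths(recs))
```

Lines that do not match the pattern are dropped rather than raising, which is what you want when tailing a file that is still being written: a partially written last line is simply picked up on the next read.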
pom-ng/getting_started.1359202099.txt.gz · Last modified: 2020/05/26 21:59 (external edit)