The currrent development is going on at the Github repo. Devel is the branch i am using for my commits right now. When the source is examined, it will be seen that the project is set up with buildout. The installation of buildout is defined at the README page. The commands should be run after the repo is cloned and the directory is changed to openwitness:
After the buildout is run, some new directories will be created. To start the server run
This will run the development server of the Django. The current Django release is 1.3. When you point out 127:0.0.1:8000 at your browser, it will display the main page. Click on the PCAP menu at the top and then choose Upload. This will let you choose a pcap file for being upload. What is done at the background is
* Check the network layer protocol of the uploaded pcap file. Determining whether this file is TCP of UDP is necessary to get the flow traffic from inside. If the traffic is TCP, a flow extractor is being run. Each flow is saved as seperate pcap files.
Bro is used for detecting network layer protocol. Bro is mentioned as an IDS, which can use Snort signatures and user defined rules. After installing Bro, the command line tool of Bro generates conn.log file that gives information about the pcap file.
Bro-cut is an auxiliary command that can be found at the Bro source code after compilation finishes. It eases reading the conn.log file. A typical conn.log file is as below
One may read the fields and say that this is an HTTP traffic information, from 192.168.1.222 to 192.168.1.64. The connection is destined to 8080 and it is an established connection (S1 indicates it). The other fields are the sent and receive byte numbers. The detail information can be seen at the old Bro wiki. There are examples also at the Bro site from 2011 workshop
After the flows are saved, each flow file should be analyzed for application level protocol detection. According to the protocol detected, parsers related with the protocol will be hooked. Anyone can write its own protocol detectors, also. To use a custom protocol detector, base detector should be inherited:
self.log = Logger("Base Protocol Handler", "DEBUG")
self.log.message("base protocol handler called")
The two functions should be owerritten at the custom protocol detector. Bro appplication level protocol detection is as below:
Bro uses dynamic protocol detection. It is possible to detect application level protocols regardless of protocol information, but from predefined traffic signature. It is also possible to define custom rules to detect undetected protocols. The current supported protocols are listed here.
After the protocol is detected, the parser related with it will be run to gather applicaiton level data. The gathered information will be saved at MongoDB. It is being used the MongoDB driver for Django, so database operations will be handled by using db api.