Security Onion uses Stenographer to write network traffic to disk. From https://github.com/google/stenographer:
Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
Stenographer uses AF-PACKET for packet acquisition. It’s important to note that Stenographer is totally independent from Suricata and Zeek. This means that Stenographer has no impact on your NIDS alerts and protocol metadata.
Stenographer writes full packet capture to
/nsm/pcap/. It will automatically start purging old data once the partition reaches 90%. This value is configurable as shown in the Configuration section below.
You can access full packet capture via the PCAP interface:
You can also access packet capture from the command line of the box where the pcap is stored using a steno query as defined at https://github.com/google/stenographer#querying. In the following examples, replace “YourStenoQueryHere” with your actual steno query.
The first option is using docker to run
stenoread. If the query succeeds, you can then find the resulting pcap file in
/nsm/pcaptmp/ in the host filesystem:
sudo docker exec -it so-steno stenoread "YourStenoQueryHere" -w /tmp/new.pcap
We’ve included a wrapper script called
so-pcap-export to make this a little easier. For example:
sudo so-pcap-export "YourStenoQueryHere" output
If the query succeeds, you can then find the resulting
output.pcap file in
/nsm/pcapout/ in the host filesystem.
You can configure Stenographer by going to Administration –> Configuration –> pcap.
For example, suppose you want to change the default value for purging old pcap. You could go to Administration –> Configuration –> pcap –> config –> diskfreepercentage and set the value to something appropriate for your system.
By default, Stenographer limits the number of files in the pcap directory to
30000 to avoid limitations with the ext3 filesystem. However, if you’re using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting. To do so, you can go to Administration –> Configuration –> pcap –> config –> maxdirectoryfiles and set the value to something appropriate for your system.
Diagnostic logging for Stenographer can be found at
/opt/so/log/stenographer/. Depending on what you’re looking for, you may also need to look at the Docker logs for the container:
sudo docker logs so-steno
Since Stenographer is totally independent from Suricata and Zeek, you can disable it without impacting your NIDS alerts or protocol metadata. If you decide to disable Stenographer, you can do so by going to Administration –> Configuration –> pcap –> enabled.