Snort mailing list archives
Re: Pcap filename from --pcap-dir?
From: Edward Fjellskål <edwardfjellskaal () gmail com>
Date: Sat, 5 Jan 2013 19:06:18 +0100
Hi beenph!

I use Suricata with unix sockets to process a large number of pcaps today. That way I can do like:

./myscript --pcap /path/to/my/md5sum.pcap --logdir /path/to/where/I/want/all/the/logs/

The pcap is processed without Suricata needing to be restarted.

Can I achieve the same with your DAQ?

/Edward

On Sat, Jan 5, 2013 at 4:11 PM, beenph <beenph () gmail com> wrote:
On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino () sempersecurus org> wrote:

I often run snort against a directory of dumped pcaps from sandbox output using the --pcap-dir option. I output the entire run in csv format. Ideally, I'd like to include the name of the pcap or other identifying information in the csv output. I know I could script something to read one file at a time and output it that way, but I'm looking to make better use of the --pcap-dir option in an automated bulk process. Has anyone done something similar who can shed some ideas?

Thanks!
Andre'

If your pcaps have a daemonlogger-type format, e.g. daemonlogger.pcap.timestamp (timestamp or incremental value), you can use https://github.com/binf/DAQ_PCAP_SPOOLER, which I wrote. Note that the filename prefix is configurable.

-elz

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122912
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/
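Edward's "myscript" is not shown in the thread. The following is an added example, not code from any participant or from the Suricata or DAQ_PCAP_SPOOLER projects, of the exchange he describes: a client that speaks Suricata's unix command socket protocol (a JSON version handshake, then a pcap-file command carrying filename and output-dir, each answered with a JSON reply whose "return" field is "OK" or "NOK") and queues every pcap in a directory into its own log directory named after the pcap, which also gives the per-pcap attribution Andre asked about. The socket path, the protocol version string, the fake_suricata_server stand-in and the empty placeholder .pcap files are assumptions for an offline run; the fake server never reads the files.

```python
"""Queue pcaps into a running Suricata over its unix command socket.

Added example, not from the thread. Protocol shape follows Suricata's
documented unix socket: JSON handshake {"version": ...}, then JSON commands,
each answered with {"return": "OK"|"NOK", ...}. DEFAULT_SOCKET, the version
string and the fake server are assumptions used for the offline demo.
"""
import json
import os
import socket
import tempfile
import threading

DEFAULT_SOCKET = "/var/run/suricata/suricata-command.socket"  # assumed default path
PROTOCOL_VERSION = "0.2"  # older releases answer to "0.1"


def _send_json(sock, obj):
    # One JSON object per message, newline-terminated as suricatasc sends it.
    sock.sendall((json.dumps(obj) + "\n").encode("utf-8"))


def _recv_json(sock):
    """Read until the bytes received parse as one JSON object (how suricatasc reads replies)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the command socket")
        buf += chunk
        try:
            return json.loads(buf.decode("utf-8"))
        except ValueError:
            continue  # partial message, keep reading


class SuricataClient:
    """Client side of the command socket; takes a connected socket so it can run offline."""

    def __init__(self, sock):
        self.sock = sock

    @classmethod
    def connect(cls, path=DEFAULT_SOCKET):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(path)
        client = cls(s)
        client.handshake()
        return client

    def handshake(self):
        _send_json(self.sock, {"version": PROTOCOL_VERSION})
        reply = _recv_json(self.sock)
        if reply.get("return") != "OK":
            raise RuntimeError("version handshake rejected: %r" % (reply,))
        return reply

    def command(self, name, arguments=None):
        msg = {"command": name}
        if arguments:
            msg["arguments"] = arguments
        _send_json(self.sock, msg)
        return _recv_json(self.sock)

    def pcap_file(self, filename, output_dir):
        # Suricata processes the file and writes its logs under output_dir, no restart needed.
        return self.command("pcap-file", {"filename": filename, "output-dir": output_dir})


def submit_pcap_dir(client, pcap_dir, log_root):
    """Queue every .pcap/.pcapng in pcap_dir, each into log_root/<pcap name without extension>,
    so every log line is attributable to the pcap that produced it. Returns (pcap, logdir) pairs."""
    submitted = []
    for name in sorted(os.listdir(pcap_dir)):
        if not name.endswith((".pcap", ".pcapng")):
            continue
        pcap_path = os.path.abspath(os.path.join(pcap_dir, name))
        out_dir = os.path.join(log_root, os.path.splitext(name)[0])
        os.makedirs(out_dir, exist_ok=True)
        reply = client.pcap_file(pcap_path, out_dir)
        if reply.get("return") != "OK":
            raise RuntimeError("suricata refused %s: %r" % (name, reply))
        submitted.append((pcap_path, out_dir))
    return submitted


def fake_suricata_server(sock, log):
    """Assumed stand-in for the server side of the protocol; records commands it receives."""
    if "version" not in _recv_json(sock):
        _send_json(sock, {"return": "NOK", "message": "expected version handshake"})
        return
    _send_json(sock, {"return": "OK"})
    while True:
        try:
            msg = _recv_json(sock)
        except ConnectionError:
            return
        log.append(msg)
        if msg.get("command") == "pcap-file":
            _send_json(sock, {"return": "OK", "message": "pcap added"})
        else:
            _send_json(sock, {"return": "NOK", "message": "unknown command"})


def make_sample_pcap_dir():
    """Constructed sample input: empty placeholder files named like the md5sum.pcap files
    in the thread, plus one non-pcap file that must be skipped."""
    root = tempfile.mkdtemp(prefix="pcap-spool-")
    pcaps = os.path.join(root, "pcaps")
    os.makedirs(pcaps)
    for name in ("0123abcd.pcap", "ffff0000.pcap", "notes.txt"):
        open(os.path.join(pcaps, name), "wb").close()
    return pcaps, os.path.join(root, "logs")


def run_offline_demo():
    """Drive the client against the fake server over a socketpair; returns (submissions, server log)."""
    pcap_dir, log_root = make_sample_pcap_dir()
    client_end, server_end = socket.socketpair()
    seen = []
    server = threading.Thread(target=fake_suricata_server, args=(server_end, seen), daemon=True)
    server.start()
    client = SuricataClient(client_end)
    client.handshake()
    submitted = submit_pcap_dir(client, pcap_dir, log_root)
    client_end.close()  # server sees EOF and exits
    server.join(timeout=5)
    server_end.close()
    return submitted, seen


if __name__ == "__main__":
    for pcap, out in run_offline_demo()[0]:
        print("queued %s -> logs in %s" % (pcap, out))
```

Against a real sensor, start Suricata with --unix-socket (unix-command enabled in suricata.yaml), replace the socketpair with SuricataClient.connect(), and note that the sensor itself reads the pcap, so the path must be valid from Suricata's side and the output directory writable by its user; suricatasc's pcap-file command does the same thing interactively.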
Current thread:
- Pcap filename from --pcap-dir? Andre DiMino (Jan 05)
- Re: Pcap filename from --pcap-dir? beenph (Jan 05)
- Re: Pcap filename from --pcap-dir? Edward Fjellskål (Jan 05)
- Re: Pcap filename from --pcap-dir? beenph (Jan 05)
- Re: Pcap filename from --pcap-dir? Alex Kirk (Jan 07)
- Re: Pcap filename from --pcap-dir? Edward Fjellskål (Jan 05)
- Re: Pcap filename from --pcap-dir? beenph (Jan 05)