Re: Pcap filename from --pcap-dir?

[Alex Kirk <akirk () sourcefire com>]

The --pcap-show directive is designed to spit out the name of each PCAP
being read out of a directory with --pcap-dir. Since it will give you the
name before any alerts on that packet, it makes it fairly easy to correlate
which PCAPs generated which events. I've used it many times on large data
dumps, it's quite useful.


On Sat, Jan 5, 2013 at 1:10 PM, beenph <beenph () gmail com> wrote:

> That is exactly whats it for.
>
>
> On Sat, Jan 5, 2013 at 1:06 PM, Edward Fjellskål
> <edwardfjellskaal () gmail com> wrote:
> > Hi beenph!
> >
> > I use Suricata with unix sockets to process a large amount of pcaps
> today.
> > That way I can do like:
> >
> > ./myscript --pcap /path/to/my/md5sum.pcap --logdir
> > /path/to/where/I/want/all/the/logs/
> >
> > The pcap is processed without suricata needing to be restarted.
> >
> > Can I achieve  the same with your DAQ ?
> >
> > /Edward
> >
> >
> > On Sat, Jan 5, 2013 at 4:11 PM, beenph <beenph () gmail com> wrote:
> > > On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino () sempersecurus org
> >
> > > wrote:
> > > > I often run snort against a directory of dumped pcaps from sandbox
> > > > output using the --pcap-dir option. I output the entire run in csv
> > > > format.
> > > > Ideally, I'd like to include the name of the pcap or other identifying
> > > > information in the csv output.
> > > >
> > > > I know I could script something to read one file at a time and output
> > > > it that way, but I'm looking to make better use of the --pcap-dir
> > > > option in an automated bulk process.
> > > > Has anyone done something similar who can shed some ideas?
> > > >
> > > > Thanks!
> > > > Andre'
> > >
> > >
> > > If your pcaps have a daemonlogger type format
> > > eg: daemonlogger.pcap.timestamp (timestamp or incremental value)
> > > You can use https://github.com/binf/DAQ_PCAP_SPOOLER i wrote.
> > > Note that filename prefix is configurable
> > > -elz
> ------------------------------------------------------------------------------
> > > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> > > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> > > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> > > MVPs and experts. SALE $99.99 this month only -- learn more at:
> > > http://p.sf.net/sfu/learnmore_122912
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > > news!
> >
> >
> >
> >
> > --
> > Edward Bjarte Fjellskål
> > Senior Security Analyst
> > http://www.gamelinux.org/
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122912
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122412

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!