Snort mailing list archives
Re: Pcap filename from --pcap-dir?
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 7 Jan 2013 07:26:46 -0500
The --pcap-show directive is designed to spit out the name of each PCAP being read out of a directory with --pcap-dir. Since it will give you the name before any alerts on that packet, it makes it fairly easy to correlate which PCAPs generated which events. I've used it many times on large data dumps, it's quite useful.

On Sat, Jan 5, 2013 at 1:10 PM, beenph <beenph () gmail com> wrote:
> That is exactly what it's for.
>
> On Sat, Jan 5, 2013 at 1:06 PM, Edward Fjellskål <edwardfjellskaal () gmail com> wrote:
>> Hi beenph!
>>
>> I use Suricata with unix sockets to process a large amount of pcaps today. That way I can do like:
>>
>> ./myscript --pcap /path/to/my/md5sum.pcap --logdir /path/to/where/I/want/all/the/logs/
>>
>> The pcap is processed without suricata needing to be restarted. Can I achieve the same with your DAQ?
>>
>> /Edward
>>
>> On Sat, Jan 5, 2013 at 4:11 PM, beenph <beenph () gmail com> wrote:
>>> On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino () sempersecurus org> wrote:
>>>> I often run snort against a directory of dumped pcaps from sandbox output using the --pcap-dir option. I output the entire run in csv format. Ideally, I'd like to include the name of the pcap or other identifying information in the csv output. I know I could script something to read one file at a time and output it that way, but I'm looking to make better use of the --pcap-dir option in an automated bulk process. Has anyone done something similar who can shed some ideas?
>>>>
>>>> Thanks!
>>>> Andre'
>>>
>>> If your pcaps have a daemonlogger type format, e.g. daemonlogger.pcap.timestamp (timestamp or incremental value), you can use https://github.com/binf/DAQ_PCAP_SPOOLER which I wrote. Note that the filename prefix is configurable.
>>>
>>> -elz
>>
>> --
>> Edward Bjarte Fjellskål
>> Senior Security Analyst
>> http://www.gamelinux.org/
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
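Correlating alerts with their source file via --pcap-show, as an added example that is not part of the thread and not Snort's own code: the script below assumes Snort 2.9-style output (a `Reading network traffic from "<path>" with snaplen = <n>` announcement before each file, and one-line fast-format alerts from -A console; verify the exact strings against your build) and tags each alert with the file announced most recently, producing the CSV with a filename column that the original question asked for. The file names, SIDs, messages and addresses in the embedded sample are constructed.

```python
"""Tag Snort alerts with the PCAP they came from (added example, not from the thread).

Assumptions (Snort 2.9-style output, verify against your build):
  * with --pcap-dir and --pcap-show, Snort announces each file before
    processing it with a line like
        Reading network traffic from "/path/file.pcap" with snaplen = 65535
  * with -A console (fast format), each alert is one line:
        MM/DD[/YY]-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src -> dst
Pipe both streams through this script, e.g.
    snort -c snort.conf --pcap-dir /data/pcaps --pcap-show -A console 2>&1 | python3 tag_alerts.py > alerts.csv
"""
import csv
import io
import re
import sys

READING_RE = re.compile(r'^Reading network traffic from "(?P<path>[^"]+)"')
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:.*?\[Priority:\s*(?P<prio>\d+)\])?'
    r'(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?'
)
FIELDS = ["pcap", "ts", "gid", "sid", "rev", "msg", "prio", "proto", "src", "dst"]
UNKNOWN = "UNKNOWN"  # alert seen before any file was announced (e.g. --pcap-show missing)


def tag_alerts(lines):
    """Yield one dict per alert line, carrying the most recently announced PCAP.

    Lines that are neither a file announcement nor an alert (banner,
    rule-loading chatter, run statistics) are ignored.
    """
    current = UNKNOWN
    for line in lines:
        line = line.rstrip("\r\n")
        m = READING_RE.match(line)
        if m:
            current = m.group("path")
            continue
        m = ALERT_RE.match(line)
        if m:
            row = m.groupdict()
            row["pcap"] = current
            yield row


def to_csv(lines):
    """Return the tagged alerts as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, restval="")
    writer.writeheader()
    for row in tag_alerts(lines):
        writer.writerow(row)
    return buf.getvalue()


def alerts_per_pcap(lines):
    """Map each announced PCAP to its alert count; files that fired nothing get 0."""
    counts = {}
    current = UNKNOWN
    for line in lines:
        line = line.rstrip("\r\n")
        m = READING_RE.match(line)
        if m:
            current = m.group("path")
            counts.setdefault(current, 0)
        elif ALERT_RE.match(line):
            counts[current] = counts.get(current, 0) + 1
    return counts


# Constructed sample of merged Snort output (not real captured output).
SAMPLE = """\
Reading network traffic from "/data/pcaps/0a1b2c.pcap" with snaplen = 65535
01/05-09:23:01.000100  [**] [1:1000001:1] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
Reading network traffic from "/data/pcaps/3d4e5f.pcap" with snaplen = 65535
Reading network traffic from "/data/pcaps/6a7b8c.pcap" with snaplen = 65535
01/05-09:25:44.500000  [**] [1:1000002:1] LOCAL suspicious User-Agent [**] [Priority: 3] {TCP} 198.51.100.9:40000 -> 192.0.2.20:80
01/05-09:25:45.100000  [**] [1:1000003:2] LOCAL DNS beacon [**] [Priority: 1] {UDP} 198.51.100.9:5353 -> 192.0.2.21:53
===============================================================================
Run time for packet processing was 0.12 seconds
"""

if __name__ == "__main__":
    # Read Snort output from a pipe; fall back to the embedded sample when run interactively.
    src = sys.stdin if not sys.stdin.isatty() else io.StringIO(SAMPLE)
    sys.stdout.write(to_csv(src))
```

Two things to check before trusting this in a bulk run: the file announcement is an ordinary Snort log message while the console alerts are alert output, so the two can land on different streams; merge them with 2>&1 and confirm that both sides flush per line, or the "name before its alerts" ordering that makes the correlation work can be lost in buffering. Quiet mode (-q) suppresses Snort's ordinary log messages and may swallow the announcement line too, so drop -q or verify that the file names still appear. An alert that arrives before any announcement is tagged UNKNOWN rather than being silently attributed to a neighbouring file, and alerts_per_pcap() lists the files that fired nothing, which is usually the more useful view of a sandbox dump.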
Current thread:
- Pcap filename from --pcap-dir? Andre DiMino (Jan 05)
- Re: Pcap filename from --pcap-dir? beenph (Jan 05)
- Re: Pcap filename from --pcap-dir? Edward Fjellskål (Jan 05)
- Re: Pcap filename from --pcap-dir? beenph (Jan 05)
- Re: Pcap filename from --pcap-dir? Alex Kirk (Jan 07)
- Re: Pcap filename from --pcap-dir? Edward Fjellskål (Jan 05)
- Re: Pcap filename from --pcap-dir? beenph (Jan 05)