[Snort-users] Pcap filename from --pcap-dir?

Edward Fjellskål edwardfjellskaal at ...11827...
Sat Jan 5 13:06:18 EST 2013


Hi beenph!

I use Suricata with unix sockets to process a large amount of pcaps today.

That way I can do like:

./myscript --pcap /path/to/my/md5sum.pcap --logdir /path/to/where/I/want/all/the/logs/

The pcap is processed without suricata needing to be restarted.

Can I achieve the same with your DAQ?

/Edward


On Sat, Jan 5, 2013 at 4:11 PM, beenph <beenph at ...11827...> wrote:

>
>
> On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino at ...16035...>
> wrote:
> >
> > I often run snort against a directory of dumped pcaps from sandbox
> > output using the --pcap-dir option. I output the entire run in csv
> > format.
> > Ideally, I'd like to include the name of the pcap or other identifying
> > information in the csv output.
> >
> > I know I could script something to read one file at a time and output
> > it that way, but I'm looking to make better use of the --pcap-dir
> > option in an automated bulk process.
> > Has anyone done something similar who can shed some ideas?
> >
> > Thanks!
> > Andre'
>
>
> If your pcaps have a daemonlogger type format,
> e.g. daemonlogger.pcap.timestamp (timestamp or incremental value),
> you can use https://github.com/binf/DAQ_PCAP_SPOOLER, which I wrote.
> Note that the filename prefix is configurable.
> -elz
-- 
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/
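The one-file-at-a-time workaround Andre mentions (and the per-pcap log directory Edward describes) can be scripted without any change to Snort itself. The following is an added example, not code from the thread or from the Snort or DAQ_PCAP_SPOOLER projects: it runs Snort once per pcap with its own log directory and then tags every CSV alert row with the name of the pcap it came from. It assumes Snort 2 command-line flags (`-c`, `-r`, `-l`, `-q`) and a config whose `alert_csv` output writes `alert.csv` into the log directory; that file name, the `snort.conf` path and the stub runner used for the offline demo are all assumptions.

```python
"""
Added example (not from the thread): process a directory of pcaps with Snort
one file at a time, so each CSV alert row can be tagged with its source pcap.

Assumptions: Snort 2 flags -c/-r/-l/-q, and a config whose alert_csv output
writes <logdir>/alert.csv (adjust ALERT_CSV_NAME to match your own config).
"""
import csv
import io
import subprocess
import tempfile
from pathlib import Path

ALERT_CSV_NAME = "alert.csv"  # assumed alert_csv output file name


def build_snort_cmd(snort_conf, pcap, logdir):
    """One Snort invocation per pcap: -r reads the file, -l sets the log dir."""
    return ["snort", "-q", "-c", str(snort_conf), "-r", str(pcap), "-l", str(logdir)]


def tag_csv_rows(csv_text, pcap_name):
    """Prepend the pcap file name as the first column of every CSV row."""
    reader = csv.reader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in reader:
        if not row:  # skip blank lines
            continue
        writer.writerow([pcap_name] + row)
    return out.getvalue()


def process_pcap_dir(pcap_dir, snort_conf, out_root, run=subprocess.run):
    """Run Snort once per *.pcap in pcap_dir, each into its own log directory,
    and return the merged CSV text with the pcap name as the first column.
    `run` is injectable so the function can be exercised without Snort."""
    merged = []
    for pcap in sorted(Path(pcap_dir).glob("*.pcap")):
        logdir = Path(out_root) / pcap.stem  # separate log dir per pcap
        logdir.mkdir(parents=True, exist_ok=True)
        run(build_snort_cmd(snort_conf, pcap, logdir), check=True)
        alert_csv = logdir / ALERT_CSV_NAME
        if alert_csv.exists():
            merged.append(tag_csv_rows(alert_csv.read_text(), pcap.name))
    return "".join(merged)


def demo_with_stub_snort():
    """Offline demo: two empty constructed pcaps and a stub 'snort' that writes
    one constructed alert row into the log dir it was given."""
    def stub_run(cmd, check=False):
        logdir = Path(cmd[-1])  # last argument of build_snort_cmd is the -l value
        (logdir / ALERT_CSV_NAME).write_text(
            "01/05-13:06:18.000000,1:1000001:1,CONSTRUCTED TEST ALERT\n")

    with tempfile.TemporaryDirectory() as tmp:
        pcap_dir = Path(tmp) / "pcaps"
        pcap_dir.mkdir()
        for name in ("aaa.pcap", "bbb.pcap"):  # constructed, empty files
            (pcap_dir / name).touch()
        return process_pcap_dir(pcap_dir, "snort.conf", Path(tmp) / "logs", run=stub_run)


if __name__ == "__main__":
    print(demo_with_stub_snort(), end="")
```

Swap `demo_with_stub_snort` for a real call to `process_pcap_dir(<dir>, <snort.conf>, <out>)` to drive an actual Snort binary; keeping a log directory per pcap also preserves any unified2 or packet logs alongside the CSV, so a hit can be traced back to the exact sandbox capture.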