[Snort-users] Pcap filename from --pcap-dir?

beenph beenph at ...11827...
Sat Jan 5 13:10:07 EST 2013


That is exactly what it's for.


On Sat, Jan 5, 2013 at 1:06 PM, Edward Fjellskål
<edwardfjellskaal at ...11827...> wrote:
> Hi beenph!
>
> I use Suricata with unix sockets to process a large amount of pcaps today.
>
> That way I can do like:
>
> ./myscript --pcap /path/to/my/md5sum.pcap --logdir
> /path/to/where/I/want/all/the/logs/
>
> The pcap is processed without suricata needing to be restarted.
>
> Can I achieve the same with your DAQ?
>
> /Edward
>
>
> On Sat, Jan 5, 2013 at 4:11 PM, beenph <beenph at ...11827...> wrote:
>>
>>
>>
>> On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino at ...16035...>
>> wrote:
>> >
>> > I often run snort against a directory of dumped pcaps from sandbox
>> > output using the --pcap-dir option. I output the entire run in csv
>> > format.
>> > Ideally, I'd like to include the name of the pcap or other identifying
>> > information in the csv output.
>> >
>> > I know I could script something to read one file at a time and output
>> > it that way, but I'm looking to make better use of the --pcap-dir
>> > option in an automated bulk process.
>> > Has anyone done something similar who can shed some ideas?
>> >
>> > Thanks!
>> > Andre'
>>
>>
>> If your pcaps have a daemonlogger-type format,
>> e.g. daemonlogger.pcap.timestamp (timestamp or incremental value),
>> you can use https://github.com/binf/DAQ_PCAP_SPOOLER, which I wrote.
>> Note that the filename prefix is configurable.
>> -elz
>>
>>
>>
>
>
>
>
> --
> Edward Bjarte Fjellskål
> Senior Security Analyst
> http://www.gamelinux.org/
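The per-file approach Andre mentions (run Snort against one pcap at a time and carry the pcap name into the CSV) written out as an added example; this is not code from the thread, from Snort or from DAQ_PCAP_SPOOLER. It assumes `snort` is on PATH and that the config contains an alert_csv output line such as `output alert_csv: alert.csv default`, so each run writes `alert.csv` into the directory given with `-l`.

```shell
#!/bin/sh
# Added example: run Snort once per pcap in a directory and prefix every
# CSV alert line with the pcap's filename, so the merged CSV records which
# capture produced each alert.
# Assumptions: snort is on PATH; SNORT_CONF has an alert_csv output line
# (e.g. "output alert_csv: alert.csv default") so each run writes
# alert.csv into the log directory passed with -l.

# tag_csv PCAP_PATH CSV_FILE: print CSV_FILE with the pcap's basename
# prepended as a first column; blank lines are dropped, nothing else changes.
tag_csv() {
    pcap_name=$(basename "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        printf '%s,%s\n' "$pcap_name" "$line"
    done < "$2"
}

# run_dir PCAP_DIR SNORT_CONF OUT_CSV: process each *.pcap in PCAP_DIR in a
# private log directory, append the tagged alerts to OUT_CSV, then clean up.
run_dir() {
    pcap_dir=$1; conf=$2; out=$3
    for pcap in "$pcap_dir"/*.pcap; do
        [ -f "$pcap" ] || continue
        logdir=$(mktemp -d) || return 1
        # -q keeps the banner and stats off stdout; alerts go to $logdir/alert.csv
        snort -q -c "$conf" -r "$pcap" -l "$logdir"
        if [ -f "$logdir/alert.csv" ]; then
            tag_csv "$pcap" "$logdir/alert.csv" >> "$out"
        fi
        rm -rf "$logdir"
    done
}

# Usage: ./snort_pcap_dir.sh /path/to/pcaps /etc/snort/snort.conf merged.csv
if [ $# -eq 3 ]; then
    run_dir "$1" "$2" "$3"
fi
```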

