[Snort-users] Pcap filename from --pcap-dir?

Alex Kirk akirk at ...1935...
Mon Jan 7 07:26:46 EST 2013


The --pcap-show directive is designed to spit out the name of each PCAP
being read out of a directory with --pcap-dir. Since it will give you the
name before any alerts on that packet, it makes it fairly easy to correlate
which PCAPs generated which events. I've used it many times on large data
dumps; it's quite useful.


On Sat, Jan 5, 2013 at 1:10 PM, beenph <beenph at ...11827...> wrote:

> That is exactly what it's for.
>
>
> On Sat, Jan 5, 2013 at 1:06 PM, Edward Fjellskål
> <edwardfjellskaal at ...11827...> wrote:
> > Hi beenph!
> >
> > I use Suricata with unix sockets to process a large amount of pcaps today.
> >
> > That way I can do like:
> >
> > ./myscript --pcap /path/to/my/md5sum.pcap --logdir /path/to/where/I/want/all/the/logs/
> >
> > The pcap is processed without suricata needing to be restarted.
> >
> > Can I achieve the same with your DAQ?
> >
> > /Edward
> >
> >
> > On Sat, Jan 5, 2013 at 4:11 PM, beenph <beenph at ...11827...> wrote:
> >>
> >>
> >>
> >> On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino at ...16035...> wrote:
> >> >
> >> > I often run snort against a directory of dumped pcaps from sandbox
> >> > output using the --pcap-dir option. I output the entire run in csv
> >> > format.
> >> > Ideally, I'd like to include the name of the pcap or other identifying
> >> > information in the csv output.
> >> >
> >> > I know I could script something to read one file at a time and output
> >> > it that way, but I'm looking to make better use of the --pcap-dir
> >> > option in an automated bulk process.
> >> > Has anyone done something similar who can shed some ideas?
> >> >
> >> > Thanks!
> >> > Andre'
> >>
> >>
> >> If your pcaps have a daemonlogger-type format,
> >> e.g. daemonlogger.pcap.timestamp (timestamp or incremental value),
> >> you can use https://github.com/binf/DAQ_PCAP_SPOOLER, which I wrote.
> >> Note that the filename prefix is configurable.
> >> -elz
> >>
> > --
> > Edward Bjarte Fjellskål
> > Senior Security Analyst
> > http://www.gamelinux.org/
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
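The correlation Alex describes, as an added example that is not part of this thread and not Snort's own code: a small Python script that walks Snort's combined console output in order and attributes each fast-format alert to the pcap named by the most recent --pcap-show line above it, then emits the CSV with a pcap column that Andre asked for. The "Reading network traffic from ..." wording, the alert lines and the file paths are constructed assumptions; adjust PCAP_RE to the exact line your Snort build prints.

```python
import csv
import io
import re

# ASSUMPTION: the per-file line Snort prints under --pcap-dir --pcap-show.
# Constructed here; check a real run and adjust the pattern if your build
# words it differently.
PCAP_RE = re.compile(r'Reading network traffic from "(?P<path>[^"]+)"')

# Snort "fast" alert line (alert_fast / -A fast). Tolerates a missing
# [Classification: ...] block, which rules without a classtype produce.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

FIELDS = ['pcap', 'ts', 'gid', 'sid', 'rev', 'msg', 'proto', 'src', 'dst']

# Constructed sample of interleaved Snort output: two files with alerts,
# one (bb22.pcap) that produced none.
SAMPLE_OUTPUT = """\
Reading network traffic from "/data/pcaps/aa11.pcap" with snaplen = 65535
01/05-13:06:00.123456  [**] [1:2000001:1] CONSTRUCTED outbound beacon [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:49152 -> 203.0.113.9:443
01/05-13:06:01.000001  [**] [1:2000002:2] CONSTRUCTED dns txt query [**] [Priority: 2] {UDP} 10.0.0.5:5353 -> 10.0.0.1:53
Reading network traffic from "/data/pcaps/bb22.pcap" with snaplen = 65535
Reading network traffic from "/data/pcaps/cc33.pcap" with snaplen = 65535
01/05-13:06:05.500000  [**] [1:2000001:1] CONSTRUCTED outbound beacon [**] [Priority: 3] {TCP} 10.0.0.7:49200 -> 198.51.100.2:443
""".splitlines()


def attribute_alerts(lines):
    """Return one dict per alert, tagged with the pcap Snort was reading.

    --pcap-show prints the file name before any alert from that file, so a
    single forward pass with a 'current file' variable is enough. Alerts seen
    before any file line (e.g. if --pcap-show was forgotten) get pcap=None so
    the gap is visible rather than silently blamed on the wrong file.
    """
    current = None
    rows = []
    for line in lines:
        m = PCAP_RE.search(line)
        if m:
            current = m.group('path')
            continue
        a = ALERT_RE.match(line)
        if a:
            rows.append({'pcap': current, **a.groupdict()})
    return rows


def alerts_per_pcap(rows):
    """Count alerts by pcap; handy for spotting which dumps were noisiest."""
    counts = {}
    for r in rows:
        counts[r['pcap']] = counts.get(r['pcap'], 0) + 1
    return counts


def to_csv(rows):
    """Render the attributed alerts as CSV text with pcap as the first column."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator='\n')
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == '__main__':
    # Real use: snort -c snort.conf --pcap-dir /data/pcaps --pcap-show -A fast 2>&1 | python3 this.py
    import sys
    source = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(to_csv(attribute_alerts(source)), end='')
```

Because the script keys only on the file line and the alert line, it works on a saved console log as well as on a live pipe; the one thing to verify on a new Snort version is that PCAP_RE still matches the file announcement, since a silent mismatch leaves every alert with an empty pcap column.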