# so-import-pcap
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/so-import-pcap.
so-import-pcap will import one or more pcaps into Security Onion, preserving the original timestamps.
so-import-pcap is included by default in Security Onion Elastic Stack Release Candidate 3 (RC3) and later:
http://blog.securityonion.net/2018/03/security-onion-elastic-stack-release.html
so-import-pcap is a quick and dirty EXPERIMENTAL script that will import one or more pcaps into Security Onion and preserve the original timestamps. It will do the following:
- stop and disable Curator to avoid closing old indices
- stop and disable all active sniffing processes (Bro, Snort, Suricata, and netsniff-ng)
- stop and disable ossec_agent
- reconfigure and restart sguild, syslog-ng, and Logstash where necessary
- generate IDS alerts using Snort or Suricata
- generate Bro logs
- store IDS alerts and Bro logs with original timestamps
- split traffic into separate daily pcaps and store them where sguil's pcap_agent can find them
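The daily-split step listed above, shown as an added example that is not so-import-pcap's own code: a stdlib-only Python splitter that reads a classic pcap, groups packets by their UTC capture date and writes one pcap per day, copying each record header through untouched so timestamps are preserved. The sample packets and file layout are constructed here; only little-endian, microsecond-resolution pcap is handled (no pcapng, no nanosecond magic), and anything else is rejected rather than guessed at.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4                 # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")      # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")            # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialize (ts_sec, ts_usec, pkt_bytes) tuples into a little-endian pcap file image."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, pkt in records:
        out += REC_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def read_pcap(data):
    """Parse a little-endian microsecond pcap; return (linktype, snaplen, [(ts_sec, ts_usec, pkt_bytes), ...])."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _maj, _min, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off = GLOBAL_HDR.size
    records = []
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, records


def split_pcap_by_day(data):
    """Return {'YYYY-MM-DD': pcap_bytes}, keyed by each packet's UTC capture date; timestamps are kept as-is."""
    linktype, snaplen, records = read_pcap(data)
    by_day = {}
    for ts_sec, ts_usec, pkt in records:
        # Day boundary is computed in UTC on purpose: a local-time split would file
        # packets captured just before midnight UTC under the wrong day.
        day = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d")
        by_day.setdefault(day, []).append((ts_sec, ts_usec, pkt))
    return {day: build_pcap(recs, linktype, snaplen) for day, recs in by_day.items()}


def build_sample_pcap():
    """Constructed input: three dummy frames straddling the 2018-02-01/02 UTC midnight boundary."""
    frame = b"\x00" * 14  # 14-byte placeholder Ethernet header; payload content is irrelevant here
    return build_pcap([
        (1517443200, 0, frame),       # 2018-02-01 00:00:00 UTC
        (1517529599, 999999, frame),  # 2018-02-01 23:59:59.999999 UTC
        (1517529600, 0, frame),       # 2018-02-02 00:00:00 UTC
    ])


if __name__ == "__main__":
    for day, blob in sorted(split_pcap_by_day(build_sample_pcap()).items()):
        with open("import-%s.pcap" % day, "wb") as f:
            f.write(blob)
        print(day, len(read_pcap(blob)[2]), "packets")
```

Run stand-alone it writes `import-2018-02-01.pcap` (two packets) and `import-2018-02-02.pcap` (one packet) into the current directory. The global header of each output file is copied from the input, so link type and snaplen survive the split as well.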
Requirements:
- You must be running at least Security Onion Elastic Stack Release Candidate 2 (14.04.5.8 ISO).
- You must have a sniffing interface defined (you can choose Evaluation Mode in the Setup wizard).
Warnings:
- Do NOT run this on a production deployment. It is designed for standalone systems designated for so-import-pcap.
- If you're running in a VM with snapshot capability, you might want to take a snapshot before this program makes changes.
Reverting System Changes:
- If you take a VM snapshot before this program makes changes, then just revert to snapshot.
- Otherwise, you can re-run Setup and it should overwrite all modified files to revert the system to normal operation.
Please supply at least one pcap file.
For example, to import a single pcap named import.pcap:

```
so-import-pcap import.pcap
```

To import multiple pcaps:

```
so-import-pcap import1.pcap import2.pcap
```
For a detailed walk-through with screenshots, please see:
https://taosecurity.blogspot.com/2018/02/importing-pcap-into-security-onion.html
Please note that so-import-pcap will make changes to your system! It will warn you before doing so and will prompt you to press Enter to continue or Ctrl-c to cancel.
If you want to bypass the "Press Enter to continue" prompt, you can do something like this:

```
echo | sudo so-import-pcap /opt/samples/markofu/ie*
```