Skip to content

so import pcap

doug edited this page Feb 12, 2019 · 7 revisions

Please note! We are migrating our documentation to https://securityonion.net/docs/. You can find the latest version of this page at: https://securityonion.net/docs/so-import-pcap.

so-import-pcap will import one or more pcaps into Security Onion preserving timestamps.

Availability

so-import-pcap is included by default in Security Onion Elastic Stack Release Candidate 3 (RC3) and later:
http://blog.securityonion.net/2018/03/security-onion-elastic-stack-release.html

Description

so-import-pcap is a quick and dirty EXPERIMENTAL script that will import one or more pcaps into Security Onion and preserve original timestamps.

It will do the following:

  • stop and disable Curator to avoid closing old indices
  • stop and disable all active sniffing processes (Bro, Snort, Suricata, and netsniff-ng)
  • stop and disable ossec_agent
  • reconfigure and restart sguild, syslog-ng, and Logstash where necessary
  • generate IDS alerts using Snort or Suricata
  • generate Bro logs
  • store IDS alerts and Bro logs with original timestamps
  • split traffic into separate daily pcaps and store them where sguil's pcap_agent can find them

Requirements:

  • You must be running at least Security Onion Elastic Stack Release Candidate 2 (14.04.5.8 ISO).
  • You must have a sniffing interface defined (you can choose Evaluation Mode in the Setup wizard).

Warnings:

  • Do NOT run this on a production deployment. It is designed for standalone systems designated for so-import-pcap.
  • If you're running in a VM with snapshot capability, you might want to take a snapshot before this program makes changes.

Reverting System Changes:

  • If you take a VM snapshot before this program makes changes, then just revert to snapshot.
  • Otherwise, you can re-run Setup and it should overwrite all modified files to revert the system to normal operation.

Usage

Please supply at least one pcap file.

For example, to import a single pcap named import.pcap:

so-import-pcap import.pcap

To import multiple pcaps:

so-import-pcap import1.pcap import2.pcap

Example

For a detailed walk-through with screenshots, please see:
https://taosecurity.blogspot.com/2018/02/importing-pcap-into-security-onion.html

Warning

Please note that so-import-pcap will make changes to your system! It will warn you before doing so and will prompt you to press Enter to continue or Ctrl-c to cancel.

If you want to bypass the "Press Enter to continue" prompt, you can do something like this:

echo | sudo so-import-pcap /opt/samples/markofu/ie*
Clone this wiki locally
You can’t perform that action at this time.