so-import-pcap
so-import-pcap will import one or more pcaps into Security Onion preserving timestamps.
If you're running Security Onion Elastic Stack Release Candidate 2 (RC2), you can manually download so-import-pcap from here:
so-import-pcap is included by default in Security Onion Elastic Stack Release Candidate 3 (RC3) and later:
so-import-pcap is a quick and dirty EXPERIMENTAL script that will import one or more pcaps into Security Onion and preserve original timestamps.
It will do the following:
- stop and disable Curator to avoid closing old indices
- stop and disable all active sniffing processes (Bro, Snort, Suricata, and netsniff-ng)
- stop and disable ossec_agent
- reconfigure and restart sguild, syslog-ng, and Logstash where necessary
- generate IDS alerts using Snort or Suricata
- generate Bro logs
- store IDS alerts and Bro logs with original timestamps
- split traffic into separate daily pcaps and store them where sguil's pcap_agent can find them
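As an added illustration of the last step in that list (example code written for this page, not the so-import-pcap script itself), the function below buckets the records of a classic little-endian pcap into one output pcap per UTC calendar day while keeping every record's original timestamp; it assumes the daily split is by UTC date, and the sample pcap it parses is constructed inline rather than captured traffic.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4
# Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# Per-record header: ts_sec, ts_usec, incl_len, orig_len (16 bytes)
REC_HDR = struct.Struct("<IIII")


def iter_packets(data: bytes):
    """Yield (ts_sec, ts_usec, raw_record_bytes) for each record in a little-endian pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != PCAP_MAGIC_LE:
        raise ValueError("this example only handles little-endian microsecond pcap files")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        end = off + REC_HDR.size + incl_len
        if end > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield ts_sec, ts_usec, data[off:end]
        off = end


def split_by_day(data: bytes) -> dict:
    """Return {'YYYY-MM-DD': pcap_bytes}; each daily file reuses the original global header
    and carries its records unchanged, so timestamps are preserved exactly."""
    header = data[:GLOBAL_HDR.size]
    buckets = {}
    for ts_sec, _ts_usec, rec in iter_packets(data):
        day = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d")
        buckets.setdefault(day, bytearray(header)).extend(rec)
    return {day: bytes(buf) for day, buf in buckets.items()}


def make_sample_pcap(timestamps):
    """Constructed sample: a valid pcap with one 4-byte dummy packet per timestamp (not real traffic)."""
    buf = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for ts in timestamps:
        buf += REC_HDR.pack(ts, 0, 4, 4) + b"\x00\x01\x02\x03"
    return bytes(buf)


if __name__ == "__main__":
    # Two packets on 2009-02-13 UTC and one exactly a day later on 2009-02-14 UTC.
    sample = make_sample_pcap([1234567890, 1234567891, 1234654290])
    for day, blob in sorted(split_by_day(sample).items()):
        print(day, "->", len(blob), "bytes")
```

Each value in the returned dict can be written straight to a file named after its day, which is the layout a pcap_agent-style reader expects.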
Requirements:
- You must be running at least Security Onion Elastic Stack Release Candidate 2 (14.04.5.8 ISO).
- You must have a sniffing interface defined (you can choose Evaluation Mode in the Setup wizard).
- Do NOT run this on a production deployment. It is designed for standalone systems designated for so-import-pcap.
- If you're running in a VM with snapshot capability, you might want to take a snapshot before this program makes changes.
Reverting System Changes:
- If you take a VM snapshot before this program makes changes, then just revert to snapshot.
- Otherwise, you can re-run Setup and it should overwrite all modified files to revert the system to normal operation.
Please supply at least one pcap file.
For example, to import a single pcap named import.pcap:
so-import-pcap import.pcap
To import multiple pcaps:
so-import-pcap import1.pcap import2.pcap
For a detailed walk-through with screenshots, please see:
Please note that so-import-pcap will make changes to your system! It will warn you before doing so and will prompt you to press Enter to continue or Ctrl-c to cancel.
If you want to bypass the "Press Enter to continue" prompt, you can do something like this:
echo | sudo so-import-pcap /opt/samples/markofu/ie*