Analyze Pcap File by Suricata Selks


fadi abusafat

Jun 21, 2019, 10:30:18 AM
to SELKS
Hi everyone. 

I would like to analyze a pcap file through Suricata in SELKS but it does not work. Every time I run it, it gives me errors that say: The custom type "workers" does not exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode.

I run the following command to analyse the pcap file:

suricata -c /etc/suricata/suricata.yaml -r Desktop/Pcap\ file/wrcc.pcap

This is an image of my work.

Could anyone please help me with how to analyse a pcap file through Suricata in SELKS?

Thank you so much. 

Many Thanks. 

Fadi !!!!
Pcap_File by Selks.PNG

Peter Manev

Jun 21, 2019, 10:44:16 AM
to fadi abusafat, SELKS
On Fri, Jun 21, 2019 at 5:30 PM fadi abusafat <fabusa...@gmail.com> wrote:
>
> Hi everyone.
>
> I would like to analyze a pcap file through Suricata in SELKS but it does not work. Every time I run it, it gives me errors that say: The custom type "workers" does not exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode.
>
> I run the following command to analyse the pcap file:
>
> suricata -c /etc/suricata/suricata.yaml -r Desktop/Pcap\ file/wrcc.pcap
>

You should probably try
suricata -c /etc/suricata/suricata.yaml -r Desktop/Pcap\ file/wrcc.pcap --runmode=autofp


Then be careful as to the timespan of the dashboards you are using to
look at the pcap, as the pcap timestamps may be different from
today/now :)

> This is an image of my work.
>
> Could anyone please help me with how to analyse a pcap file through Suricata in SELKS?
>
> Thank you so much.
>
> Many Thanks.
>
> Fadi !!!!
>
> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks
> ---
> You received this message because you are subscribed to the Google Groups "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
> To post to this group, send email to se...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/45614601-1cd0-4d94-a224-38639418ee34%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Regards,
Peter Manev

fadi abusafat

Jun 25, 2019, 6:15:19 AM
to Peter Manev, SELKS
Good morning. 

Thank you so much. It works, but I would like to ask you how we can get the details of the analysed pcap file into Kibana. I already logged in through the IP address after analysing the pcap file, but there are no results such as attack, DNS, port, etc.

Please, could you help me with this issue.


Thank you so much. 

Many Thanks. 

Fadi !!!!

Peter Manev

Jun 25, 2019, 6:45:06 AM
to fadi abusafat, SELKS
On Tue, Jun 25, 2019 at 12:15 PM fadi abusafat <fabusa...@gmail.com> wrote:
>
> Good morning.
>
> Thank you so much. It works, but I would like to ask you how we can get the details of the analysed pcap file into Kibana. I already logged in through the IP address after analysing the pcap file, but there are no results such as attack, DNS, port, etc.
>
> Please, could you help me with this issue.
>

You should probably adjust the time span in Kibana to reflect the
timespan of the pcap (timestamp of the packets).
Thank you

zakaria zakaria

Feb 22, 2022, 7:44:14 AM
to SELKS
Hello all,
Thank you for this significant discussion. In fact, I'm dealing with the same problem when trying to analyze pcap files on a Stamus probe based on Suricata. I would like to analyze a pcap file and then explore the generated eve.json file corresponding to this action. I tried the command you mentioned earlier and it works, but I found that the generated eve.json file has no alerts. Do you have any idea about the solution, please?
Regards

Peter Manev

Feb 22, 2022, 11:48:13 AM
to zakaria zakaria, SELKS
Hi,

In some cases HOME_NET would need to be adjusted, as it depends on
the data in the pcap.
Do you have other events (for example HTTP/DNS etc.)?

Thank you
> --
> Discord: Let's talk about SELKS on
> https://discord.com/channels/911231224448712714/911238451842666546
> Blog: https://www.stamus-networks.com/blog
> Twitter: @StamusN



--
Regards,
Peter Manev
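The two checks Peter suggests (which event types the pcap actually produced and what time range Kibana must cover, plus whether HOME_NET fits the capture) can be done directly on eve.json. This added Python example is not from the thread or the SELKS project; it reads constructed sample eve.json lines and assumes the standard timestamp, event_type, src_ip and dest_ip keys.

```python
#!/usr/bin/env python3
"""Summarise a Suricata eve.json: event types, time span and HOME_NET fit."""
import ipaddress
import json
from collections import Counter

# Constructed sample eve.json lines (not from a real capture).
SAMPLE_EVE = """\
{"timestamp":"2019-05-03T08:12:41.123456+0000","event_type":"flow","src_ip":"203.0.113.5","dest_ip":"198.51.100.9"}
{"timestamp":"2019-05-03T08:12:42.000000+0000","event_type":"dns","src_ip":"203.0.113.5","dest_ip":"198.51.100.53"}
{"timestamp":"2019-05-03T08:15:10.500000+0000","event_type":"http","src_ip":"203.0.113.7","dest_ip":"198.51.100.9"}
{"timestamp":"2019-05-03T09:01:00.000000+0000","event_type":"stats"}
"""


def summarise(eve_text, home_net):
    """Return (event-type counts, first timestamp, last timestamp,
    share of src/dest endpoints inside home_net).
    home_net is a list of CIDR strings as used in suricata.yaml."""
    nets = [ipaddress.ip_network(n) for n in home_net]
    counts = Counter()
    first = last = None
    inside = total = 0
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        counts[ev.get("event_type", "unknown")] += 1
        ts = ev.get("timestamp")
        if ts:  # ISO timestamps in one format compare correctly as strings
            first = ts if first is None or ts < first else first
            last = ts if last is None or ts > last else last
        for key in ("src_ip", "dest_ip"):
            if key in ev:
                total += 1
                if any(ipaddress.ip_address(ev[key]) in n for n in nets):
                    inside += 1
    share = inside / total if total else 0.0
    return dict(counts), first, last, share


if __name__ == "__main__":
    # Default HOME_NET from suricata.yaml; the sample pcap uses other ranges.
    counts, first, last, share = summarise(
        SAMPLE_EVE, ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"])
    print("event types:", counts)
    print("set the Kibana time range to cover", first, "..", last)
    if share == 0.0:
        print("no endpoint is in HOME_NET: adjust HOME_NET to the pcap's networks")
```

A HOME_NET share of zero explains an eve.json that has HTTP/DNS events but no alerts, since most rules key on $HOME_NET.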