Extract pcap from multiple ELSA queries?

[Jeff]

I have what looks to be a drive by download from a malicious advertisement.

I found it via Bro logs in ELSA and traced it back via the referrers. There were three domains involved, so I have three queries in ELSA that show me the chain of events.

Is there anyway to get a full pcap of the traffic via ELSA and these multiple queries? Or is there anyway to get all traffic from the internal IP for a given time period? Or should I just go to the command line and get the full packet capture from the time period and just start carving it up?

[Doug Burks]

Hi Jeff,

For each log in ELSA, you can click Info -> Plugin -> getPcap and then
download the pcap. Once you've downloaded each individual pcap, you
could merge them with mergecap.

Alternatively, you could go to
/nsm/sensor_data/HOSTNAME-INTERFACE/dailylogs/YYYY-MM-DD/ and use
tcpdump, tshark, or your favorite pcap utility for carving out the
streams you're interested in.

> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

[jswan]

I have a blog post showing how to use Doug's second option here:

http://unroutable.blogspot.com/2015/07/extracting-traffic-from-rolling-capture.html

I find this very handy for any kind of traffic extraction that would be inconveniently repetitive with ELSA.

Jay